udpate: change manifests entrypoint after upstream change overlays#3765
Conversation
Signed-off-by: Wen Zhou <wenzhou@redhat.com>
📝 WalkthroughWalkthroughCWE-829 (Inclusion of Functionality from Untrusted Control Sphere) applies here — this PR changes pinned git commit SHAs in get_all_manifests.sh for the "wva" component (both main and rhoai-3.5 branches), altering the exact upstream commit content fetched. No SHA provenance/verification is described. Separately, modelcontroller_support.go changes the WVA manifests SourcePath from a namespace-scoped overlay to a cluster-scoped overlay, which is a privilege/scope escalation of applied resources — verify RBAC and resource scoping implications before merge, as cluster-scoped manifests broaden blast radius beyond a single namespace. Estimated code review effort: 2 (Simple) | ~10 minutes Related issues: None specified in diff. Related PRs: None specified in diff. Suggested labels: supply-chain, security-review, manifest-scope-change Suggested reviewers: None specified. Poem: 🚥 Pre-merge checks | ✅ 10✅ Passed checks (10 passed)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: asanzgom, davidebianchi The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description
How Has This Been Tested?
Screenshot or short clip
Merge criteria
E2E test suite update requirement
When bringing new changes to the operator code, such changes are by default required to be accompanied by extending and/or updating the E2E test suite accordingly.
To opt-out of this requirement:
E2E update requirement opt-out justificationsection belowE2E update requirement opt-out justification
no need
cc @aleskandro
Summary by CodeRabbit