Skip to content

udpate: change manifests entrypoint after upstream change overlays#3765

Merged
asanzgom merged 1 commit into
opendatahub-io:mainfrom
zdtsw-forking:chore_issue_1354
Jul 6, 2026
Merged

udpate: change manifests entrypoint after upstream change overlays#3765
asanzgom merged 1 commit into
opendatahub-io:mainfrom
zdtsw-forking:chore_issue_1354

Conversation

@zdtsw

@zdtsw zdtsw commented Jul 6, 2026

Copy link
Copy Markdown
Member

Description

How Has This Been Tested?

Screenshot or short clip

Merge criteria

  • You have read the contributors guide.
  • Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
  • Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work
  • The developer has run the integration test pipeline and verified that it passed successfully
  • New RELATED_IMAGE mappings are listed in ODH-Build-Config and RHOAI-Build-Config (CI validates names against build-config repos). Include links to build-config PRs in the description.

E2E test suite update requirement

When bringing new changes to the operator code, such changes are by default required to be accompanied by extending and/or updating the E2E test suite accordingly.

To opt-out of this requirement:

  1. Please inspect the opt-out guidelines, to determine if the nature of the PR changes allows for skipping this requirement
  2. If opt-out is applicable, provide justification in the dedicated E2E update requirement opt-out justification section below
  3. Check the checkbox below:
  • Skip requirement to update E2E test suite for this PR
  1. Submit/save these changes to the PR description. This will automatically trigger the check.

E2E update requirement opt-out justification

no need

cc @aleskandro

Summary by CodeRabbit

  • Bug Fixes
    • Updated the WVA component to use newer manifest revisions.
    • Adjusted WVA resource selection to use the cluster-scoped OpenShift overlay, which may improve how the component is deployed and managed.

Signed-off-by: Wen Zhou <wenzhou@redhat.com>
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) applies here — this PR changes pinned git commit SHAs in get_all_manifests.sh for the "wva" component (both main and rhoai-3.5 branches), altering the exact upstream commit content fetched. No SHA provenance/verification is described. Separately, modelcontroller_support.go changes the WVA manifests SourcePath from a namespace-scoped overlay to a cluster-scoped overlay, which is a privilege/scope escalation of applied resources — verify RBAC and resource scoping implications before merge, as cluster-scoped manifests broaden blast radius beyond a single namespace.

Estimated code review effort: 2 (Simple) | ~10 minutes

Related issues: None specified in diff.

Related PRs: None specified in diff.

Suggested labels: supply-chain, security-review, manifest-scope-change

Suggested reviewers: None specified.

Poem:
No praise, no summary — just a fact:
a SHA moved, an overlay repacked.
Namespace to cluster, scope grows wide,
audit the blast radius before you ride.

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Contribution Quality And Spam Detection ✅ Passed Small manifest pin/path update only; no concrete security-theater or code-quality issue, and template/no-issue hygiene alone isn't enough to flag spam.
No Hardcoded Secrets ✅ Passed No hardcoded secrets found in the touched files; changes are Git SHAs and manifest paths only, with no credential literals (CWE-798/CWE-522).
No Weak Cryptography ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, no custom crypto, and no secret comparisons found in the changed files; CWE-327/CWE-328 not triggered.
No Injection Vectors ✅ Passed PASS: Changed lines only pin hardcoded git SHAs and switch a manifest SourcePath constant; no untrusted input reaches exec/eval/sql/yaml.load/dangerouslySetInnerHTML (CWE-78/89/94/502/79).
No Privileged Containers ✅ Passed PASS: diff only repins WVA manifests and changes SourcePath; no privileged:true/hostNetwork/root/SYS_ADMIN found in touched files (CWE-250).
No Sensitive Data In Logs ✅ Passed No logging statements were added; the diff only changes manifest refs and a SourcePath, so no CWE-532/CWE-200 exposure is present.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: updating the manifests entrypoint for upstream overlay changes.

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: asanzgom, davidebianchi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [asanzgom,davidebianchi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@asanzgom asanzgom merged commit 825fb12 into opendatahub-io:main Jul 6, 2026
34 of 38 checks passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in ODH Platform Planning Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

3 participants