release: Release candidate v0.21.0 #6027
Conversation
…ollback in configData
…emplate and some more metadata added for pipeline strategy
# Conflicts: # pkg/bean/configSecretData.go
* fix image getting deactivated * wip * wip * wip * wip * wip * wip * wip * removing deactivate function
fix: Force abort fix
fix: Config deployment history fix
* cluster terminal images updated * migration seq num modified for cluster terminal images
* adding refchart migration * added helm chart templates --------- Co-authored-by: Badal Kumar Prusty <badalkumar@Badals-MacBook-Pro.local>
* migration seq rename * migration seq fix and renamed
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 10220829 | Triggered | Generic High Entropy Secret | 6f7bc6e | charts/devtron/devtron-bom.yaml |
| 10220829 | Triggered | Generic High Entropy Secret | 6f7bc6e | charts/devtron/values.yaml |
| 2763127 | Triggered | Generic High Entropy Secret | b6cf6e8 | scripts/devtron-reference-helm-charts/reference-chart_4-19-0/secrets-test-values.yaml |
| 2763127 | Triggered | Generic High Entropy Secret | b6cf6e8 | scripts/devtron-reference-helm-charts/deployment-chart_4-20-0/secrets-test-values.yaml |
| 141558 | Triggered | Generic High Entropy Secret | b6cf6e8 | scripts/devtron-reference-helm-charts/reference-chart_4-20-0/env-values.yaml |
| 2763127 | Triggered | Generic High Entropy Secret | b6cf6e8 | scripts/devtron-reference-helm-charts/reference-chart_4-20-0/secrets-test-values.yaml |
| 141558 | Triggered | Generic High Entropy Secret | b6cf6e8 | scripts/devtron-reference-helm-charts/reference-chart_4-19-0/env-values.yaml |
| 141558 | Triggered | Generic High Entropy Secret | b6cf6e8 | scripts/devtron-reference-helm-charts/deployment-chart_4-20-0/env-values.yaml |
| 9257608 | Triggered | Base64 AWS keys | b6cf6e8 | scripts/devtron-reference-helm-charts/deployment-chart_4-20-0/test-values.json |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn the best practices here.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
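The two detector names in the table above, "Generic High Entropy Secret" and "Base64 AWS keys", correspond to two different checks: a per-character entropy threshold on a value, and base64-decoding a token to look for an access key id inside it. The following is an added example of a pre-commit style scanner that implements both over a values file; it is not GitGuardian's code nor anything from the Devtron repository. The `key: value` grammar it parses, the thresholds, and the sample document (which encodes AWS's documented example key id, not a live credential) are all constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected hardcoded secret in a values file.
type Finding struct {
	Line int
	Key  string
	Kind string // "high-entropy" or "base64-aws-key"
}

// kvRe pulls the first unquoted token of a `key: value` line. YAML comments,
// list items and nested structures are deliberately out of scope here.
var kvRe = regexp.MustCompile(`^\s*([A-Za-z0-9_.-]+):\s*"?([^"#\s]+)`)

// awsKeyRe matches an AWS access key id: "AKIA" followed by 16 uppercase alphanumerics.
var awsKeyRe = regexp.MustCompile(`AKIA[0-9A-Z]{16}`)

// ShannonEntropy returns the per-character entropy of s in bits. A random
// 32-character alphanumeric token scores close to 5; image references and
// prose stay well under 4.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	freq := map[rune]int{}
	for _, r := range s {
		freq[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range freq {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// LooksLikeBase64AWSKey tries the common base64 alphabets and reports whether
// the decoded bytes contain an access key id. This is how a key hidden inside
// a base64 blob is caught even when the blob itself is not obviously a key.
func LooksLikeBase64AWSKey(tok string) bool {
	encodings := []*base64.Encoding{
		base64.StdEncoding, base64.RawStdEncoding,
		base64.URLEncoding, base64.RawURLEncoding,
	}
	for _, enc := range encodings {
		if b, err := enc.DecodeString(tok); err == nil && awsKeyRe.Match(b) {
			return true
		}
	}
	return false
}

// ScanValues walks a YAML-like document line by line. Values shorter than
// minLen skip the entropy check so short flags such as "2" or "debug"
// do not produce noise; the base64 check runs on every value.
func ScanValues(doc string, minLen int, minEntropy float64) []Finding {
	var out []Finding
	for i, line := range strings.Split(doc, "\n") {
		m := kvRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		key, val := m[1], m[2]
		switch {
		case LooksLikeBase64AWSKey(val):
			out = append(out, Finding{Line: i + 1, Key: key, Kind: "base64-aws-key"})
		case len(val) >= minLen && ShannonEntropy(val) >= minEntropy:
			out = append(out, Finding{Line: i + 1, Key: key, Kind: "high-entropy"})
		}
	}
	return out
}

// SampleValues is a constructed values.yaml, not a file from the repository.
// The base64 value encodes AWS's documented example key id "AKIAIOSFODNN7EXAMPLE".
func SampleValues() string {
	encodedKey := base64.StdEncoding.EncodeToString([]byte("AKIAIOSFODNN7EXAMPLE"))
	return "# constructed sample values.yaml\n" +
		"replicaCount: 2\n" +
		"image: quay.io/devtron/devtron\n" +
		"POSTGRES_PASSWORD: \"7Kq2mZxP9vL4nR8sT1wY6bD3fG5hJ0cA\"\n" +
		"AWS_KEY: " + encodedKey + "\n"
}

func main() {
	for _, f := range ScanValues(SampleValues(), 16, 4.5) {
		fmt.Printf("line %d key %s: %s\n", f.Line, f.Key, f.Kind)
	}
}
```

Run against the sample, the image reference passes (its entropy is bounded by log2 of its 14 distinct characters, about 3.8 bits), the 32-character password is flagged as high-entropy, and the base64 blob is flagged because its decoded form matches the key id pattern rather than because of its entropy. Wired into a pre-commit hook, a non-empty result is what blocks the commit.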
Code scanning / SonarCloud

    {{- if $.Values.topologySpreadConstraint }}
    topologySpreadConstraints:
    {{ toYaml .Values.topologySpreadConstraint }}
    {{- end }}

Check warning (Medium): Service account permissions should be restricted

    {{- end}}
    {{- end}}
    containers:
    - name: {{ $.Chart.Name }}

Check warning (Medium): Memory limits should be enforced
Check warning (Medium): Storage limits should be enforced

    {{- end}}
    {{- else}}
    -
    {{ toYaml . | indent 10 }}

Check warning (Medium): Memory limits should be enforced
Check warning (Medium): Storage limits should be enforced
    configDataDto.WithSecretData(cmCsConfig)
    } else if resourceType == bean.CM {
    resolvedConfigDataStringJson, err := utils.ConvertToJsonRawMessage(resolvedCmCsMetadataDto.ResolvedConfigMapData)
    if err != nil {
    impl.logger.Errorw("getCmCsPublishedConfigResponse, error in ConvertToJsonRawMessage for resolvedJson", "ResolvedConfigMapData", resolvedCmCsMetadataDto.ResolvedConfigMapData, "err", err)

Check failure: Code scanning / CodeQL: Clear-text logging of sensitive information (High)
Sensitive data returned by an access to SecretKey
Copilot Autofix AI, 22 days ago:
To fix the problem, we need to ensure that sensitive information is not logged in clear text. Instead, we should either obfuscate the sensitive data or avoid logging it altogether. In this case, we will remove the sensitive data from the logging statement.
- Identify the logging statement that includes sensitive information.
- Modify the logging statement to exclude the sensitive data.
- Ensure that the functionality of the code remains unchanged.
@@ -585,3 +585,3 @@ | ||
if err != nil { | ||
impl.logger.Errorw("getCmCsPublishedConfigResponse, error in ConvertToJsonRawMessage for resolvedJson", "ResolvedConfigMapData", resolvedCmCsMetadataDto.ResolvedConfigMapData, "err", err) | ||
impl.logger.Errorw("getCmCsPublishedConfigResponse, error in ConvertToJsonRawMessage for resolvedJson", "err", err) | ||
return nil, err |
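Review bot: dropping ResolvedConfigMapData from the Errorw call at line 586 removes the leak but also leaves the error with nothing that says which config the conversion failed for; log a non-sensitive discriminator instead of the payload, for example the resourceType that the enclosing `} else if resourceType == bean.CM {` branch already has in scope, or the config map's name. The removal itself is correct: Errorw serialises every key/value pair handed to it, so the whole map, which CodeQL traces back to a SecretKey read, would have landed in the log line.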
    }
    resolvedConfigMapDataStringJson, err := utils.ConvertToJsonRawMessage(resolvedCmCsMetadataDto.ResolvedConfigMapData)
    if err != nil {
    impl.logger.Errorw("error in ConvertToJsonRawMessage for resolvedConfigMapDataStringJson", "resolvedCmData", resolvedCmCsMetadataDto.ResolvedConfigMapData, "err", err)

Check failure: Code scanning / CodeQL: Clear-text logging of sensitive information (High)
Sensitive data returned by an access to SecretKey
Copilot Autofix AI, 22 days ago:
To fix the problem, we need to ensure that sensitive information is not logged in clear text. Instead, we should either obfuscate the sensitive data or avoid logging it altogether. In this case, we will remove the sensitive data from the log message to prevent any potential exposure.
- We will modify the logging statement on line 630 in pkg/configDiff/DeploymentConfigurationService.go to exclude the sensitive data.
- No additional methods or imports are required for this fix.
@@ -629,3 +629,3 @@ | ||
if err != nil { | ||
impl.logger.Errorw("error in ConvertToJsonRawMessage for resolvedConfigMapDataStringJson", "resolvedCmData", resolvedCmCsMetadataDto.ResolvedConfigMapData, "err", err) | ||
impl.logger.Errorw("error in ConvertToJsonRawMessage for resolvedConfigMapDataStringJson", "err", err) | ||
return nil, err |
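Review bot: the field removed at line 630 was labelled `resolvedCmData`, yet CodeQL reports it as data returned by an access to SecretKey, so this ConfigMap branch is carrying secret-derived values and the removal is the right call. Two things to check before closing the finding: the `err` that is still logged comes from utils.ConvertToJsonRawMessage operating on that same payload, so confirm that its error text does not echo a fragment of the input; and resolvedCmCsMetadataDto.ResolvedConfigMapData is dereferenced again on the line above the hunk, so any other Errorw in the same function that passes it should get the same treatment in this PR rather than waiting for the next scan.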
    resolvedConfigDataReq := &bean.ConfigDataRequest{ConfigData: resolvedConfigDataList}
    resolvedConfigDataString, err := utils.ConvertToString(resolvedConfigDataReq)
    if err != nil {
    impl.logger.Errorw(" error in converting resolved config data to string", "resolvedConfigDataReq", resolvedConfigDataReq, "err", err)

Check failure: Code scanning / CodeQL: Clear-text logging of sensitive information (High)
Sensitive data returned by an access to SecretKey
Copilot Autofix AI, 22 days ago:
To fix the problem, we need to ensure that sensitive information is not logged in clear text. Instead of logging the entire resolvedConfigDataReq object, we should log only non-sensitive parts of the data or obfuscate the sensitive information before logging.
- Identify the sensitive fields within the resolvedConfigDataReq object.
- Modify the logging statement to exclude or obfuscate these sensitive fields.
- Ensure that the changes do not affect the existing functionality of the code.
@@ -748,3 +748,3 @@ | ||
if err != nil { | ||
impl.logger.Errorw(" error in converting resolved config data to string", "resolvedConfigDataReq", resolvedConfigDataReq, "err", err) | ||
impl.logger.Errorw(" error in converting resolved config data to string", "err", err) | ||
return "", "", err |
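Review bot: the attribute removed at line 749 is the whole `*bean.ConfigDataRequest`, which wraps `resolvedConfigDataList` (constructed two lines above the hunk), so every config entry, secrets included, was going to the log; if a size hint helps triage, log `len(resolvedConfigDataList)` or the entry names rather than the request. Smaller point: the message string `" error in converting resolved config data to string"` starts with a stray space that the autofix carried over unchanged; trim it while this line is being touched.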
    }
    resolvedConfigDataStringJson, err := utils.ConvertToJsonRawMessage(resolvedConfigDataString)
    if err != nil {
    impl.logger.Errorw("getCmCsPublishedConfigResponse, error in ConvertToJsonRawMessage for resolvedJson", "resolvedJson", resolvedConfigDataStringJson, "err", err)

Check failure: Code scanning / CodeQL: Clear-text logging of sensitive information (High)
Sensitive data returned by an access to SecretKey
Copilot Autofix AI, 22 days ago:
To fix the problem, we need to ensure that sensitive information is not logged in clear text. The best way to address this is to remove the sensitive data from the log message or obfuscate it before logging.
- Identify the logging statement that includes sensitive data.
- Modify the logging statement to exclude the sensitive data or replace it with a placeholder.
- Ensure that the sensitive data is handled securely elsewhere in the code.
In this case, we will modify the logging statement on line 773 in pkg/pipeline/history/ConfigMapHistoryService.go to exclude the sensitive resolvedConfigDataStringJson.
@@ -772,3 +772,3 @@ | ||
if err != nil { | ||
impl.logger.Errorw("getCmCsPublishedConfigResponse, error in ConvertToJsonRawMessage for resolvedJson", "resolvedJson", resolvedConfigDataStringJson, "err", err) | ||
impl.logger.Errorw("getCmCsPublishedConfigResponse, error in ConvertToJsonRawMessage for resolvedJson", "err", err) | ||
return nil, err |
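Review bot: the attribute removed at line 773, `resolvedConfigDataStringJson`, is the return value of the ConvertToJsonRawMessage call that has just failed, so besides being tainted it carried little diagnostic value and the fix is right. Separately, this message string is identical to the one fixed at line 586 in the first hunk (`getCmCsPublishedConfigResponse, error in ConvertToJsonRawMessage for resolvedJson`) even though this site is pkg/pipeline/history/ConfigMapHistoryService.go; give the two sites distinct messages so a log search can tell them apart.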
* misc: Replaced != with <> for PostgreSQL compatibility (#5987)
* error handling while creating github repo
* Replaced != with <> for PostgreSQL compatibility
* removed deployment group validation when deleting CD pipelines (#5989)
* fix for multiple param of filter in helm app list (#6013)
* fix: plugin getByName method error handling (#6016)
* plugin fix
* reverted errnorows change
* dep import
---------
Co-authored-by: prakhar katiyar <39842461+prkhrkat@users.noreply.github.com>
Co-authored-by: kartik-579 <84493919+kartik-579@users.noreply.github.com>
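All four CodeQL findings on this PR come from passing resolved ConfigMap/Secret payloads to Errorw, and all four autofixes simply drop the value. The alternative a reviewer usually asks for is a log-safe summary: key names, value lengths and a keyed fingerprint, so that two log lines can still be correlated while no plaintext reaches the log. The following is an added example of that pattern; it is not code from the Devtron repository, and the ConfigData type, its field names, the `CM`/`CS` labels and the sample values are assumptions made for illustration. It fingerprints with an HMAC under a per-process random key rather than a bare SHA-256, so a leaked log cannot be used to confirm guesses of low-entropy secrets offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"log"
)

// ConfigData is a hypothetical stand-in for a resolved ConfigMap or Secret
// entry: a name, a type and the decoded key/value payload.
type ConfigData struct {
	Name string
	Type string // "CM" or "CS" (assumed labels)
	Data map[string]string
}

// Summary is what may safely reach a log line: identifiers, key names,
// value lengths and keyed fingerprints, never the values themselves.
type Summary struct {
	Name         string            `json:"name"`
	Type         string            `json:"type"`
	KeyCount     int               `json:"keyCount"`
	Fingerprints map[string]string `json:"fingerprints"` // key -> "len=N fp=<12 hex>"
}

// Redactor fingerprints values with HMAC-SHA256 under a key generated once
// per process. Equal values correlate within one run; across runs, and for
// anyone holding only the log, the fingerprints are unguessable.
type Redactor struct{ key []byte }

// NewRedactor draws a fresh 256-bit key from the OS CSPRNG.
func NewRedactor() (*Redactor, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Redactor{key: key}, nil
}

// Fingerprint returns the first 12 hex characters of HMAC-SHA256(key, value).
func (r *Redactor) Fingerprint(value string) string {
	mac := hmac.New(sha256.New, r.key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))[:12]
}

// Summarize builds log-safe summaries. CM and CS payloads are treated alike,
// because a resolved ConfigMap can carry values derived from a Secret.
func (r *Redactor) Summarize(items []ConfigData) []Summary {
	out := make([]Summary, 0, len(items))
	for _, it := range items {
		s := Summary{Name: it.Name, Type: it.Type, KeyCount: len(it.Data), Fingerprints: map[string]string{}}
		for k, v := range it.Data {
			s.Fingerprints[k] = fmt.Sprintf("len=%d fp=%s", len(v), r.Fingerprint(v))
		}
		out = append(out, s)
	}
	return out
}

// LogSafeJSON renders the summaries as one JSON value, the shape a structured
// logger field such as the "resolvedConfig" attribute below would carry.
func (r *Redactor) LogSafeJSON(items []ConfigData) (string, error) {
	b, err := json.Marshal(r.Summarize(items))
	return string(b), err
}

// SampleConfig is constructed sample data, not taken from the repository.
func SampleConfig() []ConfigData {
	return []ConfigData{
		{Name: "app-config", Type: "CM", Data: map[string]string{"LOG_LEVEL": "debug", "DB_HOST": "postgres.devtroncd"}},
		{Name: "app-secret", Type: "CS", Data: map[string]string{"DB_PASSWORD": "hunter2", "API_TOKEN": "tok_9f3a7c1e2b4d"}},
	}
}

func main() {
	r, err := NewRedactor()
	if err != nil {
		log.Fatal(err)
	}
	payload, err := r.LogSafeJSON(SampleConfig())
	if err != nil {
		log.Fatal(err)
	}
	// Stands in for a call shaped like:
	// impl.logger.Errorw("error in ConvertToJsonRawMessage", "resolvedConfig", payload, "err", err)
	log.Printf("error in ConvertToJsonRawMessage resolvedConfig=%s", payload)
}
```

The summary still tells an on-call engineer which config, how many keys, which key names and whether the value at a given key changed between two log lines (same fingerprint or not), which covers most of what the removed payload was useful for. Note that key names themselves can be sensitive in some deployments; if so, fingerprint the keys as well.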
Quality Gate failed. Failed conditions: see analysis details on SonarCloud.
Description
Fixes #
Checklist:
Does this PR introduce a user-facing change?