bryan-cox
Member

This is from kubernetes-sigs#5552.

Adds the ability to disable CAPZ components through a manager flag. Flags added for disabling ASO Secret Controller and disabling Azure JSON Machine Controller.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 28, 2025
@openshift-ci-robot

openshift-ci-robot commented Jul 28, 2025

@bryan-cox: This pull request references CNTRLPLANE-263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.z" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from sub-mod and theobarberbany July 28, 2025 13:02
Member

@damdo damdo left a comment

/approve

cc. @nrb

openshift-ci bot commented Jul 28, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 28, 2025
@damdo
Member

damdo commented Jul 28, 2025

/assign @nrb

@nrb

nrb commented Jul 28, 2025

/lgtm

/retest-required

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 28, 2025
@bryan-cox
Member Author

/test security

@nrb

nrb commented Jul 28, 2025

Security verification was failing on this:


 ✗ [Medium] Path Traversal
   ID: a7448f64-c142-4f4e-8d3d-793913d4b04e 
   Path: hack/boilerplate/boilerplate.py, line 57 
   Info: Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
 ✗ [Medium] Path Traversal
   ID: ed01acc1-027a-4af3-8b13-8e85880dd57b 
   Path: hack/boilerplate/boilerplate.py, line 173 
   Info: Unsanitized input from a command line argument flows into os.walk, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

At the moment, I'm not quite sure how to log in to Snyk to mark this as ignored permanently, but we do not ship anything within the hack directory; these are build-time tools used primarily by the upstream developers.

/override ci/prow/security
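
Added example, not part of the thread and not the code in hack/boilerplate/boilerplate.py: the data flow the two findings describe (a command-line path reaching `open` and `os.walk`) with a containment check placed in front of both sinks. The function names, the single-root policy and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def resolve_under(root: str, user_path: str) -> Path:
    """Resolve user_path against root; refuse anything that lands outside it."""
    root_real = Path(root).resolve()
    # Joining an absolute user_path discards root, so the check below covers
    # both "../" sequences and absolute paths.
    candidate = (root_real / user_path).resolve()
    # Component-wise comparison: /repo-evil is not treated as inside /repo.
    if not candidate.is_relative_to(root_real):
        raise ValueError(f"{user_path!r} resolves outside {root_real}")
    return candidate

def read_header(root: str, user_path: str, limit: int = 1024) -> str:
    """open() sink, reached only after the containment check."""
    with open(resolve_under(root, user_path), encoding="utf-8") as fh:
        return fh.read(limit)

def list_files(root: str, user_dir: str) -> list:
    """os.walk() sink: checked start directory, symlinked files skipped."""
    root_real = Path(root).resolve()
    found = []
    # followlinks defaults to False, so symlinked directories are not entered.
    for dirpath, _dirs, names in os.walk(resolve_under(root, user_dir)):
        for name in names:
            full = Path(dirpath) / name
            if not full.is_symlink():
                found.append(full.relative_to(root_real).as_posix())
    return sorted(found)

def demo() -> dict:
    """Constructed tree: one file inside the root, one beside it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        (repo / "pkg").mkdir(parents=True)
        (repo / "pkg" / "main.go").write_text("// Copyright\n", encoding="utf-8")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("outside\n", encoding="utf-8")
        rejected = 0
        for bad in ("../secret.txt", str(outside)):
            try:
                read_header(str(repo), bad)
            except ValueError:
                rejected += 1
        return {"header": read_header(str(repo), "pkg/main.go"),
                "files": list_files(str(repo), "."), "rejected": rejected}

if __name__ == "__main__":
    print(demo())
```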

openshift-ci bot commented Jul 28, 2025

@nrb: Overrode contexts on behalf of nrb: ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@nrb

nrb commented Jul 28, 2025

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jul 28, 2025
@bryan-cox bryan-cox changed the title CNTRLPLANE-263: Add support to disable CAPZ components through a manager flag OCPBUGS-59888: Add support to disable CAPZ components through a manager flag Jul 28, 2025
@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jul 28, 2025
@openshift-ci-robot

@bryan-cox: This pull request references Jira Issue OCPBUGS-59888, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@bryan-cox
Member Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 28, 2025
@openshift-ci-robot

@bryan-cox: This pull request references Jira Issue OCPBUGS-59888, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-59887 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-59887 targets the "4.20.0" version, which is one of the valid target versions: 4.20.0
  • bug has dependents

Requesting review from QA contact:
/cc @sunzhaohua2

@openshift-ci openshift-ci bot requested a review from sunzhaohua2 July 28, 2025 18:17
@damdo
Member

damdo commented Jul 28, 2025

/override ci/prow/security

openshift-ci bot commented Jul 28, 2025

@damdo: Overrode contexts on behalf of damdo: ci/prow/security

openshift-ci bot commented Jul 28, 2025

@bryan-cox: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/security | d51dd10 | link | true | /test security |
| ci/prow/okd-scos-e2e-aws-ovn | d51dd10 | link | false | /test okd-scos-e2e-aws-ovn |

@sunzhaohua2

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jul 29, 2025
@sunzhaohua2

/label qe-approved

Set up a cluster and disabled cvo and cluster-capi-operator, updated deployment capz-controller-manager to try the new flag - --disable-controllers-or-webhooks=DisableAzureJSONMachineController; the deployment works well.

$ oc get po                
NAME                                       READY   STATUS    RESTARTS   AGE
capi-controller-manager-65f5c44f8b-mqh6n   1/1     Running   0          24m
capz-controller-manager-b64c4885-r66hx     1/1     Running   0          21s
$ oc get po capz-controller-manager-b64c4885-r66hx -o yaml | grep disable                     
    - --disable-controllers-or-webhooks=DisableAzureJSONMachineController

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Jul 29, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 2e2909c into openshift:release-4.19 Jul 29, 2025
14 of 15 checks passed
@openshift-ci-robot

@bryan-cox: Jira Issue OCPBUGS-59888: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-59888 has been moved to the MODIFIED state.

@bryan-cox bryan-cox deleted the CNTRLPLANE-263 branch July 29, 2025 10:30
@openshift-bot

[ART PR BUILD NOTIFIER]

Distgit: ose-azure-cluster-api-controllers
This PR has been included in build ose-azure-cluster-api-controllers-container-v4.19.0-202507291138.p0.g2e2909c.assembly.stream.el9.
All builds following this will include this PR.

@openshift-merge-robot

Fix included in accepted release 4.19.0-0.nightly-2025-07-30-023414
