
@smarterclayton (Contributor):

The --force flag is dangerous and potentially allows untrusted
content to be upgraded to accidentally. Instead, introduce two
new flags --allow-explicit-upgrade (for upgrading to something not
in availableVersions) and --allow-unsafe-upgrade (for upgrading
when another upgrade is in progress or the cluster is reporting
an error) and remove those checks from --force.

While this is an API change, it is necessary to ensure that users
do not accidentally get access to untrusted content when
performing upgrades across major versions in advance of graph
updates, or when they are upgrading in disconnected environments.

Backport of openshift/oc#109

@openshift-ci-robot:

@smarterclayton: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

upgrade: Separate flags for safety instead of abusing force

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 27, 2019
@smarterclayton smarterclayton changed the title upgrade: Separate flags for safety instead of abusing force Bug 1756458: Separate flags for safety instead of abusing force Sep 27, 2019
@openshift-ci-robot:

@smarterclayton: This pull request references Bugzilla bug 1756458, which is invalid:

  • expected dependent Bugzilla bug 1756453 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is POST instead
  • expected dependent Bugzilla bug 1756454 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is NEW instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1756458: Separate flags for safety instead of abusing force

@openshift-ci-robot openshift-ci-robot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Sep 27, 2019
@smarterclayton smarterclayton changed the title Bug 1756458: Separate flags for safety instead of abusing force Bug 1756458: Separate upgrade flags for safety instead of abusing force Sep 27, 2019
The --force flag is dangerous and potentially allows untrusted
content to be upgraded to accidentally. Instead, introduce two
new flags `--allow-explicit-upgrade` (for upgrading to something not
in availableVersions) and `--allow-upgrade-with-warnings` (for upgrading
when another upgrade is in progress or the cluster is reporting
an error) and remove those checks from `--force`.

While this is an API change, it is necessary to ensure that users
do not accidentally get access to untrusted content when
performing upgrades across major versions in advance of graph
updates, or when they are upgrading in disconnected environments.
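To make the separation concrete, here is an added example (not code from openshift/oc) modelling the upgrade gate before and after the change, using the flag names from the commit message above; the `Options` and `Cluster` types and the sample version strings are constructed for the example. It rests on one fact about the ClusterVersion API: `force` on the desired update lets the CVO apply a release image that fails signature verification, which is the untrusted-content risk the PR describes.

```go
package main

import "fmt"

// Options models the oc adm upgrade flags named in the PR; the struct is constructed for this example.
type Options struct {
	To                       string // desired version
	Force                    bool   // --force: sets desiredUpdate.force, so the CVO may apply an image that fails signature verification
	AllowExplicitUpgrade     bool   // --allow-explicit-upgrade
	AllowUpgradeWithWarnings bool   // --allow-upgrade-with-warnings
}

// Cluster is a constructed stand-in for the ClusterVersion status fields the checks consult.
type Cluster struct {
	AvailableVersions []string // versions the update graph offers this cluster
	UpgradeInProgress bool     // another upgrade is still progressing
	ReportingError    bool     // the cluster reports a failing condition
}

func isAvailable(c Cluster, to string) bool {
	for _, v := range c.AvailableVersions {
		if v == to {
			return true
		}
	}
	return false
}

// CheckBefore is the pre-PR gate: --force is the only way past either check, and it also disables image verification.
func CheckBefore(o Options, c Cluster) (forceImage bool, err error) {
	if !o.Force && !isAvailable(c, o.To) {
		return false, fmt.Errorf("%s is not in availableVersions; pass --force", o.To)
	}
	if !o.Force && (c.UpgradeInProgress || c.ReportingError) {
		return false, fmt.Errorf("cluster is upgrading or reporting an error; pass --force")
	}
	return o.Force, nil
}

// CheckAfter is the gate after the PR: each risk has its own flag and --force satisfies neither.
func CheckAfter(o Options, c Cluster) (forceImage bool, err error) {
	if !o.AllowExplicitUpgrade && !isAvailable(c, o.To) {
		return false, fmt.Errorf("%s is not in availableVersions; pass --allow-explicit-upgrade", o.To)
	}
	if !o.AllowUpgradeWithWarnings && (c.UpgradeInProgress || c.ReportingError) {
		return false, fmt.Errorf("cluster is upgrading or reporting an error; pass --allow-upgrade-with-warnings")
	}
	return o.Force, nil // verification is skipped only when the user explicitly asked for it
}
```

The point to take from the two gates is that after the change a disconnected or cross-major upgrade can be accepted with `--allow-explicit-upgrade` while `forceImage` stays false, so image verification is never switched off as a side effect.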
@smarterclayton (Contributor, Author):

/retest

@soltysh (Contributor):

soltysh commented Oct 7, 2019

/bugzilla refresh

@openshift-ci-robot:

@soltysh: This pull request references Bugzilla bug 1756458, which is invalid:

  • expected dependent Bugzilla bug 1756453 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ON_QA instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

@soltysh (Contributor) left a review:

/lgtm
/approve

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Oct 7, 2019
@openshift-ci-robot:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: smarterclayton, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@smarterclayton (Contributor, Author):

/bugzilla refresh

@openshift-ci-robot:

@smarterclayton: This pull request references Bugzilla bug 1756458, which is invalid:

  • expected dependent Bugzilla bug 1756453 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ON_QA instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

@enj (Contributor):

enj commented Oct 16, 2019

/uncc

@stlaz @sttts @mfojtik

@openshift-ci-robot openshift-ci-robot removed the request for review from enj October 16, 2019 15:08
@smarterclayton (Contributor, Author):

/bugzilla refresh

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Oct 16, 2019
@openshift-ci-robot:

@smarterclayton: This pull request references Bugzilla bug 1756458, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

/bugzilla refresh

@openshift-ci-robot openshift-ci-robot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Oct 16, 2019
@jwforres jwforres added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Oct 22, 2019
@openshift-merge-robot openshift-merge-robot merged commit 861932d into openshift:release-4.1 Oct 22, 2019
@openshift-ci-robot:

@smarterclayton: All pull requests linked via external trackers have merged. Bugzilla bug 1756458 has been moved to the MODIFIED state.

In response to this:

Bug 1756458: Separate upgrade flags for safety instead of abusing force
