Open kirthiprakash opened 1 month ago
Since you've already locally done the needed package update, would you want to submit a PR with the updates?
I'd be happy to submit a PR, but it looks like my experiment was incomplete. I had only checked the package versions without validating if it would work. Today, I tried running it locally and encountered compatibility issues:
go test controllers/*.go
# github.com/tigera/operator/pkg/render
pkg/render/logstorage.go:318:15: cannot use corev1.ResourceRequirements{…} (value of type "k8s.io/api/core/v1".ResourceRequirements) as "k8s.io/api/core/v1".VolumeResourceRequirements value in struct literal
pkg/render/logstorage.go:330:32: cannot use overridePvcRequirements(pvcTemplate.Spec.Resources, userOverrides) (value of type "k8s.io/api/core/v1".ResourceRequirements) as "k8s.io/api/core/v1".VolumeResourceRequirements value in assignment
pkg/render/logstorage.go:330:56: cannot use pvcTemplate.Spec.Resources (variable of type "k8s.io/api/core/v1".VolumeResourceRequirements) as "k8s.io/api/core/v1".ResourceRequirements value in argument to overridePvcRequirements
FAIL command-line-arguments [build failed]
FAIL
I will look into this and see if I can make the version changes without affecting compatibility.
We appreciate the value this tool brings to our production environment. However, our vulnerability scans have identified a vulnerability with the package github.com/emicklei/go-restful, an indirect dependency of this project. Could this be addressed?
Vulnerability details
Expected Behavior
Current Behavior
Possible Solution
go mod why shows that multiple packages depend on the go-restful package. In my local experiments, upgrading the github.com/elastic/cloud-on-k8s package bumps go-restful to >v3.10.0, which includes the fix for the vulnerability.
Context
Your Environment
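An added example (not from the issue or from the operator's code) of verifying the "Possible Solution" after a dependency bump: it reads `go list -m -json all` output and lists every resolved go-restful module that is not newer than v3.10.0, the floor taken from the issue text. The un-suffixed module path and the `/v3` path are distinct Go modules and can both be resolved into one build, so each is checked; `staleModules`, `parse` and the sample data are hypothetical names and constructed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample of `go list -m -json all` output; the versions are made up.
const sample = `{"Path":"github.com/emicklei/go-restful","Version":"v2.9.5+incompatible"}
{"Path":"github.com/emicklei/go-restful/v3","Version":"v3.11.0"}
{"Path":"example.com/unrelated","Version":"v1.0.0"}`

// parse reads "v3.10.0" or "v2.9.5+incompatible" as [major minor patch], dropping any suffix.
func parse(v string) (n [3]int, err error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, _, _ = strings.Cut(core, "-")
	_, err = fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err
}

// staleModules returns path@version for each module at or under prefix that is not newer than f.
func staleModules(r io.Reader, prefix string, f [3]int) ([]string, error) {
	var stale []string
	for dec := json.NewDecoder(r); dec.More(); {
		var m struct{ Path, Version string }
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		// Match the module itself and its /vN variants, not look-alike names.
		if m.Path != prefix && !strings.HasPrefix(m.Path, prefix+"/") {
			continue
		}
		g, err := parse(m.Version)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", m.Path, err)
		}
		if g[0] < f[0] || g[0] == f[0] && (g[1] < f[1] || g[1] == f[1] && g[2] <= f[2]) {
			stale = append(stale, m.Path+"@"+m.Version)
		}
	}
	return stale, nil
}

func main() {
	// Floor {3, 10, 0} is the ">v3.10.0" stated in the issue.
	fmt.Println(staleModules(strings.NewReader(sample), "github.com/emicklei/go-restful", [3]int{3, 10, 0}))
}
```

To check a real build, pass `os.Stdin` as the reader and pipe `go list -m -json all` into the program; an empty result means no resolved go-restful module is at or below the floor.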