Skip to content

verticadb-operator/25.4.0.0-r2: cve remediation #76703

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
octo-sts wants to merge 1 commit into
base: main
Choose a base branch
from
Open

verticadb-operator/25.4.0.0-r2: cve remediation #76703

octo-sts wants to merge 1 commit into from

Conversation

@octo-sts
Copy link
Contributor

@octo-sts octo-sts bot commented Dec 23, 2025

verticadb-operator/25.4.0.0-r2: fix GHSA-c4p6-qg4m-9jmr

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/verticadb-operator.advisories.yaml

"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/vertica/vertica-kubernetes@v25.4.0-0

@octo-sts octo-sts bot added automated pr request-cve-remediation go/bump p:verticadb-operator GHSA-c4p6-qg4m-9jmr P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Dec 23, 2025
@octo-sts
Copy link
Contributor Author

octo-sts bot commented Dec 23, 2025

⚙️ Build Failed: Configuration

Error: not all generators ran successfully - controller-gen failed to generate CRD manifests due to missing schema types for k8s.io/api/core/v1 types

Build Details

Category Details
Build System make
Failure Point make manifests - controller-gen rbac:roleName=manager-role crd paths="./..." output:crd:artifacts:config=config/crd/bases

Root Cause Analysis 🔍

The controller-gen tool is unable to locate schema definitions for Kubernetes core/v1 API types. This appears to be caused by incompatible versions between the k8s.io/api dependency and the controller-gen tool version v0.15.0. The error shows multiple 'unknown type' and 'unable to locate schema' messages for basic Kubernetes types like ConditionStatus, NodeAffinity, ResourceRequirements, etc.

🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Makefile

  • modification at line manifests target (controller-gen target)
    Original:
controller-gen rbac:roleName=manager-role crd paths="./..." output:crd:artifacts:config=config/crd/bases

Replacement:

controller-gen rbac:roleName=manager-role crd:allowDangerousTypes=true paths="./..." output:crd:artifacts:config=config/crd/bases

Content:

Add allowDangerousTypes flag to controller-gen command

File: tools.go

  • addition (root directory)
    Replacement:
//go:build tools

package tools

import (
	_ "sigs.k8s.io/controller-tools/cmd/controller-gen"
)

Content:

Create tools.go file to ensure controller-gen dependencies are properly managed

File: go.mod

  • addition (require section)
    Replacement:
sigs.k8s.io/controller-tools v0.15.0

Content:

Ensure controller-tools version is explicitly pinned
Click to expand fix analysis

Analysis

Since no similar build failures were provided, I'm analyzing the current error which shows controller-gen v0.15.0 failing to locate schema definitions for basic Kubernetes types like ConditionStatus, NodeAffinity, and ResourceRequirements. This typically occurs when there are version mismatches between controller-tools and k8s.io dependencies, or when the controller-gen tool needs specific build tags or module configuration to locate the required schemas.

Click to expand fix explanation

Explanation

The controller-gen tool is failing because it cannot locate schema definitions for Kubernetes core types. This typically happens when there are version mismatches or when the tool needs specific flags to handle certain type definitions. The suggested fix includes: 1) Adding the allowDangerousTypes=true flag to the controller-gen command, which allows it to process types that might not have complete schema information; 2) Creating a tools.go file to ensure proper dependency management for build tools; 3) Explicitly pinning the controller-tools version in go.mod to ensure consistency. The allowDangerousTypes flag is particularly important as it tells controller-gen to proceed even when it encounters types without complete schema definitions, which is common with core Kubernetes API types.

Click to expand alternative approaches

Alternative Approaches

  • Downgrade controller-gen to an earlier version (v0.14.x) that may be more compatible with the current k8s.io/api version
  • Update all k8s.io dependencies to versions that are fully compatible with controller-gen v0.15.0
  • Use build constraints or module replace directives to ensure controller-gen can find the required schemas
  • Run controller-gen with specific module paths using the -w flag to set the working directory

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ai/skip-comment Stop AI from commenting on PR automated pr GHSA-c4p6-qg4m-9jmr go/bump p:verticadb-operator P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. request-cve-remediation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant