
@casibbald
Contributor

No description provided.

- Enhanced IP address creation logging to show address source (spec vs status)
- Verified all key reconcilers (IPAddress, Device, MACAddress) call update_tags_if_differ
- Confirmed description and DNS name fields are compared in drift detection
- Simplified device reconciler tag reconciliation flow
- All Phase 1-3 fixes completed: IP address issues, tag reconciliation, field updates
- Created diagnose_missing_resources.py to investigate why resources aren't created
- Checks CR existence, status, netbox_id, RBAC permissions
- Provides actionable recommendations for each resource
- Updated RECONCILIATION_DIFFERENCES_ANALYSIS.md with diagnostic tool usage
@github-actions

Hey there and thank you for opening this pull request! 👋

We require pull request titles to follow the
Conventional Commits specification
and it looks like your proposed title needs to be adjusted.

We use the pull request title in automated release changelog updates, and would like our
changelogs to look nice.

Details:

No release type found in pull request title "Kea first pass". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

resources = rule.get("resources", [])
verbs = rule.get("verbs", [])

if "dcops.microscaler.io" in api_groups:

Check failure: Code scanning / CodeQL: Incomplete URL substring sanitization (High). The string dcops.microscaler.io may be at an arbitrary position in the sanitized URL.

Copilot Autofix

AI 8 days ago

In general, to fix incomplete URL/host substring sanitization, you should parse the URL and compare the structured hostname (or API group) using exact or well-scoped suffix checks instead of generic substring checks. For non-URL lists like apiGroups, you should ensure you are comparing whole elements, not substrings within them.

In this script, api_groups is a list of API group identifiers from a ClusterRole rule. The expression "dcops.microscaler.io" in api_groups is interpreted by CodeQL as a potentially unsafe substring test. However, in Python, in on a list already performs equality comparison on list elements, not substring containment. To make this intent explicit and robust against any accidental change of api_groups to a string in the future, we can normalize api_groups to a list of strings and then check for equality on each element. The safest, least intrusive fix is:

  • Ensure api_groups is always treated as a list: if the JSON field is a single string, wrap it into a list.
  • Replace the direct membership test with an explicit loop or an any(...) that compares each element for equality with "dcops.microscaler.io". This makes it impossible for "foo-dcops.microscaler.io-bar" to match if api_groups ever became a string or a list with such a value.

Concretely, in check_rbac in scripts/diagnose_missing_resources.py, at the point where api_groups is retrieved, we will:

  1. Fetch apiGroups as before.
  2. If it is a string, convert it to a one-element list.
  3. Use any(group == "dcops.microscaler.io" for group in api_groups) instead of "dcops.microscaler.io" in api_groups.

No new imports are required, and functionality remains the same when api_groups is the expected list of strings.


Suggested changeset 1
scripts/diagnose_missing_resources.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/scripts/diagnose_missing_resources.py b/scripts/diagnose_missing_resources.py
--- a/scripts/diagnose_missing_resources.py
+++ b/scripts/diagnose_missing_resources.py
@@ -68,17 +68,19 @@
         # Check if this kind has list permission
         for rule in rules:
             api_groups = rule.get("apiGroups", [])
+            if isinstance(api_groups, str):
+                api_groups = [api_groups]
             resources = rule.get("resources", [])
             verbs = rule.get("verbs", [])
-            
-            if "dcops.microscaler.io" in api_groups:
+
+            if any(group == "dcops.microscaler.io" for group in api_groups):
                 # Convert kind to resource name (e.g., NetBoxDevice -> netboxdevices)
                 resource_name = kind.lower().replace("netbox", "netbox").replace("Box", "")
                 # More accurate: NetBoxDevice -> netboxdevices
                 if kind.startswith("NetBox"):
                     resource_name = kind[6:].lower() + "s"  # Remove "NetBox" prefix, add 's'
                     resource_name = "netbox" + resource_name
-                
+
                 # Check all possible resource name formats
                 possible_names = [
                     resource_name,
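Review bot: the replacement test `any(group == "dcops.microscaler.io" for group in api_groups)` still reports a missing permission when the ClusterRole grants the group through the wildcard `apiGroups: ["*"]`, which Kubernetes RBAC treats as matching every API group; the original `in` test had the same gap, so the autofix keeps a false negative in a script whose job is to explain why resources are not created. Suggest `any(group in ("*", "dcops.microscaler.io") for group in api_groups)`. The `isinstance(api_groups, str)` wrap is harmless but does not change behaviour for real RBAC data, since the API always returns apiGroups as a list. Separately, in the unchanged context line `resource_name = kind.lower().replace("netbox", "netbox").replace("Box", "")` both `replace` calls are no-ops (replacing "netbox" with itself, and "Box" cannot occur in a lower-cased string), so the line reduces to `resource_name = kind.lower()`; the comment above it could say so.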
EOF
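To make the distinction Copilot describes concrete, here is an added example (not code from the project's scripts/diagnose_missing_resources.py) that evaluates an RBAC rule by whole-element comparison and goes beyond the page's case by also honouring the "*" wildcard and checking resources and verbs; the function names and the sample rules are constructed for this illustration.

```python
from typing import Any, Dict, Iterable, List

OPERATOR_GROUP = "dcops.microscaler.io"  # API group checked by the page's script


def naive_group_check(rule: Dict[str, Any]) -> bool:
    # The pattern CodeQL flagged: element equality on a list, but a
    # substring test if apiGroups ever arrives as a bare string.
    return OPERATOR_GROUP in rule.get("apiGroups", [])


def _as_list(value: Any) -> List[str]:
    # Normalise a rule field to a list of strings (None -> [], str -> [str]).
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def _matches(wanted: str, allowed: Iterable[str]) -> bool:
    # Whole-element comparison; "*" is the RBAC wildcard for any value.
    return any(item in ("*", wanted) for item in allowed)


def rule_grants(rule: Dict[str, Any], group: str, resource: str, verb: str) -> bool:
    """True if one RBAC rule grants `verb` on `resource` in API group `group`."""
    return (
        _matches(group, _as_list(rule.get("apiGroups")))
        and _matches(resource, _as_list(rule.get("resources")))
        and _matches(verb, _as_list(rule.get("verbs")))
    )


def rules_grant(rules: Iterable[Dict[str, Any]], group: str, resource: str, verb: str) -> bool:
    # A permission is granted if any rule in the role grants it.
    return any(rule_grants(r, group, resource, verb) for r in rules)


# Constructed sample rules (not taken from any real ClusterRole).
SAMPLE_RULES = [
    {"apiGroups": ["dcops.microscaler.io"], "resources": ["netboxdevices"], "verbs": ["get", "list"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["watch"]},
    {"apiGroups": "foo-dcops.microscaler.io-bar", "resources": ["netboxdevices"], "verbs": ["delete"]},
]

if __name__ == "__main__":
    print(rules_grant(SAMPLE_RULES, OPERATOR_GROUP, "netboxdevices", "list"))   # True
    print(rules_grant(SAMPLE_RULES, OPERATOR_GROUP, "netboxdevices", "watch"))  # True, via "*"
    # Substring match says True; whole-element comparison correctly says False.
    print(naive_group_check(SAMPLE_RULES[2]), rules_grant(SAMPLE_RULES, OPERATOR_GROUP, "netboxdevices", "delete"))
```

The third sample rule shows why the exact comparison matters: the naive check accepts a group name that merely contains the operator's group as a substring, while `rules_grant` rejects it.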