HYPERFLEET-1317 - chore: add Ruclo to OWNERS#12

Merged
kuudori merged 2 commits into openshift-hyperfleet:main from rafabene:HYPERFLEET-1317-add-ruclo-to-owners on Jul 2, 2026

@rafabene rafabene commented Jul 2, 2026

Member

Summary

  • Add GitHub user Ruclo (Michal Vavrinec) as reviewer and approver to OWNERS

JIRA

https://redhat.atlassian.net/browse/HYPERFLEET-1317

rafabene added 2 commits July 2, 2026 13:28
Add SubnetSpec model and optional subnets array to ClusterPlatform
to support subnet configuration in cluster platform spec. Required by
E2E tests that validate Maestro Go template rendering of subnet data
in ManifestWork ConfigMaps.
@openshift-ci openshift-ci Bot requested review from jsell-rh and ma-hill July 2, 2026 17:34
openshift-ci Bot commented Jul 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign pnguyen44 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot commented Jul 2, 2026

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Added support for structured subnet entries in cluster platform configuration.
    • Introduced a new subnet information model with required details such as ID, name, CIDR, and role.
  • Documentation
    • Updated release notes and API/spec version information to reflect version 1.0.27.

Walkthrough

This PR introduces a SubnetSpec model (id, name, cidr, role, all required) across the TypeSpec source, generated OpenAPI spec, and Swagger definitions. ClusterPlatform's optional subnet string field is replaced with an optional subnets array of SubnetSpec. Service/API version is bumped from 1.0.26 to 1.0.27 in main.tsp, openapi.yaml, and swagger.yaml. CHANGELOG.md gets a new 1.0.27 entry and updated compare links. OWNERS adds Ruclo as approver and reviewer.

Estimated code review effort: 2 (Simple) | ~10 minutes

Security Notes

  • CWE-284 (Improper Access Control): OWNERS change grants Ruclo both approver and reviewer privileges — verify this identity via commit signature/org membership before merge; unauthorized OWNERS modifications are a common supply-chain injection vector for downstream CI/CD trust escalation.
  • Schema change (subnet string → subnets: SubnetSpec[]) is a breaking API contract change with no deprecation window documented in CHANGELOG — downstream consumers parsing subnet will silently fail; no CVE applicable, but flag as an availability/compatibility risk (CWE-1104 class: use of unmaintained third-party components not applicable here, but same principle re: contract stability).
  • No input validation constraints (e.g., CIDR format validation, regex pattern) specified for SubnetSpec.cidr in either OpenAPI or Swagger schema — untyped string CIDR fields risk downstream SSRF/injection if consumed by Adapter or Broker components without validation (CWE-20: Improper Input Validation). Recommend a pattern constraint in schema.

Sequence Diagram(s)

Not applicable — this PR is schema/metadata-only with no new multi-component runtime control flow.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title matches the OWNERS change, though it omits the schema and version updates also included in the diff. |
| Description check | ✅ Passed | The description accurately states the OWNERS update to add Ruclo as reviewer and approver. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Sec-02: Secrets In Log Output | ✅ Passed | No slog/logr/zap/fmt.Print* statements with token/password/credential/secret found; only workflow env refs to GITHUB_TOKEN and harmless echo output. CWE-532 not present. |
| No Hardcoded Secrets | ✅ Passed | No API keys, tokens, passwords, private keys, embedded creds, or long base64 strings in changed OWNERS/changelog/version/schema files (CWE-798/259). |
| No Weak Cryptography | ✅ Passed | No CWE-327/CWE-328/CWE-208 issues: touched files are OWNERS/docs/spec version/model changes only; no MD5/DES/RC4, ECB, custom crypto, or secret compares found. |
| No Injection Vectors | ✅ Passed | Touched files only update docs, OWNERS, versions, and schema fields; no CWE-89/CWE-78/CWE-79/CWE-502 sinks or unsafe data flow found. |
| No Privileged Containers | ✅ Passed | No manifests/Dockerfiles changed; scan found no privileged settings (CWE-250). |
| No Pii Or Sensitive Data In Logs | ✅ Passed | No logging statements were added; changes are OWNERS/changelog/schema/version only. No CWE-532-style data exposure found. |

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
models/cluster/model.tsp (1)

14-19: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

No format validation on cidr/role.

cidr: string accepts any value, not just valid CIDR notation, and role: string is unconstrained despite representing a small fixed set of values (e.g. public/private). Per HyperFleet SEC-03, input must be validated at API boundaries — this model defines the request schema.

🛡️ Proposed constraint
 model SubnetSpec {
     id: string;
     name: string;
-    cidr: string;
-    role: string;
+    `@pattern`("^([0-9]{1,3}\\.){3}[0-9]{1,3}/[0-9]{1,2}$")
+    cidr: string;
+    role: "public" | "private";
 }
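
Review bot: the pattern added on `cidr` checks shape only: `[0-9]{1,3}` admits octets up to 999 and `[0-9]{1,2}` admits prefix lengths up to 99, so `999.999.999.999/99` passes, while every IPv6 CIDR is rejected outright. Either bound the octets to 0-255 and the prefix to 0-32 in the expression (and decide explicitly whether IPv6 is in scope), or treat the pattern as a coarse filter and parse the value properly in the consuming handler. On the `role` line, the literal union `"public" | "private"` hard-codes a value set that the surrounding comment offers only as an example ("e.g. public/private"); confirm the allowed roles before this lands in the generated OpenAPI and Swagger, since any other value already in use would start failing validation.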

Note: this mirrors the existing unconstrained ClusterNetworkEntry.cidr field, so it's an existing pattern rather than a new regression — flagging as improvement opportunity.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@models/cluster/model.tsp` around lines 14 - 19, The SubnetSpec request schema
currently leaves cidr and role as unconstrained strings, so add API-boundary
validation in the model definition to enforce valid CIDR format and restrict
role to the allowed set (for example public/private). Update the SubnetSpec type
in the cluster model to use appropriate validation/enum constraints, and keep
the field names cidr and role aligned with any existing request/schema patterns.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@models/cluster/model.tsp`:
- Around line 14-19: The SubnetSpec request schema currently leaves cidr and
role as unconstrained strings, so add API-boundary validation in the model
definition to enforce valid CIDR format and restrict role to the allowed set
(for example public/private). Update the SubnetSpec type in the cluster model to
use appropriate validation/enum constraints, and keep the field names cidr and
role aligned with any existing request/schema patterns.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2189ffa2-fa70-464a-b5a4-121bc89c4271

📥 Commits

Reviewing files that changed from the base of the PR and between 1f869c2 and 27e39d7.

📒 Files selected for processing (6)
  • CHANGELOG.md
  • OWNERS
  • main.tsp
  • models/cluster/model.tsp
  • schemas/template/openapi.yaml
  • schemas/template/swagger.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
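
The difference between a shape-only pattern and real CIDR validation at the API boundary, as an added Go example (not code from this PR or from the HyperFleet repositories): it runs the regex from the proposed constraint next to `net/netip` parsing over constructed inputs. The function names, the `public`/`private` role set, and the rule that host bits must be zero are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Pattern copied from the proposed constraint in the review comment.
var proposedPattern = regexp.MustCompile(`^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$`)

// Assumed role set; the review offers public/private only as an example.
var allowedRoles = map[string]bool{"public": true, "private": true}

// MatchesProposedPattern reports whether cidr passes the shape-only regex.
func MatchesProposedPattern(cidr string) bool {
	return proposedPattern.MatchString(cidr)
}

// ValidateSubnet is a hypothetical boundary check for SubnetSpec.cidr and role.
func ValidateSubnet(cidr, role string) error {
	// ParsePrefix enforces octet range, prefix length, and handles IPv6.
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return fmt.Errorf("cidr %q: %w", cidr, err)
	}
	// Assumption: a subnet must be given as its network address.
	if p.Masked() != p {
		return fmt.Errorf("cidr %q has host bits set, want %s", cidr, p.Masked())
	}
	if !allowedRoles[role] {
		return fmt.Errorf("role %q is not in the allowed set", role)
	}
	return nil
}

func main() {
	// Constructed sample inputs, not taken from the PR.
	samples := []string{"10.0.1.0/24", "999.999.999.999/99", "10.0.1.0/33", "10.0.1.7/24", "fd00::/64"}
	for _, c := range samples {
		fmt.Printf("%-22q regex=%-5v strict=%v\n", c, MatchesProposedPattern(c), ValidateSubnet(c, "private"))
	}
}
```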

@kuudori kuudori merged commit ff75e1f into openshift-hyperfleet:main Jul 2, 2026
2 of 3 checks passed