Skip to content

Merge 1.2.3 to main #78

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
indrora wants to merge 1 commit into from
Closed

Merge 1.2.3 to main #78

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
# 1.2.3

## Bug Fixes
- fix(management): `K8SNS` and `K8SCluster` Management Remove jobs no longer throw `IndexOutOfRangeException` when alias does not contain the expected `/` delimiter.

# 1.2.2

## Bug Fixes
Expand All @@ -22,6 +27,12 @@ on missing or invalid secret field name.
## Features
- feat(client): Retry interrupted connections to k8s cluster.

# 1.1.4

## Bug Fixes
- fix(management): `K8SNS` Management Add job no longer throws `IndexOutOfRangeException` when alias does not contain the expected `/` delimiter.
- fix(management): `K8SNS` and `K8SCluster` Management Remove jobs no longer throw `IndexOutOfRangeException` when alias does not contain the expected `/` delimiter.

# 1.1.3

## Bug Fixes
Expand Down
Binary file modified docsource/images/K8SCluster-basic-store-type-dialog.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified docsource/images/K8SNS-basic-store-type-dialog.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified docsource/images/K8STLSSecr-basic-store-type-dialog.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
12 changes: 12 additions & 0 deletions kubernetes-orchestrator-extension/Jobs/Management.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -688,13 +688,25 @@ private JobResult HandleRemove(string secretType, ManagementJobConfiguration con
var splitAlias = certAlias.Split("/");
if (Capability.Contains("K8SNS"))
{
if (splitAlias.Length < 2)
{
var errMsg = $"Invalid alias format for K8SNS store type. Expected pattern: 'secrets/<tls|opaque>/<secret_name>' but got '{certAlias}'";
Logger.LogError(errMsg);
return FailJob(errMsg, config.JobHistoryId);
}
// Split alias by / and get second to last element KubeSecretType
KubeSecretType = splitAlias[^2];
KubeSecretName = splitAlias[^1];
Comment on lines +691 to 699

Copilot AI Apr 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The validation for the K8SNS remove alias is too lenient for the format described in the error message. With the documented pattern secrets/<tls|opaque>/<secret_name>, splitAlias.Length must be at least 3 (and ideally also validate the fixed secrets segment) before indexing [^2]/[^1]; otherwise aliases like tls/mysecret will be treated as valid and can lead to removing the wrong secret.

Copilot uses AI. Check for mistakes.
if (string.IsNullOrEmpty(KubeNamespace)) KubeNamespace = StorePath;
}
else if (Capability.Contains("K8SCluster"))
{
if (splitAlias.Length < 3)
{
var errMsg = $"Invalid alias format for K8SCluster store type. Expected pattern: '<namespace>/secrets/<tls|opaque>/<secret_name>' but got '{certAlias}'";
Logger.LogError(errMsg);
return FailJob(errMsg, config.JobHistoryId);
}
KubeSecretType = splitAlias[^2];
KubeSecretName = splitAlias[^1];
KubeNamespace = splitAlias[0];
Comment on lines +704 to 712

Copilot AI Apr 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The K8SCluster alias validation does not match the documented expected pattern. The message indicates <namespace>/secrets/<tls|opaque>/<secret_name> (4 segments), but the code only requires 3 segments; a 3-part alias will pass and then KubeSecretType becomes secrets. Consider requiring at least 4 segments (and validating the secrets segment) before extracting KubeSecretType/KubeSecretName/KubeNamespace.

Copilot uses AI. Check for mistakes.
Expand Down
Loading
Loading