tower 0.61.10 — Phase I review hardening
Pre-test review of 0.61.9 surfaced two issues in the manifest reader:
1. v3 stores instanceCode under provenance.* but readManifestString
only looked at recipe → root. Today the v2 root mirror covers it,
but a future v4 dropping that mirror would silently lose the
filestore-rename hint.
2. Adding a blanket provenance lookup re-opened the leak: a poison
bundle could embed provenance.tenantId and have it reachable to
any future caller.
Fix: provenance lookup is now allowlisted to {instanceCode}. Any
new provenance field requires an explicit constant addition,
which is a code-review gate against re-introducing the leak.
Round-trip simulation (tools/phase_i_simulate.go) passes for v3,
v3-pure (no v2 mirrors), v3-poison, and v2.
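The allowlisted provenance lookup that the commit message describes, written out as an added Go illustration. This is not Tower's own code: the manifest shape, the lookup order (recipe, then the v2 root mirror, then provenance), the `provenanceAllowlist` constant and the three constructed sample bundles are all assumptions; only the field names `instanceCode` and `tenantId` come from the commit message.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// provenanceAllowlist is the only set of provenance.* keys the reader will
// surface. Adding a key here is a deliberate, reviewable change; a bundle
// that smuggles in provenance.tenantId never becomes reachable through
// ReadManifestString. (Assumed name and shape; not Tower's constant.)
var provenanceAllowlist = map[string]struct{}{
	"instanceCode": {},
}

// ReadManifestString returns the string value for key, looking in
// recipe.*, then the top-level root (the v2 mirror), then provenance.*
// but only when key is allowlisted. ok is false when nothing matched.
func ReadManifestString(raw []byte, key string) (val string, ok bool, err error) {
	var root map[string]interface{}
	if err := json.Unmarshal(raw, &root); err != nil {
		return "", false, err
	}
	if v, found := lookup(root, "recipe", key); found {
		return v, true, nil
	}
	if v, found := asString(root[key]); found { // v2 root mirror
		return v, true, nil
	}
	if _, allowed := provenanceAllowlist[key]; allowed {
		if v, found := lookup(root, "provenance", key); found {
			return v, true, nil
		}
	}
	return "", false, nil
}

// lookup reads root[section][key] as a non-empty string.
func lookup(root map[string]interface{}, section, key string) (string, bool) {
	sec, isMap := root[section].(map[string]interface{})
	if !isMap {
		return "", false
	}
	return asString(sec[key])
}

func asString(v interface{}) (string, bool) {
	s, isStr := v.(string)
	return s, isStr && s != ""
}

// Constructed sample bundles (not real Tower manifests).
const (
	// v3-pure: instanceCode lives only under provenance, no v2 mirror.
	V3Pure = `{"version":3,"recipe":{"name":"demo"},"provenance":{"instanceCode":"inst-0042"}}`
	// v3-poison: same, plus a tenantId the bundle author wants read back.
	V3Poison = `{"version":3,"recipe":{"name":"demo"},"provenance":{"instanceCode":"inst-0042","tenantId":"victim-tenant"}}`
	// v2: instanceCode mirrored at the root, no provenance section.
	V2 = `{"version":2,"recipe":{"name":"demo"},"instanceCode":"inst-0042"}`
)

func main() {
	for name, bundle := range map[string]string{"v3-pure": V3Pure, "v3-poison": V3Poison, "v2": V2} {
		for _, key := range []string{"instanceCode", "tenantId"} {
			v, ok, err := ReadManifestString([]byte(bundle), key)
			fmt.Printf("%-9s %-12s ok=%-5v val=%q err=%v\n", name, key, ok, v, err)
		}
	}
}
```

The poison bundle is the interesting case: `instanceCode` is still read from provenance because it is allowlisted, while `tenantId` sits in the same section and comes back as not found, so no caller can reach it without first editing the allowlist.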
@@ -9,7 +9,7 @@ backend:
|
|||||||
# so every cluster that runs Tower needs the same imagePullSecret
|
# so every cluster that runs Tower needs the same imagePullSecret
|
||||||
# provisioned out-of-band (until cluster-platform-v3 owns it).
|
# provisioned out-of-band (until cluster-platform-v3 owns it).
|
||||||
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
|
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
|
||||||
tag: "0.61.9"
|
tag: "0.61.10"
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
imagePullSecrets:
|
imagePullSecrets:
|
||||||
- name: docker-mirror-pull
|
- name: docker-mirror-pull
|
||||||
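Review bot: The only change in this hunk is the image tag bump from "0.61.9" to "0.61.10" in the backend values; the manifest-reader allowlist described in the commit message is not visible here, so confirm that the 0.61.10 image was built from the commit carrying that fix before this rolls out, since a tag alone does not bind the chart to a specific build (pinning an image digest alongside the tag would make that binding explicit and reviewable). The surrounding comment also notes that the imagePullSecret is provisioned out-of-band for every cluster running Tower, so a version bump like this one will fail to pull on any cluster where that secret has not yet been created.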