[confcom] Fix bugs in containers from_vn2 command#9625
✔️ Azure CLI Extensions Breaking Change Test

Thank you for your contribution! We will review the pull request and get back to you soon.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with the latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

```shell
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```
Pull request overview
This PR fixes multiple bugs in the `containers from_vn2` command that were discovered during testing with policy fragment generation. The fixes improve compatibility with ORAS CLI >= 1.3.0, correct handling of Kubernetes Deployment/StatefulSet resources, and prevent incorrect policy generation for containers without explicit commands or with non-exec probes.
Changes:
- Fixed ORAS fragment discovery to support both old ("manifests") and new ("referrers") API response formats in ORAS CLI >= 1.3.0
- Fixed Deployment/StatefulSet volume mount and securityContext resolution to correctly access pod template specs
- Fixed command array handling to preserve image ENTRYPOINT/CMD when no command/args are specified in Kubernetes YAML
- Fixed exec_processes generation to exclude non-exec probes (httpGet/tcpSocket)
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/confcom/setup.py | Version bump from 1.7.1 to 1.7.2 for bug fix release |
| src/confcom/HISTORY.rst | Added changelog entries documenting all four bug fixes |
| src/confcom/azext_confcom/oras_proxy.py | Added backward compatibility for ORAS >= 1.3.0 by checking both "referrers" and "manifests" keys |
| src/confcom/azext_confcom/lib/images.py | Added filtering to prevent errors from dmverity-vhd output lines without "hash: " |
| src/confcom/azext_confcom/command/containers_from_vn2.py | Added _get_pod_spec helper and fixed volume, securityContext, command, and exec_processes handling for templated Kubernetes resources |
| src/confcom/samples/vn2/*/containers.inc.rego | Removed empty "command" arrays from 10 sample outputs to match fixed behavior |
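
The four resolution rules listed in the review above, worked through on constructed input. This is an added example, not code from the confcom extension: the function names (`get_pod_spec`, `container_entries`, `fragment_digests`, `dmverity_root_hashes`), the output structure and the fragment `artifactType` value are illustrative assumptions, and the Deployment manifest, the two `oras discover` JSON shapes and the dmverity-vhd output are all made up inline. The security-relevant point is the same for each rule: a generator that reads `spec` instead of `spec.template.spec`, pins an empty `command`, or lists an httpGet probe under `exec_processes` produces a policy that either rejects the real workload or allows processes it never needed.

```python
"""Added example (not confcom's own code): the resolution rules this PR fixes,
run over constructed inputs. Function and field names are illustrative."""
import json

# Constructed Deployment. For templated kinds the securityContext, volumes and
# containers sit under spec.template.spec, not under spec as for a Pod.
DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"replicas": 2, "template": {"spec": {
        "securityContext": {"runAsUser": 1000},
        "volumes": [{"name": "data", "emptyDir": {}}],
        "containers": [{
            "name": "web",
            "image": "example.azurecr.io/web:1.0",   # no command/args in YAML
            "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"exec": {"command": ["/bin/sh", "-c", "test -f /data/ready"]}},
        }],
    }}},
}

# Constructed `oras discover --format json` outputs: referrers are listed under
# "manifests" before ORAS 1.3.0 and under "referrers" from 1.3.0 on.
FRAGMENT_TYPE = "application/x-ms-ccepolicy-frag"   # assumed fragment artifactType
_REFERRERS = [
    {"digest": "sha256:" + "a" * 64, "artifactType": FRAGMENT_TYPE},
    {"digest": "sha256:" + "b" * 64, "artifactType": "application/vnd.example.sbom"},
]
ORAS_OLD = json.dumps({"manifests": _REFERRERS})
ORAS_NEW = json.dumps({"referrers": _REFERRERS})

# Constructed dmverity-vhd output with a diagnostic line mixed in.
DMVERITY_OUT = ("Layer 0 root hash: " + "c" * 64 + "\n" +
                "fetching layer 1\n" +
                "Layer 1 root hash: " + "d" * 64 + "\n")


def get_pod_spec(resource):
    """Pod spec for a Pod or a templated workload. Reading resource["spec"] for a
    Deployment would silently drop its securityContext, volumes and mounts."""
    kind = resource.get("kind")
    if kind == "Pod":
        return resource["spec"]
    if kind in ("Deployment", "StatefulSet"):
        return resource["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def container_command(container):
    """command + args from the YAML, or None so the image ENTRYPOINT/CMD is kept;
    emitting [] would pin an empty command in the policy."""
    cmd = list(container.get("command", [])) + list(container.get("args", []))
    return cmd or None


def exec_processes(container):
    """Only exec probes spawn a process in the container; httpGet and tcpSocket
    probes are served over the network and need no exec allowance."""
    procs = []
    for probe in ("livenessProbe", "readinessProbe", "startupProbe"):
        spec = container.get(probe) or {}
        if "exec" in spec:
            procs.append(list(spec["exec"]["command"]))
    return procs


def fragment_digests(discover_json):
    """Policy-fragment digests from either ORAS output shape."""
    data = json.loads(discover_json)
    entries = data.get("referrers")
    if entries is None:
        entries = data.get("manifests", [])
    return [e["digest"] for e in entries if e.get("artifactType") == FRAGMENT_TYPE]


def dmverity_root_hashes(output):
    """Keep only lines carrying 'hash: '; everything else is diagnostics."""
    return [line.split("hash: ", 1)[1].strip()
            for line in output.splitlines() if "hash: " in line]


def container_entries(resource):
    """Per-container policy inputs resolved through the right pod spec."""
    pod = get_pod_spec(resource)
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    entries = []
    for c in pod["containers"]:
        entry = {
            "name": c["name"],
            "image": c["image"],
            # container-level securityContext fields override pod-level ones
            "securityContext": {**pod.get("securityContext", {}), **c.get("securityContext", {})},
            "mounts": [{"path": m["mountPath"], "volume": volumes[m["name"]]}
                       for m in c.get("volumeMounts", [])],
            "exec_processes": exec_processes(c),
        }
        cmd = container_command(c)
        if cmd is not None:   # omit the key instead of emitting []
            entry["command"] = cmd
        entries.append(entry)
    return entries


if __name__ == "__main__":
    print(json.dumps(container_entries(DEPLOYMENT), indent=2))
```

Running the module prints one entry for the `web` container with the pod-level `runAsUser`, the `/data` mount, only the readiness probe's shell command under `exec_processes`, and no `command` key at all; `fragment_digests` returns the same single fragment digest for both ORAS output shapes.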
/azp run

Commenter does not have sufficient privileges for PR 9625 in repo Azure/azure-cli-extensions

/azp run

Azure Pipelines successfully started running 2 pipeline(s).

/azp run

Commenter does not have sufficient privileges for PR 9625 in repo Azure/azure-cli-extensions

/azp run

Azure Pipelines successfully started running 2 pipeline(s).
…confcom-containers-from-vn2-command
Looks like there are 5 CI tests failing due to Docker Hub rate limiting:

Since this is unrelated to these changes, the PR should be ready to get merged.
@yonzhan Could you please re-run the tests? They might eventually pass if they don't hit the Docker Hub rate limit.

@necusjz Could you please review and merge this PR?

/azp run

Commenter does not have sufficient privileges for PR 9625 in repo Azure/azure-cli-extensions

/azp run

Azure Pipelines successfully started running 2 pipeline(s).
The tests are now failing for errors in other integration tests, unrelated to this PR:
…confcom-containers-from-vn2-command
/azp run

Azure Pipelines successfully started running 2 pipeline(s).

@necusjz The PR has passed all the checks. Could you please approve and merge it? Thanks!
[Release] Update index.json for extension [ confcom ] : https://dev.azure.com/msazure/One/_build/results?buildId=155068399&view=results |
Fix various bugs found when testing the new `containers from_vn2` command with policy fragment generation. See CHANGELOG for details.

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

az confcom

General Guidelines

- Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)

For new extensions:

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into the main branch, a new pull request will be created to update `src/index.json` automatically. You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR, but do not modify `src/index.json`.