You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
How to test changes / Special notes to the reviewer
Checklist
For each Chart updated, version bumped in the corresponding Chart.yaml according to Semantic Versioning.
For each Chart updated, variables are documented in the values.yaml and added to the corresponding README.md. The pre-commit utility can be used to generate the necessary content. Use pre-commit run -a to apply changes. The pre-commit Workflow will do this automatically for you if needed.
JSON Schema template updated and re-generated the raw schema via the pre-commit hook.
Tests pass using the Chart Testing tool and the ct lint command.
QE automation changes required to test these changes.
Any documentation updates outside this repo/PR that may be done in parallel.
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🔒 Security concerns
TLS verification weakening: QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL=true together with QUARKUS_DATASOURCE_REACTIVE_POSTGRESQL_SSL_MODE=allow may disable/relax certificate validation and allow non-TLS connections depending on server/client negotiation. This can expose DB credentials and traffic to interception if used outside tightly controlled environments. Consider making these settings optional/configurable and defaulting to secure verification.
The template introduces hardcoded DB-related behavior (dbMigrationStrategy: service) and hardcoded TLS settings (QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL=true, ..._SSL_MODE=allow) when jobServiceImage is set. This should be validated for security and portability, and ideally made configurable via values.yaml (or omitted by default) to match existing chart configurability patterns. (Ref 2, Ref 6)
Reference reasoning: Existing SonataFlowPlatform configuration in the codebase focuses on declarative persistence wiring (secretRef/serviceRef) without embedding trust-all/SSL overrides in the manifest, and the chart’s values.yaml pattern exposes SonataFlowPlatform knobs as user-configurable fields rather than hardcoding operational/security-sensitive settings in templates.
Add dbMigrationStrategy: service configuration to job service persistence settings
Add PostgreSQL SSL environment variables (QUARKUS_DATASOURCE_REACTIVE_POSTGRESQL_SSL_MODE and QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL) to job service container
To prevent Man-in-the-Middle attacks, enforce SSL certificate verification by setting QUARKUS_DATASOURCE_REACTIVE_POSTGRESQL_SSL_MODE to verify-full and QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL to false.
Why: The suggestion correctly identifies and offers a fix for a significant security vulnerability (MITM risk) introduced by disabling database connection certificate validation.
High
Possible issue
Move migration strategy out of persistence
Correct the configuration by moving dbMigrationStrategy to be a direct child of jobService and a sibling of persistence, ensuring the database migration runs correctly.
+dbMigrationStrategy: service
persistence:
- dbMigrationStrategy: service
postgresql:
secretRef:
name: {{ .Release.Name }}-postgresql-svcbind-postgres
jdbcUrl: jdbc:postgresql://...
[To ensure code accuracy, apply this suggestion manually]
Suggestion importance[1-10]: 8
__
Why: The suggestion correctly identifies a misconfiguration where dbMigrationStrategy is placed incorrectly, which will likely cause the database migration to fail.
The reason will be displayed to describe this comment to others. Learn more.
@elai-shalev when testing this on an OCP cluster I only changed the env var variables, I did not add the dbMigrationStrategy: service section. It seemed to worked regardless.
After conversing with @y-first offline, looks like this PR is not really needed. The extra env-vars should only be added in the specific case for deploying orchestraotr with an external DB and using SSL, and was needed for a workaround in the QE's setup. This could be handled in documentation. Closing this PR for now
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of the change
This PR will introduce necessary changes in Orchestrator's Sonataflow Platform, following the switch to use Openshift Serverless Logic v1.37
for more information see this slack thread
Which issue(s) does this PR fix or relate to
- JIRA_issue_link
How to test changes / Special notes to the reviewer
Checklist
Chart.yamlaccording to Semantic Versioning.values.yamland added to the corresponding README.md. The pre-commit utility can be used to generate the necessary content. Usepre-commit run -ato apply changes. The pre-commit Workflow will do this automatically for you if needed.pre-commithook.ct lintcommand.