villebro opened a new pull request, #119: URL: https://github.com/apache/superset-kubernetes-operator/pull/119
## Summary

The MySQL clone script passed Secret-backed database passwords as `-p"$VAR"` arguments, which the shell expands into the `mysql`/`mysqldump` process argv — visible via `ps` and `/proc/<pid>/cmdline`. Clone can run in Staging/Production with `passwordFrom`, so this contradicted the claim in `docs/reference/security.md` that the operator never leaks secret values. The same script also interpolated the target database name into destructive `DROP`/`CREATE DATABASE` SQL unquoted.

This PR fixes both, mirroring the safer patterns already used by the create-database helper, and folds in a few docs and test inconsistencies found along the way.

## Details

**Security fixes (`internal/controller/lifecycle_clone.go`)**

- Pass passwords via the `MYSQL_PWD` env var instead of `-p"$VAR"`, mirroring `lifecycle_create_db.go`. The target password is exported once at the top (inherited by the import side of the pipe and postCloneSQL); the source password is scoped inside the dump subshell so the two never collide. Empty passwords stay unset to support passwordless/trust/IAM auth.
- Backtick-quote and escape the database identifier in `DROP`/`CREATE DATABASE` rather than interpolating the raw name into SQL.
- `internal/controller/clone_test.go`: regression assertions that the generated script contains no `-p"$`, uses `MYSQL_PWD` on both source and target sides, and emits a backtick-quoted/escaped identifier.

**Docs & tooling**

- `docs/reference/downloads.md`: add the ASF source-release section (signed tarball, `.asc`, `.sha512`, `KEYS`, and `gpg`/`shasum` verification) referenced by the announce template, and refresh the stale download banner. Links use `<version>` placeholders to fill in once artifacts are staged.
- `scripts/render-supported-versions.sh` + `docs/getting-started.md`: bring the previously hand-written (and stale) supported-Kubernetes-version line under generation via a new inline sentinel (`SUPPORTED-K8S-INLINE`) driven by the same `.github/supported-k8s.json` source of truth, so `make codegen` / CI drift checks keep it current with no new manual step.
- `README.md` / `docs/index.md`: soften the namespace-scoped RBAC claims to note that CRD installation and (unless disabled) secure metrics auth still require cluster-scoped RBAC, linking to the precise installation constraints.

**Test cleanup**

- `internal/controller/serviceaccount_test.go`: rename the `create=false` without-name case to reflect it is a CEL-rejected, defensive-only path rather than a supported configuration, with a cross-reference to the validation rule.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
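The two fixes described in the PR, sketched as POSIX shell functions so the generated-script shape can be checked without a MySQL server. This is an added example, not the operator's code or the PR's diff; the function names and the `SOURCE_DB_PASSWORD` / `TARGET_DB_PASSWORD` environment variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the superset-kubernetes-operator PR. It sketches
# the two fixes described above as shell functions that can be checked without
# a MySQL server. All function names and the env var names
# SOURCE_DB_PASSWORD / TARGET_DB_PASSWORD are assumptions of this example.

# Quote a MySQL identifier: wrap in backticks, doubling any embedded backtick,
# so a database name can never terminate the identifier early in DROP/CREATE.
mysql_quote_ident() {
    printf '`%s`\n' "$(printf '%s' "$1" | sed 's/`/``/g')"
}

# Single-quote a value for safe interpolation into generated shell text.
shell_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Render the clone script text. Passwords are read from the environment by
# mysql/mysqldump via MYSQL_PWD and never appear in argv: the target password
# is exported once (inherited by the import side of the pipe and by any
# post-clone SQL), the source password only inside the dump subshell. Empty
# passwords stay unset so passwordless/trust/IAM auth keeps working.
# Arguments: src_host src_user src_db dst_host dst_user dst_db
render_clone_script() {
    src_host=$(shell_quote "$1"); src_user=$(shell_quote "$2"); src_db=$(shell_quote "$3")
    dst_host=$(shell_quote "$4"); dst_user=$(shell_quote "$5"); dst_db=$(shell_quote "$6")
    q_dst_db=$(mysql_quote_ident "$6")
    sql=$(shell_quote "DROP DATABASE IF EXISTS $q_dst_db; CREATE DATABASE $q_dst_db;")
    cat <<EOF
set -eu
if [ -n "\${TARGET_DB_PASSWORD:-}" ]; then export MYSQL_PWD="\$TARGET_DB_PASSWORD"; fi
mysql -h $dst_host -u $dst_user -e $sql
(
  if [ -n "\${SOURCE_DB_PASSWORD:-}" ]; then export MYSQL_PWD="\$SOURCE_DB_PASSWORD"; fi
  mysqldump -h $src_host -u $src_user $src_db
) |
mysql -h $dst_host -u $dst_user $dst_db
EOF
}

# The regression check the PR adds to its tests: a script still carrying
# -p"$ passes a password on the command line. Returns 0 when the script is clean.
script_keeps_password_off_argv() {
    ! printf '%s' "$1" | grep -q -- '-p"\$'
}

# Stand-alone usage: render a script for constructed sample connections.
render_clone_script src.example.internal ro_user superset db.example.internal admin 'superset-copy'
```

The rendered text is only printed, never executed, so the example runs offline; the identifier quoting and the shell quoting are separate layers, and both are needed when SQL is embedded in a generated shell command.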
