
fix(deps): upgrade ansible-operator v1.40.0 → v1.42.2 (CVE-2026-33186)#349

Open
B-Whitt wants to merge 2 commits into ansible:main from B-Whitt:fix/CVE-2026-33186-gRPC-Go

Conversation


@B-Whitt B-Whitt commented May 20, 2026

Summary

  • CVE-2026-33186: gRPC-Go authorization bypass due to improper HTTP/2
    :path validation (CVSS 9.1). Fixed in grpc-go v1.79.3.
  • Upgrades ansible-operator base image and OPERATOR_SDK_VERSION from
    v1.40.0 to v1.42.2, which ships google.golang.org/grpc@v1.79.3.
  • Upstream fix only. The downstream RHEL image
    (ansible-automation-platform-26/eda-controller-rhel9-operator) is built
    from openshift/ansible-operator-plugins, which is still at
    google.golang.org/grpc@v1.75.1. The downstream image remains vulnerable
    until that fork bumps gRPC-Go to >= v1.79.3 and the base image is rebuilt.

Tracked in: https://redhat.atlassian.net/browse/AAP-76149

Changes

File            Change
Dockerfile:1    Base image            v1.40.0 → v1.42.2
Makefile:51     OPERATOR_SDK_VERSION  v1.40.0 → v1.42.2

Verification

Fix confirmed by pulling ansible-operator:v1.42.2 and inspecting the
embedded Go module version:

  $ strings ansible-operator | grep "google.golang.org/grpc@"
  google.golang.org/grpc@v1.79.3

Test Plan

  • make docker-build succeeds
  • Operator deploys and reconciles in test cluster
  • Existing molecule tests pass

Ref: AAP-75792
Assisted by: Claude Opus

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated operator framework base image and operator SDK toolkit from v1.40.0 to v1.42.2 for improved stability and features
    • Refreshed build environment configuration to use updated toolkit versions
    • Added Python virtual environment directory to development ignore list
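The verification above greps `strings` output for the module path, which also matches any stale or unrelated string that happens to contain it. As an added example that is not part of this PR or of operator-sdk, the Go program below reads the module table the Go toolchain embeds in every binary (the same data `go version -m` prints) and compares the google.golang.org/grpc version that was actually linked against v1.79.3, the first fixed release named in the PR description. It honours a replace directive and treats pre-release and pseudo-versions as older than the matching release. Run it with the path of a binary extracted from the image, or with no argument to exercise two constructed build infos (one at v1.79.3 for the upstream v1.42.2 image, one at v1.75.1 for the downstream fork); the sample module paths and versions other than those two are constructed for the example.

```go
// grpccheck: report which google.golang.org/grpc version is linked into a Go
// binary by reading its embedded build info instead of grepping `strings`.
// Added example, not code from this PR or from operator-sdk.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

const (
	grpcModule   = "google.golang.org/grpc"
	grpcFixedVer = "v1.79.3" // first fixed gRPC-Go release, per the PR description
)

// parseSemver splits a module version such as "v1.79.3" or "v1.80.0-rc1" into
// its numeric core and reports whether it carries a pre-release suffix, which
// also covers pseudo-versions like "v1.79.3-0.20260101000000-abcdef012345".
func parseSemver(v string) (core [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		prerelease = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, false, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, false, fmt.Errorf("bad component %q in version %q", p, v)
		}
		core[i] = n
	}
	return core, prerelease, nil
}

// compareSemver returns -1, 0 or 1 as a is older than, equal to or newer than
// b. A pre-release or pseudo-version sorts before the matching release, so a
// commit between v1.79.2 and v1.79.3 is still reported as older than v1.79.3.
func compareSemver(a, b string) (int, error) {
	ac, apre, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	bc, bpre, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := range ac {
		if ac[i] < bc[i] {
			return -1, nil
		}
		if ac[i] > bc[i] {
			return 1, nil
		}
	}
	switch {
	case apre && !bpre:
		return -1, nil
	case !apre && bpre:
		return 1, nil
	}
	return 0, nil
}

// grpcStatus returns the gRPC-Go version linked into the binary described by
// bi and whether it is at or above grpcFixedVer. A replace directive wins over
// the required version because the replacement is what was compiled in.
func grpcStatus(bi *debug.BuildInfo) (version string, fixed bool, err error) {
	for _, dep := range bi.Deps {
		if dep.Path != grpcModule {
			continue
		}
		if dep.Replace != nil {
			dep = dep.Replace
		}
		c, err := compareSemver(dep.Version, grpcFixedVer)
		if err != nil {
			return dep.Version, false, err
		}
		return dep.Version, c >= 0, nil
	}
	return "", false, fmt.Errorf("%s is not linked into this binary", grpcModule)
}

// sampleBuildInfo is a constructed BuildInfo (not from a real image) that
// links the given gRPC-Go version, so the example runs offline.
func sampleBuildInfo(grpcVersion string) *debug.BuildInfo {
	return &debug.BuildInfo{
		Path: "example.com/constructed/ansible-operator", // constructed main module path
		Deps: []*debug.Module{
			{Path: "example.com/constructed/otherdep", Version: "v0.1.0"},
			{Path: grpcModule, Version: grpcVersion},
		},
	}
}

// report prints one line per binary and returns true when it is at a fixed version.
func report(label string, bi *debug.BuildInfo) bool {
	ver, ok, err := grpcStatus(bi)
	if err != nil {
		fmt.Printf("%s: %v\n", label, err)
		return false
	}
	state := "VULNERABLE (< " + grpcFixedVer + ")"
	if ok {
		state = "fixed (>= " + grpcFixedVer + ")"
	}
	fmt.Printf("%s: %s@%s %s\n", label, grpcModule, ver, state)
	return ok
}

func main() {
	if len(os.Args) == 2 {
		// Real binary: extract it from the image first (e.g. podman create +
		// podman cp), then pass its path. Exit 1 if it is still vulnerable.
		bi, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		if !report(os.Args[1], bi) {
			os.Exit(1)
		}
		return
	}
	// No argument: the two versions the PR description names, as constructed samples.
	report("constructed upstream v1.42.2 image", sampleBuildInfo("v1.79.3"))
	report("constructed downstream rhel9 image", sampleBuildInfo("v1.75.1"))
}
```

Because `buildinfo.ReadFile` parses the module table rather than scanning for text, a binary whose go.mod requires one grpc version but replaces it with another is reported with the replacement version, and a binary that does not link grpc at all is an error rather than a silent "no match".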

B-Whitt added 2 commits May 20, 2026 12:53
…3186

gRPC-Go < v1.79.3 allows authorization bypass via malformed HTTP/2 :path headers. The v1.42.2 base image and SDK ship grpc@v1.79.3.

Ref: AAP-75792

Assisted by: Claude Opus

coderabbitai Bot commented May 20, 2026

Walkthrough

This PR updates operator framework dependencies and adds Python development environment configuration. The Dockerfile and Makefile both upgrade to ansible-operator v1.42.2 and operator-sdk v1.42.2 respectively, and .gitignore gains an entry to exclude Python virtual environments from version control.

Changes

Dependency and Environment Updates

Layer / File(s)                                             Summary
Operator framework and SDK version alignment                Ansible-operator base image and operator-sdk version are bumped from
(Dockerfile, Makefile)                                      v1.40.0 to v1.42.2 in the build base layer and makefile download targets.
Python virtual environment configuration (.gitignore)       Python virtual environment directory is added to gitignore to exclude
                                                            local development environments from tracking.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks: 5 passed

Check name                    Status   Explanation
Docstring Coverage            Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check           Passed   Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check    Passed   Check skipped because no linked issues were found for this pull request.
Title check                   Passed   The title clearly and specifically describes the main change: upgrading ansible-operator from v1.40.0 to v1.42.2 to address a security vulnerability. It is concise, directly related to the changeset, and includes the CVE reference for context.
Description Check             Passed   Check skipped because CodeRabbit's high-level summary is enabled.


B-Whitt changed the title from "fix(deps): [devel] upgrade ansible-operator v1.40.0 → v1.42.2 (CVE-2026-33186)" to "fix(deps): upgrade ansible-operator v1.40.0 → v1.42.2 (CVE-2026-33186)" on May 20, 2026
Contributor

ttuffin commented May 21, 2026

LGTM, although we should confirm we are bumping to the same version as other operators. @rooftopcellist @lucas-benedito do you know if v1.42.2 is the version we're using in other operators?

Member

kaiokmo commented May 21, 2026

> LGTM, although we should confirm we are bumping to the same version as other operators. @rooftopcellist @lucas-benedito do you know if v1.42.2 is the version we're using in other operators?

You read my mind, @ttuffin . Also looping @dsavineau on this one
