From 5abc6b80d052142b2039137fc63eea67197f3139 Mon Sep 17 00:00:00 2001 From: Stavros kois Date: Mon, 9 Jan 2023 13:49:52 +0200 Subject: [PATCH] add some sanity checks for paths and reduce complexity on portal generation by a lot --- .../container_in_deployment/probe_test.yaml | 10 +++++++ .../volumeMounts_test.yaml | 10 +++++++ .../deployment/volume_hostPath_test.yaml | 14 +++++++++- .../tests/deployment/volume_nfs_test.yaml | 14 +++++++++- .../tests/portal/portal_host_test.yaml | 2 +- .../tests/portal/portal_path_test.yaml | 18 ++++++++++++ library/common-test/values.yaml | 28 +++++++++++++++++++ .../templates/lib/container/_volumeMounts.tpl | 7 +++-- .../lib/container/probes/_httpGet.tpl | 8 ++++-- .../templates/lib/pod/volumes/_hostPath.tpl | 9 ++++-- .../1.0.0/templates/lib/pod/volumes/_nfs.tpl | 9 ++++-- .../1.0.0/templates/lib/portal/_host.tpl | 21 +++++++------- .../1.0.0/templates/lib/portal/_path.tpl | 24 ++++++++-------- .../1.0.0/templates/lib/portal/_port.tpl | 21 +++++++------- .../1.0.0/templates/lib/portal/_protocol.tpl | 21 +++++++------- 15 files changed, 161 insertions(+), 55 deletions(-) diff --git a/library/common-test/tests/container_in_deployment/probe_test.yaml b/library/common-test/tests/container_in_deployment/probe_test.yaml index 3d558b949b..033f0e2ec7 100644 --- a/library/common-test/tests/container_in_deployment/probe_test.yaml +++ b/library/common-test/tests/container_in_deployment/probe_test.yaml 
@@ -192,6 +192,16 @@ tests: - failedTemplate: errorMessage: Invalid probe type (not_valid_type) on probe (liveness) in (RELEASE-NAME-common-test) container. Valid types are tcp, http, https, grpc, exec, auto + - it: should fail with probe path not starting with / + set: + probes: + liveness: + type: http + path: a/random/path + asserts: + - failedTemplate: + errorMessage: Probe in container (RELEASE-NAME-common-test) with path (a/random/path), must start with a forward slash -> / <- + - it: should fail with httpHeader value is defined as list set: probes: diff --git a/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml b/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml index 5b56da7109..950f228fca 100644 --- a/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml +++ b/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml @@ -21,6 +21,16 @@ tests: - failedTemplate: errorMessage: must be defined, alternatively use the flag. + - it: should fail when mountPath does not start with / + set: + persistence: + vol1: + enabled: true + mountPath: relative/path/to/dir + asserts: + - failedTemplate: + errorMessage: Mount path (relative/path/to/dir), must start with a forward slash -> / <- + - it: should fail with empty readOnly set: persistence: diff --git a/library/common-test/tests/deployment/volume_hostPath_test.yaml b/library/common-test/tests/deployment/volume_hostPath_test.yaml index 094e0df4a2..721ecde8f8 100644 --- a/library/common-test/tests/deployment/volume_hostPath_test.yaml +++ b/library/common-test/tests/deployment/volume_hostPath_test.yaml 
@@ -21,7 +21,19 @@ tests: noMount: true asserts: - failedTemplate: - errorMessage: hostPath not set on item some_volume + errorMessage: hostPath not set on item (some_volume) + + - it: should fail with hostPath not starting with / + set: + persistence: + some_volume: + type: hostPath + enabled: true + mountPath: /some/path + hostPath: some/relative/path + asserts: + - failedTemplate: + errorMessage: Host path (some/relative/path) on item (some_volume) must start with a forward slash -> / <- - it: should fail with ValidateHostPath globally set on and invalid hostPath (/mnt/pool) set: diff --git a/library/common-test/tests/deployment/volume_nfs_test.yaml b/library/common-test/tests/deployment/volume_nfs_test.yaml index edb2abd912..dcd0e86ce1 100644 --- a/library/common-test/tests/deployment/volume_nfs_test.yaml +++ b/library/common-test/tests/deployment/volume_nfs_test.yaml @@ -37,12 +37,24 @@ tests: some_volume: type: nfs enabled: true - path: some_path + path: /some_path noMount: true asserts: - failedTemplate: errorMessage: NFS Server not set on item some_volume + - it: should fail with path not starting with / + set: + persistence: + some_volume: + type: nfs + enabled: true + path: some/relative/path + noMount: true + asserts: + - failedTemplate: + errorMessage: NFS path (some/relative/path) on (some_volume) must start with a forward slash -> / <- + - it: should fail with not set path on nfs set: persistence: diff --git a/library/common-test/tests/portal/portal_host_test.yaml b/library/common-test/tests/portal/portal_host_test.yaml index c23d1b7903..fef96bfcea 100644 --- a/library/common-test/tests/portal/portal_host_test.yaml +++ b/library/common-test/tests/portal/portal_host_test.yaml 
@@ -26,7 +26,7 @@ tests: targetPort: 80 asserts: - failedTemplate: - errorMessage: You have defined empty in . Define a path or remove the key. + errorMessage: You have defined empty in . Define a host or remove the key. - it: should pass with defaults on single service/port documentIndex: &portalDoc 2 diff --git a/library/common-test/tests/portal/portal_path_test.yaml b/library/common-test/tests/portal/portal_path_test.yaml index b46a7dc14f..f94bb9877a 100644 --- a/library/common-test/tests/portal/portal_path_test.yaml +++ b/library/common-test/tests/portal/portal_path_test.yaml @@ -28,6 +28,24 @@ tests: - failedTemplate: errorMessage: You have defined empty in . Define a path or remove the key. + - it: should fail with portal override with path not starting with / + set: + portal: + main: + main: + path: a/relative/path + service: + main: + enabled: true + ports: + main: + enabled: true + port: 10000 + targetPort: 80 + asserts: + - failedTemplate: + errorMessage: Portal path (a/relative/path) must start with a forward slash -> / <- + - it: should pass with defaults on single service/port documentIndex: &portalDoc 2 set: diff --git a/library/common-test/values.yaml b/library/common-test/values.yaml index 67cebbb6ff..a4699a4d58 100644 --- a/library/common-test/values.yaml +++ b/library/common-test/values.yaml @@ -3,3 +3,31 @@ service: ports: main: port: 65535 + +# jobs: +# jobname: +# enabled: true +# nameOverride: "" +# cron: +# enabled: false +# annotations: {} +# labels: {} +# schedule: "* *" +# timezone: +# concurrencyPolicy: +# failedJobsHistoryLimit: 0 +# successfulJobsHistoryLimit: 0 +# startingDeadlineSeconds: +# annotations: +# labels: +# backoffLimit: 5 +# ttlSecondsAfterFinished: 100 +# activeDeadlineSeconds: 100 +# parallelism: 1 +# completions: 1 +# completionMode: Indexed + +# containers: +# containername: +# imageSelector: asdfas +# restartPolicy: Never 
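Review bot: The commented-out `jobs:` / `containers:` block appended to library/common-test/values.yaml is unrelated to the path checks this commit describes, and it carries placeholder values such as `imageSelector: asdfas`. Dead configuration in shared test values is easy to uncomment by accident and hard to attribute later. Consider dropping it from this commit, or moving it to the change that introduces job support.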
diff --git a/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl b/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl index b3175efd20..6e14f68727 100644 --- a/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl +++ b/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl @@ -62,12 +62,15 @@ {{- $root := .root -}} {{- $item := .item -}} {{- $name := .name -}} - {{- if not $item.mountPath -}} {{/* Make sure that we have a mountPath */}} {{- fail " must be defined, alternatively use the flag." -}} {{- end -}} + {{- $mountPath := (tpl $item.mountPath $root) -}} + {{- if not (hasPrefix "/" $mountPath) -}} + {{- fail (printf "Mount path (%s), must start with a forward slash -> / <-" $mountPath) -}} + {{- end }} - name: {{ tpl $name $root }} - mountPath: {{ tpl $item.mountPath $root }} + mountPath: {{ $mountPath }} {{- with $item.subPath }} subPath: {{ tpl . $root }} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/container/probes/_httpGet.tpl b/library/common/1.0.0/templates/lib/container/probes/_httpGet.tpl index 7a282f938e..d78b3cccc9 100644 --- a/library/common/1.0.0/templates/lib/container/probes/_httpGet.tpl +++ b/library/common/1.0.0/templates/lib/container/probes/_httpGet.tpl @@ -9,10 +9,14 @@ {{- end -}} {{- if not $probe.path -}} {{- fail (printf " must be defined for / probe types in probe (%s) in (%s) container." $probe.name $containerName) -}} - {{- end }} + {{- end -}} + {{- $probePath := tpl $probe.path $root -}} + {{- if not (hasPrefix "/" $probePath) -}} + {{- fail (printf "Probe in container (%s) with path (%s), must start with a forward slash -> / <-" $containerName $probePath) -}} + {{- end -}} httpGet: - path: {{ tpl $probe.path $root }} + path: {{ $probePath }} scheme: {{ $probe.type | upper }} port: {{ $probe.port }} {{- with $probe.httpHeaders }} 
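Review bot: The new `fail` message for a relative mount path names only the path, not the volume, so with several `persistence` entries the operator cannot tell which one is wrong. The host-path and NFS messages added in this commit do include the item. Consider `{{- fail (printf "Mount path (%s) on item (%s), must start with a forward slash -> / <-" $mountPath $name) -}}` and updating the expected string in volumeMounts_test.yaml. The probe message in the _httpGet.tpl hunk likewise names the container but not `$probe.name`, which the preceding message in that file does use. Both define blocks extend outside their hunks.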
diff --git a/library/common/1.0.0/templates/lib/pod/volumes/_hostPath.tpl b/library/common/1.0.0/templates/lib/pod/volumes/_hostPath.tpl index 96cc210019..28c3ad80ff 100644 --- a/library/common/1.0.0/templates/lib/pod/volumes/_hostPath.tpl +++ b/library/common/1.0.0/templates/lib/pod/volumes/_hostPath.tpl @@ -3,10 +3,15 @@ {{- $vol := .volume -}} {{- $root := .root -}} - {{- include "ix.v1.common.controller.volumes.hostPath.validation" (dict "volume" $vol "root" $root) }} {{/* hostPath validation (if enabled) */}} + {{- include "ix.v1.common.controller.volumes.hostPath.validation" (dict "volume" $vol "root" $root) -}} {{/* hostPath validation (if enabled) */}} + {{- if not $vol.hostPath -}} + {{- fail (printf "hostPath not set on item (%s)" $index) -}} + {{- else if not (hasPrefix "/" $vol.hostPath) -}} + {{- fail (printf "Host path (%s) on item (%s) must start with a forward slash -> / <-" $vol.hostPath $index) -}} + {{- end }} - name: {{ $index }} hostPath: - path: {{ required (printf "hostPath not set on item %s" $index) $vol.hostPath }} + path: {{ $vol.hostPath }} {{- with $vol.hostPathType -}} {{- $type := (tpl . $root) -}} {{- include "ix.v1.common.controller.hostPathType.validation" (dict "index" $index "type" $type) }} diff --git a/library/common/1.0.0/templates/lib/pod/volumes/_nfs.tpl b/library/common/1.0.0/templates/lib/pod/volumes/_nfs.tpl index f237cd08af..805afd0317 100644 --- a/library/common/1.0.0/templates/lib/pod/volumes/_nfs.tpl +++ b/library/common/1.0.0/templates/lib/pod/volumes/_nfs.tpl 
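Review bot: `hasPrefix "/"` only proves the host path is absolute; a value with parent-directory segments (constructed example: `/mnt/pool/../../etc`) still passes, and the raw string is what gets rendered into `hostPath.path`. Because this path is mounted from the node, normalise it before checking, e.g. `{{- $hostPath := clean $vol.hostPath -}}`, and fail when the cleaned form differs from the input. Whether the `hostPath.validation` helper called just above already handles this cannot be seen from the hunk; if it compares path prefixes it should receive the cleaned value too. The NFS hunk in _nfs.tpl uses the same prefix-only check. The define block starts and ends outside this hunk.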
@@ -1,9 +1,14 @@ {{- define "ix.v1.common.controller.volumes.nfs" -}} {{- $index := .index -}} {{- $vol := .volume -}} - {{- $root := .root }} + {{- $root := .root -}} + {{- if not $vol.path -}} + {{- fail (printf "NFS Path not set on item %s" $index) -}} + {{- else if not (hasPrefix "/" $vol.path ) -}} + {{- fail (printf "NFS path (%s) on (%s) must start with a forward slash -> / <-" $vol.path $index) -}} + {{- end }} - name: {{ $index }} nfs: server: {{ required (printf "NFS Server not set on item %s" $index) $vol.server }} - path: {{ required (printf "NFS Path not set on item %s" $index) $vol.path }} + path: {{ $vol.path }} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/portal/_host.tpl b/library/common/1.0.0/templates/lib/portal/_host.tpl index 9068f39d41..8efac96cc3 100644 --- a/library/common/1.0.0/templates/lib/portal/_host.tpl +++ b/library/common/1.0.0/templates/lib/portal/_host.tpl 
@@ -16,19 +16,18 @@ {{/* If ingress is added at any point, here is the place to implement */}} {{/* Check if there are any overrides in .Values.portal */}} - {{- range $name, $svc := $root.Values.portal -}} - {{- if eq $svcName $name -}} - {{- range $name, $port := $svc -}} - {{- if eq $portName $name -}} - {{- if (hasKey $port "host") -}} - {{- $portalHost = (tpl (toString $port.host) $root) -}} - {{- if or (eq $portalHost "") (not $portalHost) -}} {{/* toString on a nil key returns the string "" */}} - {{- fail "You have defined empty in . Define a path or remove the key." -}} - {{- end -}} - {{- end -}} + {{- $tmpSVCPortal := get $root.Values.portal $svcName -}} + {{- if $tmpSVCPortal -}} + {{- $tmpPortPortal := get $tmpSVCPortal $portName -}} + {{- if $tmpPortPortal -}} + {{- if (hasKey $tmpPortPortal "host") -}} + {{- if or (kindIs "invalid" $tmpPortPortal.host) (not $tmpPortPortal.host) -}} + {{- fail "You have defined empty in . Define a host or remove the key." -}} {{- end -}} + {{- $portalHost = (tpl (toString $tmpPortPortal.host) $root) -}} {{- end -}} {{- end -}} {{- end -}} -{{- $portalHost -}} + + {{- $portalHost -}} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/portal/_path.tpl b/library/common/1.0.0/templates/lib/portal/_path.tpl index 6c498428a1..6d748457a1 100644 --- a/library/common/1.0.0/templates/lib/portal/_path.tpl +++ b/library/common/1.0.0/templates/lib/portal/_path.tpl 
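Review bot: The emptiness check now runs on the raw `$tmpPortPortal.host` before `tpl` is applied, so a host written as a template expression that renders to an empty string is no longer rejected and an empty host is returned. The removed code tested the rendered value. Keep the `kindIs "invalid"` test on the raw value, since `toString` on nil yields a non-empty string, then assign first and test the result: `{{- $portalHost = (tpl (toString $tmpPortPortal.host) $root) -}}` followed by `{{- if not $portalHost -}}`. A test case with a host that templates to an empty value would pin this down. The define block starts outside the hunk.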
@@ -9,19 +9,21 @@ {{/* If ingress is added at any point, here is the place to implement */}} {{/* Check if there are any overrides in .Values.portal */}} - {{- range $name, $svc := $root.Values.portal -}} - {{- if eq $svcName $name -}} - {{- range $name, $port := $svc -}} - {{- if eq $portName $name -}} - {{- if (hasKey $port "path") -}} - {{- $portalPath = (tpl (toString $port.path) $root) -}} - {{- if or (eq $portalPath "") (not $portalPath) -}} {{/* toString on a nil key returns the string "" */}} - {{- fail "You have defined empty in . Define a path or remove the key." -}} - {{- end -}} - {{- end -}} + {{- $tmpSVCPortal := get $root.Values.portal $svcName -}} + {{- if $tmpSVCPortal -}} + {{- $tmpPortPortal := get $tmpSVCPortal $portName -}} + {{- if $tmpPortPortal -}} + {{- if (hasKey $tmpPortPortal "path") -}} + {{- if or (kindIs "invalid" $tmpPortPortal.path) (not $tmpPortPortal.path) -}} + {{- fail "You have defined empty in . Define a path or remove the key." -}} + {{- end -}} + {{- $portalPath = (tpl (toString $tmpPortPortal.path) $root) -}} + {{- if not (hasPrefix "/" $portalPath) -}} + {{- fail (printf "Portal path (%s) must start with a forward slash -> / <-" $portalPath) -}} {{- end -}} {{- end -}} {{- end -}} {{- end -}} -{{- $portalPath -}} + + {{- $portalPath -}} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/portal/_port.tpl b/library/common/1.0.0/templates/lib/portal/_port.tpl index 3a1d209bae..e51a265d73 100644 --- a/library/common/1.0.0/templates/lib/portal/_port.tpl +++ b/library/common/1.0.0/templates/lib/portal/_port.tpl 
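Review bot: `get $root.Values.portal $svcName` requires a map, so unlike the removed `range`, which iterates nothing over a missing value, it aborts rendering with a Go type error if `.Values.portal` is unset. The inner `get` fails the same way if a service entry is not a map. Whether the library defaults always define `portal` is not visible in this diff; if they do not, guard the lookup with `{{- $tmpSVCPortal := get ($root.Values.portal | default dict) $svcName -}}`. The same lookup appears in the _host.tpl, _port.tpl and _protocol.tpl hunks. The define block starts outside the hunk.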
@@ -20,19 +20,18 @@ {{/* If ingress is added at any point, here is the place to implement */}} {{/* Check if there are any overrides in .Values.portal */}} - {{- range $name, $svc := $root.Values.portal -}} - {{- if eq $svcName $name -}} - {{- range $name, $port := $svc -}} - {{- if eq $portName $name -}} - {{- if (hasKey $port "port") -}} - {{- $portalPort = (tpl (toString $port.port) $root) -}} - {{- if or (lt (int $portalPort) 1) (gt (int $portalPort) 65535) (eq (int $portalPort) 0) -}} - {{- fail (printf "Port (%s) in is out of range. Range is 1-65535" $portalPort) -}} - {{- end -}} - {{- end -}} + {{- $tmpSVCPortal := get $root.Values.portal $svcName -}} + {{- if $tmpSVCPortal -}} + {{- $tmpPortPortal := get $tmpSVCPortal $portName -}} + {{- if $tmpPortPortal -}} + {{- if (hasKey $tmpPortPortal "port") -}} + {{- $portalPort = (tpl (toString $tmpPortPortal.port) $root) -}} + {{- if or (lt (int $portalPort) 1) (gt (int $portalPort) 65535) (eq (int $portalPort) 0) -}} + {{- fail (printf "Port (%s) in is out of range. Range is 1-65535" $portalPort) -}} {{- end -}} {{- end -}} {{- end -}} {{- end -}} -{{- $portalPort -}} + + {{- $portalPort -}} {{- end -}} diff --git a/library/common/1.0.0/templates/lib/portal/_protocol.tpl b/library/common/1.0.0/templates/lib/portal/_protocol.tpl index 4388705c13..d1057077be 100644 --- a/library/common/1.0.0/templates/lib/portal/_protocol.tpl +++ b/library/common/1.0.0/templates/lib/portal/_protocol.tpl 
@@ -16,19 +16,18 @@ {{/* If ingress is added at any point, here is the place to implement */}} {{/* Check if there are any overrides in .Values.portal */}} - {{- range $name, $svc := $root.Values.portal -}} - {{- if eq $svcName $name -}} - {{- range $name, $port := $svc -}} - {{- if eq $portName $name -}} - {{- if (hasKey $port "protocol") -}} - {{- $portalProtocol = ((tpl (toString $port.protocol) $root) | lower) -}} - {{- if not (has $portalProtocol (list "http" "https")) -}} - {{- fail (printf "Invalid protocol (%s). Only HTTP/HTTPS protocols are allowed for " $portalProtocol) -}} - {{- end -}} - {{- end -}} + {{- $tmpSVCPortal := get $root.Values.portal $svcName -}} + {{- if $tmpSVCPortal -}} + {{- $tmpPortPortal := get $tmpSVCPortal $portName -}} + {{- if $tmpPortPortal -}} + {{- if (hasKey $tmpPortPortal "protocol") -}} + {{- $portalProtocol = ((tpl (toString $tmpPortPortal.protocol) $root) | lower) -}} + {{- if not (has $portalProtocol (list "http" "https")) -}} + {{- fail (printf "Invalid protocol (%s). Only HTTP/HTTPS protocols are allowed for " $portalProtocol) -}} {{- end -}} {{- end -}} {{- end -}} {{- end -}} -{{- $portalProtocol -}} + + {{- $portalProtocol -}} {{- end -}}