From ca6535c19a4e27a2926887b77a5ba0174b354479 Mon Sep 17 00:00:00 2001 From: Stavros kois Date: Tue, 13 Dec 2022 21:12:55 +0200 Subject: [PATCH] harden volumeMounts and secret/configmap volumes and update tests --- .../tests/cert/cert_secret_mount_test.yaml | 36 +++++++++---------- .../volumeMounts_test.yaml | 13 ++++++- .../deployment/volume_configMap_test.yaml | 32 ++++++----------- .../tests/deployment/volume_secret_test.yaml | 32 ++++++----------- .../templates/lib/container/_volumeMounts.tpl | 6 +++- .../templates/lib/pod/volumes/_configMap.tpl | 7 +++- .../templates/lib/pod/volumes/_secret.tpl | 7 +++- 7 files changed, 69 insertions(+), 64 deletions(-) diff --git a/library/common-test/tests/cert/cert_secret_mount_test.yaml b/library/common-test/tests/cert/cert_secret_mount_test.yaml index b176525ecd..59ea6ea3b9 100644 --- a/library/common-test/tests/cert/cert_secret_mount_test.yaml +++ b/library/common-test/tests/cert/cert_secret_mount_test.yaml @@ -46,12 +46,12 @@ tests: enabled: true path: /some/path/crt.key readOnly: true - defaultMode: 700 + defaultMode: "0700" key: enabled: true path: /some/path/key.key readOnly: true - defaultMode: 700 + defaultMode: "0700" asserts: - isKind: of: Deployment @@ -62,7 +62,7 @@ tests: path: spec.template.spec.volumes[0].secret value: secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[0].name pattern: *patternCert @@ -79,7 +79,7 @@ tests: path: spec.template.spec.volumes[1].secret value: secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[1].name pattern: *patternKey 
@@ -105,12 +105,12 @@ tests: enabled: true path: /some/path/crt.key readOnly: true - defaultMode: 700 + defaultMode: "0700" key: enabled: false path: /some/path/key.key readOnly: true - defaultMode: 700 + defaultMode: "0700" asserts: - isKind: of: Deployment @@ -121,7 +121,7 @@ tests: path: spec.template.spec.volumes[0].secret value: secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[0].name pattern: *patternCert @@ -147,12 +147,12 @@ tests: enabled: false path: /some/path/crt.key readOnly: true - defaultMode: 700 + defaultMode: "0700" key: enabled: true path: /some/path/key.key readOnly: true - defaultMode: 700 + defaultMode: "0700" asserts: - matchRegex: path: spec.template.spec.volumes[0].name @@ -161,7 +161,7 @@ tests: path: spec.template.spec.volumes[0].secret value: secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[0].name pattern: *patternKey @@ -190,24 +190,24 @@ tests: enabled: true path: /some/path/crt.key readOnly: true - defaultMode: 700 + defaultMode: "0700" key: enabled: true path: /some/path/key.key readOnly: true - defaultMode: 700 + defaultMode: "0700" cert-name2: id: 2 cert: enabled: true path: /some/path/crt.key readOnly: true - defaultMode: 700 + defaultMode: "0700" key: enabled: true path: /some/path/key.key readOnly: true - defaultMode: 700 + defaultMode: "0700" asserts: - isKind: of: Deployment @@ -218,7 +218,7 @@ tests: path: spec.template.spec.volumes[0].secret value: secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[0].name pattern: *patternCert 
@@ -236,7 +236,7 @@ tests: path: spec.template.spec.volumes[1].secret value: secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[1].name pattern: *patternCert @@ -254,7 +254,7 @@ tests: path: spec.template.spec.volumes[2].secret value: secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[2].name pattern: *patternKey @@ -272,7 +272,7 @@ tests: path: spec.template.spec.volumes[3].secret value: secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2 - defaultMode: 700 + defaultMode: 0700 - matchRegex: path: spec.template.spec.containers[0].volumeMounts[3].name pattern: *patternKey diff --git a/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml b/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml index bf2e1101ab..5b56da7109 100644 --- a/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml +++ b/library/common-test/tests/container_in_deployment/volumeMounts_test.yaml @@ -21,7 +21,18 @@ tests: - failedTemplate: errorMessage: must be defined, alternatively use the flag. - - it: should fail with empty mountPath set + - it: should fail with empty readOnly + set: + persistence: + vol1: + enabled: true + mountPath: /some/path + readOnly: + asserts: + - failedTemplate: + errorMessage: cannot be empty on item (vol1) + + - it: should fail with empty mountPath set: persistence: vol1: diff --git a/library/common-test/tests/deployment/volume_configMap_test.yaml b/library/common-test/tests/deployment/volume_configMap_test.yaml index fa52d42acf..205fe8d6a8 100644 --- a/library/common-test/tests/deployment/volume_configMap_test.yaml +++ b/library/common-test/tests/deployment/volume_configMap_test.yaml 
@@ -62,7 +62,7 @@ tests: configMap: name: some_object_name - - it: should pass with added configMap and defaultMode as int + - it: should fail with added configMap and defaultMode as int documentIndex: *deploymentDoc set: persistence: @@ -70,16 +70,11 @@ tests: type: configMap enabled: true objectName: some_object_name - defaultMode: 777 + defaultMode: 0777 noMount: true asserts: - - equal: - path: spec.template.spec.volumes[0] - value: - name: some_volume - configMap: - name: some_object_name - defaultMode: 777 + - failedTemplate: + errorMessage: (511, converted to octal) is not valid format. Valid format is string with 4 digits <0777>. - it: should pass with added configMap and defaultMode as string documentIndex: *deploymentDoc @@ -89,7 +84,7 @@ tests: type: configMap enabled: true objectName: some_object_name - defaultMode: "777" + defaultMode: "0777" noMount: true asserts: - equal: @@ -98,9 +93,9 @@ tests: name: some_volume configMap: name: some_object_name - defaultMode: 777 + defaultMode: 0777 - - it: should pass with added configMap and defaultMode as int from tpl + - it: should fail with added configMap and defaultMode as int from tpl documentIndex: *deploymentDoc set: mode: 644 @@ -112,18 +107,13 @@ tests: defaultMode: "{{ .Values.mode }}" noMount: true asserts: - - equal: - path: spec.template.spec.volumes[0] - value: - name: some_volume - configMap: - name: some_object_name - defaultMode: 644 + - failedTemplate: + errorMessage: (644, converted to octal) is not valid format. Valid format is string with 4 digits <0777>. - it: should pass with added configMap and defaultMode as string from tpl documentIndex: *deploymentDoc set: - mode: "644" + mode: "0644" persistence: some_volume: type: configMap @@ -138,7 +128,7 @@ tests: name: some_volume configMap: name: some_object_name - defaultMode: 644 + defaultMode: 0644 - it: should pass with added configMap and items documentIndex: *deploymentDoc 
diff --git a/library/common-test/tests/deployment/volume_secret_test.yaml b/library/common-test/tests/deployment/volume_secret_test.yaml index f4d96ec4e6..bd1fbc111e 100644 --- a/library/common-test/tests/deployment/volume_secret_test.yaml +++ b/library/common-test/tests/deployment/volume_secret_test.yaml @@ -52,7 +52,7 @@ tests: secret: secretName: some_object_name - - it: should pass with added secret and defaultMode as int + - it: should fail with added secret and defaultMode as int documentIndex: *deploymentDoc set: persistence: @@ -60,16 +60,11 @@ tests: type: secret enabled: true objectName: some_object_name - defaultMode: 777 + defaultMode: 0777 noMount: true asserts: - - equal: - path: spec.template.spec.volumes[0] - value: - name: some_volume - secret: - secretName: some_object_name - defaultMode: 777 + - failedTemplate: + errorMessage: (511, converted to octal) is not valid format. Valid format is string with 4 digits <0777>. - it: should pass with added secret and defaultMode as string documentIndex: *deploymentDoc @@ -79,7 +74,7 @@ tests: type: secret enabled: true objectName: some_object_name - defaultMode: "777" + defaultMode: "0777" noMount: true asserts: - equal: @@ -88,9 +83,9 @@ tests: name: some_volume secret: secretName: some_object_name - defaultMode: 777 + defaultMode: 0777 - - it: should pass with added secret and defaultMode as int from tpl + - it: should fail with added secret and defaultMode as int from tpl documentIndex: *deploymentDoc set: mode: 644 
@@ -102,18 +97,13 @@ tests: defaultMode: "{{ .Values.mode }}" noMount: true asserts: - - equal: - path: spec.template.spec.volumes[0] - value: - name: some_volume - secret: - secretName: some_object_name - defaultMode: 644 + - failedTemplate: + errorMessage: (644, converted to octal) is not valid format. Valid format is string with 4 digits <0777>. - it: should pass with added secret and defaultMode as string from tpl documentIndex: *deploymentDoc set: - mode: "644" + mode: "0644" persistence: some_volume: type: secret @@ -128,7 +118,7 @@ tests: name: some_volume secret: secretName: some_object_name - defaultMode: 644 + defaultMode: 0644 - it: should fail with added secret and no key on items set: diff --git a/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl b/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl index d0343a6d4f..8a8ea5dd2d 100644 --- a/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl +++ b/library/common/1.0.0/templates/lib/container/_volumeMounts.tpl @@ -11,8 +11,12 @@ {{- with $item.subPath }} subPath: {{ tpl . $ }} {{- end -}} - {{- if (hasKey $item "readOnly") }} + {{- if (hasKey $item "readOnly") -}} + {{- if or (eq $item.readOnly true) (eq $item.readOnly false) }} readOnly: {{ $item.readOnly }} + {{- else -}} + {{- fail (printf " cannot be empty on item (%s)" $index) -}} + {{- end -}} {{- end -}} {{- with $item.mountPropagation }} mountPropagation: {{ tpl . $ }} diff --git a/library/common/1.0.0/templates/lib/pod/volumes/_configMap.tpl b/library/common/1.0.0/templates/lib/pod/volumes/_configMap.tpl index ec8dd9022e..35d0672e8b 100644 --- a/library/common/1.0.0/templates/lib/pod/volumes/_configMap.tpl +++ b/library/common/1.0.0/templates/lib/pod/volumes/_configMap.tpl 
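Review bot: In the _volumeMounts.tpl hunk, the new guard `or (eq $item.readOnly true) (eq $item.readOnly false)` only reaches the chart's own "cannot be empty" message for an empty/null readOnly; for any other non-bool value, such as the common quoting slip `readOnly: "true"`, Go's template `eq` refuses to compare a string with a bool and the render aborts with a generic "incompatible types for comparison" error, so the user never sees which item or key is wrong. It still fails closed, so this is about clarity rather than an open mount, but a type check covers both cases in one line: `{{- if (kindIs "bool" $item.readOnly) }}`, with the message widened to `{{- fail (printf " must be true or false on item (%s)" $index) -}}` (the `cannot be empty` assertion in volumeMounts_test.yaml would follow). A companion test setting `readOnly: "true"` on vol1 and asserting `failedTemplate` would pin this. The enclosing define/range starts and ends outside the hunk.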
@@ -7,7 +7,12 @@ configMap: name: {{ $objectName }} {{- with $vol.defaultMode }} - defaultMode: {{ tpl (toString .) $root }} + {{- $defMode := tpl (toString .) $root -}} + {{- if (mustRegexMatch "^[0-9]{4}$" $defMode) }} + defaultMode: {{ $defMode }} + {{- else -}} + {{- fail (printf " (%s, converted to octal) is not valid format. Valid format is string with 4 digits <0777>." $defMode) -}} + {{- end -}} {{- end -}} {{- with $vol.items }} items: diff --git a/library/common/1.0.0/templates/lib/pod/volumes/_secret.tpl b/library/common/1.0.0/templates/lib/pod/volumes/_secret.tpl index c64b051c38..ae64757228 100644 --- a/library/common/1.0.0/templates/lib/pod/volumes/_secret.tpl +++ b/library/common/1.0.0/templates/lib/pod/volumes/_secret.tpl @@ -7,7 +7,12 @@ secret: secretName: {{ $objectName }} {{- with $vol.defaultMode }} - defaultMode: {{ tpl (toString .) $root }} + {{- $defMode := tpl (toString .) $root -}} + {{- if (mustRegexMatch "^[0-9]{4}$" $defMode) }} {{/* TODO: Document that "0700" equals to 448 in octal, k8s accepts both */}} + defaultMode: {{ $defMode }} {{/* TODO: But because when octal values pass from go variables they covert to octal, we require them as string to avoid confusion */}} + {{- else -}} + {{- fail (printf " (%s, converted to octal) is not valid format. Valid format is string with 4 digits <0777>." $defMode) -}} + {{- end -}} {{- end -}} {{- with $vol.items }} items:
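Review bot: The new check `mustRegexMatch "^[0-9]{4}$" $defMode` in _configMap.tpl accepts values that are not valid defaultModes: non-octal digits such as "0888", and anything above 0777 such as "1777" or a plain integer 1000 (toString gives "1000", which passes and is emitted unquoted, so the API server reads it as decimal 1000, i.e. octal 01750, and rejects it as above the 0777 maximum). Since the point of the hunk is to validate the mode before it reaches the manifest, tighten the pattern to the range Kubernetes actually allows: `{{- if (mustRegexMatch "^0[0-7]{3}$" $defMode) }}`, and say so in the message, e.g. `Valid format is a quoted 4-digit octal string from "0000" to "0777".` (the errorMessage assertions in volume_configMap_test.yaml would follow). The message's `(%s, converted to octal)` also has the direction backwards — a bare `0777` in values is loaded as the decimal 511, i.e. converted from octal. The enclosing define starts and ends outside the hunk.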
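Review bot: The inline TODO comments added to the `if` and `defaultMode:` lines in _secret.tpl state the conversion backwards — a bare YAML `0700` is an octal literal that the values loader turns into the decimal int 448 (not "448 in octal"), which is exactly why the template wants a quoted string and why "448" then fails the 4-digit check. Suggest one comment above the `with` block, `{{/* defaultMode must be a quoted 4-digit octal string, e.g. "0700"; an unquoted 0700 is loaded as decimal 448 and rejected below */}}`, and dropping the two trailing `{{/* TODO ... */}}` fragments from the code lines. Separately, `^[0-9]{4}$` still lets "0888" or "1777" through to the Secret volume although neither is a valid 0000–0777 mode; `{{- if (mustRegexMatch "^0[0-7]{3}$" $defMode) }}` matches what the API server accepts. The enclosing define starts and ends outside the hunk.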