NAS-121398 / 23.10 / Adds validation in few places (#1097)

* Adds a check in persistence that the specified configmap/secret exists * catch edge case in env rendering * validate size in emptyDir
2026-02-03 02:23:49 +08:00 · 2023-04-11 18:37:22 +03:00
parent 768be33a96
commit da114013c1
10 changed files with 131 additions and 9 deletions
--- a/library/common-test/tests/container/env_test.yaml
+++ b/library/common-test/tests/container/env_test.yaml
@@ -64,6 +64,7 @@ tests:
                  VAR7:
                    fieldRef:
                      fieldPath: metadata.name
+                  VAR8: ""
    asserts:
      - documentIndex: &deploymentDoc 2
        isKind:
@@ -127,6 +128,12 @@ tests:
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
+      - documentIndex: *deploymentDoc
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: VAR8
+            value: ""

  # Failures
  - it: it should fail invalid ref
--- a/library/common-test/tests/persistence/validation_test.yaml
+++ b/library/common-test/tests/persistence/validation_test.yaml
@@ -33,3 +33,60 @@ tests:
    asserts:
      - failedTemplate:
          errorMessage: Persistence - Expected <type> to be one of [emptyDir, hostPath, ixVolume, secret, configmap, device], but got [not-a-type]
+
+  - it: should fail with non-existent configmap
+    set:
+      configmap:
+        my-configmap:
+          enabled: true
+          data:
+            foo: bar
+      persistence:
+        volume1:
+          enabled: true
+          type: configmap
+          mountPath: /mnt/volume1
+          objectName: my-non-existent-configmap
+      image: &image
+        repository: nginx
+        tag: 1.17.6
+        pullPolicy: IfNotPresent
+      workload: &workload
+        main:
+          enabled: true
+          primary: true
+          type: Deployment
+          podSpec:
+            containers:
+              main:
+                enabled: true
+                primary: true
+                probes:
+                  liveness:
+                    enabled: false
+                  readiness:
+                    enabled: false
+                  startup:
+                    enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: Persistence - Expected configmap [my-non-existent-configmap] defined in <objectName> to exist
+
+  - it: should fail with non-existent secret
+    set:
+      secret:
+        my-secret:
+          enabled: true
+          data:
+            foo: bar
+      persistence:
+        volume1:
+          enabled: true
+          type: secret
+          mountPath: /mnt/volume1
+          objectName: my-non-existent-secret
+      image: *image
+      workload: *workload
+    asserts:
+      - failedTemplate:
+          errorMessage: Persistence - Expected secret [my-non-existent-secret] defined in <objectName> to exist
--- a/library/common-test/tests/pod/volume_configmap_test.yaml
+++ b/library/common-test/tests/pod/volume_configmap_test.yaml
@@ -6,6 +6,11 @@ tests:
    set:
      some_object: some-object-name
      some_mode: "0777"
+      configmap: &configmap
+        some-object-name:
+          enabled: true
+          data:
+            some-key: some-value
      workload:
        workload-name1:
          enabled: true
@@ -19,7 +24,7 @@ tests:
          objectName: "{{ .Values.some_object }}"
          defaultMode: "{{ .Values.some_mode }}"
    asserts:
-      - documentIndex: &deploymentDoc 0
+      - documentIndex: &deploymentDoc 1
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
@@ -37,6 +42,7 @@ tests:
      some_mode: "0777"
      some_key: some-key
      some_path: some-path
+      configmap: *configmap
      workload:
        workload-name1:
          enabled: true
@@ -88,10 +94,10 @@ tests:
          objectName: "{{ .Values.some_object }}"
          expandObjectName: false
    asserts:
-      - documentIndex: *deploymentDoc
+      - documentIndex: &otherDeploymentDoc 0
        isKind:
          of: Deployment
-      - documentIndex: *deploymentDoc
+      - documentIndex: *otherDeploymentDoc
        contains:
          path: spec.template.spec.volumes
          content:
@@ -135,6 +141,7 @@ tests:

  - it: should fail with defaultMode not a string in configmap
    set:
+      configmap: *configmap
      workload:
        some-workload:
          enabled: true
@@ -153,6 +160,7 @@ tests:

  - it: should fail with defaultMode not in format of "0000"-"0777" in configmap
    set:
+      configmap: *configmap
      workload:
        some-workload:
          enabled: true
@@ -171,6 +179,7 @@ tests:

  - it: should fail without key in items in configmap
    set:
+      configmap: *configmap
      workload:
        some-workload:
          enabled: true
@@ -191,6 +200,7 @@ tests:

  - it: should fail without path in items in configmap
    set:
+      configmap: *configmap
      workload:
        some-workload:
          enabled: true
--- a/library/common-test/tests/pod/volume_emptyDir_test.yaml
+++ b/library/common-test/tests/pod/volume_emptyDir_test.yaml
@@ -121,3 +121,20 @@ tests:
    asserts:
      - failedTemplate:
          errorMessage: Persistence - Expected [medium] to be one of ["", Memory], but got [not-a-valid-medium] on <emptyDir> type
+
+  - it: should fail with invalid size format
+    set:
+      workload:
+        some-workload:
+          enabled: true
+          primary: true
+          type: Deployment
+          podSpec: {}
+      persistence:
+        volume1:
+          enabled: true
+          type: emptyDir
+          size: not-a-valid-size
+    asserts:
+      - failedTemplate:
+          errorMessage: Persistence Expected <size> to have one of the following formats [(Suffixed with E/P/T/G/M/K - eg. 1G), (Suffixed with Ei/Pi/Ti/Gi/Mi/Ki - eg. 1Gi), (Plain Integer in bytes - eg. 1024), (Exponent - eg. 134e6)], but got [not-a-valid-size]
--- a/library/common-test/tests/pod/volume_secret_test.yaml
+++ b/library/common-test/tests/pod/volume_secret_test.yaml
@@ -6,6 +6,11 @@ tests:
    set:
      some_object: some-object-name
      some_mode: "0777"
+      secret: &secret
+        some-object-name:
+          enabled: true
+          data:
+            some-key: some-value
      workload:
        workload-name1:
          enabled: true
@@ -19,7 +24,7 @@ tests:
          objectName: "{{ .Values.some_object }}"
          defaultMode: "{{ .Values.some_mode }}"
    asserts:
-      - documentIndex: &deploymentDoc 0
+      - documentIndex: &deploymentDoc 1
        isKind:
          of: Deployment
      - documentIndex: *deploymentDoc
@@ -37,6 +42,7 @@ tests:
      some_mode: "0777"
      some_key: some-key
      some_path: some-path
+      secret: *secret
      workload:
        workload-name1:
          enabled: true
@@ -88,10 +94,10 @@ tests:
          objectName: "{{ .Values.some_object }}"
          expandObjectName: false
    asserts:
-      - documentIndex: *deploymentDoc
+      - documentIndex: &otherDeploymentDoc 0
        isKind:
          of: Deployment
-      - documentIndex: *deploymentDoc
+      - documentIndex: *otherDeploymentDoc
        contains:
          path: spec.template.spec.volumes
          content:
@@ -136,6 +142,7 @@ tests:

  - it: should fail with defaultMode not a string in secret
    set:
+      secret: *secret
      workload:
        some-workload:
          enabled: true
@@ -154,6 +161,7 @@ tests:

  - it: should fail with defaultMode not in format of "0000"-"0777" in secret
    set:
+      secret: *secret
      workload:
        some-workload:
          enabled: true
@@ -172,6 +180,7 @@ tests:

  - it: should fail without key in items in secret
    set:
+      secret: *secret
      workload:
        some-workload:
          enabled: true
@@ -192,6 +201,7 @@ tests:

  - it: should fail without path in items in secret
    set:
+      secret: *secret
      workload:
        some-workload:
          enabled: true
--- a/library/common/Chart.yaml
+++ b/library/common/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A library chart for iX Official Catalog
 type: library
-version: 1.0.3
+version: 1.0.4
 appVersion: v1
 annotations:
  title: Common Library Chart
--- a/library/common/templates/lib/container/_env.tpl
+++ b/library/common/templates/lib/container/_env.tpl
@@ -11,8 +11,12 @@ objectData: The object data to be used to render the container.
  {{- range $k, $v := $objectData.env -}}
    {{- include "ix.v1.common.helper.container.envDupeCheck" (dict "rootCtx" $rootCtx "objectData" $objectData "source" "env" "key" $k) }}
 - name: {{ $k | quote }}
-    {{- if not (kindIs "map" $v) }}
-  value: {{ tpl (toString $v) $rootCtx | quote }}
+    {{- if not (kindIs "map" $v) -}}
+      {{- $value := "" -}}
+      {{- if $v -}} {{/* Only tpl non-empty values */}}
+        {{- $value = tpl (toString $v) $rootCtx -}}
+      {{- end }}
+  value: {{ $value | quote }}
    {{- else if kindIs "map" $v }}
  valueFrom:
      {{- $refs := (list "configMapKeyRef" "secretKeyRef" "fieldRef") -}}
--- a/library/common/templates/lib/pod/volumes/_configmap.tpl
+++ b/library/common/templates/lib/pod/volumes/_configmap.tpl
@@ -19,6 +19,10 @@ objectData: The object data to be used to render the volume.
  {{- end -}}

  {{- if $expandName -}}
+    {{- $object := (get $rootCtx.Values.configmap $objectName) -}}
+    {{- if not $object -}}
+      {{- fail (printf "Persistence - Expected configmap [%s] defined in <objectName> to exist" $objectName) -}}
+    {{- end -}}
    {{- $objectName = (printf "%s-%s" (include "ix.v1.common.lib.chart.names.fullname" $rootCtx) $objectName) -}}
  {{- end -}}

--- a/library/common/templates/lib/pod/volumes/_emptyDir.tpl
+++ b/library/common/templates/lib/pod/volumes/_emptyDir.tpl
@@ -17,6 +17,14 @@ objectData: The object data to be used to render the volume.
    {{- $size = tpl . $rootCtx -}}
  {{- end -}}

+  {{- if $size -}}
+    {{/* Size: https://regex101.com/r/NNPV2D/1 */}}
+    {{- if not (mustRegexMatch "^[1-9][0-9]*([EPTGMK]i?|e[0-9]+)?$" (toString $size)) -}}
+      {{- $formats := "(Suffixed with E/P/T/G/M/K - eg. 1G), (Suffixed with Ei/Pi/Ti/Gi/Mi/Ki - eg. 1Gi), (Plain Integer in bytes - eg. 1024), (Exponent - eg. 134e6)" -}}
+      {{- fail (printf "Persistence Expected <size> to have one of the following formats [%s], but got [%s]" $formats $size) -}}
+    {{- end -}}
+  {{- end -}}
+
  {{- if and $medium (ne $medium "Memory") -}}
    {{- fail (printf "Persistence - Expected [medium] to be one of [\"\", Memory], but got [%s] on <emptyDir> type" $medium)  -}}
  {{- end }}
--- a/library/common/templates/lib/pod/volumes/_secret.tpl
+++ b/library/common/templates/lib/pod/volumes/_secret.tpl
@@ -19,6 +19,11 @@ objectData: The object data to be used to render the volume.
  {{- end -}}

  {{- if $expandName -}}
+    {{- $object := (get $rootCtx.Values.secret $objectName) -}}
+    {{- $certObject := (get $rootCtx.Values.scaleCertificate $objectName) -}}
+    {{- if and (not $object) (not $certObject) -}}
+      {{- fail (printf "Persistence - Expected secret [%s] defined in <objectName> to exist" $objectName) -}}
+    {{- end -}}
    {{- $objectName = (printf "%s-%s" (include "ix.v1.common.lib.chart.names.fullname" $rootCtx) $objectName) -}}
  {{- end -}}