
NAS-121398 / 23.10 / Adds validation in few places (#1097)

* Adds a check in persistence that the specified configmap/secret exists

* catch edge case in env rendering

* validate size in emptyDir
Stavros Kois 2 лет назад
Сommit
da114013c1

+ 7 - 0
library/common-test/tests/container/env_test.yaml

@@ -64,6 +64,7 @@ tests:
                   VAR7:
                     fieldRef:
                       fieldPath: metadata.name
+                  VAR8: ""
     asserts:
       - documentIndex: &deploymentDoc 2
         isKind:
@@ -127,6 +128,12 @@ tests:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
+      - documentIndex: *deploymentDoc
+        contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: VAR8
+            value: ""
 
   # Failures
   - it: it should fail invalid ref

+ 57 - 0
library/common-test/tests/persistence/validation_test.yaml

@@ -33,3 +33,60 @@ tests:
     asserts:
       - failedTemplate:
           errorMessage: Persistence - Expected <type> to be one of [emptyDir, hostPath, ixVolume, secret, configmap, device], but got [not-a-type]
+
+  - it: should fail with non-existent configmap
+    set:
+      configmap:
+        my-configmap:
+          enabled: true
+          data:
+            foo: bar
+      persistence:
+        volume1:
+          enabled: true
+          type: configmap
+          mountPath: /mnt/volume1
+          objectName: my-non-existent-configmap
+      image: &image
+        repository: nginx
+        tag: 1.17.6
+        pullPolicy: IfNotPresent
+      workload: &workload
+        main:
+          enabled: true
+          primary: true
+          type: Deployment
+          podSpec:
+            containers:
+              main:
+                enabled: true
+                primary: true
+                probes:
+                  liveness:
+                    enabled: false
+                  readiness:
+                    enabled: false
+                  startup:
+                    enabled: false
+    asserts:
+      - failedTemplate:
+          errorMessage: Persistence - Expected configmap [my-non-existent-configmap] defined in <objectName> to exist
+
+  - it: should fail with non-existent secret
+    set:
+      secret:
+        my-secret:
+          enabled: true
+          data:
+            foo: bar
+      persistence:
+        volume1:
+          enabled: true
+          type: secret
+          mountPath: /mnt/volume1
+          objectName: my-non-existent-secret
+      image: *image
+      workload: *workload
+    asserts:
+      - failedTemplate:
+          errorMessage: Persistence - Expected secret [my-non-existent-secret] defined in <objectName> to exist

+ 13 - 3
library/common-test/tests/pod/volume_configmap_test.yaml

@@ -6,6 +6,11 @@ tests:
     set:
       some_object: some-object-name
       some_mode: "0777"
+      configmap: &configmap
+        some-object-name:
+          enabled: true
+          data:
+            some-key: some-value
       workload:
         workload-name1:
           enabled: true
@@ -19,7 +24,7 @@ tests:
           objectName: "{{ .Values.some_object }}"
           defaultMode: "{{ .Values.some_mode }}"
     asserts:
-      - documentIndex: &deploymentDoc 0
+      - documentIndex: &deploymentDoc 1
         isKind:
           of: Deployment
       - documentIndex: *deploymentDoc
@@ -37,6 +42,7 @@ tests:
       some_mode: "0777"
       some_key: some-key
       some_path: some-path
+      configmap: *configmap
       workload:
         workload-name1:
           enabled: true
@@ -88,10 +94,10 @@ tests:
           objectName: "{{ .Values.some_object }}"
           expandObjectName: false
     asserts:
-      - documentIndex: *deploymentDoc
+      - documentIndex: &otherDeploymentDoc 0
         isKind:
           of: Deployment
-      - documentIndex: *deploymentDoc
+      - documentIndex: *otherDeploymentDoc
         contains:
           path: spec.template.spec.volumes
           content:
@@ -135,6 +141,7 @@ tests:
 
   - it: should fail with defaultMode not a string in configmap
     set:
+      configmap: *configmap
       workload:
         some-workload:
           enabled: true
@@ -153,6 +160,7 @@ tests:
 
   - it: should fail with defaultMode not in format of "0000"-"0777" in configmap
     set:
+      configmap: *configmap
       workload:
         some-workload:
           enabled: true
@@ -171,6 +179,7 @@ tests:
 
   - it: should fail without key in items in configmap
     set:
+      configmap: *configmap
       workload:
         some-workload:
           enabled: true
@@ -191,6 +200,7 @@ tests:
 
   - it: should fail without path in items in configmap
     set:
+      configmap: *configmap
       workload:
         some-workload:
           enabled: true
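Review bot: The `documentIndex` anchors `&deploymentDoc 1` and `&otherDeploymentDoc 0` are bare positional numbers with nothing explaining why they differ, so the next change to render order will break these asserts without an obvious cause. Presumably the index moved to 1 because the ConfigMap from the new `configmap: &configmap` value renders before the Deployment, and stays 0 in the `expandObjectName: false` case because no configmap is set there. A one-line comment above each anchor would record that, for example `# doc 0 is the rendered ConfigMap, the Deployment follows` and `# no configmap set here, so the Deployment is doc 0`. The same applies to the matching anchors in `volume_secret_test.yaml`.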

+ 17 - 0
library/common-test/tests/pod/volume_emptyDIr_test.yaml → library/common-test/tests/pod/volume_emptyDir_test.yaml

@@ -121,3 +121,20 @@ tests:
     asserts:
       - failedTemplate:
           errorMessage: Persistence - Expected [medium] to be one of ["", Memory], but got [not-a-valid-medium] on <emptyDir> type
+
+  - it: should fail with invalid size format
+    set:
+      workload:
+        some-workload:
+          enabled: true
+          primary: true
+          type: Deployment
+          podSpec: {}
+      persistence:
+        volume1:
+          enabled: true
+          type: emptyDir
+          size: not-a-valid-size
+    asserts:
+      - failedTemplate:
+          errorMessage: Persistence Expected <size> to have one of the following formats [(Suffixed with E/P/T/G/M/K - eg. 1G), (Suffixed with Ei/Pi/Ti/Gi/Mi/Ki - eg. 1Gi), (Plain Integer in bytes - eg. 1024), (Exponent - eg. 134e6)], but got [not-a-valid-size]

+ 13 - 3
library/common-test/tests/pod/volume_secret_test.yaml

@@ -6,6 +6,11 @@ tests:
     set:
       some_object: some-object-name
       some_mode: "0777"
+      secret: &secret
+        some-object-name:
+          enabled: true
+          data:
+            some-key: some-value
       workload:
         workload-name1:
           enabled: true
@@ -19,7 +24,7 @@ tests:
           objectName: "{{ .Values.some_object }}"
           defaultMode: "{{ .Values.some_mode }}"
     asserts:
-      - documentIndex: &deploymentDoc 0
+      - documentIndex: &deploymentDoc 1
         isKind:
           of: Deployment
       - documentIndex: *deploymentDoc
@@ -37,6 +42,7 @@ tests:
       some_mode: "0777"
       some_key: some-key
       some_path: some-path
+      secret: *secret
       workload:
         workload-name1:
           enabled: true
@@ -88,10 +94,10 @@ tests:
           objectName: "{{ .Values.some_object }}"
           expandObjectName: false
     asserts:
-      - documentIndex: *deploymentDoc
+      - documentIndex: &otherDeploymentDoc 0
         isKind:
           of: Deployment
-      - documentIndex: *deploymentDoc
+      - documentIndex: *otherDeploymentDoc
         contains:
           path: spec.template.spec.volumes
           content:
@@ -136,6 +142,7 @@ tests:
 
   - it: should fail with defaultMode not a string in secret
     set:
+      secret: *secret
       workload:
         some-workload:
           enabled: true
@@ -154,6 +161,7 @@ tests:
 
   - it: should fail with defaultMode not in format of "0000"-"0777" in secret
     set:
+      secret: *secret
       workload:
         some-workload:
           enabled: true
@@ -172,6 +180,7 @@ tests:
 
   - it: should fail without key in items in secret
     set:
+      secret: *secret
       workload:
         some-workload:
           enabled: true
@@ -192,6 +201,7 @@ tests:
 
   - it: should fail without path in items in secret
     set:
+      secret: *secret
       workload:
         some-workload:
           enabled: true

+ 1 - 1
library/common/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A library chart for iX Official Catalog
 type: library
-version: 1.0.3
+version: 1.0.4
 appVersion: v1
 annotations:
   title: Common Library Chart

+ 6 - 2
library/common/templates/lib/container/_env.tpl

@@ -11,8 +11,12 @@ objectData: The object data to be used to render the container.
   {{- range $k, $v := $objectData.env -}}
     {{- include "ix.v1.common.helper.container.envDupeCheck" (dict "rootCtx" $rootCtx "objectData" $objectData "source" "env" "key" $k) }}
 - name: {{ $k | quote }}
-    {{- if not (kindIs "map" $v) }}
-  value: {{ tpl (toString $v) $rootCtx | quote }}
+    {{- if not (kindIs "map" $v) -}}
+      {{- $value := "" -}}
+      {{- if $v -}} {{/* Only tpl non-empty values */}}
+        {{- $value = tpl (toString $v) $rootCtx -}}
+      {{- end }}
+  value: {{ $value | quote }}
     {{- else if kindIs "map" $v }}
   valueFrom:
       {{- $refs := (list "configMapKeyRef" "secretKeyRef" "fieldRef") -}}
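Review bot: The `{{- if $v -}}` guard treats every falsy value as empty, not only `""`. Go templates evaluate `0` and `false` as empty too, so `VAR: 0` or `VAR: false` in values now renders `value: ""`, where the removed `tpl (toString $v)` line rendered `"0"` or `"false"`. A container that reads such a flag would silently see it unset. I can't tell from the hunk which edge case was targeted, but a guard on nil and the empty string would keep numeric and boolean values intact: `{{- if and (not (kindIs "invalid" $v)) (ne (toString $v) "") -}}`. The added `VAR8: ""` case in `env_test.yaml` covers only the empty string; an entry with `0` or `false` would pin this behaviour.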

+ 4 - 0
library/common/templates/lib/pod/volumes/_configmap.tpl

@@ -19,6 +19,10 @@ objectData: The object data to be used to render the volume.
   {{- end -}}
 
   {{- if $expandName -}}
+    {{- $object := (get $rootCtx.Values.configmap $objectName) -}}
+    {{- if not $object -}}
+      {{- fail (printf "Persistence - Expected configmap [%s] defined in <objectName> to exist" $objectName) -}}
+    {{- end -}}
     {{- $objectName = (printf "%s-%s" (include "ix.v1.common.lib.chart.names.fullname" $rootCtx) $objectName) -}}
   {{- end -}}
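Review bot: The new check `{{- if not $object -}}` only proves that a key named `$objectName` exists under `.Values.configmap`; it still passes when that entry has `enabled: false`. If disabled entries are not rendered (that part is outside this hunk), the volume would reference a ConfigMap that is never created and the pod would hang at mount time, which is the failure this validation is meant to catch. Consider a nested `{{- if not $object.enabled -}}` inside the existing branch that fails with a message naming the disabled object, plus a matching case in `validation_test.yaml`, which currently covers only a missing name. The same applies to the `$object` / `$certObject` check in `_secret.tpl`, where the `scaleCertificate` fallback is also not exercised by any of the added tests.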
 

+ 8 - 0
library/common/templates/lib/pod/volumes/_emptyDir.tpl

@@ -17,6 +17,14 @@ objectData: The object data to be used to render the volume.
     {{- $size = tpl . $rootCtx -}}
   {{- end -}}
 
+  {{- if $size -}}
+    {{/* Size: https://regex101.com/r/NNPV2D/1 */}}
+    {{- if not (mustRegexMatch "^[1-9][0-9]*([EPTGMK]i?|e[0-9]+)?$" (toString $size)) -}}
+      {{- $formats := "(Suffixed with E/P/T/G/M/K - eg. 1G), (Suffixed with Ei/Pi/Ti/Gi/Mi/Ki - eg. 1Gi), (Plain Integer in bytes - eg. 1024), (Exponent - eg. 134e6)" -}}
+      {{- fail (printf "Persistence Expected <size> to have one of the following formats [%s], but got [%s]" $formats $size) -}}
+    {{- end -}}
+  {{- end -}}
+
   {{- if and $medium (ne $medium "Memory") -}}
     {{- fail (printf "Persistence - Expected [medium] to be one of [\"\", Memory], but got [%s] on <emptyDir> type" $medium)  -}}
   {{- end }}
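Review bot: The size pattern accepts `1K` and rejects `1k`, which is the opposite of what Kubernetes accepts. Its quantity grammar has lowercase `k` as the decimal kilo suffix and `Ki` as the binary one, so a bare uppercase `K` passes this template check and is then refused by the API server. Changing the class to `^[1-9][0-9]*([EPTGM]i?|Ki|k|e[0-9]+)?$` fixes that, and the `E/P/T/G/M/K` wording in `$formats` would need to say `k` to match. The pattern also rejects fractional values such as `1.5Gi`; if that is intended, a comment stating it would be clearer than the external regex101 link alone. The message starts `Persistence Expected` without the ` - ` separator used by the neighbouring `fail` calls.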

+ 5 - 0
library/common/templates/lib/pod/volumes/_secret.tpl

@@ -19,6 +19,11 @@ objectData: The object data to be used to render the volume.
   {{- end -}}
 
   {{- if $expandName -}}
+    {{- $object := (get $rootCtx.Values.secret $objectName) -}}
+    {{- $certObject := (get $rootCtx.Values.scaleCertificate $objectName) -}}
+    {{- if and (not $object) (not $certObject) -}}
+      {{- fail (printf "Persistence - Expected secret [%s] defined in <objectName> to exist" $objectName) -}}
+    {{- end -}}
     {{- $objectName = (printf "%s-%s" (include "ix.v1.common.lib.chart.names.fullname" $rootCtx) $objectName) -}}
   {{- end -}}