Merge pull request #1130 from fluxcd/StrictPostBuildSubstitutions

stefanprodan · web-flow · commit fa5cebbcd21a · 2024-04-09T14:39:31.000+03:00
Add `StrictPostBuildSubstitutions` feature flag
diff --git a/docs/spec/v1/kustomizations.md b/docs/spec/v1/kustomizations.md
@@ -564,8 +564,7 @@ kind: Kustomization
 metadata:
   name: apps
 spec:
-  interval: 5m
-  path: "./apps/"
+  # ...omitted for brevity
   postBuild:
     substitute:
       cluster_env: "prod"
@@ -605,6 +604,11 @@ will print out `${var}`.
 All the undefined variables in the format `${var}` will be substituted with an
 empty string unless a default value is provided e.g. `${var:=default}`.
 
+**Note:** It is recommended to set the `--feature-gates=StrictPostBuildSubstitutions=true`
+controller flag, so that the post-build substitutions will fail if a
+variable without a default value is declared in files but is
+missing from the input vars.
+
 You can disable the variable substitution for certain resources by either
 labelling or annotating them with:
 
@@ -624,6 +628,7 @@ kind: Kustomization
 metadata:
   name: apps
 spec:
+  # ...omitted for brevity
   postBuild:
     substitute:
       var_substitution_enabled: "true"
@@ -635,13 +640,11 @@ enclosed in double quotes vars to be treated as strings, for more information se
 
 You can replicate the controller post-build substitutions locally using
 [kustomize](https://github.com/kubernetes-sigs/kustomize)
-and Drone's [envsubst](https://github.com/drone/envsubst):
+and the Flux CLI:
 
 ```console
-$ go install github.com/drone/envsubst/cmd/envsubst
-
 $ export cluster_region=eu-central-1
-$ kustomize build ./apps/ | $GOPATH/bin/envsubst
+$ kustomize build ./apps/ | flux envsubst --strict
 ---
 apiVersion: v1
 kind: Namespace
diff --git a/go.mod b/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/fluxcd/pkg/apis/kustomize v1.4.0
 	github.com/fluxcd/pkg/apis/meta v1.4.0
 	github.com/fluxcd/pkg/http/fetch v0.10.0
-	github.com/fluxcd/pkg/kustomize v1.8.0
+	github.com/fluxcd/pkg/kustomize v1.9.0
 	github.com/fluxcd/pkg/runtime v0.46.0
 	github.com/fluxcd/pkg/ssa v0.38.0
 	github.com/fluxcd/pkg/tar v0.6.0
@@ -96,12 +96,12 @@ require (
 	github.com/docker/docker v24.0.9+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
-	github.com/drone/envsubst v1.0.3 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/color v1.16.0 // indirect
+	github.com/fluxcd/pkg/envsubst v1.0.0 // indirect
 	github.com/fluxcd/pkg/sourceignore v0.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/getsops/gopgagent v0.0.0-20170926210634-4d7ea76ff71a // indirect
diff --git a/go.sum b/go.sum
@@ -116,8 +116,6 @@ github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKoh
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/drone/envsubst v1.0.3 h1:PCIBwNDYjs50AsLZPYdfhSATKaRg/FJmDc2D6+C2x8g=
-github.com/drone/envsubst v1.0.3/go.mod h1:N2jZmlMufstn1KEqvbHjw40h1KyTmnVzHcSc9bFiJ2g=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -143,10 +141,12 @@ github.com/fluxcd/pkg/apis/kustomize v1.4.0 h1:SXoGN9M31fW5tO+wpKMnyHXbjxGUqDo7Y
 github.com/fluxcd/pkg/apis/kustomize v1.4.0/go.mod h1:bZklVWB11tELMss89qYzgg4ClzhFzp0Hm4/8EiHgKew=
 github.com/fluxcd/pkg/apis/meta v1.4.0 h1:nNdgB6FFHP3cubxZCViaCFDUVlAbpq9+hvKEIveOGMg=
 github.com/fluxcd/pkg/apis/meta v1.4.0/go.mod h1:81sZ01ShTuLc1C3M1dFJNkINareBysvmrO1b8zJFFKs=
+github.com/fluxcd/pkg/envsubst v1.0.0 h1:LD86BRNSCGJrvyrH2aX5/pit7RfbFpkzRXogwcazLVk=
+github.com/fluxcd/pkg/envsubst v1.0.0/go.mod h1:VAcb4OxcRdsDix1TRtr/mtTqFGHmNQaOvXQO2REArFQ=
 github.com/fluxcd/pkg/http/fetch v0.10.0 h1:Uh1ZrPa4B4EDgi+NFrY7qP6g9vg1O6JHKg3+iJLtt1w=
 github.com/fluxcd/pkg/http/fetch v0.10.0/go.mod h1:zZOsAqn7iODap40PVq29mcCPEKjDodYvamEaoN6tV/Q=
-github.com/fluxcd/pkg/kustomize v1.8.0 h1:Vf1UwnoP3yScaLi/QrDjgN2d2nI6LcmX4tNRoH+sypY=
-github.com/fluxcd/pkg/kustomize v1.8.0/go.mod h1:yszv9tkYrnC01mcGPct8+bdxpTyxf69k1kmSvk7w0zs=
+github.com/fluxcd/pkg/kustomize v1.9.0 h1:bqS3mXiK1q5TpUtIO5I5b+v/0r96NGJBiearKGUhicA=
+github.com/fluxcd/pkg/kustomize v1.9.0/go.mod h1:PBerk0KzZN/IXaGociVp4MSMvsUQB0jR1P2SqSdixz0=
 github.com/fluxcd/pkg/runtime v0.46.0 h1:+pxFwTk8j8lZIS9Vyc8EJbgvmFp9JqeT6pfLo/0iP98=
 github.com/fluxcd/pkg/runtime v0.46.0/go.mod h1:d9BaIjqoHL71fYeZsssrt08UFONGN2WQRaJ/Ay2d1Cc=
 github.com/fluxcd/pkg/sourceignore v0.6.0 h1:kD6QXL/upPEX66UpR669yK1Bxr/GtjzmZiqBeYpunUQ=
diff --git a/internal/controller/kustomization_controller.go b/internal/controller/kustomization_controller.go
@@ -98,6 +98,7 @@ type KustomizationReconciler struct {
 	KubeConfigOpts          runtimeClient.KubeConfigOptions
 	ConcurrentSSA           int
 	DisallowedFieldManagers []string
+	StrictSubstitutions     bool
 }
 
 // KustomizationReconcilerOptions contains options for the KustomizationReconciler.
@@ -622,9 +623,10 @@ func (r *KustomizationReconciler) build(ctx context.Context,
 
 		// run variable substitutions
 		if obj.Spec.PostBuild != nil {
-			outRes, err := generator.SubstituteVariables(ctx, r.Client, u, res, false)
+			outRes, err := generator.SubstituteVariables(ctx, r.Client, u, res,
+				generator.SubstituteWithStrict(r.StrictSubstitutions))
 			if err != nil {
-				return nil, fmt.Errorf("var substitution failed for '%s': %w", res.GetName(), err)
+				return nil, fmt.Errorf("post build failed for '%s': %w", res.GetName(), err)
 			}
 
 			if outRes != nil {
diff --git a/internal/controller/kustomization_varsub_test.go b/internal/controller/kustomization_varsub_test.go
@@ -366,10 +366,11 @@ func TestKustomizationReconciler_VarsubNumberBool(t *testing.T) {
 	manifests := func(name string) []testserver.File {
 		return []testserver.File{
 			{
-				Name: "service-account.yaml",
+				Name: "templates.yaml",
 				Body: fmt.Sprintf(`
-apiVersion: v1
-kind: ServiceAccount
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
 metadata:
   name: %[1]s
   namespace: %[1]s
@@ -379,6 +380,29 @@ metadata:
   annotations:
     id: ${q}${number}${q}
     enabled: ${q}${boolean}${q}
+spec:
+  interval: ${number}m
+  url: https://host/repo
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: %[1]s
+  namespace: %[1]s
+data:
+  id: ${q}${number}${q}
+  text: |
+    This variable is escaped $${var}
+
+    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus at
+    nisl sem. Nullam nec dui ipsum. Nam vehicula volutpat ipsum, ac fringilla
+    nisl convallis sed. Aliquam porttitor turpis finibus, finibus velit ut,
+    imperdiet mauris. Cras nec neque nulla. Maecenas semper nulla et elit
+    dictum sagittis. Quisque tincidunt non diam non ullamcorper. Curabitur
+    pretium urna odio, vitae ullamcorper purus mollis sit amet. Nam ac lectus
+    ac arcu varius feugiat id fringilla massa.
+
+    \?
 `, name),
 			},
 		}
@@ -423,35 +447,126 @@ metadata:
 					"boolean":    "true",
 				},
 			},
-			Wait: true,
+			Wait: false,
 		},
 	}
 	g.Expect(k8sClient.Create(ctx, inputK)).Should(Succeed())
 
-	resultSA := &corev1.ServiceAccount{}
+	g.Eventually(func() bool {
+		resultK := &kustomizev1.Kustomization{}
+		_ = k8sClient.Get(ctx, client.ObjectKeyFromObject(inputK), resultK)
+		for _, c := range resultK.Status.Conditions {
+			if c.Reason == kustomizev1.ReconciliationSucceededReason {
+				return true
+			}
+		}
+		return false
+	}, timeout, interval).Should(BeTrue())
+
+	resultRepo := &sourcev1.GitRepository{}
+	g.Expect(k8sClient.Get(ctx, types.NamespacedName{Name: id, Namespace: id}, resultRepo)).Should(Succeed())
+	g.Expect(resultRepo.Labels["id"]).To(Equal("123"))
+	g.Expect(resultRepo.Annotations["id"]).To(Equal("123"))
+	g.Expect(resultRepo.Labels["enabled"]).To(Equal("true"))
+	g.Expect(resultRepo.Annotations["enabled"]).To(Equal("true"))
+
+	resultCM := &corev1.ConfigMap{}
+	g.Expect(k8sClient.Get(ctx, types.NamespacedName{Name: id, Namespace: id}, resultCM)).Should(Succeed())
+	g.Expect(resultCM.Data["id"]).To(Equal("123"))
+	g.Expect(resultCM.Data["text"]).To(ContainSubstring(`${var}`))
+	g.Expect(resultCM.Data["text"]).ToNot(ContainSubstring(`$${var}`))
+	g.Expect(resultCM.Data["text"]).To(ContainSubstring(`\?`))
+}
 
-	ensureReconciles := func(nameSuffix string) {
-		t.Run("reconciles successfully"+nameSuffix, func(t *testing.T) {
-			g.Eventually(func() bool {
-				resultK := &kustomizev1.Kustomization{}
-				_ = k8sClient.Get(ctx, client.ObjectKeyFromObject(inputK), resultK)
-				for _, c := range resultK.Status.Conditions {
-					if c.Reason == kustomizev1.ReconciliationSucceededReason {
-						return true
-					}
-				}
-				return false
-			}, timeout, interval).Should(BeTrue())
+func TestKustomizationReconciler_VarsubStrict(t *testing.T) {
+	reconciler.StrictSubstitutions = true
+	defer func() {
+		reconciler.StrictSubstitutions = false
+	}()
 
-			g.Expect(k8sClient.Get(ctx, types.NamespacedName{Name: id, Namespace: id}, resultSA)).Should(Succeed())
-		})
+	ctx := context.Background()
+
+	g := NewWithT(t)
+	id := "vars-" + randStringRunes(5)
+	revision := "v1.0.0/" + randStringRunes(7)
+
+	err := createNamespace(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+	err = createKubeConfigSecret(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+	manifests := func(name string) []testserver.File {
+		return []testserver.File{
+			{
+				Name: "service-account.yaml",
+				Body: fmt.Sprintf(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: %[1]s
+  namespace: %[1]s
+  labels:
+    default: ${default:=test}
+    missing: ${missing}
+`, name),
+			},
+		}
 	}
 
-	ensureReconciles(" with optional ConfigMap")
-	t.Run("replaces vars from optional ConfigMap", func(t *testing.T) {
-		g.Expect(resultSA.Labels["id"]).To(Equal("123"))
-		g.Expect(resultSA.Annotations["id"]).To(Equal("123"))
-		g.Expect(resultSA.Labels["enabled"]).To(Equal("true"))
-		g.Expect(resultSA.Annotations["enabled"]).To(Equal("true"))
+	artifact, err := testServer.ArtifactFromFiles(manifests(id))
+	g.Expect(err).NotTo(HaveOccurred())
+
+	repositoryName := types.NamespacedName{
+		Name:      randStringRunes(5),
+		Namespace: id,
+	}
+
+	err = applyGitRepository(repositoryName, artifact, revision)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	inputK := &kustomizev1.Kustomization{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      id,
+			Namespace: id,
+		},
+		Spec: kustomizev1.KustomizationSpec{
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: meta.SecretKeyReference{
+					Name: "kubeconfig",
+				},
+			},
+			Interval: metav1.Duration{Duration: reconciliationInterval},
+			Path:     "./",
+			Prune:    true,
+			SourceRef: kustomizev1.CrossNamespaceSourceReference{
+				Kind: sourcev1.GitRepositoryKind,
+				Name: repositoryName.Name,
+			},
+			PostBuild: &kustomizev1.PostBuild{
+				Substitute: map[string]string{
+					"test": "test",
+				},
+			},
+			Wait: true,
+		},
+	}
+	g.Expect(k8sClient.Create(ctx, inputK)).Should(Succeed())
+
+	var resultK kustomizev1.Kustomization
+	t.Run("fails to reconcile", func(t *testing.T) {
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(inputK), &resultK)
+			for _, c := range resultK.Status.Conditions {
+				if c.Reason == kustomizev1.BuildFailedReason {
+					return true
+				}
+			}
+			return false
+		}, timeout, interval).Should(BeTrue())
 	})
+
+	ready := apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
+	g.Expect(ready.Message).To(ContainSubstring("variable not set"))
+	g.Expect(k8sClient.Delete(context.Background(), &resultK)).To(Succeed())
 }
diff --git a/internal/features/features.go b/internal/features/features.go
@@ -39,6 +39,11 @@ const (
 	// DisableFailFastBehavior controls whether the fail-fast behavior when
 	// waiting for resources to become ready should be disabled.
 	DisableFailFastBehavior = "DisableFailFastBehavior"
+
+	// StrictPostBuildSubstitutions controls whether the post-build substitutions
+	// should fail if a variable without a default value is declared in files
+	// but is missing from the input vars.
+	StrictPostBuildSubstitutions = "StrictPostBuildSubstitutions"
 )
 
 var features = map[string]bool{
@@ -51,6 +56,9 @@ var features = map[string]bool{
 	// DisableFailFastBehavior
 	// opt-in from v1.1
 	DisableFailFastBehavior: false,
+	// StrictPostBuildSubstitutions
+	// opt-in from v1.3
+	StrictPostBuildSubstitutions: false,
 }
 
 // FeatureGates contains a list of all supported feature gates and
diff --git a/main.go b/main.go
@@ -228,6 +228,12 @@ func main() {
 		failFast = false
 	}
 
+	strictSubstitutions, err := features.Enabled(features.StrictPostBuildSubstitutions)
+	if err != nil {
+		setupLog.Error(err, "unable to check feature gate "+features.StrictPostBuildSubstitutions)
+		os.Exit(1)
+	}
+
 	if err = (&controller.KustomizationReconciler{
 		ControllerName:          controllerName,
 		DefaultServiceAccount:   defaultServiceAccount,
@@ -242,6 +248,7 @@ func main() {
 		PollingOpts:             pollingOpts,
 		StatusPoller:            polling.NewStatusPoller(mgr.GetClient(), mgr.GetRESTMapper(), pollingOpts),
 		DisallowedFieldManagers: disallowedFieldManagers,
+		StrictSubstitutions:     strictSubstitutions,
 	}).SetupWithManager(ctx, mgr, controller.KustomizationReconcilerOptions{
 		DependencyRequeueInterval: requeueDependency,
 		HTTPRetry:                 httpRetry,
