Introduce template for enforcing immutability of s-u values
What does this MR do and why?
Closes #1161 (closed)
Introduces:
- s-u dict value (loose schema) ._internal.immutable_values and named template to walk it for defining which values are immutable and returning a templating failure if a value drift is found
- immutability is verified by checking the equality between what previous sylva-units Helm release saved inside Secret/sylva-units-values contents and the current release .Values contents
- because in templates/sylva-units-values.yaml I've wrapped the check in
# templates/sylva-units-values.yaml
{{- if .Release.IsUpgrade -}}
{{- $previous_values := .Values._internal.previous_values -}}
{{- tuple .Values._internal.immutable_values $previous_values .Values list | include "check-immutable-values" -}}
{{- end -}}
# charts/sylva-units/values.yaml
_internal:
  previous_values: '{{ lookup "v1" "Secret" .Release.Namespace "sylva-units-values" | dig "data" "values" "" | b64dec | fromYaml | default dict | include "preserve-type" }}'
  immutable_values:
    cluster:
      name: true
      capi_providers:
        bootstrap_provider:
          _immutable: true
          _immutable_comment: "K8s distribution of a running cluster can't be changed"
with a .Release.IsUpgrade conditional, I had to add the helm template --is-upgrade option to the tools/validation/helm-template-yamllint.sh script
Related reference(s)
Test coverage
Tested locally with helm template with a small change to simulate the contents of the $currentValues with values passed under _internal
# charts/sylva-units/templates/sylva-units-values.yaml
{{- $currentValues := .Values._internal -}}
{{- tuple .Values.immutable_values $currentValues .Values list | include "check-immutable-values" -}}
# charts/sylva-units/values.yaml
_internal:
immutable_values:
  cluster:
    name:
      _immutable: true
    capi_providers:
      bootstrap_provider:
        _immutable: true
  vsphere:
    vsphere-cpi:
      vsphere_conf:
        global:
          insecureFlag:
            _immutable: true
where _internal is hosting the "current Helm release values":
1)
# charts/sylva-units/values.yaml
_internal:
  cluster:
    name: old-management-cluster
    capi_providers:
      bootstrap_provider: cabpk
  vsphere:
    vsphere-cpi:
      vsphere_conf:
        global:
          insecureFlag: true
[git:test-immutable]root@caasdev:sylva-units# helm template .
Error: execution error at (sylva-units/templates/sylva-units-values.yaml:90:68): Immutable value for '.cluster.name' has changed (from 'old-management-cluster' to 'management-cluster').
Use --debug flag to render out invalid YAML
[git:test-immutable]root@caasdev:sylva-units#
2)
# charts/sylva-units/values.yaml
_internal:
  cluster:
    capi_providers:
      bootstrap_provider: old-cabpk
    name: management-cluster
  vsphere:
    vsphere-cpi:
      vsphere_conf:
        global:
          insecureFlag: true
[git:test-immutable]root@caasdev:sylva-units# helm template .
Error: execution error at (sylva-units/templates/sylva-units-values.yaml:90:68): Immutable value for '.cluster.capi_providers.bootstrap_provider' has changed (from 'old-cabpk' to 'cabpk').
Use --debug flag to render out invalid YAML
[git:test-immutable]root@caasdev:sylva-units#
3)
# charts/sylva-units/values.yaml
_internal:
  cluster:
    name: management-cluster
    capi_providers:
      bootstrap_provider: cabpk
  vsphere:
    vsphere-cpi:
      vsphere_conf:
        global:
          insecureFlag: old-true
[git:test-immutable]root@caasdev:sylva-units# helm template .
Error: execution error at (sylva-units/templates/sylva-units-values.yaml:90:68): Immutable value for '.vsphere.vsphere-cpi.vsphere_conf.global.insecureFlag' has changed (from 'old-true' to '%!s(bool=true)').
Use --debug flag to render out invalid YAML
[git:test-immutable]root@caasdev:sylva-units#
Edited by Bogdan-Adrian Burciu
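
A Python model of the immutability walk described above, usable as a pre-upgrade check outside Helm. It is an added example, not the chart's check-immutable-values template or code from this MR. The function names, the choice to treat a path with no previously saved value as "no drift", and the type-aware comparison are assumptions; the sample values are constructed from the ones in the description.

```python
_MISSING = object()  # sentinel for "key absent", distinct from an explicit null

def is_marker(node):
    """Loose schema: a leaf is immutable if it is `true` or `{_immutable: true}`."""
    return node is True or (isinstance(node, dict) and node.get("_immutable") is True)

def dig(values, path):
    """Follow path through nested dicts; return _MISSING if any hop is absent."""
    for key in path:
        if not isinstance(values, dict) or key not in values:
            return _MISSING
        values = values[key]
    return values

def find_drift(schema, previous, current, path=()):
    """Return one message per immutable path whose value differs between releases."""
    errors = []
    for key, node in schema.items():
        here = path + (key,)
        if is_marker(node):
            old, new = dig(previous, here), dig(current, here)
            if old is _MISSING:
                continue  # assumption: nothing saved yet for this path, so no drift
            # Compare type as well as value so that True and "true" never match.
            if type(old) is not type(new) or old != new:
                shown = "<unset>" if new is _MISSING else repr(new)
                note = node.get("_immutable_comment") if isinstance(node, dict) else None
                errors.append(f"Immutable value for '.{'.'.join(here)}' has changed "
                              f"(from {old!r} to {shown})" + (f": {note}" if note else ""))
        elif isinstance(node, dict):
            errors.extend(find_drift(node, previous, current, here))
    return errors

# Constructed sample data, modelled on the values in the MR description.
SCHEMA = {
    "cluster": {"name": True, "capi_providers": {"bootstrap_provider": {
        "_immutable": True,
        "_immutable_comment": "K8s distribution of a running cluster can't be changed"}}},
    "vsphere": {"vsphere-cpi": {"vsphere_conf": {"global": {"insecureFlag": {"_immutable": True}}}}},
}
PREVIOUS = {"cluster": {"name": "management-cluster",
                        "capi_providers": {"bootstrap_provider": "old-cabpk"}},
            "vsphere": {"vsphere-cpi": {"vsphere_conf": {"global": {"insecureFlag": "true"}}}}}
CURRENT = {"cluster": {"name": "management-cluster",
                       "capi_providers": {"bootstrap_provider": "cabpk"}},
           "vsphere": {"vsphere-cpi": {"vsphere_conf": {"global": {"insecureFlag": True}}}}}

if __name__ == "__main__":
    print("\n".join(find_drift(SCHEMA, PREVIOUS, CURRENT)))
```

The last sample case shows why the comparison is type-aware: a saved string "true" and a boolean true are reported as drift rather than silently treated as equal.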