refactor: add jsonschema validation for values.yaml

Adding a jsonschema allows user to fail early as the user configuration in the is validated at installation time already. For that reason, there has been added additional validation that couldn't be performed using jsonschema in the helm helper file. Moreover, as we now have our dear conny in artifacthub we can enhance our artifacthub page by adding a jsonschema as artifacthub parses the file and shows its content in a nice format.
sse-secure-systems · Feb 11, 2022 · 7edc099 · 7edc099
1 parent 77ab33b
commit 7edc099
Show file tree

Hide file tree

Showing 6 changed files with 1,885 additions and 2 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -14,5 +14,6 @@ Fixes #
 - [ ] PR follows [Contributing Guide](../docs/CONTRIBUTING.md)
 - [ ] Added tests (if necessary)
 - [ ] Extended README/Documentation (if necessary)
+- [ ] Adjusted `helm/values.schema.json` according to new changes if `helm/values.yaml` has been touched
 - [ ] Adjusted versions of image and Helm chart in `values.yaml` and `Chart.yaml` (if necessary)
 
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: connaisseur
 description: Helm chart for Connaisseur - a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster.
 type: application
-version: 1.2.1
+version: 1.2.2
 appVersion: 2.4.1
 keywords:
   - container image

diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -184,3 +184,71 @@ Extract Kubernetes Minor Version.
   readOnly: true
 {{- end -}}
 {{- end -}}
+{{- define "checkForAlertTemplates" -}}
+  {{ $files := .Files }}
+  {{- if .Values.alerting }}
+    {{- if .Values.alerting.admit_request }}
+      {{- if .Values.alerting.admit_request.templates }}
+        {{- range .Values.alerting.admit_request.templates }}
+          {{- $filename := .template -}}
+          {{- $file := printf "alert_payload_templates/%s.json" $filename | $files.Get }}
+          {{- if $file }}
+          {{- else }}
+            {{- fail (printf "The value of the alert template must be chosen such that <template>.json matches one of the file names in the ./alert_payload_templates directory, but there is no %s.json file in that directory or the file is empty." $filename) }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.alerting.reject_request }}
+      {{- if .Values.alerting.reject_request.templates }}
+        {{- range .Values.alerting.reject_request.templates }}
+          {{- $filename := .template -}}
+          {{- $file := printf "alert_payload_templates/%s.json" $filename | $files.Get }}
+          {{- if $file }}
+          {{- else }}
+            {{- fail (printf "The value of the alert template must be chosen such that <template>.json matches one of the file names in the ./alert_payload_templates directory, but there is no %s.json file in that directory or the file is empty." $filename) }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{- define "validatePolicy" -}}
+  {{- $validatornames := list }}
+  {{ range .Values.validators }}
+    {{- $validator := deepCopy . }}
+    {{ $validatornames = append $validatornames $validator.name }}
+  {{- end }}
+  {{- range .Values.policy }}
+    {{- $policy := deepCopy . -}}
+    {{- if $policy.validator }}
+      {{- if has $policy.validator $validatornames }}
+      {{- else }}
+        {{- fail (printf "Validator %s has not been defined and cannot be used in a policy." $policy.validator)}}
+      {{- end }}
+      {{- $validtrustroots := list }}
+      {{ range $.Values.validators }}
+        {{- $validator := deepCopy .}}
+        {{- if eq $validator.name $policy.validator}}
+          {{range $validator.trust_roots }}
+            {{ $trustroot := deepCopy .}}
+            {{- $validtrustroots = append $validtrustroots $trustroot.name }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+      {{- if $policy.with }}
+        {{- if has $policy.with.trust_root $validtrustroots }}
+        {{- else if eq $policy.with.trust_root "default" }}
+        {{- else }}
+          {{- fail (printf "Validator %s has no %s trust root defined." $policy.validator $policy.with.trust_root)}}
+        {{- end }}
+      {{- end}}
+    {{- else }}
+      {{- if has "default" $validatornames }}
+      {{- else }}
+        {{- fail (printf "Policy for images matching '%s' has no explicit validator defined such that the validator named 'default' is going to be used, but there is no validator named 'default' defined." $policy.pattern)}}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/helm/templates/alertconfig.yaml b/helm/templates/alertconfig.yaml
@@ -1,3 +1,5 @@
+{{ include "checkForAlertTemplates" . }}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -28,4 +30,4 @@ stringData:
   {{- if .Values.alerting}}
   alertconfig.json: |
     {{ mustToJson .Values.alerting | nindent 4 }}
-  {{- end }}
+  {{- end }}
diff --git a/helm/templates/config.yaml b/helm/templates/config.yaml
@@ -1,3 +1,5 @@
+{{ include "validatePolicy" . }}
+
 apiVersion: v1
 kind: ConfigMap
 metadata: