This repository has been archived by the owner on Dec 15, 2021. It is now read-only.

Strict deployment loading from configmap #1199

Merged
merged 3 commits into from
Dec 2, 2020
46 changes: 43 additions & 3 deletions docs/function-controller-configuration.md
Expand Up @@ -4,7 +4,8 @@

Configurations for functions can be done in `ConfigMap`: `kubeless-config` which is a part of `Kubeless` deployment manifests.

Deployments for function can be configured in `data` inside the `ConfigMap`, using key `deployment`, which takes a string in the form of `yaml/json` and is driven by the structure of [v1.Deployment](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#deployment-v1-apps):
Deployments for function can be configured in `data` inside the `ConfigMap`, using key `deployment`, which takes a string in the form of `yaml/json` and is driven by the structure of [v1.Deployment](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#deployment-v1-apps).
Unknown fields or duplicate keys in the provided deployment data will result in an error.

E.g. In the below configuration, new **annotations** are added globally to all function deployments and podTemplates and **replicas** for each function pod will be `2`.

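Review bot: the added sentence "Unknown fields or duplicate keys in the provided deployment data will result in an error" should say where that error surfaces (when the controller loads the ConfigMap, or when a function is deployed) and flag that this is a behaviour change: a `kubeless-config` that currently carries a stray or misspelled key under `deployment` will start failing after this upgrade, which belongs in the release notes. Also, the removed line ended with a colon leading straight into the "E.g. In the below configuration" example, while the replacement ends with a period and puts the new sentence in between; either keep the colon and move the strictness sentence after the example, or reword the "E.g." paragraph so it no longer reads as a continuation.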
Expand Down Expand Up @@ -44,6 +45,45 @@ metadata:
namespace: kubeless
```

The following configuration will result in an error because of duplicate key:

```yaml
apiVersion: v1
data:
deployment: |-
{
"metadata": {
"annotations":{
"annotation-to-deployment": "value",
"annotation-to-deployment": "other value",
}
}
}
ingress-enabled: "false"
service-type: ClusterIP
kind: ConfigMap
metadata:
name: kubeless-config
namespace: kubeless
```

The following configuration will result in an error because of unknown key:

```yaml
apiVersion: v1
data:
deployment: |-
{
"unknown": "hack",
}
ingress-enabled: "false"
service-type: ClusterIP
kind: ConfigMap
metadata:
name: kubeless-config
namespace: kubeless
```

It is **recommended** to have controlled custom configurations on the following **items** (*but is not limited to just these*):

> Warning: You should know what you are doing.
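Review bot: both new examples carry a trailing comma inside the JSON object (`"annotation-to-deployment": "other value",` and `"unknown": "hack",`), which a strict JSON parser rejects as a syntax error before it ever sees the duplicate or unknown key, so as written each example may fail for a different reason than the text claims. Drop the trailing commas so the duplicate-key and unknown-key cases are isolated, and consider stating which error message a user should expect so they can recognise it in the controller logs.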
Expand Down Expand Up @@ -239,10 +279,10 @@ It is possible to configure the different images that Kubeless uses to deploy an
- (Optional) Secrets: Shared with the container as volumes mounted at `/var/run/secrets/kubeless.io/`.
- The image used to populate the base image with the function. This is called `provision-image`. This image should have at least `unzip`, `GNU tar`, `gzip`, `bzip2`, `xz` and `curl`. It is also possible to specify `provision-image-secret` to specify a secret to pull that image from a private registry.
- The image used to build function images. This is called `builder-image`. This image is optional since its usage can be disabled with the property `enable-build-step`. A Dockerfile to build this image can be found [here](https://github.com/kubeless/kubeless/tree/master/docker/function-image-builder). It is also possible to specify `builder-image-secret` to specify a secret to pull that image from a private registry.

## Authenticate Kubeless Function Controller using OAuth Bearer Token

In some non-RBAC k8s deployments using webhook authorization, service accounts may have insufficient privileges to perform all k8s operations that the Kubeless Function Controller requires for interacting with the cluster. It's possible to override the default behavior of the Kubeless Function Controller using a k8s serviceaccount for authentication with the cluster and instead use a provided OAuth Bearer token for all k8s operations.
In some non-RBAC k8s deployments using webhook authorization, service accounts may have insufficient privileges to perform all k8s operations that the Kubeless Function Controller requires for interacting with the cluster. It's possible to override the default behavior of the Kubeless Function Controller using a k8s serviceaccount for authentication with the cluster and instead use a provided OAuth Bearer token for all k8s operations.

This can be done by creating a k8s secret and mounting that secret as a volume on controller pods, then setting the environmental variable `KUBELESS_TOKEN_FILE_PATH` to the filepath of that secret. Be sure to set this environmental variable on the controller template spec or to every pod created in the deployment.

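Review bot: this hunk is a whitespace-only change (the removed and added versions of the "In some non-RBAC k8s deployments" paragraph are textually identical); either drop it from a behaviour-change PR or mention the trailing-whitespace cleanup in the commit message so reviewers do not look for a content difference.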
3 changes: 2 additions & 1 deletion go.mod
Expand Up @@ -7,7 +7,7 @@ require (
github.com/aws/aws-sdk-go v1.16.26
github.com/coreos/prometheus-operator v0.0.0-20171201110357-197eb012d973
github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
github.com/ghodss/yaml v1.0.0
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect
github.com/googleapis/gnostic v0.2.0 // indirect
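Review bot: `github.com/ghodss/yaml` moves from the tagged `v1.0.0` to the pseudo-version `v1.0.1-0.20190212211648-25d852aebe32`, i.e. an untagged commit; the commit message should say which upstream change this pulls in (presumably the strict unmarshalling the docs now describe) and why no tagged release covers it, and the matching `go.sum` entries for the new commit must land in the same change so the dependency stays verifiable.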
Expand All @@ -34,6 +34,7 @@ require (
github.com/spf13/cobra v1.1.1
golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d // indirect
golang.org/x/net v0.0.0-20190620200207-3b0461eec859
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/api v0.0.0-20180308224125-73d903622b73
k8s.io/apiextensions-apiserver v0.0.0-20180327033742-750feebe2038
k8s.io/apimachinery v0.0.0-20180228050457-302974c03f7e
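Review bot: the new `gopkg.in/yaml.v2 v2.4.0 // indirect` line looks like the transitive bump pulled in by the ghodss/yaml update above; confirm it was produced by `go mod tidy` rather than hand-edited, and that `go.sum` gains the `v2.4.0` hashes, so the reviewer can tell this is a consequence of the direct bump and not a second unrelated upgrade.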