From 60cf252e8b8acfdc12f99e9b12ce0daa140b96f0 Mon Sep 17 00:00:00 2001
From: Paul Morie
Date: Mon, 18 Jan 2016 15:07:48 -0500
Subject: [PATCH] Add validation for variant-type of EnvVarSource
---
 pkg/api/validation/validation.go | 33 +++++++++++++++++++++++----
 pkg/api/validation/validation_test.go | 30 ++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/pkg/api/validation/validation.go b/pkg/api/validation/validation.go
index 165c3b2914e..980fc5a4a65 100644
--- a/pkg/api/validation/validation.go
+++ b/pkg/api/validation/validation.go
@@ -964,17 +964,25 @@ func validateEnvVarValueFrom(ev api.EnvVar, fldPath *field.Path) field.ErrorList
 numSources := 0
- switch {
- case ev.ValueFrom.FieldRef != nil:
+ if ev.ValueFrom.FieldRef != nil {
 numSources++
 allErrs = append(allErrs, validateObjectFieldSelector(ev.ValueFrom.FieldRef, &validFieldPathExpressionsEnv, fldPath.Child("fieldRef"))...)
- case ev.ValueFrom.ConfigMapKeyRef != nil:
+ }
+ if ev.ValueFrom.ConfigMapKeyRef != nil {
 numSources++
 allErrs = append(allErrs, validateConfigMapKeySelector(ev.ValueFrom.ConfigMapKeyRef, fldPath.Child("configMapKeyRef"))...)
 }
+ if ev.ValueFrom.SecretKeyRef != nil {
+ numSources++
+ allErrs = append(allErrs, validateSecretKeySelector(ev.ValueFrom.SecretKeyRef, fldPath.Child("secretKeyRef"))...)
+ }
- if len(ev.Value) != 0 && numSources != 0 {
- allErrs = append(allErrs, field.Invalid(fldPath, "", "may not be specified when `value` is not empty"))
+ if len(ev.Value) != 0 {
+ if numSources != 0 {
+ allErrs = append(allErrs, field.Invalid(fldPath, "", "may not be specified when `value` is not empty"))
+ }
+ } else if numSources != 1 {
+ allErrs = append(allErrs, field.Invalid(fldPath, "", "may not have more than one field specified at a time"))
 }
 return allErrs
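Review bot: The `else if numSources != 1` branch at the end of this hunk also fires when `value` is empty and no source is set at all, and it then reports "may not have more than one field specified at a time", which misdescribes the problem. Splitting the branch gives each case an accurate message: `} else if numSources == 0 {` with `allErrs = append(allErrs, field.Required(fldPath, "must specify one of fieldRef, configMapKeyRef or secretKeyRef"))`, then `} else if numSources > 1 {` for the existing message. With `secretKeyRef` now a source, the rejection text is what tells an operator whether a manifest mixed a secret reference with another source or set none. validateEnvVarValueFrom begins above the hunk, so whether a nil `ValueFrom` returns earlier is not visible here.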
@@ -1014,6 +1022,21 @@ func validateConfigMapKeySelector(s *api.ConfigMapKeySelector, fldPath *field.Pa
 return allErrs
 }
+func validateSecretKeySelector(s *api.SecretKeySelector, fldPath *field.Path) field.ErrorList {
+ allErrs := field.ErrorList{}
+
+ if len(s.Name) == 0 {
+ allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+ }
+ if len(s.Key) == 0 {
+ allErrs = append(allErrs, field.Required(fldPath.Child("key"), ""))
+ } else if !IsSecretKey(s.Key) {
+ allErrs = append(allErrs, field.Invalid(fldPath.Child("key"), s.Key, fmt.Sprintf("must have at most %d characters and match regex %s", validation.DNS1123SubdomainMaxLength, SecretKeyFmt)))
+ }
+
+ return allErrs
+}
+
 func validateVolumeMounts(mounts []api.VolumeMount, volumes sets.String, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
diff --git a/pkg/api/validation/validation_test.go b/pkg/api/validation/validation_test.go
index c911b0c6c97..f3ca9d02ea4 100644
--- a/pkg/api/validation/validation_test.go
+++ b/pkg/api/validation/validation_test.go
@@ -812,6 +812,17 @@ func TestValidateEnv(t *testing.T) {
 },
 },
 },
+ {
+ Name: "secret_value",
+ ValueFrom: &api.EnvVarSource{
+ SecretKeyRef: &api.SecretKeySelector{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "some-secret",
+ },
+ Key: "secret-key",
+ },
+ },
+ },
 }
 if errs := validateEnv(successCase, field.NewPath("field")); len(errs) != 0 {
 t.Errorf("expected success: %v", errs)
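Review bot: validateSecretKeySelector checks `s.Name` only for emptiness, while `s.Key` is also format-checked with `IsSecretKey`, so a reference whose name could never be a valid secret name passes this function. If the name is not validated elsewhere (not visible in this hunk), it should get the same name-format check that secret objects get, so a malformed reference is rejected at validation time instead of surfacing later. The function also has no doc comment; something like `// validateSecretKeySelector checks that the selector names a secret and a syntactically valid key; it does not check that the secret or key exists.` would state the limit of the check.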
@@ -846,6 +857,25 @@ func TestValidateEnv(t *testing.T) {
 }},
 expectedError: "[0].valueFrom: Invalid value: \"\": may not be specified when `value` is not empty",
 },
+ {
+ name: "FieldRef and SecretKeyRef specified",
+ envs: []api.EnvVar{{
+ Name: "abc",
+ ValueFrom: &api.EnvVarSource{
+ FieldRef: &api.ObjectFieldSelector{
+ APIVersion: testapi.Default.GroupVersion().String(),
+ FieldPath: "metadata.name",
+ },
+ SecretKeyRef: &api.SecretKeySelector{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "a-secret",
+ },
+ Key: "a-key",
+ },
+ },
+ }},
+ expectedError: "[0].valueFrom: Invalid value: \"\": may not have more than one field specified at a time",
+ },
 {
 name: "missing FieldPath on ObjectFieldSelector",
 envs: []api.EnvVar{{
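Review bot: The added error case covers only `FieldRef` combined with `SecretKeyRef`; none of the test hunks shown exercises the new failure branches of validateSecretKeySelector (empty `Name`, empty `Key`, a `Key` rejected by `IsSecretKey`). A `ValueFrom` with no source set and a `SecretKeyRef` combined with a non-empty `Value` are also untested here. One table entry per branch, each with its own `expectedError`, would pin the messages and catch a regression that lets an under-specified secret reference through. TestValidateEnv starts and ends outside this hunk, so such cases may already exist elsewhere in the table.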