add a key_safe filter to ensure ConfigMap/Secret keys are converted t…

…o something safe to use
cloudtruth · Jun 17, 2021 · 6ef09e1 · 6ef09e1
1 parent 3249752
commit 6ef09e1
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -152,6 +152,7 @@ ones:
 
  * `dns_safe` - Ensures the string is safe for use as a kubernetes resource name (i.e. Namespace/ConfigMap/Secret names)
  * `env_safe` - Ensures the string is safe for setting as a shell environment variable
+ * `key_safe` - Ensures the string is safe for use as a key inside a ConfigMap/Secret data hash
  * `indent: count` - Indents each line in the argument by count spaces
  * `nindent: count` - Adds a leading newline, then indents each line in the argument by count spaces
  * `stringify` - Converts argument to a staring safe to use in yaml (escapes quotes and surrounds with the quote character)

diff --git a/helm/kubetruth/values.yaml b/helm/kubetruth/values.yaml
@@ -105,7 +105,7 @@ projectMappings:
               {{ parameter_origins | to_yaml | indent: 6 | lstrip }}
         data:
           {%- for parameter in parameters %}
-          {{ parameter[0] | stringify }}: {{ parameter[1] | stringify }}
+          {{ parameter[0] | key_safe | stringify }}: {{ parameter[1] | stringify }}
           {%- endfor %}
         {%- endif %}
 
@@ -124,6 +124,6 @@ projectMappings:
               {{ secret_origins | to_yaml | indent: 6 | lstrip }}
         data:
           {%- for secret in secrets %}
-          {{ secret[0] | stringify }}: {{ secret[1] | encode64 | stringify }}
+          {{ secret[0] | key_safe | stringify }}: {{ secret[1] | encode64 | stringify }}
           {%- endfor %}
         {%- endif %}
diff --git a/lib/kubetruth/template.rb b/lib/kubetruth/template.rb
@@ -15,6 +15,7 @@ module CustomLiquidFilters
       # From kubernetes error message
       DNS_VALIDATION_RE = /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/
       ENV_VALIDATION_RE = /^[A-Z_][A-Z0-9_]*$/
+      KEY_VALIDATION_RE = /^[\w\.\-]*$/
 
       def dns_safe(str)
         return str if str =~ DNS_VALIDATION_RE
@@ -32,6 +33,13 @@ def env_safe(str)
         result
       end
 
+      # Kubernetes validation: a valid config key must consist of alphanumeric
+      # characters, '-', '_' or '.'
+      def key_safe(str)
+        return str if str =~ KEY_VALIDATION_RE
+        str.gsub(/[^\w\.\-]+/, '_')
+      end
+
       def indent(str, count)
         result = ""
         str.lines.each do |l|

diff --git a/spec/kubetruth/template_spec.rb b/spec/kubetruth/template_spec.rb
@@ -74,6 +74,23 @@ module Kubetruth
 
       end
 
+      describe "#key_safe" do
+
+        it "returns if already valid" do
+          str = "aB1-_."
+          expect(key_safe(str)).to equal(str)
+        end
+
+        it "cleans up name" do
+          expect(key_safe("Foo/Bar.Baz-0")).to eq("Foo_Bar.Baz-0")
+        end
+
+        it "simplifies successive non-chars" do
+          expect(key_safe("foo/&!bar")).to eq("foo_bar")
+        end
+
+      end
+
       describe "#indent" do
 
         it "indents by count spaces for each line" do