From 5be306a59b85721108a9baddce0b17f1bbb6acae Mon Sep 17 00:00:00 2001
From: Gus Luxton
Date: Fri, 19 May 2023 12:21:48 -0300
Subject: [PATCH 1/2] helm: Fail install if clusterName contains a port
---
 .../templates/proxy/config.yaml | 9 +++
 .../__snapshot__/proxy_config_test.yaml.snap | 60 +++++++++++++++++++
 .../tests/proxy_config_test.yaml | 36 +++++++++++
 3 files changed, 105 insertions(+)
diff --git a/examples/chart/teleport-cluster/templates/proxy/config.yaml b/examples/chart/teleport-cluster/templates/proxy/config.yaml
index 0d98cb99ce149..979f7e9a94c76 100644
--- a/examples/chart/teleport-cluster/templates/proxy/config.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/config.yaml
@@ -1,5 +1,14 @@
 {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
 {{- $configTemplate := printf "teleport-cluster.proxy.config.%s" $proxy.chartMode -}}
+{{- if (contains ":" $proxy.clusterName) -}}
+ {{- $split := split ":" $proxy.clusterName -}}
+ {{- $maybePort := int $split._1 -}}
+ {{- /* Technically helm-example:test could be a valid cluster name, but strings convert to 0 */ -}}
+ {{- /* Only fail when numbers are explicitly used */ -}}
+ {{- if or (gt $maybePort 0) (hasSuffix ":0" $proxy.clusterName) -}}
+ {{- fail "clusterName must not contain a port" -}}
+ {{- end -}}
+{{- end -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
index ea55919113818..4088f0d07f12b 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
@@ -1,3 +1,63 @@ +generates a config with a clusterName containing a regular string: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: helm-test.example.com:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 +generates a config with a clusterName containing a regular string and a colon: + 1: | + |- + auth_service: + enabled: false + proxy_service: + enabled: true + kube_listen_addr: 0.0.0.0:3026 + listen_addr: 0.0.0.0:3023 + mysql_listen_addr: 0.0.0.0:3036 + public_addr: helm-test:cluster-1:443 + tunnel_listen_addr: 0.0.0.0:3024 + ssh_service: + enabled: false + teleport: + auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 + join_params: + method: kubernetes + token_name: RELEASE-NAME-proxy + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + version: v3 matches snapshot for acme-on.yaml: 1: | |-
diff --git a/examples/chart/teleport-cluster/tests/proxy_config_test.yaml b/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
index 23727d44cc07c..d7b3a17468b34 100644
--- a/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
@@ -137,3 +137,39 @@ tests:
 of: ConfigMap
 - matchSnapshot:
 path: data.teleport\.yaml
+
+ - it: generates a config with a clusterName containing a regular string
+ set:
+ clusterName: "helm-test.example.com"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: generates a config with a clusterName containing a regular string and a colon
+ set:
+ clusterName: "helm-test:cluster-1"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - matchSnapshot:
+ path: data.teleport\.yaml
+
+ - it: fails when clusterName contains a port
+ set:
+ clusterName: "helm-test.example.com:443"
+ asserts:
+ - failedTemplate:
+ errorMessage: "clusterName must not contain a port"
+
+ - it: fails when clusterName contains port 0
+ set:
+ clusterName: "helm-test.example.com:0"
+ asserts:
+ - failedTemplate:
+ errorMessage: "clusterName must not contain a port"
From ee9a7ac7c21e7402ce1f36f2410d09fc721bebe1 Mon Sep 17 00:00:00 2001
From: Gus Luxton
Date: Fri, 19 May 2023 12:25:28 -0300
Subject: [PATCH 2/2] Colons should not be allowed at all as they break public address templating
---
 .../templates/proxy/config.yaml | 8 +----
 .../__snapshot__/proxy_config_test.yaml.snap | 30 -------------------
 .../tests/proxy_config_test.yaml | 19 +++---------
 3 files changed, 5 insertions(+), 52 deletions(-)
diff --git a/examples/chart/teleport-cluster/templates/proxy/config.yaml b/examples/chart/teleport-cluster/templates/proxy/config.yaml
index 979f7e9a94c76..8cd7788ad0c47 100644
--- a/examples/chart/teleport-cluster/templates/proxy/config.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/config.yaml
@@ -1,13 +1,7 @@
 {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
 {{- $configTemplate := printf "teleport-cluster.proxy.config.%s" $proxy.chartMode -}}
 {{- if (contains ":" $proxy.clusterName) -}}
- {{- $split := split ":" $proxy.clusterName -}}
- {{- $maybePort := int $split._1 -}}
- {{- /* Technically helm-example:test could be a valid cluster name, but strings convert to 0 */ -}}
- {{- /* Only fail when numbers are explicitly used */ -}}
- {{- if or (gt $maybePort 0) (hasSuffix ":0" $proxy.clusterName) -}}
- {{- fail "clusterName must not contain a port" -}}
- {{- end -}}
+ {{- fail "clusterName must not contain a colon, you can override the cluster's public address with publicAddr" -}}
 {{- end -}}
 apiVersion: v1
 kind: ConfigMap
diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
index 4088f0d07f12b..7765a078da150 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap
@@ -28,36 +28,6 @@ generates a config with a clusterName containing a regular string: output: stderr severity: INFO version: v3 -generates a config with a clusterName containing a regular string and a colon: - 1: | - |- - auth_service: - enabled: false - proxy_service: - enabled: true - kube_listen_addr: 0.0.0.0:3026 - listen_addr: 0.0.0.0:3023 - mysql_listen_addr: 0.0.0.0:3036 - public_addr: helm-test:cluster-1:443 - tunnel_listen_addr: 0.0.0.0:3024 - ssh_service: - enabled: false - teleport: - auth_server: RELEASE-NAME-auth.NAMESPACE.svc.cluster.local:3025 - join_params: - method: kubernetes - token_name: RELEASE-NAME-proxy - log: - format: - extra_fields: - - timestamp - - level - - component - - caller - output: text - output: stderr - severity: INFO - version: v3 matches snapshot for acme-on.yaml: 1: | |-
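Review bot: The guard at the top of `templates/proxy/config.yaml` is a one-character denylist: only `:` is rejected, while `$proxy.clusterName` is still interpolated into `public_addr` as `<clusterName>:443` (the snapshot removed in this patch shows `helm-test:cluster-1:443`), so whitespace, `/` or `@` in the value would still render into the proxy configuration. If clusterName is always meant to be a DNS name, an allowlist fails closed on anything unexpected: `{{- if not (regexMatch "^[A-Za-z0-9.-]+$" $proxy.clusterName) -}}`; the permitted character set, and whether an empty value must still pass, should be confirmed against what Teleport accepts before adopting it. The two explanatory template comments were removed together with the old logic, so a replacement such as `{{- /* clusterName becomes the host part of public_addr; a colon would be read as a host:port separator */ -}}` above the `fail` would keep the reason next to the check. The rest of the template continues outside the hunk.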
diff --git a/examples/chart/teleport-cluster/tests/proxy_config_test.yaml b/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
index d7b3a17468b34..3c6b93938204f 100644
--- a/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_config_test.yaml
@@ -149,27 +149,16 @@ tests:
 - matchSnapshot:
 path: data.teleport\.yaml
- - it: generates a config with a clusterName containing a regular string and a colon
+ - it: fails when clusterName contains a regular string and a colon
 set:
 clusterName: "helm-test:cluster-1"
 asserts:
- - hasDocuments:
- count: 1
- - isKind:
- of: ConfigMap
- - matchSnapshot:
- path: data.teleport\.yaml
+ - failedTemplate:
+ errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr"
 - it: fails when clusterName contains a port
 set:
 clusterName: "helm-test.example.com:443"
 asserts:
 - failedTemplate:
- errorMessage: "clusterName must not contain a port"
-
- - it: fails when clusterName contains port 0
- set:
- clusterName: "helm-test.example.com:0"
- asserts:
- - failedTemplate:
- errorMessage: "clusterName must not contain a port"
+ errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr"
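Review bot: Both failing cases set only the top-level `clusterName`, but the template validates `$proxy.clusterName`, which is `.Values` overwritten by `.Values.proxy`, so a colon supplied through `proxy.clusterName` reaches the same `public_addr` rendering by a route these tests never exercise. A third case that sets the value under `proxy:` would pin that the guard also covers the override. The indentation below is assumed, because the page has lost the file's original whitespace, and the `tests:` list continues outside the hunk.

```yaml
# … unchanged: existing "fails when clusterName contains a port" case …
  - it: fails when proxy.clusterName override contains a colon
    set:
      proxy:
        clusterName: "helm-test:cluster-1"
    asserts:
      - failedTemplate:
          errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr"
```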