fix(nexus): tighten config validation and skip empty pod annotations#15
Conversation
Address review feedback from #14: - Drop the unconditional `annotations:` block in the deployment template — it rendered an empty key whenever neither the configMap checksum nor any user `podAnnotations` were present. - Emit a `checksum/config` for the SecretProviderClass too when `create: true`, so chart-managed SPC edits also roll the pod. - Extend `nexus.validateConfigProvider` to require `mountPath` whenever a provider is set, require `secretProviderClass.driver`, and reject `secretProviderClass.create=true` without `provider` and a non-empty `secrets` list. Bumps chart version to 0.5.1.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request bumps the Nexus chart version to 0.5.1 and introduces enhanced validation for configuration providers in the helper templates, ensuring that mount paths and SecretProviderClass details are correctly defined. Additionally, it updates the deployment template to include a configuration checksum for SecretProviderClass to trigger pod restarts on changes. A review comment identifies a potential issue where the 'checksum/config' annotation key could collide if users provide the same key in custom pod annotations or if multiple providers are used.
| checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} | ||
| {{- end }} | ||
| {{- if $spcChecksum }} | ||
| checksum/config: {{ include (print $.Template.BasePath "/secretproviderclass.yaml") . | sha256sum }} |
There was a problem hiding this comment.
The checksum/config annotation is used for both configMap and secretProviderClass providers. While they are currently mutually exclusive, if the chart were extended to support multiple providers simultaneously, this would lead to duplicate keys in the YAML. Additionally, if a user provides checksum/config in podAnnotations, it will be duplicated or overwritten depending on the YAML parser. Consider using a more unique key or merging the annotations to avoid potential collisions.
1 participant
Summary
Follow-up on review feedback from #14:
annotations:block. The deployment template emitted an emptyannotations:key whenever the provider wasn'tconfigMapandpodAnnotationswas empty. The block is now gated on actually having something to write.create: true, so edits to the chart-managed SPC roll the pod the same way ConfigMap edits do.nexus.validateConfigProvider:config.mountPathis required wheneverconfig.provideris set.secretProviderClassrequiresdriver.secretProviderClass.create: trueadditionally requiresproviderand a non-emptysecretslist (otherwise the SPC would render incomplete and apply would fail with a less clear error).Chart version: 0.5.0 → 0.5.1.
Test plan
provider: ""(default) — noannotations:block in the deploymentprovider: secretProviderClasswithcreate: false— noannotations:blockprovider: configMap—checksum/configannotation presentprovider: secretProviderClasswithcreate: true—checksum/configannotation present (hashing the SPC)mountPath: ""with provider set —fail"config.mountPath is required when config.provider is set"driver—failwith required-field messagecreate: truebut missingprovider—failcreate: truebut emptysecrets—failhelm lintclean