New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ansible]: mark variables from custom resources as unsafe #4566
[ansible]: mark variables from custom resources as unsafe #4566
Conversation
07b20b7
to
c611724
Compare
internal/ansible/runner/runner.go
Outdated
@@ -337,7 +337,7 @@ func (r *runner) makeParameters(u *unstructured.Unstructured) map[string]interfa | |||
parameters = paramconv.MapToSnake(spec) | |||
} else { | |||
for k, v := range spec { | |||
parameters[k] = v | |||
parameters[k] = markUnsafe(v) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are also specifying the spec key as it is for json to Marshall (https://github.com/operator-framework/operator-sdk/pull/4566/files#diff-40a9a64aa847bb7816a7eb40cf6ec6b3ca70a7d4066e320d95fe9c0e0cb2ac11R349). Do we need to tag only these variables as unsafe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah we'll need to run this on all pieces of the spec that we pass in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two more things:
- Could we also add a setting in the
watches.yaml
to toggle this on/off (off by default is good). As far as I can tell there's not a way to mark a variable as safe once it's been marked unsafe, and some authors may actually want to process user-provided templates (or may be relying on that now) - Could we add an integration test with nested values so that we can verify we're properly formatting these variables in a way that Ansible can read
internal/ansible/runner/runner.go
Outdated
@@ -337,7 +337,7 @@ func (r *runner) makeParameters(u *unstructured.Unstructured) map[string]interfa | |||
parameters = paramconv.MapToSnake(spec) | |||
} else { | |||
for k, v := range spec { | |||
parameters[k] = v | |||
parameters[k] = markUnsafe(v) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah we'll need to run this on all pieces of the spec that we pass in.
internal/ansible/runner/runner.go
Outdated
@@ -337,7 +337,7 @@ func (r *runner) makeParameters(u *unstructured.Unstructured) map[string]interfa | |||
parameters = paramconv.MapToSnake(spec) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'd also need to mark these as unsafe
User provided values from the custom resource are tagged unsafe by default. Signed-off-by: varshaprasad96 <varshaprasad96@gmail.com>
Signed-off-by: varshaprasad96 <varshaprasad96@gmail.com>
c611724
to
6e1441c
Compare
Signed-off-by: varshaprasad96 <varshaprasad96@gmail.com>
9a9182d
to
bfbeecd
Compare
Fabian's concerns were addressed by Varsha. Dismissing his change request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Description of the change:
User provided values from the custom resource are tagged
unsafe by default.
Motivation for the change:
Closes: #4169
Checklist
If the pull request includes user-facing changes, extra documentation is required:
changelog/fragments
(seechangelog/fragments/00-template.yaml
)website/content/en/docs