fix(live): validate annotation values to prevent silent data loss #4371
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Copyright 2026 The kpt Authors | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| parallel: true | ||
|
|
||
| kptArgs: | ||
| - "live" | ||
| - "apply" | ||
|
|
||
| # Expected exit code is non-zero (failure) | ||
| exitCode: 1 | ||
|
|
||
| # Error should be in stderr with clear message about which field failed | ||
| stdErr: | | ||
| error: annotation "example.com/enabled" must be a string, got boolean |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| apiVersion: kpt.dev/v1 | ||
| kind: Kptfile | ||
| metadata: | ||
| name: invalid-annotation-type |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: bad-config | ||
| annotations: | ||
| example.com/enabled: true | ||
| data: | ||
| key: value |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| apiVersion: kpt.dev/v1alpha1 | ||
| kind: ResourceGroup | ||
| metadata: | ||
| name: inventory-obj | ||
| namespace: invalid-annotation-type | ||
| labels: | ||
| cli-utils.sigs.k8s.io/inventory-id: test-invalid-annotation |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Copyright 2026 The kpt Authors | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| parallel: true | ||
|
|
||
| kptArgs: | ||
| - "live" | ||
| - "apply" | ||
|
|
||
| # Expected exit code is non-zero (failure) | ||
| exitCode: 1 | ||
|
|
||
| # Error should be in stderr with clear message about which field failed | ||
| stdErr: | | ||
| error: label "app.kubernetes.io/enabled" must be a string, got boolean |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| apiVersion: kpt.dev/v1 | ||
| kind: Kptfile | ||
| metadata: | ||
| name: invalid-label-type |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: bad-label-config | ||
| labels: | ||
| app.kubernetes.io/enabled: true | ||
| data: | ||
| key: value |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| apiVersion: kpt.dev/v1alpha1 | ||
| kind: ResourceGroup | ||
| metadata: | ||
| name: inventory-obj | ||
| namespace: invalid-label-type | ||
| labels: | ||
| cli-utils.sigs.k8s.io/inventory-id: test-invalid-label |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -16,6 +16,7 @@ package live | |||||||||||||||
|
|
||||||||||||||||
| import ( | ||||||||||||||||
| "encoding/json" | ||||||||||||||||
| "fmt" | ||||||||||||||||
|
|
||||||||||||||||
| "github.com/kptdev/kpt/internal/util/pathutil" | ||||||||||||||||
| rgfilev1alpha1 "github.com/kptdev/kpt/pkg/api/resourcegroup/v1alpha1" | ||||||||||||||||
|
|
@@ -93,6 +94,9 @@ func removeAnnotations(n *yaml.RNode, annotations ...kioutil.AnnotationKey) erro | |||||||||||||||
| // | ||||||||||||||||
| //nolint:interfacer | ||||||||||||||||
| func kyamlNodeToUnstructured(n *yaml.RNode) (*unstructured.Unstructured, error) { | ||||||||||||||||
| if err := validateMetadataStringMaps(n); err != nil { | ||||||||||||||||
| return nil, err | ||||||||||||||||
| } | ||||||||||||||||
| b, err := n.MarshalJSON() | ||||||||||||||||
| if err != nil { | ||||||||||||||||
| return nil, err | ||||||||||||||||
|
|
@@ -109,6 +113,109 @@ func kyamlNodeToUnstructured(n *yaml.RNode) (*unstructured.Unstructured, error) | |||||||||||||||
| }, nil | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
|
There was a problem hiding this comment. This function is missing a documentation comment. According to Go conventions and best practices visible throughout the codebase (e.g., kyamlNodeToUnstructured on line 92, removeAnnotations on line 81), exported and internal functions should have documentation comments that explain their purpose, parameters, and behavior. Add a comment explaining what this function does, what errors it returns, and when those errors occur.
Suggested change
|
||||||||||||||||
| // validateMetadataStringMaps inspects the raw YAML nodes for metadata.annotations | ||||||||||||||||
| // and metadata.labels to ensure all values are strings. This prevents silent data | ||||||||||||||||
| // loss that occurs when non-string values (booleans, integers, floats) are | ||||||||||||||||
| // unmarshaled into map[string]string fields. | ||||||||||||||||
| // | ||||||||||||||||
| // Parameters: | ||||||||||||||||
| // - n: The RNode representing a Kubernetes resource | ||||||||||||||||
| // | ||||||||||||||||
| // Returns: | ||||||||||||||||
| // - error: A descriptive error if any annotation or label value is not a string, | ||||||||||||||||
| // nil otherwise | ||||||||||||||||
| func validateMetadataStringMaps(n *yaml.RNode) error { | ||||||||||||||||
| metadata := n.Field("metadata") | ||||||||||||||||
| if metadata == nil || metadata.Value == nil { | ||||||||||||||||
| return nil | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| // Validate annotations | ||||||||||||||||
| if err := validateStringMap(metadata.Value, "annotations", "annotation"); err != nil { | ||||||||||||||||
| return err | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| // Validate labels | ||||||||||||||||
| if err := validateStringMap(metadata.Value, "labels", "label"); err != nil { | ||||||||||||||||
| return err | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| return nil | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| // validateStringMap checks that all values in a metadata field (annotations or labels) | ||||||||||||||||
| // are strings. It inspects the YAML tag of each value to detect non-string types | ||||||||||||||||
| // that would be silently dropped during unmarshaling. | ||||||||||||||||
| // | ||||||||||||||||
| // Parameters: | ||||||||||||||||
| // - metadata: The RNode for the metadata field | ||||||||||||||||
| // - fieldName: The name of the field to validate ("annotations" or "labels") | ||||||||||||||||
| // - fieldType: Human-readable name for error messages ("annotation" or "label") | ||||||||||||||||
| // | ||||||||||||||||
| // Returns: | ||||||||||||||||
| // - error: A descriptive error if any value is not a string, nil otherwise | ||||||||||||||||
| func validateStringMap(metadata *yaml.RNode, fieldName, fieldType string) error { | ||||||||||||||||
| field := metadata.Field(fieldName) | ||||||||||||||||
| if field == nil || field.Value == nil { | ||||||||||||||||
| return nil | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| mapNode := field.Value.YNode() | ||||||||||||||||
| if mapNode == nil { | ||||||||||||||||
| return nil | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| // Handle explicit null (e.g., annotations: null) | ||||||||||||||||
| if mapNode.Tag == yaml.NodeTagNull { | ||||||||||||||||
| return nil | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| if mapNode.Kind != yaml.MappingNode { | ||||||||||||||||
| return fmt.Errorf("metadata.%s must be a string map", fieldName) | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| for i := 0; i < len(mapNode.Content); i += 2 { | ||||||||||||||||
| keyNode := mapNode.Content[i] | ||||||||||||||||
| valueNode := mapNode.Content[i+1] | ||||||||||||||||
| if valueNode.Kind != yaml.ScalarNode || valueNode.Tag != yaml.NodeTagString { | ||||||||||||||||
| return fmt.Errorf("%s %q must be a string, got %s", fieldType, keyNode.Value, yamlTagToType(valueNode)) | ||||||||||||||||
|
There was a problem hiding this comment. I think we don't need to convert the type to more human readable, but curious about the others' opinion. Maybe separate the checks to Also, is "!!str" not available as a const from somewhere?
Contributor
Author
There was a problem hiding this comment. Hi @mozesl-nokia , indeed !!str is available as a constant in yaml.NodeTagString, I will shortly replace the other ones as well and push it |
||||||||||||||||
| } | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| return nil | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
|
There was a problem hiding this comment. This helper function is missing a documentation comment. According to Go conventions and best practices visible throughout the codebase, functions should have documentation comments that explain their purpose. Add a comment explaining that this function converts YAML type tags to human-readable type names for error messages.
Suggested change
|
||||||||||||||||
| // yamlTagToType converts a YAML node's tag to a human-readable type name | ||||||||||||||||
| // for use in error messages. | ||||||||||||||||
| // | ||||||||||||||||
| // Parameters: | ||||||||||||||||
| // - node: The YAML node to inspect | ||||||||||||||||
| // | ||||||||||||||||
| // Returns: | ||||||||||||||||
| // - string: A human-readable type name (e.g., "boolean", "integer", "number") | ||||||||||||||||
| func yamlTagToType(node *yaml.Node) string { | ||||||||||||||||
| if node.Kind != yaml.ScalarNode { | ||||||||||||||||
| return "non-scalar" | ||||||||||||||||
| } | ||||||||||||||||
| switch node.Tag { | ||||||||||||||||
| case yaml.NodeTagBool: | ||||||||||||||||
| return "boolean" | ||||||||||||||||
| case yaml.NodeTagInt: | ||||||||||||||||
| return "integer" | ||||||||||||||||
| case yaml.NodeTagFloat: | ||||||||||||||||
| return "number" | ||||||||||||||||
| case yaml.NodeTagNull: | ||||||||||||||||
| return "null" | ||||||||||||||||
| case yaml.NodeTagString: | ||||||||||||||||
| return "string" | ||||||||||||||||
| default: | ||||||||||||||||
| if node.Tag == yaml.NodeTagEmpty { | ||||||||||||||||
| return "unknown" | ||||||||||||||||
| } | ||||||||||||||||
| return node.Tag | ||||||||||||||||
| } | ||||||||||||||||
| } | ||||||||||||||||
|
|
||||||||||||||||
| const NoLocalConfigAnnoVal = "false" | ||||||||||||||||
|
|
||||||||||||||||
| // filterLocalConfig returns a new slice of Unstructured where all resources | ||||||||||||||||
|
|
||||||||||||||||
|
There was a problem hiding this comment. Should there be a test for labels here too? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
There was a problem hiding this comment. Should there be a test for labels here too? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should there be a test for labels here too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @mozesl-nokia , i will add the test for labels and commit it soon