From 35ac5a1acb34240c4187be59acda8cb6e2f26d69 Mon Sep 17 00:00:00 2001
From: Asad Iqbal
Date: Mon, 18 May 2026 18:46:23 +0500
Subject: [PATCH] fix: nil-guard ingestionAuthz access for --reuse-values upgrade path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#123's ingestion-authz ConfigMap template did unguarded nested access:

    {{- range .Values.ingestionAuthz.allowed }}

This crashes with "nil pointer evaluating interface {}.allowed" when
`.Values.ingestionAuthz` is absent — which is exactly what
`helm upgrade --reuse-values` produces against a pre-#123 release. The
stored values from the previous deploy don't have the key, and
`--reuse-values` doesn't pick up new chart defaults, so the upgrade
fails before any of the new resources are created.

A real user hit this immediately after #123 merged:

    Error: UPGRADE FAILED: template: client/templates/
    ingestion-authz-configmap.yaml:20:21: executing "..." at
    <.Values.ingestionAuthz.allowed>: nil pointer evaluating
    interface {}.allowed

Fix: collapse the missing-parent and missing-child cases to an empty
list with `default dict` + `default list`. The rendered ConfigMap
becomes `allowed:` (empty), which the authz policy parser treats as
"no SAs authorized" — fail-safe, matches the intent of "operator
hasn't configured this yet".

The recommended `helm upgrade` recipe is still
`--reset-then-reuse-values` (picks up new defaults including the
non-empty `ingestionAuthz.allowed` default), but the template no
longer requires that — it renders correctly under either path.

Verified
────────
- helm template renders cleanly with default values (full policy),
  with `--set ingestionAuthz=null` (empty allowed list), and with
  `--set ingestionAuthz.allowed=null` (same).
- helm unittest client/: 116/116 pass, no snapshot changes.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 client/templates/ingestion-authz-configmap.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/client/templates/ingestion-authz-configmap.yaml b/client/templates/ingestion-authz-configmap.yaml index f5a6dc4..f8a1e74 100644 --- a/client/templates/ingestion-authz-configmap.yaml +++ b/client/templates/ingestion-authz-configmap.yaml @@ -17,7 +17,17 @@ metadata: data: ingestion-authz.yaml: | allowed: - {{- range .Values.ingestionAuthz.allowed }} + {{- /* + Nil-guarded chain: an upgrade with `--reuse-values` from a + pre-#123 release won't have `.Values.ingestionAuthz` in its + stored values, and an unguarded `.Values.ingestionAuthz.allowed` + crashes with "nil pointer evaluating interface {}.allowed". + `default dict` + `default list` collapse the missing parent / + missing child to an empty list, which renders as `allowed: []` + — fail-safe (the authz policy then denies every caller, which + is correct: there's no policy until the operator sets one). + */ -}} + {{- range default list (default dict .Values.ingestionAuthz).allowed }} - service_account: {{ .service_account | quote }} namespace: {{ .namespace | default $.Release.Namespace | quote }} table_prefixes:
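Review bot: The new template comment says the missing-parent case "renders as `allowed: []`", but the `range` over an empty list emits nothing after the literal `allowed:` line, so the output is a bare `allowed:` key (as the commit message itself states), which YAML reads as null rather than an empty sequence. The deny-all behaviour therefore rests on the authz policy parser treating a null `allowed` the same as an empty list, and nothing in this change pins that down. Please correct the comment to match the actual render, and consider emitting an explicit `[]` when the guarded list is empty so the fail-safe does not depend on null handling in the consumer. The diffstat also shows only the template changed and the message reports "no snapshot changes", so the `ingestionAuthz=null` and `ingestionAuthz.allowed=null` renders were checked by hand only; a helm unittest case for each would keep this upgrade path from regressing.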