lib/resourcemerge/core: Clear env and envFrom if unset in manifest
Even if the manifest authors state no opinions, these are not
properties that we want to allow cluster admins to manipulate.  For
example, a customer cluster recently stuck a Deployment by inserting a
reference to a non-existent secret [1]:

  $ yaml2json <namespaces/openshift-marketplace/apps/deployments.yaml | jq -r '.items[].spec.template.spec.containers[].envFrom[]'
  {
    "secretRef": {
      "name": "openshift-reg"
    }
  }
  $ yaml2json <namespaces/openshift-marketplace/pods/marketplace-operator-f7cc88d59-hhh75/marketplace-operator-f7cc88d59-hhh75.yaml | jq -r '.status.containerStatuses[].state'
  {
    "waiting": {
      "message": "secret \"openshift-reg\" not found",
      "reason": "CreateContainerConfigError"
    }
  }

The outgoing logic dates back to the beginning of reconciling these
properties in 14fab0b (add generic 2-way merge handler for random
types, 2018-09-27, openshift#26), and this commit's tightening follows on a
number of reconciliation tightenings like 29b92d2
(lib/resourcemerge/core: Clear livenessProbe and readinessProbe if nil
in required, 2020-01-16, openshift#298).

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1951339#c0
wking committed Apr 20, 2021
1 parent 8132d6a commit 02bb9ba
Showing 1 changed file with 0 additions and 6 deletions.
6 changes: 0 additions & 6 deletions lib/resourcemerge/core.go
Expand Up @@ -141,19 +141,13 @@ func ensureContainer(modified *bool, existing *corev1.Container, required corev1
}

func ensureEnvVar(modified *bool, existing *[]corev1.EnvVar, required []corev1.EnvVar) {
if required == nil {
return
}
if !equality.Semantic.DeepEqual(required, *existing) {
*existing = required
*modified = true
}
}

func ensureEnvFromSource(modified *bool, existing *[]corev1.EnvFromSource, required []corev1.EnvFromSource) {
if required == nil {
return
}
if !equality.Semantic.DeepEqual(required, *existing) {
*existing = required
*modified = true
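Review bot: The removal of the `if required == nil { return }` guards in ensureEnvVar and ensureEnvFromSource lands with no test change (one file, 0 additions, 6 deletions), so nothing pins the new clearing behaviour. With the guards gone, a nil `required` reaches the `equality.Semantic.DeepEqual(required, *existing)` comparison, and `*existing = required` wipes whatever env or envFrom entries are on the in-cluster container. Please add cases to the package's tests for both functions: one where `required` is nil and `existing` holds an entry such as the `secretRef` from the bug report, asserting that `*existing` ends up empty and `*modified` is true, and one where `required` is nil and `existing` is an empty non-nil slice, asserting that `*modified` stays false. The second case matters because a spurious `modified` on every sync would cause repeated updates; apimachinery's semantic equality treats nil and empty slices as equal, so it should pass, but it is worth locking in. A one-line doc comment on each function stating that an unset manifest value now clears the in-cluster value would also help, since that is the opposite of what these functions did before.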