From 7d08d1fbcdbf5801599ae0159e7f72a4fa00af96 Mon Sep 17 00:00:00 2001 From: morazow Date: Wed, 18 Mar 2026 15:57:51 +0100 Subject: [PATCH 1/3] [helm] Refactor validation warning and error checks --- helm/README.md | 25 +++++++++++++- helm/templates/NOTES.txt | 3 +- helm/templates/_security.tpl | 32 +++++++----------- helm/templates/_validate.tpl | 65 ++++++++++++++++++++++++++++++++++++ 4 files changed, 102 insertions(+), 23 deletions(-) create mode 100644 helm/templates/_validate.tpl diff --git a/helm/README.md b/helm/README.md index b0b8ab1dca..9066baaf99 100644 --- a/helm/README.md +++ b/helm/README.md @@ -28,7 +28,7 @@ For how to build your local Fluss image and use it in Minikube refer to the Refer to the [official documentation](https://fluss.apache.org/docs/next/install-deploy/deploying-with-helm/#configuration-parameters) as well for configuration values. -We use the [`helm-unittest`](https://github.com/helm-unittest/helm-unittest) plugin for testing Fluss Helm charts. +We use the [`helm-unittest`](https://github.com/helm-unittest/helm-unittest) plugin for testing Fluss Helm charts. You can run tests locally via: ```bash @@ -36,6 +36,29 @@ You can run tests locally via: docker run -ti --rm -v $(pwd):/apps helmunittest/helm-unittest . ``` +### Validation Checks + +The chart runs the validation checks at install or upgrade time using templates in `_validate.tpl` file. + +The warnings are printed to the user, but errors abort the deployment. + +To add new validations, for example for a new feature: + +1. Define `fluss..validateWarning` or `fluss..validateError` templates in the feature `_.tpl` template file. +2. Add the corresponding `include` calls to `fluss.validateWarning` or `fluss.validateError` in `_validate.tpl` template file. + +For example, for the `security` checks, include and update these methods in the `_validate.tpl` file: + +``` +{{- define "fluss.validateWarning" -}} +{{- include "fluss.security.validateWarning" . -}} +{{- end -}} + +{{- define "fluss.validateError" -}} +{{- include "fluss.security.validateError" . -}} +{{- end -}} +``` + ## Contributing Follow the [development section](#development) for local development. diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt index 7a2dfd2dd2..04f13172d5 100644 --- a/helm/templates/NOTES.txt +++ b/helm/templates/NOTES.txt @@ -20,5 +20,4 @@ CHART NAME: {{ .Chart.Name }} CHART VERSION: {{ .Chart.Version }} APP VERSION: {{ .Chart.AppVersion }} -{{ include "fluss.security.validateValues" . }} -{{ include "fluss.metrics.validateValues" . }} +{{ include "fluss.validate" . }} diff --git a/helm/templates/_security.tpl b/helm/templates/_security.tpl index 210a35746f..725ea7d511 100644 --- a/helm/templates/_security.tpl +++ b/helm/templates/_security.tpl @@ -170,33 +170,25 @@ Usage: {{- end -}} {{/* -Compile all warnings and errors into a single message. +Collects security warning messages. Usage: - include "fluss.security.validateValues" . + include "fluss.security.validateWarning" . */}} -{{- define "fluss.security.validateValues" -}} +{{- define "fluss.security.validateWarning" -}} +{{- include "fluss.security.sasl.warnInternalUser" . -}} +{{- end -}} +{{/* +Collects security error messages. +Usage: + include "fluss.security.validateError" . +*/}} +{{- define "fluss.security.validateError" -}} {{- $errMessages := list -}} {{- $errMessages = append $errMessages (include "fluss.security.sasl.validateMechanisms" .) -}} {{- $errMessages = append $errMessages (include "fluss.security.sasl.validateClientPlainUsers" .) -}} - {{- $errMessages = without $errMessages "" -}} -{{- $errMessage := join "\n" $errMessages -}} - -{{- $warnMessages := list -}} -{{- $warnMessages = append $warnMessages (include "fluss.security.sasl.warnInternalUser" .) -}} - -{{- $warnMessages = without $warnMessages "" -}} -{{- $warnMessage := join "\n" $warnMessages -}} - -{{- if $warnMessage -}} -{{- printf "\nVALUES WARNING:\n%s" $warnMessage -}} -{{- end -}} - -{{- if $errMessage -}} -{{- printf "\nVALUES VALIDATION:\n%s" $errMessage | fail -}} -{{- end -}} - +{{- join "\n" $errMessages -}} {{- end -}} {{/* diff --git a/helm/templates/_validate.tpl b/helm/templates/_validate.tpl new file mode 100644 index 0000000000..91f3ee784f --- /dev/null +++ b/helm/templates/_validate.tpl @@ -0,0 +1,65 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +{{/* +Collects all warning messages from validation methods. +Usage: + include "fluss.validateWarning" . +*/}} +{{- define "fluss.validateWarning" -}} +{{- include "fluss.security.validateWarning" . -}} +{{- end -}} + +{{/* +Collects all error messages from validation methods. +Usage: + include "fluss.validateError" . +*/}} +{{- define "fluss.validateError" -}} +{{- include "fluss.security.validateError" . -}} +{{- end -}} + +{{/* +Global validation checks entry point. +Collects all warnings and errors, prints warnings and fails on errors. +Usage: + include "fluss.validate" . +*/}} +{{- define "fluss.validate" -}} + +{{- $warnMessages := list -}} +{{- $warnMessages = append $warnMessages (include "fluss.validateWarning" .) -}} + +{{- $warnMessages = without $warnMessages "" -}} +{{- $warnMessage := join "\n" $warnMessages -}} + +{{- $errMessages := list -}} +{{- $errMessages = append $errMessages (include "fluss.validateError" .) -}} + +{{- $errMessages = without $errMessages "" -}} +{{- $errMessage := join "\n" $errMessages -}} + +{{- if $warnMessage -}} +{{- printf "\nVALUES WARNING:\n%s" $warnMessage -}} +{{- end -}} + +{{- if $errMessage -}} +{{- printf "\nVALUES VALIDATION:\n%s" $errMessage | fail -}} +{{- end -}} + +{{- end -}} From f085c8a84667d4e79abed008d3100dd79d4d54cc Mon Sep 17 00:00:00 2001 From: morazow Date: Wed, 18 Mar 2026 16:20:22 +0100 Subject: [PATCH 2/3] Add _validate.tpl tests --- helm/README.md | 12 ++++++++-- helm/templates/_validate.tpl | 16 ++++++++++---- helm/tests/validate_test.yaml | 41 +++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 6 deletions(-) create mode 100644 helm/tests/validate_test.yaml diff --git a/helm/README.md b/helm/README.md index 9066baaf99..676b4df3d7 100644 --- a/helm/README.md +++ b/helm/README.md @@ -51,11 +51,19 @@ For example, for the `security` checks, include and update these methods in the ``` {{- define "fluss.validateWarning" -}} -{{- include "fluss.security.validateWarning" . -}} +... + +{{- $messages = append $messages (include "fluss.security.validateWarning" .) -}} + +... {{- end -}} {{- define "fluss.validateError" -}} -{{- include "fluss.security.validateError" . -}} +... + +{{- $messages = append $messages (include "fluss.security.validateError" .) -}} + +... {{- end -}} ``` diff --git a/helm/templates/_validate.tpl b/helm/templates/_validate.tpl index 91f3ee784f..00b9f85988 100644 --- a/helm/templates/_validate.tpl +++ b/helm/templates/_validate.tpl @@ -22,7 +22,12 @@ Usage: include "fluss.validateWarning" . */}} {{- define "fluss.validateWarning" -}} -{{- include "fluss.security.validateWarning" . -}} +{{- $messages := list -}} + +{{- $messages = append $messages (include "fluss.security.validateWarning" .) -}} + +{{- $messages = without $messages "" -}} +{{- join "\n" $messages -}} {{- end -}} {{/* @@ -31,7 +36,12 @@ Usage: include "fluss.validateError" . */}} {{- define "fluss.validateError" -}} -{{- include "fluss.security.validateError" . -}} +{{- $messages := list -}} + +{{- $messages = append $messages (include "fluss.security.validateError" .) -}} + +{{- $messages = without $messages "" -}} +{{- join "\n" $messages -}} {{- end -}} {{/* @@ -44,13 +54,11 @@ Usage: {{- $warnMessages := list -}} {{- $warnMessages = append $warnMessages (include "fluss.validateWarning" .) -}} - {{- $warnMessages = without $warnMessages "" -}} {{- $warnMessage := join "\n" $warnMessages -}} {{- $errMessages := list -}} {{- $errMessages = append $errMessages (include "fluss.validateError" .) -}} - {{- $errMessages = without $errMessages "" -}} {{- $errMessage := join "\n" $errMessages -}} diff --git a/helm/tests/validate_test.yaml b/helm/tests/validate_test.yaml new file mode 100644 index 0000000000..2d561c56e6 --- /dev/null +++ b/helm/tests/validate_test.yaml @@ -0,0 +1,41 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +suite: validate-aggregation +templates: + - templates/NOTES.txt +tests: + - it: renders warning for auto-generated internal SASL credentials + set: + security.internal.sasl.mechanism: plain + asserts: + - matchRegexRaw: + pattern: 'VALUES WARNING:' + - matchRegexRaw: + pattern: 'AUTO-GENERATED SASL credentials' + + - it: fails with error for invalid mechanism through aggregator + set: + security.client.sasl.mechanism: bogus + asserts: + - failedTemplate: + errorMessage: "VALUES VALIDATION:\nsecurity.client.sasl.mechanism must be empty or: plain" + + - it: passes cleanly with default values + asserts: + - notFailedTemplate: {} From c0f017f54896b270fc5cfa8aea04bb9a36f17b43 Mon Sep 17 00:00:00 2001 From: morazow Date: Fri, 27 Mar 2026 14:56:33 +0100 Subject: [PATCH 3/3] Add metrics validation errors --- helm/templates/_metrics.tpl | 6 +++--- helm/templates/_validate.tpl | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/helm/templates/_metrics.tpl b/helm/templates/_metrics.tpl index ccdcd64972..0ec65e31fe 100644 --- a/helm/templates/_metrics.tpl +++ b/helm/templates/_metrics.tpl @@ -112,11 +112,11 @@ Validates that metrics.reporters is not set via configurationOverrides. {{- end -}} {{/* -Validates metrics configuration values. +Collects metrics error messages. Usage: - include "fluss.metrics.validateValues" . + include "fluss.metrics.validateError" . */}} -{{- define "fluss.metrics.validateValues" -}} +{{- define "fluss.metrics.validateError" -}} {{- $errMessages := list -}} {{- $errMessages = append $errMessages (include "fluss.metrics.validateReporterPorts" .) -}} diff --git a/helm/templates/_validate.tpl b/helm/templates/_validate.tpl index 00b9f85988..4cc5862d07 100644 --- a/helm/templates/_validate.tpl +++ b/helm/templates/_validate.tpl @@ -39,6 +39,7 @@ Usage: {{- $messages := list -}} {{- $messages = append $messages (include "fluss.security.validateError" .) -}} +{{- $messages = append $messages (include "fluss.metrics.validateError" .) -}} {{- $messages = without $messages "" -}} {{- join "\n" $messages -}}