Add conditional set-me in config (#1980)

Author: Ajarmar

bin/common.bash

@@ -344,24 +344,48 @@ validate_version() {
 #       future.
 validate_config() {
     log_info "Validating $1 config"
+
+    check_conditionals() {
+        merged_config="${1}"
+        template_config="${2}"
+
+        # Loop all lines in ${template_config} and checks if same option has conditional set-me in ${merged_config}
+        options="$(yq_read_block "${template_config}" "set-me-if-*")"
+        for opt in ${options}; do
+            opt_value="$(yq4 "${opt}" "${merged_config}")"
+            opt_value_no_list="$(yq4 "[.] | flatten | .[0]" <<< "${opt_value}")"
+
+            if [[ "${opt_value_no_list}" =~ ^set-me-if-.*$ ]]; then
+                required_condition="$(sed -rn 's/^set-me-if-(.*)/\1/p' <<< "${opt_value_no_list}")"
+                if [[ "$(yq4 "${required_condition}" "${merged_config}")" == "true" ]]; then
+                    # If the option is a list, set the first element in the list
+                    if [[ "$(yq4 "${opt} | tag" "${merged_config}")" == "!!seq" ]]; then
+                        yq4 "${opt}[0] = \"set-me\"" -i "${merged_config}"
+                        yq4 "${opt}[0] = \"set-me\"" -i "${template_config}"
+                        log_info "Set-me condition matched for ${opt}"
+                    else
+                        yq4 "${opt} = \"set-me\"" -i "${merged_config}"
+                        yq4 "${opt} = \"set-me\"" -i "${template_config}"
+                        log_info "Set-me condition matched for ${opt}"
+                    fi
+                fi
+            fi
+        done
+    }
+
     validate() {
         merged_config="${1}"
         template_config="${2}"
 
         # Loop all lines in ${template_config} and warns if same option is not available in ${merged_config}
         options=$(yq_read_block "${template_config}" "set-me")
-        maybe_exit="false"
         for opt in ${options}; do
             compare=$(diff <(yq4 -oj "${opt}" "${template_config}") <(yq4 -oj "${opt}" "${merged_config}") || true)
             if [[ -z "${compare}" ]]; then
                 log_warning "WARN: ${opt} is not set in config"
                 maybe_exit="true"
             fi
         done
-
-        if ${maybe_exit} && ! ${CK8S_AUTO_APPROVE}; then
-            ask_abort
-        fi
     }
 
     schema_validate() {
@@ -376,46 +400,50 @@ validate_config() {
             sed -r 's/^.*_(..-config\.yaml): fail: (.*)/\1: \2/; / failed validation$/q' < "${schema_validation_result}"
             grep -oP '(?<=fail: )[^:]+' "${schema_validation_result}" | sort -u |
             while read -r jpath; do
-              echo -n ".$jpath = "
-              yq4 -oj ".$jpath" "${merged_config}"
+              if [[ $jpath != "(root)" ]]; then
+                echo -n ".$jpath = "
+                yq4 -oj ".$jpath" "${merged_config}"
+              fi
             done
             maybe_exit="true"
         fi
-
-        if ${maybe_exit} && ! ${CK8S_AUTO_APPROVE}; then
-            ask_abort
-        fi
     }
 
     template_file=$(mktemp --suffix="-tpl.yaml")
     append_trap "rm ${template_file}" EXIT
 
+    maybe_exit="false"
     if [[ $1 == "sc" ]]; then
         check_config "${config_template_path}/common-config.yaml" \
             "${config_template_path}/sc-config.yaml" \
             "${config_template_path}/secrets.yaml"
         yq_merge "${config_template_path}/common-config.yaml" \
             "${config_template_path}/sc-config.yaml" \
             > "${template_file}"
-        validate "${config[config_file_sc]}" "${template_file}"
-        schema_validate "${config[config_file_sc]}" "${config_template_path}/schemas/config.yaml"
-        validate "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
-        schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
+        config_to_validate="${config[config_file_sc]}"
     elif [[ $1 == "wc" ]]; then
         check_config "${config_template_path}/common-config.yaml" \
             "${config_template_path}/wc-config.yaml" \
             "${config_template_path}/secrets.yaml"
         yq_merge "${config_template_path}/common-config.yaml" \
             "${config_template_path}/wc-config.yaml" \
             > "${template_file}"
-        validate "${config[config_file_wc]}" "${template_file}"
-        schema_validate "${config[config_file_wc]}" "${config_template_path}/schemas/config.yaml"
-        validate "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
-        schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
+        config_to_validate="${config[config_file_wc]}"
     else
         log_error "ERROR: usage validate_config <sc|wc>"
         exit 1
     fi
+
+    check_conditionals "${config_to_validate}" "${template_file}"
+    validate "${config_to_validate}" "${template_file}"
+    schema_validate "${config_to_validate}" "${config_template_path}/schemas/config.yaml"
+    check_conditionals "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
+    validate "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
+    schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
+
+    if ${maybe_exit} && ! ${CK8S_AUTO_APPROVE}; then
+        ask_abort
+    fi
 }
 
 validate_sops_config() {

bin/init.bash

@@ -86,18 +86,6 @@ generate_sops_config() {
     sops_config_write_fingerprints "${fingerprint}"
 }
 
-# Only writes value if it is set to "set-me*"
-# Usage: replace_set_me <file> <field> <value>
-replace_set_me(){
-    if [[ $# -ne 3 ]]; then
-        log_error "ERROR: number of args in replace_set_me must be 3. #=[$#]"
-        exit 1
-    fi
-    if [[ $(yq4 "${2}" "${1}") =~ ^set-me.* ]]; then
-        yq4 --inplace "${2} = ${3}" "${1}"
-    fi
-}
-
 # Usage: generate_default_config <default_config>
 generate_default_config() {
     if [[ $# -ne 1 ]]; then

config/common-config.yaml

@@ -583,11 +583,11 @@ ingressNginx:
 
       ## Type of service.
       ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
-      type: set-me
+      type: set-me-if-(.ingressNginx.controller.service.enabled)
 
       ## Annotations to add to service
       ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-      annotations: set-me
+      annotations: set-me-if-(.ingressNginx.controller.service.enabled)
 
       ## Enable node port allocation
       ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
@@ -670,7 +670,7 @@ issuers:
     enabled: true
     prod:
       ## Mail through which letsencrypt can contact you.
-      email: set-me
+      email: set-me-if-(.issuers.letsencrypt.enabled)
       ## Solvers, sets a default http01 when empty.
       solvers: []
       # - selector:
@@ -687,7 +687,7 @@ issuers:
       #         key: secretKey
     staging:
       ## Mail through which letsencrypt can contact you.
-      email: set-me
+      email: set-me-if-(.issuers.letsencrypt.enabled)
       ## Solvers, sets a default http01 when empty.
       solvers: []
 
@@ -1026,14 +1026,14 @@ networkPolicies:
     ingressUsingHostNetwork: set-me
     trivy:
       ips:
-        - set-me
+        - set-me-if-(.trivy.enabled)
       port: 443
 
   kured:
     enabled: true
     notificationSlack:
       ips:
-        - set-me-if-kured.notification.slack.enabled
+        - set-me-if-(.kured.enabled and .kured.notification.slack.enabled)
       ports:
         - 443
 
@@ -1045,7 +1045,7 @@ networkPolicies:
     # letsencrypt ip addresses
     letsencrypt:
       ips:
-        - set-me
+        - set-me-if-(.networkPolicies.certManager.enabled)
     # Configure this if DNS-01 challenges are enabled in cert-manager
     dns01:
       ips: []
@@ -1055,20 +1055,20 @@ networkPolicies:
     ingressOverride:
       enabled: set-me
       ips:
-        - set-me-if-enabled
+        - set-me-if-(.networkPolicies.ingressNginx.ingressOverride.enabled)
 
   falco:
     enabled: true
     plugins:
       ips:
-        - set-me
+        - set-me-if-(.falco.enabled and .networkPolicies.falco.enabled)
       ports:
         - 443
 
   externalDns:
     enabled: false
     ips:
-      - set-me-if-externalDns.enabled
+      - set-me-if-(.externalDns.enabled and .networkPolicies.externalDns.enabled)
     ports:
       - 443
 
@@ -1093,9 +1093,10 @@ networkPolicies:
     enabled: true
     externalDns:
       ips:
-        - set-me
+        - set-me-if-(.networkPolicies.coredns.enabled)
     serviceIp:
-      ips: set-me
+      ips:
+        - set-me-if-(.networkPolicies.coredns.enabled)
 
   dnsAutoscaler:
     enabled: true
@@ -1133,7 +1134,7 @@ externalDns:
   # Example: https://kubernetes-sigs.github.io/external-dns/v0.14.1/tutorials/aws/
   enabled: false
   provider: aws
-  txtOwnerId: set-me-if-externalDns.enabled
+  txtOwnerId: set-me-if-(.externalDns.enabled)
   sources:
     crd: false
     ingress: true

config/flavors/prod/sc-config.yaml

@@ -5,7 +5,6 @@ alerts:
   alertTo: opsgenie
   opsGenieHeartbeat:
     enabled: true
-    name: set-me
 
 prometheus:
   retention:

config/providers/baremetal/common-config.yaml

@@ -9,8 +9,6 @@ ingressNginx:
     useHostPort: true
     service:
       enabled: false
-      type: set-me-if-ingressNginx.controller.service.enabled
-      annotations: set-me-if-ingressNginx.controller.service.enabled
       allocateLoadBalancerNodePorts: true
 networkPolicies:
   global:

config/providers/exoscale/common-config.yaml

@@ -14,8 +14,6 @@ ingressNginx:
     service:
       enabled: false
       allocateLoadBalancerNodePorts: true
-      type: set-me-if-ingressNginx.controller.service.enabled
-      annotations: set-me-if-ingressNginx.controller.service.enabled
 networkPolicies:
   global:
     externalLoadBalancer: true

config/providers/safespring/common-config.yaml

@@ -36,8 +36,6 @@ ingressNginx:
     service:
       enabled: false
       allocateLoadBalancerNodePorts: true
-      type: set-me-if-ingressNginx.controller.service.enabled
-      annotations: set-me-if-ingressNginx.controller.service.enabled
 externalTrafficPolicy:
   local: false
 opa:

config/providers/upcloud/common-config.yaml

@@ -32,8 +32,6 @@ ingressNginx:
     service:
       enabled: false
       allocateLoadBalancerNodePorts: true
-      type: set-me-if-ingressNginx.controller.service.enabled
-      annotations: set-me-if-ingressNginx.controller.service.enabled
 externalTrafficPolicy:
   local: false
 opa:

config/sc-config.yaml

@@ -1097,9 +1097,9 @@ alerts:
   opsGenieHeartbeat:
     enabled: false
     url: https://api.eu.opsgenie.com/v2/heartbeats
-    name: set-me-if-enabled
+    name: set-me-if-(.alerts.opsGenieHeartbeat.enabled)
   slack:
-    channel: set-me-if-enabled
+    channel: set-me-if-(.alerts.alertTo == "slack")
     # Alertmanager templating: https://prometheus.io/docs/alerting/notifications/
     customTemplate: {}
     ## Example:
@@ -1182,7 +1182,7 @@ networkPolicies:
   global:
     objectStorageSwift:
       ips:
-        - "set-me-if-enabled"
+        - set-me-if-(.harbor.persistence.type == "swift" or .thanos.objectStorage.type == "swift")
       ports:
         - 5000
     scApiserver:
@@ -1199,12 +1199,12 @@ networkPolicies:
     # For replication, added to core and jobservice
     registries:
       ips:
-        - "set-me"
+        - set-me-if-(.harbor.enabled and .networkPolicies.harbor.enabled)
       ports:
         - 443
     jobservice:
       ips:
-        - "set-me"
+        - set-me-if-(.harbor.enabled and .networkPolicies.harbor.enabled)
       ports:
         - 443
     database:
@@ -1244,7 +1244,7 @@ networkPolicies:
     trivy:
       # IP to trivy vulnerability database
       ips:
-        - "set-me"
+        - set-me-if-(.harbor.enabled and .networkPolicies.harbor.enabled)
       ports:
         - 443
   monitoring:
@@ -1254,9 +1254,9 @@ networkPolicies:
       externalDataSources:
         enabled: false
         ips:
-          - "set-me-if-externalDataSources.enabled"
+          - set-me-if-(.networkPolicies.monitoring.enabled and .networkPolicies.monitoring.grafana.externalDataSources.enabled)
         ports:
-          - "set-me-if-externalDataSources.enabled"
+          - set-me-if-(.networkPolicies.monitoring.enabled and .networkPolicies.monitoring.grafana.externalDataSources.enabled)
       # loading dashboards from grafana website
       externalDashboardProvider:
         ips:
@@ -1270,7 +1270,7 @@ networkPolicies:
     enabled: true
     plugins:
       ips:
-        - "set-me"
+        - set-me-if-(.networkPolicies.opensearch.enabled)
       ports:
         - 443
 
@@ -1283,20 +1283,19 @@ networkPolicies:
     sync:
       objectStorage:
         ips:
-          - set-me-if-objectStorage.sync.enabled
+          - set-me-if-(.objectStorage.sync.enabled and .objectStorage.type == "s3")
         ports:
           - 443
       objectStorageSwift:
         ips:
-          - set-me-if-objectStorage.sync.enabled-and-any-target-use-swift-as-destination
+          - set-me-if-(.objectStorage.sync.enabled and (.harbor.persistence.type == "swift" or .thanos.objectStorage.type == "swift"))
         ports:
           - 5000
       secondaryUrl:
         ips:
-          - set-me-if-objectStorage.sync.secondaryUrl-has-an-url
+          - set-me-if-(.objectStorage.sync.secondaryUrl != null and .objectStorage.sync.secondaryUrl != "")
         ports:
           - 443
-
   s3Exporter:
     enabled: true
 
@@ -1313,7 +1312,7 @@ networkPolicies:
     # Ip to connector, e.g. Google, LDAP, ...
     connectors:
       ips:
-        - "set-me"
+        - set-me-if-(.networkPolicies.dex.enabled)
       ports:
         - 443