Merge pull request #5388 from camilamacedo86/helm-scope

🐛 (helm/v2-alpha): Escape existing Go template syntax in generated Helm charts

Author: k8s-ci-robot

pkg/plugins/optional/helm/v2alpha/scaffolds/extras_integration_test.go

@@ -976,5 +976,133 @@ spec:
 			}
 			Expect(externalSAFound).To(BeTrue(), "external ServiceAccount file should exist")
 		})
+
+		It("should escape existing Go template syntax in CRD samples", func() {
+			// Test a CRD with Go template syntax in default values.
+			// Real-world example: gitops-promoter's ChangeTransferPolicy CRD has templates
+			// in pullRequest.template fields that should be preserved as literal text.
+			kustomizeYAML := `---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: test-project
+  name: test-project-system
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: changetransferpolicies.promoter.argoproj.io
+  namespace: test-project-system
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: test-project
+spec:
+  group: promoter.argoproj.io
+  names:
+    kind: ChangeTransferPolicy
+    listKind: ChangeTransferPolicyList
+    plural: changetransferpolicies
+    singular: changetransferpolicy
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        description: ChangeTransferPolicy is the Schema for the changetransferpolicies API
+        properties:
+          spec:
+            properties:
+              activeBranch:
+                type: string
+              pullRequest:
+                properties:
+                  template:
+                    properties:
+                      description:
+                        default: "Promoting {{ .ChangeTransferPolicy.Spec.ActiveBranch }}"
+                        type: string
+                      title:
+                        default: "Promote {{ trunc 5 .ChangeTransferPolicy.Status.Proposed.Dry.Sha }}"
+                        type: string
+                    type: object
+                type: object
+            type: object
+        type: object
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-project-controller-manager
+  namespace: test-project-system
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: test-project
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      serviceAccountName: test-project-controller-manager
+      containers:
+      - name: manager
+        image: controller:latest
+        args:
+        - --metrics-bind-address=:8443
+        - --health-probe-bind-address=:8081
+`
+
+			kustomizeFile := filepath.Join(tmpDir, "install.yaml")
+			err := os.WriteFile(kustomizeFile, []byte(kustomizeYAML), 0o600)
+			Expect(err).NotTo(HaveOccurred())
+
+			parser := kustomize.NewParser(kustomizeFile)
+			resources, err := parser.Parse()
+			Expect(err).NotTo(HaveOccurred())
+
+			converter := kustomize.NewChartConverter(resources, "test-project", "test-project", "dist")
+			err = converter.WriteChartFiles(fs)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("verifying CRD file has escaped Go template syntax")
+			crdDir := filepath.Join("dist", "chart", "templates", "crd")
+			crdPath := filepath.Join(crdDir, "changetransferpolicies.promoter.argoproj.io.yaml")
+			exists, err := afero.Exists(fs.FS, crdPath)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(exists).To(BeTrue(), "CRD file should exist")
+
+			crdContent, err := afero.ReadFile(fs.FS, crdPath)
+			Expect(err).NotTo(HaveOccurred())
+			crdStr := string(crdContent)
+
+			// Existing Go template syntax should be escaped to prevent Helm from parsing it
+			Expect(crdStr).To(ContainSubstring(`{{ "{{ .ChangeTransferPolicy.Spec.ActiveBranch }}" }}`),
+				"existing template syntax should be escaped")
+			Expect(crdStr).To(ContainSubstring(`{{ "{{ trunc 5 .ChangeTransferPolicy.Status.Proposed.Dry.Sha }}" }}`),
+				"template functions should be escaped")
+
+			// Verify we don't have unescaped template syntax that would break Helm rendering
+			// We check that all ChangeTransferPolicy references are properly wrapped in escaped strings
+			// Pattern checks for: default: "...<text>{{ .ChangeTransferPolicy" (not escaped)
+			// The properly escaped version is: default: "...{{ "{{ .ChangeTransferPolicy..." }}"
+			Expect(crdStr).NotTo(MatchRegexp(`default:\s+"[^{]*\{\{\s*\.ChangeTransferPolicy`),
+				"unescaped Go templates should not exist in default values")
+
+			// Helm templates we add should still work (not escaped)
+			Expect(crdStr).To(ContainSubstring("{{- if .Values.crd.enable }}"),
+				"Helm conditional should be present and NOT escaped")
+			Expect(crdStr).To(ContainSubstring("namespace: {{ .Release.Namespace }}"),
+				"Helm namespace template should be present and NOT escaped")
+			Expect(crdStr).To(ContainSubstring(`app.kubernetes.io/name: {{ include "test-project.name" . }}`),
+				"Helm label template should be present and NOT escaped")
+		})
 	})
 })

pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/helm_templater.go

@@ -71,6 +71,11 @@ func (t *HelmTemplater) resourceNameTemplate(suffix string) string {
 
 // ApplyHelmSubstitutions converts YAML content to use Helm template syntax
 func (t *HelmTemplater) ApplyHelmSubstitutions(yamlContent string, resource *unstructured.Unstructured) string {
+	// Escape existing Go template syntax ({{ }}) FIRST before adding Helm templates.
+	// Resources from install.yaml may contain templates that should be preserved as literal text.
+	// For example: CRD default values, ConfigMap data, Secret URLs, annotations, etc.
+	yamlContent = t.escapeExistingTemplateSyntax(yamlContent)
+
 	// Apply conditional wrappers first
 	yamlContent = t.addConditionalWrappers(yamlContent, resource)
 
@@ -116,6 +121,70 @@ func (t *HelmTemplater) ApplyHelmSubstitutions(yamlContent string, resource *uns
 	return yamlContent
 }
 
+// escapeExistingTemplateSyntax escapes Go template syntax ({{ }}) in YAML to prevent
+// Helm from parsing them. Converts existing templates to literal strings that Helm outputs as-is.
+//
+// Why this is needed:
+// Resources from install.yaml may contain {{ }} in string fields that are NOT Helm templates.
+// Without escaping, Helm will try to evaluate them and fail. For example:
+//
+//	CRD default: "Branch: {{ .Spec.Branch }}"  ->  ERROR: .Spec undefined
+//
+// How it works:
+// Wraps non-Helm templates in string literals so Helm outputs them unchanged:
+//
+//	{{ .Field }}  ->  {{ "{{ .Field }}" }}
+//
+// When Helm renders this, it outputs the literal string: {{ .Field }}
+//
+// Smart detection:
+// Only escapes templates that DON'T start with Helm keywords:
+//   - .Release, .Values, .Chart (Helm built-ins)
+//   - include, if, with, range, toYaml (Helm functions)
+//
+// This means our Helm templates work normally while existing templates are preserved.
+func (t *HelmTemplater) escapeExistingTemplateSyntax(yamlContent string) string {
+	// Find all {{ ... }} patterns (non-greedy for multiple on same line)
+	templatePattern := regexp.MustCompile(`\{\{(.*?)\}\}`)
+
+	yamlContent = templatePattern.ReplaceAllStringFunc(yamlContent, func(match string) string {
+		// Extract content between {{ and }}
+		content := strings.TrimPrefix(match, "{{")
+		content = strings.TrimSuffix(content, "}}")
+		trimmedContent := strings.TrimSpace(content)
+
+		// Check if this is a Helm template (starts with Helm keyword)
+		helmPatterns := []string{
+			"include ", "- include ",
+			".Release.", "- .Release.",
+			".Values.", "- .Values.",
+			".Chart.", "- .Chart.",
+			"toYaml ", "- toYaml ",
+			"if ", "- if ",
+			"end ", "- end ",
+			"with ", "- with ",
+			"range ", "- range ",
+			"else", "- else",
+		}
+
+		// If it's a Helm template, keep it as-is
+		for _, pattern := range helmPatterns {
+			if strings.HasPrefix(trimmedContent, pattern) {
+				return match
+			}
+		}
+
+		// Otherwise, escape it to preserve as literal text
+		// Escape any quotes inside the template content
+		escapedContent := strings.ReplaceAll(content, `"`, `\"`)
+
+		// Wrap in Helm string literal: {{ "{{...}}" }}
+		return `{{ "{{` + escapedContent + `}}" }}`
+	})
+
+	return yamlContent
+}
+
 // substituteProjectNames keeps original YAML as much as possible - only add Helm templating
 func (t *HelmTemplater) substituteProjectNames(yamlContent string, _ *unstructured.Unstructured) string {
 	return yamlContent

pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/helm_templater_test.go

@@ -714,6 +714,176 @@ spec:
 		})
 	})
 
+	Context("existing Go template syntax escaping", func() {
+		It("should escape existing Go template syntax in CRD samples", func() {
+			crdResource := &unstructured.Unstructured{}
+			crdResource.SetAPIVersion("apiextensions.k8s.io/v1")
+			crdResource.SetKind("CustomResourceDefinition")
+			crdResource.SetName("changetransferpolicies.promoter.argoproj.io")
+
+			content := `apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: changetransferpolicies.promoter.argoproj.io
+spec:
+  names:
+    kind: ChangeTransferPolicy
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              pullRequest:
+                properties:
+                  template:
+                    properties:
+                      description:
+                        default: "Promoting {{ .ChangeTransferPolicy.Spec.ActiveBranch }}"
+                        type: string
+                      title:
+                        default: "Promote {{ trunc 5 .ChangeTransferPolicy.Status.Proposed.Dry.Sha }}"
+                        type: string`
+
+			result := templater.ApplyHelmSubstitutions(content, crdResource)
+
+			// Existing {{ }} should be escaped to {{ "{{ ... }}" }}
+			Expect(result).To(ContainSubstring(`{{ "{{ .ChangeTransferPolicy.Spec.ActiveBranch }}" }}`),
+				"existing template syntax should be escaped")
+			Expect(result).To(ContainSubstring(`{{ "{{ trunc 5 .ChangeTransferPolicy.Status.Proposed.Dry.Sha }}" }}`),
+				"function calls in templates should be escaped")
+
+			// Should NOT have unescaped Go template syntax (which would break Helm)
+			// We check that all ChangeTransferPolicy references are properly wrapped
+			// Pattern checks for: default: "...<text>{{ .ChangeTransferPolicy" (not escaped)
+			// The properly escaped version is: default: "...{{ "{{ .ChangeTransferPolicy..." }}"
+			Expect(result).NotTo(MatchRegexp(`default:\s+"[^{]*\{\{\s*\.ChangeTransferPolicy`),
+				"unescaped Go templates should not exist in default values")
+		})
+
+		It("should escape multiple template expressions on the same line", func() {
+			crdResource := &unstructured.Unstructured{}
+			crdResource.SetAPIVersion("apiextensions.k8s.io/v1")
+			crdResource.SetKind("CustomResourceDefinition")
+			crdResource.SetName("policies.example.com")
+
+			content := `apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+spec:
+  versions:
+  - schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              message:
+                default: "From {{ .Source.Branch }} to {{ .Target.Branch }}"`
+
+			result := templater.ApplyHelmSubstitutions(content, crdResource)
+
+			// Both templates should be escaped (applies to all resources)
+			Expect(result).To(ContainSubstring(`{{ "{{ .Source.Branch }}" }}`))
+			Expect(result).To(ContainSubstring(`{{ "{{ .Target.Branch }}" }}`))
+		})
+
+		It("should escape templates with special characters", func() {
+			crdResource := &unstructured.Unstructured{}
+			crdResource.SetAPIVersion("apiextensions.k8s.io/v1")
+			crdResource.SetKind("CustomResourceDefinition")
+			crdResource.SetName("configs.example.com")
+
+			content := `apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+spec:
+  versions:
+  - schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              value:
+                default: "Value: {{ .Config.Key-With-Dashes }}"`
+
+			result := templater.ApplyHelmSubstitutions(content, crdResource)
+
+			Expect(result).To(ContainSubstring(`{{ "{{ .Config.Key-With-Dashes }}" }}`))
+		})
+
+		It("should handle template syntax with quotes correctly", func() {
+			crdResource := &unstructured.Unstructured{}
+			crdResource.SetAPIVersion("apiextensions.k8s.io/v1")
+			crdResource.SetKind("CustomResourceDefinition")
+			crdResource.SetName("messages.example.com")
+
+			content := `apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+spec:
+  versions:
+  - schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              template:
+                default: '{{ .Config.Message "default" }}'`
+
+			result := templater.ApplyHelmSubstitutions(content, crdResource)
+
+			// Quotes inside templates should be escaped
+			Expect(result).To(ContainSubstring(`{{ "{{ .Config.Message \"default\" }}" }}`))
+		})
+
+		It("should escape templates in ConfigMaps and other non-CRD resources", func() {
+			configMapResource := &unstructured.Unstructured{}
+			configMapResource.SetAPIVersion("v1")
+			configMapResource.SetKind("ConfigMap")
+			configMapResource.SetName("template-config")
+			configMapResource.SetNamespace("test-project-system")
+
+			// ANY resource can have Go template syntax that needs escaping
+			// Examples: ConfigMaps with notification templates, Secrets with webhook URLs,
+			// Deployment annotations with CI/CD metadata, etc.
+			content := `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: template-config
+  namespace: test-project-system
+  labels:
+    app.kubernetes.io/name: test-project
+data:
+  notification: "Deployed from {{ .Source.Branch }} to {{ .Target.Branch }}"`
+
+			result := templater.ApplyHelmSubstitutions(content, configMapResource)
+
+			// Existing templates should be escaped (applies to ALL resources, not just CRDs)
+			Expect(result).To(ContainSubstring(`{{ "{{ .Source.Branch }}" }}`))
+			Expect(result).To(ContainSubstring(`{{ "{{ .Target.Branch }}" }}`))
+
+			// Helm templates should still be added normally
+			Expect(result).To(ContainSubstring("namespace: {{ .Release.Namespace }}"))
+			Expect(result).To(ContainSubstring(`app.kubernetes.io/name: {{ include "test-project.name" . }}`))
+		})
+
+		It("should handle content without any templates", func() {
+			configMapResource := &unstructured.Unstructured{}
+			configMapResource.SetAPIVersion("v1")
+			configMapResource.SetKind("ConfigMap")
+			configMapResource.SetName("no-template")
+
+			content := `apiVersion: v1
+kind: ConfigMap
+data:
+  message: "No templates here"`
+
+			result := templater.ApplyHelmSubstitutions(content, configMapResource)
+
+			// Should not add any escaping
+			Expect(result).To(ContainSubstring(`message: "No templates here"`))
+			Expect(result).NotTo(ContainSubstring(`{{ "{{`))
+		})
+	})
+
 	Context("edge cases", func() {
 		It("should handle empty content", func() {
 			testResource := &unstructured.Unstructured{}