Merge pull request #600 from deric/nodename

chelnak · web-flow · commit a8a9343825d3 · 2022-12-12T12:27:35.000Z
Stronger type checking for $node_name
diff --git a/manifests/cluster_roles.pp b/manifests/cluster_roles.pp
@@ -3,7 +3,7 @@
 class kubernetes::cluster_roles (
   Optional[Boolean] $controller = $kubernetes::controller,
   Optional[Boolean] $worker = $kubernetes::worker,
-  String $node_name = $kubernetes::node_name,
+  Stdlib::Fqdn $node_name = $kubernetes::node_name,
   String $container_runtime = $kubernetes::container_runtime,
   Optional[String] $join_discovery_file = $kubernetes::join_discovery_file,
   Optional[Array] $ignore_preflight_errors = $kubernetes::ignore_preflight_errors,
diff --git a/manifests/config/kubeadm.pp b/manifests/config/kubeadm.pp
@@ -49,7 +49,7 @@
   Optional[Array] $scheduler_extra_arguments = $kubernetes::scheduler_extra_arguments,
   Optional[Array] $kubelet_extra_arguments = $kubernetes::kubelet_extra_arguments,
   String $service_cidr = $kubernetes::service_cidr,
-  String $node_name = $kubernetes::node_name,
+  Stdlib::Fqdn $node_name = $kubernetes::node_name,
   Optional[String] $cloud_provider = $kubernetes::cloud_provider,
   Optional[String] $cloud_config = $kubernetes::cloud_config,
   Optional[Hash] $apiserver_extra_volumes = $kubernetes::apiserver_extra_volumes,
diff --git a/manifests/config/worker.pp b/manifests/config/worker.pp
@@ -1,6 +1,6 @@
 # Class kubernetes config_worker, populates worker config files with joinconfig
 class kubernetes::config::worker (
-  String $node_name                        = $kubernetes::node_name,
+  Stdlib::Fqdn $node_name                  = $kubernetes::node_name,
   String $config_file                      = $kubernetes::config_file,
   String $kubernetes_version               = $kubernetes::kubernetes_version,
   String $kubernetes_cluster_name          = $kubernetes::kubernetes_cluster_name,
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -643,7 +643,7 @@
   Array $controllermanager_extra_arguments                = [],
   Array $scheduler_extra_arguments                        = [],
   String $service_cidr                                    = '10.96.0.0/12',
-  Optional[String] $node_label                            = undef,
+  Optional[Stdlib::Fqdn] $node_label                      = undef,
   Optional[String] $controller_address                    = undef,
   Optional[String] $cloud_provider                        = undef,
   Optional[String] $cloud_config                          = undef,
diff --git a/manifests/kube_addons.pp b/manifests/kube_addons.pp
@@ -12,7 +12,7 @@
   String $kubernetes_version                = $kubernetes::kubernetes_version,
   Boolean $controller                       = $kubernetes::controller,
   Optional[Boolean] $schedule_on_controller = $kubernetes::schedule_on_controller,
-  String $node_name                         = $kubernetes::node_name,
+  Stdlib::Fqdn $node_name                   = $kubernetes::node_name,
   Array $path                               = $kubernetes::default_path,
   Optional[Array] $env                      = $kubernetes::environment,
 ) {
@@ -90,10 +90,6 @@
     }
   }
 
-  if $node_name !~ /^[a-zA-Z0-9]([a-zA-Z0-9\-\.]{0,251}[a-zA-Z0-9])?$/ {
-    fail("Invalid node name: ${node_name}")
-  }
-
   if $schedule_on_controller {
     $schedule_command = ['kubectl', 'taint', 'nodes', $node_name, 'node-role.kubernetes.io/master-']
     $schedule_onlyif = "kubectl describe nodes ${node_name} | tr -s ' ' | grep 'Taints: node-role.kubernetes.io/master:NoSchedule'"
diff --git a/manifests/kubeadm_init.pp b/manifests/kubeadm_init.pp
@@ -1,6 +1,6 @@
 # == kubernetes::kubeadm_init
 define kubernetes::kubeadm_init (
-  String $node_name                             = $kubernetes::node_name,
+  Stdlib::Fqdn $node_name                       = $kubernetes::node_name,
   Optional[String] $config                      = $kubernetes::config_file,
   Boolean $dry_run                              = false,
   Array $path                                   = $kubernetes::default_path,
diff --git a/manifests/kubeadm_join.pp b/manifests/kubeadm_join.pp
@@ -1,6 +1,6 @@
 # == kubernetes::kubeadm_join
 define kubernetes::kubeadm_join (
-  String $node_name                        = $kubernetes::node_name,
+  Stdlib::Fqdn $node_name                  = $kubernetes::node_name,
   String $kubernetes_version               = $kubernetes::kubernetes_version,
   String $config                           = $kubernetes::config_file,
   String $controller_address               = $kubernetes::controller_address,
diff --git a/metadata.json b/metadata.json
@@ -10,7 +10,7 @@
   "dependencies": [
     {
       "name": "puppetlabs-stdlib",
-      "version_requirement": ">= 4.20.0 < 9.0.0"
+      "version_requirement": ">= 4.25.0 < 9.0.0"
     },
     {
       "name": "puppetlabs-apt",
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -89,6 +89,15 @@
 
         it { is_expected.to_not contain_notify('aws_name_override') }
       end
+
+      context 'with invalid node_label should not allow code injection' do
+        let(:params) do {
+          worker: true,
+          node_label: 'hostname;rm -rf /',
+        } end
+
+        it { is_expected.to raise_error(/Evaluation Error: Error while evaluating/) }
+      end
     end
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`"dependencies": [`
`11`	`11`	`{`
`12`	`12`	`"name": "puppetlabs-stdlib",`
`13`		`- "version_requirement": ">= 4.20.0 < 9.0.0"`
	`13`	`+ "version_requirement": ">= 4.25.0 < 9.0.0"`
`14`	`14`	`},`
`15`	`15`	`{`
`16`	`16`	`"name": "puppetlabs-apt",`