feat(ops): add install preflight and secret validation hardening#72
Open
anchapin wants to merge 2 commits into
Open
feat(ops): add install preflight and secret validation hardening#72anchapin wants to merge 2 commits into
anchapin wants to merge 2 commits into
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update install-dry-run.sh: fix storageClass assertion (cinder-csi -> csi-cinder); add expected-failure test for unset provider.name - Add scripts/safe-delete-volumes.sh for safely deleting PVCs with guard checks Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR introduces install-time guardrails and preflight validation for application secrets, and adds an operational reliability script intended to help diagnose/recover stuck workloads.
Changes:
- Added a Kubernetes Secret validator script and integrated it into the install flow.
- Added a Helm template for creating/validating an app Secret (
secrets.create/secrets.existingSecret). - Added operational scripts for reliability checks/recovery and (separately) OpenStack volume deletion.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 16 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/validate-app-secret.sh | New kubectl-based validator for required Secret keys/values. |
| scripts/install.sh | Adds provider/secret-mode handling and preflight validation before Helm install/upgrade. |
| scripts/install-dry-run.sh | Adds a chart render “matrix” script plus mock-based checks for install/secret handling. |
| openstudio-server/templates/secrets/app-secrets.yaml | New Secret template with optional existing-secret validation via lookup. |
| scripts/openstudio-reliability | New operational tooling for checks/snapshots/Helm reconcile/stuck-job recovery. |
| scripts/safe-delete-volumes.sh | New OpenStack volume cleanup helper (appears unrelated to stated PR scope). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+51
to
+52
| HELM_ARGS+=(--namespace "${NAMESPACE}" --create-namespace) | ||
| HELM_ARGS+=(--set "global.provider.name=${PROVIDER}") |
Comment on lines
+95
to
+98
| redis: | ||
| password: '$(yaml_single_quote "${REDIS_PASSWORD}")' | ||
| web: | ||
| secret_key_value: '$(yaml_single_quote "${WEB_SECRET_KEY}")' |
Comment on lines
+72
to
+76
| HELM_ARGS+=( | ||
| --set "secrets.existingSecret=${EXISTING_SECRET_NAME}" | ||
| --set "secrets.create=false" | ||
| --set "secrets.validateExistingSecret=true" | ||
| ) |
Comment on lines
+58
to
+71
| decode_base64() { | ||
| local input="$1" | ||
| if decoded=$(printf '%s' "$input" | base64 --decode 2>/dev/null); then | ||
| printf '%s' "$decoded" | ||
| return 0 | ||
| fi | ||
|
|
||
| if decoded=$(printf '%s' "$input" | base64 -D 2>/dev/null); then | ||
| printf '%s' "$decoded" | ||
| return 0 | ||
| fi | ||
|
|
||
| return 1 | ||
| } |
Comment on lines
+61
to
+65
| stringData: | ||
| {{ $dbUsernameKey }}: {{ required "db.username must be set to a non-empty value when secrets.create=true" .Values.db.username | quote }} | ||
| {{ $dbPasswordKey }}: {{ required "db.password must be set to a non-empty value when secrets.create=true" .Values.db.password | quote }} | ||
| {{ $redisPasswordKey }}: {{ required "redis.password must be set to a non-empty value when secrets.create=true" .Values.redis.password | quote }} | ||
| {{ $webSecretKey }}: {{ required "web.secret_key_value must be set to a non-empty value when secrets.create=true" .Values.web.secret_key_value | quote }} |
Comment on lines
+114
to
+118
| if ! helm template openstudio-server "${CHART_DIR}" \ | ||
| --set global.provider.name=aws \ | ||
| --set secrets.validateExistingSecret=false \ | ||
| --set redis.url='redis://:pa%40ss@custom-redis:6380/0' \ | ||
| | grep -q 'value: "redis://:pa%40ss@custom-redis:6380/0"'; then |
Comment on lines
+1
to
+6
| #!/bin/bash | ||
|
|
||
| # safe-delete-volumes.sh | ||
| # A script to safely delete OpenStack volumes after running diagnostics. | ||
| # Usage: ./safe-delete-volumes.sh | ||
| # Requirements: OpenStack CLI, jq |
Comment on lines
+20
to
+23
| SECRET_MODE="${SECRET_MODE:-existing}" | ||
| EXISTING_SECRET_NAME="${EXISTING_SECRET_NAME:-openstudio-app-secrets}" | ||
| SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" | ||
| SECRET_VALIDATOR="${SCRIPT_DIR}/validate-app-secret.sh" |
Comment on lines
+13
to
+15
| helm template openstudio-server "${CHART_DIR}" -f "${ROOT_DIR}/openstack/values-openstack.yaml" --set secrets.validateExistingSecret=false >/dev/null | ||
| helm template openstudio-server "${CHART_DIR}" -f "${ROOT_DIR}/openstack/values-openstack-nfs.yaml" --set secrets.validateExistingSecret=false >/dev/null | ||
| helm template openstudio-server "${CHART_DIR}" -f "${ROOT_DIR}/openstack/values-openstack-nfs-small.yaml" --set secrets.validateExistingSecret=false >/dev/null |
Comment on lines
+36
to
+43
| run_diagnostics() { | ||
| echo "Running diagnostics..." | ||
| if [[ -z "${KUBERNETES_CLUSTER:-}" ]]; then | ||
| echo "Kubernetes cluster is unavailable. Skipping diagnostics." | ||
| return | ||
| fi | ||
| ./diagnose-volumes.sh | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR isolates install-time guardrails and secret preflight validation logic.
Scope
scripts/install.shscripts/install-dry-run.shscripts/openstudio-reliabilityscripts/validate-app-secret.shopenstudio-server/templates/secrets/app-secrets.yamlWhy split
Keeps secret/install safety changes independent from broader Helm runtime/provider template refactors.