sse-secure-systems · annekebr · Nov 26, 2021 · Feb 11, 2022 · Feb 22, 2022 · Feb 22, 2022
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -14,5 +14,6 @@ Fixes #
 - [ ] PR follows [Contributing Guide](../docs/CONTRIBUTING.md)
 - [ ] Added tests (if necessary)
 - [ ] Extended README/Documentation (if necessary)
+- [ ] Adjusted `helm/values.schema.json` according to new changes (if `helm/values.yaml` has been touched)
 - [ ] Adjusted versions of image and Helm chart in `values.yaml` and `Chart.yaml` (if necessary)
 
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: connaisseur
 description: Helm chart for Connaisseur - a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster.
 type: application
-version: 1.2.1
+version: 1.2.2
 appVersion: 2.4.1
 keywords:
   - container image

diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -184,3 +184,71 @@ Extract Kubernetes Minor Version.
   readOnly: true
 {{- end -}}
 {{- end -}}
+{{- define "checkForAlertTemplates" -}}
+  {{ $files := .Files }}
+  {{- if .Values.alerting }}
+    {{- if .Values.alerting.admit_request }}
+      {{- if .Values.alerting.admit_request.templates }}
+        {{- range .Values.alerting.admit_request.templates }}
+          {{- $filename := .template -}}
+          {{- $file := printf "alert_payload_templates/%s.json" $filename | $files.Get }}
+          {{- if $file }}
+          {{- else }}
+            {{- fail (printf "The value of the alert template must be chosen such that <template>.json matches one of the file names in the ./alert_payload_templates directory, but there is no %s.json file in that directory or the file is empty." $filename) }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.alerting.reject_request }}
+      {{- if .Values.alerting.reject_request.templates }}
+        {{- range .Values.alerting.reject_request.templates }}
+          {{- $filename := .template -}}
+          {{- $file := printf "alert_payload_templates/%s.json" $filename | $files.Get }}
+          {{- if $file }}
+          {{- else }}
+            {{- fail (printf "The value of the alert template must be chosen such that <template>.json matches one of the file names in the ./alert_payload_templates directory, but there is no %s.json file in that directory or the file is empty." $filename) }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{- define "validatePolicy" -}}
+  {{- $validatornames := list }}
+  {{ range .Values.validators }}
+    {{- $validator := deepCopy . }}
+    {{ $validatornames = append $validatornames $validator.name }}
+  {{- end }}
+  {{- range .Values.policy }}
+    {{- $policy := deepCopy . -}}
+    {{- if $policy.validator }}
+      {{- if has $policy.validator $validatornames }}
+      {{- else }}
+        {{- fail (printf "Validator %s has not been defined and cannot be used in a policy." $policy.validator)}}
+      {{- end }}
+      {{- $validtrustroots := list }}
+      {{ range $.Values.validators }}
+        {{- $validator := deepCopy .}}
+        {{- if eq $validator.name $policy.validator}}
+          {{range $validator.trust_roots }}
+            {{ $trustroot := deepCopy .}}
+            {{- $validtrustroots = append $validtrustroots $trustroot.name }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+      {{- if $policy.with }}
+        {{- if has $policy.with.trust_root $validtrustroots }}
+        {{- else if eq $policy.with.trust_root "default" }}
+        {{- else }}
+          {{- fail (printf "Validator %s has no %s trust root defined." $policy.validator $policy.with.trust_root)}}
+        {{- end }}
+      {{- end}}
+    {{- else }}
+      {{- if has "default" $validatornames }}
+      {{- else }}
+        {{- fail (printf "Policy for images matching '%s' has no explicit validator defined such that the validator named 'default' is going to be used, but there is no validator named 'default' defined." $policy.pattern)}}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/helm/templates/alertconfig.yaml b/helm/templates/alertconfig.yaml
@@ -1,3 +1,5 @@
+{{ include "checkForAlertTemplates" . }}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -28,4 +30,4 @@ stringData:
   {{- if .Values.alerting}}
   alertconfig.json: |
     {{ mustToJson .Values.alerting | nindent 4 }}
-  {{- end }}
+  {{- end }}
diff --git a/helm/templates/config.yaml b/helm/templates/config.yaml
@@ -1,3 +1,5 @@
+{{ include "validatePolicy" . }}
+
 apiVersion: v1
 kind: ConfigMap
 metadata: