[FEATURE_REQUEST] EnvVar ValueFrom checks #705
Description
Description of the problem/feature request
A check to detect containers referring to configmaps/secret keys that do not exist in the current release via valueFrom (v1.EnvVarSource)
Description of the existing behavior vs. expected behavior
In some of our workloads we have containers with environment variables defined as:
# [...] clipped for brevity
- name: AIRBRAKE_PROJECT_KEY
valueFrom:
secretKeyRef:
name: secrets
key: airbrake-project-key
# [...] clipped for brevity
But it has happened a couple of times that a typo in the key slips and we notice it at the very last moment when the helm release fails to complete.
Additional context
The minimum reproduceable manifest could be something like:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-deployment
namespace: example
spec:
selector:
matchLabels:
app.kubernetes.io/name: example
template:
metadata:
labels:
app.kubernetes.io/name: example
spec:
containers:
- name: example-container
image: internal.container.registry/an-image:v1
env:
- name: MY_DANGLING_ENV
valueFrom:
secretKeyRef:
name: existing-secret
key: with-a-typo # <-- notice here
---
apiVersion: v1
kind: Secret
metadata:
name: example-deployment
namespace: example
type: Opaque
data:
without-a-typo: "YmFzZTY0Li4uCg=="And the output should indicate which deployment or the container (whatever is more comfy) is referring to an unknown secret/config-map.
Currently there's no output of this, I do have a draft in a fork I can contribute to. I'm missing some tests but it sort-of works (golang is not my native speak):