diff --git a/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl b/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl index 9d65bcc0..cd8e5d99 100644 --- a/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl +++ b/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl @@ -39,12 +39,12 @@ command: # If no empty lastSync is found, break the loop if [ -z "$empty_syncs" ]; then - echo "No replicationDestinations with empty last-sync found in namespace '$NAMESPACE'." + echo "No replicationDestinations with empty last-sync found in namespace [{{ .Release.Namespace }}]." break fi # Print the names of replicationDestinations with empty lastSync - echo "Found replicationDestinations with empty last-sync in namespace '$NAMESPACE':" + echo "Found replicationDestinations with empty last-sync in namespace [{{ .Release.Namespace }}]:" echo "$empty_syncs" # Optionally: Add a sleep interval to avoid excessive looping @@ -54,15 +54,11 @@ command: {{- end -}} {{- define "tc.v1.common.dependencies.volsync.waitrbac" -}} - {{- $primarypresent := false -}} - {{- range .values.rbac -}} {{/* FIXME: enabled could be a tpl. */}} - {{- if and .enabled .primary -}} - {{- $primarypresent = true -}} - {{- end -}} - {{- end }} + + {{- $result := include "tc.v1.common.lib.rbac.hasPrimaryOnEnabled" (dict "rootCtx" $) | fromJson }} enabled: true allServiceAccounts: true -primary: {{ $primarypresent }} +primary: {{ not $result.hasPrimary }} clusterWide: false rules: - apiGroups: diff --git a/library/common/templates/lib/rbac/_validation.tpl b/library/common/templates/lib/rbac/_validation.tpl index 81f7ca81..89aea34f 100644 --- a/library/common/templates/lib/rbac/_validation.tpl +++ b/library/common/templates/lib/rbac/_validation.tpl 
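Review bot: In the `tc.v1.common.dependencies.volsync.waitrbac` hunk the meaning of `primary` is inverted (from `{{ $primarypresent }}` to `{{ not $result.hasPrimary }}`) with no comment saying why. A line above it such as `{{/* Become the primary RBAC only when no enabled rbac is already primary */}}` would record the intent, if that is indeed the intent. The removed loop read `.values.rbac`, while the helper it now calls reads `$rootCtx.Values.rbac` from `(dict "rootCtx" $)`. The caller of this define is outside the hunk, so it is worth confirming that `$` here is the chart root and really exposes `.Values`. Since this block is granted to `allServiceAccounts: true`, a test covering both cases (user-supplied primary present and absent) would pin which RBAC ends up primary.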
@@ -4,15 +4,33 @@ */}} {{- define "tc.v1.common.lib.rbac.primaryValidation" -}} + {{- $result := include "tc.v1.common.lib.rbac.hasPrimaryOnEnabled" (dict "rootCtx" $) | fromJson -}} + {{- if $result.hasMoreThanOne -}} + {{- fail "RBAC - Only one rbac can be primary" -}} + {{- end -}} + + {{/* Require at least one primary rbac, if any enabled */}} + {{- if and $result.hasEnabled (not $result.hasPrimary) -}} + {{- fail "RBAC - At least one enabled rbac must be primary" -}} + {{- end -}} + +{{- end -}} + +{{- define "tc.v1.common.lib.rbac.hasPrimaryOnEnabled" -}} + {{- $rootCtx := .rootCtx -}} {{/* Initialize values */}} {{- $hasPrimary := false -}} + {{- $hasMoreThanOne := false -}} {{- $hasEnabled := false -}} - {{- range $name, $rbac := .Values.rbac -}} - + {{- range $name, $rbac := $rootCtx.Values.rbac -}} + {{- $enabled := (include "tc.v1.common.lib.util.enabled" (dict + "rootCtx" $rootCtx "objectData" $rbac + "name" $name "caller" "RBAC" "key" "rbac" + )) -}} {{/* If rbac is enabled */}} - {{- if $rbac.enabled -}} + {{- if eq $enabled "true" -}} {{- $hasEnabled = true -}} {{/* And rbac is primary */}} @@ -20,7 +38,7 @@ {{/* Fail if there is already a primary rbac */}} {{- if $hasPrimary -}} - {{- fail "RBAC - Only one rbac can be primary" -}} + {{- $hasMoreThanOne = true -}} {{- end -}} {{- $hasPrimary = true -}} @@ -30,9 +48,5 @@ {{- end -}} {{- end -}} - {{/* Require at least one primary rbac, if any enabled */}} - {{- if and $hasEnabled (not $hasPrimary) -}} - {{- fail "RBAC - At least one enabled rbac must be primary" -}} - {{- end -}} - + {{- dict "hasEnabled" $hasEnabled "hasPrimary" $hasPrimary "hasMoreThanOne" $hasMoreThanOne | toJson }} {{- end -}} diff --git a/library/common/templates/lib/serviceAccount/_validation.tpl b/library/common/templates/lib/serviceAccount/_validation.tpl index 6c82b2c4..69013068 100644 --- a/library/common/templates/lib/serviceAccount/_validation.tpl +++ b/library/common/templates/lib/serviceAccount/_validation.tpl 
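Review bot: `tc.v1.common.lib.rbac.primaryValidation` now trusts the output of `include … | fromJson`, but Helm's `fromJson` does not fail on bad input; it returns a map carrying an `Error` key. If the helper ever emits anything other than clean JSON, `$result.hasMoreThanOne` and `$result.hasEnabled` are both empty and the two `fail` checks are skipped silently. A guard placed before them closes that gap: `{{- if hasKey $result "Error" -}}{{- fail (printf "RBAC - could not evaluate primary state: %s" $result.Error) -}}{{- end -}}`. The same pattern applies to the `serviceAccount.primaryValidation` hunk and to the `waitrbac` caller, where an unparsed result would render `primary: true`. Separately, `eq $enabled "true"` depends on `tc.v1.common.lib.util.enabled` returning exactly that string with no surrounding whitespace; that helper is outside this diff, so confirm it.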
@@ -4,15 +4,33 @@ */}} {{- define "tc.v1.common.lib.serviceAccount.primaryValidation" -}} + {{- $result := include "tc.v1.common.lib.serviceAccount.hasPrimaryOnEnabled" (dict "rootCtx" $) | fromJson -}} + {{- if $result.hasMoreThanOne -}} + {{- fail "Service Account - Only one service account can be primary" -}} + {{- end -}} + + {{/* Require at least one primary service account, if any enabled */}} + {{- if and $result.hasEnabled (not $result.hasPrimary) -}} + {{- fail "Service Account - At least one enabled service account must be primary" -}} + {{- end -}} + +{{- end -}} + +{{- define "tc.v1.common.lib.serviceAccount.hasPrimaryOnEnabled" -}} + {{- $rootCtx := .rootCtx -}} {{/* Initialize values */}} {{- $hasPrimary := false -}} + {{- $hasMoreThanOne := false -}} {{- $hasEnabled := false -}} - {{- range $name, $serviceAccount := .Values.serviceAccount -}} - + {{- range $name, $serviceAccount := $rootCtx.Values.serviceAccount -}} + {{- $enabled := (include "tc.v1.common.lib.util.enabled" (dict + "rootCtx" $rootCtx "objectData" $serviceAccount + "name" $name "caller" "Service Account" "key" "serviceAccount" + )) -}} {{/* If service account is enabled */}} - {{- if $serviceAccount.enabled -}} + {{- if eq $enabled "true" -}} {{- $hasEnabled = true -}} {{/* And service account is primary */}} @@ -20,7 +38,7 @@ {{/* Fail if there is already a primary service account */}} {{- if $hasPrimary -}} - {{- fail "Service Account - Only one service account can be primary" -}} + {{- $hasMoreThanOne = true -}} {{- end -}} {{- $hasPrimary = true -}} @@ -30,9 +48,5 @@ {{- end -}} {{- end -}} - {{/* Require at least one primary service account, if any enabled */}} - {{- if and $hasEnabled (not $hasPrimary) -}} - {{- fail "Service Account - At least one enabled service account must be primary" -}} - {{- end -}} - + {{ dict "hasEnabled" $hasEnabled "hasPrimary" $hasPrimary "hasMoreThanOne" $hasMoreThanOne | toJson }} {{- end -}}
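Review bot: The final line of `tc.v1.common.lib.serviceAccount.hasPrimaryOnEnabled` is written `{{ dict … | toJson }}`, while the rbac twin uses `{{- dict … | toJson }}`. The output is parsed by `fromJson`, so the two helpers should use the same trimming: `{{- dict "hasEnabled" $hasEnabled "hasPrimary" $hasPrimary "hasMoreThanOne" $hasMoreThanOne | toJson }}`. The rbac and serviceAccount helpers are now identical except for the values key and the `caller`/`key` strings, so a single shared helper taking those as arguments would keep the validation logic from drifting. Neither new define has a header comment; a short `{{/* Returns JSON: hasEnabled, hasPrimary, hasMoreThanOne */}}` above each would document the contract that callers rely on.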