Validate embedded JSON blobs in ConfigMaps in CI #2480

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem. Some ConfigMaps embed JSON as a YAML block scalar — e.g. the Headlamp Kubescape exceptions ConfigMap (k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml, data.exceptionPolicies, ~15 hand-maintained policy entries). ksail workload validate schema-validates the YAML but treats the blob as an opaque string, so a stray comma or missing bracket ships silently and only fails at consumption time — Headlamp would just show no exceptions, which reads identical to a clean posture (the 0 ≠ clean trap). Flagged by CodeRabbit on #2446.

Proposal. Add a small CI step (script under scripts/, wired into the validate workflow) that finds ConfigMap keys whose value looks like JSON (key convention or an explicit allowlist, starting with exceptionPolicies) and runs them through a JSON parse, failing the build on a syntax error.

Acceptance criteria.

  • CI fails when data.exceptionPolicies (or another registered embedded-JSON key) is not parseable JSON.
  • Passing case adds negligible CI time and no new heavyweight tooling.
  • The check is documented where the validate command is documented.
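
One way to implement the proposed check, as an added example that is not code from this issue or its repository. It uses only Ruby's standard library, walks the YAML syntax tree instead of instantiating objects, and reports the line where the failing value starts. The names `EMBEDDED_JSON_KEYS`, `embedded_json_errors`, `mapping_to_h` and `sample_manifest` are assumptions, and the sample manifests are constructed.

```ruby
require "yaml"
require "json"

# Assumption: the registry of embedded-JSON keys; the issue names only this one.
EMBEDDED_JSON_KEYS = %w[exceptionPolicies].freeze

# Map a YAML mapping node to { "key" => value_node } without building Ruby objects.
def mapping_to_h(node)
  return {} unless node.is_a?(Psych::Nodes::Mapping)
  node.children.each_slice(2).to_h { |k, v| [k.is_a?(Psych::Nodes::Scalar) ? k.value : nil, v] }
end

# Return one message per registered ConfigMap key whose value is not parseable JSON.
def embedded_json_errors(yaml_text, source = "<inline>")
  errors = []
  YAML.parse_stream(yaml_text).children.each do |doc|
    top = mapping_to_h(doc.root)
    kind = top["kind"]
    next unless kind.is_a?(Psych::Nodes::Scalar) && kind.value == "ConfigMap"
    mapping_to_h(top["data"]).each do |key, node|
      next unless EMBEDDED_JSON_KEYS.include?(key) && node.is_a?(Psych::Nodes::Scalar)
      begin
        JSON.parse(node.value)
      rescue JSON::ParserError => e
        line = node.start_line + 1 # Psych lines are zero-based
        errors << "#{source}:#{line}: data.#{key} is not valid JSON: #{e.message.lines.first.to_s.strip}"
      end
    end
  end
  errors
end

# Constructed two-document manifest; only the ConfigMap document is checked.
def sample_manifest(json)
  <<~YAML
    apiVersion: v1
    kind: Namespace
    metadata: {name: sample}
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata: {name: sample-exceptions}
    data:
      exceptionPolicies: |
        #{json}
  YAML
end

SAMPLE_OK = sample_manifest('[{"name": "example-a"}, {"name": "example-b"}]')
SAMPLE_BROKEN = sample_manifest('[{"name": "example-a"}, {"name": "example-b"},]') # stray comma

# CI entry point: pass manifest paths as arguments; exits non-zero on any failure.
if __FILE__ == $PROGRAM_NAME
  failures = ARGV.flat_map { |path| embedded_json_errors(File.read(path), path) }
  failures.each { |msg| warn msg }
  exit 1 unless failures.empty?
end
```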
