
feat(ci): validate embedded JSON blobs in ConfigMaps#2502

Merged
devantler merged 2 commits into main from claude/configmap-json-guard
Jul 5, 2026

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why

ConfigMaps that embed whole JSON documents (the Headlamp Kubescape exceptions policy, velero's node-agent config) are opaque strings to schema validation — a stray comma ships silently and only breaks where the JSON is consumed, where an empty exceptions view reads identical to a clean posture. Flagged by CodeRabbit on #2446.

What

Adds a fast stdlib-Python CI gate that json-parses every registered embedded-JSON ConfigMap key (exceptionPolicies plus any *.json key) as the first step of the validate job, failing the PR on a syntax error. Verified against a deliberately corrupted blob in both covered ConfigMaps.

Fixes #2480

devantler and others added 2 commits July 5, 2026 16:04
Registered ConfigMap data keys (exceptionPolicies, *.json) are now
json-parsed by scripts/validate-embedded-json.py as the first step of the
validate job, so a JSON syntax error fails the PR instead of shipping as an
opaque string that only breaks at consumption time.

Fixes #2480

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 5, 2026


📝 Walkthrough


This PR adds scripts/validate-embedded-json.py, a stdlib Python script that scans k8s ConfigMap manifests for embedded JSON values (in registered keys or keys ending in .json), validates JSON syntax, and flags folded YAML scalars (>) as invalid for JSON content. The CI workflow (ci.yaml) is updated to include this script in its k8s path filter and to run it as a new step in the validate job before KSail setup. AGENTS.md documentation is updated to describe this new validation step.

Sequence Diagram(s)

Included above within the hidden review stack artifact.

Related issues: #2480

Suggested labels: ci, documentation, scripts

Suggested reviewers: devantler

Poem:
A rabbit hopped through YAML deep,
Found stray commas that JSON can't keep,
With scripts in hand and CI's new eye,
No folded scalar shall slip on by,
Now every blob it checks with glee — 🐰✅

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | The PR adds a stdlib CI script, wires it into validate, checks registered JSON-like keys, and documents the flow, matching #2480. |
| Out of Scope Changes check | ✅ Passed | The changes are limited to the workflow, validation script, and related documentation, with no obvious unrelated additions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding CI validation for embedded JSON in ConfigMaps. |
| Description check | ✅ Passed | The description matches the changeset and explains the CI gate, target keys, and motivation. |

Comment @coderabbitai help to get the list of available commands.
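
The check this PR describes, as an added stdlib-Python example; it is not the repository's scripts/validate-embedded-json.py. The line-based block-scalar scan, the names `check_manifest`, `indent_of` and `HEADER`, and the sample manifest are assumptions made for the example, and only block-scalar values are inspected.

```python
import json
import re

# Keys treated as embedded JSON, per the PR text: exceptionPolicies plus *.json.
REGISTERED_KEYS = {"exceptionPolicies"}
# Assumed header shape for a block scalar: "  key: |" or "  key: >-".
HEADER = re.compile(r"^(\s+)([\w.\-]+):\s*([|>])[+-]?\s*$")

def indent_of(line):
    return len(line) - len(line.lstrip())

def check_manifest(text):
    """Return [(key, problem)] for embedded-JSON block scalars in a manifest."""
    problems, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        indent, key, style = len(m.group(1)), m.group(2), m.group(3)
        body = []
        # Body = following lines that are blank or indented deeper than the key.
        while i < len(lines) and (not lines[i].strip() or indent_of(lines[i]) > indent):
            body.append(lines[i])
            i += 1
        if key not in REGISTERED_KEYS and not key.endswith(".json"):
            continue  # not a JSON key; its body was skipped above
        if style == ">":
            problems.append((key, "folded scalar (>) used for JSON content"))
            continue
        try:
            json.loads("\n".join(body))
        except json.JSONDecodeError as exc:
            problems.append((key, f"invalid JSON: {exc.msg} (blob line {exc.lineno})"))
    return problems

# Constructed sample: a stray comma, a valid blob, a folded scalar, a non-JSON key.
SAMPLE = """\
data:
  exceptionPolicies: |
    [
      {"name": "example", "scope": ["ns-a"],}
    ]
  settings.json: |
    {"enabled": true}
  extra.json: >
    {"a": 1}
  notes: |
    not json, {ignored
"""
```

A CI step would call `check_manifest` on each manifest file and exit non-zero when the returned list is non-empty, so the stray comma fails the PR instead of surfacing as an empty exceptions view.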

@devantler devantler marked this pull request as ready for review July 5, 2026 16:08
@devantler devantler added this pull request to the merge queue Jul 5, 2026
Merged via the queue into main with commit 40a7736 Jul 5, 2026
16 checks passed
@devantler devantler deleted the claude/configmap-json-guard branch July 5, 2026 16:11
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 5, 2026
@botantler-1

botantler-1 Bot commented Jul 5, 2026

Contributor

🎉 This PR is included in version 1.105.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 5, 2026
Development

Successfully merging this pull request may close these issues.

Validate embedded JSON blobs in ConfigMaps in CI