From 0d543d24bebbf37a5e6b64e388d6de2e973dc5f4 Mon Sep 17 00:00:00 2001 From: Brandon Palm Date: Tue, 16 Jun 2026 09:23:08 -0500 Subject: [PATCH] fix: include supported values in validation error messages When users pass unsupported args, env vars, labels, or resources to the CertManager CR, the error now lists the supported values so they can self-correct without consulting documentation. --- .../certmanager/deployment_overrides_validation.go | 11 ++++++----- .../deployment_overrides_validation_test.go | 8 ++++---- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/pkg/controller/certmanager/deployment_overrides_validation.go b/pkg/controller/certmanager/deployment_overrides_validation.go index 34d4c342a..ede587896 100644 --- a/pkg/controller/certmanager/deployment_overrides_validation.go +++ b/pkg/controller/certmanager/deployment_overrides_validation.go @@ -3,6 +3,7 @@ package certmanager import ( "fmt" "strconv" + "strings" "unsafe" appsv1 "k8s.io/api/apps/v1" @@ -94,7 +95,7 @@ func withContainerArgsValidateHook(certmanagerinformer certmanagerinformer.CertM validateArgs := func(argMap map[string]string, supportedArgs []string) error { for k, v := range argMap { if !slices.Contains(supportedArgs, k) { - return fmt.Errorf("validation failed due to unsupported arg %q=%q", k, v) + return fmt.Errorf("validation failed due to unsupported arg %q=%q; supported args are: %s", k, v, strings.Join(supportedArgs, ", ")) } } return nil @@ -189,7 +190,7 @@ func withContainerEnvValidateHook(certmanagerinformer certmanagerinformer.CertMa validateEnv := func(argMap map[string]corev1.EnvVar, supportedEnv []string) error { for k, v := range argMap { if !slices.Contains(supportedEnv, k) { - return fmt.Errorf("validation failed due to unsupported arg %q=%q", k, v) + return fmt.Errorf("validation failed due to unsupported env var %q=%q; supported env vars are: %s", k, v, strings.Join(supportedEnv, ", ")) } } return nil @@ -238,7 +239,7 @@ func withPodLabelsValidateHook(certmanagerinformer certmanagerinformer.CertManag validateLabels := func(labels map[string]string, supportedLabelKeys []string) error { for k, v := range labels { if !slices.Contains(supportedLabelKeys, k) { - return fmt.Errorf("validation failed due to unsupported label %q=%q", k, v) + return fmt.Errorf("validation failed due to unsupported label %q=%q; supported labels are: %s", k, v, strings.Join(supportedLabelKeys, ", ")) } } return nil @@ -316,12 +317,12 @@ func validateResources(resources v1alpha1.CertManagerResourceRequirements, suppo errs := []error{} for k, v := range resources.Limits { if !slices.Contains(supportedResourceNames, string(k)) { - errs = append(errs, fmt.Errorf("validation failed due to unsupported resource limits %q=%s", k, v.String())) + errs = append(errs, fmt.Errorf("validation failed due to unsupported resource limits %q=%s; supported resources are: %s", k, v.String(), strings.Join(supportedResourceNames, ", "))) } } for k, v := range resources.Requests { if !slices.Contains(supportedResourceNames, string(k)) { - errs = append(errs, fmt.Errorf("validation failed due to unsupported resource requests %q=%s", k, v.String())) + errs = append(errs, fmt.Errorf("validation failed due to unsupported resource requests %q=%s; supported resources are: %s", k, v.String(), strings.Join(supportedResourceNames, ", "))) } } return utilerrors.NewAggregate(errs) diff --git a/pkg/controller/certmanager/deployment_overrides_validation_test.go b/pkg/controller/certmanager/deployment_overrides_validation_test.go index ec7ffd310..8a6ea0ef5 100644 --- a/pkg/controller/certmanager/deployment_overrides_validation_test.go +++ b/pkg/controller/certmanager/deployment_overrides_validation_test.go @@ -309,7 +309,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerControllerDeployment, - wantErrMsg: `validation failed due to unsupported arg "--totally-unknown-flag"="value"`, + wantErrMsg: `validation failed due to unsupported arg "--totally-unknown-flag"="value"; supported args are: --acme-http01-solver-nameservers, --acme-http01-solver-resource-limits-cpu, --acme-http01-solver-resource-limits-memory, --acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory, --dns01-recursive-nameservers, --dns01-recursive-nameservers-only, --v, -V, --metrics-listen-address, --issuer-ambient-credentials, --enable-certificate-owner-ref, --certificate-request-minimum-backoff-duration`, }, { name: "controller accepts performance tuning flags", @@ -546,7 +546,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerWebhookDeployment, - wantErrMsg: `validation failed due to unsupported arg "--metrics-listen-address"="0.0.0.0:9402"`, + wantErrMsg: `validation failed due to unsupported arg "--metrics-listen-address"="0.0.0.0:9402"; supported args are: --v, -V`, }, { name: "webhook rejects certificate-request-minimum-backoff-duration", @@ -559,7 +559,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerWebhookDeployment, - wantErrMsg: `validation failed due to unsupported arg "--certificate-request-minimum-backoff-duration"="1m"`, + wantErrMsg: `validation failed due to unsupported arg "--certificate-request-minimum-backoff-duration"="1m"; supported args are: --v, -V`, }, { name: "nil webhook config skips validation", @@ -607,7 +607,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerCAinjectorDeployment, - wantErrMsg: `validation failed due to unsupported arg "--dns01-recursive-nameservers"="8.8.8.8:53"`, + wantErrMsg: `validation failed due to unsupported arg "--dns01-recursive-nameservers"="8.8.8.8:53"; supported args are: --v, -V`, }, { name: "nil cainjector config skips validation",