
[dmt] fix add mount points validation rule#401

Open
diyliv wants to merge 13 commits into
mainfrom
fix/mount-points-validation-rule

Conversation


@diyliv diyliv commented Jun 17, 2026


Summary

  • Mount-points validation rule (mount_points.go): checks that all directories listed in mount-points.yaml are actually used as volumeMount.mountPath in at least one pod controller (Deployment / StatefulSet / DaemonSet). One-way check: file → templates.
  • File discovery: recursive walk of the module directory via filepath.Walk to find all mount-points.yaml files, parse each and extract the dirs list.
  • MountPath collection from templates: iterates GetStorage(), filters pod controllers via IsPodController(), calls GetAllContainers() for each (main + init containers), collects all volumeMount.mountPath into a set.
  • Comparison: string comparison with trailing slash normalization (strings.TrimRight("/")) on both sides. If a dir from the file is not found in any controller — warning (not error).
  • Error context: each warning is tied to the specific mount-points.yaml file via errorList.WithFilePath() so the developer can quickly locate the source.
  • Graceful handling of missing data: no files → no check, no pod controllers → rule skips, empty dirs → no errors.
  • Config wiring: added MountPointsRule RuleConfig to runtime config (pkg/config.go), global config with tag mapstructure:"mount-points" (pkg/config/global/global.go), rule level mapping in mapTemplatesRules() (internal/module/module.go).
  • Registration: NewMountPointsRule().ValidateMountPoints(...) call added to the Run() method of the templates linter (templates.go).
  • Tests: 12 test scenarios covering all dirs matched, missing dir, multiple files, no files, empty file, no pod controllers, DaemonSet/StatefulSet, trailing slash match, init containers, exclude, exclude with trailing slash, controller without volume mounts.

Context

Modules may contain mount-points.yaml files describing directories that should be mounted into containers. If a directory is listed in the file but is not used as volumeMount.mountPath in any pod, containerd v2 may crash when trying to mount something into a non-existent directory. The rule ensures that mount-points.yaml always matches actual usage in templates.

Example

mount-points.yaml (images/app/mount-points.yaml):

dirs:
  - /etc/app
  - /etc/app/certs

Deployment in template (uses only /etc/app):

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        volumeMounts:
        - name: config
          mountPath: /etc/app

Result: warning — mount-points.yaml references dir "/etc/app/certs" which is not used as a mountPath in any pod controller.

Excluding directories

Per-line exclude is supported via DMT config. Use when pods are managed outside Helm (operator, webhook, static pods, bashible) — their volumeMounts are not in templates, producing false positives.

exclude-rules:
  mount-points:
    - /run/secrets/              # exclude entire tree (istio webhook)
    - /etc/ssl/certs             # exclude single dir (static pod)
    - /var/run/secrets/istiod/ca # exact path

Signed-off-by: diyliv <onlogn081@gmail.com>
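As an added example (not code from this PR or from the DMT project), the comparison and exclude logic described in the summary, run against constructed sample data instead of real mount-points.yaml files and Helm templates. The type and function names are assumptions, the tree-vs-exact exclude semantics follow the comments in the exclude-rules snippet above (trailing slash excludes a subtree, no trailing slash matches one dir), and the block also carries the reverse check (template mountPaths declared in no file) that the container-linter rule adds according to the review summary below.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Stand-ins for the pod controllers the rule walks via
// GetStorage()/IsPodController()/GetAllContainers(); names are assumptions.
type container struct {
	Name       string
	MountPaths []string // volumeMounts[*].mountPath
}

type controller struct {
	Kind, Name     string
	Containers     []container
	InitContainers []container
}

// normalizeMountPath applies the summary's strings.TrimRight("/") normalization
// so "/etc/app/" and "/etc/app" compare equal; "/" itself is kept.
func normalizeMountPath(p string) string {
	if t := strings.TrimRight(p, "/"); t != "" {
		return t
	}
	return "/"
}

// isExcluded follows the exclude-rules comments (assumed semantics): an entry
// ending in "/" excludes the whole subtree, any other entry matches exactly.
// The tree/exact decision is taken before trimming, because after
// normalization "/run/secrets/" and "/run/secrets" are indistinguishable.
func isExcluded(path string, excludes []string) bool {
	np := normalizeMountPath(path)
	for _, ex := range excludes {
		tree := strings.HasSuffix(ex, "/")
		nex := normalizeMountPath(ex)
		if np == nex || (tree && (nex == "/" || strings.HasPrefix(np, nex+"/"))) {
			return true
		}
	}
	return false
}

// collectMountPaths gathers every mountPath of main and init containers into a
// normalized set, as the templates rule does.
func collectMountPaths(ctrls []controller) map[string]struct{} {
	used := make(map[string]struct{})
	for _, c := range ctrls {
		for _, ct := range append(append([]container(nil), c.Containers...), c.InitContainers...) {
			for _, mp := range ct.MountPaths {
				used[normalizeMountPath(mp)] = struct{}{}
			}
		}
	}
	return used
}

// undeclaredDirs is the one-way check file -> templates: declared dirs that no
// controller mounts and that are not excluded (reported as warnings).
func undeclaredDirs(declared []string, used map[string]struct{}, excludes []string) []string {
	var missing []string
	for _, d := range declared {
		if _, ok := used[normalizeMountPath(d)]; ok || isExcluded(d, excludes) {
			continue
		}
		missing = append(missing, d)
	}
	sort.Strings(missing)
	return missing
}

// undeclaredMountPaths is the reverse check (container linter): mountPaths used
// in templates that no mount-points.yaml declares.
func undeclaredMountPaths(used map[string]struct{}, declared []string, excludes []string) []string {
	decl := make(map[string]struct{}, len(declared))
	for _, d := range declared {
		decl[normalizeMountPath(d)] = struct{}{}
	}
	var out []string
	for mp := range used {
		if _, ok := decl[mp]; ok || isExcluded(mp, excludes) {
			continue
		}
		out = append(out, mp)
	}
	sort.Strings(out)
	return out
}

// Constructed sample data mirroring the PR's example and exclude-rules.
var sampleDeclared = []string{"/etc/app", "/etc/app/certs", "/run/secrets/istio", "/etc/ssl/certs/"}
var sampleExcludes = []string{"/run/secrets/", "/etc/ssl/certs"}

func sampleControllers() []controller {
	return []controller{{Kind: "Deployment", Name: "app",
		Containers:     []container{{Name: "app", MountPaths: []string{"/etc/app/"}}},
		InitContainers: []container{{Name: "init", MountPaths: []string{"/var/lib/cache"}}}}}
}

func main() {
	used := collectMountPaths(sampleControllers())
	for _, d := range undeclaredDirs(sampleDeclared, used, sampleExcludes) {
		fmt.Printf("warning: mount-points.yaml references dir %q which is not used as a mountPath in any pod controller\n", d)
	}
	for _, mp := range undeclaredMountPaths(used, sampleDeclared, sampleExcludes) {
		fmt.Printf("warning: mountPath %q is not declared in any mount-points.yaml\n", mp)
	}
}
```

With the sample data, the file -> templates direction flags only `/etc/app/certs`: `/etc/app` is matched after trailing-slash normalization, `/run/secrets/istio` falls under the `/run/secrets/` tree exclude and `/etc/ssl/certs/` hits the exact exclude. The reverse direction flags the init container's `/var/lib/cache`, which no file declares.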
@diyliv diyliv self-assigned this Jun 17, 2026
@diyliv diyliv added the labels bug (Something isn't working) and go (Pull requests that update go code) Jun 17, 2026
@diyliv diyliv marked this pull request as draft June 17, 2026 09:50
@diyliv diyliv changed the title from "add mount points validation rule" to "fix/add mount points validation rule" Jun 17, 2026
@diyliv diyliv changed the title from "fix/add mount points validation rule" to "[dmt] fix/add mount points validation rule" Jun 17, 2026
diyliv added 5 commits June 17, 2026 19:34
@diyliv diyliv changed the title from "[dmt] fix/add mount points validation rule" to "[dmt] fix add mount points validation rule" Jun 17, 2026
@diyliv diyliv marked this pull request as ready for review June 19, 2026 09:27

Copilot AI left a comment


Pull request overview

This PR introduces a new mount-points validation rule to keep mount-points.yaml in sync with actual volumeMount.mountPath usage in pod controllers, and wires it into both the templates and container linters with config support, docs, and tests.

Changes:

  • Added a Templates-linter mount-points rule that warns when mount-points.yaml declares directories not used as any controller mountPath.
  • Added a Container-linter mount-points rule that warns when controllers use mountPaths not declared in any mount-points.yaml.
  • Wired config (global + runtime), updated documentation, and added unit + e2e test coverage.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| test/e2e/testdata/container/mount-points-missing/module/templates/deployment.yaml | E2E fixture with declared + undeclared mountPaths. |
| test/e2e/testdata/container/mount-points-missing/module/openapi/values.yaml | Minimal OpenAPI fixture for the e2e module. |
| test/e2e/testdata/container/mount-points-missing/module/openapi/config-values.yaml | Minimal OpenAPI fixture for the e2e module. |
| test/e2e/testdata/container/mount-points-missing/module/module.yaml | E2E module metadata fixture. |
| test/e2e/testdata/container/mount-points-missing/module/images/app/mount-points.yaml | E2E mount-points declaration fixture. |
| test/e2e/testdata/container/mount-points-missing/expected.yaml | E2E expected warning for undeclared mountPath. |
| pkg/linters/templates/templates.go | Registers the new templates mount-points rule in the templates linter. |
| pkg/linters/templates/rules/mount_points.go | Implements file → templates validation for mount-points.yaml. |
| pkg/linters/templates/rules/mount_points_test.go | Unit tests for templates mount-points rule scenarios. |
| pkg/linters/templates/README.md | Documents the new templates mount-points rule and configuration. |
| pkg/linters/container/rules/mount_points.go | Implements templates → file validation for undeclared mountPaths. |
| pkg/linters/container/rules/mount_points_test.go | Unit tests for container mount-points rule scenarios. |
| pkg/linters/container/rules.go | Registers the new container mount-points rule. |
| pkg/linters/container/container.go | Stores module path for rules needing module filesystem access. |
| pkg/config/linters_settings.go | Adds rule + exclude configuration fields for mount-points. |
| pkg/config/global/global.go | Adds global rule config entries for mount-points. |
| pkg/config.go | Adds runtime config entries for mount-points rules/excludes. |
| internal/module/module.go | Maps mount-points rule levels/excludes into effective linter settings. |


Comment thread internal/module/module.go
Comment on lines 413 to +417
excludes.SeccompProfile = configExcludes.SeccompProfile.Get()
excludes.NoNewPrivileges = configExcludes.NoNewPrivileges.Get()
excludes.ImageDigest = configExcludes.ImageDigest.Get()
excludes.Description = pkg.StringRuleExcludeList(configExcludes.Description)
excludes.MountPoints = pkg.StringRuleExcludeList(configExcludes.MountPoints)
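Review bot: `excludes.MountPoints = pkg.StringRuleExcludeList(configExcludes.MountPoints)` reuses the same list type as Description, so please confirm it implements the semantics the PR description documents, where an entry with a trailing slash (`/run/secrets/`) excludes the whole subtree while an entry without one (`/etc/ssl/certs`) matches a single dir. If StringRuleExcludeList does plain equality, the trailing-slash form will not exclude the tree as documented; and because the rule normalizes both sides with strings.TrimRight("/"), `/run/secrets/` and `/run/secrets` become indistinguishable after normalization, so the tree-vs-exact decision has to be made on the raw exclude entry before trimming. A unit test where the exclude entry keeps its trailing slash and the declared dir does not (the "exclude with trailing slash" scenario listed in the summary) would pin this down.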

`/etc/app/certs` is declared in `mount-points.yaml` but no pod controller uses it as a mountPath.

**Error:**
Comment on lines +57 to +63
dirsByFile := collectMountPointsDirs(m, errorList)
if len(dirsByFile) == 0 {
return
}

templateMountPaths := collectTemplateMountPaths(m, errorList)
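Review bot: the early `if len(dirsByFile) == 0 { return }` makes a mount-points.yaml that fails to parse, and so contributes no dirs, indistinguishable from a module with no such file, which silently skips the check. Make sure collectMountPointsDirs reports a parse failure to errorList (with WithFilePath, as the warnings do) before this return, otherwise a malformed file defeats the rule it is meant to enforce. Returning before collectTemplateMountPaths runs matches the "no files → no check" behaviour in the summary; a one-line comment on the return would make that intent explicit for the next reader.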
