From 3acac4e8a5a54d2cfec42daa8f6a7dff9ef45de1 Mon Sep 17 00:00:00 2001
From: Dmitry <anoshindx@gmail.com>
Date: Tue, 16 Nov 2021 15:07:11 -0800
Subject: [PATCH] Add helm hook for custom secret validation

---
 .../templates/secret-validation-hook.yaml     | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 helm-charts/splunk-otel-collector/templates/secret-validation-hook.yaml

diff --git a/helm-charts/splunk-otel-collector/templates/secret-validation-hook.yaml b/helm-charts/splunk-otel-collector/templates/secret-validation-hook.yaml
new file mode 100644
index 0000000000..494c9e04cd
--- /dev/null
+++ b/helm-charts/splunk-otel-collector/templates/secret-validation-hook.yaml
@@ -0,0 +1,45 @@
+{{- if not .Values.secret.create }}
+# Helm hook validating that custom secret provided by user has all the required
+# fields.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "splunk-otel-collector.fullname" . }}-validate-secret
+  labels:
+    {{- include "splunk-otel-collector.commonLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-upgrade,pre-install
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  restartPolicy: Never
+  containers:
+  - name: validate-secret
+    image: {{ template "splunk-otel-collector.image.otelcol" . }}
+    imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
+    command: ["sh", "-c"]
+    args:
+      - if [ "{{ include "splunk-otel-collector.splunkO11yEnabled" . }}" = "true" ] && [ ! -f /otel/secret/splunk_observability_access_token ]; then
+          echo Splunk Observability destination is enabled, but custom\
+          Kubernetes secret \"{{ template "splunk-otel-collector.secret" . }}\"\
+          doesn\'t have required field \"splunk_observability_access_token\".;
+          export TOKEN_INVALID=true;
+        fi;
+        if [ "{{ include "splunk-otel-collector.splunkPlatformEnabled" . }}" = "true" ] && [ ! -f /otel/secret/splunk_platform_hec_token ]; then
+          echo Splunk Platform destination is enabled, but custom Kubernetes\
+          secret \"{{ template "splunk-otel-collector.secret" . }}\" doesn\'t\
+          have required field \"splunk_platform_hec_token\".;
+          export TOKEN_INVALID=true;
+        fi;
+        if [ "$TOKEN_INVALID" = "true" ]; then
+          echo Please update the secret.;
+          exit 1;
+        fi
+    volumeMounts:
+      - name: secret
+        mountPath: /otel/secret
+        readOnly: true
+  volumes:
+    - name: secret
+      secret:
+        secretName: {{ template "splunk-otel-collector.secret" . }}
+{{- end }}