From 6d0d9e9648b7c6833af8c9af54b39c2be8fb0075 Mon Sep 17 00:00:00 2001 From: Brandon Palm Date: Tue, 16 Jun 2026 09:23:08 -0500 Subject: [PATCH] fix: include supported values in validation error messages When users pass unsupported args, env vars, labels, or resources to the CertManager CR, the error now lists the supported values so they can self-correct without consulting documentation. --- .../certmanager/deployment_overrides_validation.go | 11 ++++++----- .../deployment_overrides_validation_test.go | 8 ++++---- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/pkg/controller/certmanager/deployment_overrides_validation.go b/pkg/controller/certmanager/deployment_overrides_validation.go index 874967385..78b42a8be 100644 --- a/pkg/controller/certmanager/deployment_overrides_validation.go +++ b/pkg/controller/certmanager/deployment_overrides_validation.go @@ -2,6 +2,7 @@ package certmanager import ( "fmt" + "strings" "unsafe" appsv1 "k8s.io/api/apps/v1" @@ -78,7 +79,7 @@ func withContainerArgsValidateHook(certmanagerinformer certmanagerinformer.CertM validateArgs := func(argMap map[string]string, supportedArgs []string) error { for k, v := range argMap { if !slices.Contains(supportedArgs, k) { - return fmt.Errorf("validation failed due to unsupported arg %q=%q", k, v) + return fmt.Errorf("validation failed due to unsupported arg %q=%q; supported args are: %s", k, v, strings.Join(supportedArgs, ", ")) } } return nil @@ -127,7 +128,7 @@ func withContainerEnvValidateHook(certmanagerinformer certmanagerinformer.CertMa validateEnv := func(argMap map[string]corev1.EnvVar, supportedEnv []string) error { for k, v := range argMap { if !slices.Contains(supportedEnv, k) { - return fmt.Errorf("validation failed due to unsupported arg %q=%q", k, v) + return fmt.Errorf("validation failed due to unsupported env var %q=%q; supported env vars are: %s", k, v, strings.Join(supportedEnv, ", ")) } } return nil @@ -176,7 +177,7 @@ func withPodLabelsValidateHook(certmanagerinformer certmanagerinformer.CertManag validateLabels := func(labels map[string]string, supportedLabelKeys []string) error { for k, v := range labels { if !slices.Contains(supportedLabelKeys, k) { - return fmt.Errorf("validation failed due to unsupported label %q=%q", k, v) + return fmt.Errorf("validation failed due to unsupported label %q=%q; supported labels are: %s", k, v, strings.Join(supportedLabelKeys, ", ")) } } return nil @@ -254,12 +255,12 @@ func validateResources(resources v1alpha1.CertManagerResourceRequirements, suppo errs := []error{} for k, v := range resources.Limits { if !slices.Contains(supportedResourceNames, string(k)) { - errs = append(errs, fmt.Errorf("validation failed due to unsupported resource limits %q=%s", k, v.String())) + errs = append(errs, fmt.Errorf("validation failed due to unsupported resource limits %q=%s; supported resources are: %s", k, v.String(), strings.Join(supportedResourceNames, ", "))) } } for k, v := range resources.Requests { if !slices.Contains(supportedResourceNames, string(k)) { - errs = append(errs, fmt.Errorf("validation failed due to unsupported resource requests %q=%s", k, v.String())) + errs = append(errs, fmt.Errorf("validation failed due to unsupported resource requests %q=%s; supported resources are: %s", k, v.String(), strings.Join(supportedResourceNames, ", "))) } } return utilerrors.NewAggregate(errs) diff --git a/pkg/controller/certmanager/deployment_overrides_validation_test.go b/pkg/controller/certmanager/deployment_overrides_validation_test.go index e72dc4b43..daf041908 100644 --- a/pkg/controller/certmanager/deployment_overrides_validation_test.go +++ b/pkg/controller/certmanager/deployment_overrides_validation_test.go @@ -309,7 +309,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerControllerDeployment, - wantErrMsg: `validation failed due to unsupported arg "--totally-unknown-flag"="value"`, + wantErrMsg: `validation failed due to unsupported arg "--totally-unknown-flag"="value"; supported args are: --acme-http01-solver-nameservers, --acme-http01-solver-resource-limits-cpu, --acme-http01-solver-resource-limits-memory, --acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory, --dns01-recursive-nameservers, --dns01-recursive-nameservers-only, --v, -V, --metrics-listen-address, --issuer-ambient-credentials, --enable-certificate-owner-ref, --certificate-request-minimum-backoff-duration`, }, { name: "controller validates only controllerConfig webhook override args ignored", @@ -369,7 +369,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerWebhookDeployment, - wantErrMsg: `validation failed due to unsupported arg "--metrics-listen-address"="0.0.0.0:9402"`, + wantErrMsg: `validation failed due to unsupported arg "--metrics-listen-address"="0.0.0.0:9402"; supported args are: --v, -V`, }, { name: "webhook rejects certificate-request-minimum-backoff-duration", @@ -382,7 +382,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerWebhookDeployment, - wantErrMsg: `validation failed due to unsupported arg "--certificate-request-minimum-backoff-duration"="1m"`, + wantErrMsg: `validation failed due to unsupported arg "--certificate-request-minimum-backoff-duration"="1m"; supported args are: --v, -V`, }, { name: "nil webhook config skips validation", @@ -430,7 +430,7 @@ func TestWithContainerArgsValidateHook(t *testing.T) { }, }, deploymentName: certmanagerCAinjectorDeployment, - wantErrMsg: `validation failed due to unsupported arg "--dns01-recursive-nameservers"="8.8.8.8:53"`, + wantErrMsg: `validation failed due to unsupported arg "--dns01-recursive-nameservers"="8.8.8.8:53"; supported args are: --v, -V`, }, { name: "nil cainjector config skips validation",