From fc655247a5192c3975f9b0e508bf50745ccb838c Mon Sep 17 00:00:00 2001 From: Stavros Kois <47820033+stavros-k@users.noreply.github.com> Date: Sun, 10 Mar 2024 01:17:40 +0200 Subject: [PATCH] chore(volumes): do not allow RWO vols on daemonsets (#739) --- .../tests/pod/volume_pvc_test.yaml | 41 +++++++++++++++++++ library/common/Chart.yaml | 2 +- library/common/templates/lib/pod/_volumes.tpl | 14 +++++++ 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/library/common-test/tests/pod/volume_pvc_test.yaml b/library/common-test/tests/pod/volume_pvc_test.yaml index 2362704e4..d5ce455b7 100644 --- a/library/common-test/tests/pod/volume_pvc_test.yaml +++ b/library/common-test/tests/pod/volume_pvc_test.yaml @@ -53,3 +53,44 @@ tests: name: pvc-vol persistentVolumeClaim: claimName: some-existing-claim + + # Failures + - it: should fail when DaemonSet and RWO volume from fallback + set: + fallbackDefaults: + accessModes: + - ReadWriteOnce + workload: + workload-name1: + enabled: true + primary: true + type: DaemonSet + podSpec: {} + persistence: + pvc-vol: + enabled: true + type: pvc + asserts: + - failedTemplate: + errorMessage: Expected [accessMode] to not be [ReadWriteOnce] when used on a [DaemonSet] + + - it: should fail when DaemonSet and RWO volume from persistence + set: + fallbackDefaults: + accessModes: + - ReadWriteMany + workload: + workload-name1: + enabled: true + primary: true + type: DaemonSet + podSpec: {} + persistence: + pvc-vol: + enabled: true + accessModes: + - ReadWriteOnce + type: pvc + asserts: + - failedTemplate: + errorMessage: Expected [accessMode] to not be [ReadWriteOnce] when used on a [DaemonSet] diff --git a/library/common/Chart.yaml b/library/common/Chart.yaml index 7d744368a..e36871c22 100644 --- a/library/common/Chart.yaml +++ b/library/common/Chart.yaml 
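Review bot: Both added cases assert only the failure path, and no case visible in this hunk shows a DaemonSet with a `pvc` volume whose effective mode is `ReadWriteMany` rendering successfully. A guard that rejected every DaemonSet PVC would therefore still pass these tests. A third case such as `- it: should pass when DaemonSet and RWX volume` would pin the intended boundary: reuse the second case's values with `ReadWriteMany` under `persistence.pvc-vol.accessModes` and assert on the rendered `persistentVolumeClaim` volume. The first case would also benefit from a comment like `# no accessModes on the volume, so fallbackDefaults decides`.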
@@ -15,7 +15,7 @@ maintainers: name: common sources: null type: library -version: 19.0.2 +version: 19.0.3 annotations: artifacthub.io/category: "integration-delivery" artifacthub.io/license: "BUSL-1.1" diff --git a/library/common/templates/lib/pod/_volumes.tpl b/library/common/templates/lib/pod/_volumes.tpl index 7f69ff09d..b35000824 100644 --- a/library/common/templates/lib/pod/_volumes.tpl +++ b/library/common/templates/lib/pod/_volumes.tpl @@ -51,6 +51,20 @@ objectData: The object data to be used to render the Pod. {{/* Define the volume based on type */}} {{- $type := ($persistence.type | default $rootCtx.Values.fallbackDefaults.persistenceType) -}} + {{- if eq $objectData.type "DaemonSet" -}} + {{/* Only check accessModes if persistence is one of those types */}} + {{- $typesWithAccessMode := (list "pvc") -}} + {{- if (mustHas $type $typesWithAccessMode) -}} + {{- $modes := include "tc.v1.common.lib.pvc.accessModes" (dict "rootCtx" $rootCtx "objectData" $persistence "caller" "Volumes") | fromYamlArray -}} + + {{- range $m := $modes -}} + {{- if eq $m "ReadWriteOnce" -}} + {{- fail "Expected [accessMode] to not be [ReadWriteOnce] when used on a [DaemonSet]" -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if eq "pvc" $type -}} {{- include "tc.v1.common.lib.pod.volume.pvc" (dict "rootCtx" $rootCtx "objectData" $persistence) | trim | nindent 0 -}} {{- else if eq "hostPath" $type -}}
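Review bot: The guard inside `range $m := $modes` rejects only `ReadWriteOnce`, so a DaemonSet volume declared with `ReadWriteOncePod` still renders, even though that mode limits the claim to a single pod and cannot serve one pod per node. Consider `{{- if (mustHas $m (list "ReadWriteOnce" "ReadWriteOncePod")) -}}`, with the `fail` text and the two test assertions adjusted to cover both modes. The check also depends on what `tc.v1.common.lib.pvc.accessModes` returns for `$persistence`, which is not visible here. If it falls back to `fallbackDefaults.accessModes` for an existing claim, a DaemonSet mounting an existing ReadWriteMany claim would presumably be rejected as well, which is worth confirming. The enclosing template definition starts and ends outside the hunk.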