From 44e1d62f4c0872ab4cb6f6bd5126f5a8ca2e66ef Mon Sep 17 00:00:00 2001
From: Paulo Gomes <paulo.gomes@weave.works>
Date: Fri, 5 Aug 2022 21:20:30 +0100
Subject: [PATCH] add validation to namespace flag

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
---
 cmd/flux/install_test.go | 43 ++++++++++++++++++++++++++++++++++++++++
 cmd/flux/main.go         | 21 ++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 cmd/flux/install_test.go

diff --git a/cmd/flux/install_test.go b/cmd/flux/install_test.go
new file mode 100644
index 0000000000..098cfa0bb0
--- /dev/null
+++ b/cmd/flux/install_test.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestInstall(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "invalid namespace",
+			args:   "install --namespace='@#[]'",
+			assert: assertError("namespace must be a valid DNS label: \"@#[]\""),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}
diff --git a/cmd/flux/main.go b/cmd/flux/main.go
index 010ca7adac..cc3d955359 100644
--- a/cmd/flux/main.go
+++ b/cmd/flux/main.go
@@ -27,6 +27,7 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
@@ -96,6 +97,18 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,
 
   # Uninstall Flux and delete CRDs
   flux uninstall`,
+	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+		ns, err := cmd.Flags().GetString("namespace")
+		if err != nil {
+			return fmt.Errorf("error getting namespace: %w", err)
+		}
+
+		if e := validation.IsDNS1123Label(ns); len(e) > 0 {
+			return fmt.Errorf("namespace must be a valid DNS label: %q", ns)
+		}
+
+		return nil
+	},
 }
 
 var logger = stderrLogger{stderr: os.Stderr}
@@ -178,6 +191,14 @@ func configureDefaultNamespace() {
 	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
 	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
 	if fromEnv != "" {
+		// namespace must be a valid DNS label. Assess against validation
+		// used upstream, and ignore invalid values as environment vars
+		// may not be actively provided by end-user.
+		if e := validation.IsDNS1123Label(fromEnv); len(e) > 0 {
+			logger.Warningf(" ignoring invalid FLUX_SYSTEM_NAMESPACE: %q", fromEnv)
+			return
+		}
+
 		kubeconfigArgs.Namespace = &fromEnv
 	}
 }