linode · dennisvankekem · Apr 17, 2025 · Mar 27, 2025 · Mar 31, 2025 · Mar 31, 2025
@@ -1,8 +1,8 @@
+import { globSync } from 'glob'
 import { applyChanges, Changes, filterChanges, getBuildName, policiesMigration } from 'src/cmd/migrate'
 import stubs from 'src/test-stubs'
-import { globSync } from 'glob'
-import { getFileMap } from '../common/repo'
 import { env } from '../common/envalid'
+import { getFileMap } from '../common/repo'
 
 jest.mock('uuid', () => ({
   v4: jest.fn(() => 'my-fixed-uuid'),
@@ -571,6 +571,105 @@ describe('Build image name migration', () => {
   }, 20000)
 })
 
+describe('teamSettingsMigration', () => {
+  // Create a mock values object representing teams with settings that need migration.
+  const getTeamSettingsMockValues = (): any => ({
+    versions: { specVersion: 1 },
+    teamConfig: {
+      team1: {
+        settings: {
+          alerts: {
+            email: 'test@example.com',
+            opsgenie: 'ops_value',
+            teams: 'keep this alert',
+          },
+          selfService: {
+            service: ['ingress'],
+            access: ['downloadKubeConfig', 'shell'],
+            policies: ['edit policies'],
+            apps: ['argocd', 'gitea'],
+          },
+        },
+      },
+      team2: {
+        settings: {
+          alerts: {
+            teams: 'team2 alert',
+          },
+          selfService: {
+            service: [],
+            access: [],
+            policies: [],
+            apps: ['argocd'],
+          },
+        },
+      },
+    },
+  })
+
+  // Expected values after migration:
+  // - The alerts block should have the 'email' and 'opsgenie' keys removed.
+  // - The selfService arrays ('service', 'access', 'policies', 'apps') are replaced with a new
+  //   teamMembers object with the correct
8000
 boolean values.
+  const getTeamSettingsExpectedValues = (): any => ({
+    versions: { specVersion: 2 },
+    teamConfig: {
+      team1: {
+        settings: {
+          alerts: {
+            teams: 'keep this alert',
+          },
+          selfService: {
+            teamMembers: {
+              createServices: true, // 'ingress' was present in service.
+              editSecurityPolicies: true, // 'edit policies' was present in policies.
+              useCloudShell: true, // 'shell' was present in access.
+              downloadKubeconfig: true, // 'downloadKubeConfig' was present in access.
+              downloadDockerLogin: false, // 'downloadDockerConfig' was not provided.
+            },
+          },
+        },
+      },
+      team2: {
+        settings: {
+          alerts: {
+            teams: 'team2 alert',
+          },
+          selfService: {
+            teamMembers: {
+              createServices: false,
+              editSecurityPolicies: false,
+              useCloudShell: false,
+              downloadKubeconfig: false,
+              downloadDockerLogin: false,
+            },
+          },
+        },
+      },
+    },
+  })
+
+  // Set up the values and changes flag to trigger the teamSettingsMigration.
+  const teamSettingValues: any = getTeamSettingsMockValues()
+  const valuesChanges: any = {
+    version: 2,
+    teamSettingsMigration: true,
+  }
+  const deps: any = {
+    cd: jest.fn(),
+    rename: jest.fn(),
+    hfValues: jest.fn().mockReturnValue(teamSettingValues),
+    terminal,
+    writeValues: jest.fn(),
+  }
+
+  it('should migrate team settings correctly', async () => {
+    await applyChanges([valuesChanges], false, deps)
+    const expectedValues = getTeamSettingsExpectedValues()
+    expect(deps.writeValues).toBeCalledWith(expectedValues, true)
+  }, 20000)
+})
+
 jest.mock('glob')
 describe('Policies migration', () => {
   const mockFilePaths = ['/path/to/env/teams/admin/policies.yaml', '/path/to/env/teams/alpha/policies.yaml']

@@ -51,6 +51,7 @@ interface Change {
     [mutation: string]: string
   }>
   networkPoliciesMigration?: boolean
+  teamSettingsMigration?: boolean
   teamResourceQuotaMigration?: boolean
   buildImageNameMigration?: boolean
   policiesMigration?: boolean
@@ -303,6 +304,67 @@ const networkPoliciesMigration = async (values: Record<string, any>): Promise<vo
   )
 }
 
+const teamSettingsMigration = (values: Record<string, any>): void => {
+  const teams: Array<string> = Object.keys(values?.teamConfig as Record<string, any>)
+
+  teams.map((teamName) => {
+    // Get the alerts block for the team and remove email and opsgenie
+    const alerts = get(values, `teamConfig.${teamName}.settings.alerts`)
+    if (alerts?.email) unset(alerts, 'email')
+    if (alerts?.opsgenie) unset(alerts, 'opsgenie')
+    // Get the selfService block for the team
+    const selfService = get(values, `teamConfig.${teamName}.settings.selfService`)
+    if (!selfService) return
+
+    // Initialize the new teamMembers structure with default boolean values
+    const teamMembers = {
+      createServices: false,
+      editSecurityPolicies: false,
+      useCloudShell: false,
+      downloadKubeconfig: false,
+      downloadDockerLogin: false,
+    }
+
+    // Map selfService.service.ingress -> teamMembers.createServices
+    const servicePermissions = get(selfService, 'service', [])
+    if (Array.isArray(servicePermissions) && servicePermissions.includes('ingress')) {
+      teamMembers.createServices = true
+    }
+
+    // Map selfService.access keys to corresponding teamMembers fields
+    // - downloadKubeConfig -> downloadKubeconfig
+    // - downloadDockerConfig -> downloadDockerLogin
+    // - shell -> useCloudShell
+    const accessPermissions = get(selfService, 'access', [])
+    if (Array.isArray(accessPermissions)) {
+      if (accessPermissions.includes('downloadKubeConfig')) {
+        teamMembers.downloadKubeconfig = true
+      }
+      if (accessPermissions.includes('downloadDockerConfig')) {
+        teamMembers.downloadDockerLogin = true
+      }
+      if (accessPermissions.includes('shell')) {
+        teamMembers.useCloudShell = true
+      }
+    }
+
+    // Map selfService.policies.edit_policies -> teamMembers.editSecurityPolicies.
+    // Note: In the source schema, the string "edit policies" is used.
+    const policies = get(selfService, 'policies', [])
+    if (Array.isArray(policies) && policies.includes('edit policies')) {
+      teamMembers.editSecurityPolicies = true
+    }
+
+    // Set the new teamMembers object on selfService
+    set(selfService, 'teamMembers', teamMembers)
+
+    unset(selfService, 'service')
+    unset(selfService, 'access')
+    unset(selfService, 'policies')
+    unset(selfService, 'apps')
+  })
+}
+
 export const getBuildName = (name: string, tag: string): string => {
   return `${name}-${tag}`
     .toLowerCase()
@@ -437,6 +499,7 @@ export const applyChanges = async (
     }
 
     if (c.networkPoliciesMigration) await networkPoliciesMigration(values)
+    if (c.teamSettingsMigration) teamSettingsMigration(values)
     if (c.teamResourceQuotaMigration) teamResourceQuotaMigration(values)
     if (c.buildImageNameMigration) await buildImageNameMigration(values)
     if (c.policiesMigration) await policiesMigration()

@@ -1,6 +1,6 @@
 import { pathExists } from 'fs-extra'
 import { mkdir, unlink, writeFile } from 'fs/promises'
-import { cloneDeep, get, isEmpty, isEqual, merge, omit, pick, set } from 'lodash'
+import { cloneDeep, get, isEmpty, isEqual, merge, mergeWith, omit, pick, set } from 'lodash'
 import path from 'path'
 import { supportedK8sVersions } from 'src/supportedK8sVersions.json'
 import { stringify } from 'yaml'
@@ -121,7 +121,9 @@ export const writeValuesToFile = async (
   const values = cloneDeep(inValues)
   const originalValues = (await loadYaml(targetPath + suffix, { noError: true })) ?? {}
   d.debug('originalValues: ', JSON.stringify(originalValues, null, 2))
-  const mergeResult = merge(cloneDeep(originalValues), values)
+  const mergeResult = mergeWith(cloneDeep(originalValues), values, (prev, next) => {
+    return next
+  })
   const cleanedValues = removeBlankAttributes(values)
   const cleanedMergeResult = removeBlankAttributes(mergeResult)
   if (((overwrite && isEmpty(cleanedValues)) || (!overwrite && isEmpty(cleanedMergeResult))) && isSecretsFile) {

@@ -3,8 +3,8 @@ metadata:
     name: alerts
     labels: {}
 spec:
-    email: {}
-    msteams: {}
     receivers:
+        - slack
         - msteams
+    msteams: {}
     slack: {}
@@ -1,13 +1,10 @@
 kind: AplAlertSet
 spec:
-    email:
-        critical: admins@yourdoma.in
-        nonCritical: admins@yourdoma.in
+    slack:
+        url: https://hooks.slack.com/services/id
     msteams:
         highPrio: https://xxxxxxx.com
         lowPrio: https://xxxxxxxx.com
-    slack:
-        url: https://hooks.slack.com/services/id
 name: alerts
 metadata:
     name: alerts
@@ -8,14 +8,12 @@ spec:
         alertmanager: true
         grafana: true
     selfService:
-        access:
-            - shell
-            - downloadCertificateAuthority
-        policies:
-            - edit policies
-        apps: []
-        service:
-            - ingress
+        teamMembers:
+            createServices: false
+            editSecurityPolicies: true
+            useCloudShell: true
+            downloadKubeconfig: false
+            downloadDockerLogin: false
     alerts:
         groupInterval: 5m
         receivers:

@@ -2,9 +2,6 @@ kind: AplTeamSettingSet
 spec:
     password: somesecretvalue
     alerts:
-        email:
-            critical: admins@yourdoma.in
-            nonCritical: admins@yourdoma.in
         slack:
             url: https://slack.con
 name: demo

@@ -5,9 +5,6 @@ metadata:
         apl.io/teamId: demo
 spec:
     alerts:
-        email:
-            critical: admins@yourdoma.in
-            nonCritical: admins@yourdoma.in
         receivers:
             - slack
         repeatInterval: 3h
@@ -30,14 +27,9 @@ spec:
         - name: services.loadbalancers
           value: '0'
     selfService:
-        access:
-            - shell
-            - downloadCertificateAuthority
-        apps: []
-        policies:
-            - edit policies
-        service:
-            - ingress
-        team:
-            - alerts
-    password: somesecretvalue
+        teamMembers:
+            createServices: true
+            editSecurityPolicies: true
+            useCloudShell: true
+            downloadKubeconfig: false
+            downloadDockerLogin: false
@@ -11,14 +11,12 @@ spec:
         egressPublic: false
         ingressPrivate: true
     selfService:
-        access:
-            - shell
-            - downloadCertificateAuthority
-        policies:
-            - edit policies
-        apps: []
-        service:
-            - ingress
+        teamMembers:
+            createServices: false
+            editSecurityPolicies: true
+            useCloudShell: true
+            downloadKubeconfig: false
+            downloadDockerLogin: false
     password: IkdUsKPcGAdanjas
     alerts:
         groupInterval: 5m

@@ -343,6 +343,8 @@ changes:
       - 'databases.keycloak.imported'
       - 'databases.gitea.imported'
       - 'databases.gitea.useOtomiDB'
+  - version: 34
+    teamSettingsMigration: true
   - version: 35
     teamResourceQuotaMigration: true
   - version: 36