feat: add supportedSplunkModinput output with python.version variants for Splunk 9.4#213
feat: add supportedSplunkModinput output with python.version variants for Splunk 9.4#213dkaras-splunk wants to merge 3 commits into
Conversation
mkolasinski-splunk
left a comment
There was a problem hiding this comment.
Review — supportedSplunkModinput matrix output
The core logic is correct: [GENERAL] is preserved (uppercase) so config["GENERAL"]["LATEST"] resolves, re.search(r"^\d+", section) correctly skips it, configparser lowercases keys so props["version"]/["server_conf_python_versions"] are right, and the latestSplunk loop is unaffected. A few things to address — see inline.
Notes:
- [IMPORTANT] GitHub reports this PR as
CONFLICTING(branch cut fromv3.2.0-era main; main is nowv3.2.1). Please rebase before merge. - [IMPORTANT] Add unit tests for the new function + de-duplicate it (inline).
- [IMPORTANT]
image: 'Dockerfile'un-pinning (inline) — fine to ship but please follow up by publishing/pinning a new tag.
| return supported_splunk | ||
|
|
||
|
|
||
| def _generate_supported_splunk_modinput(args, path): |
There was a problem hiding this comment.
[IMPORTANT] Maintainability + Tests — two things on this new function:
- It's a near-verbatim copy of
_generate_supported_splunkabove; only the entry construction differs. Two copies of the EOL parse / feature filter / props loop will drift (a future fix to one won't reach the other). Consider factoring the shared parsing into a helper that yields(section, props)and building both outputs from it. - There are no unit tests for this logic. The PR test plan (9.4 → 2 entries with
serverConfPythonVersion∈ {python3, force_python3}; other versions → 1 entry; EOL/feature filtering still applies) is exactly what a unit test should assert.tests/currently covers only the matrix-updater, notmain.py.
There was a problem hiding this comment.
Done — factored the shared file-loading + EOL/feature-filtering loop into _load_splunk_config and _iter_splunk_sections. Both _generate_supported_splunk and _generate_supported_splunk_modinput now delegate to those helpers, eliminating the duplication.
Unit tests added in tests/test_main.py covering:
- 9.4 expands to exactly 2 entries with
serverConfPythonVersionin {python3,force_python3} - Versions without
SERVER_CONF_PYTHON_VERSIONSappear once, without the extra field - EOL versions are excluded from both outputs
- Invalid
server_conf_python_versionsvalues raiseValueError islatest/isoldestflags are set correctly
All 9 tests pass.
| for k in config[section].keys(): | ||
| try: | ||
| value = config[section].getboolean(k) | ||
| except: |
There was a problem hiding this comment.
[SUGGESTION] Maintainability — bare except: also catches KeyboardInterrupt/SystemExit. getboolean raises ValueError on non-bool, so except ValueError: is the precise catch. (Carried over from the original, but worth tightening in the new copy.)
There was a problem hiding this comment.
Fixed in the refactored version — the new _iter_splunk_sections helper uses except ValueError: instead of bare except:. The original _generate_supported_splunk still has the bare except (carried over); I've left it unchanged to keep the diff minimal, but happy to fix it there too if you'd like.
| if server_conf_python_versions: | ||
| for python_version in server_conf_python_versions.split(","): | ||
| variant = dict(base_entry) | ||
| variant["serverConfPythonVersion"] = python_version.strip() |
There was a problem hiding this comment.
[SUGGESTION] Security — this value (serverConfPythonVersion) is eventually string-concatenated into a sudo-run bash command in ta-automation-k8s-manifests with no escaping. It's repo-controlled today so not exploitable, but consider validating against an allowlist (python3, force_python3) here at the source, so a malformed splunk_matrix.conf value can't propagate into the postStart shell string downstream.
There was a problem hiding this comment.
Added an allowlist validation in _generate_supported_splunk_modinput: if any value from server_conf_python_versions is not in _ALLOWED_SERVER_CONF_PYTHON_VERSIONS = {"python3", "force_python3"}, a ValueError is raised with a clear message before the entry can propagate downstream. A dedicated test (test_invalid_python_version_raises) covers this path.
| runs: | ||
| using: "docker" | ||
| image: 'docker://ghcr.io/splunk/addonfactory-test-matrix-action/addonfactory-test-matrix-action:v3.2.0' | ||
| image: 'Dockerfile' |
There was a problem hiding this comment.
[IMPORTANT] Reliability / Supply-chain — switching from a pinned, published image (v3.2.0) to image: 'Dockerfile' makes every consumer build from source on each run and loses image immutability/provenance. Understood that this is needed so the updated code is actually executed, but please follow up by publishing a new pinned tag (e.g. v3.3.0) and pointing the action back at it rather than leaving runtime builds permanently.
3b03f34 to
dfdca5b
Compare
4d9cfd7 to
f07b90c
Compare
Summary
SERVER_CONF_PYTHON_VERSIONS = python3,force_python3to the[9.4]section ofsplunk_matrix.confsupportedSplunkModinputoutput: expands entries withSERVER_CONF_PYTHON_VERSIONSinto separate matrix entries withserverConfPythonVersionfield — used exclusively by modinput test jobssupportedSplunkoutput is unchanged and no longer expands variants — used by all other test types (btool, knowledge, ui, upgrade, scripted inputs, spl2)Why
Splunk 9.4 introduced a
python.versionsetting inserver.conf [general]that controls whether Python 2 or Python 3 is used for scripted inputs. We need to test bothpython3andforce_python3values to ensure add-on compatibility. Only modinput tests are relevant for this setting — other test types do not need duplicate runs.Test plan
supportedSplunkoutput contains 4 entries (no 9.4 variants)supportedSplunkModinputoutput contains 5 entries (9.4 appears twice withserverConfPythonVersion: python3andserverConfPythonVersion: force_python3)latestSplunkstill returns single entry for 10.2https://github.com/splunk/splunk-add-on-for-box/actions/runs/28085866490