CI: Improved K8s Kubeconformance validation
- Improved Helm chart validation by running kubeconform with CR validation
enabled.
- Added JSON schemas for the Tetragon CRDs as we might need them
in the future to validate CRs from the Helm chart (TPs, etc.).

Signed-off-by: Philip Schmid <[email protected]>
PhilipSchmid committed Aug 16, 2024
1 parent a3da4f6 commit dd509f2
Showing 8 changed files with 6,356 additions and 4 deletions.
104 changes: 101 additions & 3 deletions .github/workflows/lint-helm.yaml
Expand Up @@ -2,8 +2,8 @@ name: Lint helm chart
on:
push:
branches:
- main
- v*
- main
- v*
paths:
- 'install/kubernetes/**'
- 'pkg/k8s/apis/cilium.io/client/crds/v1alpha1/*.yaml'
Expand All @@ -14,12 +14,33 @@ on:
- 'pkg/k8s/apis/cilium.io/client/crds/v1alpha1/*.yaml'
- '.github/workflows/lint-helm.yaml'

env:
MIN_K8S_VERSION: "1.23.0"

jobs:
generated-files:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Run install/kubernetes
- name: Check if vendored openapi2jsonschema.py script is up to date
run: |
make -C install/kubernetes openapi2jsonschema.py
test -z "$(git status --porcelain)"
if [ $? != 0 ]; then
git status --porcelain
echo "Vendored openapi2jsonschema.py script is out of date."
echo "Please run 'make -C install/kubernetes openapi2jsonschema.py' and submit your changes."; exit 1
fi
- name: Check if vendored CRD JSON schemas are up to date
run: |
make -C install/kubernetes generate-jsonschemas
test -z "$(git status --porcelain)"
if [ $? != 0 ]; then
git status --porcelain
echo "Vendored CRD JSON schemas are out of date."
echo "Please run 'make -C install/kubernetes generate-jsonschemas' or 'make -C install/kubernetes generate-jsonschemas-local' and submit your changes."; exit 1
fi
- name: Generate Helm chart
run: |
make -C install/kubernetes
- name: Validate generated files
Expand All @@ -29,3 +50,80 @@ jobs:
git status --porcelain
echo "Please run 'make -C install/kubernetes' and submit your changes."; exit 1
fi
- name: Set up go # Required for kubeconform
uses: actions/setup-go@v5
- name: Install latest kubeconform version # We don't want to vendor a binary. Also, latest is good enough.
run: |
go install github.com/yannh/kubeconform/cmd/kubeconform@latest
- name: Install Helm CLI
uses: azure/[email protected]
- name: Run Kubeconform with minimum supported K8s version
id: kubeconform_min_k8s_version
uses: mathiasvr/[email protected]
with:
shell: bash
run: |
for chart in tetragon enterprise;
do
echo "## Testing Helm chart: \"$chart\""
helm template $chart-ee install/kubernetes/$chart \
-f install/kubernetes/$chart/values.yaml \
--set crds.installMethod=helm \
--set tracingPolicies.default.enabled=true |\
kubeconform \
-summary \
-verbose \
-schema-location default \
-schema-location 'install/kubernetes/schemas/{{ .ResourceKind }}-{{ .Group }}.json' \
-skip CustomResourceDefinition \
-strict \
-kubernetes-version $MIN_K8S_VERSION
echo ""
done
- name: Run Kubeconform with latest K8s version
id: kubeconform_latest_k8s_version
uses: mathiasvr/[email protected]
with:
shell: bash
run: |
for chart in tetragon enterprise;
do
echo "## Testing Helm chart: \"$chart\""
helm template $chart-ee install/kubernetes/$chart \
-f install/kubernetes/$chart/values.yaml \
--set crds.installMethod=helm \
--set tracingPolicies.default.enabled=true |\
kubeconform \
-summary \
-verbose \
-schema-location default \
-schema-location 'install/kubernetes/schemas/{{ .ResourceKind }}-{{ .Group }}.json' \
-skip CustomResourceDefinition \
-strict
echo ""
done
- name: Comment Kubeconform Output
if: failure() && (steps.kubeconform_min_k8s_version.outcome != 'success' || steps.kubeconform_latest_k8s_version.outcome != 'success')
uses: marocchino/sticky-pull-request-comment@v2
with:
hide_and_recreate: true
skip_unchanged: true
message: |
## Kubeconform with minimum supported K8s version ${{ env.MIN_K8S_VERSION }}
STDOUT:
```
${{ steps.kubeconform_min_k8s_version.outputs.stdout }}
```
STDERR:
```
${{ steps.kubeconform_min_k8s_version.outputs.stderr }}
```
## Kubeconform with latest K8s version
STDOUT:
```
${{ steps.kubeconform_latest_k8s_version.outputs.stdout }}
```
STDERR:
```
${{ steps.kubeconform_latest_k8s_version.outputs.stderr }}
```
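Review bot: The tool installs added in the last hunk use mutable refs — `actions/setup-go@v5`, `azure/[email protected]`, `mathiasvr/[email protected]`, `marocchino/sticky-pull-request-comment@v2` and `go install github.com/yannh/kubeconform/cmd/kubeconform@latest` — while the checkout step earlier in the same job is pinned to a commit SHA with a version comment; pin the actions the same way and pin kubeconform to the release the Makefile already tracks (its `KUBECONFORM_IMAGE` is v0.6.7), e.g. `go install github.com/yannh/kubeconform/cmd/kubeconform@v0.6.7`, so a moved tag cannot change what runs in CI and the schema results are reproducible. Each `helm template … | kubeconform` pipeline also sits inside a `for` loop with no `set -euo pipefail`; unless the bash action sets those flags itself, a helm rendering error is likely masked by kubeconform seeing empty input, and a failure on the `tetragon` chart is masked by a pass on `enterprise` because only the last command's status is returned — add `set -euo pipefail` as the first line of both `run:` scripts. The `-name: Validate generated files` step that this hunk opens inside starts before the hunk.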
31 changes: 30 additions & 1 deletion install/kubernetes/Makefile
Expand Up @@ -7,10 +7,15 @@ HELM_IMAGE=docker.io/alpine/helm:3.15.3@sha256:ba0dcbbcf31f780bd8cdeeabc44bc6939
KUBECONFORM_IMAGE=ghcr.io/yannh/kubeconform:v0.6.7-alpine@sha256:824e0c248809e4b2da2a768b16b107cf17ada88a89ec6aa6050e566ba93ebbc6
# renovate: datasource=docker
HELMDOCS_IMAGE=docker.io/jnorwood/helm-docs:v1.14.2@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c
# renovate: datasource=github-releases depName=yannh/kubeconform
KUBECONFORM_VERSION := v0.6.4
PYTHON := python3
PIPENV := pipenv

REPO_ROOT := $(shell git rev-parse --show-toplevel)
TETRAGON_CHART := tetragon
CRDS := $(REPO_ROOT)/pkg/k8s/apis/cilium.io/client/crds/v1alpha1
JSON_SCHEMAS := $(REPO_ROOT)/install/kubernetes/schemas

HELM ?= docker run --rm -v $(CURDIR)/$(TETRAGON_CHART):/apps $(HELM_IMAGE)

Expand All @@ -24,7 +29,6 @@ deps:
.PHONY: lint
lint:
$(HELM) lint . --with-subcharts
$(HELM) template tetragon . | docker run --rm -i $(KUBECONFORM_IMAGE) --strict --schema-location default

.PHONY: docs
docs:
Expand All @@ -40,3 +44,28 @@ docs:
.PHONY: $(TETRAGON_CHART)/crds-yaml
$(TETRAGON_CHART)/crds-yaml: $(CRDS)
cp -rf $(CRDS)/. $(TETRAGON_CHART)/crds-yaml

# openapi2jsonschema.py script generating JSON schema from the CRD YAML spec.
.PHONY: openapi2jsonschema.py
openapi2jsonschema.py:
curl -sSfLO https://raw.githubusercontent.com/yannh/kubeconform/$(KUBECONFORM_VERSION)/scripts/$@

# To validate (using openapi2jsonschema.py) default Ruleset policies included in the Helm chart, we need to pass the
# JSON schema of the TracingPolicy CRD. This target generates such schema.
# Requires pipenv to be pre-installed.
.PHONY: generate-jsonschemas
generate-jsonschemas: $(CRDS)
mkdir -p $(JSON_SCHEMAS)/
FILENAME_FORMAT='{kind}-{fullgroup}' $(PYTHON) openapi2jsonschema.py $(CRDS)/*
mv $(REPO_ROOT)/install/kubernetes/*-cilium.io.json $(JSON_SCHEMAS)/

# To validate (using openapi2jsonschema.py) default Ruleset policies included in the Helm chart, we need to pass the
# JSON schema of the TracingPolicy CRD. This target generates such schema and is intended to be run on environments
# where's there no pyyaml pre-installed. However, it requires pipenv to be pre-installed instead.
.PHONY: generate-jsonschemas-local
generate-jsonschemas-local: $(CRDS)
mkdir -p $(JSON_SCHEMAS)/
pipenv install
FILENAME_FORMAT='{kind}-{fullgroup}' $(PIPENV) run $(PYTHON) openapi2jsonschema.py $(CRDS)/*
mv $(REPO_ROOT)/install/kubernetes/*-cilium.io.json $(JSON_SCHEMAS)/
pipenv --rm
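Review bot: The `openapi2jsonschema.py` target fetches a script over HTTPS from a tag ref (`$(KUBECONFORM_VERSION)`) and `generate-jsonschemas` then executes it, with no integrity check on the download; tags are mutable, so pin the ref to a commit SHA and verify a recorded digest after the fetch, e.g. `echo "$(OPENAPI2JSONSCHEMA_SHA256)  $@" | sha256sum -c -` as a second recipe line. The CI up-to-date check only detects drift between the vendored copy and whatever the URL currently serves, so it does not substitute for the pin. Separately, `KUBECONFORM_VERSION := v0.6.4` lags the `KUBECONFORM_IMAGE` tag (v0.6.7) a few lines above; if both are meant to track the same release, derive one from the other or bump them together. Style: `generate-jsonschemas-local` calls `pipenv install` and `pipenv --rm` literally while the line between them uses `$(PIPENV)`; use the variable on all three and prefer `$(PIPENV) install --deploy` so the recipe fails instead of silently re-resolving when Pipfile.lock is stale.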
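--- /dev/null
+++ b/install/kubernetes/Pipfile
@@ -0,0 +1,12 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+pyyaml = "*"
+
+[dev-packages]
+
+[requires]
+python_version = "3.12"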
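Review bot: `pyyaml = "*"` accepts any release of PyYAML, so the only thing holding the resolved version is Pipfile.lock, and the Makefile's `generate-jsonschemas-local` runs plain `pipenv install`, which can re-resolve when that lock is stale; a compatible-release constraint such as `pyyaml = "~=6.0"` keeps the manifest itself bounded. The `verify_ssl = true` source setting is correct and should stay. A comment above `[packages]` would also help the next maintainer, e.g. `# pyyaml is needed only by the vendored openapi2jsonschema.py script (see Makefile: generate-jsonschemas-local)`.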
81 changes: 81 additions & 0 deletions install/kubernetes/Pipfile.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
