
hrval-action's Introduction

hrval-action

This project is no longer maintained; helm-operator users should migrate to Flux v2 and helm-controller.

This GitHub Action validates Flux HelmRelease Kubernetes custom resources with kubeval.

Steps:

  • installs kubectl, yq, kubeval, Helm v2 and Helm v3
  • extracts the chart source (.spec.chart) with yq
  • downloads the chart from the Helm repository or clones it from the Git repository
  • extracts the HelmRelease values (.spec.values) with yq
  • runs helm template with the extracted values
  • validates the rendered YAML with kubeval in strict mode
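The following is an added example (not code from hrval-action itself) that walks through steps 2 to 6 for one HelmRelease: it classifies the chart source, builds the fetch commands, writes the values file, and builds the helm template and kubeval commands, including the flag differences between Helm v2 and v3. The HelmRelease dict is constructed here in the shape yq would extract from a manifest; the release, repository and paths are illustrative.

```python
import json

# Constructed HelmRelease in the dict form yq would extract from the manifest
# (illustrative values, not a release from the project's test directory).
HELM_RELEASE = {
    "apiVersion": "helm.fluxcd.io/v1",
    "kind": "HelmRelease",
    "metadata": {"name": "podinfo", "namespace": "demo"},
    "spec": {
        "chart": {"git": "https://github.com/example/charts", "ref": "v1.2.0", "path": "charts/podinfo"},
        "values": {"replicaCount": 2, "hpa": {"enabled": False}},
    },
}

def fetch_commands(release, workdir):
    """Steps 2-3: classify .spec.chart and return (chart_dir, [argv, ...]) needed to obtain it."""
    chart = release["spec"]["chart"]
    if "git" in chart:
        src = f"{workdir}/src"
        # clone, then checkout, so the ref may be a branch, a tag or a commit SHA
        return f"{src}/{chart['path']}", [
            ["git", "clone", chart["git"], src],
            ["git", "-C", src, "checkout", chart.get("ref", "master")],
        ]
    if "repository" in chart:
        return f"{workdir}/{chart['name']}", [
            ["helm", "fetch", "--untar", "--untardir", workdir, "--repo", chart["repository"],
             "--version", chart["version"], chart["name"]],
        ]
    raise ValueError("HelmRelease .spec.chart has neither a git nor a repository source")

def values_yaml(release):
    """Step 4: the values file. JSON is valid YAML, so json.dumps stands in for yq here."""
    return json.dumps(release["spec"].get("values", {}), indent=2)

def validate_commands(release, chart_dir, helm_version="v3", kube_version="master", ignore_values=False):
    """Steps 5-6: helm template (v2 takes --name, v3 takes the name positionally), then kubeval."""
    name, ns = release["metadata"]["name"], release["metadata"]["namespace"]
    values = [] if ignore_values else ["-f", f"{name}.values.yaml"]
    if helm_version == "v2":
        template = ["helm", "template", "--name", name, "--namespace", ns, *values, chart_dir]
    else:
        template = ["helm", "template", name, chart_dir, "--namespace", ns, *values]
    # strict mode rejects unknown fields; missing schemas (CRDs) only warn, as in the output above
    kubeval = ["kubeval", "--strict", "--ignore-missing-schemas",
               "--kubernetes-version", kube_version, f"{name}.release.yaml"]
    return template, kubeval
```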

Usage

Validate Helm release custom resources:

name: CI

on: [push, pull_request]

jobs:
  hrval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Validate Helm Releases in test dir
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/
      - name: Validate Helm Release from Helm Repo
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/flagger.yaml
          helmVersion: v2
          kubernetesVersion: 1.17.0
      - name: Validate Helm Release from Git Repo
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/podinfo.yaml
          helmVersion: v3
          kubernetesVersion: master
          ignoreValues: true

Output:

Processing test/flagger.yaml
Downloading to /tmp/tmp.TuA4QzCOG7
Extracting values to /tmp/tmp.TuA4QzCOG7/flagger.values.yaml
Writing Helm release to /tmp/tmp.TuA4QzCOG7/flagger.release.yaml
Validating Helm release flagger.flagger-system against Kubernetes 1.16.0
WARN - Set to ignore missing schemas
PASS - flagger/templates/psp.yaml contains a valid PodSecurityPolicy
PASS - flagger/templates/psp.yaml contains a valid ClusterRole
PASS - flagger/templates/psp.yaml contains a valid RoleBinding
PASS - flagger/templates/account.yaml contains a valid ServiceAccount
WARN - flagger/templates/crd.yaml containing a CustomResourceDefinition was not validated against a schema
PASS - flagger/templates/prometheus.yaml contains a valid ClusterRole
PASS - flagger/templates/prometheus.yaml contains a valid ClusterRoleBinding
PASS - flagger/templates/prometheus.yaml contains a valid ServiceAccount
PASS - flagger/templates/prometheus.yaml contains a valid ConfigMap
PASS - flagger/templates/prometheus.yaml contains a valid Deployment
PASS - flagger/templates/prometheus.yaml contains a valid Service
PASS - flagger/templates/rbac.yaml contains a valid ClusterRole
PASS - flagger/templates/rbac.yaml contains a valid ClusterRoleBinding
PASS - flagger/templates/deployment.yaml contains a valid Deployment

Usage with private chart repositories

Private GitHub/GitLab repository

To allow the action to clone charts from private GitHub repositories, create a GitHub personal access token and add it as a secret to the target repository. NOTE: secret names cannot start with GITHUB_, as that prefix is reserved.

You can then pass the secret (in this case, GH_TOKEN) into the action like so:

name: CI

on: [push, pull_request]

jobs:
  hrval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Validate Helm Releases in test dir
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

A GitLab CI token can be passed in the same way using GITLAB_CI_TOKEN.

AWS S3

If you set awsS3Repo: true, make sure the environment variables required by the helm s3 plugin are set. Example:

name: CI

on: [push, pull_request]

jobs:
  hrval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Validate Helm Releases in test dir
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/
          awsS3Repo: true
          awsS3RepoName: example-s3-helm-repo
          awsS3Plugin: https://github.com/hypnoglow/helm-s3.git
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: "us-east-1"

HTTP(S) Helm chart repository

To fetch Helm charts from private HTTP(S) Helm chart repositories, pass the list of repositories as JSON in the HTTP_PRIVATE_CHART_REPOS environment variable:

{
  "repositories": [
    {
      "url": "https://raw.githubusercontent.com/username/helm-chart-repository/master/",
      "username": "YOUR_USERNAME",
      "password": "YOUR_PASSWORD"
    },
    {
      "url": "https://raw.githubusercontent.com/username/another-helm-chart-repository/master/",
      "username": "YOUR_USERNAME",
      "password": "YOUR_PASSWORD"
    }
  ]
}

Pass the JSON as a secret so that the credentials are not stored in the workflow file:

name: CI

on: [push, pull_request]

jobs:
  hrval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Validate Helm Releases in test dir
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/
        env:
          HTTP_PRIVATE_CHART_REPOS: ${{ secrets.HTTP_PRIVATE_CHART_REPOS }}
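As an added example (not the action's own code), this is how the HTTP_PRIVATE_CHART_REPOS JSON can be consumed safely: entries are validated, a HelmRelease's .spec.chart.repository is matched against them by URL prefix, the credentials are attached to helm repo add only for a matching private repository, and the command is redacted before it is logged. The repository URLs and credentials below are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the HTTP_PRIVATE_CHART_REPOS secret (placeholder credentials).
PRIVATE_REPOS_JSON = json.dumps({"repositories": [
    {"url": "https://charts.example.com/stable/", "username": "stable-reader", "password": "stable-pass"},
    {"url": "https://charts.example.com", "username": "ci-bot", "password": "ci-pass"},
]})

def load_private_repos(raw):
    """Parse the JSON, reject unsafe entries, and order by longest URL so the most specific match wins."""
    repos = []
    for entry in json.loads(raw)["repositories"]:
        # the trailing slash matters: without it "https://charts.example.com" would also
        # prefix-match "https://charts.example.com.evil.org/" and hand over the credentials
        url = entry["url"].rstrip("/") + "/"
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{url}: basic-auth credentials must only be sent over HTTPS")
        if not entry.get("username") or not entry.get("password"):
            raise ValueError(f"{url}: username and password are both required")
        repos.append({"url": url, "username": entry["username"], "password": entry["password"]})
    return sorted(repos, key=lambda r: len(r["url"]), reverse=True)

def credentials_for(chart_repository, repos):
    """Match a HelmRelease .spec.chart.repository against the configured repos by URL prefix."""
    target = chart_repository.rstrip("/") + "/"
    for repo in repos:
        if target.startswith(repo["url"]):
            return repo["username"], repo["password"]
    return None  # public repository: helm repo add runs without credentials

def helm_repo_add(name, chart_repository, repos):
    """Build the helm repo add argv, adding --username/--password only for a private repository."""
    argv = ["helm", "repo", "add", name, chart_repository]
    creds = credentials_for(chart_repository, repos)
    if creds:
        argv += ["--username", creds[0], "--password", creds[1]]
    return argv

def redact(argv):
    """Log-safe rendering of the argv: the value following --password is never printed."""
    out = list(argv)
    for i, tok in enumerate(out[:-1]):
        if tok == "--password":
            out[i + 1] = "***"
    return " ".join(out)
```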

Usage with pull requests that change a Helm chart source located in the base repository branch

If a HelmRelease references the base branch of a pull request as its chart ref, pass the HRVAL_BASE_BRANCH and HRVAL_HEAD_BRANCH environment variables to the action so that it checks out the amended version of the chart from the head branch instead:

name: CI

on: [pull_request]

jobs:
  hrval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Validate Helm Releases in test dir
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/
        env:
          HRVAL_BASE_BRANCH: ${{ github.base_ref }}
          HRVAL_HEAD_BRANCH: ${{ github.head_ref }}

Usage with Helm source caching enabled

A single Helm chart source is sometimes referenced many times in one Flux repository, for example when the staging branch of a chart repository is used as the ref across all staging releases. The helmSourcesCacheEnabled property enables caching for such releases: a given Helm repository chart version or Git repository ref is retrieved only once, and the cached copy is reused to validate every other release that points at the same source.

name: CI

on: [pull_request]

jobs:
  hrval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Validate Helm Releases in test dir
        uses: stefanprodan/hrval-action@master
        with:
          helmRelease: test/
          helmSourcesCacheEnabled: true
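An added example (not the action's own code) that covers both the pull-request branch handling and the source caching described above: the chart ref is swapped from the PR base branch to the head branch before anything is fetched, and the cache is keyed on the resolved source so that two releases pointing at the same Git ref, or the same chart version, trigger one fetch. The chart dicts are the .spec.chart sections as yq would extract them; the fetch itself is stubbed with a constructed directory name.

```python
def resolve_git_ref(ref, base_branch=None, head_branch=None):
    """Return the ref to check out. When a HelmRelease pins the PR's base branch,
    validate the PR's head branch instead so the chart changes in the PR are tested."""
    if base_branch and head_branch and ref == base_branch:
        return head_branch
    return ref

def source_key(chart, base_branch=None, head_branch=None):
    """Cache key for a .spec.chart dict: git URL + resolved ref, or repository + name + version.
    The key deliberately excludes .path, since several charts may live in one repo checkout."""
    if "git" in chart:
        ref = resolve_git_ref(chart.get("ref", "master"), base_branch, head_branch)
        return ("git", chart["git"], ref)
    return ("repo", chart["repository"], chart["name"], chart["version"])

class SourceCache:
    """Mirrors helmSourcesCacheEnabled: each distinct source is fetched once per run.
    Branch names move between runs, so the cache must not outlive a single CI job."""
    def __init__(self):
        self.fetches = 0
        self._dirs = {}

    def get(self, key, fetch):
        if key not in self._dirs:
            self.fetches += 1
            self._dirs[key] = fetch()
        return self._dirs[key]

def fetch_all(charts, base_branch=None, head_branch=None):
    """Resolve every chart source through one cache; returns the cache so the caller can
    inspect how many real fetches would have run. The directory name stands in for a clone."""
    cache = SourceCache()
    for chart in charts:
        key = source_key(chart, base_branch, head_branch)
        cache.get(key, lambda k=key: "/tmp/hrval/" + "-".join(k))  # constructed stand-in
    return cache
```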

CI alternatives

The validation scripts can be used in any CI system.

CircleCI example:

version: 2.1
jobs:
  hrval:
    docker:
      - image: stefanprodan/hrval:latest
    steps:
      - checkout
      - run:
          name: Validate Helm Releases in test dir
          command: |
            IGNORE_VALUES=false
            KUBE_VER=master
            HELM_VER=v2

            hrval test/ $IGNORE_VALUES $KUBE_VER $HELM_VER


hrval-action's Issues

Cloning Private Chart Repositories

Currently if charts are stored in a private repo (even it's the same repository the action is being run against), the clone will fail. Some possible solutions I've thought of:

  • Skip trying to clone the chart repo if it is the same as the target repo; simply use the local path.
  • Use ${{ secrets.GITHUB_TOKEN }}. I'm not exactly sure how this would work with raw Git commands. I believe this also requires the use of https://, so chart git URLs would need to be altered from the ssh://git@github.com format Flux uses.
  • Add the ability to pass in an SSH private key so that the script operates in the same way as Flux.

Thoughts?

Add support for HTTP private Helm chart repositories

Currently the implementation allows using Helm charts from private GitHub, GitLab and AWS S3 repositories. However, it is not possible to use regular private Helm chart repositories, which are an "HTTP server that houses an index.yaml file" as described in the Helm documentation. By "private" I mean that they have HTTP basic authentication, which is supported by the Helm CLI.

I would like to add this functionality to hrval-action.

Issue with helm v3

Thanks for this cool action! However I'm unable to use it on my public gitops repo. See log below:

https://github.com/onedr0p/k3s-gitops/runs/466223287?check_suite_focus=true

/usr/bin/docker run --name e87b5236ae01e39efc45a68ac7c329c6bc8ba9_760a17 --label e87b52 --workdir /github/workspace --rm -e INPUT_HELMRELEASE -e INPUT_HELMVERSION -e INPUT_KUBERNETESVERSION -e INPUT_IGNOREVALUES -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e GITHUB_ACTIONS=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/k3s-gitops/k3s-gitops":"/github/workspace" e87b52:36ae01e39efc45a68ac7c329c6bc8ba9  "deployments/" "true" "1.17.0" "v3"
Processing deployments/kube-system/metrics-server/metrics-server.yaml
Cloning to /tmp/tmp.M6uOPEXzij
usage: git remote add [<options>] <name> <url>

    -f, --fetch           fetch the remote branches
    --tags                import all tags and associated objects when fetching
                          or do not fetch any tag at all (--no-tags)
    -t, --track <branch>  branch(es) to track
    -m, --master <branch>
                          master branch
    --mirror[=(push|fetch)]
                          set up remote as a mirror to push to or fetch from

fatal: 'origin' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: You are on a branch yet to be born
Ingnoring Helm release values
Writing Helm release to /tmp/tmp.M6uOPEXzij/metrics-server.release.yaml
Error: validation: chart.metadata is required

Looks like an issue fetching a chart...

Do you have any idea what's going wrong here? I pretty much copy-pasted your example.

Support for SSH access to chart repositories

fatal: unable to access '***[email protected]:my-org/my-chart-repo/': URL using bad/illegal format or missing URL

I use a GitHub repo as my chart repository in all my HelmRelease manifests, like this:

spec:
  chart:
    git: git@github.com:my-org/my-chart-repo
    path: my-chart
    ref: master

I'd rather not switch to https:// if I can avoid it. I guess this would be a feature request?

Entrypoint in Docker Image having problem with Buddy Cloud

Hi,

I was wondering if the ENTRYPOINT line in the Docker image can be replaced by RUN or CMD. The reason is that the ENTRYPOINT line causes an error on Buddy Cloud, where Buddy Cloud tries to run /bin/sh to run the scripts, and it is instead accepted as an argument for the "hrval" command. This makes the image unusable in a Buddy Cloud pipeline.

Processing /bin/sh
10:31:03 main [ERRO] yaml: control characters are not allowed
"/bin/sh" is not of kind HelmRelease!

ERROR: unsatisfiable constraints When building docker image

During the action, while building the Docker image, an error is received when reaching the apk line:
ERROR: unsatisfiable constraints:
curl-7.67.0-r2:
breaks: world[curl=7.67.0-r1]

Updating curl=7.67.0-r1 to curl=7.67.0-r2 fixes this issue.

support authenticated chart repositories

Currently, there is no way to test a HelmRelease when the release points to an authenticated chart repository. This is because the helm repo add line fails if the repo is authenticated.

Publish hrval image to public registry

It would be great if an official hrval image could be made available on a public image registry such as Quay or Docker Hub.

Doing so would allow users to utilise it without either having to maintain an image themselves or, alternatively, having to bootstrap it during the pipeline run as documented in the README:

      - run:
          name: Install hrval
          command: |
            curl -sL https://raw.githubusercontent.com/stefanprodan/hrval-action/master/src/deps.sh | sudo bash
            sudo curl -sL https://raw.githubusercontent.com/stefanprodan/hrval-action/master/src/hrval.sh \
              -o /usr/local/bin/hrval.sh && sudo chmod +x /usr/local/bin/hrval.sh
            sudo curl -sL https://raw.githubusercontent.com/stefanprodan/hrval-action/master/src/hrval-all.sh \
              -o /usr/local/bin/hrval && sudo chmod +x /usr/local/bin/hrval

Thank you!

Support validation of ".spec.valuesFrom"

I would like to use hrval-action, but in my use case I am using ".spec.valuesFrom" to add values from Kubernetes Secrets to the application configuration. These values passed with "valuesFrom" are required by the Helm chart, so validation fails.

What I would propose is to have a separate directory with ConfigMaps and Secrets in the deployment repository where hrval-action would look for the ConfigMaps and Secrets specified with ".spec.valuesFrom". In my case, I will push Secrets with fake values and flux.weave.works/ignore set to "true" to this directory.

Additional steps would be:

  1. Read valuesFrom from HelmRelease
  2. Find files fitting valuesFrom configmap or secret
  3. Read values from file found in point 2 and move it to temp file
  4. Add multiple -f tempfile to helm template command

What do you think about it?

Bonus question:
Is a language other than Bash acceptable for this project? I can see the Docker image is using Go.
