use ct to run tests

jouve · Oct 4, 2023 · 8730dfe · 8730dfe
1 parent 2db4dcc
commit 8730dfe
Show file tree

Hide file tree

Showing 14 changed files with 154 additions and 56 deletions.
diff --git a/.ct/additional.sh b/.ct/additional.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+.ct/kube-linter.sh "$@"
+.ct/helm-unittest.sh "$1"
diff --git a/.ct/ct.yaml b/.ct/ct.yaml
@@ -0,0 +1,3 @@
+additional-commands: >
+  .ct/additional.sh {{ .Path }}{{ range .ValuesFilePathsForCI }}{{ $v := slice . (len $.Path) }}{{ if eq (index $v 0) '/' }}{{ $v = slice $v 1}}{{ end }} {{ $v }}{{ else }} values.yaml{{ end }}
+use-helmignore: true
diff --git a/.ct/helm-unittest.sh b/.ct/helm-unittest.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+if [ -d "$1/tests" ]; then
+    helm unittest "$1"
+fi
diff --git a/.ct/kube-linter.sh b/.ct/kube-linter.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+cd "$1"
+shift
+for values; do
+    helm template -f "$values" . | kube-linter lint -
+done
diff --git a/.github/actions/setup-chart-testing/action.yaml b/.github/actions/setup-chart-testing/action.yaml
@@ -0,0 +1,24 @@
+name: setup-chart-testing
+description: Setup Chart Testing
+inputs:
+  url:
+    description: plugin url
+    required: true
+  version:
+    description: plugin version
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Download plugin
+      shell: bash
+      run: |
+        cache_dir=${RUNNER_TOOL_CACHE}/ct/${{ inputs.version }}/amd64
+        mkdir -p "${cache_dir}"
+        curl -fsSL ${{ inputs.url }}/releases/download/v${{ inputs.version }}/chart-testing_${{ inputs.version }}_linux_amd64.tar.gz | tar -C "${cache_dir}" -xz
+
+        echo 'Setting CT_CONFIG_DIR...'
+        echo "CT_CONFIG_DIR=${cache_dir}/etc" >> "${GITHUB_ENV}"
+
+        echo 'Configuring environment variables for virtual environment for subsequent workflow steps...'
+        echo "${cache_dir}" >> "${GITHUB_PATH}"
diff --git a/.github/actions/setup-helm-plugin/action.yaml b/.github/actions/setup-helm-plugin/action.yaml
@@ -0,0 +1,15 @@
+name: helm-plugin
+description: Setup helm plugin
+inputs:
+  url:
+    description: plugin url
+    required: true
+  version:
+    description: plugin version
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Download plugin
+      shell: bash
+      run: helm plugin install ${{ inputs.url }} --version ${{ inputs.version }}
diff --git a/.github/actions/setup-kube-linter/action.yaml b/.github/actions/setup-kube-linter/action.yaml
@@ -0,0 +1,58 @@
+name: 'kube-linter'
+description: 'Scan directory or file with kube-linter'
+branding:
+  icon: 'check-circle'
+  color: 'green'
+inputs:
+  directory:
+    description: 'Directory or file to scan'
+    required: true
+  config:
+    description: 'Path to config file'
+    required: false
+  format:
+    description: 'Output format. Allowed values: sarif, plain, json. Default: "plain"'
+    required: false
+    default: 'plain'
+  output-file:
+    description: 'Filename to store output. File will be overwritten if it exists. Default: "kubelinter.log"'
+    required: false
+    default: 'kubelinter.log'
+  version:
+    description: 'Version of kube-linter to use. E.g. "0.2.4". Default: "latest"'
+    required: false
+    default: 'latest'
+runs:
+  using: "composite"
+  steps:
+    - name: Download kube-linter
+      shell: bash
+      run: |
+        set -u
+        case "${{ runner.os }}" in
+          macOS)   OS=darwin ;;
+          Windows) OS=windows ;;
+          *)       OS=linux ;;
+        esac
+        RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/latest'
+        if [[ "${{ inputs.version }}" != "latest" ]]; then
+          RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/tags/${{ inputs.version }}'
+        fi
+        # Although releases endpoint is available without authentication, the current github.token is still passed
+        # in order to increase the limit of 60 requests per hour per IP address to a higher value that's also counted
+        # per GitHub account.
+        # Caching is disabled in order not to receive stale responses from Varnish cache fronting GitHub API.
+        RELEASE_INFO="$(curl --silent --show-error --fail \
+          --header 'authorization: Bearer ${{ github.token }}' \
+          --header 'Cache-Control: no-cache, must-revalidate' \
+          "${RELEASE_URL}")"
+        RELEASE_NAME="$(echo "${RELEASE_INFO}" | jq --raw-output ".name")"
+        LOCATION="$(echo "${RELEASE_INFO}" \
+          | jq --raw-output ".assets[].browser_download_url" \
+          | grep --fixed-strings "kube-linter-${OS}.tar.gz")"
+        TARGET="kube-linter-${OS}-${RELEASE_NAME}.tar.gz"
+        # Skip downloading release if downloaded already, e.g. when the action is used multiple times.
+        if [[ ! -e "$TARGET" ]]; then
+          curl --silent --show-error --fail --location --output "$TARGET" "$LOCATION"
+          tar -xf "$TARGET"
+        fi
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -13,7 +13,7 @@ on:
 
 jobs:
   # https://github.com/bridgecrewio/checkov-action#example-usage-for-iac-and-sca
-  checkov-github_actions:
+  checkov:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -121,6 +121,21 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2
 
+      - name: Override ct version
+        uses: ./.github/actions/setup-chart-testing
+        with:
+          url: https://github.com/jouve/chart-testing
+          version: 3.10.0
+
+      - name: Setup kube-linter
+        uses: ./.github/actions/setup-kube-linter
+
+      - name: Setup helm unittest
+        uses: ./.github/actions/setup-helm-plugin
+        with:
+          url: https://github.com/helm-unittest/helm-unittest.git
+          version: v0.3.5
+
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
@@ -133,57 +148,6 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
 
-  kube-linter:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        chart:
-          #- extra
-          - mailpit
-          #- postgresql
-          #- subnamespace
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build chart
-        run: helm dep build "charts/${{ matrix.chart }}"
-
-      - name: Scan yaml files with kube-linter
-        uses: stackrox/[email protected]
-        id: kube-linter-action-scan
-        with:
-          # Adjust this directory to the location where your kubernetes resources and helm charts are located.
-          directory: charts/${{ matrix.chart }}
-          # The following two settings make kube-linter produce scan analysis in SARIF format which would then be
-          # made available in GitHub UI via upload-sarif action below.
-          format: sarif
-          output-file: kube-linter.sarif
-
-      - name: Upload SARIF report files to GitHub
-        uses: github/codeql-action/upload-sarif@v2
-
-        # Results are generated only on a success or failure
-        # this is required since GitHub by default won't run the next step
-        # when the previous one has failed. Security checks that do not pass will 'fail'.
-        # An alternative is to add `continue-on-error: true` to the previous step
-        # Or 'soft_fail: true' to checkov.
-        if: success() || failure()
-        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: kube-linter.sarif
-
   # https://github.com/aquasecurity/trivy-action#scan-ci-pipeline-w-trivy-config
   trivy:
     runs-on: ubuntu-latest

diff --git a/charts/cloudnative-pg/.helmignore b/charts/cloudnative-pg/.helmignore
@@ -21,3 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
+.kube-linter.yaml
+.helmignore
diff --git a/charts/cloudnative-pg/.kube-linter.yaml b/charts/cloudnative-pg/.kube-linter.yaml
@@ -0,0 +1,4 @@
+checks:
+  exclude:
+  - unset-cpu-requirements
+  - unset-memory-requirements
diff --git a/charts/coredns/.helmignore b/charts/coredns/.helmignore
@@ -20,3 +20,6 @@
 .idea/
 *.tmproj
 OWNERS
+.helmignore
+.kube-linter.yaml
+ci/
diff --git a/charts/coredns/.kube-linter.yaml b/charts/coredns/.kube-linter.yaml
@@ -0,0 +1,5 @@
+checks:
+  exclude:
+  - drop-net-raw-capability
+  - no-read-only-root-fs
+  - run-as-non-root
diff --git a/charts/extra/.helmignore b/charts/extra/.helmignore
@@ -21,3 +21,7 @@
 .idea/
 *.tmproj
 .vscode/
+.kube-linter.yaml
+.helmignore
+ci/
+tests/
diff --git a/charts/extra/tests/configmap_test.yaml b/charts/extra/tests/configmap_test.yaml
@@ -1,6 +1,4 @@
 suite: test configmap
-templates:
-  - extra-list.yaml
 tests:
   - it: should create a ConfigMap
     values:
@@ -15,5 +13,5 @@ tests:
             app.kubernetes.io/name: extra
             app.kubernetes.io/instance: RELEASE-NAME
       - equal:
-          path: data.foo
-          value: bar
+          path: data.toto
+          value: tutu