From 8730dfe6bc05e2d64f58e7185094164b95f3918a Mon Sep 17 00:00:00 2001
From: Cyril Jouve
Date: Tue, 3 Oct 2023 14:23:16 +0200
Subject: [PATCH] use ct to run tests

---
 .ct/additional.sh | 4 ++
 .ct/ct.yaml | 3 +
 .ct/helm-unittest.sh | 7 ++
 .ct/kube-linter.sh | 7 ++
 .../actions/setup-chart-testing/action.yaml | 24 +++++++
 .github/actions/setup-helm-plugin/action.yaml | 15 ++++
 .github/actions/setup-kube-linter/action.yaml | 58 ++++++++++++++++
 .github/workflows/lint.yaml | 68 +++++-------------
 charts/cloudnative-pg/.helmignore | 2 +
 charts/cloudnative-pg/.kube-linter.yaml | 4 ++
 charts/coredns/.helmignore | 3 +
 charts/coredns/.kube-linter.yaml | 5 ++
 charts/extra/.helmignore | 4 ++
 charts/extra/tests/configmap_test.yaml | 6 +-
 14 files changed, 154 insertions(+), 56 deletions(-)
 create mode 100755 .ct/additional.sh
 create mode 100644 .ct/ct.yaml
 create mode 100755 .ct/helm-unittest.sh
 create mode 100755 .ct/kube-linter.sh
 create mode 100644 .github/actions/setup-chart-testing/action.yaml
 create mode 100644 .github/actions/setup-helm-plugin/action.yaml
 create mode 100644 .github/actions/setup-kube-linter/action.yaml
 create mode 100644 charts/cloudnative-pg/.kube-linter.yaml
 create mode 100644 charts/coredns/.kube-linter.yaml

diff --git a/.ct/additional.sh b/.ct/additional.sh
new file mode 100755
index 0000000..1e60922
--- /dev/null
+++ b/.ct/additional.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+.ct/kube-linter.sh "$@"
+.ct/helm-unittest.sh "$1"
diff --git a/.ct/ct.yaml b/.ct/ct.yaml
new file mode 100644
index 0000000..0b50406
--- /dev/null
+++ b/.ct/ct.yaml
@@ -0,0 +1,3 @@
+additional-commands: >
+ .ct/additional.sh {{ .Path }}{{ range .ValuesFilePathsForCI }}{{ $v := slice . (len $.Path) }}{{ if eq (index $v 0) '/' }}{{ $v = slice $v 1}}{{ end }} {{ $v }}{{ else }} values.yaml{{ end }}
+use-helmignore: true
diff --git a/.ct/helm-unittest.sh b/.ct/helm-unittest.sh
new file mode 100755
index 0000000..fb34c44
--- /dev/null
+++ b/.ct/helm-unittest.sh
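Review bot: `.ct/additional.sh` runs `.ct/kube-linter.sh "$@"` and then `.ct/helm-unittest.sh "$1"` without `set -e`, so the script's exit status is only that of the last command; a kube-linter failure is overwritten by a passing unittest run, and `ct` (which presumably takes the additional command's exit code as the verdict) would report the chart as clean. Add `set -e` directly after the shebang so the first failing checker fails the chart. `.ct/kube-linter.sh` has a related status-masking problem inside its loop, raised at that hunk.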
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+if [ -d "$1/tests" ]; then
+ helm unittest "$1"
+fi
diff --git a/.ct/kube-linter.sh b/.ct/kube-linter.sh
new file mode 100755
index 0000000..7d3a572
--- /dev/null
+++ b/.ct/kube-linter.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+cd "$1"
+shift
+for values; do
+ helm template -f "$values" . | kube-linter lint -
+done
diff --git a/.github/actions/setup-chart-testing/action.yaml b/.github/actions/setup-chart-testing/action.yaml
new file mode 100644
index 0000000..f561279
--- /dev/null
+++ b/.github/actions/setup-chart-testing/action.yaml
@@ -0,0 +1,24 @@
+name: setup-chart-testing
+description: Setup Chart Testing
+inputs:
+ url:
+ description: plugin url
+ required: true
+ version:
+ description: plugin version
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: Download plugin
+ shell: bash
+ run: |
+ cache_dir=${RUNNER_TOOL_CACHE}/ct/${{ inputs.version }}/amd64
+ mkdir -p "${cache_dir}"
+ curl -fsSL ${{ inputs.url }}/releases/download/v${{ inputs.version }}/chart-testing_${{ inputs.version }}_linux_amd64.tar.gz | tar -C "${cache_dir}" -xz
+
+ echo 'Setting CT_CONFIG_DIR...'
+ echo "CT_CONFIG_DIR=${cache_dir}/etc" >> "${GITHUB_ENV}"
+
+ echo 'Configuring environment variables for virtual environment for subsequent workflow steps...'
+ echo "${cache_dir}" >> "${GITHUB_PATH}"
diff --git a/.github/actions/setup-helm-plugin/action.yaml b/.github/actions/setup-helm-plugin/action.yaml
new file mode 100644
index 0000000..1f7ea05
--- /dev/null
+++ b/.github/actions/setup-helm-plugin/action.yaml
@@ -0,0 +1,15 @@
+name: helm-plugin
+description: Setup helm plugin
+inputs:
+ url:
+ description: plugin url
+ required: true
+ version:
+ description: plugin version
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: Download plugin
+ shell: bash
+ run: helm plugin install ${{ inputs.url }} --version ${{ inputs.version }}
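Review bot: In `.ct/kube-linter.sh` the `for values` loop keeps only the last iteration's status, and within each iteration the pipeline's status is that of `kube-linter lint -`, so a `helm template` failure for one values file, or a lint failure on any file but the final one, does not fail the script. The script is executed directly through its `#!/bin/bash` shebang rather than via Actions' `shell: bash` wrapper, so no `-e`/`pipefail` is inherited. Accumulate a result across the loop and exit with it, and enable `pipefail` so a broken render is not reported as a lint pass.

```bash
#!/bin/bash
set -uo pipefail

cd "$1" || exit 1
shift
rc=0
for values; do
  helm template -f "$values" . | kube-linter lint - || rc=1
done
exit "$rc"
```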
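Review bot: The `run:` script in `.github/actions/setup-chart-testing/action.yaml` splices `${{ inputs.url }}` and `${{ inputs.version }}` directly into shell text, unquoted, which is the expression-injection pattern GitHub's Actions hardening guidance warns about for reusable actions: the caller's value is substituted before bash parses the script. Today the only caller in `lint.yaml` passes literal values, so exposure is limited, but the action is written as a generic installer. Pass the inputs through `env:` and reference them as quoted variables; the same pattern is in `helm plugin install ${{ inputs.url }} --version ${{ inputs.version }}` in `setup-helm-plugin/action.yaml` and in the `${{ inputs.version }}` interpolations inside the script of `setup-kube-linter/action.yaml`. Separately, the archive is piped straight from `curl` into `tar` with no digest check, so a published-artifact substitution would go unnoticed; an expected-sha256 input verified before extraction would close that.

```yaml
      - name: Download plugin
        shell: bash
        env:
          CT_URL: ${{ inputs.url }}
          CT_VERSION: ${{ inputs.version }}
        run: |
          cache_dir="${RUNNER_TOOL_CACHE}/ct/${CT_VERSION}/amd64"
          mkdir -p "${cache_dir}"
          curl -fsSL "${CT_URL}/releases/download/v${CT_VERSION}/chart-testing_${CT_VERSION}_linux_amd64.tar.gz" | tar -C "${cache_dir}" -xz
          # … unchanged: CT_CONFIG_DIR and GITHUB_PATH exports …
```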
diff --git a/.github/actions/setup-kube-linter/action.yaml b/.github/actions/setup-kube-linter/action.yaml
new file mode 100644
index 0000000..909652f
--- /dev/null
+++ b/.github/actions/setup-kube-linter/action.yaml
@@ -0,0 +1,58 @@
+name: 'kube-linter'
+description: 'Scan directory or file with kube-linter'
+branding:
+ icon: 'check-circle'
+ color: 'green'
+inputs:
+ directory:
+ description: 'Directory or file to scan'
+ required: true
+ config:
+ description: 'Path to config file'
+ required: false
+ format:
+ description: 'Output format. Allowed values: sarif, plain, json. Default: "plain"'
+ required: false
+ default: 'plain'
+ output-file:
+ description: 'Filename to store output. File will be overwritten if it exists. Default: "kubelinter.log"'
+ required: false
+ default: 'kubelinter.log'
+ version:
+ description: 'Version of kube-linter to use. E.g. "0.2.4". Default: "latest"'
+ required: false
+ default: 'latest'
+runs:
+ using: "composite"
+ steps:
+ - name: Download kube-linter
+ shell: bash
+ run: |
+ set -u
+ case "${{ runner.os }}" in
+ macOS) OS=darwin ;;
+ Windows) OS=windows ;;
+ *) OS=linux ;;
+ esac
+ RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/latest'
+ if [[ "${{ inputs.version }}" != "latest" ]]; then
+ RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/tags/${{ inputs.version }}'
+ fi
+ # Although releases endpoint is available without authentication, the current github.token is still passed
+ # in order to increase the limit of 60 requests per hour per IP address to a higher value that's also counted
+ # per GitHub account.
+ # Caching is disabled in order not to receive stale responses from Varnish cache fronting GitHub API.
+ RELEASE_INFO="$(curl --silent --show-error --fail \
+ --header 'authorization: Bearer ${{ github.token }}' \
+ --header 'Cache-Control: no-cache, must-revalidate' \
+ "${RELEASE_URL}")"
+ RELEASE_NAME="$(echo "${RELEASE_INFO}" | jq --raw-output ".name")"
+ LOCATION="$(echo "${RELEASE_INFO}" \
+ | jq --raw-output ".assets[].browser_download_url" \
+ | grep --fixed-strings "kube-linter-${OS}.tar.gz")"
+ TARGET="kube-linter-${OS}-${RELEASE_NAME}.tar.gz"
+ # Skip downloading release if downloaded already, e.g. when the action is used multiple times.
+ if [[ ! -e "$TARGET" ]]; then
+ curl --silent --show-error --fail --location --output "$TARGET" "$LOCATION"
+ tar -xf "$TARGET"
+ fi
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index ac9aa9e..f60e649 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -13,7 +13,7 @@ on:
 
 jobs:
 # https://github.com/bridgecrewio/checkov-action#example-usage-for-iac-and-sca
- checkov-github_actions:
+ checkov:
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -121,6 +121,21 @@ jobs:
 - name: Set up chart-testing
 uses: helm/chart-testing-action@v2
 
+ - name: Override ct version
+ uses: ./.github/actions/setup-chart-testing
+ with:
+ url: https://github.com/jouve/chart-testing
+ version: 3.10.0
+
+ - name: Setup kube-linter
+ uses: ./.github/actions/setup-kube-linter
+
+ - name: Setup helm unittest
+ uses: ./.github/actions/setup-helm-plugin
+ with:
+ url: https://github.com/helm-unittest/helm-unittest.git
+ version: v0.3.5
+
 - name: Run chart-testing (list-changed)
 id: list-changed
 run: |
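Review bot: The download step in `setup-kube-linter/action.yaml` ends at `tar -xf "$TARGET"` on the last line of the new file, which unpacks `kube-linter` into the current working directory (the repository checkout) and never records that location in `$GITHUB_PATH`, unlike `setup-chart-testing`; `.ct/kube-linter.sh` then calls a bare `kube-linter lint -` after `cd "$1"`, which will be command-not-found unless the runner's PATH already includes the workspace — I cannot see the rest of the workflow to confirm. Either append `echo "${PWD}" >> "${GITHUB_PATH}"` after the extraction, or extract into `${RUNNER_TOOL_CACHE}` as the ct action does so neither the binary nor the tarball ends up inside the checkout that `ct` and `helm` package. The `directory`, `config`, `format` and `output-file` inputs are declared but unused anywhere in the 58 lines, so drop them or state in `description` that only `version` is honoured. The asset fetched from `browser_download_url` is also extracted without any checksum comparison.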
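Review bot: The `Override ct version` step replaces the `ct` installed by `helm/chart-testing-action@v2` with a binary from `https://github.com/jouve/chart-testing`, a personal fork, pinned only by a version string and with no digest check; it wins only because entries written to `$GITHUB_PATH` are prepended to PATH for later steps, which nothing in the step documents. Add a comment recording why the fork is needed (presumably the templated `additional-commands` in `.ct/ct.yaml`) and when it can be dropped, e.g. `# fork needed for templated additional-commands in .ct/ct.yaml; revert to upstream once supported`, and consider an expected-sha256 input on the action. Note also that with the separate `kube-linter` job removed further down, kube-linter findings now appear only in `ct lint` output and no longer reach code scanning via SARIF upload.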
@@ -133,57 +148,6 @@ jobs: if: steps.list-changed.outputs.changed == 'true' run: ct lint --target-branch ${{ github.event.repository.default_branch }} - kube-linter: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - - runs-on: ubuntu-latest - - strategy: - matrix: - chart: - #- extra - - mailpit - #- postgresql - #- subnamespace - - steps: - - uses: actions/checkout@v3 - - - name: Set up Helm - uses: azure/setup-helm@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Build chart - run: helm dep build "charts/${{ matrix.chart }}" - - - name: Scan yaml files with kube-linter - uses: stackrox/kube-linter-action@v1.0.4 - id: kube-linter-action-scan - with: - # Adjust this directory to the location where your kubernetes resources and helm charts are located. - directory: charts/${{ matrix.chart }} - # The following two settings make kube-linter produce scan analysis in SARIF format which would then be - # made available in GitHub UI via upload-sarif action below. - format: sarif - output-file: kube-linter.sarif - - - name: Upload SARIF report files to GitHub - uses: github/codeql-action/upload-sarif@v2 - - # Results are generated only on a success or failure - # this is required since GitHub by default won't run the next step - # when the previous one has failed. Security checks that do not pass will 'fail'. - # An alternative is to add `continue-on-error: true` to the previous step - # Or 'soft_fail: true' to checkov. - if: success() || failure() - with: - # Path to SARIF file relative to the root of the repository - sarif_file: kube-linter.sarif - # https://github.com/aquasecurity/trivy-action#scan-ci-pipeline-w-trivy-config trivy: runs-on: ubuntu-latest 
diff --git a/charts/cloudnative-pg/.helmignore b/charts/cloudnative-pg/.helmignore
index 0e8a0eb..492bc43 100644
--- a/charts/cloudnative-pg/.helmignore
+++ b/charts/cloudnative-pg/.helmignore
@@ -21,3 +21,5 @@
 .idea/
 *.tmproj
 .vscode/
+.kube-linter.yaml
+.helmignore
diff --git a/charts/cloudnative-pg/.kube-linter.yaml b/charts/cloudnative-pg/.kube-linter.yaml
new file mode 100644
index 0000000..c514389
--- /dev/null
+++ b/charts/cloudnative-pg/.kube-linter.yaml
@@ -0,0 +1,4 @@
+checks:
+ exclude:
+ - unset-cpu-requirements
+ - unset-memory-requirements
diff --git a/charts/coredns/.helmignore b/charts/coredns/.helmignore
index 7c04072..d0ebf3c 100644
--- a/charts/coredns/.helmignore
+++ b/charts/coredns/.helmignore
@@ -20,3 +20,6 @@
 .idea/
 *.tmproj
 OWNERS
+.helmignore
+.kube-linter.yaml
+ci/
diff --git a/charts/coredns/.kube-linter.yaml b/charts/coredns/.kube-linter.yaml
new file mode 100644
index 0000000..01a937a
--- /dev/null
+++ b/charts/coredns/.kube-linter.yaml
@@ -0,0 +1,5 @@
+checks:
+ exclude:
+ - drop-net-raw-capability
+ - no-read-only-root-fs
+ - run-as-non-root
diff --git a/charts/extra/.helmignore b/charts/extra/.helmignore
index 0e8a0eb..9e1f33b 100644
--- a/charts/extra/.helmignore
+++ b/charts/extra/.helmignore
@@ -21,3 +21,7 @@
 .idea/
 *.tmproj
 .vscode/
+.kube-linter.yaml
+.helmignore
+ci/
+tests/
diff --git a/charts/extra/tests/configmap_test.yaml b/charts/extra/tests/configmap_test.yaml
index 579ae25..6db9df5 100644
--- a/charts/extra/tests/configmap_test.yaml
+++ b/charts/extra/tests/configmap_test.yaml
@@ -1,6 +1,4 @@
 suite: test configmap
-templates:
- - extra-list.yaml
 tests:
 - it: should create a ConfigMap
 values:
@@ -15,5 +13,5 @@ tests:
 app.kubernetes.io/name: extra
 app.kubernetes.io/instance: RELEASE-NAME
 - equal:
- path: data.foo
- value: bar
+ path: data.toto
+ value: tutu
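Review bot: `charts/coredns/.kube-linter.yaml` switches off three pod-hardening checks (`drop-net-raw-capability`, `no-read-only-root-fs`, `run-as-non-root`) chart-wide with no recorded reason, so they stay silenced for every future template added to the chart, not just the object that currently trips them. Add a comment above each entry naming the template or resource that needs the exception and why it is acceptable, e.g. `# TODO(review): name the workload that requires this and the compensating control`, so the exclusion can be revisited; if only one object is affected, kube-linter's per-object `ignore-check.kube-linter.io/<check-name>` annotation keeps the check active elsewhere. `charts/cloudnative-pg/.kube-linter.yaml` has the same undocumented exclusions, though for the lower-risk resource-requirement checks.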