kubeconform fails validation on null/empty fields

[mustafaStakater]

Problem Description:
We are using a kubeconform to validate manifests generated as a Helm chart in our pipelines. We are using mongodb helm chart that generated a few empty / null fields in a Deployment and Service as below

When I run kubeconform validation

kubeconform -summary -schema-location "$location" /kubeconform-data/manifest.yaml    

It fails with following error:

This seems weird because while making resources in openshift/kubernetes empty/fields are replaced by defaults and resources are created successfully. We intended to use this in our pipelines for validation, but this makes it unusable since nulls/ empty fields can occur quite frequently.

[eyarz]

I tried to reproduce this error with the following config (nodePort: null):

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      nodePort: null

As you can see here, Kubeconform is passing:

I see that you're using -schema-location "$location" so maybe this is why I get a different result.
which schema do you use there to validate your manifest?

[mustafaStakater]

We are using openshift 4.10 & extract schema from openshift openapi endpoint and convert it using openshift2jsonschema utility. it generates json schemas for all resources like in the image below.

[mustafaStakater]

The above file you added is failing for my schemas, you can see schema in the repo below
https://github.com/mustafaStakater/sharing/tree/main/kubeconform/

Before using change $ref field on line 27,31,35 in service-v1.json

[eyarz]

So the OpenShift schema defines that nodePort: null is not allowed for object type Service. It's the expected behavior :)

[hanzala1234]

@eyarz if that defines, it should not have failed. isn't it?

[eyarz]

@hanzala1234 I forget to add "is not allowed" 🤦‍♂️. I updated my comment.
BTW, here you can find a similar issue: #123

[hanzala1234]

thanks @eyarz . its quite common scenario though that optional field will have null values. is that something where we can have some workaround?

[eyarz]

As a workaround, you can use the skip flag to skip this type of k8s kind:

Another option - because you're using your schema locally, you can also just fix the schema to meet your requirements.

[mustafaStakater]

Service and Deployments are most basic kinds, we cant ignore/skip them because almost all applications contain services & deployments.

We arent using it locally, we intend to use it inside a pipeline as a task (extract schema from <cluster_ip>:442/openshift/openapi/v2 endpoint and validate manifests against it). manually fixing doesnt seem right to me

Point is these manifests with null / empty fields are created successfully in openshift, so kubeconform shouldnt give an error either.

[yannh]

Closing as duplicate of #123