├── .github └── workflows │ ├── linter.yml │ ├── main.yml │ └── push.yml ├── .gitignore ├── .hadolint.yml ├── Dockerfile ├── LICENSE ├── README.md ├── action.yml ├── src ├── deps.sh ├── hrval-all.sh └── hrval.sh └── test ├── flagger.yaml ├── podinfo.yaml └── subdirectory ├── ghost.yaml ├── not-a-yaml-file └── some-other-yaml.yaml /.github/workflows/linter.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ########################### 3 | ########################### 4 | ## Linter GitHub Actions ## 5 | ########################### 6 | ########################### 7 | name: Lint Code Base 8 | 9 | # 10 | # Documentation: 11 | # https://help.github.com/en/articles/workflow-syntax-for-github-actions 12 | # 13 | 14 | ############################# 15 | # Start the job on all push # 16 | ############################# 17 | on: 18 | push: 19 | branches-ignore: [master] 20 | # Remove the line above to run when pushing to master 21 | pull_request: 22 | branches: [master] 23 | 24 | ############### 25 | # Set the Job # 26 | ############### 27 | jobs: 28 | build: 29 | # Name the Job 30 | name: Lint Code Base 31 | # Set the agent to run on 32 | runs-on: ubuntu-latest 33 | 34 | ################## 35 | # Load all steps # 36 | ################## 37 | steps: 38 | ########################## 39 | # Checkout the code base # 40 | ########################## 41 | - name: Checkout Code 42 | uses: actions/checkout@v2 43 | 44 | ################################ 45 | # Run Linter against code base # 46 | ################################ 47 | - name: Lint Code Base 48 | uses: github/super-linter@v3 49 | env: 50 | VALIDATE_ALL_CODEBASE: false 51 | LINTER_RULES_PATH: / 52 | DEFAULT_BRANCH: master 53 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 54 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | 
on: [push, pull_request] 4 | 5 | jobs: 6 | test-action: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v1 10 | - name: Validate Helm Release from Helm Repo 11 | uses: ./ 12 | with: 13 | helmRelease: test/flagger.yaml 14 | kubernetesVersion: 1.16.0 15 | helmVersion: v2 16 | - name: Validate Helm Release from Git Repo 17 | uses: ./ 18 | with: 19 | helmRelease: test/podinfo.yaml 20 | helmVersion: v3 21 | - name: Validate Helm Release without values 22 | uses: ./ 23 | with: 24 | helmRelease: test/podinfo.yaml 25 | ignoreValues: true 26 | test-dir: 27 | runs-on: ubuntu-latest 28 | steps: 29 | - uses: actions/checkout@v1 30 | - name: Validate all Helm Releases in the test dir 31 | id: validate-dir 32 | uses: ./ 33 | with: 34 | helmRelease: test/ 35 | - name: Check tested file count 36 | env: 37 | NUM_FILES_TESTED: ${{ steps.validate-dir.outputs.numFilesTested }} 38 | run: "(( NUM_FILES_TESTED==3 ))" 39 | 40 | -------------------------------------------------------------------------------- /.github/workflows/push.yml: -------------------------------------------------------------------------------- 1 | name: PUSH 2 | 3 | on: [push] 4 | 5 | jobs: 6 | push-container: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v1 10 | - name: Publish to Docker Hub 11 | uses: elgohr/Publish-Docker-Github-Action@2.7 12 | with: 13 | name: stefanprodan/hrval 14 | username: ${{ secrets.DOCKER_USERNAME }} 15 | password: ${{ secrets.DOCKER_PASSWORD }} 16 | tag_names: true 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | 8 | # Test binary, build with `go test -c` 9 | *.test 10 | 11 | # Output of the go coverage tool, specifically when used with LiteIDE 12 | *.out 13 | 
-------------------------------------------------------------------------------- /.hadolint.yml: -------------------------------------------------------------------------------- 1 | ignored: 2 | - DL3018 3 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM garethr/kubeval:0.15.0 2 | 3 | RUN apk --no-cache add curl bash git openssh-client 4 | 5 | COPY LICENSE README.md / 6 | 7 | COPY src/deps.sh /deps.sh 8 | RUN /deps.sh 9 | 10 | COPY src/hrval.sh /usr/local/bin/hrval.sh 11 | COPY src/hrval-all.sh /usr/local/bin/hrval 12 | 13 | ENTRYPOINT ["hrval"] 14 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 
25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # hrval-action 2 | 3 | ## This project is no longer maintained, helm-operator users should migrate to [Flux v2](https://github.com/fluxcd/flux2) and [helm-controller](https://github.com/fluxcd/helm-controller). 4 | 5 | This GitHub action validates a Flux 6 | [Helm Release](https://docs.fluxcd.io/projects/helm-operator/en/latest/references/helmrelease-custom-resource.html) 7 | Kubernetes custom resources with [kubeval](https://github.com/instrumenta/kubeval). 
8 | 9 | Steps: 10 | * installs kubectl, yq, kubeval, helm v2 and v3 11 | * extracts the chart source with yq 12 | * downloads the chart from the Helm or Git repository 13 | * extracts the Helm Release values with yq 14 | * runs helm template for the extracted values 15 | * validates the YAMLs using kubeval strict mode 16 | 17 | ## Usage 18 | 19 | Validate Helm release custom resources: 20 | 21 | ```yaml 22 | name: CI 23 | 24 | on: [push, pull_request] 25 | 26 | jobs: 27 | hrval: 28 | runs-on: ubuntu-latest 29 | steps: 30 | - uses: actions/checkout@v1 31 | - name: Validate Helm Releases in test dir 32 | uses: stefanprodan/hrval-action@master 33 | with: 34 | helmRelease: test/ 35 | - name: Validate Helm Release from Helm Repo 36 | uses: stefanprodan/hrval-action@master 37 | with: 38 | helmRelease: test/flagger.yaml 39 | helmVersion: v2 40 | kubernetesVersion: 1.17.0 41 | - name: Validate Helm Release from Git Repo 42 | uses: stefanprodan/hrval-action@master 43 | with: 44 | helmRelease: test/podinfo.yaml 45 | helmVersion: v3 46 | kubernetesVersion: master 47 | ignoreValues: true 48 | ``` 49 | 50 | Output: 51 | 52 | ```text 53 | Processing test/flagger.yaml 54 | Downloading to /tmp/tmp.TuA4QzCOG7 55 | Extracting values to /tmp/tmp.TuA4QzCOG7/flagger.values.yaml 56 | Writing Helm release to /tmp/tmp.TuA4QzCOG7/flagger.release.yaml 57 | Validating Helm release flagger.flagger-system against Kubernetes 1.16.0 58 | WARN - Set to ignore missing schemas 59 | PASS - flagger/templates/psp.yaml contains a valid PodSecurityPolicy 60 | PASS - flagger/templates/psp.yaml contains a valid ClusterRole 61 | PASS - flagger/templates/psp.yaml contains a valid RoleBinding 62 | PASS - flagger/templates/account.yaml contains a valid ServiceAccount 63 | WARN - flagger/templates/crd.yaml containing a CustomResourceDefinition was not validated against a schema 64 | PASS - flagger/templates/prometheus.yaml contains a valid ClusterRole 65 | PASS - flagger/templates/prometheus.yaml contains a 
valid ClusterRoleBinding 66 | PASS - flagger/templates/prometheus.yaml contains a valid ServiceAccount 67 | PASS - flagger/templates/prometheus.yaml contains a valid ConfigMap 68 | PASS - flagger/templates/prometheus.yaml contains a valid Deployment 69 | PASS - flagger/templates/prometheus.yaml contains a valid Service 70 | PASS - flagger/templates/rbac.yaml contains a valid ClusterRole 71 | PASS - flagger/templates/rbac.yaml contains a valid ClusterRoleBinding 72 | PASS - flagger/templates/deployment.yaml contains a valid Deployment 73 | ``` 74 | 75 | ## Usage with private charts repositories 76 | 77 | ### Private GitHub/GitLab repository 78 | To allow the action to be able to clone charts from private GitHub repositories, 79 | you must [create a GitHub private access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) 80 | and [add it as a secret](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#creating-encrypted-secrets) to the target repository. NOTE: secret names *cannot* start with `GITHUB_` as these are reserved. 81 | 82 | You can then pass the secret (in this case, `GH_TOKEN`) into the action like so: 83 | ```yaml 84 | name: CI 85 | 86 | on: [push, pull_request] 87 | 88 | jobs: 89 | hrval: 90 | runs-on: ubuntu-latest 91 | steps: 92 | - uses: actions/checkout@v1 93 | - name: Validate Helm Releases in test dir 94 | uses: stefanprodan/hrval-action@master 95 | with: 96 | helmRelease: test/ 97 | env: 98 | GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} 99 | ``` 100 | 101 | Gitlab CI Token is also possible using `GITLAB_CI_TOKEN`. 102 | 103 | ### AWS S3 104 | 105 | If you set `awsS3Repo: true`, make sure you set the appropriate environment variables for helm s3 plugin to work. 
Example: 106 | ```yaml 107 | name: CI 108 | 109 | on: [push, pull_request] 110 | 111 | jobs: 112 | hrval: 113 | runs-on: ubuntu-latest 114 | steps: 115 | - uses: actions/checkout@v1 116 | - name: Validate Helm Releases in test dir 117 | uses: stefanprodan/hrval-action@master 118 | with: 119 | helmRelease: test/ 120 | awsS3Repo: true 121 | awsS3RepoName: example-s3-helm-repo 122 | awsS3Plugin: https://github.com/hypnoglow/helm-s3.git 123 | env: 124 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 125 | AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} 126 | AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 127 | AWS_DEFAULT_REGION: "us-east-1" 128 | 129 | ``` 130 | 131 | ### HTTP(S) Helm chart repository 132 | 133 | To allow fetching Helm charts from private Helm chart repositories you need to 134 | pass a list of Helm repositories in `HTTP_PRIVATE_CHART_REPOS` environment variable as JSON. 135 | 136 | ```json 137 | { 138 | "repositories": [ 139 | { 140 | "url": "https://raw.githubusercontent.com/username/helm-chart-repository/master/", 141 | "username": "YOUR_USERNAME", 142 | "password": "YOUR_PASSWORD" 143 | }, 144 | { 145 | "url": "https://raw.githubusercontent.com/username/another-helm-chart-repository/master/", 146 | "username": "YOUR_USERNAME", 147 | "password": "YOUR_PASSWORD" 148 | } 149 | ] 150 | } 151 | ``` 152 | 153 | It should be passed [as a secret](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets) 154 | to keep credentials secure. 
155 | 156 | ```yaml 157 | name: CI 158 | 159 | on: [push, pull_request] 160 | 161 | jobs: 162 | hrval: 163 | runs-on: ubuntu-latest 164 | steps: 165 | - uses: actions/checkout@v1 166 | - name: Validate Helm Releases in test dir 167 | uses: stefanprodan/hrval-action@master 168 | with: 169 | helmRelease: test/ 170 | env: 171 | HTTP_PRIVATE_CHART_REPOS: ${{ secrets.HTTP_PRIVATE_CHART_REPOS }} 172 | ``` 173 | 174 | 175 | ## Usage with pull requests containing changes of Helm chart source located in base repository branch 176 | 177 | If a base repository branch of pull request is referenced in helm release, 178 | you need to pass `HRVAL_BASE_BRANCH` and `HRVAL_HEAD_BRANCH` environment variables 179 | to an action to make sure it will check out amended version of the chart 180 | from a head repository branch. 181 | 182 | 183 | ```yaml 184 | name: CI 185 | 186 | on: [pull_request] 187 | 188 | jobs: 189 | hrval: 190 | runs-on: ubuntu-latest 191 | steps: 192 | - uses: actions/checkout@v1 193 | - name: Validate Helm Releases in test dir 194 | uses: stefanprodan/hrval-action@master 195 | with: 196 | helmRelease: test/ 197 | env: 198 | HRVAL_BASE_BRANCH: ${{ github.base_ref }} 199 | HRVAL_HEAD_BRANCH: ${{ github.head_ref }} 200 | ``` 201 | 202 | ## Usage with Helm source caching enabled 203 | 204 | Sometimes single Helm release might be referenced multiple times in a single Flux repository, 205 | for example if staging branch of Helm chart repository is used as a release ref across all staging releases. 206 | A property named `helmSourcesCacheEnabled` enables caching for such releases, 207 | so a single Helm repository chart version or Git repository ref 208 | will be retrieved only once, and cached version will be used for validation of another releases which reuse same sources. 
209 | 210 | 211 | ```yaml 212 | name: CI 213 | 214 | on: [pull_request] 215 | 216 | jobs: 217 | hrval: 218 | runs-on: ubuntu-latest 219 | steps: 220 | - uses: actions/checkout@v1 221 | - name: Validate Helm Releases in test dir 222 | uses: stefanprodan/hrval-action@master 223 | with: 224 | helmRelease: test/ 225 | helmSourcesCacheEnabled: true 226 | ``` 227 | 228 | 229 | ## CI alternatives 230 | 231 | The validation scripts can be used in any CI system. 232 | 233 | CircleCI example: 234 | 235 | ```yaml 236 | version: 2.1 237 | jobs: 238 | hrval: 239 | docker: 240 | - image: stefanprodan/hrval:latest 241 | steps: 242 | - checkout 243 | - run: 244 | name: Validate Helm Releases in test dir 245 | command: | 246 | IGNORE_VALUES=false 247 | KUBE_VER=master 248 | HELM_VER=v2 249 | 250 | hrval test/ $IGNORE_VALUES $KUBE_VER $HELM_VER 251 | ``` 252 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: 'Validate Flux Helm Release' 2 | description: 'Github Action to validate Flux Helm Releases with kubeval' 3 | author: 'Stefan Prodan' 4 | branding: 5 | icon: 'check-square' 6 | color: 'blue' 7 | inputs: 8 | helmRelease: 9 | description: 'The HelmRelease YAML file path or dir' 10 | required: true 11 | ignoreValues: 12 | description: 'When set to true HelmRelease values will be ignored' 13 | default: 'false' 14 | kubernetesVersion: 15 | description: 'Version of Kubernetes to validate against' 16 | default: 'master' 17 | helmVersion: 18 | description: 'Version of Helm to validate against' 19 | default: 'v2' 20 | awsS3Repo: 21 | description: '(Optional) Set to true if using an AWS S3 Helm Repo' 22 | default: false 23 | awsS3RepoName: 24 | description: '(Optional) The name of the AWS S3 Helm repo, if awsS3Repo was set to true' 25 | default: '' 26 | awsS3Plugin: 27 | description: '(Optional) AWS S3 Plugin to be used in the helm plugin install command' 
28 | default: '' 29 | helmSourcesCacheEnabled: 30 | description: '(Optional) Enabled Helm source caching, so same release or ref will not be downloaded twice.' 31 | default: 'false' 32 | outputs: 33 | numFilesTested: 34 | description: The number of HelmRelease files which were tested 35 | 36 | runs: 37 | using: 'docker' 38 | image: 'Dockerfile' 39 | args: 40 | - ${{ inputs.helmRelease }} 41 | - ${{ inputs.ignoreValues }} 42 | - ${{ inputs.kubernetesVersion }} 43 | - ${{ inputs.helmVersion }} 44 | - ${{ inputs.awsS3Repo }} 45 | - ${{ inputs.awsS3RepoName }} 46 | - ${{ inputs.awsS3RepoPlugin }} 47 | - ${{ inputs.helmSourcesCacheEnabled }} 48 | -------------------------------------------------------------------------------- /src/deps.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | 5 | curl -sL "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl 6 | 7 | curl -sL https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq 8 | 9 | curl -sSL https://get.helm.sh/helm-v2.17.0-linux-amd64.tar.gz | tar xz && mv linux-amd64/helm /bin/helm && rm -rf linux-amd64 10 | helm init --stable-repo-url https://charts.helm.sh/stable --client-only --kubeconfig="${HOME}/.kube/kubeconfig" 11 | 12 | curl -sSL https://get.helm.sh/helm-v3.1.1-linux-amd64.tar.gz | tar xz && mv linux-amd64/helm /bin/helmv3 && rm -rf linux-amd64 13 | helmv3 version 14 | -------------------------------------------------------------------------------- /src/hrval-all.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | 5 | DIR=${1} 6 | IGNORE_VALUES=${2-false} 7 | KUBE_VER=${3-master} 8 | HELM_VER=${4-v2} 9 | 
HRVAL="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )/hrval.sh" 10 | AWS_S3_REPO=${5-false} 11 | AWS_S3_REPO_NAME=${6-""} 12 | AWS_S3_PLUGIN="${7-""}" 13 | HELM_SOURCES_CACHE_ENABLED=${8-""} 14 | 15 | function configurePrivateChartRepositories() { 16 | 17 | local tempDir 18 | tempDir="$(mktemp -d)" 19 | echo "$HTTP_PRIVATE_CHART_REPOS" > "$tempDir/repositories.json" 20 | local numberOfRepositories 21 | numberOfRepositories=$(yq r "$tempDir/repositories.json" --length repositories) 22 | 23 | for (( i = 0; i < numberOfRepositories; i++ )); do 24 | local url 25 | url=$(yq r "$tempDir/repositories.json" repositories[$i].url) 26 | local username 27 | username=$(yq r "$tempDir/repositories.json" repositories[$i].username) 28 | local password 29 | password=$(yq r "$tempDir/repositories.json" repositories[$i].password) 30 | local repoMD5 31 | repoMD5=$(/bin/echo "$url" | /usr/bin/md5sum | cut -f1 -d" ") 32 | 33 | >&2 echo "Adding Helm chart repository '$url'" 34 | if [[ ${HELM_VER} == "v3" ]]; then 35 | helmv3 repo add "$repoMD5" "${url}" --username "${username}" --password "${password}" 36 | helmv3 repo update 37 | else 38 | helm repo add "$repoMD5" "${url}" --username "${username}" --password "${password}" 39 | helm repo update 40 | fi 41 | done 42 | } 43 | 44 | if [[ -v HTTP_PRIVATE_CHART_REPOS ]]; then 45 | echo "Configuring Helm chart repositories" 46 | configurePrivateChartRepositories 47 | fi 48 | 49 | if [ "${HELM_SOURCES_CACHE_ENABLED}" == "true" ]; then 50 | CACHEDIR=$(mktemp -d) 51 | else 52 | CACHEDIR="${CACHEDIR}" 53 | fi 54 | 55 | if [[ ${HELM_VER} == "v2" ]]; then 56 | helm init --client-only 57 | fi 58 | 59 | if [[ ${AWS_S3_REPO} == true ]]; then 60 | helm plugin install "${AWS_S3_PLUGIN}" 61 | helm repo add "${AWS_S3_REPO_NAME}" "s3:/${AWS_S3_REPO_NAME}/charts" 62 | helm repo update 63 | fi 64 | 65 | # If the path provided is actually a file, just run hrval against this one file 66 | if test -f "${DIR}"; then 67 | ${HRVAL} "${DIR}" 
"${IGNORE_VALUES}" "${KUBE_VER}" "${HELM_VER}" "${CACHEDIR}" 68 | exit 0 69 | fi 70 | 71 | # If the path provided is not a directory, print error message and exit 72 | if [ ! -d "$DIR" ]; then 73 | echo "\"${DIR}\" directory not found!" 74 | exit 1 75 | fi 76 | 77 | function isHelmRelease { 78 | KIND=$(yq r "${1}" kind) 79 | if [[ ${KIND} == "HelmRelease" ]]; then 80 | echo true 81 | else 82 | echo false 83 | fi 84 | } 85 | 86 | # Find yaml files in directory recursively 87 | FILES_TESTED=0 88 | declare -a FOUND_FILES=() 89 | while read -r file; do 90 | FOUND_FILES+=( "$file" ) 91 | done < <(find "${DIR}" -type f -name '*.yaml' -o -name '*.yml') 92 | 93 | for f in "${FOUND_FILES[@]}"; do 94 | if [[ $(isHelmRelease "${f}") == "true" ]]; then 95 | ${HRVAL} "${f}" "${IGNORE_VALUES}" "${KUBE_VER}" "${HELM_VER}" "${CACHEDIR}" 96 | FILES_TESTED=$(( FILES_TESTED+1 )) 97 | else 98 | echo "Ignoring ${f} not a HelmRelease" 99 | fi 100 | done 101 | 102 | # This will set the GitHub actions output 'numFilesTested' 103 | echo "::set-output name=numFilesTested::${FILES_TESTED}" 104 | -------------------------------------------------------------------------------- /src/hrval.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | 5 | HELM_RELEASE="${1}" 6 | IGNORE_VALUES="${2}" 7 | KUBE_VER="${3-master}" 8 | HELM_VER="${4-v2}" 9 | CACHEDIR="${5-""}" 10 | 11 | if test ! -f "${HELM_RELEASE}"; then 12 | echo "\"${HELM_RELEASE}\" Helm release file not found!" 
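# (tail of the HELM_RELEASE argument check that begins above this chunk)
    exit 1
fi

echo "Processing ${HELM_RELEASE}"

# Print "true" when the YAML file $1 has `kind: HelmRelease`, "false" otherwise.
function isHelmRelease {
    local kind
    kind=$(yq r "${1}" kind)
    if [[ "${kind}" == "HelmRelease" ]]; then
        echo true
    else
        echo false
    fi
}

# Print the Helm binary selected by HELM_VER: "helmv3" for v3, "helm" otherwise.
function helmBin {
    if [[ "${HELM_VER}" == "v3" ]]; then
        echo helmv3
    else
        echo helm
    fi
}

# Succeed when a Helm repository named $1 is already registered with the client.
# Helm v2 lists repositories under "Name", Helm v3 under "name".
function isHelmRepoAdded {
    local key="Name"
    if [[ "${HELM_VER}" == "v3" ]]; then
        key="name"
    fi
    "$(helmBin)" repo list -o yaml | yq r - "[*].${key}" | grep -qx "${1}"
}

# Succeed when path $1 has no ".." component. spec.chart.* values come from the
# file under review, so cache paths built from them must stay inside CACHEDIR.
function isConfinedPath {
    [[ "/${1}/" != *"/../"* ]]
}

# Check that a download/clone into cache path $2 produced chart directory $1.
# On failure the cache entry is removed so the next run does not treat an empty
# directory as "cached sources".
function cacheFilled {
    if [[ -n "${1}" && -d "${1}" ]]; then
        return 0
    fi
    >&2 echo "Retrieving chart sources into ${2} failed, discarding cache entry"
    rm -rf "${2}"
    return 1
}

# Reduce a git URL to "host/owner/repo" so ssh://, https://, http://, git@host:
# and scp-style forms of the same repository compare equal.
function normaliseGitUrl {
    echo "${1}" | sed -e 's/ssh:\/\///' -e 's/http:\/\///' -e 's/https:\/\///' -e 's/git@//' -e 's/:/\//' -e 's/\.git$//'
}

# Download the chart referenced by HelmRelease file $1 from its Helm repository
# into directory $2 and print "$2/<chart name>" as the last line of stdout
# (Helm's own output precedes it; callers use `tail -n1`). $3 is accepted for
# compatibility with existing callers but unused: HELM_VER selects the binary.
# The repository is registered under the md5 of its URL so that two releases
# pointing at different repositories can never collide on a name.
function download {
    CHART_REPO="$(yq r "${1}" spec.chart.repository)"
    CHART_NAME="$(yq r "${1}" spec.chart.name)"
    CHART_VERSION="$(yq r "${1}" spec.chart.version)"
    CHART_DIR="${2}/${CHART_NAME}"

    CHART_REPO_MD5=$(/bin/echo "${CHART_REPO}" | /usr/bin/md5sum | cut -f1 -d" ")

    local helm_bin
    helm_bin="$(helmBin)"

    if ! isHelmRepoAdded "${CHART_REPO_MD5}"; then
        # (Re-)register "stable" from charts.helm.sh, then add the release's repo.
        "${helm_bin}" repo rm stable
        "${helm_bin}" repo add stable https://charts.helm.sh/stable
        "${helm_bin}" repo add "${CHART_REPO_MD5}" "${CHART_REPO}"
        "${helm_bin}" repo update
    fi

    "${helm_bin}" fetch --version "${CHART_VERSION}" --untar "${CHART_REPO_MD5}/${CHART_NAME}" --untardir "${2}"

    echo "${CHART_DIR}"
}

# Initialise a git repository in directory $1, fetch remote URL $3 into it, check
# out ref $4, return to directory $5 and print $2 (the path the caller wants back).
# Fails instead of running git in the current directory when $1 cannot be entered.
# Credentials embedded in $3 are stripped from the stored remote afterwards so
# they are not persisted in .git/config (which may live in the long-lived CACHEDIR).
function fetch {
    cd "${1}" || { >&2 echo "Cannot enter ${1}"; return 1; }
    git init -q
    git remote add origin "${3}"
    git fetch -q origin
    git checkout -q "${4}"
    # "https://<user>:<token>@host/..." -> "https://host/..."; the remote is not used again.
    if [[ "${3}" == https://*@* ]]; then
        git remote set-url origin "https://${3#https://*@}"
    fi
    cd "${5}" || return 1
    echo "${2}"
}

# Clone the git-sourced chart referenced by HelmRelease file $1 into $2 and print
# "$2/<spec.chart.path>". $3 is the PR head branch and $4 its base branch: when the
# chart lives in the repository under review and the release pins the base branch,
# the head branch is fetched instead so the PR's own chart changes get validated.
# GITHUB_TOKEN or GITLAB_CI_TOKEN, when set, authenticate the clone.
function clone {
    ORIGIN=$(git rev-parse --show-toplevel)
    CHART_GIT_REPO=$(yq r "${1}" spec.chart.git)
    RELEASE_GIT_REPO=$(git remote get-url origin)

    CHART_BASE_URL=$(normaliseGitUrl "${CHART_GIT_REPO}")
    RELEASE_BASE_URL=$(normaliseGitUrl "${RELEASE_GIT_REPO}")

    if [[ -n "${GITHUB_TOKEN}" ]]; then
        CHART_GIT_REPO="https://${GITHUB_TOKEN}:x-oauth-basic@${CHART_BASE_URL}"
    elif [[ -n "${GITLAB_CI_TOKEN}" ]]; then
        CHART_GIT_REPO="https://gitlab-ci-token:${GITLAB_CI_TOKEN}@${CHART_BASE_URL}"
    fi

    GIT_REF=$(yq r "${1}" spec.chart.ref)
    CHART_PATH=$(yq r "${1}" spec.chart.path)

    if [[ -n "${3}" ]] && [[ "${CHART_BASE_URL}" == "${RELEASE_BASE_URL}" ]] && [[ "${GIT_REF}" == "${4}" ]]; then
        # Chart lives in the head repository: validate the PR branch, not the base ref.
        fetch "${2}" "${2}/${CHART_PATH}" "${RELEASE_GIT_REPO}" "${3}" "${ORIGIN}"
    else
        fetch "${2}" "${2}/${CHART_PATH}" "${CHART_GIT_REPO}" "${GIT_REF}" "${ORIGIN}"
    fi
}

# Print the directory holding the chart sources for HelmRelease file $1, fetching
# them into temp dir $2 or, when CACHEDIR is set, into a per-chart cache path that
# is reused by later runs. Progress goes to stderr so stdout carries only the path;
# on failure nothing is printed and the function returns 1.
function retrieve_sources {
    HELM_RELEASE="${1}"
    TMPDIR="${2}"

    CHART_PATH=$(yq r "${HELM_RELEASE}" spec.chart.path)

    if [[ -z "${CACHEDIR}" ]]; then
        # Retrieve files directly into the temp dir.
        if [[ -z "${CHART_PATH}" ]]; then
            >&2 echo "Downloading to ${TMPDIR}"
            CHART_DIR=$(download "${HELM_RELEASE}" "${TMPDIR}" "${HELM_VER}" | tail -n1)
        else
            >&2 echo "Cloning to ${TMPDIR}"
            CHART_DIR=$(clone "${HELM_RELEASE}" "${HRVAL_HEAD_BRANCH:+${TMPDIR}}${HRVAL_HEAD_BRANCH:-${TMPDIR}}" "${HRVAL_HEAD_BRANCH}" "${HRVAL_BASE_BRANCH}" | tail -n1)
        fi

    elif [[ -z "${CHART_PATH}" ]]; then
        # Helm-repo chart: cache key is <md5 of repo URL>/<chart>/<version>.
        CHART_REPO=$(yq r "${HELM_RELEASE}" spec.chart.repository)
        CHART_REPO_MD5=$(/bin/echo "${CHART_REPO}" | /usr/bin/md5sum | cut -f1 -d" ")
        CHART_NAME=$(yq r "${HELM_RELEASE}" spec.chart.name)
        CHART_VERSION=$(yq r "${HELM_RELEASE}" spec.chart.version)
        CHART_LOCAL_PATH="${CACHEDIR}/${CHART_REPO_MD5}/${CHART_NAME}/${CHART_VERSION}"

        if ! isConfinedPath "${CHART_LOCAL_PATH}"; then
            >&2 echo "Refusing cache path with a '..' component: ${CHART_LOCAL_PATH}"
            return 1
        fi

        if [[ ! -d "${CHART_LOCAL_PATH}" ]]; then
            mkdir -p "${CHART_LOCAL_PATH}"
            >&2 echo "Downloading to ${CHART_LOCAL_PATH}"
            CHART_DIR=$(download "${HELM_RELEASE}" "${CHART_LOCAL_PATH}" "${HELM_VER}" | tail -n1)
            cacheFilled "${CHART_DIR}" "${CHART_LOCAL_PATH}" || return 1
        else
            >&2 echo "Using cached sources from ${CHART_LOCAL_PATH}"
            CHART_DIR="${CHART_LOCAL_PATH}/${CHART_NAME}"
        fi

    else
        # Git chart: cache key is <repo URL>/<ref>.
        CHART_GIT_REPO=$(yq r "${1}" spec.chart.git)
        CHART_PATH=$(yq r "${1}" spec.chart.path)
        GIT_REF=$(yq r "${1}" spec.chart.ref)

        CHART_LOCAL_PATH="${CACHEDIR}/${CHART_GIT_REPO}/${GIT_REF}"

        if ! isConfinedPath "${CHART_LOCAL_PATH}"; then
            >&2 echo "Refusing cache path with a '..' component: ${CHART_LOCAL_PATH}"
            return 1
        fi

        if [[ ! -d "${CHART_LOCAL_PATH}" ]]; then
            mkdir -p "${CHART_LOCAL_PATH}"
            >&2 echo "Cloning to ${CHART_LOCAL_PATH}"
            CHART_DIR=$(clone "${HELM_RELEASE}" "${CHART_LOCAL_PATH}" "${HRVAL_HEAD_BRANCH}" "${HRVAL_BASE_BRANCH}" | tail -n1)
            cacheFilled "${CHART_DIR}" "${CHART_LOCAL_PATH}" || return 1
        else
            >&2 echo "Using cached sources from ${CHART_LOCAL_PATH}"
            CHART_DIR="${CHART_LOCAL_PATH}/${CHART_PATH}"
        fi
    fi

    echo "${CHART_DIR}"
}

# Render chart directory $1 for release $2 in namespace $3 with values file $4 into
# manifest file $5, using the Helm v2 or v3 command line as selected by HELM_VER.
# Dependencies are built first for git-sourced charts (CHART_PATH set); charts
# fetched from a Helm repository already ship their dependencies.
function renderRelease {
    if [[ "${HELM_VER}" == "v3" ]]; then
        if [[ "${CHART_PATH}" ]]; then
            helmv3 dependency build "${1}"
        fi
        helmv3 template "${2}" "${1}" \
            --namespace "${3}" \
            --skip-crds=true \
            -f "${4}" > "${5}"
    else
        if [[ "${CHART_PATH}" ]]; then
            helm dependency build "${1}"
        fi
        helm template "${1}" \
            --name "${2}" \
            --namespace "${3}" \
            -f "${4}" > "${5}"
    fi
}

# Entry point: render the HelmRelease named by $HELM_RELEASE and validate the
# resulting manifests against the Kubernetes ${KUBE_VER} schemas with kubeval.
# Honours HELM_VER, IGNORE_VALUES, CACHEDIR, HRVAL_HEAD_BRANCH and HRVAL_BASE_BRANCH.
# Exits 1 when the file is not a HelmRelease, when the chart sources cannot be
# retrieved, or when rendering fails; otherwise the exit status is kubeval's.
function validate {
    if [[ $(isHelmRelease "${HELM_RELEASE}") == "false" ]]; then
        echo "\"${HELM_RELEASE}\" is not of kind HelmRelease!"
        exit 1
    fi

    TMPDIR="$(mktemp -d)"
    # Extracted values and rendered manifests can hold secrets; never leave them behind.
    trap 'rm -rf "${TMPDIR}"' EXIT

    CHART_DIR=$(retrieve_sources "${HELM_RELEASE}" "${TMPDIR}")
    # retrieve_sources runs in a subshell, so its failures surface here as an
    # empty or missing chart directory rather than as an exit of this script.
    if [[ -z "${CHART_DIR}" || ! -d "${CHART_DIR}" ]]; then
        >&2 echo "Failed to retrieve chart sources for ${HELM_RELEASE}"
        exit 1
    fi
    CHART_PATH=$(yq r "${HELM_RELEASE}" spec.chart.path)

    HELM_RELEASE_NAME=$(yq r "${HELM_RELEASE}" metadata.name)
    HELM_RELEASE_NAMESPACE=$(yq r "${HELM_RELEASE}" metadata.namespace)

    local values_file="${TMPDIR}/${HELM_RELEASE_NAME}.values.yaml"
    local release_file="${TMPDIR}/${HELM_RELEASE_NAME}.release.yaml"

    if [[ "${IGNORE_VALUES}" == "true" ]]; then
        echo "Ignoring Helm release values"
        echo "" > "${values_file}"
    else
        echo "Extracting values to ${values_file}"
        yq r -X "${HELM_RELEASE}" spec.values > "${values_file}"
    fi

    echo "Writing Helm release to ${release_file}"
    # A failed render leaves an empty manifest file that kubeval would accept, so
    # stop here instead of reporting a silently "valid" release.
    if ! renderRelease "${CHART_DIR}" "${HELM_RELEASE_NAME}" "${HELM_RELEASE_NAMESPACE}" "${values_file}" "${release_file}"; then
        >&2 echo "Rendering Helm release ${HELM_RELEASE_NAME}.${HELM_RELEASE_NAMESPACE} failed"
        exit 1
    fi

    echo "Validating Helm release ${HELM_RELEASE_NAME}.${HELM_RELEASE_NAMESPACE} against Kubernetes ${KUBE_VER}"
    kubeval --strict --ignore-missing-schemas --kubernetes-version "${KUBE_VER}" "${release_file}"
}

validate
 -------------------------------------------------------------------------------- /test/flagger.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 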
4 | name: flagger 5 | namespace: flagger-system 6 | spec: 7 | releaseName: flagger 8 | chart: 9 | repository: https://flagger.app 10 | name: flagger 11 | version: 0.19.0 12 | values: 13 | crd: 14 | create: true 15 | prometheus: 16 | install: true 17 | rbac: 18 | create: true 19 | pspEnabled: true 20 | -------------------------------------------------------------------------------- /test/podinfo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: podinfo 5 | namespace: demo 6 | spec: 7 | releaseName: podinfo 8 | chart: 9 | git: https://github.com/stefanprodan/podinfo 10 | ref: 3.0.0 11 | path: charts/podinfo 12 | values: 13 | hpa: 14 | enabled: true 15 | maxReplicas: 10 16 | cpu: 90 17 | memory: 200Mi 18 | ingress: 19 | enabled: true 20 | annotations: 21 | kubernetes.io/ingress.class: nginx 22 | path: /* 23 | hosts: [] 24 | -------------------------------------------------------------------------------- /test/subdirectory/ghost.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.fluxcd.io/v1 3 | kind: HelmRelease 4 | metadata: 5 | name: ghost 6 | namespace: demo 7 | spec: 8 | releaseName: ghost 9 | chart: 10 | git: https://github.com/fluxcd/flux-get-started 11 | ref: master 12 | path: charts/ghost 13 | values: 14 | image: 15 | repository: bitnami/ghost 16 | tag: 3.1.1-debian-9-r0 17 | persistence: 18 | enabled: false 19 | resources: 20 | requests: 21 | memory: 32Mi 22 | cpu: 10m 23 | serviceType: ClusterIP 24 | mariadb: 25 | persistence: 26 | enabled: false 27 | -------------------------------------------------------------------------------- /test/subdirectory/not-a-yaml-file: -------------------------------------------------------------------------------- 1 | foo 2 | -------------------------------------------------------------------------------- /test/subdirectory/some-other-yaml.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: foo 5 | annotations: 6 | description: a file which should not get tested by hrval 7 | data: {} 8 | --------------------------------------------------------------------------------