feat(workload): render GitOps manifests in-process for validate & scan (#5344) (#5356)

* feat(workload): add in-process GitOps render package (#5344)

Introduce pkg/svc/gitops/render, which expands a kustomize-built, Flux-substituted manifest stream into the resources Flux actually applies: each HelmRelease is resolved against the OCIRepository/HelmRepository sources in the same stream and rendered in-process via the embedded Helm client (helm.TemplateChart). Successfully rendered releases replace their CR; unrenderable ones (GitRepository sources, charts unreachable offline, missing sources) degrade gracefully — the CR is kept and a Degradation is recorded — so a run never hard-fails purely because a chart can't be resolved offline.

Rendering is exposed behind a ChartResolver interface so callers can validate/scan the real applied manifests offline; wiring into the validate and scan commands follows in subsequent changes for #5344.

Also fix a latent data race the renderer exposes: the Helm client mutated the process-global HELM_HTTP_TIMEOUT env var around each repository chart locate; concurrent renders now serialize that set/restore under a package-level mutex (covered by a new -race test).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* feat(workload): render HelmReleases in 'validate' (#5344)

ksail workload validate now renders HelmReleases in-process before validating, so the manifests Flux actually applies (Deployments, Services, …) are schema-checked — not just the opaque HelmRelease CR. For each kustomization, the build output is Flux-substituted, then HelmReleases are resolved against the OCIRepository/HelmRepository sources in the same directory and rendered via the embedded Helm client; the rendered children are validated with kubeconform.

Rendering is on by default and controlled by the new spec.workload.validation.helmRender config field and the --skip-helm-render flag. HelmReleases that cannot be rendered offline (GitRepository sources, unreachable/private registries, missing sources) degrade gracefully: the HelmRelease CR is validated as before and a warning is emitted, so a run never hard-fails purely because a chart could not be resolved. Rendering applies to kustomization builds only; a single-file input remains a CR-schema check (keeping the gen-smoke CI canary green). Push-time validation keeps its existing CR-level behavior.

Adds the shared gitopsRenderer/degradationSink helpers (also used by scan next), offline integration tests (valid render passes, invalid rendered manifest fails, unreachable chart degrades, --skip-helm-render bypasses, single-file canary), and regenerated schema/CRD/docs/chat artifacts.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* feat(workload): scan the rendered output in 'scan' (#5344)

ksail workload scan now scans the manifests Flux actually applies instead of the raw files: when the target directory is a Kustomize root, it is rendered (Kustomize build + Flux substitution + in-process Helm templating) to a temp directory which kubescape then scans. Findings therefore reflect overlay patches that weaken a base and the output of rendered charts, not just the opaque HelmRelease/Kustomize sources.

Rendering reuses the gitopsRenderer from the validate change and is on by default, honoring spec.workload.validation.helmRender. A new --raw flag restores the previous raw-file behavior for one release while consumers migrate (kept visible in --help so the escape hatch is discoverable). The rendered temp directory is canonicalized for kubescape and always cleaned up via defer. Single files and directories without a kustomization are scanned as-is, matching prior behavior.

Removes the now-unused resolveValidatePathFromCmd helper (scan loads config directly, like validate). Adds offline tests for the render-vs-raw decision and temp-dir cleanup via an ExportResolveScanInput seam, and regenerates the scan flag + chat docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(workload): isolate Helm client per render; simplify degradation reporting (#5344)

Code-review follow-up on the GitOps rendering work. The gitopsRenderer previously held one shared Helm client, but validate renders kustomizations in parallel — concurrent TemplateChart calls on a shared helm.action.Configuration are not safe. Construct a fresh template-only client per render instead (cheap, no cluster access); the stateless kustomize client is still shared. Adds a -race regression test that renders multiple kustomizations concurrently.

Simplifications from the same review: extract a shared warnDegradations helper so scan's renderToTempDir no longer builds a throwaway degradationSink; newGitOpsRenderer no longer returns an error (client moved into expand), dropping the error plumbing in buildValidateRenderer and resolveScanInput; and expandHelmRelease reuses the already-parsed objectMeta instead of re-parsing the document.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: devantler

charts/ksail-operator/crds/ksail.io_clusters.yaml

@@ -938,6 +938,10 @@ spec:
                     description: ValidationConfig defines configuration for the workload
                       validate command.
                     properties:
+                      helmRender:
+                        description: HelmRender controls whether HelmReleases are
+                          rendered before validation.
+                        type: boolean
                       skipKinds:
                         description: |-
                           SkipKinds lists additional Kubernetes kinds to skip during validation.

docs/src/content/docs/cli-flags/workload/workload-scan.mdx

@@ -11,6 +11,12 @@ Run security scans on Kubernetes manifests using Kubescape.
 This command scans manifests in the specified path against security frameworks
 such as NSA-CISA, MITRE ATT&CK, and CIS Benchmarks.
 
+When the target directory is a Kustomize root, manifests are rendered before
+scanning (Kustomize build + Flux variable substitution + in-process Helm
+templating of HelmReleases), so findings reflect overlay patches and chart output
+rather than the raw files. HelmReleases that cannot be rendered offline are left
+as-is with a warning. Use --no-render to scan the raw files instead.
+
 If no path is provided, the path is resolved in order:
   1. spec.workload.sourceDirectory from ksail.yaml (if a config file is found and the field is set)
   2. The default source directory when spec.workload.sourceDirectory is unset ("k8s" directory)
@@ -28,6 +34,7 @@ Flags:
       --compliance-threshold float32   Fail if compliance score is below this threshold (0-100)
       --format string                  Output format (pretty-printer, json, sarif, junit) (default "pretty-printer")
       --framework strings              Security frameworks to scan against (e.g. nsa, mitre, cis, pss) (default [nsa])
+      --no-render                      Scan the raw manifest files instead of the Kustomize + Helm rendered output (skip rendering entirely; restores the pre-rendering behavior)
   -o, --output string                  Output file path (stdout if empty)
       --verbose                        Show all resources in output, not just failed ones
 

docs/src/content/docs/cli-flags/workload/workload-validate.mdx

@@ -40,6 +40,7 @@ Usage:
 
 Flags:
       --ignore-missing-schemas   Ignore resources with missing schemas (default true)
+      --skip-helm-render         Skip rendering HelmReleases before validation (validate the HelmRelease CR as-is). By default, charts are rendered in-process and the rendered manifests are validated.
       --skip-kinds strings       Additional Kubernetes kinds to skip during validation (merged with spec.workload.validation.skipKinds from ksail.yaml)
       --skip-secrets             Skip validation of Kubernetes Secrets (default true)
       --strict                   Enable strict validation mode

pkg/apis/cluster/v1alpha1/types.go

@@ -210,6 +210,9 @@ type ValidationConfig struct {
 	// kubeconform would otherwise reject (e.g. valid newer fields flagged as
 	// "additional properties not allowed").
 	SkipKinds []string `json:"skipKinds,omitzero" jsonschema_description:"Additional Kubernetes kinds to skip during 'ksail workload validate' (Secrets are skipped by default via --skip-secrets). Use for CRDs whose CRDs-catalog schema is stale or missing, which kubeconform would otherwise reject."` //nolint:lll
+
+	// HelmRender controls whether HelmReleases are rendered before validation.
+	HelmRender *bool `json:"helmRender,omitzero" jsonschema_description:"Render HelmReleases (Kustomize + Helm) before 'ksail workload validate' so the actually-applied manifests are validated rather than the opaque HelmRelease CR. Charts are resolved from the OCIRepository/HelmRepository sources in the same directory and rendered in-process; releases that cannot be rendered offline fall back to validating the CR. Defaults to true. Override per-run with --skip-helm-render."` //nolint:lll
 }
 
 // WatchConfig defines configuration for the workload watch command.

pkg/apis/cluster/v1alpha1/zz_generated.deepcopy.go

@@ -158,6 +158,12 @@ Run security scans on Kubernetes manifests using Kubescape.
 This command scans manifests in the specified path against security frameworks
 such as NSA-CISA, MITRE ATT&CK, and CIS Benchmarks.
 
+When the target directory is a Kustomize root, manifests are rendered before
+scanning (Kustomize build + Flux variable substitution + in-process Helm
+templating of HelmReleases), so findings reflect overlay patches and chart output
+rather than the raw files. HelmReleases that cannot be rendered offline are left
+as-is with a warning. Use --no-render to scan the raw files instead.
+
 If no path is provided, the path is resolved in order:
   1. spec.workload.sourceDirectory from ksail.yaml (if a config file is found and the field is set)
   2. The default source directory when spec.workload.sourceDirectory is unset ("k8s" directory)
@@ -176,6 +182,7 @@ Flags:
       --format string                  Output format (pretty-printer, json, sarif, junit) (default "pretty-printer")
       --framework strings              Security frameworks to scan against (e.g. nsa, mitre, cis, pss) (default [nsa])
   -h, --help                           help for scan
+      --no-render                      Scan the raw manifest files instead of the Kustomize + Helm rendered output (skip rendering entirely; restores the pre-rendering behavior)
   -o, --output string                  Output file path (stdout if empty)
       --verbose                        Show all resources in output, not just failed ones
 
@@ -217,6 +224,7 @@ Usage:
 Flags:
   -h, --help                     help for validate
       --ignore-missing-schemas   Ignore resources with missing schemas (default true)
+      --skip-helm-render         Skip rendering HelmReleases before validation (validate the HelmRelease CR as-is). By default, charts are rendered in-process and the rendered manifests are validated.
       --skip-kinds strings       Additional Kubernetes kinds to skip during validation (merged with spec.workload.validation.skipKinds from ksail.yaml)
       --skip-secrets             Skip validation of Kubernetes Secrets (default true)
       --strict                   Enable strict validation mode
@@ -3123,6 +3131,12 @@ Run security scans on Kubernetes manifests using Kubescape.
 This command scans manifests in the specified path against security frameworks
 such as NSA-CISA, MITRE ATT&CK, and CIS Benchmarks.
 
+When the target directory is a Kustomize root, manifests are rendered before
+scanning (Kustomize build + Flux variable substitution + in-process Helm
+templating of HelmReleases), so findings reflect overlay patches and chart output
+rather than the raw files. HelmReleases that cannot be rendered offline are left
+as-is with a warning. Use --no-render to scan the raw files instead.
+
 If no path is provided, the path is resolved in order:
   1. spec.workload.sourceDirectory from ksail.yaml (if a config file is found and the field is set)
   2. The default source directory when spec.workload.sourceDirectory is unset ("k8s" directory)
@@ -3141,6 +3155,7 @@ Flags:
       --format string                  Output format (pretty-printer, json, sarif, junit) (default "pretty-printer")
       --framework strings              Security frameworks to scan against (e.g. nsa, mitre, cis, pss) (default [nsa])
   -h, --help                           help for scan
+      --no-render                      Scan the raw manifest files instead of the Kustomize + Helm rendered output (skip rendering entirely; restores the pre-rendering behavior)
   -o, --output string                  Output file path (stdout if empty)
       --verbose                        Show all resources in output, not just failed ones
 
@@ -3186,6 +3201,7 @@ Usage:
 Flags:
   -h, --help                     help for validate
       --ignore-missing-schemas   Ignore resources with missing schemas (default true)
+      --skip-helm-render         Skip rendering HelmReleases before validation (validate the HelmRelease CR as-is). By default, charts are rendered in-process and the rendered manifests are validated.
       --skip-kinds strings       Additional Kubernetes kinds to skip during validation (merged with spec.workload.validation.skipKinds from ksail.yaml)
       --skip-secrets             Skip validation of Kubernetes Secrets (default true)
       --strict                   Enable strict validation mode

pkg/cli/cmd/workload/__snapshots__/workload_test.snap

@@ -121,6 +121,25 @@ func ExportHasKustomizationFile(dir string) bool {
 	return hasKustomizationFile(dir)
 }
 
+// ExportResolveScanInput exposes resolveScanInput for testing the scan render
+// decision (rendered temp dir vs raw path) and temp-dir cleanup without
+// invoking kubescape.
+func ExportResolveScanInput(
+	ctx context.Context,
+	cmd *cobra.Command,
+	path string,
+	cfg *v1alpha1.Cluster,
+	configFound, noRender bool,
+) (string, func(), error) {
+	return resolveScanInput(ctx, cmd, path, cfg, configFound, noRender)
+}
+
+// ExportResolveScanOutput exposes resolveScanOutput for testing the scan
+// --output directory creation and canonicalization.
+func ExportResolveScanOutput(output string) (string, error) {
+	return resolveScanOutput(output)
+}
+
 // ExportPollInterval exposes the engine's poll interval constant for testing.
 const ExportPollInterval = workloadwatch.PollInterval
 

pkg/cli/cmd/workload/export_test.go

@@ -171,10 +171,16 @@ func validateManifests(cmd *cobra.Command, sourceDir string, outputTimer timer.T
 		cmd.Context(),
 		cmd,
 		[]string{sourceDir},
-		true, // skipSecrets
-		true, // strict
-		true, // ignoreMissingSchemas
-		nil,  // extra skip-kinds are read from ksail.yaml (configuredSkipKinds)
+		validateFlags{
+			skipSecrets:          true,
+			strict:               true,
+			ignoreMissingSchemas: true,
+			// Push-time validation keeps the existing CR-level check (no Helm
+			// render) so a push stays fast and offline; `ksail workload validate`
+			// is where rendered-manifest validation applies.
+			skipHelmRender: true,
+			skipKinds:      nil, // extra skip-kinds are read from ksail.yaml (configuredSkipKinds)
+		},
 	)
 	if err != nil {
 		return fmt.Errorf("validate manifests: %w", err)

pkg/cli/cmd/workload/push.go

@@ -0,0 +1,143 @@
+package workload
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/devantler-tech/ksail/v7/pkg/client/helm"
+	"github.com/devantler-tech/ksail/v7/pkg/client/kustomize"
+	"github.com/devantler-tech/ksail/v7/pkg/notify"
+	"github.com/devantler-tech/ksail/v7/pkg/svc/fluxsubst"
+	"github.com/devantler-tech/ksail/v7/pkg/svc/gitops/render"
+	"github.com/spf13/cobra"
+)
+
+// renderedManifestPerm is the permission for the rendered manifests file written
+// to the scan temp directory.
+const renderedManifestPerm = 0o600
+
+// gitopsRenderer expands a kustomization directory into the manifests Flux
+// actually applies: Kustomize build, Flux variable substitution, then in-process
+// Helm rendering of HelmReleases. It is shared by the validate and scan commands.
+type gitopsRenderer struct {
+	kustomize *kustomize.Client
+}
+
+// newGitOpsRenderer constructs a renderer. The kustomize client is stateless and
+// safe to share across goroutines; the Helm template client is created per
+// kustomization in expand (see below).
+func newGitOpsRenderer() *gitopsRenderer {
+	return &gitopsRenderer{kustomize: kustomize.NewClient()}
+}
+
+// expand builds, substitutes, and Helm-renders one kustomization directory. The
+// kustomize build error is returned unwrapped so the caller's simplifyBuildError
+// can strip the verbose "kustomize build <path>:" prefix.
+//
+// A fresh Helm template client is created per call: helm's action.Configuration
+// is not safe for concurrent use, and validate renders kustomizations in
+// parallel, so each render must be isolated. Construction needs no cluster
+// access and is cheap.
+func (g *gitopsRenderer) expand(ctx context.Context, kustDir string) (render.Result, error) {
+	output, err := g.kustomize.Build(ctx, kustDir)
+	if err != nil {
+		return render.Result{}, err //nolint:wrapcheck // caller strips the kustomize prefix
+	}
+
+	helmClient, err := helm.NewTemplateOnlyClient()
+	if err != nil {
+		return render.Result{}, fmt.Errorf("create helm template client: %w", err)
+	}
+
+	expanded := fluxsubst.ExpandFluxSubstitutions(output.Bytes())
+
+	result, err := render.Expand(ctx, expanded, render.Options{
+		Resolver: render.NewHelmChartResolver(helmClient),
+	})
+	if err != nil {
+		return render.Result{}, fmt.Errorf("expand HelmReleases: %w", err)
+	}
+
+	return result, nil
+}
+
+// renderToTempDir renders one kustomization directory to a fresh temp directory
+// and returns it together with a cleanup func, so a file-based scanner
+// (kubescape) can read the actually-applied manifests. Non-silent render
+// degradations are warned to the user. The caller must invoke cleanup (e.g. via
+// defer) to remove the temp directory.
+func (g *gitopsRenderer) renderToTempDir(
+	ctx context.Context,
+	cmd *cobra.Command,
+	kustDir string,
+) (string, func(), error) {
+	result, err := g.expand(ctx, kustDir)
+	if err != nil {
+		return "", nil, fmt.Errorf("render %q: %w", kustDir, err)
+	}
+
+	tmpDir, err := os.MkdirTemp("", "ksail-scan-*")
+	if err != nil {
+		return "", nil, fmt.Errorf("create scan temp dir: %w", err)
+	}
+
+	cleanup := func() { _ = os.RemoveAll(tmpDir) }
+
+	manifestPath := filepath.Join(tmpDir, "manifests.yaml")
+
+	err = os.WriteFile(manifestPath, result.Bytes(), renderedManifestPerm)
+	if err != nil {
+		cleanup()
+
+		return "", nil, fmt.Errorf("write rendered manifests: %w", err)
+	}
+
+	warnDegradations(cmd, result.Degradations)
+
+	return tmpDir, cleanup, nil
+}
+
+// degradationSink collects render degradations across parallel validation tasks
+// so they can be reported once after the progress group completes (emitting
+// mid-group would interleave with the ANSI progress display).
+type degradationSink struct {
+	mu   sync.Mutex
+	list []render.Degradation
+}
+
+// add records degradations from one render result for later reporting.
+func (s *degradationSink) add(degradations []render.Degradation) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.list = append(s.list, degradations...)
+}
+
+// report warns about all collected degradations.
+func (s *degradationSink) report(cmd *cobra.Command) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	warnDegradations(cmd, s.list)
+}
+
+// warnDegradations emits a warning for each non-silent render degradation. Silent
+// degradations (e.g. a source object owned by a different kustomization) are
+// skipped to avoid noise on large repos.
+func warnDegradations(cmd *cobra.Command, degradations []render.Degradation) {
+	for _, degradation := range degradations {
+		if degradation.Silent {
+			continue
+		}
+
+		notify.WriteMessage(notify.Message{
+			Type:    notify.WarningType,
+			Content: "skipped Helm render for HelmRelease %s (validating the resource as-is): %s",
+			Args:    []any{degradation.HelmRelease, degradation.Reason},
+			Writer:  cmd.ErrOrStderr(),
+		})
+	}
+}