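# Cluster CI: validates the ArgoCD app tree, renders every kustomization
# (Helm charts included) and schema-checks the result, then checks Kyverno
# policies and lints the shell scripts.
#
# Supply-chain note: third-party actions below are pinned to major-version
# tags. Pinning each `uses:` to a full commit SHA
# (uses: owner/action@<commit-sha-placeholder>  # vN) would close the window
# in which a moved tag can change what runs here.
name: Cluster CI

on:  # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - infrastructure/**
      - monitoring/**
      - my-apps/**
      - scripts/**  # already covers the explicit script path below
      - scripts/validate-argocd-apps.sh
      - .github/workflows/cluster-ci.yml
  push:
    branches:
      - main
    paths:
      - infrastructure/**
      - monitoring/**
      - my-apps/**
      - scripts/**  # already covers the explicit script path below
      - scripts/validate-argocd-apps.sh
      - .github/workflows/cluster-ci.yml

# Least privilege: no job writes to the repo, issues, PRs or packages.
permissions:
  contents: read

jobs:
  argocd-structure:
    name: ArgoCD Structure Validation
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The token is not needed after the clone; don't leave it in .git/config
          # where a script in this repo could read it.
          persist-credentials: false
      - name: Validate ArgoCD app topology
        run: bash ./scripts/validate-argocd-apps.sh

  render-and-schema:
    name: Kustomize Render and Schema Validation
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v2
        with:
          # Quoted so it stays a string for the action regardless of YAML typing.
          kustomize-version: "5.4.2"
      - name: Setup Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.16.2
      - name: Install kubeconform
        run: |
          set -euo pipefail
          KUBECONFORM_VERSION="v0.6.7"
          BASE_URL="https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}"
          # -f: fail on an HTTP error instead of saving the error page as the archive.
          curl -fsSL -o /tmp/kubeconform.tar.gz "${BASE_URL}/kubeconform-linux-amd64.tar.gz"
          curl -fsSL -o /tmp/CHECKSUMS "${BASE_URL}/CHECKSUMS"
          # Verify the archive against the release's published checksum list before
          # extracting or executing anything from it. This is same-origin, so it
          # catches a corrupted or swapped asset, not a compromised release; pinning
          # the expected SHA-256 of the v0.6.7 archive directly in this workflow
          # (<sha256-placeholder>) would be the stronger check.
          (cd /tmp && sha256sum --check --ignore-missing CHECKSUMS)
          tar -xzf /tmp/kubeconform.tar.gz -C /tmp
          sudo mv /tmp/kubeconform /usr/local/bin/kubeconform
          kubeconform -v
      - name: Render all kustomizations
        run: |
          set -euo pipefail
          mapfile -t dirs < <(find infrastructure monitoring my-apps -type f -name kustomization.yaml -exec dirname {} \; | sort -u)
          if [ "${#dirs[@]}" -eq 0 ]; then
            echo "No kustomization directories found."
            exit 1
          fi
          : > /tmp/all-manifests.yaml
          # --enable-helm lets kustomize pull Helm charts over the network at CI
          # time; what gets rendered depends on the chart versions pinned in the
          # kustomizations, so keep those pinned.
          for dir in "${dirs[@]}"; do
            echo "Rendering ${dir}"
            kustomize build "${dir}" --enable-helm >> /tmp/all-manifests.yaml
            echo "---" >> /tmp/all-manifests.yaml
          done
      - name: Validate Kubernetes schemas
        run: |
          set -euo pipefail
          # Filter out Gitea Helm-rendered Service gitea-http (targetPort triggers
          # oneOf false positive in kubeconform — valid K8s but ambiguous schema match).
          # Split multi-doc YAML into per-document files, skip the offending one.
          csplit -z -f /tmp/doc- /tmp/all-manifests.yaml '/^---$/' '{*}' > /dev/null
          : > /tmp/filtered-manifests.yaml
          for f in /tmp/doc-*; do
            # -x matches the whole line, so `kind: ServiceAccount` / `kind: ServiceMonitor`
            # documents are no longer skipped by accident. The name match is still a
            # substring match anywhere in the document (labels included) — a doc that
            # is not the gitea-http Service could be skipped; tighten if that bites.
            if grep -qx 'kind: Service' "$f" && grep -q 'name: gitea-http' "$f"; then
              continue
            fi
            cat "$f" >> /tmp/filtered-manifests.yaml
          done
          # -ignore-missing-schemas: resources whose kind has no schema in either
          # location (e.g. CRDs missing from the catalog) pass silently rather than
          # failing the job. The CRD catalog is fetched from a third-party repo at
          # CI time.
          kubeconform \
            -summary \
            -ignore-missing-schemas \
            -schema-location default \
            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
            /tmp/filtered-manifests.yaml

  kyverno-policy-safety:
    name: Kyverno Policy Safety Check
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Check for dangerous Kyverno generate policy settings
        run: bash ./scripts/validate-kyverno-policies.sh

  shellcheck:
    name: Shell Script Lint (Informational)
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Informational only: findings are reported but never block the workflow.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install shellcheck
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y shellcheck
      - name: Run shellcheck on scripts
        run: |
          set -euo pipefail
          shellcheck -S warning scripts/*.sh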