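---
# Cluster CI: structural, schema and config validation for the GitOps tree.
# Runs on pull requests and on pushes to main that touch the manifest
# directories, the validation scripts, this workflow, or the Renovate config.
#
# NOTE(review): every third-party action below is pinned to a mutable
# major-version tag (`@v4`, `@v2`). Pinning each `uses:` to a full commit SHA
# (keeping the version in a trailing comment) is the stronger supply-chain
# posture; SHAs are deliberately not invented here.
name: Cluster CI

on:  # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - infrastructure/**
      - monitoring/**
      - my-apps/**
      - scripts/**
      # Already matched by scripts/** above; kept for explicitness.
      - scripts/validate-argocd-apps.sh
      - .github/workflows/cluster-ci.yml
      - .github/renovate.json5
  push:
    branches:
      - main
    paths:
      - infrastructure/**
      - monitoring/**
      - my-apps/**
      - scripts/**
      # Already matched by scripts/** above; kept for explicitness.
      - scripts/validate-argocd-apps.sh
      - .github/workflows/cluster-ci.yml
      - .github/renovate.json5

# Least privilege: no job needs anything beyond reading the repository.
permissions:
  contents: read

jobs:
  argocd-structure:
    name: ArgoCD Structure Validation
    runs-on: ubuntu-latest
    # Bound runaway jobs; the GitHub default is 360 minutes.
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Validate ArgoCD app topology
        run: bash ./scripts/validate-argocd-apps.sh

  truenas-csi-contract:
    name: TrueNAS CSI Contract
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v2
        with:
          # Quoted so no YAML loader re-types the version string.
          kustomize-version: '5.4.2'

      - name: Validate official TrueNAS CSI deployment
        run: bash ./scripts/validate-truenas-csi.sh

  render-and-schema:
    name: Kustomize Render and Schema Validation
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v2
        with:
          kustomize-version: '5.4.2'

      - name: Setup Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.16.2

      - name: Install kubeconform
        # NOTE(review): the release archive is installed without being checked
        # against the checksums file published alongside the same release;
        # verifying it before the `mv` would close that gap.
        run: |
          set -euo pipefail
          KUBECONFORM_VERSION="v0.6.7"
          # -f: fail on an HTTP error instead of saving the error page as the
          # archive and letting tar produce a confusing failure later.
          curl -fsSL -o /tmp/kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
          tar -xzf /tmp/kubeconform.tar.gz -C /tmp
          sudo mv /tmp/kubeconform /usr/local/bin/kubeconform
          kubeconform -v

      - name: Render all kustomizations
        # Concatenates every kustomize build (Helm charts enabled) into one
        # multi-document stream consumed by the two validation steps below.
        run: |
          set -euo pipefail
          mapfile -t dirs < <(find infrastructure monitoring my-apps -type f -name kustomization.yaml -exec dirname {} \; | sort -u)
          if [ "${#dirs[@]}" -eq 0 ]; then
            echo "No kustomization directories found."
            exit 1
          fi
          : > /tmp/all-manifests.yaml
          for dir in "${dirs[@]}"; do
            echo "Rendering ${dir}"
            kustomize build "${dir}" --enable-helm >> /tmp/all-manifests.yaml
            echo "---" >> /tmp/all-manifests.yaml
          done

      - name: Validate Kubernetes schemas
        # NOTE(review): CRD schemas are fetched from the `main` branch of the
        # datreeio catalog at run time, so validation results can change
        # without any change in this repo; pinning that URL to a commit would
        # make runs reproducible.
        run: |
          set -euo pipefail
          # Filter a known kubeconform false positive:
          # - Gitea Helm-rendered Service gitea-http: targetPort triggers a
          #   oneOf ambiguity in the Kubernetes Service schema.
          # (kopiur CRDs are skipped via -ignore-missing-schemas below.)
          csplit -z -f /tmp/doc- /tmp/all-manifests.yaml '/^---$/' '{*}' > /dev/null
          : > /tmp/filtered-manifests.yaml
          for f in /tmp/doc-*; do
            # -x anchors to the whole line so ServiceAccount / ServiceMonitor
            # documents named gitea-http are still validated.
            if grep -qx 'kind: Service' "$f" && grep -q 'name: gitea-http' "$f"; then
              continue
            fi
            cat "$f" >> /tmp/filtered-manifests.yaml
          done
          kubeconform \
            -summary \
            -ignore-missing-schemas \
            -schema-location default \
            -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
            /tmp/filtered-manifests.yaml

      - name: Validate kopiur backup coverage
        # Replaces the retired pvc-plumber validate-restore-contract.sh and the
        # backup-exempt-contract job. Runs on the RENDERED stream so Helm-rendered
        # PVCs (gitea, tubesync) are covered. Hard-fails when a backed-up PVC is
        # missing its dataSourceRef (recreates EMPTY in DR) or a backed-up namespace
        # lacks the kopiur.home-operations.com/repo label (repo creds won't fan in);
        # warns on missing mover securityContext, uncovered+unexempt PVCs, and
        # backup-exempt PVCs missing the qualified reason annotation.
        #
        # NOTE(review): the fallback installs an unpinned pyyaml from PyPI; the
        # runner image normally ships it, but pinning the version would keep the
        # fallback deterministic.
        run: |
          set -euo pipefail
          python3 -c "import yaml" 2>/dev/null || pip3 install --quiet pyyaml
          python3 ./scripts/validate-kopiur-coverage.py /tmp/all-manifests.yaml

  # backup-exempt-contract job RETIRED 2026-06-27 (pvc-plumber removed). It
  # hard-failed on the bare `backup-exempt-reason` key because pvc-plumber denied
  # such PVCs on CREATE; with pvc-plumber gone, nothing enforces the key, so the
  # check is folded into validate-kopiur-coverage.py as a WARNING (grep-consistency
  # only). The coverage check runs as a step in the render-and-schema job above.

  otel-collector-validate:
    name: OpenTelemetry Collector Config Validation
    # Catches the class of bug that caused the 2026-04-20 9-hour
    # root-sync jam: a pipeline referencing a receiver that was removed.
    # Runs `otelcol validate` on each OpenTelemetryCollector's rendered
    # config so pipeline-receiver-exporter mismatches are rejected at
    # PR time instead of crashlooping in-cluster.
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Kustomize
        uses: imranismail/setup-kustomize@v2
        with:
          kustomize-version: '5.4.2'

      - name: Setup Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.16.2

      - name: Validate all OpenTelemetryCollector configs
        run: bash ./scripts/validate-otel-configs.sh

  renovate-config-validate:
    name: Renovate Config Validation
    # Catches the class of bug that opened issue #1284 on 2026-05-10:
    # `packageRules` cannot combine `matchUpdateTypes` and `versioning`,
    # but the validator only flags it at runtime — Renovate stops opening
    # PRs cluster-wide until fixed. Run validator on every PR that touches
    # .github/renovate.json5 so the bad rule never reaches main.
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          # Renovate >=41 requires Node >=22 and dropped Node 20. On Node 20,
          # `npx renovate` silently resolves to an old renovate major that
          # still uses `fileMatch`, so it rejects this repo's modern
          # `managerFilePatterns` config and fails EVERY renovate PR.
          node-version: '22'

      - name: Validate Renovate config
        # NOTE(review): `--package=renovate` resolves whichever renovate major
        # npm serves at run time; pinning `--package=renovate@<version>` would
        # make the validator's behaviour reproducible across runs.
        run: |
          set -euo pipefail
          # The validator looks at the filename to decide global vs repo
          # config; .github/renovate.json5 is treated as global, which
          # surfaces the same packageRules / managers errors we care about.
          npx --yes --package=renovate renovate-config-validator --strict .github/renovate.json5

  shellcheck:
    name: Shell Script Lint (Informational)
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Informational only: a lint failure never blocks the PR.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install shellcheck
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y shellcheck

      - name: Run shellcheck on scripts
        run: |
          set -euo pipefail
          shellcheck -S warning scripts/*.sh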