A Helm plugin to validate charts against the Datree policy
helm plugin install https://github.com/datreeio/helm-datree
Windows users can work around this by using Helm under WSL
helm plugin update datree
helm plugin uninstall datree
helm datree test [CHART_DIRECTORY]
If you need to pass helm arguments to your template, you will need to add --
before them:
helm datree test [CHART_DIRECTORY] -- --values values.yaml --set name=prod
By default, test files generated by Helm will be skipped. If you wish to include test files in your policy check, add the --include-tests
flag:
helm datree test --include-tests [CHART_DIRECTORY]
helm datree version
helm datree help
Helm might be installed through other tooling like microk8s. The DATREE_HELM_COMMAND
allows specifying a command to run helm (default: helm
):
DATREE_HELM_COMMAND="microk8s helm3" helm datree test [CHART_DIRECTORY]
If you have multiple charts inside a single directory, you can test all of them sequentially using the following script:
#!/bin/bash
path="${1:-.}"
final_exit_code=0
while read -r helmchart; do
dir="$(dirname "$helmchart")"
echo "*** Proceeding to test Helm chart: $helmchart ***"
set +e
helm datree test "$dir"
exitcode=$?
set -e
if [ "$exitcode" -gt "$final_exit_code" ]; then
final_exit_code="$exitcode"
fi
echo ""
done < <(find "$path" -type f -name 'Chart.y*ml')
if [ "$final_exit_code" = 0 ]; then
echo "Success"
else
echo "Violations found, returning exit code $final_exit_code"
fi
exit "$final_exit_code"
The script will run a policy check against all charts before exiting, and return 0 only if no violations were found in any of them.
This is useful for CI, to avoid the need to call datree test
multiple times.
helm plugin install https://github.com/datreeio/helm-datree
git clone [email protected]:datreeio/examples.git
helm datree test examples/helm-chart/nginx
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
env:
DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
jobs:
k8sPolicyCheck:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Run Datree Policy Check
uses: datreeio/action-datree@main
with:
path: 'myChartDirectory'
cliArguments: '--only-k8s-files'
isHelmChart: true
helmArguments: '--values values.yaml'
This is actually expected behavior because it's raised by Helm itself every time a plugin returns a non-zero exit code.
Therefore, if you will run datree plugin on a Chart that will pass the policy check, it will return 0 as exit code, and you will not see this error.
This error occurs when trying to scan Chart.yaml or values.yaml files instead of the chart directory.
Solution: Pass the helm chart directory path to Datree's CLI, instead of to the file itself:
- Correct -
helm datree test examples/helm-chart/nginx
- Wrong -
helm datree test examples/helm-chart/nginx/values.yaml
The best way to determine if a false-positive result is a bug or a true misconfiguration, is by rendering the Kubernetes manifest with helm and then checking it manually:
helm template [CHART_DIRECTORY]
If after eyeballing the rendered manifest you still suspect it's a bug, please open an issue.