This repository has been archived by the owner on Dec 17, 2021. It is now read-only.

A GitHub App that uses kubeval to validate all of that Kubernetes YAML in your repo


urcomputeringpal/kubevalidator

kubevalidator

A GitHub App that validates the Kubernetes YAML in your GitHub PRs using kubeval.

Example

Goals

  • Improve the experience of changing and reviewing YAML documents representing Kubernetes resources by detecting and highlighting errors automatically.
  • Allow validation against multiple schemas to support applications deployed to multiple Kubernetes clusters with disparate versions.
  • Explore the viability of writing a generalized Probot-like GitHub App toolkit in Golang.

Non-goals

  • Validate the syntax of your YAML. (Shameless plug: use YAMBURGER for that! It's kinda dope!)

Configuration

kubevalidator depends on you to tell it which YAML in your repository it should validate using a file at .github/kubevalidator.yaml. This repo's config is a decent example:

apiversion: v1alpha
kind: KubeValidatorConfig
spec:
  manifests:
  - glob: config/kubernetes/default/*/*.yaml
    schemas:
    - version: 1.13.0
    - version: 1.13.3
    #
    # Schema options and their defaults. See config.go for more details.
    #

    # version: 'master'
    # name: 'human readable name' # defaults to the value of version

    # If the schemas in https://github.com/garethr/kubernetes-json-schema
    # don't work for you, fork it and drop your username here! Your schemas
    # will be used instead.
    #
    # schemaFork: garethr

    # Set this to openshift to use schemas from
    # https://github.com/garethr/openshift-json-schema instead.
    #
    # type: kubernetes

Hacking

See CONTRIBUTING.md

Deploying your own instance

These instructions are untested. Please open a new issue or PR if you run into any problems or would prefer to use another deployment tool!

  • Fork & clone this repo.
  • Edit or delete the included Ingress and/or Service resources to match your target cluster's load balancing requirements.
  • Create a new GitHub App with the following settings:
    • Homepage URL: the URL to the GitHub repository for your app
    • Webhook URL: Use https://example.com/ for now; we'll come back in a minute to update this with the URL of your deployed app.
    • Webhook Secret: Generate a unique secret with openssl rand -base64 32 and save it, because you'll need it in a minute to configure your deployed app.
    • Permissions:
      • Checks: Read & Write
      • Repository contents: Read-only
      • Repository metadata: Read-only
      • Pull requests: Read-only
    • Webhooks:
      • Check Suite
      • Pull Request
  • Generate and download a new key for your app. Note the path.
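  • Create a secret with values to authenticate your instance of kubevalidator as your GitHub App. Replace the 1234 placeholders with your app's ID and the webhook secret you generated above. The resulting manifest holds the private key and webhook secret base64-encoded, not encrypted, so treat the file as sensitive:
kubectl create secret generic kubevalidator \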
    --from-file=PRIVATE_KEY=~/Downloads/path-to-kubeval-key.pem \
    --from-literal=APP_ID=1234 \
    --from-literal=WEBHOOK_SECRET=1234 \
    --dry-run=true -o yaml > config/kubernetes/default/secrets/kubeval.yaml
  • Configure access to a Kubernetes cluster.
  • Create a kubevalidator namespace on that cluster.
  • Install Skaffold.
  • Point build.artifacts[0].image in skaffold.yaml to an accessible Docker image path, and make sure it matches the image specified in the kubernetes/default/deployments/kubevalidator.yaml deployment manifest.
  • Run skaffold run to deploy this application to your cluster!
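
The Webhook Secret configured above is what lets a deployed instance reject webhook deliveries that did not come from GitHub. The following is an added example, not code from kubevalidator: it checks GitHub's X-Hub-Signature-256 header (HMAC-SHA256 of the raw request body) in constant time. The names Sign, Verify and ErrBadSignature are hypothetical, and the secret and payload are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrBadSignature covers every failure so callers cannot tell which check failed.
var ErrBadSignature = errors.New("webhook signature verification failed")

// Sign returns the header value a sender holding secret would attach to body.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify checks an X-Hub-Signature-256 header value against the raw body bytes.
func Verify(secret, body []byte, header string) error {
	if len(secret) == 0 { // an unset WEBHOOK_SECRET must fail closed
		return ErrBadSignature
	}
	if !strings.HasPrefix(header, "sha256=") {
		return ErrBadSignature
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	if err != nil || len(got) != sha256.Size {
		return ErrBadSignature
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	if !hmac.Equal(got, mac.Sum(nil)) { // constant-time comparison
		return ErrBadSignature
	}
	return nil
}

func main() {
	secret := []byte("constructed-secret-not-real") // constructed sample value
	body := []byte(`{"action":"requested","check_suite":{"id":1}}`)
	header := Sign(secret, body)
	fmt.Println("valid delivery accepted:", Verify(secret, body, header) == nil)
	fmt.Println("tampered body accepted:", Verify(secret, append(body, ' '), header) == nil)
}
```

Verify must be given the request body exactly as received, before any JSON decoding, since re-serialized JSON will not reproduce the signed bytes.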

Acknowledgements

  • 🙇 to @keavy, @kytrinyx, @lizzhale and many more for your work on GitHub Checks. PRs aren't ever going to be the same.
  • 🙇 to @garethr for your work on kubeval. It does all of the heavy lifting here, I've just put some GitHub-flavored window dressing on top.
  • 🙇 to @bkeepers for your work on Probot. I've learned a ton building Probot apps in the past few months, and hope that you don't mind that I've poorly re-implemented a small portion of it in Golang in this project. 😉

Questions?

Please file an issue! If you'd prefer to reach out in private, please send an email to [email protected].