1.2 Fixes #38

Open: wants to merge 33 commits into base: main

33 commits
c99fb9a
Added chartmuseum support
rarchk-amagi May 31, 2023
1debf94
update README
rarchk-amagi May 31, 2023
9560a6f
updated github release version
rarchk-amagi May 31, 2023
34d6a1d
updated github release version
rarchk-amagi May 31, 2023
afeb638
upload an existing chart
rarchk-amagi May 31, 2023
a08756a
update chart version
rarchk-amagi May 31, 2023
3c4ca0b
diff based workflow committed
rarchk-amagi Oct 24, 2023
2241af0
Merge pull request #1 from rarchk/pre-commit-hooks
rarchk Oct 24, 2023
f9cb843
adding debug statements.
rarchk-amagi Oct 24, 2023
4e298cd
Merge pull request #2 from rarchk/pre-commit-hooks
rarchk Oct 24, 2023
feda721
chart not present error handled
rarchk-amagi Oct 24, 2023
d18f0aa
Merge pull request #3 from rarchk/pre-commit-hooks
rarchk Oct 24, 2023
0bdada7
adding much simpler fixes.
rarchk-amagi Oct 24, 2023
a32d9e6
Merge pull request #4 from rarchk/pre-commit-hooks
rarchk Oct 24, 2023
58008df
adding lint and diff action separately
rarchk-amagi Oct 25, 2023
be0b1cf
removing dependency of PR number from output.
rarchk-amagi Oct 25, 2023
9ddb8fc
Merge pull request #5 from rarchk/pre-commit-hooks
rarchk Oct 25, 2023
3b46546
event export
rarchk-amagi Oct 25, 2023
ed61ce9
Merge pull request #6 from rarchk/pre-commit-hooks
rarchk Oct 25, 2023
df39c8d
updated helm checks.
rarchk-amagi Oct 25, 2023
2718b4a
updated helm checks.
rarchk-amagi Oct 25, 2023
1d7ece7
fixing typo
rarchk-amagi Oct 25, 2023
100554b
Merge pull request #7 from rarchk/pre-commit-hooks
rarchk Oct 25, 2023
5733053
adding non-failable differ
rarchk-amagi Oct 25, 2023
a40d904
Merge pull request #8 from rarchk/pre-commit-hooks
rarchk Oct 25, 2023
4e3adbb
updating generalized helm differ
rarchk-amagi Oct 25, 2023
97e7a5b
Merge pull request #9 from rarchk/pre-commit-hooks
rarchk Oct 25, 2023
76d59fd
undo -u changes
rarchk-amagi Oct 25, 2023
661b88d
Merge pull request #10 from rarchk/pre-commit-hooks
rarchk Oct 25, 2023
f0a8f39
undo -u changes
rarchk-amagi Oct 25, 2023
6f18fed
Merge pull request #11 from rarchk/pre-commit-hooks
rarchk Oct 25, 2023
1ace031
Enable audit and diff features (#12)
rarchk Jan 6, 2024
78d27e7
Removed helm chart version dependency to package construct
rarchk-amagi Jan 7, 2024
131 changes: 124 additions & 7 deletions README.md
Expand Up @@ -10,8 +10,12 @@ _Note this action is written to specifically work with Helm repos in Artifactory

`action` - `[package, test, publish]`

- `lint` - Runs helm linter along with dependency build.
- `diff` - Runs helm diff using templates along with dependency build.
- `audit` - Runs audit on helm files
- `package` - Involves helm client only and does dependency build, lint and package chart
- `publish` - Uses helm artifactory plugin to uploads the chart
- `publish-artifactory` - Uses helm artifactory plugin to uploads the chart
- `publish-chartmuseum` - Uses helm cm plugin to uploads the chart
Comment on lines -14 to +18
Member

This is a breaking change, it cannot be marked as 1.2 fixes

- `publish-gar` - Uses helm (helm 3.8 or greater), to push on Google Artifactory Registry using OCI

## Required Environment variables
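Review bot: the header line `action` - `[package, test, publish]` is now stale: the list below documents `lint`, `diff`, `audit`, `package`, `publish-artifactory`, `publish-chartmuseum` and `publish-gar`, and `test` appears nowhere, so update the enumeration to match the list. Replacing `publish` with `publish-artifactory` also removes an action name that existing workflows pass in `with: action:`, so either keep `publish` as an alias with a deprecation note or, as the maintainer says, ship this as a major release rather than a 1.2 fix. Minor: "to uploads the chart" should read "to upload the chart" in both new lines.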
Expand Down Expand Up @@ -60,6 +64,8 @@ GAR_JSON_KEY: "${{ secrets.GAR_DEV_RW_JSON_KEY }}"
# The chart prefix is used to distinguish from app container
# images with the same name pushed on GAR.
CHART_PREFIX: "YOURPREFIX"
UPSTREAM_BRANCH: "main"
CURRENT_BRANCH: "Add your current branch"
```

## Optional Environment variables
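Review bot: `UPSTREAM_BRANCH` and `CURRENT_BRANCH` are added under Required Environment variables, yet none of the workflow examples in this PR sets them (the diff example derives the base ref from `steps.branch-name.outputs.base_ref_branch` instead), so either state which actions actually read them or move them to the optional section. The placeholder `"Add your current branch"` should also say what value is expected (a branch name, not a ref), since the script compares it against `UPSTREAM_BRANCH`.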
Expand All @@ -68,6 +74,7 @@ CHART_PREFIX: "YOURPREFIX"
HELM_VERSION: # Override helm version. Default "3.5.1"
KUBECTL_VERSION: # Override kubectl version. Default "1.21.0"
HELM_ARTIFACTORY_PLUGIN_VERSION: # Override helm artifactory plugin version. Default "v1.0.2"
HELM_CHARTMUSEUM_PLUGIN_VERSION: # Override helm chartmuseum plugin version. Default "0.10.3"
CHART_VERSION: # If defined, override version in Chart.yaml file. Default is unset
DEBUG: # If defined will set debug in shell script.
```
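Review bot: the defaults documented here for `HELM_VERSION` (`"3.5.1"`) and `KUBECTL_VERSION` (`"1.21.0"`) no longer match `common.sh` in this same PR, which now sets `v3.13.3` and `v1.28.0` (note the added `v` prefix); update the README defaults in the same change so users who override these variables use the format the script expects. The `DYFF_VERSION`, `YQ_VERSION`, `POLARIS_VERSION` and `KUBE_SCORE_VERSION` overrides introduced in `common.sh` are also undocumented here, so add them alongside `HELM_CHARTMUSEUM_PLUGIN_VERSION`.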
Expand All @@ -78,7 +85,7 @@ DEBUG: # If defined will set debug in shell script.
Never use `main` branch in your github workflows!

```yaml
name: Helm lint, test, package and publish
name: Helm lint, test, package, publish, audit, diff

on: pull_request

Expand All @@ -91,8 +98,9 @@ jobs:
# - name: myOtherJob1
# run:


- name: "Helm publish"
uses: draios/[email protected]
uses: rarchk/[email protected]
Comment on lines -95 to +103
Member

please revert to the original repo

with:
action: "package"
env:
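Review bot: besides reverting the owner to the original repo as requested, all the examples reference the action by a mutable tag (`@v1.2.1`). Since this action receives Artifactory and GAR credentials through `env`, the README should recommend pinning third-party actions to a full commit SHA so that a moved or re-pushed tag cannot change the code that runs with those secrets.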
Expand All @@ -101,10 +109,10 @@ jobs:
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_HELM_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_HELM_PASSWORD }}

- name: "Helm publish"
uses: draios/[email protected]
- name: "Helm publish artifactory"
uses: rarchk/[email protected]
Comment on lines +112 to +113
Member

please revert to the original repo

with:
action: "publish"
action: "publish-artifactory"
Comment on lines -107 to +115
Member

as before

env:
CHART_DIR: resources/helm/sdcadminoper
ARTIFACTORY_URL: https://artifactory.internal.sysdig.com:443/artifactory/helm-local/
Expand All @@ -125,7 +133,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: "Helm Publish on GAR"
uses: draios/[email protected]
uses: rarchk/[email protected]
Comment on lines -128 to +136
Member

ditto

with:
action: "publish-gar"
env:
Expand All @@ -140,3 +148,112 @@ jobs:
GAR_JSON_KEY: "${{ secrets.GAR_DEV_RW_JSON_KEY }}"
CHART_PREFIX: "YOUR_PREFIX"
```
## Addon for chart-museum
```yaml
name: Helm lint, test, package and publish
on: pull_request

jobs:
helm-suite:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: "Helm publish artifactory"
uses: rarchk/[email protected]
with:
action: "publish-chartmuseum"
env:
CHART_DIR: resources/helm/sdcadminoper
ARTIFACTORY_URL: https://artifactory.internal.sysdig.com:443/artifactory/helm-local/
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_HELM_USERNAME }}
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_HELM_PASSWORD }}
```

## Diff as a template
Diff can be used to compute differences between complex helm distributions

```mermaid
graph TD
subgraph ComplexHelmDistributions
HelmFile --> ListOfHelmCharts
CustomRelease --> ListOfHelmCharts
end

subgraph CD_Workflows
ArgoCDApplication --> HelmChart
end
subgraph HELM_Repos
B[HelmChart]
end

CD_Workflows --> D
ComplexHelmDistributions -.-> D
ComplexHelmDistributions -.-> D
ComplexHelmDistributions -.-> D
HELM_Repos --> D
D[[Diff Action Template]]
D --> C(fa:fa-genderless)
```
### Algorithm
1. We would need previous and next version
2. We would need access to remote chart repository
3. We can use this command to generate templates locally and remotely
4. We take following inputs
1. previous version
2. current version[optional] or can be generated locally

```bash
# local templating
helm template <chart_name>.tgz -f values.yaml

# remote templating
helm template <remote_repo>/chart_name --version 1.17.1 -f values.yaml

# search for all versions
helm search repo <remote_repo>/chart_name --versions
```
4. Diff it


### Workflow Example
```yaml
- run: sh -c "sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq"
name: setup yq

- name: Get upstream chart version
id: lookupChartVersion
run: |
sh -c "echo result=$(git fetch -a; git show origin/${{ steps.branch-name.outputs.base_ref_branch }}:${{ matrix.dir }}/Chart.yaml | yq .version) >> $GITHUB_OUTPUT"

- name: Get upstream chart name
id: lookupChartName
run: |
sh -c "echo result=$(yq .name < ${{ matrix.dir }}/Chart.yaml) >> $GITHUB_OUTPUT"


- name: "Helm diff"
id: diff
uses: rarchk/[email protected]
env:
ACTION: "diff"
FROM_CHART: "${{ steps.lookupChartVersion.outputs.result }}"
TO_CHART: ""
CHART_DIR: "${{ matrix.dir }}" #In case TO_CHART is not available
CHART_NAME: "${{ steps.lookupChartName.outputs.result }}"
OPTIONAL_VALUES: "app.ingress.enabled=false"
ARTIFACTORY_URL: ""
ARTIFACTORY_USERNAME: ""
ARTIFACTORY_PASSWORD: ""
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
```

## Audit example
It statically audits k8s resources
```yaml
- name: "Helm audit"
uses: rarchk/[email protected]
env:
Comment on lines +251 to +255
Member

The example should reflect the name of the repo

ACTION: "audit"
CHART_DIR: "${{ matrix.dir }}"
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
```
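Review bot: several problems in the new README sections. In `## Addon for chart-museum` the step is named `"Helm publish artifactory"` and is configured only with `ARTIFACTORY_*` variables even though the action is `publish-chartmuseum`; name the step after what it does and document the variables the chartmuseum path reads, because nothing in this PR shows which ones `cm-push` uses. The examples also mix `rarchk/[email protected]` here with `[email protected]` everywhere else. In `### Algorithm` the numbering restarts: `4. We take following inputs` is followed by `4. Diff it`, which should be `5.`. In `### Workflow Example`, `steps.branch-name` and `matrix.dir` are referenced but no `branch-name` step or `matrix` strategy is defined, so the snippet cannot be copied as-is; the `setup yq` step also fetches `yq_linux_amd64` from `releases/latest` with `sudo` into `/usr/bin` with no version pin or checksum, while `common.sh` in this PR already provides `install_yq` pinned to `YQ_VERSION`, so rely on that instead. The diff example sets `ARTIFACTORY_URL`, `ARTIFACTORY_USERNAME` and `ARTIFACTORY_PASSWORD` to empty strings although the README lists them as required; state explicitly that they are optional for `diff`. `## Audit example` should say which tools run (`polaris` and `kube-score`, per `install_polaris` in `common.sh`) and whether a failing audit fails the job.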
107 changes: 100 additions & 7 deletions common.sh
@@ -1,11 +1,16 @@
#!/bin/bash -l
set -eo pipefail

export HELM_VERSION=${HELM_VERSION:="3.5.1"}
export KUBECTL_VERSION=${KUBECTL_VERSION:="1.21.0"}
export HELM_VERSION=${HELM_VERSION:="v3.13.3"}
export KUBECTL_VERSION=${KUBECTL_VERSION:="v1.28.0"}
export HELM_ARTIFACTORY_PLUGIN_VERSION=${HELM_ARTIFACTORY_PLUGIN_VERSION:="v1.0.2"}
export HELM_CHARTMUSEUM_PLUGIN_VERSION=${HELM_CHARTMUSEUM_PLUGIN_VERSION:="0.10.3"}
export CHART_VERSION=${CHART_VERSION:=""}
export CHART_APP_VERSION=${CHART_APP_VERSION:=""}
export DYFF_VERSION=${DYFF_VERSION:="1.6.0"}
export YQ_VERSION=${YQ_VERSION:="v4.40.5"}
export POLARIS_VERSION=${POLARIS_VERSION:="8.5.3"}
export KUBE_SCORE_VERSION=${KUBE_SCORE_VERSION:="1.17.0"}
Comment on lines -4 to +13
Member

Changing these version requires a full non-regression test run, it cannot be applied as 1.2 fixes, they need a new major version (especially true for kubectl and helm versions)


export GCLOUD_PROJECT_CHECK=${GCLOUD_PROJECT_CHECK:="true"}
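Review bot: the `HELM_VERSION` and `KUBECTL_VERSION` defaults change both value and format (`3.5.1` to `v3.13.3`, `1.21.0` to `v1.28.0`). Anyone who overrides these per the README (`Default "3.5.1"`, no `v`) will now pass a string in a different format from the new default to `ark get --version`, so either normalise the prefix in the script or document the new format in the same PR. As the maintainer notes, bumping helm and kubectl across major versions needs a full regression run and a new major release rather than a 1.2.x tag.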

Expand Down Expand Up @@ -47,10 +52,9 @@ get_chart_version(){
}

get_helm() {
print_title "Get helm:${HELM_VERSION}"
curl -L "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | tar xvz
chmod +x linux-amd64/helm
sudo mv linux-amd64/helm /usr/local/bin/helm
print_title "Installing helm:${HELM_VERSION}"
ark get helm --version "${HELM_VERSION}" --quiet
helm version --short -c
Comment on lines +55 to +57
Member

It's nice to use arkade to install tooling but again this cannot be considered a minor fix

}

install_helm() {
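Review bot: `get_helm` now depends on `ark` being on `PATH`, but nothing in this hunk calls `install_ark` first, so document or enforce the ordering (for example by calling `install_ark` at the top of `get_helm`). Both the removed `curl | tar` install and the new `ark get` fetch an unverified binary; if arkade is kept, consider verifying the checksum of the downloaded helm release before use. The `-c` in `helm version --short -c` is the Helm 2 client-only switch and is not needed with Helm 3.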
Expand All @@ -70,9 +74,17 @@ install_artifactory_plugin(){
fi
}

install_cmpush_plugin(){
print_title "Install helm cm-push plugin"
if ! (helm plugin list | grep -q cm-push); then
helm plugin install https://github.com/chartmuseum/helm-push --version ${HELM_CHARTMUSEUM_PLUGIN_VERSION}
fi
}

remove_helm(){
helm plugin uninstall push-artifactory
sudo rm -rf /usr/local/bin/helm
helm plugin uninstall cm-push
# sudo rm -rf /usr/local/bin/helm
}

function version {
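Review bot: with `set -eo pipefail` at the top of the script, `remove_helm` now runs two `helm plugin uninstall` calls, and the first one that targets a plugin that was never installed (for example `push-artifactory` in a workflow that only used `publish-chartmuseum`) will fail and abort the script before the second runs; guard each call with `helm plugin list | grep -q <name>` as `install_cmpush_plugin` already does. Commenting out `sudo rm -rf /usr/local/bin/helm` also means `remove_helm` no longer removes helm, so rename the function or restore the cleanup. Quote `"${HELM_CHARTMUSEUM_PLUGIN_VERSION}"` in the `helm plugin install` line.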
Expand All @@ -86,3 +98,84 @@ check_helm_version_gte_3_8(){
exit 1
fi
}

install_dyff() {
if ! command -v dyff; then
echo "dyff is missing"
get_dyff
elif ! [[ $(dyff version) == *${DYFF_VERSION}* ]]; then
echo "dyfff $(dyff version) is not desired version"
get_dyff
fi
}

get_dyff() {
print_title "Installing dyff:${DYFF_VERSION}"
curl -L "https://github.com/homeport/dyff/releases/download/v${DYFF_VERSION}/dyff_${DYFF_VERSION}_linux_amd64.tar.gz" | tar xvz
chmod +x dyff
sudo mv dyff /usr/local/bin/dyff
}

install_polaris() {
if ! command -v polaris; then
print_title "Installing polaris:${POLARIS_VERSION}"
ark get polaris --version "${POLARIS_VERSION}" --quiet
fi
polaris version
if ! command -v kube-score; then
print_title "Installing kube-score:${POLARIS_VERSION}"
curl -L "https://github.com/zegl/kube-score/releases/download/v${KUBE_SCORE_VERSION}/kube-score_${KUBE_SCORE_VERSION}_linux_amd64.tar.gz" | tar xvz
chmod +x kube-score
sudo mv kube-score /usr/local/bin/kube-score
fi
kube-score version
}
Comment on lines +102 to +132
Member

This could be considered a change per se, adding new features


install_yq() {
if ! command -v yq; then
print_title "Installing yq:${YQ_VERSION}"
ark get yq --version "${YQ_VERSION}" --quiet
fi
yq --version
}

install_ark() {
if ! command -v ark; then
echo "ark is missing"
curl -sLS https://get.arkade.dev | sudo sh
fi
export PATH=$PATH:$HOME/.arkade/bin/
}

remove_ark() {
rm -f $HOME/.arkade/bin/*
}

safe_exec(){
start=$(date +%s)
$@
end=$(date +%s)
echo "Elapsed time for executing $@: $(($end-$start)) seconds"
}

send_github_comments() {
if [[ -z "${2}" ]]; then
printf "No data passed. Skipping posting comments"
exit 0
fi
COMMENT="#### $1 Output
<details>
<summary>Details</summary>

$2
</details>"

PAYLOAD=$(echo '{}' | jq --arg body "$COMMENT" '.body = $body')
COMMENTS_URL=$(cat "$GITHUB_EVENT_PATH" | jq -r .pull_request.comments_url)
echo "Commenting on PR $COMMENTS_URL"
curl --silent -X POST \
--header 'content-type: application/json' \
--header "Authorization: token $GITHUB_TOKEN" \
--data "$PAYLOAD" "$COMMENTS_URL" > /dev/null
exit 0
}
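Review bot: a few defects in the new helpers. `install_polaris` prints `Installing kube-score:${POLARIS_VERSION}` for the kube-score install; it should use `KUBE_SCORE_VERSION`. `command -v dyff` and the other `command -v` checks write the resolved path to stdout; redirect with `>/dev/null`. `echo "dyfff ..."` has a typo. `safe_exec` expands `$@` unquoted, so arguments containing spaces are re-split; use `"$@"`. `send_github_comments` calls `exit 0` both when no data is passed and after posting, which terminates the calling script rather than the function; use `return`. `install_ark` pipes `https://get.arkade.dev` into `sudo sh` with no version pin or checksum, and `get_dyff` and the kube-score install fetch pinned tarballs but never verify them; for a script that runs with registry credentials and `GITHUB_TOKEN` in its environment, verify a published checksum before moving binaries into `/usr/local/bin`. `remove_ark` should quote `"$HOME"`. Finally, `send_github_comments` posts `$2` verbatim into a PR comment, so callers must never pass rendered output that may contain chart values or credentials.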