From 26d23292cfe9695338c1e4d38dd7a8823de16cd7 Mon Sep 17 00:00:00 2001 From: aggarwalakshun Date: Wed, 3 Dec 2025 20:13:49 +0530 Subject: [PATCH 1/4] use ghcr.io/yannh/kubeconform:v0.7.0-alpine image --- .gitea/workflows/kubeconform.yml | 120 +++++++++++++++++-------------- 1 file changed, 65 insertions(+), 55 deletions(-) diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml index 2225880..e1ef161 100644 --- a/.gitea/workflows/kubeconform.yml +++ b/.gitea/workflows/kubeconform.yml @@ -8,17 +8,21 @@ jobs: kubeconform: runs-on: ubuntu-latest container: - image: docker.io/archlinux/archlinux:latest + image: ghcr.io/yannh/kubeconform:v0.7.0-alpine steps: - - name: Setup environment - run: | - pacman -Syu --noconfirm kubeconform git yq nodejs npm - - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 + - name: Install dependencies + run: | + apk add --no-cache \ + yq \ + findutils \ + curl \ + jq + - name: Create kubeconform configuration run: | cat > /tmp/kubeconform-config.yaml << 'EOF' 
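Review bot: Both external references introduced in this hunk are pinned only by mutable tags — `image: ghcr.io/yannh/kubeconform:v0.7.0-alpine` and `uses: actions/checkout@v6` — so a re-pushed tag changes what this job runs with no change visible in the workflow. Pin the image by digest, `image: ghcr.io/yannh/kubeconform:v0.7.0-alpine@sha256:<image-digest>`, and the action by full commit SHA with the version kept as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v6`; the same `@v6` reference is carried unchanged through the second and third patches, so the fix belongs wherever the checkout step finally lands. `curl` and `jq` are added to the `apk add` line but nothing in the visible hunks calls them; if no later step needs them, drop them to keep the validation container minimal.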
@@ -26,55 +30,61 @@ jobs: - default - "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json" EOF - + - name: Validate Manifests run: | - # Create a cache directory for schemas - mkdir -p /tmp/kubeconform-cache + # Define schema mappings + declare -A SCHEMA_MAP=( + ["HelmRelease"]="helm.toolkit.fluxcd.io/helmrelease_v2.json" + ["HelmRepository"]="source.toolkit.fluxcd.io/helmrepository_v1.json" + ["L2Advertisement"]="metallb.io/l2advertisement_v1beta1.json" + ["IPAddressPool"]="metallb.io/ipaddresspool_v1beta1.json" + ["SealedSecret"]="bitnami.com/sealedsecret_v1alpha1.json" + ) - # Validate manifests with proper schema resolution - find . -type f \( -name "*.yml" \) \ - -not -path "./.gitea/*" \ - -not -path "./clusters/default/system-upgrade/*" \ - -exec sh -c ' - for file do - echo "=== Validating: $file ===" - if yq -e "select(.kind == \"HelmRelease\")" "$file" >/dev/null 2>&1; then - echo "Found HelmRelease - using fluxcd schema" - kubeconform \ - -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json" \ - -output json \ - "$file" - elif yq -e "select(.kind == \"HelmRepository\")" "$file" >/dev/null 2>&1; then - echo "Found HelmRepository - using fluxcd schema" - kubeconform \ - -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json" \ - -output json \ - "$file" - elif yq -e "select(.kind == \"L2Advertisement\")" "$file" >/dev/null 2>&1; then - echo "Found L2Advertisement - using metallb schema" - kubeconform \ - -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json" \ - -output json \ - "$file" - elif yq -e "select(.kind == \"IPAddressPool\")" "$file" >/dev/null 2>&1; then - echo "Found IPAddressPool - using metallb schema" - kubeconform \ - -schema-location 
"https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json" \ - -output json \ - "$file" - elif yq -e "select(.kind == \"SealedSecret\")" "$file" >/dev/null 2>&1; then - echo "Found SealedSecret - using bitnami schema" - kubeconform \ - -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json" \ - -output json \ - "$file" - else - echo "Validating with default schemas" - kubeconform \ - -schema-location default \ - -output json \ - "$file" - fi - done - ' sh {} + + # Create cache directory + export KUBECONFORM_CACHE_DIR="/tmp/kubeconform-cache" + mkdir -p "$KUBECONFORM_CACHE_DIR" + + # Exit code tracking + EXIT_CODE=0 + + # Process all YAML files + while IFS= read -r file; do + echo "=== Validating: $file ===" + + # Skip excluded paths + if [[ "$file" == *".gitea/"* ]] || [[ "$file" == *"clusters/default/system-upgrade/"* ]]; then + echo "Skipping excluded file" + continue + fi + + # Detect resource kind + KIND=$(yq -r '.kind // ""' "$file" 2>/dev/null || echo "") + + if [[ -n "$KIND" && -n "${SCHEMA_MAP[$KIND]}" ]]; then + echo "Found $KIND - using custom schema" + SCHEMA_URL="https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/${SCHEMA_MAP[$KIND]}" + + if ! kubeconform \ + -schema-location "$SCHEMA_URL" \ + -cache "$KUBECONFORM_CACHE_DIR" \ + -output json \ + "$file"; then + EXIT_CODE=1 + fi + else + echo "Validating with default schemas" + if ! kubeconform \ + -schema-location default \ + -cache "$KUBECONFORM_CACHE_DIR" \ + -output json \ + "$file"; then + EXIT_CODE=1 + fi + fi + + echo "" + done < <(find . -type f \( -name "*.yml" \) -print) + + exit $EXIT_CODE From df575e0fa2abfd0d612dae8bbc6c4426daa3d79b Mon Sep 17 00:00:00 2001 
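Review bot: `KIND=$(yq -r '.kind // ""' "$file" 2>/dev/null || echo "")` captures everything yq prints, so if any `.yml` holds several documents `$KIND` presumably spans several lines, the `SCHEMA_MAP` lookup misses and the file silently falls through to the `default` branch; conversely the custom-schema branch passes only `"$SCHEMA_URL"`, so core resources sharing a file with a CRD would be checked against that CRD's schema rather than `default`. kubeconform resolves the schema per document from a location template, which makes the per-file kind detection unnecessary: a single invocation with `-schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/{{ .Group }}/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json'` plus the existing `-cache "$KUBECONFORM_CACHE_DIR"` covers every kind in `SCHEMA_MAP` without the map or the yq call. The template written to `/tmp/kubeconform-config.yaml` in the preceding step is never read by this step and lacks the group segment the catalog layout uses (compare `helm.toolkit.fluxcd.io/helmrelease_v2.json` in the map), so either pass it through or delete that step. The new exclusion globs `*".gitea/"*` and `*"clusters/default/system-upgrade/"*` are no longer anchored to the repository root the way the removed `-not -path "./..."` filters were; that is probably harmless here but deserves a one-line comment.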
From: aggarwalakshun Date: Wed, 3 Dec 2025 20:15:46 +0530 Subject: [PATCH 2/4] add nodejs and npm deps --- .gitea/workflows/kubeconform.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml index e1ef161..82cd0b9 100644 --- a/.gitea/workflows/kubeconform.yml +++ b/.gitea/workflows/kubeconform.yml @@ -10,10 +10,6 @@ jobs: container: image: ghcr.io/yannh/kubeconform:v0.7.0-alpine steps: - - name: Checkout code - uses: actions/checkout@v6 - with: - fetch-depth: 0 - name: Install dependencies run: | @@ -21,7 +17,14 @@ jobs: yq \ findutils \ curl \ - jq + jq \ + npm \ + nodejs + + - name: Checkout code + uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Create kubeconform configuration run: | From 47ddd8e4b403e45aa1827e65349a2ea015cd4754 Mon Sep 17 00:00:00 2001 From: aggarwalakshun Date: Wed, 3 Dec 2025 20:20:09 +0530 Subject: [PATCH 3/4] add bash as dep --- .gitea/workflows/kubeconform.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml index 82cd0b9..beda49c 100644 --- a/.gitea/workflows/kubeconform.yml +++ b/.gitea/workflows/kubeconform.yml @@ -19,7 +19,8 @@ jobs: curl \ jq \ npm \ - nodejs + nodejs \ + bash - name: Checkout code uses: actions/checkout@v6 @@ -35,6 +36,7 @@ jobs: EOF - name: Validate Manifests + shell: bash run: | # Define schema mappings declare -A SCHEMA_MAP=( From 882d9f78fb4104bd5f4463dced69aedb80d9dba8 Mon Sep 17 00:00:00 2001 From: aggarwalakshun Date: Wed, 3 Dec 2025 20:22:07 +0530 Subject: [PATCH 4/4] use absolute path for kubeconform --- .gitea/workflows/kubeconform.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml index beda49c..c023e1d 100644 --- a/.gitea/workflows/kubeconform.yml +++ b/.gitea/workflows/kubeconform.yml 
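Review bot: The `apk add` list grown by the second and third patches now mixes runner prerequisites with validation tools without saying which is which — `npm`/`nodejs` are there only so the JavaScript-based `actions/checkout` can run inside this image, and `bash` only because `Validate Manifests` uses `declare -A`, `[[ ]]` and `< <(...)`. A reader slimming the image later needs that recorded, and a trailing comment cannot sit after a `\` continuation, so put it on its own line above `apk add --no-cache \`: `# nodejs/npm: runtime for the JS-based actions/checkout; bash: required by "Validate Manifests" (declare -A, [[ ]], <(...))`. `fetch-depth: 0` is carried along with the moved checkout step and clones full history, but nothing in the workflow as shown inspects history, so the default shallow checkout is probably enough and cheaper; if a later step needs it, say so in a comment. `shell: bash` is added only to the validate step, which is right since the other `run:` blocks are POSIX sh; the install and configuration steps start or end outside these hunks.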
@@ -71,7 +71,7 @@ jobs: echo "Found $KIND - using custom schema" SCHEMA_URL="https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/${SCHEMA_MAP[$KIND]}" - if ! kubeconform \ + if ! /kubeconform \ -schema-location "$SCHEMA_URL" \ -cache "$KUBECONFORM_CACHE_DIR" \ -output json \ @@ -80,7 +80,7 @@ jobs: fi else echo "Validating with default schemas" - if ! kubeconform \ + if ! /kubeconform \ -schema-location default \ -cache "$KUBECONFORM_CACHE_DIR" \ -output json \
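Review bot: Hard-coding `/kubeconform` at both call sites ties the script to where this particular image happens to place the binary, and nothing records why the bare name stopped working (presumably `/` is not on `PATH` in the image). Define it once at the top of the step with the reason, `# the kubeconform image ships its binary at /kubeconform, outside PATH — confirm against the image` followed by `KUBECONFORM_BIN=/kubeconform`, and call `"$KUBECONFORM_BIN"` in both branches so a future image change is a one-line edit. The enclosing `Validate Manifests` script starts and ends outside both hunks.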