From cbda7f9a797c8308db6b6b6f5998e26118cd2276 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:05:05 +0530
Subject: [PATCH 01/10] add kubeconform action
---
 .gitea/workflows/kubeconform.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .gitea/workflows/kubeconform.yml
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
new file mode 100644
index 0000000..3dc16c1
--- /dev/null
+++ b/.gitea/workflows/kubeconform.yml
@@ -0,0 +1,18 @@
+name: Validate Kubernetes Manifests
+
+on:
+ pull_request:
+ branches: [ main]
+
+jobs:
+ kubeconform:
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/yannh/kubeconform:latest
+ steps:
+ - name: Checkout code
+ run: |
+ git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
+ - name: Validate Manifests
+ run: |
+ /kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml
-- 
2.49.1
From fec651cc0aebbf1c038351b52639b99f08b5e572 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:11:35 +0530
Subject: [PATCH 02/10] update kubeconform workflow to use Arch Linux container and install kubeconform
---
 .gitea/workflows/kubeconform.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 3dc16c1..1f0c34f 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
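Review bot: The Checkout step clones `https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git` at its default branch, so a `pull_request`-triggered run validates the base branch rather than the commits the PR proposes and cannot block a bad manifest; check out the PR head (the runner's checkout action, or the head ref and SHA from the event) so the validated tree is the one under review. `ghcr.io/yannh/kubeconform:latest` is a mutable tag, so the tool that gates merges changes without any change in this repository; pin it, e.g. `image: ghcr.io/yannh/kubeconform:<pinned-version>@sha256:<pinned-digest>`. Separately, `/mnt/**/*.yml` only recurses when the shell has globstar enabled; otherwise `**` behaves like `*` and manifests deeper than one directory are silently skipped.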
@@ -8,11 +8,14 @@ jobs: kubeconform: runs-on: ubuntu-latest container: - image: ghcr.io/yannh/kubeconform:latest + image: docker.io/archlinux/archlinux:latest steps: + - name: Setup environment + run: | + pacman -Syu --noconfirm kubeconform git - name: Checkout code run: | git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt - name: Validate Manifests run: | - /kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml + kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml
-- 
2.49.1
From 6700fd5efca8e47c7f880e696d4136da88ac6036 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:17:07 +0530
Subject: [PATCH 03/10] remove -kinds
---
 .gitea/workflows/kubeconform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 1f0c34f..027450e 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,4 +18,4 @@ jobs: git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt - name: Validate Manifests run: | - kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml + kubeconform -verbose -summary -schema-location default /mnt/**/*.yml
-- 
2.49.1
From 8cf09a25a3acda7e1ab1146e9eb825f898c372da Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:22:47 +0530
Subject: [PATCH 04/10] update kubeconform workflow to install findutils and improve manifest validation command
---
 .gitea/workflows/kubeconform.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 027450e..feec6b6 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
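Review bot: `pacman -Syu --noconfirm kubeconform git` on `docker.io/archlinux/archlinux:latest` performs a full rolling-release upgrade on every run, so the kubeconform build that gates a PR drifts from day to day and a result cannot be reproduced later. Pin the container by digest, e.g. `image: docker.io/archlinux/archlinux@sha256:<pinned-digest>`, and prefer installing a fixed kubeconform release over whatever the package repository carries at run time. A one-line comment above the Setup step saying why a general-purpose distribution image replaced the upstream kubeconform image would spare the next maintainer from guessing.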
@@ -12,10 +12,10 @@ jobs: steps: - name: Setup environment run: | - pacman -Syu --noconfirm kubeconform git + pacman -Syu --noconfirm kubeconform git findutils - name: Checkout code run: | git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt - name: Validate Manifests run: | - kubeconform -verbose -summary -schema-location default /mnt/**/*.yml + find /mnt -type f \( -iname "*.yml" -o -iname "*.yaml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default
-- 
2.49.1
From 4b10b0cda6715f028edf8bbafb2f9a001dcc0b02 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:31:09 +0530
Subject: [PATCH 05/10] remove '*.yaml' and add schemas
---
 .gitea/workflows/kubeconform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index feec6b6..0f34633 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,4 +18,4 @@ jobs: git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt - name: Validate Manifests run: | - find /mnt -type f \( -iname "*.yml" -o -iname "*.yaml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default + find /mnt -type f \( -iname "*.yml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json'
-- 
2.49.1
From dad9ac0a27719a988d2d5d04076d7b9220098b54 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:46:53 +0530
Subject: [PATCH 06/10] add more schemas
---
 .gitea/workflows/kubeconform.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
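Review bot: `find /mnt` also matches the repository's own `.gitea/workflows/*.yml`, which carry no `kind`/`apiVersion` and will not validate cleanly against the `default` schema set, so the job reports failures that have nothing to do with the manifests; add `-not -path "*/.gitea/*"` to the `find` expression. The pipeline's status is that of `xargs`, so an error from `find` itself (an unreadable path, for example) is masked unless the step begins with `set -o pipefail`; `xargs` does exit non-zero when any kubeconform batch fails, so manifest errors are still surfaced.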
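Review bot: The two added `-schema-location` values are fixed URLs with no template variables, and kubeconform tries locations in order and uses the first that returns a schema, so every kind that `default` does not know is checked against the SealedSecret schema whatever it actually is — a HelmRelease will then fail, or pass, for the wrong reason. The catalog is laid out for one templated location that resolves per resource, `-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'`, which replaces the whole list; the same applies to the lists in patches 06 and 07. Whichever form is kept, `refs/heads/main` is a moving ref fetched at validation time, so pin it to a commit (`.../CRDs-catalog/<pinned-commit-sha>/...`) so that an upstream schema change, or a compromised upstream, cannot alter what this gate accepts. Dropping `-o -iname "*.yaml"` also silently excludes any manifest using that extension; if that is intended, say so in a comment.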
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 0f34633..bf441b2 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,4 +18,11 @@ jobs: git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt - name: Validate Manifests run: | - find /mnt -type f \( -iname "*.yml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' + find /mnt -type f \( -iname "*.yml" \) -print0 \ + | xargs -0 --no-run-if-empty kubeconform -verbose -summary \ + -schema-location default \ + -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' \ + -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' + -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json' \ + -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json' \ + -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json'
-- 
2.49.1
From f3996fc6325e252143106f7b255f4363f515647c Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:59:11 +0530
Subject: [PATCH 07/10] exclude actions folder and add missing \
---
 .gitea/workflows/kubeconform.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index bf441b2..a8374d3 100644
--- a/.gitea/workflows/kubeconform.yml
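Review bot: The added `helmrelease_v2.json` line has no trailing `\`, so the kubeconform command ends there and the three `-schema-location` lines that follow it on the new side are run as a separate command: either the step fails on an unknown command `-schema-location`, or, if the shell is not run with `-e`, the metallb and helmrepository schemas are silently never passed to kubeconform. Add the continuation: `-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' \`. Starting the `run:` block with `set -euo pipefail` would turn this class of mistake into an immediate failure instead of a quietly weaker check.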
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,11 +18,14 @@ jobs: git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt - name: Validate Manifests run: | - find /mnt -type f \( -iname "*.yml" \) -print0 \ - | xargs -0 --no-run-if-empty kubeconform -verbose -summary \ + find /mnt -type f \( -name "*.yml" -o -name "*.yaml" \) \ + -not -path "*/.gitea/*" \ + -print0 | xargs -0 --no-run-if-empty kubeconform \ + -verbose \ + -summary \ -schema-location default \ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' \ - -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' + -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' \ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json' \ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json' \ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json'
-- 
2.49.1
From bb6b1680ec245da71b003db1291d256868458843 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 13:01:24 +0530
Subject: [PATCH 08/10] exclude .yaml files
---
 .gitea/workflows/kubeconform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index a8374d3..3e760a7 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,7 +18,7 @@ jobs: git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt - name: Validate Manifests run: | - find /mnt -type f \( -name "*.yml" -o -name "*.yaml" \) \ + find /mnt -type f \( -name "*.yml" \) \ -not -path "*/.gitea/*" \ -print0 | xargs -0 --no-run-if-empty kubeconform \ -verbose \
-- 
2.49.1
From c65fef70ff8da4f16ab103a123e1a842b27dc46a Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 13:07:22 +0530
Subject: [PATCH 09/10] refactor
---
 .gitea/workflows/kubeconform.yml | 76 ++++++++++++++++++++++++++------
 1 file changed, 62 insertions(+), 14 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 3e760a7..ee0cb9e 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -2,7 +2,7 @@ name: Validate Kubernetes Manifests on: pull_request: - branches: [ main] + branches: [main] jobs: kubeconform:
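Review bot: Removing `-o -name "*.yaml"` means a manifest saved with the `.yaml` extension is no longer validated at all, and nothing in the file records that this is deliberate, so a future contributor who adds such a file gets a green check with no validation behind it. If the repository standardises on `.yml`, state it above the `find`, e.g. `# Manifests must use the .yml extension; *.yaml is intentionally not validated`; otherwise keep both patterns and exclude the specific non-manifest files by path instead. The enclosing `run:` block continues past the end of this hunk.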
@@ -12,20 +12,68 @@ jobs: steps: - name: Setup environment run: | - pacman -Syu --noconfirm kubeconform git findutils + pacman -Syu --noconfirm kubeconform git yq nodejs npm + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Create kubeconform configuration run: | - git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt + cat > /tmp/kubeconform-config.yaml << 'EOF' + schema_location: + - default + - "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json" + EOF + - name: Validate Manifests run: | - find /mnt -type f \( -name "*.yml" \) \ - -not -path "*/.gitea/*" \ - -print0 | xargs -0 --no-run-if-empty kubeconform \ - -verbose \ - -summary \ - -schema-location default \ - -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' \ - -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' \ - -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json' \ - -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json' \ - -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json' + # Create a cache directory for schemas + mkdir -p /tmp/kubeconform-cache + + # Validate manifests with proper schema resolution + find . 
-type f \( -name "*.yml" \) \ + -not -path "./.gitea/*" \ + -exec sh -c ' + for file do + echo "=== Validating: $file ===" + if yq -e "select(.kind == \"HelmRelease\")" "$file" >/dev/null 2>&1; then + echo "Found HelmRelease - using fluxcd schema" + kubeconform \ + -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json" \ + -output json \ + "$file" + elif yq -e "select(.kind == \"HelmRepository\")" "$file" >/dev/null 2>&1; then + echo "Found HelmRepository - using fluxcd schema" + kubeconform \ + -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json" \ + -output json \ + "$file" + elif yq -e "select(.kind == \"L2Advertisement\")" "$file" >/dev/null 2>&1; then + echo "Found L2Advertisement - using metallb schema" + kubeconform \ + -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json" \ + -output json \ + "$file" + elif yq -e "select(.kind == \"IPAddressPool\")" "$file" >/dev/null 2>&1; then + echo "Found IPAddressPool - using metallb schema" + kubeconform \ + -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json" \ + -output json \ + "$file" + elif yq -e "select(.kind == \"SealedSecret\")" "$file" >/dev/null 2>&1; then + echo "Found SealedSecret - using bitnami schema" + kubeconform \ + -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json" \ + -output json \ + "$file" + else + echo "Validating with default schemas" + kubeconform \ + -schema-location default \ + -output json \ + "$file" + fi + done + ' sh {} +
-- 
2.49.1
From 60a0827608fb6c295048ccd555523b8af3c2a640 Mon Sep 17 00:00:00 2001
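Review bot: A validation failure on any file but the last is lost: inside the `sh -c` loop each `kubeconform` result is discarded, the script's exit status is that of its final command, and `find -exec … {} +` propagates only that, so the step can pass with invalid manifests in the tree — the very thing the gate exists to stop. Either track the status (`rc=0`, `… || rc=1` after each call, `exit $rc` at the end) or, simpler, drop the per-kind `yq` dispatch and let kubeconform resolve the CRD schema itself through one templated location, which also removes the hard-coded URL-per-kind list and the unexplained `yq nodejs npm` install. The `Create kubeconform configuration` step writes `/tmp/kubeconform-config.yaml`, which nothing in the workflow reads, and its template lacks the `{{ .Group }}` directory that the catalog URLs in this same hunk use, so it is dead configuration and should go. `uses: actions/checkout@v4` is a mutable tag for code that runs with the job's token; pin it to a full commit SHA with the version in a comment, `uses: actions/checkout@<pinned-commit-sha> # v4`, and pin the `refs/heads/main` catalog ref to a commit for the same reason.
```yaml
      - name: Validate Manifests
        run: |
          set -euo pipefail
          # One templated location lets kubeconform pick the CRD schema per
          # resource ({{ .Group }}/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json);
          # 'default' still covers the core Kubernetes kinds. <pinned-commit-sha>
          # is a placeholder: use a CRDs-catalog commit, not a branch name.
          find . -type f \( -name "*.yml" \) \
            -not -path "./.gitea/*" \
            -print0 \
          | xargs -0 --no-run-if-empty kubeconform \
              -verbose \
              -summary \
              -schema-location default \
              -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/<pinned-commit-sha>/{{ .Group }}/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json'
```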
From: aggarwalakshun
Date: Wed, 3 Dec 2025 13:11:45 +0530
Subject: [PATCH 10/10] exclude system-upgrade
---
 .gitea/workflows/kubeconform.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index ee0cb9e..2225880 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -35,6 +35,7 @@ jobs: # Validate manifests with proper schema resolution find . -type f \( -name "*.yml" \) \ -not -path "./.gitea/*" \ + -not -path "./clusters/default/system-upgrade/*" \ -exec sh -c ' for file do echo "=== Validating: $file ==="
-- 
2.49.1
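Review bot: The new `-not -path "./clusters/default/system-upgrade/*"` removes a whole directory of manifests from the gate with no comment saying why, so the reason — presumably kinds with no schema in the catalog, though the page does not say — is lost, and nobody will know when it is safe to lift the exclusion. Add a line above the `find` such as `# system-upgrade manifests use kinds with no published schema; excluded until one exists`, or, narrower, keep the directory in the run and use kubeconform's `-skip <Kind>` or `-ignore-missing-schemas` so the other documents in it are still validated. The enclosing `run:` block starts before and continues after this hunk.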