Upgrading to k8s 1.31 as well as other tooling.

Signed-off-by: Steven Wade <[email protected]>

.github/workflows/main.yaml

@@ -25,7 +25,7 @@ jobs:
         uses: docker/build-push-action@v2
         with:
           build-args: |
-            KUBERNETES_VERSION=1.21.8
+            KUBERNETES_VERSION=1.31.0
           context: .
           push: true
-          tags: eu.gcr.io/swade1987/kubernetes-toolkit:1.21.8
+          tags: eu.gcr.io/swade1987/kubernetes-toolkit:1.31.0

Dockerfile

@@ -1,5 +1,5 @@
-FROM alpine:3.15
-LABEL MAINTAINER Steven Wade <[email protected]>
+FROM alpine:3.20.3
+LABEL MAINTAINER="Steven Wade <[email protected]>"
 
 ARG KUBERNETES_VERSION="Unknown"
 
@@ -14,6 +14,9 @@ RUN apk add --no-cache \
   openssh-client \
   && rm -rf /var/cache/apk/*
 
+# Install Python 3
+RUN apk add --update python3 py3-pip
+
 # Install necessary packages
 COPY src/install-dependencies.sh /install-dependencies.sh
 RUN /install-dependencies.sh ${KUBERNETES_VERSION}

Makefile

@@ -2,7 +2,7 @@
 # Project build information
 #------------------------------------------------------------------
 PROJNAME := kubernetes-toolkit
-KUBERNETES_VERSION := 1.21.8
+KUBERNETES_VERSION := 1.31.0
 
 GCR_REPO := eu.gcr.io/swade1987
 GCLOUD_SERVICE_KEY ?="unknown"

bin/hrval

@@ -4,8 +4,7 @@ set -o errexit
 
 DIR=${1}
 IGNORE_VALUES=${2-false}
-KUBE_VER=${3-master}
-HELM_VER=${4-v2}
+HELM_VER=${3-v2}
 HRVAL="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )/hrval.sh"
 
 if [[ ${HELM_VER} == "v2" ]]; then
@@ -14,7 +13,7 @@ fi
 
 # If the path provided is actually a file, just run hrval against this one file
 if test -f "${DIR}"; then
-  ${HRVAL} "${DIR}" "${IGNORE_VALUES}" "${KUBE_VER}" "${HELM_VER}"
+  ${HRVAL} "${DIR}" "${IGNORE_VALUES}" "${HELM_VER}"
   exit 0
 fi
 
@@ -38,12 +37,12 @@ DIR_PATH=$(echo "${DIR}" | sed "s/^\///;s/\/$//")
 FILES_TESTED=0
 for f in `find ${DIR} -type f -name '*.yaml' -or -name '*.yml'`; do
   if [[ $(isHelmRelease "${f}") == "true" ]]; then
-    ${HRVAL} "${f}" "${IGNORE_VALUES}" "${KUBE_VER}" "${HELM_VER}"
+    ${HRVAL} "${f}" "${IGNORE_VALUES}" "${HELM_VER}"
     FILES_TESTED=$(( FILES_TESTED+1 ))
   else
     echo "Ignoring ${f} not a HelmRelease"
   fi
 done
 
 # This will set the GitHub actions output 'numFilesTested'
-echo "::set-output name=numFilesTested::${FILES_TESTED}"
+echo "numFilesTested=${FILES_TESTED}" >> $GITHUB_OUTPUT

bin/hrval-whole-kustomize-repo.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+set -eu
+
+IGNORE_VALUES=false
+KUBE_VERSION=1.18.0
+HELM_VERSION=v3
+
+TMP_DIR="$(mktemp -d)"
+
+function get_targets {
+  find . -maxdepth 3 -name kustomization.yaml -exec dirname {} \;
+  find . -mindepth 4 -maxdepth 4 -name kustomization.yaml -exec dirname {} \; | sort | uniq | grep variant
+}
+
+function patched_kustomization {
+  local env_path flux_patch
+  env_path=$1
+  flux_patch="$env_path/flux-patch.yaml"
+  kustomize create
+  kustomize edit add resource "$env_path"
+  if [ -s "$flux_patch" ]; then
+    echo "patches:" >> kustomization.yaml
+    echo "- ${flux_patch}" >> kustomization.yaml
+  fi
+}
+
+function build {
+  local ref="$1"
+  printf "\n\nChecking out ref: %s\n" "$ref"
+  git checkout "$ref" --quiet
+  for env_path in $(get_targets); do
+    local build_dir
+    if ! [ -d "$env_path" ]; then continue; fi
+    build_dir="$TMP_DIR/$ref/${env_path#*kustomize/}"
+    printf "\n\nCreating build directory: %s\n" "$build_dir"
+    mkdir -p "$build_dir"
+    patched_kustomization "$env_path"
+    echo "Running kustomize"
+    kustomize build . -o "$build_dir"
+    rm kustomization.yaml
+  done
+}
+
+function changed_yamls {
+  git diff \
+    --no-index \
+    --diff-filter AM \
+    --name-only \
+    "$TMP_DIR/$CI_MERGE_REQUEST_DIFF_BASE_SHA" "$TMP_DIR/$CI_COMMIT_SHA" \
+  | grep -E '\.(yaml|yml)$'
+}
+
+function is_helm_release {
+  local kind yaml
+  yaml=$1
+  kind=$(yq r "$yaml" kind)
+  if [[ $kind == "HelmRelease" ]]; then
+      echo true
+  else
+    echo false
+  fi
+}
+
+function main {
+  local exit_code hrval_output returned
+  exit_code=0
+
+  build "$CI_COMMIT_SHA"
+  build "$CI_MERGE_REQUEST_DIFF_BASE_SHA"
+
+  set +e
+  for yaml in $(changed_yamls); do
+    if [[ $(is_helm_release "$yaml") == "true" ]]; then
+      hrval_output=$(/usr/local/bin/hrval.sh "$yaml" "${IGNORE_VALUES}" "${KUBE_VERSION}" "${HELM_VERSION}")
+      returned=$?
+      if [[ $returned -ne 0 ]]; then
+        exit_code=$returned
+      fi
+      printf "%s\n\n" "$hrval_output"
+    fi
+  done
+  set -e
+
+  exit $exit_code
+}
+
+main

bin/hrval.sh

@@ -4,8 +4,7 @@ set -o errexit
 
 HELM_RELEASE=${1}
 IGNORE_VALUES=${2}
-KUBE_VER=${3-master}
-HELM_VER=${4-v2}
+HELM_VER=${3-v2}
 
 if test ! -f "${HELM_RELEASE}"; then
   echo "\"${HELM_RELEASE}\" Helm release file not found!"
@@ -15,7 +14,7 @@ fi
 echo "Processing ${HELM_RELEASE}"
 
 function isHelmRelease {
-  KIND=$(yq r ${1} kind)
+  KIND=$(yq e '.kind' "${1}")
   if [[ ${KIND} == "HelmRelease" ]]; then
       echo true
   else
@@ -24,13 +23,13 @@ function isHelmRelease {
 }
 
 function download {
-  CHART_REPO=$(yq r "${1}" spec.chart.repository)
-  CHART_NAME=$(yq r "${1}" spec.chart.name)
-  CHART_VERSION=$(yq r "${1}" spec.chart.version)
+  CHART_REPO=$(yq e '.spec.chart.repository' "${1}")
+  CHART_NAME=$(yq e '.spec.chart.name' "${1}")
+  CHART_VERSION=$(yq e '.spec.chart.version' "${1}")
   CHART_DIR=${2}/${CHART_NAME}
 
   # Use the md5 sum of the repository URL so we don't keep adding a helm repo per helm chart.
-  CHART_REPO_MD5=`/bin/echo $CHART_REPO | /usr/bin/md5sum | cut -f1 -d" "`
+  CHART_REPO_MD5=$(/bin/echo "$CHART_REPO" | /usr/bin/md5sum | cut -f1 -d" ")
   helm repo add "${CHART_REPO_MD5}" "${CHART_REPO}"
   helm repo update
   helm fetch --version "${CHART_VERSION}" --untar "${CHART_REPO_MD5}"/"${CHART_NAME}" --untardir "${2}"
@@ -39,16 +38,16 @@ function download {
 
 function clone {
   ORIGIN=$(git rev-parse --show-toplevel)
-  GIT_REPO=$(yq r ${1} spec.chart.git)
+  GIT_REPO=$(yq e '.spec.chart.git' "${1}")
   if [[ -n "${GITHUB_TOKEN}" ]]; then
     BASE_URL=$(echo "${GIT_REPO}" | sed -e 's/ssh:\/\///' -e 's/git@//' -e 's/:/\//')
     GIT_REPO="https://${GITHUB_TOKEN}:x-oauth-basic@${BASE_URL}"
   elif [[ -n "${GITLAB_CI_TOKEN}" ]]; then
     BASE_URL=$(echo "${GIT_REPO}" | sed -e 's/ssh:\/\///' -e 's/git@//' -e 's/:/\//')
     GIT_REPO="https://gitlab-ci-token:${GITLAB_CI_TOKEN}@${BASE_URL}"
   fi
-  GIT_REF=$(yq r "${1}" spec.chart.ref)
-  CHART_PATH=$(yq r "${1}" spec.chart.path)
+  GIT_REF=$(yq e '.spec.chart.ref' "${1}")
+  CHART_PATH=$(yq e '.spec.chart.path' "${1}")
   cd "${2}"
   git init -q
   git remote add origin "${GIT_REPO}"
@@ -65,25 +64,25 @@ function validate {
   fi
 
   TMPDIR=$(mktemp -d)
-  CHART_PATH=$(yq r "${HELM_RELEASE}" spec.chart.path)
+  CHART_PATH=$(yq e '.spec.chart.path' "${HELM_RELEASE}")
 
-  if [[ -z "${CHART_PATH}" ]]; then
+  if [[ "${CHART_PATH}" == null ]]; then
     echo "Downloading to ${TMPDIR}"
     CHART_DIR=$(download "${HELM_RELEASE}" "${TMPDIR}"| tail -n1)
   else
     echo "Cloning to ${TMPDIR}"
-    CHART_DIR=$(clone ${HELM_RELEASE} ${TMPDIR}| tail -n1)
+    CHART_DIR=$(clone "${HELM_RELEASE}" "${TMPDIR}"| tail -n1)
   fi
 
-  HELM_RELEASE_NAME=$(yq r "${HELM_RELEASE}" metadata.name)
-  HELM_RELEASE_NAMESPACE=$(yq r "${HELM_RELEASE}" metadata.namespace)
+  HELM_RELEASE_NAME=$(yq e '.metadata.name' "${HELM_RELEASE}")
+  HELM_RELEASE_NAMESPACE=$(yq e '.metadata.namespace' "${HELM_RELEASE}")
 
   if [[ ${IGNORE_VALUES} == "true" ]]; then
-    echo "Ingnoring Helm release values"
+    echo "Ignoring Helm release values"
     echo "" > "${TMPDIR}"/"${HELM_RELEASE_NAME}".values.yaml
   else
     echo "Extracting values to ${TMPDIR}/${HELM_RELEASE_NAME}.values.yaml"
-    yq r "${HELM_RELEASE}" spec.values > "${TMPDIR}"/"${HELM_RELEASE_NAME}".values.yaml
+    yq e '.spec.values' "${HELM_RELEASE}" > "${TMPDIR}"/"${HELM_RELEASE_NAME}".values.yaml
   fi
 
   echo "Writing Helm release to ${TMPDIR}/${HELM_RELEASE_NAME}.release.yaml"
@@ -98,7 +97,7 @@ function validate {
       -f "${TMPDIR}"/"${HELM_RELEASE_NAME}".values.yaml > "${TMPDIR}"/"${HELM_RELEASE_NAME}".release.yaml
   else
     if [[ "${CHART_PATH}" ]]; then
-      helm dependency build ${CHART_DIR}
+      helm dependency build "${CHART_DIR}"
     fi
     helm template "${CHART_DIR}" \
       --name "${HELM_RELEASE_NAME}" \
@@ -108,8 +107,17 @@ function validate {
 
   export KUBEVAL_SCHEMA_LOCATION=file:///usr/local/kubeval/schemas
 
-  echo "Validating Helm release ${HELM_RELEASE_NAME}.${HELM_RELEASE_NAMESPACE} against Kubernetes ${KUBE_VER}"
-  kubeval --strict --ignore-missing-schemas --kubernetes-version ${KUBE_VER} ${TMPDIR}/${HELM_RELEASE_NAME}.release.yaml
+  # Obtain the kubectl minor version
+  KUBECTL_MINOR_VERSION=$(kubectl version --client --output=json | jq -r .clientVersion.gitVersion | cut -c2- | sed 's/.$/0/')
+
+  echo "Validating Helm release ${HELM_RELEASE_NAME}.${HELM_RELEASE_NAMESPACE} against Kubernetes ${KUBECTL_MINOR_VERSION}"
+  kubeval --strict --ignore-missing-schemas --kubernetes-version "${KUBECTL_MINOR_VERSION}" --force-color "${TMPDIR}"/"${HELM_RELEASE_NAME}".release.yaml
+
+  echo "Validating Helm release ${HELM_RELEASE_NAME}.${HELM_RELEASE_NAMESPACE} against Rego policies"
+  conftest test -p /policies ${TMPDIR}/${HELM_RELEASE_NAME}.release.yaml
+
+  echo "Validating Helm release ${HELM_RELEASE_NAME}.${HELM_RELEASE_NAMESPACE} against Pluto deprecations"
+  pluto detect -t k8s=v${KUBECTL_MINOR_VERSION} ${TMPDIR}/${HELM_RELEASE_NAME}.release.yaml
 }
 
-validate
+validate

src/install-dependencies.sh

@@ -8,13 +8,13 @@ curl -sL https://storage.googleapis.com/kubernetes-release/release/v"${KUBECTL}"
 -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
 kubectl version --client
 
-KUSTOMIZE=4.4.1
+KUSTOMIZE=5.4.3
 printf "\nDownloading kustomize %s\n" "${KUSTOMIZE}"
 curl -sL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE}/kustomize_v${KUSTOMIZE}_linux_amd64.tar.gz | \
 tar xz && mv kustomize /usr/local/bin/kustomize
 kustomize version
 
-HELM_V3=3.7.2
+HELM_V3=3.14.3
 printf "\nDownloading helm %s\n" "${HELM_V3}"
 curl -sSL https://get.helm.sh/helm-v${HELM_V3}-linux-amd64.tar.gz | \
 tar xz && mv linux-amd64/helm /usr/local/bin/helmv3 && rm -rf linux-amd64 && ln -s /usr/local/bin/helmv3 /usr/local/bin/helm
@@ -27,81 +27,63 @@ curl -sL https://github.com/instrumenta/kubeval/releases/download/v${KUBEVAL}/ku
 tar xz && mv kubeval /usr/local/bin/kubeval
 kubeval --version
 
-CONFTEST=0.30.0
+CONFTEST=0.55.0
 printf "\nDownloading conftest %s\n" "${CONFTEST}"
 curl -sL https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST}/conftest_${CONFTEST}_Linux_x86_64.tar.gz | \
 tar xz && mv conftest /usr/local/bin/conftest
 conftest --version
 
-ISTIOCTL=1.12.0
+ISTIOCTL=1.23.1
 # shellcheck disable=SC2059
 printf "\nDownloading istioctl %s\n" "${ISTIOCTL}"
 curl -sL https://github.com/istio/istio/releases/download/${ISTIOCTL}/istioctl-${ISTIOCTL}-linux-amd64.tar.gz | \
 tar xz && mv istioctl /usr/local/bin/istioctl
 rm -rf istio-${ISTIOCTL}
 istioctl version --remote=false
 
-YQ=v4.16.2
+YQ=v4.44.3
 printf "\nDownloading yq %s\n" "${YQ}"
 curl -sL https://github.com/mikefarah/yq/releases/download/${YQ}/yq_linux_amd64 \
 -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
 yq --version
 
-JQ=1.6
+JQ=1.7.1
 printf "\nDownloading jq %s\n" "${JQ}"
 curl -sL https://github.com/stedolan/jq/releases/download/jq-${JQ}/jq-linux64 \
 -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq
 jq --version
 
 # Install Python 3 and additional libraries
-apk add --update --no-cache python3 gcc libxslt-dev libxml2-dev libxml2 libxslt build-base python3-dev nodejs npm && \
-if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \
-python3 -m ensurepip && \
-rm -r /usr/lib/python*/ensurepip && \
-pip3 install --no-cache --upgrade pip setuptools wheel && \
-if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi
+apk add --update --no-cache python3 gcc libxslt-dev libxml2-dev libxml2 libxslt build-base python3-dev nodejs npm
 
-AWSCLI=1.22.44
-printf "\nDownloading awscli %s\n" "${AWSCLI}"
-pip3 install --quiet --upgrade awscli==${AWSCLI}
-aws --version
-
-HELM_DOCS=1.7.0
+HELM_DOCS=1.14.2
 printf "\nDownloading helm-docs %s\n" "${HELM_DOCS}"
 curl -sL https://github.com/norwoodj/helm-docs/releases/download/v${HELM_DOCS}/helm-docs_${HELM_DOCS}_Linux_x86_64.tar.gz | \
 tar xz && mv helm-docs /usr/local/bin/helm-docs
 rm -rf helm-docs_${HELM_DOCS}_Linux_x86_64
 helm-docs --version
 
-PRE_COMMIT=v2.17.0
-printf "\nDownloading pre-commit %s\n" "${PRE_COMMIT}"
-pip3 install --quiet --upgrade pre-commit==${PRE_COMMIT}
-pre-commit --version
-
-node --version
-npm --version
-
 JSONLINT=1.6.3
 printf "\nDownloading jsonlint %s\n" "${JSONLINT}"
 npm install jsonlint@${JSONLINT} -g
 jsonlint --version || :
 
-PLUTO=5.0.0
+PLUTO=5.20.2
 printf "\nDownloading pluto %s\n" "${PLUTO}"
 curl -sL https://github.com/FairwindsOps/pluto/releases/download/v${PLUTO}/pluto_${PLUTO}_linux_amd64.tar.gz | \
 tar xz && mv pluto /usr/local/bin/pluto
 rm -rf pluto_5.0.0_linux_amd64.tar.gz
 pluto version
 
-SHELLCHECK=v0.7.2
+SHELLCHECK=v0.10.0
 printf "\ndownloading shellcheck %s \n" "${SHELLCHECK}"
 wget https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK}/shellcheck-${SHELLCHECK}.linux.x86_64.tar.xz -O - | tar xJf -
 mv shellcheck-${SHELLCHECK}/shellcheck /usr/local/bin/shellcheck && rm -rf shellcheck-${SHELLCHECK}
 shellcheck --version
 
-printf "\nFetching kubeval kubernetes json schemas for v1.%s.0\n" "$(kubectl version --client=true --short=true | awk '{print $3}' | awk -F'.' '{print $2}')"
+printf "\nFetching kubeval kubernetes json schemas for v1.%s.0\n" "$(kubectl version --client=true -o=json | jq -r '.clientVersion.minor' | tr -d '+')"
 mkdir -p /usr/local/kubeval/schemas
 git clone https://github.com/swade1987/kubernetes-json-schema.git
 # shellcheck disable=SC2046
-cp -R kubernetes-json-schema/v1.$(kubectl version --client=true --short=true | awk '{print $3}' | awk -F'.' '{print $2}').0-standalone-strict /usr/local/kubeval/schemas
+cp -R kubernetes-json-schema/v1.$(kubectl version --client=true -o=json | jq -r '.clientVersion.minor' | tr -d '+').0-standalone-strict /usr/local/kubeval/schemas
 rm -rf kubernetes-json-schema