From e66d8a187f1384c76638c1b1bedfae6b3997c83a Mon Sep 17 00:00:00 2001
From: Ludovic Ortega
Date: Sun, 19 Nov 2023 16:36:04 +0100
Subject: [PATCH] feat: add kubernetes linter

---
 .github/workflows/kubernetes-lint.yml | 19 +++++++++++++++++++
 README.md | 1 +
 argocd/keycloak/manifests/03_keycloak.yaml | 4 ++++
 3 files changed, 24 insertions(+)
 create mode 100644 .github/workflows/kubernetes-lint.yml

diff --git a/.github/workflows/kubernetes-lint.yml b/.github/workflows/kubernetes-lint.yml
new file mode 100644
index 00000000..4d2c14c0
--- /dev/null
+++ b/.github/workflows/kubernetes-lint.yml
@@ -0,0 +1,19 @@
+---
+name: Kubernetes Lint
+
+on:
+ push:
+ paths:
+ - argocd/**
+ - .github/workflows/kube-lint.yml
+ pull_request:
+
+jobs:
+ kubernetes-lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Scan repo with kube-linter
+ uses: stackrox/kube-linter-action@v1.0.4
+ with:
+ directory: argocd
diff --git a/README.md b/README.md
index 29888254..29b16823 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@ This is my Homelab v3 infrastructure.
 ![Packer Lint](https://github.com/M0NsTeRRR/homelabv3-infra/workflows/Packer%20Lint/badge.svg)
 ![Terraform Lint](https://github.com/M0NsTeRRR/homelabv3-infra/workflows/Terraform%20Lint/badge.svg)
 ![Octodns](https://github.com/M0NsTeRRR/homelabv3-infra/workflows/Octodns/badge.svg)
+![Kubernetes Lint](https://github.com/M0NsTeRRR/homelabv3-infra/workflows/Kubernetes%20Lint/badge.svg)
 # Requirements
diff --git a/argocd/keycloak/manifests/03_keycloak.yaml b/argocd/keycloak/manifests/03_keycloak.yaml
index ae51a909..ab5d2019 100644
--- a/argocd/keycloak/manifests/03_keycloak.yaml
+++ b/argocd/keycloak/manifests/03_keycloak.yaml
@@ -31,6 +31,7 @@ metadata:
 app.kubernetes.io/instance: keycloak
 annotations:
 reloader.stakater.com/auto: "true"
+ ignore-check.kube-linter.io/no-read-only-root-fs: "https://github.com/keycloak/keycloak/issues/11286"
 spec:
 replicas: 1
 selector:
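Review bot: The push `paths` filter lists `.github/workflows/kube-lint.yml`, but this file is `kubernetes-lint.yml`, so changes to the workflow itself will never trigger the push run; change the entry to `- .github/workflows/kubernetes-lint.yml`. The two actions are pinned to mutable tags (`actions/checkout@v4`, `stackrox/kube-linter-action@v1.0.4`); pin each to the full commit SHA of that tag, keeping the tag in a trailing comment, so a moved or retagged release cannot change what runs in CI. The workflow also declares no `permissions:`, so the job token receives the repository's default scope; a lint-only job should declare a top-level `permissions:` with `contents: read` and nothing else.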
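Review bot: The `ignore-check.kube-linter.io/no-read-only-root-fs` annotation is an open-ended suppression: the only hint of when it should go away is the issue URL in its value, which nobody re-reads once the lint is green. Add a comment above it such as `# TODO: drop this ignore and set readOnlyRootFilesystem: true once the linked keycloak issue is resolved` so the exception is tied to a condition for removal. Since it sits in the object's own `metadata` rather than in a linter config, it is also applied to the live object in the cluster; that is harmless but worth knowing when reviewing cluster state. The enclosing `metadata` block starts outside the hunk.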
@@ -108,6 +109,9 @@ spec:
 timeoutSeconds: 5
 failureThreshold: 6
 successThreshold: 1
+ securityContext:
+ runAsNonRoot: True
+ readOnlyRootFilesystem: False
 resources:
 limits:
 memory: 2Gi
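Review bot: The new container `securityContext` stops at `runAsNonRoot`/`readOnlyRootFilesystem` and leaves privilege escalation, capabilities and seccomp unset, so the process can still gain privileges through setuid binaries and keeps the runtime's default capability set; kube-linter's default `privilege-escalation-container` and `drop-net-raw-capability` checks flag exactly this unless they are suppressed elsewhere. Write the booleans as lowercase `true`/`false` — yamllint's `truthy` rule rejects `True`/`False`, and the file already uses `"true"` in its annotations. `runAsNonRoot: true` without `runAsUser` relies on the image declaring a numeric `USER`; if it does not, the kubelet refuses to start the container, so consider setting `runAsUser` explicitly. Rather than disabling `readOnlyRootFilesystem` for the whole filesystem, mounting `emptyDir` volumes over the directories Keycloak actually writes to would keep the root filesystem read-only, if those paths can be identified. The enclosing container definition starts outside the hunk.
```yaml
securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
# … unchanged: resources …
```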