diff --git a/.github/scripts/validate-manifests.sh b/.github/scripts/validate-manifests.sh
new file mode 100755
index 00000000..72b59d94
--- /dev/null
+++ b/.github/scripts/validate-manifests.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+# mirror kustomize-controller build options
+kustomize_flags=("--load-restrictor=LoadRestrictionsNone")
+kustomize_config="kustomization.yaml"
+
+# skip Kubernetes Secrets due to SOPS fields failing validation
+kubeconform_flags=("-skip=Secret")
+kubeconform_config=("-strict" "-ignore-missing-schemas" "-schema-location" "default" "-schema-location" "/tmp/flux-crd-schemas" "-verbose")
+
+echo "🔍 INFO - Downloading Flux OpenAPI schemas"
+mkdir -p /tmp/flux-crd-schemas/master-standalone-strict
+curl -sL https://github.com/fluxcd/flux2/releases/latest/download/crd-schemas.tar.gz | tar zxf - -C /tmp/flux-crd-schemas/master-standalone-strict
+
+find . -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; do
+ echo "🔍 INFO - Validating $file"
+ yq e 'true' "$file" >/dev/null
+done
+
+echo "🔍 INFO - Validating clusters"
+find ./k8s/clusters -maxdepth 2 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; do
+ kubeconform "${kubeconform_flags[@]}" "${kubeconform_config[@]}" "${file}"
+ if [[ ${PIPESTATUS[0]} != 0 ]]; then
+ exit 1
+ fi
+done
+
+echo "🔍 INFO - Validating kustomize overlays"
+find . -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; do
+ echo "🔍 INFO - Validating kustomization ${file/%$kustomize_config/}"
+ kustomize build "${file/%$kustomize_config/}" "${kustomize_flags[@]}" |
+ kubeconform "${kubeconform_flags[@]}" "${kubeconform_config[@]}"
+ if [[ ${PIPESTATUS[0]} != 0 ]]; then
+ exit 1
+ fi
+done
diff --git a/.github/workflows/update-flux.yaml b/.github/workflows/update-flux.yaml
index 7f9b5f4e..65ade1ca 100644
--- a/.github/workflows/update-flux.yaml
+++ b/.github/workflows/update-flux.yaml
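Review bot: The schema download `curl -sL https://github.com/fluxcd/flux2/releases/latest/download/crd-schemas.tar.gz | tar zxf - -C /tmp/flux-crd-schemas/master-standalone-strict` pulls a floating "latest" archive with no integrity check, so the validation baseline changes silently between runs and an unverified tarball is extracted straight into /tmp; pin the schemas to a specific Flux release and compare a checksum before extracting, and use `curl -fsSL` so an HTTP error body cannot reach tar. `find . -type f -name $kustomize_config -print0` leaves `$kustomize_config` unquoted; write `-name "$kustomize_config"`. The `if [[ ${PIPESTATUS[0]} != 0 ]]; then exit 1; fi` checks in both loops are unreachable under `set -o errexit` with `pipefail`, because a failing kubeconform or kustomize already aborts the loop's subshell and the enclosing pipeline; drop them or comment that they are belt-and-braces. `-ignore-missing-schemas` combined with `-skip=Secret` means any CRD without a schema under /tmp/flux-crd-schemas and every Secret pass unvalidated, which deserves a comment next to `kubeconform_config` so readers do not assume full coverage.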
@@ -1,4 +1,4 @@ -name: update-flux +name: Update Flux on: workflow_dispatch:
@@ -10,7 +10,7 @@ permissions: pull-requests: write jobs: - components: + update-flux: runs-on: ubuntu-latest strategy: matrix:
diff --git a/.github/workflows/validate-manifests.yaml b/.github/workflows/validate-manifests.yaml
new file mode 100644
index 00000000..99e9d9f5
--- /dev/null
+++ b/.github/workflows/validate-manifests.yaml
@@ -0,0 +1,25 @@
+name: Validate manifests
+
+env:
+ SCRIPTS_DIR: ./.github/scripts
+
+on:
+ pull_request:
+ push:
+ branches: [ '*' ]
+ tags-ignore: [ '*' ]
+
+jobs:
+ validate-manifests:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup yq
+ uses: fluxcd/pkg/actions/yq@main
+ - name: Setup kubeconform
+ uses: fluxcd/pkg/actions/kubeconform@main
+ - name: Setup kustomize
+ uses: fluxcd/pkg/actions/kustomize@main
+ - name: Validate manifests
+ run: $SCRIPTS_DIR/validate-manifests.sh
\ No newline at end of file
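Review bot: The setup steps `uses: fluxcd/pkg/actions/yq@main`, `uses: fluxcd/pkg/actions/kubeconform@main` and `uses: fluxcd/pkg/actions/kustomize@main` reference a mutable branch, so the toolchain that validates every push can change without any commit in this repository; pin them (and `actions/checkout@v3`) to a full commit SHA with the version in a trailing comment. The workflow declares no `permissions:` block, so the job inherits the repository's default token scope although it only needs to read the checkout; add a top-level `permissions:` with `contents: read`, in line with the explicit block that update-flux.yaml already carries. Triggering on both `pull_request` and `push` with `branches: [ '*' ]` runs the job twice for each commit pushed to a PR branch in this repository, which is presumably tolerated but worth a comment or narrowing to the default branch for `push`.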