Helm Chart: Move vulnerability processing to be a cronjob by default #715
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: pr-helm | |
on: | |
pull_request: | |
paths: | |
- 'charts/**' | |
- '.github/workflows/pr-helm.yaml' | |
- '.github/scripts/helm-check-expected.sh' | |
- 'tools/ci/helm-values/**' | |
# This allows a subsequently queued workflow run to interrupt previous runs | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} | |
cancel-in-progress: true | |
defaults: | |
run: | |
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference | |
shell: bash | |
permissions: | |
contents: read | |
jobs: | |
sanity-check: | |
strategy: | |
matrix: | |
kube-version: [1.16.0, 1.17.0, 1.18.0] # kubeval is currently lagging behind the active schema versions, so these are the ones we can test against. see https://github.com/instrumenta/kubernetes-json-schema/issues/26 | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: create temp dir | |
run: mkdir -p helm-temp | |
- name: helm template -- default values | |
run: | | |
helm template \ | |
--namespace fleet \ | |
--release-name fleet \ | |
--values charts/fleet/values.yaml \ | |
charts/fleet \ | |
> helm-temp/output-defaults.yaml | |
- name: helm template -- other configurations | |
run: | | |
VALUES_FILES=$(find tools/ci/helm-values -type f) | |
for FILE_PATH in ${VALUES_FILES}; do | |
FILE=$(echo ${FILE_PATH} | rev | cut -d"/" -f1 | rev) | |
REL_NAME=$(echo ${FILE} | cut -d"." -f1) | |
helm template \ | |
--namespace ${REL_NAME} \ | |
--release-name ${REL_NAME} \ | |
--values ${FILE_PATH} \ | |
charts/fleet \ | |
> helm-temp/${FILE} | |
done | |
- name: kubeval sanity check | |
uses: instrumenta/kubeval-action@5915e4adba5adccac07cb156b82e54c3fed74921 # master | |
with: | |
files: helm-temp | |
version: ${{ matrix.kube-version }} | |
- name: install yq | |
env: | |
YQ_VERSION: 4.4.1 | |
run: | | |
curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/yq_linux_amd64 | |
curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/checksums | |
echo "$(grep linux_amd64 checksums | awk '{print $19}') yq_linux_amd64" > sha256 | |
sha256sum --check sha256 | |
chmod +x yq_linux_amd64 | |
mkdir -p ${HOME}/.bin | |
mv yq_linux_amd64 ${HOME}/.bin/yq | |
echo PATH=${PATH}:${HOME}/.bin >> $GITHUB_ENV | |
- name: check default values | |
run: | | |
.github/scripts/helm-check-expected.sh \ | |
"helm-temp/output-defaults.yaml" \ | |
'FLEET_FILESYSTEM_STATUS_LOG_FILE FLEET_FILESYSTEM_RESULT_LOG_FILE FLEET_FILESYSTEM_ENABLE_LOG_ROTATION FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION' \ | |
'fleet-tls osquery-logs' | |
- name: check pubsub values | |
run: | | |
.github/scripts/helm-check-expected.sh \ | |
"helm-temp/logger-pubsub.yaml" \ | |
'FLEET_PUBSUB_PROJECT FLEET_PUBSUB_STATUS_TOPIC FLEET_PUBSUB_RESULT_TOPIC' \ | |
'fleet-tls' | |
- name: check firehose accesskey values | |
run: | | |
.github/scripts/helm-check-expected.sh \ | |
"helm-temp/logger-firehose-accesssid.yaml" \ | |
'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_ACCESS_KEY_ID FLEET_FIREHOSE_SECRET_ACCESS_KEY' \ | |
'fleet-tls' | |
- name: check firehose sts values | |
run: | | |
.github/scripts/helm-check-expected.sh \ | |
"helm-temp/logger-firehose-sts.yaml" \ | |
'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN' \ | |
'fleet-tls' | |
- name: check mysql tls enabled values | |
run: | | |
.github/scripts/helm-check-expected.sh \ | |
"helm-temp/enable-mysql-tls.yaml" \ | |
'FLEET_MYSQL_TLS_CA FLEET_MYSQL_TLS_CERT FLEET_MYSQL_TLS_KEY FLEET_MYSQL_TLS_CONFIG FLEET_MYSQL_TLS_SERVER_NAME' \ | |
'fleet-tls osquery-logs mysql-tls' |