Skip to content

Helm Chart: Move vulnerability processing to be a cronjob by default #716

Helm Chart: Move vulnerability processing to be a cronjob by default

Helm Chart: Move vulnerability processing to be a cronjob by default #716

Workflow file for this run

name: pr-helm
on:
pull_request:
paths:
- 'charts/**'
- '.github/workflows/pr-helm.yaml'
- '.github/scripts/helm-check-expected.sh'
- 'tools/ci/helm-values/**'
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
sanity-check:
strategy:
matrix:
kube-version: [1.16.0, 1.17.0, 1.18.0] # kubeval is currently lagging behind the active schema versions, so these are the ones we can test against. see https://github.com/instrumenta/kubernetes-json-schema/issues/26
runs-on: ubuntu-20.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: create temp dir
run: mkdir -p helm-temp
- name: helm template -- default values
run: |
helm template \
--namespace fleet \
--release-name fleet \
--values charts/fleet/values.yaml \
charts/fleet \
> helm-temp/output-defaults.yaml
- name: helm template -- other configurations
run: |
VALUES_FILES=$(find tools/ci/helm-values -type f)
for FILE_PATH in ${VALUES_FILES}; do
FILE=$(echo ${FILE_PATH} | rev | cut -d"/" -f1 | rev)
REL_NAME=$(echo ${FILE} | cut -d"." -f1)
helm template \
--namespace ${REL_NAME} \
--release-name ${REL_NAME} \
--values ${FILE_PATH} \
charts/fleet \
> helm-temp/${FILE}
done
- name: kubeval sanity check
uses: instrumenta/kubeval-action@5915e4adba5adccac07cb156b82e54c3fed74921 # master
with:
files: helm-temp
version: ${{ matrix.kube-version }}
- name: install yq
env:
YQ_VERSION: 4.4.1
run: |
curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/yq_linux_amd64
curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/checksums
echo "$(grep linux_amd64 checksums | awk '{print $19}') yq_linux_amd64" > sha256
sha256sum --check sha256
chmod +x yq_linux_amd64
mkdir -p ${HOME}/.bin
mv yq_linux_amd64 ${HOME}/.bin/yq
echo PATH=${PATH}:${HOME}/.bin >> $GITHUB_ENV
- name: check default values
run: |
.github/scripts/helm-check-expected.sh \
"helm-temp/output-defaults.yaml" \
'FLEET_FILESYSTEM_STATUS_LOG_FILE FLEET_FILESYSTEM_RESULT_LOG_FILE FLEET_FILESYSTEM_ENABLE_LOG_ROTATION FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION' \
'fleet-tls osquery-logs'
- name: check pubsub values
run: |
.github/scripts/helm-check-expected.sh \
"helm-temp/logger-pubsub.yaml" \
'FLEET_PUBSUB_PROJECT FLEET_PUBSUB_STATUS_TOPIC FLEET_PUBSUB_RESULT_TOPIC' \
'fleet-tls'
- name: check firehose accesskey values
run: |
.github/scripts/helm-check-expected.sh \
"helm-temp/logger-firehose-accesssid.yaml" \
'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_ACCESS_KEY_ID FLEET_FIREHOSE_SECRET_ACCESS_KEY' \
'fleet-tls'
- name: check firehose sts values
run: |
.github/scripts/helm-check-expected.sh \
"helm-temp/logger-firehose-sts.yaml" \
'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN' \
'fleet-tls'
- name: check mysql tls enabled values
run: |
.github/scripts/helm-check-expected.sh \
"helm-temp/enable-mysql-tls.yaml" \
'FLEET_MYSQL_TLS_CA FLEET_MYSQL_TLS_CERT FLEET_MYSQL_TLS_KEY FLEET_MYSQL_TLS_CONFIG FLEET_MYSQL_TLS_SERVER_NAME' \
'fleet-tls osquery-logs mysql-tls'