fleet/.github/workflows/pr-helm.yaml

name: pr-helm
on:
  pull_request:
    paths:
    - 'charts/**'
    - '.github/workflows/pr-helm.yaml'
    - '.github/scripts/helm-check-expected.sh'
    - 'tools/ci/helm-values/**'

jobs:
  sanity-check:
    strategy:
      matrix:
        kube-version: [1.16.0, 1.17.0, 1.18.0] # kubeval is currently lagging behind the active schema versions, so these are the ones we can test against. see https://github.com/instrumenta/kubernetes-json-schema/issues/26
    runs-on: ubuntu-20.04
    steps:
    - name: checkout
      uses: actions/checkout@v2
    - name: create temp dir
      run: mkdir -p helm-temp
    - name: helm template -- default values
      run: |
        helm template \
          --namespace fleet \
          --release-name fleet \
          --values charts/fleet/values.yaml \
          charts/fleet \
        > helm-temp/output-defaults.yaml
    - name: helm template -- other configurations
      run: |
        VALUES_FILES=$(find tools/ci/helm-values -type f)
        for FILE_PATH in ${VALUES_FILES}; do
          FILE=$(echo ${FILE_PATH} | rev | cut -d"/" -f1 | rev)
          REL_NAME=$(echo ${FILE} | cut -d"." -f1)
          helm template \
            --namespace ${REL_NAME} \
            --release-name ${REL_NAME} \
            --values ${FILE_PATH} \
            charts/fleet \
          > helm-temp/${FILE}
        done
    - name: kubeval sanity check
      uses: instrumenta/kubeval-action@master
      with:
        files: helm-temp
        version: ${{ matrix.kube-version }}
    - name: install yq
      env:
        YQ_VERSION: 4.4.1
      run: |
        curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/yq_linux_amd64
        curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/checksums
        echo "$(grep linux_amd64 checksums | awk '{print $19}') yq_linux_amd64" > sha256
        sha256sum --check sha256
        chmod +x yq_linux_amd64
        mkdir -p ${HOME}/.bin
        mv yq_linux_amd64 ${HOME}/.bin/yq
        echo PATH=${PATH}:${HOME}/.bin >> $GITHUB_ENV
    - name: check default values
      run: |
        .github/scripts/helm-check-expected.sh \
        "helm-temp/output-defaults.yaml" \
        'FLEET_FILESYSTEM_STATUS_LOG_FILE FLEET_FILESYSTEM_RESULT_LOG_FILE FLEET_FILESYSTEM_ENABLE_LOG_ROTATION FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION' \
        'fleet-tls osquery-logs'
    - name: check pubsub values
      run: |
        .github/scripts/helm-check-expected.sh \
        "helm-temp/logger-pubsub.yaml" \
        'FLEET_PUBSUB_PROJECT FLEET_PUBSUB_STATUS_TOPIC FLEET_PUBSUB_RESULT_TOPIC' \
        'fleet-tls'
    - name: check firehose accesskey values
      run: |
        .github/scripts/helm-check-expected.sh \
        "helm-temp/logger-firehose-accesssid.yaml" \
        'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_ACCESS_KEY_ID FLEET_FIREHOSE_SECRET_ACCESS_KEY' \
        'fleet-tls'
    - name: check firehose sts values
      run: |
        .github/scripts/helm-check-expected.sh \
        "helm-temp/logger-firehose-sts.yaml" \
        'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN' \
        'fleet-tls'
    - name: check mysql tls enabled values
      run: |
        .github/scripts/helm-check-expected.sh \
        "helm-temp/enable-mysql-tls.yaml" \
        'FLEET_MYSQL_TLS_CA FLEET_MYSQL_TLS_CERT FLEET_MYSQL_TLS_KEY FLEET_MYSQL_TLS_CONFIG FLEET_MYSQL_TLS_SERVER_NAME' \
        'fleet-tls osquery-logs mysql-tls'