name: pr-helm on: pull_request: paths: - 'charts/**' - '.github/workflows/pr-helm.yaml' - '.github/scripts/helm-check-expected.sh' - 'tools/ci/helm-values/**' # This allows a subsequently queued workflow run to interrupt previous runs concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} cancel-in-progress: true defaults: run: # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference shell: bash permissions: contents: read jobs: sanity-check: strategy: matrix: kube-version: [1.16.0, 1.17.0, 1.18.0] # kubeval is currently lagging behind the active schema versions, so these are the ones we can test against. see https://github.com/instrumenta/kubernetes-json-schema/issues/26 runs-on: ubuntu-20.04 steps: - name: checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: create temp dir run: mkdir -p helm-temp - name: helm template -- default values run: | helm template \ --namespace fleet \ --release-name fleet \ --values charts/fleet/values.yaml \ charts/fleet \ > helm-temp/output-defaults.yaml - name: helm template -- other configurations run: | VALUES_FILES=$(find tools/ci/helm-values -type f) for FILE_PATH in ${VALUES_FILES}; do FILE=$(echo ${FILE_PATH} | rev | cut -d"/" -f1 | rev) REL_NAME=$(echo ${FILE} | cut -d"." -f1) helm template \ --namespace ${REL_NAME} \ --release-name ${REL_NAME} \ --values ${FILE_PATH} \ charts/fleet \ > helm-temp/${FILE} done - name: kubeval sanity check uses: instrumenta/kubeval-action@5915e4adba5adccac07cb156b82e54c3fed74921 # master with: files: helm-temp version: ${{ matrix.kube-version }} - name: install yq env: YQ_VERSION: 4.4.1 run: | curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/yq_linux_amd64 curl -LO https://github.com/mikefarah/yq/releases/download/v$YQ_VERSION/checksums echo "$(grep linux_amd64 checksums | awk '{print $19}') yq_linux_amd64" > sha256 sha256sum --check sha256 chmod +x yq_linux_amd64 mkdir -p ${HOME}/.bin mv yq_linux_amd64 ${HOME}/.bin/yq echo PATH=${PATH}:${HOME}/.bin >> $GITHUB_ENV - name: check default values run: | .github/scripts/helm-check-expected.sh \ "helm-temp/output-defaults.yaml" \ 'FLEET_FILESYSTEM_STATUS_LOG_FILE FLEET_FILESYSTEM_RESULT_LOG_FILE FLEET_FILESYSTEM_ENABLE_LOG_ROTATION FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION' \ 'fleet-tls osquery-logs' - name: check pubsub values run: | .github/scripts/helm-check-expected.sh \ "helm-temp/logger-pubsub.yaml" \ 'FLEET_PUBSUB_PROJECT FLEET_PUBSUB_STATUS_TOPIC FLEET_PUBSUB_RESULT_TOPIC' \ 'fleet-tls' - name: check firehose accesskey values run: | .github/scripts/helm-check-expected.sh \ "helm-temp/logger-firehose-accesssid.yaml" \ 'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_ACCESS_KEY_ID FLEET_FIREHOSE_SECRET_ACCESS_KEY' \ 'fleet-tls' - name: check firehose sts values run: | .github/scripts/helm-check-expected.sh \ "helm-temp/logger-firehose-sts.yaml" \ 'FLEET_FIREHOSE_REGION FLEET_FIREHOSE_STATUS_STREAM FLEET_FIREHOSE_RESULT_STREAM FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN' \ 'fleet-tls' - name: check mysql tls enabled values run: | .github/scripts/helm-check-expected.sh \ "helm-temp/enable-mysql-tls.yaml" \ 'FLEET_MYSQL_TLS_CA FLEET_MYSQL_TLS_CERT FLEET_MYSQL_TLS_KEY FLEET_MYSQL_TLS_CONFIG FLEET_MYSQL_TLS_SERVER_NAME' \ 'fleet-tls osquery-logs mysql-tls'