Add workload resources, linting, validation, and update management (#5)

* Add workload resources

* Add linting and validation

* Lint fix, rule config

* lint fix

* Add names to workflows

* remove other steps... why is this job not running?

* Remove paths

* narrow by branch not path

* Ignore missing schemas since I can't seem to find the kustomize schema

* move YAML patch into in-line

* Add checkov for IaC security scan

* fix checkov issues

* Remove security component, it's not going to work like we'd expect

* linting

* Checkin checkov config

* lint again

.checkov.yaml

@@ -0,0 +1,9 @@
+---
+download-external-modules: false
+evaluate-variables: true
+framework:
+- kustomize
+- github_actions
+quiet: true
+skip-check:
+- CKV2_K8S_6

.github/renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

.github/workflows/lint.yaml

@@ -0,0 +1,17 @@
+---
+name: Lint
+
+# yamllint disable-line rule:truthy
+on:
+  - pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  yaml-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Lint YAML
+        uses: ibiqlik/action-yamllint@v3.1.1

.github/workflows/validate.yaml

@@ -0,0 +1,34 @@
+---
+name: Validate
+
+# yamllint disable-line rule:truthy
+on:
+  pull_request:
+    branches:
+    - "*"
+  push:
+    branches:
+    - main
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Login to Github Packages
+      run: echo "${{ github.token }}" | docker login https://ghcr.io -u ${GITHUB_ACTOR} --password-stdin
+    - uses: actions/checkout@v3
+    - name: Run Kubeconform
+      uses: docker://ghcr.io/yannh/kubeconform:v0.6.1
+      with:
+        entrypoint: '/kubeconform'
+        args: "-ignore-missing-schemas -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' -summary components resources"
+
+  security:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run Checkov
+      uses: bridgecrewio/checkov-action@v12

.yamllint.yaml

@@ -0,0 +1,11 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 120
+    level: warning
+  truthy: disable
+  indentation:
+    indent-sequences: consistent
+    spaces: 2

resources/external-secret-store/aws/service-account.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:

resources/external-secret/docker-hub/registry-docker-hub.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:

resources/workload/cronjob/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# resources:
+#   - cronjob.yaml

resources/workload/daemonset/daemonset.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: UNDEFINED
+  namespace: UNDEFINED
+  labels:
+    k8s-app: UNDEFINED
+spec:
+  selector:
+    matchLabels:
+      name: UNDEFINED
+  template:
+    metadata:
+      labels:
+        name: UNDEFINED
+    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: UNDEFINED
+        image: UNDEFINED@sha256:abcd1234
+        imagePullPolicy: Always
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 20
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 10001
+          runAsGroup: 10001
+    terminationGracePeriodSeconds: 30

resources/workload/daemonset/kustomization.yaml

@@ -0,0 +1,3 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization

resources/workload/deployment/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml

resources/workload/job/kustomization.yaml

@@ -0,0 +1,3 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization

resources/workload/replicaset/kustomization.yaml

@@ -0,0 +1,3 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization

resources/workload/statefulset/kustomization.yaml

@@ -0,0 +1,3 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization