feat: add kubeconform workflow and make kubeconform/kustomize required (

#1159)
onedr0p · Jan 15, 2024 · ea31a49 · ea31a49
1 parent e6fbc6e
commit ea31a49
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 5 deletions.
diff --git a/scripts/kubeconform.sh → .github/scripts/kubeconform.sh b/scripts/kubeconform.sh → .github/scripts/kubeconform.sh
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -114,7 +114,7 @@ jobs:
 
       - name: Run kubeconform
         shell: bash
-        run: ./scripts/kubeconform.sh ./kubernetes
+        run: ./.github/scripts/kubeconform.sh ./kubernetes
 
       - name: List Hosts with Ansible
         if: ${{ steps.config-env.outputs.distribution == 'k3s' || steps.config-env.outputs.distribution == 'k0s' }}

diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml
@@ -0,0 +1,28 @@
+---
+name: "Kubeconform"
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths: ["kubernetes/**"]
+
+env:
+  KUBERNETES_DIR: ./kubernetes
+
+jobs:
+  kubeconform:
+    name: Kubeconform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+
+      - name: Setup Workflow Tools
+        run: brew install fluxcd/tap/flux kubeconform kustomize
+
+      - name: Run kubeconform
+        shell: bash
+        run: ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }}
diff --git a/.taskfiles/Workstation/ArchPackages b/.taskfiles/Workstation/ArchPackages
@@ -13,3 +13,4 @@ kustomize
 moreutils
 sops
 stern-bin
+talhelper-bin
diff --git a/.taskfiles/Workstation/Brewfile b/.taskfiles/Workstation/Brewfile
@@ -15,4 +15,5 @@ brew "kustomize"
 brew "moreutils"
 brew "sops"
 brew "stern"
+brew "talhelper"
 brew "yq"
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -48,11 +48,11 @@ tasks:
     desc: Configure repository from Ansible vars
     prompt: Any conflicting config in the root kubernetes and ansible directories will be overwritten... continue?
     cmds:
-      - task: .validate
+      - task: .pre-validate
       - task: .template
-      - task: sops:encrypt:all
+      - task: .post-validate
 
-  .validate:
+  .pre-validate:
     internal: true
     cmd: ./.venv/bin/ansible-playbook {{.BOOTSTRAP_DIR}}/validate.yaml
     env:
@@ -65,9 +65,17 @@ tasks:
     internal: true
     cmds:
       - ./.venv/bin/makejinja
+      - task: sops:encrypt:all
+      # TODO: https://github.com/mirkolenz/makejinja/issues/94
       - find {{.ANSIBLE_DIR}} {{.KUBERNETES_DIR}} -type d -empty -delete
     preconditions:
       - { msg: "bootstrap addons file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/addons.yaml" }
       - { msg: "bootstrap config file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/config.yaml" }
       - { msg: "makejinja loader file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/scripts/loader.py" }
       - { msg: "makejinja config file not found", sh: "test -f {{.ROOT_DIR}}/makejinja.toml" }
+
+  .post-validate:
+    internal: true
+    cmd: ./.github/scripts/kubeconform.sh {{.KUBERNETES_DIR}}
+    preconditions:
+      - { msg: "kubeconform file not found", sh: "test -f ./.github/scripts/kubeconform.sh" }
diff --git a/bootstrap/tasks/validation/cli.yaml b/bootstrap/tasks/validation/cli.yaml
@@ -2,7 +2,7 @@
 - name: Check if required CLI tools are present
   ansible.builtin.shell: |
     command -v {{ item }} >/dev/null 2>&1
-  loop: [age, cloudflared, flux, sops, jq]
+  loop: ["age", "cloudflared", "flux", "sops", "jq", "kubeconform", "kustomize"]
   changed_when: false
   check_mode: false
   register: result