From ea31a4981704ed3b5051a8f1602e464c312735f7 Mon Sep 17 00:00:00 2001
From: Devin Buhl
Date: Mon, 15 Jan 2024 09:42:50 -0500
Subject: [PATCH] feat: add kubeconform workflow and make kubeconform/kustomize required (#1159)

---
 {scripts => .github/scripts}/kubeconform.sh | 0
 .github/workflows/e2e.yaml | 2 +-
 .github/workflows/kubeconform.yaml | 28 +++++++++++++++++++++
 .taskfiles/Workstation/ArchPackages | 1 +
 .taskfiles/Workstation/Brewfile | 1 +
 Taskfile.yaml | 14 ++++++++---
 bootstrap/tasks/validation/cli.yaml | 2 +-
 7 files changed, 43 insertions(+), 5 deletions(-)
 rename {scripts => .github/scripts}/kubeconform.sh (100%)
 create mode 100644 .github/workflows/kubeconform.yaml

diff --git a/scripts/kubeconform.sh b/.github/scripts/kubeconform.sh
similarity index 100%
rename from scripts/kubeconform.sh
rename to .github/scripts/kubeconform.sh
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index e8bd93cbc6f..18f4176fd82 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -114,7 +114,7 @@ jobs:
 
 - name: Run kubeconform
 shell: bash
- run: ./scripts/kubeconform.sh ./kubernetes
+ run: ./.github/scripts/kubeconform.sh ./kubernetes
 
 - name: List Hosts with Ansible
 if: ${{ steps.config-env.outputs.distribution == 'k3s' || steps.config-env.outputs.distribution == 'k0s' }}
diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml
new file mode 100644
index 00000000000..ad5e6613511
--- /dev/null
+++ b/.github/workflows/kubeconform.yaml
@@ -0,0 +1,28 @@
+---
+name: "Kubeconform"
+
+on:
+ pull_request:
+ branches: ["main"]
+ paths: ["kubernetes/**"]
+
+env:
+ KUBERNETES_DIR: ./kubernetes
+
+jobs:
+ kubeconform:
+ name: Kubeconform
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Homebrew
+ uses: Homebrew/actions/setup-homebrew@master
+
+ - name: Setup Workflow Tools
+ run: brew install fluxcd/tap/flux kubeconform kustomize
+
+ - name: Run kubeconform
+ shell: bash
+ run: ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }}
diff --git a/.taskfiles/Workstation/ArchPackages b/.taskfiles/Workstation/ArchPackages
index b15f79ff85c..427222415e6 100644
--- a/.taskfiles/Workstation/ArchPackages
+++ b/.taskfiles/Workstation/ArchPackages
@@ -13,3 +13,4 @@ kustomize
 moreutils
 sops
 stern-bin
+talhelper-bin
diff --git a/.taskfiles/Workstation/Brewfile b/.taskfiles/Workstation/Brewfile
index 8e037a46975..5d696965d5f 100644
--- a/.taskfiles/Workstation/Brewfile
+++ b/.taskfiles/Workstation/Brewfile
@@ -15,4 +15,5 @@ brew "kustomize"
 brew "moreutils"
 brew "sops"
 brew "stern"
+brew "talhelper"
 brew "yq"
diff --git a/Taskfile.yaml b/Taskfile.yaml
index 8b13e1d3a81..6ea1609e416 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -48,11 +48,11 @@ tasks:
 desc: Configure repository from Ansible vars
 prompt: Any conflicting config in the root kubernetes and ansible directories will be overwritten... continue?
 cmds:
- - task: .validate
+ - task: .pre-validate
 - task: .template
- - task: sops:encrypt:all
+ - task: .post-validate
 
- .validate:
+ .pre-validate:
 internal: true
 cmd: ./.venv/bin/ansible-playbook {{.BOOTSTRAP_DIR}}/validate.yaml
 env:
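Review bot: The new workflow executes a third-party action from a mutable branch ref, `uses: Homebrew/actions/setup-homebrew@master`, so whatever that branch points to on the day of the run is what executes in the job; pin it to a full commit SHA and keep the human-readable ref in a trailing comment, e.g. `uses: Homebrew/actions/setup-homebrew@<full-commit-sha>  # <tag-or-date>` (placeholder values). The workflow also declares no `permissions:` block, so the job token receives the repository default; the job only reads the checkout, so `permissions:` / `  contents: read` at the top level of the file is the least-privilege setting. `brew install fluxcd/tap/flux kubeconform kustomize` installs whatever is current in the tap, so a validation result can change between two runs with no change to the manifests; that may be acceptable for a lint job, but it deserves a comment, or a pinned formula version if reproducibility matters.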
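Review bot: `talhelper-bin` is added here (and `talhelper` in the Brewfile hunk) although the commit title only mentions kubeconform and kustomize, and neither the new workflow nor the required-tools list in bootstrap/tasks/validation/cli.yaml references it. If talhelper is a prerequisite of some task, it should also go into that `loop:` so `.pre-validate` catches its absence; if it is not, the two lines belong in a separate commit. Either way a sentence in the commit description would save the next reader the question.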
@@ -65,9 +65,17 @@ tasks:
 internal: true
 cmds:
 - ./.venv/bin/makejinja
+ - task: sops:encrypt:all
+ # TODO: https://github.com/mirkolenz/makejinja/issues/94
 - find {{.ANSIBLE_DIR}} {{.KUBERNETES_DIR}} -type d -empty -delete
 preconditions:
 - { msg: "bootstrap addons file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/addons.yaml" }
 - { msg: "bootstrap config file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/vars/config.yaml" }
 - { msg: "makejinja loader file not found", sh: "test -f {{.BOOTSTRAP_DIR}}/scripts/loader.py" }
 - { msg: "makejinja config file not found", sh: "test -f {{.ROOT_DIR}}/makejinja.toml" }
+
+ .post-validate:
+ internal: true
+ cmd: ./.github/scripts/kubeconform.sh {{.KUBERNETES_DIR}}
+ preconditions:
+ - { msg: "kubeconform file not found", sh: "test -f ./.github/scripts/kubeconform.sh" }
diff --git a/bootstrap/tasks/validation/cli.yaml b/bootstrap/tasks/validation/cli.yaml
index a1e53295621..46dbdb56123 100644
--- a/bootstrap/tasks/validation/cli.yaml
+++ b/bootstrap/tasks/validation/cli.yaml
@@ -2,7 +2,7 @@
 - name: Check if required CLI tools are present
 ansible.builtin.shell: |
 command -v {{ item }} >/dev/null 2>&1
- loop: [age, cloudflared, flux, sops, jq]
+ loop: ["age", "cloudflared", "flux", "sops", "jq", "kubeconform", "kustomize"]
 changed_when: false
 check_mode: false
 register: result
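Review bot: `.post-validate` runs kubeconform only after `.template` has already executed `sops:encrypt:all`, so the schema check sees the encrypted Secret manifests rather than the rendered plaintext; if kubeconform.sh passes `-strict`, the top-level `sops:` block that SOPS adds is not part of the Secret schema and would be reported. I cannot see the script's flags from this diff, and the existing e2e run against the committed tree suggests it already copes, so please confirm rather than assume. The `cmd:` and its precondition hardcode `./.github/scripts/kubeconform.sh` while the neighbouring preconditions resolve paths through `{{.ROOT_DIR}}` and `{{.BOOTSTRAP_DIR}}`; `cmd: {{.ROOT_DIR}}/.github/scripts/kubeconform.sh {{.KUBERNETES_DIR}}` keeps the file consistent. The added `# TODO` names an upstream issue but not the workaround it refers to; presumably it is the `find ... -empty -delete` line below it, which a comment such as `# TODO: drop the empty-dir cleanup below once mirkolenz/makejinja#94 is fixed` would make explicit.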
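Review bot: `command -v {{ item }}` interpolates each loop item into a shell line, which is safe only while the list stays a literal as it is here; a comment on the loop, `# keep this list literal: items are interpolated into a shell command`, records that constraint for whoever is later tempted to source it from vars. Quoting the items is the right change since `no`/`on`-style names would otherwise be retyped. The task continues past the hunk (`register: result` is the last visible line), so how a missing tool is reported is not visible here.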