diff --git a/.travis.yml b/.travis.yml
index 995d765f..c2e2bb27 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,6 +18,7 @@ before_install:
 - export WS_PRODUCTNAME=${WS_PRODUCTNAME}
 - export WS_PROJECTNAME=RemoteResource
 - export WS_WSS_URL=https://ibmets.whitesourcesoftware.com/agent
+ - ./build/download-kubelint.sh
 
 jobs:
 include:
@@ -33,8 +34,6 @@ jobs:
 - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-amd64" .
 - if [ -n "${TRAVIS_TAG}" ]; then docker tag quay.io/razee/remoteresource:${TRAVIS_COMMIT}-amd64 quay.io/razee/remoteresource:${TRAVIS_TAG}-amd64; fi
 - docker images
- - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
-
 
 before_deploy:
 - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io
@@ -64,7 +63,6 @@ jobs:
 - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-ppc64le" .
 - if [ -n "${TRAVIS_TAG}" ]; then docker tag quay.io/razee/remoteresource:${TRAVIS_COMMIT}-ppc64le quay.io/razee/remoteresource:${TRAVIS_TAG}-ppc64le; fi
 - docker images
- - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
 
 before_deploy:
 - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io
@@ -96,7 +94,6 @@ jobs:
 - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-s390x" .
 - if [ -n "${TRAVIS_TAG}" ]; then docker tag quay.io/razee/remoteresource:${TRAVIS_COMMIT}-s390x quay.io/razee/remoteresource:${TRAVIS_TAG}-s390x; fi
 - docker images
- - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
 
 before_deploy:
 - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io
@@ -123,6 +120,7 @@ jobs:
 script:
 - if [[ $TRAVIS_TAG =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi
 - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
+ - kubelint /tmp/resource.yaml
 - export DOCKER_CLI_EXPERIMENTAL=enabled
 - sudo chown -R $USER:$USER /etc/docker/
 - |
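Review bot: The name `download-kubelint.sh` suggests the binary is fetched in this `before_install` step, but the script only writes a `kubelint` wrapper into `${HOME}/bin`; the actual curl of kube-linter happens on the first `kubelint` call, which in this file is the final job's `script` phase. A GitHub outage or a 404 therefore surfaces as a failing lint step rather than an install failure, and the three image-build jobs run the installer without ever using what it installs. A one-line comment above the new entry would keep the next maintainer from looking for the download in the wrong phase: `# installs ${HOME}/bin/kubelint; kube-linter itself is fetched on first use`. The enclosing `before_install` list begins outside the hunk.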
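Review bot: `kubelint /tmp/resource.yaml` relies on the wrapper's defaults, so the kube-linter release used is whatever `latest` resolves to at build time and the config is `kubelint-config.yaml` relative to the current directory; the lint verdict can therefore change between two builds of the same commit without any change to the repository. Pass both explicitly, e.g. `kubelint /tmp/resource.yaml kubelint-config.yaml "${KUBELINT_VERSION}"` with `KUBELINT_VERSION` exported next to the other `before_install` exports, so a kube-linter upgrade becomes a reviewed change — note that the wrapper builds `releases/${KUBELINT_VERSION}/download/...`, which GitHub only serves for `latest` (tagged assets live under `releases/download/<tag>/...`), so that URL needs adjusting before a pin works. The step also assumes `${HOME}/bin` is already on `PATH` when `script` runs; if it is not on this image, the call fails with command-not-found rather than a lint result, so an `export PATH="${HOME}/bin:${PATH}"` beside the install step makes the dependency explicit. The enclosing job definition starts outside the hunk.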
diff --git a/build/download-kubelint.sh b/build/download-kubelint.sh
new file mode 100755
index 00000000..680e8de1
--- /dev/null
+++ b/build/download-kubelint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+kubelint() {
+ DEPLOYMENT_DIR="${1}"
+ KUBELINT_CONFIG="${2}"
+ KUBELINT_VERSION="${3}"
+ if [[ -z "${DEPLOYMENT_DIR}" ]]; then
+ echo "usage: 'kubelint DEPLOYMENT_DIR KUBELINT_CONFIG KUBELINT_VERSION'"
+ exit 1
+ fi
+ [[ -z "${KUBELINT_VERSION}" ]] && KUBELINT_VERSION=latest
+ [[ -z "${KUBELINT_CONFIG}" ]] && KUBELINT_CONFIG=kubelint-config.yaml
+ mkdir -p "${HOME}/bin"
+ curl -sL -o "${HOME}/bin/kube-linter" "https://github.com/stackrox/kube-linter/releases/${KUBELINT_VERSION}/download/kube-linter-linux"
+ chmod +x "${HOME}/bin/kube-linter"
+ if [[ "$FAIL_ON_INVALID_RESOURCE" = "false" ]]; then
+ kube-linter lint -v --fail-if-no-objects-found "${DEPLOYMENT_DIR}" --config "${KUBELINT_CONFIG}"
+ else
+ kube-linter lint -v --fail-on-invalid-resource --fail-if-no-objects-found "${DEPLOYMENT_DIR}" --config "${KUBELINT_CONFIG}"
+ fi
+}
+mkdir -p "${HOME}/bin"
+echo -e "#!/bin/bash\n$(declare -f kubelint)\nkubelint \"\$@\"" > "${HOME}/bin/kubelint"
+chmod +x "${HOME}/bin/kubelint"
diff --git a/kubelint-config.yaml b/kubelint-config.yaml
new file mode 100644
index 00000000..d939c074
--- /dev/null
+++ b/kubelint-config.yaml
@@ -0,0 +1,17 @@
+---
+checks:
+ exclude:
+ - "no-read-only-root-fs" # impacts AT event writing
+ - "unset-cpu-requirements" # cpu limits are bad https://home.robusta.dev/blog/stop-using-cpu-limits
+ - "mismatching-selector" # selectors are immutable
+ - "non-existent-service-account" # razeedeploy-sa created in razeedeploy-delta
+customChecks:
+ - name: ensure-environment-variables-populated
+ template: env-var
+ params:
+ name: "."
+ value: \$.* #ensures no environment variable values in the deployment start with a $
+ remediation: Ensure all of your environment variables are correctly substituted with envstub
+ scope:
+ objectKinds:
+ - DeploymentLike
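Review bot: The `curl -sL` on the download line pulls an executable from the network at an unpinned `latest` release, silently, with no `-f`/`--fail` and no integrity check, then `chmod +x`es and runs whatever arrived — a 404 or HTML error page becomes a broken binary whose failure is reported as a lint error, and a compromised or merely newer release changes the CI verdict with no change to this repository. The URL shape is also only valid for `latest`: GitHub serves tagged assets at `releases/download/<tag>/<asset>`, so the `KUBELINT_VERSION` parameter cannot actually be used to pin a version as written. Below is a download that builds the right URL for either case, fails fast on HTTP errors, and verifies a SHA-256 when one is supplied through `KUBELINT_SHA256` (optional so `latest` still works; set it whenever a tag is pinned). The function also invokes `kube-linter` by bare name and so depends on `${HOME}/bin` being on `PATH`; calling `"${HOME}/bin/kube-linter"` directly removes that assumption, and the snippet deliberately contains no backslashes because the wrapper body passes through `echo -e`.
```shell
  # … unchanged: argument parsing, defaults and mkdir …
  if [[ "${KUBELINT_VERSION}" == "latest" ]]; then
    url="https://github.com/stackrox/kube-linter/releases/latest/download/kube-linter-linux"
  else
    url="https://github.com/stackrox/kube-linter/releases/download/${KUBELINT_VERSION}/kube-linter-linux"
  fi
  curl -fsSL --retry 3 -o "${HOME}/bin/kube-linter" "${url}" || { echo "kube-linter download failed: ${url}" >&2; exit 1; }
  if [[ -n "${KUBELINT_SHA256}" ]]; then
    echo "${KUBELINT_SHA256}  ${HOME}/bin/kube-linter" | sha256sum -c - >/dev/null || { echo "kube-linter checksum mismatch" >&2; exit 1; }
  fi
  chmod +x "${HOME}/bin/kube-linter"
  # … unchanged: kube-linter lint invocation …
```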
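Review bot: The custom check's `value: \$.*` is an unanchored pattern, so unless kube-linter anchors it internally it flags any environment variable whose value merely contains a `$`, not only those that start with one as the trailing comment claims — a legitimate value with `$VAR` in the middle of a shell snippet would fail the lint. Anchoring and quoting makes the intent explicit and keeps the backslash out of YAML plain-scalar territory: `value: '^\$'` (the `.*` adds nothing to a match test), and two spaces before the `#` plus a space after it satisfies yamllint's `comments` rule on that line. Separately, the `unset-cpu-requirements` exclusion is justified by the limits argument, but that check covers requests as well; if the underlying template accepts a `requirementsType` parameter as its documentation suggests, a custom check demanding only requests would keep the scheduling signal — worth confirming against the installed kube-linter's template list before relying on it.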