From 8eb07c63326dae7677b1b2f051b824de873c4162 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Wed, 14 Feb 2024 15:38:17 -0600 Subject: [PATCH 1/3] ci: use kubeconform to check k8s manifests Use kubeconform to validate/check k8s manifests. --- .github/workflows/yamllint.yaml | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml index 61b95865..897b7528 100644 --- a/.github/workflows/yamllint.yaml +++ b/.github/workflows/yamllint.yaml @@ -18,23 +18,19 @@ jobs: steps: - uses: actions/checkout@v4 - uses: azure/setup-kubectl@v3 - - name: kustomize build operators + - uses: azure/setup-helm@v4.0.0 + - uses: bmuschko/setup-kubeconform@v1 + - name: validate kustomize with kubeconform run: | - for operator in $(find operators -maxdepth 1 -mindepth 1 -type d); do - echo "${operator}" - kubectl kustomize --enable-helm "${operator}" > /dev/null - done - echo "apps/operators" - kubectl kustomize apps/operators > /dev/null - - name: kustomize build components - run: | - for component in $(find components -maxdepth 1 -mindepth 1 -type d); do - if [[ "${component}" =~ "secrets" ]]; then - echo "Skipping secrets" - else - echo "${component}" - kubectl kustomize --enable-helm "${component}" > /dev/null - fi + set -o errexit + set -o pipefail + items=$(find bootstrap -maxdepth 2 -name kustomization.yaml -exec dirname {} \;) + items+=($(find operators -maxdepth 2 -name kustomization.yaml -exec dirname {} \;)) + items+=($(find components -maxdepth 2 -name kustomization.yaml -exec dirname {} \;)) + items+=($(find apps -maxdepth 2 -name kustomization.yaml -exec dirname {} \;)) + + for item in ${items}; do + echo "${item}" + kubectl kustomize --enable-helm "${item}" | \ + kubeconform -skip=Secret -strict -ignore-missing-schemas done - echo "apps/components" - kubectl kustomize apps/components > /dev/null From 2275a10ee5e276eca23b3efe18e12414401a6282 Mon Sep 17 00:00:00 2001 
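Review bot: The new loop only ever validates the `bootstrap` tree, because `items=$(find bootstrap …)` creates a scalar and the following `items+=(…)` lines convert it to an array whose element 0 is that whole scalar; `for item in ${items}` expands only element 0, so the operators, components and apps results are silently dropped and the job goes green without kubeconform ever seeing them. Build one array up front and iterate it explicitly, for example `mapfile -t items < <(find bootstrap operators components apps -maxdepth 2 -name kustomization.yaml -exec dirname {} \;)` followed by `for item in "${items[@]}"; do`, which also keeps each path intact instead of relying on unquoted word-splitting. Separately, `azure/setup-helm@v4.0.0` and `bmuschko/setup-kubeconform@v1` are pinned by mutable tag rather than by full commit SHA, so the code that runs in this job can change without a commit here. Note that `-ignore-missing-schemas` lets any resource without a published schema (typically custom resources) pass unchecked, which is worth stating in the step name or a comment so the coverage is not overestimated. The surrounding job definition begins before the hunk.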
From: Doug Goldstein Date: Wed, 14 Feb 2024 15:41:55 -0600 Subject: [PATCH 2/3] fix: exit correct and provide debug for sealed-secrets helper Ensure that the sealed-secrets helper script exits successfully, it would fail if the last chunk didn't contain any data. Provide debugging to stderr about the executed steps when it fails. --- scripts/openstack-helm-sealed-secrets.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/openstack-helm-sealed-secrets.sh b/scripts/openstack-helm-sealed-secrets.sh index e0574255..f85bdbdc 100755 --- a/scripts/openstack-helm-sealed-secrets.sh +++ b/scripts/openstack-helm-sealed-secrets.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x # function to process each YAML file process_yaml() { @@ -37,3 +37,4 @@ done # process the last one [[ -n $yaml_acc ]] && process_yaml "$yaml_acc" +exit 0 From 3e51cbb6fd5e2326306364f75b82ee5a538189d9 Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Wed, 14 Feb 2024 15:43:21 -0600 Subject: [PATCH 3/3] fix: correct the path for keystone The user is expected to execute this from the top-level so fix the paths. --- components/10-keystone/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/components/10-keystone/README.md b/components/10-keystone/README.md index 20c113fc..521991e2 100644 --- a/components/10-keystone/README.md +++ b/components/10-keystone/README.md @@ -21,7 +21,6 @@ git clone https://github.com/openstack/openstack-helm git clone https://github.com/openstack/openstack-helm-infra # update the dependencies cause we can't use real helm references ./scripts/openstack-helm-depend-sync.sh keystone -cd components/10-keystone ``` ## Deploy Keystone 
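Review bot: Putting `-x` in the shebang turns on command tracing for every run of this helper, and the trace prints each command with its expanded arguments, so the `process_yaml "$yaml_acc"` call visible in the next hunk will write the entire accumulated manifest to stderr; for a script whose job is to seal secrets that is presumably the plaintext Secret, and it will end up in terminal scrollback and CI logs. The option is also silently lost whenever the script is run as `bash scripts/openstack-helm-sealed-secrets.sh`, since shebang options apply only to direct execution. Prefer an opt-in: keep `#!/bin/bash` and add `[[ -n ${TRACE:-} ]] && set -x` near the top (`TRACE` is a placeholder name), or at minimum bracket the `process_yaml` call with `set +x` / `set -x` so the manifest body is never traced. The body of `process_yaml` lies outside the hunk.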
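Review bot: The unconditional `exit 0` appended after `[[ -n $yaml_acc ]] && process_yaml "$yaml_acc"` fixes the empty-last-chunk case but also discards a non-zero status from `process_yaml` itself, so a failed seal of the final document now reports success and a caller or CI job cannot tell. The status that needs clearing comes only from the `&&` short-circuit when the test is false; writing the line as `if [[ -n $yaml_acc ]]; then process_yaml "$yaml_acc"; fi` yields status 0 for an empty accumulator while still propagating `process_yaml`'s own failure, with no `exit 0` required. The loop that feeds `yaml_acc` is above the hunk, so whether earlier iterations check their status cannot be seen here.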
@@ -41,7 +40,7 @@ Secrets Reference: helm --namespace openstack template \ keystone \ ./openstack-helm/keystone/ \ - -f aio-values.yaml \ + -f components/10-keystone/aio-values.yaml \ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \