#!/usr/bin/env bash
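#######################################
# Entry point: validates the workload declarations of every cluster folder.
# Globals:   none written; reads the ./clusters tree via find_cluster_folders
# Arguments: none (positional parameters are ignored)
# Outputs:   the list of cluster folders and per-cluster progress on stdout
# Returns:   only on full success; every failure exits via exit_with_message
#######################################
main() {
  local -a clusters=()
  local cluster temporary_file_path

  # readarray consumes the NUL-separated list; the explicit wait on the
  # process substitution reports a failing find, which readarray alone
  # would not.
  { readarray -d '' clusters < <(find_cluster_folders) && wait "$!"; } \
    || exit_with_message 'Error during search for cluster folders.'

  # Fail closed: with zero clusters the loop below never runs and the script
  # would end as if everything had been validated.
  (( ${#clusters[@]} > 0 )) \
    || exit_with_message 'Error: no cluster folders found below ./clusters.' 1

  printf '%s\n' "${clusters[@]}"

  temporary_file_path="$(create_temporary_file)" \
    || exit_with_message $'\nCould not create temporary file for generated workloads.'
  set_up_deletion_upon_exit "$temporary_file_path"

  for cluster in "${clusters[@]}"; do
    validate_workload_declarations_for "$cluster" "$temporary_file_path"
  done
}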
#######################################
# Lists the cluster folders to validate: every directory exactly two levels
# below ./clusters, skipping folders named "bases".
# Outputs:   NUL-separated paths on stdout (consumed by readarray -d '')
# Returns:   exit status of find
#######################################
find_cluster_folders() {
  local -r root='./clusters'
  find "$root" \
    -mindepth 2 -maxdepth 2 \
    -type d \
    ! -name 'bases' \
    -print0
}
#######################################
# Creates an empty, uniquely named scratch file in the current directory; it
# receives the generated workloads of one cluster at a time.
# Outputs:   the path of the new file (./generated_workloads.<random>) on stdout
# Returns:   exit status of mktemp
#######################################
create_temporary_file() {
  local -r directory='.'
  local -r name_template='generated_workloads.XXXXXXXXXX'
  mktemp --tmpdir="$directory" "$name_template"
}
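#######################################
# Registers removal of the given file for when the script ends, whether it
# finishes normally, calls exit, or is interrupted by a signal.
# Arguments: $1 - path of the file to delete
# Returns:   0
#######################################
set_up_deletion_upon_exit() {
  local file_path="$1"
  local quoted_path
  # The path has to be baked into the trap string now (the local is gone by
  # the time the trap fires); %q shell-escapes it so a quote or space in the
  # path cannot break out of the rm command line.
  printf -v quoted_path '%q' "$file_path"
  # shellcheck disable=SC2064
  trap "rm --force -- $quoted_path" EXIT
  # Turn the signals into a normal exit: the EXIT trap above then does the
  # cleanup, and the script stops instead of continuing past the interrupted
  # command with its scratch file already gone.
  trap 'exit 1' SIGHUP SIGINT SIGQUIT SIGTERM
}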
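#######################################
# Runs the validation pipeline for one cluster: builds its workloads with
# kustomize, checks them with kubeval and conftest, and finally looks for
# leftover "<patched>" markers. Aborts the whole script on the first failure.
# Arguments: $1 - cluster folder (relative to the repository root)
#            $2 - path of the scratch file that receives the generated workloads
# Outputs:   progress and PASS lines on stdout
# Returns:   0 when every step passed; otherwise exits via exit_with_message
#######################################
validate_workload_declarations_for() {
  local cluster="$1"
  local workloads_file_path="$2"
  # Both values are spliced into a string that the container executes with
  # `sh -c`, so admit only plain path characters. The cluster name comes from
  # a directory listing, i.e. from repository content, not from this script.
  local -r safe_path_pattern='^[A-Za-z0-9._/-]+$'
  [[ "$cluster" =~ $safe_path_pattern ]] \
    || exit_with_message "$(red "❌ Error: refusing cluster path with unsafe characters: ${cluster}")" 1
  [[ "$workloads_file_path" =~ $safe_path_pattern ]] \
    || exit_with_message "$(red "❌ Error: refusing workloads path with unsafe characters: ${workloads_file_path}")" 1

  printf '%s\n' '====================' "check ${cluster}" '===================='

  printf '\n%s\n' '... kustomize'
  run_in_container "kustomize build ./${cluster}" > "$workloads_file_path" \
    || exit_with_message "$(red '❌ Error while generating workloads')"
  printf '%s\n' "$(green '✔️PASS') - Workloads generated."

  printf '\n%s\n' '... kubeval'
  run_in_container "kubeval --ignore-missing-schemas --exit-on-error < ${workloads_file_path}" \
    || exit_with_message "$(red '❌ Error while validating k8s schemas')"
  printf '%s\n' "$(green '✔️PASS') - K8s schemas validated."

  printf '\n%s\n' '... conftest'
  run_in_container "conftest test ${workloads_file_path}" \
    || exit_with_message "$(red '❌ Error while validating policies')"
  printf '%s\n' "$(green '✔️PASS') - Policies validated."

  printf '\n%s\n' '... search for unpatched values'
  # patch_markers_left answers "markers present" with status 0, so the exit
  # status for exit_with_message has to be given explicitly here.
  if patch_markers_left "$workloads_file_path"; then
    exit_with_message "$(red '❌ Error: Found missing patches')" 1
  fi
  printf '%s\n' "$(green '✔️PASS') - No unpatched values found."
}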
#######################################
# Runs one shell command inside the kubeval-tools container with the current
# directory mounted as /workdir.
# Arguments: $1 - command line, passed verbatim to `/bin/sh -c` in the container
# Outputs:   whatever the command writes to stdout/stderr
# Returns:   exit status of docker run (i.e. of the command)
#######################################
run_in_container() {
  local command="$1"
  # NOTE(review): the image reference carries no tag or digest, so each run
  # uses whatever the registry currently serves as "latest"; pinning it to a
  # digest would make the validation reproducible and tamper-evident.
  local -r image='deck15/kubeval-tools'
  # NOTE(review): --tty allocates a pseudo-terminal even when stdout is
  # redirected to a file (the kustomize step) and needs a terminal on stdin;
  # confirm the captured output has no carriage returns and that CI runs
  # provide a TTY.
  local -a docker_args=(
    run
    --interactive --tty --rm
    --volume "$(pwd)":/workdir
    --workdir /workdir
    "$image"
    /bin/sh -c "$command"
  )
  docker "${docker_args[@]}"
}
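#######################################
# Prints an error message and terminates the script.
# Arguments: $1 - message to print
#            $2 - exit status (optional; defaults to the status of the command
#                 that ran right before this call, typically the one that
#                 failed on the left of `||`)
# Outputs:   the message and "Aborting execution." on stderr
# Returns:   never returns; exits with a non-zero status — a status of 0,
#            whether inherited or given, becomes 1 so an abort can never look
#            like success to the caller
#######################################
exit_with_message() {
  # Must stay the first command: $? still holds the caller's failure status.
  local exit_status="${2:-$?}"
  local message="$1"
  if ! [[ "$exit_status" =~ ^[0-9]+$ ]] || (( exit_status == 0 )); then
    exit_status=1
  fi
  printf '%s\n' "$message" 'Aborting execution.' >&2
  exit "$exit_status"
}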
#######################################
# Wraps text in bold red ANSI colour codes.
# Arguments: $1 - text to colour
# Outputs:   the coloured text, without trailing newline, on stdout
# Returns:   the exit status that was current when the function was called,
#            so `$(red …)` used as an argument leaves $? intact for
#            exit_with_message
#######################################
red() {
  local -r saved_status=$?   # first statement on purpose: capture caller's $?
  local -r colour_on=$'\e[31;1m'
  local -r colour_off=$'\e[0m'
  printf '%s%s%s' "$colour_on" "$1" "$colour_off"
  return "$saved_status"
}
#######################################
# Wraps text in bold green ANSI colour codes.
# Arguments: $1 - text to colour
# Outputs:   the coloured text, without trailing newline, on stdout
# Returns:   the exit status that was current when the function was called,
#            so `$(green …)` used as an argument leaves $? intact
#######################################
green() {
  local -r saved_status=$?   # first statement on purpose: capture caller's $?
  local -r colour_on=$'\e[32;1m'
  local -r colour_off=$'\e[0m'
  printf '%s%s%s' "$colour_on" "$1" "$colour_off"
  return "$saved_status"
}
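#######################################
# Reports whether the generated workloads still contain the literal marker
# "<patched>", i.e. a value a kustomize patch was expected to replace.
# Arguments: $1 - path of the generated workloads file
# Returns:   0 when at least one marker is present (the caller treats this as
#            a failure), 1 when none is, and 0 plus a diagnostic on stderr
#            when the file cannot be searched — a check that could not run
#            must not count as a pass
#######################################
patch_markers_left() {
  local workloads_file_path="$1"
  local grep_status=0
  # -F: the marker is a literal string, not a regex; -q: only the status matters.
  grep --quiet --fixed-strings -- '<patched>' "$workloads_file_path" || grep_status=$?
  if (( grep_status > 1 )); then
    printf 'Could not search %s for patch markers.\n' "$workloads_file_path" >&2
    return 0
  fi
  return "$grep_status"
}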
# Everything above is definitions only; the script starts here.
main "$@"