From a56f2621f6a71f1241d02d0ebc9c1234c8061dd6 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 9 Jul 2023 14:11:11 +0200
Subject: [PATCH] feat: add fairwinds polaris (#57)

Reviewed-on: https://gitea.rknet.org/docker/kube-tools/pulls/57
---
 Dockerfile | 10 +++++++-
 overlay/usr/local/bin/flux-audit | 39 +++++++++++++++++++++++++++++
 overlay/usr/local/bin/flux-validate | 2 +-
 3 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100755 overlay/usr/local/bin/flux-audit

diff --git a/Dockerfile b/Dockerfile
index 702d380..14a8d9d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ ARG YQ_VERSION
 ARG HELM_VERSION
 ARG KUSTOMIZE_VERSION
 ARG KUBECONFORM_VERSION
+ARG POLARIS_VERSION
 
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
 ENV KUBECTL_VERSION="${KUBECTL_VERSION:-v1.27.3}"
@@ -23,8 +24,13 @@ ENV HELM_VERSION="${HELM_VERSION:-v3.12.1}"
 ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 # renovate: datasource=github-releases depName=yannh/kubeconform
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
+# renovate: datasource=github-releases depName=FairwindsOps/polaris
+ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
+# renovate: datasource=pypi depName=flux-local
+ENV FLUX_LOCAL_VERSION="${FLUX_LOCAL_VERSION:-3.0.0}"
 
-RUN apk --update add curl tar bash python3 py3-yaml && \
+RUN apk --update add curl tar bash python3 py3-yaml py3-pip findutils git && \
+ pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION" && \
 curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
 curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl-convert" && \
 curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" && \
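Review bot: FLUX_LOCAL_VERSION gets an ENV default in the second hunk but, unlike POLARIS_VERSION in the first hunk, never gets an `ARG FLUX_LOCAL_VERSION` declaration, so `--build-arg FLUX_LOCAL_VERSION=...` is silently ignored and the renovate-managed default is the only value a build can use. Add `ARG FLUX_LOCAL_VERSION` next to the new `ARG POLARIS_VERSION` line so both new tools are overridable the same way. A smaller supply-chain point on the new `pip install` line: `flux-local=="$FLUX_LOCAL_VERSION"` pins only the top-level package, its transitive dependencies are still resolved at build time, so two builds of the same tag can differ; if reproducibility matters here, a comment stating that this is accepted, or a requirements file with hashes, would make the choice explicit. The RUN instruction continues past the end of this hunk.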
@@ -34,6 +40,8 @@ RUN apk --update add curl tar bash python3 py3-yaml && \
 | tar xz -C /usr/local/bin kustomize && \
 curl -SsfL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \
 | tar xz -C /usr/local/bin kubeconform && \
+ curl -SsfL "https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz" \
+ | tar xz -C /usr/local/bin polaris && \
 chmod 755 /usr/local/bin/kubectl && \
 chmod 755 /usr/local/bin/kubectl-convert && \
 chmod 755 /usr/local/bin/yq && \
diff --git a/overlay/usr/local/bin/flux-audit b/overlay/usr/local/bin/flux-audit
new file mode 100755
index 0000000..dc6975f
--- /dev/null
+++ b/overlay/usr/local/bin/flux-audit
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+FLUX_PATH="${1:-.}"
+
+if [ -z "$POLARIS_CONFIG" ]; then
+ POLARIS_CONFIG=(
+ "--format=pretty"
+ "--set-exit-code-on-danger"
+ "--set-exit-code-below-score=80"
+ "--only-show-failed-tests=true"
+ "--audit-path=-"
+ )
+else
+ # shellcheck disable=SC2128
+ IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
+fi
+
+if [ -z "$FLUX_LOCAL_CONFIG" ]; then
+ FLUX_LOCAL_CONFIG=(
+ "--enable-helm"
+ "--skip-secrets"
+ "--skip-crds"
+ )
+else
+ # shellcheck disable=SC2128
+ IFS=' ' read -r -a FLUX_LOCAL_CONFIG <<<"$FLUX_LOCAL_CONFIG"
+fi
+
+printf "\nINFO - Auditing clusters\n"
+find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d -print0 | while IFS= read -r -d $'\0' cluster; do
+ printf "INFO - Auditing cluster %s\n" "${cluster##*/}"
+ flux-local build "${FLUX_LOCAL_CONFIG[@]}" "${cluster}" |
+ polaris audit "${POLARIS_CONFIG[@]}"
+ echo
+ if [[ ${PIPESTATUS[0]} != 0 ]]; then
+ exit 1
+ fi
+done
diff --git a/overlay/usr/local/bin/flux-validate b/overlay/usr/local/bin/flux-validate
index 4062d9b..9dbface 100755
--- a/overlay/usr/local/bin/flux-validate
+++ b/overlay/usr/local/bin/flux-validate
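Review bot: The new polaris tarball is piped straight from `curl` into `tar` with no integrity check, so the image ships whatever the release URL serves at build time; pinning POLARIS_VERSION fixes which asset is requested, not what arrives. The kustomize and kubeconform fetches above it have the same gap, so a shared fix is preferable: download to a file, verify it against a pinned digest (`echo "<PINNED_SHA256>  polaris.tar.gz" | sha256sum -c -`) or against a checksum file published with the release if the project provides one, then extract. Note also that the pipeline runs under the default `/bin/sh -c` without pipefail, so a failed download is only caught because tar fails on truncated input, not because curl's exit status is observed. The enclosing RUN instruction starts and ends outside this hunk.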
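Review bot: The `${PIPESTATUS[0]}` check at the end of the loop body never sees flux-local's exit status: the `echo` on the line before it resets PIPESTATUS, and with `set -eo pipefail` at the top a failing `flux-local build | polaris audit` pipeline already aborts the subshell before the `if` runs, so the check is dead code. Either drop the four lines and rely on `set -eo pipefail`, or capture the status on the line directly after the pipeline, `rc=("${PIPESTATUS[@]}")`, and test `"${rc[0]}"` there, which also requires the pipeline not to trip errexit. Separately, POLARIS_CONFIG is split with `IFS=', '` while FLUX_LOCAL_CONFIG in this file and the KUBECONFORM_CONFIG change in flux-validate below use `IFS=' '`; a polaris flag whose value is a comma-separated list would be broken apart, so `IFS=' '` should be used here too. A comment above each `read` stating the contract, `# space-separated flags, passed through verbatim`, would make the expected format explicit.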
@@ -46,7 +46,7 @@ if [ -z "$KUBECONFORM_CONFIG" ]; then
 )
 else
 # shellcheck disable=SC2128
- IFS=', ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
+ IFS=' ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
 fi
 
 printf "\nINFO - Validating clusters\n"
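Review bot: Dropping the comma from IFS is a user-visible change: a KUBECONFORM_CONFIG value like `-strict,-summary` that split into two flags before now arrives at kubeconform as one unknown flag, and neither the commit message nor the script says so. A one-line comment above the `read`, `# KUBECONFORM_CONFIG: space-separated kubeconform flags, passed through unchanged`, would document the new format where users will look for it. The enclosing if/else begins above this hunk.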