feat: add fairwinds polaris (#57)

Reviewed-on: docker/kube-tools#57

Dockerfile

@@ -12,6 +12,7 @@ ARG YQ_VERSION
 ARG HELM_VERSION
 ARG KUSTOMIZE_VERSION
 ARG KUBECONFORM_VERSION
+ARG POLARIS_VERSION
 
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
 ENV KUBECTL_VERSION="${KUBECTL_VERSION:-v1.27.3}"
@@ -23,8 +24,13 @@ ENV HELM_VERSION="${HELM_VERSION:-v3.12.1}"
 ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 # renovate: datasource=github-releases depName=yannh/kubeconform
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
+# renovate: datasource=github-releases depName=FairwindsOps/polaris
+ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
+# renovate: datasource=pypi depName=flux-local
+ENV FLUX_LOCAL_VERSION="${FLUX_LOCAL_VERSION:-3.0.0}"
 
-RUN apk --update add curl tar bash python3 py3-yaml && \
+RUN apk --update add curl tar bash python3 py3-yaml py3-pip findutils git && \
+    pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION" && \
     curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
     curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl-convert" && \
     curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" && \
@@ -34,6 +40,8 @@ RUN apk --update add curl tar bash python3 py3-yaml && \
         | tar xz -C /usr/local/bin kustomize && \
     curl -SsfL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \
         | tar xz -C /usr/local/bin kubeconform && \
+    curl -SsfL "https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz" \
+        | tar xz -C /usr/local/bin polaris && \
     chmod 755 /usr/local/bin/kubectl && \
     chmod 755 /usr/local/bin/kubectl-convert && \
     chmod 755 /usr/local/bin/yq && \

overlay/usr/local/bin/flux-audit

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+FLUX_PATH="${1:-.}"
+
+if [ -z "$POLARIS_CONFIG" ]; then
+    POLARIS_CONFIG=(
+        "--format=pretty"
+        "--set-exit-code-on-danger"
+        "--set-exit-code-below-score=80"
+        "--only-show-failed-tests=true"
+        "--audit-path=-"
+    )
+else
+    # shellcheck disable=SC2128
+    IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
+fi
+
+if [ -z "$FLUX_LOCAL_CONFIG" ]; then
+    FLUX_LOCAL_CONFIG=(
+        "--enable-helm"
+        "--skip-secrets"
+        "--skip-crds"
+    )
+else
+    # shellcheck disable=SC2128
+    IFS=' ' read -r -a FLUX_LOCAL_CONFIG <<<"$FLUX_LOCAL_CONFIG"
+fi
+
+printf "\nINFO - Auditing clusters\n"
+find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d -print0 | while IFS= read -r -d $'\0' cluster; do
+    printf "INFO - Auditing cluster %s\n" "${cluster##*/}"
+    flux-local build "${FLUX_LOCAL_CONFIG[@]}" "${cluster}" |
+        polaris audit "${POLARIS_CONFIG[@]}"
+    echo
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done

overlay/usr/local/bin/flux-validate

@@ -46,7 +46,7 @@ if [ -z "$KUBECONFORM_CONFIG" ]; then
     )
 else
     # shellcheck disable=SC2128
-    IFS=', ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
+    IFS=' ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
 fi
 
 printf "\nINFO - Validating clusters\n"