add flux-local to build clusters for better audit results with polaris

Dockerfile

@@ -26,8 +26,11 @@ ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
 # renovate: datasource=github-releases depName=FairwindsOps/polaris
 ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
+# renovate: datasource=pypi depName=flux-local
+ENV FLUX_LOCAL_VERSION="${FLUX_LOCAL_VERSION:-3.0.0}"
 
-RUN apk --update add curl tar bash python3 py3-yaml findutils && \
+RUN apk --update add curl tar bash python3 py3-yaml py3-pip findutils git && \
+    pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION" && \
     curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
     curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl-convert" && \
     curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" && \

overlay/usr/local/bin/flux-audit

@@ -1,16 +1,8 @@
 #!/usr/bin/env bash
 set -eo pipefail
 
-KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
-KUSTOMIZE_CONFIG="**/overlays/**/kustomization.yaml"
-
 FLUX_PATH="${1:-.}"
 
-# shellcheck disable=SC2128
-IFS=', ' read -r -a POLARIS_EXCLUDE_PATHS <<<"$POLARIS_EXCLUDE_PATHS"
-
-echo "${POLARIS_EXCLUDE_PATHS[@]}"
-
 if [ -z "$POLARIS_CONFIG" ]; then
     POLARIS_CONFIG=(
         "--format=pretty"
@@ -24,20 +16,21 @@ else
     IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
 fi
 
-printf "\nINFO - Auditing kustomize overlays\n"
-find "${FLUX_PATH%/}" -type f -iwholename "$KUSTOMIZE_CONFIG" -print0 | while IFS= read -r -d $'\0' file; do
-    KUSTOMIZE_BASENAME=$(basename "$KUSTOMIZE_CONFIG")
-    KUSTOMIZE_BUILD="${file/%$KUSTOMIZE_BASENAME/}"
+if [ -z "$FLUX_LOCAL_CONFIG" ]; then
+    FLUX_LOCAL_CONFIG=(
+        "--enable-helm"
+        "--skip-secrets"
+        "--skip-crds"
+    )
+else
+    # shellcheck disable=SC2128
+    IFS=' ' read -r -a FLUX_LOCAL_CONFIG <<<"$FLUX_LOCAL_CONFIG"
+fi
 
-    for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
-        if [ "$EXCLUDE" == "$KUSTOMIZE_BUILD" ]; then
-            printf "INFO - Skipping kustomization %s\n" "$KUSTOMIZE_BUILD"
-            continue 2
-        fi
-    done
-
-    printf "INFO - Auditing kustomization %s\n" "$KUSTOMIZE_BUILD"
-    kustomize build "$KUSTOMIZE_BUILD" "${KUSTOMIZE_FLAGS[@]}" |
+printf "\nINFO - Auditing clusters\n"
+find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d -print0 | while IFS= read -r -d $'\0' cluster; do
+    printf "INFO - Auditing cluster %s\n" "${cluster##*/}"
+    flux-local build "${FLUX_LOCAL_CONFIG[@]}" "${cluster}" |
         polaris audit "${POLARIS_CONFIG[@]}"
     echo
     if [[ ${PIPESTATUS[0]} != 0 ]]; then

overlay/usr/local/bin/flux-validate

@@ -46,7 +46,7 @@ if [ -z "$KUBECONFORM_CONFIG" ]; then
     )
 else
     # shellcheck disable=SC2128
-    IFS=', ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
+    IFS=' ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
 fi
 
 printf "\nINFO - Validating clusters\n"