From b67f51139c6979db2e8b9e293a5e1429fbe5595e Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 9 Jul 2023 14:08:36 +0200
Subject: [PATCH] add flux-local to build clusters for better audit results with polaris

---
 Dockerfile | 5 ++++-
 overlay/usr/local/bin/flux-audit | 35 ++++++++++++-----------------
 overlay/usr/local/bin/flux-validate | 2 +-
 3 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c3e50f4..14a8d9d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,8 +26,11 @@ ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
 # renovate: datasource=github-releases depName=FairwindsOps/polaris
 ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
+# renovate: datasource=pypi depName=flux-local
+ENV FLUX_LOCAL_VERSION="${FLUX_LOCAL_VERSION:-3.0.0}"
 
-RUN apk --update add curl tar bash python3 py3-yaml findutils && \
+RUN apk --update add curl tar bash python3 py3-yaml py3-pip findutils git && \
+    pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION" && \
     curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
     curl -SsfL -o /usr/local/bin/kubectl-convert "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl-convert" && \
     curl -SsfL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" && \
diff --git a/overlay/usr/local/bin/flux-audit b/overlay/usr/local/bin/flux-audit
index c8664b9..dc6975f 100755
--- a/overlay/usr/local/bin/flux-audit
+++ b/overlay/usr/local/bin/flux-audit
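Review bot: The added `pip install -qq --no-cache-dir flux-local=="$FLUX_LOCAL_VERSION"` pins only flux-local itself by version, so every transitive dependency is resolved unpinned at build time and nothing verifies what the index serves, unlike the exact-version pins used for the other tools in this ENV block. Installing from a requirements file that carries hashes and passing `--require-hashes` would make the build fail closed on a substituted or tampered package and would let renovate track the whole dependency set rather than one name. The `-qq` also suppresses pip's resolver warnings, which is where an unexpected replacement of the apk-managed `py3-yaml` would surface if it occurred; `-q` keeps those visible. The RUN instruction continues past the end of the hunk.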
@@ -1,16 +1,8 @@
 #!/usr/bin/env bash
 set -eo pipefail
 
-KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
-KUSTOMIZE_CONFIG="**/overlays/**/kustomization.yaml"
-
 FLUX_PATH="${1:-.}"
 
-# shellcheck disable=SC2128
-IFS=', ' read -r -a POLARIS_EXCLUDE_PATHS <<<"$POLARIS_EXCLUDE_PATHS"
-
-echo "${POLARIS_EXCLUDE_PATHS[@]}"
-
 if [ -z "$POLARIS_CONFIG" ]; then
   POLARIS_CONFIG=(
     "--format=pretty"
@@ -24,20 +16,21 @@ else
   IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
 fi
 
-printf "\nINFO - Auditing kustomize overlays\n"
-find "${FLUX_PATH%/}" -type f -iwholename "$KUSTOMIZE_CONFIG" -print0 | while IFS= read -r -d $'\0' file; do
-  KUSTOMIZE_BASENAME=$(basename "$KUSTOMIZE_CONFIG")
-  KUSTOMIZE_BUILD="${file/%$KUSTOMIZE_BASENAME/}"
-
-  for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
-    if [ "$EXCLUDE" == "$KUSTOMIZE_BUILD" ]; then
-      printf "INFO - Skipping kustomization %s\n" "$KUSTOMIZE_BUILD"
-      continue 2
-    fi
-  done
+if [ -z "$FLUX_LOCAL_CONFIG" ]; then
+  FLUX_LOCAL_CONFIG=(
+    "--enable-helm"
+    "--skip-secrets"
+    "--skip-crds"
+  )
+else
+  # shellcheck disable=SC2128
+  IFS=' ' read -r -a FLUX_LOCAL_CONFIG <<<"$FLUX_LOCAL_CONFIG"
+fi
 
-  printf "INFO - Auditing kustomization %s\n" "$KUSTOMIZE_BUILD"
-  kustomize build "$KUSTOMIZE_BUILD" "${KUSTOMIZE_FLAGS[@]}" |
+printf "\nINFO - Auditing clusters\n"
+find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d -print0 | while IFS= read -r -d $'\0' cluster; do
+  printf "INFO - Auditing cluster %s\n" "${cluster##*/}"
+  flux-local build "${FLUX_LOCAL_CONFIG[@]}" "${cluster}" |
     polaris audit "${POLARIS_CONFIG[@]}"
   echo
   if [[ ${PIPESTATUS[0]} != 0 ]]; then
diff --git a/overlay/usr/local/bin/flux-validate b/overlay/usr/local/bin/flux-validate
index 4062d9b..9dbface 100755
--- a/overlay/usr/local/bin/flux-validate
+++ b/overlay/usr/local/bin/flux-validate
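Review bot: `find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d -print0` in the second hunk treats every top-level directory as a cluster, so with the default `FLUX_PATH="${1:-.}"` at a repository root it will also hand `.git` and any other dot-directory to `flux-local build`; excluding hidden directories in the find expression avoids that, e.g. `find "${FLUX_PATH%/}" -mindepth 1 -maxdepth 1 -type d ! -name '.*' -print0 | while IFS= read -r -d $'\0' cluster; do`. The POLARIS_EXCLUDE_PATHS skip logic removed in the first hunk has no replacement, so a directory can no longer be excluded from the audit; if that is intended it should be stated in the usage documentation. Setting FLUX_LOCAL_CONFIG also replaces the defaults wholesale rather than extending them, so a caller who overrides it to add one flag silently loses `--skip-secrets`; a comment above the `else` branch such as `# Overriding FLUX_LOCAL_CONFIG replaces all defaults, including --skip-secrets; repeat the ones you still want` would make that explicit. The while loop body continues past the end of the hunk.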
@@ -46,7 +46,7 @@ if [ -z "$KUBECONFORM_CONFIG" ]; then
   )
 else
   # shellcheck disable=SC2128
-  IFS=', ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
+  IFS=' ' read -r -a KUBECONFORM_CONFIG <<<"$KUBECONFORM_CONFIG"
 fi
 
 printf "\nINFO - Validating clusters\n"
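Review bot: Changing the read separator from `', '` to `' '` means a KUBECONFORM_CONFIG value that callers still pass comma-separated is now handed to kubeconform as one combined token, and the script itself does not detect or report that. A comment above the read, `# KUBECONFORM_CONFIG is a space-separated list of kubeconform flags; commas are no longer treated as separators`, together with a note in the usage documentation, would make the changed contract visible to existing callers. The enclosing if/else starts before the hunk.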