Example of using Gator CLI with Helm charts. This is just a basic example and doesn't showcase all the features of Gatekeeper or Gator CLI.
Constraint Template and Constraint files:

policies/                          # Constraint templates and constraints go here
  constraint-templates/            # Constraint templates go here
    replicalimits-template.yaml    # Sample constraint template for validating min/max replica limits
  constraints/                     # Specific constraints configured using the constraint templates
    replicalimits.yaml             # Sample constraint for validating min/max replica limits
Charts:
- Good chart (app-v1) - has 3 replicas (see app-v1/values.yaml)
- Bad chart (app-v2) - has 1 replica (see app-v2/values.yaml)
These were created with:
helm create app-v1
helm create app-v2
Then app-v2/values.yaml was edited:

replicaCount: 1

The rendered manifests of each chart can be inspected with:

helm template ./app-v1 | less
helm template ./app-v2 | less
If you use helm upgrade --install app ./app-v1 --dry-run -o yaml, you will not be able to pass that output directly to gator, since it includes additional release information, not just the manifests. You would need to strip that out and select only the manifest section.

Example error:
helm upgrade --install app ./app-v1 --dry-run=client -o yaml | gator test --filename=policies/
# auditing objects: adding data of GVK "/, Kind=": admission.k8s.gatekeeper.sh: invalid request object: resource has no version
The output contains additional chart metadata, not just the manifests.
helm upgrade --install app ./app-v1 --dry-run -o yaml
Sample output structure:
chart:
  files:
  - data: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name: .helmignore
  lock: null
  metadata:
    apiVersion: v2
    appVersion: 1.16.0
    description: A Helm chart for Kubernetes
    name: app-v1
    type: application
    version: 0.1.0
  schema: null
  templates:
  - data: xxxxxxxxxxxxxxxxxxxx
  ...
hooks:
- events:
  - test
  kind: Pod
  ...
manifest: |
  ---
  # Source: app-v1/templates/serviceaccount.yaml
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: app-app-v1
  ...
The section after manifest: | is what we need to pass to gator.
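To feed the dry-run output to gator without hand-editing it, here is an added shell example (not part of the original README, Helm, or Gatekeeper) that copies only the block scalar under the top-level manifest: | key and drops everything else. It assumes the key sits at the top level with its body indented by two spaces, as in the sample output above; the embedded dry-run text is constructed for the demo, and the real pipeline at the bottom is left commented out because it needs Helm, the chart and gator on the machine.

```shell
#!/bin/sh
# Added example: extract the rendered manifests from
# `helm upgrade --install ... --dry-run -o yaml` output so the result
# can be piped into `gator test` the same way `helm template` output can.
# Assumption: `manifest: |` is a top-level key and its body is indented
# by exactly two spaces (the shape shown in the sample output above).

extract_manifest() {
  awk '
    # start copying once the top-level "manifest: |" key is reached
    $0 == "manifest: |" { inside = 1; next }
    inside {
      # the block scalar ends at the first non-empty, non-indented line
      if ($0 !~ /^  / && $0 != "") { exit }
      # strip the two-space block indent so the YAML documents are valid
      sub(/^  /, "")
      print
    }
  '
}

# Constructed stand-in for the dry-run output (shape only, not real release data).
SAMPLE_DRY_RUN='chart:
  metadata:
    name: app-v1
    version: 0.1.0
hooks: []
manifest: |
  ---
  # Source: app-v1/templates/serviceaccount.yaml
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: app-app-v1
  ---
  # Source: app-v1/templates/deployment.yaml
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: app-app-v1
  spec:
    replicas: 3
name: app
namespace: default
'

# Number of YAML documents ("---" separators) left after extraction.
manifest_doc_count() {
  printf '%s' "$SAMPLE_DRY_RUN" | extract_manifest | grep -c '^---$'
}

# Comma-separated list of the `kind:` values found in the extracted manifests.
manifest_kinds() {
  printf '%s' "$SAMPLE_DRY_RUN" | extract_manifest \
    | awk '/^kind:/ { kinds = kinds (kinds ? "," : "") $2 } END { print kinds }'
}

# First line of the extracted output; should be the document separator,
# not a `chart:` or `hooks:` key from the surrounding release object.
manifest_first_line() {
  printf '%s' "$SAMPLE_DRY_RUN" | extract_manifest | head -n 1
}

# Real usage (not run here):
#   helm upgrade --install app ./app-v1 --dry-run=client -o yaml \
#     | extract_manifest | gator test --filename=policies/
```

The awk filter stops at the first non-indented, non-empty line after the block, so release keys such as name: and namespace: that follow the manifest never reach gator, which is exactly what the "resource has no version" error above was complaining about.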
helm template ./app-v1 | gator test --filename=policies/
echo $?
# 0
helm template ./app-v2 | gator test --filename=policies/
# apps/v1/Deployment release-name-app-v2: ["replica-limits"] Message: "The provided number of replicas is not allowed for Deployment: release-name-app-v2. Allowed ranges: {\"ranges\": [{\"max_replicas\": 20, \"min_replicas\": 2}]}"
echo $?
# 1
References:
- The gator CLI: a tool for evaluating Gatekeeper ConstraintTemplates and Constraints in a local environment.