CI: Improved lint Helm CI workflow

* Removed Tetragon openapi JSON CRD schemas * Unified lint-helm.yaml GH workflow logic * Unified install/kubernetes/Makefile logic Signed-off-by: Philip Schmid <[email protected]>
cilium · Oct 2, 2024 · 71e4b06 · 71e4b06
1 parent 6ecc2fd
commit 71e4b06
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 6,031 deletions.
diff --git a/.github/workflows/lint-helm.yaml b/.github/workflows/lint-helm.yaml
@@ -13,7 +13,6 @@ on:
     - 'install/kubernetes/**'
     - 'pkg/k8s/apis/cilium.io/client/crds/v1alpha1/*.yaml'
     - '.github/workflows/lint-helm.yaml'
-  workflow_call:
 
 permissions:
   pull-requests: write
@@ -27,55 +26,41 @@ jobs:
   generated-files:
     runs-on: ubuntu-latest
     steps:
-      # Get source
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout source code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      # Check / install dependencies
-      - name: Check if vendored openapi2jsonschema.py script is up to date
+      # Build Tetragon Helm chart
+      - name: Check if Tetragon Helm chart is up to date
         run: |
-          make -C install/kubernetes openapi2jsonschema.py
-          test -z "$(git status --porcelain)"
-          if [ $? != 0 ]; then
-            git status --porcelain
-            echo "Vendored openapi2jsonschema.py script is out of date."
-            echo "Please run 'make -C install/kubernetes openapi2jsonschema.py' and submit your changes."; exit 1
-          fi
-      - name: Check if vendored CRD JSON schemas are up to date
-        run: |
-          make -C install/kubernetes generate-jsonschemas
+          make -C install/kubernetes
           test -z "$(git status --porcelain)"
           if [ $? != 0 ]; then
             git status --porcelain
-            echo "Vendored CRD JSON schemas are out of date."
-            echo "Please run 'make -C install/kubernetes generate-jsonschemas' and submit your changes."; exit 1
+            echo "The Tetragon Helm chart is outdated."
+            echo "Please run 'make -C install/kubernetes' and submit your changes."; exit 1
           fi
-      - name: Install Helm CLI # Required for the Helm chart templating
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 
-      # Validate Helm chart
-      - name: Generate Helm chart
-        id: generate_helm_chart
-        run: |
-          make -C install/kubernetes
-      - name: Validate generated files
+      # Validate Tetragon Helm chart
+      - name: Check if openapi2jsonschema.py is up-to-date
+        id: validate_openapi2jsonschema_script
         run: |
+          make -C install/kubernetes openapi2jsonschema.py
           test -z "$(git status --porcelain)"
           if [ $? != 0 ]; then
             git status --porcelain
-            echo "Please run 'make -C install/kubernetes' and submit your changes."; exit 1
+            echo "openapi2jsonschema.py seems to be outdated."
+            echo "Please run 'make -C install/kubernetes openapi2jsonschema.py' and submit your changes."; exit 1
           fi
-
-      # (Re-)run Kubeconform checks explicitly once again to catch specific errors in that regard (to get the STDOUT/STDERR)
       - name: Run Kubeconform with minimum supported K8s version
-        if: success() || steps.generate_helm_chart.outcome == 'failure'
+        if: success() || steps.validate_openapi2jsonschema_script.outcome == 'failure'
         id: kubeconform_min_k8s_version
         uses: mathiasvr/command-output@34408ea3d0528273faff3d9e201761ae96106cd0 # v2.0.0
         with:
           shell: bash
           run: |
             make -C install/kubernetes kubeconform K8S_VERSION=${{ env.MIN_K8S_VERSION }}
       - name: Run Kubeconform with latest K8s version
-        if: success() || steps.generate_helm_chart.outcome == 'failure'
+        if: success() || steps.validate_openapi2jsonschema_script.outcome == 'failure'
         id: kubeconform_latest_k8s_version
         uses: mathiasvr/command-output@34408ea3d0528273faff3d9e201761ae96106cd0 # v2.0.0
         with:

diff --git a/install/kubernetes/Makefile b/install/kubernetes/Makefile
@@ -1,39 +1,63 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright Authors of Tetragon
 
+include ../../Makefile.defs
+
+#
+# -- Images
+#
 # renovate: datasource=docker
-HELM_IMAGE=docker.io/alpine/helm:3.16.1@sha256:e057182827e6273fc7e64b8b2b8809cbb71d84e0dd0f88310712f45879854062
+HELM_IMAGE = docker.io/alpine/helm:3.16.1@sha256:e057182827e6273fc7e64b8b2b8809cbb71d84e0dd0f88310712f45879854062
 # renovate: datasource=docker
-KUBECONFORM_IMAGE=ghcr.io/yannh/kubeconform:v0.6.7-alpine@sha256:824e0c248809e4b2da2a768b16b107cf17ada88a89ec6aa6050e566ba93ebbc6
+KUBECONFORM_IMAGE = ghcr.io/yannh/kubeconform:v0.6.7-alpine@sha256:824e0c248809e4b2da2a768b16b107cf17ada88a89ec6aa6050e566ba93ebbc6
 # renovate: datasource=docker
-HELMDOCS_IMAGE=docker.io/jnorwood/helm-docs:v1.14.2@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c
-# renovate: datasource=github-releases depName=yannh/kubeconform
-KUBECONFORM_VERSION := v0.6.7
+HELMDOCS_IMAGE = docker.io/jnorwood/helm-docs:v1.14.2@sha256:7e562b49ab6b1dbc50c3da8f2dd6ffa8a5c6bba327b1c6335cc15ce29267979c
 # renovate: datasource=docker
-PYTHON_IMAGE := docker.io/python:3.12-slim-bookworm
-K8S_VERSION := master
-HELM_VALUES_OVERRIDE := "helm_lint_values_override.yaml"
+PYTHON_IMAGE = docker.io/python:3.12-slim-bookworm
 
-REPO_ROOT := $(shell git rev-parse --show-toplevel)
-TETRAGON_CHART := tetragon
-CRDS_RELATIVE_DIR := pkg/k8s/apis/cilium.io/client/crds/v1alpha1
-CRDS := $(REPO_ROOT)/$(CRDS_RELATIVE_DIR)
-JSON_SCHEMAS := $(REPO_ROOT)/install/kubernetes/schemas
+#
+# -- Versions
+#
+# renovate: datasource=github-releases depName=yannh/kubeconform
+KUBECONFORM_VERSION = v0.6.7
+K8S_VERSION = master
 
-HELM ?= docker run --rm -v $(CURDIR)/$(TETRAGON_CHART):/apps -v $(CURDIR)/$(HELM_VALUES_OVERRIDE):/$(HELM_VALUES_OVERRIDE) $(HELM_IMAGE)
-PYTHON ?= docker run --rm -v $(REPO_ROOT):/code --workdir=/code/install/kubernetes -e FILENAME_FORMAT='{kind}-{fullgroup}' $(PYTHON_IMAGE)
+#
+# -- Variables
+#
+HELM_VALUES_OVERRIDE = helm_lint_values_override.yaml
+ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+TETRAGON_CHART = tetragon
+CRDS_RELATIVE_DIR = pkg/k8s/apis/cilium.io/client/crds/v1alpha1
+CRDS := $(ROOT_DIR)/$(CRDS_RELATIVE_DIR)
+JSON_SCHEMAS := $(ROOT_DIR)/install/kubernetes/schemas
 
-.PHONY: all
-all: $(TETRAGON_CHART)/crds-yaml lint docs generate-jsonschemas kubeconform
+#
+# -- Commands
+#
+PYTHON := docker run --rm \
+		-v $(ROOT_DIR):/code \
+		--workdir=/code/install/kubernetes \
+		-e FILENAME_FORMAT='{kind}-{fullgroup}' \
+		$(PYTHON_IMAGE)
+HELM := docker run --rm -u $(shell id -u):$(shell id -g) \
+		-v $(CURDIR)/$(TETRAGON_CHART):/apps \
+		-v $(CURDIR)/$(HELM_VALUES_OVERRIDE):/$(HELM_VALUES_OVERRIDE) \
+		$(HELM_IMAGE)
 
-.PHONY: lint
-lint:
-	$(HELM) lint . --with-subcharts
+#
+# -- Make targets
+#
+
+##@ Build
+
+.PHONY: all
+all: docs $(TETRAGON_CHART)/crds-yaml
 
 .PHONY: docs
-docs:
+docs: ## Generate Helm docs for the README.md
 	docker run --rm -v $(CURDIR)/$(TETRAGON_CHART):/helm-docs -u $$(id -u) $(HELMDOCS_IMAGE)
-	./export-doc.sh $(REPO_ROOT)/docs/content/en/docs/reference/helm-chart.md
+	./export-doc.sh $(ROOT_DIR)/docs/content/en/docs/reference/helm-chart.md
 
 # NB: Helm has an "official" way to install CRDs which requires simply putting
 # them in the crds directory. This method doesn't prevents accidental deletion
@@ -45,21 +69,32 @@ docs:
 $(TETRAGON_CHART)/crds-yaml: $(CRDS)
 	cp -rf $(CRDS)/. $(TETRAGON_CHART)/crds-yaml
 
-# openapi2jsonschema.py script generating JSON schema from the CRD YAML spec.
+##@ Validation
+
+.PHONY: validation
+validation: ## Validate/lint the Helm chart and all its resources
+	$(MAKE) lint
+	$(MAKE) kubeconform
+
 .PHONY: openapi2jsonschema.py
-openapi2jsonschema.py:
+openapi2jsonschema.py: ## openapi2jsonschema.py script generating JSON schema from the CRD YAML spec.
 	curl -sSfLO https://raw.githubusercontent.com/yannh/kubeconform/$(KUBECONFORM_VERSION)/scripts/$@
 
-# To validate (using openapi2jsonschema.py) default Ruleset policies included in the Helm chart, we need to pass the
-# JSON schema of the TracingPolicy CRD. This target generates such schema.
-.PHONY: generate-jsonschemas
-generate-jsonschemas: $(CRDS)
-	mkdir -p $(JSON_SCHEMAS)/
-	$(PYTHON) /bin/bash -c "pip install pyyaml && python /code/install/kubernetes/openapi2jsonschema.py /code/$(CRDS_RELATIVE_DIR)/*"
-	mv $(REPO_ROOT)/install/kubernetes/*-cilium.io.json $(JSON_SCHEMAS)/
+.PHONY: lint
+lint: ## Lint the Helm chart
+	$(HELM) lint . --with-subcharts
 
 .PHONY: kubeconform
+# Run kubeconform Helm chart validation checks to validate the templated
+# Kubernetes (custom) resources against their spec.
+# To validate potentially included Tetragon CRs in the Helm chart (using
+# openapi2jsonschema.py), we need to have the JSON schema of the TracingPolicy
+# CRD. Skip validating the Tetragon CRDs themselves (circular dependency).
+kubeconform: ## Validate Helm chart using kubeconform
 kubeconform:
+	mkdir -p $(JSON_SCHEMAS)/
+	$(PYTHON) /bin/bash -c "pip install pyyaml && python /code/install/kubernetes/openapi2jsonschema.py /code/$(CRDS_RELATIVE_DIR)/*"
+	mv $(ROOT_DIR)/install/kubernetes/*-cilium.io.json $(JSON_SCHEMAS)/
 	@echo "## Testing Helm chart: \"$(TETRAGON_CHART)\""
 	$(HELM) template $(TETRAGON_CHART) . \
 	-f values.yaml \
@@ -72,4 +107,10 @@ kubeconform:
 		-skip CustomResourceDefinition \
 		-strict \
 		-kubernetes-version $(K8S_VERSION)
-	@echo ""
+	rm -rf $(JSON_SCHEMAS)/
+
+##@ Documentation
+
+.PHONY: help
+help: ## Display this help, based on https://www.thapaliya.com/en/writings/well-documented-makefiles/
+	$(call print_help_from_comments)
diff --git a/install/kubernetes/schemas/podinfo-cilium.io.json b/install/kubernetes/schemas/podinfo-cilium.io.json