
feat(ci): add helm lint / kubeconform validation on pull requests#11

Open
jonathandieu wants to merge 9 commits into main from 7/ci-helm-lint-kubeconform

Conversation

@jonathandieu

Owner
  • Runs helm lint and kubeconform against every chart on each PR.
  • Catches invalid chart structure, wrong API versions, and missing required fields before ArgoCD tries to apply them.
  • Adds Chart.lock files for charts that were missing them (envoy-gateway OCI dep, keda, opencost).

Copilot AI left a comment


Pull request overview

Adds a pull-request CI workflow to validate Helm charts early (lint + rendered-manifest schema validation) and checks in missing dependency lockfiles to make chart dependencies reproducible.

Changes:

  • Introduces a new GitHub Actions workflow that runs helm dependency build, helm lint, and helm template | kubeconform on PRs.
  • Adds Chart.lock files for charts that were missing dependency lockfiles (envoy-gateway, keda, opencost).

Reviewed changes

Copilot reviewed 1 out of 4 changed files in this pull request and generated 1 comment.

File                                            Description
.github/workflows/ci.yml                        New PR CI workflow to lint and schema-validate rendered Helm manifests.
charts/infrastructure/envoy-gateway/Chart.lock  Adds dependency lock file for envoy-gateway chart dependencies (OCI).
charts/infrastructure/keda/Chart.lock           Adds dependency lock file for keda (currently only lockfile present in directory).
charts/infrastructure/opencost/Chart.lock       Adds dependency lock file for opencost (currently only lockfile present in directory).
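As an added example (not the PR's ci.yml and not code from the repository), here is the validation that the PR description and the review overview describe, written as a POSIX shell script: for every chart directory it runs helm dependency build, helm lint, helm template and kubeconform. It goes beyond the PR in two places a reviewer would ask for: the kubeconform download is checksum-verified and fails on an HTTP error instead of piping an error page into tar, and a render that produces no manifests fails the job instead of being passed to kubeconform, which accepts empty input silently. The version and checksum values, the Kubernetes version, and the CRD schema catalog URL are assumptions, not values from the PR.

```shell
#!/bin/sh
# Added example: validate every Helm chart under a directory on a pull request.
# Not the PR's own workflow; the pinned version/checksum values are placeholders.
set -eu

# Assumption: these are placeholders, to be replaced with values recorded in the workflow.
KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.7}"
KUBECONFORM_SHA256="${KUBECONFORM_SHA256:-<sha256 of the release tarball, recorded in the workflow>}"
K8S_VERSION="${K8S_VERSION:-1.31.0}"
# Assumption: the public datree CRD catalog covers the CRDs the charts render.
CRD_SCHEMAS='https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'

# Download kubeconform and verify the tarball against the pinned checksum.
# -f makes curl fail on an HTTP error instead of handing an error page to tar.
install_kubeconform() {
  url="https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
  curl -fsSL "$url" -o /tmp/kubeconform.tar.gz
  echo "${KUBECONFORM_SHA256}  /tmp/kubeconform.tar.gz" | sha256sum -c -
  tar xzf /tmp/kubeconform.tar.gz -C /tmp kubeconform
  sudo install -m 0755 /tmp/kubeconform /usr/local/bin/kubeconform
}

# Print every chart directory (one that contains a Chart.yaml) under $1, sorted.
find_charts() {
  find "$1" -name Chart.yaml -type f | sed 's#/Chart.yaml$##' | sort
}

# A rendered manifest stream without a single top-level "kind:" line is empty.
# Treat that as a failed render so it cannot pass kubeconform vacuously.
render_is_nonempty() {
  grep -q '^kind:' "$1"
}

# Dependency build, lint, render and schema-validate one chart directory.
validate_chart() {
  chart="$1"
  echo "== $chart"
  helm dependency build "$chart"
  helm lint --strict "$chart"
  rendered=$(mktemp)
  helm template release "$chart" > "$rendered"
  if ! render_is_nonempty "$rendered"; then
    echo "error: helm template produced no manifests for $chart" >&2
    rm -f "$rendered"
    return 1
  fi
  kubeconform -strict -summary \
    -kubernetes-version "$K8S_VERSION" \
    -schema-location default \
    -schema-location "$CRD_SCHEMAS" \
    "$rendered"
  rm -f "$rendered"
}

# Validate every chart; keep going after a failure so the PR sees all problems,
# but exit non-zero if any chart failed.
validate_all() {
  status=0
  for chart in $(find_charts "$1"); do
    validate_chart "$chart" || status=1
  done
  return "$status"
}

# Run only when CHARTS_ROOT is set, so the functions can also be sourced on their own.
if [ -n "${CHARTS_ROOT:-}" ]; then
  install_kubeconform
  validate_all "$CHARTS_ROOT"
fi
```

In a GitHub Actions job this would run as `CHARTS_ROOT=charts sh validate-charts.sh`; the empty-render check matters most right after a dependency or lockfile change, which is exactly when a render can start producing nothing.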


Comment thread .github/workflows/ci.yml
Comment on lines +33 to +36
run: |
curl -sL https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz \
| tar xz -C /tmp
sudo mv /tmp/kubeconform /usr/local/bin/
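Review bot: the install step on lines 33 to 36 downloads the kubeconform tarball and moves the binary into /usr/local/bin without verifying it, so the workflow trusts whatever the release URL serves at run time; record the expected sha256 of the v0.6.7 tarball in the workflow and check it with `sha256sum -c` before extracting. Also `curl -sL` has no `-f`, so an HTTP error body would be piped into `tar xz` and the job would fail at the `mv` with a confusing message rather than at the download; `curl -fsSL` makes the failure point obvious.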
jonathandieu force-pushed the 7/ci-helm-lint-kubeconform branch from 9a19118 to 03f7d8f on June 26, 2026 14:17
@github-actions


Helm template diff

No template changes detected.

@github-actions


Helm template diff

No template changes detected.

@github-actions


Helm template diff

diff -u --recursive --label base --label head base head
--- base
+++ head
@@ -1,13889 +0,0 @@
----
-# Source: cert-manager/charts/cert-manager/templates/cainjector-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: release-cert-manager-cainjector
-  namespace: default
-  labels:
-    app: cainjector
-    app.kubernetes.io/name: cainjector
-    app.kubernetes.io/instance: release
-    app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.20.2"
-    app.kubernetes.io/managed-by: Helm
-    helm.sh/chart: cert-manager-v1.20.2
-
----
-# Source: cert-manager/charts/cert-manager/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: release-cert-manager
-  namespace: default
-  labels:
-    app: cert-manager
-    app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/instance: release
-    app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.20.2"
-    app.kubernetes.io/managed-by: Helm
-    helm.sh/chart: cert-manager-v1.20.2
-
----
-# Source: cert-manager/charts/cert-manager/templates/webhook-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: release-cert-manager-webhook
-  namespace: default
-  labels:
-    app: webhook
-    app.kubernetes.io/name: webhook
-    app.kubernetes.io/instance: release
-    app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.20.2"
-    app.kubernetes.io/managed-by: Helm
-    helm.sh/chart: cert-manager-v1.20.2
-
----
-# Source: cert-manager/charts/cert-manager/templates/crd-acme.cert-manager.io_challenges.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: "challenges.acme.cert-manager.io"
-  annotations:
-    helm.sh/resource-policy: keep
-  labels:
-    app: "cert-manager"
-    app.kubernetes.io/name: "cert-manager"
-    app.kubernetes.io/instance: "release"
-    app.kubernetes.io/component: "crds"
-    app.kubernetes.io/version: "v1.20.2"
-    app.kubernetes.io/managed-by: Helm
-    helm.sh/chart: cert-manager-v1.20.2
-spec:
-  group: acme.cert-manager.io
-  names:
-    categories:
-      - cert-manager
-      - cert-manager-acme
-    kind: Challenge
-    listKind: ChallengeList
-    plural: challenges
-    singular: challenge
-  scope: Namespaced
-  versions:
-    - additionalPrinterColumns:
-        - jsonPath: .status.state
-          name: State
-          type: string
-        - jsonPath: .spec.dnsName
-          name: Domain
-          type: string
-        - jsonPath: .status.reason
-          name: Reason
-          priority: 1
-          type: string
-        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-          jsonPath: .metadata.creationTimestamp
-          name: Age
-          type: date
-      name: v1
-      schema:
-        openAPIV3Schema:
-          description: Challenge is a type to represent a Challenge request with an ACME server
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              properties:
-                authorizationURL:
-                  description: |-
-                    The URL to the ACME Authorization resource that this
-                    challenge is a part of.
-                  type: string
-                dnsName:
-                  description: |-
-                    dnsName is the identifier that this challenge is for, e.g., example.com.
-                    If the requested DNSName is a 'wildcard', this field MUST be set to the
-                    non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
-                  type: string
-                issuerRef:
-                  description: |-
-                    References a properly configured ACME-type Issuer which should
-                    be used to create this Challenge.
-                    If the Issuer does not exist, processing will be retried.
-                    If the Issuer is not an 'ACME' Issuer, an error will be returned and the
-                    Challenge will be marked as failed.
-                  properties:
-                    group:
-                      description: |-
-                        Group of the issuer being referred to.
-                        Defaults to 'cert-manager.io'.
-                      type: string
-                    kind:
-                      description: |-
-                        Kind of the issuer being referred to.
-                        Defaults to 'Issuer'.
-                      type: string
-                    name:
-                      description: Name of the issuer being referred to.
-                      type: string
-                  required:
-                    - name
-                  type: object
-                key:
-                  description: |-
-                    The ACME challenge key for this challenge
-                    For HTTP01 challenges, this is the value that must be responded with to
-                    complete the HTTP01 challenge in the format:
-                    `<private key JWK thumbprint>.<key from acme server for challenge>`.
-                    For DNS01 challenges, this is the base64 encoded SHA256 sum of the
-                    `<private key JWK thumbprint>.<key from acme server for challenge>`
-                    text that must be set as the TXT record content.
-                  type: string
-                solver:
-                  description: |-
-                    Contains the domain solving configuration that should be used to
-                    solve this challenge resource.
-                  properties:
-                    dns01:
-                      description: |-
-                        Configures cert-manager to attempt to complete authorizations by
-                        performing the DNS01 challenge flow.
-                      properties:
-                        acmeDNS:
-                          description: |-
-                            Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
-                            DNS01 challenge records.
-                          properties:
-                            accountSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            host:
-                              type: string
-                          required:
-                            - accountSecretRef
-                            - host
-                          type: object
-                        akamai:
-                          description: Use the Akamai DNS zone management API to manage DNS01 challenge records.
-                          properties:
-                            accessTokenSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            clientSecretSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            clientTokenSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            serviceConsumerDomain:
-                              type: string
-                          required:
-                            - accessTokenSecretRef
-                            - clientSecretSecretRef
-                            - clientTokenSecretRef
-                            - serviceConsumerDomain
-                          type: object
-                        azureDNS:
-                          description: Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-                          properties:
-                            clientID:
-                              description: |-
-                                Auth: Azure Service Principal:
-                                The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
-                                If set, ClientSecret and TenantID must also be set.
-                              type: string
-                            clientSecretSecretRef:
-                              description: |-
-                                Auth: Azure Service Principal:
-                                A reference to a Secret containing the password associated with the Service Principal.
-                                If set, ClientID and TenantID must also be set.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            environment:
-                              description: name of the Azure environment (default AzurePublicCloud)
-                              enum:
-                                - AzurePublicCloud
-                                - AzureChinaCloud
-                                - AzureGermanCloud
-                                - AzureUSGovernmentCloud
-                              type: string
-                            hostedZoneName:
-                              description: name of the DNS zone that should be used
-                              type: string
-                            managedIdentity:
-                              description: |-
-                                Auth: Azure Workload Identity or Azure Managed Service Identity:
-                                Settings to enable Azure Workload Identity or Azure Managed Service Identity
-                                If set, ClientID, ClientSecret and TenantID must not be set.
-                              properties:
-                                clientID:
-                                  description: client ID of the managed identity, cannot be used at the same time as resourceID
-                                  type: string
-                                resourceID:
-                                  description: |-
-                                    resource ID of the managed identity, cannot be used at the same time as clientID
-                                    Cannot be used for Azure Managed Service Identity
-                                  type: string
-                                tenantID:
-                                  description: tenant ID of the managed identity, cannot be used at the same time as resourceID
-                                  type: string
-                              type: object
-                            resourceGroupName:
-                              description: resource group the DNS zone is located in
-                              type: string
-                            subscriptionID:
-                              description: ID of the Azure subscription
-                              type: string
-                            tenantID:
-                              description: |-
-                                Auth: Azure Service Principal:
-                                The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
-                                If set, ClientID and ClientSecret must also be set.
-                              type: string
-                            zoneType:
-                              description: |-
-                                ZoneType determines which type of Azure DNS zone to use.
-
-                                Valid values are:
-                                  - AzurePublicZone  (default): Use a public Azure DNS zone.
-                                  - AzurePrivateZone: Use an Azure Private DNS zone.
-
-                                If not specified, AzurePublicZone is used.
-
-                                Support for Azure Private DNS zones is currently
-                                experimental and may change in future releases.
-                              enum:
-                                - AzurePublicZone
-                                - AzurePrivateZone
-                              type: string
-                          required:
-                            - resourceGroupName
-                            - subscriptionID
-                          type: object
-                        cloudDNS:
-                          description: Use the Google Cloud DNS API to manage DNS01 challenge records.
-                          properties:
-                            hostedZoneName:
-                              description: |-
-                                HostedZoneName is an optional field that tells cert-manager in which
-                                Cloud DNS zone the challenge record has to be created.
-                                If left empty cert-manager will automatically choose a zone.
-                              type: string
-                            project:
-                              type: string
-                            serviceAccountSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - project
-                          type: object
-                        cloudflare:
-                          description: Use the Cloudflare API to manage DNS01 challenge records.
-                          properties:
-                            apiKeySecretRef:
-                              description: |-
-                                API key to use to authenticate with Cloudflare.
-                                Note: using an API token to authenticate is now the recommended method
-                                as it allows greater control of permissions.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            apiTokenSecretRef:
-                              description: API token used to authenticate with Cloudflare.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            email:
-                              description: Email of the account, only required when using API key based authentication.
-                              type: string
-                          type: object
-                        cnameStrategy:
-                          description: |-
-                            CNAMEStrategy configures how the DNS01 provider should handle CNAME
-                            records when found in DNS zones.
-                          enum:
-                            - None
-                            - Follow
-                          type: string
-                        digitalocean:
-                          description: Use the DigitalOcean DNS API to manage DNS01 challenge records.
-                          properties:
-                            tokenSecretRef:
-                              description: |-
-                                A reference to a specific 'key' within a Secret resource.
-                                In some instances, `key` is a required field.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - tokenSecretRef
-                          type: object
-                        rfc2136:
-                          description: |-
-                            Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
-                            to manage DNS01 challenge records.
-                          properties:
-                            nameserver:
-                              description: |-
-                                The IP address or hostname of an authoritative DNS server supporting
-                                RFC2136 in the form host:port. If the host is an IPv6 address it must be
-                                enclosed in square brackets (e.g [2001:db8::1]); port is optional.
-                                This field is required.
-                              type: string
-                            protocol:
-                              description: Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
-                              enum:
-                                - TCP
-                                - UDP
-                              type: string
-                            tsigAlgorithm:
-                              description: |-
-                                The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
-                                when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
-                                Supported values are (case-insensitive): ``HMACMD5`` (default),
-                                ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
-                              type: string
-                            tsigKeyName:
-                              description: |-
-                                The TSIG Key name configured in the DNS.
-                                If ``tsigSecretSecretRef`` is defined, this field is required.
-                              type: string
-                            tsigSecretSecretRef:
-                              description: |-
-                                The name of the secret containing the TSIG value.
-                                If ``tsigKeyName`` is defined, this field is required.
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          required:
-                            - nameserver
-                          type: object
-                        route53:
-                          description: Use the AWS Route53 API to manage DNS01 challenge records.
-                          properties:
-                            accessKeyID:
-                              description: |-
-                                The AccessKeyID is used for authentication.
-                                Cannot be set when SecretAccessKeyID is set.
-                                If neither the Access Key nor Key ID are set, we fall back to using env
-                                vars, shared credentials file, or AWS Instance metadata,
-                                see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              type: string
-                            accessKeyIDSecretRef:
-                              description: |-
-                                The SecretAccessKey is used for authentication. If set, pull the AWS
-                                access key ID from a key within a Kubernetes Secret.
-                                Cannot be set when AccessKeyID is set.
-                                If neither the Access Key nor Key ID are set, we fall back to using env
-                                vars, shared credentials file, or AWS Instance metadata,
-                                see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                            auth:
-                              description: Auth configures how cert-manager authenticates.
-                              properties:
-                                kubernetes:
-                                  description: |-
-                                    Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
-                                    by passing a bound ServiceAccount token.
-                                  properties:
-                                    serviceAccountRef:
-                                      description: |-
-                                        A reference to a service account that will be used to request a bound
-                                        token (also known as "projected token"). To use this field, you must
-                                        configure an RBAC rule to let cert-manager request a token.
-                                      properties:
-                                        audiences:
-                                          description: |-
-                                            TokenAudiences is an optional list of audiences to include in the
-                                            token passed to AWS. The default token consisting of the issuer's namespace
-                                            and name is always included.
-                                            If unset the audience defaults to `sts.amazonaws.com`.
-                                          items:
-                                            type: string
-                                          type: array
-                                          x-kubernetes-list-type: atomic
-                                        name:
-                                          description: Name of the ServiceAccount used to request a token.
-                                          type: string
-                                      required:
-                                        - name
-                                      type: object
-                                  required:
-                                    - serviceAccountRef
-                                  type: object
-                              required:
-                                - kubernetes
-                              type: object
-                            hostedZoneID:
-                              description: If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
-                              type: string
-                            region:
-                              description: |-
-                                Override the AWS region.
-
-                                Route53 is a global service and does not have regional endpoints but the
-                                region specified here (or via environment variables) is used as a hint to
-                                help compute the correct AWS credential scope and partition when it
-                                connects to Route53. See:
-                                - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
-                                - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
-
-                                If you omit this region field, cert-manager will use the region from
-                                AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
-                                in the cert-manager controller Pod.
-
-                                The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
-                                Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
-                                [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
-                                In this case this `region` field value is ignored.
-
-                                The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
-                                Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
-                                [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
-                                In this case this `region` field value is ignored.
-                              type: string
-                            role:
-                              description: |-
-                                Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
-                                or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-                              type: string
-                            secretAccessKeySecretRef:
-                              description: |-
-                                The SecretAccessKey is used for authentication.
-                                If neither the Access Key nor Key ID are set, we fall back to using env
-                                vars, shared credentials file, or AWS Instance metadata,
-                                see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-                              properties:
-                                key:
-                                  description: |-
-                                    The key of the entry in the Secret resource's `data` field to be used.
-                                    Some instances of this field may be defaulted, in others it may be
-                                    required.
-                                  type: string
-                                name:
-                                  description: |-
-                                    Name of the resource being referred to.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                  type: string
-                              required:
-                                - name
-                              type: object
-                          type: object
-                        webhook:
-                          description: |-
-                            Configure an external webhook based DNS01 challenge solver to manage
-                            DNS01 challenge records.
-                          properties:
-                            config:
-                              description: |-
-                                Additional configuration that should be passed to the webhook apiserver
-                                when challenges are processed.
-                                This can contain arbitrary JSON data.
-                                Secret values should not be specified in this stanza.
-                                If secret values are needed (e.g., credentials for a DNS service), you
-                                should use a SecretKeySelector to reference a Secret resource.
-                                For details on the schema of this field, consult the webhook provider
-                                implementation's documentation.
-                              x-kubernetes-preserve-unknown-fields: true
-                            groupName:
-                              description: |-
-                                The API group name that should be used when POSTing ChallengePayload
-                                resources to the webhook apiserver.
-                                This should be the same as the GroupName specified in the webhook
-                                provider implementation.
-                              type: string
-                            solverName:
-                              description: |-
-                                The name of the solver to use, as defined in the webhook provider
-                                implementation.
-                                This will typically be the name of the provider, e.g., 'cloudflare'.
-                              type: string
-                          required:
-                            - groupName
-                            - solverName
-                          type: object
-                      type: object
-                    http01:
-                      description: |-
-                        Configures cert-manager to attempt to complete authorizations by
-                        performing the HTTP01 challenge flow.
-                        It is not possible to obtain certificates for wildcard domain names
-                        (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
-                      properties:
-                        gatewayHTTPRoute:
-                          description: |-
-                            The Gateway API is a sig-network community API that models service networking
-                            in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
-                            create HTTPRoutes with the specified labels in the same namespace as the challenge.
-                            This solver is experimental, and fields / behaviour may change in the future.
-                          properties:
-                            labels:
-                              additionalProperties:
-                                type: string
-                              description: |-
-                                Custom labels that will be applied to HTTPRoutes created by cert-manager
-                                while solving HTTP-01 challenges.
-                              type: object
-                            parentRefs:
-                              description: |-
-                                When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
-                                cert-manager needs to know which parentRefs should be used when creating
-                                the HTTPRoute. Usually, the parentRef references a Gateway. See:
-                                https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
-                              items:
-                                description: |-
-                                  ParentReference identifies an API object (usually a Gateway) that can be considered
-                                  a parent of this resource (usually a route). There are two kinds of parent resources
-                                  with "Core" support:
-
-                                  * Gateway (Gateway conformance profile)
-                                  * Service (Mesh conformance profile, ClusterIP Services only)
-
-                                  This API may be extended in the future to support additional kinds of parent
-                                  resources.
-
-                                  The API object must be valid in the cluster; the Group and Kind must
-                                  be registered in the cluster for this reference to be valid.
-                                properties:
-                                  group:
-                                    default: gateway.networking.k8s.io
-                                    description: |-
-                                      Group is the group of the referent.
-                                      When unspecified, "gateway.networking.k8s.io" is inferred.
-                                      To set the core API group (such as for a "Service" kind referent),
-                                      Group must be explicitly set to "" (empty string).
-
-                                      Support: Core
-                                    maxLength: 253
-                                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                    type: string
-                                  kind:
-                                    default: Gateway
-                                    description: |-
-                                      Kind is kind of the referent.
-
-                                      There are two kinds of parent resources with "Core" support:
-
-                                      * Gateway (Gateway conformance profile)
-                                      * Service (Mesh conformance profile, ClusterIP Services only)
-
-                                      Support for other resources is Implementation-Specific.
-                                    maxLength: 63
-                                    minLength: 1
-                                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
-                                    type: string
-                                  name:
-                                    description: |-
-                                      Name is the name of the referent.
-
-                                      Support: Core
-                                    maxLength: 253
-                                    minLength: 1
-                                    type: string
-                                  namespace:
-                                    description: |-
-                                      Namespace is the namespace of the referent. When unspecified, this refers
-                                      to the local namespace of the Route.
-
-                                      Note that there are specific rules for ParentRefs which cross namespace
-                                      boundaries. Cross-namespace references are only valid if they are explicitly
-                                      allowed by something in the namespace they are referring to. For example:
-                                      Gateway has the AllowedRoutes field, and ReferenceGrant provides a
-                                      generic way to enable any other kind of cross-namespace reference.
-
-                                      <gateway:experimental:description>
-                                      ParentRefs from a Route to a Service in the same namespace are "producer"
-                                      routes, which apply default routing rules to inbound connections from
-                                      any namespace to the Service.
-
-                                      ParentRefs from a Route to a Service in a different namespace are
-                                      "consumer" routes, and these routing rules are only applied to outbound
-                                      connections originating from the same namespace as the Route, for which
-                                      the intended destination of the connections are a Service targeted as a
-                                      ParentRef of the Route.
-                                      </gateway:experimental:description>
-
-                                      Support: Core
-                                    maxLength: 63
-                                    minLength: 1
-                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                    type: string
-                                  port:
-                                    description: |-
-                                      Port is the network port this Route targets. It can be interpreted
-                                      differently based on the type of parent resource.
-
-                                      When the parent resource is a Gateway, this targets all listeners
-                                      listening on the specified port that also support this kind of Route(and
-                                      select this Route). It's not recommended to set `Port` unless the
-                                      networking behaviors specified in a Route must apply to a specific port
-                                      as opposed to a listener(s) whose port(s) may be changed. When both Port
-                                      and SectionName are specified, the name and port of the selected listener
-                                      must match both specified values.
-
-                                      <gateway:experimental:description>
-                                      When the parent resource is a Service, this targets a specific port in the
-                                      Service spec. When both Port (experimental) and SectionName are specified,
-                                      the name and port of the selected port must match both specified values.
-                                      </gateway:experimental:description>
-
-                                      Implementations MAY choose to support other parent resources.
-                                      Implementations supporting other types of parent resources MUST clearly
-                                      document how/if Port is interpreted.
-
-                                      For the purpose of status, an attachment is considered successful as
-                                      long as the parent resource accepts it partially. For example, Gateway
-                                      listeners can restrict which Routes can attach to them by Route kind,
-                                      namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
-                                      from the referencing Route, the Route MUST be considered successfully
-                                      attached. If no Gateway listeners accept attachment from this Route,
-                                      the Route MUST be considered detached from the Gateway.
-
-                                      Support: Extended
-                                    format: int32
-                                    maximum: 65535
-                                    minimum: 1
-                                    type: integer
-                                  sectionName:
-                                    description: |-
-                                      SectionName is the name of a section within the target resource. In the
-                                      following resources, SectionName is interpreted as the following:
-
-                                      * Gateway: Listener name. When both Port (experimental) and SectionName
-                                      are specified, the name and port of the selected listener must match
-                                      both specified values.
-                                      * Service: Port name. When both Port (experimental) and SectionName
-                                      are specified, the name and port of the selected listener must match
-                                      both specified values.
-
-                                      Implementations MAY choose to support attaching Routes to other resources.
-                                      If that is the case, they MUST clearly document how SectionName is
-                                      interpreted.
-
-                                      When unspecified (empty string), this will reference the entire resource.
-                                      For the purpose of status, an attachment is considered successful if at
-                                      least one section in the parent resource accepts it. For example, Gateway
-                                      listeners can restrict which Routes can attach to them by Route kind,
-                                      namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
-                                      the referencing Route, the Route MUST be considered successfully
-                                      attached. If no Gateway listeners accept attachment from this Route, the
-                                      Route MUST be considered detached from the Gateway.
-
-                                      Support: Core
-                                    maxLength: 253
-                                    minLength: 1
-                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                    type: string
-                                required:
-                                  - name
-                                type: object
-                              type: array
-                              x-kubernetes-list-type: atomic
-                            podTemplate:
-                              description: |-
-                                Optional pod template used to configure the ACME challenge solver pods
-                                used for HTTP01 challenges.
-                              properties:
-                                metadata:
-                                  description: |-
-                                    ObjectMeta overrides for the pod used to solve HTTP01 challenges.
-                                    Only the 'labels' and 'annotations' fields may be set.
-                                    If labels or annotations overlap with in-built values, the values here
-                                    will override the in-built values.
-                                  properties:
-                                    annotations:
-                                      additionalProperties:
-                                        type: string
-                                      description: Annotations that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                    labels:
-                                      additionalProperties:
-                                        type: string
-                                      description: Labels that should be added to the created ACME HTTP01 solver pods.
-                                      type: object
-                                  type: object
-                                spec:
-                                  description: |-
-                                    PodSpec defines overrides for the HTTP01 challenge solver pod.
-                                    Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
-                                    All other fields will be ignored.
-                                  properties:
-                                    affinity:
-                                      description: If specified, the pod's scheduling constraints
-                                      properties:
-                                        nodeAffinity:
-                                          description: Describes node affinity scheduling rules for the pod.
-                                          properties:
-                                            preferredDuringSchedulingIgnoredDuringExecution:
-                                              description: |-
-                                                The scheduler will prefer to schedule pods to nodes that satisfy
-                                                the affinity expressions specified by this field, but it may choose
-                                                a node that violates one or more of the expressions. The node that is
-                                                most preferred is the one with the greatest sum of weights, i.e.
-                                                for each node that meets all of the scheduling requirements (resource
-                                                request, requiredDuringScheduling affinity expressions, etc.),
-                                                compute a sum by iterating through the elements of this field and adding
-                                                "weight" to the sum if the node matches the corresponding matchExpressions; the
-                                                node(s) with the highest sum are the most preferred.
-                                              items:
-                                                description: |-
-                                                  An empty preferred scheduling term matches all objects with implicit weight 0
-                                                  (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
-                                                properties:
-                                                  preference:
-                                                    description: A node selector term, associated with the corresponding weight.
-                                                    properties:
-                                                      matchExpressions:
-                                                        description: A list of node selector requirements by node's labels.
-                                                        items:
-                                                          description: |-
-                                                            A node selector requirement is a selector that contains values, a key, and an operator
-                                                            that relates the key and values.
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            operator:
-                                                              description: |-
-                                                                Represents a key's relationship to a set of values.
-                                                                Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
-                                                              type: string
-                                                            values:
-                                                              description: |-
-                                                                An array of string values. If the operator is In or NotIn,
-                                                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                                                                the values array must be empty. If the operator is Gt or Lt, the values
-                                                                array must have a single element, which will be interpreted as an integer.
-                                                                This array is replaced during a strategic merge patch.
-                                                              items:
-                                                                type: string
-                                                              type: array
-                                                              x-kubernetes-list-type: atomic
-                                                          required:
-                                                            - key
-                                                            - operator
-                                                          type: object
-                                                        type: array
-                                                        x-kubernetes-list-type: atomic
-                                                      matchFields:
-                                                        description: A list of node selector requirements by node's fields.
-                                                        items:
-                                                          description: |-
-                                                            A node selector requirement is a selector that contains values, a key, and an operator
-                                                            that relates the key and values.
-                                                          properties:
-                                                            key:
-                                                              description: The label key that the selector applies to.
-                                                              type: string
-                                                            o
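Review bot: the visible part of this hunk deletes what appears to be the ACME solver portion of a cert-manager Issuer/ClusterIssuer CRD schema (dns01 route53 and webhook solvers, http01 gatewayHTTPRoute and podTemplate), and the excerpt shown is cut off before the end of the removal, so its full extent cannot be reviewed here. Please state in the PR description where these CRDs are now installed from: kubeconform reports an error for any Issuer/ClusterIssuer manifest whose schema it cannot find unless `-ignore-missing-schemas` or a CRD `-schema-location` is configured, and ArgoCD cannot apply those resources if the CRD is no longer rendered by any chart.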

@github-actions


Helm template diff

No template changes detected.

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 5 changed files in this pull request and generated 5 comments.

Comment thread .github/workflows/ci.yml

- name: Lint and validate charts
run: |
set -e
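Review bot: `set -e` alone does not fail this step when the left-hand side of a pipeline fails, so a `helm template ... | kubeconform` pipeline exits with kubeconform's status even when helm template errors out, and kubeconform never sees the error. Start the script with `set -euo pipefail` so a render failure (or an unset variable such as a missing chart path) fails the job.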
Comment thread .github/workflows/ci.yml
Comment on lines +20 to +21
curl -sL https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz \
| tar xz -C /tmp
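Review bot: the kubeconform archive is downloaded and extracted with no integrity check; unlike the actions/cache step, which is pinned to a commit SHA elsewhere in this file, a release tag can be re-pointed. Download the tarball to a file and compare it against a pinned digest before extracting, e.g. `curl -fsSL "$URL" -o /tmp/kubeconform.tar.gz` followed by `echo "<expected-sha256>  /tmp/kubeconform.tar.gz" | sha256sum -c -` (the digest is a placeholder to fill in from the release), and add `-f` to curl so an HTTP error fails the step instead of handing an error body to tar.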
Comment thread .github/workflows/ci.yml
Comment on lines +84 to +87
name=$(basename "$chart")
helm dependency build "$chart" 2>/dev/null || true
helm template release "$chart" > /tmp/$dir/$name.yaml 2>/dev/null || true
done
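Review bot: `2>/dev/null || true` on both `helm dependency build` and `helm template` hides every render failure, so a chart that fails to build silently produces no `/tmp/$dir/$name.yaml` and the loop moves on with no record of why. If tolerating failures is intentional for rendering the comparison base, keep stderr visible and log the chart on failure, e.g. `helm template release "$chart" > "/tmp/$dir/$name.yaml" || echo "::warning::failed to render $chart"`, and quote the output path, since `$dir` and `$name` are currently unquoted.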
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: ~/.cache/helm
key: helm-${{ hashFiles('charts/**/Chart.yaml', 'charts/**/Chart.lock') }}
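Review bot: the cache key hashes every Chart.yaml and Chart.lock, so a change to any single chart is a full miss and a cold `~/.cache/helm`; add `restore-keys: helm-` so the most recent cache is restored and only the changed dependencies are fetched again. Pinning actions/cache to a commit SHA is the right choice; keep the `# v4` comment in sync when the pin is bumped.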
Comment on lines +16 to +33
- name: Add helm repos
shell: bash
run: |
python3 -c "
import yaml, glob
repos = set()
for f in glob.glob('charts/**/Chart.yaml', recursive=True) + glob.glob('*/charts/**/Chart.yaml', recursive=True):
with open(f) as fh:
data = yaml.safe_load(fh)
for dep in (data or {}).get('dependencies', []):
repo = dep.get('repository', '')
if repo and not repo.startswith('oci://'):
repos.add(repo)
for i, repo in enumerate(sorted(repos)):
print(f'helm repo add repo-{i} {repo}')
" | bash
helm repo update
mkdir -p ~/.docker && echo '{}' > ~/.docker/config.json
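Review bot: the repository URLs read from each Chart.yaml are interpolated unquoted into a shell command string that is then piped to bash, so a value containing shell metacharacters would break or alter the generated `helm repo add` line. Either quote it with `shlex.quote(repo)` or drop the shell round-trip and run `subprocess.run(['helm', 'repo', 'add', f'repo-{i}', repo], check=True)` from the same script. Using `yaml.safe_load` here is correct. Also add a comment explaining the `~/.docker/config.json` line (presumably an empty registry config so OCI pulls do not hit a credential helper), since its purpose is not obvious from the step.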
