replicatedhq / kots-lint
Lint a KOTS application before deploying it
Home Page: https://kots.io
License: Apache License 2.0
This may be a problem downstream, but I noticed a couple of deployment failures on some YAML files that passed linting successfully:
Secret. YAML that passed linting:

apiVersion: v1
kind: Secret
metadata:
  name: object_store

The value should be object-store, not object_store.

Error from attempted deploy:
Error from server (Invalid): error when creating "/Users/iristyle/source/holodeck/holodeck-manifests/output/cd4pe/overlays/midstream": Secret "object_store" is invalid: metadata.name: Invalid value: "object_store": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
Deployment (only relevant YAML shown):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cd4pe
  namespace: 'cd4pe'
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cd4pe
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cd4pe
    spec:
      initContainers:
        - name: create-bucket
          image: minio/mc
          env:
            - name: MINIO_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: object_store
                  key: accessKey

The value should be object-store, not object_store.

Error message:
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "cd4pe", Namespace: "cd4pe"
for: "/Users/iristyle/source/holodeck/holodeck-manifests/output/cd4pe/overlays/midstream": Deployment.apps "cd4pe" is invalid: [spec.template.spec.containers[0].env[13].valueFrom.secretKeyRef.name: Invalid value: "object_store": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'),
apiVersion: troubleshoot.replicated.com/v1beta1
kind: Preflight
metadata:
  name: cd4pe-preflight
spec:
  collectors:
    - run:
        name: object_store
        collectorName: object_store_credentials_valid
        image: minio/mc

object_store_credentials_valid should be object-store-credentials-valid.
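All three failures above come from one rule: the DNS-1123 subdomain regex quoted in the API server error. The Python below is an added example, not kots-lint's own code: it applies that regex to metadata.name, secretKeyRef.name and collectorName while tracking parent keys by indentation, so that container and env-var names, which follow a different rule, are not flagged; the sample manifests are constructed from the report and trimmed.

```python
import re
# DNS-1123 subdomain pattern, copied from the kube-apiserver error quoted above.
DNS1123 = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")
# Only "name" under these keys is checked: env-var names like MINIO_ACCESS_KEY are legal.
CHECKED_PARENTS = {"metadata", "secretKeyRef", "configMapKeyRef"}

def is_dns1123_subdomain(value: str) -> bool:
    return 0 < len(value) <= 253 and DNS1123.fullmatch(value) is not None

def lint_names(manifest: str):
    """(line_no, field, value) for each name the API server would reject; {{repl}} values skipped."""
    findings, stack = [], []           # stack: (indent, key) of the enclosing keys
    for line_no, raw in enumerate(manifest.splitlines(), start=1):
        body = raw.lstrip(" ")
        indent = len(raw) - len(body)
        if body.startswith("- "):      # list item: its key sits two columns deeper
            indent, body = indent + 2, body[2:]
        key, sep, value = body.partition(":")
        if not sep or " " in key or key.startswith("#"):  # blank, comment, "---", ...
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()                # left the previous sibling's subtree
        parent = stack[-1][1] if stack else None
        value = value.strip().strip("'\"")
        checked = key == "collectorName" or (key == "name" and parent in CHECKED_PARENTS)
        if checked and value and not value.startswith("{{") and not is_dns1123_subdomain(value):
            findings.append((line_no, f"{parent}.{key}", value))
        stack.append((indent, key))
    return findings

# Constructed sample: the report's three manifests, trimmed to the relevant fields.
SAMPLE = """\
kind: Secret
metadata:
  name: object_store
---
kind: Deployment
spec:
  initContainers:
    - env:
        - name: MINIO_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: object_store
---
kind: Preflight
spec:
  collectors:
    - run:
        collectorName: object_store_credentials_valid
"""
```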
Add url parameter to force processing of all uploaded files before returning results, regardless of errors. This would be very helpful for CI use cases to avoid ugly repetition of builds to work through multiple files with issues. Currently, the workaround requires uploading each file individually, and compiling the results for each, which takes an unacceptable amount of time to process.
It seems the check for may-contain-secrets frequently surfaces false positives, adding to a lot of noise in linter output.
I'd like to suggest that we disable this check until the false positive rate is lower.
For example, there are no irresponsible secrets in this bundle of manifests, but the linter comes up with several warnings:
https://github.com/replicatedhq/kotsapps/tree/master/postgres-snapshots/manifests
may-contain-secrets info manifests/pg-consumer.yaml It looks like there might be secrets in this file
may-contain-secrets info manifests/pg-snapshot.yaml 29 It looks like there might be secrets in this file
may-contain-secrets info manifests/postgres-secret.yaml 24 It looks like there might be secrets in this file
may-contain-secrets info manifests/postgres-secret.yaml 18 It looks like there might be secrets in this file
For example, this file triggers the warning, but is clearly safe:

apiVersion: v1
kind: Secret
metadata:
  name: postgres
data:
  DB_HOST: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
    {{repl Base64Encode "postgres" }}
    {{repl else}}
    {{repl ConfigOption "external_postgres_host" | Base64Encode }}
    {{repl end}}
  DB_PORT: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
    {{repl Base64Encode "5432" }}
    {{repl else}}
    {{repl ConfigOption "external_postgres_port" | Base64Encode }}
    {{repl end}}
  DB_USER: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
    {{repl Base64Encode "postgres" }}
    {{repl else}}
    {{repl ConfigOption "external_postgres_user" | Base64Encode }}
    {{repl end}}
  DB_PASSWORD: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
    {{repl ConfigOption "embedded_postgres_password" | Base64Encode }}
    {{repl else}}
    {{repl ConfigOption "external_postgres_password" | Base64Encode }}
    {{repl end}}
  DB_NAME: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
    {{repl Base64Encode "postgres" }}
    {{repl else}}
    {{repl ConfigOption "external_postgres_db" | Base64Encode }}
    {{repl end}}
  SCHEMAHERO_URI: >-
    {{repl if ConfigOptionEquals "postgres_type" "embedded_postgres" }}
    {{repl Base64Encode (printf "postgresql://postgres:%s@postgres:5432/postgres?connect_timeout=10&sslmode=disable" (ConfigOption "embedded_postgres_password")) }}
    {{repl else}}
    {{repl Base64Encode (printf "postgresql://%s:%s@%s:%s/%s?connect_timeout=10&sslmode=disable" (ConfigOption "external_postgres_user") (ConfigOption "external_postgres_password") (ConfigOption "external_postgres_host") (ConfigOption "external_postgres_port") (ConfigOption "external_postgres_db")) }}
    {{repl end}}

value: "{{repl RandomString 32}}"
We've recently switched on the new linter. This has resulted in some situations where previously valid yaml is showing incorrect errors.
---
# Random Comment
---
# Random other Comment
Expected: No errors are returned. Or, if an error is returned, it points to the line numbers for the empty file.
Actual: Errors are returned. The error shows a line number for valid YAML, citing that "kind" and "apiVersion" are missing. This is misleading. It could be argued that it's invalid to have an empty file, but given that it was previously passing validation, I'd argue that we should continue to treat it as valid. That is, continue to accept empty docs in a multidoc stream.
For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-nginx
  labels:
    app: example
    component: nginx
spec:
  replicas: 1
  replicas: 1
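To show how a multi-doc stream can keep accepting comment-only documents while still reporting a real object that lacks kind and apiVersion at its own line, here is an added Python example (not kots-lint's code); the stream is constructed from the report above.

```python
import re
DOC_SEPARATOR = re.compile(r"^(---|\.\.\.)\s*$")    # YAML document start / end markers
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][\w./-]*):")  # "key:" at column 0
REQUIRED_FIELDS = ("apiVersion", "kind")

def split_documents(stream: str):
    """Split a multi-doc stream into (start_line, lines); start_line is 1-based."""
    docs, current, start = [], [], 1
    for line_no, line in enumerate(stream.splitlines(), start=1):
        if DOC_SEPARATOR.match(line):
            docs.append((start, current))
            current, start = [], line_no + 1
        else:
            current.append(line)
    docs.append((start, current))
    return docs

def is_empty_document(lines) -> bool:
    """A document holding only blank lines and comments carries no object at all."""
    return all(not l.strip() or l.lstrip().startswith("#") for l in lines)

def lint_stream(stream: str):
    """Return (line_no, message) findings; comment-only documents are accepted silently."""
    findings = []
    for start, lines in split_documents(stream):
        if is_empty_document(lines):
            continue
        top_keys = {m.group(1) for m in map(TOP_LEVEL_KEY.match, lines) if m}
        # Point at the first real content line of this document, not at the separator.
        first = next(start + i for i, l in enumerate(lines)
                     if l.strip() and not l.lstrip().startswith("#"))
        for field in REQUIRED_FIELDS:
            if field not in top_keys:
                findings.append((first, f"missing required field {field}"))
    return findings

# Constructed sample: the comment-only documents from the report, a valid
# Deployment, and one object that really does lack apiVersion and kind.
SAMPLE = """\
---
# Random Comment
---
# Random other Comment
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-nginx
---
metadata:
  name: untyped
"""
```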
We should add v1.18.x schemas to kubernetes-json-schema and drop the v1.15.7-standalone-strict schemas.