Helm Release Expander
Practitioners of the GitOps approach (as applied to Kubernetes) reap a number of
benefits deriving from Git being a source of truth for the state of a cluster.
One such important benefit is an ability to check the resource manifests at the
CI time for errors, security vulnerabilities, etc. However, when using
applications deployed via Flux's HelmRelease
resources, the CI pipeline does not see the actual manifests that a release is
expanded into and thus cannot verify them.
This project's goal is to provide a tool that expands the HelmRelease
resources into
the resulting manifests, thus allowing the verification tools to check them.
Invoke the tool with one or more arguments that are names of the files with the
input manifests. The tool will inspect the resources defined in those manifests
and, if it finds any HelmRelease
objects, will expand them into the resulting
manifests, using charts from the repositories those HelmRelease
objects refer
to. If the repository resources are missing in the input, the tool will fail.
If you do not provide any input files, the tool will read from the standard
input.
For example, here is how you could use the tool to verify the generated resources
with kubeconform:
kustomize build /my/kustomization/root | fouskoti expand --kube-version=1.28 | kubeconform --kubernetes-version=1.28.0
Command line options
The following options are available:
Option |
Description |
--log-level |
A level threshold for logging (must be debug, info, warn, or error) |
--log-format |
Format for the log entries (text or json) |
--credentials-file |
A path to the file with chart repository credentials |
--kube-version |
Kubernetes version to pass to charts in .Capabilities.KubeVersion |
--api-versions |
API version list (comma separated) to pass to charts in .Capabilities.APIVersions |
The --credentials-file
option is required when there are chart repositories
that require authentication. It must be a YAML file with a dictionary, having
the repository URLs as keys and a dictionaries of authentication credentials as
values. Currently, SSH Git repository URLs require two items: identity
(a
private SSH key) and known_hosts
(public keys for the host in the URL).
You can use a $ENV_VAR
as value to use a value of an environment variable.
Example of a credentials file:
ssh://git@github.com/:
credentials:
identity: |
-----BEGIN OPENSSH PRIVATE KEY-----
<snip>
-----END OPENSSH PRIVATE KEY-----
known_hosts: |
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
In some CI systems, SSH keys for your repositories may sometimes not be
available, with your CI pipeline only having access to a repository HTTPS token.
In such situations, you can tell the program to use an HTTPS URL instead of an
SSH one by providing a username
and password
credential instead of an
identity
one. So this configuration will connect to https://github.com/
instead:
ssh://git@github.com/:
credentials:
username: git
password: $GITHUB_TOKEN
Plans
- Add persistent chart caching.
- Improve authentication support for Helm and OCI repositories.
- Add recursive expansion of generated HelmRelease resources.
- Expand the README content describing the program and its usage.