October 13, 2021 02:58 am GMT

Validate Kubernetes Manifests in GitHub Actions with Datree

In this second article dedicated to Datree we will explore how to use the tool with GitHub Actions to validate and secure our Kubernetes deployments.

Video

As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.

Link to the video: https://youtu.be/aM7EVflmEt4. This part about GitHub Actions starts at minute 14:12

If you'd rather read, well... let's just continue :)

The Basics

While I will not cover how to install and use the service in general (check the video and the first article of this series if you want to know more about it), there are a few things worth remembering that will be useful later on in this article:

  • Datree is a CLI tool, which works on Linux, macOS and Windows
  • The Centralized Policy Management uses a Token as connection between the scans and the account

Datree in GitHub Actions

Alright, let's do this. The first thing we have to do, as we would in a local environment, is to install the CLI:

      - name: Install DaTree
        run: curl https://get.datree.io | /bin/bash

In this case the workflow is running on Linux, so I can use the bash script for installing it.

This step will take only a few seconds to execute.

This is necessary if you are using the GitHub-hosted runners. If you are instead on self-hosted runners, you can install the CLI directly on the agent machine and skip this step. However, you'd need to take care of updating the CLI manually.
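The install step above pipes whatever the URL serves straight into bash, so the downloaded script runs with the job's permissions. The following is an added example, not code from the original post or from Datree, of a variant that downloads the installer to a file and runs it only if its SHA-256 matches a digest you pinned after reviewing the script. The function names and the digest placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pinned-checksum variant of the "Install DaTree" step.
# Function names are hypothetical; the digest in the usage line is a placeholder.

# Print the SHA-256 hex digest of a file; fail if it cannot be read.
sha256_of() {
  local out
  if command -v sha256sum >/dev/null 2>&1; then
    out="$(sha256sum "$1")" || return 1      # Linux runners
  else
    out="$(shasum -a 256 "$1")" || return 1  # macOS runners
  fi
  echo "${out%% *}"                          # keep only the digest column
}

# run_if_pinned FILE EXPECTED_SHA256
# Runs FILE with bash only when its digest equals the pinned value.
# Returns 2 on mismatch, without executing anything.
run_if_pinned() {
  local actual
  actual="$(sha256_of "$1")" || return 1
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 2
  fi
  /bin/bash "$1"
}

# install_pinned URL EXPECTED_SHA256
# Downloads to a temp file first, so a failed or partial download is never run.
install_pinned() {
  local tmp rc=0
  tmp="$(mktemp)" || return 1
  # -f: fail on HTTP errors; -sS: quiet but still print errors; -L: follow redirects
  curl -fsSL "$1" -o "$tmp" && run_if_pinned "$tmp" "$2" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage inside the workflow's run: step (placeholder digest, not a real value):
#   install_pinned https://get.datree.io "<sha256-of-the-installer-you-reviewed>"
```

A pinned digest makes the step fail whenever the installer changes upstream, so the digest has to be refreshed each time you review and accept a new version.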

Next, we can invoke the validation command:

      - name: Scan with DaTree
        run: datree test ./kubernetes/*.yml
        env:
          DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}

As you can see, nothing different from what we would normally do.

Since we don't have access to the config file in our CI environment, we need to pass the Token as an environment variable. Best practice is to save it as a secret in the repo and retrieve it using ${{ secrets.YOUR_SECRET_NAME }}.

In the example above the Token is passed as an environment variable directly in the step to minimize exposure. If you have multiple scans in the same workflow, you can also add it as a job or workflow environment variable.

And this is basically all you need.

So the full workflow will look like this:

name: K8S YAML Validation
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
      - name: Install DaTree
        run: curl https://get.datree.io | /bin/bash
      - name: Scan with DaTree
        run: datree test ./kubernetes/*.yml
        env:
          DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}

Of course, you can also integrate this into your own CI or PR validation workflows rather than keeping it separate, if you wish.

Execution and Results

The first thing to notice is that, as I've said before, the installation step is very quick.

Installation

This is why it is probably a good idea to leave it there even on Self-hosted runners so you don't have to worry about updating it.

Execution

And the validation scan is also very quick.

Second thing to notice is that by design if a validation fails it will break the build/run. This is to ensure the enforcement of the policies and best practices.

Finally, let's take a look at the results.

Results

As you can see, the output is exactly the same as when executing the CLI on any local environment, or anywhere else for that matter, keeping the experience very consistent.

Offer

Datree is free to use up to 1000 scans per month, and you can pay for more scans and enhanced support. However...

A Month for Free

You can get 1 month of the Premium plan for FREE if you use this link: https://app.datree.io/?utm_source=coder-dave&medium=youtube

Conclusions

So, what do you think about Datree? Is it something you will adopt as part of your workflow? Let me know in the comment section below, I'd really like to know it.

You may also want to watch this video in which I show you how to deploy to Kubernetes in Azure Pipelines starting from scratch.



Original Link: https://dev.to/n3wt0n/validate-kubernetes-manifests-in-github-actions-with-datree-1190
