Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm template validation in our CI/CD #279

Closed
3 tasks done
Tracked by #879
consideRatio opened this issue Mar 1, 2021 · 4 comments · Fixed by #1045
Closed
3 tasks done
Tracked by #879

Helm template validation in our CI/CD #279

consideRatio opened this issue Mar 1, 2021 · 4 comments · Fixed by #1045
Assignees
@consideRatio
Labels
Enhancement An improvement to something or creating something new.

Comments

@consideRatio
Copy link
Contributor

consideRatio commented Mar 1, 2021
edited
Loading

Description

Rendering Helm templates is a cheap and easy test that I think would help us catch some potential problems.

We could also use the kubeval plugin for helm or the more rigorous --validate flag, but the latter requires access to a k8s cluster - either the one we actually use or a local CI cluster. These help us validate the rendered templates themselves.

Benefit

Doing this would ensure that we don't have any configuration in our charts that is going to clash with what Kubernetes expects - by validating quickly we can fail early rather than later on as a part of a deployment.

Implementation details

We could add a GitHub action that does a simple helm template command. This wouldn't be a rigorous validation, but would be a way to quickly check that the configuration was reasonable and didn't have errors.

We could use dummy values such as proxy.secretToken if needed to render without our secret config.

For a more rigorous test, we could also investigate using the helm kubeval plugin.

Here's how it is used in the mybinder.org deployment:

https://github.com/jupyterhub/mybinder.org-deploy/blob/2603737e02c6a32632a06ab0bad6608235cc86c0/.github/workflows/lint-validate.yml#L93-L136

Tasks to complete
@consideRatio consideRatio changed the title A test on PRs to verify templates can render and the rendered resources CI: Verify elm templates can render, and that rendered k8s resources are valid Mar 1, 2021
@consideRatio consideRatio changed the title CI: Verify elm templates can render, and that rendered k8s resources are valid CI: Verify Helm templates can render + rendered k8s resources are valid Mar 1, 2021
@choldgraf choldgraf added Enhancement An improvement to something or creating something new. and removed type: goal labels Apr 15, 2021
@choldgraf choldgraf mentioned this issue Aug 16, 2021
Closed
@choldgraf choldgraf changed the title CI: Verify Helm templates can render + rendered k8s resources are valid Helm template validation in our CI/CD Aug 31, 2021
@consideRatio consideRatio mentioned this issue Oct 6, 2021
Merged
@consideRatio consideRatio mentioned this issue Oct 28, 2021
Closed
4 tasks
@choldgraf
Copy link
Member

As a part of #790 we identified that implementing this would have been a quick way to avoid the problem we encountered of using an incorrect configuration structure. I'm going to bump this one on the queue a bit since it seems like a quick win.

@consideRatio consideRatio self-assigned this Nov 24, 2021
@consideRatio
Copy link
Contributor Author

I'm become quite opinionated at this point in time how to go about this based on some additional experience, this is my suggestion.

  1. Whenever helm template is used in any way, we rely on dummy values as replacement of secrets if needed to get a valid config, which makes all of this something that can run without decrypting sensitive secrets etc.
  2. We use helm template without --validate to start with to ensure we can render the templates at all.
  3. As a stretch goal, we use helm template --validate against a temporary k8s cluster to validate the resources are valid as well against a modern version of k8s.
    • Note: CRDs needs to be registered ahead of time, otherwise the k8s api-server sais custom resources, for example in use by dask-gateway and cert-manager, will be invalid.

This is a task I'm willing to tackle, but would love @sgibson91's review assistance!

@choldgraf choldgraf moved this to Todo 👍 in Sprint Board Nov 24, 2021
@consideRatio consideRatio moved this from Todo 👍 to In Progress ⚡ in Sprint Board Nov 24, 2021
@sgibson91
Copy link
Member

I'm loving part 1 🙌🏻 I think the mybinder.org-deploy repo has something along these lines (maybe just for linting though?) if you wanted to crib from there.

@choldgraf
Copy link
Member

I believe that in our team meeting today @consideRatio agreed to pick this one up! Just encoding that decision here :-) let us know how we can help with this @consideRatio , I'm excited to improve the resilience of our deployment infrastructure!

This was referenced Nov 26, 2021
Merged
Closed
@choldgraf choldgraf mentioned this issue Nov 29, 2021
Closed
@choldgraf choldgraf mentioned this issue Dec 7, 2021
Closed
7 tasks
@consideRatio consideRatio mentioned this issue Mar 2, 2022
Merged
Repository owner moved this from In Progress ⚡ to Done 🎉 in Sprint Board Mar 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@consideRatio consideRatio

Labels
Enhancement An improvement to something or creating something new.
Projects
No open projects
Sprint Board
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Chart schemas, deployer script validation, and ci integration consideRatio/pilot-hubs
3 participants
@choldgraf @consideRatio @sgibson91