{"id":24956710,"url":"https://github.com/doodlescheduling/flux-build","last_synced_at":"2025-09-25T20:10:20.760Z","repository":{"id":168235976,"uuid":"641911227","full_name":"DoodleScheduling/flux-build","owner":"DoodleScheduling","description":"Build and test kustomize overlays with flux2 HelmRelease support","archived":false,"fork":false,"pushed_at":"2025-04-10T13:00:30.000Z","size":1093,"stargazers_count":34,"open_issues_count":26,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-10T14:45:40.941Z","etag":null,"topics":["ci-pipeline","flux","github-action","gitops","helm","kubernetes","kustomize","validation"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DoodleScheduling.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-05-17T12:26:10.000Z","updated_at":"2025-03-13T05:25:27.000Z","dependencies_parsed_at":"2023-09-28T01:45:14.385Z","dependency_job_id":"264eb2df-0da4-40c4-828f-f2520ac9f0cb","html_url":"https://github.com/DoodleScheduling/flux-build","commit_stats":null,"previous_names":["doodlescheduling/flux-kustomize-action","doodlescheduling/flux-build"],"tags_count":31,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoodleScheduling%2Fflux-build","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoodleScheduling%2Fflux-build/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoodleScheduling%2Fflux-build/releases","manifests_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoodleScheduling%2Fflux-build/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DoodleScheduling","download_url":"https://codeload.github.com/DoodleScheduling/flux-build/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248279152,"owners_count":21077392,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-pipeline","flux","github-action","gitops","helm","kubernetes","kustomize","validation"],"created_at":"2025-02-03T06:40:51.129Z","updated_at":"2025-09-25T20:10:15.734Z","avatar_url":"https://github.com/DoodleScheduling.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Build and test kustomize overlays with flux support\n\n[![release](https://img.shields.io/github/release/DoodleScheduling/flux-build/all.svg)](https://github.com/DoodleScheduling/flux-build/releases)\n[![release](https://github.com/doodlescheduling/flux-build/actions/workflows/release.yaml/badge.svg)](https://github.com/doodlescheduling/flux-build/actions/workflows/release.yaml)\n[![report](https://goreportcard.com/badge/github.com/DoodleScheduling/flux-build)](https://goreportcard.com/report/github.com/DoodleScheduling/flux-build)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/DoodleScheduling/flux-build/badge)](https://api.securityscorecards.dev/projects/github.com/DoodleScheduling/flux-build)\n[![Coverage 
Status](https://coveralls.io/repos/github/DoodleScheduling/flux-build/badge.svg?branch=master)](https://coveralls.io/github/DoodleScheduling/flux-build?branch=master)\n[![license](https://img.shields.io/github/license/DoodleScheduling/flux-build.svg)](https://github.com/DoodleScheduling/flux-build/blob/master/LICENSE)\n\nTest kustomize overlays with support for templating flux2 HelmReleases.\nErrors must be caught as early as possible in a delivery pipeline. Errors emerging from HelmReleases often only occur once a HelmRelease is already applied to the cluster.\nThis app can be used locally and in a CI pipeline to validate kustomize overlays early.\n\nIt builds a kustomization overlay similarly to how the kustomize-controller does.\nThe built manifests are dumped to stdout (or to the configured output).\nWhile this is useful on its own, the main feature is that the output also includes all manifests templated from each HelmRelease discovered within the kustomize build.\n\nAs with a flux2 kustomization, it automatically creates the kustomize.yaml if none exists.\n\n* Recursively kustomizes a folder\n* Templates all HelmReleases found\n* Supports all HelmRelease features including in-line values, ConfigMaps, Secrets and postRender patches\n* Made to work without accessing any kubernetes clusters\n\nThe built manifests can be used for further tests like kubeconform tests, kyverno checks and other tooling or just to inspect\nlocally what the manifests will look like after installing the HelmRelease.\n\nflux-build basically behaves like `kustomize build` but supports HelmRelease templating in addition.\n\n## Usage\n\n```\nflux-build path/to/kustomize\n```\n\nThis dumps all manifests to stdout.\nIt is also possible to chain multiple paths. This is useful when a HelmRelease should be templated but its values and/or source are in a different directory or kustomize overlay.\n\n```\nflux-build --workers=50 path/to/overlay /path/to/helmrepositories 
/path/to/configmapvalues\n```\n\nThe rendering also works if a single path to a HelmRelease is given:\n```\nflux-build helmrelease.yaml /path/to/helmrepositories\n```\n\n## Installation\n\n### Brew\n```\nbrew tap doodlescheduling/flux-build\nbrew install flux-build\n```\n\n### Docker\n```\ndocker pull ghcr.io/doodlescheduling/flux-build:v3\n```\n\n## Arguments\n\n| Flag  | Env | Default | Description |\n| ------------- | ------------- | ------------- | ------------- |\n| ``  | `PATHS`  | `` | **REQUIRED**: One or more comma-separated paths to kustomize |\n| `--workers`  | `WORKERS`  | `Number of CPU cores` | Workers used to template the HelmReleases. Greatly improves speed if there are many HelmReleases |\n| `--fail-fast`  | `FAIL_FAST` | `false` | Exit early if an error occurred |\n| `--allow-failure`  | `ALLOW_FAILURE` | `false` | Do not exit \u003e 0 if an error occurred |\n| `--cache`  | `CACHE`  | `inmemory` | Type of Helm charts cache to use, options: `none`, `inmemory`, `fs`|\n| `--cache-dir`  | `CACHE_DIR`  | `` | Directory for `fs` Helm charts cache |\n| `--api-versions` | `API_VERSIONS` | `` | Kubernetes API versions used for Capabilities.APIVersions (see helm help) |\n| `--kube-version`  | `KUBE_VERSION` | `1.31.0` | Kubernetes version (some Helm charts validate manifests against a specific Kubernetes version) |\n| `--output`  | `OUTPUT` | `/dev/stdout` | Path to output file |\n| `--include-helm-hooks` | `INCLUDE_HELM_HOOKS` | `false` | Include helm hooks in the output |\n\n\n## GitHub Action\n\nThis app also works well in CI; in fact, this was the original reason it was created.\n\n### Example usage\n\n```yaml\nname: flux-build\non:\n- pull_request\n\njobs:\n  build:\n    strategy:\n      matrix:\n        cluster: [staging, production]\n\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0\n    - uses: docker://ghcr.io/doodlescheduling/flux-build:v3\n      env:\n        PATHS: ./${{ 
matrix.cluster }}\n        OUTPUT: /dev/null\n```\n\n### Advanced example\n\nWhile a simple GitOps pipeline just verifies that kustomizations can be built and HelmReleases installed, a more advanced pipeline\nincludes follow-up validations like kyverno tests, kubeval validations or kubeaudit tests.\n\n```yaml\nname: flux-build\non:\n- pull_request\n\njobs:\n  build:\n    strategy:\n      matrix:\n        cluster: [staging, production]\n\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0\n    - uses: docker://ghcr.io/doodlescheduling/flux-build:v3\n      env:\n        PATHS: ./${{ matrix.cluster }}\n        WORKERS: \"50\"\n        OUTPUT: ./build.yaml\n    - name: Setup kubeconform\n      shell: bash\n      run: |\n        curl -L -v --fail https://github.com/yannh/kubeconform/releases/download/v0.6.1/kubeconform-linux-amd64.tar.gz -o kubeconform.tgz\n        tar xvzf kubeconform.tgz\n        sudo mv kubeconform /usr/bin/\n    - name: Setup openapi2jsonschema\n      shell: bash\n      run: |\n        curl -L -v --fail https://raw.githubusercontent.com/yannh/kubeconform/v0.6.2/scripts/openapi2jsonschema.py -o openapi2jsonschema.py\n        sudo mv openapi2jsonschema.py /usr/bin/openapi2jsonschema\n        sudo chmod +x /usr/bin/openapi2jsonschema\n    - name: Setup yq\n      uses: chrisdickinson/setup-yq@3d931309f27270ebbafd53f2daee773a82ea1822 #v1.0.1\n      with:\n        yq-version: v4.24.5\n    - name: Convert CRD to json schemas\n      shell: bash\n      run: |\n        echo \"openapi2jsonschema ./build.yaml\"\n        mkdir \"schemas\"\n        # Extract only the CRDs from the flux-build output\n        cat ./build.yaml | yq -e 'select(.kind == \"CustomResourceDefinition\")' \u003e schemas/crds.yaml\n        pip install pyyaml\n        openapi2jsonschema schemas/*.yaml\n    - name: Run conform\n      shell: bash\n      env:\n        KUBERNETES_VERSION: \"${{ inputs.kubernetes-version }}\"\n      run: |\n        echo \"kubeconform ./build.yaml\"\n        cat ./build.yaml | 
kubeconform -kubernetes-version $KUBERNETES_VERSION -schema-location default -schema-location \"schemas/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json\" --skip CustomResourceDefinition,APIService --strict --summary\n    - name: Setup kyverno\n      shell: bash\n      run: |\n        curl -LO --fail https://github.com/kyverno/kyverno/releases/download/v1.7.2/kyverno-cli_v1.7.2_linux_x86_64.tar.gz\n        tar -xvf kyverno-cli_v1.7.2_linux_x86_64.tar.gz\n        sudo cp kyverno /usr/local/bin/\n    - name: Test kyverno policies\n      shell: bash\n      run: |\n        kyverno apply kyverno-policies -r ./build.yaml\n```\n\n## Dealing with secrets\n\nSecrets are usually in an encrypted form and only available as v1.Secret on the cluster directly if following best GitOps practices.\nThis means flux-build does not have direct access to these secrets, but some resources might still depend on them.\n\nIt depends whether the secret's value is actually a hard dependency or a soft one. An example of a hard dependency is a secret used in a HelmRepository\nas repository credentials.\nIf flux-build is used in a CI build, a way to achieve this is to store the plain v1.Secret as a CI secret and inject it into the folder which gets\nbuilt by flux-build. 
Locally one might first need to pull the decrypted secret from the cluster.\n\nSoft dependencies are those where the actual secret's value is only required at runtime on the cluster, so flux-build can use any value.\nFor these, a good practice is to add a dummy secret which is available to flux-build but not synced to the cluster (either by placing the dummies in a folder which is not targeted by a flux kustomization or by annotating\nthe dummy secrets with `kustomize.toolkit.fluxcd.io/reconcile: disabled`).\nThis case typically arises when a HelmRelease refers to v1.Secrets as values.\n\n\n## License notice\n\nMany internal packages have been cloned from [source-controller](https://github.com/fluxcd/source-controller) and [helm-controller](https://github.com/fluxcd/helm-controller) to achieve the same functionality for this\naction as at controller runtime.\n\nPlease see upstream [license](https://github.com/fluxcd/source-controller/blob/main/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoodlescheduling%2Fflux-build","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdoodlescheduling%2Fflux-build","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoodlescheduling%2Fflux-build/lists"}