{"id":26256621,"url":"https://github.com/netcracker/qubership-env-checker","last_synced_at":"2025-12-27T12:08:07.198Z","repository":{"id":274652852,"uuid":"908556390","full_name":"Netcracker/qubership-env-checker","owner":"Netcracker","description":null,"archived":false,"fork":false,"pushed_at":"2025-03-05T10:20:09.000Z","size":64,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-05T11:26:40.109Z","etag":null,"topics":["observability"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Netcracker.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-26T11:07:18.000Z","updated_at":"2025-02-06T10:49:09.000Z","dependencies_parsed_at":"2025-02-26T09:26:33.969Z","dependency_job_id":"4c45f865-7cff-4993-8f71-95aa8e4871fa","html_url":"https://github.com/Netcracker/qubership-env-checker","commit_stats":null,"previous_names":["netcracker/qubership-env-checker"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcracker%2Fqubership-env-checker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcracker%2Fqubership-env-checker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcracker%2Fqubership-env-checker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Netcracker%2Fqubership-env-checker/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Netcracker","download_url":"https://codeload.github.com/Netcracker/qubership-env-checker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243475363,"owners_count":20296714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["observability"],"created_at":"2025-03-13T20:18:41.257Z","updated_at":"2025-12-27T12:08:07.190Z","avatar_url":"https://github.com/Netcracker.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Qubership Environment Checker\n\n[![Build](https://img.shields.io/github/actions/workflow/status/Netcracker/qubership-env-checker/build.yaml?branch=main\u0026style=flat-square)](https://github.com/Netcracker/qubership-env-checker/actions/workflows/build.yaml)\n[![Docker](https://img.shields.io/badge/docker-ghcr.io-blue?style=flat-square)](https://github.com/Netcracker/qubership-env-checker/pkgs/container/qubership-env-checker)\n[![Release](https://img.shields.io/github/v/release/Netcracker/qubership-env-checker?style=flat-square)](https://github.com/Netcracker/qubership-env-checker/releases)\n[![Docs](https://img.shields.io/badge/docs-available-green?style=flat-square)](docs/InstallationGuide.md)\n\nAn independent microservice designed to validate Kubernetes or OpenShift environments in the cloud. Built on Jupyter ecosystem (JupyterLab + JupyterHub), this environment checker inspects infrastructure, Kubernetes entities, labels, annotations, variables, and more. 
It generates detailed reports that can be sent to storage or monitoring systems for identifying and troubleshooting environment issues.\n\n## Features\n\n- **Environment Validation**: Comprehensive validation of Kubernetes and OpenShift environments\n- **Infrastructure Inspection**: Analyze Kubernetes entities, labels, annotations, and variables\n- **Detailed Reporting**: Generate comprehensive reports for troubleshooting and monitoring\n- **Flexible Deployment Modes**: Two distinct operational modes for different environments\n- **Real-time Debugging**: Interactive environment analysis through a Jupyter-based interface\n- **Automated Execution**: Job-based execution for production environments\n- **Authentication Integration**: OAuth2/Keycloak integration for secure access in non-production\n- **Cloud-Native**: Designed specifically for cloud Kubernetes deployments\n\n## Deployment Modes\n\nThe env-checker supports two operational modes:\n\n### 🔧 Non-Production Mode\n\n- **Interactive UI**: Full Jupyter interface (JupyterLab + JupyterHub) for real-time debugging\n- **OAuth2 Authentication**: Secure web access via Keycloak/IDP integration\n- **Architecture**: `OAuth2 Proxy` → `Ingress` → `Service` → `Env-Checker Pod`\n\n### 🔒 Production Mode\n\n- **Job-based Execution**: Automated validation via Kubernetes Jobs/CronJobs\n- **No UI Access**: No web interface or interactive components\n- **Architecture**: `Kubernetes Job` → `Env-Checker Pod`\n\n\u003e **⚠️ Security**: Different modes exist because env-checker requires cluster-wide `view` permissions. Production mode eliminates interactive access.\n\n## Requirements\n\n| Component  | Requirement | Version |\n|------------|-------------|---------|\n| Kubernetes | Mandatory   | 1.21+   |\n| Helm       | Mandatory   | 3.0+    |\n| Docker     | Optional    | 20.0+   |\n\n\u003e **Note**: This service installs the latest stable kubectl version internally. 
Ensure compatibility with your cluster version.\n\n## Installation\n\n### Quick Start\n\n```bash\n# Non-Production Mode (with UI without Ingress)\nhelm upgrade --install qubership-env-checker \\\n    --namespace=env-checker --create-namespace \\\n    charts/env-checker\n\n# Production Mode (Job-only)\nhelm upgrade --install qubership-env-checker \\\n    --namespace=env-checker --create-namespace \\\n    --set PRODUCTION_MODE=true \\\n    --set ENVIRONMENT_CHECKER_JOB_COMMAND=\"python /scripts/validate.py\" \\\n    charts/env-checker\n```\n\nFor detailed installation instructions, hardware requirements, and advanced configuration, see the [Installation Guide](docs/InstallationGuide.md).\n\n### Required RBAC Configuration\n\n⚠️ **Security Considerations**: The env-checker requires cluster-wide `view` permissions to inspect Kubernetes resources across all namespaces. This is necessary for comprehensive environment validation but represents significant access. **Manual RBAC configuration is required** to ensure explicit authorization.\n\nCreate the necessary ClusterRoleBinding for the service account:\n\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: view-for-env-checker\nsubjects:\n  - kind: ServiceAccount\n    name: env-checker-sa\n    namespace: env-checker  # Replace with your namespace\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: view\n```\n\n\u003e **Why such broad permissions?** The env-checker needs to validate infrastructure components, inspect labels/annotations on resources across namespaces, analyze network policies, check resource quotas, and examine cluster-wide configurations. 
The `view` ClusterRole provides read-only access to most Kubernetes resources cluster-wide.\n\n## Usage\n\n**Non-Production Mode**: Access Jupyter UI via browser, create/run notebooks interactively\n**Production Mode**: Pre-built validation scripts run as Kubernetes Jobs/CronJobs\n\n**Access UI** (Non-Production only):\n\n```bash\nkubectl port-forward svc/env-checker 8888:8888 -n env-checker\n# Then open http://localhost:8888\n```\n\n## Configuration\n\n| Parameter | Mode | Mandatory | Default | Description |\n|-----------|------|-----------|---------|-------------|\n| `PRODUCTION_MODE` | Both | No | `false` | Controls deployment mode |\n| `CLOUD_PUBLIC_HOST` | Non-Prod | No | `qubership` | Public host for Ingress (set real domain if using Ingress) |\n| `OPS_IDP_URL` | Non-Prod | No | - | Keycloak URL (enables OAuth2) |\n| `ENVCHECKER_KEYCLOACK_*` | Non-Prod | No | - | Keycloak credentials (required if OAuth2 enabled) |\n| `ENVIRONMENT_CHECKER_UI_ACCESS_TOKEN` | Non-Prod | No | *auto* | UI access token |\n| `ENVIRONMENT_CHECKER_JOB_COMMAND` | Prod | Yes | - | Job execution command |\n| `ENVIRONMENT_CHECKER_CRON_*` | Prod | No | - | CronJob settings |\n\n\u003e **Note**: Namespace is set via `--namespace`, not `--set NAMESPACE`\n\n### OpenShift Configuration\n\nFor OpenShift deployments, set:\n\n```yaml\nCHOWN_HOME: \"yes\"\nCHOWN_HOME_OPTS: \"-R\"\n```\n\nSee the complete parameter reference in the [Installation Guide](docs/InstallationGuide.md).\n\n## API Reference\n\nThe env-checker utilizes the Jupyter Server API (v2.0+) without extensions. 
For detailed API documentation, refer to the [Jupyter Server API documentation](https://jupyter-server.readthedocs.io/en/latest/developers/rest-api.html).\n\n## Architecture\n\n```mermaid\nflowchart TB\n    subgraph \"Non-Production Mode\"\n        A([User]) --\u003e B[OAuth2 Proxy]\n        B --\u003e C[Ingress]\n        C --\u003e D[Service]\n        D --\u003e E[Env-Checker Pod\u003cbr/\u003eJupyter UI]\n        E --\u003e F[(Kubernetes API)]\n    end\n\n    subgraph \"Production Mode\"\n        I[Kubernetes Job] --\u003e J[Env-Checker Pod\u003cbr/\u003eHeadless]\n        J --\u003e K[(Kubernetes API)]\n    end\n\n    F --\u003e N[(Environment Resources)]\n    K --\u003e N\n```\n\n## Testing\n\n**Verify deployment:**\n\n```bash\nkubectl get pods -n env-checker\nkubectl logs -l app.kubernetes.io/name=env-checker -n env-checker\n```\n\n**Test API access:**\n\n```bash\nkubectl exec -it deployment/env-checker -n env-checker -- kubectl get ns\n```\n\n**Troubleshooting**: If kubectl fails, verify ClusterRoleBinding and RBAC permissions. See [Installation Guide](docs/InstallationGuide.md#tests) for details.\n\n## Contributing\n\nPlease read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct and the process for submitting pull requests.\n\nSee also:\n\n- [Code of Conduct](CODE-OF-CONDUCT.md)\n- [Security Policy](SECURITY.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetcracker%2Fqubership-env-checker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetcracker%2Fqubership-env-checker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetcracker%2Fqubership-env-checker/lists"}