https://github.com/datreeio/helm-datree
A Helm plugin to validate charts against the Datree's CLI tool
- Host: GitHub
- URL: https://github.com/datreeio/helm-datree
- Owner: datreeio
- License: mit
- Created: 2021-05-16T07:46:14.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2023-10-27T15:46:07.000Z (over 1 year ago)
- Last Synced: 2024-05-22T12:32:57.963Z (11 months ago)
- Topics: helm, kubernetes
- Language: Shell
- Homepage: https://hub.datree.io/integrations
- Size: 48.8 KB
- Stars: 110
- Watchers: 13
- Forks: 26
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
- awesome-datree - Datree Helm Plugin - A Helm plugin to validate charts against the Datree policy **by datreeio** (💻 Projects)
README
# Datree Helm Plugin
A [Helm](https://www.datree.io/helm-chart) plugin to validate charts against the Datree policy
## Installation
```
helm plugin install https://github.com/datreeio/helm-datree
```
⚠️ Helm plugins are not supported on Windows OS ⚠️
_Windows users can work around this by using [Helm under WSL](https://github.com/helm/helm-2to3#for-windows-using-wsl)_

### Update Datree's plugin version
```
helm plugin update datree
```
### Uninstall
```
helm plugin uninstall datree
```

## Usage
### Trigger datree policy check via the helm CLI
```
helm datree test [CHART_DIRECTORY]
```

### Passing arguments
If you need to pass helm arguments to your template, you will need to add `--` before them:
```
helm datree test [CHART_DIRECTORY] -- --values values.yaml --set name=prod
```
### Test files
By default, test files generated by Helm will be skipped. If you wish to include test files in your policy check, add the `--include-tests` flag:
```
helm datree test --include-tests [CHART_DIRECTORY]
```

### Check plugin version
```
helm datree version
```

### See help text
```
helm datree help
```

### Using other helm command
Helm might be installed through other tooling, such as microk8s. The `DATREE_HELM_COMMAND` environment variable specifies the command used to run helm (default: `helm`):
```
DATREE_HELM_COMMAND="microk8s helm3" helm datree test [CHART_DIRECTORY]
```

## Testing multiple charts
If you have multiple charts inside a single directory, you can test all of them sequentially using the following script:
```bash
#!/bin/bash

# Directory to search for charts (defaults to the current directory)
path="${1:-.}"
# Highest exit code seen across all charts
final_exit_code=0

while read -r helmchart; do
  dir="$(dirname "$helmchart")"
  echo "*** Proceeding to test Helm chart: $helmchart ***"
  # Do not abort on a failed check; record the exit code and keep going
  set +e
  helm datree test "$dir"
  exitcode=$?
  set -e
  if [ "$exitcode" -gt "$final_exit_code" ]; then
    final_exit_code="$exitcode"
  fi
  echo ""
done < <(find "$path" -type f -name 'Chart.y*ml')

if [ "$final_exit_code" = 0 ]; then
  echo "Success"
else
  echo "Violations found, returning exit code $final_exit_code"
fi
exit "$final_exit_code"
```

The script runs a policy check against every chart before exiting, and returns 0 only if no violations were found in any of them.
This is useful for CI, to avoid the need to call `datree test` multiple times.

## Examples
### Basic usage
```
helm plugin install https://github.com/datreeio/helm-datree
git clone git@github.com:datreeio/examples.git
helm datree test examples/helm-chart/nginx
```
### GitHub Workflow
```yaml
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

env:
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}

jobs:
  k8sPolicyCheck:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Run Datree Policy Check
        uses: datreeio/action-datree@main
        with:
          path: 'myChartDirectory'
          cliArguments: '--only-k8s-files'
          isHelmChart: true
          helmArguments: '--values values.yaml'
```

## Troubleshooting
### Error: plugin "datree" exited with error
This is actually expected behavior because it's raised by Helm itself every time a plugin returns a [non-zero exit code](https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html#:~:text=A%20non%2Dzero%20exit%20status,N%20as%20the%20exit%20status.).
Therefore, if you run the Datree plugin on a chart that passes the policy check, it returns 0 as the exit code and you will not see this error.

### K8s schema validation error
This error occurs when trying to scan Chart.yaml or values.yaml files instead of the chart directory.
**Solution:** Pass the helm chart directory path to Datree's CLI, instead of to the file itself:
* Correct - `helm datree test examples/helm-chart/nginx`
* Wrong - `helm datree test examples/helm-chart/nginx/values.yaml`

### The policy check returns false-positive results
The best way to determine whether a false-positive result is a bug or a true misconfiguration is to render the Kubernetes manifest with helm and then check it manually:
```
helm template [CHART_DIRECTORY]
```
If after eyeballing the rendered manifest you still suspect it's a bug, please open an issue.