ckotzbauer / kyverno-test-action

A Github Action to test YAMLs and Helm-Charts against Kyverno policies.
MIT License

Error: The process '/opt/hostedtoolcache/helm/3.8.1/x64/linux-amd64/helm' failed with exit code 1 #134

Closed angelwcrypto closed 2 years ago

angelwcrypto commented 2 years ago

Hello,

Thank you for creating the actions. Would like to ask for help with this. I tried to use the actions but get the following error. Thanks a lot!

    Run ckotzbauer/kyverno-test-action@v1
      with:
        chart-dir: charts/argo-cd
        value-files: argo-cd/values.yaml
        policy-files: policies/validate-crd.yaml
        token: ***
        kyverno-version: v1.4.3
      env:
        pythonLocation: /opt/hostedtoolcache/Python/3.7.12/x64
        LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.7.12/x64/lib
        CT_CONFIG_DIR: /opt/hostedtoolcache/ct/v3.5.1/x86_64/etc
        VIRTUAL_ENV: /opt/hostedtoolcache/ct/v3.5.1/x86_64/venv
    Download kyverno from url: https://github.com/kyverno/kyverno/releases/download/v1.4.3/kyverno-cli_v1.4.3_linux_x86_64.tar.gz
    Extract kyverno archive: /home/runner/work/_temp/d34eea58-e9b3-4bd0-be25-a549e4ade6e4
    /usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/01c50407-5740-4216-86d4-3da0be180fd9 -f /home/runner/work/_temp/d34eea58-e9b3-4bd0-be25-a549e4ade6e4
    Error: The process '/opt/hostedtoolcache/helm/3.8.1/x64/linux-amd64/helm' failed with exit code 1

This is my ci config:

  validate-helm-config:
    runs-on: ubuntu-latest
    needs:
      - validate-kyverno-policies
    strategy:
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Set up Helm
        uses: azure/setup-helm@v1
        with:
          version: v3.8.1

      - uses: actions/setup-python@v2
        with:
          python-version: 3.7

      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.2.1

      - name: Run chart-testing (lint)
        run: ct lint --config ct.yaml

      - name: Create kind cluster
        uses: helm/kind-action@v1.2.0

      - name: Run chart-testing (install)
        run: ct install --config ct.yaml

      - name: Test against Kyverno policies
        uses: ckotzbauer/kyverno-test-action@v1
        with:
          chart-dir: charts/argo-cd
          # chart-dir: "${{ matrix.chart }}"
          value-files: |
            argo-cd/values.yaml
          policy-files: |
            policies/validate-crd.yaml

This is the folder structure:

> tree
.
├── README.md
├── charts
│   └── argo-cd
│       ├── Chart.lock
│       ├── Chart.yaml
│       ├── README.md
│       ├── charts
│       │   └── redis-ha
│       │       ├── Chart.yaml
│       │       ├── README.md
│       │       ├── ci
│       │       │   └── haproxy-enabled-values.yaml
│       │       ├── templates
│       │       │   ├── NOTES.txt
│       │       │   ├── _configs.tpl
│       │       │   ├── _helpers.tpl
│       │       │   ├── redis-auth-secret.yaml
│       │       │   ├── redis-ha-announce-service.yaml
│       │       │   ├── redis-ha-configmap.yaml
│       │       │   ├── redis-ha-exporter-script-configmap.yaml
│       │       │   ├── redis-ha-health-configmap.yaml
│       │       │   ├── redis-ha-pdb.yaml
│       │       │   ├── redis-ha-psp.yaml
│       │       │   ├── redis-ha-role.yaml
│       │       │   ├── redis-ha-rolebinding.yaml
│       │       │   ├── redis-ha-secret.yaml
│       │       │   ├── redis-ha-service.yaml
│       │       │   ├── redis-ha-serviceaccount.yaml
│       │       │   ├── redis-ha-servicemonitor.yaml
│       │       │   ├── redis-ha-statefulset.yaml
│       │       │   ├── redis-haproxy-deployment.yaml
│       │       │   ├── redis-haproxy-psp.yaml
│       │       │   ├── redis-haproxy-role.yaml
│       │       │   ├── redis-haproxy-rolebinding.yaml
│       │       │   ├── redis-haproxy-service.yaml
│       │       │   ├── redis-haproxy-serviceaccount.yaml
│       │       │   ├── redis-haproxy-servicemonitor.yaml
│       │       │   ├── redis-tls-secret.yaml
│       │       │   ├── sentinel-auth-secret.yaml
│       │       │   └── tests
│       │       │       ├── test-redis-ha-configmap.yaml
│       │       │       └── test-redis-ha-pod.yaml
│       │       └── values.yaml
│       ├── crds
│       │   ├── crd-application.yaml
│       │   ├── crd-applicationset.yaml
│       │   ├── crd-extension.yaml
│       │   └── crd-project.yaml
│       ├── templates
│       │   ├── NOTES.txt
│       │   ├── _helpers.tpl
│       │   ├── argocd-aggregate-roles.yaml
│       │   ├── argocd-application-controller
│       │   │   ├── clusterrole.yaml
│       │   │   ├── clusterrolebinding.yaml
│       │   │   ├── deployment.yaml
│       │   │   ├── metrics-service.yaml
│       │   │   ├── networkpolicy.yaml
│       │   │   ├── poddisruptionbudget.yaml
│       │   │   ├── prometheusrule.yaml
│       │   │   ├── role.yaml
│       │   │   ├── rolebinding.yaml
│       │   │   ├── service.yaml
│       │   │   ├── serviceaccount.yaml
│       │   │   └── servicemonitor.yaml
│       │   ├── argocd-applicationset
│       │   │   ├── deployment.yaml
│       │   │   ├── metrics-service.yaml
│       │   │   ├── networkpolicy.yaml
│       │   │   ├── role.yaml
│       │   │   ├── rolebinding.yaml
│       │   │   ├── service.yaml
│       │   │   ├── serviceaccount.yaml
│       │   │   ├── servicemonitor.yaml
│       │   │   └── webhook-ingress.yaml
│       │   ├── argocd-configs
│       │   │   ├── applications.yaml
│       │   │   ├── argocd-cm.yaml
│       │   │   ├── argocd-gpg-keys-cm.yaml
│       │   │   ├── argocd-rbac-cm.yaml
│       │   │   ├── argocd-secret.yaml
│       │   │   ├── argocd-ssh-known-hosts-cm.yaml
│       │   │   ├── argocd-styles-cm.yaml
│       │   │   ├── argocd-tls-certs-cm.yaml
│       │   │   ├── cluster-secrets.yaml
│       │   │   ├── externalredis-secret.yaml
│       │   │   ├── projects.yaml
│       │   │   ├── repository-credentials-secret-legacy.yaml
│       │   │   ├── repository-credentials-secret.yaml
│       │   │   └── repository-secret.yaml
│       │   ├── argocd-notifications
│       │   │   ├── bots
│       │   │   │   └── slack
│       │   │   │       ├── deployment.yaml
│       │   │   │       ├── role.yaml
│       │   │   │       ├── rolebinding.yaml
│       │   │   │       ├── service.yaml
│       │   │   │       └── serviceaccount.yaml
│       │   │   ├── configmap.yaml
│       │   │   ├── deployment.yaml
│       │   │   ├── networkpolicy.yaml
│       │   │   ├── role.yaml
│       │   │   ├── rolebinding.yaml
│       │   │   ├── secret.yaml
│       │   │   ├── service-metrics.yaml
│       │   │   ├── serviceaccount.yaml
│       │   │   └── servicemonitor.yaml
│       │   ├── argocd-repo-server
│       │   │   ├── clusterrole.yaml
│       │   │   ├── clusterrolebinding.yaml
│       │   │   ├── deployment.yaml
│       │   │   ├── hpa.yaml
│       │   │   ├── metrics-service.yaml
│       │   │   ├── networkpolicy.yaml
│       │   │   ├── poddisruptionbudget.yaml
│       │   │   ├── role.yaml
│       │   │   ├── rolebinding.yaml
│       │   │   ├── service.yaml
│       │   │   ├── serviceaccount.yaml
│       │   │   └── servicemonitor.yaml
│       │   ├── argocd-server
│       │   │   ├── alb-grpc-service.yaml
│       │   │   ├── backendconfig.yaml
│       │   │   ├── certificate.yaml
│       │   │   ├── clusterrole.yaml
│       │   │   ├── clusterrolebinding.yaml
│       │   │   ├── deployment.yaml
│       │   │   ├── extensions-rolebinding.yaml
│       │   │   ├── extensions.yaml
│       │   │   ├── extentions-role.yaml
│       │   │   ├── frontendconfig.yaml
│       │   │   ├── hpa.yaml
│       │   │   ├── ingress-grpc.yaml
│       │   │   ├── ingress.yaml
│       │   │   ├── managedCertificate.yaml
│       │   │   ├── metrics-service.yaml
│       │   │   ├── networkpolicy.yaml
│       │   │   ├── poddisruptionbudget.yaml
│       │   │   ├── role.yaml
│       │   │   ├── rolebinding.yaml
│       │   │   ├── route.yaml
│       │   │   ├── service.yaml
│       │   │   ├── serviceaccount.yaml
│       │   │   └── servicemonitor.yaml
│       │   ├── dex
│       │   │   ├── deployment.yaml
│       │   │   ├── networkpolicy.yaml
│       │   │   ├── poddisruptionbudget.yaml
│       │   │   ├── role.yaml
│       │   │   ├── rolebinding.yaml
│       │   │   ├── service.yaml
│       │   │   ├── serviceaccount.yaml
│       │   │   └── servicemonitor.yaml
│       │   ├── extra-manifests.yaml
│       │   ├── networkpolicy-default-deny.yaml
│       │   └── redis
│       │       ├── deployment.yaml
│       │       ├── metrics-service.yaml
│       │       ├── networkpolicy.yaml
│       │       ├── poddisruptionbudget.yaml
│       │       ├── service.yaml
│       │       ├── serviceaccount.yaml
│       │       └── servicemonitor.yaml
│       └── values.yaml
├── ct.yaml
└── policies
    └── validate-crd.yaml

ckotzbauer commented 2 years ago

Hi @angelwcrypto, the helm error is not really descriptive. Can you run "helm template charts/argo-cd -f charts/argo-cd/values.yaml"? Does this succeed?

angelwcrypto commented 2 years ago

Hello @ckotzbauer, thanks for the quick response :) Yes, it is successful.

angelwcrypto commented 2 years ago

The Chart is downloaded from argo/argo-cd without modifications, thank you.

ckotzbauer commented 2 years ago

Okay, could you please do the following:

angelwcrypto commented 2 years ago

There is no more debug information showing.

  validate-helm-config:
    runs-on: ubuntu-latest
    needs:
      - validate-kyverno-policies
    strategy:
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Set up Helm
        uses: azure/setup-helm@v1
        with:
          version: v3.8.1

      - uses: actions/setup-python@v2
        with:
          python-version: 3.7

      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.2.1

      - name: Run chart-testing (lint)
        run: ct lint --config ct.yaml

      - name: Create kind cluster
        uses: helm/kind-action@v1.2.0
        # if: steps.list-changed.outputs.changed == 'true'

      - name: Run chart-testing (install)
        run: ct install --config ct.yaml

      - name: Test against Kyverno policies
        uses: ckotzbauer/kyverno-test-action@v1
        with:
          chart-dir: charts/argo-cd
          value-files: |
            argo-cd/values.yaml
          policy-files: |
            policies/validate-crd.yaml
          debug: true

These are the configs I use: ct.yaml

helm-extra-args: --timeout 600s
chart-dirs:
  - charts
target-branch: main

policies/validate-crd.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-applicationset
spec:
  validationFailureAction: enforce
  rules:
  - name: require-applicationset
    match:
      any:
      - resources:
          kinds:
          - CustomResourceDefinition
    validate:
      message: "ApplicationSet is required in ArgoCD."
      pattern:
        spec:
          kind:
          - name: ApplicationSet

ckotzbauer commented 2 years ago

Please update the action to v2 as I told you above; v1 doesn't know the debug input (as the warning says).

angelwcrypto commented 2 years ago

Ok, it seems that the file is not rendered.

ckotzbauer commented 2 years ago

The path from value-files is wrong. The paths have to be relative to the repo root.

angelwcrypto commented 2 years ago

Thank you @ckotzbauer, it works. However, I am not sure whether it is supposed to have 0 test passes and fails.

ckotzbauer commented 2 years ago

That's correct according to the Helm docs: https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you

"There is now a special directory called crds that you can create in your chart to hold your CRDs. These CRDs are not templated, but will be installed by default ..."

This action can only execute tests for resources emitted by "helm template".
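As an added example (not the action's own code), a pre-flight check in Python that encodes both findings from this thread: it resolves value-files and policy-files relative to the repo root and turns the `argo-cd/values.yaml` mistake into a descriptive error instead of an opaque helm exit code, and it warns when a policy matches a kind that only exists under the chart's `crds/` directory, which `helm template` never renders. The sample repo layout and the regex-based YAML scan are constructed assumptions, not the reporter's real files or a full YAML parser.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample repo mirroring the issue's layout (not the reporter's real files).
SAMPLE_FILES = {
    "charts/argo-cd/values.yaml": "replicas: 1\n",
    "charts/argo-cd/crds/crd-applicationset.yaml":
        "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\n",
    "policies/validate-crd.yaml":
        "kind: ClusterPolicy\nspec:\n  rules:\n  - match:\n      any:\n"
        "      - resources:\n          kinds:\n          - CustomResourceDefinition\n",
}
KIND_RE = re.compile(r"^kind:\s*(\S+)", re.MULTILINE)         # 'kind:' of a manifest
LIST_ITEM_RE = re.compile(r"^\s*-\s*(\w+)\s*$", re.MULTILINE)  # bare '- Kind' list entries

def build_sample_repo():
    """Write SAMPLE_FILES into a temp dir and return its path (the 'repo root')."""
    root = Path(tempfile.mkdtemp(prefix="kyverno-preflight-"))
    for rel, body in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return str(root)

def preflight(repo_root, chart_dir, value_files, policy_files):
    """Return (errors, warnings) before helm/kyverno run.
    errors: value/policy paths missing relative to the repo root (the real cause of
    the opaque 'helm ... exit code 1' above); warnings: policies that match a kind
    found only under <chart>/crds, which 'helm template' never renders (0 tests)."""
    root = Path(repo_root)
    errors, warnings = [], []
    for rel in list(value_files) + list(policy_files):
        if not (root / rel).is_file():
            errors.append(f"missing input (paths are relative to the repo root): {rel}")
    untemplated = set()  # kinds declared in the untemplated crds/ directory
    crds_dir = root / chart_dir / "crds"
    if crds_dir.is_dir():
        for crd in sorted(crds_dir.iterdir()):
            untemplated.update(KIND_RE.findall(crd.read_text(encoding="utf-8")))
    for rel in policy_files:
        if not (root / rel).is_file():
            continue
        # Heuristic scan of the policy's kinds list; not a full YAML parser.
        matched = set(LIST_ITEM_RE.findall((root / rel).read_text(encoding="utf-8")))
        for kind in sorted(matched & untemplated):
            warnings.append(f"{rel} matches {kind}, but {chart_dir}/crds/ is not rendered "
                            "by 'helm template', so no such resource is ever tested")
    return errors, warnings
```

Run `preflight()` as a step before the action; a non-empty error list is the signal to fix the paths, and a warning tells you the CRD policy will never see a rendered resource.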