elastisys / compliantkubernetes-apps

Elastisys Compliant Kubernetes is an open source, Certified Kubernetes distribution designed according to the ISO27001 controls: providing you with security tooling and observability from day one.
https://elastisys.io/compliantkubernetes/
Apache License 2.0

Config validation warnings on unrelated charts #2335

Open davidumea opened 5 days ago

davidumea commented 5 days ago

Description

When setting up a new environment you may only want to apply a smaller selection of charts, e.g. you may want to apply ingress-nginx to set up a LoadBalancer before applying the rest of the apps.

So in this case, when running ./bin/ck8s ops helmfile sc -l app=ingress-nginx apply, you will be warned about failed config validation that is completely unrelated to the chart:

1 of 1 failed validation
.networkPolicies.global.objectStorage.ips.0 = "set-me"
.networkPolicies.global.objectStorage.ports.0 = "set-me"
.networkPolicies.global.scIngress.ips.0 = "set-me"
.networkPolicies.global.wcApiserver.ips.0 = "set-me"
.networkPolicies.global.wcIngress.ips.0 = "set-me"
.networkPolicies.global.wcNodes.ips.0 = "set-me"

It would be great if only the config that is relevant for the chart(s) that you want to apply is validated.

Maybe a simpler solution would be to specify parts of the schema to ignore when validating if you know that the values will be incorrect at this moment, but they may be needed later on.


simonklb commented 5 days ago

As part of solving this, starting by investigating which parts of the config do not have valid defaults might be useful. For example, if this is only problematic for the network policy configuration (which we can't know until some resources have already been created) then it might be possible to solve this by modifying the config validation depending on which state the cluster is in.
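
One way the "ignore parts of the schema" idea from this thread could behave, as an added example that is not code from compliantkubernetes-apps or from either commenter: placeholder values under an ignored path are deferred instead of failing validation, but are still reported so unset network policy values stay visible. The function names, the ignore-prefix list and the sample config (including the `ingressNginx` key) are assumptions; only the `set-me` placeholder and the dotted path format come from the output quoted in the issue.

```python
# Added illustration; not the project's validation code.
PLACEHOLDER = "set-me"  # placeholder value shown in the issue's output


def find_placeholders(node, path=""):
    """Yield dotted paths (format as in the issue's output) still set to the placeholder."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_placeholders(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_placeholders(value, f"{path}.{index}")
    elif node == PLACEHOLDER:
        yield path


def is_under(path, prefix):
    """Segment-aware prefix match: '.a.b' covers '.a.b.0' but not '.a.bc'."""
    return path == prefix or path.startswith(prefix + ".")


def split_failures(config, ignore_prefixes):
    """Return (blocking, deferred); deferred paths are ignored for now but still listed."""
    blocking, deferred = [], []
    for path in find_placeholders(config):
        if any(is_under(path, prefix) for prefix in ignore_prefixes):
            deferred.append(path)
        else:
            blocking.append(path)
    return blocking, deferred


# Constructed sample config. The networkPolicies key names follow the issue's
# output; the ingressNginx entry is a hypothetical chart-relevant value.
SAMPLE_CONFIG = {
    "networkPolicies": {"global": {
        "objectStorage": {"ips": ["set-me"], "ports": ["set-me"]},
        "scIngress": {"ips": ["set-me"]},
        "wcIngress": {"ips": ["10.0.0.0/24"]},
    }},
    "ingressNginx": {"controller": {"service": {"type": "set-me"}}},
}

if __name__ == "__main__":
    blocking, deferred = split_failures(SAMPLE_CONFIG, [".networkPolicies.global"])
    print("blocking:", blocking)
    print("deferred (still unset):", deferred)
```

Keeping the deferred list in the output means a later full apply cannot silently proceed with placeholder network policy values.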