Open joelanford opened 1 week ago
Have you thought about which libraries might be good choices for helping with the validation of Helm charts to ensure we can work with them? We need to rule out charts with non-deterministic template functions and hooks, so something like:
```go
customChecks := []*config.Check{
	{
		Name:        "detect-non-deterministic-functions",
		Description: "Detect non-deterministic template functions in Helm charts",
		Template:    "template-name",
		Params: map[string]interface{}{
			"functions": []string{"randAlphaNum", "randAlpha", "randNumeric", "randAlphaSpecial", "now"},
		},
	},
	{
		Name:        "detect-helm-hooks",
		Description: "Detect Helm hooks in Helm charts",
		Template:    "template-name",
		Params: map[string]interface{}{
			"hooks": []string{"pre-install", "post-install", "pre-delete", "post-delete", "pre-upgrade", "post-upgrade", "pre-rollback", "post-rollback"},
		},
	},
}
```
in Stackrox's kube-linter terms, though I can't quite make a working example yet. Maybe there are other libs that would work better?
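One way to run the check described above with only the Go standard library, added here as an example and not code from kube-linter, Helm or OLM: it parses the template source with `text/template/parse` and walks the AST, so only real function calls are flagged, not `.Values.now` or the word "now" in text. `scanTemplate`, `walk` and the report keys are hypothetical names; the hook check is a plain substring match on Helm's `helm.sh/hook` annotation key, and arguments of `{{ template }}` actions are not walked.

```go
package main

import (
	"fmt"
	"strings"
	"text/template/parse"
)

var nonDeterministic = map[string]bool{"randAlphaNum": true, "randAlpha": true, "randNumeric": true, "randAlphaSpecial": true, "now": true}

// scanTemplate and walk are hypothetical helpers; a template that fails to parse is reported, not skipped.
func scanTemplate(name, src string) map[string]bool {
	t := &parse.Tree{Name: name, Mode: parse.SkipFuncCheck} // Helm/sprig functions are not registered here
	trees := map[string]*parse.Tree{}
	_, err := t.Parse(src, "", "", trees)
	report := map[string]bool{"parse-error": err != nil, "hook-annotation": strings.Contains(src, "helm.sh/hook")}
	for _, tree := range trees { // the file body plus any {{ define }} blocks
		walk(report, tree.Root)
	}
	return report
}

func walk(report map[string]bool, nodes ...parse.Node) {
	for _, node := range nodes {
		switch n := node.(type) {
		case *parse.ListNode:
			if n != nil { // ElseList is nil when a branch has no {{ else }}
				walk(report, n.Nodes...)
			}
		case *parse.PipeNode: // also reached for parenthesised arguments
			for _, c := range n.Cmds {
				walk(report, c.Args...)
			}
		case *parse.ActionNode:
			walk(report, n.Pipe)
		case *parse.ChainNode:
			walk(report, n.Node)
		case *parse.IfNode:
			walk(report, n.Pipe, n.List, n.ElseList)
		case *parse.RangeNode:
			walk(report, n.Pipe, n.List, n.ElseList)
		case *parse.WithNode:
			walk(report, n.Pipe, n.List, n.ElseList)
		case *parse.IdentifierNode: // a function name in call position
			report["func:"+n.Ident] = nonDeterministic[n.Ident]
		}
	}
}

func main() { fmt.Println(scanTemplate("job.yaml", "name: job-{{ randAlpha 5 | lower }}\n")) }
```

Every function the template calls appears in the report as `func:<name>`, with `true` only for names on the deny list, so the same output doubles as an inventory of template functions in use.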
In OLMv1, we plan to support the `registry+v1` bundle format in order to provide a means for migration from OLMv0. However, we recognize the many pain points and limitations of that format (to name a few: limited types of supported objects, lack of templating, too opinionated about how RBAC is generated).

In order to provide operator authors and cluster admins with more flexibility and control, this epic tracks the work necessary to support managing native helm charts in OLMv1.
Some items to consider: