redhat-developer / yaml-language-server

Language Server for YAML Files
MIT License

openshift schemas in nvim with yamlls #958

Open ikke-t opened 6 months ago

ikke-t commented 6 months ago

Summary

How do I get schemas to work with nvim and yamlls? When I enable yamlls on a pod definition file I get this in red at the very first line:

$ref '/definitions/io.openshift.cloudcredential.v1.CredentialsRequest' in 'file:///var/home/user/src/ocp-json-schema/k8s-manifest-validation/schemas/openshift-json-schema/master-standalone/_definitions.json' can not be resolved.

I have created schemas for OpenShift following these instructions, like this:

python3 scripts/build_schema.py -u $(oc whoami --show-server) -t $(oc whoami -t) 

which goes through fine. It lists three schemas that need to be skipped, and creates lots of schemas.

If I then take the registry YAML out of kube (OpenShift), I can verify it with kubeval:

➤ kubeval  --schema-location=file:///var/home/user/src/ocp-json-schema/k8s-manifest-validation/schemas/openshift-json-schema/ /tmp/registry.yaml       
PASS - /tmp/registry.yaml contains a valid Pod (openshift-image-registry.image-registry-596bbd5585-5m6t5)

I set the path for nvim yamlls like this (note that the path goes further than for kubeval; the shorter path won't work): full config here

  -- schemas available in Telescope picker
  schemas = {
    -- not loaded automatically, manually select with
    -- :Telescope yaml_schema
    -- find new ones: https://www.schemastore.org/json/
    {
      name = 'OpenShift 4.14',
      uri = 'file:///var/home/user/src/ocp-json-schema/k8s-manifest-validation/schemas/openshift-json-schema/master-standalone/all.json',
    },
  },
  lspconfig = {
    settings = {
      yaml = {
        validate = true,
        schemaStore = {
          enable = false,
          url = '',
        },

        -- schemas from store, matched by filename
        -- loaded automatically
        schemas = require('schemastore').yaml.schemas {
          select = {
            'kustomization.yaml',
            'GitHub Workflow',
          },
        },
      },
    },
  },

Here is the pod YAML I verified, just randomly selected from the same cluster I took the schemas from:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    imageregistry.operator.openshift.io/dependencies-checksum: sha256:0cc89bdb04184a943c7d7a5dcc0520eca7f11db9c670c5f59e80df4c9320f3fe
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.132.6.192"
          ],
          "default": true,
          "dns": {}
      }]
    openshift.io/scc: restricted-v2
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    docker-registry: default
    pod-template-hash: 596bbd5585
  name: image-registry-596bbd5585-5m6t5
  namespace: openshift-image-registry
spec:
  containers:
  - command:
    - /bin/sh
    - -c
    - mkdir -p /etc/pki/ca-trust/extracted/edk2 /etc/pki/ca-trust/extracted/java /etc/pki/ca-trust/extracted/openssl
      /etc/pki/ca-trust/extracted/pem && update-ca-trust extract && exec /usr/bin/dockerregistry
    env:
    - name: REGISTRY_STORAGE
      value: filesystem
    - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
      value: /registry
    - name: REGISTRY_HTTP_ADDR
      value: :5000
    - name: REGISTRY_HTTP_NET
      value: tcp
    - name: REGISTRY_HTTP_SECRET
      value: f1aded97522319274804ee4626560c1ce64d8d48986dfb3ee21c2c55e9659dee3a8eede712a866c0ee9a5d009aa75ea08afdaf49cc5d2f62c1b3b9a7d480f2ed
    - name: REGISTRY_LOG_LEVEL
      value: info
    - name: REGISTRY_OPENSHIFT_QUOTA_ENABLED
      value: "true"
    - name: REGISTRY_STORAGE_CACHE_BLOBDESCRIPTOR
      value: inmemory
    - name: REGISTRY_STORAGE_DELETE_ENABLED
      value: "true"
    - name: REGISTRY_HEALTH_STORAGEDRIVER_ENABLED
      value: "true"
    - name: REGISTRY_HEALTH_STORAGEDRIVER_INTERVAL
      value: 10s
    - name: REGISTRY_HEALTH_STORAGEDRIVER_THRESHOLD
      value: "1"
    - name: REGISTRY_OPENSHIFT_METRICS_ENABLED
      value: "true"
    - name: REGISTRY_OPENSHIFT_SERVER_ADDR
      value: image-registry.openshift-image-registry.svc:5000
    - name: REGISTRY_HTTP_TLS_CERTIFICATE
      value: /etc/secrets/tls.crt
    - name: REGISTRY_HTTP_TLS_KEY
      value: /etc/secrets/tls.key
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:dd3f61e5ddf7b2345e3586615bbfad892bfa04ccda7935357fe5c842cacbb712
    lifecycle:
      preStop:
        exec:
          command:
          - sleep
          - "25"
    livenessProbe:
      httpGet:
        path: /healthz
        port: 5000
        scheme: HTTPS
      initialDelaySeconds: 5
      timeoutSeconds: 5
    name: registry
    ports:
    - containerPort: 5000
    readinessProbe:
      httpGet:
        path: /healthz
        port: 5000
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 5
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 1000340000
    volumeMounts:
    - mountPath: /registry
      name: registry-storage
    - mountPath: /etc/secrets
      name: registry-tls
    - mountPath: /etc/pki/ca-trust/extracted
      name: ca-trust-extracted
    - mountPath: /etc/pki/ca-trust/source/anchors
      name: registry-certificates
    - mountPath: /usr/share/pki/ca-trust-source
      name: trusted-ca
    - mountPath: /var/lib/kubelet/
      name: installation-pull-secrets
    - mountPath: /var/run/secrets/openshift/serviceaccount
      name: bound-sa-token
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-vqklw
      readOnly: true
  imagePullSecrets:
  - name: registry-dockercfg-8xcch
  nodeSelector:
    kubernetes.io/os: linux
  preemptionPolicy: PreemptLowerPriority
  priority: 2000000000
  priorityClassName: system-cluster-critical
  securityContext:
    fsGroup: 1000340000
    fsGroupChangePolicy: OnRootMismatch
    seLinuxOptions:
      level: s0:c18,c17
    seccompProfile:
      type: RuntimeDefault
  serviceAccountName: registry
  terminationGracePeriodSeconds: 55
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  - effect: NoSchedule
    key: node.kubernetes.io/memory-pressure
    operator: Exists
  topologySpreadConstraints:
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule
  - labelSelector:
      matchLabels:
        docker-registry: default
    maxSkew: 1
    topologyKey: node-role.kubernetes.io/worker
    whenUnsatisfiable: DoNotSchedule
  volumes:
  - name: registry-storage
    persistentVolumeClaim:
      claimName: image-registry-storage
  - name: registry-tls
    projected:
      sources:
      - secret:
          name: image-registry-tls
  - name: ca-trust-extracted
  - configMap:
      name: image-registry-certificates
    name: registry-certificates
  - configMap:
      items:
      - key: ca-bundle.crt
        path: anchors/ca-bundle.crt
      name: trusted-ca
      optional: true
    name: trusted-ca
  - name: installation-pull-secrets
    secret:
      items:
      - key: .dockerconfigjson
        path: config.json
      optional: true
      secretName: installation-pull-secrets
  - name: bound-sa-token
    projected:
      sources:
      - serviceAccountToken:
          audience: openshift
          path: token
  - name: kube-api-access-vqklw
    projected:
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.namespace
            path: namespace
      - configMap:
          items:
          - key: service-ca.crt
            path: service-ca.crt
          name: openshift-service-ca.crt
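The error quoted at the top of the issue is a `$ref` that yamlls could not resolve inside `_definitions.json`, and the build step reported three schemas it skipped. Before blaming the editor config it is worth checking, offline, whether every local `$ref` in the schema tree actually points at a file and JSON pointer that exist. The script below is an added example written for this page; it is not part of yaml-language-server, kubeval, or the issue author's setup. It assumes the kubeval "standalone" layout the issue uses (an `all.json` whose `$ref`s point into a sibling `_definitions.json` via `file#/definitions/...` pointers), and it builds a small constructed two-file tree with one deliberately missing definition so it can run without the real schema directory. Function names (`check_refs`, `demo`, `build_sample_tree`) are mine. One separate caveat on the manifest above: it is live `oc get pod -o yaml` output and includes the registry's `REGISTRY_HTTP_SECRET` value in clear text, so that value should be treated as exposed.

```python
"""Offline checker for local $ref targets in a kubeval/yamlls JSON schema tree.

Added example, not project code. For every $ref it finds, it checks that the
referenced file exists (relative to the referencing file, or an absolute
file:// URI) and that the JSON pointer after '#' resolves in that file.
Unresolved refs are reported, which separates "the definition was never
generated" from "the editor cannot find the file".
"""
import json
import os
import sys
import tempfile
from urllib.parse import unquote, urlparse


def _walk_refs(node, path=()):
    """Yield (json_path, ref_string) for every $ref in a schema tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                yield path, value
            else:
                yield from _walk_refs(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_refs(value, path + (i,))


def _resolve_pointer(doc, pointer):
    """Resolve an RFC 6901 JSON pointer such as '#/definitions/x' against doc."""
    if pointer in ("", "#"):
        return doc
    node = doc
    for token in pointer.lstrip("#").lstrip("/").split("/"):
        token = token.replace("~1", "/").replace("~0", "~")  # unescape per RFC 6901
        if isinstance(node, dict) and token in node:
            node = node[token]
        elif isinstance(node, list) and token.isdigit() and int(token) < len(node):
            node = node[int(token)]
        else:
            raise KeyError(pointer)
    return node


def check_refs(schema_dir):
    """Return sorted (schema_file, ref) pairs whose target does not resolve.

    http(s) refs are skipped because this runs offline; only file-local refs
    (relative paths, bare '#...' fragments, or file:// URIs) are checked.
    """
    cache = {}

    def load(path):
        if path not in cache:
            with open(path, encoding="utf-8") as fh:
                cache[path] = json.load(fh)
        return cache[path]

    unresolved = []
    for root, _dirs, files in os.walk(schema_dir):
        for name in sorted(files):
            if not name.endswith(".json"):
                continue
            schema_path = os.path.join(root, name)
            rel = os.path.relpath(schema_path, schema_dir)
            try:
                schema = load(schema_path)
            except (OSError, ValueError) as exc:
                unresolved.append((rel, f"<unparseable: {exc}>"))
                continue
            for _jp, ref in _walk_refs(schema):
                parsed = urlparse(ref)
                if parsed.scheme in ("http", "https"):
                    continue
                if parsed.scheme == "file":
                    target = unquote(parsed.path)
                elif parsed.path:
                    target = os.path.join(root, unquote(parsed.path))
                else:
                    target = schema_path  # bare '#/...' ref into the same file
                try:
                    _resolve_pointer(load(target), parsed.fragment)
                except (OSError, ValueError, KeyError):
                    unresolved.append((rel, ref))
    return sorted(unresolved)


def build_sample_tree(base):
    """Write a constructed schema set mimicking the kubeval standalone layout.

    _definitions.json holds the definitions; all.json refers into it. One
    referenced definition is deliberately absent (as if the build skipped it)
    and one ref points at a file that does not exist.
    """
    definitions = {"definitions": {
        "io.k8s.api.core.v1.Pod": {"type": "object",
                                   "properties": {"kind": {"type": "string"}}},
    }}
    all_json = {"oneOf": [
        {"$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.Pod"},
        {"$ref": "_definitions.json#/definitions/io.openshift.cloudcredential.v1.CredentialsRequest"},
        {"$ref": "missing.json#/definitions/anything"},
    ]}
    with open(os.path.join(base, "_definitions.json"), "w", encoding="utf-8") as fh:
        json.dump(definitions, fh)
    with open(os.path.join(base, "all.json"), "w", encoding="utf-8") as fh:
        json.dump(all_json, fh)


def demo():
    """Run the checker over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return check_refs(tmp)


if __name__ == "__main__":
    # Usage: python check_refs.py /path/to/master-standalone   (or no arg for the demo)
    findings = check_refs(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for schema_file, ref in findings:
        print(f"{schema_file}: unresolved {ref}")
```

Run it against the real `master-standalone` directory from the issue to see whether `io.openshift.cloudcredential.v1.CredentialsRequest` is simply absent from `_definitions.json` (a schema-build problem, consistent with the three skipped schemas) or present but unreachable from the URI yamlls was given (an editor-config problem).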