yannh / kubeconform

A FAST Kubernetes manifests validator, with support for Custom Resources!
Apache License 2.0

kubeconform could not find schema for HTTPProxy since v0.6.0 #217

Closed nozawana44 closed 1 year ago

nozawana44 commented 1 year ago

kubeconform could not find schema for HTTPProxy since v0.6.0. This was not the case in the prior version (v0.5.0) where it functioned as expected.

manifest:

$ cat httpproxy.yml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: basic
spec:
  virtualhost:
    fqdn: foo-basic.example.com
  routes:
    - conditions:
      - prefix: /
      services:
        - name: s1
          port: 80

v0.5.0

$ docker run -i --rm ghcr.io/yannh/kubeconform:v0.5.0  -summary -debug -schema-location default -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json  < httpproxy.yml
2023/07/02 05:55:47 could not find schema at https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/httpproxy-projectcontour-v1.json
2023/07/02 05:55:47 using schema found at https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/projectcontour.io/httpproxy_v1.json
Summary: 1 resource found parsing stdin - Valid: 1, Invalid: 0, Errors: 0, Skipped: 0
$

v0.6.0

$ docker run -i --rm ghcr.io/yannh/kubeconform:v0.6.0  -summary -debug -schema-location default -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json  < httpproxy.yml
2023/07/02 05:55:52 could not find schema at https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/httpproxy-projectcontour-v1.json
2023/07/02 05:55:52 using schema found at https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/projectcontour.io/httpproxy_v1.json
stdin - HTTPProxy basic failed validation: could not find schema for HTTPProxy
Summary: 1 resource found parsing stdin - Valid: 0, Invalid: 0, Errors: 1, Skipped: 0
$

umezawatakeshi commented 1 year ago

I encountered the same problem.

My investigation

I modified kubeconform as follows:

diff --git a/pkg/validator/validator.go b/pkg/validator/validator.go
index f4827c8..3096c6e 100644
--- a/pkg/validator/validator.go
+++ b/pkg/validator/validator.go
@@ -6,6 +6,7 @@ import (
        "errors"
        "fmt"
        "io"
+       "log"

        jsonschema "github.com/santhosh-tekuri/jsonschema/v5"
        _ "github.com/santhosh-tekuri/jsonschema/v5/httploader"
@@ -257,6 +258,7 @@ func downloadSchema(registries []registry.Registry, kind, version, k8sVersion st
                        schema, err := jsonschema.CompileString(path, string(schemaBytes))
                        // If we got a non-parseable response, we try the next registry
                        if err != nil {
+                               log.Print(fmt.Sprintln(err))
                                continue
                        }
                        return schema, err
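
Review bot: In the `err != nil` branch of downloadSchema, `log.Print(fmt.Sprintln(err))` logs unconditionally and wraps the error in a redundant `fmt.Sprintln`; `log.Printf("failed compiling schema %s: %s", path, err)` says the same thing and names the registry path explicitly. The `continue` that follows still throws the compile error away, so a schema that was fetched but rejected by the compiler is reported to the user as "could not find schema"; consider keeping the last compile error and returning it when no registry yields a usable schema.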

and I got the following message:

$ cat a.yaml | /home/umezawa/go/src/github.com/yannh/kubeconform/bin/kubeconform --debug --verbose \
    --schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
2023/07/14 18:45:33 using schema found at https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/projectcontour.io/httpproxy_v1.json
2023/07/14 18:45:33 jsonschema https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/projectcontour.io/httpproxy_v1.json compilation failed: '/properties/spec/properties/routes/items/properties/services/items/properties/port/exclusiveMaximum' does not validate with https://json-schema.org/draft/2020-12/schema#/allOf/1/$ref/properties/properties/additionalProperties/$dynamicRef/allOf/1/$ref/properties/properties/additionalProperties/$dynamicRef/allOf/1/$ref/properties/items/$dynamicRef/allOf/1/$ref/properties/properties/additionalProperties/$dynamicRef/allOf/1/$ref/properties/items/$dynamicRef/allOf/1/$ref/properties/properties/additionalProperties/$dynamicRef/allOf/3/$ref/properties/exclusiveMaximum/type: expected number, but got boolean
stdin - HTTPProxy argocd-server failed validation: could not find schema for HTTPProxy

The JSON schema library seems to misunderstand the exclusiveMaximum field. kubeconform v0.5.0 and v0.6.0 use different libraries (https://github.com/yannh/kubeconform/pull/168). That seems to be why v0.5.0 does not have the same problem.

My workaround

Patch HTTPProxy's json schema:

--- json-schemas/httpproxy-projectcontour.io-v1.json 2023-07-14 17:55:44.585104029 +0900
+++ json-schemas/httpproxy-projectcontour.io-v1-patched.json 2023-07-14 18:30:31.444792578 +0900
@@ -1053,8 +1053,7 @@
                     },
                     "port": {
                       "description": "Port (defined as Integer) to proxy traffic to since a service can have multiple defined.",
-                      "exclusiveMaximum": true,
-                      "maximum": 65536,
+                      "maximum": 65535,
                       "minimum": 1,
                       "type": "integer"
                     },
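
Review bot: Swapping `"exclusiveMaximum": true` plus `"maximum": 65536` for `"maximum": 65535` on `port` is equivalent only because the field is `"type": "integer"`; for a `number` field the same rewrite would change which values are accepted. Since the patched copy is listed ahead of CRDs-catalog and therefore always wins, record next to the file why it differs from the catalog version so it can be dropped or re-synced later.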
@@ -1445,8 +1444,7 @@
                   },
                   "port": {
                     "description": "Port (defined as Integer) to proxy traffic to since a service can have multiple defined.",
-                    "exclusiveMaximum": true,
-                    "maximum": 65536,
+                    "maximum": 65535,
                     "minimum": 1,
                     "type": "integer"
                   },
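
Review bot: Any boolean `exclusiveMaximum` or `exclusiveMinimum` left elsewhere in the file will still make compilation of the whole schema fail, and this second `port` definition shows the pattern repeats. Search the file for both keywords instead of patching only the occurrences found so far.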

and specify it before CRDs-catalog:

$ cat a.yaml | /home/umezawa/go/src/github.com/yannh/kubeconform/bin/kubeconform --debug --verbose \
    --schema-location 'json-schemas/{{.ResourceKind}}-{{.Group}}-{{.ResourceAPIVersion}}-patched.json' \
    --schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
2023/07/14 18:45:45 using schema found at json-schemas/httpproxy-projectcontour.io-v1-patched.json
stdin - HTTPProxy argocd-server is valid

yannh commented 1 year ago

Urgh. That's :100: discovery :heart: Do you think you could build a reproducible use case and report it here? https://github.com/santhosh-tekuri/jsonschema/issues That would be awesome...

umezawatakeshi commented 1 year ago

Just in case, I checked the corresponding section in the JSON Schema specification https://json-schema.org/understanding-json-schema/reference/numeric.html#range before reporting. It says that exclusiveMaximum in Draft 4 is a boolean, but that in later specifications it has the same type as minimum - in HTTPProxy's case, integer.

... what shall we do?

umezawatakeshi commented 1 year ago

Oops, sorry, I didn't know that CRDs must be written on the basis of Draft 4. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#jsonschemaprops-v1-apiextensions-k8s-io

This problem would be solved just by setting the specification version that the schema compiler refers to.
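
The Draft 4 boolean form of exclusiveMaximum discussed in the two comments above can be located and converted to the numeric form of later drafts mechanically. The following is an added example, not code from this thread or from kubeconform; `rewriteBounds` and `sampleSchema` are hypothetical names, the sample schema is constructed, and the conversion is more general than the integer-only workaround shown earlier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample shaped like the HTTPProxy port definition in the thread.
const sampleSchema = `{"properties":{"spec":{"properties":{"routes":{"items":{"properties":{"services":{"items":
{"properties":{"port":{"type":"integer","minimum":1,"maximum":65536,"exclusiveMaximum":true}}}}}}}}}}}`

// rewriteBounds (hypothetical helper) rewrites Draft 4 boolean exclusive bounds in place and returns
// JSON pointers to each change. Simplified: all nested objects are treated as schemas, keys unescaped.
func rewriteBounds(node interface{}, ptr string) []string {
	var changed []string
	switch n := node.(type) {
	case map[string]interface{}:
		for _, p := range [][2]string{{"exclusiveMaximum", "maximum"}, {"exclusiveMinimum", "minimum"}} {
			flag, isBool := n[p[0]].(bool)
			if !isBool {
				continue // absent, or already numeric (later-draft form)
			}
			delete(n, p[0]) // false, or no matching bound, means the keyword has no effect
			if limit, ok := n[p[1]]; ok && flag {
				n[p[0]] = limit // Draft 4 "maximum: X, exclusiveMaximum: true" becomes "exclusiveMaximum: X"
				delete(n, p[1])
			}
			changed = append(changed, ptr+"/"+p[0])
		}
		for k, v := range n {
			changed = append(changed, rewriteBounds(v, ptr+"/"+k)...)
		}
	case []interface{}:
		for i, v := range n {
			changed = append(changed, rewriteBounds(v, fmt.Sprintf("%s/%d", ptr, i))...)
		}
	}
	sort.Strings(changed)
	return changed
}

func main() {
	var schema interface{}
	if err := json.Unmarshal([]byte(sampleSchema), &schema); err != nil {
		panic(err)
	}
	fmt.Println(rewriteBounds(schema, ""), schema)
}
```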

yannh commented 1 year ago

So we are using the latest version of JSON Schema instead of forcing Draft 4? That sounds like an easy enough fix?

yannh commented 1 year ago

Just tagged v0.6.3 which fixes this issue! Thanks a lot @umezawatakeshi, your investigation really helped get this resolved :heart:

umezawatakeshi commented 1 year ago

Thanks a lot :+1: