Rendering Kustomize Manifests in Code as Pre-Processor for go validate (#326)

Author: tbarnes94

cmd/validate_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/Azure/draft/pkg/safeguards"
+	"github.com/Azure/draft/pkg/safeguards/preprocessing"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -95,3 +96,32 @@ func TestRunValidate(t *testing.T) {
 	numViolations = countTestViolations(v)
 	assert.Greater(t, numViolations, 0)
 }
+
+// TestRunValidate_Kustomize tests the run command for `draft validate` for proper returns when given a kustomize project
+func TestRunValidate_Kustomize(t *testing.T) {
+	ctx := context.TODO()
+	kustomizationPath, _ := filepath.Abs("../pkg/safeguards/tests/kustomize/overlays/production")
+	kustomizationFilePath, _ := filepath.Abs("../pkg/safeguards/tests/kustomize/overlays/production/kustomization.yaml")
+
+	makeTempDir(t)
+	t.Cleanup(func() { cleanupDir(t, tempDir) })
+
+	var manifestFiles []safeguards.ManifestFile
+	var err error
+
+	// Scenario 1a: kustomizationPath leads to a directory containing kustomization.yaml - expect success
+	manifestFiles, err = preprocessing.RenderKustomizeManifest(kustomizationPath, tempDir)
+	assert.Nil(t, err)
+	v, err := safeguards.GetManifestResults(ctx, manifestFiles)
+	assert.Nil(t, err)
+	numViolations := countTestViolations(v)
+	assert.Equal(t, numViolations, 1)
+
+	// Scenario 1b: kustomizationFilePath path leads to a specific kustomization.yaml - expect success
+	manifestFiles, err = preprocessing.RenderKustomizeManifest(kustomizationFilePath, tempDir)
+	assert.Nil(t, err)
+	v, err = safeguards.GetManifestResults(ctx, manifestFiles)
+	assert.Nil(t, err)
+	numViolations = countTestViolations(v)
+	assert.Equal(t, numViolations, 1)
+}

cmd/validate_test_helpers.go

@@ -1,6 +1,14 @@
 package cmd
 
-import "github.com/Azure/draft/pkg/safeguards"
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/Azure/draft/pkg/safeguards"
+)
+
+var tempDir, _ = filepath.Abs("./testdata")
 
 func countTestViolations(results []safeguards.ManifestResult) int {
 	numViolations := 0
@@ -10,3 +18,16 @@ func countTestViolations(results []safeguards.ManifestResult) int {
 
 	return numViolations
 }
+
+func makeTempDir(t *testing.T) {
+	if err := os.MkdirAll(tempDir, 0755); err != nil {
+		t.Fatalf("failed to create temporary output directory: %s", err)
+	}
+}
+
+func cleanupDir(t *testing.T, dir string) {
+	err := os.RemoveAll(dir)
+	if err != nil {
+		t.Fatalf("Failed to clean directory: %s", err)
+	}
+}

pkg/safeguards/helpers.go

@@ -15,7 +15,6 @@ import (
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
 	log "github.com/sirupsen/logrus"
-
 	"golang.org/x/mod/semver"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"

pkg/safeguards/preprocessing/preprocessing.go

@@ -0,0 +1,142 @@
+package preprocessing
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/Azure/draft/pkg/safeguards"
+	log "github.com/sirupsen/logrus"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/engine"
+	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// Given a Helm chart directory or file, renders all templates and writes them to the specified directory
+func RenderHelmChart(isFile bool, mainChartPath, tempDir string) ([]safeguards.ManifestFile, error) {
+	if isFile { // Get the directory that the Chart.yaml lives in
+		mainChartPath = filepath.Dir(mainChartPath)
+	}
+
+	mainChart, err := loader.Load(mainChartPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load main chart: %s", err)
+	}
+
+	loadedCharts := make(map[string]*chart.Chart) // map of chart path to chart object
+	loadedCharts[mainChartPath] = mainChart
+
+	// Load subcharts and dependencies
+	for _, dep := range mainChart.Metadata.Dependencies {
+		// Resolve the chart path based on the main chart's directory
+		chartPath := filepath.Join(mainChartPath, dep.Repository[len("file://"):])
+		chartPath = filepath.Clean(chartPath)
+
+		subChart, err := loader.Load(chartPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load chart: %s", err)
+		}
+		loadedCharts[chartPath] = subChart
+	}
+
+	var manifestFiles []safeguards.ManifestFile
+	for chartPath, chart := range loadedCharts {
+		valuesPath := filepath.Join(chartPath, "values.yaml") // Enforce that values.yaml must be at same level as Chart.yaml
+		mergedValues, err := getValues(chart, valuesPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load values: %s", err)
+		}
+		e := engine.Engine{Strict: true}
+		renderedFiles, err := e.Render(chart, mergedValues)
+		if err != nil {
+			return nil, fmt.Errorf("failed to render chart: %s", err)
+		}
+
+		// Write each rendered file to the output directory with the same name as in templates/
+		for renderedPath, content := range renderedFiles {
+			outputFilePath := filepath.Join(tempDir, filepath.Base(renderedPath))
+			if err := os.WriteFile(outputFilePath, []byte(content), 0644); err != nil {
+				return nil, fmt.Errorf("failed to write manifest file: %s", err)
+			}
+			manifestFiles = append(manifestFiles, safeguards.ManifestFile{Name: filepath.Base(renderedPath), Path: outputFilePath})
+		}
+	}
+
+	return manifestFiles, nil
+}
+
+// CreateTempDir creates a temporary directory on the user's file system for rendering templates
+func CreateTempDir(p string) error {
+	err := os.MkdirAll(p, 0755)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	return err
+}
+
+// IsKustomize checks whether a given path should be treated as a kustomize project
+func IsKustomize(p string) bool {
+	var err error
+	if safeguards.IsYAML(p) {
+		return strings.Contains(p, "kustomization.yaml")
+	} else if _, err = os.Stat(filepath.Join(p, "kustomization.yaml")); err == nil {
+		return true
+	} else if _, err = os.Stat(filepath.Join(p, "kustomization.yml")); err == nil {
+		return true
+	}
+	return false
+}
+
+// Given a kustomization manifest file within kustomizationPath, RenderKustomizeManifest will render templates out to tempDir
+func RenderKustomizeManifest(kustomizationPath, tempDir string) ([]safeguards.ManifestFile, error) {
+	log.Debugf("Rendering kustomization.yaml...")
+	if safeguards.IsYAML(kustomizationPath) {
+		kustomizationPath = filepath.Dir(kustomizationPath)
+	}
+
+	options := &krusty.Options{
+		Reorder:          "none",
+		LoadRestrictions: types.LoadRestrictionsRootOnly,
+		PluginConfig:     &types.PluginConfig{},
+	}
+	k := krusty.MakeKustomizer(options)
+
+	// Run the build to generate the manifests
+	kustomizeFS := filesys.MakeFsOnDisk()
+	resMap, err := k.Run(kustomizeFS, kustomizationPath)
+	if err != nil {
+		return nil, fmt.Errorf("Error building manifests: %s\n", err.Error())
+	}
+
+	// Output the manifests
+	var manifestFiles []safeguards.ManifestFile
+	kindMap := make(map[string]int)
+	for _, res := range resMap.Resources() {
+		yamlRes, err := res.AsYAML()
+		if err != nil {
+			return nil, fmt.Errorf("Error converting resource to YAML: %s\n", err.Error())
+		}
+
+		// index of every kind of manifest for outputRenderPath
+		kindMap[res.GetKind()] += 1
+		outputRenderPath := filepath.Join(tempDir, strings.ToLower(res.GetKind())) + fmt.Sprintf("-%d.yaml", kindMap[res.GetKind()])
+
+		err = kustomizeFS.WriteFile(outputRenderPath, yamlRes)
+		if err != nil {
+			return nil, fmt.Errorf("Error writing yaml resource: %s\n", err.Error())
+		}
+
+		// write yamlRes to dir
+		manifestFiles = append(manifestFiles, safeguards.ManifestFile{
+			Name: res.GetName(),
+			Path: outputRenderPath,
+		})
+	}
+
+	return manifestFiles, nil
+}

pkg/safeguards/preprocessing/preprocessing_helpers.go

@@ -0,0 +1,54 @@
+package preprocessing
+
+import (
+	"fmt"
+	"os"
+
+	"gopkg.in/yaml.v3"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+)
+
+// Returns values from values.yaml and release options specified in values.yaml
+func getValues(chart *chart.Chart, valuesPath string) (chartutil.Values, error) {
+	// Load values file
+	valuesFile, err := os.ReadFile(valuesPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read values file: %s", err)
+	}
+
+	vals := map[string]interface{}{}
+	if err := yaml.Unmarshal(valuesFile, &vals); err != nil {
+		return nil, fmt.Errorf("failed to parse values.yaml: %s", err)
+	}
+
+	mergedValues, err := getReleaseOptions(chart, vals)
+	return mergedValues, err
+}
+
+func getReleaseOptions(chart *chart.Chart, vals map[string]interface{}) (chartutil.Values, error) {
+	// Extract release options from values
+	releaseName, ok := vals["releaseName"].(string)
+	if !ok || releaseName == "" {
+		return nil, fmt.Errorf("releaseName not found or empty in values.yaml")
+	}
+
+	releaseNamespace, ok := vals["releaseNamespace"].(string)
+	if !ok || releaseNamespace == "" {
+		return nil, fmt.Errorf("releaseNamespace not found or empty in values.yaml")
+	}
+
+	options := chartutil.ReleaseOptions{
+		Name:      releaseName,
+		Namespace: releaseNamespace,
+	}
+
+	// Combine chart values with release options
+	config := chartutil.Values(vals)
+	mergedValues, err := chartutil.ToRenderValues(chart, config, options, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to merge values: %s", err)
+	}
+
+	return mergedValues, nil
+}