elastisys
diff --git a/‎.github/pull_request_template.md‎
Lines changed: 2 additions & 0 deletions b/‎.github/pull_request_template.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.vscode/settings.json‎
Lines changed: 5 additions & 0 deletions b/‎.vscode/settings.json‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bin/common.bash‎
Lines changed: 31 additions & 4 deletions b/‎bin/common.bash‎
Lines changed: 31 additions & 4 deletions
diff --git a/‎config/schemas/README.md‎
Lines changed: 99 additions & 0 deletions b/‎config/schemas/README.md‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎config/schemas/config.yaml‎
Lines changed: 131 additions & 0 deletions b/‎config/schemas/config.yaml‎
Lines changed: 131 additions & 0 deletions
@@ -112,3 +112,5 @@ Include screenshots if applicable to help explain these changes.
   - [ ] The change does not cause any alerts to be generated by Falco
 - Bug checks:
   - [ ] The bug fix is covered by regression tests
+- Config checks:
+  - [ ] The schema was updated
@@ -0,0 +1,5 @@
+{
+  "yaml.schemas": {
+    "config/schemas/config.yaml": "config/config/*-config.yaml"
+  }
+}
@@ -113,7 +113,7 @@ check_tools() {
   warn=0
   err=0
 
-  for executable in jq yq4 s3cmd sops kubectl helm helmfile dig pwgen htpasswd; do
+  for executable in jq yq4 s3cmd sops kubectl helm helmfile dig pwgen htpasswd yajsv; do
     if ! command -v "${executable}" > /dev/null; then
       log_error "Required dependency ${executable} missing"
       err=1
@@ -288,13 +288,13 @@ load_config() {
 
     if [[ "${1}" == "sc" ]]; then
         check_config "${config[default_sc]}" "${config[override_sc]}"
-        config[config_file_sc]=$(mktemp)
+        config[config_file_sc]=$(mktemp --suffix="_sc-config.yaml")
         append_trap "rm ${config[config_file_sc]}" EXIT
         merge_config "${config[default_sc]}" "${config[override_sc]}" "${config[config_file_sc]}"
 
     elif [[ "${1}" == "wc" ]]; then
         check_config "${config[default_wc]}" "${config[override_wc]}"
-        config[config_file_wc]=$(mktemp)
+        config[config_file_wc]=$(mktemp --suffix="_wc-config.yaml")
         append_trap "rm ${config[config_file_wc]}" EXIT
         merge_config "${config[default_wc]}" "${config[override_wc]}" "${config[config_file_wc]}"
 
@@ -362,7 +362,30 @@ validate_config() {
         fi
     }
 
-    template_file=$(mktemp)
+    schema_validate() {
+        merged_config="${1}"
+        schema_file="${2}"
+
+        schema_validation_result="$(mktemp  --suffix='.txt')"
+        append_trap "rm ${schema_validation_result}" EXIT
+
+        if ! yajsv -s "${schema_file}" "${merged_config}" > "${schema_validation_result}"; then
+            log_warning "Failed schema validation:"
+            sed -r 's/^.*_(..-config\.yaml): fail: (.*)/\1: \2/; / failed validation$/q' < "${schema_validation_result}"
+            grep -oP '(?<=fail: )[^:]+' "${schema_validation_result}" | sort -u |
+            while read -r jpath; do
+              echo -n ".$jpath = "
+              yq4 -oj ".$jpath" "${merged_config}"
+            done
+            maybe_exit="true"
+        fi
+
+        if ${maybe_exit} && ! ${CK8S_AUTO_APPROVE}; then
+            ask_abort
+        fi
+    }
+
+    template_file=$(mktemp --suffix="-tpl.yaml")
     append_trap "rm ${template_file}" EXIT
 
     if [[ $1 == "sc" ]]; then
@@ -373,7 +396,9 @@ validate_config() {
             "${config_template_path}/config/sc-config.yaml" \
             > "${template_file}"
         validate "${config[config_file_sc]}" "${template_file}"
+        schema_validate "${config[config_file_sc]}" "${config_template_path}/schemas/config.yaml"
         validate "${secrets[secrets_file]}" "${config_template_path}/secrets/sc-secrets.yaml"
+        schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
     elif [[ $1 == "wc" ]]; then
         check_config "${config_template_path}/config/common-config.yaml" \
             "${config_template_path}/config/wc-config.yaml" \
@@ -382,7 +407,9 @@ validate_config() {
             "${config_template_path}/config/wc-config.yaml" \
             > "${template_file}"
         validate "${config[config_file_wc]}" "${template_file}"
+        schema_validate "${config[config_file_wc]}" "${config_template_path}/schemas/config.yaml"
         validate "${secrets[secrets_file]}" "${config_template_path}/secrets/wc-secrets.yaml"
+        schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
     else
         log_error "ERROR: usage validate_config <sc|wc>"
         exit 1
 
@@ -0,0 +1,99 @@
+# Configuration Schema
+
+Despite the name, JSON Schema can be used to describe most kinds of data
+structures, especially those with a data model very close to JSON, such
+as YAML (if you stay away from the fancier features).
+
+A JSON or YAML value that satisfies a schema is called an "instance".
+
+- [JSON Schema Core](https://json-schema.org/draft/2020-12/json-schema-core) specifies the basic structure of a schema.
+- [Json Schema Validation](https://json-schema.org/draft/2020-12/json-schema-validation) specifies additional ways to validate various values.
+
+For example, given the following config snippet:
+
+``` yaml
+some-service:
+  enabled: true
+  foo: hello
+  bar: [ world ]
+```
+
+A schema describing this might look like:
+
+``` yaml
+properties:
+  some-service:
+    title: An Example
+    description: Some words to describe this schema
+    type: object
+    required:
+    - enabled
+    properties:
+      enabled:
+        type: boolean
+      foo:
+        type: string
+        examples:
+        - hello
+        default: baz
+      bar:
+        type: array
+        items:
+          type: string
+          examples:
+          - world
+    additionalProperties: false
+```
+
+Important things:
+
+`type` declares the accepted type(s) of a value, using the JSON name for types:
+
+- `object`
+- `array`
+- `string`
+- `number` / `integer`
+- `boolean`
+
+`title`, `description` and `examples` serve as documentation, to describe the value.
+Default values can be provided in `default`.
+
+`type: object` must have a `properties` map describing each value in the object.
+
+Any value not covered by `properties` would be tried against the schema in `additionalProperties`.
+In most cases this should be `false`, which causes validation to fail in order to detect e.g. typos or that the schema is  incomplete.
+Objects where all properties of are the same kind can have a schema object instead as `additionalProperties`.
+
+Any object property that is **required** can be specified as a list in `required`.
+Other properties are allowed to be missing.
+
+Lists, `type: array`, has schema for its items in `items`.
+
+Scalar types can have various constraints and validation hints, e.g. length and range constraints, `format: email` etc. <!-- how much of json-schema-validation to duplicate? -->
+
+The tool `bin/genschema.py` can be used to generate a schema from a YAML snippet.
+
+```bash
+cat > conf-snippet.yaml <<EOF
+service:
+  enabled: true
+  features:
+  - nice
+EOF
+./bin/genschema.py ./conf-snippet.yaml | tee ./conf-snippet.yaml
+```
+
+The output can be tweaked and inserted into `config/schemas/config.yaml` under `.properties`.
+
+## VSCode
+
+The plugin `redhat.vscode-yaml` can provide auto completion, validation and help texts from the schema.
+This can be enabled this in other repositories by editing the file `.vscode/settings.json`, adding the path or URL to the schema under the key `.["yaml.schemas"]` like below:
+
+```json
+{
+  "yaml.schemas": {
+    ".../path/to/ck8s-apps/config/schemas/config.yaml": "config/config/*-config.yaml"
+  }
+}
+```
@@ -0,0 +1,131 @@
+$schema: https://json-schema.org/draft/2020-12/schema
+# TODO point to main branch before merge
+$id: https://github.com/elastisys/compliantkubernetes-apps/raw/ka/jsonschema/config/schemas/config.yaml
+title: Compliant Kubernetes Apps settings
+description: |
+  This describes the structure of the configuration for both the service
+  cluster and the workload cluster, but keep in mind that each configuration
+  file will contain different settings.
+$defs:
+  $comment: |
+    Location for common types of things for reuse with a reference like
+
+    ```yaml
+    thing:
+      $ref: "#/$defs/thing"
+    ```
+type: object
+required:
+  - global
+properties:
+  global:
+    title: Global options
+    description: Some common options used in various helm charts.
+    type: object
+    required:
+      - ck8sVersion
+      - ck8sCloudProvider
+      - ck8sEnvironmentName
+      - ck8sFlavor
+      - baseDomain
+      - opsDomain
+    properties:
+      ck8sVersion:
+        title: Compliant Kubernetes Apps version
+        description: |-
+          Use version number if you are exactly at a release tag.
+          Otherwise use full commit hash of current commit.
+          `any`, can be used to disable this validation.
+        type: string
+        examples:
+          - v0.42.1
+          - any
+          - 424442541a567646c232d949bad1af2b5b7cb885
+      ck8sCloudProvider:
+        type: string
+        enum:
+          - aws
+          - baremetal
+          - citycloud
+          - elastx
+          - exoscale
+          - none
+          - safespring
+          - upcloud
+      ck8sEnvironmentName:
+        title: Environment name
+        type: string
+        examples:
+          - my-ck8s-cluster
+      ck8sFlavor:
+        type: string
+        enum:
+          - prod
+          - dev
+          - air-gapped
+      baseDomain:
+        title: Base Domain
+        description: |-
+          Domain intended for ingress usage in the workload cluster
+          and to reach application developer facing services such as Grafana, Harbor and OpenSearch Dashboards.
+          E.g. with 'prod.domain.com', OpenSearch Dashboards is reached via 'opensearch.prod.domain.com'.
+        type: string
+        format: hostname
+      opsDomain:
+        description: |-
+          Domain intended for ingress usage in the service cluster and to reach
+          non-user facing services such as Thanos and OpenSearch.
+          E.g. with 'ops.prod.domain.com', OpenSearch is reached via 'opensearch.ops.prod.domain.com'.
+        type: string
+        format: hostname
+      scDomain:
+        description: If baseDomain for wc and sc are not the same, set the domain of the sc cluster.
+        type: string
+        oneOf: # Templates do not handle missing values so they must be empty strings to disable. Future FIXME?
+          - const: ""
+          - format: hostname
+      scOpsDomain:
+        description: If opsDomain for wc and sc are not the same, set the ops domain of the sc cluster.
+        type: string
+        oneOf:
+          - const: ""
+          - format: hostname
+      issuer:
+        description: |-
+          Default cert-manager issuer to use for issuing certificates for ingresses.
+          Normally one of `letsencrypt-staging` or `letsencrypt-prod`.
+        type: string
+        default: letsencrypt-staging
+        enum:
+          - letsencrypt-staging
+          - letsencrypt-prod
+      verifyTls:
+        description: Verify ingress certificates
+        type: boolean
+        default: true
+      clusterDns:
+        description: IP of the cluster DNS in kubernetes
+        type: string
+        default: 10.233.0.3
+        format: ip-address
+      clusterName:
+        type: string
+      clustersMonitoring:
+        description: |-
+          Names of the workload clusters that sends metrics to this cluster.
+          Mainly used for filtering of metrics.
+        type: array
+        items:
+          type: string
+          pattern: -[sw]c$
+      containerRuntime:
+        title: Container runtime
+        default: containerd
+        type: string
+        enum:
+          - containerd
+          - docker
+    additionalProperties: false
+additionalProperties:
+  type: object
+  properties: {}
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +{
 +  "yaml.schemas": {
 +    "config/schemas/config.yaml": "config/config/*-config.yaml"
 +  }
 +}