[Feature] Add Kubernetes manifest validation in pre-commit. (#2380)

Author: LeoLiao123

.github/workflows/test-job.yaml

@@ -17,6 +17,13 @@ jobs:
           curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.60.3
           mv ./bin/golangci-lint /usr/local/bin/golangci-lint
         shell: bash
+
+      - name: Install kubeconform
+        run: |
+          curl -L https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz -o kubeconform.tar.gz
+          tar -xzf kubeconform.tar.gz
+          mv kubeconform /usr/local/bin/
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v3
       - uses: pre-commit/[email protected]

.pre-commit-config.yaml

@@ -31,7 +31,7 @@ repos:
     hooks:
       - id: check-golangci-lint-version
         name: golangci-lint version check
-        entry: bash -c 'version="1.60.3"; [ "$(golangci-lint --version | grep -oP "(?<=version )[\d\.]+")" = "$version" ] || echo "golangci-lint version is not $version"'
+        entry: bash -c 'version="1.60.3"; [ "$(golangci-lint --version | grep -oP "(?<=version )[\d\.]+")" = "$version" ] || { echo "golangci-lint version is not $version"; exit 1; }'
         language: system
         always_run: true
         fail_fast: true
@@ -56,3 +56,21 @@ repos:
         language: golang
         require_serial: true
         files: ^kubectl-plugin/
+
+  - repo: local
+    hooks:
+      - id: check-kubeconform-version
+        name: kubeconform version check
+        entry: bash -c 'version="0.6.7"; [ "$(kubeconform -v | grep -oP "(?<=v)[\d\.]+")" = "$version" ] || { echo "kubeconform version is not $version"; exit 1; }'
+        language: system
+        always_run: true
+        fail_fast: true
+        pass_filenames: false
+
+  - repo: local
+    hooks:
+      - id: validate-helm-charts
+        name: validate helm charts with kubeconform
+        entry: bash scripts/validate-helm.sh
+        language: system
+        pass_filenames: false

helm-chart/ray-cluster/templates/raycluster-cluster.yaml

@@ -167,7 +167,9 @@ spec:
             {{- if $values.envFrom }}
             envFrom: {{- toYaml $values.envFrom | nindent 14 }}
             {{- end }}
+            {{- if $values.ports }}
             ports: {{- toYaml $values.ports | nindent 14}}
+            {{- end }}
             {{- if $values.lifecycle }}
             lifecycle:
             {{- toYaml $values.lifecycle | nindent 14 }}
@@ -262,7 +264,9 @@ spec:
             {{- with .Values.worker.envFrom }}
             envFrom: {{- toYaml . | nindent 14}}
             {{- end }}
+            {{- if .Values.worker.ports }}
             ports: {{- toYaml .Values.worker.ports | nindent 14}}
+            {{- end }}
             {{- if .Values.worker.lifecycle }}
             lifecycle:
             {{- toYaml .Values.worker.lifecycle | nindent 14 }}

ray-operator/DEVELOPMENT.md

@@ -203,8 +203,9 @@ helm uninstall kuberay-operator; helm install kuberay-operator --set image.repos
 ## pre-commit hooks
 
 1. Install [golangci-lint](https://github.com/golangci/golangci-lint/releases).
-2. Install [pre-commit](https://pre-commit.com/).
-3. Run `pre-commit install` to install the pre-commit hooks.
+2. Install [kubeconform](https://github.com/yannh/kubeconform/releases).
+3. Install [pre-commit](https://pre-commit.com/).
+4. Run `pre-commit install` to install the pre-commit hooks.
 
 ## CI/CD
 

scripts/openapi2jsonschema.py

@@ -0,0 +1,188 @@
+#!/usr/bin/env python3
+
+# This script is directly derived from:
+# Source: https://github.com/yannh/kubeconform/blob/master/scripts/openapi2jsonschema.py
+
+# Derived from https://github.com/instrumenta/openapi2jsonschema
+import yaml
+import json
+import sys
+import os
+import urllib.request
+if 'DISABLE_SSL_CERT_VALIDATION' in os.environ:
+    import ssl
+    ssl._create_default_https_context = ssl._create_unverified_context
+
+def test_additional_properties():
+    for test in iter([{
+        "input": {"something": {"properties": {}}},
+        "expect": {'something': {'properties': {}, "additionalProperties": False}}
+    },{
+        "input": {"something": {"somethingelse": {}}},
+        "expect": {'something': {'somethingelse': {}}}
+    }]):
+        assert additional_properties(test["input"]) == test["expect"]
+
+def additional_properties(data, skip=False):
+    "This recreates the behaviour of kubectl at https://github.com/kubernetes/kubernetes/blob/225b9119d6a8f03fcbe3cc3d590c261965d928d0/pkg/kubectl/validation/schema.go#L312"
+    if isinstance(data, dict):
+        if "properties" in data and not skip:
+            if "additionalProperties" not in data:
+                data["additionalProperties"] = False
+        for _, v in data.items():
+            additional_properties(v)
+    return data
+
+def test_replace_int_or_string():
+    for test in iter([{
+        "input": {"something": {"format": "int-or-string"}},
+        "expect": {'something': {'oneOf': [{'type': 'string'}, {'type': 'integer'}]}}
+    },{
+        "input": {"something": {"format": "string"}},
+        "expect": {"something": {"format": "string"}},
+    }]):
+        assert replace_int_or_string(test["input"]) == test["expect"]
+
+def replace_int_or_string(data):
+    new = {}
+    try:
+        for k, v in iter(data.items()):
+            new_v = v
+            if isinstance(v, dict):
+                if "format" in v and v["format"] == "int-or-string":
+                    new_v = {"oneOf": [{"type": "string"}, {"type": "integer"}]}
+                else:
+                    new_v = replace_int_or_string(v)
+            elif isinstance(v, list):
+                new_v = list()
+                for x in v:
+                    new_v.append(replace_int_or_string(x))
+            else:
+                new_v = v
+            new[k] = new_v
+        return new
+    except AttributeError:
+        return data
+
+def allow_null_optional_fields(data, parent=None, grand_parent=None, key=None):
+    new = {}
+    try:
+        for k, v in iter(data.items()):
+            new_v = v
+            if isinstance(v, dict):
+                new_v = allow_null_optional_fields(v, data, parent, k)
+            elif isinstance(v, list):
+                new_v = list()
+                for x in v:
+                    new_v.append(allow_null_optional_fields(x, v, parent, k))
+            elif isinstance(v, str):
+                is_non_null_type = k == "type" and v != "null"
+                has_required_fields = grand_parent and "required" in grand_parent
+                if is_non_null_type and not has_required_fields:
+                    new_v = [v, "null"]
+            new[k] = new_v
+        return new
+    except AttributeError:
+        return data
+
+
+def append_no_duplicates(obj, key, value):
+    """
+    Given a dictionary, lookup the given key, if it doesn't exist create a new array.
+    Then check if the given value already exists in the array, if it doesn't add it.
+    """
+    if key not in obj:
+        obj[key] = []
+    if value not in obj[key]:
+        obj[key].append(value)
+
+
+def write_schema_file(schema, filename):
+    schemaJSON = ""
+
+    schema = additional_properties(schema, skip=not os.getenv("DENY_ROOT_ADDITIONAL_PROPERTIES"))
+    schema = replace_int_or_string(schema)
+    schemaJSON = json.dumps(schema, indent=2)
+
+    # Dealing with user input here..
+    filename = os.path.basename(filename)
+    f = open(filename, "w")
+    print(schemaJSON, file=f)
+    f.close()
+    print("JSON schema written to {filename}".format(filename=filename))
+
+
+def construct_value(load, node):
+    # Handle nodes that start with '='
+    # See https://github.com/yaml/pyyaml/issues/89
+    if not isinstance(node, yaml.ScalarNode):
+        raise yaml.constructor.ConstructorError(
+            "while constructing a value",
+            node.start_mark,
+            "expected a scalar, but found %s" % node.id, node.start_mark
+        )
+    yield str(node.value)
+
+
+if __name__ == "__main__":
+  if len(sys.argv) < 2:
+      print('Missing FILE parameter.\nUsage: %s [FILE]' % sys.argv[0])
+      exit(1)
+
+  for crdFile in sys.argv[1:]:
+      if crdFile.startswith("http"):
+        f = urllib.request.urlopen(crdFile)
+      else:
+        f = open(crdFile)
+      with f:
+          defs = []
+          yaml.SafeLoader.add_constructor(u'tag:yaml.org,2002:value', construct_value)
+          for y in yaml.load_all(f, Loader=yaml.SafeLoader):
+              if y is None:
+                  continue
+              if "items" in y:
+                  defs.extend(y["items"])
+              if "kind" not in y:
+                  continue
+              if y["kind"] != "CustomResourceDefinition":
+                  continue
+              else:
+                  defs.append(y)
+
+          for y in defs:
+              filename_format = os.getenv("FILENAME_FORMAT", "{kind}_{version}")
+              filename = ""
+              if "spec" in y and "versions" in y["spec"] and y["spec"]["versions"]:
+                  for version in y["spec"]["versions"]:
+                      if "schema" in version and "openAPIV3Schema" in version["schema"]:
+                          filename = filename_format.format(
+                              kind=y["spec"]["names"]["kind"],
+                              group=y["spec"]["group"].split(".")[0],
+                              fullgroup=y["spec"]["group"],
+                              version=version["name"],
+                          ).lower() + ".json"
+
+                          schema = version["schema"]["openAPIV3Schema"]
+                          write_schema_file(schema, filename)
+                      elif "validation" in y["spec"] and "openAPIV3Schema" in y["spec"]["validation"]:
+                          filename = filename_format.format(
+                              kind=y["spec"]["names"]["kind"],
+                              group=y["spec"]["group"].split(".")[0],
+                              fullgroup=y["spec"]["group"],
+                              version=version["name"],
+                          ).lower() + ".json"
+
+                          schema = y["spec"]["validation"]["openAPIV3Schema"]
+                          write_schema_file(schema, filename)
+              elif "spec" in y and "validation" in y["spec"] and "openAPIV3Schema" in y["spec"]["validation"]:
+                  filename = filename_format.format(
+                      kind=y["spec"]["names"]["kind"],
+                      group=y["spec"]["group"].split(".")[0],
+                      fullgroup=y["spec"]["group"],
+                      version=y["spec"]["version"],
+                  ).lower() + ".json"
+
+                  schema = y["spec"]["validation"]["openAPIV3Schema"]
+                  write_schema_file(schema, filename)
+
+  exit(0)

scripts/validate-helm.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -euo pipefail
+export KUBERAY_HOME=$(git rev-parse --show-toplevel)
+SCRIPT_PATH="${KUBERAY_HOME}/scripts/openapi2jsonschema.py"
+RAYCLUSTER_CRD_PATH="$KUBERAY_HOME/ray-operator/config/crd/bases/ray.io_rayclusters.yaml"
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' EXIT
+
+# Convert CRD YAML to JSON Schema
+pushd "${tmp}" > /dev/null
+"$SCRIPT_PATH" "$RAYCLUSTER_CRD_PATH"
+popd > /dev/null
+RAYCLUSTER_CRD_SCHEMA="${tmp}/raycluster_v1.json"
+
+# Validate Helm charts with kubeconform
+echo "Validating Helm Charts with kubeconform..."
+helm template "$KUBERAY_HOME/helm-chart/kuberay-apiserver" | kubeconform --summary -schema-location default
+helm template "$KUBERAY_HOME/helm-chart/kuberay-operator" | kubeconform --summary -schema-location default
+helm template "$KUBERAY_HOME/helm-chart/ray-cluster" | kubeconform --summary -schema-location default -schema-location "$RAYCLUSTER_CRD_SCHEMA"