Skip to content

DoodleScheduling/xunpack

Unpack manifests from crossplane resources

release Go Report Card OpenSSF Scorecard Coverage Status

This small utility extracts manifests from crossplane packages as well as converts any CompositeResourceDefinitions into CustomResourceDefinitions.

Crossplane packages are installed at runtime and any crossplane manifests are only available within the cluster. The same applies for CompositeResourceDefinitions. Any CompositeResourceDefinitions are only installed at runtime. This makes is hard to validate crossplane providers and/or custom crossplane resources before runtime. However with this tool these manifests are available beforehand and resources can be validated in ci pipelines.

Installation

Brew

brew tap doodlescheduling/xunpack
brew install xunpack

Docker

docker pull ghcr.io/doodlescheduling/xunpack:v0

Arguments

Flag Short Env Default Description
--file -f IFILE /dev/stdin Path to input
--workers `` WORKERS Number of CPU cores Number of workers to process the manifest
--fail-fast `` FAIL_FAST false Exit early if an error occurred
--allow-failure `` ALLOW_FAILURE false Do not exit > 0 if an error occurred
--output -o OUTPUT /dev/stdout Path to output file

Github Action

This app works also great on CI, in fact this was the original reason why it was created.

Example usage

name: xunpack
on:
- pull_request

jobs:
  build:
    strategy:
      matrix:
        cluster: [staging, production]

    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
    - uses: docker://ghcr.io/doodlescheduling/xunpack:v0
      env:
        PATHS: ./${{ matrix.cluster }}
        OUTPUT: build.yaml

Advanced example

While a simple gitops pipeline just verifies if kustomizations can be built and HelmReleases installed a more advanced pipeline includes follow-up validations like kyverno tests, kubeval validations or kubeaudit tests.

name: xunpack
on:
- pull_request

jobs:
  build:
    strategy:
      matrix:
        cluster: [staging, production]

    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
    - uses: docker://ghcr.io/doodlescheduling/xunpack:v0
      env:
        PATHS: ./${{ matrix.cluster }}
        WORKERS: "50"
        OUTPUT: ./build.yaml
    - name: Setup kubeconform
      shell: bash
      run: |
        curl -L -v --fail https://github.com/yannh/kubeconform/releases/download/v0.6.1/kubeconform-linux-amd64.tar.gz -o kubeconform.tgz
        tar xvzf kubeconform.tgz
        sudo mv kubeconform /usr/bin/
    - name: Setup openapi2jsonschema
      shell: bash
      run: |
        curl -L -v --fail https://raw.githubusercontent.com/yannh/kubeconform/v0.6.2/scripts/openapi2jsonschema.py -o openapi2jsonschema.py
        sudo mv openapi2jsonschema.py /usr/bin/openapi2jsonschema
        sudo chmod +x /usr/bin/openapi2jsonschema
    - name: Setup yq
      uses: chrisdickinson/setup-yq@3d931309f27270ebbafd53f2daee773a82ea1822 #v1.0.1
      with:
        yq-version: v4.24.5
    - name: Convert CRD to json schemas
      shell: bash
      run: |
        echo "openapi2jsonschema ./build.yaml"
        mkdir "schemas"
        cat $m | yq -e 'select(.kind == "CustomResourceDefinition")' > schemas/crds.yaml
        pip install pyyaml
        openapi2jsonschema schemas/*.yaml
    - name: Run conform
      shell: bash
      env: 
        KUBERNETES_VERSION: "${{ inputs.kubernetes-version }}"
      run: |
        echo "kubeconform $m"
        cat ./build.yaml | kubeconform -kubernetes-version $KUBERNETES_VERSION -schema-location default -schema-location "schemas/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json" --skip CustomResourceDefinition,APIService --strict --summary
    - name: Setup kyverno
      shell: bash
      run: |
        curl -LO --fail https://github.com/kyverno/kyverno/releases/download/v1.7.2/kyverno-cli_v1.7.2_linux_x86_64.tar.gz
        tar -xvf kyverno-cli_v1.7.2_linux_x86_64.tar.gz
        sudo cp kyverno /usr/local/bin/
    - name: Test kyverno policies
      shell: bash
      run: |
        kyverno apply kyverno-policies -r ./build.yaml