No Schema for SecretProviderClass manifests #21

jpbulloch5 opened this issue Nov 4, 2022 · 6 comments

@jpbulloch5

There are currently no schemas for SecretProviderClass (used in our case for connecting Azure Key Vaults to our Deployments).

Azure Documentation related to our use case:
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#sync-mounted-content-with-a-kubernetes-secret

Currently, the lack of a schema for SecretProviderClass manifests means we have to use --ignore-missing-schemas in our pipelines when linting our Kubernetes manifests.

Thanks!

@eyarz

eyarz commented Nov 5, 2022

@jpbulloch5 SecretProviderClass are not native K8s objects (they are CRDs), so they are not part of the default schemas that are checked by Kubeconform.

You can use Kubeconform and set the CRDs-catalog as an external schema location. This will work because SecretProviderClass are already part of the catalog.

@yannh
Owner

yannh commented Nov 5, 2022

@eyarz Maybe we could link to the CRD catalog in the README

@eyarz

eyarz commented Nov 6, 2022

> @eyarz Maybe we could link to the CRD catalog in the README

Sure! I will open a PR.

@jpbulloch5
Author

Our CI/CD use case pipes the output from kustomize build to kubeval to check that the manifests build correctly from their Kustomize templates. We are not checking each manifest independently, so I hoped for a solution that used kubeval since it works for the rest of our manifests without issue.

@eyarz

eyarz commented Nov 9, 2022

In the CRDs-catalog repo, you also have instructions on how to use it with kubeval.

@jpbulloch5
Author

As a custom solution based on your feedback (thanks), I added the following to the Dockerfile for the custom image that runs the kubeval lint job in our CI/CD pipelines:

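```dockerfile
# Download the SecretProviderClass JSON schema from the CRDs-catalog into a
# local directory that kubeval can use as an additional schema location
RUN mkdir --parents crd-schemas/master-standalone-strict \
    && wget \
        --quiet \
        --output-document crd-schemas/master-standalone-strict/secretproviderclass-secrets-store-v1alpha1.json \
        https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1alpha1.json
```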

In the script that executes the job I added file:/crd-schemas to our list of --additional-schema-locations.
That fixed it for our use case.
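
Added example, not part of the thread or of the kubeval project: a shell check that lists which kinds in a build output still have no local schema file, so a pipeline can stop relying on `--ignore-missing-schemas` without leaving custom resources unvalidated. It assumes the schema file layout used in the Dockerfile above; `schema_path`, `missing_schemas`, `demo`, `SCHEMA_SET` and the `example.test` Widget resource are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the kubeval lookup layout seen in
# the Dockerfile: <set>/<kind>-<first label of API group>-<version>.json

# schema_path APIVERSION KIND: relative schema file name for one resource.
schema_path() {
    sp_api=$1
    sp_suffix=${sp_api%%/*}        # API group, or the bare version for core kinds
    sp_suffix=${sp_suffix%%.*}     # keep only the first label of the group
    case $sp_api in
        */*) sp_suffix="$sp_suffix-${sp_api#*/}" ;;   # grouped API: add version
    esac
    printf '%s/%s-%s.json\n' "${SCHEMA_SET:-master-standalone-strict}" \
        "$2" "$sp_suffix" | tr '[:upper:]' '[:lower:]'
}

# missing_schemas DIR...: read a multi-document manifest stream on stdin and
# print "apiVersion kind path" for each kind with no schema file under any DIR.
# Only top-level, unquoted apiVersion/kind keys are read.
missing_schemas() {
    awk '
        /^---/         { if (a != "" && k != "") print a, k; a = ""; k = ""; next }
        /^apiVersion:/ { a = $2 }
        /^kind:/       { k = $2 }
        END            { if (a != "" && k != "") print a, k }
    ' | sort -u | while read -r ms_api ms_kind; do
        ms_path=$(schema_path "$ms_api" "$ms_kind")
        ms_found=no
        for ms_dir in "$@"; do
            if [ -f "$ms_dir/$ms_path" ]; then ms_found=yes; fi
        done
        [ "$ms_found" = yes ] || printf '%s %s %s\n' "$ms_api" "$ms_kind" "$ms_path"
    done
}

# Constructed sample: build output with one covered and one uncovered custom
# resource (example.test/Widget is made up), checked against a temp directory.
demo() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/master-standalone-strict"
    : > "$demo_dir/master-standalone-strict/secretproviderclass-secrets-store-v1alpha1.json"
    printf '%s\n' 'apiVersion: secrets-store.csi.x-k8s.io/v1alpha1' \
        'kind: SecretProviderClass' 'metadata:' '  name: kv' '---' \
        'apiVersion: example.test/v1' 'kind: Widget' 'metadata:' '  name: w' |
        missing_schemas "$demo_dir"
    rm -rf "$demo_dir"
}
demo
```

Pass every local schema directory as an argument. Because only local files are checked, kinds whose schemas come from a remote schema location are listed too unless a local copy of those schemas is passed as well.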
