kube-powertools

An always up to date collection of useful tools for your Kubernetes linting and auditing needs.

Usage

Mount a folder containing your Helm or raw Kubernetes manifests:

docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.36

The container image is pushed to these two registries:

  • docker.io/chgl/kube-powertools:v2.3.36
  • ghcr.io/chgl/kube-powertools:v2.3.36

Helm Chart Repositories

The kube-powertools image includes a few helpful scripts to simplify working with Helm chart repositories.

Linting

The image includes a chart-powerlint.sh script which can be used to apply several linters to Helm chart repos.

For example, you can mount this repository into the kube-powertools container and run the following to lint the sample chart in the /samples/charts dir:

$ docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.36
bash-5.1# CHARTS_DIR=samples/charts chart-powerlint.sh

Generating Chart Documentation

You can auto-generate and format Markdown docs from the chart's values.yaml using generate-docs.sh. This script uses chart-doc-gen if the chart dir contains a doc.yaml, and helm-docs otherwise.

Generating Chart Schemas

You can auto-generate the Helm schema from the chart's values.yaml using generate-schemas.sh.

Generating CHANGELOG files

Finally, there's generate-chart-changelog.sh, which can be used to generate a CHANGELOG.md file from the contents of a Chart.yaml's artifacthub.io/changes annotation.

You can use this file in conjunction with the chart-releaser tool's --release-notes-file option to produce release notes for a GitHub release. See https://github.com/chgl/charts/blob/master/.github/workflows/release.yaml#L32 and https://github.com/chgl/charts/blob/master/.github/ct/ct.yaml#L16 for a sample workflow.

What's included

Testing locally

$ docker build -t kube-powertools:dev .
$ docker run --rm -it -v $PWD:/root/workspace kube-powertools:dev
bash-5.1# CHARTS_DIR=samples/charts scripts/chart-powerlint.sh

Image signature and provenance verification

Prerequisites: the crane, cosign and slsa-verifier CLIs used in the commands below.

First, determine the digest of the container image to verify. This digest is also visible on the packages page on GitHub: https://github.com/chgl/kube-powertools/pkgs/container/kube-powertools.

IMAGE=ghcr.io/chgl/kube-powertools:v2.3.36
IMAGE_DIGEST=$(crane digest "$IMAGE")
IMAGE_TAG="${IMAGE#*:}"

Verify the container signature:

cosign verify \
   --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
   --certificate-identity-regexp="https://github.com/chgl/.github/.github/workflows/standard-build.yaml@.*" \
   --certificate-github-workflow-name="ci" \
   --certificate-github-workflow-repository="chgl/kube-powertools" \
   --certificate-github-workflow-trigger="release" \
   --certificate-github-workflow-ref="refs/tags/${IMAGE_TAG}" \
   "ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"

Verify the container SLSA level 3 provenance attestation:

slsa-verifier verify-image \
    --source-uri github.com/chgl/kube-powertools \
    --source-tag ${IMAGE_TAG} \
    --source-branch master \
    "ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"
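As an added example (not part of the kube-powertools repository), the three steps above combined into one fail-closed script: it resolves the digest, runs both checks, and only then runs the digest-pinned reference, so a tag that fails verification is never executed. It also replaces the `${IMAGE#*:}` tag extraction with one that is not confused by a registry port. It assumes crane, cosign and slsa-verifier are on PATH; the file name verify-and-run.sh is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of kube-powertools: runs the README's cosign and
# slsa-verifier checks as one fail-closed step, then hands the digest-pinned
# reference to docker run. Assumes crane, cosign and slsa-verifier are installed.
set -eu

# Repository part of a reference, without ":tag" or "@digest". Only the last path
# component is inspected, so a registry port (host:5000/img:v1) is not taken for
# a tag the way "${IMAGE#*:}" would take it.
image_repo() {
  local ref="${1%%@*}"
  case "${ref##*/}" in *:*) printf '%s\n' "${ref%:*}" ;; *) printf '%s\n' "$ref" ;; esac
}

# Tag part of a reference; fails if the reference carries no tag.
image_tag() {
  local last; last="${1%%@*}"; last="${last##*/}"
  case "$last" in *:*) printf '%s\n' "${last##*:}" ;; *) return 1 ;; esac
}

# Reference pinned to the digest that was actually verified.
pinned_ref() { printf '%s@%s\n' "$(image_repo "$1")" "$2"; }

# Verify signature and SLSA provenance of a tagged image; print the pinned
# reference only if both checks pass, so the caller never runs an unverified tag.
verify_image() {
  local image="$1" tag digest pinned
  tag=$(image_tag "$image") || { echo "no tag in $image" >&2; return 1; }
  digest=$(crane digest "$image") || return 1
  pinned=$(pinned_ref "$image" "$digest")
  cosign verify \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity-regexp="https://github.com/chgl/.github/.github/workflows/standard-build.yaml@.*" \
    --certificate-github-workflow-name="ci" \
    --certificate-github-workflow-repository="chgl/kube-powertools" \
    --certificate-github-workflow-trigger="release" \
    --certificate-github-workflow-ref="refs/tags/${tag}" \
    "$pinned" >/dev/null || return 1
  slsa-verifier verify-image --source-uri github.com/chgl/kube-powertools \
    --source-tag "$tag" --source-branch master "$pinned" >/dev/null || return 1
  printf '%s\n' "$pinned"
}

# Usage: ./verify-and-run.sh ghcr.io/chgl/kube-powertools:v2.3.36
if [ "$#" -gt 0 ]; then
  PINNED=$(verify_image "$1")
  docker run --rm -it -v "$PWD:/root/workspace" "$PINNED"
fi
```

Because set -e and the explicit `|| return 1` guards stop the script at the first failing check, docker run is only reached with a reference that both cosign and slsa-verifier accepted.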

See also https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#verification for details on verifying the image integrity using automated policy controllers.