kube-powertools


An always up to date collection of useful tools for your Kubernetes linting and auditing needs.

Usage

Mount a folder containing your Helm or raw Kubernetes manifests:

docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.39

The container image is pushed to these two registries:

  • docker.io/chgl/kube-powertools:v2.3.39
  • ghcr.io/chgl/kube-powertools:v2.3.39

Helm Chart Repositories

The kube-powertools image includes a few helpful scripts to simplify working with Helm chart repositories.

Linting

The image includes a chart-powerlint.sh script which can be used to apply several linters to Helm chart repos.

For example, you can mount this repository into the kube-powertools container and run the following to lint the sample chart in the /samples/charts dir:

$ docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.39
bash-5.1# CHARTS_DIR=samples/charts chart-powerlint.sh

Generating Chart Documentation

You can auto-generate and format Markdown docs from the chart's values.yaml using generate-docs.sh. This script uses chart-doc-gen if the chart dir contains a doc.yaml, and helm-docs if it doesn't.

Generating Chart Schemas

You can auto-generate the Helm schema from the chart's values.yaml using generate-schemas.sh.

Generating CHANGELOG files

Finally, there's generate-chart-changelog.sh, which can be used to generate a CHANGELOG.md file from the contents of a Chart.yaml's artifacthub.io/changes annotation.

You can use this file in conjunction with the chart-releaser tool's --release-notes-file option to produce release notes for a GitHub release. See https://github.com/chgl/charts/blob/master/.github/workflows/release.yaml#L32 and https://github.com/chgl/charts/blob/master/.github/ct/ct.yaml#L16 for a sample workflow.

What's included

Testing locally

$ docker build -t kube-powertools:dev .
$ docker run --rm -it -v $PWD:/root/workspace kube-powertools:dev
bash-5.1# CHARTS_DIR=samples/charts scripts/chart-powerlint.sh

Image signature and provenance verification

Prerequisites: the crane, cosign and slsa-verifier CLIs used by the commands below must be installed.

First, determine the digest of the container image to verify. This digest is also visible on the packages page on GitHub: https://github.com/chgl/kube-powertools/pkgs/container/kube-powertools.

IMAGE=ghcr.io/chgl/kube-powertools:v2.3.39
IMAGE_DIGEST=$(crane digest $IMAGE)
IMAGE_TAG="${IMAGE#*:}"

Verify the container signature:

cosign verify \
   --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
   --certificate-identity-regexp="https://github.com/chgl/.github/.github/workflows/standard-build.yaml@.*" \
   --certificate-github-workflow-name="ci" \
   --certificate-github-workflow-repository="chgl/kube-powertools" \
   --certificate-github-workflow-trigger="release" \
   --certificate-github-workflow-ref="refs/tags/${IMAGE_TAG}" \
   "ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"

Verify the container SLSA level 3 provenance attestation:

slsa-verifier verify-image \
    --source-uri github.com/chgl/kube-powertools \
    --source-tag ${IMAGE_TAG} \
    --source-branch master \
    "ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"

See also https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#verification for details on verifying the image integrity using automated policy controllers.
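The steps above verify a tag-resolved digest by hand. The script below, an added example that is not part of kube-powertools, chains them into one check and then runs the linter from the digest-pinned reference, so a tag that is moved between verification and `docker run` cannot substitute a different image. It assumes crane, cosign and slsa-verifier are on PATH, that chart-powerlint.sh is on the image's PATH (the README invokes it bare, so the script passes it via `--entrypoint`), and the file name verify-and-lint.sh is hypothetical. The signing identity, issuer and source URI are the values given in the verification section above.

```shell
#!/usr/bin/env sh
# Added example (not project code): verify signature and SLSA provenance of the
# kube-powertools image against its digest, then lint from the pinned digest.
# Assumes crane, cosign and slsa-verifier are installed; identity values are
# the ones documented in the README's verification section.

ISSUER="https://token.actions.githubusercontent.com"
IDENTITY_RE="https://github.com/chgl/.github/.github/workflows/standard-build.yaml@.*"

# Tag after the LAST ':' so a registry with a port (host:5000/img:tag) still works;
# the README's ${IMAGE#*:} cuts at the first ':' and would break on such a ref.
image_tag() {
    printf '%s\n' "${1##*:}"
}

# Build "<repo>@sha256:..." from "<repo>:<tag>" and a digest.
pinned_ref() {
    printf '%s\n' "${1%:*}@$2"
}

# Accept only a well-formed sha256 digest; an empty or malformed value from a
# failed crane call must not be allowed to reach the verifiers.
valid_digest() {
    printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Resolve, verify signature, verify provenance; print the pinned ref on success.
verify_image() {
    image="$1"
    tag=$(image_tag "$image")
    digest=$(crane digest "$image") || return 1
    valid_digest "$digest" || { echo "bad digest: '$digest'" >&2; return 1; }
    ref=$(pinned_ref "$image" "$digest")

    cosign verify \
        --certificate-oidc-issuer="$ISSUER" \
        --certificate-identity-regexp="$IDENTITY_RE" \
        --certificate-github-workflow-name="ci" \
        --certificate-github-workflow-repository="chgl/kube-powertools" \
        --certificate-github-workflow-trigger="release" \
        --certificate-github-workflow-ref="refs/tags/${tag}" \
        "$ref" >/dev/null || { echo "signature verification failed" >&2; return 1; }

    slsa-verifier verify-image \
        --source-uri github.com/chgl/kube-powertools \
        --source-tag "$tag" \
        --source-branch master \
        "$ref" >/dev/null || { echo "provenance verification failed" >&2; return 1; }

    printf '%s\n' "$ref"
}

# Usage: sh verify-and-lint.sh ghcr.io/chgl/kube-powertools:v2.3.39
# Only runs when an image ref is given, so sourcing the file stays side-effect free.
if [ "$#" -gt 0 ]; then
    ref=$(verify_image "$1") || exit 1
    # --entrypoint assumes chart-powerlint.sh is on the image PATH (README runs it bare).
    docker run --rm -v "$PWD:/root/workspace" \
        -e CHARTS_DIR=samples/charts \
        --entrypoint chart-powerlint.sh \
        "$ref"
fi
```

Both verifiers run against the `@sha256:` reference rather than the tag, and the same reference is handed to `docker run`, so what was verified is exactly what executes. In CI, a non-zero exit from either verifier fails the job before any chart is linted.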