ci: switch from kubeval to kubeconform (#1199)

- Switch from kubeval, which is unmaintained and outdated, to
  kubeconform
- Update kubernetes versions in test matrices
- Use upstream schema for CRDs, so we don't have to ignore missing
  schemas in validation
- Switch away from deprecated output
  https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
- Switch CI nodeSelector examples to use disktype: ssd to avoid
  creating duplicates with baked in os defaults

---------

Co-authored-by: Cedric Lamoriniere <cedric.lamoriniere@datadoghq.com>

.github/kubeconform.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+KUBECONFORM_VERSION="v0.6.4"
+# https://github.com/yannh/kubeconform/issues/51
+CRD_SPEC_URL="https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json"
+# Remove after v1.16 support / testing is dropped
+LEGACY_SCHEMA_URL="https://github.com/instrumenta/kubernetes-json-schema"
+OS=$(uname)
+
+CHANGED_CHARTS=${CHANGED_CHARTS:-${1:-}}
+if [ -n "$CHANGED_CHARTS" ];
+then
+  CHART_DIRS=$CHANGED_CHARTS
+else
+  CHART_DIRS=$(ls -d charts/*)
+fi
+
+# install kubeconform
+curl --silent --show-error --fail --location --output /tmp/kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-${OS}-amd64.tar.gz"
+tar -xf /tmp/kubeconform.tar.gz kubeconform
+
+# validate charts
+for CHART_DIR in ${CHART_DIRS}; do
+  echo "Running kubeconform for folder: '$CHART_DIR'"
+
+  # Note: -ignore-missing-schemas could be added if needed, but not currently
+  # needed since we have the schema necessary to validate the CRDs themselves.
+  #
+  # Also, if at some point we needed to validate things _using_ these CRDs,
+  # they're available via
+  # https://github.com/datreeio/CRDs-catalog/tree/main/datadoghq.com
+  helm dep up "${CHART_DIR}" && helm template --kube-version "${KUBERNETES_VERSION#v}" \
+        --values "${CHART_DIR}/ci/kubeconform-values.yaml" "${CHART_DIR}" \
+    | ./kubeconform -strict -schema-location default -schema-location "$CRD_SPEC_URL" \
+        -schema-location $LEGACY_SCHEMA_URL -output pretty \
+        -verbose -kubernetes-version "${KUBERNETES_VERSION#v}" -
+done

.github/workflows/ci.yaml

@@ -33,7 +33,9 @@ jobs:
           if [[ -n "$changed" ]]; then
             echo -n "Charts changed:"
             echo "$changed"
-            echo "::set-output name=changed::$changed"
+            echo "changed<<EOF" >> $GITHUB_OUTPUT
+            echo "$changed" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
           else
             echo "PR without any chart changes - failing"
             exit 1
@@ -68,7 +70,7 @@ jobs:
       - name: Run helm-docs
         run: .github/helm-docs.sh
 
-  kubeval-chart:
+  kubeconform-chart:
     runs-on: ubuntu-latest
     needs:
       - changed
@@ -80,12 +82,12 @@ jobs:
         # https://github.com/instrumenta/kubernetes-json-schema is no
         # longer updated
         k8s:
-          # - v1.14.10 (deprecated with kind 1.16)
-          - v1.16.15
+          - v1.16.4
           - v1.18.20
-          - v1.22.9
-          - v1.24.2
-          # v1.25.2 (when agent 7.40 is out)
+          - v1.22.17
+          - v1.24.17
+          - v1.25.16
+          - v1.26.13
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -95,27 +97,27 @@ jobs:
         run: helm repo add datadog https://helm.datadoghq.com && helm repo update
       - name: Add KSM helm repo
         run: helm repo add kube-state-metrics https://prometheus-community.github.io/helm-charts
-      - name: Run kubeval
+      - name: Run kubeconform
         env:
           KUBERNETES_VERSION: ${{ matrix.k8s }}
           CHANGED_CHARTS: ${{needs.changed.outputs.charts}}
-        run: .github/kubeval.sh
+        run: .github/kubeconform.sh
 
   install-chart:
     name: install-chart
     runs-on: ubuntu-20.04
     timeout-minutes: 60
     needs:
       - lint-chart
-      - kubeval-chart
+      - kubeconform-chart
     strategy:
       matrix:
         k8s:
-          - v1.16.15
           - v1.18.20
           - v1.22.9
           - v1.24.2
-          - v1.25.2
+          - v1.25.16
+          - v1.26.13
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.gitignore

@@ -1,6 +1,6 @@
 charts/*/charts
 helm-docs
-kubeval
+kubeconform
 .idea
 vendor/
 .vscode

charts/datadog-crds/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 1.3.1
+* Migrate from `kubeval` to `kubeconform` for ci chart validation.
+
 ## 1.3.0
 * Update CRDs from Datadog Operator v1.3.0 tag.
 

charts/datadog-crds/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: datadog-crds
 description: Datadog Kubernetes CRDs chart
-version: 1.3.0
+version: 1.3.1
 appVersion: "1"
 keywords:
 - monitoring

charts/datadog-crds/README.md

@@ -1,6 +1,6 @@
 # Datadog CRDs
 
-![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![AppVersion: 1](https://img.shields.io/badge/AppVersion-1-informational?style=flat-square)
+![Version: 1.3.1](https://img.shields.io/badge/Version-1.3.1-informational?style=flat-square) ![AppVersion: 1](https://img.shields.io/badge/AppVersion-1-informational?style=flat-square)
 
 This chart was designed to allow other "datadog" charts to share `CustomResourceDefinitions` such as the `DatadogMetric`.
 

charts/datadog-operator/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 1.4.2
+
+* Migrate from `kubeval` to `kubeconform` for ci chart validation.
+
 ## 1.4.1
 
 * Add configuration for Operator flag `datadogSLOEnabled` : this parameter is used to enable the Datadog SLO Controller. It is disabled by default.

charts/datadog-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: datadog-operator
-version: 1.4.1
+version: 1.4.2
 appVersion: 1.3.0
 description: Datadog Operator
 keywords:

charts/datadog-operator/README.md

@@ -1,6 +1,6 @@
 # Datadog Operator
 
-![Version: 1.4.1](https://img.shields.io/badge/Version-1.4.1-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
+![Version: 1.4.2](https://img.shields.io/badge/Version-1.4.2-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
 
 ## Values
 

charts/datadog/CHANGELOG.md

@@ -1,12 +1,16 @@
 # Datadog changelog
 
+## 3.54.1
+
+* Migrate from `kubeval` to `kubeconform` for ci chart validation.
+
 ## 3.53.3
 
 * Update `fips.image.tag` to `1.1.1`
 
 ## 3.53.2
 
-* Exclude agent pod from labels injection from the admission controller 
+* Exclude agent pod from labels injection from the admission controller.
 
 ## 3.53.1
 

charts/datadog/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: datadog
-version: 3.53.3
+version: 3.54.1
 appVersion: "7"
 description: Datadog Agent
 keywords:

charts/datadog/README.md

@@ -1,6 +1,6 @@
 # Datadog
 
-![Version: 3.53.3](https://img.shields.io/badge/Version-3.53.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
+![Version: 3.54.1](https://img.shields.io/badge/Version-3.54.1-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
 

charts/datadog/ci/kubeval-values.yaml → charts/datadog/ci/kubeconform-values.yaml

@@ -36,7 +36,7 @@ clusterAgent:
   enabled: true
   createPodDisruptionBudget: true
   nodeSelector:
-    kubernetes.io/os: linux
+    disktype: ssd
   metricsProvider:
     enabled: false
   admissionController:
@@ -46,10 +46,10 @@ clusterChecksRunner:
   enabled: true
   createPodDisruptionBudget: true
   nodeSelector:
-    kubernetes.io/os: linux
+    disktype: ssd
 agents:
   nodeSelector:
-    kubernetes.io/os: linux
+    disktype: ssd
   podSecurity:
     podSecurityPolicy:
       create: true

charts/extended-daemon-set/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.3.1
+
+* Migrate from `kubeval` to `kubeconform` for ci chart validation.
+
 ## 0.3.0
 
 * Updated for EDS 0.8.0.

charts/extended-daemon-set/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v0.8.0
 description: Extended Daemonset Controller
 name: extendeddaemonset
-version: v0.3.0
+version: v0.3.1
 keywords:
   - monitoring
   - alerting

charts/extended-daemon-set/README.md

@@ -1,6 +1,6 @@
 # Extended DaemonSet
 
-![Version: v0.3.0](https://img.shields.io/badge/Version-v0.3.0-informational?style=flat-square) ![AppVersion: v0.8.0](https://img.shields.io/badge/AppVersion-v0.8.0-informational?style=flat-square)
+![Version: v0.3.1](https://img.shields.io/badge/Version-v0.3.1-informational?style=flat-square) ![AppVersion: v0.8.0](https://img.shields.io/badge/AppVersion-v0.8.0-informational?style=flat-square)
 
 This chart installs the Extended DaemonSet (EDS). It aims to provide a new implementation of the Kubernetes DaemonSet resource with key features:
 - Canary Deployment: Deploy a new DaemonSet version with only a few nodes.

charts/observability-pipelines-worker/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 1.8.1
+
+* Migrate from `kubeval` to `kubeconform` for ci chart validation.
+
 ## 1.8.0
 
 * Official image `1.8.0`

charts/observability-pipelines-worker/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: observability-pipelines-worker
-version: "1.8.0"
+version: "1.8.1"
 description: Observability Pipelines Worker
 type: application
 keywords:

charts/observability-pipelines-worker/README.md

@@ -1,6 +1,6 @@
 # Observability Pipelines Worker
 
-![Version: 1.8.0](https://img.shields.io/badge/Version-1.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square)
+![Version: 1.8.1](https://img.shields.io/badge/Version-1.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square)
 
 ## How to use Datadog Helm repository
 

charts/synthetics-private-location/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 0.15.26
+
+* Migrate from `kubeval` to `kubeconform` for ci chart validation.
+
 ## 0.15.25
 
 * Update private location image version to `1.44.0`.

charts/synthetics-private-location/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: synthetics-private-location
-version: 0.15.25
+version: 0.15.26
 appVersion: 1.44.0
 description: Datadog Synthetics Private Location
 keywords:

charts/synthetics-private-location/README.md

@@ -1,6 +1,6 @@
 # Datadog Synthetics Private Location
 
-![Version: 0.15.25](https://img.shields.io/badge/Version-0.15.25-informational?style=flat-square) ![AppVersion: 1.44.0](https://img.shields.io/badge/AppVersion-1.44.0-informational?style=flat-square)
+![Version: 0.15.26](https://img.shields.io/badge/Version-0.15.26-informational?style=flat-square) ![AppVersion: 1.44.0](https://img.shields.io/badge/AppVersion-1.44.0-informational?style=flat-square)
 
 [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds a Datadog Synthetics Private Location Deployment. For more information about synthetics monitoring with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/synthetics/private_locations).