This repository was archived by the owner on Mar 21, 2025. It is now read-only.

Integrate conftest #15

@michaelsauter


conftest allows testing configuration data such as K8s resources defined by Helm charts. Because testing the chart against the policies requires rendering the chart, it likely makes sense to integrate it into the task to avoid inconsistencies with rendering.

Some considerations:

  • A new param is needed which indicates from where to pull policies (e.g. named conftest-policy). The value is a string accepted by go-getter. By default the param is empty which means conftest would not run.
  • If this param is prefixed with k8s::, then the part after the prefix is interpreted as a K8s secret name, which is expected to have a key named location. Its value is then passed to conftest pull, providing an easy mechanism to hide secrets in policy locations (e.g. basic auth in HTTPS URLs).
  • If the conftest-policy param is set, then conftest is run against the rendered helm chart as the first thing in the task. The chart is rendered in the same way as the diff, just with the template command.
  • If rendering succeeds, the rendered chart is piped to conftest test.
  • By default, conftest checks the input against the policies with conftest test --all-namespaces -. It should be possible to customise this by having a param named e.g. conftest-flags, which defaults to --all-namespaces.
  • When conftest test returns a non-zero exit code, the task is stopped.
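The flow proposed above, written out as an added shell example (not code from the issue or from the task itself). It assumes that the two task params arrive as the variables CONFTEST_POLICY and CONFTEST_FLAGS, that policies are pulled into a local `policy/` directory, that the secret is read with kubectl, and that `helm template "$chart_dir"` stands in for the full render command the diff step uses.

```shell
#!/bin/sh
# Added example, not code from the issue: the proposed conftest step as shell functions.
# Assumed names: CONFTEST_FLAGS / POLICY_DIR (env), kubectl for the secret lookup,
# and a plain `helm template` call in place of the task's real render command.

CONFTEST_FLAGS="${CONFTEST_FLAGS:---all-namespaces}"   # default flags from the proposal
POLICY_DIR="${POLICY_DIR:-policy}"                      # where `conftest pull` stores policies

# Print the secret name when PARAM carries the k8s:: prefix, otherwise print nothing.
secret_name_from_param() {
  case "$1" in
    k8s::*) printf '%s' "${1#k8s::}" ;;
    *) : ;;
  esac
}

# Read the `location` key of the named K8s secret (assumes kubectl access to the namespace).
read_secret_location() {
  kubectl get secret "$1" -o jsonpath='{.data.location}' | base64 -d
}

# Turn the conftest-policy param into the location handed to `conftest pull`:
# a k8s:: reference is resolved through the secret, anything else is passed through as-is.
resolve_policy_location() {
  name=$(secret_name_from_param "$1")
  if [ -n "$name" ]; then
    read_secret_location "$name"
  else
    printf '%s' "$1"
  fi
}

# Run the whole step: do nothing when the param is empty, fail the task on any error.
run_conftest_step() {
  param="$1"; chart_dir="$2"
  if [ -z "$param" ]; then
    return 0                       # conftest-policy unset: conftest does not run
  fi
  location=$(resolve_policy_location "$param") || return 1
  # Pull quietly so a location with embedded credentials is not echoed into the task log.
  conftest pull --policy "$POLICY_DIR" "$location" >/dev/null || return 1
  # Render the chart, then test the rendered output read from stdin; a non-zero exit
  # from conftest is the pipeline's exit status and stops the task.
  helm template "$chart_dir" | conftest test --policy "$POLICY_DIR" $CONFTEST_FLAGS -
}
```

Wire it in as `run_conftest_step "$CONFTEST_POLICY" "$CHART_DIR" || exit 1` before the diff step; CONFTEST_FLAGS is deliberately unquoted so a multi-flag value splits into separate arguments.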
