Multiple CI improvements

.devcontainer/devcontainer.json

@@ -8,7 +8,9 @@
 		"ghcr.io/eitsupi/devcontainer-features/go-task:1": {},
 		"ghcr.io/rio/features/k3d:1": {},
 		"ghcr.io/devcontainers-contrib/features/wget-apt-get:1": {},
-		"ghcr.io/devcontainers-extra/features/kubectx-kubens:1": {}
+		"ghcr.io/devcontainers-extra/features/kubectx-kubens:1": {},
+		"ghcr.io/devcontainers-extra/features/yamllint:2": {},
+		"ghcr.io/gickis/devcontainer-features/kubeconform:1": {}
 	},
 	"customizations": {
 		"vscode": {
@@ -18,10 +20,12 @@
 				"matt-rudge.auto-open-preview-panel",
 				"bierner.markdown-preview-github-styles",
 				"Phu1237.vs-browser",
+				"inercia.vscode-k3d",
 				"sandertenbrinke.readme-auto-open",
 				"usernamehw.indent-one-space",
 				"compulim.indent4to2",
-				"shardulm94.trailing-spaces"
+				"shardulm94.trailing-spaces",
+				"tommasov.hosts"
 			]
 		}
 	},

.github/workflows/kubeconform.yml

@@ -0,0 +1,96 @@
+name: Validate Kubernetes Resources
+on: push
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Check if Services have changed
+      id: changed-services
+      uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45
+      with:
+        files: |
+          apps/**/svc.yaml
+          apps/**/*-svc.yaml
+    - name: Check if Deployments/Statefulsets have changed
+      id: changed-workloads
+      uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45
+      with:
+        files: |
+          apps/**/deployment.yaml
+          apps/**/statefulset.yaml
+    - name: Check if configMap/Secrets have changed
+      id: changed-configs
+      uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45
+      with:
+        files: |
+          apps/**/cm.yaml
+          apps/**/secret.yaml
+    - name: Check if Permissions have changed
+      id: changed-rbac
+      uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45
+      with:
+        files: |
+          apps/**/rb.yaml
+          apps/**/crb.yaml
+          apps/**/role.yaml
+          apps/**/cr.yaml
+    - name: Check if Storage resources have changed
+      id: changed-storage
+      uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275 # v45
+      with:
+        files: |
+          apps/**/pvc.yaml
+          apps/**/class.yaml
+          apps/**/pv.yaml
+    - name: Install Kubeconform
+      run: |
+        (wget -qO- https://github.com/yannh/kubeconform/releases/download/v0.6.7/kubeconform-linux-amd64.tar.gz | sudo tar xvz -C /usr/bin) && sudo chmod +x /usr/bin/kubeconform
+    - name: Validate new Services
+      id: validate-service
+      uses: mathiasvr/command-output@v1
+      if: steps.changed-services.outputs.any_changed == 'true'
+      with:
+        run: |
+          find . -maxdepth 15 -name svc.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+
+    - name: Validate new Workloads
+      id: validate-workloads
+      uses: mathiasvr/command-output@v1
+      if: steps.changed-workloads.outputs.any_changed == 'true'
+      with:
+        run: |
+          find . -maxdepth 15 -name deployment.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+          find . -maxdepth 15 -name statefulset.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+
+    - name: Validate new configMaps or Secrets
+      id: validate-configs-cm
+      uses: mathiasvr/command-output@v1
+      if: steps.changed-configs.outputs.any_changed == 'true'
+      with:
+        run: |
+          find . -maxdepth 15 -name cm.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+          find . -maxdepth 15 -name secret.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+
+    - name: Validate new Permissions and RBAC resources
+      id: validate-configs-rbac
+      uses: mathiasvr/command-output@v1
+      if: steps.changed-rbac.outputs.any_changed == 'true'
+      with:
+        run: |
+          find . -maxdepth 15 -name rb.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+          find . -maxdepth 15 -name crb.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+          find . -maxdepth 15 -name role.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+          find . -maxdepth 15 -name cr.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+
+    - name: Validate new Storage resources
+      id: validate-configs
+      uses: mathiasvr/command-output@v1
+      if: steps.changed-storage.outputs.any_changed == 'true'
+      with:
+        run: |
+          find . -maxdepth 15 -name pvc.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+          find . -maxdepth 15 -name pv.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;
+          find . -maxdepth 15 -name clas.yaml -exec kubeconform --verbose -exit-on-error -ignore-missing-schemas -kubernetes-version "1.26.0" -schema-location default {} \;

.github/workflows/linter.yaml

@@ -0,0 +1,17 @@
+name: yamllinter
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+jobs:
+  yaml-linter:
+    name: Yaml Linter
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: yaml-lint
+      uses: ibiqlik/action-yamllint@v3
+      with:
+        config_file: .yamllint
+    - run: echo ${{ steps.yaml-lint.outputs.logfile }}

.gitignore

@@ -26,13 +26,11 @@ override.tf.json
 
 .terraformrc
 terraform.rc
-config/tls/base/tls-secret.yaml
-.vscode
-.vscode/*
-!.vscode/settings.json
+config/tls/base/tls-secret.yam
 !.vscode/tasks.json
 !.vscode/launch.json
 !.vscode/extensions.json
+!.vscode/extensions.json
 *.code-workspace
 .terraform.lock.hcl
 terraform/*.terraform

tasks/argocd.yaml → .tasks/argocd.yaml

@@ -11,8 +11,8 @@ silent: true
 tasks:
   default:
     cmds:
-      - task: install
-      - task: password
+    - task: install
+    - task: password
     ignore_error: true
 
   secret:
@@ -34,9 +34,6 @@ tasks:
     ignore_error: true
 
   repo:
-    vars:
-      GIT_URI:
-        sh: git config --get remote.origin.url | sed -e 's/:/\//g'| sed -e 's/ssh\/\/\///g'| sed -e 's/git@/https:\/\//g' | sed 's/.git$//'
     cmds:
     - |
       kubectl apply -f - << EOF
@@ -49,7 +46,7 @@ tasks:
           argocd.argoproj.io/secret-type: repository
       stringData:
         type: git
-        url: {{.GIT_URI}}
+        url: https://github.com/gruberdev/local-gitops
       EOF
     ignore_error: true
 

.vscode/settings.json

@@ -0,0 +1,34 @@
+{
+  "yaml.schemas": {
+    "https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/crds/application-crd.yaml": [
+      "**/argocd/base/apps/*.yaml",
+      "**/argocd/base/core/*.yaml",
+      "**/argocd/*application*.yaml",
+      "apps/argocd/base/apps/*.yaml"
+    ],
+    "https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/crds/appproject-crd.yaml": [
+      "**/argocd/base/projects/*.yaml",
+      "apps/argocd/base/projects/*.yaml"
+    ],
+    "https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/crds/applicationset-crd.yaml": [
+      "**/argocd/*applicationset*.yaml",
+      "**/argocd/applicationsets/*.yaml"
+    ],
+    "https://taskfile.dev/schema.json": [
+      "Taskfile.yml",
+      "Taskfile.yaml",
+      "**/.tasks/*.yaml",
+      "**/.tasks/**/*.yaml",
+      "file:///c%3A/Users/gruber/projects/local-gitops/.tasks/tools/darwin.yaml"
+    ],
+    "https://json.schemastore.org/github-action.json": [
+      ".github/workflows/*.yml",
+      ".github/workflows/*.yaml"
+    ],
+    "https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__networking.k8s.io__v1_openapi.json": [
+      "**/ingress.yaml",
+      "apps/argocd/base/core/ingress.yaml",
+      "apps/example/ingress.yaml"
+    ]
+  }
+}

.yamllint

@@ -0,0 +1,31 @@
+rules:
+  braces: disable
+  brackets: enable
+  colons: enable
+  commas: enable
+  comments:
+    level: warning
+  comments-indentation:
+    level: warning
+  document-end: disable
+  document-start: disable
+  empty-lines: enable
+  empty-values: disable
+  hyphens: enable
+  indentation:
+    spaces: 2
+    indent-sequences: whatever
+    check-multi-line-strings: false
+  key-duplicates: enable
+  key-ordering: disable
+  line-length:
+    level: warning
+    max: 250
+  new-line-at-end-of-file: enable
+  new-lines: disable
+  octal-values: disable
+  quoted-strings: disable
+  trailing-spaces: enable
+  truthy:
+    allowed-values: ['true', 'false', "yes", "no"]
+    level: warning

README.md

@@ -10,7 +10,7 @@
 >
 > [The repository is automated through Taskfiles][tasks-internal], so deployment is straightforward, but you can still dig into individual tasks if you want to understand what's happening under the hood.
 
-## Components current versioning
+## Current components versioning
 
 ```bash
  Kubernetes Version: v1.32.2-k3s1
@@ -76,7 +76,7 @@ task tools
 > - Local SSL/TLS certificates will be stored under the [`config/tls/`][tls-uri] folder. All of them are a part of the `.gitignore` file, in order to avoid being commited to your repository once created.
 
 
-### Can I reset the environment?
+### How do I reset the environment?
 
 > Whenever you want to restart from scratch and create a new cluster, just type `task` again. This process will destroy the previous cluster and create a new from scratch.
 

Taskfile.yml

@@ -3,17 +3,18 @@ version: '3'
 vars:
   INT_REGISTRY: registry.localhost
   PATH_ERROR: is not installed or correctly configured in PATH.
+  K8S_VERSION: "1.32.3"
 
 dotenv: [ '.env' ]
 
 silent: true
 
 includes:
-  argocd: ./tasks/argocd.yaml
-  tools: ./tasks/tools/{{OS}}.yaml
-  cluster: ./tasks/cluster/{{OS}}.yaml
-  cli: ./tasks/cli.yaml
-  templates: ./tasks/template.yaml
+  argocd: ./.tasks/argocd.yaml
+  tools: ./.tasks/tools/{{OS}}.yaml
+  cluster: ./.tasks/cluster/{{OS}}.yaml
+  cli: ./.tasks/cli.yaml
+  templates: ./.tasks/template.yaml
 
 tasks:
   help:
@@ -38,20 +39,20 @@ tasks:
     ignore_error: true
 
   fw:
-    deps: [ns:system]
+    deps: [ ns:system ]
     vars:
       ARGOCD_POD:
         sh: "kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o jsonpath='{.items[0].metadata.name}'"
     cmds:
-      - task: cli:clear
-      - kubectl port-forward {{.ARGOCD_POD}} -n argocd 8082:8080
+    - task: cli:clear
+    - kubectl port-forward {{.ARGOCD_POD}} -n argocd 8082:8080
 
   login:
     cmds:
-      - argocd login localhost:8082 --username admin --password $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) --insecure
+    - argocd login localhost:8082 --username admin --password $(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) --insecure
 
   sync:
-    deps: [login]
+    deps: [ login ]
     desc: Sync all applications in ArgoCD
     cmds:
     - |
@@ -68,7 +69,29 @@ tasks:
   explain:
     desc: Explains a certain Task command more in-detail
     cmds:
-      - task {{.CLI_ARGS}} --summary
+    - task {{.CLI_ARGS}} --summary
+
+  lint:
+    desc: Performs lint testing on the YAML files in the repository using the yamllint tool to ensure proper formatting and syntax.
+    preconditions:
+    - sh: "which yamllint"
+      msg: "yamllint {{.PATH_ERROR}}"
+    cmds:
+    - yamllint -c ./.yamllint .
+
+  validate:
+    preconditions:
+    - sh: "which kubeconform"
+      msg: "kubeconform {{.PATH_ERROR}}"
+    desc: Validates your Yaml objects in the repository using Kubeconform
+    cmds:
+    - |
+      objectTypes=("svc" "deployment" "*secret" "cm" "pvc" "pv" "role" "sa" "cr" "rb");
+      for obj in "${objectTypes[@]}"; do
+        echo -e "\nValidating ${obj^} object files";
+        find . -maxdepth 20 -name ${obj}.yaml -exec kubeconform -summary -exit-on-error -ignore-missing-schemas -kubernetes-version "{{.K8S_VERSION}}" -schema-location default {} \;
+      done
+    silent: true
 
   dns:
     desc: Creates the DNS entry required for the local domain to work.

apps/argocd/base/core/argocd.yaml

@@ -2,6 +2,8 @@ apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
 spec:
   project: core
   source:
@@ -26,8 +28,8 @@ spec:
         factor: 2
         maxDuration: 15m
   ignoreDifferences:
-    - group: networking.k8s.io
-      kind: Ingress
-      jsonPointers:
-      - /spec/rules
-      - /status
+  - group: networking.k8s.io
+    kind: Ingress
+    jsonPointers:
+    - /spec/rules
+    - /status

apps/argocd/kustomization.yaml

@@ -9,7 +9,8 @@ resources:
 - base/apps/example.yaml
 - base/core/argocd.yaml
 - github.com/argoproj-labs/argocd-extension-metrics/manifests?ref=v1.0.3
-- https://raw.githubusercontent.com/argoproj/argo-cd/v2.14.7/manifests/install.yaml
+- github.com/argoproj/argo-rollouts/manifests/cluster-install?ref=v1.8.2
+- github.com/argoproj/argo-cd/manifests/cluster-install?ref=v2.14.7
 
 namespace: argocd
 images:
@@ -119,7 +120,6 @@ patches:
                   cpu: 50m
                   memory: 256Mi
 
-patches:
 - path: overlay/argocd-svc.yaml
 - path: overlay/argocd-rbac.yaml
 - path: overlay/argocd-cm.yaml