Update values-aks-dev.yaml to disable RBAC plugin in Helm chart #59
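# =============================================================================
# THREE HORIZONS ACCELERATOR - CONTINUOUS INTEGRATION
# =============================================================================
#
# Enhanced CI workflow with comprehensive validation, security scanning,
# and cost estimation for Terraform changes.
#
# Token scoping: the workflow-level GITHUB_TOKEN is read-only; each job that
# needs to write (SARIF upload, PR comments, OIDC token for Scorecard) requests
# exactly the scopes it uses. Third-party actions are referenced by tag below;
# tags are mutable, so pinning each `uses:` to a full commit SHA (kept current
# by dependency-update tooling) is the recommended hardening step.
#
# =============================================================================
name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# One in-flight run per ref; a newer push on the same ref cancels the older run.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# Tool versions are quoted so YAML never reinterprets them as floats.
env:
  TF_VERSION: "1.6.6"
  TFLINT_VERSION: "0.50.2"
  GO_VERSION: "1.21"
  PYTHON_VERSION: "3.11"
  KUBECONFORM_VERSION: "0.6.4"

# Least privilege: read-only by default. Write scopes are granted per job.
permissions:
  contents: read

jobs:
  # ===========================================================================
  # DETECT CHANGES
  # ===========================================================================
  detect-changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    # paths-filter lists changed files through the PR API on pull_request
    # events, which needs pull-requests: read.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      terraform: ${{ steps.changes.outputs.terraform }}
      kubernetes: ${{ steps.changes.outputs.kubernetes }}
      scripts: ${{ steps.changes.outputs.scripts }}
      docs: ${{ steps.changes.outputs.docs }}
      agents: ${{ steps.changes.outputs.agents }}
      golden-paths: ${{ steps.changes.outputs.golden-paths }}
      argocd: ${{ steps.changes.outputs.argocd }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Detect Changes
        id: changes
        uses: dorny/paths-filter@v3
        with:
          filters: |
            terraform:
              - 'terraform/**'
              - '.tflint.hcl'
            kubernetes:
              - 'deploy/**'
              - 'argocd/**'
            scripts:
              - 'scripts/**'
            docs:
              - 'docs/**'
              - '*.md'
            agents:
              - 'agents/**'
              - '.github/agents/**'
              - '.apm/**'
              # agents-validate also parses config/apm.yml, so changes to it
              # must trigger that job.
              - 'config/apm.yml'
            golden-paths:
              - 'golden-paths/**'
            argocd:
              - 'argocd/**'

  # ===========================================================================
  # TERRAFORM VALIDATION
  # ===========================================================================
  terraform-validate:
    name: Terraform Validate
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.terraform == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Terraform Format Check
        id: fmt
        run: |
          cd terraform
          terraform fmt -check -recursive -diff
        continue-on-error: true # Format is a soft check - warns but doesn't block

      - name: Terraform Init
        id: init
        run: |
          cd terraform
          terraform init -backend=false

      - name: Terraform Validate
        id: validate
        run: |
          cd terraform
          terraform validate -no-color

      - name: Format Check Summary
        if: steps.fmt.outcome == 'failure'
        run: |
          echo "## Terraform Format Check Failed" >> $GITHUB_STEP_SUMMARY
          echo "Run \`terraform fmt -recursive\` to fix formatting issues." >> $GITHUB_STEP_SUMMARY

  # ===========================================================================
  # TFLINT
  # ===========================================================================
  terraform-lint:
    name: TFLint
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.terraform == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: v${{ env.TFLINT_VERSION }}

      - name: Init TFLint
        run: tflint --init
        env:
          # Only used to avoid GitHub API rate limits while fetching plugins.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Run TFLint
        run: |
          cd terraform
          tflint --recursive --format=compact

  # ===========================================================================
  # TFSEC SECURITY SCAN
  # ===========================================================================
  terraform-security:
    name: TFSec Security Scan
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.terraform == 'true'
    # security-events: write is required by upload-sarif.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: TFSec
        uses: aquasecurity/tfsec-action@v1.0.3
        with:
          working_directory: terraform
          soft_fail: false # Block pipeline on security issues
          format: sarif
          sarif_file: tfsec.sarif

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: tfsec.sarif
        continue-on-error: true # Upload failure shouldn't block CI

  # ===========================================================================
  # CHECKOV SECURITY SCAN
  # ===========================================================================
  terraform-checkov:
    name: Checkov Security Scan
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.terraform == 'true'
    # security-events: write is required by upload-sarif.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: terraform/
          framework: terraform
          output_format: cli,sarif
          output_file_path: console,checkov.sarif
          soft_fail: false # Block pipeline on security issues
          # Skipped checks are accepted risk; keep this list reviewed.
          skip_check: CKV_AZURE_35,CKV_AZURE_59,CKV2_AZURE_1,CKV2_AZURE_18

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: checkov.sarif
        continue-on-error: true # Upload failure shouldn't block CI

  # ===========================================================================
  # INFRACOST - COST ESTIMATION
  # ===========================================================================
  terraform-cost:
    name: Infracost Cost Estimation
    runs-on: ubuntu-latest
    needs: detect-changes
    if: |
      needs.detect-changes.outputs.terraform == 'true' &&
      github.event_name == 'pull_request'
    # pull-requests: write is required to post/update the cost comment.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Infracost
        uses: infracost/actions/setup@v3
        with:
          api-key: ${{ secrets.INFRACOST_API_KEY }}

      - name: Checkout Base Branch
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: base

      - name: Generate Infracost Diff
        run: |
          infracost breakdown --path=base/terraform --format=json --out-file=/tmp/infracost-base.json || true
          infracost breakdown --path=terraform --format=json --out-file=/tmp/infracost.json
          infracost diff --path=terraform --format=json --compare-to=/tmp/infracost-base.json --out-file=/tmp/infracost-diff.json || true
        continue-on-error: true # Cost estimation is informational only

      - name: Post Infracost Comment
        uses: infracost/actions/comment@v1
        with:
          path: /tmp/infracost-diff.json
          behavior: update
        continue-on-error: true # PR comment failure shouldn't block CI

  # ===========================================================================
  # KUBERNETES VALIDATION
  # ===========================================================================
  kubernetes-validate:
    name: Kubernetes Validate
    runs-on: ubuntu-latest
    needs: detect-changes
    if: |
      needs.detect-changes.outputs.kubernetes == 'true' ||
      needs.detect-changes.outputs.argocd == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Kubeconform
        # NOTE(review): the release tarball is fetched without integrity
        # verification; compare against the sha256 published on the release
        # page (or install via a pinned action) before trusting the binary.
        run: |
          wget -q https://github.com/yannh/kubeconform/releases/download/v${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
          tar xzf kubeconform-linux-amd64.tar.gz
          sudo mv kubeconform /usr/local/bin/

      - name: Validate Kubernetes Manifests
        run: |
          echo "## Kubernetes Validation Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          ERRORS=0
          for dir in deploy argocd; do
            if [ -d "$dir" ]; then
              echo "### Validating $dir/" >> $GITHUB_STEP_SUMMARY
              # File names are passed as arguments, never interpolated into a
              # shell command string (SC2156); -n1 keeps one kubeconform run
              # per manifest and xargs fails if any run fails.
              find "$dir" \( -name "*.yaml" -o -name "*.yml" \) ! -name "kustomization*" ! -path "*/templates/*" -print0 | \
                xargs -0 -r -n1 kubeconform -strict -summary || ERRORS=$((ERRORS+1))
            fi
          done
          if [ $ERRORS -gt 0 ]; then
            echo "::error::Kubernetes manifest validation failed"
            exit 1
          fi

      - name: Setup Helm
        uses: azure/setup-helm@v4
        with:
          version: "v3.14.0"

      - name: Validate Helm Charts
        run: |
          if [ -d "deploy/helm" ]; then
            for chart in deploy/helm/*/; do
              if [ -f "${chart}Chart.yaml" ]; then
                echo "Linting $chart..."
                helm lint "$chart"
              fi
            done
          fi

      - name: Kubesec Security Scan
        uses: controlplaneio/kubesec-action@v0.0.2
        with:
          input: deploy/
        # Security scan blocks CI on critical findings

  # ===========================================================================
  # GOLDEN PATHS VALIDATION
  # ===========================================================================
  golden-paths-validate:
    name: Golden Paths Validate
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.golden-paths == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Dependencies
        run: pip install pyyaml

      - name: Validate Golden Path Templates
        run: |
          echo "## Golden Path Validation" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          ERRORS=0
          for template in $(find golden-paths -name 'template.yaml' 2>/dev/null); do
            echo "Validating $template..."
            # Path is passed via argv so quotes in a file name cannot break
            # (or alter) the Python source string.
            if python3 -c "import sys, yaml; yaml.safe_load(open(sys.argv[1]))" "$template" 2>/dev/null; then
              echo "- OK: $template" >> $GITHUB_STEP_SUMMARY
            else
              echo "- FAIL: $template - Invalid YAML" >> $GITHUB_STEP_SUMMARY
              ERRORS=$((ERRORS+1))
            fi
          done
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Total templates found:** $(find golden-paths -name 'template.yaml' | wc -l)" >> $GITHUB_STEP_SUMMARY
          if [ $ERRORS -gt 0 ]; then
            echo "::error::$ERRORS templates failed validation"
            exit 1
          fi

  # ===========================================================================
  # SCRIPTS LINTING
  # ===========================================================================
  scripts-lint:
    name: Scripts Lint
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.scripts == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: ShellCheck
        # NOTE(review): @master is a mutable branch ref, so this step runs
        # whatever that branch currently holds; pin to a release tag or a
        # commit SHA.
        uses: ludeeus/action-shellcheck@master
        with:
          scandir: ./scripts
          severity: warning
          format: tty

      - name: Check Executable Permissions
        run: |
          echo "## Script Permissions" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          find scripts -name "*.sh" -type f | while read -r script; do
            if [[ -x "$script" ]]; then
              echo "- OK: $script" >> $GITHUB_STEP_SUMMARY
            else
              echo "- WARNING: $script (not executable)" >> $GITHUB_STEP_SUMMARY
            fi
          done

  # ===========================================================================
  # DOCUMENTATION LINTING
  # ===========================================================================
  docs-lint:
    name: Documentation Lint
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.docs == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Markdown Lint
        uses: DavidAnson/markdownlint-cli2-action@v15
        with:
          config: .markdownlint.json
          globs: |
            **/*.md
            !**/node_modules/**
            !golden-paths/**
        continue-on-error: true # Documentation lint is a soft check

      - name: Check Links
        uses: lycheeverse/lychee-action@v2
        with:
          args: --verbose --no-progress --exclude-all-private './**/*.md'
          fail: false

  # ===========================================================================
  # YAML LINTING
  # ===========================================================================
  yaml-lint:
    name: YAML Lint
    runs-on: ubuntu-latest
    needs: detect-changes
    if: |
      needs.detect-changes.outputs.kubernetes == 'true' ||
      needs.detect-changes.outputs.argocd == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install yamllint
        run: pip install yamllint

      - name: Run yamllint
        run: yamllint -c .yamllint.yml deploy/ argocd/ config/ --format github
        continue-on-error: true # YAML lint is a soft check for style issues

  # ===========================================================================
  # AGENTS VALIDATION
  # ===========================================================================
  agents-validate:
    name: Agents Validate
    runs-on: ubuntu-latest
    needs: detect-changes
    if: needs.detect-changes.outputs.agents == 'true'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Validate Agent Specifications
        run: |
          echo "## Agent Validation" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          ERRORS=0
          for agent in $(find agents .github/agents -name "*.md" 2>/dev/null); do
            if [ -f "$agent" ]; then
              # A spec must start with a YAML frontmatter fence.
              if head -1 "$agent" | grep -q "^---"; then
                echo "- OK: $agent" >> $GITHUB_STEP_SUMMARY
              else
                echo "- FAIL: $agent - Missing YAML frontmatter" >> $GITHUB_STEP_SUMMARY
                ERRORS=$((ERRORS+1))
              fi
            fi
          done
          if [ -f "config/apm.yml" ]; then
            if python3 -c "import yaml; yaml.safe_load(open('config/apm.yml'))" 2>/dev/null; then
              echo "- OK: config/apm.yml" >> $GITHUB_STEP_SUMMARY
            else
              echo "- FAIL: config/apm.yml - Invalid YAML" >> $GITHUB_STEP_SUMMARY
              ERRORS=$((ERRORS+1))
            fi
          fi
          if [ $ERRORS -gt 0 ]; then
            echo "::error::$ERRORS agent specs failed validation"
            exit 1
          fi

  # ===========================================================================
  # SECURITY SCANNING
  # ===========================================================================
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    # security-events/id-token/actions are what Scorecard needs to publish
    # results; pull-requests: write lets the scanners annotate the PR.
    permissions:
      contents: read
      actions: read
      security-events: write
      id-token: write
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history so secret detection covers every commit

      - name: Gitleaks Secret Detection
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # CRITICAL: Secret detection must block CI - no continue-on-error

      - name: Dependency Review
        if: github.event_name == 'pull_request'
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
        # CRITICAL: High severity vulnerabilities must block CI - no continue-on-error

      - name: OSSF Scorecard
        if: github.event_name != 'pull_request'
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: scorecard.sarif
          results_format: sarif
          publish_results: true
        continue-on-error: true # Informational only - scorecard results don't block CI

  # ===========================================================================
  # CI SUMMARY
  # ===========================================================================
  ci-summary:
    name: CI Summary
    runs-on: ubuntu-latest
    needs:
      - detect-changes
      - terraform-validate
      - terraform-lint
      - terraform-security
      - terraform-checkov
      - terraform-cost
      - kubernetes-validate
      - golden-paths-validate
      - scripts-lint
      - docs-lint
      - yaml-lint
      - agents-validate
      - security-scan
    if: always()
    steps:
      - name: Generate Summary
        run: |
          echo "# CI Pipeline Summary" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY
          echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY
          echo "| Terraform Validate | ${{ needs.terraform-validate.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| TFLint | ${{ needs.terraform-lint.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| TFSec | ${{ needs.terraform-security.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Checkov | ${{ needs.terraform-checkov.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Infracost | ${{ needs.terraform-cost.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Kubernetes | ${{ needs.kubernetes-validate.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Golden Paths | ${{ needs.golden-paths-validate.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Scripts | ${{ needs.scripts-lint.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Docs | ${{ needs.docs-lint.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| YAML | ${{ needs.yaml-lint.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Agents | ${{ needs.agents-validate.result || 'skipped' }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Security | ${{ needs.security-scan.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "---" >> $GITHUB_STEP_SUMMARY
          echo "*Generated at: $(date -u)*" >> $GITHUB_STEP_SUMMARY

      - name: Check for Failures
        if: contains(needs.*.result, 'failure')
        run: |
          echo "::error::One or more CI jobs failed"
          exit 1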