From 11397d21312c11a6818583126d59c74fde60ce98 Mon Sep 17 00:00:00 2001
From: k3forx
Date: Fri, 14 May 2021 18:02:39 +0900
Subject: [PATCH] Add CI check for Kubernetes YAML files

---
 .github/actions/calculate-kube-scores.sh | 6 +++
 .github/workflows/kube-score.yaml | 45 +++++++++++++++++++
 k8s/fastapi/base/deployment.yaml | 7 ++-
 .../overlays/api-app/kustomization.yaml | 12 +++-
 4 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100755 .github/actions/calculate-kube-scores.sh
 create mode 100644 .github/workflows/kube-score.yaml

diff --git a/.github/actions/calculate-kube-scores.sh b/.github/actions/calculate-kube-scores.sh
new file mode 100755
index 0000000..f2d8004
--- /dev/null
+++ b/.github/actions/calculate-kube-scores.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -x
+
+DIR=$1
+kubectl kustomize "${DIR}" | kube-score score - --ignore-test pod-networkpolicy -o ci | grep -v OK
diff --git a/.github/workflows/kube-score.yaml b/.github/workflows/kube-score.yaml
new file mode 100644
index 0000000..25dae56
--- /dev/null
+++ b/.github/workflows/kube-score.yaml
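Review bot: The exit status of this script is just that of `grep -v OK`, because nothing sets `pipefail`: when kube-score reports only OK lines grep exits 1 and the script fails, yet a kustomize render error or a kube-score crash exits 0 and silently yields an empty result, which the gate in the workflow then passes. Use `set -euxo pipefail`, reject a missing argument with `DIR="${1:?usage: $0 <kustomize-dir>}"`, and end the pipeline with `| { grep -v OK || true; }` so a clean manifest stays green while an upstream failure still propagates. `grep -v OK` is also an unanchored substring match; if kube-score's `-o ci` lines carry a bracketed status prefix, anchoring the pattern to that prefix avoids dropping a finding whose description happens to contain "OK".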
@@ -0,0 +1,45 @@
+name: kube-score
+
+on:
+  pull_request:
+    paths:
+      - "k8s/**/*.yaml"
+
+jobs:
+  kube-score:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up kubectl command
+        run: |
+          curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl
+          chmod +x ./kubectl
+          sudo mv ./kubectl /usr/local/bin/kubectl
+          kubectl version --client
+
+      - name: Set up kube score command
+        run: |
+          wget https://github.com/zegl/kube-score/releases/download/v1.11.0/kube-score_1.11.0_linux_amd64.tar.gz
+          tar xvzf kube-score_1.11.0_linux_amd64.tar.gz
+          chmod +x ./kube-score
+          sudo mv ./kube-score /usr/local/bin/kube-score
+          kube-score version
+
+      - name: Perform static check
+        run: |
+          touch check-result.txt
+          TARGET_DIRS=$(find . | grep ".overlays/.*/kustomization.yaml" | sed 's%kustomization.yaml%%' | grep -ve prometheus -ve grafana -ve alertmanager) # Remove applications for monitoring
+          for DIR in $TARGET_DIRS; do
+            echo "Check Kubernetes manifest files in" $DIR
+            bash ./.github/actions/calculate-kube-scores.sh $DIR >> check-result.txt
+          done;
+
+      - name: Show check result
+        run: |
+          TOTAL_CRITICAL_ISSUE_NUM=$(cat check-result.txt | grep CRITICAL | wc -l)
+          echo "TOTAL_CRITICAL_ISSUE_NUM:" $TOTAL_CRITICAL_ISSUE_NUM
+          if [[ "$TOTAL_CRITICAL_ISSUE_NUM" != 0 ]]; then
+            cat check-result.txt
+            exit 1
+          fi
diff --git a/k8s/fastapi/base/deployment.yaml b/k8s/fastapi/base/deployment.yaml
index 38d993d..534c0a4 100644
--- a/k8s/fastapi/base/deployment.yaml
+++ b/k8s/fastapi/base/deployment.yaml
@@ -5,10 +5,15 @@ metadata:
   labels:
     app: fastapi
 spec:
-  replicas: 3
+  replicas: 1
   selector:
     matchLabels:
       app: fastapi
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
diff --git a/k8s/fastapi/overlays/api-app/kustomization.yaml b/k8s/fastapi/overlays/api-app/kustomization.yaml
index ed29c9a..70586cb 100644
--- a/k8s/fastapi/overlays/api-app/kustomization.yaml
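Review bot: Both setup steps fetch a binary over the network and install it with `sudo` into `/usr/local/bin` without verifying a checksum or signature, so the job runs whatever those URLs serve on a given day; the version is pinned but the content is not. Pin the expected digest in the workflow and verify it before `chmod`/`tar`: `echo "<EXPECTED_KUBECTL_SHA256>  kubectl" | sha256sum --check` after the `curl`, and `echo "<EXPECTED_KUBE_SCORE_SHA256>  kube-score_1.11.0_linux_amd64.tar.gz" | sha256sum --check` after the `wget` (placeholders to be filled from the published release checksums). `actions/checkout@v2` is a movable tag for the same reason; pinning it to a full commit SHA with the tag in a trailing comment is the usual practice. In the "Perform static check" step `$DIR` is unquoted in both the `echo` and the script call, and the loop only surfaces a failing script if the runner's default shell runs with `-e`, which deserves a comment since nothing in the file says so.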
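Review bot: With `replicas: 1`, `maxSurge: 0` and `maxUnavailable: 1`, every rollout terminates the only pod before its replacement is scheduled, so each image or config change takes the API down until the new pod is ready; the commit message ("Add CI check") does not mention this availability change, and dropping replicas from 3 to 1 is unrelated to adding the check. If the reduction is meant to keep kube-score quiet about findings that apply only to multi-replica deployments, say so in a comment above `replicas:`; otherwise `maxSurge: 1` with `maxUnavailable: 0` keeps the update zero-downtime at the cost of one extra pod during the rollout. The hunk ends inside `template.metadata`, so the pod spec itself is outside this view.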
+++ b/k8s/fastapi/overlays/api-app/kustomization.yaml @@ -1,13 +1,17 @@ namespace: api-app + bases: - ../../base + patchesStrategicMerge: - deployment.yaml + configMapGenerator: - name: fastapi-configmap literals: - - MYSQL_HOST=mysql-0.mysql-headless.database.svc.cluster.local - - MYSQL_USER=root - - MYSQL_DATABASE=test + - MYSQL_HOST=mysql-0.mysql-headless.database.svc.cluster.local + - MYSQL_USER=root + - MYSQL_DATABASE=test + resources: - - secret.yaml + - secret.yaml