Datree Helm Plugin
A Helm plugin to validate charts against the Datree policy
Installation
helm plugin install https://github.com/datreeio/helm-datree
Windows users can work around this by using Helm under WSL
Update Datree's plugin version
helm plugin update datree
Uninstall
helm plugin uninstall datree
Usage
Trigger datree policy check via the helm CLI
helm datree test [CHART_DIRECTORY]
Passing arguments
If you need to pass helm arguments to your template, you will need to add -- before them:
helm datree test [CHART_DIRECTORY] -- --values values.yaml --set name=prod
Test files
By default, test files generated by Helm will be skipped. If you wish to include test files in your policy check, add the --include-tests flag:
helm datree test --include-tests [CHART_DIRECTORY]
Check plugin version
helm datree version
See help text
helm datree help
Using other helm command
Helm might be installed through other tooling like microk8s. The DATREE_HELM_COMMAND allows specifying a command to run helm (default: helm):
DATREE_HELM_COMMAND="microk8s helm3" helm datree test [CHART_DIRECTORY]
Testing multiple charts
If you have multiple charts inside a single directory, you can test all of them sequentially using the following script:
#!/bin/bash
path="${1:-.}"
final_exit_code=0
while read -r helmchart; do
dir="$(dirname "$helmchart")"
echo "*** Proceeding to test Helm chart: $helmchart ***"
set +e
helm datree test "$dir"
exitcode=$?
set -e
if [ "$exitcode" -gt "$final_exit_code" ]; then
final_exit_code="$exitcode"
fi
echo ""
done < <(find "$path" -type f -name 'Chart.y*ml')
if [ "$final_exit_code" = 0 ]; then
echo "Success"
else
echo "Violations found, returning exit code $final_exit_code"
fi
exit "$final_exit_code"The script will run a policy check against all charts before exiting, and return 0 only if no violations were found in any of them.
This is useful for CI, to avoid the need to call datree test multiple times.
Examples
Basic usage
helm plugin install https://github.com/datreeio/helm-datree
git clone [email protected]:datreeio/examples.git
helm datree test examples/helm-chart/nginx
GitHub Workflow
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
env:
DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
jobs:
k8sPolicyCheck:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Run Datree Policy Check
uses: datreeio/action-datree@main
with:
path: 'myChartDirectory'
cliArguments: '--only-k8s-files'
isHelmChart: true
helmArguments: '--values values.yaml'Troubleshooting
Error: plugin "datree" exited with error
This is actually expected behavior because it's raised by Helm itself every time a plugin returns a non-zero exit code.
Therefore, if you will run datree plugin on a Chart that will pass the policy check, it will return 0 as exit code, and you will not see this error.
K8s schema validation error
This error occurs when trying to scan Chart.yaml or values.yaml files instead of the chart directory.
Solution: Pass the helm chart directory path to Datree's CLI, instead of to the file itself:
- Correct -
helm datree test examples/helm-chart/nginx - Wrong -
helm datree test examples/helm-chart/nginx/values.yaml
The policy check returns false-positive results
The best way to determine if a false-positive result is a bug or a true misconfiguration, is by rendering the Kubernetes manifest with helm and then checking it manually:
helm template [CHART_DIRECTORY]
If after eyeballing the rendered manifest you still suspect it's a bug, please open an issue.