Add CI check for Kubernetes YAML files

Author: k3forx

.github/actions/calculate-kube-scores.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -x
+
+DIR=$1
+kubectl kustomize "${DIR}" | kube-score score - --ignore-test pod-networkpolicy -o ci | grep -v OK

.github/workflows/kube-score.yaml

@@ -0,0 +1,45 @@
+name: kube-score
+
+on:
+  pull_request:
+    paths:
+      - "k8s/**/*.yaml"
+
+jobs:
+  kube-score:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up kubectl command
+        run: |
+          curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl
+          chmod +x ./kubectl
+          sudo mv ./kubectl /usr/local/bin/kubectl
+          kubectl version --client
+
+      - name: Set up kube score command
+        run: |
+          wget https://github.com/zegl/kube-score/releases/download/v1.11.0/kube-score_1.11.0_linux_amd64.tar.gz
+          tar xvzf kube-score_1.11.0_linux_amd64.tar.gz
+          chmod +x ./kube-score
+          sudo mv ./kube-score /usr/local/bin/kube-score
+          kube-score version
+
+      - name: Perform static check
+        run: |
+          touch check-result.txt
+          TARGET_DIRS=$(find . | grep ".overlays/.*/kustomization.yaml" | sed 's%kustomization.yaml%%')
+          for DIR in $TARGET_DIRS; do
+            echo "Check Kubernetes resources in" $DIR
+            bash ./.github/actions/calculate-kube-scores.sh $DIR >> check-result.txt
+          done;
+
+      - name: Show check result
+        run: |
+          TOTAL_CRITICAL_ISSUE_NUM=$(cat check-result.txt | grep CRITICAL | wc -l)
+          echo "TOTAL_CRITICAL_ISSUE_NUM:" $TOTAL_CRITICAL_ISSUE_NUM
+          if [[ "$TOTAL_CRITICAL_ISSUE_NUM" != 0 ]]; then
+            cat check-result.txt
+            exit 1
+          fi

k8s/fastapi/base/deployment.yaml

@@ -5,10 +5,15 @@ metadata:
   labels:
     app: fastapi
 spec:
-  replicas: 3
+  replicas: 1
   selector:
     matchLabels:
       app: fastapi
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:

k8s/fastapi/overlays/api-app/kustomization.yaml

@@ -1,13 +1,18 @@
 namespace: api-app
+
 bases:
   - ../../base
+
 patchesStrategicMerge:
   - deployment.yaml
+
 configMapGenerator:
   - name: fastapi-configmap
     literals:
-    - MYSQL_HOST=mysql-0.mysql-headless.database.svc.cluster.local
-    - MYSQL_USER=root
-    - MYSQL_DATABASE=test
+      - MYSQL_HOST=mysql-0.mysql-headless.database.svc.cluster.local
+      - MYSQL_USER=root
+      - MYSQL_DATABASE=test
+
 resources:
-    - secret.yaml
+  - secret.yaml
+  - network-policy.yaml