Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,5 @@
coverage.out
input.yaml
input.json
/output
/output
genval
1 change: 1 addition & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ repos:
signed_commit=$(git verify-commit $latest_commit 2>&1)
if [[ $signed_commit == *"Validated Git signature: true"* ]]; then
echo "Latest commit is signed with gitsign."
exit 0
else
echo "WARNING: The latest commit is not signed with gitsign."
fi
Expand Down
1 change: 1 addition & 0 deletions CONTRIBUTION.md
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,7 @@ import "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
apiVersion: string | *"tekton.dev/v1beta1"
kind: string | *"Pipeline"
...
}

```

Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,4 @@ lint: ## Run a linter on the codebase using golangci-lint.


build: ## builds the GenVal app for defined OS/Arch by passing GOOS=$(GOOS) GOARCH=$GOARCH args.| Example usage `make build GOOS=linux GOARCH=amd64`
@GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags="-X main.Version=$(shell git describe --tags --abbrev=0)" -o ./bin/genval ./cmd
@GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags="-X main.Version=$(shell git describe --tags --abbrev=0)" -o genval ./cmd
74 changes: 64 additions & 10 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7843/badge)](https://www.bestpractices.dev/projects/7843)
[![Go Report Card](https://goreportcard.com/badge/github.com/intelops/genval)](https://goreportcard.com/report/github.com/intelops/genval)
[![Build Status](https://github.com/intelops/genval/actions/workflows/ci.yaml/badge.svg)](https://github.com/intelops/genval/actions?query=workflow%3Abuild)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)


# Genval: Simplifying Configuration Management


Expand All @@ -14,8 +20,8 @@ Genval is a versatile Go utility that simplifies configuration management for a



## Why Genval?

## Why Genval?go install github.com/sigstore/gitsign@latest
go install github.com/sigstore/gitsign@latest


Managing configurations across different tools can be a daunting task. Ensuring that these configurations adhere to best practices is critical but can be time-consuming and error-prone. Genval automates these processes, making configuration management more efficient.
Expand Down Expand Up @@ -137,27 +143,31 @@ To build genval from source:

- Navigate to the project directory: `cd genval`

- Build Genval: `CGO_ENABLED=0 go build -o ./cmd/genval`
- Build Genval: `CGO_ENABLED=0 go build -o ./genval ./cmd`



The generated binary, genval, will be available in the current working directory. You can move it to your PATH or use it from the current directory.

Genval offers two modes:

Genval offers four modes:

- `container` for Dockerfile validation and generation

- `container` for Dockerfile validation with rego policies and generation of validated Dockerfile
- `cue` for Kubernetes and CRD validation and generation
- `k8s` for validating Kubernetes manifests with Rego policies
- `tf` for validating Terraform resource files with Rego policies
- `cel` for validating Kubernetes resource files with CEL policies

A helper mode `showjson` is available for user to view the **JSON** representation of the input files passed to Genval. In `--mode showjson` a user can pass the input file, for example a Dockerfile, Terraform file or a Kubernetes YAML manifests and get the JSON representation of that specific input. As most of the policies are written based on input in a JSON structured format. This would enable user to refer this JSON document to write their custom policies in **Rego** and **CEL**.

> Both modes accept inputs that include local files and files obtained from a remote URL, such as those from a Git repository.

> All the modes accept inputs that include local files and files obtained from a remote URL, such as those from a Git repositoryin raw format.


### Dockerfile Validation and Generation:


Run Genval with the --mode container flag, providing the path to your input JSON or YAML file using the `--reqinput` flag and specifying the desired output path for the generated Dockerfile along with `--inputpolicy` and `--outputpolicy` for validating the input JSON and the generated Dockerfile respectively. Genval will take care of the rest.
Run Genval with the `--mode container` flag, providing the path to your input JSON or YAML file using the `--reqinput` flag and specifying the desired output path for the generated Dockerfile along with `--inputpolicy` and `--outputpolicy` for validating the input JSON and the generated Dockerfile respectively. Genval will take care of the rest.

Example:

Expand All @@ -178,7 +188,6 @@ $ genval --mode container --reqinput ./templates/inputs/dockerfile_input/golang_

### Validation and Generation of Kubernetes configurations



The validation and generation of Kubernetes and CRD manifests are facilitated through the use of [cuelang](https://cuelang.org/docs/). When using Genval for validating and generating Kubernetes and related manifests, make use of the Genval tool in `cue` mode. This mode necessitates JSON input provided via the `--reqinput` flag. Furthermore, you should specify a `resource` flag, indicating the Kubernetes or CRD `Kind` that requires validation. Additionally, attach the `.cue schema definitions` to the `--policy` flag. These policy files can be provided from the users local file system or from a remote URL, like a Git repository.

Expand All @@ -204,6 +213,51 @@ The above command will validate a Deployment manifests using the provided `.cue`
For a detailed workflow illustrating the capabilities of Cue and Genval for validating and generating Kubernetes configurations, you can refer to [this document](./cmd/cueval/example.md).
The workflow for adding a Cue schema for Kubernetes CRDs is failry easy, and demostrated in the [CONTRIBUTION.md document](./CONTRIBUTION.md/#contributing-by-adding-a-cue-schema-to-the-project).

### Validation of Kubernetes resources with Rego policies

To validate Kubernetes manifests with Rego policies, users can use `--mode k8s` with `--reqinput` for providing the required input in JSON or YAML format, and `--policy` flag to pass in the Rego policies.

Example:

```shell
genval --mode k8s --reqinput <Path/to/input/yaml/json file> \
--policy <Path/to/.rego policy>
```

### Validate Terraform resource files with Rego policies

To validate the Terraform resource file in `.tf` format. Use `--mode tf` with two flags as above `--reqinput` and `--policy`. The Genval tool willvalidate the `.tf` resource file with Rego policies.

To write custom policies, users might require to know the `JSON` representation of the input `.tf` file. In order to get the `JSON` representation of the `.tf` users can use `--showjson` mode and pass the `.tf` file as input to get the JSON representation that could help user write rego policies.

Example:

```shell
genval --mode showjson --reqinput ../templates/inputs/terraform/sec-group.tf
{
"resource": [
{
"aws_security_group": {
"allow_tls": {
"description": "Allow TLS inbound traffic",
"egress": [
{
...
<REDACTED>
```

### Validating Kubernetes resource manifest files with CEL policies

Genval enables validating Kubernees manifests using [Common Expression Language — (CEL)](https://github.com/google/cel-spec). To validate different Kubernetes manifest files in `cel` mode. Use `--mode cel` with the same two flags `--reqinput` for passing the input in either **JSON** or **YAML** format and `--policy` to pass the CEL policies in a text file format.

The `./templates/defaultpolicies/cel/cel_policies` contains some sample policies that can be used with `cel` mode.

Example:

```shell
$ genval --mode cel --reqinput ./templates/inputs/k8s/deployment.json --policy ./templates/defaultpolicies/cel/cel_policies
```

### Templates

The `./templates` folder holds some sample files to be used in Genval. the `./templates/inputs` holds JSON input templates for both generating Dockerfiles in `container` mode and Kubernetes manifests in `cue` mode. Similarly, all the default policies for both the modes are stored in `./templates/defaultpolices` directory. User can use these template files to start with and as they go along they can customize these files to suite their specific use cases.
The `./templates` folder holds some sample files to be used in Genval. the `./templates/inputs` holds JSON input templates for both generating Dockerfiles in `container` mode and Kubernetes manifests in `cue` mode. Similarly, all the sample policies for all the modes are stored in `./templates/defaultpolices` directory. User can use these template files to start with and as they go along they can build upon it and customize these policies to suite their specific use cases.
104 changes: 0 additions & 104 deletions cmd/cueval/cueval.go

This file was deleted.

6 changes: 3 additions & 3 deletions cmd/cueval/example.md → cmd/example.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,15 @@ In this guide, we'll explore the usage of the Genval tool in Cue mode for valida

## What is Cue

Cue aka [Cuelang](https://cuelang.org/docs) is a versatile configuration language and runtime environment designed to fulfill various tasks, including defining and validating data schemas, configuring files, and generating configuration artifacts. It presents a succinct and expressive syntax tailored for efficient configuration management while providing advanced features like type checking, constraints, and code generation.
Cue is a versatile configuration language and runtime environment designed to fulfill various tasks, including defining and validating data schemas, configuring files, and generating configuration artifacts. It presents a succinct and expressive syntax tailored for efficient configuration management while providing advanced features like type checking, constraints, and code generation.


One of Cue's standout features is its robust [type system](https://cuelang.org/docs/tutorials/tour/types/types/), which empowers developers to specify and enforce data types within their configuration files. This type checking capability greatly enhances the reliability and stability of configurations. Additionally, Cue allows developers to establish [constraints](https://cuelang.org/docs/tutorials/tour/intro/constraints/) or rules that configuration data must follow. Enforcing these constraints ensures that configurations align with specific business requirements or predefined rules, elevating the overall quality and correctness of configurations.

## Flow diagram fo Cue mode

<p align="center">
<img src="https://github.com/intelops/genval/assets/141515226/57fad737-2fa0-436e-92c9-0d336731d993" />
<img src="../cueval.svg" />
</p>


Expand Down Expand Up @@ -64,7 +64,7 @@ $ genval --mode cue --reqinput ./templates/inputs/cue/deploy.json \ # input to b
--policy ./templates/defaultpolicies/cue/deployment.cue # Our Cue schema/policy for Deployment
--policy ./templates/defaultpolicies/cue/metadata.cue # We can pass multiple policies/schemas referring them in the main policy `deployment.cue`.
```
- `--reqinput`: Specifies the input to be validated.
- `--reqinput`: Specifies the input to be validated. The `reqinput` accepts a single Cue Definition or a directory containing multiple Definitions.
- `--resource`: Defines the Kubernetes resource kind to validate and generate. It must correspond to a valid Kind.
- `--policy`: Points to the Cue schema/policy for Deployment. Multiple policies/schemas can be used by referencing them in the main policy `deployment.cue`.

Expand Down
Loading