In this third article dedicated to Datree we will explore how to use the tool with Azure Pipelines to validate and secure our Kubernetes deployments.
Video
As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.
Link to the video: https://youtu.be/aM7EVflmEt4. The part about Azure Pipelines starts at minute 16:33.
If you prefer reading, well... let's just continue :)
The Basics
While I will not cover how to install and use the service in general (check the video and the first article of this series if you want to know more about it), there are a few things worth remembering that will be useful later in this article:
- Datree is a CLI tool, which works on Linux, macOS and Windows.
- Centralized Policy Management uses a token as the link between the scans and your account.
Datree in Azure Pipelines
Alright, let's do this. The first thing we have to do, as we would in a local environment, is to install the CLI:

```yaml
- script: curl https://get.datree.io | /bin/bash
  displayName: 'Install Datree'
```

In this case the pipeline is running on Linux, so I can use the bash script to install it.
This step takes only a few seconds to execute.
This step is necessary if you are using Microsoft-hosted agents. If you are instead on self-hosted agents you can install the CLI directly on the agent machine and skip this step. However, you would then need to take care of updating the CLI manually.
Next, we can invoke the validation command:

```yaml
- script: datree test ~/.datree/k8s-demo.yaml
  env:
    DATREE_TOKEN: $(DATREE_TOKEN)
  displayName: 'Run the datree scan'
```

As you can see, nothing different from what we would normally do.
Since we don't have access to the config file in our CI environment, we need to pass the token as an environment variable. Best practice is to save it as a protected (secret) variable in Pipelines and retrieve it using $(YOUR_SECRET_NAME).
In the example above the token is passed as an environment variable directly in the task, to minimize exposure. If you have multiple scans in the same workflow, you can also add it as a job, stage, or pipeline environment variable.
And this is basically all you need.
So the full pipeline will look like this:

```yaml
# Pipeline to show Datree scan
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- script: curl https://get.datree.io | /bin/bash
  displayName: 'Install Datree'

- script: datree test ~/.datree/k8s-demo.yaml
  env:
    DATREE_TOKEN: $(DATREE_TOKEN)
  displayName: 'Run the datree scan'
```
Of course, you can also integrate this into your own CI or PR validation pipelines rather than keeping it separate, if you wish.
Execution and Results
The first thing to notice is that, as I've said before, the installation step is very quick.
This is why it is probably a good idea to leave it in place even on self-hosted agents, so you don't have to worry about updating the CLI.
The validation scan is also very quick.
The second thing to notice is that, by design, if a validation fails it breaks the build/run. This is what enforces the policies and best practices.
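As an added example (this is not code from the original post or from the Datree project), here is a small bash wrapper you could call from the scan step instead of a single `datree test` invocation. It assumes the manifests live under a directory passed as the first argument; `run_datree_scans`, `check_datree_token` and the `DATREE_CMD` override are hypothetical names chosen for this example. It checks that DATREE_TOKEN is present without ever printing its value, scans every manifest under the directory, and returns a non-zero exit code when any scan fails, which is exactly what makes the pipeline step (and so the build) fail as described above. The `##vso[task.logissue ...]` lines are Azure Pipelines logging commands that surface the message as an error or warning annotation in the run summary.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from the Datree project:
# a wrapper for the "Run the datree scan" step that scans every manifest
# in a directory, never prints the token, and fails the step if any scan fails.
# Hypothetical names: run_datree_scans, check_datree_token, DATREE_CMD.
set -u

# DATREE_CMD defaults to the real CLI; a test can point it at a stub.
DATREE_CMD="${DATREE_CMD:-datree}"

# Returns 0 if DATREE_TOKEN is set and non-empty, 2 otherwise. The value is
# never echoed; only an Azure Pipelines error annotation is written.
check_datree_token() {
  if [ -z "${DATREE_TOKEN:-}" ]; then
    echo "##vso[task.logissue type=error]DATREE_TOKEN is not set; configure it as a secret pipeline variable" >&2
    return 2
  fi
  return 0
}

# Runs "datree test" on every *.yaml / *.yml file under $1 and reports per file.
# Exit codes: 0 = all manifests passed, 1 = at least one failed (so the pipeline
# step fails, as the post describes), 2 = missing token or no manifests found.
run_datree_scans() {
  scan_dir="$1"
  check_datree_token || return 2
  found=0
  failed=0
  # Word-splitting on find's output is acceptable here because manifest paths
  # in a repository normally contain no whitespace; adapt if yours do.
  for manifest in $(find "$scan_dir" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort); do
    found=$((found + 1))
    if "$DATREE_CMD" test "$manifest"; then
      echo "PASS $manifest"
    else
      echo "##vso[task.logissue type=error]Datree policy check failed for $manifest" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "##vso[task.logissue type=warning]No Kubernetes manifests found under $scan_dir" >&2
    return 2
  fi
  echo "Datree: $failed of $found manifest(s) failed"
  [ "$failed" -eq 0 ]
}

# When invoked directly with a directory argument, run the scan and propagate
# the exit code so that Azure Pipelines marks the step failed on violations.
if [ "$#" -gt 0 ]; then
  run_datree_scans "$1"
  exit $?
fi
```

In the pipeline this would replace the `script:` line of the scan step (for example `script: ./datree-scan.sh manifests/`) while keeping the same `env:` block, so the token stays scoped to that one task and the step still fails on any policy violation.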
Finally, let's take a look at the results.
As you can see, the output is exactly the same as when executing the CLI in any local environment, or anywhere else for that matter, which keeps the experience very consistent.
Offer
Datree is free to use up to 1000 scans per month, and you can pay for more scans and enhanced support. However...
You can get 1 month of the Premium plan for FREE if you use this link: https://app.datree.io/?utm_source=coder-dave&medium=youtube
Conclusions
So, what do you think about Datree? Is it something you will adopt as part of your workflow? Let me know in the comment section below, I'd really like to know.
You may also want to watch this video in which I show you how to deploy to Kubernetes in Azure Pipelines starting from scratch.