In this second article dedicated to Datree we will explore how to use the tool with GitHub Actions to validate and secure our Kubernetes deployments.
Video
As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.
Link to the video: https://youtu.be/aM7EVflmEt4. The part about GitHub Actions starts at minute 14:12.
If you rather prefer reading, well... let's just continue :)
The Basics
While I will not cover how to install and use the service in general (check the video and the first article of this series if you want to know more about it), there are a few things worth remembering that will be useful later on in this article:
- Datree is a CLI tool, which works on Linux, MacOS and Windows
- The Centralized Policy Management uses a token as the connection between the scans and the account
Datree in GitHub Actions
Alright, let's do this. The first thing we have to do, as we would in a local environment, is to install the CLI:
```yaml
- name: Install DaTree
  run: curl https://get.datree.io | /bin/bash
```
In this case the workflow is running on Linux, so I can use the bash script for installing it. Keep in mind that this pipes whatever get.datree.io serves at that moment straight into bash on the runner, so the install is only as trustworthy as that endpoint.
This step will take only a few seconds to execute.
This is necessary if you are using the GitHub Hosted Runners. If you are instead on Self-hosted Runners you can install the CLI directly on the agent machine, so you can skip this step. However, you'd then need to manually take care of updating the CLI.
Next, we can invoke the validation command:
```yaml
- name: Scan with DaTree
  run: datree test ./kubernetes/*.yml
  env:
    DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
```
As you can see, nothing different from what we would normally do.
Since we don't have access to the config file in our CI environment, we need to pass the token as an environment variable. Best practice is to save it as a secret in the repo and retrieve it using ${{ secrets.YOUR_SECRET_NAME }}.
In the example above the token is passed as an environment variable directly in the step, to minimize exposure: only that step can read it. If you have multiple scans in the same workflow, you can also add it as a job or workflow environment variable, at the cost of making it visible to every step in that scope.
And this is basically all you need.
So the full workflow will look like this:
```yaml
name: K8S YAML Validation
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Install DaTree
        run: curl https://get.datree.io | /bin/bash
      - name: Scan with DaTree
        run: datree test ./kubernetes/*.yml
        env:
          DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
```
Of course you can also integrate this into your own CI or PR validation workflows rather than keeping it separate, if you wish.
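The scan step hands `./kubernetes/*.yml` straight to the shell, so a `.yaml` file is never scanned, and an empty directory or mistyped path leaves nothing validated while the step may still look like it ran. The `run:` script below is an added example, not code from Datree or from this post: it collects both extensions, fails the job when the secret is missing or no manifest is found, and otherwise returns whatever exit status `datree test` gives. `DATREE_BIN` is an assumed optional override of the scanner command, used here only so the script can be exercised without the real CLI.

```shell
#!/usr/bin/env bash
# Added example: hardened "Scan with DaTree" step. Assumes only that the
# datree CLI is on PATH (or named by the assumed DATREE_BIN override).
set -eu

# Print every .yml/.yaml file under a directory, one path per line.
collect_manifests() {
  [ -d "$1" ] || return 0
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort
}

# Run the policy scan over a directory of manifests.
# Returns 2 if DATREE_TOKEN is unset, 3 if no manifests were found,
# otherwise the exit status of datree (non-zero on policy violations).
scan_manifests() {
  dir="$1"
  if [ -z "${DATREE_TOKEN:-}" ]; then
    echo "DATREE_TOKEN is not set; add it as a repository secret" >&2
    return 2
  fi
  manifests=$(collect_manifests "$dir")
  if [ -z "$manifests" ]; then
    echo "no manifests found under $dir; nothing was validated" >&2
    return 3
  fi
  # Split the list on newlines only, so paths with spaces stay intact.
  old_ifs=$IFS
  IFS='
'
  set -- $manifests
  IFS=$old_ifs
  "${DATREE_BIN:-datree}" test "$@"
}
```

In the workflow, the step body becomes this script followed by `scan_manifests ./kubernetes`, with the `env:` block for the token unchanged.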
Execution and Results
The first thing to notice is that, as I've said before, the installation step is very quick.
This is why it is probably a good idea to leave it there even on Self-hosted runners, so you don't have to worry about updating it.
The validation scan is also very quick.
The second thing to notice is that, by design, if validation fails it will break the build/run. This is what enforces the policies and best practices: a non-compliant manifest cannot pass through the pipeline unnoticed.
Finally, let's take a look at the results.
As you can see, the output is exactly the same as when executing the CLI on any local environment, or anywhere else for that matter, keeping the experience very consistent.
Offer
Datree is free to use up to 1000 scans per month, and you can pay for more scans and enhanced support. However...
You can get 1 month of the Premium plan for FREE if you use this link: https://app.datree.io/?utm_source=coder-dave&medium=youtube
Conclusions
So, what do you think about Datree? Is it something you will adopt as part of your workflow? Let me know in the comment section below, I'd really like to know.
You may also want to watch this video, in which I show you how to deploy to Kubernetes in Azure Pipelines starting from scratch.