This tool inspects a Helm
chart URI (file://, https?://, etc)
and returns either a positive result indicating the Helm chart has passed all checks, or a negative result indicating
which checks have failed and remedial actions.
The application is separated in two pieces: a command line interface and a library. This is handy because the command line interface is specific to the user interface, and the library can be generic enough to be used to, for example, inspect Helm chart bytes in flight.
One positive aspect of the command line interface specificity is that its output can be tailored to the methods of consumption the user expects; in other words, the command line interface can be programmed in such way it can be represented as either YAML or JSON formats, in addition to a descriptive representation tailored to human actors.
Primitive functions to manipulate the Helm chart should be provided, since most checks involve inspecting the contents
of the chart itself; for example, whether a README.md file exists, or whether README.md contains the values'
specification, implicating in offering a cache API layer is required to avoid downloading and unpacking the charts for
each test.
Container images built from the source code are hosted in https://quay.io/repository/redhat-certification/chart-verifier
; to download using docker execute the following command:
docker pull quay.io/redhat-certification/chart-verifier
Alternatively, download chart-verifier binary from the release page and run chart-verifier verify command to perform Helm chart checks.
To build chart-verifier locally, execute make bin for macOS and Linux, or make bin_win for Windows.
To build chart-verifier container image, execute hack/build-image.sh or its PowerShell alternative:
PS C:\Users\igors\GolandProjects\chart-verifier> .\hack\build-image.ps1
[+] Building 15.1s (15/15) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 32B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/fedora:31 1.4s
=> [internal] load metadata for docker.io/library/golang:1.15 1.3s
=> [build 1/7] FROM docker.io/library/golang:1.15@sha256:d141a8bca046ade2c96f89e864cd31f5d0ba88d5a71d62d59e0e1f2ecc2451f1 0.0s
=> CACHED [stage-1 1/2] FROM docker.io/library/fedora:31@sha256:ba4fe6a3da48addb248a16e8a63599cc5ff5250827e7232d2e3038279a0e467e 0.0s
=> [internal] load build context 0.5s
=> => transferring context: 43.06MB 0.5s
=> CACHED [build 2/7] WORKDIR /tmp/src 0.0s
=> CACHED [build 3/7] COPY go.mod . 0.0s
=> CACHED [build 4/7] COPY go.sum . 0.0s
=> CACHED [build 5/7] RUN go mod download 0.0s
=> [build 6/7] COPY . . 0.2s
=> [build 7/7] RUN ./hack/build.sh 12.5s
=> [stage-1 2/2] COPY --from=build /tmp/src/out/chart-verifier /app/chart-verifier 0.1s
=> exporting to image 0.2s
=> => exporting layers 0.2s
=> => writing image sha256:7302e88a2805cb4be1b9e130d057bd167381e27f314cbe3c28fbc6cb7ee6f2a1 0.0s
=> => naming to quay.io/redhat-certification/chart-verifier:07e369d
The container image created by the build program is tagged with the commit ID of the working directory at the time of
the build: quay.io/redhat-certification/chart-verifier:0d3706f.
To verify a chart against all available checks:
> out/chart-verifier verify ./chart.tgz
> out/chart-verifier verify ~/src/chart
> out/chart-verifier verify https://www.example.com/chart.tgz
To apply only the is-helm-v3 check:
> out/chart-verifier verify --enable is-helm-v3 https://www.example.com/chart.tgz
To apply all checks except is-helm-v3:
> out/chart-verifier verify --disable is-helm-v3 https://www.example.com/chart.tgz
The container image produced in 'Building chart-verifier' can then be executed with the Docker client
as docker run -it --rm quay.io/redhat-certification/chart-verifier:0d3706f verify.