# helm-manifest-parser

Gatekeeper's Rego implementation does not have enough library functions to parse Helm manifests: a GZip decompression function would be required to parse Helm 3 manifests, and Helm 2 manifests use a custom binary format, where we're even more out of luck. To add this missing parsing function, this helper program provides an HTTP endpoint that Rego expressions can call via the `http.send` built-in.
## Usage

The helper itself is completely stateless. The only configuration is the listen address for the HTTP server, which must be supplied as the only command-line argument:

```sh
helm-manifest-parser 0.0.0.0:8080
```

Even though Helm manifests often contain secrets, there aren't really any security considerations for this component: it only receives Helm manifests through its API. It doesn't read the Kubernetes database itself.
## API

The HTTP endpoint for manifest parsing is `POST /v3` for Helm 3 manifests. (There used to be `POST /v2` for Helm 2 manifests, but it has since been removed.) The request body must be the `data.release` field of the respective ConfigMap (for Helm 2 manifests) or Secret (for Helm 3 manifests). In both cases, the response body is a JSON document like this:
```json
{
  "items": [
    {
      "apiVersion": "v1",
      "kind": "Pod",
      "spec": {
        ...
      },
      "status": {
        ...
      }
    },
    ...
  ],
  "values": {
    "global": {
      "region": "lab1"
    },
    ...
  },
  "owner_info": {}
}
```
The main parts of the response object are the objects in the manifest (in the `.items` array) and the values that were used to render the chart templates (in the `.values` object). Additionally, if the release manifest contains a ConfigMap called `owner-of-${RELEASE_NAME}`, then its data section will be repeated in the `.owner_info` object. This ConfigMap is usually generated by the `owner-info` subchart.

Besides the `POST /v3` endpoint, a health check endpoint is provided at `GET /healthcheck`, which always returns the plain text string "OK".
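The following Go program is an added example, not code from this repository. It shows the decoding step that the introduction says Rego cannot do on its own and that the `POST /v3` endpoint performs on the `data.release` field: a Helm 3 release is stored as base64 text wrapping a gzip stream wrapping a JSON document, whose `config` member becomes `.values` and whose `manifest` member is the `---`-separated YAML that becomes `.items`. Assumptions: the Kubernetes Secret's own base64 layer has already been stripped from `data.release` (as `kubectl` does when decoding it); the struct field names mirror Helm's release JSON; the sample release is constructed here and is not a real one; and the YAML-to-JSON conversion of each document (which the real parser does) is not shown, so documents are returned as raw strings. The decompressed size is capped so that a crafted blob cannot exhaust memory.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// HelmRelease holds the fields of Helm 3's release JSON that this example uses.
// Field names follow Helm's release object (assumption); other fields are ignored.
type HelmRelease struct {
	Name      string                 `json:"name"`
	Namespace string                 `json:"namespace"`
	Version   int                    `json:"version"`
	Config    map[string]interface{} `json:"config"`   // user-supplied values -> .values
	Manifest  string                 `json:"manifest"` // rendered YAML documents, "---"-separated
}

// maxDecodedSize bounds the decompressed payload so that a gzip bomb handed to
// the endpoint cannot exhaust memory; 64 MiB is far above any real release.
const maxDecodedSize = 64 << 20

// DecodeHelm3Release reverses the encoding Helm 3 applies before storing a
// release: JSON -> gzip -> base64. Assumption: the caller has already removed
// the Kubernetes Secret's own base64 layer from data.release.
func DecodeHelm3Release(blob string) (*HelmRelease, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(blob))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, fmt.Errorf("gzip: %w", err)
	}
	defer zr.Close()
	// Read one byte past the cap so an oversized payload is detected, not truncated silently.
	data, err := io.ReadAll(io.LimitReader(zr, maxDecodedSize+1))
	if err != nil {
		return nil, fmt.Errorf("read: %w", err)
	}
	if len(data) > maxDecodedSize {
		return nil, fmt.Errorf("decoded release exceeds %d bytes", maxDecodedSize)
	}
	var rel HelmRelease
	if err := json.Unmarshal(data, &rel); err != nil {
		return nil, fmt.Errorf("json: %w", err)
	}
	return &rel, nil
}

// EncodeHelm3Release is the inverse encoding; it exists here only to construct sample input.
func EncodeHelm3Release(rel HelmRelease) (string, error) {
	data, err := json.Marshal(rel)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(data); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// docSeparator matches a YAML document separator line.
var docSeparator = regexp.MustCompile(`(?m)^---[ \t]*$`)

// SplitManifest splits the rendered manifest into its individual YAML documents,
// dropping empty ones. The parser turns each of these into one entry of .items.
func SplitManifest(manifest string) []string {
	var docs []string
	for _, d := range docSeparator.Split(manifest, -1) {
		if d = strings.TrimSpace(d); d != "" {
			docs = append(docs, d)
		}
	}
	return docs
}

// sampleBlob is a constructed Helm 3 release (not a real one) with two manifest
// documents, the second being the owner-info ConfigMap the README describes.
func sampleBlob() string {
	rel := HelmRelease{
		Name: "myapp", Namespace: "default", Version: 1,
		Config: map[string]interface{}{"global": map[string]interface{}{"region": "lab1"}},
		Manifest: "---\n# Source: myapp/templates/pod.yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: myapp\n" +
			"---\n# Source: owner-info/templates/configmap.yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: owner-of-myapp\n",
	}
	blob, err := EncodeHelm3Release(rel)
	if err != nil {
		panic(err)
	}
	return blob
}

func main() {
	rel, err := DecodeHelm3Release(sampleBlob())
	if err != nil {
		panic(err)
	}
	fmt.Printf("release %s v%d: %d manifest documents, values=%v\n",
		rel.Name, rel.Version, len(SplitManifest(rel.Manifest)), rel.Config)
}
```

Feeding a real `data.release` value to `DecodeHelm3Release` after stripping the Secret's base64 layer gives the same structure; the size cap is the one check worth keeping in any service that accepts compressed input from callers it does not control.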
## Logging

HTTP requests are logged, but by default, only failed requests (HTTP status code != 200) are logged. To enable full logging, set the environment variable `LOG_ALL_REQUESTS=true`.