Make kubeval hermetic (#233)

* make kubeval hermetic

* use json parser

* openapi2jsonschema should handle strict

* rebase on new fork openapi2jsonschema

.gitignore

@@ -6,6 +6,7 @@ node_modules
 .DS_Store
 .nyc_output
 bin/
+__pycache__
 
 # We use sed -i.bak when doing in-line replace, because it works better cross-platform
 *.bak

examples/kubeval/simple/.expected/results.yaml

@@ -1,3 +1,14 @@
+- message: Additional property templates is not allowed
+  severity: error
+  resourceRef:
+    apiVersion: v1
+    kind: ReplicationController
+    namespace: ''
+    name: bob
+  file:
+    path: resources.yaml
+  field:
+    path: templates
 - message: 'Invalid type. Expected: [integer,null], given: string'
   severity: error
   resourceRef:

examples/kubeval/simple/README.md

@@ -1,32 +1,34 @@
-# Kubeval
+# kubeval: simple example
 
 The `kubeval` KRM config function validates Kubernetes resources using kubeval.
 Learn more on the [kubeval website].
 
-This example invokes the kubeval function against Kubernetes v1.18.0.
+This example invokes the kubeval function against the builtin Kubernetes
+v1.19.8 schema.
 
 ## Function invocation
 
 Get this example and try it out by running the following commands:
 
-<!-- TODO: no --network. See: https://github.com/GoogleContainerTools/kpt/issues/1621 -->
-
 ```sh
 kpt pkg get https://github.com/GoogleContainerTools/kpt-functions-catalog.git/examples/kubeval .
-kpt fn run kubeval --network
+kpt fn run kubeval
 ```
 
 ## Expected Results
 
 This should give the following output:
 
 ```sh
-[ERROR] Invalid type. Expected: [integer,null], given: string in object 'v1/ReplicationController//bob' in file example-config.yaml in field spec.replicas
+[ERROR] Additional property templates is not allowed in object 'v1/ReplicationController//bob' in file resources.yaml in field templates
+[ERROR] Invalid type. Expected: [integer,null], given: string in object 'v1/ReplicationController//bob' in file resources.yaml in field spec.replicas
 error: exit status 1
 ```
 
-In the `example-config.yaml` file, replace the value of `spec.replicas`
-with an integer to pass validation and rerun the command. This will return
-success (no output).
+There are validation error in the `resources.yaml` file, to fix them:
+- replace the value of `spec.replicas` with an integer
+- change `templates` to `template`
+
+Rerun the command, and it will return success (no output).
 
 [kubeval website]: https://www.kubeval.com/

examples/kubeval/simple/fn-config.yaml

@@ -6,7 +6,6 @@ metadata:
     config.k8s.io/function: |
       container:
         image: gcr.io/kpt-fn/kubeval:unstable
-        network: true
     config.kubernetes.io/local-config: 'true'
 data:
-  schema_location: https://kubernetesjsonschema.dev/
+  strict: 'true'

functions/ts/kubeval/build/kubeval.Dockerfile

@@ -1,6 +1,6 @@
 FROM node:14.15-alpine3.12 as builder
 
-ARG KUBEVAL_VERSION="0.15.0"
+ARG KUBEVAL_VERSION="v0.16.1"
 RUN apk add curl && \
     curl -sSLf https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz | \
     tar xzf - -C /usr/local/bin
@@ -27,16 +27,21 @@ RUN npm run build && \
 
 FROM node:14.15-alpine3.12
 
+RUN apk add --update --no-cache python3 py3-pip && ln -sf python3 /usr/bin/python
+RUN pip install pyyaml jsonref click
+COPY third_party/github.com/instrumenta/openapi2jsonschema/openapi2jsonschema/*.py /openapi2jsonschema/
+RUN chmod +x /openapi2jsonschema/command.py && ln -s /openapi2jsonschema/command.py /usr/bin/openapi2jsonschema
+
 # Run as non-root user as a best-practices:
 # https://github.com/nodejs/docker-node/blob/master/docs/BestPractices.md
 USER node
 
 WORKDIR /home/node/app
 
 COPY --from=builder /home/node/app /home/node/app
-
 COPY --from=builder /usr/local/bin /usr/local/bin
+COPY openapi.json /home/node/
 
-ENV PATH /usr/local/bin:$PATH
+ENV LOG_TO_STDERR=true
 
 ENTRYPOINT ["node", "/home/node/app/dist/kubeval_run.js"]