Datree Helm Plugin

A Helm plugin to validate charts against the Datree policy

Installation

helm plugin install https://github.com/datreeio/helm-datree

⚠️ Helm plugins are not supported on Windows OS ⚠️
Windows users can work around this by using Helm under WSL.

Update Datree's plugin version

helm plugin update datree

Uninstall

helm plugin uninstall datree

Usage

Trigger a Datree policy check via the Helm CLI:

helm datree test [CHART_DIRECTORY]

Passing arguments

If you need to pass helm arguments to your template, you will need to add -- before them:

helm datree test [CHART_DIRECTORY] -- --values values.yaml --set name=prod

Test files

By default, test files generated by Helm will be skipped. If you wish to include test files in your policy check, add the --include-tests flag:

helm datree test --include-tests [CHART_DIRECTORY]

Check plugin version

helm datree version

See help text

helm datree help

Using another Helm command

Helm might be installed through other tooling, such as microk8s. The DATREE_HELM_COMMAND environment variable lets you specify the command used to run Helm (default: helm):

DATREE_HELM_COMMAND="microk8s helm3" helm datree test [CHART_DIRECTORY]

Testing multiple charts

If you have multiple charts inside a single directory, you can test all of them sequentially using the following script:

#!/bin/bash

# Directory to search for charts (defaults to the current directory)
path="${1:-.}"
# Highest exit code returned by any chart's policy check
final_exit_code=0

while read -r helmchart; do
    dir="$(dirname "$helmchart")"
    echo "*** Proceeding to test Helm chart: $helmchart ***"
    # Do not abort on a failing check, so that every chart gets tested
    set +e
    helm datree test "$dir"
    exitcode=$?
    set -e
    if [ "$exitcode" -gt "$final_exit_code" ]; then
        final_exit_code="$exitcode"
    fi
    echo ""
done < <(find "$path" -type f -name 'Chart.y*ml')

if [ "$final_exit_code" = 0 ]; then
    echo "Success"
else
    echo "Violations found, returning exit code $final_exit_code"
fi
exit "$final_exit_code"

The script will run a policy check against all charts before exiting, and return 0 only if no violations were found in any of them.
This is useful for CI, to avoid the need to call datree test multiple times.

Examples

Basic usage

helm plugin install https://github.com/datreeio/helm-datree
git clone git@github.com:datreeio/examples.git
helm datree test examples/helm-chart/nginx

GitHub Workflow

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
    
env:
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} 

jobs:
  k8sPolicyCheck:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        
      - name: Run Datree Policy Check
        uses: datreeio/action-datree@main
        with:
          path: 'myChartDirectory'
          cliArguments: '--only-k8s-files'
          isHelmChart: true
          helmArguments: '--values values.yaml'

Troubleshooting

Error: plugin "datree" exited with error

This is expected behavior: Helm itself raises this error every time a plugin returns a non-zero exit code.
If you run the Datree plugin on a chart that passes the policy check, the plugin returns 0 as its exit code and you will not see this error.

K8s schema validation error

This error occurs when trying to scan the Chart.yaml or values.yaml file instead of the chart directory.
Solution: Pass the Helm chart directory path to Datree's CLI, rather than the path of a file inside it.
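
A guard for the mistake described above, as an added example that is not part of the Datree plugin: it maps a file path such as values.yaml to its chart directory before the policy check runs. The function names resolve_chart_dir and datree_test_path and the exit code 64 are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not part of the Datree plugin. Function names are hypothetical.

# resolve_chart_dir PATH
# Prints the chart directory that PATH belongs to. Accepts either the chart
# directory itself or a file directly inside it (Chart.yaml, values.yaml).
# Returns 1 and prints nothing on stdout if no chart is found there.
resolve_chart_dir() {
    local target dir
    target="${1:-.}"
    if [ -d "$target" ]; then
        dir="$target"
    elif [ -f "$target" ]; then
        # A file was passed: the chart directory is its parent.
        dir="$(dirname "$target")"
    else
        echo "error: '$target' does not exist" >&2
        return 1
    fi
    # Same file names the multi-chart script on this page searches for.
    if [ ! -f "$dir/Chart.yaml" ] && [ ! -f "$dir/Chart.yml" ]; then
        echo "error: no Chart.yaml in '$dir'" >&2
        return 1
    fi
    # Strip one trailing slash so callers get a stable path.
    printf '%s\n' "${dir%/}"
}

# datree_test_path PATH [HELM_ARGS...]
# Runs the policy check on the resolved directory; extra arguments are passed
# to Helm after "--", as described under "Passing arguments".
datree_test_path() {
    local dir
    # 64 is a constructed exit code marking a bad path, not a Datree code.
    dir="$(resolve_chart_dir "$1")" || return 64
    if [ "$#" -gt 0 ]; then shift; fi
    if [ "$#" -gt 0 ]; then
        helm datree test "$dir" -- "$@"
    else
        helm datree test "$dir"
    fi
}
```

A path that does not belong to a chart is rejected before Helm is invoked, so a CI job fails with a clear message instead of the schema validation error.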

The policy check returns false-positive results

The best way to determine whether a false-positive result is a bug or a true misconfiguration is to render the Kubernetes manifest with Helm and then check it manually:

helm template [CHART_DIRECTORY]

If after eyeballing the rendered manifest you still suspect it's a bug, please open an issue.