diff --git a/Makefile b/Makefile
index f1d808e4b..f84bafb90 100644
--- a/Makefile
+++ b/Makefile
@@ -125,10 +125,10 @@ lint: lint-custom $(GOLANGCI_LINT) #HELP Run golangci linter.
 lint-helm: $(HELM) $(CONFTEST) #HELP Run helm linter
 helm lint helm/olmv1
 helm lint helm/prometheus
- (helm template olmv1 helm/olmv1; helm template prometheus helm/prometheus) | $(CONFTEST) test --policy hack/conftest/policy/ --combine -n main -n prometheus -
+ (set -euo pipefail; helm template olmv1 helm/olmv1; helm template prometheus helm/prometheus) | $(CONFTEST) test --policy hack/conftest/policy/ --combine -n main -n prometheus -
 
 .PHONY: lint-deployed-resources
-lint-deployed-resources: $(KUBE_SCORE) #HELP Lint deployed resources.
+lint-deployed-resources: $(KUBE_SCORE) #EXHELP Lint deployed resources.
 (for ns in $$(printf "olmv1-system\n%s\n" "$(CATD_NAMESPACE)" | uniq); do \
 for resource in $$(kubectl api-resources --verbs=list --namespaced -o name); do \
 kubectl get $$resource -n $$ns -o yaml ; \
diff --git a/hack/conftest/policy/README.md b/hack/conftest/policy/README.md
index 21225dae3..ff1a16bc6 100644
--- a/hack/conftest/policy/README.md
+++ b/hack/conftest/policy/README.md
@@ -41,7 +41,7 @@ These policies are automatically run as part of:
 
 ```bash
 # Run all policies (main + prometheus namespaces)
-helm template olmv1 helm/olmv1 | conftest test --policy hack/conftest/policy/ --combine -n main -n prometheus -
+(helm template olmv1 helm/olmv1; helm template prometheus helm/prometheus) | conftest test --policy hack/conftest/policy/ --combine -n main -n prometheus -
 
 # Run only OLM policies
 helm template olmv1 helm/olmv1 | conftest test --policy hack/conftest/policy/ --combine -n main -
diff --git a/hack/conftest/policy/olm-networkpolicies.rego b/hack/conftest/policy/olm-networkpolicies.rego
index df0c81426..493a4fdd6 100644
--- a/hack/conftest/policy/olm-networkpolicies.rego
+++ b/hack/conftest/policy/olm-networkpolicies.rego
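Review bot: The `set -euo pipefail` added to the `lint-helm` recipe only takes effect inside the parenthesised subshell, so it aborts at the first failing `helm template` but does not change the exit status of the outer pipeline, which remains `$(CONFTEST)`'s unless the recipe shell already runs with pipefail. The Makefile's `SHELL`/`.SHELLFLAGS` settings are outside this hunk; if pipefail is not enabled there, a render failure leaves conftest evaluating truncated input and the policy gate may still pass. `pipefail` is also a bash option, so the line presumes the recipe shell is bash. Making the guard explicit on the line would remove both doubts: `set -o pipefail; (set -e; helm template olmv1 helm/olmv1; helm template prometheus helm/prometheus) | $(CONFTEST) test --policy hack/conftest/policy/ --combine -n main -n prometheus -`. The README example in the next file runs the same pipeline with neither guard.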
@@ -101,7 +101,7 @@ deny contains msg if {
 deny contains msg if {
 count(catalogd_policies) == 1
 not catalogd_has_egress
- msg := "Missing egress rules in catalogd-controller-manager NetworkPolicy. General egress is required to enables operator-controller to pull bundle images from arbitrary image registries, connect to catalogd's HTTPS server for metadata, and interact with the Kubernetes API server."
+ msg := "Missing egress rules in catalogd-controller-manager NetworkPolicy. General egress is required to enable catalogd-controller to pull bundle images from arbitrary image registries, and interact with the Kubernetes API server."
 }
 
 # Check that a NetworkPolicy exists for operator-controller-controller-manager that:
@@ -156,5 +156,5 @@ deny contains msg if {
 deny contains msg if {
 count(operator_controller_policies) == 1
 not operator_controller_has_egress
- msg := "Missing egress rules in operator-controller-controller-manager NetworkPolicy. General egress is required to enables operator-controller to pull bundle images from arbitrary image registries, connect to catalogd's HTTPS server for metadata, and interact with the Kubernetes API server."
+ msg := "Missing egress rules in operator-controller-controller-manager NetworkPolicy. General egress is required to enable operator-controller to pull bundle images from arbitrary image registries, connect to catalogd's HTTPS server for metadata, and interact with the Kubernetes API server."
 }
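Review bot: The new catalogd deny message names the component `catalogd-controller`, which matches neither the `catalogd-controller-manager` policy named at the start of the same string nor the `catalogd` spelling used in the operator-controller message, and it still says "bundle images", wording that looks carried over from the operator-controller rule. If catalogd pulls catalog images rather than bundles (not verifiable from this hunk), the tail would read better as `General egress is required to enable catalogd to pull catalog images from arbitrary image registries and interact with the Kubernetes API server.` This string is what an operator sees when the egress check fails, so it should name the workload and the traffic the policy is meant to allow. The `catalogd_has_egress` helper this rule relies on is defined outside the hunk.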