In this post we're going to explore - with the help of a simple example - how we can make our Helm charts more robust, introducing a way to validate semantic versions. This kind of validation can be really helpful if you would like to control the features that can or cannot be used on a specific application distributed via Helm Charts.
Overview
Helm is the de-facto standard package manager for Kubernetes, simplifying and automating the creation, distribution and deployment of Kubernetes applications through the so-called Helm Charts.
Helm charts are composed of templates describing your Kubernetes applications and cluster's resources, like Deployments, Services, Network Policies and so on. These templates can be reused and customised via a values.yaml file, where users can put their own configuration values.
Let's have a look at a template example:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
labels:
app: my-deployment
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: my-deployment
template:
metadata:
labels:
app: my-deployment
spec:
containers:
- name: nginx
image: "nginx:{{ .Values.image.version }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80
protocol: TCP
This template is describing a Deployment resource with an nginx container, and it allows to customise:
- the replica count
- the nginx version to use
- the image pull policy
How? Simply by defining a values.yaml file and setting a value for each {{ .Values.xxx }} entry:
replicaCount: 1
image:
pullPolicy: IfNotPresent
version: "1.16.0"
To render the template, you can run the helm template command and the resulting output will be the final k8s manifest describing the Deployment resource:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
labels:
app: my-deployment
spec:
replicas: 1
selector:
matchLabels:
app: my-deployment
template:
metadata:
labels:
app: my-deployment
spec:
containers:
- name: nginx
image: "nginx:1.16.0"
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
Easy, right?
But what if we would like to make sure users won't be able to use nginx versions that are either too old (and may contain security vulnerabilities) or too new (that may contain breaking changes)? Luckily, Helm charts provide a semverCompare function we can leverage on.
semverCompare function
The semverCompare function can be used to compare semantic version values, using the following syntax:
semverCompare "<condition>" "<semVerValue>"
The condition clause is very flexible, allowing us to use:
- basic comparisons, e.g.
> 1.16.0tells the function that the version must be greater than1.16.0 - range comparisons, e.g.
1.16.0 - 2.0.0tells the function that the version must be greater than1.16.0but lower than2.0.0 - wildcards, using the
x,Xor*character:>= 1.2.xis equivalent to>= 1.2.0
For the full list of available features, have a look at the official docs.
This function is quite powerful, but how can we use it effectively in our Helm charts?
Putting it all toghether
Helm charts allow to define helper files, also called partials: they have a .tpl extension, and they allow to define helper functions or parts of templates that then can be included and reused in multiple templates simply referencing them by name.
Let's define a template partial validating nginx version in the default _helpers.tpl file:
# fail if nginx version set in values.yaml is lower than minimumVersion
{{- define "nginx.versionValidation" }}
{{- $selectedVersion := . }}
{{- $minimumVersion := "1.16.0" }}
{{- $semverCompareCondition := printf ">= %s" $minimumVersion }}
{{- if not (semverCompare $semverCompareCondition $selectedVersion) }}
{{- fail (printf "Nginx version must be greater or equal than %s" $minimumVersion) }}
{{- end }}
{{- $selectedVersion }}
{{- end }}
Let's break down the above code snippet:
- The first line (
{{- define "nginx.versionValidation" }}) is defining the partial name: this means that other templates can include this partial using thenginx.versionValidationreference - On the second line we set the
$selectedVersionvariable as the argument (.) passed when invoking this template partial, whereas on the third line we set the$minimumVersionvariable to1.16.0, as we would like our version to be greater or equal than this minimum version. - On lines 4-6 we setup the
semverComparecondition with>= $minimumVersion, and we invoke thesemverComparefunction: if it's not satisfied, we let it fail with a message error:fail (printf "Nginx version must be greater or equal than %s" $minimumVersion). - Finally, if instead the condition is satisfied, we print the
$selectedVersion(line 8), which will be included in the template invoking this partial.
Now, let's see how to include this helper inside our deployment template:
...
spec:
containers:
- name: nginx
image: "nginx:{{ include "nginx.versionValidation" .Values.image.version }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
...
As you can see, we used the include keyword followed by the partial name ("nginx.versionValidation"), and the argument to be passed to the partial - which is the version set by the user in the values.yaml file - .Values.image.version.
So, what would happen now if we try to invoke helm template command setting a version lower than the one required? Let's give it a try!
First of all we update our values.yaml with an invalid version, like this:
replicaCount: 1
image:
pullPolicy: IfNotPresent
# The minimum required is 1.16.0
version: "1.15.0"
And then invoke the helm template command:
> helm template .
Error: execution error at (nginx-helm-chart/templates/deployment.yaml:19:52): Nginx version must be greater or equal than 1.16.0
Use --debug flag to render out invalid YAML
As expected, the validation kicked in and prevented us from creating the k8s manifest! 🎉
The full source code for this example is available on Github at this link, along with another partial showing how to do a range validation. In one of the next posts, we'll see how we can write automated tests to make sure our Helm charts behave as expected, without the need to manually run the helm template command every time. Stay tuned!