ci: switch from kubeval to kubeconform

- Switch from kubeval, which is unmaintained and outdated, to
  kubeconform
- Update kubernetes versions in test matrices
- Use upstream schema for CRDs, so we don't have to ignore missing
  schemas in validation
- Switch away from deprecated output
  https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

.github/kubeconform.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -euo pipefail
+
+KUBECONFORM_VERSION="v0.6.3"
+# https://github.com/yannh/kubeconform/issues/51
+CRD_SPEC_URL="https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json"
+OS=$(uname)
+
+CHANGED_CHARTS=${CHANGED_CHARTS:-${1:-}}
+if [ -n "$CHANGED_CHARTS" ];
+then
+  CHART_DIRS=$CHANGED_CHARTS
+else
+  CHART_DIRS=$(ls -d charts/*)
+fi
+
+# install kubeconform
+curl --silent --show-error --fail --location --output /tmp/kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-${OS}-amd64.tar.gz"
+tar -xf /tmp/kubeconform.tar.gz kubeconform
+
+# validate charts
+for CHART_DIR in ${CHART_DIRS}; do
+  echo "Running kubeconform for folder: '$CHART_DIR'"
+
+  # Note: -ignore-missing-schemas could be added if needed, but not currently
+  # needed since we have the schema necessary to validate the CRDs themselves.
+  #
+  # Also, if at some point we needed to validate things _using_ these CRDs,
+  # they're available via
+  # https://github.com/datreeio/CRDs-catalog/tree/main/datadoghq.com
+  helm dep up "${CHART_DIR}" && helm template --kube-version "${KUBERNETES_VERSION#v}" \
+        --values "${CHART_DIR}"/ci/kubeconform-values.yaml "${CHART_DIR}" \
+    | ./kubeconform -schema-location default -schema-location "$CRD_SPEC_URL" \
+        -output pretty -verbose -kubernetes-version "${KUBERNETES_VERSION#v}" -
+done

.github/workflows/ci.yaml

@@ -33,7 +33,7 @@ jobs:
           if [[ -n "$changed" ]]; then
             echo -n "Charts changed:"
             echo "$changed"
-            echo "::set-output name=changed::$changed"
+            echo "{changed}=$changed" >> $GITHUB_OUTPUT
           else
             echo "PR without any chart changes - failing"
             exit 1
@@ -68,7 +68,7 @@ jobs:
       - name: Run helm-docs
         run: .github/helm-docs.sh
 
-  kubeval-chart:
+  kubeconform-chart:
     runs-on: ubuntu-latest
     needs:
       - changed
@@ -80,12 +80,11 @@ jobs:
         # https://github.com/instrumenta/kubernetes-json-schema is no
         # longer updated
         k8s:
-          # - v1.14.10 (deprecated with kind 1.16)
-          - v1.16.15
           - v1.18.20
-          - v1.22.9
-          - v1.24.2
-          # v1.25.2 (when agent 7.40 is out)
+          - v1.22.17
+          - v1.24.17
+          - v1.25.15
+          - v1.26.10
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -95,26 +94,26 @@ jobs:
         run: helm repo add datadog https://helm.datadoghq.com && helm repo update
       - name: Add KSM helm repo
         run: helm repo add kube-state-metrics https://prometheus-community.github.io/helm-charts
-      - name: Run kubeval
+      - name: Run kubeconform
         env:
           KUBERNETES_VERSION: ${{ matrix.k8s }}
           CHANGED_CHARTS: ${{needs.changed.outputs.charts}}
-        run: .github/kubeval.sh
+        run: .github/kubeconform.sh
 
   install-chart:
     name: install-chart
     runs-on: ubuntu-20.04
     needs:
       - lint-chart
-      - kubeval-chart
+      - kubeconform-chart
     strategy:
       matrix:
         k8s:
-          - v1.16.15
           - v1.18.20
           - v1.22.9
           - v1.24.2
-          - v1.25.2
+          - v1.25.14
+          - v1.26.9
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.gitignore

@@ -1,6 +1,6 @@
 charts/*/charts
 helm-docs
-kubeval
+kubeconform
 .idea
 vendor/
 .vscode