Validate YAML in your PR with Monokle's GitHub Bot

Jun 13, 2023
5 min read
Sonali Srivastava
Technology Evangelist
monokle

Validation is no longer optional; it is a necessity for shifting left. Empower developers and SREs with better vulnerability detection capabilities and build robust applications with Monokle's GitHub Bot.


Manually enabling validation as a part of the development process is a tedious task. It not only limits the validation information to the developers but is also prone to policy violations. This problem grows exponentially when working with multiple teams. When you are reviewing PRs from different teams, it is hard to understand and validate the changes, especially in the case of Helm and Kustomize. Any miss in policy validation can lead to security and performance issues.

There are measures in place, like having different environments; however, the process of validating a PR is still manual. Nowadays many developers are also working on configuring deployments, and any miss from their end means that the SRE teams are again required to revisit and ensure deployments follow the standards. For a smoother and more robust process, we need a smarter and more automated way to review manifest files against a set of policies earlier in the PR process.

Monokle bot is a tool that allows authorized members to add automated validation checks as part of Pull Requests (PR). It allows both the developer and the SRE to have enough information right on the PR about the changes and their impact based on the guidelines and policies laid down. In this blog post, we will understand how this bot can be enabled to review a PR and make validation part of the early pipeline.

What is a Monokle GitHub Bot?

Monokle GitHub Bot is programmed to perform automated validation. It allows integration of validation with the GitHub PR pipeline to enhance GitOps workflow and automate policy checks. The validation includes standard OPA policies, Kubernetes schema validation, resource link checks, or custom organization policies. These can be configured and enabled along with the criticality level.

In Monokle Cloud IDE for Policy Enforcement, you can create a project and add multiple GitHub repositories in it for which you want to enable validation. Monokle supports collaboration by allowing the feature to onboard multiple team members as part of the project. Once the bot is enabled, all the PRs raised by anyone in the team for the repository configured in the project will be automatically validated first. The results can be viewed in the PR on GitHub. The details related to the policies can be viewed in the Monokle Cloud IDE.

Benefits of Monokle GitHub Bot

  • Easy Helm & Kustomize validation: Without any comparison tool, it is difficult to understand the context for complex Helm charts and Kustomizations. On top of that, doing the translation when you can only see the input makes the process prone to errors. With validation automated in Monokle Cloud, it is possible to check which policies are applied or violated, even for a large codebase. You can preview the Helm charts and Kustomizations, compare with the target branch containing the changes, and audit and fix misconfigurations.

  • Code quality assurance: Monokle Cloud helps in tracking organizational policies adhered to. Without proper standardized policies maintained and followed, it can leave the developers, the SREs, and the platform engineers confused and unable to ensure code quality. That can lead to vulnerabilities too. These policies enable consistent validation ensuring that the code quality is maintained across the repository. You can tailor these policies to your codebase requirements.

  • Consistent code review and transparent development workflow: The teams lack complete information regarding the impact of the changes because of no record of validation being done. With Monokle GitHub Bot automating validation as a part of PR, it becomes easier to review thus allowing a consistent code review. Since the process can be viewed by all authorized team members, Monokle Cloud allows a transparent development workflow making it easy to flag potential issues.
  • Better collaboration across teams: With policies established in the PR, teams can collaborate better and share information. It would help in reducing the time to detect or respond to an issue since they have better insights into the resources. Monokle GitHub bot notifies via mail on the registered email address with the validation results that can be viewed in Monokle Cloud.

How to validate using Monokle GitHub Bot?

Monokle Cloud IDE provides the ability to enable the Monokle GitHub Bot in a lightweight browser-based dashboard. Using the monokle-demo GitHub repository, we will show you how to make use of Monokle’s architecture to add a repository to Monokle Cloud and enable validation for new PRs.

Monokle’s architecture

Monokle organizes your work into workspaces, projects and repositories. Every workspace can have multiple projects and every project can have multiple repositories. Let us understand this with an example. Suppose your organization has multiple products. Monokle helps you control your GitOps workflow by segmenting your workspace, allowing you to create multiple workspaces based on products. You can have a dedicated workspace for each of your products. 

A product can have multiple projects like the free version and paid version. These versions can be individual projects that can maintain repositories dedicated to that project. Connecting with the above example, there can be a separate repository for the UI, backend, and core plugins of the product. An SRE can control access rights to the workspace as well as the project. Monokle gives a granular level of control over the repositories. Let us get started with the initial setup.

Initial setup

Monokle Cloud IDE for Policy Enforcement


  • Click on “Sign in with GitHub”. Monokle needs confirmation to verify your GitHub identity and add Monokle Cloud to the authorized apps category.
Authorize Monokle Cloud
  • Monokle loads the lightweight UI in the browser after successful authorization. Click on Explore to scan the public GitHub repository. Click on Workspaces to get started with GitOps.
The user logged in to Monokle Cloud IDE
  • Monokle creates a Default Workspace during the setup of the account with your logged-in user set as OWNER role. Monokle allows the owner to set roles for other members as Owner, Admin, or Member based on their access rights.

    Click on Create to create a new workspace and add projects to it. For learning purposes, we will make use of the Default workspace.
Monokle Cloud Workspaces


Each workspace can have multiple projects. Below the workspace name, you can find the text, “1 project available”. 

Monokle creates a Default project in the Default workspace at the time of account setup for ease in getting started. Click on Default to view workspace details.

Monokle Cloud Default workspace

From here, you can create new projects and add repositories to them, invite members to this workspace, control your billing, and edit workspace settings like the workspace name and description.

Create a project and add the repository

  • Click on Add project to create a project in the workspace. Enter a project name. Monokle shows the workspace in which the project will be created. You can change it using the dropdown menu. We have selected Default Workspace. From here you can also add members who are already in the workspace to the project and set their roles. We have skipped that for now since we can also do that later once the project is set up.
Project setup

  • Click on Create. Monokle shows the notification “Success” and loads the newly created project.
Project created successfully

  • Click on “Add repository”. Monokle loads the dashboard to add the GitHub account and repository details.
Add a repository

  • Grant permission to Monokle Cloud to add a GitHub account that has the repository you want to add. Here we have selected All repositories. In case you want to allow access to selected repositories, you can do that by clicking on Only select repositories. Click on Install and Authorize.
Authorize Monokle Cloud

  • On successful authorization, Monokle redirects you back to the Monokle Cloud dashboard and displays the linked GitHub account. Click on Select a repository; your repository is now directly available there. Select the repository monokle-demo and click on Add repository.
GitHub account configured and repository selected

The repository successfully added to the project

Monokle adds the selected repository to the project and loads the IDE to show options with which you can configure policies and enable GitHub Bot. So let us go ahead and enable GitHub Bot for the repository to allow PR validation.

Configure policy for the project

Monokle provides standard policies that can be configured to enable validation pre-deployment. You can also add custom policies tailored to your organization's requirements and enable them. We are going to enable the National Security Agency (NSA) policy, which adheres to Kubernetes hardening guidance and meets our organization's standards.

  • In the Projects, Click on Policy.
Default standard policies available by Monokle

  • Select the policy based on your requirements. Monokle loads the rules that will be enabled along with the criticality level. Click on Save to configure the policies.

NSA policy configured for the project
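
To make concrete what a hardening policy evaluates in a manifest, here is an added example that is not Monokle's rule engine or rule set: four pod security checks in the spirit of the NSA Kubernetes hardening guidance, run over one Deployment. The rule ids (EX001 to EX004), severities and the manifest are constructed for illustration.

```python
# Added illustration, not Monokle's rule engine; rule ids and manifest are constructed.

def pod_spec(resource):
    """Return the pod spec of a Pod or of a workload that embeds a pod template."""
    if resource.get("kind") == "Pod":
        return resource.get("spec", {})
    return resource.get("spec", {}).get("template", {}).get("spec", {})

def effective(container, pod_ctx, key):
    """Container securityContext overrides the pod-level value where both exist."""
    ctx = container.get("securityContext") or {}
    return ctx.get(key, pod_ctx.get(key))

def validate(resource):
    """Return (rule_id, severity, path, message) for each violated check."""
    findings = []
    spec = pod_spec(resource)
    pod_ctx = spec.get("securityContext") or {}
    for group in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(group, [])):
            path = f"{resource['kind']}/{resource['metadata']['name']}:{group}[{i}]"
            ctx = c.get("securityContext") or {}
            if ctx.get("privileged") is True:
                findings.append(("EX001", "error", path, "container is privileged"))
            if effective(c, pod_ctx, "runAsNonRoot") is not True:
                findings.append(("EX002", "warning", path, "runAsNonRoot is not set to true"))
            if ctx.get("allowPrivilegeEscalation") is not False:
                findings.append(("EX003", "warning", path, "allowPrivilegeEscalation is not false"))
            if ctx.get("readOnlyRootFilesystem") is not True:
                findings.append(("EX004", "warning", path, "root filesystem is writable"))
    return findings

# Constructed Deployment, already parsed from YAML into a dict.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "happy-cms"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},  # pod-level default
        "containers": [
            {"name": "cms", "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "securityContext": {"privileged": True}},
        ],
    }}},
}

if __name__ == "__main__":
    for finding in validate(DEPLOYMENT):
        print(*finding, sep="  ")
```

The pod-level `runAsNonRoot: true` satisfies that check for both containers, which is why a validator has to resolve inherited settings rather than inspect each container in isolation.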

Enable GitHub Bot

With policies configured, you can now enable the GitHub bot for your repository that will validate any new PR based on the rules mentioned in the policy.

  • In the Projects, Click on GitHub Bot and enable the bot using the toggle button. Monokle loads all the repositories in the project to enable validation in PR. Use the checkbox to select the repository.

Monokle GitHub Bot enabled for PR validation

We have selected our product’s repository for which the Monokle bot will be enabled. This helps us with the optimized usage of resources and enables bots only in those repositories where needed.

Automatically validate the PR

Now that the policies are in place and the GitHub bot is enabled, any new PR will be automatically validated by Monokle. This saves a lot of time and manual effort. It is also an efficient use of an SRE’s potential, as they can now immediately see which policies the changes adhere to. Let’s go ahead, make some changes, and raise a PR to see how validation works.

  • We have some pending changes, like changing the port for the local overlay of the happy-cms kustomization. Click on Back to projects. Select the project you are working on and click on the repository. Monokle will load it in the IDE with all the files, segregating Helm charts, Kustomizations, and images. Make the changes using the Monokle editor.
Monokle Cloud Editor

  • Click on “View Git Operations” in the toolbar. Monokle loads the changes that have been made. We have changed the port number for the local overlay of the happy-cms Kustomization from 80 to 8080. Stage the changes.
  • Click on Commit & Sync. Add a relevant commit message and select the option to start a PR. Click on Commit & Sync 1 file.
Start PR using Monokle Cloud

Note: Make sure that pop-ups are not blocked in browser for Monokle.

  • Monokle loads GitHub in a new tab to add more details to the PR that will be raised. Select the branch you want to raise PR against from here and also verify the commits. Click on Create pull request.
Enter details to create PR

  • PR will be created in GitHub where you can see the status of validation. Validation has been successful for the PR we raised.
Hurray!! Monokle validated PR successfully

Monokle GitHub bot has done the validation and we can see there are 7 warnings mentioned by the bot. Click on the validation button that shows the result to check the warnings. GitHub will redirect you to Monokle Cloud where only authorized members of the project can view all the warnings or errors. 

Validation audit details

In the above example, we can see 7 warnings as policy violations in Monokle Cloud. In the Validation Overview section, Monokle lists the file path, the line number which has a warning, and the warning message on that line. Click on the warning to view in Editor the Source and Info. Monokle highlights the line which has a warning in the source section. The info section provides the rule applied and its relevant information like its description, severity level, hint to debug, and more. 

This helps in collaborating with the developers, sharing insights with them, and working on fixing these. SREs can make use of this audit view to check for the validations that have failed. To understand the impact of these, they can compare the current changes in PR with the last commit for any manifest. Let us see how to compare manifests.

Compare with the target branch

Monokle provides a feature to compare resources. SREs can compare simple manifests as well as Kustomization or Helm charts. Monokle provides the ability to dry run the resources in PR and compare the target branch with the last commit using the Kustomization/Helm dry run. They can understand the impact of changes and then suggest the next steps. 

For the changes we made in our Kustomize local overlay, we can compare the resources easily using this feature. Click on Compare in Monokle Cloud to compare the target branch “local-overlay” with “main” using the Kustomization dry run. You can also achieve this directly by clicking on the Compare with `main` in Monokle Cloud option available in the PR.

Compare the PR branch with the main branch

Monokle loads all the relevant resources which this kustomization will create and shows a diff button for the resources that have changed since the last merge. Click on diff to view the changes.

Diff visible to SREs in Monokle Cloud
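
The idea behind comparing dry-run output, as an added example that is not Monokle's implementation: match rendered resources by kind, namespace and name, then report which fields differ. The two rendered sets below are constructed to mirror the port change from 80 to 8080 made earlier; the resource names and fields are assumptions.

```python
# Added illustration: field-level diff of two rendered manifest sets.
# Not Monokle's implementation; the rendered resources below are constructed.

def key(resource):
    """Identify a resource by kind, namespace and name."""
    meta = resource["metadata"]
    return (resource["kind"], meta.get("namespace", "default"), meta["name"])

def flatten(node, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: scalar}."""
    if isinstance(node, dict):
        items = ((f"{prefix}.{k}" if prefix else k, v) for k, v in node.items())
    elif isinstance(node, list):
        items = ((f"{prefix}[{i}]", v) for i, v in enumerate(node))
    else:
        return {prefix: node}
    flat = {}
    for path, value in items:
        flat.update(flatten(value, path))
    return flat

def compare(base, head):
    """Return {resource_key: [(path, old, new), ...]}; added or removed resources show None."""
    base_idx = {key(r): flatten(r) for r in base}
    head_idx = {key(r): flatten(r) for r in head}
    report = {}
    for k in sorted(base_idx.keys() | head_idx.keys()):
        old, new = base_idx.get(k, {}), head_idx.get(k, {})
        changes = [(p, old.get(p), new.get(p))
                   for p in sorted(old.keys() | new.keys()) if old.get(p) != new.get(p)]
        if changes:
            report[k] = changes
    return report

def service(port):
    return {"kind": "Service", "metadata": {"name": "happy-cms"},
            "spec": {"ports": [{"port": port, "targetPort": 8080}]}}

CONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "happy-cms-config"}, "data": {"MODE": "local"}}
MAIN = [service(80), CONFIGMAP]             # rendered from main
LOCAL_OVERLAY = [service(8080), CONFIGMAP]  # rendered from local-overlay

if __name__ == "__main__":
    for res, changes in compare(MAIN, LOCAL_OVERLAY).items():
        for path, old, new in changes:
            print(res, path, old, "->", new)
```

Because the comparison runs on rendered output, the unchanged ConfigMap drops out and only the Service's `spec.ports[0].port` is reported, regardless of which overlay or patch file produced it.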

With this, you can easily view the changes against each line, giving you a granular level of control and better visibility of resources. It helps in identifying hidden semantic errors that could easily make their way to production unless you debug them manually, which is very time-consuming. You can configure policies in Monokle Cloud and enable the GitHub Bot to automatically validate all the PRs. Monokle makes it easy and takes a lot of load off the SRE's shoulders by providing the feature to compare resources.

Conclusion

Monokle is a suite of tools that work together to improve your configuration management capabilities. Along with Monokle Cloud IDE for Policy Enforcement, you can also have similar capabilities that can be executed locally, like Monokle Desktop and the Monokle CLI.

Monokle Cloud IDE for Policy Enforcement allows enabling of standard as well as custom policies to validate manifest pre-deployment. The new feature Monokle GitHub Bot helps in automating the standard policies enforcement, making validation an early step in PR. It takes away most of the manual effort needed in PR review and provides better visibility to authorized teams.

In this blog post, we have created a project in Monokle’s default workspace and added a repository. We have configured policies for this repository and automated validation by using Monokle GitHub Bot. So, whether you're a developer or SRE doing reviews, or just someone interested in keeping your organization on track, Monokle Cloud IDE for Policy Enforcement is an absolute must-have.

You can also reach out to Monokle Product Leader Ole if you have feedback about how we can make Monokle work better for you or drop a mail to ole@kubeshop.io for information/assistance. You can also join in conversation with other users via Discord as part of our growing community.
