80 lines
2.9 KiB
JavaScript
80 lines
2.9 KiB
JavaScript
#!/usr/bin/env node
|
|
// SPEC: PJ2026-01060703 CI/CD branch follower runtime GitOps verify.
|
|
// Responsibility: fail publish before Argo when rendered runtime GitOps violates UniDesk overlay gates.
|
|
import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
|
|
import path from "node:path";
|
|
|
|
const repoDir = process.cwd();
|
|
const overlay = readOverlay();
|
|
const runtimePath = requiredOverlayString("runtimePath");
|
|
const runtimeDir = path.resolve(repoDir, runtimePath);
|
|
const prometheusOperatorKinds = new Set(["ServiceMonitor", "PrometheusRule", "PodMonitor", "Probe"]);
|
|
|
|
if (!existsSync(runtimeDir)) {
|
|
fail("runtime-path-missing", { runtimePath });
|
|
}
|
|
|
|
const checks = [];
|
|
if (overlay?.observability?.prometheusOperator === false) {
|
|
checks.push("prometheus-operator-disabled");
|
|
const refs = findPrometheusOperatorResources();
|
|
if (refs.length > 0) fail("prometheus-operator-resource-present", { runtimePath, refs: refs.slice(0, 12), refCount: refs.length });
|
|
}
|
|
|
|
console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: true, runtimePath, checks }));
|
|
|
|
function findPrometheusOperatorResources() {
|
|
const refs = [];
|
|
for (const file of listYamlFiles(runtimeDir)) {
|
|
const rel = path.relative(repoDir, file);
|
|
for (const doc of splitYamlDocuments(readFileSync(file, "utf8"))) {
|
|
const ref = prometheusOperatorResourceRef(doc, rel);
|
|
if (ref !== null) refs.push(ref);
|
|
}
|
|
}
|
|
return refs;
|
|
}
|
|
|
|
function splitYamlDocuments(text) {
|
|
return text.split(/^---[ \t]*(?:#.*)?$/mu).map((doc) => doc.trim()).filter(Boolean);
|
|
}
|
|
|
|
function prometheusOperatorResourceRef(text, file) {
|
|
const api = text.match(/^\s*apiVersion:\s*["']?(monitoring\.coreos\.com\/[^"'\s#]+)["']?\s*(?:#.*)?$/mu);
|
|
const kind = text.match(/^\s*kind:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu);
|
|
if (!api || !kind || !prometheusOperatorKinds.has(kind[1])) return null;
|
|
const name = text.match(/^\s*name:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu);
|
|
return { file, kind: kind[1], name: name ? name[1] : null, container: null };
|
|
}
|
|
|
|
function listYamlFiles(root) {
|
|
const out = [];
|
|
for (const name of readdirSync(root)) {
|
|
const file = path.join(root, name);
|
|
const stat = statSync(file);
|
|
if (stat.isDirectory()) {
|
|
out.push(...listYamlFiles(file));
|
|
} else if (/\.(ya?ml)$/u.test(name)) {
|
|
out.push(file);
|
|
}
|
|
}
|
|
return out.sort();
|
|
}
|
|
|
|
function readOverlay() {
|
|
const encoded = process.env.UNIDESK_RUNTIME_GITOPS_OVERLAY_B64;
|
|
if (!encoded) throw new Error("UNIDESK_RUNTIME_GITOPS_OVERLAY_B64 is required");
|
|
return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
|
|
}
|
|
|
|
function requiredOverlayString(name) {
|
|
const value = overlay[name];
|
|
if (typeof value !== "string" || value.length === 0) throw new Error(`overlay.${name} is required`);
|
|
return value;
|
|
}
|
|
|
|
function fail(reason, extra = {}) {
|
|
console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: false, reason, ...extra }));
|
|
process.exit(48);
|
|
}
|