From ad05b1350a0cea07b7bfb371d07c374df2e6162a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Krupa=20=28paulfantom=29?=
Date: Mon, 6 Mar 2023 15:19:28 +0100
Subject: [PATCH] *: migrate to cloudflare/pint for prometheus rule checking

---
 .github/workflows/prometheusrule.yml | 15 ++++++----
 .pint.hcl | 42 ++++++++++++++++++++++++++++
 Makefile | 5 ++++
 hack/unpack-prometheus-rules.sh | 11 ++++++++
 hack/verify-prometheus-rules.sh | 25 -----------------
 5 files changed, 67 insertions(+), 31 deletions(-)
 create mode 100644 .pint.hcl
 create mode 100755 hack/unpack-prometheus-rules.sh
 delete mode 100755 hack/verify-prometheus-rules.sh

diff --git a/.github/workflows/prometheusrule.yml b/.github/workflows/prometheusrule.yml
index 7d9f19b48..fee4c0ae8 100644
--- a/.github/workflows/prometheusrule.yml
+++ b/.github/workflows/prometheusrule.yml
@@ -16,13 +16,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
 - uses: actions/setup-go@v3
 with:
 go-version: '${{ env.golang-version }}'
 - run: go install github.com/brancz/gojsontoyaml@latest
- #- run: go get -u github.com/prometheus/prometheus/cmd/promtool
- - name: Download latest release of promtool
- run: |
- VERSION=$(curl -s https://api.github.com/repos/prometheus/prometheus/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3)}' | sed 's/v//')
- curl -s -L "https://github.com/prometheus/prometheus/releases/download/v${VERSION}/prometheus-${VERSION}.linux-amd64.tar.gz" | tar -zxf - -C "${GITHUB_WORKSPACE}/" --strip-components 1 "prometheus-${VERSION}.linux-amd64/promtool"
- - run: PATH="${PATH}:${GITHUB_WORKSPACE}" ./hack/verify-prometheus-rules.sh
+ - run: PATH="${PATH}:${GITHUB_WORKSPACE}" ./hack/hack/unpack-prometheus-rules.sh
+ - name: Run pint
+ uses: prymitive/pint-action@v1
+ with:
+ token: ${{ github.token }}
+ # directory containing Prometheus rules
+ workdir: 'tmp/rules'
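Review bot: The new run step calls `./hack/hack/unpack-prometheus-rules.sh`, but the script this commit adds lives at `hack/unpack-prometheus-rules.sh` (see the diffstat and the `+++ b/hack/unpack-prometheus-rules.sh` header), so the job fails with "No such file or directory" before pint ever runs. The `PATH="${PATH}:${GITHUB_WORKSPACE}"` prefix only existed to find the promtool binary the removed step extracted into the workspace, so the line can simply become `- run: ./hack/unpack-prometheus-rules.sh`. `prymitive/pint-action@v1` is a third-party action that receives `github.token`; pinning it to a full commit SHA instead of a floating major tag would keep a moved tag from changing what runs with that token. `fetch-depth: 0` is presumably there for pint's git-aware ci mode — a short comment saying so would stop the next reader from dropping it as a checkout optimization.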
diff --git a/.pint.hcl b/.pint.hcl
new file mode 100644
index 000000000..e1513ce48
--- /dev/null
+++ b/.pint.hcl
@@ -0,0 +1,42 @@
+rule {
+ match {
+ kind = "alerting"
+ }
+/*
+ annotation "summary" {
+ severity = "warning"
+ required = true
+ }
+*/
+/*
+ annotation "description" {
+ severity = "warning"
+ required = true
+ }
+*/
+
+/*
+ annotation "runbook_url" {
+ severity = "warning"
+ required = true
+ }
+
+ annotation "dashboard_url" {
+ severity = "warning"
+ required = true
+ }
+*/
+
+ label "severity" {
+ severity = "bug"
+ value = "warning|critical|info|none"
+ required = true
+ }
+}
+
+checks {
+ disabled = [
+ "alerts/template",
+ "promql/regexp"
+ ]
+}
diff --git a/Makefile b/Makefile
index b2044c612..ac64252af 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,11 @@ secrets: ## Check if secrets are not leaked
 validate: ## Validate kubernetes manifests
 for d in $(DIRS); do $(MAKE) -C $$d validate || exit 1; done
+.PHONY: prometheusrules
+prometheusrules: ## Validate prometheus rules
+ ./hack/unpack-prometheus-rules.sh
+ pint lint tmp/rules
+
+.PHONY: bootstrap
 bootstrap: ## Bootstrap development environment
 ggshield install -m local
diff --git a/hack/unpack-prometheus-rules.sh b/hack/unpack-prometheus-rules.sh
new file mode 100755
index 000000000..af296b4c7
--- /dev/null
+++ b/hack/unpack-prometheus-rules.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -euo pipefail
+
+mkdir -p tmp/rules
+
+for f in $(grep -ir --include=*.yaml "PrometheusRule" . | grep kind | grep -v CustomResourceDefinition | sed 's/:.*//'); do
+ tmpfile="$(echo "$f" | sed 's/\//-/g' | sed 's/.-//')"
+ gojsontoyaml -yamltojson < "$f" | jq .spec | gojsontoyaml > "tmp/rules/$tmpfile";
+ echo "Unpacked $f to tmp/rules/$tmpfile"
+done
diff --git a/hack/verify-prometheus-rules.sh b/hack/verify-prometheus-rules.sh
deleted file mode 100755
index 4e28bdbff..000000000
--- a/hack/verify-prometheus-rules.sh
+++ /dev/null
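Review bot: The `/* … */` blocks around the `summary`, `description`, `runbook_url` and `dashboard_url` annotation checks are committed with no explanation, and the `disabled = ["alerts/template", "promql/regexp"]` list in `checks` has none either, so a later reader cannot tell whether these are deliberate exemptions or leftovers from getting CI green. The deleted verify script carried `# TODO: enable when all rules use correct annotations` beside its disabled check; that reasoning should move here, e.g. `# TODO: enable once every alert carries summary/description/runbook_url annotations` above the first commented block, plus a one-line reason next to each entry in `disabled`. As far as I know `alerts/template` is the check that validates the templates used in annotations and labels, so disabling it means a broken `{{ $labels.* }}` reference in an alert goes unreported — worth stating explicitly if that trade-off is intentional.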
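Review bot: The `prometheusrules` recipe lints whatever is in `tmp/rules`, but `hack/unpack-prometheus-rules.sh` (next hunk) only runs `mkdir -p tmp/rules` and never empties it, so a manifest deleted or renamed since the last run is still linted from its stale copy. `$(RM) -r tmp/rules` as the first recipe line, or at the top of the script so the CI path is covered too, fixes that. `pint` is invoked bare and the visible part of `bootstrap` only installs ggshield, so unless something outside the hunk installs pint the target dies with a shell "command not found" instead of telling the developer what is missing; `command -v pint >/dev/null || { echo "pint not found, see github.com/cloudflare/pint"; exit 1; }` as a leading recipe line would do. The `bootstrap` recipe continues past the end of the hunk.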
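Review bot: `tmpfile` is derived by flattening every `/` to `-`, so two distinct manifests such as `a/b-c.yaml` and `a-b/c.yaml` both map to `tmp/rules/a-b-c.yaml` and the second silently overwrites the first, leaving one PrometheusRule unlinted; using a separator that cannot appear in a path, or appending a short hash of `$f` to the name, avoids the clash. The `for f in $(grep …)` form also word-splits on whitespace in paths and yields a file once per matching line, so a manifest with several `kind: PrometheusRule` lines is unpacked and reported repeatedly; `mapfile -t files < <(grep -ir --include='*.yaml' "PrometheusRule" . | grep kind | grep -v CustomResourceDefinition | sed 's/:.*//' | sort -u)` followed by `for f in "${files[@]}"; do` keeps the same selection with one entry per file. Whether `gojsontoyaml -yamltojson | jq .spec` handles a multi-document YAML file or only its first document is not visible here — worth confirming against a manifest that bundles several resources.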
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-mkdir -p tmp/rules
-
-for f in $(grep -ir --include=*.yaml "PrometheusRule" . | grep kind | grep -v CustomResourceDefinition | sed 's/:.*//'); do
- echo "Checking $f"
- tmpfile="$(echo "$f" | sed 's/\//-/g' | sed 's/.-//').json"
- gojsontoyaml -yamltojson < "$f" | jq .spec > "tmp/rules/$tmpfile";
- ( cd tmp/rules && promtool check rules "$tmpfile")
-
-done
-
-ISSUES=0
-for f in $(grep -ir --include=*.yaml "PrometheusRule" . | grep kind | grep -v CustomResourceDefinition | sed 's/:.*//'); do
- echo "Checking best practices in $f. Issues detected in:"
- # Validate best practices
- # Get rules without summary or description annotation
-
- # TODO: enable when all rules use correct annotations
- #cat "$f" | gojsontoyaml -yamltojson | jq '.spec.groups[].rules[] | select(.["alert"]) | select(.annotations.description and .annotations.summary | not)' && ISSUES=1 || :
- cat "$f" | gojsontoyaml -yamltojson | jq -e '.spec.groups[].rules[] | select(.["alert"]) | select([.labels.severity] | inside(["warning", "critical", "info", "none"]) | not)' && ISSUES=1 || :
-done
-exit $ISSUES