Home / decK / decK file overview
Edit
Report

deck file lint

Uses: decK
Related Documentation
All decK Documentation
Tags
#declarative-config #linting
Related Resources
vacuum linting rules

deck file lint is a flexible JSON/YAML linter that allows you to build rules to validate any file in these formats.

There are a few key concepts to understand for linting with decK:

  • Rules define selectors, functions and the failure severity to apply to the provided file.
  • Selectors define a filter to apply to the input file which selects the objects to validate. Selectors are specified in the given keyword on a Rule. Selectors are expressed using JSONPath syntax.
  • Functions accept the filtered values and perform a validation returning information when there are violations.
  • Rulesets are collections of Rules.

For a complete list of available rules, see the vacuum documentation.

deck file lint example

Kong Gateway Services are defined in the services block in the decK file. Services support a number of configuration values including a protocol field which specifies the communication protocol used between the gateway and the upstream Service. To ensure this traffic is secure, you may want to validate that only https protocols are used.

Here is a sample Ruleset file containing a single Rule that accomplishes this:

rules:
  service-https-check:
    description: "Ensure https usage in Kong GW Services"
    given: $.services[*].protocol
    severity: error
    then:
      function: pattern
      functionOptions:
        match: "^https$"

The JSONPath selector specified in given reads the protocol field in every Service under the services key from the incoming file. With each of those values, the pattern function is applied which evaluates the value against a regular expression pattern specified in the match field. In this example, we assert that the string value in the protocol field must match the string https exactly.

Assume you have the following decK declarative configuration file (kong.yaml) that defines a Service and a Route for a simple task tracking system:

_format_version: "3.0"
services:
  - host: tasks.example.com
    name: task-api
    path: /
    protocol: http
    routes:
      - methods:
          - GET
        name: task-api_gettasks
        paths:
          - ~/tasks$

Validating this configuration against the example ruleset, stored in ruleset.yaml, results in the following violations:

deck file lint -s kong.yaml ruleset.yaml

Linting Violations: 1
Failures: 1

[error][7:15] Ensure https usage in Kong GW Services: `http` does not match the expression `^https$`

Modifying the declarative configuration as follows resolves this violation:

_format_version: "3.0"
services:
  - host: tasks.example.com
    name: task-api
    path: /
    protocol: https
    routes:
      - methods:
          - GET
        name: task-api_gettasks
        paths:
          - ~/tasks$

deck file lint -s kong.yaml ruleset.yaml; echo $?

Result:

0

The command results in a 0 (Success) return code. In situations where violations are detected, a non-zero return code is emitted allowing you to abort automated processes and help prevent problematic configurations from leaking into your production codebase and systems.

Common patterns

The following sections define some common linting patterns.

Ensure that configuration files contain select_tags

select_tags allows you to segment your configuration so that it can be managed as multiple, independent configurations.

This linting rule ensures that every configuration file has select_tags defined:

rules:
  select_tags:
    description: "Select Tags should be present."
    given: $._info
    severity: error
    then:
      field: select_tags
      function: defined
  select_tags_length:
    description: "Select Tags should be present."
    given: $._info
    severity: error
    then:
      field: select_tags
      function: schema
      functionOptions:
        schema:
          type: "array"
          minItems: 1
          items:
            type: "string"

Enforce HTTPS only on Routes

To force Kong Gateway to listen on HTTPs only, ensure that protocols is set on every route and it contains a single https entry:

rules:
  protocols_set:
    description: "Ensure route protocols are set"
    given: $.routes[*]
    severity: error
    then:
      field: protocols
      function: "schema"
      functionOptions:
        schema:
          type: "array"
          minItems: 1
          maxItems: 1
          items:
            type: "string"
  protocols_https_only:
    description: "Ensure https usage in Kong GW Routes"
    given: $.routes[*].protocols[0]
    severity: error
    then:
      function: pattern
      functionOptions:
        match: "^https$"
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support