From 0d5310d844c3059fc20bd2887f6f63b7df28251e Mon Sep 17 00:00:00 2001 From: Max Smythe Date: Tue, 7 Mar 2023 17:44:45 -0800 Subject: [PATCH] chore: Upgrade CF for multi-engine (#2616) 
Signed-off-by: Max Smythe --- go.mod | 2 +- go.sum | 4 +- main.go | 10 +- ...ainttemplate-customresourcedefinition.yaml | 56 +++- .../provider-customresourcedefinition.yaml | 2 +- manifest_staging/deploy/gatekeeper.yaml | 58 +++- .../config/config_controller_test.go | 6 +- .../constrainttemplate_controller_test.go | 6 +- ...onstrainttemplatestatus_controller_test.go | 4 +- .../externaldata_controller_test.go | 6 +- pkg/gator/opa.go | 4 +- pkg/gator/test/test.go | 4 +- pkg/readiness/ready_tracker_test.go | 4 +- pkg/target/target_integration_test.go | 19 +- pkg/target/target_test.go | 4 +- pkg/webhook/policy.go | 4 +- pkg/webhook/policy_test.go | 17 +- .../frameworks/constraint/deploy/crds.yaml | 161 ++++++++-- .../templates/v1/constrainttemplate_types.go | 20 ++ .../pkg/apis/templates/v1/conversion.go | 41 +++ .../templates/v1/zz_generated.conversion.go | 79 ++++- .../templates/v1/zz_generated.deepcopy.go | 26 ++ .../v1alpha1/constrainttemplate_types.go | 19 ++ .../pkg/apis/templates/v1alpha1/conversion.go | 41 +++ .../v1alpha1/zz_generated.conversion.go | 79 ++++- .../v1alpha1/zz_generated.deepcopy.go | 26 ++ .../v1beta1/constrainttemplate_types.go | 19 ++ .../pkg/apis/templates/v1beta1/conversion.go | 41 +++ .../v1beta1/zz_generated.conversion.go | 79 ++++- .../v1beta1/zz_generated.deepcopy.go | 26 ++ .../constraint/pkg/client/client.go | 279 ++++++++++++++---- .../constraint/pkg/client/client_opts.go | 16 +- .../pkg/client/drivers/interface.go | 10 +- .../client/drivers/{local => rego}/args.go | 2 +- .../client/drivers/{local => rego}/builtin.go | 2 +- .../drivers/{local => rego}/compilers.go | 33 ++- .../client/drivers/{local => rego}/driver.go | 20 +- .../pkg/client/drivers/{local => rego}/new.go | 2 +- .../client/drivers/{local => rego}/rego.go | 2 +- .../pkg/client/drivers/rego/schema/schema.go | 70 +++++ .../drivers/{local => rego}/storages.go | 2 +- .../constraint/pkg/client/errors.go | 3 + .../constraint/pkg/client/errors/errors.go | 1 + 
.../constraint/pkg/client/new_client.go | 6 +- .../constraint/pkg/client/template_client.go | 17 ++ .../templates/constrainttemplate_types.go | 63 ++++ .../core/templates/zz_generated.deepcopy.go | 28 +- .../constraint/pkg/schema/yaml_constant.go | 126 ++++++-- vendor/modules.txt | 5 +- 49 files changed, 1350 insertions(+), 204 deletions(-) rename vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/{local => rego}/args.go (99%) rename vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/{local => rego}/builtin.go (98%) rename vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/{local => rego}/compilers.go (88%) rename vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/{local => rego}/driver.go (96%) rename vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/{local => rego}/new.go (97%) rename vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/{local => rego}/rego.go (99%) create mode 100644 vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema/schema.go rename vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/{local => rego}/storages.go (99%) diff --git a/go.mod b/go.mod index bdb6aeb12d7..f2b77b49451 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/onsi/ginkgo/v2 v2.8.4 github.com/onsi/gomega v1.27.2 github.com/open-policy-agent/cert-controller v0.4.0 - github.com/open-policy-agent/frameworks/constraint v0.0.0-20230303021054-89ae905c94d2 + github.com/open-policy-agent/frameworks/constraint v0.0.0-20230304011918-d82cbe189211 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.14.0 github.com/spf13/cobra v1.6.1 diff --git a/go.sum b/go.sum index fac497c3b41..ac74610dd29 100644 --- a/go.sum +++ b/go.sum 
@@ -946,8 +946,8 @@ github.com/onsi/gomega v1.27.2 h1:SKU0CXeKE/WVgIV1T61kSa3+IRE8Ekrv9rdXDwwTqnY= github.com/onsi/gomega v1.27.2/go.mod h1:5mR3phAHpkAVIDkHEUBY6HGVsU+cpcEscrGPB4oPlZI= github.com/open-policy-agent/cert-controller v0.4.0 h1:AQntgNq7fsoHgnoKrOk0lpRyab1na09vibeJCX4YBCs= github.com/open-policy-agent/cert-controller v0.4.0/go.mod h1:uOQW+2tMU51vSxy1Yt162oVUTMdqLuotC0aObQxrh6k= -github.com/open-policy-agent/frameworks/constraint v0.0.0-20230303021054-89ae905c94d2 h1:+ttWrgw5pmieSfAhq843CtJ5JoEunuH/n6PCh/vj6Kk= -github.com/open-policy-agent/frameworks/constraint v0.0.0-20230303021054-89ae905c94d2/go.mod h1:jggTVbseMnEQmCSgMRXByS4P7ykSBz6pLlxsbncSALM= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20230304011918-d82cbe189211 h1:Ma5rn7r3rPwyP9OXi6zNKjNDsCHYccjcno9M83SHgO0= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20230304011918-d82cbe189211/go.mod h1:jggTVbseMnEQmCSgMRXByS4P7ykSBz6pLlxsbncSALM= github.com/open-policy-agent/opa v0.49.2 h1:n8ntRq/yDWy+cmYaqSLrHXmrT3tX8WlK28vjFQdC6W8= github.com/open-policy-agent/opa v0.49.2/go.mod h1:7L3lN5qe8xboRmEHxC5lGjo5KsRMdK+CCLiFoOCP7rU= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= diff --git a/main.go b/main.go index 4ca91ea4522..00e75773f3b 100644 --- a/main.go +++ b/main.go @@ -30,7 +30,7 @@ import ( "github.com/go-logr/zapr" "github.com/open-policy-agent/cert-controller/pkg/rotator" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata" api "github.com/open-policy-agent/gatekeeper/apis" configv1alpha1 "github.com/open-policy-agent/gatekeeper/apis/config/v1alpha1" 
@@ -339,11 +339,11 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea <-setupFinished var providerCache *frameworksexternaldata.ProviderCache - args := []local.Arg{local.Tracing(false), local.DisableBuiltins(disabledBuiltins.ToSlice()...)} + args := []rego.Arg{rego.Tracing(false), rego.DisableBuiltins(disabledBuiltins.ToSlice()...)} mutationOpts := mutation.SystemOpts{Reporter: mutation.NewStatsReporter()} if *externaldata.ExternalDataEnabled { providerCache = frameworksexternaldata.NewCache() - args = append(args, local.AddExternalDataProviderCache(providerCache)) + args = append(args, rego.AddExternalDataProviderCache(providerCache)) mutationOpts.ProviderCache = providerCache certFile := filepath.Join(*certDir, certName) @@ -363,13 +363,13 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea } // register the client cert watcher to the driver - args = append(args, local.EnableExternalDataClientAuth(), local.AddExternalDataClientCertWatcher(certWatcher)) + args = append(args, rego.EnableExternalDataClientAuth(), rego.AddExternalDataClientCertWatcher(certWatcher)) // register the client cert watcher to the mutation system mutationOpts.ClientCertWatcher = certWatcher } // initialize OPA - driver, err := local.New(args...) + driver, err := rego.New(args...) if err != nil { setupLog.Error(err, "unable to set up Driver") return err diff --git a/manifest_staging/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml index a4da4e9e90f..737e3aff15b 100644 --- a/manifest_staging/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh @@ -61,6 +61,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -156,6 +174,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -251,6 +287,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string diff --git a/manifest_staging/charts/gatekeeper/crds/provider-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/provider-customresourcedefinition.yaml index 177afbb6780..95e66a8b8aa 100644 --- a/manifest_staging/charts/gatekeeper/crds/provider-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/provider-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 7529be733e0..6641c63d01d 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -1927,7 +1927,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh 
@@ -1986,6 +1986,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -2081,6 +2099,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -2176,6 +2212,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -3147,7 +3201,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh diff --git a/pkg/controller/config/config_controller_test.go b/pkg/controller/config/config_controller_test.go index ffbc731f663..d843b201ca2 100644 --- a/pkg/controller/config/config_controller_test.go +++ b/pkg/controller/config/config_controller_test.go @@ -24,7 +24,7 @@ import ( "github.com/google/go-cmp/cmp" "github.com/onsi/gomega" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" configv1alpha1 "github.com/open-policy-agent/gatekeeper/apis/config/v1alpha1" "github.com/open-policy-agent/gatekeeper/pkg/controller/config/process" "github.com/open-policy-agent/gatekeeper/pkg/fakes" @@ -127,7 +127,7 @@ func TestReconcile(t *testing.T) { c := testclient.NewRetryClient(mgr.GetClient()) // initialize OPA - driver, err := local.New(local.Tracing(true)) + driver, err := rego.New(rego.Tracing(true)) if err != nil { t.Fatalf("unable to set up Driver: %v", err) } @@ -382,7 +382,7 @@ func TestConfig_DeleteSyncResources(t *testing.T) { func setupController(mgr manager.Manager, wm *watch.Manager, tracker *readiness.Tracker, events <-chan event.GenericEvent) error { // initialize OPA - driver, err := local.New(local.Tracing(true)) + driver, err := rego.New(rego.Tracing(true)) if err != nil { return fmt.Errorf("unable to set up Driver: %w", err) } diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go index 36bb0a3f319..cfe2495c7ab 100644 
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go +++ b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go @@ -25,7 +25,7 @@ import ( templatesv1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1" "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" statusv1beta1 "github.com/open-policy-agent/gatekeeper/apis/status/v1beta1" "github.com/open-policy-agent/gatekeeper/pkg/fakes" "github.com/open-policy-agent/gatekeeper/pkg/readiness" @@ -114,7 +114,7 @@ func TestReconcile(t *testing.T) { } // initialize OPA - driver, err := local.New(local.Tracing(true)) + driver, err := rego.New(rego.Tracing(true)) if err != nil { t.Fatalf("unable to set up Driver: %v", err) } @@ -537,7 +537,7 @@ violation[{"msg": "denied!"}] { } // initialize OPA - driver, err := local.New(local.Tracing(true)) + driver, err := rego.New(rego.Tracing(true)) if err != nil { t.Fatalf("unable to set up Driver: %v", err) } diff --git a/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller_test.go b/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller_test.go index a7d49b4938c..972452cef09 100644 --- a/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller_test.go +++ b/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller_test.go 
@@ -9,7 +9,7 @@ import ( "github.com/onsi/gomega" "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" podstatus "github.com/open-policy-agent/gatekeeper/apis/status/v1beta1" "github.com/open-policy-agent/gatekeeper/pkg/controller/constrainttemplate" "github.com/open-policy-agent/gatekeeper/pkg/fakes" @@ -113,7 +113,7 @@ violation[{"msg": "denied!"}] { } // initialize OPA - driver, err := local.New(local.Tracing(true)) + driver, err := rego.New(rego.Tracing(true)) if err != nil { t.Fatalf("unable to set up Driver: %v", err) } diff --git a/pkg/controller/externaldata/externaldata_controller_test.go b/pkg/controller/externaldata/externaldata_controller_test.go index 6d8fa7a5967..f16adbefd2c 100644 --- a/pkg/controller/externaldata/externaldata_controller_test.go +++ b/pkg/controller/externaldata/externaldata_controller_test.go @@ -11,7 +11,7 @@ import ( externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned" externaldatav1beta1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1beta1" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata" "github.com/open-policy-agent/gatekeeper/pkg/externaldata" "github.com/open-policy-agent/gatekeeper/pkg/readiness" 
@@ -84,8 +84,8 @@ func TestReconcile(t *testing.T) { pc := frameworksexternaldata.NewCache() // initialize OPA - args := []local.Arg{local.Tracing(false), local.AddExternalDataProviderCache(pc)} - driver, err := local.New(args...) + args := []rego.Arg{rego.Tracing(false), rego.AddExternalDataProviderCache(pc)} + driver, err := rego.New(args...) if err != nil { t.Fatalf("unable to set up Driver: %v", err) } diff --git a/pkg/gator/opa.go b/pkg/gator/opa.go index 952dce8931f..d0405d202f5 100644 --- a/pkg/gator/opa.go +++ b/pkg/gator/opa.go @@ -2,12 +2,12 @@ package gator import ( constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" "github.com/open-policy-agent/gatekeeper/pkg/target" ) func NewOPAClient(includeTrace bool) (Client, error) { - driver, err := local.New(local.Tracing(includeTrace)) + driver, err := rego.New(rego.Tracing(includeTrace)) if err != nil { return nil, err } diff --git a/pkg/gator/test/test.go b/pkg/gator/test/test.go index b3f5f0778cf..06aada6c98f 100644 --- a/pkg/gator/test/test.go +++ b/pkg/gator/test/test.go @@ -7,7 +7,7 @@ import ( "github.com/open-policy-agent/frameworks/constraint/pkg/apis" templatesv1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" "github.com/open-policy-agent/gatekeeper/pkg/expansion" "github.com/open-policy-agent/gatekeeper/pkg/gator/expand" "github.com/open-policy-agent/gatekeeper/pkg/gator/reader" 
@@ -30,7 +30,7 @@ func init() { func Test(objs []*unstructured.Unstructured, includeTrace bool) (*GatorResponses, error) { // create the client - driver, err := local.New(local.Tracing(includeTrace)) + driver, err := rego.New(rego.Tracing(includeTrace)) if err != nil { return nil, err } diff --git a/pkg/readiness/ready_tracker_test.go b/pkg/readiness/ready_tracker_test.go index 81037eac6e2..2b9792a1b46 100644 --- a/pkg/readiness/ready_tracker_test.go +++ b/pkg/readiness/ready_tracker_test.go @@ -28,7 +28,7 @@ import ( externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned" "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata" "github.com/open-policy-agent/gatekeeper/pkg/controller" "github.com/open-policy-agent/gatekeeper/pkg/controller/config/process" @@ -90,7 +90,7 @@ func setupManager(t *testing.T) (manager.Manager, *watch.Manager) { func setupOpa(t *testing.T) *constraintclient.Client { // initialize OPA - driver, err := local.New(local.Tracing(false)) + driver, err := rego.New(rego.Tracing(false)) if err != nil { t.Fatalf("setting up Driver: %v", err) } diff --git a/pkg/target/target_integration_test.go b/pkg/target/target_integration_test.go index 20f8b189d8d..d6391cc4149 100644 --- a/pkg/target/target_integration_test.go +++ b/pkg/target/target_integration_test.go 
@@ -6,10 +6,12 @@ import ( "testing" "github.com/ghodss/yaml" + templatesv1beta1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" + api "github.com/open-policy-agent/gatekeeper/apis" admissionv1 "k8s.io/api/admission/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -412,10 +414,15 @@ func TestConstraintEnforcement(t *testing.T) { }, } + scheme := runtime.NewScheme() + if err := api.AddToScheme(scheme); err != nil { + t.Fatalf("could not initialize scheme: %s", err) + } + for _, tc := range tcs { t.Run(tc.name, func(t *testing.T) { target := &K8sValidationTarget{} - driver, err := local.New(local.Tracing(true)) + driver, err := rego.New(rego.Tracing(true)) if err != nil { t.Fatalf("unable to set up Driver: %v", err) } @@ -425,10 +432,14 @@ func TestConstraintEnforcement(t *testing.T) { t.Fatalf("unable to set up OPA client: %s", err) } - tmpl := &templates.ConstraintTemplate{} - if err := yaml.Unmarshal([]byte(testTemplate), tmpl); err != nil { + versionedTmpl := &templatesv1beta1.ConstraintTemplate{} + if err := yaml.Unmarshal([]byte(testTemplate), versionedTmpl); err != nil { t.Fatalf("unable to unmarshal template: %s", err) } + tmpl := &templates.ConstraintTemplate{} + if err := scheme.Convert(versionedTmpl, tmpl, nil); err != nil { + t.Fatalf("could not convert template: %s", err) + } ctx := context.Background() if _, err := c.AddTemplate(ctx, tmpl); err != nil { t.Fatalf("unable to add template: %s", err) diff --git a/pkg/target/target_test.go b/pkg/target/target_test.go index 9d5c37bb09a..a79a22b85d3 100644 
--- a/pkg/target/target_test.go +++ b/pkg/target/target_test.go @@ -10,7 +10,7 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" "github.com/open-policy-agent/frameworks/constraint/pkg/core/constraints" "github.com/open-policy-agent/gatekeeper/apis/mutations/unversioned" "github.com/open-policy-agent/gatekeeper/pkg/mutation/match" @@ -26,7 +26,7 @@ import ( func TestFrameworkInjection(t *testing.T) { target := &K8sValidationTarget{} - driver, err := local.New(local.Tracing(true)) + driver, err := rego.New(rego.Tracing(true)) if err != nil { t.Fatal(err) } diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go index 2a91d5fbb12..0c0cc456784 100644 --- a/pkg/webhook/policy.go +++ b/pkg/webhook/policy.go @@ -29,7 +29,7 @@ import ( externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata" rtypes "github.com/open-policy-agent/frameworks/constraint/pkg/types" @@ -377,7 +377,7 @@ func (h *validationHandler) validateTemplate(ctx context.Context, req *admission // Create a temporary Driver and attempt to add the Template to it. This // ensures the Rego code both parses and compiles. - d, err := local.New() + d, err := rego.New() if err != nil { return false, fmt.Errorf("unable to create Driver: %w", err) } 
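Review bot: The temporary driver in validateTemplate is built with a bare `rego.New()`, while the production driver in main.go is built with `rego.DisableBuiltins(disabledBuiltins.ToSlice()...)` plus the external-data options, so the webhook's parse/compile check runs against a different builtin set than the driver that will actually load the template; I believe a template referencing a builtin disabled via the flag could pass admission here and then fail in the controller, and the reverse mismatch is also possible. With this patch the webhook is also the only place that can enforce the CRD description's "Rego can only be specified in one place" rule and the engine name, because the new schema accepts any `engine` string and preserves unknown fields under `source`, so it is worth either threading the same `[]rego.Arg` into the handler or at least documenting the gap above this line: `// NOTE: default driver options; builtins disabled via --disable-builtins are not disabled here, so "accepted" != "loadable".` validateTemplate begins and ends outside this hunk.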
diff --git a/pkg/webhook/policy_test.go b/pkg/webhook/policy_test.go index cdef1cf5058..0cb7e3b6e09 100644 --- a/pkg/webhook/policy_test.go +++ b/pkg/webhook/policy_test.go @@ -9,7 +9,7 @@ import ( "github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints" templatesv1beta1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" - "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego" "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" rtypes "github.com/open-policy-agent/frameworks/constraint/pkg/types" "github.com/open-policy-agent/gatekeeper/apis/config/v1alpha1" @@ -165,12 +165,17 @@ func validRegoTemplate() *templates.ConstraintTemplate { }, Targets: []templates.Target{{ Target: target.Name, - Rego: ` + Code: []templates.Code{{ + Engine: "Rego", + Source: &templates.Anything{ + Value: map[string]interface{}{"rego": ` package goodrego - violation[{"msg": msg}] { - msg := "Maybe this will work?" - }`, +violation[{"msg": msg}] { + msg := "Maybe this will work?" +}`}, + }, + }}, }}, }, } @@ -202,7 +207,7 @@ func invalidRegoTemplate() *templates.ConstraintTemplate { func makeOpaClient() (*constraintclient.Client, error) { t := &target.K8sValidationTarget{} - driver, err := local.New(local.Tracing(false)) + driver, err := rego.New(rego.Tracing(false)) if err != nil { return nil, err } diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/deploy/crds.yaml b/vendor/github.com/open-policy-agent/frameworks/constraint/deploy/crds.yaml index 203ff3ff44a..3015bcad338 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/deploy/crds.yaml +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/deploy/crds.yaml 
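Review bot: validRegoTemplate now exercises only the new `Code` path with `Engine: "Rego"`, so unless a sibling fixture outside this hunk still does, the legacy `Rego` field path and the CRD description's rule that Rego may be specified in only one place are no longer pinned by a test in this file. I would add a fixture that sets both `Rego` and a `Code` entry with engine Rego, and another with an unrecognised engine string (the schema accepts any string and preserves unknown `source` fields), and assert that the webhook rejects both. The table that consumes these fixtures lives outside this hunk.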
@@ -2,7 +2,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null name: constrainttemplates.templates.gatekeeper.sh spec: group: templates.gatekeeper.sh @@ -17,13 +18,18 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -59,6 +65,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -75,11 +102,13 @@ spec: properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + description: ByPodStatus defines the observed state of ConstraintTemplate + as seen by an individual controller properties: errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: CreateCRDError represents a single error caught + during parsing, compiling, etc. properties: code: type: string @@ -93,7 +122,8 @@ spec: type: object type: array id: - description: a unique identifier for the pod that wrote the status + description: a unique identifier for the pod that wrote the + status type: string observedGeneration: format: int64 
@@ -112,13 +142,18 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -154,6 +189,27 @@ spec:
 targets:
 items:
 properties:
+ code:
+ description: The source code options for the constraint template.
+ "Rego" can only be specified in one place (either here or
+ in the "rego" field)
+ items:
+ properties:
+ engine:
+ description: 'The engine used to evaluate the code. Example:
+ "Rego". Required.'
+ type: string
+ source:
+ description: The source code for the template. Required.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - engine
+ - source
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - engine
+ x-kubernetes-list-type: map
 libs:
 items:
 type: string
@@ -170,11 +226,13 @@ spec:
 properties:
 byPod:
 items:
- description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
+ description: ByPodStatus defines the observed state of ConstraintTemplate
+ as seen by an individual controller
 properties:
 errors:
 items:
- description: CreateCRDError represents a single error caught during parsing, compiling, etc.
+ description: CreateCRDError represents a single error caught
+ during parsing, compiling, etc.
 properties:
 code:
 type: string
@@ -188,7 +246,8 @@ spec:
 type: object
 type: array
 id:
- description: a unique identifier for the pod that wrote the status
+ description: a unique identifier for the pod that wrote the
+ status
 type: string
 observedGeneration:
 format: int64
@@ -207,13 +266,18 @@ spec:
 - name: v1beta1
 schema:
 openAPIV3Schema:
- description: ConstraintTemplate is the Schema for the constrainttemplates API
+ description: ConstraintTemplate is the Schema for the constrainttemplates
+ API
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 type: string
 metadata:
 type: object
@@ -249,6 +313,27 @@ spec:
 targets:
 items:
 properties:
+ code:
+ description: The source code options for the constraint template.
+ "Rego" can only be specified in one place (either here or
+ in the "rego" field)
+ items:
+ properties:
+ engine:
+ description: 'The engine used to evaluate the code. Example:
+ "Rego". Required.'
+ type: string
+ source:
+ description: The source code for the template. Required.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - engine
+ - source
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - engine
+ x-kubernetes-list-type: map
 libs:
 items:
 type: string
@@ -265,11 +350,13 @@ spec:
 properties:
 byPod:
 items:
- description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
+ description: ByPodStatus defines the observed state of ConstraintTemplate
+ as seen by an individual controller
 properties:
 errors:
 items:
- description: CreateCRDError represents a single error caught during parsing, compiling, etc.
+ description: CreateCRDError represents a single error caught
+ during parsing, compiling, etc.
 properties:
 code:
 type: string
@@ -283,7 +370,8 @@ spec:
 type: object
 type: array
 id:
- description: a unique identifier for the pod that wrote the status
+ description: a unique identifier for the pod that wrote the
+ status
 type: string
 observedGeneration:
 format: int64
@@ -304,7 +392,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.10.0
+ controller-gen.kubebuilder.io/version: v0.11.3
 creationTimestamp: null
 name: providers.externaldata.gatekeeper.sh
 spec:
@@ -317,17 +405,22 @@ spec:
 scope: Cluster
 versions:
 - deprecated: true
- deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead.
+ deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1
+ instead.
 name: v1alpha1
 schema:
 openAPIV3Schema:
 description: Provider is the Schema for the Provider API
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 type: string
 metadata:
 type: object
@@ -335,13 +428,16 @@ spec:
 description: Spec defines the Provider specifications.
 properties:
 caBundle:
- description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate.
+ description: CABundle is a base64-encoded string that contains the
+ TLS CA bundle in PEM format. It is used to verify the signature
+ of the provider's certificate.
 type: string
 timeout:
 description: Timeout is the timeout when querying the provider.
 type: integer
 url:
- description: URL is the url for the provider. URL is prefixed with https://.
+ description: URL is the url for the provider. URL is prefixed with
+ https://.
 type: string
 type: object
 type: object
@@ -353,10 +449,14 @@ spec:
 description: Provider is the Schema for the providers API
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 type: string
 metadata:
 type: object
@@ -364,13 +464,16 @@ spec:
 description: Spec defines the Provider specifications.
 properties:
 caBundle:
- description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate.
+ description: CABundle is a base64-encoded string that contains the
+ TLS CA bundle in PEM format. It is used to verify the signature
+ of the provider's certificate.
 type: string
 timeout:
 description: Timeout is the timeout when querying the provider.
 type: integer
 url:
- description: URL is the url for the provider. URL is prefixed with https://.
+ description: URL is the url for the provider. URL is prefixed with
+ https://.
 type: string
 type: object
 type: object
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/constrainttemplate_types.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/constrainttemplate_types.go
index 3d71846de68..ca272adbf10 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/constrainttemplate_types.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/constrainttemplate_types.go
@@ -16,6 +16,7 @@ limitations under the License.
 package v1
 import (
+ "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -48,6 +49,7 @@ type Validation struct {
 // +kubebuilder:validation:Schemaless
 // +kubebuilder:validation:Type=object
 // +kubebuilder:pruning:PreserveUnknownFields
+ // +k8s:conversion-gen=false
 OpenAPIV3Schema *apiextensionsv1.JSONSchemaProps `json:"openAPIV3Schema,omitempty"`
 // +kubebuilder:default=false
 LegacySchema *bool `json:"legacySchema,omitempty"` // *bool allows for "unset" state which we need to apply appropriate defaults
@@ -57,6 +59,24 @@ type Target struct {
 Target string `json:"target,omitempty"`
 Rego string `json:"rego,omitempty"`
 Libs []string `json:"libs,omitempty"`
+ // The source code options for the constraint template. "Rego" can only
+ // be specified in one place (either here or in the "rego" field)
+ // +listType=map
+ // +listMapKey=engine
+ // +kubebuilder:validation:Required
+ Code []Code `json:"code,omitempty"`
+}
+
+type Code struct {
+ // The engine used to evaluate the code. Example: "Rego". Required.
+ // +kubebuilder:validation:Required
+ Engine string `json:"engine"`
+
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Schemaless
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // The source code for the template. Required.
+ Source *templates.Anything `json:"source"`
 }
 // CreateCRDError represents a single error caught during parsing, compiling, etc.
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/conversion.go
index 7081c15e95e..0c448123b1b 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/conversion.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/conversion.go
@@ -16,6 +16,9 @@ limitations under the License.
 package v1
 import (
+ "unsafe"
+
+ regoSchema "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema"
 coreTemplates "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 "github.com/open-policy-agent/frameworks/constraint/pkg/schema"
 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
@@ -61,3 +64,41 @@ func Convert_v1_Validation_To_templates_Validation(in *Validation, out *coreTemp
 return nil
 }
+
+func Convert_v1_Target_To_templates_Target(in *Target, out *coreTemplates.Target, s conversion.Scope) error { // nolint:revive // Required exact function name.
+ out.Target = in.Target
+ out.Rego = in.Rego
+ out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs))
+
+ out.Code = make([]coreTemplates.Code, len(in.Code))
+ for i := range in.Code {
+ if err := Convert_v1_Code_To_templates_Code(&(in.Code[i]), &(out.Code[i]), s); err != nil {
+ return err
+ }
+ }
+
+ if in.Rego == "" {
+ return nil
+ }
+
+ regoSource := ®oSchema.Source{}
+ regoSource.Rego = in.Rego
+ regoSource.Libs = append(regoSource.Libs, in.Libs...)
+
+ injected := false
+ for i := range out.Code {
+ if out.Code[i].Engine == regoSchema.Name {
+ out.Code[i].Source.Value = regoSource.ToUnstructured()
+ injected = true
+ break
+ }
+ }
+ if !injected {
+ out.Code = append(out.Code, coreTemplates.Code{
+ Engine: regoSchema.Name,
+ Source: &coreTemplates.Anything{Value: regoSource.ToUnstructured()},
+ })
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.conversion.go
index 4bacd6c3c56..453cd658c17 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.conversion.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.conversion.go
@@ -65,6 +65,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
+ if err := s.AddGeneratedConversionFunc((*Code)(nil), (*templates.Code)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1_Code_To_templates_Code(a.(*Code), b.(*templates.Code), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*templates.Code)(nil), (*Code)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_templates_Code_To_v1_Code(a.(*templates.Code), b.(*Code), scope)
+ }); err != nil {
+ return err
+ }
 if err := s.AddGeneratedConversionFunc((*ConstraintTemplate)(nil), (*templates.ConstraintTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
 return Convert_v1_ConstraintTemplate_To_templates_ConstraintTemplate(a.(*ConstraintTemplate), b.(*templates.ConstraintTemplate), scope)
 }); err != nil {
@@ -125,11 +135,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*Target)(nil), (*templates.Target)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1_Target_To_templates_Target(a.(*Target), b.(*templates.Target), scope)
- }); err != nil {
- return err
- }
 if err := s.AddGeneratedConversionFunc((*templates.Target)(nil), (*Target)(nil), func(a, b interface{}, scope conversion.Scope) error {
 return Convert_templates_Target_To_v1_Target(a.(*templates.Target), b.(*Target), scope)
 }); err != nil {
@@ -140,6 +145,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
+ if err := s.AddConversionFunc((*Target)(nil), (*templates.Target)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1_Target_To_templates_Target(a.(*Target), b.(*templates.Target), scope)
+ }); err != nil {
+ return err
+ }
 if err := s.AddConversionFunc((*Validation)(nil), (*templates.Validation)(nil), func(a, b interface{}, scope conversion.Scope) error {
 return Convert_v1_Validation_To_templates_Validation(a.(*Validation), b.(*templates.Validation), scope)
 }); err != nil {
@@ -238,6 +248,28 @@ func Convert_templates_CRDSpec_To_v1_CRDSpec(in *templates.CRDSpec, out *CRDSpec
 return autoConvert_templates_CRDSpec_To_v1_CRDSpec(in, out, s)
 }
+
+func autoConvert_v1_Code_To_templates_Code(in *Code, out *templates.Code, s conversion.Scope) error {
+ out.Engine = in.Engine
+ out.Source = (*templates.Anything)(unsafe.Pointer(in.Source))
+ return nil
+}
+
+// Convert_v1_Code_To_templates_Code is an autogenerated conversion function.
+func Convert_v1_Code_To_templates_Code(in *Code, out *templates.Code, s conversion.Scope) error {
+ return autoConvert_v1_Code_To_templates_Code(in, out, s)
+}
+
+func autoConvert_templates_Code_To_v1_Code(in *templates.Code, out *Code, s conversion.Scope) error {
+ out.Engine = in.Engine
+ out.Source = (*templates.Anything)(unsafe.Pointer(in.Source))
+ return nil
+}
+
+// Convert_templates_Code_To_v1_Code is an autogenerated conversion function.
+func Convert_templates_Code_To_v1_Code(in *templates.Code, out *Code, s conversion.Scope) error {
+ return autoConvert_templates_Code_To_v1_Code(in, out, s)
+}
+
 func autoConvert_v1_ConstraintTemplate_To_templates_ConstraintTemplate(in *ConstraintTemplate, out *templates.ConstraintTemplate, s conversion.Scope) error {
 out.ObjectMeta = in.ObjectMeta
 if err := Convert_v1_ConstraintTemplateSpec_To_templates_ConstraintTemplateSpec(&in.Spec, &out.Spec, s); err != nil {
@@ -316,7 +348,17 @@ func autoConvert_v1_ConstraintTemplateSpec_To_templates_ConstraintTemplateSpec(i
 if err := Convert_v1_CRD_To_templates_CRD(&in.CRD, &out.CRD, s); err != nil {
 return err
 }
- out.Targets = *(*[]templates.Target)(unsafe.Pointer(&in.Targets))
+ if in.Targets != nil {
+ in, out := &in.Targets, &out.Targets
+ *out = make([]templates.Target, len(*in))
+ for i := range *in {
+ if err := Convert_v1_Target_To_templates_Target(&(*in)[i], &(*out)[i], s); err != nil {
+ return err
+ }
+ }
+ } else {
+ out.Targets = nil
+ }
 return nil
 }
@@ -329,7 +371,17 @@ func autoConvert_templates_ConstraintTemplateSpec_To_v1_ConstraintTemplateSpec(i
 if err := Convert_templates_CRD_To_v1_CRD(&in.CRD, &out.CRD, s); err != nil {
 return err
 }
- out.Targets = *(*[]Target)(unsafe.Pointer(&in.Targets))
+ if in.Targets != nil {
+ in, out := &in.Targets, &out.Targets
+ *out = make([]Target, len(*in))
+ for i := range *in {
+ if err := Convert_templates_Target_To_v1_Target(&(*in)[i], &(*out)[i], s); err != nil {
+ return err
+ }
+ }
+ } else {
+ out.Targets = nil
+ }
 return nil
 }
@@ -410,18 +462,15 @@ func autoConvert_v1_Target_To_templates_Target(in *Target, out *templates.Target
 out.Target = in.Target
 out.Rego = in.Rego
 out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs))
+ out.Code = *(*[]templates.Code)(unsafe.Pointer(&in.Code))
 return nil
 }
-// Convert_v1_Target_To_templates_Target is an autogenerated conversion function.
-func Convert_v1_Target_To_templates_Target(in *Target, out *templates.Target, s conversion.Scope) error {
- return autoConvert_v1_Target_To_templates_Target(in, out, s)
-}
-
 func autoConvert_templates_Target_To_v1_Target(in *templates.Target, out *Target, s conversion.Scope) error {
 out.Target = in.Target
 out.Rego = in.Rego
 out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs))
+ out.Code = *(*[]Code)(unsafe.Pointer(&in.Code))
 return nil
 }
@@ -430,6 +479,12 @@ func Convert_templates_Target_To_v1_Target(in *templates.Target, out *Target, s
 return autoConvert_templates_Target_To_v1_Target(in, out, s)
 }
+func autoConvert_v1_Validation_To_templates_Validation(in *Validation, out *templates.Validation, s conversion.Scope) error {
+ // INFO: in.OpenAPIV3Schema opted out of conversion generation
+ out.LegacySchema = (*bool)(unsafe.Pointer(in.LegacySchema))
+ return nil
+}
+
 func autoConvert_templates_Validation_To_v1_Validation(in *templates.Validation, out *Validation, s conversion.Scope) error {
 if in.OpenAPIV3Schema != nil {
 in, out := &in.OpenAPIV3Schema, &out.OpenAPIV3Schema
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go
index 00df042db11..797b58ef42a 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go
@@ -81,6 +81,25 @@ func (in *CRDSpec) DeepCopy() *CRDSpec {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Code) DeepCopyInto(out *Code) {
+ *out = *in
+ if in.Source != nil {
+ in, out := &in.Source, &out.Source
+ *out = (*in).DeepCopy()
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Code.
+func (in *Code) DeepCopy() *Code {
+ if in == nil {
+ return nil
+ }
+ out := new(Code)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConstraintTemplate) DeepCopyInto(out *ConstraintTemplate) {
 *out = *in
@@ -228,6 +247,13 @@ func (in *Target) DeepCopyInto(out *Target) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.Code != nil {
+ in, out := &in.Code, &out.Code
+ *out = make([]Code, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Target.
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go
index 061926cf5b9..71f337e2622 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go
@@ -16,6 +16,7 @@ limitations under the License.
 package v1alpha1
 import (
+ "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -48,6 +49,7 @@ type Validation struct {
 // +kubebuilder:validation:Schemaless
 // +kubebuilder:validation:Type=object
 // +kubebuilder:pruning:PreserveUnknownFields
+ // +k8s:conversion-gen=false
 OpenAPIV3Schema *apiextensionsv1.JSONSchemaProps `json:"openAPIV3Schema,omitempty"`
 // +kubebuilder:default=true
 LegacySchema *bool `json:"legacySchema,omitempty"` // *bool allows for "unset" state which we need to apply appropriate defaults
@@ -57,6 +59,23 @@ type Target struct {
 Target string `json:"target,omitempty"`
 Rego string `json:"rego,omitempty"`
 Libs []string `json:"libs,omitempty"`
+ // The source code options for the constraint template. "Rego" can only
+ // be specified in one place (either here or in the "rego" field)
+ // +listType=map
+ // +listMapKey=engine
+ Code []Code `json:"code,omitempty"`
+}
+
+type Code struct {
+ // The engine used to evaluate the code. Example: "Rego". Required.
+ // +kubebuilder:validation:Required
+ Engine string `json:"engine"`
+
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Schemaless
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // The source code for the template. Required.
+ Source *templates.Anything `json:"source"`
 }
 // CreateCRDError represents a single error caught during parsing, compiling, etc.
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/conversion.go
index 68cf0201462..bdfaef9751d 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/conversion.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/conversion.go
@@ -16,6 +16,9 @@ limitations under the License.
 package v1alpha1
 import (
+ "unsafe"
+
+ regoSchema "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema"
 coreTemplates "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 "github.com/open-policy-agent/frameworks/constraint/pkg/schema"
 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
@@ -61,3 +64,41 @@ func Convert_v1alpha1_Validation_To_templates_Validation(in *Validation, out *co
 return nil
 }
+
+func Convert_v1alpha1_Target_To_templates_Target(in *Target, out *coreTemplates.Target, s conversion.Scope) error { // nolint:revive // Required exact function name.
+ out.Target = in.Target
+ out.Rego = in.Rego
+ out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs))
+
+ out.Code = make([]coreTemplates.Code, len(in.Code))
+ for i := range in.Code {
+ if err := Convert_v1alpha1_Code_To_templates_Code(&(in.Code[i]), &(out.Code[i]), s); err != nil {
+ return err
+ }
+ }
+
+ if in.Rego == "" {
+ return nil
+ }
+
+ regoSource := ®oSchema.Source{}
+ regoSource.Rego = in.Rego
+ regoSource.Libs = append(regoSource.Libs, in.Libs...)
+
+ injected := false
+ for i := range out.Code {
+ if out.Code[i].Engine == regoSchema.Name {
+ out.Code[i].Source.Value = regoSource.ToUnstructured()
+ injected = true
+ break
+ }
+ }
+ if !injected {
+ out.Code = append(out.Code, coreTemplates.Code{
+ Engine: regoSchema.Name,
+ Source: &coreTemplates.Anything{Value: regoSource.ToUnstructured()},
+ })
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go
index ef3792ae516..38fe6f4cd88 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go
@@ -65,6 +65,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
+ if err := s.AddGeneratedConversionFunc((*Code)(nil), (*templates.Code)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_Code_To_templates_Code(a.(*Code), b.(*templates.Code), scope)
+ }); err != nil {
+ return err
+ }
+ if err := s.AddGeneratedConversionFunc((*templates.Code)(nil), (*Code)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_templates_Code_To_v1alpha1_Code(a.(*templates.Code), b.(*Code), scope)
+ }); err != nil {
+ return err
+ }
 if err := s.AddGeneratedConversionFunc((*ConstraintTemplate)(nil), (*templates.ConstraintTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error {
 return Convert_v1alpha1_ConstraintTemplate_To_templates_ConstraintTemplate(a.(*ConstraintTemplate), b.(*templates.ConstraintTemplate), scope)
 }); err != nil {
@@ -125,11 +135,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*Target)(nil), (*templates.Target)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1alpha1_Target_To_templates_Target(a.(*Target), b.(*templates.Target), scope)
- }); err != nil {
- return err
- }
 if err := s.AddGeneratedConversionFunc((*templates.Target)(nil), (*Target)(nil), func(a, b interface{}, scope conversion.Scope) error {
 return Convert_templates_Target_To_v1alpha1_Target(a.(*templates.Target), b.(*Target), scope)
 }); err != nil {
@@ -140,6 +145,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
+ if err := s.AddConversionFunc((*Target)(nil), (*templates.Target)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha1_Target_To_templates_Target(a.(*Target), b.(*templates.Target), scope)
+ }); err != nil {
+ return err
+ }
 if err := s.AddConversionFunc((*Validation)(nil), (*templates.Validation)(nil), func(a, b interface{}, scope conversion.Scope) error {
 return Convert_v1alpha1_Validation_To_templates_Validation(a.(*Validation), b.(*templates.Validation), scope)
 }); err != nil {
@@ -238,6 +248,28 @@ func Convert_templates_CRDSpec_To_v1alpha1_CRDSpec(in *templates.CRDSpec, out *C
 return autoConvert_templates_CRDSpec_To_v1alpha1_CRDSpec(in, out, s)
 }
+
+func autoConvert_v1alpha1_Code_To_templates_Code(in *Code, out *templates.Code, s conversion.Scope) error {
+ out.Engine = in.Engine
+ out.Source = (*templates.Anything)(unsafe.Pointer(in.Source))
+ return nil
+}
+
+// Convert_v1alpha1_Code_To_templates_Code is an autogenerated conversion function.
+func Convert_v1alpha1_Code_To_templates_Code(in *Code, out *templates.Code, s conversion.Scope) error {
+ return autoConvert_v1alpha1_Code_To_templates_Code(in, out, s)
+}
+
+func autoConvert_templates_Code_To_v1alpha1_Code(in *templates.Code, out *Code, s conversion.Scope) error {
+ out.Engine = in.Engine
+ out.Source = (*templates.Anything)(unsafe.Pointer(in.Source))
+ return nil
+}
+
+// Convert_templates_Code_To_v1alpha1_Code is an autogenerated conversion function.
+func Convert_templates_Code_To_v1alpha1_Code(in *templates.Code, out *Code, s conversion.Scope) error {
+ return autoConvert_templates_Code_To_v1alpha1_Code(in, out, s)
+}
+
 func autoConvert_v1alpha1_ConstraintTemplate_To_templates_ConstraintTemplate(in *ConstraintTemplate, out *templates.ConstraintTemplate, s conversion.Scope) error {
 out.ObjectMeta = in.ObjectMeta
 if err := Convert_v1alpha1_ConstraintTemplateSpec_To_templates_ConstraintTemplateSpec(&in.Spec, &out.Spec, s); err != nil {
@@ -316,7 +348,17 @@ func autoConvert_v1alpha1_ConstraintTemplateSpec_To_templates_ConstraintTemplate
 if err := Convert_v1alpha1_CRD_To_templates_CRD(&in.CRD, &out.CRD, s); err != nil {
 return err
 }
- out.Targets = *(*[]templates.Target)(unsafe.Pointer(&in.Targets))
+ if in.Targets != nil {
+ in, out := &in.Targets, &out.Targets
+ *out = make([]templates.Target, len(*in))
+ for i := range *in {
+ if err := Convert_v1alpha1_Target_To_templates_Target(&(*in)[i], &(*out)[i], s); err != nil {
+ return err
+ }
+ }
+ } else {
+ out.Targets = nil
+ }
 return nil
 }
@@ -329,7 +371,17 @@ func autoConvert_templates_ConstraintTemplateSpec_To_v1alpha1_ConstraintTemplate
 if err := Convert_templates_CRD_To_v1alpha1_CRD(&in.CRD, &out.CRD, s); err != nil {
 return err
 }
- out.Targets = *(*[]Target)(unsafe.Pointer(&in.Targets))
+ if in.Targets != nil {
+ in, out := &in.Targets, &out.Targets
+ *out = make([]Target, len(*in))
+ for i := range *in {
+ if err := Convert_templates_Target_To_v1alpha1_Target(&(*in)[i], &(*out)[i], s); err != nil {
+ return err
+ }
+ }
+ } else {
+ out.Targets = nil
+ }
 return nil
 }
@@ -410,18 +462,15 @@ func autoConvert_v1alpha1_Target_To_templates_Target(in *Target, out *templates.
 out.Target = in.Target
 out.Rego = in.Rego
 out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs))
+ out.Code = *(*[]templates.Code)(unsafe.Pointer(&in.Code))
 return nil
 }
-// Convert_v1alpha1_Target_To_templates_Target is an autogenerated conversion function.
-func Convert_v1alpha1_Target_To_templates_Target(in *Target, out *templates.Target, s conversion.Scope) error {
- return autoConvert_v1alpha1_Target_To_templates_Target(in, out, s)
-}
-
 func autoConvert_templates_Target_To_v1alpha1_Target(in *templates.Target, out *Target, s conversion.Scope) error {
 out.Target = in.Target
 out.Rego = in.Rego
 out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs))
+ out.Code = *(*[]Code)(unsafe.Pointer(&in.Code))
 return nil
 }
@@ -430,6 +479,12 @@ func Convert_templates_Target_To_v1alpha1_Target(in *templates.Target, out *Targ
 return autoConvert_templates_Target_To_v1alpha1_Target(in, out, s)
 }
+func autoConvert_v1alpha1_Validation_To_templates_Validation(in *Validation, out *templates.Validation, s conversion.Scope) error {
+ // INFO: in.OpenAPIV3Schema opted out of conversion generation
+ out.LegacySchema = (*bool)(unsafe.Pointer(in.LegacySchema))
+ return nil
+}
+
 func autoConvert_templates_Validation_To_v1alpha1_Validation(in *templates.Validation, out *Validation, s conversion.Scope) error {
 if in.OpenAPIV3Schema != nil {
 in, out := &in.OpenAPIV3Schema, &out.OpenAPIV3Schema
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go
index 1ce321d28ef..6720c01f769 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go
@@ -81,6 +81,25 @@ func (in *CRDSpec) DeepCopy() *CRDSpec {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Code) DeepCopyInto(out *Code) {
+ *out = *in
+ if in.Source != nil {
+ in, out := &in.Source, &out.Source
+ *out = (*in).DeepCopy()
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Code.
+func (in *Code) DeepCopy() *Code {
+ if in == nil {
+ return nil
+ }
+ out := new(Code)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConstraintTemplate) DeepCopyInto(out *ConstraintTemplate) {
 *out = *in
@@ -228,6 +247,13 @@ func (in *Target) DeepCopyInto(out *Target) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Code != nil { + in, out := &in.Code, &out.Code + *out = make([]Code, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Target. diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go index 51167178b96..8eda89973b4 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go @@ -16,6 +16,7 @@ limitations under the License. package v1beta1 import ( + "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -48,6 +49,7 @@ type Validation struct { // +kubebuilder:validation:Schemaless // +kubebuilder:validation:Type=object // +kubebuilder:pruning:PreserveUnknownFields + // +k8s:conversion-gen=false OpenAPIV3Schema *apiextensionsv1.JSONSchemaProps `json:"openAPIV3Schema,omitempty"` // +kubebuilder:default=true LegacySchema *bool `json:"legacySchema,omitempty"` // *bool allows for "unset" state which we need to apply appropriate defaults 
@@ -57,6 +59,23 @@ type Target struct { Target string `json:"target,omitempty"` Rego string `json:"rego,omitempty"` Libs []string `json:"libs,omitempty"` + // The source code options for the constraint template. "Rego" can only + // be specified in one place (either here or in the "rego" field) + // +listType=map + // +listMapKey=engine + Code []Code `json:"code,omitempty"` +} + +type Code struct { + // The engine used to evaluate the code. Example: "Rego". Required. + // +kubebuilder:validation:Required + Engine string `json:"engine"` + + // +kubebuilder:validation:Required + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + // The source code for the template. Required. + Source *templates.Anything `json:"source"` } // CreateCRDError represents a single error caught during parsing, compiling, etc. diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/conversion.go index 9bb69b0c74e..915782b83fd 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/conversion.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/conversion.go @@ -16,6 +16,9 @@ limitations under the License. package v1beta1 import ( + "unsafe" + + regoSchema "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema" coreTemplates "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" "github.com/open-policy-agent/frameworks/constraint/pkg/schema" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" 
@@ -61,3 +64,41 @@ func Convert_v1beta1_Validation_To_templates_Validation(in *Validation, out *cor
 return nil
 }
+
+func Convert_v1beta1_Target_To_templates_Target(in *Target, out *coreTemplates.Target, s conversion.Scope) error { // nolint:revive // Required exact function name.
+ out.Target = in.Target
+ out.Rego = in.Rego
+ out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs))
+
+ out.Code = make([]coreTemplates.Code, len(in.Code))
+ for i := range in.Code {
+ if err := Convert_v1beta1_Code_To_templates_Code(&(in.Code[i]), &(out.Code[i]), s); err != nil {
+ return err
+ }
+ }
+
+ if in.Rego == "" {
+ return nil
+ }
+
+ regoSource := ®oSchema.Source{}
+ regoSource.Rego = in.Rego
+ regoSource.Libs = append(regoSource.Libs, in.Libs...)
+
+ injected := false
+ for i := range out.Code {
+ if out.Code[i].Engine == regoSchema.Name {
+ out.Code[i].Source.Value = regoSource.ToUnstructured()
+ injected = true
+ break
+ }
+ }
+ if !injected {
+ out.Code = append(out.Code, coreTemplates.Code{
+ Engine: regoSchema.Name,
+ Source: &coreTemplates.Anything{Value: regoSource.ToUnstructured()},
+ })
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go
index 2a46ec4b1e2..b992505278b 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go
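Review bot: `out.Code[i].Source.Value = regoSource.ToUnstructured()` dereferences `Source` without a nil check, and `Convert_v1beta1_Code_To_templates_Code` (next hunk) passes a nil `Source` through unchanged, so a v1beta1 target that sets `rego:` and also lists a `code` entry with `engine: Rego` but no `source` panics here instead of returning an error; a guard such as `if out.Code[i].Source == nil { out.Code[i].Source = &coreTemplates.Anything{} }` before the assignment closes that. The API server's Required marker does not cover callers that convert templates loaded from files or tests, so the conversion should not rely on it. The same loop silently replaces whatever Rego source the author put under `code` with the legacy `rego`/`libs` fields, even though the type comment says Rego may be given in only one place; either return an error on the conflict or document in the function comment that the legacy field wins, so the policy that is enforced matches what was reviewed.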
@@ -65,6 +65,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*Code)(nil), (*templates.Code)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_Code_To_templates_Code(a.(*Code), b.(*templates.Code), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*templates.Code)(nil), (*Code)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_templates_Code_To_v1beta1_Code(a.(*templates.Code), b.(*Code), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*ConstraintTemplate)(nil), (*templates.ConstraintTemplate)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta1_ConstraintTemplate_To_templates_ConstraintTemplate(a.(*ConstraintTemplate), b.(*templates.ConstraintTemplate), scope) }); err != nil { @@ -125,11 +135,6 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*Target)(nil), (*templates.Target)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1beta1_Target_To_templates_Target(a.(*Target), b.(*templates.Target), scope) - }); err != nil { - return err - } if err := s.AddGeneratedConversionFunc((*templates.Target)(nil), (*Target)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_templates_Target_To_v1beta1_Target(a.(*templates.Target), b.(*Target), scope) }); err != nil { 
@@ -140,6 +145,11 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddConversionFunc((*Target)(nil), (*templates.Target)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_Target_To_templates_Target(a.(*Target), b.(*templates.Target), scope) + }); err != nil { + return err + } if err := s.AddConversionFunc((*Validation)(nil), (*templates.Validation)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1beta1_Validation_To_templates_Validation(a.(*Validation), b.(*templates.Validation), scope) }); err != nil { 
@@ -238,6 +248,28 @@ func Convert_templates_CRDSpec_To_v1beta1_CRDSpec(in *templates.CRDSpec, out *CR return autoConvert_templates_CRDSpec_To_v1beta1_CRDSpec(in, out, s) } +func autoConvert_v1beta1_Code_To_templates_Code(in *Code, out *templates.Code, s conversion.Scope) error { + out.Engine = in.Engine + out.Source = (*templates.Anything)(unsafe.Pointer(in.Source)) + return nil +} + +// Convert_v1beta1_Code_To_templates_Code is an autogenerated conversion function. +func Convert_v1beta1_Code_To_templates_Code(in *Code, out *templates.Code, s conversion.Scope) error { + return autoConvert_v1beta1_Code_To_templates_Code(in, out, s) +} + +func autoConvert_templates_Code_To_v1beta1_Code(in *templates.Code, out *Code, s conversion.Scope) error { + out.Engine = in.Engine + out.Source = (*templates.Anything)(unsafe.Pointer(in.Source)) + return nil +} + +// Convert_templates_Code_To_v1beta1_Code is an autogenerated conversion function. +func Convert_templates_Code_To_v1beta1_Code(in *templates.Code, out *Code, s conversion.Scope) error { + return autoConvert_templates_Code_To_v1beta1_Code(in, out, s) +} + func autoConvert_v1beta1_ConstraintTemplate_To_templates_ConstraintTemplate(in *ConstraintTemplate, out *templates.ConstraintTemplate, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1beta1_ConstraintTemplateSpec_To_templates_ConstraintTemplateSpec(&in.Spec, &out.Spec, s); err != nil { @@ -316,7 +348,17 @@ func autoConvert_v1beta1_ConstraintTemplateSpec_To_templates_ConstraintTemplateS if err := Convert_v1beta1_CRD_To_templates_CRD(&in.CRD, &out.CRD, s); err != nil { return err } - out.Targets = *(*[]templates.Target)(unsafe.Pointer(&in.Targets)) + if in.Targets != nil { + in, out := &in.Targets, &out.Targets + *out = make([]templates.Target, len(*in)) + for i := range *in { + if err := Convert_v1beta1_Target_To_templates_Target(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Targets = nil + } return nil } 
@@ -329,7 +371,17 @@ func autoConvert_templates_ConstraintTemplateSpec_To_v1beta1_ConstraintTemplateS if err := Convert_templates_CRD_To_v1beta1_CRD(&in.CRD, &out.CRD, s); err != nil { return err } - out.Targets = *(*[]Target)(unsafe.Pointer(&in.Targets)) + if in.Targets != nil { + in, out := &in.Targets, &out.Targets + *out = make([]Target, len(*in)) + for i := range *in { + if err := Convert_templates_Target_To_v1beta1_Target(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Targets = nil + } return nil } @@ -410,18 +462,15 @@ func autoConvert_v1beta1_Target_To_templates_Target(in *Target, out *templates.T out.Target = in.Target out.Rego = in.Rego out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs)) + out.Code = *(*[]templates.Code)(unsafe.Pointer(&in.Code)) return nil } -// Convert_v1beta1_Target_To_templates_Target is an autogenerated conversion function. -func Convert_v1beta1_Target_To_templates_Target(in *Target, out *templates.Target, s conversion.Scope) error { - return autoConvert_v1beta1_Target_To_templates_Target(in, out, s) -} - func autoConvert_templates_Target_To_v1beta1_Target(in *templates.Target, out *Target, s conversion.Scope) error { out.Target = in.Target out.Rego = in.Rego out.Libs = *(*[]string)(unsafe.Pointer(&in.Libs)) + out.Code = *(*[]Code)(unsafe.Pointer(&in.Code)) return nil } 
@@ -430,6 +479,12 @@ func Convert_templates_Target_To_v1beta1_Target(in *templates.Target, out *Targe return autoConvert_templates_Target_To_v1beta1_Target(in, out, s) } +func autoConvert_v1beta1_Validation_To_templates_Validation(in *Validation, out *templates.Validation, s conversion.Scope) error { + // INFO: in.OpenAPIV3Schema opted out of conversion generation + out.LegacySchema = (*bool)(unsafe.Pointer(in.LegacySchema)) + return nil +} + func autoConvert_templates_Validation_To_v1beta1_Validation(in *templates.Validation, out *Validation, s conversion.Scope) error { if in.OpenAPIV3Schema != nil { in, out := &in.OpenAPIV3Schema, &out.OpenAPIV3Schema diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go index 593de641923..27a564e25ca 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go @@ -81,6 +81,25 @@ func (in *CRDSpec) DeepCopy() *CRDSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Code) DeepCopyInto(out *Code) { + *out = *in + if in.Source != nil { + in, out := &in.Source, &out.Source + *out = (*in).DeepCopy() + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Code. +func (in *Code) DeepCopy() *Code { + if in == nil { + return nil + } + out := new(Code) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConstraintTemplate) DeepCopyInto(out *ConstraintTemplate) { *out = *in 
@@ -228,6 +247,13 @@ func (in *Target) DeepCopyInto(out *Target) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Code != nil { + in, out := &in.Code, &out.Code + *out = make([]Code, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Target. diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go index e0b9b3adf4a..8d9cd57b4f7 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go @@ -11,6 +11,8 @@ import ( apiconstraints "github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints" "github.com/open-policy-agent/frameworks/constraint/pkg/client/crds" "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers" + regoSchema "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema" + "github.com/open-policy-agent/frameworks/constraint/pkg/client/errors" clienterrors "github.com/open-policy-agent/frameworks/constraint/pkg/client/errors" "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates" "github.com/open-policy-agent/frameworks/constraint/pkg/handler" 
@@ -31,9 +33,22 @@ const statusField = "status" // allowed to continue running. Thus, this problem can only safely be handled // by the caller. type Client struct { - // driver contains the Rego runtime environments to run queries against. - // Does not require mutex locking as Driver is threadsafe. - driver drivers.Driver + // driver priority specifies the preference for which driver should + // be preferred if a template specifies multiple kinds of source + // code. It is determined by the order with which drivers are + // added to the client. + driverPriority map[string]int + + // ignoreNoReferentialDriverWarning toggles whether we warn the user + // when there is no registered driver that supports referential data when + // they call AddData() + ignoreNoReferentialDriverWarning bool + + // drivers contains the drivers for policy engines understood + // by the constraint framework client. + // Does not require mutex locking as Driver is threadsafe + // and the map should be created during bootstrapping. + drivers map[string]drivers.Driver // targets are the targets supported by this Client. // Assumed to be constant after initialization. targets map[string]handler.TargetHandler 
@@ -45,6 +60,26 @@ type Client struct {
 templates map[string]*templateClient
 }
+// driverForTemplate returns the driver to be used for a template according
+// to the driver priority in the client. An empty string means the constraint
+// template does not contain a language the client has a driver for.
+func (c *Client) driverForTemplate(template *templates.ConstraintTemplate) string {
+ if len(template.Spec.Targets) == 0 {
+ return ""
+ }
+ language := ""
+ for _, v := range template.Spec.Targets[0].Code {
+ priority, ok := c.driverPriority[v.Engine]
+ if !ok {
+ continue
+ }
+ if priority < c.driverPriority[language] || c.driverPriority[language] == 0 {
+ language = v.Engine
+ }
+ }
+ return language
+}
+
 // CreateCRD creates a CRD from template.
 func (c *Client) CreateCRD(ctx context.Context, templ *templates.ConstraintTemplate) (*apiextensions.CustomResourceDefinition, error) {
 if templ == nil {
@@ -93,7 +128,9 @@ func (c *Client) AddTemplate(ctx context.Context, templ *templates.ConstraintTem
 }
 }
- if cachedCpy != nil && cachedCpy.SemanticEqual(templ) {
+ // if there is more than one active driver for the template, there is some cleanup to do
+ // from a botched driver swap.
+ if cachedCpy != nil && cachedCpy.SemanticEqual(templ) && len(cached.activeDrivers) == 1 {
 resp.Handled[targetName] = true
 return resp, nil
 }
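Review bot: `driverForTemplate` relies on `c.driverPriority[language] == 0` as the "nothing chosen yet" sentinel, which is correct only because `Driver()` in client_opts.go assigns priorities as `len(client.drivers)` after insertion, i.e. starting at 1; add `// priorities start at 1 (see Driver()), so 0 means no engine selected yet` above the loop so a later change to the option does not silently break selection. The function also consults `template.Spec.Targets[0]` alone, which the `// TODO` in `AddTemplate` acknowledges; repeating that in this doc comment would stop readers assuming every target is considered. In the fast-path condition, `len(cached.activeDrivers) == 1` dereferences `cached` guarded only by `cachedCpy != nil`; that is presumably safe because `cachedCpy` is derived from `cached` earlier in `AddTemplate`, but the relation is established outside the hunk and deserves a word in the comment. `AddTemplate`'s body continues past the hunk.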
@@ -135,29 +172,72 @@ func (c *Client) AddTemplate(ctx context.Context, templ *templates.ConstraintTem
 return resp, err
 }
- if err := c.driver.AddTemplate(ctx, templ); err != nil {
+ newDriverN := c.driverForTemplate(templ)
+
+ driver, ok := c.drivers[newDriverN]
+ if !ok {
+ return resp, fmt.Errorf("%w: available drivers: %v, wanted %q", clienterrors.ErrNoDriver, c.driverPriority, c.driverForTemplate(templ))
+ }
+
+ // TODO: because different targets may have different code sets,
+ // the driver should be told which targets to load code for.
+ // this is moot right now, since templates only have one target
+ if err := driver.AddTemplate(ctx, templ); err != nil {
 return resp, err
 }
 templateName := templ.GetName()
- template := c.templates[templateName]
+ cacheEntry := c.templates[templateName]
 // We don't want to use the usual "if found/ok" idiom here - if the value
 // stored for templateName is nil, we need to update it to be non-nil to avoid
 // a panic.
- if template == nil {
- template = &templateClient{
- constraints: make(map[string]*constraintClient),
+ if cacheEntry == nil {
+ cacheEntry = newTemplateClient()
+ c.templates[templateName] = cacheEntry
+ }
+
+ cacheEntry.activeDrivers[newDriverN] = true
+
+ // For drivers that require a local cache of constraints, we ensure that
+ // cache is current if the active driver has changed.
+ if cachedCpy != nil {
+ oldDriverN := c.driverForTemplate(cachedCpy)
+ if oldDriverN != newDriverN {
+ cacheEntry.needsConstraintReplay = true
 }
+ }
- c.templates[templateName] = template
+ if cacheEntry.needsConstraintReplay {
+ for _, constraintEntry := range cacheEntry.constraints {
+ cstr := constraintEntry.getConstraint()
+ if err := driver.AddConstraint(ctx, cstr); err != nil {
+ return resp, fmt.Errorf("%w: while replaying constraints", err)
+ }
+ }
+ cacheEntry.needsConstraintReplay = false
 }
- // This state mutation needs to happen last so that the semantic equal check
- // at the beginning does not incorrectly return true when updating did not
- // succeed previously.
- template.Update(templ, crd, target)
+ // This state mutation needs to happen after the new driver is fully ready
+ // to enforce the template
+ cacheEntry.Update(templ, crd, target)
+
+ // Remove old drivers last so that templates can be enforced
+ // despite a botched update
+ for oldDriverN := range cacheEntry.activeDrivers {
+ if oldDriverN == newDriverN {
+ continue
+ }
+ oldDriver, ok := c.drivers[oldDriverN]
+ if !ok {
+ return resp, fmt.Errorf("%w: while changing drivers", clienterrors.ErrNoDriver)
+ }
+ if err := oldDriver.RemoveTemplate(ctx, cachedCpy); err != nil {
+ return resp, fmt.Errorf("%w: while changing drivers", err)
+ }
+ delete(cacheEntry.activeDrivers, oldDriverN)
+ }
 resp.Handled[targetName] = true
 return resp, nil
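Review bot: the `ErrNoDriver` error path recomputes `c.driverForTemplate(templ)` although `newDriverN` already holds the result; use `newDriverN`, and give the empty-name case its own wording, because `wanted ""` tells an operator nothing about a template whose targets list no engine this client has a driver for. The replay loop intentionally leaves `needsConstraintReplay` set and the new driver in `activeDrivers` on failure so the next `AddTemplate` retries, but that recovery path is only visible by tracing state; a sentence in the comment above the loop would make it explicit. Likewise, the final removal loop returns on the first failing `RemoveTemplate`, leaving later stale drivers in `activeDrivers` for `RemoveTemplate`/`RemoveConstraint` to clean up; say so in the `// Remove old drivers last` comment. The function begins outside the hunk.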
@@ -189,22 +269,33 @@ func (c *Client) RemoveTemplate(ctx context.Context, templ *templates.Constraint
 c.mtx.Lock()
 defer c.mtx.Unlock()
- err := c.driver.RemoveTemplate(ctx, templ)
- if err != nil {
- return resp, err
- }
-
 name := templ.GetName()
- template, found := c.templates[name]
-
+ cached, found := c.templates[name]
 if !found {
 return resp, nil
 }
+ template := cached.getTemplate()
+
+ // remove the template from all active drivers
+ // to ensure cleanup in case of a botched update
+ for driverN := range cached.activeDrivers {
+ driver, ok := c.drivers[driverN]
+ if !ok {
+ return resp, fmt.Errorf("%w: could not clean up %q", clienterrors.ErrNoDriver, driverN)
+ }
+
+ err := driver.RemoveTemplate(ctx, template)
+ if err != nil {
+ return resp, err
+ }
+ delete(cached.activeDrivers, driverN)
+ }
+
 delete(c.templates, name)
- for _, target := range template.targets {
+ for _, target := range cached.targets {
 resp.Handled[target.GetName()] = true
 }
@@ -253,25 +344,32 @@ func (c *Client) AddConstraint(ctx context.Context, constraint *unstructured.Uns
 }
 kind := constraint.GetKind()
- template := c.getTemplateForKind(kind)
- if template == nil {
+ cached := c.getTemplateForKind(kind)
+ if cached == nil {
 templateName := strings.ToLower(kind)
 return resp, templateNotFound(templateName)
 }
- changed, err := template.AddConstraint(constraint)
+ template := cached.getTemplate()
+
+ driver, ok := c.drivers[c.driverForTemplate(template)]
+ if !ok {
+ return resp, clienterrors.ErrNoDriver
+ }
+
+ changed, err := cached.AddConstraint(constraint)
 if err != nil {
 return resp, err
 }
 if changed {
- err = c.driver.AddConstraint(ctx, constraint)
+ err = driver.AddConstraint(ctx, constraint)
 if err != nil {
 return resp, err
 }
 }
- for _, target := range template.targets {
+ for _, target := range cached.targets {
 resp.Handled[target.GetName()] = true
 }
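Review bot: `AddConstraint` registers the constraint only with the driver selected by `c.driverForTemplate(template)`, while `RemoveConstraint` in the next hunk touches every entry of `cached.activeDrivers`; during an incomplete swap the stale driver keeps the template but never receives new constraints, which appears defensible because `review` routes by the same selection, but the asymmetry should be stated in a comment above the `driver, ok :=` lookup. The bare `return resp, clienterrors.ErrNoDriver` also lacks the `%w: ...` context the sibling sites in this file attach; `fmt.Errorf("%w: for template %q", clienterrors.ErrNoDriver, template.GetName())` would match them. Both functions begin outside the hunk.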
@@ -291,25 +389,34 @@ func (c *Client) RemoveConstraint(ctx context.Context, constraint *unstructured.
 return resp, err
 }
- err = c.driver.RemoveConstraint(ctx, constraint)
- if err != nil {
- return nil, err
- }
-
 kind := constraint.GetKind()
- template := c.getTemplateForKind(kind)
- if template == nil {
+ cached := c.getTemplateForKind(kind)
+ if cached == nil {
 // The Template has been deleted, so nothing to do and no reason to return
 // error.
 return resp, nil
 }
- for _, target := range template.targets {
+ // Remove the constraint from all active drivers
+ // in case we are in the middle of a botched update
+ for driverN := range cached.activeDrivers {
+ driver, ok := c.drivers[driverN]
+ if !ok {
+ return resp, clienterrors.ErrNoDriver
+ }
+
+ err = driver.RemoveConstraint(ctx, constraint)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ for _, target := range cached.targets {
 resp.Handled[target.GetName()] = true
 }
- template.RemoveConstraint(constraint.GetName())
+ cached.RemoveConstraint(constraint.GetName())
 return resp, nil
 }
@@ -431,14 +538,22 @@ func (c *Client) AddData(ctx context.Context, data interface{}) (*types.Response
 continue
 }
- err = c.driver.AddData(ctx, name, key, processedDataCpy)
- if err != nil {
- errMap[name] = err
+ // To avoid maintaining duplicate caches, only Rego should get its own
+ // storage. We should work to remove the need for this special case
+ // by building a global storage object. Right now Rego needs its own
+ // cache to cache constraints.
+ if _, ok := c.drivers[regoSchema.Name]; ok {
+ err = c.drivers[regoSchema.Name].AddData(ctx, name, key, processedDataCpy)
+ if err != nil {
+ errMap[name] = err
- if cache != nil {
- cache.Remove(key)
+ if cache != nil {
+ cache.Remove(key)
+ }
+ continue
 }
- continue
+ } else if !c.ignoreNoReferentialDriverWarning {
+ errMap[name] = ErrNoReferentialDriver
 }
 resp.Handled[name] = true
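Review bot: in `AddData`, when no Rego driver is registered and the warning is not suppressed, `errMap[name] = ErrNoReferentialDriver` is recorded but execution falls through to `resp.Handled[name] = true`, whereas the driver-error branch `continue`s; the target is reported as both handled and failed, and the entry presumably added to `cache` earlier in the function is kept even though no driver can consume it. Callers that read `Handled` to conclude that referential data is in place would be misled, which matters because referential constraints depending on that data cannot be evaluated. Either `continue` after recording the error (removing the key from `cache` as the error branch does) or state the intended semantics in the comment above the `if _, ok := c.drivers[regoSchema.Name]` check. `RemoveData` in the following hunk has the same fall-through. Both functions begin outside the hunk.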
@@ -468,10 +583,18 @@ func (c *Client) RemoveData(ctx context.Context, data interface{}) (*types.Respo
 continue
 }
- err = c.driver.RemoveData(ctx, target, relPath)
- if err != nil {
- errMap[target] = err
- continue
+ // To avoid maintaining duplicate caches, only Rego should get its own
+ // storage. We should work to remove the need for this special case
+ // by building a global storage object. Right now Rego needs its own
+ // cache to cache constraints.
+ if _, ok := c.drivers[regoSchema.Name]; ok {
+ err = c.drivers[regoSchema.Name].RemoveData(ctx, target, relPath)
+ if err != nil {
+ errMap[target] = err
+ continue
+ }
+ } else if !c.ignoreNoReferentialDriverWarning {
+ errMap[target] = ErrNoReferentialDriver
 }
 resp.Handled[target] = true
@@ -573,27 +696,75 @@ func (c *Client) Review(ctx context.Context, obj interface{}, opts ...drivers.Qu
 func (c *Client) review(ctx context.Context, target string, constraints []*unstructured.Unstructured, review interface{}, opts ...drivers.QueryOpt) (*types.Response, error) {
 var results []*types.Result
 var tracesBuilder strings.Builder
+ errs := &errors.ErrorMap{}
- results, trace, err := c.driver.Query(ctx, target, constraints, review, opts...)
- if err != nil {
- return nil, err
+ driverToConstraints := map[string][]*unstructured.Unstructured{}
+
+ for _, constraint := range constraints {
+ template, ok := c.templates[strings.ToLower(constraint.GetObjectKind().GroupVersionKind().Kind)]
+ if !ok {
+ return nil, fmt.Errorf("%w: while loading driver for constraint %s", ErrMissingConstraintTemplate, constraint.GetName())
+ }
+ driver := c.driverForTemplate(template.template)
+ if driver == "" {
+ return nil, fmt.Errorf("%w: while loading driver for constraint %s", clienterrors.ErrNoDriver, constraint.GetName())
+ }
+ driverToConstraints[driver] = append(driverToConstraints[driver], constraint)
 }
- if trace != nil {
- tracesBuilder.WriteString(*trace)
- tracesBuilder.WriteString("\n\n")
+ for driverName, driver := range c.drivers {
+ if len(driverToConstraints[driverName]) == 0 {
+ continue
+ }
+ driverResults, trace, err := driver.Query(ctx, target, driverToConstraints[driverName], review, opts...)
+ if err != nil {
+ errs.Add(driverName, err)
+ continue
+ }
+ results = append(results, driverResults...)
+
+ if trace != nil {
+ tracesBuilder.WriteString(fmt.Sprintf("DRIVER %s:\n\n", driverName))
+ tracesBuilder.WriteString(*trace)
+ tracesBuilder.WriteString("\n\n")
+ }
+ }
+
+ traceStr := tracesBuilder.String()
+ var trace *string
+ if len(traceStr) != 0 {
+ trace = &traceStr
+ }
+
+ // golang idiom is nil on no errors, so we should
+ // only return errs if it is non-empty, otherwise
+ // we get a non-nil interface (even if errs is nil, since
+ // the interface would still hold type info).
+ var errRet error
+ if len(*errs) > 0 {
+ errRet = errs
 }
 return &types.Response{
 Trace: trace,
 Target: target,
 Results: results,
- }, nil
+ }, errRet
 }
 // Dump dumps the state of OPA to aid in debugging.
 func (c *Client) Dump(ctx context.Context) (string, error) {
- return c.driver.Dump(ctx)
+ var dumpBuilder strings.Builder
+ for driverName, driver := range c.drivers {
+ dump, err := driver.Dump(ctx)
+ if err != nil {
+ return "", err
+ }
+ dumpBuilder.WriteString(fmt.Sprintf("DRIVER: %s:\n\n", driverName))
+ dumpBuilder.WriteString(dump)
+ dumpBuilder.WriteString("\n\n")
+ }
+ return dumpBuilder.String(), nil
 }
 // knownTargets returns a sorted list of known target names.
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client_opts.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client_opts.go
index e1a16d53433..0a70fb9b59a 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client_opts.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client_opts.go
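Review bot: `review` now returns partial `results` alongside a non-nil error when one driver's `Query` fails, where the replaced code returned `nil, err`; a caller that inspects `Results` before checking the error sees only the violations of the drivers that succeeded and could treat the review as clean. Document on `review` (and on `Client.Review`, whose body is outside the hunk) that a non-nil error means the evaluation is incomplete and must be treated as a failed review, not as "no violations". Ranging over the `c.drivers` map also makes the order of `results` and of the `DRIVER %s:` trace sections vary between runs, which complicates comparing traces during an incident; iterate over the driver names in a sorted slice instead, and the same applies to `Dump` below. `tracesBuilder.WriteString(fmt.Sprintf(...))` can be written `fmt.Fprintf(&tracesBuilder, "DRIVER %s:\n\n", driverName)`.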
@@ -54,7 +54,21 @@ func validateTargetNames(ts []handler.TargetHandler) []string {
 // Driver defines the Rego execution environment.
 func Driver(d drivers.Driver) Opt {
 return func(client *Client) error {
- client.driver = d
+ if d.Name() == "" {
+ return ErrNoDriverName
+ }
+ if _, ok := client.drivers[d.Name()]; ok {
+ return fmt.Errorf("%w: %s", ErrDuplicateDriver, d.Name())
+ }
+ client.drivers[d.Name()] = d
+ client.driverPriority[d.Name()] = len(client.drivers)
+ return nil
+ }
+}
+
+func IgnoreNoReferentialDriverWarning(ignore bool) Opt {
+ return func(client *Client) error {
+ client.ignoreNoReferentialDriverWarning = ignore
 return nil
 }
 }
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/interface.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/interface.go
index 1a1754d1faa..4f8da7cafd8 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/interface.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/interface.go
@@ -11,6 +11,10 @@ import (
 // A Driver implements Rego query execution of Templates and Constraints.
 type Driver interface {
+ // Name returns the name of the driver, used to uniquely identify a driver
+ // and in errors returned to the user.
+ Name() string
+
 // AddTemplate compiles a Template's code to be specified by
 // Constraints and referenced in Query. Replaces the existing Template if it
 // already exists.
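Review bot: `IgnoreNoReferentialDriverWarning` is exported without a doc comment; suggest `// IgnoreNoReferentialDriverWarning controls whether AddData and RemoveData report ErrNoReferentialDriver when no registered driver supports referential data.` The comment on `Driver` still reads "defines the Rego execution environment" although the option now registers any named driver and its registration order defines priority; update it and note that `len(client.drivers)` after insertion yields priorities starting at 1, which `driverForTemplate` in client.go depends on for its zero sentinel. Both options write into `client.drivers` and `client.driverPriority`, so the constructor must allocate those maps before applying options — presumably it does, but that code is outside the hunk.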
@@ -29,10 +33,12 @@ type Driver interface { RemoveConstraint(ctx context.Context, constraint *unstructured.Unstructured) error // AddData caches data to be used for referential Constraints. Replaces data - // if it already exists at the specified path. + // if it already exists at the specified path. This is a deprecated method that + // will only be called for the "Rego" driver. AddData(ctx context.Context, target string, path storage.Path, data interface{}) error // RemoveData removes cached data, so the data at the specified path can no - // longer be used in referential Constraints. + // longer be used in referential Constraints. This is a deprecated method that + // will only be called for the "Rego" driver. RemoveData(ctx context.Context, target string, path storage.Path) error // Query runs the passed target's Constraints against review. diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/args.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/args.go similarity index 99% rename from vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/args.go rename to vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/args.go index 8a4d8794e58..9868cc3080c 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/args.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/args.go @@ -1,4 +1,4 @@ -package local +package rego import ( "fmt" 
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/builtin.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/builtin.go similarity index 98% rename from vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/builtin.go rename to vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/builtin.go index ee27249f3da..106ea1fce1b 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/builtin.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/builtin.go @@ -1,4 +1,4 @@ -package local +package rego import ( "net/http" diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/compilers.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/compilers.go similarity index 88% rename from vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/compilers.go rename to vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/compilers.go index 908513a9e94..0fc072deae8 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/compilers.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/compilers.go 
@@ -1,15 +1,19 @@
-package local
+package rego
 import (
+ "errors"
 "fmt"
 "sync"
+ "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema"
 clienterrors "github.com/open-policy-agent/frameworks/constraint/pkg/client/errors"
 "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 "github.com/open-policy-agent/frameworks/constraint/pkg/regorewriter"
 "github.com/open-policy-agent/opa/ast"
 )
+
+var ErrNoRego = errors.New("Could not extract Rego from the constraint template")
+
 // Compilers is a threadsafe store of Compilers for ConstraintTemplates.
 type Compilers struct {
 mtx sync.RWMutex
@@ -125,8 +129,9 @@ func parseConstraintTemplate(templ *templates.ConstraintTemplate, externs []stri
 }
 mods := make(map[string][]*ast.Module)
- for _, target := range templ.Spec.Targets {
- targetMods, err := parseConstraintTemplateTarget(rr, target)
+ for i := range templ.Spec.Targets {
+ target := templ.Spec.Targets[i]
+ targetMods, err := parseConstraintTemplateTarget(rr, &target)
 if err != nil {
 return nil, err
 }
@@ -137,8 +142,24 @@ func parseConstraintTemplate(templ *templates.ConstraintTemplate, externs []stri
 return mods, nil
 }
-func parseConstraintTemplateTarget(rr *regorewriter.RegoRewriter, targetSpec templates.Target) ([]*ast.Module, error) {
- entryPoint, err := parseModule(templatePath, targetSpec.Rego)
+func parseConstraintTemplateTarget(rr *regorewriter.RegoRewriter, targetSpec *templates.Target) ([]*ast.Module, error) {
+ var regoCode templates.Code
+ found := false
+ for _, code := range targetSpec.Code {
+ if code.Engine == schema.Name {
+ found = true
+ regoCode = code
+ break
+ }
+ }
+ if !found {
+ return nil, ErrNoRego
+ }
+ regoSrc, err := schema.GetSource(regoCode)
+ if err != nil {
+ return nil, err
+ }
+ entryPoint, err := parseModule(templatePath, regoSrc.Rego)
 if err != nil {
 return nil, fmt.Errorf("%w: %v", clienterrors.ErrInvalidConstraintTemplate, err)
 }
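Review bot: `ErrNoRego`'s message `"Could not extract Rego from the constraint template"` is capitalized, unlike the lowercase sentinel messages elsewhere in this package (staticcheck ST1005); change it to `errors.New("could not extract Rego from the constraint template")`. In `parseConstraintTemplate`, `target := templ.Spec.Targets[i]` copies the struct only so its address can be taken; `&templ.Spec.Targets[i]` reads the same element without the copy. `parseConstraintTemplateTarget` returning `ErrNoRego` is a defensive path given the client only hands Rego-bearing templates to this driver, so a one-line comment saying it guards direct callers would help. The `@@ -137` hunk's function continues past the hunk.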
@@ -160,7 +181,7 @@ func parseConstraintTemplateTarget(rr *regorewriter.RegoRewriter, targetSpec tem
 }
 rr.AddEntryPointModule(templatePath, entryPoint)
 
- for idx, libSrc := range targetSpec.Libs {
+ for idx, libSrc := range regoSrc.Libs {
 libPath := fmt.Sprintf(`%s["lib_%d"]`, templateLibPrefix, idx)
 
 m, err := parseModule(libPath, libSrc)
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/driver.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/driver.go
similarity index 96%
rename from vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/driver.go
rename to vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/driver.go
index 55c5754e3ab..c1b546e127f 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/driver.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/driver.go
@@ -1,4 +1,4 @@
-package local
+package rego
 
 import (
 "bytes"
@@ -13,6 +13,7 @@ import (
 
 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/constraints"
 "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers"
+ "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema"
 clienterrors "github.com/open-policy-agent/frameworks/constraint/pkg/client/errors"
 "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
@@ -73,14 +74,19 @@ type Driver struct {
 clientCertWatcher *certwatcher.CertWatcher
 }
 
-// RegoEvaluationMeta has rego specific metadata from evaluation.
-type RegoEvaluationMeta struct {
+// EvaluationMeta has rego specific metadata from evaluation.
+type EvaluationMeta struct {
 // TemplateRunTime is the number of milliseconds it took to evaluate all constraints for a template.
 TemplateRunTime float64 `json:"templateRunTime"`
 // ConstraintCount indicates how many constraints were evaluated for an underlying rego engine eval call.
 ConstraintCount uint `json:"constraintCount"`
 }
 
+// Name returns the name of the driver.
+func (d *Driver) Name() string {
+ return schema.Name
+}
+
 // AddTemplate adds templ to Driver. Normalizes modules into usable forms for
 // use in queries.
 func (d *Driver) AddTemplate(ctx context.Context, templ *templates.ConstraintTemplate) error {
@@ -113,9 +119,13 @@ func (d *Driver) RemoveTemplate(ctx context.Context, templ *templates.Constraint
 d.mtx.Lock()
 defer d.mtx.Unlock()
 
+ if err := d.storage.removeDataEach(ctx, constraintParent); err != nil {
+ return err
+ }
+
 d.compilers.removeTemplate(kind)
 delete(d.targets, kind)
- return d.storage.removeDataEach(ctx, constraintParent)
+ return nil
 }
 
 // AddConstraint adds Constraint to Rego storage. Future calls to Query will
@@ -291,7 +301,7 @@ func (d *Driver) Query(ctx context.Context, target string, constraints []*unstru
 }
 
 for _, result := range kindResults {
- result.EvaluationMeta = RegoEvaluationMeta{
+ result.EvaluationMeta = EvaluationMeta{
 TemplateRunTime: float64(evalEndTime.Nanoseconds()) / 1000000,
 ConstraintCount: uint(len(kindResults)),
 }
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/new.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/new.go
similarity index 97%
rename from vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/new.go
rename to vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/new.go
index 654e1fe1d0a..de433764b93 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/new.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/new.go
@@ -1,4 +1,4 @@
-package local
+package rego
 
 import (
 "github.com/open-policy-agent/opa/rego"
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/rego.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/rego.go
similarity index 99%
rename from vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/rego.go
rename to vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/rego.go
index 00df19ed182..2037bc028fe 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/rego.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/rego.go
@@ -1,4 +1,4 @@
-package local
+package rego
 
 import "github.com/open-policy-agent/opa/ast"
 
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema/schema.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema/schema.go
new file mode 100644
index 00000000000..da1bd4c0434
--- /dev/null
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema/schema.go
@@ -0,0 +1,70 @@
+package schema
+
+import (
+ "errors"
+ "fmt"
+
+ "github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+// Name is the name of the driver.
+const Name = "Rego"
+
+var (
+ ErrBadType = errors.New("Could not recognize the type")
+ ErrMissingField = errors.New("Rego source missing required field")
+)
+
+type Source struct {
+ // Rego holds the main code for the constraint template. The `Violations` rule is the entry point.
+ Rego string `json:"rego,omitempty"`
+ // Libs holds supporting code for the main rego library. Modules can be imported from `data.libs`.
+ Libs []string `json:"libs,omitempty"`
+}
+
+func (in *Source) ToUnstructured() map[string]interface{} {
+ if in == nil {
+ return nil
+ }
+
+ out := map[string]interface{}{}
+
+ out["rego"] = in.Rego
+
+ if in.Libs != nil {
+ var libs []interface{}
+ for _, v := range in.Libs {
+ libs = append(libs, v)
+ }
+ out["libs"] = libs
+ }
+
+ return out
+}
+
+func GetSource(code templates.Code) (*Source, error) {
+ rawCode := code.Source
+ v, ok := rawCode.Value.(map[string]interface{})
+ if !ok {
+ return nil, ErrBadType
+ }
+ source := &Source{}
+ rego, found, err := unstructured.NestedString(v, "rego")
+ if err != nil {
+ return nil, fmt.Errorf("%w: while extracting Rego source", err)
+ }
+ if !found {
+ return nil, fmt.Errorf("%w: rego", ErrMissingField)
+ }
+ source.Rego = rego
+
+ libs, found, err := unstructured.NestedStringSlice(v, "libs")
+ if err != nil {
+ return nil, fmt.Errorf("%w: while extracting Rego libs", err)
+ }
+ if found {
+ source.Libs = libs
+ }
+ return source, nil
+}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/storages.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/storages.go
similarity index 99%
rename from vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/storages.go
rename to vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/storages.go
index 7b6738ee7e5..26361a1bbb8 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/storages.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/storages.go
@@ -1,4 +1,4 @@
-package local
+package rego
 
 import (
 "context"
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors.go
index d5271c91a17..b6c918df40c 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors.go
@@ -6,6 +6,9 @@ import (
 
 var (
 ErrCreatingBackend = errors.New("unable to create backend")
+ ErrNoDriverName = errors.New("driver has no name")
+ ErrNoReferentialDriver = errors.New("no driver that supports referential constraints added")
+ ErrDuplicateDriver = errors.New("duplicate drivers of the same name")
 ErrCreatingClient = errors.New("unable to create client")
 ErrMissingConstraint = errors.New("missing Constraint")
 ErrMissingConstraintTemplate = errors.New("missing ConstraintTemplate")
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors/errors.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors/errors.go
index 294599c375a..25a6f211b41 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors/errors.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/errors/errors.go
@@ -19,4 +19,5 @@ var (
 ErrMissingConstraintTemplate = errors.New("missing ConstraintTemplate")
 ErrInvalidModule = errors.New("invalid module")
 ErrChangeTargets = errors.New("ConstraintTemplates with Constraints may not change targets")
+ ErrNoDriver = errors.New("No language driver is installed that handles this constraint template")
 )
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/new_client.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/new_client.go
index e19d15a36e7..64d153e17dc 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/new_client.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/new_client.go
@@ -2,12 +2,16 @@ package client
 
 import (
 "fmt"
+
+ "github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers"
 )
 
 // NewClient creates a new client.
 func NewClient(opts ...Opt) (*Client, error) {
 c := &Client{
- templates: make(map[string]*templateClient),
+ templates: make(map[string]*templateClient),
+ drivers: make(map[string]drivers.Driver),
+ driverPriority: make(map[string]int),
 }
 
 for _, opt := range opts {
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/template_client.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/template_client.go
index b2975bc3375..ef5fa7306c2 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/template_client.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/template_client.go
@@ -30,6 +30,23 @@ type templateClient struct {
 // this Template. This is used to validate incoming Constraints before adding
 // them.
 crd *apiextensions.CustomResourceDefinition
+
+ // if, for some reason, there was an error adding a pre-cached constraint after
+ // a driver switch, AddTemplate returns an error. We should preserve that state
+ // so that we know a constraint replay should be attempted the next time AddTemplate
+ // is called.
+ needsConstraintReplay bool
+
+ // activeDrivers keeps track of drivers that are in an ambiguous state due to a failed
+ // cross-driver update. This allows us to clean up stale state on old drivers.
+ activeDrivers map[string]bool
+}
+
+func newTemplateClient() *templateClient {
+ return &templateClient{
+ constraints: make(map[string]*constraintClient),
+ activeDrivers: make(map[string]bool),
+ }
 }
 
 func (e *templateClient) ValidateConstraint(constraint *unstructured.Unstructured) error {
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go
index b19b66f465d..5e0a7ef019c 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go
@@ -16,10 +16,13 @@ limitations under the License.
 package templates
 
 import (
+ "bytes"
+ "encoding/json"
 "reflect"
 
 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
 )
 
 // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -55,6 +58,21 @@ type Target struct {
 Target string `json:"target,omitempty"`
 Rego string `json:"rego,omitempty"`
 Libs []string `json:"libs,omitempty"`
+ // The source code options for the constraint template, only one of this
+ // or "rego" can be specified.
+ Code []Code `json:"code,omitempty"`
+}
+
+type Code struct {
+ // +kubebuilder:validation:Required
+ // The engine used to evaluate the code. Example: "Rego". Required.
+ Engine string `json:"engine,omitempty"`
+
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Schemaless
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // The source code for the template. Required.
+ Source *Anything `json:"source,omitempty"`
 }
 
 // CreateCRDError represents a single error caught during parsing, compiling, etc.
@@ -105,6 +123,51 @@ type ConstraintTemplateList struct {
 Items []ConstraintTemplate `json:"items"`
 }
 
+// Anything is a struct wrapper around a field of type `interface{}`
+// that plays nicely with controller-gen
+// +kubebuilder:object:generate=false
+// +kubebuilder:validation:Type=""
+type Anything struct {
+ Value interface{} `json:"-"`
+}
+
+func (in *Anything) GetValue() interface{} {
+ return runtime.DeepCopyJSONValue(in.Value)
+}
+
+func (in *Anything) UnmarshalJSON(val []byte) error {
+ if bytes.Equal(val, []byte("null")) {
+ return nil
+ }
+ return json.Unmarshal(val, &in.Value)
+}
+
+// MarshalJSON should be implemented against a value
+// per http://stackoverflow.com/questions/21390979/custom-marshaljson-never-gets-called-in-go
+// credit to K8s api machinery's RawExtension for finding this.
+func (in Anything) MarshalJSON() ([]byte, error) {
+ if in.Value == nil {
+ return []byte("null"), nil
+ }
+ return json.Marshal(in.Value)
+}
+
+func (in *Anything) DeepCopy() *Anything {
+ if in == nil {
+ return nil
+ }
+
+ return &Anything{Value: runtime.DeepCopyJSONValue(in.Value)}
+}
+
+func (in *Anything) DeepCopyInto(out *Anything) {
+ *out = *in
+
+ if in.Value != nil {
+ out.Value = runtime.DeepCopyJSONValue(in.Value)
+ }
+}
+
 // SemanticEqual returns whether there have been changes to a constraint that
 // the framework should know about. It can ignore metadata as it assumes the
 // two comparables share the same identity.
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go
index 3fca590ed89..3e0d52bdefb 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go
@@ -21,7 +21,7 @@ limitations under the License.
 package templates
 
 import (
- runtime "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime"
 )
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -81,6 +81,25 @@ func (in *CRDSpec) DeepCopy() *CRDSpec {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Code) DeepCopyInto(out *Code) {
+ *out = *in
+ if in.Source != nil {
+ in, out := &in.Source, &out.Source
+ *out = (*in).DeepCopy()
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Code.
+func (in *Code) DeepCopy() *Code {
+ if in == nil {
+ return nil
+ }
+ out := new(Code)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConstraintTemplate) DeepCopyInto(out *ConstraintTemplate) {
 *out = *in
@@ -228,6 +247,13 @@ func (in *Target) DeepCopyInto(out *Target) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.Code != nil {
+ in, out := &in.Code, &out.Code
+ *out = make([]Code, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Target.
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/schema/yaml_constant.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/schema/yaml_constant.go
index f93fe25f0ed..b67a7deb4a8 100644
--- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/schema/yaml_constant.go
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/schema/yaml_constant.go
@@ -7,7 +7,8 @@ const constraintTemplateCRDYaml = `apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null name: constrainttemplates.templates.gatekeeper.sh spec: group: templates.gatekeeper.sh @@ -22,13 +23,18 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -64,6 +70,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -80,11 +107,13 @@ spec: properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + description: ByPodStatus defines the observed state of ConstraintTemplate + as seen by an individual controller properties: errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: CreateCRDError represents a single error caught + during parsing, compiling, etc. properties: code: type: string @@ -98,7 +127,8 @@ spec: type: object type: array id: - description: a unique identifier for the pod that wrote the status + description: a unique identifier for the pod that wrote the + status type: string observedGeneration: format: int64 
@@ -117,13 +147,18 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -159,6 +194,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -175,11 +231,13 @@ spec: properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + description: ByPodStatus defines the observed state of ConstraintTemplate + as seen by an individual controller properties: errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: CreateCRDError represents a single error caught + during parsing, compiling, etc. properties: code: type: string @@ -193,7 +251,8 @@ spec: type: object type: array id: - description: a unique identifier for the pod that wrote the status + description: a unique identifier for the pod that wrote the + status type: string observedGeneration: format: int64 
@@ -212,13 +271,18 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -254,6 +318,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -270,11 +355,13 @@ spec: properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + description: ByPodStatus defines the observed state of ConstraintTemplate + as seen by an individual controller properties: errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: CreateCRDError represents a single error caught + during parsing, compiling, etc. properties: code: type: string @@ -288,7 +375,8 @@ spec: type: object type: array id: - description: a unique identifier for the pod that wrote the status + description: a unique identifier for the pod that wrote the + status type: string observedGeneration: format: int64 diff --git a/vendor/modules.txt b/vendor/modules.txt index 34b1063ec31..63e53dbe515 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -415,7 +415,7 @@ github.com/onsi/gomega/types
 # github.com/open-policy-agent/cert-controller v0.4.0
 ## explicit; go 1.17
 github.com/open-policy-agent/cert-controller/pkg/rotator
-# github.com/open-policy-agent/frameworks/constraint v0.0.0-20230303021054-89ae905c94d2
+# github.com/open-policy-agent/frameworks/constraint v0.0.0-20230304011918-d82cbe189211
 ## explicit; go 1.18
 github.com/open-policy-agent/frameworks/constraint/deploy
 github.com/open-policy-agent/frameworks/constraint/pkg/apis
@@ -429,7 +429,8 @@ github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1
 github.com/open-policy-agent/frameworks/constraint/pkg/client
 github.com/open-policy-agent/frameworks/constraint/pkg/client/crds
 github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers
-github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local
+github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego
+github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego/schema
 github.com/open-policy-agent/frameworks/constraint/pkg/client/errors
 github.com/open-policy-agent/frameworks/constraint/pkg/core/constraints
 github.com/open-policy-agent/frameworks/constraint/pkg/core/templates