Add RFC 10, Rancher integration of policies

[viccuad]

Description

Relates to #7

Rendered RFC.

[flavio]

Great analysis 👏

I propose a variation on the alternative approach which is an hybrid between the core proposal and alternative "A":

• Store the additional information inside of the Wasm metadata
• Have a tool that reads the embedded metadata and produces as output all the Rancher helm chart files

The rest would work like the core proposal. What do you think?

[viccuad]

As an example of a Helm chart for a policy, see kubewarden/allow-privilege-escalation-psp-policy#30.

This example is implemented directly in the main branch of the policy repo, instead of an orphan branch, and is reusing its readme, license, and files.

[flavio]

I propose a variation on the alternative approach which is an hybrid between the core proposal and alternative "A":

• Store the additional information inside of the Wasm metadata

• Have a tool that reads the embedded metadata and produces as output all the Rancher helm chart files

Looking at the contents created via kubewarden/allow-privilege-escalation-psp-policy#30, I think the only reasonable thing to include inside of the policy metadata would be the questions.yml stuff. I wonder if this is worth the effort...

[viccuad]

Committed clarification of points, and reworded to use folder instead of branch.

Looking at the contents created via kubewarden/allow-privilege-escalation-psp-policy#30, I think the only reasonable thing to include inside of the policy metadata would be the questions.yml stuff. I wonder if this is worth the effort...

It also provides a simple airgap story for the metadata (download Helm charts, mirror OCI wasm modules).

I still favour Alternative B (use OCI's manifest.config). To me, feels like the correct implementation. It's a field that is present for normal container images, simplifies airgap, removes unneeded metadata from artifacthub-pkg.yml.

We just need a client that can pull the manifest of an artifact from an OCI registry (e.g: 30 secs search, https://github.com/Pixeladed/oci-registry-js), and to do so on kwctl push too. We aren't making much of a new promise, just substituting storing the metadata in artifacthub/helm chart for the OCI repo.

[raulcabello]

Thanks @viccuad ! I don't think it is a good idea to place kubewarden policies in https://github.com/rancher/charts

In my opinion we should leave https://github.com/rancher/charts just for apps that can be deployed in your cluster (kubewarden for example)

We could create a separate chart repository for the policies something like https://github.com/rancher/kubewarden-policies-charts. Drawback is that users would need to add it manually, or would it possible to add this new repository when kubewarden is installed? (I don't think that's possible, but I'm not sure..)

[raulcabello]

LGTM. We might need to make some modifications in the future based on the feedback we get for the questions.yaml and where to place the policies. I'm happy merging this now.
Thanks for the hard work @viccuad!

[jvanz]

LGTM! :D
Thank you @viccuad for this work!

[viccuad]

Merging! we can make adjustments later on.