add conftest utility for validating opa policy files #177
Conftest can be run as part of the 'otomi validate-policies' command, which will check defined policy files from the 'policies' folder against all generated manifests for the currently defined values
No, just move it in with validate-templates
Forget what I said, having it as a separate
looking good so far...after this we have to make gatekeeper-operator work with these files. I propose to remove charts/gatekeeper-operator-configs and put its templates in values/gatekeeper-operator/config.gotmpl and iterate over those policies and inject them. We need a hash table of $name: $policyFilename in the top so we can dryly spit them out.
please keep the review policies, so we can easily strip the .review.object part
create separate folder for gatekeeper policies; add rego helpers for static analysis input definitions
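The `.review.object` point in the comment above and the "rego helpers for static analysis input definitions" named in this commit both come down to one idea: conftest hands a policy the raw manifest as `input`, while Gatekeeper wraps the same object in an admission review at `input.review.object`. The following is an added example written for this page, not code from the PR or from Otomi; the package name, rule names, the `workload_kinds` set and the memory-limit rule are all my choices, used only to show how a helper lets the same policy body run under both tools.

```rego
package main

# Added example, not code from the PR: an input helper in the spirit of the
# Konstraint pattern, so one policy body runs unchanged under conftest
# (where `input` is the manifest itself) and under Gatekeeper (where the
# manifest sits at `input.review.object`).

default is_gatekeeper = false

# True only when the admission-review wrapper is present; the reference is
# undefined (and the rule body fails) when conftest supplies a bare manifest.
is_gatekeeper {
  input.review.object
}

# `resource` is the Kubernetes object under evaluation in either runtime,
# so policy bodies never mention `.review.object` themselves.
resource = input.review.object {
  is_gatekeeper
}

resource = input {
  not is_gatekeeper
}

# Workload kinds whose pod template lives at spec.template.spec (assumed set).
workload_kinds = {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Sample rule: every container in a workload must declare a memory limit.
# The violation[{"msg": ...}] shape is what Gatekeeper ConstraintTemplates
# expect, and conftest reports it as a failure as well.
violation[{"msg": msg}] {
  workload_kinds[resource.kind]
  container := resource.spec.template.spec.containers[_]
  not container.resources.limits.memory
  msg := sprintf("%s/%s: container %q has no memory limit", [resource.kind, resource.metadata.name, container.name])
}
```

Run locally against rendered output with `conftest test -p policies/ manifest.yaml`; the same rule body can later be embedded in a Gatekeeper ConstraintTemplate without touching the path to the object, because only `resource` knows where the manifest lives.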
Then don't use that plugin? Is the OPA vscode plugin not doing what you want? It seems to lint beautifully. The plexsystems one you are now using is from a one man show, has 0 issues in its git repo, and thus seems to not have many users.
Hi, so I didn't use the official plugin because I never managed to evaluate policies using their embedded feature. Opened an issue here.
Any progress @rawc0der? Can I do a review? I see a conflict in
I fixed quite some issues because you did not rebase often. Please merge with master often!
Hi, you can review now. Probably will add some extra .demo values, but the overall work is done.
made some fixes myself so it can pass
Conftest can be run as part of the 'otomi validate-policies' command, which will check defined policy files from the 'policies' folder against generated manifests.
* feat: add modularization for policies and constraint templates
* feat: add extended Konstraint library for unified rego file syntax
Co-authored-by: Maurice Faber <maurice.faber@redkubes.com>