Fix ingress template keys (#269)

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>

artifacthub/library/general/uniqueingresshost/1.0.2/artifacthub-pkg.yml

@@ -0,0 +1,25 @@
+version: 1.0.2
+name: k8suniqueingresshost
+displayName: Unique Ingress Host
+createdAt: "2022-12-14T02:34:11Z"
+description: |-
+    Requires all Ingress rule hosts to be unique.
+    Does not handle hostname wildcards: https://kubernetes.io/docs/concepts/services-networking/ingress/
+digest: df9eb5f0e313c41b9c1650a73288e1eba162d4ec279861c7fb854fbe297d1fa3
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/uniqueingresshost
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Unique Ingress Host
+    Requires all Ingress rule hosts to be unique.
+    Does not handle hostname wildcards: https://kubernetes.io/docs/concepts/services-networking/ingress/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/uniqueingresshost/1.0.2/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/uniqueingresshost/1.0.2/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/uniqueingresshost/1.0.2/samples/unique-ingress-host/constraint.yaml

@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sUniqueIngressHost
+metadata:
+  name: unique-ingress-host
+spec:
+  match:
+    kinds:
+      - apiGroups: ["extensions", "networking.k8s.io"]
+        kinds: ["Ingress"]

artifacthub/library/general/uniqueingresshost/1.0.2/samples/unique-ingress-host/example_allowed.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host-allowed
+  namespace: default
+spec:
+  rules:
+  - host: example-allowed-host.example.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx
+            port:
+              number: 80
+  - host: example-allowed-host1.example.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx2
+            port:
+              number: 80

artifacthub/library/general/uniqueingresshost/1.0.2/samples/unique-ingress-host/example_disallowed.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host-disallowed
+  namespace: default
+spec:
+  rules:
+  - host: example-host.example.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx
+            port:
+              number: 80

artifacthub/library/general/uniqueingresshost/1.0.2/samples/unique-ingress-host/example_disallowed2.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host-disallowed2
+  namespace: default
+spec:
+  rules:
+  - host: example-host2.example.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx
+            port:
+              number: 80
+  - host: example-host3.example.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx2
+            port:
+              number: 80

artifacthub/library/general/uniqueingresshost/1.0.2/samples/unique-ingress-host/example_inventory_disallowed.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host-example
+  namespace: default
+spec:
+  rules:
+  - host: example-host.example.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx
+            port:
+              number: 80

artifacthub/library/general/uniqueingresshost/1.0.2/samples/unique-ingress-host/example_inventory_disallowed2.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host-example2
+  namespace: default
+spec:
+  rules:
+  - host: example-host2.example.com
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nginx
+            port:
+              number: 80

artifacthub/library/general/uniqueingresshost/1.0.2/suite.yaml

@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: uniqueingresshost
+tests:
+- name: block-endpoint-default-role
+  template: template.yaml
+  constraint: samples/unique-ingress-host/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/unique-ingress-host/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/unique-ingress-host/example_disallowed.yaml
+    inventory:
+    - samples/unique-ingress-host/example_inventory_disallowed.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed2
+    object: samples/unique-ingress-host/example_disallowed2.yaml
+    inventory:
+    - samples/unique-ingress-host/example_inventory_disallowed2.yaml
+    assertions:
+    - violations: yes

artifacthub/library/general/uniqueingresshost/1.0.2/sync.yaml

@@ -0,0 +1,17 @@
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+  name: config
+  namespace: "gatekeeper-system"
+spec:
+  sync:
+    syncOnly:
+      - group: "extensions"
+        version: "v1beta1"
+        kind: "Ingress"
+      - group: "networking.k8s.io"
+        version: "v1beta1"
+        kind: "Ingress"
+      - group: "networking.k8s.io"
+        version: "v1"
+        kind: "Ingress"

artifacthub/library/general/uniqueingresshost/1.0.2/template.yaml

@@ -0,0 +1,52 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8suniqueingresshost
+  annotations:
+    metadata.gatekeeper.sh/title: "Unique Ingress Host"
+    metadata.gatekeeper.sh/version: 1.0.2
+    metadata.gatekeeper.sh/requiresSyncData: |
+      "[
+        [
+          {
+            "groups": ["extensions"],
+            "versions": ["v1beta1"],
+            "kinds": ["Ingress"]
+          },
+          {
+            "groups": ["networking.k8s.io"],
+            "versions": ["v1beta1", "v1"],
+            "kinds": ["Ingress"]
+          }
+        ]
+      ]"
+    description: >-
+      Requires all Ingress rule hosts to be unique.
+
+      Does not handle hostname wildcards:
+      https://kubernetes.io/docs/concepts/services-networking/ingress/
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sUniqueIngressHost
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8suniqueingresshost
+
+        identical(obj, review) {
+          obj.metadata.namespace == review.object.metadata.namespace
+          obj.metadata.name == review.object.metadata.name
+        }
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Ingress"
+          re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
+          host := input.review.object.spec.rules[_].host
+          other := data.inventory.namespace[_][otherapiversion]["Ingress"][name]
+          re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
+          other.spec.rules[_].host == host
+          not identical(other, input.review)
+          msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
+        }

library/general/uniqueingresshost/template.yaml

@@ -4,19 +4,19 @@ metadata:
   name: k8suniqueingresshost
   annotations:
     metadata.gatekeeper.sh/title: "Unique Ingress Host"
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.0.2
     metadata.gatekeeper.sh/requiresSyncData: |
       "[
         [
           {
-            "groups":["extensions"],
+            "groups": ["extensions"],
             "versions": ["v1beta1"],
             "kinds": ["Ingress"]
           },
           {
-            "group": ["networking.k8s.io"],
-            "version": ["v1beta1", "v1"],
-            "kind": ["Ingress"]
+            "groups": ["networking.k8s.io"],
+            "versions": ["v1beta1", "v1"],
+            "kinds": ["Ingress"]
           }
         ]
       ]"

src/general/uniqueingresshost/constraint.tmpl

@@ -4,19 +4,19 @@ metadata:
   name: k8suniqueingresshost
   annotations:
     metadata.gatekeeper.sh/title: "Unique Ingress Host"
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.0.2
     metadata.gatekeeper.sh/requiresSyncData: |
       "[
         [
           {
-            "groups":["extensions"],
+            "groups": ["extensions"],
             "versions": ["v1beta1"],
             "kinds": ["Ingress"]
           },
           {
-            "group": ["networking.k8s.io"],
-            "version": ["v1beta1", "v1"],
-            "kind": ["Ingress"]
+            "groups": ["networking.k8s.io"],
+            "versions": ["v1beta1", "v1"],
+            "kinds": ["Ingress"]
           }
         ]
       ]"

website/docs/uniqueingresshost.md

@@ -17,19 +17,19 @@ metadata:
   name: k8suniqueingresshost
   annotations:
     metadata.gatekeeper.sh/title: "Unique Ingress Host"
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.0.2
     metadata.gatekeeper.sh/requiresSyncData: |
       "[
         [
           {
-            "groups":["extensions"],
+            "groups": ["extensions"],
             "versions": ["v1beta1"],
             "kinds": ["Ingress"]
           },
           {
-            "group": ["networking.k8s.io"],
-            "version": ["v1beta1", "v1"],
-            "kind": ["Ingress"]
+            "groups": ["networking.k8s.io"],
+            "versions": ["v1beta1", "v1"],
+            "kinds": ["Ingress"]
           }
         ]
       ]"