chore: Upgrade CF for multi-engine (#2616)

Signed-off-by: Max Smythe <smythe@google.com>

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.8.4
 	github.com/onsi/gomega v1.27.2
 	github.com/open-policy-agent/cert-controller v0.4.0
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230303021054-89ae905c94d2
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230304011918-d82cbe189211
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.14.0
 	github.com/spf13/cobra v1.6.1

go.sum

@@ -946,8 +946,8 @@ github.com/onsi/gomega v1.27.2 h1:SKU0CXeKE/WVgIV1T61kSa3+IRE8Ekrv9rdXDwwTqnY=
 github.com/onsi/gomega v1.27.2/go.mod h1:5mR3phAHpkAVIDkHEUBY6HGVsU+cpcEscrGPB4oPlZI=
 github.com/open-policy-agent/cert-controller v0.4.0 h1:AQntgNq7fsoHgnoKrOk0lpRyab1na09vibeJCX4YBCs=
 github.com/open-policy-agent/cert-controller v0.4.0/go.mod h1:uOQW+2tMU51vSxy1Yt162oVUTMdqLuotC0aObQxrh6k=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20230303021054-89ae905c94d2 h1:+ttWrgw5pmieSfAhq843CtJ5JoEunuH/n6PCh/vj6Kk=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20230303021054-89ae905c94d2/go.mod h1:jggTVbseMnEQmCSgMRXByS4P7ykSBz6pLlxsbncSALM=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20230304011918-d82cbe189211 h1:Ma5rn7r3rPwyP9OXi6zNKjNDsCHYccjcno9M83SHgO0=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20230304011918-d82cbe189211/go.mod h1:jggTVbseMnEQmCSgMRXByS4P7ykSBz6pLlxsbncSALM=
 github.com/open-policy-agent/opa v0.49.2 h1:n8ntRq/yDWy+cmYaqSLrHXmrT3tX8WlK28vjFQdC6W8=
 github.com/open-policy-agent/opa v0.49.2/go.mod h1:7L3lN5qe8xboRmEHxC5lGjo5KsRMdK+CCLiFoOCP7rU=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=

main.go

@@ -30,7 +30,7 @@ import (
 	"github.com/go-logr/zapr"
 	"github.com/open-policy-agent/cert-controller/pkg/rotator"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
 	api "github.com/open-policy-agent/gatekeeper/apis"
 	configv1alpha1 "github.com/open-policy-agent/gatekeeper/apis/config/v1alpha1"
@@ -335,11 +335,11 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 	<-setupFinished
 
 	var providerCache *frameworksexternaldata.ProviderCache
-	args := []local.Arg{local.Tracing(false), local.DisableBuiltins(disabledBuiltins.ToSlice()...)}
+	args := []rego.Arg{rego.Tracing(false), rego.DisableBuiltins(disabledBuiltins.ToSlice()...)}
 	mutationOpts := mutation.SystemOpts{Reporter: mutation.NewStatsReporter()}
 	if *externaldata.ExternalDataEnabled {
 		providerCache = frameworksexternaldata.NewCache()
-		args = append(args, local.AddExternalDataProviderCache(providerCache))
+		args = append(args, rego.AddExternalDataProviderCache(providerCache))
 		mutationOpts.ProviderCache = providerCache
 
 		certFile := filepath.Join(*certDir, certName)
@@ -359,13 +359,13 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 		}
 
 		// register the client cert watcher to the driver
-		args = append(args, local.EnableExternalDataClientAuth(), local.AddExternalDataClientCertWatcher(certWatcher))
+		args = append(args, rego.EnableExternalDataClientAuth(), rego.AddExternalDataClientCertWatcher(certWatcher))
 
 		// register the client cert watcher to the mutation system
 		mutationOpts.ClientCertWatcher = certWatcher
 	}
 	// initialize OPA
-	driver, err := local.New(args...)
+	driver, err := rego.New(args...)
 	if err != nil {
 		setupLog.Error(err, "unable to set up Driver")
 		return err

manifest_staging/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   labels:
     gatekeeper.sh/system: "yes"
   name: constrainttemplates.templates.gatekeeper.sh
@@ -61,6 +61,24 @@ spec:
               targets:
                 items:
                   properties:
+                    code:
+                      description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
+                      items:
+                        properties:
+                          engine:
+                            description: 'The engine used to evaluate the code. Example: "Rego". Required.'
+                            type: string
+                          source:
+                            description: The source code for the template. Required.
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - engine
+                        - source
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - engine
+                      x-kubernetes-list-type: map
                     libs:
                       items:
                         type: string
@@ -156,6 +174,24 @@ spec:
               targets:
                 items:
                   properties:
+                    code:
+                      description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
+                      items:
+                        properties:
+                          engine:
+                            description: 'The engine used to evaluate the code. Example: "Rego". Required.'
+                            type: string
+                          source:
+                            description: The source code for the template. Required.
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - engine
+                        - source
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - engine
+                      x-kubernetes-list-type: map
                     libs:
                       items:
                         type: string
@@ -251,6 +287,24 @@ spec:
               targets:
                 items:
                   properties:
+                    code:
+                      description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
+                      items:
+                        properties:
+                          engine:
+                            description: 'The engine used to evaluate the code. Example: "Rego". Required.'
+                            type: string
+                          source:
+                            description: The source code for the template. Required.
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - engine
+                        - source
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - engine
+                      x-kubernetes-list-type: map
                     libs:
                       items:
                         type: string

manifest_staging/charts/gatekeeper/crds/provider-customresourcedefinition.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   labels:
     gatekeeper.sh/system: "yes"
   name: providers.externaldata.gatekeeper.sh

manifest_staging/deploy/gatekeeper.yaml

@@ -1927,7 +1927,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   labels:
     gatekeeper.sh/system: "yes"
   name: constrainttemplates.templates.gatekeeper.sh
@@ -1986,6 +1986,24 @@ spec:
               targets:
                 items:
                   properties:
+                    code:
+                      description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
+                      items:
+                        properties:
+                          engine:
+                            description: 'The engine used to evaluate the code. Example: "Rego". Required.'
+                            type: string
+                          source:
+                            description: The source code for the template. Required.
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - engine
+                        - source
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - engine
+                      x-kubernetes-list-type: map
                     libs:
                       items:
                         type: string
@@ -2081,6 +2099,24 @@ spec:
               targets:
                 items:
                   properties:
+                    code:
+                      description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
+                      items:
+                        properties:
+                          engine:
+                            description: 'The engine used to evaluate the code. Example: "Rego". Required.'
+                            type: string
+                          source:
+                            description: The source code for the template. Required.
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - engine
+                        - source
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - engine
+                      x-kubernetes-list-type: map
                     libs:
                       items:
                         type: string
@@ -2176,6 +2212,24 @@ spec:
               targets:
                 items:
                   properties:
+                    code:
+                      description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
+                      items:
+                        properties:
+                          engine:
+                            description: 'The engine used to evaluate the code. Example: "Rego". Required.'
+                            type: string
+                          source:
+                            description: The source code for the template. Required.
+                            x-kubernetes-preserve-unknown-fields: true
+                        required:
+                        - engine
+                        - source
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - engine
+                      x-kubernetes-list-type: map
                     libs:
                       items:
                         type: string
@@ -3048,7 +3102,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
+    controller-gen.kubebuilder.io/version: v0.11.3
   labels:
     gatekeeper.sh/system: "yes"
   name: providers.externaldata.gatekeeper.sh

pkg/controller/config/config_controller_test.go

@@ -24,7 +24,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/onsi/gomega"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	configv1alpha1 "github.com/open-policy-agent/gatekeeper/apis/config/v1alpha1"
 	"github.com/open-policy-agent/gatekeeper/pkg/controller/config/process"
 	"github.com/open-policy-agent/gatekeeper/pkg/fakes"
@@ -127,7 +127,7 @@ func TestReconcile(t *testing.T) {
 	c := testclient.NewRetryClient(mgr.GetClient())
 
 	// initialize OPA
-	driver, err := local.New(local.Tracing(true))
+	driver, err := rego.New(rego.Tracing(true))
 	if err != nil {
 		t.Fatalf("unable to set up Driver: %v", err)
 	}
@@ -382,7 +382,7 @@ func TestConfig_DeleteSyncResources(t *testing.T) {
 
 func setupController(mgr manager.Manager, wm *watch.Manager, tracker *readiness.Tracker, events <-chan event.GenericEvent) error {
 	// initialize OPA
-	driver, err := local.New(local.Tracing(true))
+	driver, err := rego.New(rego.Tracing(true))
 	if err != nil {
 		return fmt.Errorf("unable to set up Driver: %w", err)
 	}

pkg/controller/constrainttemplate/constrainttemplate_controller_test.go

@@ -26,7 +26,7 @@ import (
 	templatesv1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	statusv1beta1 "github.com/open-policy-agent/gatekeeper/apis/status/v1beta1"
 	"github.com/open-policy-agent/gatekeeper/pkg/fakes"
 	"github.com/open-policy-agent/gatekeeper/pkg/readiness"
@@ -162,7 +162,7 @@ func TestReconcile(t *testing.T) {
 	}
 
 	// initialize OPA
-	driver, err := local.New(local.Tracing(true))
+	driver, err := rego.New(rego.Tracing(true))
 	if err != nil {
 		t.Fatalf("unable to set up Driver: %v", err)
 	}
@@ -585,7 +585,7 @@ violation[{"msg": "denied!"}] {
 	}
 
 	// initialize OPA
-	driver, err := local.New(local.Tracing(true))
+	driver, err := rego.New(rego.Tracing(true))
 	if err != nil {
 		t.Fatalf("unable to set up Driver: %v", err)
 	}

pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/onsi/gomega"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	podstatus "github.com/open-policy-agent/gatekeeper/apis/status/v1beta1"
 	"github.com/open-policy-agent/gatekeeper/pkg/controller/constrainttemplate"
 	"github.com/open-policy-agent/gatekeeper/pkg/fakes"
@@ -113,7 +113,7 @@ violation[{"msg": "denied!"}] {
 	}
 
 	// initialize OPA
-	driver, err := local.New(local.Tracing(true))
+	driver, err := rego.New(rego.Tracing(true))
 	if err != nil {
 		t.Fatalf("unable to set up Driver: %v", err)
 	}

pkg/controller/externaldata/externaldata_controller_test.go

@@ -11,7 +11,7 @@ import (
 	externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned"
 	externaldatav1beta1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/v1beta1"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
 	"github.com/open-policy-agent/gatekeeper/pkg/externaldata"
 	"github.com/open-policy-agent/gatekeeper/pkg/readiness"
@@ -84,8 +84,8 @@ func TestReconcile(t *testing.T) {
 	pc := frameworksexternaldata.NewCache()
 
 	// initialize OPA
-	args := []local.Arg{local.Tracing(false), local.AddExternalDataProviderCache(pc)}
-	driver, err := local.New(args...)
+	args := []rego.Arg{rego.Tracing(false), rego.AddExternalDataProviderCache(pc)}
+	driver, err := rego.New(args...)
 	if err != nil {
 		t.Fatalf("unable to set up Driver: %v", err)
 	}

pkg/gator/opa.go

@@ -2,12 +2,12 @@ package gator
 
 import (
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	"github.com/open-policy-agent/gatekeeper/pkg/target"
 )
 
 func NewOPAClient(includeTrace bool) (Client, error) {
-	driver, err := local.New(local.Tracing(includeTrace))
+	driver, err := rego.New(rego.Tracing(includeTrace))
 	if err != nil {
 		return nil, err
 	}

pkg/gator/test/test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/open-policy-agent/frameworks/constraint/pkg/apis"
 	templatesv1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	"github.com/open-policy-agent/gatekeeper/pkg/expansion"
 	"github.com/open-policy-agent/gatekeeper/pkg/gator/expand"
 	"github.com/open-policy-agent/gatekeeper/pkg/gator/reader"
@@ -30,7 +30,7 @@ func init() {
 func Test(objs []*unstructured.Unstructured, includeTrace bool) (*GatorResponses, error) {
 	// create the client
 
-	driver, err := local.New(local.Tracing(includeTrace))
+	driver, err := rego.New(rego.Tracing(includeTrace))
 	if err != nil {
 		return nil, err
 	}

pkg/readiness/ready_tracker_test.go

@@ -28,7 +28,7 @@ import (
 	externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
-	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	frameworksexternaldata "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
 	"github.com/open-policy-agent/gatekeeper/pkg/controller"
 	"github.com/open-policy-agent/gatekeeper/pkg/controller/config/process"
@@ -89,7 +89,7 @@ func setupManager(t *testing.T) (manager.Manager, *watch.Manager) {
 
 func setupOpa(t *testing.T) *constraintclient.Client {
 	// initialize OPA
-	driver, err := local.New(local.Tracing(false))
+	driver, err := rego.New(rego.Tracing(false))
 	if err != nil {
 		t.Fatalf("setting up Driver: %v", err)
 	}