Add ability to create partial Constraint resources for policies with …

…parameters The opt-in constraints-for-parameters flag instructs Konstraint to create Constraint resources for policies with parameters, setting each value to null. Subsequent tools in the pipeline such as Kustomize can then set the values for each parameter. Signed-off-by: James Alseth <james@jalseth.me>
plexsystems · Jan 22, 2022 · dd898e9 · dd898e9
1 parent deb52b1
commit dd898e9
Showing 1 changed file with 23 additions and 4 deletions.
diff --git a/internal/commands/create.go b/internal/commands/create.go
@@ -38,18 +38,18 @@ Create constraints with the Gatekeeper enforcement action set to dryrun
 			if err := viper.BindPFlag("dryrun", cmd.PersistentFlags().Lookup("dryrun")); err != nil {
 				return fmt.Errorf("bind dryrun flag: %w", err)
 			}
-
 			if err := viper.BindPFlag("output", cmd.PersistentFlags().Lookup("output")); err != nil {
 				return fmt.Errorf("bind output flag: %w", err)
 			}
-
 			if err := viper.BindPFlag("skip-constraints", cmd.PersistentFlags().Lookup("skip-constraints")); err != nil {
 				return fmt.Errorf("bind skip-constraints flag: %w", err)
 			}
-
 			if err := viper.BindPFlag("constraint-template-version", cmd.PersistentFlags().Lookup("constraint-template-version")); err != nil {
 				return fmt.Errorf("bind constraint-template-version flag: %w", err)
 			}
+			if err := viper.BindPFlag("constraints-for-parameters", cmd.PersistentFlags().Lookup("constraints-for-parameters")); err != nil {
+				return fmt.Errorf("bind constraints-for-parameters flag: %w", err)
+			}
 
 			path := "."
 			if len(args) > 0 {
@@ -64,6 +64,7 @@ Create constraints with the Gatekeeper enforcement action set to dryrun
 	cmd.PersistentFlags().BoolP("dryrun", "d", false, "Sets the enforcement action of the constraints to dryrun, overriding the @enforcement tag")
 	cmd.PersistentFlags().Bool("skip-constraints", false, "Skip generation of constraints")
 	cmd.PersistentFlags().String("constraint-template-version", "v1beta1", "Set the version of ConstraintTemplates")
+	cmd.PersistentFlags().Bool("constraints-for-parameters", false, "Generate partial Constraints for policies with parameters")
 
 	return &cmd
 }
@@ -124,7 +125,7 @@ func runCreateCommand(path string) error {
 		}
 
 		// Skip Constraint generation if there are parameters on the template.
-		if len(violation.Parameters()) > 0 {
+		if len(violation.Parameters()) > 0 && !viper.GetBool("constraints-for-parameters") {
 			logger.Warn("skipping constraint generation due to use of parameters")
 			continue
 		}
@@ -286,9 +287,27 @@ func getConstraint(violation rego.Rego) (unstructured.Unstructured, error) {
 		}
 	}
 
+	if len(violation.Parameters()) > 0 && viper.GetBool("constraints-for-parameters") {
+		if err := addParametersToConstraint(&constraint, violation.Parameters()); err != nil {
+			return unstructured.Unstructured{}, fmt.Errorf("add parameters %v to constraint: %w", violation.Parameters(), err)
+		}
+	}
+
 	return constraint, nil
 }
 
+func addParametersToConstraint(constraint *unstructured.Unstructured, parameters []rego.Parameter) error {
+	params := make(map[string]interface{})
+	for _, p := range parameters {
+		params[p.Name] = nil
+	}
+	if err := unstructured.SetNestedField(constraint.Object, params, "spec", "parameters"); err != nil {
+		return fmt.Errorf("set parameters map: %w", err)
+	}
+
+	return nil
+}
+
 func setKindMatcher(constraint *unstructured.Unstructured, kindMatchers []rego.KindMatcher) error {
 	var kinds []string
 	var apiGroups []string