
Pulumi crossguard policy doesn't apply for k8s.helm.v3.Chart #2057

Closed
awoimbee opened this issue Jul 6, 2022 · 5 comments · Fixed by #2066 or #2133
Labels
kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed

Comments

@awoimbee

awoimbee commented Jul 6, 2022

What happened?

Following #1672 (comment) I tried to create a policypack.
I'm using pulumi preview --non-interactive --policy-pack ../crossguard-policies

This works:

import * as k8s from "@pulumi/kubernetes";
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

new PolicyPack("kubernetes-typescript", {
  policies: [{
    name: "helm-charts-are-up-to-date",
    description: "Helm charts deployments should use the latest version.",
    enforcementLevel: "mandatory", // "advisory",
    // The callback fires for every core/v1 Service in the stack.
    validateResource: validateResourceOfType(k8s.core.v1.Service, (config, args, reportViolation) => {
      reportViolation(`:0`);
    }),
  }],
});

But not this:

// Identical to the block above; only the resource class differs.
new PolicyPack("kubernetes-typescript", {
  policies: [{
    name: "helm-charts-are-up-to-date",
    description: "Helm charts deployments should use the latest version.",
    enforcementLevel: "mandatory", // "advisory",
    validateResource: validateResourceOfType(k8s.helm.v3.Chart, (config, args, reportViolation) => {
      reportViolation(`:0`);
    }),
  }],
});

The callback is never called on k8s.helm.v3.Chart.

Steps to reproduce

  • Create a crossguard policy that validates k8s.helm.v3.Chart
  • The validateResource callback is never called

Expected Behavior

The validation callback is called

Actual Behavior

The validation callback is not called

Versions used

CLI
Version      3.35.3
Go Version   go1.17.11
Go Compiler  gc

Plugins
NAME    VERSION
nodejs  unknown

Host
OS       arch
Version  21.3.2
Arch     x86_64

This project is written in nodejs: executable='/usr/bin/node' version='v18.3.0'

Additional context

No response


@awoimbee awoimbee added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jul 6, 2022
@mikhailshilkov mikhailshilkov removed the needs-triage Needs attention from the triage team label Jul 6, 2022
@mikhailshilkov mikhailshilkov transferred this issue from pulumi/pulumi Jul 6, 2022
@mikhailshilkov
Member

Thank you @awoimbee for reporting this.

I took a quick look at this and it looks like validateResourceOfType expects a __pulumiType tag on each resource type to identify its type token: https://github.com/pulumi/pulumi-policy/blob/b252390ed5ffc5a3974a2b319402afee7e06d12e/sdk/nodejs/policy/server.ts#L574

All custom resources have it, e.g. https://github.com/pulumi/pulumi-kubernetes/blob/master/sdk/nodejs/authorization/v1/localSubjectAccessReview.ts#L25

But not the Chart component: https://github.com/pulumi/pulumi-kubernetes/blob/4f2602184e0032e29485479fee3c850e347ce53d/sdk/nodejs/helm/v3/helm.ts

Therefore, I moved the issue to pulumi-kubernetes.
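A minimal model of the matching rule described above, added here as an illustration and not code from pulumi-policy or pulumi-kubernetes: the stand-in classes, the constructed resource list and the strict variant are assumptions for the example. It shows why a class without the tag produces a policy that never fires, and a guard a policy author can use to fail loudly instead.

```typescript
// Added illustration (not pulumi-policy's own code): a model of how a
// validateResourceOfType-style wrapper decides whether to run its callback.
// The wrapper reads the static `__pulumiType` tag on the resource class and
// compares it with the type token of the resource under validation.

type ResourceArgs = { type: string; name: string; props: Record<string, unknown> };
type Validator = (args: ResourceArgs, report: (msg: string) => void) => void;
interface ResourceClass { __pulumiType?: string; new (...args: any[]): unknown; }

// Hypothetical stand-ins for the SDK classes (assumed for this example).
class Service { static __pulumiType = "kubernetes:core/v1:Service"; }
class ChartWithoutTag {}                       // models a component with no tag
class ChartWithTag { static __pulumiType = "kubernetes:helm.sh/v3:Chart"; }

// Mirrors the lookup described in the thread: a class with no tag never matches,
// so the callback is silently skipped for every resource.
function validateResourceOfType(cls: ResourceClass, cb: Validator): Validator {
  return (args, report) => {
    if (cls.__pulumiType !== undefined && cls.__pulumiType === args.type) {
      cb(args, report);
    }
  };
}

// Defensive variant for policy authors: refuse to build a policy around a class
// that can never match, instead of shipping a no-op policy.
function validateResourceOfTypeStrict(cls: ResourceClass, cb: Validator): Validator {
  if (typeof cls.__pulumiType !== "string") {
    throw new Error("resource class has no __pulumiType tag; policy would never fire");
  }
  return validateResourceOfType(cls, cb);
}

// Run one validator over a list of resources and collect the violations.
function runPolicy(v: Validator, resources: ResourceArgs[]): string[] {
  const out: string[] = [];
  for (const r of resources) {
    v(r, (m) => out.push(`${r.type}: ${r.name}: ${m}`));
  }
  return out;
}

// Constructed sample stack: one Service and one Helm Chart.
const sampleStack: ResourceArgs[] = [
  { type: "kubernetes:core/v1:Service", name: "web", props: {} },
  { type: "kubernetes:helm.sh/v3:Chart", name: "redis", props: { chart: "redis" } },
];
```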

@mikhailshilkov mikhailshilkov added the needs-triage Needs attention from the triage team label Jul 6, 2022
@jkodroff jkodroff self-assigned this Jul 8, 2022
@jkodroff
Member

jkodroff commented Jul 8, 2022

Hi @awoimbee. I've submitted a PR that (I hope - this is my first contribution to this repo) fixes the issue.

@jkodroff jkodroff removed the needs-triage Needs attention from the triage team label Jul 8, 2022
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Jul 18, 2022
@awoimbee
Author

@jkodroff Your changes did not fix the issue, please reopen and remove the resolution/fixed label (I just tested on "@pulumi/kubernetes": "3.20.1").
This bug is pretty bad since it ignores the policy without any warning (at first glance it looks like everything is OK).

@awoimbee
Author

awoimbee commented Jul 22, 2022

@viveklak you seem to be active in the issues, maybe you can help?

@awoimbee
Author

awoimbee commented Aug 17, 2022

Oh come on! How did you test your code @jkodroff?
It now calls the callback in validateResourceOfType, but the config (supposed to be UnwrappedObject<k8s.helm.v3.ChartOpts>) is empty!

import * as k8s from "@pulumi/kubernetes";
import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

new PolicyPack("kubernetes-typescript", {
  policies: [{
    name: "helm-charts-are-up-to-date",
    description: "Helm charts deployments should use the latest version.",
    enforcementLevel: "advisory",
    validateResource: validateResourceOfType(k8s.helm.v3.Chart, async (config, args, reportViolation) => {
      // Dump what the callback actually receives as `config`.
      reportViolation(`AAAH ${config} '${Object.keys(config)}' '${Object.getOwnPropertyNames(config)}' '${Object.getPrototypeOf(config) === Object.prototype}'`);
    }),
  }],
});
    [advisory]  kubernetes-typescript v0.0.1  helm-charts-are-up-to-date (kubernetes:helm.sh/v3:Chart: redis)
    Helm charts deployments should use the latest version.
    AAAH [object Object] '' '' 'true'

pulumi cli v3.38.0, "@pulumi/kubernetes": "^3.20.5", "@pulumi/policy": "^1.4.0"
