feat: add policy crd and controller #933

Merged
merged 32 commits into from
Jul 21, 2023

Conversation

binbin-li
Collaborator

@binbin-li binbin-li commented Jul 13, 2023

Description

What this PR does / why we need it:

  1. Add Policy CRD to support switching between config/rego policies in runtime.
  2. Add Policy controller that manipulates the active policy in Ratify. There would be at most 1 policy existing in Ratify as Ratify cannot apply multiple policies. That means when users apply a new CR, the old CR would be removed from the cluster. And if no CR is added, config policy will be the default one.
  3. Refactor executor to remove duplicate code; there is no actual logic change.
  4. Add a new API (GetPolicyType) to the PolicyProvider interface to distinguish between policy enforcers without featureFlag.
  5. Remove PassthroughMode from featureFlag, add it as a field under RegoPolicyConfig.
  6. Remove Use_Rego_Policy from featureFlag, but add it as a regular chart value.
  7. Update docs.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #936

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

Updated e2e tests.
Manual test:

  1. Deploy ratify with config policy.
  2. Apply Rego Policy CR.
  3. Apply Config Policy CR.
  4. Apply Rego Policy CR.
  5. Delete Rego Policy CR.

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change
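
As an added illustration (not code from this PR or from Ratify), the Go program below models the single-active-policy behaviour of items 2 and 4 and replays the manual test sequence. The type names, the policy type strings, the CR names and the handling of a stale delete event are assumptions made for the example.

```go
package main

import "fmt"

// Policy is a hypothetical stand-in for a Policy CR; not Ratify's type.
type Policy struct {
	Name string // CR name (constructed sample values in main)
	Type string // "configpolicy" or "regopolicy" (assumed labels)
}

// defaultPolicy models the config policy used when no CR exists.
var defaultPolicy = Policy{Name: "", Type: "configpolicy"}

// ActivePolicy holds the one policy that may be enforced at a time.
type ActivePolicy struct{ current Policy }

func NewActivePolicy() *ActivePolicy { return &ActivePolicy{current: defaultPolicy} }

// GetPolicyType lets callers ask which enforcer is active instead of
// reading a feature flag (the idea behind item 4).
func (a *ActivePolicy) GetPolicyType() string { return a.current.Type }

// Apply makes p active and returns the name of the CR that now has to be
// removed from the cluster ("" when there is nothing to remove).
func (a *ActivePolicy) Apply(p Policy) (evict string) {
	if a.current.Name != "" && a.current.Name != p.Name {
		evict = a.current.Name
	}
	a.current = p
	return evict
}

// Delete handles a delete event. Only deleting the active CR falls back to
// the default; the delete event of an already replaced CR is ignored so it
// cannot silently downgrade the policy that replaced it.
func (a *ActivePolicy) Delete(name string) {
	if name != "" && name == a.current.Name {
		a.current = defaultPolicy
	}
}

func main() {
	a := NewActivePolicy()
	rego := Policy{Name: "rego-cr", Type: "regopolicy"}
	cfg := Policy{Name: "config-cr", Type: "configpolicy"}
	fmt.Println("deploy:", a.GetPolicyType())
	fmt.Printf("apply rego: evict=%q active=%s\n", a.Apply(rego), a.GetPolicyType())
	fmt.Printf("apply config: evict=%q active=%s\n", a.Apply(cfg), a.GetPolicyType())
	fmt.Printf("apply rego: evict=%q active=%s\n", a.Apply(rego), a.GetPolicyType())
	a.Delete("config-cr") // stale event for the evicted CR
	fmt.Println("after stale delete:", a.GetPolicyType())
	a.Delete("rego-cr")
	fmt.Println("after deleting rego CR:", a.GetPolicyType())
}
```
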

@binbin-li binbin-li force-pushed the add-policy-crd branch 2 times, most recently from 8a905cb to e5cb8a8 Compare July 17, 2023 12:24
@binbin-li binbin-li marked this pull request as ready for review July 17, 2023 12:25
@binbin-li binbin-li marked this pull request as draft July 18, 2023 05:29
susanshi
susanshi previously approved these changes Jul 20, 2023
Collaborator

@susanshi susanshi left a comment

Just left a comment about a small typo, otherwise looks good. Thanks!

@binbin-li binbin-li merged commit 2c12e23 into ratify-project:main Jul 21, 2023
11 checks passed
bspaans pushed a commit to bspaans/ratify that referenced this pull request Oct 17, 2023
Development

Successfully merging this pull request may close these issues.

Make policy configured by CRD
3 participants