From 6a7b766c6b3dc2e2af73e8b0de1621526f2f6a4e Mon Sep 17 00:00:00 2001
From: Samir Tahir <30797145+samirtahir91@users.noreply.github.com>
Date: Sat, 13 Jul 2024 10:07:20 +0100
Subject: [PATCH] feat: Add gatekeeper policy (#67)
---
 README.md | 3 +++
 gatekeeper-policy/constraint-template.yaml | 22 ++++++++++++++++++++++
 gatekeeper-policy/constraint.yaml | 9 +++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 gatekeeper-policy/constraint-template.yaml
 create mode 100644 gatekeeper-policy/constraint.yaml
diff --git a/README.md b/README.md
index 6353321..53b4b6a 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,9 @@ The `github-app-operator` is a Kubernetes operator that generates an access toke
 - Stores the access token in a secret specified by `accessTokenSecret`.
 ### Private Key Retrieval Options
+> [!TIP]
+> There is a sample constraint template and constraint for Gatekeeper to restrict the type of private key source in the `gatekeeper-policy` folder since we can't restrict it to be unique in the GithubApp CRD.
+
 #### 1. Using a Kubernetes Secret
 - **Configuration:**
diff --git a/gatekeeper-policy/constraint-template.yaml b/gatekeeper-policy/constraint-template.yaml
new file mode 100644
index 0000000..70da732
--- /dev/null
+++ b/gatekeeper-policy/constraint-template.yaml
@@ -0,0 +1,22 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: githubappprivatekey
+spec:
+ crd:
+ spec:
+ names:
+ kind: GithubAppPrivateKey
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package githubappsecrets
+ violation[{"msg": msg}] {
+ target_keys := {"privateKeySecret", "googlePrivateKeySecret", "vaultPrivateKey"}
+ provided_keys := {key | _ = input.review.object.spec[key]}
+ intersection := target_keys & provided_keys
+ count(intersection) != 1
+ invalid := provided_keys - target_keys
+ msg := "Exactly one of privateKeySecret, googlePrivateKeySecret or vaultPrivateKey are allowed"
+ }
\ No newline at end of file
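Review bot: `invalid := provided_keys - target_keys` in the violation rule is assigned and never read, so it neither narrows the match nor reaches the message, and OPA's strict mode (`opa check --strict`) would reject the template for the unused assignment; because `spec` legitimately carries fields other than the three key sources, that set would mostly hold unrelated fields anyway. Either delete the line or make the message report what was actually found, e.g. `msg := sprintf("exactly one of privateKeySecret, googlePrivateKeySecret or vaultPrivateKey is allowed, got %v", [intersection])`, which also tells the submitter which sources collided or that none was set. A one-line rego comment above `target_keys`, such as `# the mutually exclusive private-key source fields of the GithubApp spec; exactly one must be present`, would record why these names are special. The file is also missing its trailing newline.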
diff --git a/gatekeeper-policy/constraint.yaml b/gatekeeper-policy/constraint.yaml
new file mode 100644
index 0000000..690f484
--- /dev/null
+++ b/gatekeeper-policy/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: GithubAppPrivateKey
+metadata:
+ name: githubapp-unique-key-constraint
+spec:
+ match:
+ kinds:
+ - apiGroups: ["githubapp.samir.io"]
+ kinds: ["GithubApp"]
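Review bot: Nothing in the manifest records that admission enforcement applies only to GithubApp objects created or updated after the constraint is installed; objects already in the cluster with zero or several key sources keep running and are only surfaced by Gatekeeper audit, not removed. A comment above `spec:` such as `# Rejects new/updated GithubApp objects with other than one key source; pre-existing violators are reported by Gatekeeper audit, not removed.` would save the next operator a surprise. `enforcementAction` is not set, so Gatekeeper's default applies; if deny is the intent, stating it in the same comment makes the sample self-describing.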