chore: upgrade cf to have the defaults injection (open-policy-agent#2811

) Signed-off-by: Alex Pana <[email protected]> Signed-off-by: alex <[email protected]>
julianKatz · Jun 7, 2023 · cac4f35 · cac4f35
1 parent b7230e0
commit cac4f35
Show file tree

Hide file tree

Showing 7 changed files with 122 additions and 12 deletions.
diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.9.5
 	github.com/onsi/gomega v1.27.6
 	github.com/open-policy-agent/cert-controller v0.4.0
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230602003713-ce7b1a7bad19
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.14.0
 	github.com/spf13/cobra v1.6.1

diff --git a/go.sum b/go.sum
@@ -958,8 +958,8 @@ github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/open-policy-agent/cert-controller v0.4.0 h1:AQntgNq7fsoHgnoKrOk0lpRyab1na09vibeJCX4YBCs=
 github.com/open-policy-agent/cert-controller v0.4.0/go.mod h1:uOQW+2tMU51vSxy1Yt162oVUTMdqLuotC0aObQxrh6k=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa h1:1r6gnPhbsswSIem/Fa11fKo/MhjijzvqSxWIu+3HQeY=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa/go.mod h1:nrGEsNJ9LyQa68eqwV6snwCc7pbkvwUJLPZlq6zz6Fs=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20230602003713-ce7b1a7bad19 h1:gT2q5XmdAMKWnrm1S+5DntPXncWLT29k27xYhIbTVvw=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20230602003713-ce7b1a7bad19/go.mod h1:nrGEsNJ9LyQa68eqwV6snwCc7pbkvwUJLPZlq6zz6Fs=
 github.com/open-policy-agent/opa v0.51.0 h1:2hS5xhos8HtkN+mgpqMhNJSFtn/1n/h3wh+AeTPJg6Q=
 github.com/open-policy-agent/opa v0.51.0/go.mod h1:OjmwLfXdeR7skSxrt8Yd3ScXTqPxyJn7GeTRJrcEerU=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=

diff --git a/test/gator/test/fixtures/manifests/with-policies/with-violations-and-defaults.yaml b/test/gator/test/fixtures/manifests/with-policies/with-violations-and-defaults.yaml
@@ -0,0 +1,75 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabelsdefault
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabelsDefault
+      validation:
+        legacySchema: false
+        openAPIV3Schema:
+          properties:
+            labels:
+              description: A list of labels and values the object must specify.
+              default:
+                - key: "aRequiredLabel"
+              items:
+                properties:
+                  key:
+                    description: The required label.
+                    type: string
+                type: object
+              type: array
+            message:
+              default: "aRequiredMessage"
+              type: string
+            placeholder: # needed to showcase defaulting of the other two props above.
+              type: string
+          type: object
+  targets:
+  - rego: |
+      package k8srequiredlabels
+
+      get_message(parameters, _default) = msg {
+        not parameters.message
+        msg := _default
+      }
+
+      get_message(parameters, _default) = msg {
+        msg := parameters.message
+      }
+
+      violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+        provided := {label | input.review.object.metadata.labels[label]}
+        required := {label | label := input.parameters.labels[_].key}
+        missing := required - provided
+        count(missing) > 0
+
+        msg := input.parameters.message
+      }
+
+    target: admission.k8s.gatekeeper.sh
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabelsDefault
+metadata:
+  name: all-must-have-owner
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    placeholder: "placeholder"
+# notice no parameters that are used in the validaiton code are defined, 
+# the defaults are applied from the ConstraintTemplate's open api v3 schema definition
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-ns
+# Missing owner label
+#  labels:
+#    owner: user.agilebank.demo
diff --git a/test/gator/test/test.bats b/test/gator/test/test.bats
@@ -245,3 +245,18 @@ match_yaml_msg () {
   want_msg="you must provide labels: {\"geo\"}"
   match_yaml_msg "${output[*]}" "${want_msg}"
 }
+
+@test "observe open api v3 defaults being applied" {
+  run bin/gator test \
+    -f="$BATS_TEST_DIRNAME/fixtures/manifests/with-policies/with-violations-and-defaults.yaml" \
+    -o=yaml
+
+  [ "$status" -eq 1 ]
+
+  # these are defined in the template's default fields for the parameters
+  want_msg_1="aRequiredLabel" 
+  want_msg_2="aRequiredMessage"
+
+  match_substring "${output[*]}" "${want_msg_1}"
+  match_substring "${output[*]}" "${want_msg_2}"
+}
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/client.go
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/template_client.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/template_client.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -437,7 +437,7 @@ github.com/onsi/gomega/types
 # github.com/open-policy-agent/cert-controller v0.4.0
 ## explicit; go 1.17
 github.com/open-policy-agent/cert-controller/pkg/rotator
-# github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa
+# github.com/open-policy-agent/frameworks/constraint v0.0.0-20230602003713-ce7b1a7bad19
 ## explicit; go 1.18
 github.com/open-policy-agent/frameworks/constraint/deploy
 github.com/open-policy-agent/frameworks/constraint/pkg/apis