Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OPA Constraint Template - Query Regarding OPA Custom Function Usage Across Multiple ConstraintTemplates #3831

Open
dore-0803 opened this issue Feb 27, 2025 · 4 comments
Open

OPA Constraint Template - Query Regarding OPA Custom Function Usage Across Multiple ConstraintTemplates #3831

dore-0803 opened this issue Feb 27, 2025 · 4 comments

Comments

@dore-0803
Copy link

Hi Team,

I have a question regarding the usage of custom functions in OPA.

How can I use a function defined in A-ConstraintTemplate.yaml within B-ConstraintTemplate.yaml?

For instance, if we have 10 policies, I would like to write common utility functions only once and reuse those functions across all policies. How can this be achieved?

request you to provide your inputs.

thanks.
@JaydipGabani
Copy link
Contributor

As of not CT can only execute the code defined in rego and lib fields. Importing code outside of the ConstraintTemplate is not allowed. This might help you get some more context - #3558 (comment) on how to reuse common functions.

@dore-0803
Copy link
Author

Can we have common Functions in separate .rego file. And is there any way we can use the functions from .rego file in constraint template files.

Suggest Any other ways to reuse the code/common Functions across all constraint template files.

@JaydipGabani
Copy link
Contributor

@dore-0803 You can look at how gatekeeper library constructs constraint template with having a src.rego file and implement something similar according to your use case.

@dore-0803
Copy link
Author

Hi,

https://github.com/open-policy-agent/gatekeeper-library/tree/master/src/general/allowedreposv2

tha above code is not working.

i just applied constraint.tmpl ,

$ kaf constraint.tmpl
constrainttemplate.templates.gatekeeper.sh/k8sallowedreposv2 created

when i checked the logs it gave the below error.
$ kubectl describe constrainttemplates k8sallowedreposv2

  Code:               ingest_error
  Message:            Could not ingest Rego: invalid ConstraintTemplate: 1 error occurred: template:1: rego_parse_error: unexpected string token: non-terminated set
                      {{ file.Read "src/general/allowedreposv2/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
                                   ^
Id:                   gatekeeper-controller-manager-6d546f5575-zjnrt
Observed Generation:  1

is there any other way to use common functions in separate file(.rego or any other). and use it across all constraint templates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JaydipGabani @dore-0803