Adjust Gatekeeper Policy Installation For Improved CLI Installations

[cartyc]

This PR moves the gatekeeper constraints from the gatekeeper-policies package to the core-landing-zone package. This will help resolve issue #409 and allow for easier non-gitops based installation approaches as this allows for the ConstraintTemplate to be installed before the gatekeeper constraint file and prevents the issue where one would need to comment out of the constraint file first before apply the gatekeeper-policies package.

The overall goal of this PR is to improve the installation process for users of non-gitops based installs, kpt in particular. This would also allow us to install more constraintTemplates via the gatekeeper-policies package into the cluster without needing to enable them right away.

[fmichaelobrien]

LGTM

• nice, thanks for the constraints move - Chris

[cartyc]

@alaincormier-ssc @davelanglois-ssc @fmichaelobrien I made the changes discussed yesterday and wanted to get your input before I start fixing the README and Kptfiles.

Created a new solution directory called policy-constraint-bundles with 2 bundles, guardrails-v1 and naming-policies.

[alaincormier-ssc]

@alaincormier-ssc @davelanglois-ssc @fmichaelobrien I made the changes discussed yesterday and wanted to get your input before I start fixing the README and Kptfiles.

Created a new solution directory called policy-constraint-bundles with 2 bundles, guardrails-v1 and naming-policies.

that should work
will each bundle be tagged by release-please?

[cartyc]

That's what I was thinking, might be overkill but I believe having specific task based bundles makes sense. I was using the Anthos Gatekeeper Bundles as by point of reference.

[davelanglois-ssc]

Hey @cartyc, I really like the concept. If I understand correctly, the constrainttemplate would remain in the existing gatekeeper-policies package. Do you think that name still make sense ?

[cartyc]

Hey @cartyc, I really like the concept. If I understand correctly, the constrainttemplate would remain in the existing gatekeeper-policies package. Do you think that name still make sense ?

That's correct, the package would just act as a means to load the constrainttemplates into the Config Controller or GKE instances, similar to what happens when you you enable the installation of the default template library on policy controller I think the name gatekeeper-policies still works but maybe the bundle names might need some additional tuning to help keep things more distinct. gatekeeper-policy-templates might be a good option though if we want to rename the package.

[fmichaelobrien]

Thanks Chris. I'll review the template changes post last month's discussion - later today after my last deployment meet. Deploying a new lz anyway.

[fmichaelobrien]

LGTM

• nice
• dryrun is appreciated - in particular for the cost-center/centre ones
• will reapprove if required after lint commit

[cartyc]

Thanks Mike, I was just cracking open an editor to start hacking away at the linting issues.

[fmichaelobrien]

LGTM

[fmichaelobrien]

LGTM
reviewed
c62264b#diff-0e4828475a445061adf098b63da0946c315796e05bb5354d1b142e2ec8b6d427

[fmichaelobrien]

LGTM

[fmichaelobrien]

LGTM

• yes lint is soooo particular on CR/LF spaces...
• thanks for taking the heat

[cartyc]

@davelanglois-ssc should be good for a final review.

[fmichaelobrien]

LGTM
the dryrun is appreciated

[fmichaelobrien]

LGTM

• last change good

[fmichaelobrien]

LGTM

[obriensystems]

closing - keep reference code only