constraint: Update OPA to v1
This is an initial PoC to show how rego.v1 support might look.

The main thing I am unsure of is the regorewriter. This could have some
issues even with v0 as I understand it. For example, `some x in
data.lib` will not be rewritten correctly. For anyone with more knowledge of
this component: it'd be interesting to better know how this is used and
how it should work when supporting both v0 and v1.

The next obvious thing to consider here is that attempting parsing in
more than one rego version is not ideal. This is done here since we will
not know the source version of the rego until we try to parse it. We
might consider something like this to allow users to force GK to use a
given version.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      version: v1
      rego: |
        package k8srequiredlabels

        violation contains {"msg": msg, "details": {"foo": "bar"}} if {
          ...
        }
```

Signed-off-by: Charlie Egan <[email protected]>
charlieegan3 committed Jan 23, 2025
1 parent 9e57a57 commit b776de3
Showing 1,296 changed files with 37,492 additions and 98,572 deletions.
45 changes: 15 additions & 30 deletions constraint/deploy/crds.yaml
@@ -17,8 +17,7 @@ spec:
- name: v1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates
API
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: |-
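Review bot: the only change in this hunk is the ConstraintTemplate `description` being rejoined onto a single line, so it, and the matching unwrapping repeated through the rest of constraint/deploy/crds.yaml, is cosmetic with no schema effect; if this is generator output produced by the dependency bump, say so in the commit message and make sure CI pins the same generator version, otherwise the file will flip between wrapped and unwrapped on the next regeneration.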
@@ -76,8 +75,7 @@ spec:
items:
properties:
engine:
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
type: string
source:
description: The source code for the template. Required.
@@ -112,8 +110,7 @@ spec:
properties:
errors:
items:
description: CreateCRDError represents a single error caught
during parsing, compiling, etc.
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
@@ -127,8 +124,7 @@ spec:
type: object
type: array
id:
description: a unique identifier for the pod that wrote the
status
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
@@ -147,8 +143,7 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates
API
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: |-
@@ -206,8 +201,7 @@ spec:
items:
properties:
engine:
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
type: string
source:
description: The source code for the template. Required.
@@ -242,8 +236,7 @@ spec:
properties:
errors:
items:
description: CreateCRDError represents a single error caught
during parsing, compiling, etc.
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
@@ -257,8 +250,7 @@ spec:
type: object
type: array
id:
description: a unique identifier for the pod that wrote the
status
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
@@ -277,8 +269,7 @@ spec:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates
API
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: |-
@@ -336,8 +327,7 @@ spec:
items:
properties:
engine:
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
type: string
source:
description: The source code for the template. Required.
@@ -372,8 +362,7 @@ spec:
properties:
errors:
items:
description: CreateCRDError represents a single error caught
during parsing, compiling, etc.
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
@@ -387,8 +376,7 @@ spec:
type: object
type: array
id:
description: a unique identifier for the pod that wrote the
status
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
@@ -421,8 +409,7 @@ spec:
scope: Cluster
versions:
- deprecated: true
deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1
instead.
deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead.
name: v1alpha1
schema:
openAPIV3Schema:
@@ -457,8 +444,7 @@ spec:
description: Timeout is the timeout when querying the provider.
type: integer
url:
description: URL is the url for the provider. URL is prefixed with
https://.
description: URL is the url for the provider. URL is prefixed with https://.
type: string
type: object
type: object
@@ -498,8 +484,7 @@ spec:
description: Timeout is the timeout when querying the provider.
type: integer
url:
description: URL is the url for the provider. URL is prefixed with
https://.
description: URL is the url for the provider. URL is prefixed with https://.
type: string
type: object
type: object
61 changes: 31 additions & 30 deletions constraint/go.mod
@@ -1,22 +1,20 @@
module github.com/open-policy-agent/frameworks/constraint

go 1.22.0
go 1.22.7

toolchain go1.22.5
toolchain go1.22.10

require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
github.com/golang/glog v1.2.1
github.com/golang/glog v1.2.2
github.com/google/go-cmp v0.6.0
github.com/onsi/gomega v1.33.1
github.com/open-policy-agent/opa v0.68.0
github.com/open-policy-agent/opa v1.0.1
github.com/spf13/cobra v1.8.1
github.com/spf13/pflag v1.0.5
golang.org/x/net v0.30.0
k8s.io/api v0.30.3
golang.org/x/net v0.33.0
k8s.io/apiextensions-apiserver v0.30.3
k8s.io/apimachinery v0.30.3
k8s.io/apiserver v0.30.3
k8s.io/client-go v0.30.3
k8s.io/utils v0.0.0-20230726121419-3b25d923346b
sigs.k8s.io/controller-runtime v0.18.4
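Review bot: the opa bump from v0.68.0 to v1.0.1 is a major-version change (OPA 1.0 defaults to Rego v1 syntax and publishes its Go packages under a v1/ subdirectory while keeping the module path, with the pre-1.0 import paths left as deprecated compatibility packages), so it deserves its own line in the commit message; the same hunk also drops k8s.io/api and k8s.io/apiserver from the direct require block and raises go to 1.22.7 and toolchain to go1.22.10, which changes the minimum toolchain consumers need, so run `go mod tidy` and confirm the direct/indirect split matches what the code actually imports and mention the toolchain raise explicitly.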
@@ -25,18 +23,17 @@ require (

require (
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/agnivade/levenshtein v1.2.0 // indirect
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch v4.12.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fsnotify/fsnotify v1.8.0 // indirect
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
@@ -47,11 +44,12 @@ require (
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/cel-go v0.17.8 // indirect
github.com/google/flatbuffers v25.1.21+incompatible // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
github.com/imdario/mergo v0.3.13 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
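Review bot: github.com/google/flatbuffers v25.1.21+incompatible is a new transitive dependency, and the +incompatible suffix means that release publishes no go.mod of its own, so Go cannot reason about its dependency set or verify a versioned module path for it; a `go mod why github.com/google/flatbuffers` recorded in the PR would show which package drags it in and confirm it is expected rather than an accidental pull from the bump.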
@@ -63,7 +61,7 @@ require (
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_golang v1.20.2 // indirect
github.com/prometheus/client_golang v1.20.5 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
@@ -74,29 +72,32 @@ require (
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/yashtewari/glob-intersection v0.2.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
go.opentelemetry.io/otel v1.28.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect
go.opentelemetry.io/otel/metric v1.28.0 // indirect
go.opentelemetry.io/otel/sdk v1.28.0 // indirect
go.opentelemetry.io/otel/trace v1.28.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
go.opentelemetry.io/otel v1.33.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
go.opentelemetry.io/otel/metric v1.33.0 // indirect
go.opentelemetry.io/otel/sdk v1.33.0 // indirect
go.opentelemetry.io/otel/trace v1.33.0 // indirect
go.opentelemetry.io/proto/otlp v1.4.0 // indirect
golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
golang.org/x/oauth2 v0.21.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.26.0 // indirect
golang.org/x/term v0.25.0 // indirect
golang.org/x/text v0.19.0 // indirect
golang.org/x/time v0.6.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
google.golang.org/grpc v1.66.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
golang.org/x/oauth2 v0.24.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/term v0.27.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.8.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
google.golang.org/grpc v1.69.2 // indirect
google.golang.org/protobuf v1.35.2 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.30.3 // indirect
k8s.io/apiserver v0.30.3 // indirect
k8s.io/component-base v0.30.3 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
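Review bot: k8s.io/api and k8s.io/apiserver reappearing here as `// indirect` only makes sense together with their removal from the direct block earlier in this file, which is fine if `go mod tidy` produced it; the rest of the hunk is a wide transitive refresh (otel 1.28.0 to 1.33.0, grpc 1.66.0 to 1.69.2, protobuf 1.34.2 to 1.35.2, the golang.org/x packages, a new go.opentelemetry.io/auto/sdk) landing alongside the PoC source changes, so splitting the dependency refresh into its own commit would make the remaining 1,296 files reviewable and keep the go.sum delta auditable on its own.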