diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 958183504c1..3923345f3a6 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -102,6 +102,7 @@ jobs: make test-e2e - name: Save logs + if: ${{ always() }} run: | kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json @@ -139,6 +140,7 @@ jobs: make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} ENABLE_MUTATION_TESTS=1 - name: Save logs + if: ${{ always() }} run: | kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json 
@@ -147,7 +149,52 @@ jobs: uses: actions/upload-artifact@v2 if: ${{ always() }} with: - name: logs + name: helm-logs + path: | + logs-*.json + + build_test_externaldata: + name: "[External Data] Build and Test" + runs-on: ubuntu-latest + timeout-minutes: 15 + strategy: + matrix: + KUBERNETES_VERSION: ["1.22.0"] + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v2 + + - name: Set up Go 1.17 + uses: actions/setup-go@v2 + with: + go-version: 1.17 + + - name: Bootstrap e2e + run: | + mkdir -p $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} + + - name: Run e2e + run: | + make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest + make e2e-build-load-externaldata-image + make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_EXTERNAL_DATA=true + # there should be no additional manifest changes + git diff --exit-code + make test-e2e ENABLE_EXTERNAL_DATA_TESTS=1 + + - name: Save logs + if: ${{ always() }} + run: | + kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-externaldata-controller.json + kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-externaldata-audit.json + + - name: Upload artifacts + uses: actions/upload-artifact@v2 + if: ${{ always() }} + with: + name: externaldata-logs path: | logs-*.json diff --git a/Makefile b/Makefile index b5c611775b5..7530a5e76ee 100644 --- a/Makefile +++ b/Makefile 
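Review bot: The new `build_test_externaldata` job references `actions/checkout@v2` and `actions/setup-go@v2` by mutable tag; pinning each to a full commit SHA (with the tag kept in a trailing comment) makes the third-party action code the job executes reproducible and not silently replaceable upstream. `go-version: 1.17` is an unquoted float and should be `go-version: "1.17"` — harmless for this value, but the same form turns `1.10` into `1.1`, and the matrix already quotes `"1.22.0"`. The job also declares no `permissions:` block; if the workflow does not set one at the top level (outside this hunk), `permissions: contents: read` would be the least-privilege token for a build-and-test job.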
@@ -116,6 +116,10 @@ e2e-bootstrap: e2e-build-load-image: docker-buildx kind load docker-image --name kind ${IMG} ${CRD_IMG} +e2e-build-load-externaldata-image: docker-buildx-builder + docker buildx build --platform="linux/amd64" -t dummy-provider:test --load -f test/externaldata/dummy-provider/Dockerfile test/externaldata/dummy-provider + kind load docker-image --name kind dummy-provider:test + e2e-verify-release: patch-image deploy test-e2e echo -e '\n\n======= manager logs =======\n\n' && kubectl logs -n ${GATEKEEPER_NAMESPACE} -l control-plane=controller-manager @@ -195,6 +199,7 @@ deploy-mutation: patch-image deploy: patch-image manifests ifeq ($(ENABLE_EXTERNAL_DATA),true) @grep -q -v 'enable-external-data' ./config/overlays/dev/manager_image_patch.yaml && sed -i '/- --operation=webhook/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev/manager_image_patch.yaml + @grep -q -v 'enable-external-data' ./config/overlays/dev/manager_image_patch.yaml && sed -i '/- --operation=audit/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev/manager_image_patch.yaml endif docker run -v $(shell pwd)/config:/config -v $(shell pwd)/vendor:/vendor \ k8s.gcr.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \ 
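Review bot: The added `@grep -q -v 'enable-external-data' … && sed -i '/- --operation=audit/a …'` line in `deploy` copies a guard that looks ineffective: `grep -v` selects lines that do not contain the pattern, so `-q -v` exits 0 whenever any line of the patch file lacks the flag, which is practically always, and the existing webhook line has the same shape. If the intent is idempotence across repeated `make deploy` runs, the check needs inverting, `grep -q 'enable-external-data' FILE || sed -i …`, and the audit insertion then needs its own check (for example anchored on the `--operation=audit` line) because the first sed already adds the string; hedged, since the patched file is not in this diff. Separately, `e2e-build-load-externaldata-image` hard-codes `dummy-provider:test`, which must stay in sync with the `image:` field in `test/externaldata/dummy-provider/manifest/deployment.yaml`; a `DUMMY_PROVIDER_IMG ?= dummy-provider:test` variable used in both the build and the `kind load` line would make that coupling explicit.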
@@ -283,13 +288,14 @@ docker-build: build-crds docker build --pull -f crd.Dockerfile .staging/crds/ --build-arg LDFLAGS=${LDFLAGS} --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -t ${CRD_IMG} docker build --pull . --build-arg LDFLAGS=${LDFLAGS} -t ${IMG} -# Build docker image with buildx -# Experimental docker feature to build cross platform multi-architecture docker images -# https://docs.docker.com/buildx/working-with-buildx/ -docker-buildx: build-crds +docker-buildx-builder: if ! docker buildx ls | grep -q container-builder; then\ docker buildx create --name container-builder --use;\ fi + +# Build image with buildx to build cross platform multi-architecture docker images +# https://docs.docker.com/buildx/working-with-buildx/ +docker-buildx: build-crds docker-buildx-builder docker buildx build --build-arg LDFLAGS=${LDFLAGS} --platform "linux/amd64" \ -t $(IMG) \ . --load 
@@ -297,37 +303,24 @@ docker-buildx: build-crds -t $(CRD_IMG) \ -f crd.Dockerfile .staging/crds/ --load -docker-buildx-dev: - @if ! docker buildx ls | grep -q container-builder; then\ - docker buildx create --name container-builder --use;\ - fi +docker-buildx-dev: docker-buildx-builder docker buildx build --build-arg LDFLAGS=${LDFLAGS} --platform "linux/amd64,linux/arm64,linux/arm/v7" \ -t $(REPOSITORY):$(DEV_TAG) \ -t $(REPOSITORY):dev \ . --push -docker-buildx-crds-dev: build-crds - @if ! docker buildx ls | grep -q container-builder; then\ - docker buildx create --name container-builder --use;\ - fi - +docker-buildx-crds-dev: build-crds docker-buildx-builder docker buildx build --build-arg LDFLAGS=${LDFLAGS} --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --platform "linux/amd64,linux/arm64,linux/arm/v7" \ -t $(CRD_REPOSITORY):$(DEV_TAG) \ -t $(CRD_REPOSITORY):dev \ -f crd.Dockerfile .staging/crds/ --push -docker-buildx-release: - @if ! docker buildx ls | grep -q container-builder; then\ - docker buildx create --name container-builder --use;\ - fi +docker-buildx-release: docker-buildx-builder docker buildx build --build-arg LDFLAGS=${LDFLAGS} --platform "linux/amd64,linux/arm64,linux/arm/v7" \ -t $(REPOSITORY):$(VERSION) \ . --push -docker-buildx-crds-release: build-crds - @if ! docker buildx ls | grep -q container-builder; then\ - docker buildx create --name container-builder --use;\ - fi +docker-buildx-crds-release: build-crds docker-buildx-builder docker buildx build --build-arg LDFLAGS=${LDFLAGS} --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --platform "linux/amd64,linux/arm64,linux/arm/v7" \ -t $(CRD_REPOSITORY):$(VERSION) \ -f crd.Dockerfile .staging/crds/ --push diff --git a/build/tooling/Dockerfile b/build/tooling/Dockerfile index 15699dfdba7..bfc8b695b42 100644 --- a/build/tooling/Dockerfile +++ b/build/tooling/Dockerfile 
@@ -1,6 +1,6 @@ FROM golang:1.17 -RUN GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0 +RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.5.0 RUN mkdir /gatekeeper WORKDIR /gatekeeper diff --git a/go.mod b/go.mod index 6bd2f69f65f..7fda0df5f4d 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/onsi/ginkgo v1.16.4 github.com/onsi/gomega v1.16.0 github.com/open-policy-agent/cert-controller v0.2.0 - github.com/open-policy-agent/frameworks/constraint v0.0.0-20211012225819-a8579b618cb7 + github.com/open-policy-agent/frameworks/constraint v0.0.0-20211025234246-f478d8a555b5 github.com/open-policy-agent/opa v0.29.4 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.11.0 diff --git a/go.sum b/go.sum index 8f38e6d4b78..f2e78b2bc33 100644 --- a/go.sum +++ b/go.sum 
@@ -607,8 +607,8 @@ github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/open-policy-agent/cert-controller v0.2.0 h1:Z+IPOYDor28l6cjEo2WvTZY6Bv5oYR6wECEIP8pyG/M= github.com/open-policy-agent/cert-controller v0.2.0/go.mod h1:SWS7Ame8oKHF11cDsQCFlULrrOMV5Z59FIGEAF/M6YI= -github.com/open-policy-agent/frameworks/constraint v0.0.0-20211012225819-a8579b618cb7 h1:X2dfeC/XNGcoBlytXDKnlom0roCCM8bS75Ms+vqDe/s= -github.com/open-policy-agent/frameworks/constraint v0.0.0-20211012225819-a8579b618cb7/go.mod h1:sxECOn2E9o4DIK6ttinq1frfiErxi0Z8oIgtz7VDVBc= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20211025234246-f478d8a555b5 h1:v5CdVF+Gk0OGPZM+6g0CKjaUWjehnf5e/sezx1Qp7vw= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20211025234246-f478d8a555b5/go.mod h1:sxECOn2E9o4DIK6ttinq1frfiErxi0Z8oIgtz7VDVBc= github.com/open-policy-agent/opa v0.29.4 h1:rNa/Gd3Fs0xWgL0aZoyblRwCZLJsSLDQOhnck6DWpaA= github.com/open-policy-agent/opa v0.29.4/go.mod h1:ZCOTD3yyFR8JvF8ETdWdiSPn9WcF1dXeQWOv7VoPorU= github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis= diff --git a/test/bats/test.bats b/test/bats/test.bats index ee7e43ba979..9a19a9bc088 100644 --- a/test/bats/test.bats +++ b/test/bats/test.bats @@ -75,6 +75,8 @@ teardown_file() { assert_equal "" "${output}" kubectl delete --ignore-not-found svc mutate-svc + kubectl delete --ignore-not-found assignmetadata k8sownerlabel + kubectl delete --ignore-not-found assign k8sexternalip } @test "applying sync config" { 
@@ -222,10 +224,49 @@ __required_labels_audit_test() { } @test "disable http.send" { - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/use_http_send_template.yaml" + kubectl apply -f ${BATS_TESTS_DIR}/templates/use_http_send_template.yaml wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sdenynamehttpsend" run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_http_send.yaml assert_failure run kubectl get constrainttemplate/k8sdenynamehttpsend -o jsonpath="{.status}" assert_match 'undefined function http.send' "${output}" } + +@test "external data provider crd is established" { + if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then + skip "skipping external data tests" + fi + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl wait --for condition=established --timeout=60s crd/providers.externaldata.gatekeeper.sh" +} + +@test "gatekeeper external data validation test" { + if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then + skip "skipping external data validation tests" + fi + + # deployment, service and provider for dummy-provider + run kubectl apply -f test/externaldata/dummy-provider/manifest + assert_success + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl wait --for=condition=Ready --timeout=60s pod -l run=dummy-provider -n dummy-provider" + + kubectl apply -f test/externaldata/dummy-provider/policy/template.yaml + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f test/externaldata/dummy-provider/policy/constraint.yaml" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sexternaldata dummy" + + run kubectl apply -f test/externaldata/dummy-provider/policy/examples/error.yaml + assert_match 'denied the request' "${output}" + assert_match 'error_test/image:latest_invalid' "${output}" + assert_failure + + run kubectl apply -f test/externaldata/dummy-provider/policy/examples/system-error.yaml + assert_match 'denied the request' "${output}" + assert_match 'testing system 
error' "${output}" + assert_failure + + run kubectl apply -f test/externaldata/dummy-provider/policy/examples/valid.yaml + assert_success + + kubectl delete --ignore-not-found -f test/externaldata/dummy-provider/manifest + kubectl delete --ignore-not-found deploy error-deployment valid-deployment system-error-deployment + kubectl delete --ignore-not-found constrainttemplate k8sexternaldata +} diff --git a/test/externaldata/dummy-provider/Dockerfile b/test/externaldata/dummy-provider/Dockerfile new file mode 100644 index 00000000000..305572e91ba --- /dev/null +++ b/test/externaldata/dummy-provider/Dockerfile @@ -0,0 +1,35 @@ +ARG BUILDPLATFORM="linux/amd64" +ARG BUILDERIMAGE="golang:1.17" +ARG BASEIMAGE="gcr.io/distroless/static:nonroot" + +FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder + +ARG TARGETPLATFORM +ARG TARGETOS +ARG TARGETARCH +ARG TARGETVARIANT="" +ARG LDFLAGS + +ENV GO111MODULE=on \ + CGO_ENABLED=0 \ + GOOS=${TARGETOS} \ + GOARCH=${TARGETARCH} \ + GOARM=${TARGETVARIANT} + +WORKDIR /go/src/github.com/open-policy-agent/gatekeeper/test/externaldata/dummy-provider + +COPY . . + +RUN go mod init && go mod tidy + +RUN go build -o provider provider.go + +FROM $BASEIMAGE + +WORKDIR / + +COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/test/externaldata/dummy-provider . + +USER 65532:65532 + +ENTRYPOINT ["/provider"] diff --git a/test/externaldata/dummy-provider/manifest/deployment.yaml b/test/externaldata/dummy-provider/manifest/deployment.yaml new file mode 100644 index 00000000000..85de934d207 --- /dev/null +++ b/test/externaldata/dummy-provider/manifest/deployment.yaml 
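Review bot: The cleanup at the end of `gatekeeper external data validation test` (the three `kubectl delete --ignore-not-found` lines) only runs if every assertion before it passes; a failing `assert_match` aborts the test and leaves the `dummy-provider` namespace, the example deployments and the `k8sexternaldata` template in the cluster for the tests that follow. Moving those deletes into `teardown_file()` (outside this hunk) next to the new `assignmetadata`/`assign` cleanup makes them unconditional. The skip guards should also quote the variable, `if [ -z "$ENABLE_EXTERNAL_DATA_TESTS" ]; then` — unquoted, an empty value reduces the test to `[ -z ]`, which only happens to evaluate true.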
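Review bot: `RUN go mod init && go mod tidy` resolves `github.com/open-policy-agent/frameworks/constraint` at image-build time with no `go.sum`, so the dummy provider's dependency set is neither pinned nor checksum-verified and can drift from the `v0.0.0-20211025234246-f478d8a555b5` version this commit pins in the repository `go.mod`. Committing a `go.mod`/`go.sum` for the provider (or building it from the repository module with `COPY go.mod go.sum ./` followed by `go mod download`) makes the build reproducible and verified. `ARG LDFLAGS` is declared but never used; either drop it or pass it through, `RUN go build -ldflags "$LDFLAGS" -o provider provider.go`.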
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: dummy-provider +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dummy-provider + namespace: dummy-provider +spec: + replicas: 1 + selector: + matchLabels: + run: dummy-provider + template: + metadata: + labels: + run: dummy-provider + spec: + containers: + - image: dummy-provider:test + imagePullPolicy: Never + name: dummy-provider + ports: + - containerPort: 8090 + protocol: TCP + restartPolicy: Always + nodeSelector: + kubernetes.io/os: linux diff --git a/test/externaldata/dummy-provider/manifest/provider.yaml b/test/externaldata/dummy-provider/manifest/provider.yaml new file mode 100644 index 00000000000..7dd4ed15a9e --- /dev/null +++ b/test/externaldata/dummy-provider/manifest/provider.yaml @@ -0,0 +1,7 @@ +apiVersion: externaldata.gatekeeper.sh/v1alpha1 +kind: Provider +metadata: + name: dummy-provider +spec: + url: http://dummy-provider.dummy-provider:8090/validate + timeout: 2 diff --git a/test/externaldata/dummy-provider/manifest/service.yaml b/test/externaldata/dummy-provider/manifest/service.yaml new file mode 100644 index 00000000000..f3daf5da456 --- /dev/null +++ b/test/externaldata/dummy-provider/manifest/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: dummy-provider + namespace: dummy-provider +spec: + ports: + - port: 8090 + protocol: TCP + targetPort: 8090 + selector: + run: dummy-provider + sessionAffinity: None diff --git a/test/externaldata/dummy-provider/policy/constraint.yaml b/test/externaldata/dummy-provider/policy/constraint.yaml new file mode 100644 index 00000000000..37470d470e4 --- /dev/null +++ b/test/externaldata/dummy-provider/policy/constraint.yaml @@ -0,0 +1,10 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sExternalData +metadata: + name: dummy +spec: + enforcementAction: deny + match: + kinds: + - apiGroups: ["apps"] + kinds: ["Deployment"] 
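Review bot: The `dummy-provider` container in `deployment.yaml` has no `readinessProbe`, so the `kubectl wait --for=condition=Ready` in `test/bats/test.bats` is satisfied as soon as the container starts, not when `http.ListenAndServe(":8090")` in `provider.go` is accepting connections; a `readinessProbe: {tcpSocket: {port: 8090}}` closes that window. The pod also declares no `securityContext`; since the image already switches to `USER 65532:65532`, `runAsNonRoot: true` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` would pin that at the manifest level at no cost to a test fixture.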
diff --git a/test/externaldata/dummy-provider/policy/examples/error.yaml b/test/externaldata/dummy-provider/policy/examples/error.yaml new file mode 100644 index 00000000000..841c2590efe --- /dev/null +++ b/test/externaldata/dummy-provider/policy/examples/error.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: error-deployment + labels: + app: error-deployment +spec: + replicas: 0 # testing purposes only + selector: + matchLabels: + app: error-deployment + template: + metadata: + labels: + app: error-deployment + spec: + containers: + - name: error + image: error_test/image:latest diff --git a/test/externaldata/dummy-provider/policy/examples/system-error.yaml b/test/externaldata/dummy-provider/policy/examples/system-error.yaml new file mode 100644 index 00000000000..290982aba35 --- /dev/null +++ b/test/externaldata/dummy-provider/policy/examples/system-error.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: system-error-deployment + labels: + app: system-error-deployment +spec: + replicas: 0 # testing purposes only + selector: + matchLabels: + app: system-error-deployment + template: + metadata: + labels: + app: system-error-deployment + spec: + containers: + - name: system-error + image: test/image:latest_systemError diff --git a/test/externaldata/dummy-provider/policy/examples/valid.yaml b/test/externaldata/dummy-provider/policy/examples/valid.yaml new file mode 100644 index 00000000000..d3dcb405581 --- /dev/null +++ b/test/externaldata/dummy-provider/policy/examples/valid.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: valid-deployment + labels: + app: valid-deployment +spec: + replicas: 0 # testing purposes only + selector: + matchLabels: + app: valid-deployment + template: + metadata: + labels: + app: valid-deployment + spec: + containers: + - name: valid + image: test/image:v1 
diff --git a/test/externaldata/dummy-provider/policy/template.yaml b/test/externaldata/dummy-provider/policy/template.yaml new file mode 100644 index 00000000000..7102b389e1f --- /dev/null +++ b/test/externaldata/dummy-provider/policy/template.yaml @@ -0,0 +1,35 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sexternaldata +spec: + crd: + spec: + names: + kind: K8sExternalData + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sexternaldata + + violation[{"msg": msg}] { + # build a list of keys containing images + images := [img | img = input.review.object.spec.template.spec.containers[_].image] + + # send external data request + response := external_data({"provider": "dummy-provider", "keys": images}) + + response_with_error(response) + + msg := sprintf("invalid response: %v", [response]) + } + + response_with_error(response) { + count(response.errors) > 0 + errs := response.errors[_] + contains(errs[1], "_invalid") + } + + response_with_error(response) { + count(response.system_error) > 0 + } diff --git a/test/externaldata/dummy-provider/provider.go b/test/externaldata/dummy-provider/provider.go new file mode 100644 index 00000000000..2b4f25bf2af --- /dev/null +++ b/test/externaldata/dummy-provider/provider.go 
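Review bot: The Rego in `template.yaml` collects images only from `spec.template.spec.containers[_].image`, so a Deployment whose image appears in `initContainers` (or `ephemeralContainers`) is never sent to the provider; that is adequate for a fixture driven by the three example manifests, but if the template is copied as a starting point it should also iterate `input.review.object.spec.template.spec.initContainers[_].image`. `response_with_error` indexes `errs[1]`, which assumes each entry of `response.errors` is a `[key, error]` pair; a one-line comment stating that shape would help, since nothing in the template documents it.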
@@ -0,0 +1,118 @@ +package main + +import ( + "context" + "encoding/json" + "fmt" + "io/ioutil" + "net/http" + "strings" + "time" + + "github.com/open-policy-agent/frameworks/constraint/pkg/externaldata" +) + +const ( + timeout = 1 * time.Second + apiVersion = "externaldata.gatekeeper.sh/v1alpha1" +) + +func main() { + fmt.Println("starting server...") + http.HandleFunc("/validate", processTimeout(validate, timeout)) + + if err := http.ListenAndServe(":8090", nil); err != nil { + panic(err) + } +} + +func validate(w http.ResponseWriter, req *http.Request) { + // only accept POST requests + if req.Method != http.MethodPost { + sendResponse(nil, "only POST is allowed", w) + return + } + + // read request body + requestBody, err := ioutil.ReadAll(req.Body) + if err != nil { + sendResponse(nil, fmt.Sprintf("unable to read request body: %v", err), w) + return + } + + // parse request body + var providerRequest externaldata.ProviderRequest + err = json.Unmarshal(requestBody, &providerRequest) + if err != nil { + sendResponse(nil, fmt.Sprintf("unable to unmarshal request body: %v", err), w) + return + } + + results := make([]externaldata.Item, 0) + // iterate over all keys + for _, key := range providerRequest.Request.Keys { + // Providers should add a caching mechanism to avoid extra calls to external data sources. 
+ + // following checks are for testing purposes only + // check if key contains "_systemError" to trigger a system error + if strings.HasSuffix(key, "_systemError") { + sendResponse(nil, "testing system error", w) + return + } + + // check if key contains "error_" to trigger an error + if strings.HasPrefix(key, "error_") { + results = append(results, externaldata.Item{ + Key: key, + Error: key + "_invalid", + }) + } else if !strings.HasSuffix(key, "_valid") { + // valid key will have "_valid" appended as return value + results = append(results, externaldata.Item{ + Key: key, + Value: key + "_valid", + }) + } + } + sendResponse(&results, "", w) +} + +// sendResponse sends back the response to Gatekeeper. +func sendResponse(results *[]externaldata.Item, systemErr string, w http.ResponseWriter) { + response := externaldata.ProviderResponse{ + APIVersion: apiVersion, + Kind: "ProviderResponse", + } + + if results != nil { + response.Response.Items = *results + } else { + response.Response.SystemError = systemErr + } + + w.WriteHeader(http.StatusOK) + if err := json.NewEncoder(w).Encode(response); err != nil { + panic(err) + } +} + +func processTimeout(h http.HandlerFunc, duration time.Duration) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + ctx, cancel := context.WithTimeout(r.Context(), duration) + defer cancel() + + r = r.WithContext(ctx) + + processDone := make(chan bool) + go func() { + h(w, r) + processDone <- true + }() + + select { + case <-ctx.Done(): + sendResponse(nil, "operation timed out", w) + case <-processDone: + } + } +} diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go index d0276d60007..be7ef6282a2 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go 
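Review bot: `processTimeout` leaks a goroutine on every timeout: `processDone` is unbuffered, so when `ctx.Done()` fires first the wrapped handler blocks forever on `processDone <- true`; `processDone := make(chan bool, 1)` fixes the leak. The timed-out handler can also still be writing to `w` while `sendResponse(nil, "operation timed out", w)` writes the timeout response, which is a data race on the `http.ResponseWriter` and can interleave two JSON bodies; the stdlib `http.TimeoutHandler` already serialises this, or the handler must stop writing once the context is done. Separately, `ioutil.ReadAll(req.Body)` in `validate` is unbounded — wrapping the body in `http.MaxBytesReader(w, req.Body, limit)` is a cheap guard even for a test provider, and the `panic(err)` in `sendResponse` takes the whole server down on a single encode failure where logging and returning would do.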
+++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go @@ -126,20 +126,6 @@ func (d *driver) Init(ctx context.Context) error { if err := ast.As(regorequest.Value, ®oReq); err != nil { return nil, err } - // only primitive types are allowed for keys - for _, key := range regoReq.Keys { - switch v := key.(type) { - case int: - case int32: - case int64: - case string: - case float64: - case float32: - break - default: - return externaldata.HandleError(http.StatusBadRequest, fmt.Errorf("type %v is not supported in external_data", v)) - } - } provider, err := d.providerCache.Get(regoReq.ProviderName) if err != nil { diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go index b8337f4a3b3..05e9b5d9a3a 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/request.go @@ -5,7 +5,7 @@ type RegoRequest struct { // ProviderName is the name of the external data provider. ProviderName string `json:"provider"` // Keys is the list of keys to send to the external data provider. - Keys []interface{} `json:"keys"` + Keys []string `json:"keys"` } // ProviderRequest is the API request for the external data provider. @@ -21,11 +21,11 @@ type ProviderRequest struct { // Request is the struct that contains the keys to query. type Request struct { // Keys is the list of keys to send to the external data provider. - Keys []interface{} `json:"keys,omitempty"` + Keys []string `json:"keys,omitempty"` } // NewRequest creates a new request for the external data provider. -func NewProviderRequest(keys []interface{}) *ProviderRequest { +func NewProviderRequest(keys []string) *ProviderRequest { return &ProviderRequest{ APIVersion: "externaldata.gatekeeper.sh/v1alpha1", Kind: "ProviderRequest", 
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/response.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/response.go index 6c34c9c3779..11ac3fd7e5d 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/response.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/externaldata/response.go @@ -45,7 +45,7 @@ type Response struct { // Items is the struct that contains the key, value or error from a provider response. type Item struct { // Key is the request from the provider. - Key interface{} `json:"key,omitempty"` + Key string `json:"key,omitempty"` // Value is the response from the provider. Value interface{} `json:"value,omitempty"` // Error is the error from the provider. diff --git a/vendor/modules.txt b/vendor/modules.txt index 5b9dcf8f7ce..011fa0fc7f1 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -159,7 +159,7 @@ github.com/onsi/gomega/types # github.com/open-policy-agent/cert-controller v0.2.0 ## explicit github.com/open-policy-agent/cert-controller/pkg/rotator -# github.com/open-policy-agent/frameworks/constraint v0.0.0-20211012225819-a8579b618cb7 +# github.com/open-policy-agent/frameworks/constraint v0.0.0-20211025234246-f478d8a555b5 ## explicit github.com/open-policy-agent/frameworks/constraint/deploy github.com/open-policy-agent/frameworks/constraint/pkg/apis