feat(pe): add policy-engine component #152

Draft: wants to merge 7 commits into base: master
Expand Up @@ -24,17 +24,18 @@ spec:
spinnaker:
armory:
policyEngine:
failOpen: true
opa:
# Replace with the actual URL to your Open Policy Agent deployment
baseUrl: http://opa:8181/v1/data
# Optional. The number of seconds that the Policy Engine will wait for a response from the OPA server. Default is 10 seconds if omitted.
# timeoutSeconds: <integer>
# timeoutSeconds: <integer>
spinnaker:
extensibility:
repositories:
policyEngine:
enabled: true
url: https://raw.githubusercontent.com/armory-plugins/policy-engine-releases/master/repositories.json
url: https://raw.githubusercontent.com/armory-plugins/pluginRepository/master/repositories.json
gate:
spinnaker:
extensibility:
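Review bot: `failOpen: true` in this hunk is the one setting that decides what happens when the OPA server at `baseUrl` is unreachable or times out, and it is the only key here without an explanatory comment, while `baseUrl` and `timeoutSeconds` both have one. Add a comment stating that with `failOpen: true` the Policy Engine allows the action when OPA cannot be reached, so operators who copy this feature file understand they are opting out of enforcement during an outage. Two further points: the two `# timeoutSeconds: <integer>` lines look identical in this view, so if the change is whitespace-only it is worth saying so in the commit; and the repository `url` now points at `armory-plugins/pluginRepository` instead of `policy-engine-releases`, which should be mentioned in the PR description since existing installs following the old path will stop picking up releases.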
Expand All @@ -46,7 +47,7 @@ spec:
plugins:
Armory.PolicyEngine:
enabled: true
version: &version 0.2.0
version: &version 0.3.0-snapshot.master.b1bdd2d

orca:
spinnaker:
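Review bot: the plugin version is pinned to `0.3.0-snapshot.master.b1bdd2d`, a snapshot build identified by a master-branch commit, and it is propagated through the `&version` anchor to every consumer of that anchor in the file. A feature component that ships a snapshot version cannot be reproduced once that artifact is superseded and gives no guarantee the policies below were tested against it. Before this leaves draft, replace it with a released version (the previous value was `0.2.0`), or note in the PR why the snapshot is required.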
16 changes: 16 additions & 0 deletions armory/features/policy-engine/kustomization.yml
@@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

resources:
- opa.yml

patchesStrategicMerge:
- feature.yml

configMapGenerator:
# ConfigMap holding OPA policy definitions for use by Armory's Policy Engine.
# Required by patch-policy-engine-plugin.yml
- name: spin-policies
files:
- policies/manual-judgement.rego
- policies/save-pipeline.rego
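Review bot: the comment on the `spin-policies` generator says the ConfigMap is "Required by patch-policy-engine-plugin.yml", but the only patch listed under `patchesStrategicMerge` is `feature.yml`; the comment is stale and should name the file that actually consumes the ConfigMap. Also `apiVersion: kustomize.config.k8s.io/v1alpha1` with `kind: Component` is the alpha component API; if other components in this repository already use it that is fine, otherwise note the minimum kustomize version this requires in the PR description.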
File renamed without changes.
Expand Up @@ -5,5 +5,4 @@ deny["Every pipeline must have a Manual Judgment stage"] {
manual_judgment_stages = [d | d = input.pipeline.stages[_].type; d == "manualJudgment"]
count(input.pipeline.stages[_]) > 0
count(manual_judgment_stages) == 0
1 := 0
}
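Review bot: removing `1 := 0` changes the behaviour of this rule, not just its tidiness: that line is not a satisfiable (or even valid) Rego assignment, so with it present the deny could never fire, and with it gone "Every pipeline must have a Manual Judgment stage" becomes an enforced deny on every pipeline save. Call that out in the commit message so operators enabling this component know the policy is now live. One more thing on the remaining body: `count(input.pipeline.stages[_]) > 0` iterates over each stage and counts that stage's keys, so it only checks that some stage object is non-empty; if the intent is "the pipeline has at least one stage", `count(input.pipeline.stages) > 0` expresses it directly.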
7 changes: 7 additions & 0 deletions armory/features/policy-engine/policies/save-pipeline.rego
@@ -0,0 +1,7 @@
# manual-judgment.rego. Notice the package. The opa.pipelines package is used for policies that get checked when a pipeline is saved.
package spinnaker.persistence.pipelines.before

deny["Every pipeline must have a Manual Judgment stage"] {

1 == 0
}
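Review bot: this file looks like an unfinished copy of the manual-judgement policy: the leading comment names `manual-judgment.rego` and refers to an `opa.pipelines` package while the declared package is `spinnaker.persistence.pipelines.before`, the deny message duplicates the manual-judgement rule word for word, and the body `1 == 0` is always false, so the rule can never deny anything. If this is meant as a template showing where save-time policies live, replace the body and message with a clearly labelled placeholder and fix the comment to match the package; if it is meant to enforce something at save time, the actual condition is missing. Either way, the `1 == 0` body should not ship as a policy that appears to protect pipeline saves but does not.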