feat: add more openshift modules

openshift-check-routes/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-check-routes` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-check-routes)

openshift-check-routes/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-check-routes"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-check-routes` is a KCL validation module"

openshift-check-routes/main.k

@@ -0,0 +1,7 @@
+validate = lambda item {
+    if item.kind in ["Route"]:
+        assert "tls" in item.spec, "HTTP routes are not allowed. Configure TLS for secure routes."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-check-security-context-constraint/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-check-security-context-constraint` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-check-security-context-constraint)

openshift-check-security-context-constraint/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-check-security-context-constraint"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-check-security-context-constraint` is a KCL validation module"

openshift-check-security-context-constraint/main.k

@@ -0,0 +1,7 @@
+validate = lambda item {
+    if item.kind in ["ClusterRole", "Role"]:
+        assert "anyuid" not in sum([r.resourceNames for r in item.rules], []), "Use of the SecurityContextConstraint (SCC) anyuid is not allowed"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-check-security-context-roleref/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-check-security-context-roleref` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-check-security-context-roleref)

openshift-check-security-context-roleref/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-check-security-context-roleref"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-check-security-context-roleref` is a KCL validation module"

openshift-check-security-context-roleref/main.k

@@ -0,0 +1,7 @@
+validate = lambda item {
+    if item.kind in ["ClusterRole", "Role"]:
+        assert "system:openshift:scc:anyuid" != item.roleRef.name, "Use of the SecurityContextConstraint (SCC) anyuid is not allowed"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-check-self-provisioner-binding-no-subject/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-check-self-provisioner-binding-no-subject` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-check-self-provisioner-binding-no-subject)

openshift-check-self-provisioner-binding-no-subject/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-check-self-provisioner-binding-no-subject"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-check-self-provisioner-binding-no-subject` is a KCL validation module"

openshift-check-self-provisioner-binding-no-subject/main.k

@@ -0,0 +1,7 @@
+validate = lambda item {
+    if item.kind in ["ClusterRoleBinding"]:
+        assert len(item.subjects or {}) == 0 if item.metadata.name == "self-provisioners", "Binding to the self-provisioners cluster role is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-check-self-provisioner-binding-with-subject/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-check-self-provisioner-binding-with-subject` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-check-self-provisioner-binding-with-subject)

openshift-check-self-provisioner-binding-with-subject/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-check-self-provisioner-binding-with-subject"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-check-self-provisioner-binding-with-subject` is a KCL validation module"

openshift-check-self-provisioner-binding-with-subject/main.k

@@ -0,0 +1,7 @@
+validate = lambda item {
+    if item.kind in ["ClusterRoleBinding"]:
+        assert "self-provisioner" not in item.roleRef.name if item.metadata.name != "self-provisioners", "Binding to the self-provisioners cluster role is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-disallow-deprecated-apis/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-disallow-deprecated-apis` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-disallow-deprecated-apis)

openshift-disallow-deprecated-apis/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-disallow-deprecated-apis"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-disallow-deprecated-apis` is a KCL validation module"

openshift-disallow-deprecated-apis/main.k

@@ -0,0 +1,16 @@
+DEPRECATED_APIS = [
+    "authorization.openshift.io/v1/ClusterRole"
+    "authorization.openshift.io/v1/ClusterRoleBinding"
+    "authorization.openshift.io/v1/Role"
+    "authorization.openshift.io/v1/RoleBinding"
+]
+get_kind = lambda item: {str:} -> str {
+    (item?.apiVersion or "") + (item?.kind or "")
+}
+validate = lambda item {
+    kind = get_kind(item)
+    assert kind not in DEPRECATED_APIS, "${kind} is deprecated."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-disallow-jenkins-pipeline-strategy/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-disallow-jenkins-pipeline-strategy` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-disallow-jenkins-pipeline-strategy)

openshift-disallow-jenkins-pipeline-strategy/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-disallow-jenkins-pipeline-strategy"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-disallow-jenkins-pipeline-strategy` is a KCL validation module"

openshift-disallow-jenkins-pipeline-strategy/main.k

@@ -0,0 +1,7 @@
+validate = lambda item {
+    if item.kind in ["BuildConfig"]:
+        assert "jenkinsPipelineStrategy" not in item.spec.strategy, "Jenkins Pipeline Build Strategy has been deprecated and is not allowed"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-enforce-etcd-encryption/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-enforce-etcd-encryption` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-enforce-etcd-encryption)

openshift-enforce-etcd-encryption/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-enforce-etcd-encryption"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-enforce-etcd-encryption` is a KCL validation module"

openshift-enforce-etcd-encryption/main.k

@@ -0,0 +1,11 @@
+keys: lambda obj: {str:} -> [str] {
+    [k for k in obj]
+}
+
+validate = lambda item {
+    if item.kind in ["APIServer"]:
+        assert "encryption" in keys(item.spec), "Encryption should be enabled for etcd"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-inject-infrastructure-name/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-inject-infrastructure-name` is a KCL mutation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-inject-infrastructure-name)

openshift-inject-infrastructure-name/kcl.mod

@@ -0,0 +1,6 @@
+[package]
+name = "openshift-inject-infrastructure-name"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-inject-infrastructure-name` is a KCL mutation module"
+

openshift-inject-infrastructure-name/main.k

@@ -0,0 +1,9 @@
+import json
+
+name: str = option("params")?.name or ""
+# Validate All resource
+items = [item | {
+    if item.kind in ["MachineSet"]:
+        metadata = json.decode(json.encode(item.metadata).replace("TEMPLATE", name))
+        spec = json.decode(json.encode(item.spec).replace("TEMPLATE", name))
+} for item in option("items") or []]

openshift-team-validate-ns-name/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-team-validate-ns-name` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-team-validate-ns-name)

openshift-team-validate-ns-name/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-team-validate-ns-name"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-team-validate-ns-name` is a KCL validation module"

openshift-team-validate-ns-name/main.k

@@ -0,0 +1,8 @@
+validate = lambda item {
+    if item.kind in ["Namespace", "ProjectRequest", "Project"]:
+        names = ["-".join([g, "*"]) for g in item.userInfo.groups if ":" not in g]
+        assert item.metadata.name not in names, "The only names approved for your Namespaces are the ones starting by <group-name>-* that not contains '*'"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

openshift-unique-routes/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`openshift-unique-routes` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/openshift-unique-routes)

openshift-unique-routes/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "openshift-unique-routes"
+edition = "*"
+version = "0.1.0"
+description = "`openshift-unique-routes` is a KCL validation module"

openshift-unique-routes/main.k

@@ -0,0 +1,7 @@
+validate = lambda item {
+    if item.kind in ["Route"]:
+        assert isunique(item.spec.host or []), "The Route host name must be unique."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]