contrast: use kata-specific genpolicy binary for bare-metal platforms

Signed-off-by: Paul Meyer <[email protected]>

cli/cmd/generate.go

@@ -251,7 +251,7 @@ func generatePolicies(ctx context.Context, flags *generateFlags, yamlPaths []str
 		return fmt.Errorf("creating default policy.rego file: %w", err)
 	}
 
-	runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath)
+	runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath, cfg.Bin)
 	if err != nil {
 		return fmt.Errorf("preparing genpolicy: %w", err)
 	}

cli/genpolicy/assets/genpolicy-microsoft

@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING

cli/genpolicy/config.go

@@ -10,8 +10,10 @@ import (
 )
 
 var (
-	//go:embed assets/genpolicy
-	genpolicyBin []byte
+	//go:embed assets/genpolicy-microsoft
+	aksGenpolicyBin []byte
+	//go:embed assets/genpolicy-kata
+	kataGenpolicyBin []byte
 	//go:embed assets/genpolicy-settings-microsoft.json
 	aksSettings []byte
 	//go:embed assets/genpolicy-settings-kata.json
@@ -28,6 +30,8 @@ type Config struct {
 	Rules []byte
 	// Settings is a json config file that holds platform-specific configuration.
 	Settings []byte
+	// Bin is the genpolicy binary.
+	Bin []byte
 }
 
 // NewConfig selects the appropriate genpolicy configuration for the target platform.
@@ -37,11 +41,13 @@ func NewConfig(platform platforms.Platform) *Config {
 		return &Config{
 			Rules:    aksRules,
 			Settings: aksSettings,
+			Bin:      aksGenpolicyBin,
 		}
 	case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 		return &Config{
 			Rules:    kataRules,
 			Settings: kataSettings,
+			Bin:      kataGenpolicyBin,
 		}
 	default:
 		return nil

cli/genpolicy/genpolicy.go

@@ -28,9 +28,9 @@ type Runner struct {
 }
 
 // New creates a new Runner for the given configuration.
-func New(rulesPath, settingsPath, cachePath string) (*Runner, error) {
+func New(rulesPath, settingsPath, cachePath string, bin []byte) (*Runner, error) {
 	e := embedbin.New()
-	genpolicy, err := e.Install("", genpolicyBin)
+	genpolicy, err := e.Install("", bin)
 	if err != nil {
 		return nil, fmt.Errorf("installing genpolicy: %w", err)
 	}

cli/genpolicy/genpolicy_test.go

@@ -48,7 +48,7 @@ func TestRunner(t *testing.T) {
 	logger := slog.Default()
 
 	d := t.TempDir()
-	genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d))
+	genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d))
 
 	expectedRulesPath := "/rules.rego"
 	rulesPathFile := filepath.Join(d, "rules_path")
@@ -58,7 +58,7 @@ func TestRunner(t *testing.T) {
 	expectedYAMLPath := filepath.Join(d, "test.yaml")
 	yamlPathFile := filepath.Join(d, "yaml_path")
 
-	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath)
+	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath, genpolicyBin)
 	require.NoError(err)
 
 	require.NoError(r.Run(ctx, expectedYAMLPath, logger))

packages/by-name/contrast/package.nix

@@ -7,7 +7,6 @@
   buildGoTest,
   microsoft,
   kata,
-  genpolicy ? microsoft.genpolicy,
   contrast,
   installShellFiles,
 }:
@@ -174,7 +173,8 @@ buildGoModule rec {
   subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ];
 
   prePatch = ''
-    install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+    install -D ${lib.getExe microsoft.genpolicy} cli/genpolicy/assets/genpolicy-microsoft
+    install -D ${lib.getExe kata.genpolicy} cli/genpolicy/assets/genpolicy-kata
     install -D ${microsoft.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-microsoft.rego
     install -D ${kata.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-kata.rego
     install -D ${embeddedReferenceValues} internal/manifest/assets/reference-values.json