From db98d6b36f1a40857a292c563505630fcd140e3b Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Wed, 4 Sep 2024 20:35:00 +0200 Subject: [PATCH] contrast: use kata-specific genpolicy binary for bare-metal platforms Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- cli/cmd/generate.go | 2 +- cli/genpolicy/assets/{genpolicy => genpolicy-kata} | 0 cli/genpolicy/assets/genpolicy-microsoft | 1 + cli/genpolicy/config.go | 10 ++++++++-- cli/genpolicy/genpolicy.go | 4 ++-- cli/genpolicy/genpolicy_test.go | 4 ++-- packages/by-name/contrast/package.nix | 4 ++-- 7 files changed, 16 insertions(+), 9 deletions(-) rename cli/genpolicy/assets/{genpolicy => genpolicy-kata} (100%) create mode 100644 cli/genpolicy/assets/genpolicy-microsoft diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go index f0a8fbcaa3..17ba8083cb 100644 --- a/cli/cmd/generate.go +++ b/cli/cmd/generate.go @@ -251,7 +251,7 @@ func generatePolicies(ctx context.Context, flags *generateFlags, yamlPaths []str return fmt.Errorf("creating default policy.rego file: %w", err) } - runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath) + runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath, cfg.Bin) if err != nil { return fmt.Errorf("preparing genpolicy: %w", err) } diff --git a/cli/genpolicy/assets/genpolicy b/cli/genpolicy/assets/genpolicy-kata similarity index 100% rename from cli/genpolicy/assets/genpolicy rename to cli/genpolicy/assets/genpolicy-kata diff --git a/cli/genpolicy/assets/genpolicy-microsoft b/cli/genpolicy/assets/genpolicy-microsoft new file mode 100644 index 0000000000..5c169759e7 --- /dev/null +++ b/cli/genpolicy/assets/genpolicy-microsoft @@ -0,0 +1 @@ +# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go index d8e5c8922c..19a5c07611 100644 --- a/cli/genpolicy/config.go +++ b/cli/genpolicy/config.go @@ -10,8 +10,10 @@ import ( ) var ( - //go:embed assets/genpolicy - genpolicyBin []byte + //go:embed assets/genpolicy-microsoft + aksGenpolicyBin []byte + //go:embed assets/genpolicy-kata + kataGenpolicyBin []byte //go:embed assets/genpolicy-settings-microsoft.json aksSettings []byte //go:embed assets/genpolicy-settings-kata.json @@ -28,6 +30,8 @@ type Config struct { Rules []byte // Settings is a json config file that holds platform-specific configuration. Settings []byte + // Bin is the genpolicy binary. + Bin []byte } // NewConfig selects the appropriate genpolicy configuration for the target platform. @@ -37,11 +41,13 @@ func NewConfig(platform platforms.Platform) *Config { return &Config{ Rules: aksRules, Settings: aksSettings, + Bin: aksGenpolicyBin, } case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX: return &Config{ Rules: kataRules, Settings: kataSettings, + Bin: kataGenpolicyBin, } default: return nil diff --git a/cli/genpolicy/genpolicy.go b/cli/genpolicy/genpolicy.go index 787b436c18..8fd6cbc477 100644 --- a/cli/genpolicy/genpolicy.go +++ b/cli/genpolicy/genpolicy.go @@ -28,9 +28,9 @@ type Runner struct { } // New creates a new Runner for the given configuration. -func New(rulesPath, settingsPath, cachePath string) (*Runner, error) { +func New(rulesPath, settingsPath, cachePath string, bin []byte) (*Runner, error) { e := embedbin.New() - genpolicy, err := e.Install("", genpolicyBin) + genpolicy, err := e.Install("", bin) if err != nil { return nil, fmt.Errorf("installing genpolicy: %w", err) } diff --git a/cli/genpolicy/genpolicy_test.go b/cli/genpolicy/genpolicy_test.go index 4401f3eb8e..2d21888e0e 100644 --- a/cli/genpolicy/genpolicy_test.go +++ b/cli/genpolicy/genpolicy_test.go @@ -48,7 +48,7 @@ func TestRunner(t *testing.T) { logger := slog.Default() d := t.TempDir() - genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d)) + genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d)) expectedRulesPath := "/rules.rego" rulesPathFile := filepath.Join(d, "rules_path") @@ -58,7 +58,7 @@ func TestRunner(t *testing.T) { expectedYAMLPath := filepath.Join(d, "test.yaml") yamlPathFile := filepath.Join(d, "yaml_path") - r, err := New(expectedRulesPath, expectedSettingsPath, cachePath) + r, err := New(expectedRulesPath, expectedSettingsPath, cachePath, genpolicyBin) require.NoError(err) require.NoError(r.Run(ctx, expectedYAMLPath, logger)) diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index 3736b5821d..f0d2e1a290 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix @@ -7,7 +7,6 @@ buildGoTest, microsoft, kata, - genpolicy ? microsoft.genpolicy, contrast, installShellFiles, }: @@ -174,7 +173,8 @@ buildGoModule rec { subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ]; prePatch = '' - install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy + install -D ${lib.getExe microsoft.genpolicy} cli/genpolicy/assets/genpolicy-microsoft + install -D ${lib.getExe kata.genpolicy} cli/genpolicy/assets/genpolicy-kata install -D ${microsoft.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-microsoft.rego install -D ${kata.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-kata.rego install -D ${embeddedReferenceValues} internal/manifest/assets/reference-values.json