109 lines
4.4 KiB
Ruby
109 lines
4.4 KiB
Ruby
class Gator < Formula
|
|
desc "CLI Utility for Open Policy Agent Gatekeeper"
|
|
homepage "https://open-policy-agent.github.io/gatekeeper/website/docs/gator"
|
|
url "https://github.com/open-policy-agent/gatekeeper/archive/refs/tags/v3.10.0.tar.gz"
|
|
sha256 "cfe47f54738bcd648de94be6fedf182858771fa6938a609cfa416a72a54a7682"
|
|
license "Apache-2.0"
|
|
head "https://github.com/open-policy-agent/gatekeeper.git", branch: "master"
|
|
|
|
bottle do
|
|
sha256 cellar: :any_skip_relocation, arm64_ventura: "59b5dc5b5f4a5bf8239f8b0266d8a71959d3776827478168618b7ffe7add14f7"
|
|
sha256 cellar: :any_skip_relocation, arm64_monterey: "ad03529186c8e1c0c7afaa5289966bc8cf81aadcf7c7f686c0d63e770dffedc2"
|
|
sha256 cellar: :any_skip_relocation, arm64_big_sur: "3afd0effdcd419f6c37a271b8172dd510e57762cd98b4fe110424c9c6ec5f4e3"
|
|
sha256 cellar: :any_skip_relocation, ventura: "392d7684b8d885b80327152d0d5f9a8abcac04e2c3c99aa8691c71ade92e1381"
|
|
sha256 cellar: :any_skip_relocation, monterey: "b5c3dccddb6c948b7ae0170cb4f983124f4753f428738a9be0654f4e0df18788"
|
|
sha256 cellar: :any_skip_relocation, big_sur: "cbde7da56dabf4e055326a881b20298983120264d346926a636e1d41ac353c3b"
|
|
sha256 cellar: :any_skip_relocation, catalina: "80b93cdf2db60f9a2f0cab6c64d002fe2cf9bc4ad300950c96b93dc3d2237185"
|
|
sha256 cellar: :any_skip_relocation, x86_64_linux: "0b31ddafeb957487731427126d30d590b66d60e73c8482f7750c9e602a32f874"
|
|
end
|
|
|
|
depends_on "go" => :build
|
|
|
|
def install
|
|
ldflags = %W[
|
|
-s -w
|
|
-X github.com/open-policy-agent/gatekeeper/pkg/version.Version=#{version}
|
|
]
|
|
system "go", "build", *std_go_args(ldflags: ldflags), "./cmd/gator"
|
|
|
|
generate_completions_from_executable(bin/"gator", "completion")
|
|
end
|
|
|
|
test do
|
|
assert_match "gator is a suite of authorship tools for Gatekeeper", shell_output("#{bin}/gator -h")
|
|
|
|
# Create a test manifest file
|
|
(testpath/"gator-manifest.yaml").write <<~EOS
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: ingress-demo-disallowed
|
|
annotations:
|
|
kubernetes.io/ingress.allow-http: "false"
|
|
spec:
|
|
tls: [{}]
|
|
rules:
|
|
- host: example-host.example.com
|
|
http:
|
|
paths:
|
|
- pathType: Prefix
|
|
path: "/"
|
|
backend:
|
|
service:
|
|
name: nginx
|
|
port:
|
|
number: 80
|
|
EOS
|
|
# Create a test constraint tempalte
|
|
(testpath/"template-and-constraints/gator-constraint-template.yaml").write <<~EOS
|
|
apiVersion: templates.gatekeeper.sh/v1
|
|
kind: ConstraintTemplate
|
|
metadata:
|
|
name: k8shttpsonly
|
|
annotations:
|
|
description: >-
|
|
Requires Ingress resources to be HTTPS only.
|
|
Ingress resources must:
|
|
- include a valid TLS configuration
|
|
- include the `kubernetes.io/ingress.allow-http` annotation, set to
|
|
`false`.
|
|
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
|
|
spec:
|
|
crd:
|
|
spec:
|
|
names:
|
|
kind: K8sHttpsOnly
|
|
targets:
|
|
- target: admission.k8s.gatekeeper.sh
|
|
rego: |
|
|
package k8shttpsonly
|
|
violation[{"msg": msg}] {
|
|
input.review.object.kind == "Ingress"
|
|
re_match("^(extensions|networking.k8s.io)/", input.review.object.apiVersion)
|
|
ingress := input.review.object
|
|
not https_complete(ingress)
|
|
msg := sprintf("Ingress should be https. tls configuration and allow-http=false annotation are required for %v", [ingress.metadata.name])
|
|
}
|
|
https_complete(ingress) = true {
|
|
ingress.spec["tls"]
|
|
count(ingress.spec.tls) > 0
|
|
ingress.metadata.annotations["kubernetes.io/ingress.allow-http"] == "false"
|
|
}
|
|
EOS
|
|
# Create a test constraint file
|
|
(testpath/"template-and-constraints/gator-constraint.yaml").write <<~EOS
|
|
apiVersion: constraints.gatekeeper.sh/v1beta1
|
|
kind: K8sHttpsOnly
|
|
metadata:
|
|
name: ingress-https-only
|
|
spec:
|
|
match:
|
|
kinds:
|
|
- apiGroups: ["extensions", "networking.k8s.io"]
|
|
kinds: ["Ingress"]
|
|
EOS
|
|
|
|
assert_empty shell_output("#{bin}/gator test -f gator-manifest.yaml -f template-and-constraints/")
|
|
end
|
|
end
|