Merge branch 'swarm-PLATFORM-2126-rollout-restart' into 'master'

PLATFORM-2126-roll-restart See merge request !62

Merge branch 'swarm-PLATFORM-2126-rollout-restart' into 'master'
PLATFORM-2126-roll-restart See merge request !62
1c9dc3c3 · Mark Williams · c04e531a · 06c23ee3 · 1c9dc3c3 · 1c9dc3c3
Commit 1c9dc3c3 authored 1 year ago by Mark Williams
--- a/Chart.yaml
+++ b/Chart.yaml
 apiVersion: v2
 name: constraint-templates
-version: 1.4.27
+version: 1.5.0
 appVersion: 1.0.0
--- a/rego/allow_rollout_restart/policy.rego
+++ b/rego/allow_rollout_restart/policy.rego
 package allow_rollout_restart

-
+# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
    not input.review.userInfo.username == "flux"
+    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
    input.review.kind.kind == "Deployment"
-	input.review.operation == "PATCH"
-    new_annotations := json.remove(input.review.object,["metadata/annotations/kubectl.kubernetes.io.restartedAt"])
-    old_annotations := json.remove(input.review.oldObject,["metadata/annotations/kubectl.kubernetes.io.restartedAt"]) 
+    input.review.operation == "UPDATE"
+    new_annotations := json.remove(input.review.object,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
+    old_patched_annotations := json.patch(input.review.oldObject,[{"op": "add", "path": "spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt", "value": 3}])
+    old_annotations := json.remove(old_patched_annotations,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
    old_annotations != new_annotations
-	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. Used '%v'", [input.review.object.metadata.annotations] )
+	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. ",[])
+
 }

+
+contains(grouparray,testgroup) {
+    grouparray[_] = testgroup
+}
\ No newline at end of file
--- a/rego/allow_rollout_restart/policy_test.rego
+++ b/rego/allow_rollout_restart/policy_test.rego
@@ -65,17 +65,25 @@ review_deployment_patch_extra_annotations(annotationname,annotationvalue,usernam
        "kind": "Deployment"
      },
      "object": {
-        "metadata": {
-            "annotations": {
-                "dreaded_gazebo": "indeed",
-                annotationname: annotationvalue
+        "spec": {
+          "template: {
+            "metadata": {
+              "annotations": {
+                  "dreaded_gazebo": "indeed",
+                  annotationname: annotationvalue
+              }
            }
+          }
        }
      },
      "oldObject": {
-        "metadata": {
-          "annotations": {
-            "kubectl.kubernetes.io.restartedAt": previousrestarted
+        "spec": {
+          "template: {
+            "metadata": {
+              "annotations": {
+                "kubectl.kubernetes.io.restartedAt": previousrestarted
+              }
+            } 
          }
        }
      }
@@ -94,16 +102,24 @@ review_deployment_patch_existing(annotationname,annotationvalue,username,previou
        "kind": "Deployment"
      },
      "object": {
-        "metadata": {
-            "annotations": {
-                annotationname: annotationvalue
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {
+                  annotationname: annotationvalue
+              }
            }
+          }
        }
      },
      "oldObject": {
-        "metadata": {
-          "annotations": {
-            "kubectl.kubernetes.io.restartedAt": previousrestarted
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {
+                "kubectl.kubernetes.io.restartedAt": previousrestarted
+              }
+            }
          }
        }
      }
@@ -122,15 +138,23 @@ review_deployment_patch_absent(annotationname,annotationvalue,username) = out {
        "kind": "Deployment"
      },
      "oldObject": {
-        "metadata": {
-            "annotations": {}
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {}
+            }
+          }
        }
      }, 
      "object": {
-        "metadata": {
-            "annotations": {
-                annotationname: annotationvalue
+        "spec": {
+          "template": {
+            "metadata": {
+                "annotations": {
+                    annotationname: annotationvalue
+                }
            }
+          }
        }
      }
    }