onos-config: rearranging openpolicyagent (#474)

onosproject · Jul 13, 2021 · 669b39a · 669b39a
1 parent 91c9ae0
commit 669b39a
Show file tree

Hide file tree

Showing 8 changed files with 197 additions and 18 deletions.
diff --git a/onos-config/Chart.yaml b/onos-config/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: onos-config
-version: 1.2.2
+version: 1.2.3
 kubeVersion: ">=1.17.0"
 appVersion: v0.8.4
 description: ONOS Config Manager

diff --git a/onos-config/files/openpolicyagent/test/testdevice-1.0.0-expected.json b/onos-config/files/openpolicyagent/test/testdevice-1.0.0-expected.json
@@ -0,0 +1,37 @@
+[
+  {
+    "cont1a": {
+      "cont2a": [
+        {
+          "leaf2b": "1.4567"
+        }
+      ],
+      "list2a": [
+        {
+          "name": "first",
+          "tx-power": 19
+        }
+      ],
+      "list4": [
+        {
+          "id": "first",
+          "leaf4b": "initial value",
+          "list4a": [
+            {
+              "displayname": "this is a list",
+              "fkey1": "abc",
+              "fkey2": 8
+            }
+          ]
+        }
+      ],
+      "list5": [
+        {
+          "key1": "abc",
+          "key2": 8,
+          "leaf5a": "Leaf 5a"
+        }
+      ]
+    }
+  }
+]
diff --git a/onos-config/files/openpolicyagent/test/testdevice-1.0.0-test.json b/onos-config/files/openpolicyagent/test/testdevice-1.0.0-test.json
@@ -0,0 +1,66 @@
+{
+  "groups": [
+    "mixedGroup",
+    "acme"
+  ],
+  "cont1a": {
+    "cont2a": {
+      "leaf2a": 13,
+      "leaf2b": "1.4567",
+      "leaf2d": 1.2345,
+      "leaf2e": [
+        12345,
+        54321
+      ],
+      "leaf2f": "aGVsbG8K",
+      "leaf2g": false
+    },
+    "leaf1a": "test val",
+    "list2a": [
+      {
+        "name": "first",
+        "tx-power": 19
+      },
+      {
+        "name": "second",
+        "tx-power": 19
+      },
+      {
+        "name": "third",
+        "tx-power": 19
+      }
+    ],
+    "list4": [
+      {
+        "id": "first",
+        "leaf4b": "initial value",
+        "list4a": [
+          {
+            "displayname": "this is a list",
+            "fkey1": "abc",
+            "fkey2": 8
+          }
+        ]
+      },
+      {
+        "id": "fifth",
+        "leaf4b": "initial value",
+        "list4a": [
+          {
+            "displayname": "this is a 2nd list",
+            "fkey1": "abc",
+            "fkey2": 8
+          }
+        ]
+      }
+    ],
+    "list5": [
+      {
+        "key1": "abc",
+        "key2": 8,
+        "leaf5a": "Leaf 5a"
+      }
+    ]
+  },
+  "leafAtTopLevel": "top level leaf"
+}
diff --git a/onos-config/files/openpolicyagent/testdevice-1.0.0.rego b/onos-config/files/openpolicyagent/testdevice-1.0.0.rego
@@ -0,0 +1,74 @@
+# Copyright 2021-present Open Networking Foundation.
+#//
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package testdevice_1_0_0
+
+countlist2a[numelems] {
+    numelems := count(input.cont1a.list2a)
+}
+
+countlist4[numelems] {
+    numelems := count(input.cont1a.list4)
+}
+
+allowed[config] {
+    list2a := list2as # refer to rule below
+    list4 := list4s
+    list5 := list5s
+    config := {
+        "cont1a": {
+            "cont2a": cont2aLeafs,
+            "leaf1a": input.cont1a.leaf1a,
+            "list2a": list2a,
+            "list4": list4,
+            "list5": list5,
+        },
+        "leafAtTopLevel": input.leafAtTopLevel,
+    }
+}
+
+cont2aLeafs[name] = val {
+    val := input.cont1a.cont2a[i]
+    name := i
+}
+
+leaf2aRef[leaf2a] = val{
+    leaf2a := "leaf2a"
+    val := input.cont1a.cont2a.leaf2a
+    leaf2a != null
+}
+
+leaf2cRef[leaf2c] = val{
+    leaf2c := "leaf2c"
+    val := input.cont1a.cont2a.leaf2c
+    leaf2c != null
+}
+
+list2as[list2a] {
+    list2a := input.cont1a.list2a[_]
+    list4 := input.cont1a.list4[_]
+    # Only allow instances of list2a that have name == id of list4
+    list2a.name == list4.id
+}
+
+list4s[list4] {
+    list4 := input.cont1a.list4[_]
+    list2a := input.cont1a.list2a[_]
+    # Only allow instances of list4 that have id == name of list2a
+    list2a.name == list4.id
+}
+
+list5s[list5] {
+    list5 := input.cont1a.list5[_]
+}
diff --git a/onos-config/templates/configmap.yaml b/onos-config/templates/configmap.yaml
@@ -34,15 +34,3 @@ data:
       {{- end }}
   logging.yaml: |-
 {{ toYaml .Values.logging | indent 4 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "onos-config.fullname" . }}-rego
-  labels:
-    app: {{ template "onos-config.fullname" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-data:
-{{ toYaml .Values.openpolicyagent.rego | indent 4 }}
diff --git a/onos-config/templates/deployment.yaml b/onos-config/templates/deployment.yaml
@@ -143,7 +143,7 @@ spec:
             initialDelaySeconds: 10
             periodSeconds: 10
           volumeMounts:
-            - name: rego
+            - name: openpolicyagent
               mountPath: /etc/onos/rego
               readOnly: true
         {{end}}
@@ -152,12 +152,14 @@ spec:
         - name: config
           configMap:
             name: {{ template "onos-config.fullname" . }}-config
-        - name: rego
-          configMap:
-            name: {{ template "onos-config.fullname" . }}-rego
         - name: secret
           secret:
             secretName: {{ template "onos-config.fullname" . }}-secret
+        {{- if .Values.openpolicyagent.enabled }}
+        - name: openpolicyagent
+          configMap:
+            name: {{ .Values.openpolicyagent.regoConfigMap }}
+        {{- end}}
     {{- with .Values.nodeSelector }}
     nodeSelector:
       {{- toYaml . | nindent 8 }}

diff --git a/onos-config/templates/openpolicyagent.yaml b/onos-config/templates/openpolicyagent.yaml
@@ -0,0 +1,12 @@
+{{ if .Values.openpolicyagent.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "onos-config.fullname" . }}-openpolicyagent
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+{{ (.Files.Glob "files/openpolicyagent/*.rego").AsConfig | indent 2 }}
+{{end}}
diff --git a/onos-config/values.yaml b/onos-config/values.yaml
@@ -122,4 +122,4 @@ openpolicyagent:
     repository: openpolicyagent/opa
     registry: ""
     tag: 0.29.4
-  rego:
+  regoConfigMap: onos-config-openpolicyagent