From 669b39afcc588c72a2a8998be7f6a710ece1fcd9 Mon Sep 17 00:00:00 2001
From: Sean Condon
Date: Tue, 13 Jul 2021 07:52:00 +0100
Subject: [PATCH] onos-config: rearranging openpolicyagent (#474)
---
 onos-config/Chart.yaml | 2 +-
 .../test/testdevice-1.0.0-expected.json | 37 ++++++++++
 .../test/testdevice-1.0.0-test.json | 66 +++++++++++++++++
 .../openpolicyagent/testdevice-1.0.0.rego | 74 +++++++++++++++++++
 onos-config/templates/configmap.yaml | 12 ---
 onos-config/templates/deployment.yaml | 10 ++-
 onos-config/templates/openpolicyagent.yaml | 12 +++
 onos-config/values.yaml | 2 +-
 8 files changed, 197 insertions(+), 18 deletions(-)
 create mode 100644 onos-config/files/openpolicyagent/test/testdevice-1.0.0-expected.json
 create mode 100644 onos-config/files/openpolicyagent/test/testdevice-1.0.0-test.json
 create mode 100644 onos-config/files/openpolicyagent/testdevice-1.0.0.rego
 create mode 100644 onos-config/templates/openpolicyagent.yaml
diff --git a/onos-config/Chart.yaml b/onos-config/Chart.yaml
index b58ea48d..818db9dc 100644
--- a/onos-config/Chart.yaml
+++ b/onos-config/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: onos-config
-version: 1.2.2
+version: 1.2.3
 kubeVersion: ">=1.17.0"
 appVersion: v0.8.4
 description: ONOS Config Manager
diff --git a/onos-config/files/openpolicyagent/test/testdevice-1.0.0-expected.json b/onos-config/files/openpolicyagent/test/testdevice-1.0.0-expected.json
new file mode 100644
index 00000000..d44f7448
--- /dev/null
+++ b/onos-config/files/openpolicyagent/test/testdevice-1.0.0-expected.json
@@ -0,0 +1,37 @@
+[
+ {
+ "cont1a": {
+ "cont2a": [
+ {
+ "leaf2b": "1.4567"
+ }
+ ],
+ "list2a": [
+ {
+ "name": "first",
+ "tx-power": 19
+ }
+ ],
+ "list4": [
+ {
+ "id": "first",
+ "leaf4b": "initial value",
+ "list4a": [
+ {
+ "displayname": "this is a list",
+ "fkey1": "abc",
+ "fkey2": 8
+ }
+ ]
+ }
+ ],
+ "list5": [
+ {
+ "key1": "abc",
+ "key2": 8,
+ "leaf5a": "Leaf 5a"
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/onos-config/files/openpolicyagent/test/testdevice-1.0.0-test.json b/onos-config/files/openpolicyagent/test/testdevice-1.0.0-test.json
new file mode 100644
index 00000000..d7673eaf
--- /dev/null
+++ b/onos-config/files/openpolicyagent/test/testdevice-1.0.0-test.json
@@ -0,0 +1,66 @@
+{
+ "groups": [
+ "mixedGroup",
+ "acme"
+ ],
+ "cont1a": {
+ "cont2a": {
+ "leaf2a": 13,
+ "leaf2b": "1.4567",
+ "leaf2d": 1.2345,
+ "leaf2e": [
+ 12345,
+ 54321
+ ],
+ "leaf2f": "aGVsbG8K",
+ "leaf2g": false
+ },
+ "leaf1a": "test val",
+ "list2a": [
+ {
+ "name": "first",
+ "tx-power": 19
+ },
+ {
+ "name": "second",
+ "tx-power": 19
+ },
+ {
+ "name": "third",
+ "tx-power": 19
+ }
+ ],
+ "list4": [
+ {
+ "id": "first",
+ "leaf4b": "initial value",
+ "list4a": [
+ {
+ "displayname": "this is a list",
+ "fkey1": "abc",
+ "fkey2": 8
+ }
+ ]
+ },
+ {
+ "id": "fifth",
+ "leaf4b": "initial value",
+ "list4a": [
+ {
+ "displayname": "this is a 2nd list",
+ "fkey1": "abc",
+ "fkey2": 8
+ }
+ ]
+ }
+ ],
+ "list5": [
+ {
+ "key1": "abc",
+ "key2": 8,
+ "leaf5a": "Leaf 5a"
+ }
+ ]
+ },
+ "leafAtTopLevel": "top level leaf"
+}
diff --git a/onos-config/files/openpolicyagent/testdevice-1.0.0.rego b/onos-config/files/openpolicyagent/testdevice-1.0.0.rego
new file mode 100644
index 00000000..850a35f8
--- /dev/null
+++ b/onos-config/files/openpolicyagent/testdevice-1.0.0.rego
@@ -0,0 +1,74 @@
+# Copyright 2021-present Open Networking Foundation.
+#//
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package testdevice_1_0_0
+
+countlist2a[numelems] {
+ numelems := count(input.cont1a.list2a)
+}
+
+countlist4[numelems] {
+ numelems := count(input.cont1a.list4)
+}
+
+allowed[config] {
+ list2a := list2as # refer to rule below
+ list4 := list4s
+ list5 := list5s
+ config := {
+ "cont1a": {
+ "cont2a": cont2aLeafs,
+ "leaf1a": input.cont1a.leaf1a,
+ "list2a": list2a,
+ "list4": list4,
+ "list5": list5,
+ },
+ "leafAtTopLevel": input.leafAtTopLevel,
+ }
+}
+
+cont2aLeafs[name] = val {
+ val := input.cont1a.cont2a[i]
+ name := i
+}
+
+leaf2aRef[leaf2a] = val{
+ leaf2a := "leaf2a"
+ val := input.cont1a.cont2a.leaf2a
+ leaf2a != null
+}
+
+leaf2cRef[leaf2c] = val{
+ leaf2c := "leaf2c"
+ val := input.cont1a.cont2a.leaf2c
+ leaf2c != null
+}
+
+list2as[list2a] {
+ list2a := input.cont1a.list2a[_]
+ list4 := input.cont1a.list4[_]
+ # Only allow instances of list2a that have name == id of list4
+ list2a.name == list4.id
+}
+
+list4s[list4] {
+ list4 := input.cont1a.list4[_]
+ list2a := input.cont1a.list2a[_]
+ # Only allow instances of list4 that have id == name of list2a
+ list2a.name == list4.id
+}
+
+list5s[list5] {
+ list5 := input.cont1a.list5[_]
+}
\ No newline at end of file
diff --git a/onos-config/templates/configmap.yaml b/onos-config/templates/configmap.yaml
index d7d7ddec..836f2e9f 100644
--- a/onos-config/templates/configmap.yaml
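Review bot: In `leaf2aRef` and `leaf2cRef` the guard `leaf2a != null` / `leaf2c != null` tests the literal key-name string assigned on the line above it, so it is always true and never excludes anything; if the intent is to skip an absent leaf, the value is what should be checked, `val != null`, and since a missing key already leaves `val := input.cont1a.cont2a.leaf2c` undefined in Rego the guard adds nothing either way. Neither rule is referenced by `allowed`, so as committed they are dead code. The policy never reads `input.groups`, although the test input supplies it, so `allowed` yields the same result for every caller group; if group-based filtering is intended here, it is missing. The expected fixture test/testdevice-1.0.0-expected.json also does not look like the output of `allowed` as written (it has no leaf1a or leafAtTopLevel and gives cont2a as a list rather than the object `cont2aLeafs` builds), so it is unclear which policy version it was generated from. Line 2 of the license header, `#//`, looks like a stray token.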
+++ b/onos-config/templates/configmap.yaml
@@ -34,15 +34,3 @@ data:
 {{- end }}
 logging.yaml: |-
 {{ toYaml .Values.logging | indent 4 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "onos-config.fullname" . }}-rego
- labels:
- app: {{ template "onos-config.fullname" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
-data:
-{{ toYaml .Values.openpolicyagent.rego | indent 4 }}
diff --git a/onos-config/templates/deployment.yaml b/onos-config/templates/deployment.yaml
index e81d5bd7..fb2a1852 100644
--- a/onos-config/templates/deployment.yaml
+++ b/onos-config/templates/deployment.yaml
@@ -143,7 +143,7 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 10
 volumeMounts:
- - name: rego
+ - name: openpolicyagent
 mountPath: /etc/onos/rego
 readOnly: true
 {{end}}
@@ -152,12 +152,14 @@ spec:
 - name: config
 configMap:
 name: {{ template "onos-config.fullname" . }}-config
- - name: rego
- configMap:
- name: {{ template "onos-config.fullname" . }}-rego
 - name: secret
 secret:
 secretName: {{ template "onos-config.fullname" . }}-secret
+ {{- if .Values.openpolicyagent.enabled }}
+ - name: openpolicyagent
+ configMap:
+ name: {{ .Values.openpolicyagent.regoConfigMap }}
+ {{- end}}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/onos-config/templates/openpolicyagent.yaml b/onos-config/templates/openpolicyagent.yaml
new file mode 100644
index 00000000..7534e79a
--- /dev/null
+++ b/onos-config/templates/openpolicyagent.yaml
@@ -0,0 +1,12 @@
+{{ if .Values.openpolicyagent.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "onos-config.fullname" . }}-openpolicyagent
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+data:
+{{ (.Files.Glob "files/openpolicyagent/*.rego").AsConfig | indent 2 }}
+{{end}}
\ No newline at end of file
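Review bot: The volume added in the second deployment.yaml hunk names its ConfigMap from `.Values.openpolicyagent.regoConfigMap`, whose default in the values.yaml hunk is the fixed string `onos-config-openpolicyagent`, while templates/openpolicyagent.yaml creates the ConfigMap as `{{ template "onos-config.fullname" . }}-openpolicyagent`. Whenever the fullname helper does not resolve to exactly `onos-config` (a different release name, or whatever overrides the helper honours — its definition is not in this diff), the two names diverge and the pod cannot mount the volume; the removed `-rego` volume used the template helper on both sides, so this is a regression in that case. Unless pointing at a user-supplied ConfigMap is the intended use of the value, the volume should fall back to the generated name, e.g. `name: {{ .Values.openpolicyagent.regoConfigMap | default (printf "%s-openpolicyagent" (include "onos-config.fullname" .)) }}`, with the values.yaml default left empty and documented. The same mismatch applies to the openpolicyagent.yaml and values.yaml hunks.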
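Review bot: The new ConfigMap in templates/openpolicyagent.yaml drops the `app: {{ template "onos-config.fullname" . }}` label that the `-rego` ConfigMap removed from configmap.yaml carried, so it no longer shares the label set of the chart's other resources; adding `app: {{ template "onos-config.fullname" . }}` under `labels:` keeps label-based tooling and selectors consistent. The opening `{{ if .Values.openpolicyagent.enabled }}` without whitespace trimming also emits a leading blank line in the rendered manifest; `{{- if .Values.openpolicyagent.enabled }}` matches the form used in the deployment.yaml hunk.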
diff --git a/onos-config/values.yaml b/onos-config/values.yaml
index ff0a12d1..79f4e892 100644
--- a/onos-config/values.yaml
+++ b/onos-config/values.yaml
@@ -122,4 +122,4 @@ openpolicyagent:
 repository: openpolicyagent/opa
 registry: ""
 tag: 0.29.4
- rego:
+ regoConfigMap: onos-config-openpolicyagent