Merge pull request #993 from simonbaird/quay-expires-after
Prevent release with quay expires-after set
Showing
4 changed files
with
133 additions
and
0 deletions.
@@ -0,0 +1,56 @@ | ||
# | ||
# METADATA | ||
# title: Quay expiration | ||
# description: >- | ||
# Policies to prevent releasing an image to quay that has a quay | ||
# expiration date. In Konflux images with an expiration date are | ||
# produced by "on-pr" build pipelines, i.e. pre-merge CI builds, | ||
# so this is intended to prevent accidentally releasing a CI build. | ||
# | ||
package policy.release.quay_expiration | ||
|
||
import rego.v1 | ||
|
||
import data.lib | ||
|
||
# METADATA | ||
# title: Expires label | ||
# description: >- | ||
# Check the image metadata for the presence of a "quay.expires-after" | ||
# label. If it's present then produce a violation. This check is enforced | ||
# only for a "release" pipeline, as determined by the value of the | ||
# `pipeline_intention` rule data. | ||
# custom: | ||
# short_name: expires_label | ||
# failure_msg: The image has a 'quay.expires-after' label set to '%s' | ||
# solution: >- | ||
# Make sure the image is built without setting the "quay.expires-after" label. This | ||
# label is usually set if the container image was built by an "on-pr" pipeline | ||
# during pre-merge CI. | ||
# collections: | ||
# - redhat | ||
# | ||
deny contains result if { | ||
_expires_label_check_applies | ||
|
||
# This is where we can access the image labels | ||
some label_name, label_value in input.image.config.Labels | ||
|
||
# The quay.expires-after label is present | ||
label_name == "quay.expires-after" | ||
|
||
# This is an edge case that may never happen, but let's assume that if | ||
# the value is an empty string then it is not an expiration and therefore | ||
# can be permitted | ||
count(label_value) > 0 | ||
|
||
# Send up the violation the details | ||
result := lib.result_helper(rego.metadata.chain(), [label_value]) | ||
} | ||
|
||
# The check only applies if we're intending to release the image | ||
default _expires_label_check_applies := false | ||
|
||
_expires_label_check_applies if { | ||
lib.rule_data("pipeline_intention") == "release" | ||
} |
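Review bot: The blank-value exemption at `count(label_value) > 0` makes this release gate fail open on a case the comment above it admits is not understood; for a check whose stated purpose is to stop CI builds reaching a release, denying on mere presence of the label is the safer default unless Quay's handling of an empty `quay.expires-after` value has been confirmed to mean "no expiration". Dropping that `count` line (and the three comment lines above it) would make any `quay.expires-after` label a violation, with `failure_msg` still reporting the value seen. Separately, `_expires_label_check_applies` defaults to `false`, so a release pipeline whose `pipeline_intention` rule data is missing or misspelled silently skips the check rather than failing; if that is intended, state it in the METADATA description, e.g. `# The check is skipped entirely unless rule data sets pipeline_intention to "release".` Note also that an image whose `config.Labels` is absent yields no iteration at all and therefore passes, which is presumably what is wanted but is worth a one-line comment.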
@@ -0,0 +1,54 @@ | ||
package policy.release.quay_expiration_test | ||
|
||
import rego.v1 | ||
|
||
import data.lib | ||
import data.policy.release.quay_expiration | ||
|
||
test_ci_pipeline if { | ||
# Should not produce violations when we're in a non-release pipeline | ||
lib.assert_equal(false, quay_expiration._expires_label_check_applies) with data.rule_data as _rule_data_for_ci | ||
|
||
lib.assert_empty(quay_expiration.deny) with input.image as _image_expires_none | ||
with data.rule_data as _rule_data_for_ci | ||
|
||
lib.assert_empty(quay_expiration.deny) with input.image as _image_expires_blank | ||
with data.rule_data as _rule_data_for_ci | ||
|
||
lib.assert_empty(quay_expiration.deny) with input.image as _image_expires_5d | ||
with data.rule_data as _rule_data_for_ci | ||
} | ||
|
||
test_release_pipeline if { | ||
# Should produce violations when we're in a release pipeline | ||
lib.assert_equal(true, quay_expiration._expires_label_check_applies) with data.rule_data as _rule_data_for_release | ||
|
||
lib.assert_empty(quay_expiration.deny) with input.image as _image_expires_none | ||
with data.rule_data as _rule_data_for_release | ||
|
||
lib.assert_empty(quay_expiration.deny) with input.image as _image_expires_blank | ||
with data.rule_data as _rule_data_for_release | ||
|
||
expected := {{ | ||
"code": "quay_expiration.expires_label", | ||
"msg": "The image has a 'quay.expires-after' label set to '5d'", | ||
}} | ||
lib.assert_equal_results(expected, quay_expiration.deny) with input.image as _image_expires_5d | ||
with data.rule_data as _rule_data_for_release | ||
} | ||
|
||
_image_expires_5d := {"config": {"Labels": { | ||
"foo": "bar", | ||
"quay.expires-after": "5d", | ||
}}} | ||
|
||
_image_expires_blank := {"config": {"Labels": { | ||
"foo": "bar", | ||
"quay.expires-after": "", | ||
}}} | ||
|
||
_image_expires_none := {"config": {"Labels": {"foo": "bar"}}} | ||
|
||
_rule_data_for_ci := {} | ||
|
||
_rule_data_for_release := {"pipeline_intention": "release"} |
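Review bot: The fixtures only exercise an image whose `config.Labels` map exists and a rule data set where `pipeline_intention` is either unset (`_rule_data_for_ci := {}`) or exactly `"release"`, so neither the no-labels path nor an explicit non-release intention is pinned. Adding `_image_no_labels := {"config": {}}` with `lib.assert_empty(quay_expiration.deny) with input.image as _image_no_labels with data.rule_data as _rule_data_for_release` would lock in that a config without labels does not raise or deny, and a fixture such as `_rule_data_for_other := {"pipeline_intention": "build"}` asserting `_expires_label_check_applies` is false would cover the case where the value is present but not `"release"`. The `test_release_pipeline` assertion on `_image_expires_blank` codifies the fail-open handling of an empty label value, so a short comment there saying this is deliberate would stop a later reader treating it as an oversight.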