Set up policies

Author: tmuntaner

.github/actions/get-policy-metadata/action.yaml

@@ -0,0 +1,67 @@
+name: "Get policy information"
+branding:
+  icon: "package"
+  color: "blue"
+inputs:
+  policy-working-dir:
+    description: "Policy folder"
+    required: true
+    type: string
+outputs:
+  policy-id:
+    description: "Policy ID extract from the policy OCI URL"
+    value: ${{ steps.policy-info.outputs.policy-id}}
+  policy-rust-package:
+    description: "Rust package name from Cargo.toml"
+    value: ${{ steps.policy-info.outputs.policy-rust-package}}
+  policy-language:
+    description: "Policy programming language detected"
+    value: ${{ steps.policy-info.outputs.policy-language}}
+  policy-version:
+    description: "Policy version from the metadata.yaml"
+    value: ${{ steps.policy-info.outputs.policy-version}}
+  policy-basename:
+    description: "Policy directory basename"
+    value: ${{ steps.policy-info.outputs.policy-basename}}
+runs:
+  using: "composite"
+  steps:
+    - name: Get policy info
+      shell: bash
+      id: policy-info
+      run: |
+        if [ ! -d "${{ inputs.policy-working-dir }}" ]; then
+          echo "$policy_working_dir does not exist, policy not found";
+          exit 1;
+        fi
+
+        policy_ociUrl=$(yq -r '.annotations."io.kubewarden.policy.ociUrl"' '${{ inputs.policy-working-dir}}/metadata.yml')
+        policy_version=$(yq -r '.annotations."io.kubewarden.policy.version"' '${{ inputs.policy-working-dir}}/metadata.yml')
+        policy_id=${policy_ociUrl##*/}
+        policy_basename=$(basename ${{inputs.policy-working-dir}})
+        policy_language=""
+        policy_rust_package=""
+
+        if [ -f '${{ inputs.policy-working-dir}}/Cargo.toml' ]; then
+          policy_language="rust"
+          policy_rust_package=$(sed  -n 's,^name = \"\(.*\)\",\1,p' "${{ inputs.policy-working-dir}}/Cargo.toml")
+          if [ '$policy_rust_package' == "" ]; then
+            echo 'cannot get rust policy ${{ inputs.policy-working-dir }} package name';
+            exit 1;
+          fi
+        else
+          # Currently this repository supports go and rust policies only
+          policy_language="go"
+        fi
+
+        echo "policy_language=$policy_language"
+        echo "policy_rust_package=$policy_rust_package"
+        echo "policy-id=$policy_id"
+        echo "policy-version=$policy_version"
+        echo "policy-basename=$policy_basename"
+
+        echo "policy-language=$policy_language" >> $GITHUB_OUTPUT
+        echo "policy-rust-package=$policy_rust_package" >> $GITHUB_OUTPUT
+        echo "policy-id=$policy_id" >> $GITHUB_OUTPUT
+        echo "policy-version=$policy_version" >> $GITHUB_OUTPUT
+        echo "policy-basename=$policy_basename" >> $GITHUB_OUTPUT

.github/actions/install-dependencies/action.yaml

@@ -0,0 +1,125 @@
+name: "kubewarden-policy-gh-action-dependencies"
+description: "Install all the binaries needed inside of GH action"
+branding:
+  icon: "package"
+  color: "blue"
+inputs:
+  KWCTL_VERSION:
+    description: "kwctl release to be installed"
+    required: false
+    default: v1.29.1
+  SYFT_VERSION:
+    description: "syft release to be installed"
+    required: false
+    default: "1.28.0"
+  arch:
+    description: "syft arch to be installed"
+    required: false
+    default: "linux_amd64" # windows_amd64, darwin_amd64
+  BINARYEN_VERSION:
+    description: "binaryen release to be installed"
+    required: false
+    default: "116"
+runs:
+  using: "composite"
+  steps:
+    - name: Install cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+    - name: Install kwctl
+      shell: bash
+      run: |
+        #!/bin/bash
+        set -e
+
+        # Build name of gihub release asset
+        OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]' | sed 's/macos/darwin/')
+        ARCH=$(echo "${{ runner.arch }}" | sed -E 's/X64/x86_64/; s/ARM64/aarch64/')
+        ASSET="kwctl-${OS}-${ARCH}"
+
+        INSTALL_DIR=$HOME/.kwctl
+        RELEASE_URL="download/${{ inputs.KWCTL_VERSION }}"
+        [ "${{ inputs.KWCTL_VERSION }}" == "latest" ] && RELEASE_URL="latest/download"
+
+        mkdir -p $INSTALL_DIR
+        curl -sL https://github.com/kubewarden/kwctl/releases/$RELEASE_URL/$ASSET.zip -o $INSTALL_DIR/$ASSET.zip
+        unzip -o $INSTALL_DIR/$ASSET.zip -d $INSTALL_DIR
+        rm $INSTALL_DIR/$ASSET.zip
+
+        mv $INSTALL_DIR/$ASSET $INSTALL_DIR/kwctl
+        chmod 755 $INSTALL_DIR/kwctl
+        echo $INSTALL_DIR >> $GITHUB_PATH
+
+        $INSTALL_DIR/kwctl -V
+    - name: Install bats
+      shell: bash
+      run: sudo apt install -y bats
+    - name: Install SBOM generator tool
+      shell: bash
+      if: ${{ inputs.arch != 'windows_amd64' }}
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.syft
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/anchore/syft/releases/download/v${{ inputs.SYFT_VERSION }}/syft_${{ inputs.SYFT_VERSION }}_${{ inputs.arch }}.tar.gz -o $INSTALL_DIR/syft.tar.gz
+        tar xvf $INSTALL_DIR/syft.tar.gz -C $INSTALL_DIR
+        rm $INSTALL_DIR/syft.tar.gz
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+
+    - name: Install SBOM generator tool
+      shell: bash
+      if: ${{ inputs.arch == 'windows_amd64' }}
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.syft
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/anchore/syft/releases/download/v${{ inputs.SYFT_VERSION  }}/syft_${{ inputs.SYFT_VERSION }}_windows_amd64.zip -o $INSTALL_DIR/syft.zip
+        unzip -n $INSTALL_DIR/syft.zip -d $INSTALL_DIR
+        rm $INSTALL_DIR/syft.zip
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+    - name: Install binaryen tool
+      shell: bash
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.binaryen
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/WebAssembly/binaryen/releases/download/version_${{ inputs.BINARYEN_VERSION }}/binaryen-version_${{ inputs.BINARYEN_VERSION }}-x86_64-linux.tar.gz -o $INSTALL_DIR/binaryen.tar.gz
+        tar xvf $INSTALL_DIR/binaryen.tar.gz -C $INSTALL_DIR
+        mv $INSTALL_DIR/binaryen-version_${{ inputs.BINARYEN_VERSION }}/bin/* $INSTALL_DIR
+        rm $INSTALL_DIR/binaryen.tar.gz
+        rm -rf $INSTALL_DIR/binaryen-version_${{ inputs.BINARYEN_VERSION }}
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+    - name: Setup rust toolchain
+      run: |
+        rustup toolchain install stable  --profile minimal --target wasm32-wasip1
+        rustup override set stable
+      shell: bash
+    - name: Install tinygo
+      shell: bash
+      run: |
+        wget https://github.com/tinygo-org/tinygo/releases/download/v0.39.0/tinygo_0.39.0_amd64.deb
+        sudo dpkg -i tinygo_0.39.0_amd64.deb
+    - name: Install semver tool
+      shell: bash
+      run: |
+        INSTALL_DIR="$HOME"/.semver
+        mkdir -p "$INSTALL_DIR"
+        wget -O "$INSTALL_DIR"/semver https://github.com/fsaintjacques/semver-tool/raw/3.4.0/src/semver
+        chmod +x "$INSTALL_DIR"/semver
+        echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+    - name: Install updatecli
+      uses: updatecli/updatecli-action@719e3592d124cbf826da704cbe557e1221dd4bba # v2.94.0

.github/workflows/ci.yaml

@@ -0,0 +1,49 @@
+name: Continuous integration
+on:
+  workflow_dispatch:
+  pull_request:
+  schedule:
+    - cron: "0 21 * * *"
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  calculate-policy-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      policy_working_dirs: ${{ steps.calculate-policy-dirs.outputs.policy_working_dirs }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0 # checkout all history to do git diff
+      - name: calculate which policies need a CI job
+        id: calculate-policy-dirs
+        shell: bash
+        run: |
+          git remote -v
+
+          policies_working_dirs=($(find policies -maxdepth 2 -name Makefile -exec dirname '{}' \;))
+          if [ "${{github.event_name}}" == "pull_request" ]; then
+            # list only changes of files in `policies/`:
+            git_files="$(git diff --no-color --find-renames --find-copies --name-only origin/${{ github.base_ref }} ${{ github.sha }} -- policies)"
+
+            # build policy_working_dirs:
+            policies_working_dirs=($(echo "$git_files" | cut -d/ -f1,2 ))
+          fi
+
+          declare -p policies_working_dirs # for debug
+          policy_working_dirs=$(jq --compact-output --null-input '$ARGS.positional | map(select(. != "policies/Cargo.lock" and . != "policies/Cargo.toml" and . != "policies/go.mod" and . != "policies/go.sum")) | unique' --args -- "${policies_working_dirs[@]}")
+          echo "policy_working_dirs=$policy_working_dirs"
+          echo "policy_working_dirs=$policy_working_dirs" >> $GITHUB_OUTPUT
+
+  continuos-integration:
+    uses: ./.github/workflows/reusable-ci.yaml
+    needs: calculate-policy-matrix
+    if: ${{ needs.calculate-policy-matrix.outputs.policy_working_dirs != '[]' }}
+    strategy:
+      matrix:
+        policy-working-dir: ${{ fromJSON(needs.calculate-policy-matrix.outputs.policy_working_dirs) }}
+    with:
+      policy-working-dir: ${{ matrix.policy-working-dir }}

.github/workflows/reusable-ci.yaml

@@ -0,0 +1,78 @@
+on:
+  workflow_call:
+    inputs:
+      policy-working-dir:
+        description: "Working directory of the policy. Useful for repos with policies in folders"
+        required: false
+        type: string
+        default: "."
+
+jobs:
+  linter:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Policy linter
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} lint
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Build policy
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} policy.wasm
+  unit-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Policy unit tests
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} test
+  e2e-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Policy integration test
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} e2e-tests

.gitignore

@@ -1,4 +1,5 @@
 qodana.yaml
+.github/workflows/qodana_code_quality.yml
 
 ### VisualStudioCode template
 .vscode/*

policies/istio-gateway/.gitignore

@@ -0,0 +1,2 @@
+target
+*.wasm

policies/istio-gateway/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "policy-istio-gateway"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+k8s-openapi = { version = "0.26.0", default-features = false, features = [
+  "v1_31",
+] }
+kcr_networking_istio_io = "2.20251019.30658"
+kubewarden-policy-sdk = "0.15"
+lazy_static = "1.5"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+slog = "2.7"
+thiserror = "2.0.17"

policies/istio-gateway/Makefile

@@ -0,0 +1,37 @@
+SOURCE_FILES := $(shell test -e src/ && find src -type f)
+
+policy.wasm: $(SOURCE_FILES) Cargo.*
+	cargo build --target=wasm32-wasip1 --release
+	cp target/wasm32-wasip1/release/*.wasm policy.wasm
+
+annotated-policy.wasm: policy.wasm metadata.yml
+	kwctl annotate -m metadata.yml -u README.md -o annotated-policy.wasm policy.wasm
+
+.PHONY: fmt
+fmt:
+	cargo fmt --all -- --check
+
+.PHONY: lint
+lint:
+	cargo clippy -- -D warnings
+
+.PHONY: e2e-tests
+e2e-tests: annotated-policy.wasm
+	bats e2e.bats
+
+.PHONY: test
+test: fmt lint
+	cargo test
+
+.PHONY: clean
+clean:
+	cargo clean
+	rm -f policy.wasm annotated-policy.wasm
+
+# .PHONY: push_gitlab
+# push_gitlab:
+# 	kwctl push --docker-config-json-path=`pwd` ./annotated-policy.wasm $(CI_REGISTRY)/itpe/core/open-platform/kubewarden-policies/policy-istio-gateway:$(VERSION)
+
+.PHONY: push_harbor
+push_harbor:
+	kwctl push --docker-config-json-path=`pwd` ./annotated-policy.wasm harbor.op-prg2-0-ingress.op.suse.org/policy-istio-gateway/policy-istio-gateway:$(VERSION)