fix: banned image tag policy now checking for empty tag, knative containerPort added

Maurice Faber · Maurice Faber · commit ba05296ac909 · 2021-06-29T18:36:13.000+02:00
diff --git a/charts/team-ns/templates/knative-services.yaml b/charts/team-ns/templates/knative-services.yaml
@@ -40,6 +40,10 @@ spec:
           {{- with $k.command }}
           command: {{ . | toYaml | nindent 12 }}
           {{- end }}
+          {{- with $k.containerPort }}
+          ports:
+            - containerPort: {{ . }}
+          {{- end }}
           {{- with $k.args }}
           args: {{ . | toYaml | nindent 12 }}
           {{- end }}
diff --git a/policies/banned-image-tags/src.rego b/policies/banned-image-tags/src.rego
@@ -11,6 +11,16 @@ import data.lib.pods
 
 policyID = "banned-image-tags"
 
+violation[{"msg": msg}] {
+	not exceptions.is_exception(policyID)
+	pods.containers[container]
+	trace(sprintf("container: %v", [container]))
+	not exceptions.is_container_exception(container.name, policyID)
+	tag := [contains(container.image, ":")]
+	not all(tag)
+	msg := sprintf("Policy: %s - container <%v> didn't specify an image tag <%v>", [policyID, container.name, container.image])
+}
+
 violation[{"msg": msg}] {
 	not exceptions.is_exception(policyID)
 	pods.containers[container]
diff --git a/policies/banned-image-tags/src_test.rego b/policies/banned-image-tags/src_test.rego
@@ -22,10 +22,16 @@ pod_allowed := {
 	"spec": {"containers": [{"name": "allowed", "image": "bla:oktag"}]},
 }
 
-pod_disallowed := {
+pod_disallowed_tag := {
 	"kind": "Pod",
 	"metadata": {"name": "disallowed"},
-	"spec": {"containers": [{"name": "disallowed", "image": "bla:badtag"}]},
+	"spec": {"containers": [{"name": "disallowed-tag", "image": "bla:badtag"}]},
+}
+
+pod_disallowed_notag := {
+	"kind": "Pod",
+	"metadata": {"name": "disallowed"},
+	"spec": {"containers": [{"name": "disallowed-notag", "image": "bla"}]},
 }
 
 test_disabled {
@@ -42,8 +48,15 @@ test_pod_allowed {
 	count(ret) == 0
 }
 
-test_pod_disallowed {
-	ret := violation with input as pod_disallowed
+test_pod_disallowed_tag {
+	ret := violation with input as pod_disallowed_tag
+		 with data.parameters as parameters_enabled
+
+	count(ret) == 1
+}
+
+test_pod_disallowed_notag {
+	ret := violation with input as pod_disallowed_notag
 		 with data.parameters as parameters_enabled
 
 	count(ret) == 1
diff --git a/tests/fixtures/env/teams/services.demo.yaml b/tests/fixtures/env/teams/services.demo.yaml
@@ -46,6 +46,7 @@ teamConfig:
                   id: cb5149c4-8ea5-4c5a-be04-a37258658bd2
                   domain: tlspass.eks.dev.otomi.cloud
                   ksvc:
+                      containerPort: 80
                       image:
                           repository: nginx
                           tag: latest
diff --git a/values-schema.yaml b/values-schema.yaml
@@ -434,7 +434,6 @@ definitions:
       - $ref: '#/definitions/containerSpec'
     type: object
   portNumber:
-    default: 80
     maximum: 32768
     minimum: 80
     type: number
@@ -664,6 +663,10 @@ definitions:
                           - glob
                         title: Glob pattern matching
                     title: Continuous delivery pipeline
+                  containerPort:
+                    $ref: '#/definitions/portNumber'
+                    description: Container port the knative pod will connect with. Leaving this empty will let knative infer the port from the container, which usually works, but might be problematic when the container does not specifically expose a port. (As is the case with nginx derived images!)
+                    title: Container port
                   scaleToZero:
                     default: false
                     description: Scales to zero after 60 seconds and needs approximately 8 seconds to start back up.
diff --git a/values/otomi-api/otomi-api.gotmpl b/values/otomi-api/otomi-api.gotmpl
@@ -9,6 +9,7 @@
 {{- $version := (readFile "../../package.json") | regexFind "\"version\": \"([0-9.]+)\"" | regexFind "[0-9]+.[0-9]+.[0-9]+" -}}
 {{- $sopsEnv := tpl (readFile "../../helmfile.d/snippets/sops-env.gotmpl") ($v | get "kms.sops" dict) }}
 {{- $skipVerify := eq ($cm | get "stage") "staging" }}
+{{- $giteaValuesUrl := print "https://gitea." $v.cluster.domainSuffix }}
 
 replicaCount: 1
 
@@ -37,8 +38,8 @@ secrets:
   
 env:
   # DEBUG: '*'
-  GIT_REPO_URL: {{ $o.git.repoUrl }}
-  GIT_BRANCH: {{ $o.git | get "branch" "main" }}
+  GIT_REPO_URL: {{ $o | get "git.repoUrl" }}
+  GIT_BRANCH: {{ $o | get "git.branch" "main" }}
   CLUSTER_ID: {{ printf "%s/%s" $c.provider $c.name }}
   CLUSTER_NAME: {{ $c.apiName }}
   CLUSTER_APISERVER: {{ $c.apiServer }}
