feat: init commit

crates/burrego/test_data/gatekeeper/Makefile

@@ -0,0 +1,10 @@
+test: policy.wasm
+	bats e2e.bats
+
+policy.wasm: policy.rego
+	opa build -t wasm -e policy/violation -o policy.tar.gz policy.rego
+	tar -xf policy.tar.gz /policy.wasm
+	rm policy.tar.gz
+
+clean:
+	rm -f *.wasm *.tar.gz

crates/burrego/test_data/gatekeeper/e2e.bats

@@ -0,0 +1,21 @@
+#!/usr/bin/env bats
+
+@test "[accept in namespace]: valid namespace" {
+  run cargo run --example  cli -- -v eval policy.wasm --input-path request-valid.json
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  # request accepted
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*"result":.*\[\]') -ne 0 ]
+}
+
+@test "[accept in namespace]: not valid namespace" {
+  run cargo run --example  cli -- -v eval policy.wasm --input-path request-not-valid.json
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  # request accepted
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*"msg": "object created under an invalid namespace kube-system; allowed namespaces are \[default test\]"') -ne 0 ]
+}

crates/burrego/test_data/gatekeeper/policy.rego

@@ -0,0 +1,8 @@
+package policy
+
+violation[{"msg": msg}] {
+	object_namespace := input.review.object.metadata.namespace
+	satisfied := [allowed_namespace | namespace = input.parameters.allowed_namespaces[_]; allowed_namespace = object_namespace == namespace]
+	not any(satisfied)
+	msg := sprintf("object created under an invalid namespace %s; allowed namespaces are %v", [object_namespace, input.parameters.allowed_namespaces])
+}

crates/burrego/test_data/gatekeeper/request-not-valid.json

@@ -0,0 +1,26 @@
+{
+  "parameters": {
+    "allowed_namespaces": [
+      "default",
+      "test"
+    ]
+  },
+  "review": {
+    "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
+    "kind": {
+      "group": "networking.k8s.io",
+      "kind": "Ingress",
+      "version": "v1"
+    },
+    "object": {
+      "apiVersion": "networking.k8s.io/v1",
+      "kind": "Ingress",
+      "metadata": {
+        "name": "ingress-wildcard-host",
+        "namespace": "kube-system"
+      },
+      "spec": {
+      }
+    }
+  }
+}

crates/burrego/test_data/gatekeeper/request-valid.json

@@ -0,0 +1,26 @@
+{
+  "parameters": {
+    "allowed_namespaces": [
+      "default",
+      "test"
+    ]
+  },
+  "review": {
+    "uid": "1299d386-525b-4032-98ae-1949f69f9cfc",
+    "kind": {
+      "group": "networking.k8s.io",
+      "kind": "Ingress",
+      "version": "v1"
+    },
+    "object": {
+      "apiVersion": "networking.k8s.io/v1",
+      "kind": "Ingress",
+      "metadata": {
+        "name": "ingress-wildcard-host",
+        "namespace": "default"
+      },
+      "spec": {
+      }
+    }
+  }
+}

crates/burrego/test_data/trace/Makefile

@@ -0,0 +1,10 @@
+test: policy.wasm
+	bats e2e.bats
+
+policy.wasm: policy.rego
+	opa build -t wasm -e policy/main -o policy.tar.gz policy.rego
+	tar -xf policy.tar.gz  /policy.wasm
+	rm policy.tar.gz
+
+clean:
+	rm -f *.wasm *.tar.gz

crates/burrego/test_data/trace/e2e.bats

@@ -0,0 +1,23 @@
+#!/usr/bin/env bats
+
+@test "input message is not valid" {
+  run cargo run --example  cli -- -v eval policy.wasm -i '{ "message": "mondo" }'
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  # request rejected
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*"result":.*false') -ne 0 ]
+  [ $(expr "$output" : ".*input\.message has been set to 'mondo'") -ne 0 ]
+}
+
+@test "input message is valid" {
+  run cargo run --example  cli -- -v eval policy.wasm -i '{ "message": "world" }'
+  # this prints the output when one the checks below fails
+  echo "output = ${output}"
+
+  # request rejected
+  [ "$status" -eq 0 ]
+  [ $(expr "$output" : '.*"result":.*true') -ne 0 ]
+  [ $(expr "$output" : ".*input\.message has been set to 'world'") -ne 0 ]
+}

crates/burrego/test_data/trace/policy.rego

@@ -0,0 +1,9 @@
+package policy
+
+default main = false
+
+main {
+  trace(sprintf("input.message has been set to '%v'", [input.message]));
+  m := input.message;
+  m == "world"
+}