Page MenuHomePhabricator

Allow for configuration policies
ClosedPublic

Authored by dduvall on Mar 7 2018, 4:43 AM.

Details

Reviewers
thcipriani
demon
hashar
mmodell
Group Reviewers
Release-Engineering-Team
Commits
rGBLBReb9b69dd3d71: Allow for configuration policies
Patch without arc
git checkout -b D999 && curl -L https://phabricator.wikimedia.org/D999?download=true | git apply
Summary

Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.

The format of policies is:

enforcements:
  - path: <path>
    rule: <rule>

Where <path> is a YAML-ish path to a config field and <rule> is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in config.validation.go).

Example policy:

enforcements:
  - path: variants.production.base
    rule: oneof=debian:jessie debian:stretch
  - path: variants.production.runs.as
    rule: ne=foo
  - path: variants.production.node.dependencies
    rule: isfalse

Command flag parsing was implemented in main.go to support the new
--policy=uri flag and improve existing handling of --version and the
usage statement.

Test Plan

Run go test ./....

Diff Detail

Repository
rGBLBR Blubber
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Removed unecessary vendor updates

dduvall retitled this revision from WIP Proof of concept for Blubber policies to Allow for configuration policies.
dduvall edited the summary of this revision. (Show Details)

Refactored policy format and implemented loading of policies from URIs.

Replaced use of flag with github.com/pborman/getopt/v2

dduvall edited the summary of this revision. (Show Details)

Modified the Diff description to match the git commit because... arcanist.

Seems to work well, code looks fine to me (My browser really hates this diff though :)).

I was initially surprised that this validated a variant I wasn't trying to build at the time. In retrospect, I think my expectations were wrong, but in an understandable way.

policy.example.yaml
6

FWIW, this policy doesn't work with blubber.example.yaml in the repo

This revision is now accepted and ready to land.Mar 19 2018, 10:47 PM
This revision was automatically updated to reflect the committed changes.