
Allow for configuration policies
Closed, Public

Authored by dduvall on Mar 7 2018, 4:43 AM.

Details

Reviewers
thcipriani
demon
hashar
mmodell
Group Reviewers
Release-Engineering-Team
Commits
rGBLBReb9b69dd3d71: Allow for configuration policies
Patch without arc
git checkout -b D999 && curl -L https://phabricator.wikimedia.org/D999?download=true | git apply
Summary

Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.

The format of policies is:

enforcements:
  - path: <path>
    rule: <rule>

Where <path> is a YAML-ish path to a config field and <rule> is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in config.validation.go).

Example policy:

enforcements:
  - path: variants.production.base
    rule: oneof=debian:jessie debian:stretch
  - path: variants.production.runs.as
    rule: ne=foo
  - path: variants.production.node.dependencies
    rule: isfalse

Command flag parsing was implemented in main.go to support the new
--policy=uri flag and improve existing handling of --version and the
usage statement.

Test Plan

Run go test ./....
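
The policy format from the summary, evaluated against a config, as an added example that is not Blubber's code. It assumes the config is already parsed into nested maps, covers only the three rules used in the example policy (the semantics of isfalse are assumed), and treats a missing path or an unknown rule as a violation, which is this example's choice. The names M, Enforcement, check and Violations are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

type M = map[string]interface{}              // stand-in for a parsed YAML config
type Enforcement struct{ Path, Rule string } // one path/rule entry of a policy

// check applies one rule; unknown rule names fail closed (this example's choice).
func check(rule string, v interface{}) bool {
	kv := append(strings.SplitN(rule, "=", 2), "") // kv[1] is "" for bare tags
	switch s := fmt.Sprint(v); kv[0] {
	case "oneof": // space-separated list of allowed values
		for _, allowed := range strings.Fields(kv[1]) {
			if s == allowed {
				return true
			}
		}
	case "ne":
		return s != kv[1]
	case "isfalse": // assumed semantics: the field must hold the boolean false
		return v == false
	}
	return false
}

// Violations returns the policy paths that are missing or fail their rule.
func Violations(cfg M, policy []Enforcement) (bad []string) {
	for _, e := range policy {
		cur, ok := interface{}(cfg), true
		for _, key := range strings.Split(e.Path, ".") {
			m, _ := cur.(M) // nil map once a segment is missing or a scalar
			cur, ok = m[key]
		}
		if !ok || !check(e.Rule, cur) {
			bad = append(bad, e.Path)
		}
	}
	return bad
}

func main() { // constructed config: runs.as is absent, node.dependencies is true
	cfg := M{"variants": M{"production": M{"base": "debian:stretch", "node": M{"dependencies": true}}}}
	fmt.Println(Violations(cfg, []Enforcement{ // the page's example policy
		{"variants.production.base", "oneof=debian:jessie debian:stretch"},
		{"variants.production.runs.as", "ne=foo"},
		{"variants.production.node.dependencies", "isfalse"}}))
}
```

Reporting an unresolvable path as a violation means a typo in a policy path surfaces as a failure instead of silently disabling the rule.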

Diff Detail

Repository
rGBLBR Blubber
Branch
try/policies
Lint
Lint OK
Unit
Unit Tests OK
Build Status
Buildable 2834
Build 4733: arc lint + arc unit

Event Timeline

dduvall created this revision. Mar 7 2018, 4:43 AM
Restricted Application added a reviewer: Release-Engineering-Team. Mar 7 2018, 4:43 AM
Restricted Application added a project: Release-Engineering-Team.
dduvall requested review of this revision. Mar 7 2018, 4:43 AM
dduvall updated this revision to Diff 2625. Mar 8 2018, 8:01 PM

Removed unnecessary vendor updates

dduvall updated this revision to Diff 2626. Mar 8 2018, 11:14 PM
dduvall retitled this revision from WIP Proof of concept for Blubber policies to Allow for configuration policies.
dduvall edited the summary of this revision.

Refactored policy format and implemented loading of policies from URIs.

dduvall updated this revision to Diff 2627. Mar 8 2018, 11:15 PM

Fixed linter warning

dduvall updated this revision to Diff 2628. Mar 9 2018, 9:50 PM

Replaced use of flag with github.com/pborman/getopt/v2

dduvall updated this revision to Diff 2646. Mar 19 2018, 8:41 PM
dduvall edited the summary of this revision.

Modified the Diff description to match the git commit because... arcanist.

thcipriani accepted this revision. Mar 19 2018, 10:47 PM

Seems to work well, code looks fine to me (My browser really hates this diff though :)).

I was initially surprised that this validated a variant I wasn't trying to build at the time. In retrospect, I think my expectations were wrong, but in an understandable way.

policy.example.yaml:6

FWIW, this policy doesn't work with blubber.example.yaml in the repo

This revision is now accepted and ready to land. Mar 19 2018, 10:47 PM
This revision was automatically updated to reflect the committed changes.