opa, open-policy-agent, rego

Rego check env values file


I am new to Rego. I have a values file for a Helm template and want to check that all envs (envMap or envNginxSocket, envPhpSocket, etc.) in the global section are in quotes. For example, REDIS_PORT: 6379 is not allowed; the value cannot be without quotes. Here is my values file

global:
  release: &release "{{ .ReleaseTag }}"
  env: "{{ .Environment }}"
  namespace: &namespace "{{ .Namespace }}"
  cluster: "{{ .Cluster }}"
  envMap: &service-env
    APP_ENV: "prod"
    APP_DEBUG: "0"
    WEB_HOST: "https://example.com"
    ENDPOINT_PATH: "/api"
    JWT_SECRET_KEY: "%kernel.project_dir%/config/jwt/private.pem"
    JWT_PUBLIC_KEY: "%kernel.project_dir%/config/jwt/public.pem"
    JWT_TOKEN_TTL: "86400"
    REFRESH_JWT_TOKEN_TTL: "2592000"
    LOG_ENVIRONMENT: "prod"
    REDIS_HOST: "redis.service.consul"
    REDIS_PORT: "6379"
    ...
  envNginxSocket: &nginx-socket-env
    BACKEND_LISTEN: "unix:/tmp/php/php.socket"
    FCGI_CONNECT: "/tmp/php/php.socket"
    PHP_FPM_SCRAPE_URI: "unix:///tmp/php/php.socket;/status"
    ...
  envPhpSocket: &php-socket-env
    PHP_WWW_PM_MAX_CHILD: "32"
    PHP_WWW_LISTEN: "/tmp/php/php.socket"
    FCGI_CONNECT: "/tmp/php/php.socket"
    ...

My plan

  1. Input global section
  2. Filter only env*
  3. Check values

But I don't have an idea how to do steps 2 to 3. Here is my code

violation[msg] {
    some key
    k8s_values := input.global[key]                         # iterate over every key of the global section
    c := split(concat(",", [ v | v := key ]), ",")           # wrap the single key name in an array
    arr := [cont | cont = c[i] ; regex.match(".*env.*", c[i])]   # keep only key names containing "env"
    1 + 0 != 0 # always true; only here to force a result for checking
    msg := sprintf("%v | Values",[arr])
}

Result

+---------+-----------------------------+-----------+-----------------------------+
| RESULT  |            FILE             | NAMESPACE |           MESSAGE           |
+---------+-----------------------------+-----------+-----------------------------+
| failure | deployment/values-prod.yaml | main      | ["env"] | Values            |
| failure | deployment/values-prod.yaml | main      | ["envMap"] | Values         |
| failure | deployment/values-prod.yaml | main      | ["envNginxSocket"] | Values |
| failure | deployment/values-prod.yaml | main      | ["envPhpSocket"] | Values   |
| failure | deployment/values-prod.yaml | main      | [] | Values                 |
+---------+-----------------------------+-----------+-----------------------------+

Any suggestions/advice?


Solution

  • Do you mean something like this?

    violation[msg] {
        value := input.global[group][key]     # iterate over every group under global and every key in it
        startswith(group, "env")              # only groups named env*, e.g. envMap, envNginxSocket
        not is_string(value)                  # an unquoted 6379 is parsed as a number, not a string
        msg := sprintf("%s in %s is not a string (%v)", [key, group, value])
    }
    

    An interactive example: https://play.openpolicyagent.org/p/Ckn9LvgBWG

    If this doesn't generate the expected outcome, please point out what I've misunderstood.
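The policy below is an added example, not the question's or the answer's code. It is the same check as the answer, written for conftest (package `main`) with the `import rego.v1` syntax (OPA 0.59 or newer; on an older OPA drop the import and write `violation[msg] {` and `test_... {` as on this page), plus a constructed input and two `opa test` rules that pin down the expected violations. The file name `policy.rego`, the `test_input` document and the message format are assumptions; the input mimics what the YAML parser produces for a values file in which `REDIS_PORT` and a boolean flag were left unquoted.

```rego
# Added example (not from the question or the answer).
package main

import rego.v1

# Every key of input.global whose name starts with "env" is treated as an
# environment-variable map. A value that the YAML parser turned into a
# number, boolean or null (6379, 0, true, yes, ~) came from an unquoted
# scalar and is reported. Scalar groups such as global.env are skipped
# automatically: indexing a string with [key] is undefined in Rego.
violation contains msg if {
    value := input.global[group][key]
    startswith(group, "env")
    not is_string(value)
    msg := sprintf("global.%s.%s must be a quoted string, got %v (%s)", [group, key, value, type_name(value)])
}

# Constructed test input (assumption): the parsed form of a values file
# with two unquoted scalars, REDIS_PORT and SOME_FLAG.
test_input := {"global": {
    "env": "{{ .Environment }}",
    "envMap": {
        "APP_ENV": "prod",
        "APP_DEBUG": "0",
        "REDIS_PORT": 6379
    },
    "envPhpSocket": {
        "PHP_WWW_PM_MAX_CHILD": "32",
        "PHP_WWW_LISTEN": "/tmp/php/php.socket"
    },
    "envNginxSocket": {"SOME_FLAG": false}
}}

# Run with: opa test -v policy.rego
test_unquoted_values_are_reported if {
    got := violation with input as test_input
    count(got) == 2
    "global.envMap.REDIS_PORT must be a quoted string, got 6379 (number)" in got
    "global.envNginxSocket.SOME_FLAG must be a quoted string, got false (boolean)" in got
}

test_quoted_values_pass if {
    got := violation with input as {"global": {"envMap": {"REDIS_PORT": "6379", "APP_DEBUG": "0"}}}
    count(got) == 0
}
```

Against the real file the check runs as `conftest test deployment/values-prod.yaml -p policy/` (policy directory assumed). Two things worth knowing when reading its output: YAML 1.1 parsers also turn unquoted `yes`, `no`, `on` and `off` into booleans, which `not is_string` catches just like bare numbers; and a Go template value such as `{{ .Environment }}` must be quoted anyway, since an unquoted `{{` is a YAML parse error before the policy ever runs.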