feat: scaffold KW policy from Kubernetes ValidatingAdmissionPolicy

Add the new `scaffold vap` subcommand. This allows to create a Kubewarden ClusterAdmissionPolicy starting from a Kubernetes ValidatingAdmissionPolicy. Signed-off-by: Flavio Castelli <[email protected]>
kubewarden · Jun 19, 2024 · 27e80c2 · 27e80c2
1 parent c21efb6
commit 27e80c2
Show file tree

Hide file tree

Showing 9 changed files with 423 additions and 18 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,7 +23,7 @@ pem = "3"
 pulldown-cmark-mdcat = { version = "2.1.2", default-features = false, features = [
   "regex-fancy",
 ] }
-policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.17.7" }
+policy-evaluator = { git = "https://github.com/kubewarden/policy-evaluator", tag = "v0.18.0" }
 rustls-pki-types = { version = "1", features = ["alloc"] }
 prettytable-rs = "^0.10"
 pulldown-cmark = { version = "0.9.3", default-features = false }

diff --git a/src/cli.rs b/src/cli.rs
@@ -465,6 +465,27 @@ fn subcommand_scaffold() -> Command {
             .help("Policy URI or SHA prefix. Supported schemes: registry://, https://, file://. If schema is omitted, file:// is assumed, rooted on the current directory."),
     );
 
+    let mut vap_args = vec![
+        Arg::new("cel-policy")
+            .long("cel-policy")
+            .value_name("URI")
+            .default_value("ghcr.io/kubewarden/policies/cel-policy:latest")
+            .help("The CEL policy module to use"),
+        Arg::new("policy")
+            .long("policy")
+            .short('p')
+            .required(true)
+            .value_name("VALIDATING-ADMISSION-POLICY.yaml")
+            .help("The file containining the ValidatingAdmissionPolicy definition"),
+        Arg::new("binding")
+            .long("binding")
+            .short('b')
+            .required(true)
+            .value_name("VALIDATING-ADMISSION-POLICY-BINDING.yaml")
+            .help("The file containining the ValidatingAdmissionPolicyBinding definition"),
+    ];
+    vap_args.sort_by(|a, b| a.get_id().cmp(b.get_id()));
+
     let mut subcommands = vec![
         Command::new("verification-config")
             .about("Output a default Sigstore verification configuration file"),
@@ -474,6 +495,9 @@ fn subcommand_scaffold() -> Command {
         Command::new("manifest")
             .about("Output a Kubernetes resource manifest")
             .args(manifest_args),
+        Command::new("vap")
+            .about("Convert a Kubernetes `ValidatingAdmissionPolicy` into a Kubewarden `ClusterAdmissionPolicy`")
+            .args(vap_args),
     ];
     subcommands.sort_by(|a, b| a.get_name().cmp(b.get_name()));
 

diff --git a/src/main.rs b/src/main.rs
@@ -394,6 +394,20 @@ async fn main() -> Result<()> {
                     )?;
                 };
             }
+            if let Some(matches) = matches.subcommand_matches("scaffold") {
+                if let Some(matches) = matches.subcommand_matches("vap") {
+                    let cel_policy_uri = matches.get_one::<String>("cel-policy").unwrap();
+                    let vap_file: PathBuf = matches.get_one::<String>("policy").unwrap().into();
+                    let vap_binding_file: PathBuf =
+                        matches.get_one::<String>("binding").unwrap().into();
+
+                    scaffold::vap(
+                        cel_policy_uri.as_str(),
+                        vap_file.as_path(),
+                        vap_binding_file.as_path(),
+                    )?;
+                };
+            }
             Ok(())
         }
         Some("completions") => {