conftest allows testing configuration data such as K8s resources defined by Helm charts. Because testing the chart against the policies requires rendering the chart, it likely makes sense to integrate it into the task to avoid inconsistencies with rendering.
Some considerations:
A new param is needed which indicates from where to pull policies (e.g. named conftest-policy). The value is a string accepted by go-getter. By default the param is empty, which means conftest would not run.
If this param is prefixed with k8s::, then the part after the prefix is interpreted as a K8s secret name, which is expected to have a key named location. Its value is then passed to conftest pull, providing an easy mechanism to hide secrets in policy locations (e.g. basic auth in HTTPS URLs).
If the conftest-policy param is set, then conftest is run against the rendered helm chart as the first thing in the task. The chart is rendered in the same way as the diff, just with the template command.
If rendering succeeds, the rendered chart is piped to conftest test.
By default, conftest checks the input against the policies with conftest test --all-namespaces -. It should be possible to customise this by having a param named e.g. conftest-flags, which defaults to --all-namespaces.
When conftest test returns a non-zero exit code, the task is stopped.
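One way the proposed step could be scripted, as an added example that is not code from the project: the function names, the release/chart arguments and the temporary directory layout are assumptions. It renders to a file before testing so a failed render cannot be masked by the pipe, and it never prints the resolved policy location.

```shell
# Added example, not the task's own script. Function names, the release/chart
# arguments and the temp-dir layout are assumptions made for illustration.

# Print the go-getter location for a conftest-policy param value.
resolve_policy_location() {
  case "$1" in
    k8s::*)
      # The part after the prefix is a secret name; its "location" key holds
      # the real value, which may embed credentials.
      kubectl get secret "${1#k8s::}" \
        -o go-template='{{ .data.location | base64decode }}'
      ;;
    *) printf '%s' "$1" ;;
  esac
}

# run_conftest POLICY_PARAM FLAGS RELEASE CHART
# Returns 0 when conftest is skipped or passes, non-zero otherwise.
run_conftest() {
  policy_param=$1; flags=${2:---all-namespaces}; release=$3; chart=$4
  [ -n "$policy_param" ] || return 0        # empty param: conftest does not run

  workdir=$(mktemp -d) || return 1
  rc=0
  # Do not echo $location or enable xtrace here: it can contain basic auth.
  location=$(resolve_policy_location "$policy_param") || rc=1
  if [ "$rc" -eq 0 ] && [ -z "$location" ]; then
    echo "conftest: resolved policy location is empty" >&2
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    conftest pull "$location" --policy "$workdir/policy" || rc=$?
  fi
  # Render to a file first. With a plain pipe, a failing "helm template" could
  # hand conftest empty input, and an empty document set violates no policy.
  if [ "$rc" -eq 0 ]; then
    helm template "$release" "$chart" > "$workdir/rendered.yaml" || rc=$?
  fi
  if [ "$rc" -eq 0 ]; then
    # $flags is left unquoted on purpose so several flags split into words.
    conftest test $flags --policy "$workdir/policy" - \
      < "$workdir/rendered.yaml" || rc=$?
  fi
  rm -rf "$workdir"
  return "$rc"
}
```
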