Closed anishnagaraj closed 1 year ago
That's a really good question.
AppProject makes use of the Kubernetes types. We cannot consume them with TinyGo, that's why we had to generate our lightweight version of them.
Moreover, the AppProject also has a series of additional methods that provide additional features. I see for example that portions of GRPC are included. This could make the compilation fail or, even if it passes, they will make the resulting binary bigger.
The key question is: what is your validation going to do? Does it need all these helper methods, functions and structs defined inside of the source code that is being included?
You can use the gjson library to extract the relevant fields from the incoming request. This approach is described inside of our docs.
Let's say you want to validate AppProject.Spec.Destinations. You can use gjson to extract this portion from the request and perform your validation.
By default, Go ignores unknown keys when unmarshalling a JSON object into a struct. You can leverage that to create your own stripped down version of AppProject. This struct will include only the fields you care about.
For example:
import (
	apimachinery_pkg_apis_meta_v1 "github.com/kubewarden/k8s-objects/apimachinery/pkg/apis/meta/v1"
)

type AppProject struct {
	APIVersion string                                    `json:"apiVersion,omitempty"`
	Kind       string                                    `json:"kind,omitempty"`
	Metadata   *apimachinery_pkg_apis_meta_v1.ObjectMeta `json:"metadata,omitempty"`
	Spec       *AppProjectSpec                           `json:"spec,omitempty"`
}

type AppProjectSpec struct {
	// Destinations contains list of destinations available for deployment
	Destinations []ApplicationDestination `json:"destinations,omitempty" protobuf:"bytes,2,name=destination"`
}

// ApplicationDestination holds information about the application's destination
type ApplicationDestination struct {
	// Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.
	Server string `json:"server,omitempty" protobuf:"bytes,1,opt,name=server"`
	// Namespace specifies the target namespace for the application's resources.
	// The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
	// Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.
	Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
	// nolint:govet
	isServerInferred bool `json:"-"`
}
As you can see, I just copied and pasted the relevant snippet from the struct definitions from the Argo project. I just replaced some metadata attributes to use the k8s objects module provided by Kubewarden. Note: you can even avoid defining them if you don't care about their contents.
I hope that helps. Feel free to provide us more details about the type of validation you're trying to build. We can help you figure out the right approach.
We are also considering a way to generate some TinyGo compatible struct definitions starting from an existing Go file (or an openapi spec).
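The stripped-down struct approach from the reply above, as an added example that is not code from the Kubewarden or Argo CD projects: it decodes only `apiVersion`, `kind` and `spec.destinations`, and shows that undeclared keys are ignored. The `validateAppProject` helper, the rule rejecting `*` destinations and the sample object are assumptions for illustration, and the block uses the standard-library `encoding/json` with the regular Go toolchain.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// appProject declares only the fields this check reads; every other key in
// the incoming object is ignored by json.Unmarshal.
type appProject struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Destinations []struct {
			Server    string `json:"server"`
			Namespace string `json:"namespace"`
			Name      string `json:"name"`
		} `json:"destinations"`
	} `json:"spec"`
}

// validateAppProject (hypothetical helper) rejects objects that are not an
// argoproj.io/v1alpha1 AppProject and, as an assumed rule, "*" destinations.
func validateAppProject(raw []byte) error {
	var p appProject
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("cannot decode object: %w", err)
	}
	if p.APIVersion != "argoproj.io/v1alpha1" || p.Kind != "AppProject" {
		return fmt.Errorf("unexpected object %q %q", p.APIVersion, p.Kind)
	}
	for i, d := range p.Spec.Destinations {
		if d.Server == "*" || d.Namespace == "*" || d.Name == "*" {
			return fmt.Errorf("destination %d uses a wildcard", i)
		}
	}
	return nil
}

// Constructed sample: metadata, description and sourceRepos are not declared above.
const sampleProject = `{"apiVersion":"argoproj.io/v1alpha1","kind":"AppProject",
 "metadata":{"name":"team-a","labels":{"owner":"team-a"}},
 "spec":{"description":"demo","sourceRepos":["*"],"destinations":[
  {"server":"https://kubernetes.default.svc","namespace":"team-a"},
  {"server":"*","namespace":"*"}]}}`

func main() {
	fmt.Println(validateAppProject([]byte(sampleProject)))
}
```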
This helps! I just want to validate the labels for now. So I will go with solution 1 to get the kind, apigroup and labels.
Solution 1 is suitable for my scenario
If you need to validate labels, you could use the safe-labels policy and deploy it to target the ArgoProject resources.
However, here you can see how safe-labels uses gjson to validate the labels.
But then I also need the kind and apiVersion to make sure the policy is applied on the right object.
But then I also need the kind and apiVersion to make sure the policy is applied on the right object.
Yes, exactly
Is there an existing issue for this?
Current Behavior
In one of my policies I have to validate the argoproj.io/v1alpha1/AppProject object. To do this I need the following library in my go.mod
github.com/argoproj/argo-cd/v2 v2.4.15
But upon running go mod tidy, the library github.com/kubewarden/k8s-objects v1.27.0-kw2 moves from the direct dependencies section to the indirection section. Because of this, whenever I try to run this command
tinygo build -o policy.wasm -target=wasi -no-debug .
I get the following error.
../../../../../../../../usr/local/go/src/os/user/cgo_lookup_cgo.go:14:6: not implemented: build constraints in #cgo line
../../../../../../../../usr/local/go/src/os/user/cgo_lookup_cgo.go:18:10: fatal: 'pwd.h' file not found
../../../../../../../../usr/local/go/src/os/user/getgrouplist_unix.go:12:10: fatal: 'grp.h' file not found
Expected Behavior
I expect policy.wasm to be built
Steps To Reproduce
go.mod content:
Run go mod tidy and go mod vendor
Run tinygo build -o policy.wasm -target=wasi -no-debug .
Environment
Anything else?
No response