Allow to run policies with different runtimes

[ereslibre]

Depends on: https://github.com/kubewarden/policy-evaluator/issues/21

In kwctl, an optional --runtime-mode flag has to be exposed with options: autodetect (default), kubewarden-wapc, opa and opa-gatekeeper that will be forwarded to the policy-evaluator. If autodetect is used (the default), the the policy-evaluator will be the responsible for running the given heuristics defined in https://github.com/kubewarden/policy-evaluator/issues/21.

[flavio]

I partially agree, let me explain.

Preamble:

• The wasm binaries ran by kwctl must be properly annotated via kwctl annotate. The policy metadata includes information about what kind of runtime has to be used (see https://github.com/kubewarden/kwctl/issues/57)

Having said that, I think it would be nice to allow a cli flag as the one you described. This can be handy when doing quick prototyping of a policy. When the user provides this flag, the policy-evaluator will ignore the metadata (if present) and just use the runtime specified by the user

[ereslibre]

+1, we are in agreement. I also mention that this new flag is optional, and by default will honor the metadata in the policy.

[flavio]

To recap:

• kwctl run does not require the policy to be annotated. This is the current behavior and we don't intend to change it
• When a wasm file is annotated:
  • If the kubewarden metadata includes information about the runtime to use:
  • if the user didn't invoke with --runtime-mode: kwctl will use this information to pick the right runtime
  • if the user specified a value for --runtime-mode: we error out if the value provided by the user does not match with the value inside of the wasm metadata
  • If the kubewarden metadata does NOT include information about the runtime to use (such as all the policies that currently exist), then kwctl will assume the policy is a kubewarden one, and use that runtime
• When a wasm file is NOT annotated:
  • If the user does not provide the --runtime-mode flag:
  • We do a quick heuristic to understand if the policy is Rego base (we look for the presence of the OPA ABI constants):
    • If we do not find the OPA ABI constant -> we assume the policy is a kubewarden one
    • If we do find the OPA ABI constant, kwctl exists with an error because the user has to specify whether this is a OPA or Gatekeeper policy (that influences how kwctl builds the input and data variables)
  • If the user does provide the --runtime-mode flag: we use the runtime the user specified