Closed viccuad closed 2 years ago
As an example of a Helm chart for a policy, see https://github.com/kubewarden/allow-privilege-escalation-psp-policy/pull/30.
This example is implemented directly in the main branch of the policy repo, instead of an orphan branch, and is reusing its readme, license, and files.
I propose a variation on the alternative approach which is a hybrid between the core proposal and alternative "A":
Store the additional information inside of the Wasm metadata
Have a tool that reads the embedded metadata and produces as output all the Rancher helm chart files
Looking at the contents created via https://github.com/kubewarden/allow-privilege-escalation-psp-policy/pull/30, I think the only reasonable thing to include inside of the policy metadata would be the questions.yml stuff. I wonder if this is worth the effort...
Committed clarification of points, and reworded to use folder instead of branch.
Looking at the contents created via https://github.com/kubewarden/allow-privilege-escalation-psp-policy/pull/30, I think the only reasonable thing to include inside of the policy metadata would be the questions.yml stuff. I wonder if this is worth the effort...
It also provides a simple airgap story for the metadata (download Helm charts, mirror OCI wasm modules).
I still favour Alternative B (use OCI's manifest.config). To me, it feels like the correct implementation. It's a field that is present for normal container images, simplifies airgap, removes unneeded metadata from artifacthub-pkg.yml.
We just need a client that can pull the manifest of an artifact from an OCI registry (e.g., 30 secs search, https://github.com/Pixeladed/oci-registry-js), and to do so on kwctl push too. We aren't making much of a new promise, just substituting storing the metadata in artifacthub/helm chart for the OCI repo.
Merging! We can make adjustments later on.
Description
Relates to https://github.com/kubewarden/rfc/issues/7
Rendered RFC.