open-policy-agent / conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language
https://conftest.dev

Using Conftest with OPA bundles #924

Open richardmcsong opened 4 months ago

richardmcsong commented 4 months ago

What I tried:

  1. opa build . where . is the location of my policies
  2. oras push <oci registry uri> --config config.json:[...] bundle.tar.gz:[...] as per the OPA documentation website
  3. conftest test --update <oci registry uri> my-file.yaml

Note that my oci registry is on an on-prem instance of artifactory. I'm not 100% sure, but https://github.com/open-policy-agent/conftest/blob/master/downloader/oci_detector.go#L33 uses a regex match on hostnames to determine whether it's a valid OCI registry, which would fail on my on-prem artifactory (since it doesn't use those hostnames).

What I expected

conftest to download the bundle.tar.gz file, unpack it, and then run the tests in the file.

What I observed

Error: running test: load: loading policies: no policies found in [policy]. I saw that the bundle.tar.gz file had been downloaded.

Notes

I also tried with conftest push -- I was expecting both processes to work the same way. However, when I inspected the registry itself, I saw very different file formats.

The manifest.json for the opa build . && oras push command shows that a single layer was pushed that contained the bundle.tar.gz layer. However, the manifest.json for the conftest push command shows that multiple layers were pushed, each layer containing a single .rego file.

What is the intended behaviour? The documentation mentions the format should reuse the OPA bundle format.
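An added example, not from the issue or from conftest's own code, that distinguishes the two registry layouts described above by reading the artifact's manifest.json: one gzip tarball layer (opa build + oras push) versus one layer per .rego file (conftest push). The sample manifests, digests and media types below are constructed for illustration; only the org.opencontainers.image.title annotation and the OCI layer media types are standard values.

```python
import json

# Constructed sample: what `opa build . && oras push` is described as producing,
# a single tar+gzip layer carrying bundle.tar.gz. Digests are placeholders.
OPA_BUNDLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "size": 2, "digest": "sha256:<placeholder-config>"},
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 1234, "digest": "sha256:<placeholder-bundle>",
         "annotations": {"org.opencontainers.image.title": "bundle.tar.gz"}},
    ],
})

# Constructed sample: what `conftest push` is described as producing,
# one layer per policy file (media type assumed, not taken from conftest).
CONFTEST_PUSH_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "size": 2, "digest": "sha256:<placeholder-config>"},
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar",
         "size": 321, "digest": "sha256:<placeholder-deny>",
         "annotations": {"org.opencontainers.image.title": "deny.rego"}},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar",
         "size": 210, "digest": "sha256:<placeholder-helpers>",
         "annotations": {"org.opencontainers.image.title": "helpers.rego"}},
    ],
})


def layer_titles(manifest: dict) -> list:
    """Return the file title annotation of every layer ('' when absent)."""
    return [layer.get("annotations", {}).get("org.opencontainers.image.title", "")
            for layer in manifest.get("layers", [])]


def classify_manifest(manifest_json: str) -> str:
    """Classify an OCI manifest as 'opa-bundle', 'rego-layers' or 'unknown'."""
    manifest = json.loads(manifest_json)
    layers = manifest.get("layers", [])
    titles = layer_titles(manifest)
    if (len(layers) == 1 and layers[0].get("mediaType", "").endswith("tar+gzip")
            and titles[0].endswith((".tar.gz", ".tgz"))):
        return "opa-bundle"          # single compressed bundle layer
    if layers and all(t.endswith(".rego") for t in titles):
        return "rego-layers"         # one plain layer per policy file
    return "unknown"
```

Running classify_manifest over a manifest fetched from the registry tells you which layout was pushed before you spend time on the "no policies found" error.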

boranx commented 1 week ago

hi @richardmcsong

Thanks for reporting the issue! At first glance at the code, I'd say local registries are also supported in conftest: https://github.com/open-policy-agent/conftest/blob/acfa9f0250e5abca384633cba8204c74d300faa9/downloader/oci_detector.go#L50, in case they are in the form of 127.0.0.1:port or localhost.

From a user experience point of view, as to how you'd store your policies and execute, I'd recommend using conftest push, because it just takes the parameters as required, so you don't have to manage compressing the layers as a tarball and handle JSON files. The example format would be conftest push 127.0.0.1:5000/testpolicy path/to/policy-dir

We might wanna update the conftest docs with local registry use cases for better visibility; any PRs are welcome if you have any cycles :)