
Comments (12)

jalseth avatar jalseth commented on July 18, 2024

@artis3n Gatekeeper only supports data.lib.XYZ imports, so that is also what Konstraint supports. This has caused issues in the past with attempting to have conftest be able to test with input parameters supplied via the --data flag (#108 and #86). However, it's up to the Gatekeeper team about what is allowed. Relevant discussion is here: open-policy-agent/gatekeeper#1046

from konstraint.

artis3n avatar artis3n commented on July 18, 2024

Ah ha, thanks for that context. There's the additional difference that the lib/ directory under the examples in this repo only contains rego files. I don't see any data imports to mimic the yaml that can be passed into conftest [verify/test] --data. I am guessing konstraint only supports rego data imports then?


jalseth avatar jalseth commented on July 18, 2024

Yes, that is correct. It would be possible to add a --data flag that would generate key:value pairs from YAML/JSON into Rego to include at a pre-determined data.lib.X path, but I'd like to have a better understanding of the use case and benefits compared to just including that data in the policy itself or another object that Gatekeeper could sync and use in decisions such as a ConfigMap.


artis3n avatar artis3n commented on July 18, 2024

I am trying to generate policy documentation from a policy importing data with https://www.conftest.dev/options/#-data

Now, I'm not using Gatekeeper... at the moment. We're using Conftest and then using Konstraint solely to generate policy documentation, so I'm a bit out there as an edge case. But if this tool is supposed to maintain parity between conftest and gatekeeper, I think this request is reasonable.

I have a policy looking at a Dockerfile and saying hey, only these private registries can be used. The registries are currently hard-coded into the rego as a variable but I want to break them out to publish the generic policy and let others be able to enter their own registry data without having to change the policy code.

Similarly, I'm using Conftest to enforce that internal npm packages are published within our npm org scope. I want to publish that policy and, similarly, let other groups pass in --data to conftest to set the appropriate npm org, while still being able to conftest pull <policy> and run it with their data without having to modify the rego source.

And in that world I want to leverage konstraint for nice policy documentation! Although I am not against going and replicating konstraint's policy documentation features in a separate tool that is tied to conftest, not gatekeeper, to handle more flexibility. I know this isn't the focus of your tool.

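The pattern artis3n describes (a Dockerfile registry policy whose allowed registries come from a `--data` file instead of a hard-coded variable) looks roughly like the following. This is an added example, not the policy from the thread or code from the Konstraint or Conftest projects. It assumes Conftest's Dockerfile parser exposes each instruction as `input[i].Cmd` / `input[i].Value` (as in Conftest's own Dockerfile examples), that a YAML file passed with `--data` has its top-level keys merged at the root of `data`, and that a `FROM x AS name` line is tokenised as `["x", "AS", "name"]`; the registry names are constructed sample values.

```rego
package main

# Constructed example: allowed registries are supplied at test time with
#   conftest test --data registries.yaml Dockerfile
# where registries.yaml (constructed) contains:
#   allowed_registries:
#     - registry.internal.example
#     - mirror.internal.example
# Assumption: the file's top-level key ends up at data.allowed_registries.

# Fall back to an empty list when no data file was supplied, so the
# fail-closed rule below can fire instead of the policy silently passing.
allowed_registries := object.get(data, "allowed_registries", [])

# Names of build stages declared with "FROM <image> AS <name>".
# Assumption about the parser: Value holds the raw tokens after FROM.
stage_names[name] {
    input[i].Cmd == "from"
    upper(input[i].Value[1]) == "AS"
    name := input[i].Value[2]
}

# Image references from every FROM instruction, skipping references to
# earlier stages so multi-stage builds are not flagged for "FROM builder".
from_images[img] {
    input[i].Cmd == "from"
    img := input[i].Value[0]
    not stage_names[img]
}

# An image is approved only when it starts with "<registry>/": the trailing
# slash prevents "registry.internal.example.attacker.test/..." from matching
# a plain prefix check.
approved(img) {
    registry := allowed_registries[_]
    startswith(img, sprintf("%s/", [registry]))
}

deny[msg] {
    img := from_images[_]
    not approved(img)
    msg := sprintf("image %q is not from an approved registry %v", [img, allowed_registries])
}

# Fail closed: a Dockerfile with FROM lines but no registry data must not pass.
deny[msg] {
    count(from_images) > 0
    count(allowed_registries) == 0
    msg := "no allowed_registries supplied; pass a data file with --data"
}
```

Because the registries live in `data` rather than in the policy, the same `.rego` can be published and pulled unchanged, and each consumer supplies their own file. The Gatekeeper constraint jalseth raises still applies: a policy that reads `data.allowed_registries` works under Conftest but would need the data at a `data.lib.*` path, or in a synced object such as a ConfigMap, before it could run unchanged in Gatekeeper.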

jalseth avatar jalseth commented on July 18, 2024

Ah, OK I understand the intended use case now. Would the documentation include the input from the --data flag somehow? Or do you just need Konstraint to not error in this case?


artis3n avatar artis3n commented on July 18, 2024

Yeah I don't see a reason the documentation needs to validate the rego, just mirror it in the markdown. If you want a --data flag to do validation that works, but honestly just not checking the content and mirroring the rego source into the documentation would be fine.


artis3n avatar artis3n commented on July 18, 2024

I assume the validation is more of a side effect of this than an intentional thing? I don't have all the moving pieces in my head yet.
https://github.com/plexsystems/konstraint/blob/main/internal/commands/document.go#L112


jalseth avatar jalseth commented on July 18, 2024

Well, I think we do want to parse the Rego to make sure it's valid, but we don't need to scan the imports for documentation generation, so it sounds like removing that would fit your use case without straying from the purpose of Konstraint. I'll get something together to address this in the next few days.


jalseth avatar jalseth commented on July 18, 2024

@artis3n Can you build from https://github.com/jalseth/konstraint/tree/fix-185 and let me know if it resolves your issue?


artis3n avatar artis3n commented on July 18, 2024

That successfully generated my documentation in my test that was previously failing, thanks for the quick fix!


jalseth avatar jalseth commented on July 18, 2024

Great! This has been included in the latest patch release.


artis3n avatar artis3n commented on July 18, 2024

Thank you!

