From eb9b69dd3d710cb7afa1dfb6e23a5987842b21cc Mon Sep 17 00:00:00 2001
From: Dan Duvall <dduvall@wikimedia.org>
Date: Tue, 6 Mar 2018 20:31:58 -0800
Subject: Allow for configuration policies

Summary:
Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.

The format of policies is:

    enforcements:
      - path: <path>
        rule: <rule>

Where `<path>` is a YAML-ish path to a config field and `<rule>` is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in `config.validation.go`).

Example policy:

    enforcements:
      - path: variants.production.base
        rule: oneof=debian:jessie debian:stretch
      - path: variants.production.runs.as
        rule: ne=foo
      - path: variants.production.node.dependencies
        rule: isfalse

Command flag parsing was implemented in `main.go` to support the new
`--policy=uri` flag and improve existing handling of `--version` and the
usage statement.

Test Plan: Run `go test ./...`.

Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team

Reviewed By: thcipriani, #release-engineering-team

Tags: #release-engineering-team

Differential Revision: https://phabricator.wikimedia.org/D999
---
 policy.example.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 policy.example.yaml

(limited to 'policy.example.yaml')

diff --git a/policy.example.yaml b/policy.example.yaml
new file mode 100644
index 0000000..2ca553b
--- /dev/null
+++ b/policy.example.yaml
@@ -0,0 +1,5 @@
+enforcements:
+  - path: variants.production.base
+    rule: oneof=debian:jessie debian:jessie-slim
+  - path: variants.production.node.dependencies
+    rule: istrue
-- 
cgit v1.2.1