This reverts this merged PR: https://github.com/kubewarden/go-policy-template/pull/22/files

Unfortunately one of the dependencies of gjson is not compatible with TinyGo. Building the template policy leads to the following build time failure:

-: blocking operation in exported function: __guest_call

traceback:
__guest_call
main.validate
fmt.Sprintf
(*fmt.pp).doPrintf
(*fmt.pp).printArg
(*fmt.pp).printValue
internal/fmtsort.Sort
sort.Stable
sort.stable
sort.insertionSort
(sort.Interface).Less
(*github.com/tidwall/pretty.byKeyVal).Less
(*github.com/tidwall/pretty.byKeyVal).isLess
github.com/tidwall/pretty.parsestr
encoding/json.Unmarshal
(*encoding/json.decodeState).unmarshal
(*encoding/json.decodeState).value
(*encoding/json.decodeState).object
encoding/json.cachedTypeFields
(*sync.Map).LoadOrStore
(*sync.Mutex).Lock
make: *** [Makefile:4: policy.wasm] Error 1

CC @floriankoch

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | github.com/kubewarden/policy-sdk-go | require | minor | v0.1.3 -> v0.2.1 |

Release Notes

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

Do not merge: this is for internal demo purposes still

This takes advantage of the work I've done to have Kubernetes data types compatible with TinyGo.

This template has been broken since we merged https://github.com/kubewarden/go-policy-template/pull/22

Building the policy via make was broken because of the following reasons:

That's because:

• The vendored files were not updated
• The containerized build relied on tinygo 0.18.0, which didn't support some of the features requested by the vanilla gjson

This PR address both issues by:

• Update the vendored directory and doing a cleanup of it via go mod tidy
• Upgrade to latest release of tinygo: 0.23.0

Updating to tinygo 0.23 causes also a compilation error inside of the container because the git executable is not found. That's because upstream Go, since release 1.18, embeds the git repository details inside of the final binaries, as reported inside of the release notes:

The go command now embeds version control information in binaries. It includes the currently checked-out revision, commit time, and a flag indicating whether edited or untracked files are present. Version control information is embedded if the go command is invoked in a directory within a Git, Mercurial, Fossil, or Bazaar repository, and the main package and its containing main module are in the same repository. This information may be omitted using the flag -buildvcs=false.

We don't want to add the git binary to the official tinygo container images, hence we're turning off this feature. It's important to note that tinygo build command doesn't support the buildvcs flag. However setting the flag via the GOFLAGS environment variable works.

As a final note, in order to prevent this kind of breakages from happening again, this PR enables the GitHub action that runs the tests and e2e tests against the reference policy contained inside of this repository

Updates the Valid() method in the Settings type. Thus, the caller can get a explanation why the settings are not valid and print a proper error message.

The sample ingress has owner: some-owner but it'll be rejected by the tests in the tutorial unexpectedly. e.g.: https://docs.kubewarden.io/writing-policies/go/04-validation.html

func TestAcceptRequestWithConstraintLabel(t *testing.T) {
    constrainedLabels := make(map[string]*RegularExpression)
    re, err := CompileRegularExpression(`^team-`)
    (snip)
    constrainedLabels["owner"] = re

The project should be created with a metadata.yml file that looks like:

rules:
- apiGroups: [""]
  apiVersions: ["v1"]
  resources: ["pods"]
  operations: ["CREATE", "UPDATE"]
mutating: false
labels:
  production: false
annotations:
  name.castelli.hello: world
  io.kubewarden.policy.title: psp-apparmor
  io.kubewarden.policy.description: Replacement for the Kubernetes Pod Security Policy that controls the usage of AppArmor profiles
  io.kubewarden.policy.author: Flavio Castelli
  io.kubewarden.policy.url: https://github.com/kubewarden/psp-apparmor
  io.kubewarden.policy.source: https://github.com/kubewarden/psp-apparmor
  io.kubewarden.policy.license: Apache-2.0
  io.kubewarden.policy.usage: |
    This policy works by defining a whitelist of allowed AppArmor profiles. Pods are then inspected at creation and update time, to ensure only approved profiles are used.

    When no AppArmor profile is defined, Kubernetes will leave the final choice to the underlying container runtime. This will result in using the default AppArmor profile provided by Container Runtime. Because of that, the default behaviour of this policy is to accept workloads that do not have an AppArmor profile specified.

    The policy can be configured with the following data structure:
    ```yaml
    # list of allowed profiles
    allowed_profiles:
    - runtime/default
    - localhost/my-special-workload
    ```

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | github.com/wapc/wapc-guest-tinygo | require | patch | v0.3.2 -> v0.3.3 |

Release Notes

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | github.com/wapc/wapc-guest-tinygo | require | patch | v0.3.1 -> v0.3.2 |

Release Notes

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

It would be great to have a SBOM file for each policy release.

Action items

• Figure out how to automate the SBOM creation -> a user cloning our template should get this action automatically configured and enabled
• Propagate this change to our existing policies

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | go (source) | golang | minor | 1.17 -> 1.19 |

Release Notes

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

• [ ] Check this box to trigger a request for Renovate to run again on this repository