Merge pull request #101 from vmware/vasundharas/schema-image-policy

Schema for Image Registry Policy

Author: Shreyas Sreenivas

internal/models/policy/recipe/image/allowed_name_tag.go

@@ -0,0 +1,84 @@
+/*
+Copyright © 2022 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+Code generated by go-swagger; DO NOT EDIT.
+*/
+
+package policyrecipeimagemodel
+
+import (
+	"github.com/go-openapi/swag"
+
+	policyrecipeimagecommonmodel "github.com/vmware/terraform-provider-tanzu-mission-control/internal/models/policy/recipe/image/common"
+)
+
+// VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTag is model for allowed-name-tag recipe version v1
+//
+// The input schema for image policy allowed-name-tag recipe.
+//
+// swagger:model VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTag
+type VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTag struct {
+
+	// Audit (dry-run)
+	// Creates this policy for dry-run. Violations will be logged but not denied. Defaults to false (deny).
+	Audit *bool `json:"audit,omitempty"`
+
+	// This specifies a list of rules that defines allowed image patterns.
+	// Required: true
+	// Min Items: 1
+	Rules []*VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTagRules `json:"rules"`
+}
+
+// MarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTag) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTag) UnmarshalBinary(b []byte) error {
+	var res VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTag
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+
+	*m = res
+
+	return nil
+}
+
+// VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTagRules Rules.
+//
+// swagger:model VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTagRules
+type VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTagRules struct {
+
+	// Allowed image names, wildcards are supported(for example: fooservice/*). Empty field is equivalent to *.
+	ImageName string `json:"imageName,omitempty"`
+
+	// Tag
+	Tag *policyrecipeimagecommonmodel.VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag `json:"tag,omitempty"`
+}
+
+// MarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTagRules) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTagRules) UnmarshalBinary(b []byte) error {
+	var res VmwareTanzuManageV1alpha1CommonPolicySpecImageV1AllowedNameTagRules
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+
+	*m = res
+
+	return nil
+}

internal/models/policy/recipe/image/block_latest_tag-require_digest.go

@@ -0,0 +1,42 @@
+/*
+Copyright © 2022 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+Code generated by go-swagger; DO NOT EDIT.
+*/
+
+package policyrecipeimagemodel
+
+import "github.com/go-openapi/swag"
+
+// VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CommonRecipe is model for block-latest-tag and require-digest recipes version v1
+//
+// The input schema for image policy block-latest-tag and require-digest recipes.
+//
+// swagger:model VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CommonRecipe
+type VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CommonRecipe struct {
+
+	// Audit (dry-run)
+	// Creates this policy for dry-run. Violations will be logged but not denied. Defaults to false (deny).
+	Audit *bool `json:"audit,omitempty"`
+}
+
+// MarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CommonRecipe) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CommonRecipe) UnmarshalBinary(b []byte) error {
+	var res VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CommonRecipe
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+
+	*m = res
+
+	return nil
+}

internal/models/policy/recipe/image/common/rules_tag.go

@@ -0,0 +1,44 @@
+/*
+Copyright © 2022 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+Code generated by go-swagger; DO NOT EDIT.
+*/
+
+package policyrecipeimagecommonmodel
+
+import "github.com/go-openapi/swag"
+
+// VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag Tag
+//
+// Allowed image tag, wildcards are supported (for example: v1.*). No validation is performed on tag if the field is empty.
+//
+// swagger:model VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag
+type VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag struct {
+
+	// The negate flag used to exclude certain tag patterns.
+	Negate *bool `json:"negate,omitempty"`
+
+	// The value (support wildcard) is used to validate against the tag of the image.
+	Value string `json:"value,omitempty"`
+}
+
+// MarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag) UnmarshalBinary(b []byte) error {
+	var res VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+
+	*m = res
+
+	return nil
+}

internal/models/policy/recipe/image/custom.go

@@ -0,0 +1,93 @@
+/*
+Copyright © 2022 VMware, Inc. All Rights Reserved.
+SPDX-License-Identifier: MPL-2.0
+Code generated by go-swagger; DO NOT EDIT.
+*/
+
+package policyrecipeimagemodel
+
+import (
+	"github.com/go-openapi/swag"
+
+	policyrecipeimagecommonmodel "github.com/vmware/terraform-provider-tanzu-mission-control/internal/models/policy/recipe/image/common"
+)
+
+// VmwareTanzuManageV1alpha1CommonPolicySpecImageV1Custom is model for custom recipe version v1
+//
+// The input schema for image policy custom recipe.
+//
+// swagger:model VmwareTanzuManageV1alpha1CommonPolicySpecImageV1Custom
+type VmwareTanzuManageV1alpha1CommonPolicySpecImageV1Custom struct {
+
+	// Audit (dry-run)
+	// Creates this policy for dry-run. Violations will be logged but not denied. Defaults to false (deny).
+	Audit *bool `json:"audit,omitempty"`
+
+	// This specifies a list of rules that defines allowed image patterns.
+	// Required: true
+	// Min Items: 1
+	Rules []*VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CustomRules `json:"rules"`
+}
+
+// MarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1Custom) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1Custom) UnmarshalBinary(b []byte) error {
+	var res VmwareTanzuManageV1alpha1CommonPolicySpecImageV1Custom
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+
+	*m = res
+
+	return nil
+}
+
+// VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CustomRules Rules.
+//
+// swagger:model VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CustomRules
+type VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CustomRules struct {
+
+	// Allowed image hostnames, wildcards are supported(for example: *.mycompany.com). Empty field is equivalent to *.
+	Hostname string `json:"hostname,omitempty"`
+
+	// Allowed image names, wildcards are supported(for example: fooservice/*). Empty field is equivalent to *.
+	ImageName string `json:"imageName,omitempty"`
+
+	// Allowed port(if presented) of the image hostname, must associate with valid hostname. Wildcards are supported.
+	Port string `json:"port,omitempty"`
+
+	// The flag used to enforce digest to appear in container images.
+	RequireDigest *bool `json:"requireDigest,omitempty"`
+
+	// Tag
+	Tag *policyrecipeimagecommonmodel.VmwareTanzuManageV1alpha1CommonPolicySpecImageV1RulesTag `json:"tag,omitempty"`
+}
+
+// MarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CustomRules) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CustomRules) UnmarshalBinary(b []byte) error {
+	var res VmwareTanzuManageV1alpha1CommonPolicySpecImageV1CustomRules
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+
+	*m = res
+
+	return nil
+}

internal/provider/provider.go

@@ -18,6 +18,8 @@ import (
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/namespace"
 	custompolicy "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/custom"
 	custompolicyresource "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/custom/resource"
+	imagepolicy "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/image"
+	imagepolicyresource "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/image/resource"
 	securitypolicy "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/security"
 	securitypolicyresource "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/security/resource"
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/workspace"
@@ -36,6 +38,7 @@ func Provider() *schema.Provider {
 			iampolicy.ResourceName:      iampolicy.ResourceIAMPolicy(),
 			custompolicy.ResourceName:   custompolicyresource.ResourceCustomPolicy(),
 			securitypolicy.ResourceName: securitypolicyresource.ResourceSecurityPolicy(),
+			imagepolicy.ResourceName:    imagepolicyresource.ResourceImageRegistryPolicy(),
 			credential.ResourceName:     credential.ResourceCredential(),
 			integration.ResourceName:    integration.ResourceIntegration(),
 		},

internal/resources/policy/constants.go

@@ -11,21 +11,9 @@ const (
 	KeyKey                    = "key"
 	OperatorKey               = "operator"
 	ValuesKey                 = "values"
-	ScopeKey                  = "scope"
-	clusterKey                = "cluster"
-	clusterGroupKey           = "cluster_group"
-	organizationKey           = "organization"
 	SpecKey                   = "spec"
 	NameKey                   = "name"
 	InputKey                  = "input"
 	RecipeVersionDefaultValue = "v1"
 	UnknownRecipe             = ""
 )
-
-// Allowed scopes.
-const (
-	UnknownScope Scope = iota
-	ClusterScope
-	ClusterGroupScope
-	OrganizationScope
-)

internal/resources/policy/kind/custom/resource/resource_custom_policy.go

@@ -13,6 +13,7 @@ import (
 	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy"
 	policykindcustom "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/kind/custom"
 	policyoperations "github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/operations"
+	"github.com/vmware/terraform-provider-tanzu-mission-control/internal/resources/policy/scope"
 )
 
 func ResourceCustomPolicy() *schema.Resource {
@@ -23,7 +24,7 @@ func ResourceCustomPolicy() *schema.Resource {
 		DeleteContext: schema.DeleteContextFunc(policyoperations.ResourceOperation(policyoperations.WithResourceName(policykindcustom.ResourceName), policyoperations.WithOperationType(policyoperations.Delete))),
 		Schema:        customPolicySchema,
 		CustomizeDiff: customdiff.All(
-			policy.ValidateScope,
+			scope.ValidateScope,
 			policykindcustom.ValidateInput,
 			policy.ValidateSpecLabelSelectorRequirement,
 		),
@@ -37,7 +38,7 @@ var customPolicySchema = map[string]*schema.Schema{
 		Required:    true,
 		ForceNew:    true,
 	},
-	policy.ScopeKey: policy.ScopeSchema,
-	common.MetaKey:  common.Meta,
-	policy.SpecKey:  policykindcustom.SpecSchema,
+	scope.ScopeKey: scope.ScopeSchema,
+	common.MetaKey: common.Meta,
+	policy.SpecKey: policykindcustom.SpecSchema,
 }