adding some policies for conftest #91
Thank you for your contribution and Welcome to our Open Source Community! To make sure your pull request is accepted successfully, we ask all our open source contributors to sign a Contributor License Agreement. Having reviewed our contributor list, we require a CLA for the following people: (@leefaus). If you need help obtaining a CLA, please read the Requirements for Contributions section of our CLA wiki or email help@finos.org with your questions. Thanks once again for your contribution. Let us work with you to make the CLA process quick, easy and efficient so we can move forward with reviewing and accepting your pull request. cc @finos-admin
This is really cool @leefaus & @eddie-knight! Is it possible to link each test case to the policies written in the Service Approval Accelerator in some way, so that you can have traceability of the whole flow from policy to test execution?
Hi @leefaus - Thanks for sending across your signed FINOS ICLA. I have been advised to pursue a FINOS CCLA with Armory and have sent you a response via email. It would be great to catch up to discuss.
@alfredtommy and @pudern, During the last Cloud Service Certification meeting #89, @leefaus advised we should get the GCP IaC contributors together to run through the GCP Service Accelerator Template and IaC to build the BDD OPA testing requirements. We are now really close to closing the loop on the first GCP GKE user journey and would really appreciate your input, help and support. Many thanks, James 🚀
@danizheleva - I have been thinking about this. The company backing the Open Policy Agent, Styra, have been in communication with me about this. We are talking through a few solutions.
Awesome, thanks for the update Lee. Interested to hear what you come up with
A working group session has been scheduled to discuss and prioritise actions related to testing certified cloud services. Cloud Service Certification - Automated Testing Group Session, Tuesday 2nd March @ 9am ET / 2pm UK
Related issues ... #84 (comment), #62
One of my gripes with conftest is that it doesn't tell you what policies were actually evaluated, it just tracks the number of policies that have been successfully evaluated. This makes generating an audit and managing provenance tricky. That said, it's really easy to write policies and unit test them, so there's definitely value in conftest in developing and testing policies but I feel that we need something more explicit when using the policies against real life deployments. In Probr we've created some OPA-oriented "probes". For these we have used individual Rego functions, which return an explicit ...which we call from Cucumber statements, like these The code to add a new rego function is quick to add, using a common helper function we've written - Perhaps we could restructure the Rego, so that the
Any chance we can have a dedicated call to go over this pull request?
Hi @leefaus, I have extended CSC Sprint 2 until 17th June '21 due to team member annual leave and have added this item to the #127 agenda to discuss in relation to completion and Sprint 3. FYI, I am working with the Armory team on completing the CCLA so your pull requests can be accepted and merged. I have a meeting with the team on Monday 14th June to step through the LF EasyCLA process. Cheers, James 🚀
@leefaus - The Armory CCLA is now signed and you have been added to the FINOS CLA Bot. You are also free to move forward according to the following comment ... #119 (comment)
@leefaus - The CSC project moved to backlog at the end of Sprint 3 #131 @leefaus to decide whether to bring into Sprint 4 https://github.com/orgs/finos/projects/1#column-15157368
@leefaus, we'll need a run-down session on the files involved in this pull request.
@leefaus @eddie-knight and @peter-thomas-db - I have closed this PR as we can now refer to the awesome work done by @leefaus as we move forward with OC-CDMC and Probr. Thanks @leefaus for your awesome contrib to the project ❤️
@eddie-knight and @leefaus worked on some policies based on the existing GKE Terraform scripts already created to do some validations. To test that these policies work you should follow these steps:
Also check the diffs to see that I made some changes so we could see the test actually fail.