public/policy-generator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

full parsing of config file and validation logic.

Browse Source
This commit is contained in:
Erik Brakkee 2025-01-02 12:17:41 +01:00
parent f99e885f7a
commit 8c5a099082
4 changed files with 117 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
DESIGN.md
View File

@ -74,7 +74,10 @@ communications:
- from: - from:
- httpd-wamblee-org - httpd-wamblee-org
to: to:
- nexus-server:8081,8082 - nexus-server
porst:
- 8081
- 8082
Handling of capabilities: Handling of capabilities:

69
cmd/policygen/config.go
View File

@ -1,6 +1,8 @@
package main package main
import ( import (
"errors"
"fmt"
"github.com/goccy/go-yaml" "github.com/goccy/go-yaml"
"net" "net"
) )
@ -32,8 +34,8 @@ func (c CIDR) MarshalYAML() ([]byte, error) {
return []byte(string(c)), nil return []byte(string(c)), nil
} }
// CIDRS represents each network entry in the YAML // Network represents each network entry in the YAML
type CIDRS struct { type Network struct {
Name string `yaml:"name"` Name string `yaml:"name"`
CIDR CIDR `yaml:"cidr"` CIDR CIDR `yaml:"cidr"`
Except []CIDR `yaml:"except,omitempty"` Except []CIDR `yaml:"except,omitempty"`
@ -46,13 +48,70 @@ type Application struct {
} }
type Namespace struct { type Namespace struct {
Namespace string `yaml:"namespace"` Name string `yaml:"name"`
Capabilities []string `yaml:"capabilities"` Capabilities []string `yaml:"capabilities"`
Applications []Application `yaml:"applications"` Applications []Application `yaml:"applications"`
} }
type Communication struct {
From []string `yaml:"from"`
To []string `yaml:"to"`
Ports []string `yaml:"ports"`
}
// Config represents the top-level YAML structure // Config represents the top-level YAML structure
type Config struct { type Config struct {
Networks []CIDRS `yaml:"networks"` Networks []Network `yaml:"networks,omitempty"`
Namespaces []Namespace `yaml:"namespaces"` Namespaces []Namespace `yaml:"namespaces,omitempty"`
Communications []Communication `yaml:"communications,omitempty"`
}
func (c Config) Validate() error {
errs := make([]error, 0)
// namesapaces must be unique
ns := make(map[string]bool)
for _, namespace := range c.Namespaces {
if ns[namespace.Name] {
errs = append(errs, fmt.Errorf("Duplicate namespace name %s", namespace.Name))
}
ns[namespace.Name] = true
}
// network names mus tbe unique
networks := make(map[string]bool)
for _, network := range c.Networks {
if networks[network.Name] {
errs = append(errs, fmt.Errorf("Duplicate network name %s", network.Name))
}
networks[network.Name] = true
}
// application names must be unique
apps := make(map[string]bool)
for _, namespace := range c.Namespaces {
for _, app := range namespace.Applications {
if apps[app.Name] {
errs = append(errs, fmt.Errorf("Duplicate application %s (%s)", app.Name, namespace.Name))
}
apps[app.Name] = true
}
}
// applications mentioned in a communication must exist
for _, communication := range c.Communications {
for _, from := range communication.From {
if !apps[from] {
errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", from, communication))
}
}
for _, to := range communication.To {
if !apps[to] {
errs = append(errs, fmt.Errorf("Application does not exist: %s referenced in a communication (%+v)", to, communication))
}
}
}
return errors.Join(errs...)
} }

19
cmd/policygen/main.go
View File

@ -9,13 +9,17 @@ import (
) )
type Options struct { type Options struct {
cni string
policyType string
} }
func execute(files []string, options *Options) error { func execute(files []string, options *Options) error {
if len(files) != 1 { if len(files) == 0 {
return fmt.Errorf("File expected") return fmt.Errorf("File expected")
} }
yamlFile, err := os.ReadFile(files[0]) for _, file := range files {
fmt.Fprintf(os.Stderr, "Reading config %s\n", file)
yamlFile, err := os.ReadFile(file)
if err != nil { if err != nil {
return fmt.Errorf("Error reading YAML file: %v", err) return fmt.Errorf("Error reading YAML file: %v", err)
} }
@ -30,13 +34,20 @@ func execute(files []string, options *Options) error {
if err != nil { if err != nil {
return fmt.Errorf("Error parsing YAML: %v", err) return fmt.Errorf("Error parsing YAML: %v", err)
} }
err = config.Validate()
if err != nil {
return err
}
fmt.Printf("PARSED %+v\n", config) fmt.Printf("PARSED %+v\n", config)
}
return nil return nil
} }
func main() { func main() {
options := Options{} options := Options{
cni: "cilium",
policyType: "netpol",
}
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "policygen", Use: "policygen",
Short: "Generate network policies", Short: "Generate network policies",

23
example/config.yaml
View File

@ -11,7 +11,7 @@ networks:
namespaces: namespaces:
- namespace: wamblee-org - name: wamblee-org
capabilities: capabilities:
- linkerd - linkerd
applications: applications:
@ -24,8 +24,27 @@ namespaces:
matchLabels: matchLabels:
app: nexus-server app: nexus-server
- namespace: exposure - name: exposure
applications: applications:
- name: httpd-wamblee-org - name: httpd-wamblee-org
matchLabels: matchLabels:
app: wamblee-org app: wamblee-org
communications:
- from: # can we support both string and list of strings?
- httpd-wamblee-org
to:
- nexus-server
- wamblee-static
- wamblee-safe
# or limiting ports further
- from:
- httpd-wamblee-org
to:
- nexus-server
ports:
- 8081
- 8082