feat: initial commit

.github/workflows/release.yml

@@ -0,0 +1,25 @@
+on:
+  push:
+    branches:
+    - main
+    tags:
+    - 'v*'
+
+name: Release policy
+
+jobs:
+
+  test:
+    name: run tests and linters
+    uses: kubewarden/github-actions/.github/workflows/[email protected]
+
+  release:
+    needs: test
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+    uses: kubewarden/github-actions/.github/workflows/[email protected]
+    with:
+      oci-target: ghcr.io/foresightminingsoftwarecorporation/policies/ingress-annotations-policy

.github/workflows/test.yml

@@ -0,0 +1,6 @@
+on: [push, pull_request]
+name: Continuous integration
+jobs:
+  test:
+    name: run tests and linters
+    uses: kubewarden/github-actions/.github/workflows/[email protected]

.gitignore

@@ -0,0 +1,137 @@
+/target
+*.wasm
+
+
+# Created by https://www.toptal.com/developers/gitignore/api/rust,jetbrains
+# Edit at https://www.toptal.com/developers/gitignore?templates=rust,jetbrains
+
+### JetBrains ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### JetBrains Patch ###
+# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
+
+# *.iml
+# modules.xml
+# .idea/misc.xml
+# *.ipr
+
+# Sonarlint plugin
+# https://plugins.jetbrains.com/plugin/7973-sonarlint
+.idea/**/sonarlint/
+
+# SonarQube Plugin
+# https://plugins.jetbrains.com/plugin/7238-sonarqube-community-plugin
+.idea/**/sonarIssues.xml
+
+# Markdown Navigator plugin
+# https://plugins.jetbrains.com/plugin/7896-markdown-navigator-enhanced
+.idea/**/markdown-navigator.xml
+.idea/**/markdown-navigator-enh.xml
+.idea/**/markdown-navigator/
+
+# Cache file creation bug
+# See https://youtrack.jetbrains.com/issue/JBR-2257
+.idea/$CACHE_FILE$
+
+# CodeStream plugin
+# https://plugins.jetbrains.com/plugin/12206-codestream
+.idea/codestream.xml
+
+# Azure Toolkit for IntelliJ plugin
+# https://plugins.jetbrains.com/plugin/8053-azure-toolkit-for-intellij
+.idea/**/azureSettings.xml
+
+### Rust ###
+# Generated by Cargo
+# will have compiled files and executables
+debug/
+target/
+
+# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
+# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
+Cargo.lock
+
+# These are backup files generated by rustfmt
+**/*.rs.bk
+
+# MSVC Windows builds of rustc generate these, which store debugging information
+*.pdb
+
+# End of https://www.toptal.com/developers/gitignore/api/rust,jetbrains

CODEOWNERS

@@ -0,0 +1 @@
+* @ForesightMiningSoftwareCorporation/infra

Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "ingress-annotations-policy"
+version = "0.1.0"
+authors = ["Loïs Postula <[email protected]>"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+k8s-openapi = { version = "0.17.0", default_features = false, features = ["v1_25"] }
+kubewarden-policy-sdk = "0.8"
+lazy_static = "1.4"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+slog = "2.7"

LICENSE

@@ -0,0 +1,6 @@
+bevy_infinite_grid is dual-licensed under either
+
+* MIT License (docs/LICENSE-MIT or http://opensource.org/licenses/MIT)
+* Apache License, Version 2.0 (docs/LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
+
+at your option.

Makefile

@@ -0,0 +1,37 @@
+SOURCE_FILES := $(shell test -e src/ && find src -type f)
+VERSION := $(shell sed -n 's,^version = \"\(.*\)\",\1,p' Cargo.toml)
+
+policy.wasm: $(SOURCE_FILES) Cargo.*
+	cargo build --target=wasm32-wasi --release
+	cp target/wasm32-wasi/release/*.wasm policy.wasm
+
+artifacthub-pkg.yml: metadata.yml Cargo.toml
+	$(warning If you are updating the artifacthub-pkg.yml file for a release, \
+	  remember to set the VERSION variable with the proper value. \
+	  To use the latest tag, use the following command:  \
+	  make VERSION=$$(git describe --tags --abbrev=0 | cut -c2-) annotated-policy.wasm)
+	kwctl scaffold artifacthub --metadata-path metadata.yml --version $(VERSION) --output artifacthub-pkg.yml
+
+annotated-policy.wasm: policy.wasm metadata.yml
+	kwctl annotate -m metadata.yml -u README.md -o annotated-policy.wasm policy.wasm
+
+.PHONY: fmt
+fmt:
+	cargo fmt --all -- --check
+
+.PHONY: lint
+lint:
+	cargo clippy -- -D warnings
+
+.PHONY: e2e-tests
+e2e-tests: annotated-policy.wasm
+	bats e2e.bats
+
+.PHONY: test
+test: fmt lint
+	cargo test
+
+.PHONY: clean
+clean:
+	cargo clean
+	rm -f policy.wasm annotated-policy.wasm artifacthub-pkg.yml

README.md

@@ -0,0 +1,29 @@
+# Kubewarden policy ingress-annotations-policy
+
+## Description
+
+This policy will inject annotations into Ingress Resources.
+
+## Settings
+
+```yaml
+# List of annotations that needs to be added
+annotations:
+  priority: "[123]"
+  cost-center: "^cc-\\d+$"
+  nginx.ingress.kubernetes.io/modsecurity-snippet: |
+    SecRuleEngine On
+    SecRule &REQUEST_HEADERS:X-Azure-FDID \"@eq 0\"  \"log,deny,id:106,status:403,msg:\'Front Door ID not present\'\"
+    SecRule REQUEST_HEADERS:X-Azure-FDID \"@rx ^(?!xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).*$\"  \"log,deny,id:107,status:403,msg:\'Wrong Front Door ID\'\"
+```
+
+## License
+
+`ingress-annotations-policy` is free and open source! All code in this repository is dual-licensed under either:
+
+* MIT License (LICENSE-MIT or <http://opensource.org/licenses/MIT>)
+* Apache License, Version 2.0 (LICENSE-APACHE or <http://www.apache.org/licenses/LICENSE-2.0>)
+
+at your option. This means you can select the license you prefer! This dual-licensing approach is the de-facto standard in the Rust ecosystem and there are very good reasons to include both.
+
+Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

artifacthub-pkg.yml

@@ -0,0 +1,52 @@
+# Kubewarden Artifacthub Package config
+#
+# Use this config to submit the policy to https://artifacthub.io.
+#
+# This config can be saved to its default location with:
+#   kwctl scaffold artifacthub > artifacthub-pkg.yml 
+version: 0.1.0
+name: ingress-annotations-policy
+displayName: Ingress Annotations Policy
+createdAt: 2023-10-06T09:31:25.579777Z
+description: This policy will inject annotations into Ingress Resources.
+license: Apache-2.0 or MIT
+homeURL: https://github.com/foresightminingsoftwarecorporation/ingress-annotations-policy
+containersImages:
+- name: policy
+  image: ghcr.io/foresightminingsoftwarecorporation/policies/ingress-annotations-policy:v0.1.0
+keywords:
+- ingress
+- kubewarden
+links:
+- name: policy
+  url: https://github.com/foresightminingsoftwarecorporation/ingress-annotations-policy/releases/download/v0.1.0/policy.wasm
+- name: source
+  url: https://github.com/foresightminingsoftwarecorporation/ingress-annotations-policy
+install: |
+  The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
+  ```console
+  kwctl pull ghcr.io/foresightminingsoftwarecorporation/policies/ingress-annotations-policy:v0.1.0
+  ```
+  Then, generate the policy manifest and tune it to your liking. For example:
+  ```console
+  kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/foresightminingsoftwarecorporation/policies/ingress-annotations-policy:v0.1.0
+  ```
+maintainers:
+- name: Loïs Postula
+  email: [email protected]
+provider:
+  name: kubewarden
+recommendations:
+- url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
+annotations:
+  kubewarden/mutation: 'false'
+  kubewarden/resources: Ingress
+  kubewarden/rules: |
+    - apiGroups:
+      - ''
+      apiVersions:
+      - v1
+      resources:
+      - pods
+      operations:
+      - CREATE

e2e.bats

@@ -0,0 +1,7 @@
+#!/usr/bin/env bats
+
+@test "Add default annotations to ingress" {
+	run kwctl run  --request-path test_data/ingress_creation.json  annotated-policy.wasm
+	[ "$status" -eq 0 ]
+	echo "$output"
+}