Store rendered control files #10656
Skipping CI for Draft Pull Request.
d9a9fb0 to 8515e44
Questions: What is the use-case for this? In what way do you want to show the relationship of controls and rules? What is the benefit of viewing "resolved controls" instead of the original source or the HTML output online?
This is a requirement we have been discussing for OpenShift products. They want to have the ability to ship the contents of a resolved control to customers. The resolved controls file will contain only things that are applicable to a given product, and any Jinja macros (although there is only one in the project in a controls file) will also be resolved, and the file can be interpreted as a pure YAML file. These files will be bundled whenever the content is built by OpenShift, for example, and they need to be "versioned", as opposed to the HTML output online, which always represents the latest upstream code.
@ggbecker Thanks for the explanation! If it needs to be in a YAML format, I would prefer a "nice" YAML, with no build system internal details and no empty fields, so that it would be more readable.
Agree with the part about no build system internal details, but the empty fields might be useful in the future depending on the needs of a policy. This PR definitely needs more iterations. It doesn't need to be a "nice" YAML since this will most likely be consumed by Compliance Operator, which will parse the file and produce something else, for example. So the empty fields are not really a problem.
3f2fc21 to a428a22
2f7307b to 734d945
It turned out that this feature interferes with the nested controls feature, when we define (sub)controls inside other controls, and the information is then discarded, so the compiled controls don't have it - they just have the expected rule selections without knowing how those got there.
c45558f to 545c2ab
/packit retest-failed
It looks good to me, but I think we should provide some examples of how to use the nested controls feature and how people can benefit from it to avoid code duplication.
LGTM, thanks for the follow-up work @matejak.
@ggbecker What about the CodeClimate problems? And do you need a 3rd person to do a review or do you plan to be the assignee?
So I believe that as Becker and I got our hands dirty with this one, we need e.g. you, @jan-cerny, as the 3rd person. Anyway, I wouldn't document the feature further than it is proposed in the README, because we don't have a meaningful and illustrative use case. Moreover, there are open questions about inheritance of attributes that will influence the usefulness of sub-controls in practice. Regarding Code Climate, I think that the findings are false positives, because the explicit
I have tried to reference some controls from other controls and I have watched that the rule selections propagated.
The CI failure on Rawhide is caused by OpenSCAP and isn't related to the contents of this PR, see OpenSCAP/openscap#1995.
Code Climate has analyzed commit f0506b9 and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 97.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.4% (0.5% change). View more on Code Climate.
Description:
build/$product/controls/
Rationale:
Note: Seeking feedback and help on how to implement this properly.