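# Tool images, pinned by version tag so local runs and CI use the same
# konstraint / opa / git binaries. A tag is mutable: for a stronger
# supply-chain guarantee append a digest to each image reference, e.g.
#   ghcr.io/plexsystems/konstraint:$(KONSTRAINT_VERSION)@sha256:<digest-placeholder>
KONSTRAINT_VERSION := v0.14.2
KONSTRAINT_IMAGE := ghcr.io/plexsystems/konstraint:$(KONSTRAINT_VERSION)
OPA_VERSION := 0.29.4
OPA_IMAGE := openpolicyagent/opa:$(OPA_VERSION)
ALPINE_GIT_VERSION := v2.30.2
ALPINE_GIT_IMAGE := alpine/git:$(ALPINE_GIT_VERSION)

# Local kind cluster used by the kind_* and kubectl_* targets.
CLUSTER_NAME := test-gatekeeper
# Dedicated kubeconfig so the test cluster never touches ~/.kube/config.
# This is a make variable only (not exported); every kubectl/kind call
# passes it explicitly via --kubeconfig.
KUBECONFIG := $(HOME)/.kube/k8s-gatekeeper-policies-example

# $(CURDIR) is always set by make; $(PWD) is inherited from the calling
# shell and may be absent or stale when make is not started from an
# interactive shell (CI runners, exec from another tool).
INFRA_MANIFESTS_OUTPUT_DIR := $(CURDIR)/gatekeeper-infra-manifests
GATEKEEPER_NAMESPACE := gatekeeper-system
INGRESS_NGINX_NAMESPACE := ingress-nginx
POLICY_MANIFESTS_DIR := $(CURDIR)/manifests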
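# `default` is the first rule in the file and therefore the default goal;
# it is a command, not a file, so it is phony like `help`.
.PHONY: default help
default: help
help: ## Show this help
	@echo "k8s-gatekeeper-policies-example"
	@echo "======================"
	@echo
	@echo "Creation of policies to apply to k8s clusters"
	@echo
	@grep -hF " ## " $(MAKEFILE_LIST) | grep -v '^[[:space:]]' \
		| sed -Ee 's/^([A-Za-z0-9_.-]+):[^#]*##(.*)/\1##\2/' \
		| column -t -s "##"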
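.PHONY: constraints
constraints: ## create constraints
	docker run --rm -w /src -v "$(CURDIR)":/src $(KONSTRAINT_IMAGE) \
		create policies/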
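.PHONY: docs
docs: ## create docs
	docker run --rm -w /src -v "$(CURDIR)":/src $(KONSTRAINT_IMAGE) \
		doc policies/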
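.PHONY: migrate_manifests
migrate_manifests: ## migrate manifests from policies/ directory to manifests/
	docker run --rm --entrypoint sh -w /src -v "$(CURDIR)":/src $(ALPINE_GIT_IMAGE) \
		scripts/migrate_manifests.sh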
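.PHONY: opa_format_check
opa_format_check: ## check if any rego files need formatting
	docker run --rm -w /src -v "$(CURDIR)":/src $(OPA_IMAGE) \
		fmt policies/ --fail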
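.PHONY: opa_format_write
opa_format_write: ## format all rego files
	docker run --rm -w /src -v "$(CURDIR)":/src $(OPA_IMAGE) \
		fmt policies/ --write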
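.PHONY: opa_check
opa_check: ## check if issues with any rego files
	docker run --rm -w /src -v "$(CURDIR)":/src $(OPA_IMAGE) \
		check policies/ --ignore '*.yaml' --ignore '*.yml'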
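.PHONY: opa_test
opa_test: ## run rego tests
	docker run --rm -w /src -v "$(CURDIR)":/src $(OPA_IMAGE) \
		test policies/ -v --ignore '*.yaml' --ignore '*.yml'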
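.PHONY: manifests_diff
manifests_diff: ## run git diff check on manifests/ directory
	docker run --rm --entrypoint sh -w /src -v "$(CURDIR)":/src \
		-e DIRECTORY=manifests \
		$(ALPINE_GIT_IMAGE) \
		scripts/git_diff.sh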
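.PHONY: generate_all
generate_all: ## used for local dev to quickly iterate on changes
	$(MAKE) opa_check
	$(MAKE) opa_format_write
	$(MAKE) opa_test
	$(MAKE) constraints
	$(MAKE) migrate_manifests
	$(MAKE) docs
	@echo "ran generate_all"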
.PHONY: brew_install_kubectl
brew_install_kubectl: ## brew installs kubectl if not present
	brew list kubectl \
		|| brew install kubectl
.PHONY: brew_install_kind
brew_install_kind: ## brew installs kind if not present
	brew list kind \
		|| brew install kind
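.PHONY: kind_cluster_setup
kind_cluster_setup: ## creates a kind cluster and needed namespaces
	kind create cluster --name $(CLUSTER_NAME) --kubeconfig "$(KUBECONFIG)" --config="$(CURDIR)/scripts/kind-config.yml"
	kubectl --kubeconfig "$(KUBECONFIG)" get namespace $(GATEKEEPER_NAMESPACE) \
		|| kubectl --kubeconfig "$(KUBECONFIG)" create namespace $(GATEKEEPER_NAMESPACE)
	kubectl --kubeconfig "$(KUBECONFIG)" get namespace $(INGRESS_NGINX_NAMESPACE) \
		|| kubectl --kubeconfig "$(KUBECONFIG)" create namespace $(INGRESS_NGINX_NAMESPACE)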
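.PHONY: kind_cluster_teardown
kind_cluster_teardown: ## deletes the created kind cluster
	kind delete cluster --name $(CLUSTER_NAME) --kubeconfig "$(KUBECONFIG)"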
.PHONY: kubectl_apply_gatekeeper_infra
kubectl_apply_gatekeeper_infra: KUBECTL := kubectl --kubeconfig $(KUBECONFIG)
kubectl_apply_gatekeeper_infra: ## applies gatekeeper and nginx-ingress infra manifests
	$(KUBECTL) get namespace $(INGRESS_NGINX_NAMESPACE) || $(KUBECTL) create namespace $(INGRESS_NGINX_NAMESPACE)
	$(KUBECTL) apply -R -f $(INFRA_MANIFESTS_OUTPUT_DIR)/$(INGRESS_NGINX_NAMESPACE) -n $(INGRESS_NGINX_NAMESPACE)
	$(KUBECTL) get namespace $(GATEKEEPER_NAMESPACE) || $(KUBECTL) create namespace $(GATEKEEPER_NAMESPACE)
	$(KUBECTL) apply -R -f $(INFRA_MANIFESTS_OUTPUT_DIR)/$(GATEKEEPER_NAMESPACE) -n $(GATEKEEPER_NAMESPACE)
.PHONY: kubectl_apply_policies
kubectl_apply_policies: KUBECTL := kubectl --kubeconfig $(KUBECONFIG)
kubectl_apply_policies: ## applies the generated policies
	$(KUBECTL) apply -R -f $(POLICY_MANIFESTS_DIR)/template
	$(KUBECTL) apply -R -f $(POLICY_MANIFESTS_DIR)/constraint
	$(KUBECTL) apply -f $(POLICY_MANIFESTS_DIR)
.PHONY: port_forward_gatekeeper_policy_manager_ui
port_forward_gatekeeper_policy_manager_ui: ## kubectl port-forward to the gatekeeper policy manager ui
	kubectl --kubeconfig $(KUBECONFIG) \
		--namespace $(GATEKEEPER_NAMESPACE) \
		port-forward svc/gatekeeper-policy-manager 8080:80
.PHONY: update_gatekeeper_infra_manifests
update_gatekeeper_infra_manifests: ## templates out helm chart manifests for gatekeeper infrastructure
	MANIFESTS_OUTPUT_DIR=$(INFRA_MANIFESTS_OUTPUT_DIR) \
		sh ./scripts/update_gatekeeper_infra_manifests.sh
.PHONY: update_github_gists
update_github_gists: ## add gists to github for use in the medium article series
	sh ./scripts/update_github_gists.sh