OCP Update variable filter to consider go_template #11906
🤖 A k8s content image for this PR is available at: Click here to see how to deploy it. If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
8fed1ef to e1bdec0
/test
/test e2e-aws-ocp4-pci-dss
/hold for test
Verification pass with 4.16.0-0.nightly-2024-04-26-145258 + ghcr.io/complianceascode/k8scontent:11906:
/unhold
/lgtm
@Vincent056 seems one issue to fix: https://codeclimate.com/github/ComplianceAsCode/content/pull/11906. Could you please take a look? Thanks.
b636d2b to b6ef6c2
/test e2e-aws-ocp4-pci-dss
b0124e3 to f2a9860
/test e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-high
@Vincent056: The following test failed, say
The stig e2e failure is unrelated and being addressed in a separate PR.
/lgtm
Looks good from an OpenShift content perspective.
@Mab879 does this seem reasonable from the build perspective?
I built and compared ocp4 ds from this PR branch and the main branch and found no problem. However, I would like to ask you to create tests for this problem to avoid similar problems in future changes. Also, I would like to ask why you are processing the DS after the build? Wouldn't it be better to extend the macros during the build?
def get_variables_from_go_templating(rule, var_ids): | ||
go_templating_pattern = re.compile(r"{{(.*?)}}") | ||
go_templating_var_pattern = re.compile(r"\.([a-zA-Z0-9_]+)") | ||
for ele in rule.itertext(): |
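Review bot: in get_variables_from_go_templating the action pattern `{{(.*?)}}` is compiled without `re.DOTALL`, so `.` stops at a newline and a template action that spans lines is skipped, and the field pattern `\.([a-zA-Z0-9_]+)` matches every dotted token inside an action, so a chain such as `.a.b` yields both `a` and `b` and a dot inside a quoted string or a number is picked up as well. Suggest compiling the first pattern with `re.DOTALL`, requiring that the dot in the second is not preceded by a word character, and keeping only matches that are present in `var_ids`. `rule.itertext()` yields text nodes only, so a short comment stating that templates in attributes are out of scope would document that choice.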
Can go_template be used only in the text part of a rule or can it be present in an XML element attribute?
They will be present in the text part of the rule as well as in the remediations.
I think fix is also part of the rule
Okay, I was curious. Yes, the fix element is a sub-element of the Rule element.
Update the variable filter to find if a rule is using go-template, if so find any var being used, add them to var list for that rule
Thanks for the review, we have e2e test, but we don't run that in every PR, for example you could run The go_template is used in our operator when consuming the datastream file, so that we can process the remediation to use xccdf variables as well as other part of rule to be more dynamic. @Honny1
Code Climate has analyzed commit 59162ea and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate.
@Vincent056 Well, I think the
@Honny1 great, I will do that, we were also depending on go_templating to be able to fetch different kube API, which is defined in warning part of the rule in the compliance operator dynamically based on value of the xccdf variables, among other things such as render value of referenced variables in rule description
@Vincent056 Okay
Thank you for the review @Honny1
/lgtm
/packit help
/packit retest-failed
This will not be included in
Are there older content/CO versions where this issue is not present (to use as a WA)?
As #11858 is going into 0.1.73, I think it makes sense to backport this fix there.
Description:
Update the variable filter to find if a rule is using go-template, if so find any var being used, and add them to the var list for that rule. Compliance Operator uses [go template](https://pkg.go.dev/text/template) to do additional processing, sometimes we reference an xccdf variable within templated content.
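The lookup this description outlines, as an added example that is not the PR's or the project's code: it collects the variables referenced inside Go template actions of a rule, handles actions that span lines, and shows what `itertext()` alone misses. The sample rule, the variable ids, the function names and the `include_attributes` switch are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an XCCDF-like Rule carrying Go template actions in its
# description, warning, fix text and (hypothetically) in an attribute.
SAMPLE_RULE = """\
<Rule id="rule_example">
  <description>Timeout must be {{.var_timeout}} seconds.</description>
  <warning>{{if ne .var_role "master.example"}}/apis/{{.var_pool}}{{end}}</warning>
  <fix>value: {{ .var_timeout |
      printf "%s" }}</fix>
  <check-content name="{{.var_in_attribute}}"/>
</Rule>
"""

# DOTALL lets an action span lines; the lookbehind keeps only the leading field
# of a chain (.a.b -> a) and skips dots inside string literals or numbers.
ACTION = re.compile(r"{{(.*?)}}", re.DOTALL)
FIELD = re.compile(r"(?<![\w.])\.([A-Za-z0-9_]+)")


def referenced_fields(text):
    """Names that follow a leading dot inside any {{ ... }} action in text."""
    names = set()
    for action in ACTION.findall(text):
        names.update(FIELD.findall(action))
    return names


def template_variables(rule, known_var_ids, include_attributes=True):
    """Known variable ids referenced by Go templates anywhere in the rule."""
    texts = list(rule.itertext())  # text and tail of every sub-element
    if include_attributes:         # itertext() never yields attribute values
        for element in rule.iter():
            texts.extend(element.attrib.values())
    found = set()
    for text in texts:
        found |= referenced_fields(text)
    # Intersect with the known ids so template fields that are not variables
    # never end up in the rule's variable list.
    return found & set(known_var_ids)


if __name__ == "__main__":
    known = {"var_timeout", "var_role", "var_pool", "var_in_attribute", "var_other"}
    rule = ET.fromstring(SAMPLE_RULE)
    print(sorted(template_variables(rule, known)))
    print(sorted(template_variables(rule, known, include_attributes=False)))
```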