Update sharing example when using a PAT #553

Merged
merged 1 commit into from
Apr 27, 2021
38 changes: 23 additions & 15 deletions docs/sharing.md
Expand Up @@ -2,37 +2,45 @@

Policies are often reusable between different projects, and Conftest supports a mechanism to specify dependent policies as well as download them. The format reuses the [Bundle defined by Open Policy Agent](https://www.openpolicyagent.org/docs/latest/bundles).

You can download individual policies directly:
## Pulling

```console
conftest pull instrumenta.azurecr.io/test
```
The `pull` command allows you to download policies using either a URL, a specific protocol (such as `git`), or an [OCI Registry](https://stevelasker.blog/2019/01/25/cloud-native-artifact-stores-evolve-from-container-registries/).

The `pull` command also supports other policy locations, such as git or https. Under the hood conftest leverages [go-getter](https://github.com/hashicorp/go-getter) to download policies. For example, to download a policy via https:
### HTTPS

```console
conftest pull https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego
```

Policies can be stored in OCI registries that support the Artifact specification. You can read more about this idea in [this post](https://stevelasker.blog/2019/01/25/cloud-native-artifact-stores-evolve-from-container-registries/). Conftest supports storing policies using this mechanism leveraging [ORAS](https://github.com/deislabs/oras).
### Git

```console
conftest pull git::https://github.com/<Organization>/<Repository>.git//sub/folder
```

If you have a compatible OCI registry you can also push new policy bundles like so:
### Git (with access token)

```console
conftest push instrumenta.azurecr.io/test
conftest push 127.0.0.1:5000/test
conftest push <some-other-supported-registry>/test
conftest pull git::https://<PersonalAccessToken>@github.com/<Organization>/<Repository>.git//sub/folder
```

OCI bundles can be pulled as well:
### OCI Registry

```console
conftest pull instrumenta.azurecr.io/test
conftest pull 127.0.0.1:5000/test
conftest pull oci://<some-other-supported-registry>/test
conftest pull opa.azurecr.io/test
```

ACR and 127.0.0.1:5000 (The local [Docker Registry](https://github.com/docker/distribution)) are special cases where the URL does not need to be prefixed with the scheme `oci://`, in all other cases the scheme needs to be provided in the URL.
See the [go-getter](https://github.com/hashicorp/go-getter) repository for more examples.

## Pushing to an OCI registry

Policies can be stored in OCI registries that support the artifact specification mentioned above. Conftest accomplishes this by leveraging [ORAS](https://github.com/deislabs/oras).

For example, if you have a compatible OCI registry you can push a new policy bundle like so:

```console
conftest push opa.azurecr.io/test
```

## `--update` flag
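
Review bot: The `### Git (with access token)` example places `<PersonalAccessToken>` directly in the URL passed to `conftest pull`, and the section says nothing about how to handle that secret. A token typed literally this way is saved in shell history, is visible in the process list while the command runs, and appears in any CI log that echoes commands. Suggest adding a sentence telling readers to supply the token from an environment variable or the CI system's secret store instead of typing it, and to use a token limited to read access on the policy repository. Separately, if the sentence explaining that ACR and 127.0.0.1:5000 do not need the `oci://` prefix is being dropped together with the `oci://<some-other-supported-registry>/test` example, the new `### OCI Registry` section no longer tells readers that other registries require the scheme; keeping one `oci://` example there would preserve that.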
