Merge pull request #17 from aserto-dev/bugfix/#16

Fix incorrect else condition in decision logs
aserto-dev · Oct 14, 2024 · 1dc5e92 · 1dc5e92
2 parents a275a66 + 9e3801c
commit 1dc5e92
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 38 deletions.
diff --git a/charts/topaz/Chart.yaml b/charts/topaz/Chart.yaml
@@ -20,7 +20,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/topaz/README.md b/charts/topaz/README.md
@@ -101,8 +101,8 @@ There are two ways to specify the poilcy to use:
    plugins.
 
 > [!IMPORTANT]
-> Explicitly specifying a policy image and using a discovery service are mutually exclusive. You must
-> provide configuration for one or the other, but not both.
+> Explicitly specifying a policy image and using a discovery service are mutually exclusive. If discovery
+> configuration is provided, the `oci` section is ignored.
 
 ### Policy Image
 

diff --git a/charts/topaz/ci/test-file-logger.yaml b/charts/topaz/ci/test-file-logger.yaml
@@ -0,0 +1,9 @@
+opa:
+  policy:
+    oci:
+      registry: https://ghcr.io
+      # Policy image URI.
+      image: ghcr.io/aserto-policies/policy-rebac:latest
+
+decisionLogs:
+  enabled: true
diff --git a/charts/topaz/ci/test-values.yaml → charts/topaz/ci/test-minimal-oci.yaml b/charts/topaz/ci/test-values.yaml → charts/topaz/ci/test-minimal-oci.yaml
diff --git a/charts/topaz/templates/_helpers.tpl b/charts/topaz/templates/_helpers.tpl
@@ -335,7 +335,7 @@ config:
       {{- toYaml . | toYaml | nindent 6 }}
     {{- end }}
   {{- end }}
-{{- else if .remote -}}
+{{- else if .file -}}
 type: file
 config:
   log_file_path: /decisions/decisions.log

diff --git a/charts/topaz/templates/config.yaml b/charts/topaz/templates/config.yaml
@@ -103,33 +103,7 @@ stringData:
       config:
         persistence_directory: "/opa-persistence"
         services:
-        {{- if ((.Values.opa).policy).discovery | and ((.Values.opa).policy).oci }}
-          {{- fail "opa.policy.discovery and opa.policy.oci are mutually exclusive" }}
-        {{- end }}
-
-        {{- if ((.Values.opa).policy).oci }}
-          {{- with ((.Values.opa).policy).oci }}
-          oci:
-            type: oci
-            url: {{ .registry | required "opa.policy.oci.registry is required" }}
-          {{- if (.apiKey | or (.apiKeySecret).name) }}
-            credentials:
-              bearer:
-                scheme: basic
-                token: {{ include "topaz.ociCredentials" . }}
-          {{- end }}
-            {{- .serviceConfig | default (dict "response_header_timeout_seconds" 5) | toYaml | nindent 12 }}
-        bundles:
-          topaz_policy:
-            service: oci
-            resource: {{ .image | required "opa.policy.oci.image is required" }}
-            persist: {{ $.Values.opa.persistence.enabled | default "false" }}
-            {{- if .bundleConfig }}
-            config:
-              {{- .bundleConfig | toYaml | nindent 14 }}
-            {{- end }}
-          {{- end }}
-        {{- else if ((.Values.opa).policy).discovery }}
+        {{- if ((.Values.opa).policy).discovery }}
           {{- with ((.Values.opa).policy).discovery }}
           discovery:
             url: {{ .url | default "https://discovery.prod.aserto.com/api/v2/discovery" }}
@@ -152,7 +126,27 @@ stringData:
           persist: {{ $.Values.opa.persistence.enabled | default "false" }}
           {{- end }}
         {{- else }}
-          {{- fail "either opa.policy.discovery or opa.policy.oci must be set"}}
+          {{- with ((.Values.opa).policy).oci }}
+          oci:
+            type: oci
+            url: {{ .registry | required "opa.policy.oci.registry is required" }}
+          {{- if (.apiKey | or (.apiKeySecret).name) }}
+            credentials:
+              bearer:
+                scheme: basic
+                token: {{ include "topaz.ociCredentials" . }}
+          {{- end }}
+            {{- .serviceConfig | default (dict "response_header_timeout_seconds" 5) | toYaml | nindent 12 }}
+        bundles:
+          topaz_policy:
+            service: oci
+            resource: {{ .image | required "opa.policy.oci.image is required" }}
+            persist: {{ $.Values.opa.persistence.enabled | default "false" }}
+            {{- if .bundleConfig }}
+            config:
+              {{- .bundleConfig | toYaml | nindent 14 }}
+            {{- end }}
+          {{- end }}
         {{- end }}
       {{- if (((.Values.directory).edge).sync).address | and (empty ((.Values.directory).remote).address) }}
         plugins:

diff --git a/charts/topaz/values.yaml b/charts/topaz/values.yaml
@@ -286,14 +286,14 @@ opa:
     #     release: "stable"
   policy:
     # The 'oci' and 'discovery' fields are mutually exclusive.
-    # Exactly one of them must be specified.
+    # If both are specified, 'discovery' is used.
 
     # Run policy from an OCI registry.
-    oci: {}
-    #   # oci registry url.
-    #   registry: https://ghcr.io
-    #   # Policy image URI.
-    #   image: "ghcr.io/aserto-policies/policy-rebac:latest"
+    oci:
+      # oci registry url.
+      registry: https://ghcr.io
+      # Policy image URI.
+      image: "ghcr.io/aserto-policies/policy-rebac:latest"
     #   # [Optional] OCI registry user name.
     #   # Note: Some registries including ghcr.io require that the user name is left empty
     #   # when using a personal access token as the API key.