open-policy-agent
Pass additional info in the mutation request to external data provider
Describe the solution you'd like
Ratify is implementing a namespaced-level multi-tenancy feature. We'd like to have both validation/mutation requests taking namespace and image to Ratify. We could easily support the validation case in the constraint template. But for mutation requests, seems we can only pass in the location value which is image in our use case since we don't actually mutate namespace. Wonder if any mutators could support users specify additional info besides the mutating fields.
Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]
Environment:
- Gatekeeper version: 3.15.0
- Kubernetes version: (use
kubectl version): 1.29.2
I was talking to @binbin-li offline. Sounds like ratify is storing credentials to retrieve registry info (for updating tag->digest) as secrets, the additional namespace metadata will be used for the provider to find the secret in the applicable namespace.
@maxsmythe @ritazh wdyt? does it make sense to add an "additional metadata" type of field to external data for mutation?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.