Pulumi crossguard policy on Helm chart: config and args.props of validateResourceOfType callback are empty objects

Open awoimbee opened this issue 2 years ago • 4 comments

What happened?

https://github.com/pulumi/pulumi-kubernetes/issues/2057#issuecomment-1217858853

Steps to reproduce

    import * as k8s from "@pulumi/kubernetes";
    import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

    new PolicyPack("kubernetes-typescript", {
      policies: [{
        name: "helm-charts-are-up-to-date",
        description: "Helm charts deployments should use the latest version.",
        enforcementLevel: "advisory",
        validateResource: validateResourceOfType(k8s.helm.v3.Chart, async (config, args, reportViolation) => {
          // Repro: report what the callback actually receives for a Chart component.
          reportViolation(`AAAH ${config} '${Object.keys(args.props)}' '${Object.getOwnPropertyNames(config)}' '${Object.getPrototypeOf(config) === Object.prototype}' '${args.props.fetchOpts?.repo}'`);
        }),
      }],
    });

Expected Behavior

    [advisory]  kubernetes-typescript v0.0.1  helm-charts-are-up-to-date (kubernetes:helm.sh/v3:Chart: redis)
    Helm charts deployments should use the latest version.
    AAAH [object Object] ''{lots of text here}'' '{lots of text here}' 'false' 'https://charts.bitnami.com/bitnami'

Actual Behavior

    [advisory]  kubernetes-typescript v0.0.1  helm-charts-are-up-to-date (kubernetes:helm.sh/v3:Chart: redis)
    Helm charts deployments should use the latest version.
    AAAH [object Object] '' '' 'true' 'undefined'

Output of pulumi about

    CLI
    Version      3.38.0
    "@pulumi/kubernetes": "^3.20.5",
    "@pulumi/policy": "^1.4.0",

awoimbee • Aug 17 '22 13:08

Hi @awoimbee

I apologise for the issues here - I am going to mark this as a high priority issue internally so that we can get this taken care of for you

Paul

stack72 • Aug 17 '22 22:08

Hi @awoimbee

So after speaking to other people in the team, it seems that it wasn't correct suggesting that we could fix the issue and turn this into a policy. Input properties of component resources are not currently available to be inspected from policies - the work to track that is https://github.com/pulumi/pulumi-policy/issues/140

The way that component resources are currently designed is talked about - https://github.com/pulumi/pulumi/pull/2296#issuecomment-447709691

I am really sorry for misleading you in this respect :/ I will make sure that we learn to not allow this to happen again and will look at how we can unblock this functionality

If you'd like to talk more about this, I'd happily facilitate that

Paul

stack72 • Aug 30 '22 17:08

Thanks for the very professional response. For now I'm using the open source version so I'm just grateful to be able to use Pulumi. But as I understand, CrossGuard policies are part of the "Business Critical" offering, don't let your clients have the same issues as me!

awoimbee • Aug 31 '22 09:08

Hi @awoimbee

Thank you for the understanding here - we are talking about this internally to see what we can do

Paul

stack72 • Aug 31 '22 14:08
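
Because the Chart component's own inputs reach the policy as an empty object (the limitation described in the Aug 30 comment), a version check can instead read the resources the chart renders. The following is an added example, not code from this issue or from Pulumi: it assumes the chart's templates set the conventional `helm.sh/chart` label and that rendered child resources arrive with their props populated. `RenderedResource`, `parseChartLabel`, `checkChartVersions`, the version numbers and the sample data are hypothetical and constructed for illustration.

```typescript
// Simplified stand-in (hypothetical) for a resource as a policy callback sees it.
interface RenderedResource {
  type: string;
  name: string;
  props: { metadata?: { labels?: Record<string, string> } };
}
interface Violation { resource: string; message: string; }

// Split "<chart>-<version>" at the first hyphen that starts an x.y.z version,
// so chart names containing hyphens and pre-release suffixes both survive.
function parseChartLabel(value: string): { chart: string; version: string } | null {
  const m = /^(.+?)-(\d+\.\d+\.\d+.*)$/.exec(value);
  return m ? { chart: m[1]!, version: m[2]! } : null;
}

// Compare every rendered resource's chart label against the pinned versions.
function checkChartVersions(resources: RenderedResource[], expected: Record<string, string>): Violation[] {
  const violations: Violation[] = [];
  for (const r of resources) {
    const label = r.props.metadata?.labels?.["helm.sh/chart"];
    if (label === undefined) continue; // the Chart component itself, or an unlabelled resource
    const parsed = parseChartLabel(label);
    if (parsed === null) {
      violations.push({ resource: r.name, message: `unparseable helm.sh/chart label '${label}'` });
      continue;
    }
    const want = expected[parsed.chart];
    if (want !== undefined && want !== parsed.version) {
      violations.push({ resource: r.name, message: `${parsed.chart} is ${parsed.version}, expected ${want}` });
    }
  }
  return violations;
}

// Constructed sample: an empty-props Chart component plus three child resources.
const sampleResources: RenderedResource[] = [
  { type: "kubernetes:helm.sh/v3:Chart", name: "redis", props: {} },
  { type: "kubernetes:apps/v1:StatefulSet", name: "redis-master",
    props: { metadata: { labels: { "helm.sh/chart": "redis-17.0.1" } } } },
  { type: "kubernetes:core/v1:Service", name: "redis-headless",
    props: { metadata: { labels: { "helm.sh/chart": "redis-17.0.1" } } } },
  { type: "kubernetes:core/v1:ConfigMap", name: "app-config", props: { metadata: { labels: {} } } },
];
const sampleViolations = checkChartVersions(sampleResources, { redis: "17.1.0" });
console.log(sampleViolations);
```

In a real policy pack the same comparison would run inside a resource or stack validation callback, with the pinned versions coming from policy configuration.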