Using Conftest with OPA bundles #924
Labels
Comments
|
Thanks for reporting the issue! conftest/downloader/oci_detector.go Line 50 in acfa9f0 in case they are in the form of 127.0.0.1:port or localhost
From a user experience point of view, as to how you'd store your policies and execute, I'd recommend using We might wanna update the contest docs with local registry use cases for better visibility, any PRs are welcome if you have any cycles:) |
boranx
added
question
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What I tried:
opa build .where.is the location of my policiesoras push <oci registry uri> --config config.json:[...] bundle.tar.gz:[...]as per the OPA documentation websiteconftest test --update <oci registry uri> my-file.yamlNote that my oci registry is on an on-prem instance of artifactory. I'm not 100% sure, but https://github.com/open-policy-agent/conftest/blob/master/downloader/oci_detector.go#L33 uses a regex match on hostnames to determine whether it's a valid OCI registry, which would fail on my on-prem artifactory (since it doesn't use those hostnames).
What I expected
conftest to download the bundle.tar.gz file, unpack it, and then run the tests in the file.
What I observed
Error: running test: load: loading policies: no policies found in [policy]. I saw that thebundle.tar.gzfile had been downloaded.Notes
I also tried with
conftest push-- I was expecting both processes to work the same way. However, when I inspected the registry itself, I saw very different file formats.The
manifest.jsonfor theopa build . && oras pushcommand shows that a single layer was pushed that contained thebundle.tar.gzlayer. However, themanifest.jsonfor theconftest pushcommand shows that multiple layers were pushed, each layer containing a single.regofile.What is the intended behaviour? The documentation mentions the format should reuse the OPA bundle format.
The text was updated successfully, but these errors were encountered: