feat(opa): add conftest OPA policies and pre-commit hook
ci/woodpecker/pr/pre-commit Pipeline failed
ci/woodpecker/pr/kubeconform Pipeline was successful

Adds three policy files under policy/ plus a pre-commit hook that
runs conftest against all staged YAML manifests (excluding chart
templates).

Policies:
  no_ingress.rego
    Deny Ingress resources — cluster uses Gateway API only.

  gateway_api.rego
    HTTPRoute/TLSRoute: require explicit group/kind on parentRefs and
    group/kind/weight on backendRefs (PR #162, #165).
    Gateway: require explicit group on certificateRefs (PR #153).
    All fields are defaulted by the controller; omitting them causes
    permanent ArgoCD OutOfSync.

  resource_normalization.rego
    CPU integer: deny unquoted integer cpu values (PR #163).
    CPU milliCPU: deny values like 1000m/2000m that normalise to "1"/"2" (PR #164).
    Memory Mi→Gi: deny 1024Mi/2048Mi etc. that normalise to 1Gi/2Gi (PR #163).
    clusterIP null: deny Service with explicit null clusterIP (PR #166).

Also fixes all existing violations found by the new policies across
puppet deployments and reposync cronjobs (resource normalization).
kanidm/tlsroute.yaml and puppet/service_puppetdb.yaml are excluded
from this commit as they are addressed in PRs #165 and #166.
2026-05-25 00:00:37 +10:00
parent dd282f59fb
commit d0b3c26223
12 changed files with 298 additions and 11 deletions
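The resource_normalization checks the commit message describes, reimplemented in Python as an added example (the repository's own policies are Rego files that are not shown on this page). The manifest dicts are constructed here in the parsed form conftest hands to a policy, so the distinction between a YAML integer and a quoted string survives.

```python
import re

# Added example: Python reimplementation of the resource_normalization checks from
# the commit message. Not the repository's Rego; the manifests below are constructed.

def containers(manifest):
    """Containers of a Deployment-style (spec.template) or CronJob
    (spec.jobTemplate.spec.template) manifest; other kinds yield none."""
    spec = manifest.get("spec", {})
    pod = spec.get("template") or spec.get("jobTemplate", {}).get("spec", {}).get("template", {})
    return pod.get("spec", {}).get("containers", [])

def quantity_violation(path, key, value):
    """Message if `value` is not already in the API server's canonical form, else None."""
    if key == "cpu":
        # YAML `cpu: 1` parses as an int; the API server serialises it as the string "1"
        if isinstance(value, int) and not isinstance(value, bool):
            return f'{path}.cpu: unquoted integer {value}, write "{value}"'
        m = re.fullmatch(r"(\d+)m", str(value))
        if m and int(m[1]) % 1000 == 0:           # 1000m -> "1", 2000m -> "2"
            return f'{path}.cpu: {value} normalises to "{int(m[1]) // 1000}"'
    if key == "memory":
        m = re.fullmatch(r"(\d+)Mi", str(value))
        if m and int(m[1]) % 1024 == 0:           # 1024Mi -> 1Gi, 3072Mi -> 3Gi
            return f"{path}.memory: {value} normalises to {int(m[1]) // 1024}Gi"
    return None

def deny(manifest):
    """All violations in one manifest; an empty list means the policy passes."""
    msgs = []
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Service" and "clusterIP" in spec and spec["clusterIP"] is None:
        msgs.append("spec.clusterIP: explicit null is dropped by the API server")
    for c in containers(manifest):
        for section in ("requests", "limits"):
            for key, value in c.get("resources", {}).get(section, {}).items():
                msg = quantity_violation(f'{c["name"]}.resources.{section}', key, value)
                if msg:
                    msgs.append(msg)
    return msgs

# Constructed: the pre-fix shape of the puppetserver hunk, then the fixed shape.
BEFORE = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "puppetserver", "resources": {"limits": {"cpu": 2, "memory": "3072Mi"},
                                           "requests": {"cpu": "500m", "memory": "1024Mi"}}}]}}}}
AFTER = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "puppetserver", "resources": {"limits": {"cpu": "2", "memory": "3Gi"},
                                           "requests": {"cpu": "500m", "memory": "1Gi"}}}]}}}}
NULL_SVC = {"kind": "Service", "spec": {"clusterIP": None, "ports": []}}

if __name__ == "__main__":
    for name, m in (("before", BEFORE), ("after", AFTER), ("service", NULL_SVC)):
        print(name, deny(m) or "ok")
```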
+1 -1
@@ -150,7 +150,7 @@ spec:
memory: 350Mi
cpu: 100m
limits:
memory: 1024Mi
memory: 1Gi
cpu: 500m
securityContext:
runAsNonRoot: true
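Review bot: the limits rewrite 1024Mi -> 1Gi is value-preserving (both parse to the same resource.Quantity, and 1Gi is the form the API server reports back), so this hunk only removes the spurious diff; `memory: 350Mi` in requests is correctly left alone, since it has no whole-Gi equivalent and is already canonical.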
+1 -1
@@ -35,7 +35,7 @@ spec:
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 1
cpu: "1"
memory: 1536Mi
requests:
cpu: 250m
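Review bot: quoting `cpu: "1"` changes the YAML type from integer to string without changing the quantity, which is what makes the manifest compare equal to the live object, as the API server stores every quantity as a string; the neighbouring `cpu: 250m` and `memory: 1536Mi` already parse as strings because of their suffixes, so nothing else in this block needs touching.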
@@ -31,11 +31,11 @@ spec:
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 2
memory: 3072Mi
cpu: "2"
memory: 3Gi
requests:
cpu: 500m
memory: 1024Mi
memory: 1Gi
ports:
- containerPort: 8140
name: puppetserver
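Review bot: all three rewrites keep the same value (2 -> "2", 3072Mi -> 3Gi, 1024Mi -> 1Gi) and the added pair preserves the cpu-then-memory order of the removed pair, so the limits block reads as before; `cpu: 500m` in requests is correctly unchanged, since 500m does not reduce to a whole CPU and is already canonical.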
@@ -35,11 +35,11 @@ spec:
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 2
cpu: "2"
memory: 3500Mi
requests:
cpu: 250m
memory: 1024Mi
memory: 1Gi
ports:
- containerPort: 8140
name: puppetserver
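Review bot: confirm that resource_normalization.rego tests divisibility by 1024 rather than matching a fixed list of values, since this is the hunk where the distinction shows: `memory: 3500Mi` is correctly left untouched (3500 is not a multiple of 1024, so it is already canonical), while the commit message only lists "1024Mi/2048Mi etc."; a divisibility check catches a future 4096Mi without further edits to the policy.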