Compile Constraint Templates to Separate OPA Environments

[maxsmythe]

Currently we are compiling all constraint templates into the same OPA artifact (d.compiler in the following code):

frameworks/constraint/pkg/client/drivers/local/local.go

Lines 212 to 229 in 2924b2c

	c := ast.NewCompiler().WithPathConflictsCheck(storage.NonEmpty(ctx, d.storage, txn)).
	WithCapabilities(d.capabilities)
	if c.Compile(updatedModules); c.Failed() {
	d.storage.Abort(ctx, txn)
	return 0, c.Errors
	}
	for name, mod := range insert {
	if err := d.storage.UpsertPolicy(ctx, txn, name, []byte(mod.text)); err != nil {
	d.storage.Abort(ctx, txn)
	return 0, err
	}
	}
	if err := d.storage.Commit(ctx, txn); err != nil {
	return 0, err
	}
	d.compiler = c
	d.modules = updatedModules

Which is then used to evaluate constraints here:

frameworks/constraint/pkg/client/drivers/local/local.go

Lines 326 to 348 in 2924b2c

	func (d *driver) eval(ctx context.Context, path string, input interface{}, cfg *drivers.QueryCfg) (rego.ResultSet, *string, error) {
	d.modulesMux.RLock()
	defer d.modulesMux.RUnlock()
	args := []func(*rego.Rego){
	rego.Compiler(d.compiler),
	rego.Store(d.storage),
	rego.Input(input),
	rego.Query(path),
	}
	if d.traceEnabled || cfg.TracingEnabled {
	buf := topdown.NewBufferTracer()
	args = append(args, rego.Tracer(buf))
	rego := rego.New(args...)
	res, err := rego.Eval(ctx)
	b := &bytes.Buffer{}
	topdown.PrettyTrace(b, *buf)
	t := b.String()
	return res, &t, err
	}
	rego := rego.New(args...)
	res, err := rego.Eval(ctx)
	return res, nil, err
	}

With the coordination of executing constraint templates done in Rego here:

frameworks/constraint/pkg/client/regolib/src.go

Lines 5 to 85 in 2924b2c

	package hooks["{{.Target}}"]
	violation[response] {
	data.hooks["{{.Target}}"].library.autoreject_review[rejection]
	review := get_default(input, "review", {})
	constraint := get_default(rejection, "constraint", {})
	spec := get_default(constraint, "spec", {})
	enforcementAction := get_default(spec, "enforcementAction", "deny")
	response = {
	"msg": get_default(rejection, "msg", ""),
	"metadata": {"details": get_default(rejection, "details", {})},
	"constraint": constraint,
	"review": review,
	"enforcementAction": enforcementAction,
	}
	}
	# Finds all violations for a given target
	violation[response] {
	data.hooks["{{.Target}}"].library.matching_constraints[constraint]
	review := get_default(input, "review", {})
	inp := {
	"review": review,
	"parameters": get_default(get_default(constraint, "spec", {}), "parameters", {}),
	}
	inventory[inv]
	data.templates["{{.Target}}"][constraint.kind].violation[r] with input as inp with data.inventory as inv
	spec := get_default(constraint, "spec", {})
	enforcementAction := get_default(spec, "enforcementAction", "deny")
	response = {
	"msg": r.msg,
	"metadata": {"details": get_default(r, "details", {})},
	"constraint": constraint,
	"review": review,
	"enforcementAction": enforcementAction,
	}
	}
	# Finds all violations in the cached state of a given target
	audit[response] {
	data.hooks["{{.Target}}"].library.matching_reviews_and_constraints[[review, constraint]]
	inp := {
	"review": review,
	"parameters": get_default(get_default(constraint, "spec", {}), "parameters", {}),
	}
	inventory[inv]
	data.templates["{{.Target}}"][constraint.kind].violation[r] with input as inp with data.inventory as inv
	spec := get_default(constraint, "spec", {})
	enforcementAction := get_default(spec, "enforcementAction", "deny")
	response = {
	"msg": r.msg,
	"metadata": {"details": get_default(r, "details", {})},
	"constraint": constraint,
	"review": review,
	"enforcementAction": enforcementAction,
	}
	}
	# get_default(data, "external", {}) seems to cause this error:
	# "rego_type_error: undefined function data.hooks.<target>.get_default"
	inventory[inv] {
	inv = data.external["{{.Target}}"]
	}
	inventory[{}] {
	not data.external["{{.Target}}"]
	}
	# get_default returns the value of an object's field or the provided default value.
	# It avoids creating an undefined state when trying to access an object attribute that does
	# not exist
	get_default(object, field, _default) = object[field]
	get_default(object, field, _default) = _default {
	not has_field(object, field)
	}
	has_field(object, field) {
	_ = object[field]
	}

We should change the compile/execution flow so that each constraint template is compiled and evaluated as separate Rego artifacts, with the execution being coordinated by Golang. This will have a number of benefits:

• No more quadratic runtime for ingestion per Quadratic runtime complexity for adding constraint templates #79
• The ability for individual template authors to leverage OPA's indexing, which the current Rego coordination code likely precludes. This may increase performance.
• The ability to more tightly control cache duration for G8r's external data feature
• Consolidate matcher implementation on Golang (which is used for mutation). This will remove code duplication, should be more performant, and will open up the door for more specialized indexing in the future
• Allows for more granular metrics, per Time taken by each constraint to validate the resources gatekeeper#1496

[maxsmythe]

It would also help with limiting the impact of runtime errors, per: open-policy-agent/gatekeeper#1562

[willbeason]

Done in #202