One of the biggest problems I needed to overcome while using OPA-Policy-Language with our Helm Chart configuration repositories is that each values.yaml could have a unique structure and ensuring stage specific values don't creep into the wrong stages.
An inital working example can be seen in this bad example. As you can see, the output is messy and with large input documents, could be hard to find the problematic values.
In order to do this effectively, in a readable fashion, I need to evaluate only the scalar leaves of the yaml document.
In Rego, when serialized, everything is one of: scalar value; object/map or array/set.
We can apply the policy only to the scalar values with the combination of walk() sprintf() and some custom helper functions:
- is_object()
- is_collection()
- is_scalar()
The code for this can be found in this Rego playground example as well as this Conftest Example Project.
Here is a screenshot of the code in the playground:
Conclusion
Although this did solve my problem, it doesn't feel right to rely on the serialization of objects/arrays to filter out the non-scalar values.
If you have a better way of doing this with Rego, please let me know!