Upgrade conftest to v0.62.0 (after opa v1.0 upgrade) #2656
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
simonbaird
changed the title
simonbaird
force-pushed
the
conftest-upgrade
branch
2 times, most recently
from
2cfc119 to
72c9c12
Compare
Member
Author
|
The acceptance tests passed for me locally, so not sure why they failed in GitHub. Will try running them again. |
simonbaird
force-pushed
the
conftest-upgrade
branch
from
72c9c12 to
94b4a78
Compare
Contributor
|
LGTM |
Acepresso
approved these changes
Aug 6, 2025
simonbaird
force-pushed
the
conftest-upgrade
branch
from
4d4bfbc to
3fe5863
Compare
Member
Author
|
I reworked the "Provide data source dir list.." commit so it correctly handles data inside nested subdirectories. |
Codecov Report❌ Patch coverage is
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Member
Author
|
I don't particularly want to add test coverage for |
Member
Author
|
I'm slightly worried about https://issues.redhat.com/browse/EC-1418 , so I might hold off merging this now. |
st3penta
reviewed
Aug 7, 2025
Comment on lines
+687
to
+690
| dataDirs := []string{} | ||
| for dir := range dirsWithDataFiles { | ||
| dataDirs = append(dataDirs, dir) | ||
| } |
Contributor
There was a problem hiding this comment.
do you know that with go 1.23 we have helper functions for this? not a big gain from the vanilla approach though 😄
Suggested change
| dataDirs := []string{} | |
| for dir := range dirsWithDataFiles { | |
| dataDirs = append(dataDirs, dir) | |
| } | |
| dataDirs := slices.Collect(maps.Keys(dirsWithDataFiles)) |
Member
Author
There was a problem hiding this comment.
Ooh, no I didn't. I really like it! For this PR I guess I wanna to stick with the old conventions for consistency with the rest of the code. Maybe we do a bigger refactor/cleanup in the near future and adopt the nice new style everywhere.
simonbaird
added a commit
to simonbaird/conforma-cli
that referenced
this pull request
Aug 7, 2025
The motivation is to make sure PR conforma#2656 doesn't change this behavior and potentially break things. The two things being verified: - If the value of the top level key is a map, then the map keys from each data source get merged - If the value of the top level key is not a map, then we fail hard with an error. Ref: https://issues.redhat.com/browse/EC-1418
Member
Author
|
Setting to draft since I want to merge #2681 then rebase this on top of it. |
simonbaird
force-pushed
the
conftest-upgrade
branch
from
3fe5863 to
eb4a166
Compare
Member
Author
|
Not sure why acceptance test failed in Sealights, but passed otherwise.. 🤔 |
simonbaird
added a commit
to simonbaird/conforma-cli
that referenced
this pull request
Aug 8, 2025
The motivation is to make sure PR conforma#2656 doesn't change this behavior and potentially break things. The two things being verified: - If the value of the top level key is a map, then the map keys from each data source get merged - If the value of the top level key is not a map, then we fail hard with an error. Ref: https://issues.redhat.com/browse/EC-1418
simonbaird
added a commit
to simonbaird/conforma-cli
that referenced
this pull request
Aug 8, 2025
The motivation is to make sure PR conforma#2656 doesn't change this behavior and potentially break things. The two things being verified: - If the value of the top level key is a map, then the map keys from each data source get merged - If the value of the top level key is not a map, then we fail hard with an error. Ref: https://issues.redhat.com/browse/EC-1418
Notably this is the first version of the conftest module that uses/supports the v1.x opa module. It required a little extra manual tweaking to remove the `replace muzzammil.xyz/jsonc ...` which is not needed now after open-policy-agent/conftest#1133 was merged. At this point I'm not sure exactly what the impact will be, but we have not updated this for a while. Now that we updated opa, let's update this also. Edit: There was quite a lot of impact actually, see the other commits in this PR. Ref: https://issues.redhat.com/browse/EC-1408 Ref: https://issues.redhat.com/browse/EC-1130
Looks like a refactor was done upstream related to how exit codes are handled. This updates our code to use the new methods and get builds working. Ref: https://issues.redhat.com/browse/EC-1408
Deal with an upstream refactor of the conftest module related to how capabilities and loaded. Also add the new RegoVersion "v1" attribute. Ref: https://issues.redhat.com/browse/EC-1408
As mentioned in the comments, it's not causing any specific harm, but for now it causes many snapshot comparisons to fail when running the tests. Let's remove it. Ref: https://issues.redhat.com/browse/EC-1408
The code in cmd/test/test.go is meant to be an "almost" copy of the conftest cmd/test/test.go. (It's only functional difference is to support one additional output format, the "appstudio" format). To update the file I used this helper to compare the upstream conftest file with our local copy: DIFF_TOOL=vimdiff make conftest-test-cmd-diff There are some flags changing here, so this could be a breaking change for users of `ec test`. As well as the cmd change, there is a snapshot adjustment due to a new metadata key that Conftest is producing. FWIW I don't think this is a good strategy long term. Maintaining this file manually is quite difficult. Maybe it's possible to do it a different way, e.g. the way it's done in cmd/opa, but still add support for the additional format. Also I'm not sure if anyone is using this experimental feature, so we could consider dropping it. (But let's worry about all that later.) Ref: https://issues.redhat.com/browse/EC-1408
We need to use the newer opa v1 syntax. This fixes a failing acceptance test in features/initialize.feature. Side-note: The `ec init policy` command is a bit undercooked, and I don't it's been used much. In this commit I'm just doing the minimum required to make the tests pass, and resisting the urge to also try to improve it. Ref: https://issues.redhat.com/browse/EC-1408
The timestamp part was removed a while ago in commit 1ca0a62 . Minor fixup while working on... Ref: https://issues.redhat.com/browse/EC-1408
I'm assuming there's no good reason to be ignoring that error. An incidental improvement while working on... Ref: https://issues.redhat.com/browse/EC-1408
..instead of just the top level data dir.
After updating conftest, the way the data is passed into the rego
evaluator somehow changed. (Actually I'm not sure how/where that
happened, or whether it was due to a change in the underlying opa
engine, or in the conftest wrapper.)
The change is related to using data subdirectory names as keys in
the data. So for example if you provide "./data" as the data
directory, and there was a file there like "data/foo/bar/config.json"
the foo and bar directory names become keys in the data structure
visible to rego, e.g. "data.foo.bar.whatever".
We don't want that, particularly because we place data from each
data source in a subdirectory with a generated name based on a
checksum of the source url.
Also, for the trusted task data bundle, we end up with the actual
yaml file under several levels of subdirectories, something like
{{workdir}}/data/e8a615778/data/data/trusted_tekton_tasks.yml, which
means we'd need to look for the trusted tasks in
data.e8a615778.data.data.trusted_tasks[refkey] instead of
data.trusted_tasks[refkey].
To avoid the directories becoming keys in the data we need to
provide an explicit list of the data directories to the engine
instead of just the one top level data directory. In the above
example, we'd need to provide (effectively) `--data "data/foo/bar"
instead of `--data "data"`.
There's also a related change for the config.json to place it in
"data/config/config.json" instead of at the top level, i.e.
"data/config.json" so its location is consistent with the other data
sources.
Ref: https://issues.redhat.com/browse/EC-1408
Co-authored-by: Claude Sonnet 4
See also the explanations in the previous commit. This change adds some more visibly obvious test coverage for that behavior. If it wasn't for the changes in the previous commit, we'd see foo and bar become keys in the data and the test would fail. Ref: https://issues.redhat.com/browse/EC-1408
simonbaird
force-pushed
the
conftest-upgrade
branch
from
eb4a166 to
73b94d2
Compare
simonbaird
changed the title
Member
Author
|
/retest |
Member
Author
|
Looking at the Codecov report it seems to me mostly these: Getting coverage on those err handling code paths is very low value, so I'm not going to pay attention to the failure. |
Member
Author
|
With the test coverage from #2681 I'm now pretty confident about this. Let's merge. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ref: https://issues.redhat.com/browse/EC-1408