Initial commit

.github/workflows/release.yml

@@ -0,0 +1,87 @@
+on:
+  push:
+    branches:
+    - main
+    tags:
+    - 'v*'
+
+name: publish Wasm module
+
+jobs:
+  build:
+    name: Create new release with Wasm artifact
+    runs-on: ubuntu-latest
+    env:
+      WASM_BINARY_NAME: psp_apparmor
+      OCI_TARGET: ghcr.io/chimera-kube/policies/psp-apparmor
+    steps:
+      -
+        name: Checkout code
+        uses: actions/checkout@v2
+      -
+        name: Prepare Rust environment
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          target: wasm32-unknown-unknown
+      -
+        name: Download wasm-to-oci
+        uses: i3h/download-release-asset@v1
+        with:
+          owner: engineerd
+          repo: wasm-to-oci
+          tag: v0.1.1
+          file: linux-amd64-wasm-to-oci
+      -
+        name: fix wasm-to-oci permissions
+        run: |
+          chmod 755 linux-amd64-wasm-to-oci
+      -
+        name: Build Wasm module
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --target=wasm32-unknown-unknown --release
+      -
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.CR_PAT }}
+      -
+        name: Publish Wasm policy artifact to OCI registry with the 'latest' tag
+        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+        run: |
+          ./linux-amd64-wasm-to-oci push target/wasm32-unknown-unknown/release/${WASM_BINARY_NAME}.wasm ${OCI_TARGET}:latest
+      -
+        name: Publish Wasm policy artifact to OCI registry with the version tag and 'latest'
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          export OCI_TAG=$(echo $GITHUB_REF | sed -e "s|refs/tags/||")
+          ./linux-amd64-wasm-to-oci push target/wasm32-unknown-unknown/release/${WASM_BINARY_NAME}.wasm ${OCI_TARGET}:${OCI_TAG}
+      -
+        name: Create Release
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          draft: false
+          prerelease: false
+      -
+        name: Upload Release Asset
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: target/wasm32-unknown-unknown/release/${{ env.WASM_BINARY_NAME }}.wasm
+          asset_name: policy.wasm
+          asset_content_type: application/wasm

.github/workflows/tests.yml

@@ -0,0 +1,64 @@
+on: [push, pull_request]
+
+name: Continuous integration
+
+jobs:
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - uses: actions-rs/cargo@v1
+        with:
+          command: check
+
+  test:
+    name: Test Suite
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - uses: actions-rs/cargo@v1
+        with:
+          command: test
+
+  fmt:
+    name: Rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - run: rustup component add rustfmt
+      - uses: actions-rs/cargo@v1
+        with:
+          command: fmt
+          args: --all -- --check
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - run: rustup component add clippy
+      - uses: actions-rs/cargo@v1
+        with:
+          command: clippy
+          args: -- -D warnings

.gitignore

@@ -0,0 +1,2 @@
+*.wasm
+target

Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "psp-apparmor"
+version = "0.1.0"
+authors = ["Flavio Castelli <[email protected]>"]
+edition = "2018"
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+anyhow = "1.0"
+jmespatch = "0.3.0"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+wapc-guest = "0.4.0"
+chimera-kube-policy-sdk = { git = "https://github.com/chimera-kube/policy-sdk-rust.git", branch = "main" }