Allow templates to use local policies (#452)

* Allow templates to use local policies

This makes it possible to use `topaz templates install` with
a policy image that has been built locally but not pushed to a
remote registry.

It is especially useful in policy repos when testing local changes
or validating pull requests in CI.

* Add '--local' flag to `config new` command

And deprecate --local-policy-image

* Replace `--local` with `--from [remote|local]` enum

pkg/cc/config/generator.go

@@ -22,8 +22,8 @@ func (g *Generator) WithVersion(version int) *Generator {
 	return g
 }
 
-func (g *Generator) WithLocalPolicyImage(image string) *Generator {
-	g.LocalPolicyImage = image
+func (g *Generator) WithLocalPolicy(local bool) *Generator {
+	g.LocalPolicy = local
 	return g
 }
 

pkg/cc/config/templates.go

@@ -2,10 +2,10 @@ package config
 
 type templateParams struct {
 	Version           int
-	LocalPolicyImage  string
 	PolicyName        string
 	Resource          string
 	Authorization     string
+	LocalPolicy       bool
 	EdgeDirectory     bool
 	SeedMetadata      bool
 	EnableDirectoryV2 bool
@@ -34,7 +34,7 @@ opa:
   graceful_shutdown_period_seconds: 2
   # max_plugin_wait_time_seconds: 30 set as default
   local_bundles:
-    local_policy_image: {{ .LocalPolicyImage }}
+    local_policy_image: {{ .Resource }}
     watch: true
     skip_verification: true
 `
@@ -148,8 +148,8 @@ jwt:
 # authentication configuration
 auth:
   api_keys:
-    # "<API key>": <Identity>  
-    # "<Password>": <Identity>  
+    # "<API key>": <Identity>
+    # "<Password>": <Identity>
   options:
     default:
       enable_api_key: false
@@ -457,7 +457,7 @@ api:
         read_header_timeout: 2s
         write_timeout: 2s
         idle_timeout: 30s
-  
+
     authorizer:
       needs:
         - reader

pkg/cli/cmd/configure/new.go

@@ -13,19 +13,28 @@ import (
 	"github.com/pkg/errors"
 )
 
+const (
+	FromRemote = "remote"
+	FromLocal  = "local"
+)
+
 type NewConfigCmd struct {
 	Name             ConfigName `short:"n" help:"config name"`
-	LocalPolicyImage string     `short:"l" help:"local policy image name"`
-	Resource         string     `short:"r" help:"resource url"`
-	Stdout           bool       `short:"p" help:"print to stdout"`
+	Resource         string     `short:"r" help:"policy uri (e.g. ghcr.io/org/policy:tag)"`
+	From             string     `enum:"remote,local" default:"remote" help:"load policy from remote or local image"`
+	Stdout           bool       `short:"p" help:"print to stdout" default:"false"`
 	EdgeDirectory    bool       `short:"d" help:"enable edge directory" default:"false"`
-	Force            bool       `flag:"" default:"false" short:"f" required:"false" help:"skip confirmation prompt"`
+	Force            bool       `short:"f" flag:"" default:"false" required:"false" help:"skip confirmation prompt"`
+	LocalPolicyImage string     `short:"l" help:"[deprecated: use --local instead] local policy image name"`
 }
 
 func (cmd *NewConfigCmd) Run(c *cc.CommonCtx) error {
-	if cmd.Name == "" && cmd.Resource == "" {
+	if cmd.Resource == "" {
 		if cmd.LocalPolicyImage == "" {
-			return errors.New("you either need to provide a local policy image or the resource and the policy name for the configuration")
+			return errors.New("no policy specified. Please provide a policy URI with the --resource (-r) option")
+		} else {
+			c.Con().Warn().Msg("The --local-policy-image options (-l) is deprecated and will be removed in a future release. " +
+				"Please use the --local flag instead.")
 		}
 	}
 
@@ -39,11 +48,17 @@ func (cmd *NewConfigCmd) Run(c *cc.CommonCtx) error {
 		c.Con().Info().Msg(">>> configure policy\n")
 	}
 
+	// Backward-compatibility with deprecated LocalPolicyImage option.
+	resource, local := cmd.Resource, cmd.From == FromLocal
+	if cmd.LocalPolicyImage != "" {
+		resource, local = cmd.LocalPolicyImage, true
+	}
+
 	configGenerator := config.NewGenerator(cmd.Name.String()).
 		WithVersion(config.ConfigFileVersion).
-		WithLocalPolicyImage(cmd.LocalPolicyImage).
 		WithPolicyName(cmd.Name.String()).
-		WithResource(cmd.Resource).
+		WithResource(resource).
+		WithLocalPolicy(local).
 		WithEdgeDirectory(cmd.EdgeDirectory)
 
 	_, err := configGenerator.CreateConfigDir()
@@ -85,8 +100,8 @@ func (cmd *NewConfigCmd) Run(c *cc.CommonCtx) error {
 	}
 
 	if !cmd.Stdout {
-		if cmd.LocalPolicyImage != "" {
-			c.Con().Info().Msg("using local policy image: %s", cmd.LocalPolicyImage)
+		if local {
+			c.Con().Info().Msg("using local policy image: %s", resource)
 			return configGenerator.GenerateConfig(w, config.LocalImageTemplate)
 		}
 

pkg/cli/cmd/templates/install.go

@@ -14,6 +14,7 @@ import (
 	"github.com/aserto-dev/topaz/pkg/cli/cmd/configure"
 	"github.com/aserto-dev/topaz/pkg/cli/cmd/directory"
 	"github.com/aserto-dev/topaz/pkg/cli/cmd/topaz"
+	"github.com/samber/lo"
 )
 
 type InstallTemplateCmd struct {
@@ -177,6 +178,7 @@ func (cmd *InstallTemplateCmd) prepareTopaz(c *cc.CommonCtx, tmpl *template, cus
 		command := configure.NewConfigCmd{
 			Name:     configure.ConfigName(name),
 			Resource: tmpl.Assets.Policy.Resource,
+			From:     lo.Ternary(tmpl.Assets.Policy.Local, configure.FromLocal, configure.FromRemote),
 			Force:    true,
 		}
 		if err := command.Run(c); err != nil {

pkg/cli/cmd/templates/template.go

@@ -46,6 +46,7 @@ type template struct {
 		Policy   struct {
 			Name     string `json:"name"`
 			Resource string `json:"resource"`
+			Local    bool   `json:"local"`
 		} `json:"policy,omitempty"`
 		IdentityData []string `json:"idp_data,omitempty"`
 		DomainData   []string `json:"domain_data,omitempty"`