pluralsh · floreks · Feb 20, 2025 · Feb 20, 2025 · Feb 20, 2025 · Feb 20, 2025
diff --git a/assets/src/generated/graphql.ts b/assets/src/generated/graphql.ts
@@ -4846,6 +4846,8 @@ export type PolicyConstraintEdge = {
 /** Configuration for applying policy enforcement to a stack */
 export type PolicyEngine = {
   __typename?: 'PolicyEngine';
+  /** the maximum allowed severity without failing the stack run */
+  maxSeverity?: Maybe<VulnSeverity>;
   /** the policy engine to use with this stack */
   type: PolicyEngineType;
 };

diff --git a/charts/controller/crds/deployments.plural.sh_infrastructurestacks.yaml b/charts/controller/crds/deployments.plural.sh_infrastructurestacks.yaml
@@ -8376,6 +8376,29 @@ spec:
                   - observabilityProviderRef
                   type: object
                 type: array
+              policyEngine:
+                description: PolicyEngine is a configuration for applying policy enforcement
+                  to a stack.
+                properties:
+                  maxSeverity:
+                    description: MaxSeverity is the maximum allowed severity without
+                      failing the stack run
+                    enum:
+                    - UNKNOWN
+                    - LOW
+                    - MEDIUM
+                    - HIGH
+                    - CRITICAL
+                    - NONE
+                    type: string
+                  type:
+                    description: Type is the policy engine to use with this stack
+                    enum:
+                    - TRIVY
+                    type: string
+                required:
+                - type
+                type: object
               projectRef:
                 description: |-
                   ProjectRef references project this stack belongs to.

diff --git a/go/client/client.go b/go/client/client.go
diff --git a/go/client/graph/stack.graphql b/go/client/graph/stack.graphql
@@ -24,6 +24,7 @@ fragment InfrastructureStackStatusFragment on InfrastructureStack {
 
 fragment PolicyEngineFragment on PolicyEngine {
     type
+    maxSeverity
 }
 
 fragment InfrastructureStackFragment on InfrastructureStack {
@@ -125,6 +126,7 @@ fragment StackViolationCauseFragment on StackViolationCause {
     start
     end
     resource
+    filename
     lines { ...StackViolationCauseLineFragment }
 }
 

diff --git a/go/client/models_gen.go b/go/client/models_gen.go
diff --git a/go/controller/api/v1alpha1/infrastructurestack_types.go b/go/controller/api/v1alpha1/infrastructurestack_types.go
@@ -138,6 +138,10 @@ type InfrastructureStackSpec struct {
 	// stack Type (except [console.StackTypeCustom]).
 	// +kubebuilder:validation:Optional
 	Variables *runtime.RawExtension `json:"variables,omitempty"`
+
+	// PolicyEngine is a configuration for applying policy enforcement to a stack.
+	// +kubebuilder:validation:Optional
+	PolicyEngine *PolicyEngine `json:"policyEngine,omitempty"`
 }
 
 type StackFile struct {
@@ -244,3 +248,26 @@ type ObservableMetric struct {
 	// +kubebuilder:validation:Required
 	ObservabilityProviderRef corev1.ObjectReference `json:"observabilityProviderRef"`
 }
+
+type PolicyEngine struct {
+	// Type is the policy engine to use with this stack
+	// +kubebuilder:validation:Enum=TRIVY
+	// +kubebuilder:validation:Required
+	Type console.PolicyEngineType `json:"type"`
+
+	// MaxSeverity is the maximum allowed severity without failing the stack run
+	// +kubebuilder:validation:Enum=UNKNOWN;LOW;MEDIUM;HIGH;CRITICAL;NONE
+	// +kubebuilder:validation:Optional
+	MaxSeverity *console.VulnSeverity `json:"maxSeverity,omitempty"`
+}
+
+func (in *PolicyEngine) Attributes() *console.PolicyEngineAttributes {
+	if in == nil {
+		return nil
+	}
+
+	return &console.PolicyEngineAttributes{
+		Type:        in.Type,
+		MaxSeverity: in.MaxSeverity,
+	}
+}
diff --git a/go/controller/api/v1alpha1/zz_generated.deepcopy.go b/go/controller/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/go/controller/config/crd/bases/deployments.plural.sh_infrastructurestacks.yaml b/go/controller/config/crd/bases/deployments.plural.sh_infrastructurestacks.yaml
@@ -8376,6 +8376,29 @@ spec:
                   - observabilityProviderRef
                   type: object
                 type: array
+              policyEngine:
+                description: PolicyEngine is a configuration for applying policy enforcement
+                  to a stack.
+                properties:
+                  maxSeverity:
+                    description: MaxSeverity is the maximum allowed severity without
+                      failing the stack run
+                    enum:
+                    - UNKNOWN
+                    - LOW
+                    - MEDIUM
+                    - HIGH
+                    - CRITICAL
+                    - NONE
+                    type: string
+                  type:
+                    description: Type is the policy engine to use with this stack
+                    enum:
+                    - TRIVY
+                    type: string
+                required:
+                - type
+                type: object
               projectRef:
                 description: |-
                   ProjectRef references project this stack belongs to.