
Add --policy-overlay flag to merge things into the main --policy #3260

Draft
simonbaird wants to merge 2 commits into conforma:main from simonbaird:policy-overlay-merge

Conversation

@simonbaird
Member

I'm not sure if this is a good idea, just created a POC to see if we like it.

One challenge, the overlays are almost guaranteed to not be valid ECPs, so to have them available in the cluster we might need to create a new CRD called ConformaPolicyOverlay for example.

An alternative design that might work better than this: extend ECP so it allows specifying a "base" config, and changes that should be applied to it.

simonbaird and others added 2 commits April 22, 2026 15:15
Introduces support for layering EnterpriseContractPolicy configurations
using overlay files, similar to CSS or Kustomize. This allows teams to
maintain a standard base policy and apply team-specific customizations
on top.

Key changes:
- Add MergePolicyConfigs() function with deep merge semantics:
  - Maps: deeply merged (overlay keys override base)
  - Arrays: concatenated (base + overlay items)
  - Scalars: last-wins (overlay replaces base)

- Add --policy-overlay flag to ec validate image:
  - Can be specified multiple times
  - Overlays applied in order
  - Backward compatible (no overlay = existing behavior)
  - Supports same formats as --policy (files, git, inline JSON/YAML)

- Include example files demonstrating usage:
  - Standard base policy
  - Team-specific overlay (excludes, ruleData)
  - Hotfix overlay (temporary overrides)
  - README with usage examples

Benefits:
- DRY: update standard policy once, all teams benefit
- Team autonomy: customize without forking
- Debuggability: see effective merged configuration

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Adds a new `ec inspect ecp` command to display the effective
EnterpriseContractPolicy configuration after merging overlays.
This provides visibility into what policy will actually be
evaluated during validation.

Usage:
  # Inspect base policy
  ec inspect ecp --policy standard.yaml

  # Inspect merged result
  ec inspect ecp --policy standard.yaml --policy-overlay team.yaml

  # Multiple overlays
  ec inspect ecp --policy standard.yaml \
    --policy-overlay team.yaml \
    --policy-overlay hotfix.yaml

The command outputs the final merged YAML configuration to stdout,
making it easy to understand and debug policy composition.

Includes comprehensive acceptance tests covering:
- Single policy inspection
- Single and multiple overlay merges
- Array concatenation behavior
- Map override semantics
- Deep nested structure merging

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
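To make the merge semantics listed in the first commit (maps deep-merged, arrays concatenated, scalars last-wins) and the merged result `ec inspect ecp` prints concrete, here is an added Go example; it is not the project's code, and the base policy and overlay contents are constructed inline JSON.

```go
package main

import (
	"encoding/json"
	"os"
)

// MergePolicyConfigs deep-merges overlay into base as the commit describes: maps merge recursively, arrays concatenate (base first), anything else is last-wins.
func MergePolicyConfigs(base, overlay map[string]any) map[string]any {
	out := make(map[string]any, len(base)+len(overlay))
	for k, v := range base {
		out[k] = v
	}
	for k, ov := range overlay {
		if bm, ok := out[k].(map[string]any); ok {
			if om, ok := ov.(map[string]any); ok {
				ov = MergePolicyConfigs(bm, om) // both sides are maps: recurse
			}
		} else if ba, ok := out[k].([]any); ok {
			if oa, ok := ov.([]any); ok {
				ov = append(append([]any{}, ba...), oa...) // both arrays: base items then overlay items
			}
		}
		out[k] = ov // scalar, key missing in base, or type mismatch: overlay replaces base
	}
	return out
}

const ( // constructed, hypothetical inputs in the inline-JSON form --policy accepts: base, team overlay, hotfix
	basePolicy    = `{"name":"standard","config":{"include":["@redhat"],"exclude":["step_image_registries"]},"ruleData":{"allowed_registry_prefixes":["registry.example.com/"],"max_age_days":30}}`
	teamOverlay   = `{"config":{"exclude":["cve.cve_blockers"]},"ruleData":{"max_age_days":7,"team":"payments"}}`
	hotfixOverlay = `{"name":"standard-hotfix","config":{"exclude":["tasks.required_tasks"]}}`
)

// EffectivePolicy applies the overlays left to right (repeated --policy-overlay flags); the result is what `ec inspect ecp` would print.
func EffectivePolicy() map[string]any {
	var effective map[string]any
	for _, s := range []string{basePolicy, teamOverlay, hotfixOverlay} {
		var layer map[string]any
		if err := json.Unmarshal([]byte(s), &layer); err != nil {
			panic(err) // the constants above are well-formed; a malformed inline policy would fail here
		}
		effective = MergePolicyConfigs(effective, layer)
	}
	return effective
}

func main() {
	json.NewEncoder(os.Stdout).Encode(EffectivePolicy()) // prints the merged configuration as JSON
}
```

Because arrays only concatenate, an overlay can add to a base `exclude` list but never remove an entry from it, so the effective merged output is the place to check what is actually in force.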
@coderabbitai

coderabbitai Bot commented Apr 22, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.
