feat: Add OPA Rego v1 support

.github/workflows/cron_e2e.yaml

@@ -61,11 +61,14 @@ jobs:
         with:
           name: konstraint
 
-      - name: generate resources
+      - name: generate resources (v0)
         run: |
           chmod +x ./konstraint
           ./konstraint create -o e2e-resources examples
 
+      - name: generate resources (v1)
+        run: ./konstraint create -o e2e-resources-v1 --rego-version v1 examples
+
       - name: create kind cluster
         run: kind create cluster
 
@@ -77,9 +80,23 @@ jobs:
           kubectl create ns gatekeeper-system
           helm install gatekeeper gk/gatekeeper -n gatekeeper-system --set replicas=1 --version ${GK_VERSION} --set psp.enabled=false
 
-      - name: apply resources
+      - name: apply resources (v0)
         working-directory: e2e-resources
         run: |
           for ct in $(ls template*); do kubectl apply -f $ct; done
           sleep 60 # gatekeeper takes some time to create the CRDs
           for c in $(ls constraint*); do kubectl apply -f $c; done
+
+      - name: cleanup resources (v0)
+        working-directory: e2e-resources
+        run: |
+          for c in $(ls constraint*); do kubectl delete -f $c; done
+          for ct in $(ls template*); do kubectl delete -f $ct; done
+          sleep 60
+
+      - name: apply resources (v1)
+        working-directory: e2e-resources-v1
+        run: |
+          for ct in $(ls template*); do kubectl apply -f $ct; done
+          sleep 60 # gatekeeper takes some time to create the CRDs
+          for c in $(ls constraint*); do kubectl apply -f $c; done

.github/workflows/pull_request.yaml

@@ -130,9 +130,12 @@ jobs:
         with:
           version: latest
 
-      - name: opa check strict
+      - name: opa check strict (v0)
         run: opa check --v0-compatible --strict --ignore "*.yaml" examples
 
+      - name: opa check strict (v1)
+        run: opa check --strict --ignore "*.yaml" examples
+
       - name: setup regal
         uses: styrainc/setup-regal@v1.0.0
         with:
@@ -190,11 +193,15 @@ jobs:
         with:
           name: konstraint-ubuntu-latest
 
-      - name: generate resources
+      - name: generate resources (v0)
         run: |
           chmod +x ./konstraint
           ./konstraint create -o e2e-resources examples
 
+      - name: generate resources (v1)
+        run: |
+          ./konstraint create -o e2e-resources-v1 --rego-version v1 examples
+
       - name: create kind cluster
         run: kind create cluster
 
@@ -206,9 +213,23 @@ jobs:
           kubectl create ns gatekeeper-system
           helm install gatekeeper gk/gatekeeper -n gatekeeper-system --set replicas=1 --version ${GK_VERSION} --set psp.enabled=false
 
-      - name: apply resources
+      - name: apply resources (v0)
         working-directory: e2e-resources
         run: |
           for ct in $(ls template*); do kubectl apply -f $ct; done
           sleep 60 # gatekeeper takes some time to create the CRDs
           for c in $(ls constraint*); do kubectl apply -f $c; done
+
+      - name: cleanup resources (v0)
+        working-directory: e2e-resources
+        run: |
+          for c in $(ls constraint*); do kubectl delete -f $c --ignore-not-found; done
+          for ct in $(ls template*); do kubectl delete -f $ct --ignore-not-found; done
+          sleep 30 # wait for cleanup
+
+      - name: apply resources (v1)
+        working-directory: e2e-resources-v1
+        run: |
+          for ct in $(ls template*); do kubectl apply -f $ct; done
+          sleep 60 # gatekeeper takes some time to create the CRDs
+          for c in $(ls constraint*); do kubectl apply -f $c; done

README.md

@@ -25,7 +25,7 @@ To create the Gatekeeper resources, use `konstraint create <policy_dir>`.
 
 To generate the accompanying documentation, use `konstraint doc <policy_dir>`.
 
-Both commands support the `--output` flag to specify where to save the output. For more detailed usage documentation, see the [CLI Documentation](docs/cli/konstraint.md).
+Both commands support the `--output` flag to specify where to save the output. Use `--rego-version v1` to generate OPA Rego v1 compatible ConstraintTemplates with the `code` field structure. For more detailed usage documentation, see the [CLI Documentation](docs/cli/konstraint.md).
 
 ## Why this tool exists
 

docs/cli/konstraint_create.md

@@ -30,7 +30,9 @@ Create constraints with the Gatekeeper enforcement action set to dryrun
       --log-level string                                  Set a log level. Options: error, info, debug, trace (default "info")
   -o, --output string                                     Specify an output directory for the Gatekeeper resources
       --partial-constraints                               Generate partial Constraints for policies with parameters
+      --rego-version string                               Set the Rego version for parsing and template generation (v0, v1) (default "v0")
       --skip-constraints                                  Skip generation of constraints
+      --strip-v0-imports                                  Strip v0 compatibility imports from generated templates: import future.keywords[.if|.in|.every|.contains], import rego.v1 (only valid with --rego-version v1)
 ```
 
 ### SEE ALSO

docs/cli/konstraint_doc.md

@@ -26,6 +26,8 @@ Set the URL where the policies are hosted at
       --include-comments       Include comments from the rego source in the documentation
       --no-rego                Do not include the Rego in the policy documentation
   -o, --output string          Output location (including filename) for the policy documentation (default "policies.md")
+      --rego-version string    Rego version for parsing policies (v0, v1) (default "v0")
+      --strip-v0-imports       Strip v0 compatibility imports from documentation: import future.keywords[.if|.in|.every|.contains], import rego.v1 (only valid with --rego-version v1)
       --template-file string   File to read the template from (default: "")
       --url string             The URL where the policy files are hosted at (e.g. https://github.com/policies)
 ```

internal/commands/constrainttemplate_template.tpl

@@ -14,8 +14,19 @@ spec:
           properties: {{- .AnnotationParameters | toJSON | fromJSON | toIndentYAML 2 | nindent 12 }}
       {{- end }}
   targets:
+  {{- if eq .Version.String "v1" }}
+  - code:
+    - engine: Rego
+      source:
+        libs: {{- range .RenderedDependencies }}
+        - |- {{- . | nindent 10 }}
+        {{- end }}
+        rego: |- {{- .RenderedSource | nindent 10 }}
+        version: v1
+  {{- else }}
   - libs: {{- range .Dependencies }}
     - |- {{- . | nindent 6 -}}
     {{ end }}
     rego: |- {{- .Source | nindent 6 }}
+  {{- end }}
     target: admission.k8s.gatekeeper.sh