chore: add json schema generation (#1264)

## Description Adds json schemas using the quicktype generation from KFC. In addition has a post-processing step using yq to make the schema behave strictly. ## Related Issue Fixes #1263 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Steps to Validate This doesn't work great within core, but you can test by pointing to the schema from this branch, updating the `.vscode/settings.json` file to: ```json "https://raw.githubusercontent.com/defenseunicorns/uds-core/refs/heads/json-schema/schemas/package-v1alpha1.schema.json": [ "**/uds-package.yaml", "**/package.yaml" ], "https://raw.githubusercontent.com/defenseunicorns/uds-core/refs/heads/json-schema/schemas/exemption-v1alpha1.schema.json": [ "**/uds-exemption.yaml", "**/exemptions.yaml", "**/exemption.yaml" ], ``` Open up a package / exemption file. You may need to change some settings in the bottom right to ensure VSCode uses `yaml` instead of `helm-template` for the file. Then try adding/modifying fields to ensure schema violations are shown. ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
defenseunicorns · Feb 7, 2025 · 9eee462 · 9eee462
1 parent bb634a6
commit 9eee462
Show file tree

Hide file tree

Showing 6 changed files with 1,245 additions and 2 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -21,7 +21,16 @@
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
     "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.20.0/zarf.schema.json": [
       "zarf.yaml"
-    ]
+    ],
+    "https://raw.githubusercontent.com/defenseunicorns/uds-core/refs/heads/main/schemas/package-v1alpha1.schema.json": [
+      "**/uds-package.yaml",
+      "**/package.yaml"
+    ],
+    "https://raw.githubusercontent.com/defenseunicorns/uds-core/refs/heads/main/schemas/exemption-v1alpha1.schema.json": [
+      "**/uds-exemption.yaml",
+      "**/exemptions.yaml",
+      "**/exemption.yaml"
+    ],
   },
   "cSpell.words": [
     "alertmanager",

diff --git a/docs/reference/configuration/UDS operator/exemption.md b/docs/reference/configuration/UDS operator/exemption.md
@@ -51,6 +51,10 @@ spec:
         name: "^neuvector-prometheus-exporter-pod.*"
 ```
 
+:::note
+This example may not contain all fields, the full specification for the Exemption CR is documented [here](/reference/configuration/custom-resources/exemptions-v1alpha1-cr). In addition, there is a JSON schema published [here](https://raw.githubusercontent.com/defenseunicorns/uds-core/refs/heads/main/schemas/exemption-v1alpha1.schema.json) for use in your IDE.
+:::
+
 ### Configuring UDS Core Policy Exemptions
 
 Default [policy exemptions](https://uds.defenseunicorns.com/reference/configuration/custom-resources/exemptions-v1alpha1-cr/) and [namespace restriction/config](https://uds.defenseunicorns.com/reference/configuration/uds-configure-policy-exemptions/) are confined to a singular namespace: `uds-policy-exemptions`. We find this to be an optimal approach for UDS due to the following reasons:
@@ -79,4 +83,4 @@ shared:
 
 variables:
  # package specific variables here
-```
+```
diff --git a/docs/reference/configuration/UDS operator/package.md b/docs/reference/configuration/UDS operator/package.md
@@ -90,6 +90,10 @@ spec:
             userinfo.token.claim: "true"
 ```
 
+:::note
+This example may not contain all fields, the full specification for the Package CR is documented [here](/reference/configuration/custom-resources/packages-v1alpha1-cr). In addition, there is a JSON schema published [here](https://raw.githubusercontent.com/defenseunicorns/uds-core/refs/heads/main/schemas/package-v1alpha1.schema.json) for use in your IDE.
+:::
+
 ### Example UDS Package CR with SSO Templating
 
 By default, UDS generates a secret for the Single Sign-On (SSO) client that encapsulates all client contents as an opaque secret. In this setup, each key within the secret corresponds to its own environment variable or file, based on the method used to mount the secret. If customization of the secret rendering is required, basic templating can be achieved using the `secretTemplate` property. Below are examples showing this functionality. To see how templating works, please see the [Regex website](https://regex101.com/r/e41Dsk/3).

diff --git a/schemas/exemption-v1alpha1.schema.json b/schemas/exemption-v1alpha1.schema.json
@@ -0,0 +1,113 @@
+{
+  "$schema": "http://json-schema.org/draft-06/schema#",
+  "$ref": "#/definitions/Exemption",
+  "definitions": {
+    "Exemption": {
+      "type": "object",
+      "additionalProperties": {},
+      "properties": {
+        "spec": {
+          "$ref": "#/definitions/Spec"
+        }
+      },
+      "required": [],
+      "title": "Exemption"
+    },
+    "Spec": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "exemptions": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ExemptionElement"
+          },
+          "description": "Policy exemptions"
+        }
+      },
+      "required": [
+        "exemptions"
+      ],
+      "title": "Spec"
+    },
+    "ExemptionElement": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "description": {
+          "type": "string",
+          "description": "Reasons as to why this exemption is needed"
+        },
+        "matcher": {
+          "$ref": "#/definitions/Matcher",
+          "description": "Resource to exempt (Regex allowed for name)"
+        },
+        "policies": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Policy"
+          },
+          "description": "A list of policies to override"
+        },
+        "title": {
+          "type": "string",
+          "description": "title to give the exemption for reporting purposes"
+        }
+      },
+      "required": [
+        "matcher",
+        "policies"
+      ],
+      "title": "ExemptionElement"
+    },
+    "Matcher": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "kind": {
+          "$ref": "#/definitions/Kind"
+        },
+        "name": {
+          "type": "string"
+        },
+        "namespace": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "name",
+        "namespace"
+      ],
+      "title": "Matcher",
+      "description": "Resource to exempt (Regex allowed for name)"
+    },
+    "Kind": {
+      "type": "string",
+      "enum": [
+        "pod",
+        "service"
+      ],
+      "title": "Kind"
+    },
+    "Policy": {
+      "type": "string",
+      "enum": [
+        "DisallowHostNamespaces",
+        "DisallowNodePortServices",
+        "DisallowPrivileged",
+        "DisallowSELinuxOptions",
+        "DropAllCapabilities",
+        "RequireNonRootUser",
+        "RestrictCapabilities",
+        "RestrictExternalNames",
+        "RestrictHostPathWrite",
+        "RestrictHostPorts",
+        "RestrictProcMount",
+        "RestrictSeccomp",
+        "RestrictSELinuxType",
+        "RestrictVolumeTypes"
+      ],
+      "title": "Policy"
+    }
+  }
+}