From fd767c3ee4c8130faa5f536ea47e29a449708487 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Wei=C3=9Fe?=
Date: Mon, 17 Jun 2024 10:40:58 +0200
Subject: [PATCH 1/2] genpolicy: allow contrast env vars for coordinator
---
 .../genpolicy_msft_settings_coordinator.patch | 21 +++++++++++++++++++
 .../genpolicy_msft_settings_dev.patch | 14 +++++++++++--
 .../by-name/microsoft/genpolicy/package.nix | 5 +++++
 packages/scripts.nix | 2 +-
 4 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
new file mode 100644
index 0000000000..6f55c99e85
--- /dev/null
+++ b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
@@ -0,0 +1,21 @@
+diff --git a/genpolicy-settings.json b/genpolicy-settings.json
+index 7d35862a..4eacc7cd 100644
+--- a/genpolicy-settings.json
++++ b/genpolicy-settings.json
+@@ -307,7 +307,8 @@
+ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++ "^CONTRAST_[A-Z0-9_]*=.*$"
+ ]
+ },
+ "CopyFileRequest": [
+@@ -322,4 +323,4 @@
+ "UpdateEphemeralMountsRequest": false,
+ "WriteStreamRequest": false
+ }
+-}
+\ No newline at end of file
++}
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch
index 47a9246a43..86e2b69c19 100644
--- a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch
+++ b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch
@@ -1,8 +1,18 @@ 
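Review bot: The new allow-list entry `"^CONTRAST_[A-Z0-9_]*=.*$"` in the inner `@@ -307,7 +307,8 @@` hunk accepts every CONTRAST_-prefixed variable with any value, which is far broader than the logging variables the series says it is for (patch 2/2 subject), and because genpolicy exists to constrain what the untrusted host may pass into the pod, any CONTRAST_* setting the Coordinator honours could now be injected without a policy failure. Enumerate the variables actually needed and bound their values, e.g. `"^CONTRAST_<VAR>=(debug|info|warn|error)$"` (placeholder name and value set — substitute the real ones). `[A-Z0-9_]*` also matches the empty suffix `CONTRAST_=`, which `[A-Z0-9_]+` would exclude. The identical entry is added to genpolicy_msft_settings_dev.patch in the next hunk and should be tightened the same way.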
diff --git a/genpolicy-settings.json b/genpolicy-settings.json
-index 7d35862..536c10e 100644
+index 7d35862a..f469b201 100644
 --- a/genpolicy-settings.json
 +++ b/genpolicy-settings.json
-@@ -315,11 +315,13 @@
+@@ -307,7 +307,8 @@
+ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++ "^CONTRAST_[A-Z0-9_]*=.*$"
+ ]
+ },
+ "CopyFileRequest": [
+@@ -315,11 +316,13 @@
 ],
 "ExecProcessRequest": {
 "commands": [],
diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
index d2b03ecfd2..577d400270 100644
--- a/packages/by-name/microsoft/genpolicy/package.nix
+++ b/packages/by-name/microsoft/genpolicy/package.nix
@@ -74,6 +74,11 @@ rustPlatform.buildRustPackage rec {
 '';
 };
 
+ settings-coordinator = applyPatches {
+ src = settings;
+ patches = [ ./genpolicy_msft_settings_coordinator.patch ];
+ };
+
 # Settings that allow exec into CVM pods - not safe for production use!
 settings-dev = applyPatches {
 src = settings;
diff --git a/packages/scripts.nix b/packages/scripts.nix
index ff0ffa170e..872b1380cc 100644
--- a/packages/scripts.nix
+++ b/packages/scripts.nix
@@ -168,7 +168,7 @@
 pushd "$tmpdir" >/dev/null
 cp ${pkgs.microsoft.genpolicy.rules-coordinator}/genpolicy-rules.rego rules.rego
- cp ${pkgs.microsoft.genpolicy.settings}/genpolicy-settings.json .
+ cp ${pkgs.microsoft.genpolicy.settings-coordinator}/genpolicy-settings.json .
 genpolicy < "$tmpdir/coordinator_base.yml"
 popd >/dev/null
 '';
From 8dc4aae28ffad12f1dcedb5d855b59f5c9eafb53 Mon Sep 17 00:00:00 2001 
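Review bot: The new `settings-coordinator` attribute in the package.nix hunk has no comment, while the neighbouring `settings-dev` documents exactly what its patch loosens and that it is not production-safe; a reader of this file cannot tell that `settings-coordinator` widens the env-var allow-list. Add a one-line comment above it, e.g. `# Settings for the Coordinator policy: additionally allows CONTRAST_* env vars (see genpolicy_msft_settings_coordinator.patch)`. The enclosing `rustPlatform.buildRustPackage rec {` attribute set starts and ends outside the hunk.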
From: =?UTF-8?q?David=20Wei=C3=9Fe?=
Date: Mon, 17 Jun 2024 10:56:38 +0200
Subject: [PATCH 2/2] docs: coordinator policy allows logging vars
---
 docs/docs/troubleshooting.md | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/docs/docs/troubleshooting.md b/docs/docs/troubleshooting.md
index 6ff2b816e2..0818d70298 100644
--- a/docs/docs/troubleshooting.md
+++ b/docs/docs/troubleshooting.md
@@ -50,23 +50,6 @@ spec: # v1.PodSpec
 # ...
 ```
-After changing the Coordinator configuration you have to regenerate the policies
-for the `coordinator.yml` file.
-
-```sh
-contrast generate coordinator.yml
-```
-
-:::info
-
-When updating the Coordinator policy, the policy hash is stored in the
-`coordinator-policy.sha256` file. This hash needs to be passed to every
-subsequent call to `contrast set` and `contrast verify` using the
-`--coordinator-policy-hash` flag, as the hash now differs from the one embedded
-into the CLI.
-
-:::
-
 To access the logs generated by the Coordinator, you can use `kubectl` with the
 following command.