add custom policies support

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>
networkservicemesh · Dec 16, 2022 · baebfde · baebfde
1 parent 7d9b269
commit baebfde
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 8 deletions.
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -39,12 +39,13 @@ const (
 
 // Config holds configuration parameters from environment variables
 type Config struct {
-	Name                  string        `default:"vfio-server" desc:"name of VFIO Server" split_words:"true"`
-	BaseDir               string        `default:"./" desc:"base directory" split_words:"true"`
-	ConnectTo             url.URL       `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to" split_words:"true"`
-	MaxTokenLifetime      time.Duration `default:"10m" desc:"maximum lifetime of tokens" split_words:"true"`
-	LogLevel              string        `default:"INFO" desc:"Log level" split_words:"true"`
-	OpenTelemetryEndpoint string        `default:"otel-collector.observability.svc.cluster.local:4317" desc:"OpenTelemetry Collector Endpoint"`
+	Name                   string        `default:"vfio-server" desc:"name of VFIO Server" split_words:"true"`
+	BaseDir                string        `default:"./" desc:"base directory" split_words:"true"`
+	ConnectTo              url.URL       `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to" split_words:"true"`
+	MaxTokenLifetime       time.Duration `default:"10m" desc:"maximum lifetime of tokens" split_words:"true"`
+	RegistryClientPolicies []string      `default:"etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego" desc:"paths to files and directories that contain registry client policies" split_words:"true"`
+	LogLevel               string        `default:"INFO" desc:"Log level" split_words:"true"`
+	OpenTelemetryEndpoint  string        `default:"otel-collector.observability.svc.cluster.local:4317" desc:"OpenTelemetry Collector Endpoint"`
 
 	ServiceNames    []ServiceConfig `default:"" desc:"list of supported services" split_words:"true"`
 	RegisterService bool            `default:"true" desc:"if true then registers network service on startup" split_words:"true"`

diff --git a/main.go b/main.go
@@ -212,7 +212,8 @@ func main() {
 		nsRegistryClient := registryclient.NewNetworkServiceRegistryClient(ctx,
 			registryclient.WithClientURL(&cfg.ConnectTo),
 			registryclient.WithDialOptions(clientOptions...),
-			registryclient.WithAuthorizeNSRegistryClient(registryauthorize.NewNetworkServiceRegistryClient()))
+			registryclient.WithAuthorizeNSRegistryClient(registryauthorize.NewNetworkServiceRegistryClient(
+				registryauthorize.WithPolicies(cfg.RegistryClientPolicies...))))
 		for i := range cfg.ServiceNames {
 			nsName := cfg.ServiceNames[i].Name
 			nsPayload := cfg.ServiceNames[i].Payload
@@ -233,7 +234,8 @@ func main() {
 			clientinfo.NewNetworkServiceEndpointRegistryClient(),
 			sendfd.NewNetworkServiceEndpointRegistryClient(),
 		),
-		registryclient.WithAuthorizeNSERegistryClient(registryauthorize.NewNetworkServiceEndpointRegistryClient()),
+		registryclient.WithAuthorizeNSERegistryClient(registryauthorize.NewNetworkServiceEndpointRegistryClient(
+			registryauthorize.WithPolicies(cfg.RegistryClientPolicies...))),
 	)
 	nse, err := nseRegistryClient.Register(ctx, registryEndpoint(listenOn, cfg))
 	if err != nil {