@Mab879
Member

@Mab879 Mab879 commented Oct 29, 2025

Description:

Adds the ability for control files to come from the product folder.

This is very much a draft to get feedback. I plan on exploring inheritance vs the total overriding like today.

Rationale:

Fixes #14036

Review Hints:

  • Move some control files for other products to product specific folder.
  • Play with duplicate control file ids, make sure that overriding works as expected. You should get a warning when you do.

@Mab879 Mab879 added the Infrastructure Our content build system label Oct 29, 2025
@openshift-ci

openshift-ci bot commented Oct 29, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 29, 2025
@vojtapolasek vojtapolasek self-assigned this Oct 30, 2025
@Mab879 Mab879 added this to the 0.1.79 milestone Oct 30, 2025
@Mab879 Mab879 changed the title Add Per product control files Add per product control files Oct 30, 2025
@Mab879
Member Author

Mab879 commented Nov 4, 2025

@ComplianceAsCode/suse-maintainers currently, if the same control id is in the product controls folder and the product controls, it will fully override it for that product. Is that the expected behavior you are looking for?

@svet-se
Contributor

svet-se commented Nov 5, 2025

> @ComplianceAsCode/suse-maintainers currently, if the same control id is in the product controls folder and the product controls, it will fully override it for that product. Is that the expected behavior you are looking for?

Hey @Mab879, yes, in the current context, it makes sense for the product controls to override the controls.

@Mab879 Mab879 marked this pull request as ready for review November 5, 2025 15:06
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Nov 5, 2025
@Mab879
Member Author

Mab879 commented Nov 5, 2025

/packit retest-failed

@Mab879 Mab879 force-pushed the per_product_control_files branch from 2761c9d to 08bbba8 Compare November 5, 2025 15:10
Collaborator

@vojtapolasek vojtapolasek left a comment

Looks good, please see my specific comment.

ssg/controls.py Outdated
Comment on lines 823 to 824
if policy in self.policies:
raise ValueError("Policy %s already exists" % policy)
Collaborator

This would be always True.

Suggested change
if policy in self.policies:
raise ValueError("Policy %s already exists" % policy)
if policy.id in self.policies:
raise ValueError(f"Policy {policy.id} was defined first at {self.policies[policy.id].filepath} and now another policy with the same ID is being loaded from {policy.filepath}.")
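
Review bot: the replacement `raise ValueError(...)` on `policy.id in self.policies` would reject a product-folder control file that reuses an existing policy ID, while the review hints in the PR description say overriding should work and only produce a warning. Keep the `policy.id` membership test and the message naming both `filepath` values, but emit it as a warning and let the later-loaded policy replace the earlier one. The message is also long enough on a single line that it should be split across lines.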

Member Author

Always was false, but I moved this to a warning. I did not think this should be an error.

Collaborator

You are correct. This is not about overriding of controls, but whole policies.

Products can override global policies if they want to.
@vojtapolasek
Collaborator

/retest

@openshift-ci

openshift-ci bot commented Nov 6, 2025

@Mab879: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 7bfaf6b | link | true | /test e2e-aws-openshift-node-compliance |
| ci/prow/e2e-aws-openshift-platform-compliance | 7bfaf6b | link | true | /test e2e-aws-openshift-platform-compliance |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@vojtapolasek
Collaborator

I am waiving OCP tests, it looks like an infrastructure error. Moreover, we are not touching the ocp4 product.

Collaborator

@vojtapolasek vojtapolasek left a comment

Looks good now, thank you.

@vojtapolasek vojtapolasek merged commit 2c08291 into ComplianceAsCode:master Nov 6, 2025
135 of 140 checks passed
@Mab879 Mab879 deleted the per_product_control_files branch November 6, 2025 14:19
@marcusburghardt
Member

Hi @Mab879, it broke a transformation workflow to OSCAL: https://github.com/ComplianceAsCode/content/actions/runs/19137808094/job/54694313641

Is that something experimental or already defined? If so, we probably need to also adapt integrations relying on control files.

@Mab879
Member Author

Mab879 commented Nov 7, 2025

We might add inheritance vs the straight replacement of policies, but that is TBD.
