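package bluejayinfra.auth_probe_path

# Admission/CI policy: Deployments listed in protected_deployments must not
# point a readiness or liveness httpGet probe at "/health". Per the deny
# message, that path sits behind API key middleware.
#
# NOTE(review): the match is an exact string comparison on "/health", so
# variants such as "/health/" are not flagged — confirm this is intended.
# NOTE(review): startupProbe, initContainers and workload kinds other than
# Deployment are not inspected — confirm whether they need coverage.

# Names of the Deployments this policy applies to; any other Deployment is
# ignored regardless of namespace.
protected_deployments := {
	"messageboard-web",
	"scoreboard-web",
	"segmentdisplay-web",
	"signalcontrol-web",
}

# deny yields one message per probe kind that targets "/health" on a
# protected Deployment.
deny[msg] {
	input.kind == "Deployment"
	protected_deployments[input.metadata.name]

	container := input.spec.template.spec.containers[_]

	# Both probe kinds are checked by the same body; the emitted messages are
	# the same strings the two separate rules produced before.
	probe_kind := {"readinessProbe", "livenessProbe"}[_]

	# object.get with empty defaults keeps the rule defined when a container
	# has no probe, or a probe that is not httpGet.
	probe := object.get(container, probe_kind, {})
	http_get := object.get(probe, "httpGet", {})
	object.get(http_get, "path", "") == "/health"

	# A manifest may omit metadata.namespace. Referencing it directly would
	# make the sprintf arguments undefined, the rule body would not evaluate,
	# and the violation would pass unreported. Fall back to a labelled
	# placeholder so the deny still fires.
	namespace := object.get(input.metadata, "namespace", "<no-namespace>")

	msg := sprintf("Deployment %s/%s must not use %s.httpGet /health behind API key middleware", [namespace, input.metadata.name, probe_kind])
}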