bluejay-infra/tests/bluejay-infra-lint/conftest.dev/02_public_method_allowlist.rego
package bluejayinfra.public_method_allowlist
# public_hosts is the set of hostnames this policy treats as public and
# read-only. The deny rules in this package look for each entry as the literal
# text Host(`<name>`) inside an IngressRoute match rule, so an entry must be
# spelled exactly as it appears in the manifests.
public_hosts := {
	"brochure.flowercore.io",
	"dist.flowercore.io",
	"dns.iamworkin.lan",
	"update.flowercore.io",
	"updates.flowercore.io",
}
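# Deny an IngressRoute route whose match rule names one of the public_hosts but
# does not contain the literal text Method(`GET`).
#
# Both conditions are substring tests on the rule string; the expression is not
# parsed. Limits a reviewer should keep in mind:
#   - Only presence is checked. A rule that also admits other methods, or that
#     negates the matcher, or that puts it in a different || branch than the
#     Host matcher, still satisfies this rule.
#   - Only the exact form Host(`<name>`) is recognised. A host expressed any
#     other way (for example through HostRegexp) is not covered by this lint.
# NOTE(review): if the intent is "GET/HEAD only", a separate rule rejecting any
# other Method matcher is needed; confirm against the policy's requirements.
deny[msg] {
	input.kind == "IngressRoute"
	route := input.spec.routes[_]

	# A route without a match field is treated as an empty rule string.
	match := object.get(route, "match", "")

	host := public_hosts[_]
	contains(match, sprintf("Host(`%s`)", [host]))
	not contains(match, "Method(`GET`)")

	# Read the identifying fields with defaults. A direct reference such as
	# input.metadata.namespace is undefined when the manifest omits the field,
	# which makes the whole rule body undefined and silently drops the
	# violation (fail-open). Manifests that leave the namespace to the deploy
	# tooling would otherwise never be reported.
	metadata := object.get(input, "metadata", {})
	namespace := object.get(metadata, "namespace", "<unset>")
	name := object.get(metadata, "name", "<unset>")

	msg := sprintf("IngressRoute %s/%s is missing Method(GET) for public read-only host %s", [namespace, name, host])
}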
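# Deny an IngressRoute route whose match rule names one of the public_hosts but
# does not contain the literal text Method(`HEAD`).
#
# Both conditions are substring tests on the rule string; the expression is not
# parsed, so this only proves the text is present somewhere in the rule. It
# does not prove that HEAD is bound to the matched host, and it does not reject
# additional methods. Only the exact form Host(`<name>`) is recognised.
deny[msg] {
	input.kind == "IngressRoute"
	route := input.spec.routes[_]

	# A route without a match field is treated as an empty rule string.
	match := object.get(route, "match", "")

	host := public_hosts[_]
	contains(match, sprintf("Host(`%s`)", [host]))
	not contains(match, "Method(`HEAD`)")

	# Read the identifying fields with defaults. A direct reference such as
	# input.metadata.namespace is undefined when the manifest omits the field,
	# which makes the whole rule body undefined and silently drops the
	# violation (fail-open).
	metadata := object.get(input, "metadata", {})
	namespace := object.get(metadata, "namespace", "<unset>")
	name := object.get(metadata, "name", "<unset>")

	msg := sprintf("IngressRoute %s/%s is missing Method(HEAD) for public read-only host %s", [namespace, name, host])
}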