conftest
General info
conftest is a client which helps you write tests against structured configuration data using the Rego language from Open Policy Agent.
Media type: application/vnd.cncf.openpolicyagent.config.v1+json
Client homepage: https://www.conftest.dev
Usage
Authentication
First, set the BB_USER environment variable to your Bundle Bar username:
BB_USER="<insert_username_here>"
Next, create a token in the Bundle Bar UI and copy it into your clipboard. Set it in the BB_TOKEN environment variable using one of the following commands:
BB_TOKEN="<insert_token_here>" # manual copy-paste
BB_TOKEN="$(pbpaste)" # with pbpaste
BB_TOKEN="$(xclip -o)" # with xclip
Note: the previous commands are intentionally prefixed with a space to prevent them from appearing in your history. This can be enabled in your shell with export HISTCONTROL=ignoreboth.
conftest uses docker's login system to access registries. Run the following command to log in to Bundle Bar using docker:
echo "$BB_TOKEN" | docker login bundle.bar -u $BB_USER --password-stdin
Pushing
# 1. Create a policy directory
mkdir policy
# 2. Create the policy
cat > policy/deny.rego <<EOF
package main
version {
to_number(input.version)
}
deny[msg] {
endswith(input.services[_].image, ":latest")
msg = "No images tagged latest"
}
deny[msg] {
version < 3.5
msg = "Must be using at least version 3.5 of the Compose file format"
}
EOF
# 3. Push the artifact
conftest push bundle.bar/u/$BB_USER/conftest/welcome:v1 policy
Pulling
# 1. Delete the local policy directory, so you can be sure it works
rm -rf policy
# 2. Pull the artifact
conftest pull oci://bundle.bar/u/$BB_USER/conftest/welcome:v1
# 3. Check it out
ls policy
Installation
Official docs
Please see https://www.conftest.dev/install/.
Bundle Bar CDN
Bundle Bar provides a secure mirror of the latest version of conftest on the following platforms:
- Mac x86-64
- Linux x86-64
Release artifacts were downloaded from here and should have identical checksums.
Mac x86-64
Latest version
| Version | Filename | SHA-256 checksum |
|---|---|---|
| 0.20.0 | conftest_0.20.0_Darwin_x86_64.tar.gz | cf9f7c7153e4634409f1159178ea433e1524db43e754ae808cae63a7d1ebe32c |
Install instructions
CONFTEST_VERSION="0.20.0"
CONFTEST_FILENAME="conftest_0.20.0_Darwin_x86_64.tar.gz"
CONFTEST_CHECKSUM="cf9f7c7153e4634409f1159178ea433e1524db43e754ae808cae63a7d1ebe32c"
# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}"
# 2. Verify the checksum
shasum -a 256 "${CONFTEST_FILENAME}" | grep "^${CONFTEST_CHECKSUM} "
# 3. Extract the tarball
tar -xvf "${CONFTEST_FILENAME}"
# 4. Move binary into PATH
mv conftest /usr/local/bin
# 5. Verify install
conftest --help
Optional: Validate signatures
For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:
# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import
# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}.asc"
# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${CONFTEST_FILENAME}.asc" | \
grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
(echo "ERROR: Failed to verify signature" && exit 1)
Linux x86-64
Latest version
| Version | Filename | SHA-256 checksum |
|---|---|---|
| 0.20.0 | conftest_0.20.0_Linux_x86_64.tar.gz | 6647697fd811daa3fcd0777654181b5ad4d7dda67dcab358a01fc821801bc0a1 |
Install instructions
CONFTEST_VERSION="0.20.0"
CONFTEST_FILENAME="conftest_0.20.0_Linux_x86_64.tar.gz"
CONFTEST_CHECKSUM="6647697fd811daa3fcd0777654181b5ad4d7dda67dcab358a01fc821801bc0a1"
# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}"
# 2. Verify the checksum
shasum -a 256 "${CONFTEST_FILENAME}" | grep "^${CONFTEST_CHECKSUM} "
# 3. Extract the tarball
tar -xvf "${CONFTEST_FILENAME}"
# 4. Move binary into PATH
mv conftest /usr/local/bin
# 5. Verify install
conftest --help
Optional: Validate signatures
For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:
# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import
# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}.asc"
# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${CONFTEST_FILENAME}.asc" | \
grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
(echo "ERROR: Failed to verify signature" && exit 1)