genpolicy: parse json settings during config init

Decouple initialization of the Settings struct from creating the
AgentPolicy struct, so that the settings are available for evaluating,
extending or overriding command line arguments.

Signed-off-by: Markus Rudy <webmaster@burgerdev.de>

src/tools/genpolicy/src/policy.rs

@@ -13,7 +13,6 @@ use crate::pod;
 use crate::policy;
 use crate::registry;
 use crate::secret;
-use crate::settings;
 use crate::utils;
 use crate::yaml;
 
@@ -47,10 +46,7 @@ pub struct AgentPolicy {
     /// Rego rules read from a file (rules.rego).
     pub rules: String,
 
-    /// Settings loaded from genpolicy-settings.json.
+    /// Policy settings.
-    pub settings: settings::Settings,
-
-    /// Additional Policy settings.
     pub config: utils::Config,
 }
 
@@ -73,7 +69,7 @@ pub struct PolicyData {
 /// is ordered, thus resulting in the same output policy contents every time
 /// when this apps runs with the same inputs. Also, it preserves the upper
 /// case field names, for consistency with the structs used by agent's rpc.rs.
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct KataSpec {
     /// Version of the Open Container Initiative Runtime Specification with which the bundle complies.
     #[serde(default = "version_default")]
@@ -402,8 +398,6 @@ impl AgentPolicy {
             }
         }
 
-        let settings = settings::Settings::new(&config.json_settings_path);
-
         if let Some(config_map_files) = &config.config_map_files {
             for file in config_map_files {
                 config_maps.push(config_map::ConfigMap::new(file)?);
@@ -414,7 +408,6 @@ impl AgentPolicy {
             Ok(AgentPolicy {
                 resources,
                 rules,
-                settings,
                 config_maps,
                 secrets,
                 config: config.clone(),
@@ -460,8 +453,8 @@ impl AgentPolicy {
 
         let policy_data = policy::PolicyData {
             containers: policy_containers,
-            request_defaults: self.settings.request_defaults.clone(),
+            request_defaults: self.config.settings.request_defaults.clone(),
-            common: self.settings.common.clone(),
+            common: self.config.settings.common.clone(),
         };
 
         let json_data = serde_json::to_string_pretty(&policy_data).unwrap();
@@ -478,14 +471,21 @@ impl AgentPolicy {
         yaml_container: &pod::Container,
         is_pause_container: bool,
     ) -> ContainerPolicy {
-        let c_settings = self.settings.get_container_settings(is_pause_container);
+        let c_settings = self
+            .config
+            .settings
+            .get_container_settings(is_pause_container);
         let mut root = c_settings.Root.clone();
         root.Readonly = yaml_container.read_only_root_filesystem();
 
         let namespace = if let Some(ns) = resource.get_namespace() {
             ns
         } else {
-            self.settings.cluster_config.default_namespace.clone()
+            self.config
+                .settings
+                .cluster_config
+                .default_namespace
+                .clone()
         };
 
         let use_host_network = resource.use_host_network();
@@ -510,7 +510,7 @@ impl AgentPolicy {
 
         let mut mounts = containerd::get_mounts(is_pause_container, is_privileged);
         mount_and_storage::get_policy_mounts(
-            &self.settings,
+            &self.config.settings,
             &mut mounts,
             yaml_container,
             is_pause_container,
@@ -523,7 +523,7 @@ impl AgentPolicy {
             &mut mounts,
             &mut storages,
             yaml_container,
-            &self.settings,
+            &self.config.settings,
         );
 
         let mut linux = containerd::get_linux(is_privileged);
@@ -570,9 +570,9 @@ impl AgentPolicy {
     ) -> KataProcess {
         // Start with the Default Unix Spec from
         // https://github.com/containerd/containerd/blob/release/1.6/oci/spec.go#L132
-        let mut process = containerd::get_process(is_privileged, &self.settings.common);
+        let mut process = containerd::get_process(is_privileged, &self.config.settings.common);
 
-        yaml_container.apply_capabilities(&mut process.Capabilities, &self.settings.common);
+        yaml_container.apply_capabilities(&mut process.Capabilities, &self.config.settings.common);
 
         let (yaml_has_command, yaml_has_args) = yaml_container.get_process_args(&mut process.Args);
         yaml_container

src/tools/genpolicy/src/settings.rs

@@ -14,7 +14,7 @@ use std::fs::File;
 use std::str;
 
 /// Policy settings loaded from genpolicy-settings.json.
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct Settings {
     pub pause_container: policy::KataSpec,
     pub other_container: policy::KataSpec,

src/tools/genpolicy/src/utils.rs

@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use crate::settings;
 use clap::Parser;
 
 #[derive(Debug, Parser)]
@@ -84,7 +85,7 @@ pub struct Config {
 
     pub yaml_file: Option<String>,
     pub rego_rules_path: String,
-    pub json_settings_path: String,
+    pub settings: settings::Settings,
     pub config_map_files: Option<Vec<String>>,
 
     pub silent_unsupported_fields: bool,
@@ -108,11 +109,13 @@ impl Config {
             None
         };
 
+        let settings = settings::Settings::new(&args.json_settings_path);
+
         Self {
             use_cache: args.use_cached_files,
             yaml_file: args.yaml_file,
             rego_rules_path: args.rego_rules_path,
-            json_settings_path: args.json_settings_path,
+            settings,
             config_map_files: cm_files,
             silent_unsupported_fields: args.silent_unsupported_fields,
             raw_out: args.raw_out,