Context
Currently, in v1.0.0-rc.7, we have the OPA rego policy built inside Ratify and the constraintTemplate rego outside. When they are both enabled, the rego is evaluated twice.
The first time is the rego policy that goes through the reports and returns a boolean as the result.
The second time is the constraint template rego. Compared with the internal rego policy, the difference is that the input of the rego has one more field, isSuccess (sample link).
Issues we may have
Since the constraint template rego gets input that includes the input of the rego policy, if we make the constraint template rego logic the same as the rego policy, the rego policy evaluation is useless.
If the constraint template rego directly checks isSuccess as the output of the rego policy, ignoring the verificationReports, it will lose the violation messages.
Solution to discuss
The rego policy not only reports isSuccess, it will also return violation messages.
The benefit is that the outside constraint template no longer needs to check the verification reports. It can directly get the msg it needs. It can also avoid the gap between the Ratify version and the constraint template rego logic, because the verifier report structure might be changing. Let alone the rego policy, at least the constraint template rego could be static for all versions.
If we get more feedback that verifier reports are no longer used in the constraint template rego, maybe we can remove them from the gatekeeper response, which might shorten the external data response size?
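To illustrate the two shapes discussed above, here is a Gatekeeper constraint template body written as an added example (not code from this post or from the Ratify project). It assumes the provider is registered as `ratify-provider`, that each external data value carries `isSuccess` and `verifierReports` with `name`/`message` per report, and that the proposed messages come back in a field called `violations`; all of these names are assumptions.

```rego
package ratifyverification

# Images to verify, collected from the admission review under evaluation.
images := [img | img := input.review.object.spec.containers[_].image]

# One call to the external data provider; the provider name is assumed.
remote_data := external_data({"provider": "ratify-provider", "keys": images})

# Current shape (as described for v1.0.0-rc.7): isSuccess is present, but the
# template must walk verifierReports itself to produce a message, so it is
# coupled to the report structure of each Ratify version. Field names assumed.
violation_current[{"msg": msg}] {
  response := remote_data.responses[_]
  value := response[1]
  not value.isSuccess
  report := value.verifierReports[_]
  not report.isSuccess
  msg := sprintf("image %s failed verifier %s: %s", [response[0], report.name, report.message])
}

# Proposed shape: the internal rego policy already returns the violation
# messages (the `violations` field name is assumed), so the template reads
# them directly and never depends on the report layout.
violation[{"msg": msg}] {
  response := remote_data.responses[_]
  value := response[1]
  not value.isSuccess
  reason := value.violations[_]
  msg := sprintf("image %s rejected by Ratify policy: %s", [response[0], reason])
}

# Fail closed when the provider itself could not answer, in either shape.
violation[{"msg": msg}] {
  remote_data.system_error != ""
  msg := sprintf("Ratify external data error: %s", [remote_data.system_error])
}
```

Gatekeeper only collects the `violation` rule, so `violation_current` is kept here purely for side-by-side comparison and would be removed in a real template.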