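# Gatekeeper ConstraintTemplate: limits the hostnames a non-admin user may
# claim in an Ingress to names derived from their own username under the
# .k8s.csclub.cloud zone. Members of system:masters are exempt.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: cscingressconstraint
spec:
  crd:
    spec:
      names:
        kind: CSCIngressConstraint
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package cscingressconstraint

        # Only operations that can introduce a hostname are checked; DELETE is
        # deliberately left alone.
        operations = {"CREATE", "UPDATE"}

        # Every user-managed hostname must sit directly under this zone.
        subdomain = ".k8s.csclub.cloud"

        # True when the request is a non-admin CREATE/UPDATE of an Ingress,
        # i.e. the only requests this template inspects.
        is_checked_request {
          input.review.kind.kind == "Ingress"
          operations[input.review.operation]
          not is_admin_user(input.review.userInfo)
        }

        # A routing rule whose host is not one of the requesting user's
        # allowed names is rejected. An explicit empty host ("") also lands
        # here, since it cannot end with the zone suffix.
        violation[{"msg": msg, "details": {"host": host}}] {
          is_checked_request
          username := input.review.userInfo.username
          host := input.review.object.spec.rules[_].host
          not is_valid_domain(username, host)
          msg := "Invalid domain name, please contact the Systems Committee for assistance"
        }

        # A rule with no host field at all matches every hostname the ingress
        # controller serves and would therefore sidestep the per-user check
        # above, so non-admins must always specify a host.
        violation[{"msg": msg, "details": {}}] {
          is_checked_request
          rule := input.review.object.spec.rules[_]
          not rule.host
          msg := "Ingress rules must specify a host, please contact the Systems Committee for assistance"
        }

        # Hostnames listed for TLS termination are held to the same rule as
        # routing hostnames, so a user cannot claim a certificate binding for
        # another user's name.
        violation[{"msg": msg, "details": {"host": host}}] {
          is_checked_request
          username := input.review.userInfo.username
          host := input.review.object.spec.tls[_].hosts[_]
          not is_valid_domain(username, host)
          msg := "Invalid domain name, please contact the Systems Committee for assistance"
        }

        # Cluster administrators are identified solely by system:masters
        # membership.
        is_admin_user(userInfo) {
          userInfo.groups[_] == "system:masters"
        }

        # host is valid for username when it ends with the zone suffix and the
        # label directly under the zone is accepted by
        # is_valid_last_part_of_prefix. Deeper labels (a.alice.k8s.csclub.cloud)
        # are unrestricted; a wildcard label ("*") never matches.
        is_valid_domain(username, host) {
          endswith(host, subdomain)
          prefix := trim_suffix(host, subdomain)
          parts := split(prefix, ".")
          last_part := parts[count(parts) - 1]
          is_valid_last_part_of_prefix(username, last_part)
        }

        # Exact match: <username>.k8s.csclub.cloud
        is_valid_last_part_of_prefix(username, last_part) {
          username == last_part
        }

        # Suffix match: <anything>-<username>.k8s.csclub.cloud
        # NOTE(review): if usernames may themselves contain "-", user "b" also
        # satisfies the "-b" suffix for the label "a-b", which is the exact-match
        # name of a user called "a-b"; confirm the username character set rules
        # this out.
        is_valid_last_part_of_prefix(username, last_part) {
          suffix := concat("", ["-", username])
          endswith(last_part, suffix)
        }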