kind create cluster --name gatekeeper

# Add the Gatekeeper Helm repository
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts

# Install the latest version of Gatekeeper with the external data feature enabled.
helm install gatekeeper/gatekeeper \
    --set enableExternalData=true \
    --set emitAdmissionEvents=true \
    --set emitAuditEvents=true \
    --set validatingWebhookFailurePolicy=Fail \
    --set validatingWebhookTimeoutSeconds=10 \
    --set postInstall.probeWebhook.enabled=false \
    --set postInstall.labelNamespace.enabled=false \
    --name-template=gatekeeper \
    --namespace security \
    --create-namespace

git clone https://github.com/docker/attest-provider.git
cd attest-provider

# if you are not planning to establish mTLS between the provider and Gatekeeper,
# deploy the provider to a separate namespace. Otherwise, do not run the following command
# and deploy the provider to the same namespace as Gatekeeper.
export NAMESPACE=security

# generate a self-signed certificate for the external data provider
./scripts/generate-tls-cert.sh

# build the image via docker buildx
make docker-buildx

# load the image into kind
make kind-load-image

# deploy attest provider
helm install attest-provider charts/attest-provider \
    --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
    --set image="docker/attest-provider:dev" \
    --namespace "${NAMESPACE:-gatekeeper-system}"

kubectl apply -f validation/attest-constraint-template.yaml
kubectl apply -f validation/attest-constraint.yaml

kubectl create ns test
kubectl run nginx --image nginx -n test --dry-run=server -ojson

make reload

kubectl delete -f validation/
# kubectl delete -f mutation/ TODO: implement mutation
helm uninstall attest-provider --namespace "${NAMESPACE:-gatekeeper-system}"
helm uninstall gatekeeper --namespace security