[ui] Sentinel Policies CRUD UI

[philrenaud]

Provides access to Create, Edit, and Delete Sentinel Policies via the web UI.

By virtue of being within the /administration/ route (née /access-control/), this requires a management token. Additionally, this requires sentinel policies in the features list provided by the agent, which is an enterprise feature.

Sentinel policies are enforced and shown at plan and run stage, and can be set as hard-mandatory, soft-mandatory, or advisory (warning but not preventing).

This PR also provides a Gallery of demo/jumping-off-point sentinel policies for things like "no friday deploys" or "must include canaries".

Side-effects:

• Renamed the "Access Control" section to "Administration" with an eye toward adding further sub-sections, like node pool CRUD.
• Administration card layout widened to accommodate a default of 5 cards (was originally built for 3)

TODO:

• Determine what we should do with the placeholder-commented-out-templates (constraint-enforcement.js etc.)

[github-actions]

Ember Test Audit comparison

	main	03faca2	change
passes	1559	1562	+3
failures	0	0	0
flaky	0	0	0
duration	11m 40s 429ms	11m 27s 189ms	-13s 240ms

[philrenaud]

A big TODO with this PR: do we launch this without the commented-out policies (which are currently just placeholders below), or can we write them in such a way that they make sense as starter templates (knowing Nomad ships with Sentinel v0.15.x?)

[david-yu]

Awesome, thank you. Does anyone know how to bump the sentinel version to the latest?

[david-yu]

We should definitely bump up sentinel and sentinel-sdk, as our sentinel version 0.15.x is over 2 years old.

[tgross]

We should definitely bump up sentinel and sentinel-sdk, as our sentinel version 0.15.x is over 2 years old.

@david-yu I had a look at that this morning, and we can't update Sentinel without also updating our HCL2 library. But we're on a fork of HCL2 with languages changes we needed to prevent breaking backwards compatibility when we shipped HCL2 support in Nomad 1.0. We made an attempt to update in #18122 but that never got wrapped up and it's now behind 2.19.

Ideally we'd either (a) get our HCL2 changes upstreamed to main, but that's going to be a lift because it involves language changes, or (b) accept that we're going to break backcompat in the jobspec as we probably should have done when we originally switched to HCL2 for Nomad 1.0. In any case, unfortunately this is work we'll need to plan rather than just a quick dependency bump. 😿

[tgross]

LGTM!

I've left a few minor questions but nothing blocking.

[david-yu]

@philrenaud Also wondering if Sentinel will show up as a submenu here?

[david-yu]

We should definitely bump up sentinel and sentinel-sdk, as our sentinel version 0.15.x is over 2 years old.

@david-yu I had a look at that this morning, and we can't update Sentinel without also updating our HCL2 library. But we're on a fork of HCL2 with languages changes we needed to prevent breaking backwards compatibility when we shipped HCL2 support in Nomad 1.0. We made an attempt to update in #18122 but that never got wrapped up and it's now behind 2.19.

Ideally we'd either (a) get our HCL2 changes upstreamed to main, but that's going to be a lift because it involves language changes, or (b) accept that we're going to break backcompat in the jobspec as we probably should have done when we originally switched to HCL2 for Nomad 1.0. In any case, unfortunately this is work we'll need to plan rather than just a quick dependency bump. 😿

It looks like we're going to try to attempt a, and get our HCL2 changes into main for hcl2.

[philrenaud]

Also wondering if Sentinel will show up as a submenu here?
@david-yu confirming that it does (when running ENT Nomad):

[david-yu]

Submenu looks great, thank you!

[angrycub]

This is looking so good. I've been using it while developing out sample policies and noticed a couple of things:

• If I re-save the policy, could that auto-dismiss any previous result? Sometimes I get result buildup in the corner and partially dismiss some before saving again which leaves an odd visible state.

• For some reason, I do not necessarily see the Sentinel editor UI the first pass into the Administration page and have to refresh it to get that card to appear the first time I enter the UI. (this has been intermittent)

• Since we have hard validation rules for sentinel policy names, can we prevalidate the value without having to round trip it? Like with an invalid highlight on the box or something? (especially since the name is on the far side of the box from the submit.)

• There is the seems syntax highlight hiccup around multiline block comments. (This is probably due to the highlighter picking a language that looks like Sentinel.

[david-yu]

Would be nice if its possible to add a template to prevent job descriptions: #18292

[philrenaud]

Since we have hard validation rules for sentinel policy names, can we prevalidate the value without having to round trip it? Like with an invalid highlight on the box or something? (especially since the name is on the far side of the box from the submit.)

Noting that we throw this error without roundtripping:

I'll highlight the name box on this error, though