Add support for object-templates-raw

Adds support for manifest files with only object-templates-raw field, which gets
put into a ConfigurationPolicy.

Signed-off-by: Jeffrey Luo <[email protected]>

Author: JeffeyL

internal/plugin_config_test.go

@@ -83,6 +83,29 @@ spec:
 	}
 }
 
+func createObjectTemplatesRawManifest(t *testing.T, tmpDir, filename string) {
+	t.Helper()
+
+	manifestsPath := path.Join(tmpDir, filename)
+	yamlContent := `
+object-templates-raw: |
+  - complianceType: musthave
+    objectDefinition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: example
+        namespace: default
+      data:
+        extraData: data
+`
+
+	err := os.WriteFile(manifestsPath, []byte(yamlContent), 0o666)
+	if err != nil {
+		t.Fatalf("Failed to write %s", manifestsPath)
+	}
+}
+
 func TestConfig(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()

internal/plugin_test.go

@@ -1364,6 +1364,73 @@ spec:
 	assertEqual(t, output, expected)
 }
 
+func TestCreatePolicyFromObjectTemplatesRawManifest(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createObjectTemplatesRawManifest(t, tmpDir, "objectTemplatesRawPluginTest.yaml")
+
+	p := Plugin{}
+	p.PolicyDefaults.Namespace = "my-policies"
+	policyConf := types.PolicyConfig{
+		PolicyOptions: types.PolicyOptions{
+			Categories: []string{"AC Access Control"},
+			Controls:   []string{"AC-3 Access Enforcement"},
+			Standards:  []string{"NIST SP 800-53"},
+		},
+		Name: "policy-app-config",
+		Manifests: []types.Manifest{
+			{Path: path.Join(tmpDir, "objectTemplatesRawPluginTest.yaml")},
+		},
+	}
+	p.Policies = append(p.Policies, policyConf)
+	p.applyDefaults(map[string]interface{}{})
+
+	err := p.createPolicy(&p.Policies[0])
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	output := p.outputBuffer.String()
+
+	expected := `
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    annotations:
+        policy.open-cluster-management.io/categories: AC Access Control
+        policy.open-cluster-management.io/controls: AC-3 Access Enforcement
+        policy.open-cluster-management.io/description: ""
+        policy.open-cluster-management.io/standards: NIST SP 800-53
+    name: policy-app-config
+    namespace: my-policies
+spec:
+    disabled: false
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: policy-app-config
+            spec:
+                object-templates-raw: |
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        kind: ConfigMap
+                        metadata:
+                          name: example
+                          namespace: default
+                        data:
+                          extraData: data
+                remediationAction: inform
+                severity: low
+    remediationAction: inform
+`
+	expected = strings.TrimPrefix(expected, "\n")
+	assertEqual(t, output, expected)
+}
+
 func TestCreatePolicyWithGkConstraintTemplate(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()

internal/utils.go

@@ -189,6 +189,16 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]interface{
 			if isPolicyTypeManifest {
 				policyTemplate := map[string]interface{}{"objectDefinition": manifest}
 
+				_, found, _ := unstructured.NestedString(manifest, "object-templates-raw")
+				if found {
+					policyTemplate = buildPolicyTemplate(
+						policyConf,
+						len(policyTemplates)+1,
+						manifest["object-templates-raw"],
+						&policyConf.Manifests[i].ConfigurationPolicyOptions,
+					)
+				}
+
 				// Only set dependency options if it's an OCM policy
 				if isOcmPolicy {
 					setTemplateOptions(policyTemplate, ignorePending, extraDeps)
@@ -309,6 +319,13 @@ func setTemplateOptions(tmpl map[string]interface{}, ignorePending bool, extraDe
 // - the manifest is a root policy manifest
 // - the manifest is invalid because it is missing a name
 func isPolicyTypeManifest(manifest map[string]interface{}, informGatekeeperPolicies bool) (bool, bool, error) {
+	// check for object-templates-raw separate from policies since they have separate requirements
+	_, found, _ := unstructured.NestedString(manifest, "object-templates-raw")
+	if found {
+		// return true for isPolicyType, since object-templates-raw is in a ConfigurationPolicy
+		return true, false, nil
+	}
+
 	apiVersion, found, err := unstructured.NestedString(manifest, "apiVersion")
 	if !found || err != nil {
 		return false, false, errors.New("invalid or not found apiVersion")
@@ -398,7 +415,7 @@ func processKustomizeDir(path string) ([]map[string]interface{}, error) {
 func buildPolicyTemplate(
 	policyConf *types.PolicyConfig,
 	policyNum int,
-	objectTemplates []map[string]interface{},
+	objectTemplates interface{},
 	configPolicyOptionsOverrides *types.ConfigurationPolicyOptions,
 ) map[string]interface{} {
 	var name string
@@ -408,18 +425,26 @@ func buildPolicyTemplate(
 		name = policyConf.Name
 	}
 
+	policySpec := map[string]interface{}{
+		"remediationAction": policyConf.RemediationAction,
+		"severity":          policyConf.Severity,
+	}
+
+	switch objectTemplates.(type) {
+	case string:
+		policySpec["object-templates-raw"] = objectTemplates
+	case []map[string]interface{}:
+		policySpec["object-templates"] = objectTemplates
+	}
+
 	policyTemplate := map[string]interface{}{
 		"objectDefinition": map[string]interface{}{
 			"apiVersion": policyAPIVersion,
 			"kind":       configPolicyKind,
 			"metadata": map[string]interface{}{
 				"name": name,
 			},
-			"spec": map[string]interface{}{
-				"object-templates":  objectTemplates,
-				"remediationAction": policyConf.RemediationAction,
-				"severity":          policyConf.Severity,
-			},
+			"spec": policySpec,
 		},
 	}
 

internal/utils_test.go

@@ -1262,6 +1262,74 @@ func TestGetPolicyTemplateInvalidManifest(t *testing.T) {
 	assertEqual(t, err.Error(), expected)
 }
 
+func TestGetPolicyTemplateObjectTemplatesRaw(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	manifestPath := path.Join(tmpDir, "configmap.yaml")
+	manifestYAML := `
+object-templates-raw: |
+  - complianceType: musthave
+    objectDefinition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: example
+        namespace: default
+      data:
+        extraData: data
+`
+	manifestYAMLContent := `- complianceType: musthave
+  objectDefinition:
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: example
+      namespace: default
+    data:
+      extraData: data
+`
+
+	err := os.WriteFile(manifestPath, []byte(manifestYAML), 0o666)
+	if err != nil {
+		t.Fatalf("Failed to write %s", manifestPath)
+	}
+
+	policyConf := types.PolicyConfig{
+		PolicyOptions: types.PolicyOptions{
+			ConsolidateManifests: true,
+		},
+		ConfigurationPolicyOptions: types.ConfigurationPolicyOptions{
+			ComplianceType:    "musthave",
+			RemediationAction: "enforce",
+			Severity:          "low",
+		},
+		Manifests: []types.Manifest{{Path: manifestPath}},
+		Name:      "configpolicy-object-templates-raw-config",
+	}
+
+	policyTemplates, err := getPolicyTemplates(&policyConf)
+	if err != nil {
+		t.Fatalf("Failed to get the policy templates: %v", err)
+	}
+
+	assertEqual(t, len(policyTemplates), 1)
+
+	policyTemplate := policyTemplates[0]
+	objdef := policyTemplate["objectDefinition"].(map[string]interface{})
+
+	spec, ok := objdef["spec"].(map[string]interface{})
+	if !ok {
+		t.Fatal("The spec field is an invalid format")
+	}
+
+	objectTemplatesRaw, ok := spec["object-templates-raw"].(string)
+	if !ok {
+		t.Fatal("The object-templates-raw field is an invalid format")
+	}
+
+	assertEqual(t, len(objectTemplatesRaw), len(manifestYAMLContent))
+}
+
 func TestUnmarshalManifestFile(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()