Commit 8df1dc9

dhaiducekopenshift-merge-robot
authored andcommitted
Fix Gatekeeper manifest wrapping
Fixes the case where `informGatekeeperPolicies` is set to `true`, so that the Gatekeeper manifests are correctly wrapped in a ConfigurationPolicy. ref: https://issues.redhat.com/browse/ACM-4438 Signed-off-by: Dale Haiducek <[email protected]>
1 parent af428c7 commit 8df1dc9

3 files changed

+48
-12
lines changed

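--- a/internal/plugin_test.go
+++ b/internal/plugin_test.go
@@ -1190,7 +1190,11 @@ metadata:
 },
 }
 p.Policies = append(p.Policies, policyConf)
-p.applyDefaults(map[string]interface{}{})
+p.applyDefaults(map[string]interface{}{
+"policyDefaults": map[string]interface{}{
+"informGatekeeperPolicies": false,
+},
+})
 
 err = p.createPolicy(&p.Policies[0])
 if err != nil {
@@ -1249,7 +1253,11 @@ metadata:
 },
 }
 p.Policies = append(p.Policies, policyConf)
-p.applyDefaults(map[string]interface{}{})
+p.applyDefaults(map[string]interface{}{
+"policyDefaults": map[string]interface{}{
+"informGatekeeperPolicies": false,
+},
+})
 
 err = p.createPolicy(&p.Policies[0])
 if err != nil {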
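Review bot: Both `p.applyDefaults` calls now pin `"informGatekeeperPolicies": false` without a comment saying why, so a later reader cannot tell whether the override is what the test is about or only a workaround. A line above each call, such as `// Disable informGatekeeperPolicies so the Gatekeeper manifest is not wrapped in a ConfigurationPolicy.`, would record the intent. With both visible call sites forcing the option off, nothing in these hunks runs `createPolicy` with the option on, which is the case the commit description says it fixes; coverage for it may exist elsewhere in the file. The enclosing test functions start and end outside the hunks.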

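--- a/internal/utils.go
+++ b/internal/utils.go
@@ -174,7 +174,8 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]interface{
 extraDeps := policyConf.Manifests[i].ExtraDependencies
 
 for _, manifest := range manifestGroup {
-isPolicyTypeManifest, isOcmPolicy, err := isPolicyTypeManifest(manifest)
+isPolicyTypeManifest, isOcmPolicy, err := isPolicyTypeManifest(
+manifest, policyConf.InformGatekeeperPolicies)
 if err != nil {
 return nil, fmt.Errorf(
 "%w in manifest path: %s",
@@ -289,7 +290,7 @@ func setTemplateOptions(tmpl map[string]interface{}, ignorePending bool, extraDe
 // - apiVersion and kind fields can't be determined
 // - the manifest is a root policy manifest
 // - the manifest is invalid because it is missing a name
-func isPolicyTypeManifest(manifest map[string]interface{}) (bool, bool, error) {
+func isPolicyTypeManifest(manifest map[string]interface{}, informGatekeeperPolicies bool) (bool, bool, error) {
 apiVersion, found, err := unstructured.NestedString(manifest, "apiVersion")
 if !found || err != nil {
 return false, false, errors.New("invalid or not found apiVersion")
@@ -315,7 +316,7 @@ func isPolicyTypeManifest(manifest map[string]interface{}) (bool, bool, error) {
 isGkConstraint := strings.HasPrefix(apiVersion, "constraints.gatekeeper.sh")
 isGkObj := isGkConstraintTemplate || isGkConstraint
 
-isPolicy := isOcmPolicy || (isGkObj && !informGatekeeperPolicies)
+isPolicy := isOcmPolicy || isGkObj
 
 if isPolicy {
 // metadata.name is required on policy manifests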
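Review bot: With `informGatekeeperPolicies` true, a Gatekeeper Constraint or ConstraintTemplate no longer makes `isPolicy` true in the last hunk, so it bypasses the `if isPolicy` branch where `metadata.name` is required. Whether the ConfigurationPolicy wrapping path rejects a nameless Gatekeeper manifest is not visible here, so that is worth confirming and pinning with a test case (a Gatekeeper manifest without a name and the flag set). The doc comment above `isPolicyTypeManifest` still lists only the error conditions and should describe the new parameter, for example `// When informGatekeeperPolicies is true, Gatekeeper manifests are reported as non-policy so the caller wraps them in a ConfigurationPolicy.` The function body continues outside the hunks.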

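--- a/internal/utils_test.go
+++ b/internal/utils_test.go
@@ -593,10 +593,11 @@ func TestIsPolicyTypeManifest(t *testing.T) {
 t.Parallel()
 
 tests := map[string]struct {
-manifest map[string]interface{}
-wantIsPolicy bool
-wantIsOcmPolicy bool
-wantErr string
+manifest map[string]interface{}
+informGatekeeperPolicies bool
+wantIsPolicy bool
+wantIsOcmPolicy bool
+wantErr string
 }{
 "valid RandomPolicy": {
 manifest: map[string]interface{}{
@@ -622,7 +623,33 @@ func TestIsPolicyTypeManifest(t *testing.T) {
 wantIsOcmPolicy: true,
 wantErr: "",
 },
-"valid Gatekeeper Constraint": {
+"valid Gatekeeper Constraint with expander": {
+manifest: map[string]interface{}{
+"apiVersion": "constraints.gatekeeper.sh",
+"kind": "Foo",
+"metadata": map[string]interface{}{
+"name": "foo",
+},
+},
+informGatekeeperPolicies: true,
+wantIsPolicy: false,
+wantIsOcmPolicy: false,
+wantErr: "",
+},
+"valid Gatekeeper ConstraintTemplate with expander": {
+manifest: map[string]interface{}{
+"apiVersion": "templates.gatekeeper.sh",
+"kind": "ConstraintTemplate",
+"metadata": map[string]interface{}{
+"name": "foo",
+},
+},
+informGatekeeperPolicies: true,
+wantIsPolicy: false,
+wantIsOcmPolicy: false,
+wantErr: "",
+},
+"valid Gatekeeper Constraint without expander": {
 manifest: map[string]interface{}{
 "apiVersion": "constraints.gatekeeper.sh",
 "kind": "Foo",
@@ -634,7 +661,7 @@ func TestIsPolicyTypeManifest(t *testing.T) {
 wantIsOcmPolicy: false,
 wantErr: "",
 },
-"valid Gatekeeper ConstraintTemplate": {
+"valid Gatekeeper ConstraintTemplate without expander": {
 manifest: map[string]interface{}{
 "apiVersion": "templates.gatekeeper.sh",
 "kind": "ConstraintTemplate",
@@ -738,7 +765,7 @@ func TestIsPolicyTypeManifest(t *testing.T) {
 t.Run(name, func(t *testing.T) {
 t.Parallel()
 
-gotIsPolicy, gotIsOcmPolicy, gotErr := isPolicyTypeManifest(test.manifest)
+gotIsPolicy, gotIsOcmPolicy, gotErr := isPolicyTypeManifest(test.manifest, test.informGatekeeperPolicies)
 if gotErr != nil {
 assertEqual(t, gotErr.Error(), test.wantErr)
 }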
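Review bot: The new and renamed case names say "with expander" and "without expander", but the field they toggle is `informGatekeeperPolicies`, and nothing in this section connects the two terms. Naming the cases after the field, for example `"valid Gatekeeper Constraint with informGatekeeperPolicies"`, would let a failing subtest name point directly at the option under test. The two "without expander" cases appear to rely on the zero value of the new field (the lines between the hunks are not shown); writing `informGatekeeperPolicies: false,` there would make the contrast with the new cases explicit.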
