Allow placement generation to be shut off

When Policies are generated separately from PolicySets, it may be
desirable to only generate the Policies and not the placement manifests.

Signed-off-by: Dale Haiducek <[email protected]>

Author: dhaiducek

docs/policygenerator-reference.yaml

@@ -152,6 +152,10 @@ policyDefaults:
   # generated for the policy since one is generated for the set. Set policies[*].generatePlacementWhenInSet 
   # or policyDefaults.generatePlacementWhenInSet to override.
   policySets: []
+  # Optional. Whether to generate placement manifests for policies. Placement generation occurs except when policies are
+  # part of a policy set. Use this setting to turn off placement generation for policies not in policy sets. This
+  # defaults to "true".
+  generatePolicyPlacement: true
   # Optional. When a policy is part of a policy set, by default the generator will not generate the placement
   # for this policy since a placement is generated for the policy set. If a placement should still be generated, 
   # set it to "true" so that the policy will be deployed with both policy placement and policy set placement. 

internal/plugin.go

@@ -142,9 +142,10 @@ func (p *Plugin) Generate() ([]byte, error) {
 	plcNameToPolicyAndSetIdxs := map[string]map[string][]int{}
 
 	for i := range p.Policies {
-		// only generate placement when GeneratePlacementWhenInSet equals to true or policy is not
-		// part of any policy sets
-		if p.Policies[i].GeneratePlacementWhenInSet || len(p.Policies[i].PolicySets) == 0 {
+		// only generate placement when GeneratePlacementWhenInSet equals to true, GeneratePlacement is true,
+		// or policy is not part of any policy sets
+		if p.Policies[i].GeneratePlacementWhenInSet ||
+			(p.Policies[i].GeneratePolicyPlacement && len(p.Policies[i].PolicySets) == 0) {
 			plcName, err := p.createPlacement(&p.Policies[i].Placement, p.Policies[i].Name)
 			if err != nil {
 				return nil, err
@@ -429,6 +430,14 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 		p.PolicyDefaults.Standards = defaults.Standards
 	}
 
+	// GeneratePolicyPlacement defaults to true unless explicitly set in the config.
+	gppValue, setGpp := getDefaultBool(unmarshaledConfig, "generatePolicyPlacement")
+	if setGpp {
+		p.PolicyDefaults.GeneratePolicyPlacement = gppValue
+	} else {
+		p.PolicyDefaults.GeneratePolicyPlacement = true
+	}
+
 	// Generate temporary sets to later merge the policy sets declared in p.Policies[*] and p.PolicySets
 	plcsetToPlc := make(map[string]map[string]bool)
 	plcToPlcset := make(map[string]map[string]bool)
@@ -516,10 +525,18 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.PolicySets = p.PolicyDefaults.PolicySets
 		}
 
-		// GeneratePlacementWhenInSet default to false unless explicitly set in the config.
-		gpValue, setGp := getPolicyBool(unmarshaledConfig, i, "generatePlacementWhenInSet")
-		if setGp {
-			policy.GeneratePlacementWhenInSet = gpValue
+		// GeneratePolicyPlacement defaults to true unless explicitly set in the config.
+		gppValue, setGpp := getPolicyBool(unmarshaledConfig, i, "generatePolicyPlacement")
+		if setGpp {
+			policy.GeneratePolicyPlacement = gppValue
+		} else {
+			policy.GeneratePolicyPlacement = p.PolicyDefaults.GeneratePolicyPlacement
+		}
+
+		// GeneratePlacementWhenInSet defaults to false unless explicitly set in the config.
+		gpsetValue, setGpset := getPolicyBool(unmarshaledConfig, i, "generatePlacementWhenInSet")
+		if setGpset {
+			policy.GeneratePlacementWhenInSet = gpsetValue
 		} else {
 			policy.GeneratePlacementWhenInSet = p.PolicyDefaults.GeneratePlacementWhenInSet
 		}
@@ -824,6 +841,12 @@ func (p *Plugin) assertValidConfig() error {
 		defaultPlacementOptions++
 	}
 
+	if defaultPlacementOptions > 0 && !p.PolicyDefaults.GeneratePolicyPlacement {
+		return errors.New(
+			"policyDefaults must not specify a placement when generatePlacement is set to false",
+		)
+	}
+
 	if defaultPlacementOptions > 1 {
 		return errors.New(
 			"policyDefaults must specify only one of placement selector, placement path, or placement name",
@@ -1106,6 +1129,12 @@ func (p *Plugin) assertValidConfig() error {
 			policyPlacementOptions++
 		}
 
+		if policyPlacementOptions > 0 && !policy.GeneratePolicyPlacement {
+			return fmt.Errorf(
+				"policy %s must not specify a placement when generatePlacement is set to false", policy.Name,
+			)
+		}
+
 		if policyPlacementOptions > 1 {
 			return fmt.Errorf(
 				"policy %s must specify only one of placement selector, placement path, or placement name", policy.Name,

internal/plugin_config_test.go

@@ -379,6 +379,74 @@ policies:
 	assertEqual(t, err.Error(), expected)
 }
 
+func TestConfigDefaultPlacementWithDisabledPlacement(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+	config := fmt.Sprintf(`
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+  name: policy-generator-name
+policyDefaults:
+  namespace: my-policies
+  generatePolicyPlacement: false
+  placement:
+    clusterSelectors:
+      cloud: red hat
+policies:
+- name: policy-app-config
+  manifests:
+    - path: %s
+`,
+		path.Join(tmpDir, "configmap.yaml"),
+	)
+	p := Plugin{}
+
+	err := p.Config([]byte(config), tmpDir)
+	if err == nil {
+		t.Fatal("Expected an error but did not get one")
+	}
+
+	expected := "policyDefaults must not specify " +
+		"a placement when generatePlacement is set to false"
+	assertEqual(t, err.Error(), expected)
+}
+
+func TestConfigPlacementWithDisabledPlacement(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+	config := fmt.Sprintf(`
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+  name: policy-generator-name
+policyDefaults:
+  namespace: my-policies
+  placement:
+    clusterSelectors:
+      cloud: red hat
+policies:
+- name: policy-app-config
+  generatePolicyPlacement: false
+  manifests:
+    - path: %s
+`,
+		path.Join(tmpDir, "configmap.yaml"),
+	)
+	p := Plugin{}
+
+	err := p.Config([]byte(config), tmpDir)
+	if err == nil {
+		t.Fatal("Expected an error but did not get one")
+	}
+
+	expected := "policy policy-app-config must not specify " +
+		"a placement when generatePlacement is set to false"
+	assertEqual(t, err.Error(), expected)
+}
+
 func TestConfigMultiplePlacementsClusterSelectorAndPlRPath(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()

internal/plugin_test.go

@@ -291,6 +291,88 @@ policies:
 	}
 }
 
+func TestGeneratePolicyDisablePlacement(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	p := Plugin{}
+	var err error
+
+	p.baseDirectory, err = filepath.EvalSymlinks(tmpDir)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	p.PolicyDefaults.Namespace = "my-policies"
+	p.PolicyDefaults.MetadataComplianceType = "musthave"
+	policyConf := types.PolicyConfig{
+		Name: "policy-app-config",
+		Manifests: []types.Manifest{
+			{
+				Path: path.Join(tmpDir, "configmap.yaml"),
+			},
+		},
+	}
+	p.Policies = append(p.Policies, policyConf)
+	p.applyDefaults(map[string]interface{}{
+		"policyDefaults": map[string]interface{}{
+			"generatePolicyPlacement": false,
+		},
+	})
+	assertEqual(t, p.Policies[0].GeneratePolicyPlacement, false)
+	// Default all policy ConsolidateManifests flags are set to true
+	// unless explicitly set
+	assertEqual(t, p.Policies[0].ConsolidateManifests, true)
+
+	if err := p.assertValidConfig(); err != nil {
+		t.Fatal(err.Error())
+	}
+
+	expected := `
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    annotations:
+        policy.open-cluster-management.io/categories: CM Configuration Management
+        policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+        policy.open-cluster-management.io/standards: NIST SP 800-53
+    name: policy-app-config
+    namespace: my-policies
+spec:
+    disabled: false
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: policy-app-config
+            spec:
+                object-templates:
+                    - complianceType: musthave
+                      metadataComplianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        data:
+                            game.properties: enemies=potato
+                        kind: ConfigMap
+                        metadata:
+                            name: my-configmap
+                remediationAction: inform
+                severity: low
+    remediationAction: inform
+`
+	expected = strings.TrimPrefix(expected, "\n")
+
+	output, err := p.Generate()
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	assertEqual(t, string(output), expected)
+}
+
 func TestGeneratePolicyExistingPlacementRuleName(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()

internal/types/types.go

@@ -20,6 +20,7 @@ type PolicyOptions struct {
 	IgnorePending                  bool               `json:"ignorePending,omitempty" yaml:"ignorePending,omitempty"`
 	InformGatekeeperPolicies       bool               `json:"informGatekeeperPolicies,omitempty" yaml:"informGatekeeperPolicies,omitempty"`
 	InformKyvernoPolicies          bool               `json:"informKyvernoPolicies,omitempty" yaml:"informKyvernoPolicies,omitempty"`
+	GeneratePolicyPlacement        bool               `json:"generatePolicyPlacement,omitempty" yaml:"generatePolicyPlacement,omitempty"`
 	GeneratePlacementWhenInSet     bool               `json:"generatePlacementWhenInSet,omitempty" yaml:"generatePlacementWhenInSet,omitempty"`
 	PolicySets                     []string           `json:"policySets,omitempty" yaml:"policySets,omitempty"`
 	PolicyAnnotations              map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`