Convert non-string labels and annotations

Previously, if labels or annotations inside an objectTemplate used
values that were not strings, the ConfigurationPolicy might try to
remove all labels or annotations on that object. That behavior was
potentially destructive, and it was easy for a policy author to
accidentally trigger by getting some quotes wrong in their template, or
by using `yes` as a value (which is interpreted by some parsers as a
boolean `true`).

Now, the ConfigurationPolicy will force all values in labels and
annotations to be strings, which is most likely what the policy author
intended. In the case of a `yes` string or something similar, there may
still be a discrepancy, but the value in the ConfigurationPolicy will
already be a boolean, so we can't detect or handle that case.

Refs:
 - https://issues.redhat.com/browse/ACM-26186

Signed-off-by: Justin Kulikauskas <[email protected]>

Author: JustinKuli

controllers/configurationpolicy_controller.go

@@ -3553,17 +3553,33 @@ func handleKeys(
 			continue
 		}
 
-		// only look at labels and annotations for metadata - configurationPolicies do not update other metadata fields
 		if key == "metadata" {
-			// if it's not the right type, the map will be empty
-			mdMap, _ := mergedObj.(map[string]interface{})
+			if mdMap, ok := mergedObj.(map[string]any); ok {
+				// ConfigurationPolicies should not affect metadata fields other than labels and
+				// annotations, and they should only be updated if the merged object has the right
+				// format.
+				mergedAnnos, found, err := unstructured.NestedMap(mdMap, "annotations")
+				if found && err == nil {
+					// Force all annotation values to be strings
+					annos := make(map[string]string)
+					for k, v := range mergedAnnos {
+						annos[k] = fmt.Sprint(v)
+					}
+
+					existingObj.SetAnnotations(annos)
+				}
 
-			// if either isn't found, they'll just be empty
-			mergedAnnotations, _, _ := unstructured.NestedStringMap(mdMap, "annotations")
-			mergedLabels, _, _ := unstructured.NestedStringMap(mdMap, "labels")
+				mergedLabels, found, err := unstructured.NestedMap(mdMap, "labels")
+				if found && err == nil {
+					// Force all label values to be strings
+					labels := make(map[string]string)
+					for k, v := range mergedLabels {
+						labels[k] = fmt.Sprint(v)
+					}
 
-			existingObj.SetAnnotations(mergedAnnotations)
-			existingObj.SetLabels(mergedLabels)
+					existingObj.SetLabels(labels)
+				}
+			}
 		} else {
 			existingObj.UnstructuredContent()[key] = mergedObj
 		}

test/dryrun/kind_field/pod_annotation_match/input_1.yaml

@@ -5,8 +5,10 @@ metadata:
   namespace: managed
   annotations:
     test: e2e10
+    foo: "true"
   labels:
     test: e2e10
+    bar: "7"
 spec:
   containers:
     - image: nginx:1.7.9

test/dryrun/kind_field/pod_annotation_match/policy.yaml

@@ -19,7 +19,10 @@ spec:
         kind: Pod
         metadata:
           namespace: managed
+          name: nginx-pod-e2e-10
           annotations:
             test: e2e10
+            foo: yes
           labels:
             test: e2e10
+            bar: 7

test/dryrun/kind_field/pod_annotation_mismatch/input_1.yaml

@@ -7,6 +7,7 @@ metadata:
     test: e2e10
   labels:
     test: e2e10
+    bar: fail
 spec:
   containers:
     - image: nginx:1.7.9

test/dryrun/kind_field/pod_annotation_mismatch/output.txt

@@ -1,5 +1,24 @@
 # Diffs:
-v1 Pod managed/-:
-
+v1 Pod managed/nginx-pod-e2e-10:
+--- managed/nginx-pod-e2e-10 : existing
++++ managed/nginx-pod-e2e-10 : updated
+@@ -1,13 +1,14 @@
+ apiVersion: v1
+ kind: Pod
+ metadata:
+   annotations:
+-    test: e2e10
++    foo: "true"
++    test: fail
+   labels:
+-    bar: fail
+-    test: e2e10
++    bar: "7"
++    test: fail
+   name: nginx-pod-e2e-10
+   namespace: managed
+ spec:
+   containers:
+   - image: nginx:1.7.9
 # Compliance messages:
-NonCompliant; violation - pods found but not as specified in namespace managed
+NonCompliant; violation - pods [nginx-pod-e2e-10] found but not as specified in namespace managed

test/dryrun/kind_field/pod_annotation_mismatch/policy.yaml

@@ -12,7 +12,10 @@ spec:
         kind: Pod
         metadata:
           namespace: managed
+          name: nginx-pod-e2e-10
           annotations:
             test: fail
+            foo: yes
           labels:
             test: fail
+            bar: 7