Add support for setting the configuration policy annotations

This will allow users to disable policy templating on generated
configuration policies.

Relates:
https://github.com/stolostron/backlog/issues/23078

Signed-off-by: mprahl <[email protected]>

Author: mprahl

docs/policygenerator-reference.yaml

@@ -17,6 +17,10 @@ policyDefaults:
   # annotation. This defaults to ["CM Configuration Management"].
   categories:
     - "CM Configuration Management"
+  # Optional. Key-value pairs of annotations to set on generated configuration policies. For
+  # example, to disable policy templates, you can set this to:
+  # {"policy.open-cluster-management.io/disable-templates": "true"}. This defaults to {}.
+  configurationPolicyAnnotations: {}
   # Optional. Array of controls to be used in the policy.open-cluster-management.io/controls
   # annotation. This defaults to ["CM-2 Baseline Configuration"].
   controls:
@@ -149,6 +153,8 @@ policies:
     # Optional. Determines the policy controller behavior when comparing the manifest to objects on
     # the cluster ("musthave",  "mustonlyhave", or "mustnothave"). Defaults to "musthave".
     complianceType: "musthave"
+    # Optional. (See policyDefaults.configurationPolicyAnnotations for description.)
+    configurationPolicyAnnotations: {}
     # Optional. (See policyDefaults.metadataComplianceType for description.)
     metadataComplianceType: ""
     # Optional. (See policyDefaults.controls for description.)

internal/plugin.go

@@ -399,6 +399,14 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.Categories = p.PolicyDefaults.Categories
 		}
 
+		if policy.ConfigurationPolicyAnnotations == nil {
+			annotations := map[string]string{}
+			for k, v := range p.PolicyDefaults.ConfigurationPolicyAnnotations {
+				annotations[k] = v
+			}
+			policy.ConfigurationPolicyAnnotations = annotations
+		}
+
 		if policy.Standards == nil {
 			policy.Standards = p.PolicyDefaults.Standards
 		}

internal/plugin_test.go

@@ -2235,3 +2235,81 @@ func TestGenerateEvaluationInterval(t *testing.T) {
 		}
 	}
 }
+
+func TestCreatePolicyWithConfigPolicyAnnotations(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	tests := []struct {
+		name        string
+		annotations map[string]string
+	}{
+		{name: "no-override", annotations: nil},
+		{
+			name: "override",
+			annotations: map[string]string{
+				"policy.open-cluster-management.io/disable-templates": "true",
+			},
+		},
+		{
+			name:        "override-empty",
+			annotations: map[string]string{},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			p := Plugin{}
+			p.PolicyDefaults.Namespace = "my-policies"
+			p.PolicyDefaults.ConfigurationPolicyAnnotations = map[string]string{"test-default-annotation": "default"}
+			policyConf := types.PolicyConfig{
+				Name: "policy-app-config", Manifests: []types.Manifest{
+					{Path: path.Join(tmpDir, "configmap.yaml")},
+				},
+			}
+			if test.annotations != nil {
+				policyConf.ConfigurationPolicyAnnotations = test.annotations
+			}
+
+			p.Policies = append(p.Policies, policyConf)
+			p.applyDefaults(map[string]interface{}{})
+
+			err := p.createPolicy(&p.Policies[0])
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+
+			output := p.outputBuffer.Bytes()
+			policyManifests, err := unmarshalManifestBytes(output)
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+			// nolint: forcetypeassert
+			policyTemplates := (*policyManifests)[0]["spec"].(map[string]interface{})["policy-templates"].([]interface{})
+			// nolint: forcetypeassert
+			configPolicy := policyTemplates[0].(map[string]interface{})["objectDefinition"].(map[string]interface{})
+			// nolint: forcetypeassert
+			metadata := configPolicy["metadata"].(map[string]interface{})
+
+			if test.annotations != nil && len(test.annotations) == 0 {
+				assertEqual(t, metadata["annotations"], nil)
+			} else {
+				annotations := map[string]string{}
+				for key, val := range metadata["annotations"].(map[string]interface{}) {
+					// nolint: forcetypeassert
+					annotations[key] = val.(string)
+				}
+
+				if test.annotations == nil {
+					assertReflectEqual(t, annotations, map[string]string{"test-default-annotation": "default"})
+				} else {
+					assertReflectEqual(t, annotations, test.annotations)
+				}
+			}
+		})
+	}
+}

internal/types/types.go

@@ -41,18 +41,19 @@ type PolicyConfig struct {
 	Name              string            `json:"name,omitempty" yaml:"name,omitempty"`
 	NamespaceSelector NamespaceSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
 	// This is named Placement so that eventually PlacementRules and Placements will be supported
-	Placement                  PlacementConfig    `json:"placement,omitempty" yaml:"placement,omitempty"`
-	RemediationAction          string             `json:"remediationAction,omitempty" yaml:"remediationAction,omitempty"`
-	Severity                   string             `json:"severity,omitempty" yaml:"severity,omitempty"`
-	Standards                  []string           `json:"standards,omitempty" yaml:"standards,omitempty"`
-	ConsolidateManifests       bool               `json:"consolidateManifests,omitempty" yaml:"consolidateManifests,omitempty"`
-	Disabled                   bool               `json:"disabled,omitempty" yaml:"disabled,omitempty"`
-	InformGatekeeperPolicies   bool               `json:"informGatekeeperPolicies,omitempty" yaml:"informGatekeeperPolicies,omitempty"`
-	InformKyvernoPolicies      bool               `json:"informKyvernoPolicies,omitempty" yaml:"informKyvernoPolicies,omitempty"`
-	GeneratePlacementWhenInSet bool               `json:"generatePlacementWhenInSet,omitempty" yaml:"generatePlacementWhenInSet,omitempty"`
-	PolicySets                 []string           `json:"policySets,omitempty" yaml:"policySets,omitempty"`
-	EvaluationInterval         EvaluationInterval `json:"evaluationInterval,omitempty" yaml:"evaluationInterval,omitempty"`
-	PolicyAnnotations          map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`
+	Placement                      PlacementConfig    `json:"placement,omitempty" yaml:"placement,omitempty"`
+	RemediationAction              string             `json:"remediationAction,omitempty" yaml:"remediationAction,omitempty"`
+	Severity                       string             `json:"severity,omitempty" yaml:"severity,omitempty"`
+	Standards                      []string           `json:"standards,omitempty" yaml:"standards,omitempty"`
+	ConsolidateManifests           bool               `json:"consolidateManifests,omitempty" yaml:"consolidateManifests,omitempty"`
+	Disabled                       bool               `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+	InformGatekeeperPolicies       bool               `json:"informGatekeeperPolicies,omitempty" yaml:"informGatekeeperPolicies,omitempty"`
+	InformKyvernoPolicies          bool               `json:"informKyvernoPolicies,omitempty" yaml:"informKyvernoPolicies,omitempty"`
+	GeneratePlacementWhenInSet     bool               `json:"generatePlacementWhenInSet,omitempty" yaml:"generatePlacementWhenInSet,omitempty"`
+	PolicySets                     []string           `json:"policySets,omitempty" yaml:"policySets,omitempty"`
+	EvaluationInterval             EvaluationInterval `json:"evaluationInterval,omitempty" yaml:"evaluationInterval,omitempty"`
+	PolicyAnnotations              map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`
+	ConfigurationPolicyAnnotations map[string]string  `json:"configurationPolicyAnnotations,omitempty" yaml:"configurationPolicyAnnotations,omitempty"`
 }
 
 type PolicyDefaults struct {
@@ -63,18 +64,19 @@ type PolicyDefaults struct {
 	Namespace              string            `json:"namespace,omitempty" yaml:"namespace,omitempty"`
 	NamespaceSelector      NamespaceSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
 	// This is named Placement so that eventually PlacementRules and Placements will be supported
-	Placement                  PlacementConfig    `json:"placement,omitempty" yaml:"placement,omitempty"`
-	RemediationAction          string             `json:"remediationAction,omitempty" yaml:"remediationAction,omitempty"`
-	Severity                   string             `json:"severity,omitempty" yaml:"severity,omitempty"`
-	Standards                  []string           `json:"standards,omitempty" yaml:"standards,omitempty"`
-	ConsolidateManifests       bool               `json:"consolidateManifests,omitempty" yaml:"consolidateManifests,omitempty"`
-	Disabled                   bool               `json:"disabled,omitempty" yaml:"disabled,omitempty"`
-	InformGatekeeperPolicies   bool               `json:"informGatekeeperPolicies,omitempty" yaml:"informGatekeeperPolicies,omitempty"`
-	InformKyvernoPolicies      bool               `json:"informKyvernoPolicies,omitempty" yaml:"informKyvernoPolicies,omitempty"`
-	GeneratePlacementWhenInSet bool               `json:"generatePlacementWhenInSet,omitempty" yaml:"generatePlacementWhenInSet,omitempty"`
-	PolicySets                 []string           `json:"policySets,omitempty" yaml:"policySets,omitempty"`
-	EvaluationInterval         EvaluationInterval `json:"evaluationInterval,omitempty" yaml:"evaluationInterval,omitempty"`
-	PolicyAnnotations          map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`
+	Placement                      PlacementConfig    `json:"placement,omitempty" yaml:"placement,omitempty"`
+	RemediationAction              string             `json:"remediationAction,omitempty" yaml:"remediationAction,omitempty"`
+	Severity                       string             `json:"severity,omitempty" yaml:"severity,omitempty"`
+	Standards                      []string           `json:"standards,omitempty" yaml:"standards,omitempty"`
+	ConsolidateManifests           bool               `json:"consolidateManifests,omitempty" yaml:"consolidateManifests,omitempty"`
+	Disabled                       bool               `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+	InformGatekeeperPolicies       bool               `json:"informGatekeeperPolicies,omitempty" yaml:"informGatekeeperPolicies,omitempty"`
+	InformKyvernoPolicies          bool               `json:"informKyvernoPolicies,omitempty" yaml:"informKyvernoPolicies,omitempty"`
+	GeneratePlacementWhenInSet     bool               `json:"generatePlacementWhenInSet,omitempty" yaml:"generatePlacementWhenInSet,omitempty"`
+	PolicySets                     []string           `json:"policySets,omitempty" yaml:"policySets,omitempty"`
+	EvaluationInterval             EvaluationInterval `json:"evaluationInterval,omitempty" yaml:"evaluationInterval,omitempty"`
+	PolicyAnnotations              map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`
+	ConfigurationPolicyAnnotations map[string]string  `json:"configurationPolicyAnnotations,omitempty" yaml:"configurationPolicyAnnotations,omitempty"`
 }
 
 type PolicySetConfig struct {

internal/utils.go

@@ -251,7 +251,7 @@ func buildPolicyTemplate(
 		"objectDefinition": {
 			"apiVersion": policyAPIVersion,
 			"kind":       configPolicyKind,
-			"metadata": map[string]string{
+			"metadata": map[string]interface{}{
 				"name": name,
 			},
 			"spec": map[string]interface{}{
@@ -262,6 +262,10 @@ func buildPolicyTemplate(
 		},
 	}
 
+	if len(policyConf.ConfigurationPolicyAnnotations) > 0 {
+		policyTemplate["objectDefinition"]["metadata"].(map[string]interface{})["annotations"] = policyConf.ConfigurationPolicyAnnotations
+	}
+
 	if evaluationInterval.Compliant != "" || evaluationInterval.NonCompliant != "" {
 		evalInterval := map[string]interface{}{}
 

internal/utils_test.go

@@ -121,7 +121,7 @@ data:
 
 		policyTemplate := policyTemplates[0]
 		objdef := policyTemplate["objectDefinition"]
-		assertEqual(t, objdef["metadata"].(map[string]string)["name"], "policy-app-config")
+		assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), "policy-app-config")
 		spec, ok := objdef["spec"].(map[string]interface{})
 		if !ok {
 			t.Fatal("The spec field is an invalid format")
@@ -248,7 +248,7 @@ data:
 			if i > 0 {
 				name += fmt.Sprintf("%d", i+1)
 			}
-			assertEqual(t, objdef["metadata"].(map[string]string)["name"], name)
+			assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), name)
 			spec, ok := objdef["spec"].(map[string]interface{})
 			if !ok {
 				t.Fatal("The spec field is an invalid format")
@@ -440,7 +440,7 @@ data:
 
 	policyTemplate := policyTemplates[0]
 	objdef := policyTemplate["objectDefinition"]
-	assertEqual(t, objdef["metadata"].(map[string]string)["name"], "policy-app-config")
+	assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), "policy-app-config")
 	spec, ok := objdef["spec"].(map[string]interface{})
 	if !ok {
 		t.Fatal("The spec field is an invalid format")
@@ -522,7 +522,7 @@ data:
 
 	policyTemplate := policyTemplates[0]
 	objdef := policyTemplate["objectDefinition"]
-	assertEqual(t, objdef["metadata"].(map[string]string)["name"], "policy-app-config")
+	assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), "policy-app-config")
 	spec, ok := objdef["spec"].(map[string]interface{})
 	if !ok {
 		t.Fatal("The spec field is an invalid format")