Support PruneObjectBehavior

ref: stolostron/backlog#25353
Signed-off-by: Dale Haiducek <[email protected]>

Author: dhaiducek

docs/policygenerator-reference.yaml

@@ -43,6 +43,10 @@ policyDefaults:
     # avoid evaluating the policy after it has become a particular compliance state.
     compliant: 30m
     noncompliant: 45s
+  # Optional. Determines whether objects created or monitored by the policy should be deleted when the policy is
+  # deleted. Pruning only takes place if the remediation action of the policy has been set to "enforce". Example values
+  # are "DeleteIfCreated", "DeleteAll", or "None". This defaults to unset, which is equivalent to "None".
+  pruneObjectBehavior: "None"
   # Optional. When the policy references a Kyverno policy manifest, this determines if an additional
   # configuration policy should be generated in order to receive policy violations in Open Cluster
   # Management when the Kyverno policy has been violated. This defaults to true.
@@ -138,6 +142,8 @@ policies:
         metadataComplianceType: ""
          # Optional. (See policyDefaults.evaluationInterval for description.)
         evaluationInterval: {}
+        # Optional. (See policyDefaults.pruneObjectBehavior for description.)
+        pruneObjectBehavior: ""
         # (Note: a path to a directory containing a Kustomize manifest is a supported alternative.) Optional. A
         # Kustomize patch to apply to the manifest(s) at the path. If there are multiple manifests, the patch requires
         # the apiVersion, kind, metadata.name, and metadata.namespace (if applicable) fields to be set so Kustomize can
@@ -174,6 +180,8 @@ policies:
     disabled: false
     # Optional. (See policyDefaults.evaluationInterval for description.)
     evaluationInterval: {}
+    # Optional. (See policyDefaults.pruneObjectBehavior for description.)
+    pruneObjectBehavior: ""
     # Optional. (See policyDefaults.informKyvernoPolicies for description.)
     informKyvernoPolicies: true
     # Optional. (See policyDefaults.consolidateManifests for description.)

internal/plugin.go

@@ -458,6 +458,10 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			}
 		}
 
+		if policy.PruneObjectBehavior == "" {
+			policy.PruneObjectBehavior = p.PolicyDefaults.PruneObjectBehavior
+		}
+
 		if policy.PolicySets == nil {
 			policy.PolicySets = p.PolicyDefaults.PolicySets
 		}
@@ -584,6 +588,10 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 					manifest.EvaluationInterval.NonCompliant = policy.EvaluationInterval.NonCompliant
 				}
 			}
+
+			if manifest.PruneObjectBehavior == "" && policy.PruneObjectBehavior != "" {
+				manifest.PruneObjectBehavior = policy.PruneObjectBehavior
+			}
 		}
 
 		for _, plcsetInPlc := range policy.PolicySets {
@@ -788,6 +796,17 @@ func (p *Plugin) assertValidConfig() error {
 				return err
 			}
 
+			// Verify that consolidated manifests don't specify fields
+			// that can't be overridden at the objectTemplate level
+			if policy.ConsolidateManifests && manifest.PruneObjectBehavior != "" {
+				return fmt.Errorf(
+					"the policy %s has the pruneObjectBehavior value set on manifest[%d] but "+
+						"consolidateManifests is true",
+					policy.Name,
+					j,
+				)
+			}
+
 			evalInterval := &manifest.EvaluationInterval
 			if policy.ConsolidateManifests && (evalInterval.Compliant != "" || evalInterval.NonCompliant != "") {
 				return fmt.Errorf(

internal/plugin_config_test.go

@@ -1008,6 +1008,70 @@ policies:
 	}
 }
 
+func TestConfigInvalidManifestKey(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	tests := map[string]struct {
+		// Individual values can't be used for compliant/noncompliant since an empty string means
+		// to not inherit from the policy defaults.
+		keyName     string
+		defaultKey  string
+		policyKey   string
+		manifestKey string
+		expectedMsg string
+	}{
+		"pruneObjectBehavior specified in manifest": {
+			"pruneObjectBehavior",
+			"",
+			"",
+			"None",
+			`the policy policy-app has the pruneObjectBehavior value set` +
+				` on manifest[0] but consolidateManifests is true`,
+		},
+	}
+
+	for testName, test := range tests {
+		test := test
+
+		t.Run(
+			testName,
+			func(t *testing.T) {
+				t.Parallel()
+				config := fmt.Sprintf(`
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+  name: policy-generator-name
+policyDefaults:
+  namespace: my-policies
+  %s: %s
+policies:
+- name: policy-app
+  %s: %s
+  manifests:
+    - path: %s
+      %s: %s
+`,
+					test.keyName, test.defaultKey,
+					test.keyName, test.policyKey,
+					path.Join(tmpDir, "configmap.yaml"),
+					test.keyName, test.manifestKey,
+				)
+
+				p := Plugin{}
+				err := p.Config([]byte(config), tmpDir)
+				if err == nil {
+					t.Fatal("Expected an error but did not get one")
+				}
+
+				assertEqual(t, err.Error(), test.expectedMsg)
+			},
+		)
+	}
+}
+
 func TestConfigNoManifests(t *testing.T) {
 	t.Parallel()
 	const config = `

internal/plugin_test.go

@@ -39,6 +39,7 @@ func TestGenerate(t *testing.T) {
 	p.PolicyDefaults.Placement.Name = "my-placement-rule"
 	p.PolicyDefaults.Namespace = "my-policies"
 	p.PolicyDefaults.MetadataComplianceType = "musthave"
+	p.PolicyDefaults.PruneObjectBehavior = "DeleteAll"
 	patch := map[string]interface{}{
 		"metadata": map[string]interface{}{
 			"labels": map[string]string{
@@ -47,7 +48,8 @@ func TestGenerate(t *testing.T) {
 		},
 	}
 	policyConf := types.PolicyConfig{
-		Name: "policy-app-config",
+		Name:                "policy-app-config",
+		PruneObjectBehavior: "None",
 		Manifests: []types.Manifest{
 			{
 				Path:    path.Join(tmpDir, "configmap.yaml"),
@@ -107,6 +109,7 @@ spec:
                             labels:
                                 chandler: bing
                             name: my-configmap
+                pruneObjectBehavior: None
                 remediationAction: inform
                 severity: low
 ---
@@ -138,6 +141,7 @@ spec:
                         kind: ConfigMap
                         metadata:
                             name: my-configmap
+                pruneObjectBehavior: DeleteAll
                 remediationAction: inform
                 severity: low
 ---

internal/types/types.go

@@ -11,6 +11,7 @@ type Manifest struct {
 	ComplianceType         string                   `json:"complianceType,omitempty" yaml:"complianceType,omitempty"`
 	MetadataComplianceType string                   `json:"metadataComplianceType,omitempty" yaml:"metadataComplianceType,omitempty"`
 	EvaluationInterval     EvaluationInterval       `json:"evaluationInterval,omitempty" yaml:"evaluationInterval,omitempty"`
+	PruneObjectBehavior    string                   `json:"pruneObjectBehavior,omitempty" yaml:"pruneObjectBehavior,omitempty"`
 	Patches                []map[string]interface{} `json:"patches,omitempty" yaml:"patches,omitempty"`
 	Path                   string                   `json:"path,omitempty" yaml:"path,omitempty"`
 }
@@ -80,6 +81,7 @@ type PolicyConfig struct {
 	EvaluationInterval             EvaluationInterval `json:"evaluationInterval,omitempty" yaml:"evaluationInterval,omitempty"`
 	PolicyAnnotations              map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`
 	ConfigurationPolicyAnnotations map[string]string  `json:"configurationPolicyAnnotations,omitempty" yaml:"configurationPolicyAnnotations,omitempty"`
+	PruneObjectBehavior            string             `json:"pruneObjectBehavior,omitempty" yaml:"pruneObjectBehavior,omitempty"`
 }
 
 type PolicyDefaults struct {
@@ -103,6 +105,7 @@ type PolicyDefaults struct {
 	EvaluationInterval             EvaluationInterval `json:"evaluationInterval,omitempty" yaml:"evaluationInterval,omitempty"`
 	PolicyAnnotations              map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`
 	ConfigurationPolicyAnnotations map[string]string  `json:"configurationPolicyAnnotations,omitempty" yaml:"configurationPolicyAnnotations,omitempty"`
+	PruneObjectBehavior            string             `json:"pruneObjectBehavior,omitempty" yaml:"pruneObjectBehavior,omitempty"`
 }
 
 type PolicySetConfig struct {

internal/utils.go

@@ -209,6 +209,7 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 					len(policyTemplates)+1,
 					&[]map[string]interface{}{objTemplate},
 					&policyConf.Manifests[i].EvaluationInterval,
+					policyConf.Manifests[i].PruneObjectBehavior,
 				)
 				setNamespaceSelector(policyConf, policyTemplate)
 				policyTemplates = append(policyTemplates, *policyTemplate)
@@ -225,7 +226,13 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 	// just build one policyTemplate by using the above non-empty consolidated objectTemplates
 	// ConsolidateManifests = true or there is non-policy-type manifest
 	if policyConf.ConsolidateManifests && len(objectTemplates) > 0 {
-		policyTemplate := buildPolicyTemplate(policyConf, 1, &objectTemplates, &policyConf.EvaluationInterval)
+		policyTemplate := buildPolicyTemplate(
+			policyConf,
+			1,
+			&objectTemplates,
+			&policyConf.EvaluationInterval,
+			policyConf.PruneObjectBehavior,
+		)
 		setNamespaceSelector(policyConf, policyTemplate)
 		policyTemplates = append(policyTemplates, *policyTemplate)
 	}
@@ -300,6 +307,7 @@ func buildPolicyTemplate(
 	policyNum int,
 	objectTemplates *[]map[string]interface{},
 	evaluationInterval *types.EvaluationInterval,
+	pruneObjectBehavior string,
 ) *map[string]map[string]interface{} {
 	var name string
 	if policyNum > 1 {
@@ -328,6 +336,11 @@ func buildPolicyTemplate(
 		metadata["annotations"] = policyConf.ConfigurationPolicyAnnotations
 	}
 
+	if pruneObjectBehavior != "" {
+		configSpec := policyTemplate["objectDefinition"]["spec"].(map[string]interface{})
+		configSpec["pruneObjectBehavior"] = policyConf.PruneObjectBehavior
+	}
+
 	if evaluationInterval.Compliant != "" || evaluationInterval.NonCompliant != "" {
 		evalInterval := map[string]interface{}{}
 

internal/utils_test.go

@@ -1338,7 +1338,7 @@ func TestProcessKustomizeDir(t *testing.T) {
 		"kustomization.yaml": `
 resources:
 - configmap.yaml
-- https://github.com/dhaiducek/policy-generator-plugin/examples/input-kustomize/?ref=support-kustomize
+- https://github.com/dhaiducek/policy-generator-plugin/examples/input-kustomize/?ref=kustomize-dir
 
 namespace: kustomize-test
 `,