Add LabelSelector to NamespaceSelector

Signed-off-by: Dale Haiducek <[email protected]>

Author: dhaiducek

internal/plugin.go

@@ -533,11 +533,12 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			}
 		}
 
-		// Only use defaults when when both include and exclude are not set on the policy
+		// Only use defaults when when the namespaceSelector is not set on the policy
 		nsSelector := policy.NamespaceSelector
 		defNsSelector := p.PolicyDefaults.NamespaceSelector
 
-		if nsSelector.Exclude == nil && nsSelector.Include == nil {
+		if nsSelector.Exclude == nil && nsSelector.Include == nil &&
+			nsSelector.MatchLabels == nil && nsSelector.MatchExpressions == nil {
 			policy.NamespaceSelector = defNsSelector
 		}
 

internal/plugin_test.go

@@ -6,9 +6,11 @@ import (
 	"io/ioutil"
 	"path"
 	"path/filepath"
+	"reflect"
 	"strings"
 	"testing"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"open-cluster-management.io/ocm-kustomize-generator-plugins/internal/types"
 )
 
@@ -2365,3 +2367,103 @@ func TestCreatePolicyWithConfigPolicyAnnotations(t *testing.T) {
 		})
 	}
 }
+
+func TestCreatePolicyWithNamespaceSelector(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	tests := map[string]struct {
+		name              string
+		namespaceSelector types.NamespaceSelector
+	}{
+		"nil-selector": {namespaceSelector: types.NamespaceSelector{}},
+		"empty-selector-values": {
+			namespaceSelector: types.NamespaceSelector{
+				Include:          []string{},
+				Exclude:          []string{},
+				MatchLabels:      &map[string]string{},
+				MatchExpressions: &[]metav1.LabelSelectorRequirement{},
+			},
+		},
+		"completely-filled-values": {
+			namespaceSelector: types.NamespaceSelector{
+				Include: []string{"test-ns-1", "test-ns-2"},
+				Exclude: []string{"*-ns-[1]"},
+				MatchLabels: &map[string]string{
+					"testing": "is awesome",
+				},
+				MatchExpressions: &[]metav1.LabelSelectorRequirement{{
+					Key:      "door",
+					Operator: "Exists",
+				}},
+			},
+		},
+		"include-exclude-only": {
+			namespaceSelector: types.NamespaceSelector{
+				Include: []string{"test-ns-1", "test-ns-2"},
+				Exclude: []string{"*-ns-[1]"},
+			},
+		},
+		"label-selectors-only": {
+			namespaceSelector: types.NamespaceSelector{
+				MatchLabels: &map[string]string{
+					"testing": "is awesome",
+				},
+				MatchExpressions: &[]metav1.LabelSelectorRequirement{{
+					Key:      "door",
+					Operator: "Exists",
+				}},
+			},
+		},
+	}
+
+	for name, test := range tests {
+		test := test
+
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			p := Plugin{}
+			p.PolicyDefaults.Namespace = "my-policies"
+			p.PolicyDefaults.NamespaceSelector = types.NamespaceSelector{
+				MatchLabels: &map[string]string{},
+			}
+			policyConf := types.PolicyConfig{
+				Name: "policy-app-config", Manifests: []types.Manifest{
+					{Path: path.Join(tmpDir, "configmap.yaml")},
+				},
+			}
+			policyConf.NamespaceSelector = test.namespaceSelector
+
+			p.Policies = append(p.Policies, policyConf)
+			p.applyDefaults(map[string]interface{}{})
+
+			err := p.createPolicy(&p.Policies[0])
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+
+			output := p.outputBuffer.Bytes()
+			policyManifests, err := unmarshalManifestBytes(output)
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+			// nolint: forcetypeassert
+			spec := (*policyManifests)[0]["spec"].(map[string]interface{})
+			policyTemplates := spec["policy-templates"].([]interface{})
+			// nolint: forcetypeassert
+			configPolicy := policyTemplates[0].(map[string]interface{})["objectDefinition"].(map[string]interface{})
+			// nolint: forcetypeassert
+			configPolicySpec := configPolicy["spec"].(map[string]interface{})
+			// nolint: forcetypeassert
+			configPolicySelector := configPolicySpec["namespaceSelector"].(map[string]interface{})
+
+			if reflect.DeepEqual(test.namespaceSelector, types.NamespaceSelector{}) {
+				assertSelectorEqual(t, configPolicySelector, p.PolicyDefaults.NamespaceSelector)
+			} else {
+				assertSelectorEqual(t, configPolicySelector, test.namespaceSelector)
+			}
+		})
+	}
+}

internal/types/types.go

@@ -1,6 +1,12 @@
 // Copyright Contributors to the Open Cluster Management project
 package types
 
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
 type Manifest struct {
 	ComplianceType         string                   `json:"complianceType,omitempty" yaml:"complianceType,omitempty"`
 	MetadataComplianceType string                   `json:"metadataComplianceType,omitempty" yaml:"metadataComplianceType,omitempty"`
@@ -10,8 +16,28 @@ type Manifest struct {
 }
 
 type NamespaceSelector struct {
-	Exclude []string `json:"exclude,omitempty" yaml:"exclude,omitempty"`
-	Include []string `json:"include,omitempty" yaml:"include,omitempty"`
+	Exclude          []string                           `json:"exclude,omitempty" yaml:"exclude,omitempty"`
+	Include          []string                           `json:"include,omitempty" yaml:"include,omitempty"`
+	MatchLabels      *map[string]string                 `json:"matchLabels,omitempty" yaml:"matchLabels,omitempty"`
+	MatchExpressions *[]metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty" yaml:"matchExpressions,omitempty"`
+}
+
+// Define String() so that the LabelSelector is dereferenced in the logs
+func (t NamespaceSelector) String() string {
+	fmtSelectorStr := "{include:%s,exclude:%s,matchLabels:%+v,matchExpressions:%+v}"
+	if t.MatchLabels == nil && t.MatchExpressions == nil {
+		return fmt.Sprintf(fmtSelectorStr, t.Include, t.Exclude, nil, nil)
+	}
+
+	if t.MatchLabels == nil {
+		return fmt.Sprintf(fmtSelectorStr, t.Include, t.Exclude, nil, *t.MatchExpressions)
+	}
+
+	if t.MatchExpressions == nil {
+		return fmt.Sprintf(fmtSelectorStr, t.Include, t.Exclude, *t.MatchLabels, nil)
+	}
+
+	return fmt.Sprintf(fmtSelectorStr, t.Include, t.Exclude, *t.MatchLabels, *t.MatchExpressions)
 }
 
 type PlacementConfig struct {

internal/utils.go

@@ -235,9 +235,13 @@ func isPolicyTypeManifest(manifest map[string]interface{}) (bool, error) {
 
 // setNamespaceSelector sets the namespace selector, if set, on the input policy template.
 func setNamespaceSelector(policyConf *types.PolicyConfig, policyTemplate *map[string]map[string]interface{}) {
-	if policyConf.NamespaceSelector.Exclude != nil || policyConf.NamespaceSelector.Include != nil {
+	selector := policyConf.NamespaceSelector
+	if selector.Exclude != nil ||
+		selector.Include != nil ||
+		selector.MatchLabels != nil ||
+		selector.MatchExpressions != nil {
 		spec := (*policyTemplate)["objectDefinition"]["spec"].(map[string]interface{})
-		spec["namespaceSelector"] = policyConf.NamespaceSelector
+		spec["namespaceSelector"] = selector
 	}
 }
 

internal/utils_test.go

@@ -30,6 +30,83 @@ func assertReflectEqual(t *testing.T, a interface{}, b interface{}) {
 	}
 }
 
+func assertSelectorEqual(t *testing.T, a map[string]interface{}, b types.NamespaceSelector) {
+	t.Helper()
+
+	if !compareSelectors(a, b) {
+		t.Fatalf("%s != %s", a, b)
+	}
+}
+
+func compareStringArrays(a []interface{}, b []string) bool {
+	// Account for when b is []string(nil)
+	if len(a) == 0 && len(b) == 0 {
+		return true
+	}
+
+	// Create a string array from []interface{}
+	aTyped := make([]string, len(a))
+	for i, val := range a {
+		aTyped[i] = val.(string)
+	}
+
+	return reflect.DeepEqual(aTyped, b)
+}
+
+func compareSelectors(a map[string]interface{}, b types.NamespaceSelector) bool {
+	if includeA, ok := a["include"].([]interface{}); ok {
+		if !compareStringArrays(includeA, b.Include) {
+			return false
+		}
+	} else if len(b.Include) != 0 {
+		return false
+	}
+
+	if excludeA, ok := a["exclude"].([]interface{}); ok {
+		if !compareStringArrays(excludeA, b.Exclude) {
+			return false
+		}
+	} else if len(b.Exclude) != 0 {
+		return false
+	}
+
+	if matchLabelsA, ok := a["matchLabels"].(map[string]string); ok {
+		if !reflect.DeepEqual(matchLabelsA, b.MatchLabels) {
+			return false
+		}
+	} else if matchLabelsA != nil && b.MatchLabels != nil {
+		return false
+	}
+
+	if matchExpressionsA, ok := a["matchExpressions"].([]interface{}); ok {
+		if a["matchExpressions"] != b.MatchExpressions {
+			if b.MatchExpressions == nil {
+				return false
+			}
+
+			if len(matchExpressionsA) != len(*b.MatchExpressions) {
+				return false
+			}
+
+			for i := range matchExpressionsA {
+				meA := matchExpressionsA[i]
+				valuesA := meA.(map[string]interface{})["values"].([]interface{})
+				meB := (*b.MatchExpressions)[i]
+
+				if meA.(map[string]interface{})["key"].(string) != meB.Key ||
+					meA.(map[string]interface{})["operator"].(string) != string(meB.Operator) ||
+					!compareStringArrays(valuesA, meB.Values) {
+					return false
+				}
+			}
+		}
+	} else if matchExpressionsA != nil && b.MatchExpressions != nil {
+		return false
+	}
+
+	return true
+}
+
 func TestGetPolicyTemplate(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()