Add support for the copyPolicyMetadata field

Relates:
https://issues.redhat.com/browse/ACM-1690

Signed-off-by: mprahl <[email protected]>

Author: mprahl

docs/policygenerator-reference.yaml

@@ -31,6 +31,10 @@ policyDefaults:
   # Optional. This determines if a single configuration policy should be generated for all the manifests being wrapped
   # in the policy. If set to false, a configuration policy per manifest will be generated. This defaults to true.
   consolidateManifests: true
+  # Optional. If set to true (default), all the policy's labels and annotations will be copied to the replicated policy.
+  # If set to false, only the policy framework specific policy labels and annotations will be copied to the replicated
+  # policy.
+  copyPolicyMetadata: true
   # Optional. A list of objects that should be in specific compliance states before this policy is applied. Cannot be
   # specified when policyDefaults.orderPolicies is set to true.
   dependencies:
@@ -240,6 +244,8 @@ policies:
     complianceType: "musthave"
     # Optional. (See policyDefaults.configurationPolicyAnnotations for description.)
     configurationPolicyAnnotations: {}
+    # Optional. (See policyDefaults.copyPolicyMetadata for description.)
+    copyPolicyMetadata: true
     # Optional. (See policyDefaults.metadataComplianceType for description.)
     metadataComplianceType: ""
     # Optional. (See policyDefaults.controls for description.)

internal/plugin.go

@@ -432,6 +432,13 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 		p.PolicyDefaults.Controls = defaults.Controls
 	}
 
+	cpmValue, setCPM := getPolicyDefaultBool(unmarshaledConfig, "copyPolicyMetadata")
+	if setCPM {
+		p.PolicyDefaults.CopyPolicyMetadata = cpmValue
+	} else {
+		p.PolicyDefaults.CopyPolicyMetadata = true
+	}
+
 	// Policy expanders default to true unless explicitly set in the config.
 	// Gatekeeper policy expander policyDefault
 	igvValue, setIgv := getPolicyDefaultBool(unmarshaledConfig, "informGatekeeperPolicies")
@@ -523,6 +530,13 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.ConfigurationPolicyAnnotations = annotations
 		}
 
+		cpmValue, setCpm := getPolicyBool(unmarshaledConfig, i, "copyPolicyMetadata")
+		if setCpm {
+			policy.CopyPolicyMetadata = cpmValue
+		} else {
+			policy.CopyPolicyMetadata = p.PolicyDefaults.CopyPolicyMetadata
+		}
+
 		if policy.Standards == nil {
 			policy.Standards = p.PolicyDefaults.Standards
 		}
@@ -1307,6 +1321,12 @@ func (p *Plugin) createPolicy(policyConf *types.PolicyConfig) error {
 		spec["dependencies"] = policyConf.Dependencies
 	}
 
+	// When copyPolicyMetadata is unset, it defaults to the behavior of true, so this leaves it out entirely when set to
+	// true to avoid unnecessarily including it in the Policy YAML.
+	if !policyConf.CopyPolicyMetadata {
+		spec["copyPolicyMetadata"] = false
+	}
+
 	policy := map[string]interface{}{
 		"apiVersion": policyAPIVersion,
 		"kind":       policyKind,

internal/plugin_test.go

@@ -3593,3 +3593,82 @@ spec:
 	expected = strings.TrimPrefix(expected, "\n")
 	assertEqual(t, output, expected)
 }
+
+func TestCreatePolicyWithCopyPolicyMetadata(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	bTrue := true
+	bFalse := false
+
+	tests := []struct {
+		name               string
+		copyPolicyMetadata *bool
+		expected           *bool
+	}{
+		{name: "unset", copyPolicyMetadata: nil, expected: nil},
+		{name: "true", copyPolicyMetadata: &bTrue, expected: nil},
+		{name: "false", copyPolicyMetadata: &bFalse, expected: &bFalse},
+	}
+
+	for _, mode := range []string{"policyDefault", "policy"} {
+		mode := mode
+
+		for _, test := range tests {
+			test := test
+			t.Run(mode+" "+test.name, func(t *testing.T) {
+				t.Parallel()
+
+				p := Plugin{}
+				p.PolicyDefaults.Namespace = "my-policies"
+				policyConf := types.PolicyConfig{
+					Name: "policy-app-config", Manifests: []types.Manifest{
+						{Path: path.Join(tmpDir, "configmap.yaml")},
+					},
+				}
+
+				policyDefaultsUnmarshaled := map[string]interface{}{}
+				policyUnmarshaled := map[string]interface{}{}
+
+				if test.copyPolicyMetadata != nil {
+					if mode == "policyDefault" {
+						policyDefaultsUnmarshaled["copyPolicyMetadata"] = *test.copyPolicyMetadata
+					} else if mode == "policy" {
+						policyUnmarshaled["copyPolicyMetadata"] = *test.copyPolicyMetadata
+					}
+				}
+
+				p.Policies = append(p.Policies, policyConf)
+				p.applyDefaults(
+					map[string]interface{}{
+						"policyDefaults": policyDefaultsUnmarshaled,
+						"policies":       []interface{}{policyUnmarshaled},
+					},
+				)
+
+				err := p.createPolicy(&p.Policies[0])
+				if err != nil {
+					t.Fatal(err.Error())
+				}
+
+				output := p.outputBuffer.Bytes()
+				policyManifests, err := unmarshalManifestBytes(output)
+				if err != nil {
+					t.Fatal(err.Error())
+				}
+
+				// nolint: forcetypeassert
+				spec := policyManifests[0]["spec"].(map[string]interface{})
+
+				if test.expected == nil {
+					if _, set := spec["copyPolicyMetadata"]; set {
+						t.Fatal("Expected the policy's spec.copyPolicyMetadata to be unset")
+					}
+				} else {
+					assertEqual(t, spec["copyPolicyMetadata"], *test.expected)
+				}
+			})
+		}
+	}
+}

internal/types/types.go

@@ -10,6 +10,7 @@ import (
 type PolicyOptions struct {
 	Categories                     []string           `json:"categories,omitempty" yaml:"categories,omitempty"`
 	Controls                       []string           `json:"controls,omitempty" yaml:"controls,omitempty"`
+	CopyPolicyMetadata             bool               `json:"copyPolicyMetadata,omitempty" yaml:"copyPolicyMetadata,omitempty"`
 	Dependencies                   []PolicyDependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"`
 	ExtraDependencies              []PolicyDependency `json:"extraDependencies,omitempty" yaml:"extraDependencies,omitempty"`
 	Placement                      PlacementConfig    `json:"placement,omitempty" yaml:"placement,omitempty"`