Provide consistent overrides in manifests

dhaiducek · dhaiducek · commit c36d2945dfae · 2022-10-10T14:13:31.000-04:00
This adds missing keys and validation to overrides in `manifests` ref: stolostron/backlog#25982 Signed-off-by: Dale Haiducek <dhaiduce@redhat.com>
diff --git a/docs/policygenerator-reference.yaml b/docs/policygenerator-reference.yaml
@@ -144,10 +144,21 @@ policies:
         complianceType: "musthave"
         # Optional. (See policyDefaults.metadataComplianceType for description.)
         metadataComplianceType: ""
+        # Optional. (See policyDefaults.namespaceSelector for description.)
+        # Cannot be specified when policyDefaults.consolidateManifests is set to true.
+        namespaceSelector: {}
          # Optional. (See policyDefaults.evaluationInterval for description.)
+        # Cannot be specified when policyDefaults.consolidateManifests is set to true.
         evaluationInterval: {}
         # Optional. (See policyDefaults.pruneObjectBehavior for description.)
+        # Cannot be specified when policyDefaults.consolidateManifests is set to true.
         pruneObjectBehavior: ""
+        # Optional. (See policyDefaults.remediationAction for description.)
+        # Cannot be specified when policyDefaults.consolidateManifests is set to true.
+        remediationAction: ""
+        # Optional. (See policyDefaults.severity for description.)
+        # Cannot be specified when policyDefaults.consolidateManifests is set to true.
+        severity: "low"
         # (Note: a path to a directory containing a Kustomize manifest is a supported alternative.) Optional. A
         # Kustomize patch to apply to the manifest(s) at the path. If there are multiple manifests, the patch requires
         # the apiVersion, kind, metadata.name, and metadata.namespace (if applicable) fields to be set so Kustomize can
diff --git a/internal/plugin.go b/internal/plugin.go
@@ -573,12 +573,12 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			}
 
 			// If the manifests are consolidated to a single ConfigurationPolicy object, don't set
-			// the evaluation interval per manifest.
+			// ConfigurationPolicy options per manifest.
 			if policy.ConsolidateManifests {
 				continue
 			}
 
-			// Only use the policy's evaluationInterval value when it's not explicitly set in the manifest.
+			// Only use the policy's ConfigurationPolicyOptions values when they're not explicitly set in the manifest.
 			if manifest.EvaluationInterval.Compliant == "" {
 				set := isEvaluationIntervalSetManifest(unmarshaledConfig, i, j, "compliant")
 				if !set {
@@ -593,9 +593,23 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 				}
 			}
 
+			selector := manifest.NamespaceSelector
+			if selector.Exclude != nil || selector.Include != nil ||
+				selector.MatchLabels != nil || selector.MatchExpressions != nil {
+				manifest.NamespaceSelector = policy.NamespaceSelector
+			}
+
+			if manifest.RemediationAction == "" && policy.RemediationAction != "" {
+				manifest.RemediationAction = policy.RemediationAction
+			}
+
 			if manifest.PruneObjectBehavior == "" && policy.PruneObjectBehavior != "" {
 				manifest.PruneObjectBehavior = policy.PruneObjectBehavior
 			}
+
+			if manifest.Severity == "" && manifest.Severity != "" {
+				manifest.Severity = policy.Severity
+			}
 		}
 
 		for _, plcsetInPlc := range policy.PolicySets {
@@ -800,25 +814,37 @@ func (p *Plugin) assertValidConfig() error {
 				return err
 			}
 
+			evalInterval := manifest.EvaluationInterval
+
 			// Verify that consolidated manifests don't specify fields
 			// that can't be overridden at the objectTemplate level
-			if policy.ConsolidateManifests && manifest.PruneObjectBehavior != "" {
-				return fmt.Errorf(
-					"the policy %s has the pruneObjectBehavior value set on manifest[%d] but "+
-						"consolidateManifests is true",
-					policy.Name,
-					j,
+			if policy.ConsolidateManifests {
+				errorMsgFmt := fmt.Sprintf(
+					"the policy %s has the %%s value set on manifest[%d] but consolidateManifests is true",
+					policy.Name, j,
 				)
-			}
 
-			evalInterval := &manifest.EvaluationInterval
-			if policy.ConsolidateManifests && (evalInterval.Compliant != "" || evalInterval.NonCompliant != "") {
-				return fmt.Errorf(
-					"the policy %s has the evaluationInterval value set on manifest[%d] but "+
-						"consolidateManifests is true",
-					policy.Name,
-					j,
-				)
+				if evalInterval.Compliant != "" || evalInterval.NonCompliant != "" {
+					return fmt.Errorf(errorMsgFmt, "evaluationInterval")
+				}
+
+				selector := manifest.NamespaceSelector
+				if selector.Exclude != nil || selector.Include != nil ||
+					selector.MatchLabels != nil || selector.MatchExpressions != nil {
+					return fmt.Errorf(errorMsgFmt, "namespaceSelector")
+				}
+
+				if manifest.PruneObjectBehavior != "" {
+					return fmt.Errorf(errorMsgFmt, "pruneObjectBehavior")
+				}
+
+				if manifest.RemediationAction != "" {
+					return fmt.Errorf(errorMsgFmt, "remediationAction")
+				}
+
+				if manifest.Severity != "" {
+					return fmt.Errorf(errorMsgFmt, "severity")
+				}
 			}
 
 			if evalInterval.Compliant != "" && evalInterval.Compliant != "never" {
diff --git a/internal/plugin_config_test.go b/internal/plugin_config_test.go
@@ -1030,6 +1030,30 @@ func TestConfigInvalidManifestKey(t *testing.T) {
 			`the policy policy-app has the pruneObjectBehavior value set` +
 				` on manifest[0] but consolidateManifests is true`,
 		},
+		"namespaceSelector specified in manifest": {
+			"namespaceSelector",
+			"",
+			"",
+			`{"include": ["test"]}`,
+			`the policy policy-app has the namespaceSelector value set` +
+				` on manifest[0] but consolidateManifests is true`,
+		},
+		"remediationAction specified in manifest": {
+			"remediationAction",
+			"",
+			"",
+			"enforce",
+			`the policy policy-app has the remediationAction value set` +
+				` on manifest[0] but consolidateManifests is true`,
+		},
+		"severity specified in manifest": {
+			"severity",
+			"",
+			"",
+			"critical",
+			`the policy policy-app has the severity value set` +
+				` on manifest[0] but consolidateManifests is true`,
+		},
 	}
 
 	for testName, test := range tests {
diff --git a/internal/plugin_test.go b/internal/plugin_test.go
@@ -2,6 +2,7 @@
 package internal
 
 import (
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"path"
@@ -10,6 +11,7 @@ import (
 	"strings"
 	"testing"
 
+	"gopkg.in/yaml.v3"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"open-cluster-management.io/ocm-kustomize-generator-plugins/internal/types"
 )
@@ -185,6 +187,108 @@ subjects:
 	assertEqual(t, string(output), expected)
 }
 
+func TestConfigManifestKeyOverride(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	tests := map[string]struct {
+		// Individual values can't be used for compliant/noncompliant since an empty string means
+		// to not inherit from the policy defaults.
+		keyName     string
+		defaultKey  string
+		policyKey   string
+		manifestKey string
+	}{
+		"pruneObjectBehavior specified in manifest": {
+			"pruneObjectBehavior",
+			"None",
+			"DeleteIfCreated",
+			`"DeleteAll"`,
+		},
+		"namespaceSelector specified in manifest": {
+			"namespaceSelector",
+			`{"matchLabels":{"name":"test"}}`,
+			`{"exclude":["test"]}`,
+			`{"include":["test"]}`,
+		},
+		"remediationAction specified in manifest": {
+			"remediationAction",
+			"inform",
+			"inform",
+			`"enforce"`,
+		},
+		"severity specified in manifest": {
+			"severity",
+			"low",
+			"medium",
+			`"critical"`,
+		},
+	}
+
+	for testName, test := range tests {
+		test := test
+
+		t.Run(
+			testName,
+			func(t *testing.T) {
+				t.Parallel()
+				config := fmt.Sprintf(`
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+  name: policy-generator-name
+policyDefaults:
+  namespace: my-policies
+  consolidateManifests: false
+  %s: %s
+policies:
+- name: policy-app
+  %s: %s
+  manifests:
+    - path: %s
+      %s: %s
+`,
+					test.keyName, test.defaultKey,
+					test.keyName, test.policyKey,
+					path.Join(tmpDir, "configmap.yaml"),
+					test.keyName, test.manifestKey,
+				)
+
+				p := Plugin{}
+				err := p.Config([]byte(config), tmpDir)
+				if err != nil {
+					t.Fatal("Unexpected error", err)
+				}
+
+				assertEqual(t, p.Policies[0].ConsolidateManifests, false)
+
+				output, err := p.Generate()
+				if err != nil {
+					t.Fatal("Failed to generate policies from PolicyGenerator manifest", err)
+				}
+
+				var policyObj map[string]interface{}
+				err = yaml.Unmarshal(output, &policyObj)
+				if err != nil {
+					t.Fatal("Failed to unmarshal object", err)
+				}
+
+				policyTemplate := policyObj["spec"].(map[string]interface{})["policy-templates"].([]interface{})[0]
+				objectDef := policyTemplate.(map[string]interface{})["objectDefinition"].(map[string]interface{})
+				configSpec := objectDef["spec"].(map[string]interface{})
+
+				jsonConfig, err := json.Marshal(configSpec[test.keyName])
+				if err != nil {
+					t.Fatal("Failed to marshal policy to JSON", err)
+				}
+
+				assertEqual(t, string(jsonConfig), test.manifestKey)
+			},
+		)
+	}
+}
+
 func TestGeneratePolicyExisingPlacementRuleName(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()
diff --git a/internal/utils.go b/internal/utils.go
@@ -208,10 +208,8 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 					policyConf,
 					len(policyTemplates)+1,
 					&[]map[string]interface{}{objTemplate},
-					&policyConf.Manifests[i].EvaluationInterval,
-					policyConf.Manifests[i].PruneObjectBehavior,
+					policyConf.Manifests[i].ConfigurationPolicyOptions,
 				)
-				setNamespaceSelector(policyConf, policyTemplate)
 				policyTemplates = append(policyTemplates, *policyTemplate)
 			}
 		}
@@ -230,10 +228,8 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 			policyConf,
 			1,
 			&objectTemplates,
-			&policyConf.EvaluationInterval,
-			policyConf.PruneObjectBehavior,
+			policyConf.ConfigurationPolicyOptions,
 		)
-		setNamespaceSelector(policyConf, policyTemplate)
 		policyTemplates = append(policyTemplates, *policyTemplate)
 	}
 
@@ -266,13 +262,16 @@ func isPolicyTypeManifest(manifest map[string]interface{}) (bool, error) {
 }
 
 // setNamespaceSelector sets the namespace selector, if set, on the input policy template.
-func setNamespaceSelector(policyConf *types.PolicyConfig, policyTemplate *map[string]map[string]interface{}) {
+func setNamespaceSelector(
+	policyConf types.ConfigurationPolicyOptions,
+	policyTemplate map[string]map[string]interface{},
+) {
 	selector := policyConf.NamespaceSelector
 	if selector.Exclude != nil ||
 		selector.Include != nil ||
 		selector.MatchLabels != nil ||
 		selector.MatchExpressions != nil {
-		spec := (*policyTemplate)["objectDefinition"]["spec"].(map[string]interface{})
+		spec := policyTemplate["objectDefinition"]["spec"].(map[string]interface{})
 		spec["namespaceSelector"] = selector
 	}
 }
@@ -306,8 +305,7 @@ func buildPolicyTemplate(
 	policyConf *types.PolicyConfig,
 	policyNum int,
 	objectTemplates *[]map[string]interface{},
-	evaluationInterval *types.EvaluationInterval,
-	pruneObjectBehavior string,
+	configPolicyOptionsOverrides types.ConfigurationPolicyOptions,
 ) *map[string]map[string]interface{} {
 	var name string
 	if policyNum > 1 {
@@ -331,16 +329,18 @@ func buildPolicyTemplate(
 		},
 	}
 
+	// Set NamespaceSelector with policy configuration
+	setNamespaceSelector(policyConf.ConfigurationPolicyOptions, policyTemplate)
+
 	if len(policyConf.ConfigurationPolicyAnnotations) > 0 {
 		metadata := policyTemplate["objectDefinition"]["metadata"].(map[string]interface{})
 		metadata["annotations"] = policyConf.ConfigurationPolicyAnnotations
 	}
 
-	if pruneObjectBehavior != "" {
-		configSpec := policyTemplate["objectDefinition"]["spec"].(map[string]interface{})
-		configSpec["pruneObjectBehavior"] = policyConf.PruneObjectBehavior
-	}
+	configSpec := policyTemplate["objectDefinition"]["spec"].(map[string]interface{})
 
+	// Set EvaluationInterval with manifest overrides
+	evaluationInterval := configPolicyOptionsOverrides.EvaluationInterval
 	if evaluationInterval.Compliant != "" || evaluationInterval.NonCompliant != "" {
 		evalInterval := map[string]interface{}{}
 
@@ -352,7 +352,25 @@ func buildPolicyTemplate(
 			evalInterval["noncompliant"] = evaluationInterval.NonCompliant
 		}
 
-		policyTemplate["objectDefinition"]["spec"].(map[string]interface{})["evaluationInterval"] = evalInterval
+		configSpec["evaluationInterval"] = evalInterval
+	}
+
+	// Set NamespaceSelector with manifest overrides
+	setNamespaceSelector(configPolicyOptionsOverrides, policyTemplate)
+
+	// Set PruneObjectBehavior with manifest overrides
+	if configPolicyOptionsOverrides.PruneObjectBehavior != "" {
+		configSpec["pruneObjectBehavior"] = configPolicyOptionsOverrides.PruneObjectBehavior
+	}
+
+	// Set RemediationAction with manifest overrides
+	if configPolicyOptionsOverrides.RemediationAction != "" {
+		configSpec["remediationAction"] = configPolicyOptionsOverrides.RemediationAction
+	}
+
+	// Set Severity with manifest overrides
+	if configPolicyOptionsOverrides.Severity != "" {
+		configSpec["severity"] = configPolicyOptionsOverrides.Severity
 	}
 
 	return &policyTemplate
