fix patches

pkg/engine/patches.go

@@ -35,7 +35,7 @@ func processPatches(rule kyverno.Rule, resource []byte) (allPatches [][]byte, er
 			continue
 		}
 
-		patchedDocument, err = applyPatch(patchedDocument, patchRaw)
+		patchedDocument, err = ApplyPatchNew(patchedDocument, patchRaw)
 		// TODO: continue on error if one of the patches fails, will add the failure event in such case
 		if patch.Operation == "remove" {
 			glog.Info(err)
@@ -91,7 +91,9 @@ func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) {
 
 //ApplyPatchNew ...
 func ApplyPatchNew(resource, patch []byte) ([]byte, error) {
-	jsonpatch, err := jsonpatch.DecodePatch(patch)
+	patchesList := [][]byte{patch}
+	joinedPatches := JoinPatches(patchesList)
+	jsonpatch, err := jsonpatch.DecodePatch(joinedPatches)
 	if err != nil {
 		return nil, err
 	}
@@ -133,7 +135,7 @@ func processPatchesNew(rule kyverno.Rule, resource unstructured.Unstructured) (r
 			errs = append(errs, err)
 			continue
 		}
-		patchResource, err := ApplyPatchNew(resourceRaw, patchRaw)
+		patchResource, err := applyPatch(resourceRaw, patchRaw)
 		// TODO: continue on error if one of the patches fails, will add the failure event in such case
 		if err != nil && patch.Operation == "remove" {
 			glog.Info(err)

pkg/engine/response.go

@@ -84,7 +84,7 @@ func (er EngineResponseNew) IsSuccesful() bool {
 }
 
 //GetPatches returns all the patches joined
-func (er EngineResponseNew) GetPatches() []byte {
+func (er EngineResponseNew) GetPatches() [][]byte {
 	var patches [][]byte
 	for _, r := range er.PolicyResponse.Rules {
 		if r.Patches != nil {
@@ -92,7 +92,7 @@ func (er EngineResponseNew) GetPatches() []byte {
 		}
 	}
 	// join patches
-	return JoinPatches(patches)
+	return patches
 }
 
 //GetFailedRules returns failed rules

pkg/policy/apply.go

@@ -89,7 +89,7 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 
 	// resource does not match so there was a mutation rule violated
 	for index, rule := range engineResponse.PolicyResponse.Rules {
-		glog.V(4).Info("veriying if policy %s rule %s was applied before to resource %s/%s/%s", engineResponse.PolicyResponse.Policy, rule.Name, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
+		glog.V(4).Infof("veriying if policy %s rule %s was applied before to resource %s/%s/%s", engineResponse.PolicyResponse.Policy, rule.Name, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
 		if len(rule.Patches) == 0 {
 			continue
 		}
@@ -110,7 +110,7 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 		if !jsonpatch.Equal(patchedResource, rawResource) {
 			glog.V(4).Infof("policy %s rule %s condition not satisifed by existing resource", engineResponse.PolicyResponse.Policy, rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
-			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("rule not satisfied by existing resource. %s", rule.Message)
+			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("rule not satisfied by existing resource.")
 		}
 	}
 	return engineResponse, nil

pkg/policyviolation/helpers.go

@@ -99,7 +99,7 @@ func CreatePV(pvLister kyvernolister.PolicyViolationLister, client *kyvernoclien
 			continue
 		}
 		if curPv == nil {
-			glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", curPv.Spec.Policy, curPv.Spec.ResourceSpec.Kind, curPv.Spec.ResourceSpec.Namespace, curPv.Spec.ResourceSpec.Name)
+			glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name)
 			// no existing policy violation, create a new one
 			_, err := client.KyvernoV1alpha1().PolicyViolations().Create(&newPv)
 			if err != nil {

pkg/webhooks/annotations.go

@@ -45,14 +45,14 @@ func generateAnnotationPatches(annotations map[string]string, policyResponse eng
 	if _, ok := annotations[policyAnnotation]; ok {
 		// create update patch string
 		patchResponse = response{
-			Op:    "replace",
 			Path:  "/metadata/annotations/" + policyAnnotation,
+			Op:    "replace",
 			Value: string(value),
 		}
 	} else {
 		patchResponse = response{
-			Op:    "add",
 			Path:  "/metadata/annotations",
+			Op:    "add",
 			Value: map[string]string{policyAnnotation: string(value)},
 		}
 	}

pkg/webhooks/mutation.go

@@ -75,7 +75,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) (bool
 			continue
 		}
 		// gather patches
-		patches = append(patches, engineResponse.GetPatches())
+		patches = append(patches, engineResponse.GetPatches()...)
 		// generate annotations
 		if annPatches := generateAnnotationPatches(resource.GetAnnotations(), engineResponse.PolicyResponse); annPatches != nil {
 			patches = append(patches, annPatches)

pkg/webhooks/utils.go

@@ -129,9 +129,10 @@ func processResourceWithPatches(patch []byte, resource []byte) []byte {
 	if patch == nil {
 		return nil
 	}
+	glog.Info(string(resource))
 	resource, err := engine.ApplyPatchNew(resource, patch)
 	if err != nil {
-		glog.Error("failed to patch resource: %v", err)
+		glog.Errorf("failed to patch resource: %v", err)
 		return nil
 	}
 	return resource