From 1331209b19e1df31f1ea6fd19281635ec5877788 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Wed, 25 Sep 2024 16:11:43 +0300
Subject: [PATCH] feat: add dumpPatch flag (#11237)

Signed-off-by: Mariam Fahmy
---
 charts/kyverno/README.md | 1 +
 charts/kyverno/templates/_helpers.tpl | 3 +++
 .../kyverno/templates/admission-controller/deployment.yaml | 1 +
 charts/kyverno/values.yaml | 3 +++
 cmd/kyverno/main.go | 1 +
 config/install-latest-testing.yaml | 1 +
 pkg/toggle/context.go | 5 +++++
 pkg/toggle/toggle.go | 6 ++++++
 pkg/webhooks/resource/mutation/mutation.go | 5 ++++-
 9 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index c2c6252f5c..05ff636c0c 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -337,6 +337,7 @@ The chart values are organised per component.
 | features.dumpPayload.enabled | bool | `false` | Enables the feature |
 | features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
 | features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature |
+| features.dumpPatches.enabled | bool | `false` | Enables the feature |
 | features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) |
 | features.logging.format | string | `"text"` | Logging format |
 | features.logging.verbosity | int | `2` | Logging verbosity |
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl
index fad87db354..8461348dd9 100644
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@@ -49,6 +49,9 @@
 {{- with .generateValidatingAdmissionPolicy -}}
 {{- $flags = append $flags (print "--generateValidatingAdmissionPolicy=" .enabled) -}}
 {{- end -}}
+{{- with .dumpPatches -}}
+ {{- $flags = append $flags (print "--dumpPatches=" .enabled) -}}
+{{- end -}}
 {{- with .globalContext -}}
 {{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}}
 {{- end -}}
diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml
index d145037ef8..a8ab117c93 100644
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@@ -181,6 +181,7 @@ spec:
 "dumpPayload"
 "forceFailurePolicyIgnore"
 "generateValidatingAdmissionPolicy"
+ "dumpPatches"
 "globalContext"
 "logging"
 "omitEvents"
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 8201aa9e9f..6e3b39b0c5 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -661,6 +661,9 @@ features:
 generateValidatingAdmissionPolicy:
 # -- Enables the feature
 enabled: false
+ dumpPatches:
+ # -- Enables the feature
+ enabled: false
 globalContext:
 # -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
 maxApiCallResponseLength: 2000000
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index ab539809a0..1a707061e7 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
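Review bot: The chart comment added for `features.dumpPatches.enabled` in charts/kyverno/values.yaml says only "Enables the feature", which gives an operator no hint that switching it on writes the generated mutate patches to the admission controller log. Patches are derived from the admitted resource, so they may carry resource data into the logging pipeline, and the comment is the place to say so, e.g. `# -- Logs the patches generated by mutate rules (may include resource data; intended for debugging)`. The matching README row in this commit repeats the same text and would presumably be regenerated from this comment.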
@@ -287,6 +287,7 @@ func main() {
 flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
 flagset.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
 flagset.Func(toggle.GenerateValidatingAdmissionPolicyFlagName, toggle.GenerateValidatingAdmissionPolicyDescription, toggle.GenerateValidatingAdmissionPolicy.Parse)
+ flagset.Func(toggle.DumpMutatePatchesFlagName, toggle.DumpMutatePatchesDescription, toggle.DumpMutatePatches.Parse)
 flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
 flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.")
 flagset.IntVar(&webhookServerPort, "webhookServerPort", 9443, "Port used by the webhook server.")
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index be9d67004b..a4c20f13cc 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -50712,6 +50712,7 @@ spec: - --dumpPayload=false - --forceFailurePolicyIgnore=false - --generateValidatingAdmissionPolicy=false + - --dumpPatches=false - --maxAPICallResponseLength=2000000 - --loggingFormat=text - --v=2
diff --git a/pkg/toggle/context.go b/pkg/toggle/context.go
index 44bf0aa091..cc49eca82b 100644
--- a/pkg/toggle/context.go
+++ b/pkg/toggle/context.go
@@ -11,6 +11,7 @@ type Toggles interface {
 ForceFailurePolicyIgnore() bool
 EnableDeferredLoading() bool
 GenerateValidatingAdmissionPolicy() bool
+ DumpMutatePatches() bool
 }
 
 type defaultToggles struct{}
@@ -31,6 +32,10 @@ func (defaultToggles) GenerateValidatingAdmissionPolicy() bool {
 return GenerateValidatingAdmissionPolicy.enabled()
 }
 
+func (defaultToggles) DumpMutatePatches() bool {
+ return DumpMutatePatches.enabled()
+}
+
 type contextKey struct{}
 
 func NewContext(ctx context.Context, toggles Toggles) context.Context {
diff --git a/pkg/toggle/toggle.go b/pkg/toggle/toggle.go
index a0a7c5d12e..71247ce5ac 100644
--- a/pkg/toggle/toggle.go
+++ b/pkg/toggle/toggle.go
@@ -26,6 +26,11 @@ const (
 GenerateValidatingAdmissionPolicyDescription = "Set the flag to 'true', to generate validating admission policies."
 generateValidatingAdmissionPolicyEnvVar = "FLAG_GENERATE_VALIDATING_ADMISSION_POLICY"
 defaultGenerateValidatingAdmissionPolicy = false
+ // dump mutate patches
+ DumpMutatePatchesFlagName = "dumpPatches"
+ DumpMutatePatchesDescription = "Set the flag to 'true', to dump mutate patches."
+ dumpMutatePatchesEnvVar = "FLAG_DUMP_PATCHES"
+ defaultDumpMutatePatches = false
 )
 
 var (
@@ -33,6 +38,7 @@ var (
 ForceFailurePolicyIgnore = newToggle(defaultForceFailurePolicyIgnore, forceFailurePolicyIgnoreEnvVar)
 EnableDeferredLoading = newToggle(defaultEnableDeferredLoading, enableDeferredLoadingEnvVar)
 GenerateValidatingAdmissionPolicy = newToggle(defaultGenerateValidatingAdmissionPolicy, generateValidatingAdmissionPolicyEnvVar)
+ DumpMutatePatches = newToggle(defaultDumpMutatePatches, dumpMutatePatchesEnvVar)
 )
 
 type ToggleFlag interface {
diff --git a/pkg/webhooks/resource/mutation/mutation.go b/pkg/webhooks/resource/mutation/mutation.go
index 4e9ad13a24..16c8a4967e 100644
--- a/pkg/webhooks/resource/mutation/mutation.go
+++ b/pkg/webhooks/resource/mutation/mutation.go
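Review bot: `DumpMutatePatchesDescription` in the pkg/toggle/toggle.go const hunk does not say where the patches are dumped or at which verbosity, and the naming is split: the Go identifiers say DumpMutatePatches while the flag and env var are `dumpPatches` and `FLAG_DUMP_PATCHES`. The mutation.go change in this commit logs the patches at V(2), so a description such as `"Set the flag to 'true', to log generated mutate patches at verbosity 2 (may expose resource contents)."` would tell an operator what they are enabling. The `// dump mutate patches` comment could carry the same caveat. The const block opens above the hunk, so the convention for the earlier toggles is only partly visible here.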
@@ -13,6 +13,7 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/mutate/patch"
 "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/metrics"
+ "github.com/kyverno/kyverno/pkg/toggle"
 "github.com/kyverno/kyverno/pkg/tracing"
 engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
@@ -66,7 +67,9 @@ func (h *mutationHandler) HandleMutation(
 if err != nil {
 return nil, nil, err
 }
- h.log.V(6).Info("", "generated patches", string(mutatePatches))
+ if toggle.FromContext(ctx).DumpMutatePatches() {
+ h.log.V(2).Info("", "generated patches", string(mutatePatches))
+ }
 return mutatePatches, webhookutils.GetWarningMessages(mutateEngineResponses), nil
 }
 
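Review bot: The new branch in HandleMutation writes the complete `string(mutatePatches)` to the log at V(2), which is the chart's default verbosity, so with the flag on every mutated admission request lands in the log with no filtering or redaction. If a policy mutates Secrets, or workloads that carry inline credentials, those values would presumably appear in the patch and flow into whatever collects the controller logs. A comment above the `if` should state that, and the dump could be skipped or redacted for sensitive kinds. The log line also keeps an empty message; `h.log.V(2).Info("generated mutate patches", "patches", string(mutatePatches))` would be easier to find and alert on. The old V(6) line was removed rather than kept, so anyone already running at verbosity 6 loses this output unless they also set the flag. The function body starts above the hunk.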