substitute variables in context.configMap

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

pkg/engine/jsonContext.go

@@ -32,7 +32,7 @@ func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resC
 
 	for _, entry := range contextEntries {
 		if entry.ConfigMap != nil {
-			if err := loadConfigMap(entry, lister, ctx.JSONContext); err != nil {
+			if err := loadConfigMap(logger, entry, lister, ctx.JSONContext); err != nil {
 				return err
 			}
 		} else if entry.APICall != nil {
@@ -90,7 +90,7 @@ func applyJMESPath(jmesPath string, jsonData []byte) (interface{}, error) {
 	var data interface{}
 	err = json.Unmarshal(jsonData, &data)
 	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshall JSON: %s, error: %v", string(jsonData), err)
+		return nil, fmt.Errorf("failed to unmarshal JSON: %s, error: %v", string(jsonData), err)
 	}
 
 	return jp.Search(data)
@@ -151,24 +151,33 @@ func loadResource(ctx *PolicyContext, p *APIPath) ([]byte, error) {
 	return r.MarshalJSON()
 }
 
-func loadConfigMap(entry kyverno.ContextEntry, lister dynamiclister.Lister, ctx *context.Context) error {
-	data, err := fetchConfigMap(entry, lister)
+func loadConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynamiclister.Lister, ctx *context.Context) error {
+	data, err := fetchConfigMap(logger, entry, lister, ctx)
 	if err != nil {
-		return fmt.Errorf("failed to retrieve config map for context entry %v: %v", entry, err)
+		return fmt.Errorf("failed to retrieve config map for context entry %s: %v", entry.Name, err)
 	}
 
 	err = ctx.AddJSON(data)
 	if err != nil {
-		return fmt.Errorf("failed to add config map for context entry %v: %v", entry, err)
+		return fmt.Errorf("failed to add config map for context entry %s: %v", entry.Name, err)
 	}
 
 	return nil
 }
 
-func fetchConfigMap(entry kyverno.ContextEntry, lister dynamiclister.Lister) ([]byte, error) {
+func fetchConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynamiclister.Lister, jsonContext *context.Context) ([]byte, error) {
 	contextData := make(map[string]interface{})
-	name := entry.ConfigMap.Name
-	namespace := entry.ConfigMap.Namespace
+
+	name, err := variables.SubstituteVars(logger, jsonContext, entry.ConfigMap.Name)
+	if err != nil {
+		return nil, fmt.Errorf("failed to substitute variables in context %s configMap.name %s: %v", entry.Name, entry.ConfigMap.Name, err)
+	}
+
+	namespace, err := variables.SubstituteVars(logger, jsonContext, entry.ConfigMap.Namespace)
+	if err != nil {
+		return nil, fmt.Errorf("failed to substitute variables in context %s configMap.namespace %s: %v", entry.Name, entry.ConfigMap.Namespace, err)
+	}
+
 	if namespace == "" {
 		namespace = "default"
 	}

pkg/policy/background.go

@@ -41,56 +41,56 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 				ctx.AddBuiltInVars(contextEntry.Name)
 
 				if _, err = variables.SubstituteVars(log.Log, ctx, contextEntry.ConfigMap.Name); !checkNotFoundErr(err) {
-					return fmt.Errorf("invalid variable used at spec/rules[%d]/context[%d]/configMap/name", idx, contextIdx)
+					return fmt.Errorf("invalid variable used at spec/rules[%d]/context[%d]/configMap/name: %s", idx, contextIdx, err.Error())
 				}
 
 				if _, err = variables.SubstituteVars(log.Log, ctx, contextEntry.ConfigMap.Namespace); !checkNotFoundErr(err) {
-					return fmt.Errorf("invalid variable used at spec/rules[%d]/context[%d]/configMap/namespace", idx, contextIdx)
+					return fmt.Errorf("invalid variable used at spec/rules[%d]/context[%d]/configMap/namespace: %s", idx, contextIdx, err.Error())
 				}
 			}
 		}
 
 		for condIdx, condition := range rule.Conditions {
 			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); !checkNotFoundErr(err) {
-				return fmt.Errorf("invalid variable %v used at spec/rules[%d]/condition[%d]/key", condition.Key, idx, condIdx)
+				return fmt.Errorf("invalid variable %v used at spec/rules[%d]/condition[%d]/key: %s", condition.Key, idx, condIdx, err.Error())
 			}
 
 			if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); !checkNotFoundErr(err) {
-				return fmt.Errorf("invalid %v variable used at spec/rules[%d]/condition[%d]/value: %v", condition.Value, idx, condIdx, err)
+				return fmt.Errorf("invalid %v variable used at spec/rules[%d]/condition[%d]/value: %s", condition.Value, idx, condIdx, err.Error())
 			}
 		}
 
 		if rule.Mutation.Overlay != nil {
 			if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); !checkNotFoundErr(err) {
-				return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/overlay", idx)
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/overlay: %s", idx, err.Error())
 			}
 		}
 
 		if rule.Mutation.PatchStrategicMerge != nil {
 			if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.PatchStrategicMerge); !checkNotFoundErr(err) {
-				return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/patchStrategicMerge", idx)
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/patchStrategicMerge: %s", idx, err.Error())
 			}
 		}
 
 		if rule.Validation.Pattern != nil {
 			if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); !checkNotFoundErr(err) {
-				return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/pattern: %v", idx, err)
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/pattern: %s", idx, err.Error())
 			}
 		}
 
 		anyPattern, err := rule.Validation.DeserializeAnyPattern()
 		if err != nil {
-			return fmt.Errorf("failed to deserialize anyPattern, expect array: %v", err)
+			return fmt.Errorf("failed to deserialize anyPattern, expect array: %s", err.Error())
 		}
 
 		for idx2, pattern := range anyPattern {
 			if anyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); !checkNotFoundErr(err) {
-				return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2)
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/anyPattern[%d]: %s", idx, idx2, err.Error())
 			}
 		}
 
 		if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Message); !checkNotFoundErr(err) {
-			return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/message", idx)
+			return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/message: %s", idx, err.Error())
 		}
 
 		if rule.Validation.Deny != nil {

pkg/utils/util.go

@@ -3,9 +3,10 @@ package utils
 import (
 	"fmt"
 	"regexp"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 	"strconv"
 
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
 	"github.com/go-logr/logr"
 	client "github.com/kyverno/kyverno/pkg/dclient"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
@@ -122,6 +123,11 @@ func ConvertResource(raw []byte, group, version, kind, namespace string) (unstru
 	}
 
 	obj.SetGroupVersionKind(schema.GroupVersionKind{Group: group, Version: version, Kind: kind})
+
+	if namespace != "" {
+		obj.SetNamespace(namespace)
+	}
+
 	return *obj, nil
 }