fix: Testing a generate rule for a custom resource fails (#8373)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 18:38:40 +00:00 · 2023-09-13 10:45:40 +02:00 · 2023-09-13 10:45:40 +02:00 · c88f8e8638
commit c88f8e8638
parent b4c669b32a
7 changed files with 100 additions and 2 deletions
--- a/cmd/cli/kubectl-kyverno/processor/generate.go
+++ b/cmd/cli/kubectl-kyverno/processor/generate.go
@ -2,6 +2,7 @@ package processor

 import (
 	"fmt"
+	"strings"

 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
@ -17,6 +18,8 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/imageverifycache"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
 )

 func handleGeneratePolicy(generateResponse *engineapi.EngineResponse, policyContext engine.PolicyContext, ruleToCloneSourceResource map[string]string) ([]engineapi.RuleResponse, error) {
@ -84,7 +87,12 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 		fmt.Printf("Failed to mock dynamic client")
 		return nil, err
 	}
-	client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
+	gvrs := sets.New[schema.GroupVersionResource]()
+	for _, object := range objects {
+		gvk := object.GetObjectKind().GroupVersionKind()
+		gvrs.Insert(gvk.GroupVersion().WithResource(strings.ToLower(gvk.Kind) + "s"))
+	}
+	client.SetDiscovery(dclient.NewFakeDiscoveryClient(gvrs.UnsortedList()))
 	cfg := config.NewDefaultConfiguration(false)
 	c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
 		cfg,
--- a/pkg/clients/dclient/fake.go
+++ b/pkg/clients/dclient/fake.go
@ -65,7 +65,7 @@ func (c *fakeDiscoveryClient) getGVR(resource string) (schema.GroupVersionResour
 			return gvr, nil
 		}
 	}
-	return schema.GroupVersionResource{}, errors.New("no found")
+	return schema.GroupVersionResource{}, errors.New("not found")
 }

 func (c *fakeDiscoveryClient) GetGVKFromGVR(schema.GroupVersionResource) (schema.GroupVersionKind, error) {
--- a/test/cli/test-generate/custom-resource/clone-secret.yaml
+++ b/test/cli/test-generate/custom-resource/clone-secret.yaml
@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: devops-docker-pull-image-secret
+  namespace: default
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: secrets/devops-docker-pull-image-secret
+      property: dockerconfigjson
+    secretKey: .dockerconfigjson
+  refreshInterval: 10s
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: devops-docker-pull-image-secret
--- a/test/cli/test-generate/custom-resource/gen-secret.yaml
+++ b/test/cli/test-generate/custom-resource/gen-secret.yaml
@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: devops-docker-pull-image-secret
+  namespace: test-ns
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: secrets/devops-docker-pull-image-secret
+      property: dockerconfigjson
+    secretKey: .dockerconfigjson
+  refreshInterval: 10s
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: devops-docker-pull-image-secret
--- a/test/cli/test-generate/custom-resource/kyverno-test.yaml
+++ b/test/cli/test-generate/custom-resource/kyverno-test.yaml
@ -0,0 +1,14 @@
+name: generate-tests
+policies:
+- policy.yaml
+resources:
+- resource.yaml
+results:
+- cloneSourceResource: clone-secret.yaml
+  generatedResource: gen-secret.yaml
+  kind: Namespace
+  policy: sync-pull-image-secrets
+  resources:
+  - test-ns
+  result: pass
+  rule: sync-image-pull-secret
--- a/test/cli/test-generate/custom-resource/policy.yaml
+++ b/test/cli/test-generate/custom-resource/policy.yaml
@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-pull-image-secrets
+  annotations:
+    policies.kyverno.io/title: Sync pull image secrets
+    policies.kyverno.io/category: Secrets
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/subject: secret
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      Copies the pullSecret ESO resources into all namespaces
+      this will mean we're never missing the secret when we need it.         
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: external-secrets.io/v1beta1
+      kind: ExternalSecret
+      name: devops-docker-pull-image-secret
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: devops-docker-pull-image-secret
--- a/test/cli/test-generate/custom-resource/resource.yaml
+++ b/test/cli/test-generate/custom-resource/resource.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-ns