diff --git a/cmd/cli/kubectl-kyverno/processor/generate.go b/cmd/cli/kubectl-kyverno/processor/generate.go
index d3d9ce252f..d95d708e6a 100644
--- a/cmd/cli/kubectl-kyverno/processor/generate.go
+++ b/cmd/cli/kubectl-kyverno/processor/generate.go
@@ -2,6 +2,7 @@ package processor
 import (
 "fmt"
+ "strings"
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
@@ -17,6 +18,8 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/jmespath"
 "github.com/kyverno/kyverno/pkg/imageverifycache"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/util/sets"
 )
 func handleGeneratePolicy(generateResponse *engineapi.EngineResponse, policyContext engine.PolicyContext, ruleToCloneSourceResource map[string]string) ([]engineapi.RuleResponse, error) {
@@ -84,7 +87,12 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 fmt.Printf("Failed to mock dynamic client")
 return nil, err
 }
- client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
+ gvrs := sets.New[schema.GroupVersionResource]()
+ for _, object := range objects {
+ gvk := object.GetObjectKind().GroupVersionKind()
+ gvrs.Insert(gvk.GroupVersion().WithResource(strings.ToLower(gvk.Kind) + "s"))
+ }
+ client.SetDiscovery(dclient.NewFakeDiscoveryClient(gvrs.UnsortedList()))
 cfg := config.NewDefaultConfiguration(false)
 c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
 cfg,
diff --git a/pkg/clients/dclient/fake.go b/pkg/clients/dclient/fake.go
index 0c0b8180e7..89d71c7dfb 100644
--- a/pkg/clients/dclient/fake.go
+++ b/pkg/clients/dclient/fake.go
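Review bot: In the `@@ -84,7 +87,12 @@` hunk of initializeMockController, the resource name registered with the fake discovery client is guessed as `strings.ToLower(gvk.Kind) + "s"`, which is wrong for any kind that does not pluralise by appending an s (NetworkPolicy, Ingress, Endpoints). getGVR in pkg/clients/dclient/fake.go appears to resolve by resource name and returns "not found" otherwise, so a generate/clone rule targeting such a kind would presumably fail under the CLI test while working against a cluster, and the CLI verdict stops being a dependable pre-merge check for those policies. apimachinery already carries the usual heuristic: `plural, _ := meta.UnsafeGuessKindToResource(gvk)` then `gvrs.Insert(plural)`, with `k8s.io/apimachinery/pkg/api/meta` imported. Objects without TypeMeta would yield an empty Kind and register a resource named `s`, so an `if gvk.Empty() { continue }` guard is worth adding; the fixture added in this commit only covers ExternalSecret, whose plural happens to match the guess. The function body starts and ends outside the hunk.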
@@ -65,7 +65,7 @@ func (c *fakeDiscoveryClient) getGVR(resource string) (schema.GroupVersionResour
 return gvr, nil
 }
 }
- return schema.GroupVersionResource{}, errors.New("no found")
+ return schema.GroupVersionResource{}, errors.New("not found")
 }
 func (c *fakeDiscoveryClient) GetGVKFromGVR(schema.GroupVersionResource) (schema.GroupVersionKind, error) {
diff --git a/test/cli/test-generate/custom-resource/clone-secret.yaml b/test/cli/test-generate/custom-resource/clone-secret.yaml
new file mode 100644
index 0000000000..b6859c56f8
--- /dev/null
+++ b/test/cli/test-generate/custom-resource/clone-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: devops-docker-pull-image-secret
+ namespace: default
+spec:
+ data:
+ - remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: secrets/devops-docker-pull-image-secret
+ property: dockerconfigjson
+ secretKey: .dockerconfigjson
+ refreshInterval: 10s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: devops-docker-pull-image-secret
\ No newline at end of file
diff --git a/test/cli/test-generate/custom-resource/gen-secret.yaml b/test/cli/test-generate/custom-resource/gen-secret.yaml
new file mode 100644
index 0000000000..9728b1f796
--- /dev/null
+++ b/test/cli/test-generate/custom-resource/gen-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: devops-docker-pull-image-secret
+ namespace: test-ns
+spec:
+ data:
+ - remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: secrets/devops-docker-pull-image-secret
+ property: dockerconfigjson
+ secretKey: .dockerconfigjson
+ refreshInterval: 10s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: devops-docker-pull-image-secret
\ No newline at end of file
diff --git a/test/cli/test-generate/custom-resource/kyverno-test.yaml b/test/cli/test-generate/custom-resource/kyverno-test.yaml
new file mode 100644
index 0000000000..c186704a59
--- /dev/null
+++ b/test/cli/test-generate/custom-resource/kyverno-test.yaml
@@ -0,0 +1,14 @@
+name: generate-tests
+policies:
+- policy.yaml
+resources:
+- resource.yaml
+results:
+- cloneSourceResource: clone-secret.yaml
+ generatedResource: gen-secret.yaml
+ kind: Namespace
+ policy: sync-pull-image-secrets
+ resources:
+ - test-ns
+ result: pass
+ rule: sync-image-pull-secret
diff --git a/test/cli/test-generate/custom-resource/policy.yaml b/test/cli/test-generate/custom-resource/policy.yaml
new file mode 100644
index 0000000000..d9e6768af1
--- /dev/null
+++ b/test/cli/test-generate/custom-resource/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-pull-image-secrets
+ annotations:
+ policies.kyverno.io/title: Sync pull image secrets
+ policies.kyverno.io/category: Secrets
+ policies.kyverno.io/severity: low
+ policies.kyverno.io/subject: secret
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ Copies the pullSecret ESO resources into all namespaces
+ this will mean we're never missing the secret when we need it.
+spec:
+ rules:
+ - name: sync-image-pull-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: external-secrets.io/v1beta1
+ kind: ExternalSecret
+ name: devops-docker-pull-image-secret
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: devops-docker-pull-image-secret
\ No newline at end of file
diff --git a/test/cli/test-generate/custom-resource/resource.yaml b/test/cli/test-generate/custom-resource/resource.yaml
new file mode 100644
index 0000000000..40de771728
--- /dev/null
+++ b/test/cli/test-generate/custom-resource/resource.yaml
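Review bot: The rule in policy.yaml matches every `Namespace` with no `exclude` block or selector, so the registry pull-credential ExternalSecret is cloned wherever the rule fires, and nothing in the file says this breadth is deliberate test data rather than a recommended scope. The `policies.kyverno.io/subject: secret` annotation names a different kind from the `ExternalSecret` the rule generates, and the description is a run-on (`...into all namespaces this will mean...`). A header comment such as `# Test fixture for CLI generate/clone of a custom resource; intentionally matches all namespaces.` plus `policies.kyverno.io/subject: ExternalSecret` would make the intent clear to anyone who copies the file as a starting point.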
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-ns
\ No newline at end of file