mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: Testing a generate rule for a custom resource fails (#8373)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-09-13 10:45:40 +02:00 committed by GitHub
parent b4c669b32a
commit c88f8e8638
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 100 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
cmd/cli/kubectl-kyverno/processor/generate.go
View file

@ -2,6 +2,7 @@ package processor
import ( import (
"fmt" "fmt"
"strings"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1" kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
@ -17,6 +18,8 @@ import (
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/imageverifycache" "github.com/kyverno/kyverno/pkg/imageverifycache"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/sets"
) )
func handleGeneratePolicy(generateResponse *engineapi.EngineResponse, policyContext engine.PolicyContext, ruleToCloneSourceResource map[string]string) ([]engineapi.RuleResponse, error) { func handleGeneratePolicy(generateResponse *engineapi.EngineResponse, policyContext engine.PolicyContext, ruleToCloneSourceResource map[string]string) ([]engineapi.RuleResponse, error) {
@ -84,7 +87,12 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
fmt.Printf("Failed to mock dynamic client") fmt.Printf("Failed to mock dynamic client")
return nil, err return nil, err
} }
client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil)) gvrs := sets.New[schema.GroupVersionResource]()
for _, object := range objects {
gvk := object.GetObjectKind().GroupVersionKind()
gvrs.Insert(gvk.GroupVersion().WithResource(strings.ToLower(gvk.Kind) + "s"))
}
client.SetDiscovery(dclient.NewFakeDiscoveryClient(gvrs.UnsortedList()))
cfg := config.NewDefaultConfiguration(false) cfg := config.NewDefaultConfiguration(false)
c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine( c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
cfg, cfg,

2
pkg/clients/dclient/fake.go
View file

@ -65,7 +65,7 @@ func (c *fakeDiscoveryClient) getGVR(resource string) (schema.GroupVersionResour
return gvr, nil return gvr, nil
} }
} }
return schema.GroupVersionResource{}, errors.New("no found") return schema.GroupVersionResource{}, errors.New("not found")
} }
func (c *fakeDiscoveryClient) GetGVKFromGVR(schema.GroupVersionResource) (schema.GroupVersionKind, error) { func (c *fakeDiscoveryClient) GetGVKFromGVR(schema.GroupVersionResource) (schema.GroupVersionKind, error) {

21
test/cli/test-generate/custom-resource/clone-secret.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: devops-docker-pull-image-secret
namespace: default
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: secrets/devops-docker-pull-image-secret
property: dockerconfigjson
secretKey: .dockerconfigjson
refreshInterval: 10s
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
creationPolicy: Owner
deletionPolicy: Retain
name: devops-docker-pull-image-secret

21
test/cli/test-generate/custom-resource/gen-secret.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: devops-docker-pull-image-secret
namespace: test-ns
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: secrets/devops-docker-pull-image-secret
property: dockerconfigjson
secretKey: .dockerconfigjson
refreshInterval: 10s
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
creationPolicy: Owner
deletionPolicy: Retain
name: devops-docker-pull-image-secret

14
test/cli/test-generate/custom-resource/kyverno-test.yaml Normal file
View file

@ -0,0 +1,14 @@
name: generate-tests
policies:
- policy.yaml
resources:
- resource.yaml
results:
- cloneSourceResource: clone-secret.yaml
generatedResource: gen-secret.yaml
kind: Namespace
policy: sync-pull-image-secrets
resources:
- test-ns
result: pass
rule: sync-image-pull-secret

30
test/cli/test-generate/custom-resource/policy.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-pull-image-secrets
annotations:
policies.kyverno.io/title: Sync pull image secrets
policies.kyverno.io/category: Secrets
policies.kyverno.io/severity: low
policies.kyverno.io/subject: secret
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/description: >-
Copies the pullSecret ESO resources into all namespaces
this will mean we're never missing the secret when we need it.
spec:
rules:
- name: sync-image-pull-secret
match:
any:
- resources:
kinds:
- Namespace
generate:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
name: devops-docker-pull-image-secret
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: devops-docker-pull-image-secret

4
test/cli/test-generate/custom-resource/resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-ns