fix: reset mutable fields orphandownstream (#10478)

* fix: reset mutable fields orphandownstream

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>

* fix: reset mutable fields orphandownstream

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>

* fix: reset mutable fields orphandownstream

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>

---------

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/validation/policy/generate.go

@@ -51,6 +51,7 @@ func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
 	rule.DeepCopyInto(new)
 	new.Generation.Synchronize = true
 	new.Generation.SetData(nil)
+	new.Generation.OrphanDownstreamOnPolicyDelete = true
 	return new
 }
 

test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml

@@ -2,21 +2,21 @@ apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
   creationTimestamp: null
-  name: cpol-data-sync-delete-policy
+  name: cpol-data-sync-delete-policy-with-orphan
 spec:
   steps:
   - name: step-01
     try:
     - apply:
-        file: chainsaw-step-01-apply-1-1.yaml
+        file: policy.yaml
     - assert:
-        file: chainsaw-step-01-assert-1-1.yaml
+        file: policy-ready.yaml
   - name: step-02
     try:
     - apply:
-        file: chainsaw-step-02-apply-1-1.yaml
+        file: namespace.yaml
     - assert:
-        file: chainsaw-step-02-assert-1-1.yaml
+        file: configmap.yaml
   - name: step-03
     try:
     - delete:
@@ -24,5 +24,39 @@ spec:
           apiVersion: kyverno.io/v1
           kind: ClusterPolicy
           name: cpol-data-sync-orphan-downstream-delete-policy
+    - error:
+        file: configmap-assert.yaml
+  - name: step-04
+    try:
+    - delete:
+        ref:
+          apiVersion: v1
+          kind: Namespace
+          name: cpol-data-sync-orphan-downstream-delete-policy-ns
+  - name: step-05
+    try:
+    - apply:
+        file: policy.yaml
     - assert:
-        file: chainsaw-step-02-assert-1-1.yaml
+        file: policy-ready.yaml
+  - name: step-06
+    try:
+    - apply:
+        file: policy-orphan.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-07
+    try:
+    - apply:
+        file: namespace.yaml
+    - assert:
+        file: configmap.yaml
+  - name: step-08
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: cpol-data-sync-orphan-downstream-delete-policy
+    - assert:
+        file: configmap.yaml

test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml

@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cpol-data-sync-orphan-downstream-delete-policy
+spec:
+  generateExisting: false
+  rules:
+  - exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - default
+          - kube-public
+          - kyverno
+    generate:
+      apiVersion: v1
+      data:
+        data:
+          KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+          ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+        kind: ConfigMap
+        metadata:
+          labels:
+            somekey: somevalue
+      kind: ConfigMap
+      name: zk-kafka-address
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+      orphanDownstreamOnPolicyDelete: false
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: cpol-data-sync-delete-rule

test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a generate policy with `orphanDownstreamOnPolicyDelete` can be updated on existing policy.
+
+## Expected Behavior
+
+The test fails if the `orphanDownstreamOnPolicyDelete` can't be updated, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/10464

test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml

@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: update-orphan
+spec:
+  steps:
+    - name: step-01
+      try:
+        - apply:
+            file: policy.yaml
+        - assert:
+            file: policy-assert.yaml
+    - name: step-02
+      try:
+        - apply:
+            file: policy-with-orphan.yaml
+        - assert:
+            file: policy-assert.yaml

test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-update-orphan
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml

@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-update-orphan
+spec:
+  rules:
+    - name: deny-all-traffic
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - default
+                - kube-public
+                - kyverno
+      generate:
+        orphanDownstreamOnPolicyDelete: true
+        kind: NetworkPolicy
+        apiVersion: networking.k8s.io/v1
+        name: deny-all-traffic
+        namespace: "{{request.object.metadata.name}}"
+        data:
+          spec:
+            # select all pods in the namespace
+            podSelector: {}
+            policyTypes:
+              - Ingress
+              - Egress

test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml

@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-update-orphan
+spec:
+  rules:
+    - name: deny-all-traffic
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - default
+                - kube-public
+                - kyverno
+      generate:
+        orphanDownstreamOnPolicyDelete: false
+        kind: NetworkPolicy
+        apiVersion: networking.k8s.io/v1
+        name: deny-all-traffic
+        namespace: "{{request.object.metadata.name}}"
+        data:
+          spec:
+            # select all pods in the namespace
+            podSelector: {}
+            policyTypes:
+              - Ingress
+              - Egress