Fix constraint template when the matchers key is not present (#591)

* Add more acceptance tests

* Fix constraint template

* Fix tests

Author: mrueg

.github/workflows/cron_e2e.yaml

@@ -65,7 +65,6 @@ jobs:
         run: |
           chmod +x ./konstraint
           ./konstraint create -o e2e-resources examples
-          ./konstraint create -o e2e-resources test
 
       - name: create kind cluster
         run: kind create cluster

.github/workflows/pull_request.yaml

@@ -196,7 +196,6 @@ jobs:
         run: |
           chmod +x ./konstraint
           ./konstraint create -o e2e-resources examples
-          ./konstraint create -o e2e-resources test
 
       - name: create kind cluster
         run: kind create cluster

acceptance.bats

@@ -19,13 +19,13 @@
 }
 
 @test "[CREATE] Creating constraints using --output matches expected output" {
-  run ./build/konstraint create test --output test
+  run ./build/konstraint create test/policies --output test/output/standard
   [ "$status" -eq 0 ]
-  git diff --quiet -- test/
+  git diff --quiet -- test/output/standard
 }
 
 @test "[CREATE] Creating constraints using --constraint-custom-template-file, --constraint-template-custom-template-file and --output matches expected output" {
-  run ./build/konstraint create test --constraint-custom-template-file internal/commands/constraint_template.tpl --constraint-template-custom-template-file internal/commands/constrainttemplate_template.tpl --partial-constraints --output test/custom
+  run ./build/konstraint create test/policies --constraint-custom-template-file internal/commands/constraint_template.tpl --constraint-template-custom-template-file internal/commands/constrainttemplate_template.tpl --partial-constraints --output test/output/custom
   [ "$status" -eq 0 ]
-  git diff --quiet -- test/custom
+  git diff --quiet -- test/output/custom
 }

internal/commands/constraint_template.tpl

@@ -10,12 +10,21 @@ metadata:
   {{- end }}
   name: {{ .Name }}
 spec:
-  {{- if .Matchers }}
-  match: {{- .GetAnnotation "matchers" | toIndentYAML 2 | nindent 4 }}
-  {{- end }}
   {{- if ne .Enforcement "deny" }}
   enforcementAction: {{ .Enforcement }}
   {{- end -}}
-  {{- if .AnnotationParameters }}
-  parameters: {{- .AnnotationParameters | toIndentYAML 2 | nindent 4 }}
+  {{- if or .AnnotationKindMatchers .AnnotationNamespaceMatchers .AnnotationExcludedNamespaceMatchers .AnnotationLabelSelectorMatcher }}
+  match:
+  {{- if .AnnotationExcludedNamespaceMatchers }}
+    excludedNamespaces: {{- .AnnotationExcludedNamespaceMatchers | toIndentYAML 2 | nindent 6 }}
+  {{- end }}
+  {{- if .AnnotationKindMatchers }}
+    kinds: {{- .AnnotationKindMatchers | toJSON | fromJSON | toIndentYAML 2 | nindent 6 }}
+  {{- end }}
+  {{- if .AnnotationLabelSelectorMatcher }}
+    labelSelector: {{- .AnnotationLabelSelectorMatcher | toJSON | fromJSON | toIndentYAML 2 | nindent 6 }}
+  {{- end }}
+  {{- if .AnnotationNamespaceMatchers }}
+    namespaces: {{- .AnnotationNamespaceMatchers | toIndentYAML 2 | nindent 6 }}
+  {{- end }}
   {{- end }}

internal/commands/create_test.go

@@ -19,7 +19,7 @@ func TestRenderConstraint(t *testing.T) {
 		t.Errorf("Error getting violations: %v", err)
 	}
 
-	expected, err := os.ReadFile("../../test/constraint_Test.yaml")
+	expected, err := os.ReadFile("../../test/output/standard/constraint_FullMetadata.yaml")
 	if err != nil {
 		t.Errorf("Error reading expected file: %v", err)
 	}
@@ -48,7 +48,7 @@ func TestRenderConstraintWithCustomTemplate(t *testing.T) {
 		t.Errorf("Error getting violations: %v", err)
 	}
 
-	expected, err := os.ReadFile("../../test/custom/constraint_Test.yaml")
+	expected, err := os.ReadFile("../../test/output/custom/constraint_FullMetadata.yaml")
 	if err != nil {
 		t.Errorf("Error reading expected file: %v", err)
 	}
@@ -77,7 +77,7 @@ func TestRenderConstraintTemplate(t *testing.T) {
 		t.Errorf("Error getting violations: %v", err)
 	}
 
-	expected, err := os.ReadFile("../../test/template_Test.yaml")
+	expected, err := os.ReadFile("../../test/output/standard/template_FullMetadata.yaml")
 	if err != nil {
 		t.Errorf("Error reading expected file: %v", err)
 	}
@@ -106,7 +106,7 @@ func TestRenderConstraintTemplateWithCustomTemplate(t *testing.T) {
 		t.Errorf("Error getting violations: %v", err)
 	}
 
-	expected, err := os.ReadFile("../../test/custom/template_Test.yaml")
+	expected, err := os.ReadFile("../../test/output/custom/template_FullMetadata.yaml")
 	if err != nil {
 		t.Errorf("Error reading expected file: %v", err)
 	}
@@ -129,7 +129,7 @@ func TestRenderConstraintTemplateWithCustomTemplate(t *testing.T) {
 }
 
 func GetViolations() ([]rego.Rego, error) {
-	violations, err := rego.GetViolations("../../test")
+	violations, err := rego.GetViolations("../../test/policies/")
 	if err != nil {
 		return nil, err
 	}

test/custom/constraint_Test.yaml

@@ -0,0 +1,34 @@
+# This is a custom template for constraints
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: FullMetadata
+metadata:
+  name: fullmetadata
+spec:
+  match:
+    excludedNamespaces:
+      - kube-system
+      - gatekeeper-system
+    kinds:
+      - apiGroups:
+          - ""
+        kinds:
+          - Pod
+      - apiGroups:
+          - apps
+        kinds:
+          - DaemonSet
+          - Deployment
+          - StatefulSet
+    labelSelector:
+      matchExpressions:
+        - key: foo
+          operator: In
+          values:
+            - bar
+            - baz
+        - key: doggos
+          operator: Exists
+    namespaces:
+      - dev
+      - stage
+      - prod

test/output/custom/constraint_FullMetadata.yaml

@@ -0,0 +1,6 @@
+# This is a custom template for constraints
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: NoMetadata
+metadata:
+  name: nometadata
+spec:

test/output/custom/constraint_NoMetadata.yaml

@@ -0,0 +1,11 @@
+# This is a custom template for constraints
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: PartialMetadata
+metadata:
+  name: partialmetadata
+spec:
+  match:
+    namespaces:
+      - dev
+      - stage
+      - prod

test/output/custom/constraint_PartialMetadata.yaml

@@ -2,12 +2,12 @@
 apiVersion: templates.gatekeeper.sh/v1
 kind: ConstraintTemplate
 metadata:
-  name: test
+  name: fullmetadata
 spec:
   crd:
     spec:
       names:
-        kind: Test
+        kind: FullMetadata
       validation:
         openAPIV3Schema:
           properties:
@@ -25,7 +25,7 @@ spec:
     - |-
       package lib.libraryB
     rego: |-
-      package test
+      package test_fullmetadata
       
       import future.keywords.if
       import data.lib.libraryA

test/custom/template_Test.yaml test/output/custom/template_FullMetadata.yaml

@@ -0,0 +1,30 @@
+# This is a custom template for a constraint template
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: nometadata
+spec:
+  crd:
+    spec:
+      names:
+        kind: NoMetadata
+  targets:
+  - libs:
+    - |-
+      package lib.libraryA
+      
+      import data.lib.libraryB
+    - |-
+      package lib.libraryB
+    rego: |-
+      package test_nometadata
+      
+      import future.keywords.if
+      import data.lib.libraryA
+      
+      policyID := "P123456"
+      
+      violation if {
+          true # some comment
+      }
+    target: admission.k8s.gatekeeper.sh

test/output/custom/template_NoMetadata.yaml

@@ -0,0 +1,30 @@
+# This is a custom template for a constraint template
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: partialmetadata
+spec:
+  crd:
+    spec:
+      names:
+        kind: PartialMetadata
+  targets:
+  - libs:
+    - |-
+      package lib.libraryA
+      
+      import data.lib.libraryB
+    - |-
+      package lib.libraryB
+    rego: |-
+      package test_partialmetadata
+      
+      import future.keywords.if
+      import data.lib.libraryA
+      
+      policyID := "P123456"
+      
+      violation if {
+          true # some comment
+      }
+    target: admission.k8s.gatekeeper.sh

test/output/custom/template_PartialMetadata.yaml

@@ -1,7 +1,7 @@
 apiVersion: constraints.gatekeeper.sh/v1beta1
-kind: Test
+kind: FullMetadata
 metadata:
-  name: test
+  name: fullmetadata
 spec:
   match:
     excludedNamespaces:

test/constraint_Test.yaml test/output/standard/constraint_FullMetadata.yaml

@@ -0,0 +1,4 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: NoMetadata
+metadata:
+  name: nometadata

test/output/standard/constraint_NoMetadata.yaml

@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: PartialMetadata
+metadata:
+  name: partialmetadata
+spec:
+  match:
+    namespaces:
+    - dev
+    - stage
+    - prod

test/output/standard/constraint_PartialMetadata.yaml

@@ -2,12 +2,12 @@ apiVersion: templates.gatekeeper.sh/v1
 kind: ConstraintTemplate
 metadata:
   creationTimestamp: null
-  name: test
+  name: fullmetadata
 spec:
   crd:
     spec:
       names:
-        kind: Test
+        kind: FullMetadata
       validation:
         openAPIV3Schema:
           properties:
@@ -25,7 +25,7 @@ spec:
       import data.lib.libraryB
     - package lib.libraryB
     rego: |-
-      package test
+      package test_fullmetadata
 
       import future.keywords.if
       import data.lib.libraryA