Add support for spec.hubTemplateOptions when generating a policy

Relates: https://issues.redhat.com/browse/ACM-13608 Signed-off-by: mprahl <mprahl@users.noreply.github.com> (cherry picked from commit afb8a69)
stolostron · Aug 27, 2024 · fd70c02 · fd70c02
1 parent 5233919
commit fd70c02
Show file tree

Hide file tree

Showing 4 changed files with 140 additions and 0 deletions.
diff --git a/docs/policygenerator-reference.yaml b/docs/policygenerator-reference.yaml
@@ -76,6 +76,13 @@ policyDefaults:
       kind: "Policy"
       # Optional. (See policyDefaults.dependencies.apiVersion for description.)
       apiVersion: "policy.open-cluster-management.io/v1"
+  # Optional. Changes the default behavior of hub templates.
+  hubTemplateOptions:
+    # Optional. serviceAccountName is the name of a service account in the same namespace as the policy to use for all hub
+    # template lookups. The service account must have list and watch permissions on any object the hub templates
+    # look up. If not specified, lookups are restricted to namespaced objects in the same namespace as the policy and
+    # to the `ManagedCluster` object associated with the propagated policy.
+    serviceAccountName: ""
   # Optional. Determines whether objects created or monitored by the policy should be deleted when the policy is
   # deleted. Pruning only takes place if the remediation action of the policy has been set to "enforce". Example values
   # are "DeleteIfCreated", "DeleteAll", or "None". This defaults to unset, which is equivalent to "None".
@@ -252,6 +259,9 @@ policies:
         # Optional. (See policyDefaults.extraDependencies for description)
         # Cannot be specified when policyDefaults.consolidateManifests is set to true.
         extraDependencies: []
+        # Optional. (See policyDefaults.hubTemplateOptions for description.)
+        hubTemplateOptions:
+          serviceAccountName: ""
         # Optional. (See policyDefaults.pruneObjectBehavior for description.)
         # Cannot be specified when policyDefaults.consolidateManifests is set to true.
         pruneObjectBehavior: ""

diff --git a/internal/plugin.go b/internal/plugin.go
@@ -696,6 +696,10 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.Severity = p.PolicyDefaults.Severity
 		}
 
+		if policy.HubTemplateOptions.ServiceAccountName == "" {
+			policy.HubTemplateOptions.ServiceAccountName = p.PolicyDefaults.HubTemplateOptions.ServiceAccountName
+		}
+
 		for j := range policy.Manifests {
 			manifest := &policy.Manifests[j]
 
@@ -1364,6 +1368,10 @@ func (p *Plugin) createPolicy(policyConf *types.PolicyConfig) error {
 		"policy-templates": policyTemplates,
 	}
 
+	if policyConf.HubTemplateOptions.ServiceAccountName != "" {
+		spec["hubTemplateOptions"] = policyConf.HubTemplateOptions
+	}
+
 	if p.PolicyDefaults.OrderPolicies && p.previousPolicyName != "" {
 		policyConf.Dependencies = []types.PolicyDependency{{
 			Name:       p.previousPolicyName,

diff --git a/internal/plugin_test.go b/internal/plugin_test.go
@@ -1496,6 +1496,123 @@ spec:
 	assertEqual(t, output, expected)
 }
 
+func TestCreatePolicyHubTemplateOptions(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	p := Plugin{}
+	p.PolicyDefaults.Namespace = "my-policies"
+	p.PolicyDefaults.HubTemplateOptions = types.HubTemplateOptions{ServiceAccountName: "default-sa"}
+
+	policyConf := types.PolicyConfig{
+		Name: "policy-app-config",
+		Manifests: []types.Manifest{
+			{Path: path.Join(tmpDir, "configmap.yaml")},
+		},
+	}
+	p.Policies = append(p.Policies, policyConf)
+
+	p.applyDefaults(map[string]interface{}{})
+
+	err := p.createPolicy(&p.Policies[0])
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	output := p.outputBuffer.String()
+	expected := `
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    annotations:
+        policy.open-cluster-management.io/categories: CM Configuration Management
+        policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+        policy.open-cluster-management.io/description: ""
+        policy.open-cluster-management.io/standards: NIST SP 800-53
+    name: policy-app-config
+    namespace: my-policies
+spec:
+    disabled: false
+    hubTemplateOptions:
+        serviceAccountName: default-sa
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: policy-app-config
+            spec:
+                object-templates:
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        data:
+                            game.properties: enemies=potato
+                        kind: ConfigMap
+                        metadata:
+                            name: my-configmap
+                remediationAction: inform
+                severity: low
+    remediationAction: inform
+`
+	expected = strings.TrimPrefix(expected, "\n")
+	assertEqual(t, output, expected)
+
+	// Override the value on the policy
+	p.outputBuffer.Reset()
+	p.Policies[0].PolicyOptions = types.PolicyOptions{
+		HubTemplateOptions: types.HubTemplateOptions{ServiceAccountName: "override-sa"},
+	}
+	p.applyDefaults(map[string]interface{}{})
+
+	err = p.createPolicy(&p.Policies[0])
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	output = p.outputBuffer.String()
+	expected = `
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    annotations:
+        policy.open-cluster-management.io/categories: CM Configuration Management
+        policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+        policy.open-cluster-management.io/description: ""
+        policy.open-cluster-management.io/standards: NIST SP 800-53
+    name: policy-app-config
+    namespace: my-policies
+spec:
+    disabled: false
+    hubTemplateOptions:
+        serviceAccountName: override-sa
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: policy-app-config
+            spec:
+                object-templates:
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: v1
+                        data:
+                            game.properties: enemies=potato
+                        kind: ConfigMap
+                        metadata:
+                            name: my-configmap
+                remediationAction: inform
+                severity: low
+    remediationAction: inform
+`
+	expected = strings.TrimPrefix(expected, "\n")
+	assertEqual(t, output, expected)
+}
+
 func TestCreatePolicyFromCertificatePolicyTypeManifest(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()

diff --git a/internal/types/types.go b/internal/types/types.go
@@ -7,6 +7,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+type HubTemplateOptions struct {
+	ServiceAccountName string `json:"serviceAccountName,omitempty" yaml:"serviceAccountName,omitempty"`
+}
+
 type PolicyOptions struct {
 	Categories                     []string           `json:"categories,omitempty" yaml:"categories,omitempty"`
 	Controls                       []string           `json:"controls,omitempty" yaml:"controls,omitempty"`
@@ -28,6 +32,7 @@ type PolicyOptions struct {
 	PolicyAnnotations              map[string]string  `json:"policyAnnotations,omitempty" yaml:"policyAnnotations,omitempty"`
 	PolicyLabels                   map[string]string  `json:"policyLabels,omitempty" yaml:"policyLabels,omitempty"`
 	ConfigurationPolicyAnnotations map[string]string  `json:"configurationPolicyAnnotations,omitempty" yaml:"configurationPolicyAnnotations,omitempty"`
+	HubTemplateOptions             HubTemplateOptions `json:"hubTemplateOptions,omitempty" yaml:"hubTemplateOptions,omitempty"`
 }
 
 type PolicySetOptions struct {