Remove empty objects from policy filter (#197)

DId not find a way to do delete a file in post process. A argocd plugin complains about an empty yaml manifest.
appuio · Aug 28, 2024 · 612c10c · 612c10c
1 parent c398cfd
commit 612c10c
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 29 deletions.
diff --git a/class/appuio-cloud.yml b/class/appuio-cloud.yml
@@ -27,10 +27,3 @@ parameters:
           - appuio-cloud/component/agent.jsonnet
         input_type: jsonnet
         output_path: appuio-cloud/01_agent/
-
-  commodore:
-    postprocess:
-      filters:
-        - type: jsonnet
-          filter: postprocess/disable-kyveno-policies.jsonnet
-          path: ${_instance}/
diff --git a/component/common.libsonnet b/component/common.libsonnet
@@ -76,7 +76,23 @@ local agentFeatureEnabled(name) =
   assert std.member(knownFeatures, name) : 'Unknown agent feature "%s"' % name;
   std.member(params.agent_feature_set, name);
 
+local disabledPolicies = std.prune(params.disable_kyverno_cluster_policies);
+
+local removeDisabledPolicies = function(policies)
+  {
+    [p]: policies[p]
+    for p in std.filter(
+      function(pk)
+        local policy = policies[pk];
+        !std.isObject(policy) || policy.apiVersion != 'kyverno.io/v1' || policy.kind != 'ClusterPolicy' || std.length(std.find(policy.metadata.name, disabledPolicies)) == 0,
+      std.objectFields(policies)
+    )
+  };
+
 {
+  // Remove disabled Kyverno policies
+  // Takes a dict with kubernetes resources and removes kyverno.io/v1.ClusterPolicy manifests that are disabled
+  RemoveDisabledPolicies: removeDisabledPolicies,
   // AgentFeatureEnabled returns true if the given feature is enabled.
   AgentFeatureEnabled: agentFeatureEnabled,
   DefaultLabels: defaultLabels,

diff --git a/component/namespace-policies.jsonnet b/component/namespace-policies.jsonnet
@@ -506,12 +506,12 @@ local validateNamespaceMetadata = kyverno.ClusterPolicy('validate-namespace-meta
 };
 
 // Define outputs below
-{
+common.RemoveDisabledPolicies({
   '01_appuio_ns_provisioner_role': appuioNsProvisionerRole + common.DefaultLabels,
   '01_appuio_ns_provisioners_crb': appuioNsProvisionersRoleBinding + common.DefaultLabels,
   '02_organization_namespaces': organizationNamespaces + common.DefaultLabels,
   '02_organization_sa_namespaces': organizationSaNamespaces + common.DefaultLabels,
   '02_organization_projects': organizationProjects + common.DefaultLabels,
   '02_disallow_reserved_namespaces': disallowReservedNamespaces + common.DefaultLabels,
   '02_validate_namespace_metadata': validateNamespaceMetadata + common.DefaultLabels,
-}
+})
diff --git a/component/namespace-quota.jsonnet b/component/namespace-quota.jsonnet
@@ -147,7 +147,7 @@ local namespaceQuotaOverrides = [
 ];
 
 // Define outputs below
-{
+common.RemoveDisabledPolicies({
   [if !common.AgentFeatureEnabled('usage-profiles') then '12_namespace_quota_per_zone']: namespaceQuotaPolicy + common.DefaultLabels,
   [if std.length(namespaceQuotaOverrides) > 0 then '13_namespace_quota_overrides']: namespaceQuotaOverrides,
-}
+})
diff --git a/component/quota-limitrange.jsonnet b/component/quota-limitrange.jsonnet
@@ -100,6 +100,6 @@ local generateQuotaLimitRangeInNsPolicy = kyverno.ClusterPolicy('quota-and-limit
 };
 
 // Define outputs below
-{
+common.RemoveDisabledPolicies({
   [if !common.AgentFeatureEnabled('usage-profiles') then '11_generate_quota_limit_range_in_ns']: generateQuotaLimitRangeInNsPolicy + common.DefaultLabels,
-}
+})
diff --git a/component/runonce-activedeadlineseconds.jsonnet b/component/runonce-activedeadlineseconds.jsonnet
@@ -83,6 +83,6 @@ local policy =
     },
   };
 
-{
+common.RemoveDisabledPolicies({
   '30_set_runonce_activedeadlineseconds': policy + common.DefaultLabels,
-}
+})
diff --git a/postprocess/disable-kyveno-policies.jsonnet b/postprocess/disable-kyveno-policies.jsonnet
-Original file line number
+Diff line change
@@ Expand Up / @@ -83,6 +83,6 @@ local policy = @@
         },
       };
-    {
+    common.RemoveDisabledPolicies({
       '30_set_runonce_activedeadlineseconds': policy + common.DefaultLabels,
-    }
+    })