Comments

Signed-off-by: Anlan Du <adu47249@gmail.com>

Makefile

@@ -341,7 +341,7 @@ generate: __conversion-gen __controller-gen
 	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths="./apis/..." paths="./pkg/..."
 	$(CONVERSION_GEN) \
 		--output-base=/gatekeeper \
-		--input-dirs=./apis/mutations/v1,./apis/mutations/v1beta1,./apis/mutations/v1alpha1,./apis/expansion/v1alpha1,./apis/syncset/v1alpha1 \
+		--input-dirs=./apis/mutations/v1,./apis/mutations/v1beta1,./apis/mutations/v1alpha1,./apis/expansion/v1alpha1,./apis/syncset/v1alpha1,./apis/gvkmanifest/v1alpha1 \
 		--go-header-file=./hack/boilerplate.go.txt \
 		--output-file-base=zz_generated.conversion
 

apis/addtoscheme_gvkmanifest.go

@@ -0,0 +1,10 @@
+package apis
+
+import (
+	"github.com/open-policy-agent/gatekeeper/v3/apis/gvkmanifest/v1alpha1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, v1alpha1.AddToScheme)
+}

apis/gvkmanifest/v1alpha1/groupversion_info.go

@@ -0,0 +1,20 @@
+// Package v1alpha1 contains API Schema definitions for the GVKManifest v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=gvkmanifest.gatekeeper.sh
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "gvkmanifest.gatekeeper.sh", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

apis/gvkmanifest/v1alpha1/gvkmanifest_types.go

@@ -0,0 +1,43 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type GVKManifestSpec struct {
+	Groups []Group `json:"groups,omitempty"`
+}
+
+type Group struct {
+	Name     string    `json:"name,omitempty"`
+	Versions []Version `json:"versions,omitempty"`
+}
+
+type Version struct {
+	Name  string   `json:"name,omitempty"`
+	Kinds []string `json:"kinds,omitempty"`
+}
+
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:object:root=true
+
+// GVKManifest is the Schema for the GVKManifest API.
+type GVKManifest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec GVKManifestSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// GVKManifestList contains a list of GVKManifests.
+type GVKManifestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []GVKManifest `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&GVKManifest{}, &GVKManifestList{})
+}

cmd/gator/sync/sync.go

@@ -3,19 +3,19 @@ package sync
 import (
 	"fmt"
 
-	syncverify "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/sync/verify"
+	synctest "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/sync/test"
 	"github.com/spf13/cobra"
 )
 
 var commands = []*cobra.Command{
-	syncverify.Cmd,
+	synctest.Cmd,
 }
 
 var Cmd = &cobra.Command{
 	Use:   "sync",
 	Short: "Manage SyncSets and Config",
 	Run: func(cmd *cobra.Command, args []string) {
-		fmt.Println("Usage: gator sync verify")
+		fmt.Println("Usage: gator sync test")
 	},
 }
 

cmd/gator/sync/verify/verify.go → cmd/gator/sync/test/test.go

@@ -1,4 +1,4 @@
-package verify
+package test
 
 import (
 	"fmt"
@@ -7,32 +7,33 @@ import (
 
 	cmdutils "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/util"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/sync/verify"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/sync/test"
 	"github.com/spf13/cobra"
 )
 
 var Cmd = &cobra.Command{
-	Use:   "verify",
-	Short: "Verify that the provided SyncSet(s) and/or Config contain the GVKs required by the input templates.",
+	Use:   "test",
+	Short: "Test that the provided SyncSet(s) and/or Config contain the GVKs required by the input templates.",
 	Run:   run,
 }
 
 var (
-	flagFilenames     []string
-	flagImages        []string
-	flagSupportedGVKs verify.SupportedGVKs
+	flagFilenames       []string
+	flagImages          []string
+	flagOmitGVKManifest bool
 )
 
 const (
-	flagNameFilename      = "filename"
-	flagNameImage         = "image"
-	flagNameSupportedGVKs = "supported-gvks"
+	flagNameFilename = "filename"
+	flagNameImage    = "image"
+	flagNameForce    = "omit-gvk-manifest"
 )
 
 func init() {
 	Cmd.Flags().StringArrayVarP(&flagFilenames, flagNameFilename, "f", []string{}, "a file or directory containing Kubernetes resources.  Can be specified multiple times.")
 	Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
-	Cmd.Flags().VarP(&flagSupportedGVKs, flagNameSupportedGVKs, "s", "a json string listing the GVKs supported by the cluster as a nested array of groups, containing supported versions, each of which contains supported kinds. See https://open-policy-agent.github.io/gatekeeper/website/docs/gator#the-gator-sync-verify-subcommand for an example.")
+	Cmd.Flags().BoolVarP(&flagOmitGVKManifest, flagNameForce, "o", false, "Do not require a GVK manifest; if one is not provided, assume all GVKs listed in the requirements "+
+		"and configs are supported by the cluster under test. If this assumption isn't true, the given config may cause errors or templates may not be enforced correctly even after passing this test.")
 }
 
 func run(cmd *cobra.Command, args []string) {
@@ -44,9 +45,9 @@ func run(cmd *cobra.Command, args []string) {
 		cmdutils.ErrFatalf("no input data identified")
 	}
 
-	missingRequirements, templateErrors, err := verify.Verify(unstrucs, flagSupportedGVKs)
+	missingRequirements, templateErrors, err := test.Test(unstrucs, flagOmitGVKManifest)
 	if err != nil {
-		cmdutils.ErrFatalf("verifying: %v", err)
+		cmdutils.ErrFatalf("checking: %v", err)
 	}
 
 	if len(missingRequirements) > 0 {
@@ -57,7 +58,6 @@ func run(cmd *cobra.Command, args []string) {
 		cmdutils.ErrFatalf("encountered errors parsing the following templates: \n%v", resultsToString(templateErrors))
 	}
 
-	fmt.Println("all template requirements met")
 	os.Exit(0)
 }
 

pkg/gator/errors.go

@@ -15,12 +15,17 @@ var (
 	// ErrNotASyncSet indicates the user-indicated file does not contain a
 	// SyncSet.
 	ErrNotASyncSet = errors.New("not a SyncSet")
+	// ErrNotASyncSet indicates the user-indicated file does not contain a
+	// SyncSet.
+	ErrNotAGVKManifest = errors.New("not a GVKManifest")
 	// ErrAddingTemplate indicates a problem instantiating a Suite's ConstraintTemplate.
 	ErrAddingTemplate = errors.New("adding template")
 	// ErrAddingConstraint indicates a problem instantiating a Suite's Constraint.
 	ErrAddingConstraint = errors.New("adding constraint")
 	// ErrAddingSyncSet indicates a problem instantiating a Suite's SyncSet.
 	ErrAddingSyncSet = errors.New("adding syncset")
+	// ErrAddingGVKManifest indicates a problem instantiating a Suite's GVKManifest.
+	ErrAddingGVKManifest = errors.New("adding gvkmanifest")
 	// ErrAddingConfig indicates a problem instantiating a Suite's Config.
 	ErrAddingConfig = errors.New("adding config")
 	// ErrInvalidSuite indicates a Suite does not define the required fields.

pkg/gator/fixtures/fixtures.go

@@ -661,7 +661,6 @@ apiVersion: syncset.gatekeeper.sh/v1alpha1
 kind: SyncSet
 metadata:
   name: syncset
-  namespace: "gatekeeper-system"
 spec:
   gvks:
     - group: "networking.k8s.io"
@@ -676,7 +675,6 @@ apiVersion: config.gatekeeper.sh/v1alpha1
 kind: Config
 metadata:
   name: config
-  namespace: "gatekeeper-system"
 spec:
   sync:
     syncOnly:
@@ -686,5 +684,17 @@ spec:
       - group: "apps"
         version: "v1"
         kind: "Deployment"
+`
+	GVKManifest = `
+apiVersion: gvkmanifest.gatekeeper.sh/v1alpha1
+kind: GVKManifest
+metadata:
+  name: gvkmanifest
+spec:
+  groups:
+  - name: ""
+    versions:
+    - name: "v1"
+      kinds: ["Service"]
 `
 )