fix: support source field in Constraints

Makefile

@@ -257,6 +257,7 @@ manifests: __controller-gen
 		paths="./apis/..." \
 		paths="./pkg/..." \
 		output:crd:artifacts:config=config/crd/bases
+	./build/update-match-schema.sh
 	rm -rf manifest_staging
 	mkdir -p manifest_staging/deploy/experimental
 	mkdir -p manifest_staging/charts/gatekeeper

build/update-match-schema.sh

@@ -0,0 +1,38 @@
+# The purpose of the script is to build a golang string constant containing the
+# YAML code for the Match CRD. This is needed to auto generate the
+# JSONSchemaProps for Match.
+# It will parse the YAML for the Match CRD, found in $CRD_FILE, and output to
+# $GO_FILE. For controller-gen to generate the CRD, we must include the metadata
+# and typemeta fields. Since we don't want these fields to exist on the real
+# Match CRD, we embed the Match type in a dummy type that has the
+# metadata/typemeta fields, and then parse out these unwanted fields.
+
+GO_FILE="./pkg/target/matchcrd_constant.go"
+SRC_FILE="./pkg/mutation/match/match_types.go"
+CRD_FILE="./config/crd/bases/match.gatekeeper.sh_matchcrd.yaml"
+
+cat << EOF > ${GO_FILE}
+package target
+
+// DO NOT MODIFY THIS FILE DIRECTLY!
+// This file is generated from $SRC_FILE via "make manifests".
+
+const matchYAML = \`
+EOF
+
+# Delete apiVersion block, adjust indentation to un-embed the match field, escape backticks
+start=$(cat ${CRD_FILE} | grep -n "description: DummyCRD" | cut -d: -f1)
+end=$(cat ${CRD_FILE} | grep -n "embeddedMatch:" | cut -d: -f1)
+cat ${CRD_FILE} | sed "${end},$ s/  //" | sed "${start},${end}d" | sed "s/\`/\`+\"\`\"+\`/g" >> ${GO_FILE}
+
+# Delete the 'kind:' and 'metadataDummy:' blocks at the end. This assumes the metadataDummy
+# block is immediately after the kind block, and the metadataDummy block contains only
+# one line (type: object)
+start=$(cat ${GO_FILE} | grep -n -E "kind:$" | cut -d: -f1)
+end=$(cat ${GO_FILE} | grep -n -E "metadataDummy:$" | cut -d: -f1)
+end=$((end+1))
+sed -i "${start},${end}d" ${GO_FILE}
+
+echo "\`" >> ${GO_FILE}
+
+gofmt -w -l ${GO_FILE}

config/crd/bases/match.gatekeeper.sh_matchcrd.yaml

@@ -0,0 +1,211 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.10.0
+  creationTimestamp: null
+  name: matchcrd.match.gatekeeper.sh
+spec:
+  group: match.gatekeeper.sh
+  names:
+    kind: DummyCRD
+    listKind: DummyCRDList
+    plural: matchcrd
+    singular: dummycrd
+  scope: Namespaced
+  versions:
+  - name: match
+    schema:
+      openAPIV3Schema:
+        description: DummyCRD is a "dummy" CRD to hold the Match object, which we
+          ultimately need to generate JSONSchemaProps. The TypeMeta and ObjectMeta
+          fields are required for controller-gen to generate the CRD. DO NOT CHANGE
+          THE FIRST WORD OF THIS COMMENT. It is used for regex matching to extract
+          the embedded match CRD.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          embeddedMatch:
+            description: Match selects objects to apply mutations to.
+            properties:
+              excludedNamespaces:
+                description: 'ExcludedNamespaces is a list of namespace names. If
+                  defined, a constraint only applies to resources not in a listed
+                  namespace. ExcludedNamespaces also supports a prefix or suffix based
+                  glob.  For example, `excludedNamespaces: [kube-*]` matches both
+                  `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]`
+                  matches both `kube-system` and `gatekeeper-system`.'
+                items:
+                  description: 'A string that supports globbing at its front or end.
+                    Ex: "kube-*" will match "kube-system" or "kube-public", "*-system"
+                    will match "kube-system" or "gatekeeper-system".  The asterisk
+                    is required for wildcard matching.'
+                  pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                  type: string
+                type: array
+              kinds:
+                items:
+                  description: Kinds accepts a list of objects with apiGroups and
+                    kinds fields that list the groups/kinds of objects to which the
+                    mutation will apply. If multiple groups/kinds objects are specified,
+                    only one match is needed for the resource to be in scope.
+                  properties:
+                    apiGroups:
+                      description: APIGroups is the API groups the resources belong
+                        to. '*' is all groups. If '*' is present, the length of the
+                        slice must be one. Required.
+                      items:
+                        type: string
+                      type: array
+                    kinds:
+                      items:
+                        type: string
+                      type: array
+                  type: object
+                type: array
+              labelSelector:
+                description: 'LabelSelector is the combination of two optional fields:
+                  `matchLabels` and `matchExpressions`.  These two fields provide
+                  different methods of selecting or excluding k8s objects based on
+                  the label keys and values included in object metadata.  All selection
+                  expressions from both sections are ANDed to determine if an object
+                  meets the cumulative requirements of the selector.'
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              name:
+                description: 'Name is the name of an object.  If defined, it will
+                  match against objects with the specified name.  Name also supports
+                  a prefix or suffix glob.  For example, `name: pod-*` would match
+                  both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod`
+                  and `b-pod`.'
+                pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                type: string
+              namespaceSelector:
+                description: NamespaceSelector is a label selector against an object's
+                  containing namespace or the object itself, if the object is a namespace.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              namespaces:
+                description: 'Namespaces is a list of namespace names. If defined,
+                  a constraint only applies to resources in a listed namespace.  Namespaces
+                  also supports a prefix or suffix based glob.  For example, `namespaces:
+                  [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces:
+                  [*-system]` matches both `kube-system` and `gatekeeper-system`.'
+                items:
+                  description: 'A string that supports globbing at its front or end.
+                    Ex: "kube-*" will match "kube-system" or "kube-public", "*-system"
+                    will match "kube-system" or "gatekeeper-system".  The asterisk
+                    is required for wildcard matching.'
+                  pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                  type: string
+                type: array
+              scope:
+                description: Scope determines if cluster-scoped and/or namespaced-scoped
+                  resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`.
+                  (defaults to `*`)
+                type: string
+              source:
+                description: Source determines whether generated or original resources
+                  are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`).
+                  A value of `Generated` will only match generated resources, while
+                  `Original` will only match regular resources.
+                enum:
+                - All
+                - Generated
+                - Original
+                type: string
+            type: object
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadataDummy:
+            type: object
+        type: object
+    served: true
+    storage: true

pkg/mutation/match/match.go

@@ -6,7 +6,6 @@ import (
 	"reflect"
 
 	"github.com/open-policy-agent/gatekeeper/pkg/mutation/types"
-	"github.com/open-policy-agent/gatekeeper/pkg/util"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,62 +19,8 @@ var ErrMatch = errors.New("failed to run Match criteria")
 // Only for use in Match, not ApplyTo.
 const Wildcard = "*"
 
-// Match selects objects to apply mutations to.
-// +kubebuilder:object:generate=true
-type Match struct {
-	// Source determines whether generated or original resources are matched.
-	// Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of
-	// `Generated` will only match generated resources, while `Original` will only
-	// match regular resources.
-	// +kubebuilder:validation:Enum=All;Generated;Original
-	Source string  `json:"source,omitempty"`
-	Kinds  []Kinds `json:"kinds,omitempty"`
-	// Scope determines if cluster-scoped and/or namespaced-scoped resources
-	// are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
-	Scope apiextensionsv1.ResourceScope `json:"scope,omitempty"`
-	// Namespaces is a list of namespace names. If defined, a constraint only
-	// applies to resources in a listed namespace.  Namespaces also supports a
-	// prefix or suffix based glob.  For example, `namespaces: [kube-*]` matches both
-	// `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both
-	// `kube-system` and `gatekeeper-system`.
-	Namespaces []util.Wildcard `json:"namespaces,omitempty"`
-	// ExcludedNamespaces is a list of namespace names. If defined, a
-	// constraint only applies to resources not in a listed namespace.
-	// ExcludedNamespaces also supports a prefix or suffix based glob.  For example,
-	// `excludedNamespaces: [kube-*]` matches both `kube-system` and
-	// `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and
-	// `gatekeeper-system`.
-	ExcludedNamespaces []util.Wildcard `json:"excludedNamespaces,omitempty"`
-	// LabelSelector is the combination of two optional fields: `matchLabels`
-	// and `matchExpressions`.  These two fields provide different methods of
-	// selecting or excluding k8s objects based on the label keys and values
-	// included in object metadata.  All selection expressions from both
-	// sections are ANDed to determine if an object meets the cumulative
-	// requirements of the selector.
-	LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty"`
-	// NamespaceSelector is a label selector against an object's containing
-	// namespace or the object itself, if the object is a namespace.
-	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
-	// Name is the name of an object.  If defined, it will match against objects with the specified
-	// name.  Name also supports a prefix or suffix glob.  For example, `name: pod-*` would match
-	// both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.
-	Name util.Wildcard `json:"name,omitempty"`
-}
-
-// Kinds accepts a list of objects with apiGroups and kinds fields
-// that list the groups/kinds of objects to which the mutation will apply.
-// If multiple groups/kinds objects are specified,
-// only one match is needed for the resource to be in scope.
-// +kubebuilder:object:generate=true
-type Kinds struct {
-	// APIGroups is the API groups the resources belong to. '*' is all groups.
-	// If '*' is present, the length of the slice must be one.
-	// Required.
-	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,1,rep,name=apiGroups"`
-	Kinds     []string `json:"kinds,omitempty"`
-}
-
 // Matchable represent an object to be matched along with its metadata.
+// +kubebuilder:object:generate=false
 type Matchable struct {
 	Object    client.Object
 	Namespace *corev1.Namespace