feat: implement AssignImage mutator (#2429)

* Implement AssignImage mutator
Signed-off-by: davis-haba <davishaba@google.com>

* fix tests
Signed-off-by: davis-haba <davishaba@google.com>

* fix controller gen setup
Signed-off-by: davis-haba <davishaba@google.com>

* fix helm manifest generation
Signed-off-by: davis-haba <davishaba@google.com>

* WIP assignimage byPod status
Signed-off-by: davis-haba <davishaba@google.com>

* mutator pod status working for assignimage
Signed-off-by: davis-haba <davishaba@google.com>

* e2e test assignimage mutator deleted
Signed-off-by: davis-haba <davishaba@google.com>

* old kubectl run
Signed-off-by: davis-haba <davishaba@google.com>

* address comments. domain must have '.' unless localhost
Signed-off-by: davis-haba <davishaba@google.com>

* appease linter
Signed-off-by: davis-haba <davishaba@google.com>

* fix gator tests
Signed-off-by: davis-haba <davishaba@google.com>

* add test domain ending in colon still converges
Signed-off-by: davis-haba <davishaba@google.com>

* docs for assignimage
Signed-off-by: davis-haba <davishaba@google.com>

* remove newline
Signed-off-by: davis-haba <davishaba@google.com>

* address comments
Signed-off-by: davis-haba <davishaba@google.com>

* appease linter
Signed-off-by: davis-haba <davishaba@google.com>

* cleanup dead code branch
Signed-off-by: davis-haba <davishaba@google.com>

* validateDomain to use splitDomain
Signed-off-by: davis-haba <davishaba@google.com>

* future-proof validateImageParts. Add custom error types.
Signed-off-by: davis-haba <davishaba@google.com>

* fix readiness tracker test
Signed-off-by: davis-haba <davishaba@google.com>

* make manifests
Signed-off-by: davis-haba <davishaba@google.com>

* validate that splitting a valid tag never returns a path
Signed-off-by: davis-haba <davishaba@google.com>

* degenerate cases for unit tests. do not expose regex on image component error.
Signed-off-by: davis-haba <davishaba@google.com>

* test missing image field. update error copy.
Signed-off-by: davis-haba <davishaba@google.com>

* tag error copy
Signed-off-by: davis-haba <davishaba@google.com>

* Update pkg/expansion/system_test.go

Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Davis Haba <52938648+davis-haba@users.noreply.github.com>

* Update pkg/mutation/mutators/assignimage/assignimage_mutator.go

Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Davis Haba <52938648+davis-haba@users.noreply.github.com>

* errors.As instead of type casting in unit tests
Signed-off-by: davis-haba <davishaba@google.com>

* fix error type checking
Signed-off-by: davis-haba <davishaba@google.com>

Signed-off-by: Davis Haba <52938648+davis-haba@users.noreply.github.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>

apis/mutations/unversioned/assignimage_types.go

@@ -0,0 +1,90 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package unversioned
+
+import (
+	"github.com/open-policy-agent/gatekeeper/apis/status/v1beta1"
+	"github.com/open-policy-agent/gatekeeper/pkg/mutation/match"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// AssignImageSpec defines the desired state of AssignImage.
+type AssignImageSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// ApplyTo lists the specific groups, versions and kinds a mutation will be applied to.
+	// This is necessary because every mutation implies part of an object schema and object
+	// schemas are associated with specific GVKs.
+	ApplyTo []match.ApplyTo `json:"applyTo,omitempty"`
+
+	// Match allows the user to limit which resources get mutated.
+	// Individual match criteria are AND-ed together. An undefined
+	// match criteria matches everything.
+	Match match.Match `json:"match,omitempty"`
+
+	// Location describes the path to be mutated, for example: `spec.containers[name: main].image`.
+	Location string `json:"location,omitempty"`
+
+	// Parameters define the behavior of the mutator.
+	Parameters AssignImageParameters `json:"parameters,omitempty"`
+}
+
+type AssignImageParameters struct {
+	PathTests []PathTest `json:"pathTests,omitempty"`
+
+	// AssignDomain sets the domain component on an image string. The trailing
+	// slash should not be included.
+	AssignDomain string `json:"assignDomain,omitempty"`
+
+	// AssignPath sets the domain component on an image string.
+	AssignPath string `json:"assignPath,omitempty"`
+
+	// AssignImage sets the image component on an image string. It must start
+	// with a `:` or `@`.
+	AssignTag string `json:"assignTag,omitempty"`
+}
+
+// AssignImageStatus defines the observed state of AssignImage.
+type AssignImageStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	ByPod []v1beta1.MutatorPodStatusStatus `json:"byPod,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// AssignImage is the Schema for the assign API.
+type AssignImage struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AssignImageSpec   `json:"spec,omitempty"`
+	Status AssignImageStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// AssignImageList contains a list of AssignImage.
+type AssignImageList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AssignImage `json:"items"`
+}

apis/mutations/v1alpha1/assignimage_types.go

@@ -0,0 +1,97 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"github.com/open-policy-agent/gatekeeper/apis/status/v1beta1"
+	"github.com/open-policy-agent/gatekeeper/pkg/mutation/match"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// AssignImageSpec defines the desired state of AssignImage.
+type AssignImageSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// ApplyTo lists the specific groups, versions and kinds a mutation will be applied to.
+	// This is necessary because every mutation implies part of an object schema and object
+	// schemas are associated with specific GVKs.
+	ApplyTo []match.ApplyTo `json:"applyTo,omitempty"`
+
+	// Match allows the user to limit which resources get mutated.
+	// Individual match criteria are AND-ed together. An undefined
+	// match criteria matches everything.
+	Match match.Match `json:"match,omitempty"`
+
+	// Location describes the path to be mutated, for example: `spec.containers[name: main].image`.
+	Location string `json:"location,omitempty"`
+
+	// Parameters define the behavior of the mutator.
+	Parameters AssignImageParameters `json:"parameters,omitempty"`
+}
+
+type AssignImageParameters struct {
+	PathTests []PathTest `json:"pathTests,omitempty"`
+
+	// AssignDomain sets the domain component on an image string. The trailing
+	// slash should not be included.
+	AssignDomain string `json:"assignDomain,omitempty"`
+
+	// AssignPath sets the domain component on an image string.
+	AssignPath string `json:"assignPath,omitempty"`
+
+	// AssignImage sets the image component on an image string. It must start
+	// with a `:` or `@`.
+	AssignTag string `json:"assignTag,omitempty"`
+}
+
+// AssignImageStatus defines the observed state of AssignImage.
+type AssignImageStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	ByPod []v1beta1.MutatorPodStatusStatus `json:"byPod,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path="assignimage"
+// +kubebuilder:resource:scope="Cluster"
+// +kubebuilder:subresource:status
+
+// AssignImage is the Schema for the assignimage API.
+type AssignImage struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AssignImageSpec   `json:"spec,omitempty"`
+	Status AssignImageStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// AssignImageList contains a list of AssignImage.
+type AssignImageList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AssignImage `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&AssignImage{}, &AssignImageList{})
+}