fix: Allow templated namespace without nsSelector

When a `namespaceSelector` was not provided
and a namespace was templated, the controller
considered this invalid and didn't attempt to
resolve the template, returning errors about a
missing namespace.

ref: https://issues.redhat.com/browse/ACM-21804
Signed-off-by: Dale Haiducek <[email protected]>

Author: dhaiducek

controllers/configurationpolicy_controller.go

@@ -1347,10 +1347,12 @@ func (r *ConfigurationPolicyReconciler) determineDesiredObjects(
 	relevantNsNames := map[string]map[string]unstructured.Unstructured{}
 
 	desiredNs := parsedMinMetadata.Metadata.Namespace
+	hasTemplatedNs := false
 
 	// If the namespace is templated, consider it not explicitly set
 	if templates.HasTemplate([]byte(desiredNs), "", true) {
 		desiredNs = ""
+		hasTemplatedNs = true
 	}
 
 	desiredName := parsedMinMetadata.Metadata.Name
@@ -1401,27 +1403,31 @@ func (r *ConfigurationPolicyReconciler) determineDesiredObjects(
 		// (Fetching for the object selector is handled later on)
 		fetchObject := needsObject && desiredName != "" && parsedMinMetadata.Metadata.Namespace == ""
 
-		if len(selectedNamespaces) != 0 {
-			for _, ns := range selectedNamespaces {
-				if fetchObject {
-					var existingObj *unstructured.Unstructured
-					if usingWatch {
-						existingObj, _ = r.getObjectFromCache(plc, ns, desiredName, objGVK)
-					} else {
-						existingObj, _ = getObject(ns, desiredName, scopedGVR, r.TargetK8sDynamicClient)
-					}
+		for _, ns := range selectedNamespaces {
+			if fetchObject {
+				var existingObj *unstructured.Unstructured
+				if usingWatch {
+					existingObj, _ = r.getObjectFromCache(plc, ns, desiredName, objGVK)
+				} else {
+					existingObj, _ = getObject(ns, desiredName, scopedGVR, r.TargetK8sDynamicClient)
+				}
 
-					if existingObj != nil {
-						relevantNsNames[ns] = map[string]unstructured.Unstructured{desiredName: *existingObj}
-					} else {
-						relevantNsNames[ns] = defaultNamesPerNs
-					}
+				if existingObj != nil {
+					relevantNsNames[ns] = map[string]unstructured.Unstructured{desiredName: *existingObj}
 				} else {
 					relevantNsNames[ns] = defaultNamesPerNs
 				}
+			} else {
+				relevantNsNames[ns] = defaultNamesPerNs
 			}
 		}
 
+		// If no namespaces were selected and the namespace is templated, set a default.
+		// Having an empty namespace after template resolution is handled later on.
+		if len(relevantNsNames) == 0 && hasTemplatedNs {
+			relevantNsNames[""] = defaultNamesPerNs
+		}
+
 	case scopedGVR.Namespaced:
 		// Namespaced, but a namespace was provided
 		relevantNsNames[desiredNs] = defaultNamesPerNs
@@ -1765,6 +1771,25 @@ func (r *ConfigurationPolicyReconciler) determineDesiredObjects(
 				return nil, &scopedGVR, errEvent, nil
 			}
 
+			// Error if the namespace is templated and returns empty.
+			if scopedGVR.Namespaced && hasTemplatedNs && desiredObj.GetNamespace() == "" {
+				var space string
+				if desiredName != "" {
+					space = " "
+				}
+
+				errEvent := &objectTmplEvalEvent{
+					compliant: false,
+					reason:    reasonTemplateError,
+					message: fmt.Sprintf("namespaced object%s%s of kind %s has no namespace specified "+
+						"after template resolution",
+						space, desiredName, objGVK.Kind,
+					),
+				}
+
+				return nil, &scopedGVR, errEvent, nil
+			}
+
 			// Error if the name doesn't match the parsed name from the objectSelector
 			if objectSelector != nil && desiredObj.GetName() != name {
 				errEvent := &objectTmplEvalEvent{

test/dryrun/context_vars/context_vars_test.go

@@ -27,16 +27,22 @@ var (
 	objUnnamedDef embed.FS
 	//go:embed objectns_cluster_scoped
 	objNsClusterScoped embed.FS
+	//go:embed objectns_templated_empty
+	objNsTemplatedEmpty embed.FS
+	//go:embed objectns_templated_no_nsselector
+	objNsTemplatedNoNsSelector embed.FS
 
 	testCases = map[string]embed.FS{
-		"Test Object: available for namespaced objects":                objNamespaced,
-		"Test Object: available for complex objects":                   objPod,
-		"Test Object: nil for objects that don't exist":                objPodNsSelector,
-		"Test Object: nil but succeeds with default function":          objPodDefaultFunc,
-		"Test Object: available for cluster-scoped objects":            objClusterScoped,
-		"Test Object: nil when namespace is templated":                 objTmplNs,
-		"Test Object: unavailable for unnamed objects":                 objUnnamedDef,
-		"Test ObjectNamespace: unavailable for cluster-scoped objects": objNsClusterScoped,
+		"Test Object: available for namespaced objects":                    objNamespaced,
+		"Test Object: available for complex objects":                       objPod,
+		"Test Object: nil for objects that don't exist":                    objPodNsSelector,
+		"Test Object: nil but succeeds with default function":              objPodDefaultFunc,
+		"Test Object: available for cluster-scoped objects":                objClusterScoped,
+		"Test Object: nil when namespace is templated":                     objTmplNs,
+		"Test Object: unavailable for unnamed objects":                     objUnnamedDef,
+		"Test ObjectNamespace: unavailable for cluster-scoped objects":     objNsClusterScoped,
+		"Test ObjectNamespace: noncompliant for empty templated namespace": objNsTemplatedEmpty,
+		"Test ObjectNamespace: available for templated namespace":          objNsTemplatedNoNsSelector,
 	}
 )
 

test/dryrun/context_vars/objectns_templated_empty/input.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-namespace
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-other-namespace
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: templated-ns-configmap
+  namespace: my-namespace
+data:
+  this: thing
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-extra
+  namespace: my-namespace
+data:
+  this: thing
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-other-ns
+  namespace: my-other-namespace
+data:
+  this: thing

test/dryrun/context_vars/objectns_templated_empty/output.txt

@@ -0,0 +1,3 @@
+# Diffs:
+# Compliance messages:
+NonCompliant; violation - namespaced object templated-ns-configmap of kind ConfigMap has no namespace specified after template resolution

test/dryrun/context_vars/objectns_templated_empty/policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-object-var-templated-name
+spec:
+  remediationAction: inform
+  object-templates:
+    - complianceType: musthave
+      recordDiff: InStatus
+      objectDefinition:
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: templated-ns-configmap
+          namespace: '{{ "" }}'
+        data:
+          this: thing

test/dryrun/context_vars/objectns_templated_no_nsselector/input.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-namespace
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-other-namespace
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: templated-ns-configmap
+  namespace: my-namespace
+data:
+  this: thing
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-extra
+  namespace: my-namespace
+data:
+  this: thing
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-other-ns
+  namespace: my-other-namespace
+data:
+  this: thing

test/dryrun/context_vars/objectns_templated_no_nsselector/output.txt

@@ -0,0 +1,5 @@
+# Diffs:
+v1 ConfigMap my-namespace/templated-ns-configmap:
+
+# Compliance messages:
+Compliant; notification - configmaps [templated-ns-configmap] found as specified in namespace my-namespace

test/dryrun/context_vars/objectns_templated_no_nsselector/policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-object-var-templated-name
+spec:
+  remediationAction: inform
+  object-templates:
+    - complianceType: musthave
+      recordDiff: InStatus
+      objectDefinition:
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: templated-ns-configmap
+          namespace: '{{ "my-namespace" }}'
+        data:
+          this: thing