Control the policy controller monitoring resources from chart, enhanc…

.github/workflows/kind-cluster-custom-resources.yaml

@@ -16,7 +16,7 @@ name: Test policy-controller with custom resource
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: ["main", "release-*"]
 
 defaults:
   run:
@@ -96,7 +96,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version-file: './go.mod'
+          go-version-file: "./go.mod"
           check-latest: true
 
       # will use the latest release available for ko
@@ -122,7 +122,7 @@ jobs:
           k8s-version: ${{ matrix.k8s-version}}
           version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
 
-      - name: Install policy-controller-with-only-pod-resource
+      - name: Install policy-controller-with-replicasets-daemonsets-resource
         env:
           GIT_HASH: ${{ github.sha }}
           GIT_VERSION: ci
@@ -141,6 +141,7 @@ jobs:
       - name: Run Custom resources Tests
         timeout-minutes: 5
         run: |
+          chmod +x ./test/e2e_test_policy_custom_resource.sh
           ./test/e2e_test_policy_custom_resource.sh
 
       - name: Collect diagnostics

cmd/webhook/main.go

@@ -80,11 +80,11 @@
 	disableTUF = flag.Bool("disable-tuf", false, "Disable TUF support.")
 
 	// Validate specific resources.
-    // https://github.com/sigstore/policy-controller/issues/1388
-    resourcesNames = flag.String("resource-name", "replicasets, deployments, pods, cronjobs, jobs, statefulsets, daemonsets", "Comma-separated list of resources")
-    // Split the input string into a slice of strings
-    listResources []string
-    types              map[schema.GroupVersionKind]resourcesemantics.GenericCRD
+	// https://github.com/sigstore/policy-controller/issues/1388
+	resourcesNames = flag.String("resource-name", "replicasets, deployments, pods, cronjobs, jobs, statefulsets, daemonsets", "Comma-separated list of resources")
+	// Split the input string into a slice of strings
+	listResources []string
+	types         map[schema.GroupVersionKind]resourcesemantics.GenericCRD
 
 	// mutatingCIPWebhookName holds the name of the mutating webhook configuration
 	// resource dispatching admission requests to policy-webhook.
@@ -124,8 +124,8 @@
 	flag.IntVar(&opts.Port, "secure-port", opts.Port, "The port on which to serve HTTPS.")
 
 	flag.Parse()
 	resourcesNamesList := strings.Split(*resourcesNames, ",")
-    listResources = append(listResources, resourcesNamesList...)
+	listResources = append(listResources, resourcesNamesList...)
 
 	// If TUF has been disabled do not try to set it up.
 	if !*disableTUF {
@@ -150,7 +150,7 @@
 
 	// This must match the set of resources we configure in
 	// cmd/webhook/main.go in the "types" map.
 	common.ValidResourceNames = sets.NewString(resourcesNamesList...)
 
 	v := version.GetVersionInfo()
 	vJSON, _ := v.JSONString()
@@ -207,29 +207,29 @@
 	}
 }
 
 func createTypesMap(kindsList []string) map[schema.GroupVersionKind]resourcesemantics.GenericCRD {
 	types := make(map[schema.GroupVersionKind]resourcesemantics.GenericCRD)
 	for _, kind := range kindsList {
 		kind = strings.TrimSpace(kind)
 		switch kind {
 		case "pods":
 			types[corev1.SchemeGroupVersion.WithKind("Pod")] = &crdEphemeralContainers{GenericCRD: &duckv1.Pod{}}
 		case "replicasets":
 			types[appsv1.SchemeGroupVersion.WithKind("ReplicaSet")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}}
 		case "deployments":
 			types[appsv1.SchemeGroupVersion.WithKind("Deployment")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}}
 		case "statefulsets":
 			types[appsv1.SchemeGroupVersion.WithKind("StatefulSet")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}}
 		case "daemonsets":
 			types[appsv1.SchemeGroupVersion.WithKind("DaemonSet")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}}
 		case "jobs":
 			types[batchv1.SchemeGroupVersion.WithKind("Job")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}}
 		case "cronjobs":
 			types[batchv1.SchemeGroupVersion.WithKind("CronJob")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}}
 			types[batchv1beta1.SchemeGroupVersion.WithKind("CronJob")] = &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}}
 		}
 	}
 	return types
 }
 
 var typesCIP = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
@@ -242,7 +242,7 @@
 
 func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
 	// Decorate contexts with the current state of the config.
 	types = createTypesMap(listResources)
 	store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
 	store.WatchConfigs(cmw)
 	policyControllerConfigStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
@@ -300,7 +300,7 @@
 	}
 	ctx = webhook.WithOptions(ctx, *woptions)
 	validator := cwebhook.NewValidator(ctx)
-    types = createTypesMap(listResources)
+	types = createTypesMap(listResources)
 	return defaulting.NewAdmissionController(ctx,
 		// Name of the resource webhook.
 		*webhookName,

third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/doc.go

@@ -1,4 +1,4 @@
 // Package cleanhttp offers convenience utilities for acquiring "clean"
 // http.Transport and http.Client structs.
 //
 // Values set on http.DefaultClient and http.DefaultTransport affect all
@@ -16,5 +16,4 @@
 // connecting to the same hosts repeatedly from the same client, you can use
 // DefaultPooledClient to receive a client that has connection pooling
 // semantics similar to http.DefaultClient.
-//
 package cleanhttp

third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/strutil/strutil.go

@@ -1,4 +1,4 @@
 package strutil
 
 import (
 	"encoding/base64"
@@ -110,11 +110,11 @@
 
 // ParseArbitraryKeyValues parses arbitrary <key,value> tuples. The input
 // can be one of the following:
-// * JSON string
-// * Base64 encoded JSON string
-// * Comma separated list of `<key>=<value>` pairs
-// * Base64 encoded string containing comma separated list of
-//   `<key>=<value>` pairs
+//   - JSON string
+//   - Base64 encoded JSON string
+//   - Comma separated list of `<key>=<value>` pairs
+//   - Base64 encoded string containing comma separated list of
+//     `<key>=<value>` pairs
 //
 // Input will be parsed into the output parameter, which should
 // be a non-nil map[string]string.

third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifaddr.go

@@ -1,4 +1,4 @@
 package sockaddr
 
 import "strings"
 
@@ -17,7 +17,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetPrivateInterfaces | attr "address"}}'
-/// ```
+// / ```
 func GetPrivateIP() (string, error) {
 	privateIfs, err := GetPrivateInterfaces()
 	if err != nil {
@@ -39,7 +39,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetAllInterfaces | include "RFC" "6890" | join "address" " "}}'
-/// ```
+// / ```
 func GetPrivateIPs() (string, error) {
 	ifAddrs, err := GetAllInterfaces()
 	if err != nil {
@@ -86,7 +86,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetPublicInterfaces | attr "address"}}'
-/// ```
+// / ```
 func GetPublicIP() (string, error) {
 	publicIfs, err := GetPublicInterfaces()
 	if err != nil {
@@ -108,7 +108,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetAllInterfaces | exclude "RFC" "6890" | join "address" " "}}'
-/// ```
+// / ```
 func GetPublicIPs() (string, error) {
 	ifAddrs, err := GetAllInterfaces()
 	if err != nil {
@@ -147,7 +147,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetAllInterfaces | include "name" <<ARG>> | sort "type,size" | include "flag" "forwardable" | attr "address" }}'
-/// ```
+// / ```
 func GetInterfaceIP(namedIfRE string) (string, error) {
 	ifAddrs, err := GetAllInterfaces()
 	if err != nil {
@@ -188,7 +188,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetAllInterfaces | include "name" <<ARG>> | sort "type,size" | join "address" " "}}'
-/// ```
+// / ```
 func GetInterfaceIPs(namedIfRE string) (string, error) {
 	ifAddrs, err := GetAllInterfaces()
 	if err != nil {

third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifaddrs.go

@@ -1,4 +1,4 @@
 package sockaddr
 
 import (
 	"encoding/binary"
@@ -303,7 +303,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetAllInterfaces | include "type" "ip" | include "flags" "forwardable" | include "flags" "up" | sort "default,type,size" | include "RFC" "6890" }}'
-/// ```
+// / ```
 func GetPrivateInterfaces() (IfAddrs, error) {
 	privateIfs, err := GetAllInterfaces()
 	if err != nil {
@@ -351,7 +351,7 @@
 //
 // ```
 // $ sockaddr eval -r '{{GetAllInterfaces | include "type" "ip" | include "flags" "forwardable" | include "flags" "up" | sort "default,type,size" | exclude "RFC" "6890" }}'
-/// ```
+// / ```
 func GetPublicInterfaces() (IfAddrs, error) {
 	publicIfs, err := GetAllInterfaces()
 	if err != nil {

third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipv4addr.go

@@ -1,4 +1,4 @@
 package sockaddr
 
 import (
 	"encoding/binary"
@@ -165,10 +165,10 @@
 
 // CmpAddress follows the Cmp() standard protocol and returns:
 //
-// - -1 If the receiver should sort first because its address is lower than arg
-// - 0 if the SockAddr arg is equal to the receiving IPv4Addr or the argument is
-//   of a different type.
-// - 1 If the argument should sort first.
+//   - -1 If the receiver should sort first because its address is lower than arg
+//   - 0 if the SockAddr arg is equal to the receiving IPv4Addr or the argument is
+//     of a different type.
+//   - 1 If the argument should sort first.
 func (ipv4 IPv4Addr) CmpAddress(sa SockAddr) int {
 	ipv4b, ok := sa.(IPv4Addr)
 	if !ok {
@@ -187,10 +187,10 @@
 
 // CmpPort follows the Cmp() standard protocol and returns:
 //
-// - -1 If the receiver should sort first because its port is lower than arg
-// - 0 if the SockAddr arg's port number is equal to the receiving IPv4Addr,
-//   regardless of type.
-// - 1 If the argument should sort first.
+//   - -1 If the receiver should sort first because its port is lower than arg
+//   - 0 if the SockAddr arg's port number is equal to the receiving IPv4Addr,
+//     regardless of type.
+//   - 1 If the argument should sort first.
 func (ipv4 IPv4Addr) CmpPort(sa SockAddr) int {
 	var saPort IPPort
 	switch v := sa.(type) {
@@ -214,10 +214,10 @@
 
 // CmpRFC follows the Cmp() standard protocol and returns:
 //
-// - -1 If the receiver should sort first because it belongs to the RFC and its
-//   arg does not
-// - 0 if the receiver and arg both belong to the same RFC or neither do.
-// - 1 If the arg belongs to the RFC but receiver does not.
+//   - -1 If the receiver should sort first because it belongs to the RFC and its
+//     arg does not
+//   - 0 if the receiver and arg both belong to the same RFC or neither do.
+//   - 1 If the arg belongs to the RFC but receiver does not.
 func (ipv4 IPv4Addr) CmpRFC(rfcNum uint, sa SockAddr) int {
 	recvInRFC := IsRFC(rfcNum, ipv4)
 	ipv4b, ok := sa.(IPv4Addr)

third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipv6addr.go

@@ -1,4 +1,4 @@
 package sockaddr
 
 import (
 	"bytes"
@@ -173,10 +173,10 @@
 
 // CmpAddress follows the Cmp() standard protocol and returns:
 //
-// - -1 If the receiver should sort first because its address is lower than arg
-// - 0 if the SockAddr arg equal to the receiving IPv6Addr or the argument is of a
-//   different type.
-// - 1 If the argument should sort first.
+//   - -1 If the receiver should sort first because its address is lower than arg
+//   - 0 if the SockAddr arg equal to the receiving IPv6Addr or the argument is of a
+//     different type.
+//   - 1 If the argument should sort first.
 func (ipv6 IPv6Addr) CmpAddress(sa SockAddr) int {
 	ipv6b, ok := sa.(IPv6Addr)
 	if !ok {
@@ -193,10 +193,10 @@
 
 // CmpPort follows the Cmp() standard protocol and returns:
 //
-// - -1 If the receiver should sort first because its port is lower than arg
-// - 0 if the SockAddr arg's port number is equal to the receiving IPv6Addr,
-//   regardless of type.
-// - 1 If the argument should sort first.
+//   - -1 If the receiver should sort first because its port is lower than arg
+//   - 0 if the SockAddr arg's port number is equal to the receiving IPv6Addr,
+//     regardless of type.
+//   - 1 If the argument should sort first.
 func (ipv6 IPv6Addr) CmpPort(sa SockAddr) int {
 	var saPort IPPort
 	switch v := sa.(type) {
@@ -220,10 +220,10 @@
 
 // CmpRFC follows the Cmp() standard protocol and returns:
 //
-// - -1 If the receiver should sort first because it belongs to the RFC and its
-//   arg does not
-// - 0 if the receiver and arg both belong to the same RFC or neither do.
-// - 1 If the arg belongs to the RFC but receiver does not.
+//   - -1 If the receiver should sort first because it belongs to the RFC and its
+//     arg does not
+//   - 0 if the receiver and arg both belong to the same RFC or neither do.
+//   - 1 If the arg belongs to the RFC but receiver does not.
 func (ipv6 IPv6Addr) CmpRFC(rfcNum uint, sa SockAddr) int {
 	recvInRFC := IsRFC(rfcNum, ipv6)
 	ipv6b, ok := sa.(IPv6Addr)

third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/printer/nodes.go

@@ -1,4 +1,4 @@
 package printer
 
 import (
 	"bytes"
@@ -721,10 +721,9 @@
 //
 // A single line object:
 //
-//   * has no lead comments (hence multi-line)
-//   * has no assignment
-//   * has no values in the stanza (within {})
-//
+//   - has no lead comments (hence multi-line)
+//   - has no assignment
+//   - has no values in the stanza (within {})
 func (p *printer) isSingleLineObject(val *ast.ObjectItem) bool {
 	// If there is a lead comment, can't be one line
 	if val.LeadComment != nil {