gator verify: Support multiple ExpansionTemplates per test case in a suite

Open grelland opened this issue 11 months ago • 4 comments

Describe the solution you'd like:

When defining a suite for gator verify I'd like to be able to supply multiple ExpansionTemplates for a test. This would be consistent with the behaviour of gator test and gator expand, which take an arbitrary number of input files.

I stumbled across this when implementing a constraint for top-level resource labels. I'm using an ExpansionTemplate for workload types (Deployment, Job, StatefulSet etc.) to Pod, and another one for CronJob -> Job. With the current version I cannot write a single test which asserts that my constraint works as expected for both the Pod and Job spawned from a CronJob. Rather, I must test these individually as they require different expansions.

The same test is straightforward to implement when running gator test - just supply both ExpansionTemplate files.

Anything else you would like to add: Support could probably be added without breaking the current Suite kind by supporting multi-document YAML files (I assumed this would work but it does not).

Environment:

  • Gatekeeper version: v3.20.0-beta.0.0.20250513191843-93a999f21a18
  • Kubernetes version: (use kubectl version): N/A

grelland avatar May 19 '25 09:05 grelland

@grelland do you require multiple ExpansionTemplate for one constraint?

As of now you can use multiple ExpansionTemplate per suite.yaml for gator verify via including multiple tests in one suite and using one ExpansionTemplate per test case. Here is how you can use it - https://github.com/open-policy-agent/gatekeeper/blob/master/test/gator/verify/suite.yaml#L43.

JaydipGabani avatar May 21 '25 16:05 JaydipGabani
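The workaround described in the comment above, sketched as an added example (not taken from the thread or from the Gatekeeper repository). All file paths and test names are hypothetical; the layout assumes the `Suite` kind's per-test `expansion` field, which accepts a single file.

```yaml
# Added example: one Suite, two tests, one ExpansionTemplate per test.
# File paths and names below are hypothetical placeholders.
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
  name: top-level-labels
tests:
  # Test 1: workload types (Deployment, Job, StatefulSet, ...) expanded to Pod.
  - name: workload-to-pod
    template: template.yaml
    constraint: constraint.yaml
    expansion: expansion-workload-to-pod.yaml
    cases:
      - name: deployment-missing-labels
        object: samples/deployment-unlabelled.yaml
        assertions:
          - violations: yes
      - name: deployment-with-labels
        object: samples/deployment-labelled.yaml
        assertions:
          - violations: no
  # Test 2: CronJob expanded to Job. The same constraint is repeated because
  # each test loads only its own expansion file.
  - name: cronjob-to-job
    template: template.yaml
    constraint: constraint.yaml
    expansion: expansion-cronjob-to-job.yaml
    cases:
      - name: cronjob-missing-labels
        object: samples/cronjob-unlabelled.yaml
        assertions:
          - violations: yes
      - name: cronjob-with-labels
        object: samples/cronjob-labelled.yaml
        assertions:
          - violations: no
```

With this layout no single case checks both the Job and the Pod that result from one CronJob, which is the coverage gap the issue reports.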

> @grelland do you require multiple ExpansionTemplate for one constraint?
>
> As of now you can use multiple ExpansionTemplate per suite.yaml for gator verify via including multiple tests in one suite and using one ExpansionTemplate per test case. Here is how you can use it - https://github.com/open-policy-agent/gatekeeper/blob/master/test/gator/verify/suite.yaml#L43.

Yes, as per my example where a single constraint applies to both Job and Pod as derived from CronJob and for example Deployment.

I understand that I can implement multiple tests to cover these separately, which gets around having to have multiple expansions. So in that sense it's not a huge problem.

It did strike me as needlessly inflexible and a bit contradictory to the way the CLI works, however. You can specify multiple expansions for gator test so I guess I expected Suite to work in the same way.

grelland avatar May 21 '25 18:05 grelland

Oh ok, I am fine supporting this in suite, it should not cause any problem in terms of breaking current behavior. Would you like to contribute this change?

JaydipGabani avatar May 21 '25 18:05 JaydipGabani

Great. I can take a stab at it, sure. 👍

grelland avatar May 22 '25 09:05 grelland

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 25 '25 06:07 stale[bot]