nyl 0.4.1

Kubernetes manifest generator with Helm integration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282

/// Kyverno policy application logic
///
/// This module implements the logic to apply Kyverno policies to Kubernetes manifests
use std::fs;
use std::io::Write;
use std::path::{Path, PathBuf};
use std::process::Command;
use tempfile::TempDir;

use crate::resources::{is_kyverno_policy, AnnotatedKyvernoPolicy};
use crate::{NylError, Result};

/// Apply Kyverno policies to manifests
///
/// Policy resources themselves are excluded from mutation
pub fn apply_kyverno_policies(
    manifests: &[serde_json::Value],
    policies: &[AnnotatedKyvernoPolicy],
) -> Result<Vec<serde_json::Value>> {
    if policies.is_empty() {
        return Ok(manifests.to_vec());
    }

    // Separate policy resources from regular resources
    let (policy_manifests, regular_manifests): (Vec<_>, Vec<_>) = manifests.iter().partition(|m| is_kyverno_policy(m));

    // Only apply to regular resources
    let policy_resources: Vec<serde_json::Value> = policies.iter().map(|p| p.policy.clone()).collect();

    let mutated_manifests = apply_kyverno_policies_internal(&regular_manifests, &policy_resources)?;

    // Combine mutated resources with policy resources (unchanged)
    let mut result = mutated_manifests;
    result.extend(policy_manifests.into_iter().cloned());

    Ok(result)
}

/// Internal function to apply Kyverno policies using the CLI
fn apply_kyverno_policies_internal(
    manifests: &[&serde_json::Value],
    policies: &[serde_json::Value],
) -> Result<Vec<serde_json::Value>> {
    if manifests.is_empty() {
        return Ok(Vec::new());
    }

    // Check if kyverno is installed
    if !is_kyverno_installed() {
        return Err(NylError::Config(
            "Kyverno CLI is not installed but Kyverno policies were found. \
             Install from: https://kyverno.io/docs/kyverno-cli/"
                .to_string(),
        ));
    }

    // Create a temporary directory for policy and resource files
    let temp_dir = TempDir::new().map_err(|e| NylError::Config(format!("Failed to create temp directory: {}", e)))?;
    let policies_dir = temp_dir.path().join("policies");
    fs::create_dir(&policies_dir)
        .map_err(|e| NylError::Config(format!("Failed to create policies directory: {}", e)))?;

    // Write all policies to files
    let mut policy_files = Vec::new();
    for (idx, policy) in policies.iter().enumerate() {
        let policy_file = policies_dir.join(format!("policy-{}.yaml", idx));
        let policy_yaml = crate::yaml::serialize_yaml_document(policy).map_err(NylError::YamlEmit)?;
        fs::write(&policy_file, policy_yaml)
            .map_err(|e| NylError::Config(format!("Failed to write policy file: {}", e)))?;
        policy_files.push(policy_file);
    }

    // Write all resources to a single file
    let resources_file = temp_dir.path().join("resources.yaml");
    write_manifests_to_file(&resources_file, manifests)?;

    // Create output directory for kyverno to write mutated manifests
    let output_dir = temp_dir.path().join("output");
    fs::create_dir(&output_dir).map_err(|e| NylError::Config(format!("Failed to create output directory: {}", e)))?;

    // Execute kyverno apply
    execute_kyverno_apply(&policy_files, &resources_file, &output_dir)?;

    // Read back mutated manifests from output directory
    let original_vec: Vec<serde_json::Value> = manifests.iter().map(|&m| m.clone()).collect();
    read_kyverno_output(&output_dir, &original_vec)
}

/// Check if kyverno CLI is installed
fn is_kyverno_installed() -> bool {
    Command::new("kyverno")
        .arg("version")
        .output()
        .is_ok_and(|output| output.status.success())
}

/// Write manifests to a YAML file
fn write_manifests_to_file(path: &Path, manifests: &[&serde_json::Value]) -> Result<()> {
    let mut file =
        fs::File::create(path).map_err(|e| NylError::Config(format!("Failed to create resources file: {}", e)))?;

    for (i, manifest) in manifests.iter().enumerate() {
        if i > 0 {
            writeln!(file, "---").map_err(|e| NylError::Config(format!("Failed to write separator to file: {}", e)))?;
        }
        let yaml = crate::yaml::serialize_yaml_document(manifest).map_err(NylError::YamlEmit)?;
        write!(file, "{}", yaml).map_err(|e| NylError::Config(format!("Failed to write manifest to file: {}", e)))?;
    }

    Ok(())
}

/// Execute kyverno apply command, writing mutated manifests to the output directory
fn execute_kyverno_apply(policy_files: &[PathBuf], resources_file: &Path, output_dir: &Path) -> Result<()> {
    let mut cmd = Command::new("kyverno");
    cmd.arg("apply");

    // Add all policy files as positional arguments
    for policy_file in policy_files {
        cmd.arg(policy_file);
    }

    // Add the resources file
    cmd.arg("--resource").arg(resources_file);

    // Write mutated manifests to output directory
    cmd.arg("-o").arg(output_dir);

    tracing::debug!("Executing kyverno apply command: {:?}", cmd);

    let output = cmd
        .output()
        .map_err(|e| NylError::Config(format!("Failed to execute kyverno apply: {}", e)))?;

    let combined_output = String::from_utf8_lossy(&output.stdout);
    tracing::debug!("Kyverno output:\n{}", combined_output);

    if !output.status.success() {
        return Err(NylError::Config(format!(
            "Kyverno apply failed with exit code {:?}:\n{}",
            output.status.code(),
            combined_output
        )));
    }

    Ok(())
}

/// Read mutated manifests from the kyverno output directory
///
/// Kyverno writes one file per mutated resource to the output directory. Validation-only
/// policies don't produce output files. When the output directory is empty (e.g. only
/// validation policies were applied), the original manifests are returned unchanged.
fn read_kyverno_output(output_dir: &Path, original_manifests: &[serde_json::Value]) -> Result<Vec<serde_json::Value>> {
    let mut manifests = Vec::new();

    let entries: Vec<_> = fs::read_dir(output_dir)
        .map_err(|e| NylError::Config(format!("Failed to read kyverno output directory: {}", e)))?
        .collect::<std::result::Result<Vec<_>, _>>()
        .map_err(|e| NylError::Config(format!("Failed to read kyverno output directory entries: {}", e)))?;

    // Validation-only policies don't produce output files. If kyverno succeeded
    // (checked by the caller) but wrote no output, return the originals unchanged.
    if entries.is_empty() {
        tracing::debug!("Kyverno output directory is empty; returning original manifests unchanged");
        return Ok(original_manifests.to_vec());
    }

    for entry in &entries {
        let content = fs::read_to_string(entry.path()).map_err(|e| {
            NylError::Config(format!(
                "Failed to read kyverno output file {}: {}",
                entry.path().display(),
                e
            ))
        })?;

        // Each file may contain multiple YAML documents
        for doc in content.split("\n---") {
            let trimmed = doc.trim();
            if trimmed.is_empty() {
                continue;
            }
            match crate::yaml::parse_yaml_value_k8s_compatible(trimmed) {
                Ok(value) if !value.is_null() => manifests.push(value),
                Ok(_) => {}
                Err(e) => {
                    tracing::debug!("Failed to parse YAML document from kyverno output: {}", e);
                }
            }
        }
    }

    if manifests.len() != original_manifests.len() {
        return Err(NylError::Config(format!(
            "Unexpected behaviour of `kyverno apply` command: The number of resources generated in the \
             output folder ({}) does not match the number of input resources ({})",
            manifests.len(),
            original_manifests.len()
        )));
    }

    Ok(manifests)
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde_json::json;

    #[test]
    fn test_write_manifests_to_file() {
        let temp_dir = TempDir::new().unwrap();
        let file_path = temp_dir.path().join("test.yaml");

        let manifests = [
            json!({"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "test1"}}),
            json!({"apiVersion": "v1", "kind": "Service", "metadata": {"name": "test2"}}),
        ];
        let manifest_refs: Vec<&serde_json::Value> = manifests.iter().collect();

        write_manifests_to_file(&file_path, &manifest_refs).unwrap();

        let content = fs::read_to_string(&file_path).unwrap();
        assert!(content.contains("ConfigMap"));
        assert!(content.contains("Service"));
        assert!(content.contains("---"));
    }

    #[test]
    fn test_read_kyverno_output() {
        let temp_dir = TempDir::new().unwrap();

        // Write two resource files like kyverno would
        fs::write(
            temp_dir.path().join("resource-0.yaml"),
            "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: test1\n",
        )
        .unwrap();
        fs::write(
            temp_dir.path().join("resource-1.yaml"),
            "apiVersion: v1\nkind: Service\nmetadata:\n  name: test2\n",
        )
        .unwrap();

        let originals = vec![
            json!({"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "test1"}}),
            json!({"apiVersion": "v1", "kind": "Service", "metadata": {"name": "test2"}}),
        ];
        let manifests = read_kyverno_output(temp_dir.path(), &originals).unwrap();
        assert_eq!(manifests.len(), 2);
    }

    #[test]
    fn test_read_kyverno_output_empty_returns_originals() {
        let temp_dir = TempDir::new().unwrap();

        // Empty output dir (e.g. validation-only policies)
        let originals = vec![json!({"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "test1"}})];
        let manifests = read_kyverno_output(temp_dir.path(), &originals).unwrap();
        assert_eq!(manifests.len(), 1);
        assert_eq!(manifests[0]["metadata"]["name"], "test1");
    }

    #[test]
    fn test_read_kyverno_output_count_mismatch() {
        let temp_dir = TempDir::new().unwrap();

        fs::write(
            temp_dir.path().join("resource-0.yaml"),
            "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: test1\n",
        )
        .unwrap();

        let originals = vec![
            json!({"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "test1"}}),
            json!({"apiVersion": "v1", "kind": "Service", "metadata": {"name": "test2"}}),
        ];
        let result = read_kyverno_output(temp_dir.path(), &originals);
        assert!(result.is_err());
    }
}