A library for processing Go templates in policy templates or other Open Cluster Management objects.
Go to the Contributing guide to learn how to get involved.
- The
go-template-utilsrepository is part of theopen-cluster-managementcommunity. For more information, visit: open-cluster-management.io.
To get started, use the templates.NewResolver function along with a templates.Config instance.
See the ResolveTemplate example for an example of how to use this library.
Under the hood, go-template-utils wraps the
text/template package. This means that as
long as the input to
templates.ResolveTemplate
can be marshaled to YAML, any of the
text/template package features can be used.
Additionally, the following custom functions are supported:
atoiparses an input string and returns an integer like the Atoi function. For example,{{ "6" | atoi }}.autoindentwill automatically indent the input string based on the leading spaces. For example,{{ "Templating\nrocks!" | autoindent }}.base64encdecodes the input Base64 string to its decoded form. For example,{{ "VGVtcGxhdGVzIHJvY2shCg==" | base64dec }}.base64encencodes an input string in the Base64 format. For example,{{ "Templating rocks!" | base64enc }}.indentwill indent the input string by specified amount. For example,{{ "Templating\nrocks!" | indent 4 }}.fromClusterClaimreturns the value of a specificClusterClaim. For example,{{ fromClusterClaim "name" }}.fromConfigMapreturns the value of a key inside aConfigMap. For example,{{ fromConfigMap "namespace" "config-map-name" "key" }}.fromSecretreturns the value of a key inside aSecret. For example,{{ fromSecret "namespace" "secret-name" "key" }}. If theEncryptionModeis set toEncryptionEnabled, this will return an encrypted value.lookupis a generic lookup function for any Kubernetes object. For example,{{ (lookup "v1" "Secret" "namespace" "name").Data.key }}.protectis a function that encrypts any string using AES-CBC.toBool- parses an input boolean string converts it to a boolean but also removes any quotes around the map value. For example,key: "{{ "true" | toBool }}"=>key: true.toIntparses an input string and returns an integer but also removes any quotes around the map value. For example,key: "{{ "6" | toInt }}"=>key: 6.toLiteralremoves any quotes around the template string after it is processed. For example,key: "{{ "[10.10.10.10, 1.1.1.1]" | toLiteral }}=>key: [10.10.10.10, 1.1.1.1]. A good use-case for this is when aConfigMapfield contains a JSON string that you want to literally replace the template with and have it treated as the underlying JSON type.
The client CLI tool is used to help during policy development involving templates. Note that the generated output is only partially validated for syntax.
kubectl -n default create configmap cool-car --from-literal=model=Shelby\ Mustang
kubectl -n default create configmap not-cool-car --from-literal=model=Pinto
cat <<EOF > policy-example.yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: label-configmaps
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: label-configmaps
spec:
remediationAction: enforce
severity: low
object-templates-raw: |
{{- range (lookup "v1" "ConfigMap" "default" "").items }}
{{- if and .data.model (contains "Mustang" .data.model) }}
- complianceType: musthave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ .metadata.name }}
namespace: {{ .metadata.namespace }}
labels:
ford.com/model: Mustang
{{- end }}
{{- end }}
EOF
go run experimental/client.go policy-example.yamlThe output should be:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: label-configmaps
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: label-configmaps
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
ford.com/model: Mustang
name: cool-car
namespace: default
remediationAction: enforce
severity: lowkubectl -n default create configmap cool-car --from-literal=model=Shelby\ Mustang
kubectl -n default create configmap not-cool-car --from-literal=model=Pinto
cat <<EOF > policy-example.yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: label-configmaps
namespace: policies
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: label-configmaps
spec:
remediationAction: enforce
severity: low
object-templates-raw: |
{{- range (lookup "v1" "ConfigMap" "default" "").items }}
{{- if and .data.model (contains "Mustang" .data.model) }}
- complianceType: musthave
objectDefinition:
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ .metadata.name }}
namespace: {{ .metadata.namespace }}
labels:
cluster-name: {{hub .ManagedClusterName hub}}
ford.com/model: Mustang
{{- end }}
{{- end }}
EOF
go run experimental/client.go -hub-kubeconfig ~/.kube/config -cluster-name local-cluster policy-example.yamlThe output should be:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: label-configmaps
namespace: policies
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: label-configmaps
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
cluster-name: local-cluster
ford.com/model: Mustang
name: cool-car
namespace: default
remediationAction: enforce
severity: low