add testing for gator verify expansion template support

Signed-off-by: David-Jaeyoon-Lee <[email protected]>

pkg/gator/fixtures/fixtures.go

@@ -158,6 +158,34 @@ spec:
         }
 `
 
+	TemplateRestrictCustomField = `
+kind: ConstraintTemplate
+apiVersion: templates.gatekeeper.sh/v1beta1
+metadata:
+  name: restrictedcustomfield
+spec:
+  crd:
+    spec:
+      names:
+        kind: RestrictedCustomField
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            expectedCustomField: 
+              type: boolean
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package restrictedcustomfield
+        violation[{"msg": msg}] {
+          got := input.review.object.spec.customField
+          expected := input.parameters.expectedCustomField
+          got == expected
+          msg := sprintf("foo object has restricted custom field value of %v", [expected])
+        }
+`
+
 	ConstraintAlwaysValidate = `
 kind: AlwaysValidate
 apiVersion: constraints.gatekeeper.sh/v1beta1
@@ -262,6 +290,22 @@ metadata:
   name: other
 `
 
+	ConstraintRestrictCustomField = `
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: RestrictedCustomField
+metadata:
+  name: restrict-foo-custom-field
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Foo"]
+    namespaces:
+      - "default"
+  parameters:
+    expectedCustomField: true
+`
+
 	Object = `
 kind: Object
 apiVersion: group.sh/v1
@@ -328,6 +372,17 @@ apiVersion: group.sh/v1
 metadata:
   name: object`
 
+	ObjectFooTemplate = `
+apiVersion: apps/v1
+kind: FooTemplate
+metadata:
+  name: foo-template
+spec:
+  template:
+    spec:
+      customField: true
+`
+
 	NamespaceSelected = `
 kind: Namespace
 apiVersion: /v1
@@ -608,4 +663,21 @@ spec:
       - apiGroups: ["*"]
         kinds: ["*"]
 `
+
+	ExpansionRestrictCustomField = `
+apiVersion: expansion.gatekeeper.sh/v1alpha1
+kind: ExpansionTemplate
+metadata:
+  name: expand-foo
+spec:
+  applyTo:
+  - groups: [ "apps" ]
+    kinds: [ "FooTemplate" ]
+    versions: [ "v1" ]
+  templateSource: "spec.template"
+  generatedGVK:
+    kind: "Foo"
+    group: ""
+    version: "v1"
+`
 )

pkg/gator/verify/runner_test.go

@@ -1170,6 +1170,68 @@ func TestRunner_Run(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "expansion system",
+			suite: Suite{
+				Tests: []Test{
+					{
+						Name:       "check custom field with expansion system",
+						Template:   "template.yaml",
+						Constraint: "constraint.yaml",
+						Expansion:  "expansion.yaml",
+						Cases: []*Case{
+							{
+								Name:       "Foo Template object",
+								Object:     "foo-template.yaml",
+								Assertions: []Assertion{{Message: ptr.To[string]("foo object has restricted custom field")}},
+							},
+						},
+					},
+					{
+						Name:       "check custom field without expansion system",
+						Template:   "template.yaml",
+						Constraint: "constraint.yaml",
+						Cases: []*Case{
+							{
+								Name:       "Foo Template object",
+								Object:     "foo-template.yaml",
+								Assertions: []Assertion{{Violations: gator.IntStrFromStr("no")}},
+							},
+						},
+					},
+				},
+			},
+			f: fstest.MapFS{
+				"template.yaml": &fstest.MapFile{
+					Data: []byte(fixtures.TemplateRestrictCustomField),
+				},
+				"constraint.yaml": &fstest.MapFile{
+					Data: []byte(fixtures.ConstraintRestrictCustomField),
+				},
+				"foo-template.yaml": &fstest.MapFile{
+					Data: []byte(fixtures.ObjectFooTemplate),
+				},
+				"expansion.yaml": &fstest.MapFile{
+					Data: []byte(fixtures.ExpansionRestrictCustomField),
+				},
+			},
+			want: SuiteResult{
+				TestResults: []TestResult{
+					{
+						Name: "check custom field with expansion system",
+						CaseResults: []CaseResult{
+							{Name: "Foo Template object"},
+						},
+					},
+					{
+						Name: "check custom field without expansion system",
+						CaseResults: []CaseResult{
+							{Name: "Foo Template object"},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {