openshift-kni · by2waysprojects · Oct 16, 2025
diff --git a/controllers/utils/policy_util.go b/controllers/utils/policy_util.go
@@ -287,18 +287,24 @@ func StripObjectTemplatesRaw(tmplStr string) string {
 	}
 
 	// Get everything between sets of brackets as substrings
-	bracketRegex := regexp.MustCompile(`\{{[^}]+}\}`)
+	// e.g. "name: test-{{ hub range (lookup "v1" "Secret" "policies" "" "").items hub }}"
+	bracketRegex := regexp.MustCompile(`([:]\s*[a-zA-Z0-9-]+\s*)\{{[^}]+}\}`)
 
-	// Each result here will be a substring including the start and end brackets
-	// e.g. "{{ $example.var.usage }}"
-	bracketSubstrings := bracketRegex.FindAllStringSubmatch(result, -1)
+	// Each result here will be replaced with the key from the map
+	// e.g. "name: test-{{ hub range (lookup "v1" "Secret" "policies" "" "").items hub }}"
+	// -> "name: test-"
+	result = bracketRegex.ReplaceAllString(result, "$1")
 
-	// For our usage all our results will be an array with a single item
-	// so we will just use item[0] here
-	for _, item := range bracketSubstrings {
+	// Get everything between sets of brackets as substrings
+	// e.g. "{{ hub range (lookup "v1" "Secret" "policies" "" "").items hub }}"
+	bracketRegexLineWide := regexp.MustCompile(`\n\s*[^\\\n]*\{{[^}]+}\}`)
+
+	bracketSubstringsLineWide := bracketRegexLineWide.FindAllStringSubmatch(result, -1)
+
+	for _, item := range bracketSubstringsLineWide {
 		// We want to remove all the ACM templates and the hub side templates
 		// Deletes the template line entirely, including the newline at the end
-		result = strings.Replace(result+"\n", item[0], "", 1)
+		result = strings.Replace(result+"\n", item[0], "\n", 1)
 	}
 
 	return result

diff --git a/controllers/utils/policy_util_test.go b/controllers/utils/policy_util_test.go
@@ -295,6 +295,68 @@ func TestStripObjectTemplatesRaw(t *testing.T) {
 	objectDefinition:
 `,
 		},
+		{
+			name: "Templated policy with object-templates-raw",
+			inputRawTemplate: `apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: test
+  namespace: policies
+spec:
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: test
+      spec:
+        object-templates-raw: |
+          {{hub range (lookup "v1" "Secret" "policies" "" "").items hub}}
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: v1
+              kind: ConfigMap
+              metadata:
+                name: {{hub .metadata.name hub}}
+                namespace: policies
+              stringData:
+                test: ''
+          {{hub end hub}}
+        pruneObjectBehavior: DeleteIfCreated
+        remediationAction: inform
+        severity: low
+			`,
+			expectedResult: `apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: test
+  namespace: policies
+spec:
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: test
+      spec:
+        object-templates-raw: |
+
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: v1
+              kind: ConfigMap
+              metadata:
+
+                namespace: policies
+              stringData:
+                test: ''
+
+        pruneObjectBehavior: DeleteIfCreated
+        remediationAction: inform
+        severity: low`,
+		},
 	}
 
 	// Loop over all test cases
@@ -312,3 +374,63 @@ func TestStripObjectTemplatesRaw(t *testing.T) {
 		})
 	}
 }
+
+func TestInspectPolicyObjects(t *testing.T) {
+	testcases := []struct {
+		name             string
+		inputRawTemplate string
+		expectedResult   bool
+	}{
+		{
+			name: "Templated policy with object-templates-raw",
+			inputRawTemplate: `
+          {{hub range (lookup "v1" "Secret" "policies" "" "").items hub}}
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: v1
+              kind: ConfigMap
+              metadata:
+                name: {{hub .metadata.name hub}}
+                namespace: policies
+              stringData:
+                test: ''
+              status:
+                state: AtLatestKnown
+          {{hub end hub}}`,
+			expectedResult: true,
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			policy := &unstructured.Unstructured{}
+			policy.SetUnstructuredContent(map[string]interface{}{
+				"apiVersion": "policy.open-cluster-management.io/v1",
+				"kind":       "Policy",
+				"metadata": map[string]interface{}{
+					"name":      "test",
+					"namespace": "policies",
+				},
+				"spec": map[string]interface{}{
+					"disabled": false,
+					"policy-templates": []interface{}{
+						map[string]interface{}{
+							"objectDefinition": map[string]interface{}{
+								"apiVersion": "policy.open-cluster-management.io/v1",
+								"kind":       "ConfigurationPolicy",
+								"metadata": map[string]interface{}{
+									"name": "test",
+								},
+								"spec": map[string]interface{}{
+									"object-templates-raw": tc.inputRawTemplate,
+								},
+							},
+						},
+					},
+				}})
+			actualResult, err := InspectPolicyObjects(policy)
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expectedResult, actualResult)
+		})
+	}
+}