[BUG] volatileConfig exclude statements cannot tolerate multiple references to the same rule

[ralphbean]

Describe the Bug

If you specify more than one exclude entry with an imageRef for the same rule (but with different imageRefs), then EC fails, calling it invalid when I try to apply it to my cluster.

Steps to Reproduce

Construct an policy with the following volatileConfig:

volatileConfig:
  exclude:
    - value: cve.cve_blockers
      imageRef: sha256:d363597a0a7d555e16bec72095cd1a928d081ddd6f3764883f128525fd4fe226
    - value: cve.cve_blockers
      imageRef: sha256:b993ec75adad17dcccf49b67d985bdc23b70e1a6a2c4858241fec2a49b8b5902
    - value: cve.cve_blockers
      imageRef: sha256:5cfc89651593af9a84f9a852aae9775884a6ee0551f0e84f03d5c11f93ef30b5

Expected Behavior

You can successfully apply that policy to the cluster and ec cli will process it and it will ignore cve.cve_blockers for those three refs.

Actual Behavior

Applying the resource to the cluster fails with:

The EnterpriseContractPolicy "..." is invalid: spec.sources[0].volatileConfig.exclude[1]: Duplicate value: map[string]interface {}{"value":"cve.cve_blockers"}
``

[simonbaird]

IIUC the schema is generated from the CRD, which might be this?

[simonbaird]

From @joejstuart in slack:

// +listType:=map
// +listMapKey:=value

It appears that, even though it's a list, the x-kubernetes-list-type: map means the value is used as a map key, therefore it is required to be unique.

[simonbaird]

listType:=atomic might be the solution.