[Enhancement] Please clarify the use of double curly braces for jmesPath in external variables

[jsalatiel]

Description

It would be really nice if the docs could clearly explain the difference/possibility of using double curly braces in jmespath for external variables.
I tried to create a policy that would set a variable based in one optional annotation or fallback to another annotation ( mandatory ) , in this case prefixed by some path.

The only way that worked ( thanks to @realshuting ) was to mix part of the request without double curly brace and part of it with double curly brace like this.

    - name: mountpath
      variable:
        jmesPath: request.object.metadata.annotations.optional || '/etc/ssl/{{request.object.metadata.annotations.mandatory"}}'

It would be nice to have a better understanding of that in the docs. Is that only for concatenation? What else?

Thanks!

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1728944204996649

[welcome]

Thanks for opening your first issue here! Be sure to follow the issue template!

[realshuting]

Adding working samples, playground.

[realshuting]

By default for a plain JMESPath variable, no double curly brackets are needed in variable.jmesPath, for example:

    - name: mountpath
      variable:
        jmesPath: request.object.metadata.annotations.optional

Nested variables need to be wrapped with {{}}, for example:

    - name: mountpath
      variable:
        jmesPath: request.object.metadata.annotations.optional || '/custom/string/{{request.object.metadata.annotations.mandatory"}}'

[A-5ingh]

/assign

[cerebro1]

@realshuting Please /assign
Also quick question:
I was doing a bit of research on where this should go and i think this seems like the right place: https://kyverno.io/docs/writing-policies/jmespath/#basics

We already have a paragraph here mentioning the following:

JMESPath expressions in most places in Kyverno must be enclosed in double curly braces like {{request.namespace}}. If an expression is used as the value of a field and contains nothing else, the expression needs to be wrapped in quotes: appns: "{{request.namespace}}". If the value field contains other text outside of the expression, then it can be unquoted and treated as a string but this isn’t strictly required: message: The namespace name is {{request.namespace}}.

I think we can update the above text.

Or do you think it should go in Variables over here: https://kyverno.io/docs/writing-policies/variables/
Since we do not necessarily need {{}} to reference the plain JMESPath variable. We need it for the nested variables.

Or we can mention both places and add the example you have shared above in the Variables doc.

Let me know what you guys think.

[cerebro1]

@JimBugwadia @realshuting
Please /assign this

[realshuting]

Or do you think it should go in Variables over here: https://kyverno.io/docs/writing-policies/variables/
Since we do not necessarily need {{}} to reference the plain JMESPath variable. We need it for the nested variables.

This makes sense to me! Since we have jmesPath under each attribute of a rule context, we can clarify the same on the variables page.