feat: Add open-cluster-management.io healthchecks (#19411)

Healthchecks for several Policy types.

Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>

resource_customizations/policy.open-cluster-management.io/CertificatePolicy/health.lua

@@ -0,0 +1,15 @@
+hs = {}
+if obj.status == nil or obj.status.compliant == nil then
+  hs.status = "Progressing"
+  hs.message = "Waiting for the status to be reported"
+  return hs
+end
+if obj.status.compliant == "Compliant" then
+  hs.status = "Healthy"
+  hs.message = "All certificates found comply with the policy"
+  return hs
+else
+  hs.status = "Degraded"
+  hs.message = "At least once certificate does not comply with the policy"
+  return hs
+end

resource_customizations/policy.open-cluster-management.io/CertificatePolicy/health_test.yaml

@@ -0,0 +1,13 @@
+tests:
+  - healthStatus:
+      status: Progressing
+      message: Waiting for the status to be reported
+    inputPath: testdata/progressing_no_status.yaml
+  - healthStatus:
+      status: Degraded
+      message: At least once certificate does not comply with the policy
+    inputPath: testdata/degraded.yaml
+  - healthStatus:
+      status: Healthy
+      message: All certificates found comply with the policy
+    inputPath: testdata/healthy.yaml

resource_customizations/policy.open-cluster-management.io/CertificatePolicy/testdata/degraded.yaml

@@ -0,0 +1,34 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: CertificatePolicy
+metadata:
+  name: policy-certificate
+  namespace: local-cluster
+spec:
+  minimumDuration: 3000h
+  namespaceSelector:
+    exclude:
+      - kube-*
+    include:
+      - default
+      - cert-manager-operator
+  remediationAction: inform
+  severity: low
+status:
+  compliancyDetails:
+    cert-manager-operator:
+      message: |
+        Found 1 non compliant certificates in the namespace cert-manager-operator.
+        List of non compliant certificates:
+        ca-root-secret expires in 2159h53m40.509362797s
+      nonCompliantCertificates: 1
+      nonCompliantCertificatesList:
+        ca-root-secret:
+          ca: true
+          duration: 7776000000000000
+          expiration: 2159h53m40.509362797s
+          expiry: 7775620509362797
+          secretName: ca-root-secret
+    default:
+      message: |
+        Found 0 non compliant certificates in the namespace default.
+  compliant: NonCompliant

resource_customizations/policy.open-cluster-management.io/CertificatePolicy/testdata/healthy.yaml

@@ -0,0 +1,24 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: CertificatePolicy
+metadata:
+  name: policy-certificate
+  namespace: local-cluster
+spec:
+  minimumDuration: 300h
+  namespaceSelector:
+    exclude:
+      - kube-*
+    include:
+      - default
+      - cert-manager-operator
+  remediationAction: inform
+  severity: low
+status:
+  compliancyDetails:
+    cert-manager-operator:
+      message: |
+        Found 0 non compliant certificates in the namespace cert-manager-operator.
+    default:
+      message: |
+        Found 0 non compliant certificates in the namespace default.
+  compliant: Compliant

resource_customizations/policy.open-cluster-management.io/CertificatePolicy/testdata/progressing_no_status.yaml

@@ -0,0 +1,15 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: CertificatePolicy
+metadata:
+  name: policy-certificate
+  namespace: local-cluster
+spec:
+  minimumDuration: 300h
+  namespaceSelector:
+    exclude:
+      - kube-*
+    include:
+      - default
+      - cert-manager-operator
+  remediationAction: inform
+  severity: low

resource_customizations/policy.open-cluster-management.io/ConfigurationPolicy/health.lua

@@ -0,0 +1,33 @@
+hs = {}
+if obj.status == nil or obj.status.compliant == nil then
+  hs.status = "Progressing"
+  hs.message = "Waiting for the status to be reported"
+  return hs
+end
+if obj.status.lastEvaluatedGeneration ~= obj.metadata.generation then
+  hs.status = "Progressing"
+  hs.message = "Waiting for the status to be updated"
+  return hs  
+end
+if obj.status.compliant == "Compliant" then
+  hs.status = "Healthy"
+else
+  hs.status = "Degraded"
+end
+if obj.status.compliancyDetails ~= nil then
+  messages = {}
+  for i, compliancy in ipairs(obj.status.compliancyDetails) do
+    if compliancy.conditions ~= nil then
+      for i, condition in ipairs(compliancy.conditions) do
+        if condition.message ~= nil and condition.type ~= nil then
+          table.insert(messages, condition.type .. " - " .. condition.message)
+        end
+      end
+    end
+  end
+  hs.message = table.concat(messages, "; ")
+  return hs
+end
+hs.status = "Progressing"
+hs.message = "Waiting for compliance"
+return hs 

resource_customizations/policy.open-cluster-management.io/ConfigurationPolicy/health_test.yaml

@@ -0,0 +1,27 @@
+tests:
+  - healthStatus:
+      status: Progressing
+      message: Waiting for the status to be reported
+    inputPath: testdata/progressing_no_status.yaml
+  - healthStatus:
+      status: Degraded
+      message: >-
+        violation - namespaces [argo-example] not found; violation - namespaces
+        [argo-example-2] not found
+    inputPath: testdata/degraded.yaml
+  - healthStatus:
+      status: Progressing
+      message: Waiting for the status to be updated
+    inputPath: testdata/progressing.yaml
+  - healthStatus:
+      status: Healthy
+      message: >-
+        notification - namespaces [argo-example] was created successfully;
+        notification - namespaces [argo-example-2] was created successfully
+    inputPath: testdata/healthy_created.yaml
+  - healthStatus:
+      status: Healthy
+      message: >-
+        notification - namespaces [argo-example] found as specified;
+        notification - namespaces [argo-example-2] found as specified
+    inputPath: testdata/healthy_found.yaml

resource_customizations/policy.open-cluster-management.io/ConfigurationPolicy/testdata/degraded.yaml

@@ -0,0 +1,61 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-namespace
+  generation: 2
+  namespace: local-cluster
+spec:
+  object-templates:
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example
+      recreateOption: None
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example-2
+      recreateOption: None
+  pruneObjectBehavior: None
+  remediationAction: inform
+  severity: low
+status:
+  compliancyDetails:
+    - Compliant: NonCompliant
+      Validity: {}
+      conditions:
+        - lastTransitionTime: '2024-07-29T16:34:29Z'
+          message: 'namespaces [argo-example] not found'
+          reason: K8s does not have a `must have` object
+          status: 'True'
+          type: violation
+    - Compliant: NonCompliant
+      Validity: {}
+      conditions:
+        - lastTransitionTime: '2024-07-29T16:39:00Z'
+          message: 'namespaces [argo-example-2] not found'
+          reason: K8s does not have a `must have` object
+          status: 'True'
+          type: violation
+  compliant: NonCompliant
+  lastEvaluated: '2024-07-29T16:39:18Z'
+  lastEvaluatedGeneration: 2
+  relatedObjects:
+    - compliant: NonCompliant
+      object:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example
+      reason: Resource not found but should exist
+    - compliant: NonCompliant
+      object:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example-2
+      reason: Resource not found but should exist

resource_customizations/policy.open-cluster-management.io/ConfigurationPolicy/testdata/healthy_created.yaml

@@ -0,0 +1,67 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-namespace
+  generation: 3
+  namespace: local-cluster
+spec:
+  object-templates:
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example
+      recreateOption: None
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example-2
+      recreateOption: None
+  pruneObjectBehavior: None
+  remediationAction: enforce
+  severity: low
+status:
+  compliancyDetails:
+    - Compliant: Compliant
+      Validity: {}
+      conditions:
+        - lastTransitionTime: '2024-07-29T16:58:50Z'
+          message: 'namespaces [argo-example] was created successfully'
+          reason: K8s creation success
+          status: 'True'
+          type: notification
+    - Compliant: Compliant
+      Validity: {}
+      conditions:
+        - lastTransitionTime: '2024-07-29T16:58:50Z'
+          message: 'namespaces [argo-example-2] was created successfully'
+          reason: K8s creation success
+          status: 'True'
+          type: notification
+  compliant: Compliant
+  lastEvaluated: '2024-07-29T16:58:50Z'
+  lastEvaluatedGeneration: 3
+  relatedObjects:
+    - compliant: Compliant
+      object:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example
+      properties:
+        createdByPolicy: true
+        uid: 782f50ee-4fa9-41d6-900e-66d9eaf8b111
+      reason: K8s creation success
+    - compliant: Compliant
+      object:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example-2
+      properties:
+        createdByPolicy: true
+        uid: ce34051f-a0dc-4db2-9f8f-64cc9223d4d7
+      reason: K8s creation success

resource_customizations/policy.open-cluster-management.io/ConfigurationPolicy/testdata/healthy_found.yaml

@@ -0,0 +1,67 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-namespace
+  generation: 3
+  namespace: local-cluster
+spec:
+  object-templates:
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example
+      recreateOption: None
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example-2
+      recreateOption: None
+  pruneObjectBehavior: None
+  remediationAction: enforce
+  severity: low
+status:
+  compliancyDetails:
+    - Compliant: Compliant
+      Validity: {}
+      conditions:
+        - lastTransitionTime: '2024-07-29T16:58:59Z'
+          message: 'namespaces [argo-example] found as specified'
+          reason: K8s `must have` object already exists
+          status: 'True'
+          type: notification
+    - Compliant: Compliant
+      Validity: {}
+      conditions:
+        - lastTransitionTime: '2024-07-29T16:58:59Z'
+          message: 'namespaces [argo-example-2] found as specified'
+          reason: K8s `must have` object already exists
+          status: 'True'
+          type: notification
+  compliant: Compliant
+  lastEvaluated: '2024-07-29T16:59:26Z'
+  lastEvaluatedGeneration: 3
+  relatedObjects:
+    - compliant: Compliant
+      object:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example
+      properties:
+        createdByPolicy: true
+        uid: 782f50ee-4fa9-41d6-900e-66d9eaf8b111
+      reason: Resource found as expected
+    - compliant: Compliant
+      object:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: argo-example-2
+      properties:
+        createdByPolicy: true
+        uid: ce34051f-a0dc-4db2-9f8f-64cc9223d4d7
+      reason: Resource found as expected