From ed3cc488471a26d1f342eaf92a62a2731ac77ebb Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Tue, 21 Jan 2025 14:19:35 +0100
Subject: [PATCH] fix: Policy/policy.open-cluster-management.io stuck in progressing status when no clusters match the policy (#21296) (#21297)
Signed-off-by: Michele Baldessari
---
 .../Policy/health.lua | 17 +++++-
 .../Policy/health_test.yaml | 8 +++
 ...ealthy_with_placement_empty_compliant.yaml | 55 +++++++++++++++++++
 .../testdata/progressing_no_status.yaml | 51 +++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml
 create mode 100644 resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/health.lua b/resource_customizations/policy.open-cluster-management.io/Policy/health.lua
index b969c367e121e..3ecf863bfeddd 100644
--- a/resource_customizations/policy.open-cluster-management.io/Policy/health.lua
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/health.lua
@@ -1,9 +1,24 @@
 hs = {}
-if obj.status == nil or obj.status.compliant == nil then
+if obj.status == nil then
 hs.status = "Progressing"
 hs.message = "Waiting for the status to be reported"
 return hs
 end
+
+-- A policy will not have a compliant field but will have a placement key set if
+-- it is not being applied to any clusters
+if obj.status.compliant == nil and #obj.status.placement > 0 and obj.status.status == nil then
+ hs.status = "Healthy"
+ hs.message = "No clusters match this policy"
+ return hs
+end
+
+if obj.status.compliant == nil then
+ hs.status = "Progressing"
+ hs.message = "Waiting for the status to be reported"
+ return hs
+end
+
 if obj.status.compliant == "Compliant" then
 hs.status = "Healthy"
 else
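Review bot: The added second branch evaluates `#obj.status.placement` without first checking that `placement` exists, so a Policy whose `status` is present but carries neither `compliant` nor `placement` would raise a Lua error (length of a nil value) instead of returning Progressing, which is what the old combined check did. Guard it before taking the length, e.g. `if obj.status.compliant == nil and obj.status.status == nil and obj.status.placement ~= nil and #obj.status.placement > 0 then`. Neither added fixture exercises that shape (`progressing_no_status.yaml` has no `status` key at all), so a third test input with an empty or partial `status` would pin the behaviour. Separately, reporting Healthy for a policy bound to zero clusters means an `enforce` policy that applies nowhere shows green in Argo CD; a comment such as `-- Healthy here means "nothing to evaluate", not "compliant"; a placement that selects no clusters is only visible via hs.message` would help operators who read health as compliance coverage. The trailing `if`/`else` continues past the end of the hunk.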
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml b/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml
index ede9cc5c8a2c0..b2caab5155a15 100644
--- a/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml
@@ -15,3 +15,11 @@ tests:
 status: Healthy
 message: All templates are compliant
 inputPath: testdata/healthy_replicated.yaml
+ - healthStatus:
+ status: Progressing
+ message: Waiting for the status to be reported
+ inputPath: testdata/progressing_no_status.yaml
+ - healthStatus:
+ status: Healthy
+ message: No clusters match this policy
+ inputPath: testdata/healthy_with_placement_empty_compliant.yaml
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml
new file mode 100644
index 0000000000000..118f28354aade
--- /dev/null
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml
@@ -0,0 +1,55 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ annotations:
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ labels:
+ argocd.argoproj.io/instance: acm
+ name: acm-hub-ca-policy
+ namespace: open-cluster-management
+spec:
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: acm-hub-ca-config-policy
+ spec:
+ namespaceSelector:
+ include:
+ - default
+ object-templates:
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
+ | base64enc hub}}'
+ hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
+ "service-ca.crt" | base64enc hub}}'
+ kind: Secret
+ metadata:
+ name: hub-ca
+ namespace: golang-external-secrets
+ type: Opaque
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: |
+ {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
+ hub-openshift-service-ca.crt: |
+ {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
+ kind: ConfigMap
+ metadata:
+ name: trusted-hub-bundle
+ namespace: imperative
+ remediationAction: enforce
+ severity: medium
+ remediationAction: enforce
+status:
+ placement:
+ - placementBinding: acm-hub-ca-policy-placement-binding
+ placementRule: acm-hub-ca-policy-placement
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml
new file mode 100644
index 0000000000000..1b5d985ab2972
--- /dev/null
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml
@@ -0,0 +1,51 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ annotations:
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ labels:
+ argocd.argoproj.io/instance: acm
+ name: acm-hub-ca-policy
+ namespace: open-cluster-management
+spec:
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: acm-hub-ca-config-policy
+ spec:
+ namespaceSelector:
+ include:
+ - default
+ object-templates:
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
+ | base64enc hub}}'
+ hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
+ "service-ca.crt" | base64enc hub}}'
+ kind: Secret
+ metadata:
+ name: hub-ca
+ namespace: golang-external-secrets
+ type: Opaque
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: |
+ {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
+ hub-openshift-service-ca.crt: |
+ {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
+ kind: ConfigMap
+ metadata:
+ name: trusted-hub-bundle
+ namespace: imperative
+ remediationAction: enforce
+ severity: medium
+ remediationAction: enforce