Fix compliance when created resource has a status #161
Conversation
|
I can squash the |
| hasStatus := false | ||
| if tmplObj, err := unmarshalFromJSON(objectT.ObjectDefinition.Raw); err == nil { | ||
| _, hasStatus = tmplObj.Object["status"] | ||
| } | ||
|
|
||
| if completed && hasStatus { | ||
| msg += ", but has a status that might not be correct yet" | ||
| reason += ", but has a status that might not be correct yet" | ||
| result.events = append(result.events, objectTmplEvalEvent{false, reason, msg}) | ||
| } else { | ||
| result.events = append(result.events, objectTmplEvalEvent{completed, reason, msg}) | ||
| } |
There was a problem hiding this comment.
This is the creation flow, right? Does it still stay NonCompliant if a NonCompliant policy is updated and the status doesn't match or does some logic need to be there also?
There was a problem hiding this comment.
Good catch, somehow I didn't think about the update flow having this same potential issue!
There was a problem hiding this comment.
It looks like it might work correctly, but I'll adjust the test to be sure.
There was a problem hiding this comment.
There was a problem hiding this comment.
Initially, the CI here failed, but from the logs it looked like that was because the config-policy-controller was a little overwhelmed with the parallel tests. Because this test uses the status of another configurationpolicy, it can take extra loops to do what is expected... so bumping the timeouts to the default (1 minute) fixed it.
JustinKuli
force-pushed
the
7020-enforced-w-status-compliance
branch
2 times, most recently
from
3421b23
to
d9736b5
Compare
| } | ||
|
|
||
| if completed && hasStatus { | ||
| msg += ", but has a status that might not be correct yet" |
There was a problem hiding this comment.
How about this?
| msg += ", but has a status that might not be correct yet" | |
| msg += ". The status will be validated on the next evaluation." |
There was a problem hiding this comment.
Instead, perhaps msg += ". The status will be verified on the next evaluation."
There was a problem hiding this comment.
Good suggestion! I've reworded it slightly again, and I wanted to keep the comma: if a policy has multiple objects, the messages will be combined with semicolons, so using a period in the middle of a message seemed like it could be weird.
I also adjusted the reason to be shorter now.
| metadata: | ||
| name: default | ||
| status: | ||
| lastEvaluatedGeneration: 3 |
There was a problem hiding this comment.
Haha--I thought the same thing! I had to give it a double-take.
There was a problem hiding this comment.
I like config policies, so I put a config policy in my config policy, so I can test config policies with config policies.
| @@ -0,0 +1,78 @@ | |||
| // Copyright (c) 2023 Red Hat, Inc. | |||
| // Copyright Contributors to the Open Cluster Management project | |||
There was a problem hiding this comment.
the file name what does "w" mean?
There was a problem hiding this comment.
"with" - as in "enforce with status"
Previously, the template would always be marked as compliant after the resource it defines was created. But if the object definition included a `status`, then the object might not actually match what was desired. Now, in this case, the template will be marked as non-compliant. Refs: - https://issues.redhat.com/browse/ACM-7020 Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
The `object` and `unstruct` fields were not self-explanatory. Now they are `existingObj` and `desiredObj` respectively. This will help readers understand why they are used the way they are. Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
In both instances, the object is already assured to be non-nil, so there are no errors that can occur here. Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
By keeping track of which branch we're in, it became obvious that the `generateSingleObjReason` calls were actually just static lookups. So that function has been removed. Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
Putting this in the function itself means that the function could be called from multiple places, and the metrics would still be recorded. Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
JustinKuli
force-pushed
the
7020-enforced-w-status-compliance
branch
from
d9736b5
to
02cf4b5
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JustinKuli, mprahl, yiraeChristineKim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-robot
merged commit 406ccf7
into
open-cluster-management-io:main
Previously, the template would always be marked as compliant after the resource it defines was created. But if the object definition included a
status, then the object might not actually match what was desired. Now, in this case, the template will be marked as non-compliant.Refs: