

lint and makefile
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
ritazh committed Feb 9, 2024
1 parent 10f64a8 commit 1632355
Showing 8 changed files with 52 additions and 40 deletions.
10 changes: 6 additions & 4 deletions Makefile
Expand Up @@ -22,7 +22,7 @@ KUSTOMIZE_VERSION ?= 3.8.9
BATS_VERSION ?= 1.8.2
ORAS_VERSION ?= 0.16.0
BATS_TESTS_FILE ?= test/bats/test.bats
KIND_CLUSTER_FILE ?= test/bats/kindcluster.yml
KIND_CLUSTER_FILE ?= test/bats/tests/kindcluster.yml
HELM_VERSION ?= 3.7.2
NODE_VERSION ?= 16-bullseye-slim
YQ_VERSION ?= 4.30.6
Expand All @@ -32,7 +32,7 @@ GATEKEEPER_NAMESPACE ?= gatekeeper-system

# When updating this, make sure to update the corresponding action in
# workflow.yaml
GOLANGCI_LINT_VERSION := v1.51.2
GOLANGCI_LINT_VERSION := v1.55.2

# Detects the location of the user golangci-lint cache.
GOLANGCI_LINT_CACHE := $(shell pwd)/.tmp/golangci-lint
Expand Down Expand Up @@ -170,9 +170,11 @@ KIND_NODE_VERSION := kindest/node:v$(KUBERNETES_VERSION)
e2e-bootstrap: e2e-dependencies
# Check for existing kind cluster
if [ $$(${GITHUB_WORKSPACE}/bin/kind get clusters) ]; then ${GITHUB_WORKSPACE}/bin/kind delete cluster; fi

# Create a new kind cluster
# TODO(ritazh): remove KIND_CLUSTER_FILE when vap feature is GA
TERM=dumb ${GITHUB_WORKSPACE}/bin/kind create cluster --config $(KIND_CLUSTER_FILE) --image $(KIND_NODE_VERSION) --wait 5m

if [ $$(echo $(KUBERNETES_VERSION) | cut -d'.' -f2) -lt 28 ]; then ${GITHUB_WORKSPACE}/bin/kind create cluster --image $(KIND_NODE_VERSION) --wait 5m; else ${GITHUB_WORKSPACE}/bin/kind create cluster --config $(KIND_CLUSTER_FILE) --image $(KIND_NODE_VERSION) --wait 5m; fi

e2e-build-load-image: docker-buildx e2e-build-load-externaldata-image
kind load docker-image --name kind ${IMG} ${CRD_IMG}
Expand Down Expand Up @@ -347,7 +349,7 @@ lint:
docker run --rm -v $(shell pwd):/app \
-v ${GOLANGCI_LINT_CACHE}:/root/.cache/golangci-lint \
-w /app golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine \
golangci-lint run -v
golangci-lint run -v --timeout 7m

# Generate code
generate: __conversion-gen __controller-gen
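Review bot: The conditional kind create in e2e-bootstrap drops the `TERM=dumb` prefix that the replaced single invocation carried, so both branches now run kind with the default TERM; if it was there to keep the progress spinner out of CI logs it should be put back on both commands, e.g. `then TERM=dumb ${GITHUB_WORKSPACE}/bin/kind create cluster --image $(KIND_NODE_VERSION) --wait 5m; else TERM=dumb ${GITHUB_WORKSPACE}/bin/kind create cluster --config $(KIND_CLUSTER_FILE) --image $(KIND_NODE_VERSION) --wait 5m; fi`. The version test reads only the second dotted component of KUBERNETES_VERSION, so it silently assumes a 1.x major; a short comment such as `# The kind config (VAP feature gate + runtimeConfig) is only valid on Kubernetes >= 1.28` would record why the branch exists and what that assumption is. Whether the replaced line also removed the TODO is inferred from the line counts, not visible directly.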
2 changes: 1 addition & 1 deletion main.go
Expand Up @@ -132,7 +132,7 @@ func init() {

// +kubebuilder:scaffold:scheme
flag.Var(disabledBuiltins, "disable-opa-builtin", "disable opa built-in function, this flag can be declared more than once.")
flag.Var(&constraint.VapEnforcement, "vap-enforcement", "control VAP resource generation. Allowed values are NONE:do not generate, GATEKEEPER_DEFAULT:do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explictly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explictly.")
flag.Var(&constraint.VapEnforcement, "vap-enforcement", "control VAP resource generation. Allowed values are NONE:do not generate, GATEKEEPER_DEFAULT:do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.")
}

func main() {
8 changes: 4 additions & 4 deletions pkg/controller/constraint/constants.go
@@ -1,12 +1,12 @@
package constraint

const (
// VapGenerationLabel indicates opting in and out preference for generating VAP objects
// VapGenerationLabel indicates opting in and out preference for generating VAP objects.
VapGenerationLabel = "gatekeeper.sh/use-vap"
// VapFlagNone:do not generate
// VapFlagNone:do not generate.
VapFlagNone = "NONE"
// VapFlagGatekeeperDefault:do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explictly
// VapFlagGatekeeperDefault:do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly.
VapFlagGatekeeperDefault = "GATEKEEPER_DEFAULT"
// VapFlagVapDefault: generate unless label gatekeeper.sh/use-vap: no is added to policy explictly
// VapFlagVapDefault: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.
VapFlagVapDefault = "VAP_DEFAULT"
)
9 changes: 4 additions & 5 deletions pkg/controller/constraint/constraint_controller.go
Expand Up @@ -63,18 +63,18 @@ var VapAPIEnabled *bool

var VapEnforcement VapFlagType

// VapFlagType is the custom type for the vap-enforcement flag
// VapFlagType is the custom type for the vap-enforcement flag.
type VapFlagType string

// Allowed values for VapFlagType
// Allowed values for VapFlagType.
var allowedVapFlagVals = []string{VapFlagNone, VapFlagGatekeeperDefault, VapFlagVapDefault}

// String returns the string representation of the flag value
// String returns the string representation of the flag value.
func (v *VapFlagType) String() string {
return string(*v)
}

// Set validates and sets the value for the VapFlagType
// Set validates and sets the value for the VapFlagType.
func (v *VapFlagType) Set(value string) error {
for _, val := range allowedVapFlagVals {
if val == value {
Expand Down Expand Up @@ -380,7 +380,6 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
if err != nil {
log.Error(err, "error converting to unstructured")
return reconcile.Result{}, err

}
un, err := runtime.DefaultUnstructuredConverter.ToUnstructured(newVapBinding)
if err != nil {
Original file line number Diff line number Diff line change
Expand Up @@ -320,7 +320,8 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
logError(request.NamespacedName.Name)
r.metrics.registry.add(request.NamespacedName, metrics.ErrorStatus)
return reconcile.Result{}, err
} else if !result.Requeue {
}
if !result.Requeue {
logAction(ct, deletedAction)
r.metrics.registry.remove(request.NamespacedName)
}
Expand Down Expand Up @@ -399,7 +400,9 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
logger.Error(err, "handle update error")
logError(request.NamespacedName.Name)
r.metrics.registry.add(request.NamespacedName, metrics.ErrorStatus)
} else if !result.Requeue {
return result, err
}
if !result.Requeue {
logAction(ct, action)
r.metrics.registry.add(request.NamespacedName, metrics.ActiveStatus)
}
Expand Down Expand Up @@ -536,7 +539,6 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
if err != nil {
logger.Error(err, "error converting to unstructured")
return reconcile.Result{}, err

}
un, err := runtime.DefaultUnstructuredConverter.ToUnstructured(newVap)
if err != nil {
Expand Down Expand Up @@ -566,8 +568,9 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
}
logger.Info("list gvk objects", "cstrObjs", cstrObjs)
for _, cstr := range cstrObjs {
c := cstr
logger.Info("triggering cstrEvent")
r.cstrEvents <- event.GenericEvent{Object: &cstr}
r.cstrEvents <- event.GenericEvent{Object: &c}
}
}
}
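Review bot: The `return result, err` added after the handle-update error logging in the second hunk changes the error path rather than just its shape: the old `else if` fell through to whatever follows the chain, while the new code leaves Reconcile there whenever err is non-nil. If the trailing code (outside the hunk) already returned `result, err` this is a no-op, but that cannot be confirmed from here, and a commit titled "lint" should not quietly carry a control-flow change; a comment on the return such as `// handleUpdate failed: error status and metrics already recorded, nothing further to do` would make the intent explicit either way. The `c := cstr` copy in the last hunk is correct for pre-1.22 loop-variable semantics and deserves a one-line why, `// copy: &cstr would alias the loop variable across iterations`. Both enclosing functions start and end outside the hunks.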
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@ import (
testclient "github.com/open-policy-agent/gatekeeper/v3/test/clients"
"github.com/open-policy-agent/gatekeeper/v3/test/testutils"
"golang.org/x/net/context"

admissionv1 "k8s.io/api/admission/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
corev1 "k8s.io/api/core/v1"
Expand All @@ -47,11 +46,9 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"

"k8s.io/client-go/kubernetes"
"k8s.io/client-go/util/retry"
"k8s.io/utils/ptr"
Expand Down Expand Up @@ -91,6 +88,7 @@ violation[{"msg": "denied!"}] {
},
}
}

func makeReconcileConstraintTemplateForVap(suffix string, labels map[string]string) *v1beta1.ConstraintTemplate {
source := &celSchema.Source{
FailurePolicy: ptr.To[string]("Fail"),
Expand Down Expand Up @@ -845,17 +843,17 @@ func newDenyAllCstr(suffix string) *unstructured.Unstructured {
return cstr
}

func newDenyAllCstrWithLabel(suffix string, labels map[string]string) *unstructured.Unstructured {
cstr := &unstructured.Unstructured{}
cstr.SetGroupVersionKind(schema.GroupVersionKind{
Group: "constraints.gatekeeper.sh",
Version: "v1beta1",
Kind: "DenyAll" + suffix,
})
cstr.SetName("denyallconstraintforvapbinding")
cstr.SetLabels(labels)
return cstr
}
// func newDenyAllCstrWithLabel(suffix string, labels map[string]string) *unstructured.Unstructured {
// cstr := &unstructured.Unstructured{}
// cstr.SetGroupVersionKind(schema.GroupVersionKind{
// Group: "constraints.gatekeeper.sh",
// Version: "v1beta1",
// Kind: "DenyAll" + suffix,
// })
// cstr.SetName("denyallconstraintforvapbinding")
// cstr.SetLabels(labels)
// return cstr
// }

func getCTByPodStatus(templ *v1beta1.ConstraintTemplate) (v1beta1.ByPodStatus, bool) {
statuses := templ.Status.ByPod
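Review bot: newDenyAllCstrWithLabel is commented out rather than removed, which leaves the dead code the linter objected to sitting in the file as a comment block; delete it outright, since version control keeps it if it is needed again. The import hunk also keeps `"golang.org/x/net/context"`, which is only a deprecated alias for the standard `context` package; the usual choice is `"context"` in the stdlib group. The enclosing import block and the surrounding helpers start and end outside the hunks.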
21 changes: 17 additions & 4 deletions test/bats/test.bats
Expand Up @@ -71,14 +71,27 @@ teardown_file() {
#kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml

@test "vap test" {
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
local api="$(kubectl api-resources | grep validatingadmission)"
if [[ -z "$api" ]]; then
echo "vap is not enabled for the cluster. skip vap test"
else
echo "${api}"
kubectl get deploy -n gatekeeper-system -oyaml
kubectl get ValidatingAdmissionPolicy

wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicy gatekeeper-k8srequiredlabelsvap"
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"

kubectl delete --ignore-not-found ValidatingAdmissionPolicy gatekeeper-k8srequiredlabelsvap
# check status resource on expansion template
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get constrainttemplates.templates.gatekeeper.sh k8srequiredlabelsvap -ojson | jq -r -e '.status.byPod[0]'"

kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml
kubectl get constrainttemplates.templates.gatekeeper.sh k8srequiredlabelsvap -oyaml

wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicy gatekeeper-k8srequiredlabelsvap"

kubectl delete --ignore-not-found ValidatingAdmissionPolicy gatekeeper-k8srequiredlabelsvap

kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml
fi
}

@test "gatekeeper mutation test" {
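Review bot: When the api-resources check finds no validatingadmission resource the test only echoes a message and passes, so a cluster where VAP is unexpectedly unavailable reports green; bats has a mechanism for exactly this, `skip "vap is not enabled for the cluster"`, which records the case as skipped rather than passed and removes the need for the else branch. The `kubectl get deploy -n gatekeeper-system -oyaml` and the bare `kubectl get ValidatingAdmissionPolicy` lines look like debugging output left in; they dump full manifests into the CI log on every run, so consider removing them or keeping them behind a verbosity variable. The test body is fully visible; teardown_file starts outside the hunk.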
5 changes: 1 addition & 4 deletions test/bats/tests/kindcluster.yml
Expand Up @@ -3,7 +3,4 @@ apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
ValidatingAdmissionPolicy: true
runtimeConfig:
admissionregistration.k8s.io/v1alpha1: true
nodes:
- role: control-plane
image: kindest/node:v1.28.0
admissionregistration.k8s.io/v1beta1: true
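Review bot: The runtimeConfig now enables only admissionregistration.k8s.io/v1beta1, while the test section in this same commit still imports the v1alpha1 admissionregistration types; if the controller creates ValidatingAdmissionPolicy objects through v1alpha1, a kind cluster built from this file will not serve that version, and the e2e run would fail for a reason unrelated to the policies under test. This is inferred from the import alone, as the client code issuing the requests is not in the diff; either enable both versions here or confirm the controller is on v1beta1. A comment recording the intent, `# VAP is beta on Kubernetes 1.28: serve the v1beta1 API; the node image is supplied by the Makefile's --image flag`, would also explain why the nodes block was dropped.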
