From 9876b068b8412338fb5e68c3df56f8fc98d73d90 Mon Sep 17 00:00:00 2001 From: Justin Kulikauskas Date: Thu, 9 May 2024 14:14:06 -0400 Subject: [PATCH] Report compliant when NS missing in mustnothave Previously, when the namespace specified for the operator in an OperatorPolicy was not found, the policy would always be noncompliant. But in mustnothave mode, it should be compliant (assuming everything else is right). Refs: - https://issues.redhat.com/browse/ACM-11549 Signed-off-by: Justin Kulikauskas (cherry picked from commit 3db27608d2fb1c062bd266c3ad477a719da9c549) --- controllers/operatorpolicy_controller.go | 2 +- test/e2e/case38_install_operator_test.go | 38 ++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/controllers/operatorpolicy_controller.go b/controllers/operatorpolicy_controller.go index d7a720d2..9ed5a7ed 100644 --- a/controllers/operatorpolicy_controller.go +++ b/controllers/operatorpolicy_controller.go @@ -369,7 +369,7 @@ func (r *OperatorPolicyReconciler) buildResources(ctx context.Context, policy *p return sub, opGroup, false, fmt.Errorf("error getting operator namespace: %w", err) } - if gotNamespace == nil { + if gotNamespace == nil && policy.Spec.ComplianceType.IsMustHave() { validationErrors = append(validationErrors, fmt.Errorf("the operator namespace ('%v') does not exist", opGroupNS)) } diff --git a/test/e2e/case38_install_operator_test.go b/test/e2e/case38_install_operator_test.go index a729a674..b8ea0dfe 100644 --- a/test/e2e/case38_install_operator_test.go +++ b/test/e2e/case38_install_operator_test.go @@ -2750,6 +2750,44 @@ var _ = Describe("Testing OperatorPolicy", Ordered, func() { ) }) }) + Describe("Test mustnothave message when the namespace does not exist", func() { + const ( + opPolYAML = "../resources/case38_operator_install/operator-policy-no-group.yaml" + opPolName = "oppol-no-group" + subName = "project-quay" + ) + + BeforeEach(func() { + utils.Kubectl("create", "ns", opPolTestNS) + DeferCleanup(func() { + utils.Kubectl("delete", "ns", opPolTestNS) + }) + + createObjWithParent(parentPolicyYAML, parentPolicyName, + opPolYAML, opPolTestNS, gvrPolicy, gvrOperatorPolicy) + }) + + It("should report compliant", func() { + // change the subscription namespace, and the complianceType to mustnothave + utils.Kubectl("patch", "operatorpolicy", opPolName, "-n", opPolTestNS, "--type=json", "-p", + `[{"op": "replace", "path": "/spec/subscription/namespace", "value": "imaginaryfriend"},`+ + `{"op": "replace", "path": "/spec/complianceType", "value": "mustnothave"}]`) + + check( + opPolName, + false, + []policyv1.RelatedObject{}, + metav1.Condition{ + Type: "ValidPolicySpec", + Status: metav1.ConditionTrue, + Reason: "PolicyValidated", + Message: "the policy spec is valid", + }, + "the policy spec is valid", + ) + checkCompliance(opPolName, opPolTestNS, eventuallyTimeout, policyv1.Compliant) + }) + }) Describe("Testing mustnothave behavior of operator groups in DeleteIfUnused mode", Ordered, func() { const ( opPolYAML = "../resources/case38_operator_install/operator-policy-mustnothave-any-version.yaml"