diff --git a/controllers/configurationpolicy_controller.go b/controllers/configurationpolicy_controller.go
index 2eccbc9e..1da37943 100644
--- a/controllers/configurationpolicy_controller.go
+++ b/controllers/configurationpolicy_controller.go
@@ -71,6 +71,7 @@ var (
 reasonWantFoundExists = "Resource found as expected"
 reasonWantFoundCreated = "K8s creation success"
 reasonUpdateSuccess = "K8s update success"
+ reasonDeleteSuccess = "K8s deletion success"
 reasonWantFoundNoMatch = "Resource found but does not match"
 reasonWantFoundDNE = "Resource not found but should exist"
 reasonWantNotFoundExists = "Resource found but should not exist"
@@ -1236,11 +1237,6 @@ func (r *ConfigurationPolicyReconciler) handleObjectTemplates(plc policyv1.Confi
 if statusUpdateNeeded {
 parentStatusUpdateNeeded = true
- // Doesn't account for state change...
- if !compliant {
- plc.Status.ComplianceState = policyv1.NonCompliant
- }
-
 // Don't send events on the last batch because the final call to checkRelatedAndUpdate
 // after all the object templates are processed handles this.
 if i == len(eventBatches)-1 {
@@ -2032,7 +2028,7 @@ func (r *ConfigurationPolicyReconciler) enforceByCreatingOrDeleting(obj singleOb
 } else {
 log.V(2).Info("Created missing must have object", "resource", obj.gvr.Resource, "name", obj.name)
 reason = reasonWantFoundCreated
- msg = fmt.Sprintf("%v %v was missing, and was created successfully", obj.gvr.Resource, idStr)
+ msg = fmt.Sprintf("%v %v was created successfully", obj.gvr.Resource, idStr)
 var uidIsString bool
 uid, uidIsString, err = unstructured.NestedString(obj.object.Object, "metadata", "uid")
@@ -2050,8 +2046,8 @@ func (r *ConfigurationPolicyReconciler) enforceByCreatingOrDeleting(obj singleOb
 reason = "K8s deletion error"
 msg = fmt.Sprintf("%v %v exists, and cannot be deleted, reason: `%v`", obj.gvr.Resource, idStr, err)
 } else {
- reason = "K8s deletion success"
- msg = fmt.Sprintf("%v %v existed, and was deleted successfully", obj.gvr.Resource, idStr)
+ reason = reasonDeleteSuccess
+ msg = fmt.Sprintf("%v %v was deleted successfully", obj.gvr.Resource, idStr)
 obj.object = nil
 }
 }
diff --git a/controllers/configurationpolicy_controller_test.go b/controllers/configurationpolicy_controller_test.go
index 280cd019..29e93437 100644
--- a/controllers/configurationpolicy_controller_test.go
+++ b/controllers/configurationpolicy_controller_test.go
@@ -461,7 +461,7 @@ func TestCreateStatus(t *testing.T) {
 },
 true,
 "K8s `must have` object already exists",
- "configmaps [buzz] found as specified, therefore, this object template is compliant in namespace toy-story",
+ "configmaps [buzz] found as specified in namespace toy-story",
 },
 {
 "must have single object compliant cluster-scoped",
@@ -479,7 +479,7 @@ func TestCreateStatus(t *testing.T) {
 },
 true,
 "K8s `must have` object already exists",
- "namespaces [movies] found as specified, therefore, this object template is compliant",
+ "namespaces [movies] found as specified",
 },
 {
 "must have multiple namespaces single object compliant",
@@ -506,8 +506,7 @@ func TestCreateStatus(t *testing.T) {
 },
 true,
 "K8s `must have` object already exists",
- "configmaps [buzz] found as specified, therefore, this object template is compliant in namespaces: " +
- "toy-story, toy-story3",
+ "configmaps [buzz] found as specified in namespaces: toy-story, toy-story3",
 },
 {
 "must have unnamed object compliant",
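Review bot: In the first hunk at this anchor (enforceByCreatingOrDeleting, controllers/configurationpolicy_controller.go) the success branch now assigns `reasonDeleteSuccess`, but the error branch just above it still uses the literal `reason = "K8s deletion error"`. Reasons are compared by value in createStatus, so keeping one half of the pair as a free-standing string invites drift the compiler cannot catch. Declaring it beside the new variable and using it here (e.g. `reasonDeleteError = "K8s deletion error"`, the name is only a suggestion) keeps both deletion outcomes in one place. The function starts and ends outside the hunk, so other reason literals may remain that are not visible here.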
@@ -534,8 +533,7 @@ func TestCreateStatus(t *testing.T) {
 },
 true,
 "K8s `must have` object already exists",
- "secrets [bo-peep] found as specified, therefore, this object template is compliant in namespace " +
- "toy-story4; secrets [buzz] found as specified, therefore, this object template is compliant in " +
+ "secrets [bo-peep] found as specified in namespace toy-story4; secrets [buzz] found as specified in " +
 "namespace toy-story",
 },
 {
@@ -554,7 +552,7 @@ func TestCreateStatus(t *testing.T) {
 },
 true,
 "K8s creation success",
- "configmaps [buzz] was missing, and was created successfully in namespace toy-story",
+ "configmaps [buzz] was created successfully in namespace toy-story",
 },
 {
 "must have single object created in one namespace and exists in another",
@@ -581,8 +579,8 @@ func TestCreateStatus(t *testing.T) {
 },
 true,
 "K8s `must have` object already exists; K8s creation success",
- "configmaps [buzz] found as specified, therefore, this object template is compliant in namespace " +
- "toy-story4; configmaps [buzz] was missing, and was created successfully in namespace toy-story",
+ "configmaps [buzz] found as specified in namespace toy-story4; configmaps [buzz] was created " +
+ "successfully in namespace toy-story",
 },
 {
 "must have single object not found in one of the namespaces",
@@ -663,8 +661,25 @@ func TestCreateStatus(t *testing.T) {
 },
 true,
 "K8s `must not have` object already missing",
- "configmaps [buzz] missing as expected, therefore, this object template is compliant in namespace " +
- "toy-story",
+ "configmaps [buzz] missing as expected in namespace toy-story",
+ },
+ {
+ "must not have single object deleted",
+ "configmaps",
+ map[string]*objectTmplEvalResultWithEvent{
+ "toy-story": {
+ result: objectTmplEvalResult{
+ objectNames: []string{"buzz"},
+ },
+ event: objectTmplEvalEvent{
+ compliant: true,
+ reason: reasonDeleteSuccess,
+ },
+ },
+ },
+ true,
+ "K8s deletion success",
+ "configmaps [buzz] was deleted successfully in namespace toy-story",
 },
 {
 "unnamed object single error",
diff --git a/controllers/configurationpolicy_utils.go b/controllers/configurationpolicy_utils.go
index ba706aa9..452a304d 100644
--- a/controllers/configurationpolicy_utils.go
+++ b/controllers/configurationpolicy_utils.go
@@ -491,6 +491,7 @@ func createStatus(
 reasonWantFoundExists,
 reasonWantFoundCreated,
 reasonUpdateSuccess,
+ reasonDeleteSuccess,
 reasonWantFoundDNE,
 reasonWantFoundNoMatch,
 reasonWantNotFoundDNE,
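Review bot: The added "must not have single object deleted" case in TestCreateStatus (first hunk at this anchor) covers `reasonDeleteSuccess` for a single namespace only, so nothing pins how a deletion is merged with other results. The table already does this for creation ("must have single object created in one namespace and exists in another"); a matching case with one namespace reporting `reasonDeleteSuccess` and another reporting `reasonWantNotFoundDNE` would assert the joined reason and message. That combination looks like a common outcome when an enforced `must not have` policy spans several namespaces, though the consolidation code itself is outside this hunk.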
@@ -566,15 +567,16 @@ func createStatus(
 switch reason {
 case reasonWantFoundExists:
 generatedReason = "K8s `must have` object already exists"
- generatedMsg = fmt.Sprintf(
- "%s%s found as specified, therefore, this object template is compliant", resourceName, namesStr,
- )
+ generatedMsg = fmt.Sprintf("%s%s found as specified", resourceName, namesStr)
 case reasonWantFoundCreated:
 generatedReason = reasonWantFoundCreated
- generatedMsg = fmt.Sprintf("%s%s was missing, and was created successfully", resourceName, namesStr)
+ generatedMsg = fmt.Sprintf("%s%s was created successfully", resourceName, namesStr)
 case reasonUpdateSuccess:
 generatedReason = reasonUpdateSuccess
 generatedMsg = fmt.Sprintf("%s%s was updated successfully", resourceName, namesStr)
+ case reasonDeleteSuccess:
+ generatedReason = reasonDeleteSuccess
+ generatedMsg = fmt.Sprintf("%s%s was deleted successfully", resourceName, namesStr)
 case reasonWantFoundDNE:
 generatedReason = "K8s does not have a `must have` object"
 compliancyDetailsMsg += fmt.Sprintf("%s%s not found", resourceName, namesStr)
@@ -586,9 +588,7 @@ func createStatus(
 compliancyDetailsMsg += fmt.Sprintf("%s%s found", resourceName, namesStr)
 case reasonWantNotFoundDNE:
 generatedReason = "K8s `must not have` object already missing"
- compliancyDetailsMsg += fmt.Sprintf(
- "%s%s missing as expected, therefore, this object template is compliant", resourceName, namesStr,
- )
+ compliancyDetailsMsg += fmt.Sprintf("%s%s missing as expected", resourceName, namesStr)
 default:
 // If it's not one of the above reasons, then skip consolidation. This is likely an error being
 // reported.
diff --git a/test/e2e/case13_templatization_test.go b/test/e2e/case13_templatization_test.go
index d2acfa7d..f539cfe7 100644
--- a/test/e2e/case13_templatization_test.go
+++ b/test/e2e/case13_templatization_test.go
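Review bot: The strings rewritten in this switch (first hunk at this anchor, createStatus in controllers/configurationpolicy_utils.go) are an external contract that the code does not document. The e2e changes in the same commit compare them with `Equal(...)` and match compliance events by regex, so any alerting or audit tooling keyed on the old wording will stop matching without an error. A comment above `switch reason {` such as `// These messages surface in policy status and compliance events; wording changes are user-visible.` would flag that for the next edit, and the change deserves a release note. Also, the new `case reasonDeleteSuccess:` sets `generatedMsg` while the other must-not-have case, `reasonWantNotFoundDNE`, appends to `compliancyDetailsMsg`; how the two are combined lies outside the hunk, so please confirm the difference is intended.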
@@ -223,10 +223,7 @@ var _ = Describe("Test templatization", func() {
 case13LookupClusterClaim, testNamespace, true, defaultTimeoutSeconds)
 return utils.GetStatusMessage(managedPlc)
- }, defaultTimeoutSeconds, 1).Should(Equal(
- "pods [testvalue] found as specified, therefore, this object template is compliant in " +
- "namespace default",
- ))
+ }, defaultTimeoutSeconds, 1).Should(Equal("pods [testvalue] found as specified in namespace default"))
 utils.Kubectl("delete", "configurationpolicy", case13LookupSecret, "-n", testNamespace)
 utils.Kubectl("delete", "configurationpolicy", case13LookupClusterClaim, "-n", testNamespace)
 })
diff --git a/test/e2e/case15_event_format_test.go b/test/e2e/case15_event_format_test.go
index af9a293e..95fd53e0 100644
--- a/test/e2e/case15_event_format_test.go
+++ b/test/e2e/case15_event_format_test.go
@@ -133,7 +133,7 @@ var _ = Describe("Testing compliance event formatting", func() {
 Expect(compParentEventsPreCreation).NotTo(BeEmpty())
 compParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, case15BecomesCompliantParentName, "policy: "+testNamespace+"/"+case15BecomesCompliantName,
- "^Compliant;.*and was created successfully in namespace default$", defaultTimeoutSeconds)
+ "^Compliant;.*was created successfully in namespace default$", defaultTimeoutSeconds)
 Expect(compParentEvents).NotTo(BeEmpty())
 })
 It("Records events for a policy that becomes noncompliant", func() {
diff --git a/test/e2e/case27_showupdateinstatus_test.go b/test/e2e/case27_showupdateinstatus_test.go
index 82a6bbff..61317c91 100644
--- a/test/e2e/case27_showupdateinstatus_test.go
+++ b/test/e2e/case27_showupdateinstatus_test.go
@@ -28,10 +28,7 @@ var _ = Describe("Verify status update after updating object", Ordered, func() {
 case27ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds)
 return utils.GetStatusMessage(managedPlc)
- }, 120, 1).Should(Equal(
- "configmaps [case27-map] found as specified, therefore, this object template is compliant in " +
- "namespace default",
- ))
+ }, 120, 1).Should(Equal("configmaps [case27-map] found as specified in namespace default"))
 })
 It("configmap and status should be updated properly on the managed cluster", func() {
 By("Updating " + case27ConfigPolicyName + " on managed")
diff --git a/test/e2e/case4_clusterversion_test.go b/test/e2e/case4_clusterversion_test.go
index b04d1a4a..3c3d5c9a 100644
--- a/test/e2e/case4_clusterversion_test.go
+++ b/test/e2e/case4_clusterversion_test.go
@@ -59,8 +59,7 @@ var _ = Describe("Test cluster version obj template handling", func() {
 case4ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds)
 return utils.GetStatusMessage(managedPlc)
- }, 120, 1).Should(Equal(
- "clusterversions [version] found as specified, therefore, this object template is compliant"))
+ }, 120, 1).Should(Equal("clusterversions [version] found as specified"))
 })
 It("Cleans up", func() {
 policies := []string{
diff --git a/test/e2e/case5_multi_test.go b/test/e2e/case5_multi_test.go
index 026f1a43..a335831a 100644
--- a/test/e2e/case5_multi_test.go
+++ b/test/e2e/case5_multi_test.go
@@ -152,19 +152,15 @@ var _ = Describe("Test multiple obj template handling", func() {
 case5MultiNSInformConfigPolicyName, 0, defaultTimeoutSeconds, expectedMsg)
 })
 It("Should show merged messages when it is multiple namespaces", func() {
- expectedMsg := "pods [case5-multi-namespace-enforce-pod] found as specified, therefore, this object " +
- "template is compliant in namespaces: n1, n2, n3"
+ expectedMsg := "pods [case5-multi-namespace-enforce-pod] found as specified in namespaces: n1, n2, n3"
 utils.Kubectl("apply", "-f", case5EnforceYaml)
 utils.DoConfigPolicyMessageTest(clientManagedDynamic, gvrConfigPolicy, testNamespace,
 case5MultiNSConfigPolicyName, 0, defaultTimeoutSeconds, expectedMsg)
 })
 It("Should show 3 merged messages when it is multiple namespaces and multiple obj-template", func() {
- firstMsg := "pods [case5-multi-obj-temp-pod-11] found as specified, therefore, this object template is " +
- "compliant in namespaces: n1, n2, n3"
- secondMsg := "pods [case5-multi-obj-temp-pod-22] found as specified, therefore, this object template is " +
- "compliant in namespaces: n1, n2, n3"
- thirdMsg := "pods [case5-multi-obj-temp-pod-33] found as specified, therefore, this object template is " +
- "compliant in namespaces: n1, n2, n3"
+ firstMsg := "pods [case5-multi-obj-temp-pod-11] found as specified in namespaces: n1, n2, n3"
+ secondMsg := "pods [case5-multi-obj-temp-pod-22] found as specified in namespaces: n1, n2, n3"
+ thirdMsg := "pods [case5-multi-obj-temp-pod-33] found as specified in namespaces: n1, n2, n3"
 utils.Kubectl("apply", "-f", case5MultiObjTmpYaml)
 utils.DoConfigPolicyMessageTest(clientManagedDynamic, gvrConfigPolicy, testNamespace,
 case5MultiObjNSConfigPolicyName, 0, defaultTimeoutSeconds, firstMsg)