🤖 Sync from open-cluster-management-io/config-policy-controller: #146, #147

controllers/configurationpolicy_controller.go

@@ -71,6 +71,7 @@ var (
  reasonWantFoundExists = "Resource found as expected"
  reasonWantFoundCreated = "K8s creation success"
  reasonUpdateSuccess = "K8s update success"
+ reasonDeleteSuccess = "K8s deletion success"
  reasonWantFoundNoMatch = "Resource found but does not match"
  reasonWantFoundDNE = "Resource not found but should exist"
  reasonWantNotFoundExists = "Resource found but should not exist"
@@ -1236,11 +1237,6 @@ func (r *ConfigurationPolicyReconciler) handleObjectTemplates(plc policyv1.Confi
  if statusUpdateNeeded {
  parentStatusUpdateNeeded = true
 
- // Doesn't account for state change...
- if !compliant {
- plc.Status.ComplianceState = policyv1.NonCompliant
- }
-
  // Don't send events on the last batch because the final call to checkRelatedAndUpdate
  // after all the object templates are processed handles this.
  if i == len(eventBatches)-1 {
@@ -2032,7 +2028,7 @@ func (r *ConfigurationPolicyReconciler) enforceByCreatingOrDeleting(obj singleOb
  } else {
  log.V(2).Info("Created missing must have object", "resource", obj.gvr.Resource, "name", obj.name)
  reason = reasonWantFoundCreated
- msg = fmt.Sprintf("%v %v was missing, and was created successfully", obj.gvr.Resource, idStr)
+ msg = fmt.Sprintf("%v %v was created successfully", obj.gvr.Resource, idStr)
 
  var uidIsString bool
  uid, uidIsString, err = unstructured.NestedString(obj.object.Object, "metadata", "uid")
@@ -2050,8 +2046,8 @@ func (r *ConfigurationPolicyReconciler) enforceByCreatingOrDeleting(obj singleOb
  reason = "K8s deletion error"
  msg = fmt.Sprintf("%v %v exists, and cannot be deleted, reason: `%v`", obj.gvr.Resource, idStr, err)
  } else {
- reason = "K8s deletion success"
- msg = fmt.Sprintf("%v %v existed, and was deleted successfully", obj.gvr.Resource, idStr)
+ reason = reasonDeleteSuccess
+ msg = fmt.Sprintf("%v %v was deleted successfully", obj.gvr.Resource, idStr)
  obj.object = nil
  }
  }

controllers/configurationpolicy_controller_test.go

@@ -461,7 +461,7 @@ func TestCreateStatus(t *testing.T) {
  },
  true,
  "K8s `must have` object already exists",
- "configmaps [buzz] found as specified, therefore, this object template is compliant in namespace toy-story",
+ "configmaps [buzz] found as specified in namespace toy-story",
  },
  {
  "must have single object compliant cluster-scoped",
@@ -479,7 +479,7 @@ func TestCreateStatus(t *testing.T) {
  },
  true,
  "K8s `must have` object already exists",
- "namespaces [movies] found as specified, therefore, this object template is compliant",
+ "namespaces [movies] found as specified",
  },
  {
  "must have multiple namespaces single object compliant",
@@ -506,8 +506,7 @@ func TestCreateStatus(t *testing.T) {
  },
  true,
  "K8s `must have` object already exists",
- "configmaps [buzz] found as specified, therefore, this object template is compliant in namespaces: " +
- "toy-story, toy-story3",
+ "configmaps [buzz] found as specified in namespaces: toy-story, toy-story3",
  },
  {
  "must have unnamed object compliant",
@@ -534,8 +533,7 @@ func TestCreateStatus(t *testing.T) {
  },
  true,
  "K8s `must have` object already exists",
- "secrets [bo-peep] found as specified, therefore, this object template is compliant in namespace " +
- "toy-story4; secrets [buzz] found as specified, therefore, this object template is compliant in " +
+ "secrets [bo-peep] found as specified in namespace toy-story4; secrets [buzz] found as specified in " +
  "namespace toy-story",
  },
  {
@@ -554,7 +552,7 @@ func TestCreateStatus(t *testing.T) {
  },
  true,
  "K8s creation success",
- "configmaps [buzz] was missing, and was created successfully in namespace toy-story",
+ "configmaps [buzz] was created successfully in namespace toy-story",
  },
  {
  "must have single object created in one namespace and exists in another",
@@ -581,8 +579,8 @@ func TestCreateStatus(t *testing.T) {
  },
  true,
  "K8s `must have` object already exists; K8s creation success",
- "configmaps [buzz] found as specified, therefore, this object template is compliant in namespace " +
- "toy-story4; configmaps [buzz] was missing, and was created successfully in namespace toy-story",
+ "configmaps [buzz] found as specified in namespace toy-story4; configmaps [buzz] was created " +
+ "successfully in namespace toy-story",
  },
  {
  "must have single object not found in one of the namespaces",
@@ -663,8 +661,25 @@ func TestCreateStatus(t *testing.T) {
  },
  true,
  "K8s `must not have` object already missing",
- "configmaps [buzz] missing as expected, therefore, this object template is compliant in namespace " +
- "toy-story",
+ "configmaps [buzz] missing as expected in namespace toy-story",
+ },
+ {
+ "must not have single object deleted",
+ "configmaps",
+ map[string]*objectTmplEvalResultWithEvent{
+ "toy-story": {
+ result: objectTmplEvalResult{
+ objectNames: []string{"buzz"},
+ },
+ event: objectTmplEvalEvent{
+ compliant: true,
+ reason: reasonDeleteSuccess,
+ },
+ },
+ },
+ true,
+ "K8s deletion success",
+ "configmaps [buzz] was deleted successfully in namespace toy-story",
  },
  {
  "unnamed object single error",

controllers/configurationpolicy_utils.go

@@ -491,6 +491,7 @@ func createStatus(
  reasonWantFoundExists,
  reasonWantFoundCreated,
  reasonUpdateSuccess,
+ reasonDeleteSuccess,
  reasonWantFoundDNE,
  reasonWantFoundNoMatch,
  reasonWantNotFoundDNE,
@@ -566,15 +567,16 @@ func createStatus(
  switch reason {
  case reasonWantFoundExists:
  generatedReason = "K8s `must have` object already exists"
- generatedMsg = fmt.Sprintf(
- "%s%s found as specified, therefore, this object template is compliant", resourceName, namesStr,
- )
+ generatedMsg = fmt.Sprintf("%s%s found as specified", resourceName, namesStr)
  case reasonWantFoundCreated:
  generatedReason = reasonWantFoundCreated
- generatedMsg = fmt.Sprintf("%s%s was missing, and was created successfully", resourceName, namesStr)
+ generatedMsg = fmt.Sprintf("%s%s was created successfully", resourceName, namesStr)
  case reasonUpdateSuccess:
  generatedReason = reasonUpdateSuccess
  generatedMsg = fmt.Sprintf("%s%s was updated successfully", resourceName, namesStr)
+ case reasonDeleteSuccess:
+ generatedReason = reasonDeleteSuccess
+ generatedMsg = fmt.Sprintf("%s%s was deleted successfully", resourceName, namesStr)
  case reasonWantFoundDNE:
  generatedReason = "K8s does not have a `must have` object"
  compliancyDetailsMsg += fmt.Sprintf("%s%s not found", resourceName, namesStr)
@@ -586,9 +588,7 @@ func createStatus(
  compliancyDetailsMsg += fmt.Sprintf("%s%s found", resourceName, namesStr)
  case reasonWantNotFoundDNE:
  generatedReason = "K8s `must not have` object already missing"
- compliancyDetailsMsg += fmt.Sprintf(
- "%s%s missing as expected, therefore, this object template is compliant", resourceName, namesStr,
- )
+ compliancyDetailsMsg += fmt.Sprintf("%s%s missing as expected", resourceName, namesStr)
  default:
  // If it's not one of the above reasons, then skip consolidation. This is likely an error being
  // reported.

test/e2e/case13_templatization_test.go

@@ -223,10 +223,7 @@ var _ = Describe("Test templatization", func() {
  case13LookupClusterClaim, testNamespace, true, defaultTimeoutSeconds)
 
  return utils.GetStatusMessage(managedPlc)
- }, defaultTimeoutSeconds, 1).Should(Equal(
- "pods [testvalue] found as specified, therefore, this object template is compliant in " +
- "namespace default",
- ))
+ }, defaultTimeoutSeconds, 1).Should(Equal("pods [testvalue] found as specified in namespace default"))
  utils.Kubectl("delete", "configurationpolicy", case13LookupSecret, "-n", testNamespace)
  utils.Kubectl("delete", "configurationpolicy", case13LookupClusterClaim, "-n", testNamespace)
  })

test/e2e/case15_event_format_test.go

@@ -133,7 +133,7 @@ var _ = Describe("Testing compliance event formatting", func() {
  Expect(compParentEventsPreCreation).NotTo(BeEmpty())
  compParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, case15BecomesCompliantParentName,
  "policy: "+testNamespace+"/"+case15BecomesCompliantName,
- "^Compliant;.*and was created successfully in namespace default$", defaultTimeoutSeconds)
+ "^Compliant;.*was created successfully in namespace default$", defaultTimeoutSeconds)
  Expect(compParentEvents).NotTo(BeEmpty())
  })
  It("Records events for a policy that becomes noncompliant", func() {

test/e2e/case27_showupdateinstatus_test.go

@@ -28,10 +28,7 @@ var _ = Describe("Verify status update after updating object", Ordered, func() {
  case27ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds)
 
  return utils.GetStatusMessage(managedPlc)
- }, 120, 1).Should(Equal(
- "configmaps [case27-map] found as specified, therefore, this object template is compliant in " +
- "namespace default",
- ))
+ }, 120, 1).Should(Equal("configmaps [case27-map] found as specified in namespace default"))
  })
  It("configmap and status should be updated properly on the managed cluster", func() {
  By("Updating " + case27ConfigPolicyName + " on managed")

test/e2e/case4_clusterversion_test.go

@@ -59,8 +59,7 @@ var _ = Describe("Test cluster version obj template handling", func() {
  case4ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds)
 
  return utils.GetStatusMessage(managedPlc)
- }, 120, 1).Should(Equal(
- "clusterversions [version] found as specified, therefore, this object template is compliant"))
+ }, 120, 1).Should(Equal("clusterversions [version] found as specified"))
  })
  It("Cleans up", func() {
  policies := []string{

test/e2e/case5_multi_test.go

@@ -152,19 +152,15 @@ var _ = Describe("Test multiple obj template handling", func() {
  case5MultiNSInformConfigPolicyName, 0, defaultTimeoutSeconds, expectedMsg)
  })
  It("Should show merged messages when it is multiple namespaces", func() {
- expectedMsg := "pods [case5-multi-namespace-enforce-pod] found as specified, therefore, this object " +
- "template is compliant in namespaces: n1, n2, n3"
+ expectedMsg := "pods [case5-multi-namespace-enforce-pod] found as specified in namespaces: n1, n2, n3"
  utils.Kubectl("apply", "-f", case5EnforceYaml)
  utils.DoConfigPolicyMessageTest(clientManagedDynamic, gvrConfigPolicy, testNamespace,
  case5MultiNSConfigPolicyName, 0, defaultTimeoutSeconds, expectedMsg)
  })
  It("Should show 3 merged messages when it is multiple namespaces and multiple obj-template", func() {
- firstMsg := "pods [case5-multi-obj-temp-pod-11] found as specified, therefore, this object template is " +
- "compliant in namespaces: n1, n2, n3"
- secondMsg := "pods [case5-multi-obj-temp-pod-22] found as specified, therefore, this object template is " +
- "compliant in namespaces: n1, n2, n3"
- thirdMsg := "pods [case5-multi-obj-temp-pod-33] found as specified, therefore, this object template is " +
- "compliant in namespaces: n1, n2, n3"
+ firstMsg := "pods [case5-multi-obj-temp-pod-11] found as specified in namespaces: n1, n2, n3"
+ secondMsg := "pods [case5-multi-obj-temp-pod-22] found as specified in namespaces: n1, n2, n3"
+ thirdMsg := "pods [case5-multi-obj-temp-pod-33] found as specified in namespaces: n1, n2, n3"
  utils.Kubectl("apply", "-f", case5MultiObjTmpYaml)
  utils.DoConfigPolicyMessageTest(clientManagedDynamic, gvrConfigPolicy, testNamespace,
  case5MultiObjNSConfigPolicyName, 0, defaultTimeoutSeconds, firstMsg)