DVO-111: Dynamic validation engine

bundle.Dockerfile

@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=deployment-validation-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.1
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.31.0+git
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=unknown
 

bundle/manifests/deployment-validation-operator.clusterserviceversion.yaml

@@ -4,8 +4,8 @@ metadata:
   annotations:
     alm-examples: '[]'
     capabilities: Basic Install
-    createdAt: "2023-08-24T07:58:38Z"
-    operators.operatorframework.io/builder: operator-sdk-v1.28.1
+    createdAt: "2023-09-12T14:13:09Z"
+    operators.operatorframework.io/builder: operator-sdk-v1.31.0+git
     operators.operatorframework.io/project_layout: unknown
   name: deployment-validation-operator.v0.0.0
   namespace: placeholder
@@ -82,6 +82,10 @@ spec:
                   valueFrom:
                     fieldRef:
                       fieldPath: metadata.name
+                - name: POD_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
                 image: quay.io/deployment-validation-operator/dv-operator:latest
                 imagePullPolicy: Always
                 livenessProbe:

bundle/metadata/annotations.yaml

@@ -5,6 +5,6 @@ annotations:
   operators.operatorframework.io.bundle.metadata.v1: metadata/
   operators.operatorframework.io.bundle.package.v1: deployment-validation-operator
   operators.operatorframework.io.bundle.channels.v1: alpha
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.1
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.31.0+git
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: unknown

deploy/openshift/operator.yaml

@@ -86,6 +86,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         volumeMounts:
         - name: dvo-config
           mountPath: /config

main.go

@@ -15,8 +15,9 @@ import (
 	apis "github.com/app-sre/deployment-validation-operator/api"
 	dvconfig "github.com/app-sre/deployment-validation-operator/config"
 	"github.com/app-sre/deployment-validation-operator/internal/options"
+	"github.com/app-sre/deployment-validation-operator/pkg/configmap"
 	"github.com/app-sre/deployment-validation-operator/pkg/controller"
-	dvo_prom "github.com/app-sre/deployment-validation-operator/pkg/prometheus"
+	dvoProm "github.com/app-sre/deployment-validation-operator/pkg/prometheus"
 	"github.com/app-sre/deployment-validation-operator/pkg/validations"
 	"github.com/app-sre/deployment-validation-operator/version"
 	"github.com/prometheus/client_golang/prometheus"
@@ -86,68 +87,66 @@ func setupManager(log logr.Logger, opts options.Options) (manager.Manager, error
 		return nil, fmt.Errorf("getting config: %w", err)
 	}
 
-	log.Info("Initialize Scheme")
+	log.Info("Initialize Manager")
 
-	scheme, err := initializeScheme()
+	mgr, err := initManager(log, opts, cfg)
 	if err != nil {
-		return nil, fmt.Errorf("initializing scheme: %w", err)
+		return nil, fmt.Errorf("initializing manager: %w", err)
 	}
 
-	log.Info("Initialize Manager")
+	log.Info("Registering Components")
 
-	mgrOpts, err := getManagerOptions(scheme, opts)
-	if err != nil {
-		return nil, fmt.Errorf("getting manager options: %w", err)
-	}
+	log.Info("Initialize Prometheus Registry")
 
-	mgr, err := manager.New(cfg, mgrOpts)
+	reg := prometheus.NewRegistry()
+	metrics, err := dvoProm.PreloadMetrics(reg)
 	if err != nil {
-		return nil, fmt.Errorf("initializing manager: %w", err)
+		return nil, fmt.Errorf("preloading kube-linter metrics: %w", err)
 	}
 
-	if err := mgr.AddHealthzCheck("health", healthz.Ping); err != nil {
-		return nil, fmt.Errorf("adding healthz check: %w", err)
-	}
+	log.Info(fmt.Sprintf("Initialize Prometheus metrics endpoint on %q", opts.MetricsEndpoint()))
 
-	if err := mgr.AddReadyzCheck("check", healthz.Ping); err != nil {
-		return nil, fmt.Errorf("adding readyz check: %w", err)
+	srv, err := dvoProm.NewServer(reg, opts.MetricsPath, fmt.Sprintf(":%d", opts.MetricsPort))
+	if err != nil {
+		return nil, fmt.Errorf("initializing metrics server: %w", err)
 	}
 
-	log.Info("Registering Components")
-
-	discoveryClient, err := discovery.NewDiscoveryClientForConfig(mgr.GetConfig())
-	if err != nil {
-		return nil, fmt.Errorf("initializing discovery client: %w", err)
+	if err := mgr.Add(srv); err != nil {
+		return nil, fmt.Errorf("adding metrics server to manager: %w", err)
 	}
 
-	gr, err := controller.NewGenericReconciler(mgr.GetClient(), discoveryClient)
+	log.Info("Initialize ConfigMap watcher")
+
+	cmWatcher, err := configmap.NewWatcher(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("initializing generic reconciler: %w", err)
+		return nil, fmt.Errorf("initializing configmap watcher: %w", err)
 	}
 
-	if err = gr.AddToManager(mgr); err != nil {
-		return nil, fmt.Errorf("adding generic reconciler to manager: %w", err)
+	if err := mgr.Add(cmWatcher); err != nil {
+		return nil, fmt.Errorf("adding configmap watcher to manager: %w", err)
 	}
 
-	log.Info("Initializing Prometheus Registry")
+	log.Info("Initialize Validation Engine")
 
-	reg := prometheus.NewRegistry()
+	err = validations.InitEngine(opts.ConfigFile, metrics)
+	if err != nil {
+		return nil, fmt.Errorf("initializing validation engine: %w", err)
+	}
 
-	log.Info(fmt.Sprintf("Initializing Prometheus metrics endpoint on %q", opts.MetricsEndpoint()))
+	log.Info("Initialize Reconciler")
 
-	srv, err := dvo_prom.NewServer(reg, opts.MetricsPath, fmt.Sprintf(":%d", opts.MetricsPort))
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(mgr.GetConfig())
 	if err != nil {
-		return nil, fmt.Errorf("initializing metrics server: %w", err)
+		return nil, fmt.Errorf("initializing discovery client: %w", err)
 	}
 
-	if err := mgr.Add(srv); err != nil {
-		return nil, fmt.Errorf("adding metrics server to manager: %w", err)
+	gr, err := controller.NewGenericReconciler(mgr.GetClient(), discoveryClient, cmWatcher)
+	if err != nil {
+		return nil, fmt.Errorf("initializing generic reconciler: %w", err)
 	}
 
-	log.Info("Initializing Validation Engine")
-
-	if err := validations.InitializeValidationEngine(opts.ConfigFile, reg); err != nil {
-		return nil, fmt.Errorf("initializing validation engine: %w", err)
+	if err = gr.AddToManager(mgr); err != nil {
+		return nil, fmt.Errorf("adding generic reconciler to manager: %w", err)
 	}
 
 	return mgr, nil
@@ -235,3 +234,33 @@ func kubeClientQPS() (float32, error) {
 	qps = float32(val)
 	return qps, err
 }
+
+func initManager(log logr.Logger, opts options.Options, cfg *rest.Config) (manager.Manager, error) {
+	log.Info("Initialize Scheme")
+	scheme, err := initializeScheme()
+	if err != nil {
+		return nil, fmt.Errorf("initializing scheme: %w", err)
+	}
+
+	log.Info("Getting Manager Options")
+	mgrOpts, err := getManagerOptions(scheme, opts)
+	if err != nil {
+		return nil, fmt.Errorf("getting manager options: %w", err)
+	}
+
+	mgr, err := manager.New(cfg, mgrOpts)
+	if err != nil {
+		return nil, fmt.Errorf("getting new manager: %w", err)
+	}
+
+	log.Info("Adding Healthz and Readyz checks")
+	if err := mgr.AddHealthzCheck("health", healthz.Ping); err != nil {
+		return nil, fmt.Errorf("adding healthz check: %w", err)
+	}
+
+	if err := mgr.AddReadyzCheck("check", healthz.Ping); err != nil {
+		return nil, fmt.Errorf("adding readyz check: %w", err)
+	}
+
+	return mgr, nil
+}

pkg/configmap/configmap_watcher.go

@@ -0,0 +1,185 @@
+package configmap
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"reflect"
+	"time"
+
+	"golang.stackrox.io/kube-linter/pkg/config"
+	"gopkg.in/yaml.v3"
+
+	"github.com/app-sre/deployment-validation-operator/pkg/validations"
+	"github.com/go-logr/logr"
+	apicorev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/cache"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// this structure mirrors Kube-Linter configuration structure
+// it is used as a bridge to unmarshall ConfigMap data
+// doc: https://pkg.go.dev/golang.stackrox.io/kube-linter/pkg/config#Config
+type KubeLinterChecks struct {
+	Checks struct {
+		AddAllBuiltIn        bool     `yaml:"addAllBuiltIn,omitempty"`
+		DoNotAutoAddDefaults bool     `yaml:"doNotAutoAddDefaults,omitempty"`
+		Exclude              []string `yaml:"exclude,omitempty"`
+		Include              []string `yaml:"include,omitempty"`
+		IgnorePaths          []string `yaml:"ignorePaths,omitempty"`
+	} `yaml:"checks"`
+}
+
+type Watcher struct {
+	clientset kubernetes.Interface
+	checks    KubeLinterChecks
+	ch        chan config.Config
+	logger    logr.Logger
+	namespace string
+}
+
+var configMapName = "deployment-validation-operator-config"
+var configMapDataAccess = "deployment-validation-operator-config.yaml"
+
+// NewWatcher creates a new Watcher instance for observing changes to a ConfigMap.
+//
+// Parameters:
+//   - cfg: A pointer to a rest.Config representing the Kubernetes client configuration.
+//
+// Returns:
+//   - A pointer to a Watcher instance for monitoring changes to DVO ConfigMap resource.
+//   - An error if there's an issue while initializing the Kubernetes clientset.
+func NewWatcher(cfg *rest.Config) (*Watcher, error) {
+	clientset, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("initializing clientset: %w", err)
+	}
+
+	// the Informer will use this to monitor the namespace for the ConfigMap.
+	namespace, err := getPodNamespace()
+	if err != nil {
+		return nil, fmt.Errorf("getting namespace: %w", err)
+	}
+
+	return &Watcher{
+		clientset: clientset,
+		logger:    log.Log.WithName("ConfigMapWatcher"),
+		ch:        make(chan config.Config),
+		namespace: namespace,
+	}, nil
+}
+
+// GetStaticKubelinterConfig returns the ConfigMap's checks configuration
+func (cmw *Watcher) GetStaticKubelinterConfig(ctx context.Context) (config.Config, error) {
+	cm, err := cmw.clientset.CoreV1().
+		ConfigMaps(cmw.namespace).Get(ctx, configMapName, v1.GetOptions{})
+	if err != nil {
+		return config.Config{}, fmt.Errorf("getting initial configuration: %w", err)
+	}
+
+	return cmw.getKubeLinterConfig(cm.Data[configMapDataAccess])
+}
+
+// Start will update the channel structure with new configuration data from ConfigMap update event
+func (cmw Watcher) Start(ctx context.Context) error {
+	factory := informers.NewSharedInformerFactoryWithOptions(
+		cmw.clientset, time.Second*30, informers.WithNamespace(cmw.namespace),
+	)
+	informer := factory.Core().V1().ConfigMaps().Informer()
+
+	informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ // nolint:errcheck
+		AddFunc: func(obj interface{}) {
+			newCm := obj.(*apicorev1.ConfigMap)
+
+			if configMapName != newCm.GetName() {
+				return
+			}
+
+			cmw.logger.Info(
+				"a ConfigMap has been created under watched namespace",
+				"name", newCm.GetName(),
+				"namespace", newCm.GetNamespace(),
+			)
+
+			cfg, err := cmw.getKubeLinterConfig(newCm.Data[configMapDataAccess])
+			if err != nil {
+				cmw.logger.Error(err, "ConfigMap data format")
+				return
+			}
+
+			cmw.ch <- cfg
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			newCm := newObj.(*apicorev1.ConfigMap)
+
+			// This is sometimes triggered even if no change was due to the ConfigMap
+			if configMapName != newCm.GetName() || reflect.DeepEqual(oldObj, newObj) {
+				return
+			}
+
+			cmw.logger.Info(
+				"a ConfigMap has been updated under watched namespace",
+				"name", newCm.GetName(),
+				"namespace", newCm.GetNamespace(),
+			)
+
+			cfg, err := cmw.getKubeLinterConfig(newCm.Data[configMapDataAccess])
+			if err != nil {
+				cmw.logger.Error(err, "ConfigMap data format")
+				return
+			}
+
+			cmw.ch <- cfg
+		},
+		DeleteFunc: func(oldObj interface{}) {
+			cm := oldObj.(*apicorev1.ConfigMap)
+
+			cmw.logger.Info(
+				"a ConfigMap has been deleted under watched namespace",
+				"name", cm.GetName(),
+				"namespace", cm.GetNamespace(),
+			)
+
+			cmw.ch <- config.Config{
+				Checks: validations.GetDefaultChecks(),
+			}
+		},
+	})
+
+	factory.Start(ctx.Done())
+
+	return nil
+}
+
+// ConfigChanged receives push notifications when the configuration is updated
+func (cmw *Watcher) ConfigChanged() <-chan config.Config {
+	return cmw.ch
+}
+
+// getKubeLinterConfig returns a valid Kube-linter Config structure
+// based on the checks received by the string
+func (cmw *Watcher) getKubeLinterConfig(data string) (config.Config, error) {
+	var cfg config.Config
+
+	err := yaml.Unmarshal([]byte(data), &cmw.checks)
+	if err != nil {
+		return cfg, fmt.Errorf("unmarshalling configmap data: %w", err)
+	}
+
+	cfg.Checks = config.ChecksConfig(cmw.checks.Checks)
+
+	return cfg, nil
+}
+
+func getPodNamespace() (string, error) {
+	namespace, exists := os.LookupEnv("POD_NAMESPACE")
+	if !exists {
+		return "", fmt.Errorf("could not find DVO pod")
+	}
+
+	return namespace, nil
+}