fix: Only set ConstraintTemplate's status.created on success

[stek29]

What this PR does / why we need it:
Currently ConstraintTemplate's .status.created field is set to true if there's at least one ConstraintTemplatePodStatus for it.
However, it doesn't check if ConstraintTemplatePodStatus has actually succeeded (has no errors). This PR fixes that – .status.created is only set to true if there's at least one ConstraintTemplatePodStatus for this template with no errors.

I've also noticed that Err..Code constants are used inconsistently in the constrainttemplate controller, so I've fixed that too. Please tell me if it has to be separated into a different PR.

Which issue(s) this PR fixes:
Fixes #2053

[codecov-commenter]

Codecov Report

Merging #2208 (bad1f8c) into master (13692a9) will increase coverage by 0.14%.
The diff coverage is 70.00%.

@@            Coverage Diff             @@
##           master    #2208      +/-   ##
==========================================
+ Coverage   54.26%   54.41%   +0.14%     
==========================================
  Files         111      111              
  Lines        9529     9535       +6     
==========================================
+ Hits         5171     5188      +17     
+ Misses       3957     3949       -8     
+ Partials      401      398       -3     

Flag	Coverage Δ
unittests	54.41% <70.00%> (+0.14%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...onstrainttemplate/constrainttemplate_controller.go	56.59% <33.33%> (+1.67%)	⬆️
...platestatus/constrainttemplatestatus_controller.go	70.58% <85.71%> (+1.56%)	⬆️
pkg/readiness/list.go	91.17% <0.00%> (+11.76%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 13692a9...bad1f8c. Read the comment docs.

[stek29]

I'm not sure on how to test the other path (when byPod has a error), the only way I can think of is a different test which only has constraintTemplateStatus controller started, without ConstraintTemplateController running, and adding a fakePod PodStatus – and I'm not quite sure on how to do that properly.

[maxsmythe]

thanks for the PR!

Probably the easiest way to hit the other path (all show errors) is to try to apply a constraint template with invalid Rego in it:

violation[ or similar.

[stek29]

@maxsmythe I've already tried that and failed, because I forgot to remove Constraint operations, so tests were hanging indefinitely because CRDs were missing.

Done, I've tests for .status.created being false :)

[ritazh]

this is still a sufficient test case without the typo right? can we remove the typo?

[stek29]

@ritazh the typo was accidental, didn't notice it :D

[ritazh]

maybe not hardcode this but instead pass in a var?

[stek29]

verifyTByPodStatusCount has it hardcoded, that's why I've kept it hardcoded :)

I'd suggest to add a const with a name instead of passing a var or hardcoding, would that be fine?

[ritazh]

Few nits, but otherwise LGTM

[maxsmythe]

Thank you for the PR! LGTM, LMK when it's ready to merge vis-a-vis Rita's comments.

One thought:

There are some race conditions where this mistakenly points to "false" instead of true (e.g. all pods are restarted but the CRD exists from previous pods), but better to be pessimistic than optimistic.

Watching for the CRD resource could also work but would be subject to other errors (e.g. a CRD that corresponds to an old, deleted CT that has yet to be GC'd)

[stek29]

@maxsmythe @ritazh I've fixed the typo and moved names to constants :)