OCPBUGS-4704: Include already compliant polices for pre-caching (#401)

* Include already compliant polices for pre-caching * Fold long commands in kuttl yaml files * Add new lines at the end of the files * Remove unused bool arg * More clean up * Remove spaces in last line
openshift-kni · Dec 16, 2022 · 9d2695a · 9d2695a
1 parent 07c0a39
commit 9d2695a
Show file tree

Hide file tree

Showing 27 changed files with 1,937 additions and 42 deletions.
diff --git a/controllers/clustergroupupgrade_controller.go b/controllers/clustergroupupgrade_controller.go
@@ -56,9 +56,10 @@ type ClusterGroupUpgradeReconciler struct {
 }
 
 type policiesInfo struct {
-	invalidPolicies []string
-	missingPolicies []string
-	presentPolicies []*unstructured.Unstructured
+	invalidPolicies   []string
+	missingPolicies   []string
+	presentPolicies   []*unstructured.Unstructured
+	compliantPolicies []*unstructured.Unstructured
 }
 
 const statusUpdateWaitInMilliSeconds = 100
@@ -211,7 +212,7 @@ func (r *ClusterGroupUpgradeReconciler) Reconcile(ctx context.Context, req ctrl.
 		}
 
 		allManagedPoliciesExist, managedPoliciesInfo, err =
-			r.doManagedPoliciesExist(ctx, clusterGroupUpgrade, clusters, true)
+			r.doManagedPoliciesExist(ctx, clusterGroupUpgrade, clusters)
 		if err != nil {
 			return
 		}
@@ -276,8 +277,8 @@ func (r *ClusterGroupUpgradeReconciler) Reconcile(ctx context.Context, req ctrl.
 			err = r.updateStatus(ctx, clusterGroupUpgrade)
 			return
 		}
-
-		err = r.reconcilePrecaching(ctx, clusterGroupUpgrade, clusters, managedPoliciesInfo.presentPolicies)
+		// Pass in already compliant policies as the catalog source info is needed by precaching
+		err = r.reconcilePrecaching(ctx, clusterGroupUpgrade, clusters, append(managedPoliciesInfo.presentPolicies, managedPoliciesInfo.compliantPolicies...))
 		if err != nil {
 			r.Log.Error(err, "reconcilePrecaching error")
 			return
@@ -916,8 +917,7 @@ func (r *ClusterGroupUpgradeReconciler) getPolicyByName(ctx context.Context, pol
 */
 func (r *ClusterGroupUpgradeReconciler) doManagedPoliciesExist(
 	ctx context.Context, clusterGroupUpgrade *ranv1alpha1.ClusterGroupUpgrade,
-	clusters []string,
-	filterNonCompliantPolicies bool) (bool, policiesInfo, error) {
+	clusters []string) (bool, policiesInfo, error) {
 
 	childPoliciesList, err := utils.GetChildPolicies(ctx, r.Client, clusters)
 	if err != nil {
@@ -996,19 +996,19 @@ func (r *ClusterGroupUpgradeReconciler) doManagedPoliciesExist(
 				continue
 			}
 
-			if filterNonCompliantPolicies {
-				// Check the policy has at least one of the clusters from the CR in NonCompliant state.
-				clustersNonCompliantWithPolicy := r.getClustersNonCompliantWithPolicy(clusters, foundPolicy)
-
-				if len(clustersNonCompliantWithPolicy) == 0 {
-					managedPoliciesCompliantBeforeUpgrade = append(managedPoliciesCompliantBeforeUpgrade, foundPolicy.GetName())
-					continue
-				}
+			// Check the policy has at least one of the clusters from the CR in NonCompliant state.
+			clustersNonCompliantWithPolicy := r.getClustersNonCompliantWithPolicy(clusters, foundPolicy)
 
-				// Update the info on the policies used in the upgrade.
-				newPolicyInfo := ranv1alpha1.ManagedPolicyForUpgrade{Name: managedPolicyName, Namespace: managedPolicyNamespace}
-				managedPoliciesForUpgrade = append(managedPoliciesForUpgrade, newPolicyInfo)
+			if len(clustersNonCompliantWithPolicy) == 0 {
+				managedPoliciesCompliantBeforeUpgrade = append(managedPoliciesCompliantBeforeUpgrade, foundPolicy.GetName())
+				managedPoliciesInfo.compliantPolicies = append(managedPoliciesInfo.compliantPolicies, foundPolicy)
+				continue
 			}
+
+			// Update the info on the policies used in the upgrade.
+			newPolicyInfo := ranv1alpha1.ManagedPolicyForUpgrade{Name: managedPolicyName, Namespace: managedPolicyNamespace}
+			managedPoliciesForUpgrade = append(managedPoliciesForUpgrade, newPolicyInfo)
+
 			// Add the policy to the list of present policies and update the status with the policy's namespace.
 			managedPoliciesInfo.presentPolicies = append(managedPoliciesInfo.presentPolicies, foundPolicy)
 			clusterGroupUpgrade.Status.ManagedPoliciesNs[managedPolicyName] = managedPolicyNamespace

diff --git a/controllers/monitoring.go b/controllers/monitoring.go
@@ -93,8 +93,7 @@ func (r *ClusterGroupUpgradeReconciler) getMonitoredObjects(managedPolicy *unstr
 			}
 
 			objectDefinitionMetadataContent := innerObjectDefinitionContent["metadata"].(map[string]interface{})
-			// Save the kind, name and namespace if they exist and if kind is of Subscription type.
-			// If kind is missing, log and skip.
+
 			kind, ok := innerObjectDefinitionContent["kind"]
 			if !ok {
 				r.Log.Info(
@@ -103,16 +102,10 @@ func (r *ClusterGroupUpgradeReconciler) getMonitoredObjects(managedPolicy *unstr
 				continue
 			}
 
-			// Filter only Subscription templates.
 			if !isMonitoredObjectType(kind) {
-				r.Log.Info(
-					"[getPolicyContent] Policy spec.policy-templates.objectDefinition.spec.object-templates.kind does not need to be monitored",
-					"policyName", managedPolicyName)
 				continue
 			}
 
-			// If name is missing, log and skip. We need Subscription name in order to have a valid content for
-			// Subscription InstallPlan approval.
 			_, ok = objectDefinitionMetadataContent["name"]
 			if !ok {
 				r.Log.Info(
@@ -121,7 +114,6 @@ func (r *ClusterGroupUpgradeReconciler) getMonitoredObjects(managedPolicy *unstr
 				continue
 			}
 
-			// If namespace is missing, log and skip.
 			_, ok = objectDefinitionMetadataContent["namespace"]
 			if !ok {
 				r.Log.Info(

diff --git a/deploy/acm/policies/all_policies/child-policy0-common-config-policy.yaml b/deploy/acm/policies/all_policies/child-policy0-common-config-policy.yaml
@@ -0,0 +1,46 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  annotations:
+    policy.open-cluster-management.io/categories: CM Configuration Management
+    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+  labels:
+    policy.open-cluster-management.io/root-policy: policy1-common-cluster-version-policy
+  name: default.policy0-common-config-policy
+# namespace: common-policies
+spec:
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: common-config-policy-config
+      spec:
+        namespaceselector:
+          exclude:
+          - kube-*
+          include:
+          - '*'
+        object-templates:
+        - complianceType: musthave
+          objectDefinition:
+            apiVersion: operators.coreos.com/v1alpha1
+            kind: CatalogSource
+            metadata:
+              annotations:
+                target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+              name: rh-du-operators
+              namespace: openshift-marketplace
+            spec:
+              displayName: disconnected-redhat-operators
+              image: e27-h01-000-r650.rdu2.scalelab.redhat.com:5000/olm-mirror/redhat-operator-index:v4.11
+              publisher: Red Hat
+              sourceType: grpc
+            status:
+              connectionState:
+                lastObservedState: READY
+        remediationAction: inform
+        severity: low
+  remediationAction: inform
diff --git a/deploy/acm/policies/all_policies/policy0-common-config-policy.yaml b/deploy/acm/policies/all_policies/policy0-common-config-policy.yaml
@@ -0,0 +1,43 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  annotations:
+    policy.open-cluster-management.io/categories: CM Configuration Management
+    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+  name: policy0-common-config-policy
+spec:
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: common-config-policy-config
+      spec:
+        namespaceselector:
+          exclude:
+          - kube-*
+          include:
+          - '*'
+        object-templates:
+        - complianceType: musthave
+          objectDefinition:
+            apiVersion: operators.coreos.com/v1alpha1
+            kind: CatalogSource
+            metadata:
+              annotations:
+                target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+              name: rh-du-operators
+              namespace: openshift-marketplace
+            spec:
+              displayName: disconnected-redhat-operators
+              image: e27-h01-000-r650.rdu2.scalelab.redhat.com:5000/olm-mirror/redhat-operator-index:v4.11
+              publisher: Red Hat
+              sourceType: grpc
+            status:
+              connectionState:
+                lastObservedState: READY
+        remediationAction: inform
+        severity: low
+  remediationAction: inform
diff --git a/deploy/upgrades/operator-upgrade/patch-install-plan-mcv-status.sh b/deploy/upgrades/operator-upgrade/patch-install-plan-mcv-status.sh
@@ -4,51 +4,51 @@
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke1/managedclusterviews/cgu-default-installplan-install-aaaa1-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa1","namespace":"openshift-logging","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa1","namespace":"openshift-logging","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke1/managedclusterviews/cgu-default-installplan-install-aaaa2-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa2","namespace":"openshift-local-storage","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa2","namespace":"openshift-local-storage","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke1/managedclusterviews/cgu-default-installplan-install-aaaa3-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa3","namespace":"openshift-performance-addon-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa3","namespace":"openshift-performance-addon-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke1/managedclusterviews/cgu-default-installplan-install-aaaa4-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa4","namespace":"openshift-ptp","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa4","namespace":"openshift-ptp","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke1/managedclusterviews/cgu-default-installplan-install-aaaa5-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa5","namespace":"openshift-sriov-network-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-aaaa5","namespace":"openshift-sriov-network-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 
 # spoke2
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke2/managedclusterviews/cgu-default-installplan-install-bbbb1-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb1","namespace":"openshift-logging","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb1","namespace":"openshift-logging","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke2/managedclusterviews/cgu-default-installplan-install-bbbb2-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb2","namespace":"openshift-local-storage","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb2","namespace":"openshift-local-storage","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke2/managedclusterviews/cgu-default-installplan-install-bbbb3-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb3","namespace":"openshift-performance-addon-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb3","namespace":"openshift-performance-addon-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke2/managedclusterviews/cgu-default-installplan-install-bbbb4-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb4","namespace":"openshift-ptp","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb4","namespace":"openshift-ptp","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
 
 curl -k -s -X PATCH -H "Accept: application/json, */*" \
 -H "Content-Type: application/merge-patch+json" \
 http://localhost:8001/apis/view.open-cluster-management.io/v1beta1/namespaces/spoke2/managedclusterviews/cgu-default-installplan-install-bbbb5-kuttl/status \
---data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"apiVersion:operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb5","namespace":"openshift-sriov-network-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'
+--data '{"status":{"conditions":[{"lastTransitionTime":"2022-01-28T17:57:00Z","message":"Watching resources successfully", "reason":"GetResourceProcessing","status":"True","type":"Processing"}],"result":{"apiVersion":"operators.coreos.com\/v1alpha1","kind":"InstallPlan","metadata":{"name":"install-bbbb5","namespace":"openshift-sriov-network-operator","resourceVersion":"1532546"},"spec":{"approval":"Manual","approved":"false"},"status":{"phase":"RequiresApproval"}}}}'