WIP ObjectNamespace template variable

Signed-off-by: mprahl <[email protected]>

Author: mprahl

controllers/configurationpolicy_controller.go

@@ -568,7 +568,7 @@ status:
 		t.Error(err)
 	}
 
-	desiredObj := unstructured.Unstructured{Object: policyObjDef}
+	desiredObj := &unstructured.Unstructured{Object: policyObjDef}
 	existingObjOrderOne := unstructured.Unstructured{Object: orderOneObj}
 	existingObjOrderTwo := unstructured.Unstructured{Object: orderTwoObj}
 
@@ -1057,7 +1057,7 @@ secrets:
 	compType := policyv1.MustOnlyHave
 	mdCompType := policyv1.MustOnlyHave
 
-	throwSpecViolation, _, updateNeeded, statusMismatch := handleKeys(desiredObj, &existingObj,
+	throwSpecViolation, _, updateNeeded, statusMismatch := handleKeys(&desiredObj, &existingObj,
 		&existingObjCopy, compType, mdCompType)
 
 	assert.False(t, throwSpecViolation)
@@ -1524,7 +1524,7 @@ func TestShouldHandleSingleKeyFalse(t *testing.T) {
 		unstruct.Object = test.input
 		unstructObj.Object = test.fromAPI
 		key := test.expectResult.key
-		_, update, _, skip = handleSingleKey(key, unstruct, &unstructObj, "musthave", true)
+		_, update, _, skip = handleSingleKey(key, &unstruct, &unstructObj, "musthave", true)
 		assert.Equal(t, update, test.expectResult.expect)
 		assert.False(t, skip)
 	}

controllers/configurationpolicy_controller_test.go

@@ -359,7 +359,7 @@ func filterUnwantedAnnotations(input map[string]interface{}) map[string]interfac
 }
 
 // formatTemplate returns the value of the input key in a manner that the controller can use for comparisons.
-func formatTemplate(unstruct unstructured.Unstructured, key string) (obj interface{}) {
+func formatTemplate(unstruct *unstructured.Unstructured, key string) (obj interface{}) {
 	if key == "metadata" {
 		metadata, ok := unstruct.Object[key].(map[string]interface{})
 		if !ok {

controllers/configurationpolicy_utils.go

@@ -25,22 +25,6 @@ var (
 		},
 		[]string{"name"},
 	)
-	plcTempsProcessSecondsCounter = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "config_policy_templates_process_seconds_total",
-			Help: "The total seconds taken while processing the configuration policy templates. Use this alongside " +
-				"config_policy_templates_process_total.",
-		},
-		[]string{"name"},
-	)
-	plcTempsProcessCounter = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "config_policy_templates_process_total",
-			Help: "The total number of processes of the configuration policy templates. Use this alongside " +
-				"config_policy_templates_process_seconds_total.",
-		},
-		[]string{"name"},
-	)
 	compareObjSecondsCounter = prometheus.NewCounterVec(
 		prometheus.CounterOpts{
 			Name: "compare_objects_seconds_total",
@@ -85,8 +69,6 @@ func init() {
 	// Register custom metrics with the global Prometheus registry
 	metrics.Registry.MustRegister(policyEvalSecondsCounter)
 	metrics.Registry.MustRegister(policyEvalCounter)
-	metrics.Registry.MustRegister(plcTempsProcessSecondsCounter)
-	metrics.Registry.MustRegister(plcTempsProcessCounter)
 	metrics.Registry.MustRegister(compareObjSecondsCounter)
 	metrics.Registry.MustRegister(compareObjEvalCounter)
 	// Error metrics may already be registered by template sync
@@ -107,8 +89,6 @@ func removeConfigPolicyMetrics(request ctrl.Request) {
 	// If a metric has an error while deleting, that means the policy was never evaluated so it can be ignored.
 	_ = policyEvalSecondsCounter.DeleteLabelValues(request.Name)
 	_ = policyEvalCounter.DeleteLabelValues(request.Name)
-	_ = plcTempsProcessSecondsCounter.DeleteLabelValues(request.Name)
-	_ = plcTempsProcessCounter.DeleteLabelValues(request.Name)
 	_ = compareObjEvalCounter.DeletePartialMatch(prometheus.Labels{"config_policy_name": request.Name})
 	_ = compareObjSecondsCounter.DeletePartialMatch(prometheus.Labels{"config_policy_name": request.Name})
 	_ = policyUserErrorsCounter.DeletePartialMatch(prometheus.Labels{"template": request.Name})

controllers/metric.go

@@ -2533,7 +2533,7 @@ func (r *OperatorPolicyReconciler) mergeObjects(
 	existing *unstructured.Unstructured,
 	complianceType policyv1.ComplianceType,
 ) (updateNeeded, updateIsForbidden bool, err error) {
-	desiredObj := unstructured.Unstructured{Object: desired}
+	desiredObj := &unstructured.Unstructured{Object: desired}
 
 	// Use a copy since some values can be directly assigned to mergedObj in handleSingleKey.
 	existingObjectCopy := existing.DeepCopy()

controllers/operatorpolicy_controller.go

@@ -5,13 +5,12 @@ package e2e
 
 import (
 	"context"
-	"fmt"
-	"strconv"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"open-cluster-management.io/config-policy-controller/test/utils"
 )
@@ -67,7 +66,7 @@ const (
 	case13PruneTmpErrYaml string = "../resources/case13_templatization/case13_prune_template_error.yaml"
 )
 
-var _ = Describe("Test templatization", Ordered, func() {
+var _ = FDescribe("Test templatization", Ordered, func() {
 	Describe("Create a secret and pull data from it into a configurationPolicy", func() {
 		It("should be created properly on the managed cluster", func() {
 			By("Creating " + case13CfgPolCreateSecret + " and " + case13CfgPolCheckSecret + " on managed")
@@ -254,12 +253,26 @@ var _ = Describe("Test templatization", Ordered, func() {
 			plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
 				case13WrongArgs, testNamespace, true, defaultTimeoutSeconds)
 			Expect(plc).NotTo(BeNil())
+
+			var managedPlc *unstructured.Unstructured
+
 			Eventually(func(g Gomega) {
-				managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
+				managedPlc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy,
 					case13WrongArgs, testNamespace, true, defaultTimeoutSeconds)
 
 				utils.CheckComplianceStatus(g, managedPlc, "NonCompliant")
 			}, defaultTimeoutSeconds, 1).Should(Succeed())
+
+			// Verify that the first object template failing template resolution doesn't prevent the other
+			// object templates from being evaluated.
+			compliancyDetails, _, _ := unstructured.NestedSlice(managedPlc.Object, "status", "compliancyDetails")
+			Expect(compliancyDetails).To(HaveLen(2))
+
+			firstObjTemplate := compliancyDetails[0].(map[string]interface{})
+			Expect(firstObjTemplate["Compliant"]).To(Equal("NonCompliant"))
+
+			secondObjTemplate := compliancyDetails[1].(map[string]interface{})
+			Expect(secondObjTemplate["Compliant"]).To(Equal("Compliant"))
 		})
 		AfterAll(func() {
 			deleteConfigPolicies([]string{case13Unterminated, case13WrongArgs})
@@ -311,41 +324,6 @@ var _ = Describe("Test templatization", Ordered, func() {
 				Expect(err).ToNot(HaveOccurred())
 				Expect(replConfigMap.Data["message"]).To(Equal("Hello Raleigh!\n"))
 
-				By("Checking metric endpoint for policy template counter for policy " + case13UpdateRefObject)
-				Eventually(func() interface{} {
-					return utils.GetMetrics(
-						"config_policy_templates_process_total",
-						fmt.Sprintf(`name=\"%s\"`, case13UpdateRefObject),
-					)
-				}, defaultTimeoutSeconds, 1).Should(Not(BeNil()))
-				templatesTotalCounter := utils.GetMetrics(
-					"config_policy_templates_process_total",
-					fmt.Sprintf(`name=\"%s\"`, case13UpdateRefObject),
-				)
-				totalCounter, err := strconv.Atoi(templatesTotalCounter[0])
-				Expect(err).ToNot(HaveOccurred())
-				if err == nil {
-					Expect(totalCounter).To(BeNumerically(">", 0))
-				}
-				By("Policy " + case13UpdateRefObject + " total template process counter : " + templatesTotalCounter[0])
-
-				Eventually(func() interface{} {
-					return utils.GetMetrics(
-						"config_policy_templates_process_seconds_total",
-						fmt.Sprintf(`name=\"%s\"`, case13UpdateRefObject),
-					)
-				}, defaultTimeoutSeconds, 1).Should(Not(BeNil()))
-				templatesTotalSeconds := utils.GetMetrics(
-					"config_policy_templates_process_seconds_total",
-					fmt.Sprintf(`name=\"%s\"`, case13UpdateRefObject),
-				)
-				templatesSeconds, err := strconv.ParseFloat(templatesTotalSeconds[0], 32)
-				Expect(err).ToNot(HaveOccurred())
-				if err == nil {
-					Expect(templatesSeconds).To(BeNumerically(">", 0))
-				}
-				By("Policy " + case13UpdateRefObject + " total template process seconds : " + templatesTotalSeconds[0])
-
 				By("Updating the referenced ConfigMap")
 				configMap.Data["message"] = "Hello world!"
 				_, err = clientManaged.CoreV1().ConfigMaps("default").Update(

test/e2e/case13_templatization_test.go

@@ -3,7 +3,7 @@ kind: ConfigurationPolicy
 metadata:
   name: case13-policy-pod-create-wrong-args
 spec:
-  remediationAction: enforce
+  remediationAction: inform
   namespaceSelector:
     exclude: ["kube-*"]
     include: ["default"]
@@ -19,4 +19,10 @@ spec:
             - image: nginx:1.7.9
               name: nginx
               ports:
-                - containerPort: 80
+                - containerPort: 80
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: default

test/resources/case13_templatization/case13_wrong_args.yaml

@@ -190,7 +190,17 @@ func GetComplianceState(managedPlc *unstructured.Unstructured) (result interface
 // GetStatusMessage parses status field to get message
 func GetStatusMessage(managedPlc *unstructured.Unstructured) (result interface{}) {
 	if managedPlc.Object["status"] != nil {
-		detail := managedPlc.Object["status"].(map[string]interface{})["compliancyDetails"].([]interface{})[0]
+		status, ok := managedPlc.Object["status"].(map[string]interface{})
+		if !ok {
+			return nil
+		}
+
+		complianceDetails, ok := status["compliancyDetails"].([]interface{})
+		if !ok || len(complianceDetails) == 0 {
+			return nil
+		}
+
+		detail := complianceDetails[0]
 
 		return detail.(map[string]interface{})["conditions"].([]interface{})[0].(map[string]interface{})["message"]
 	}