From 11125397b771abcdc515df7ba4c2bd3999e4dd89 Mon Sep 17 00:00:00 2001 From: mprahl Date: Thu, 31 Oct 2024 16:50:22 -0400 Subject: [PATCH] Remove the tech preview compliance history API integration Relates: https://issues.redhat.com/browse/ACM-15291 Signed-off-by: mprahl --- Makefile | 2 - config/rbac/role.yaml | 151 ++++-------------- go.mod | 2 - go.sum | 5 - main.go | 128 +-------------- pkg/addon/policyframework/agent_addon.go | 5 - .../compliance_history_api_role.yaml | 11 -- .../compliance_history_api_rolebinding.yaml | 13 -- .../compliance_history_api_sa.yaml | 5 - .../compliance_history_api_sa_secret.yaml | 8 - .../manifests/hubpermissions/role.yaml | 1 - .../templates/deployment.yaml | 3 - .../manifests/managedclusterchart/values.yaml | 1 - pkg/controllers/complianceapi/reconciler.go | 110 ------------- test/e2e/case1_framework_deployment_test.go | 24 --- test/e2e/case3_compliance_db_secret_test.go | 72 --------- test/e2e/e2e_suite_test.go | 3 - .../addondeploymentconfig_customvars.yaml | 2 - 18 files changed, 30 insertions(+), 516 deletions(-) delete mode 100644 pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_role.yaml delete mode 100644 pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_rolebinding.yaml delete mode 100644 pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa.yaml delete mode 100644 pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa_secret.yaml delete mode 100644 pkg/controllers/complianceapi/reconciler.go delete mode 100644 test/e2e/case3_compliance_db_secret_test.go diff --git a/Makefile b/Makefile index aeffe555..6505ffb1 100644 --- a/Makefile +++ b/Makefile 
@@ -163,8 +163,6 @@ $(KIND_KUBECONFIG): kind get kubeconfig --name $(KIND_NAME) --internal > $(KIND_KUBECONFIG_INTERNAL) KUBECONFIG=$(KIND_KUBECONFIG) kubectl apply -f \ https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.64.1/example/prometheus-operator-crd-full/monitoring.coreos.com_servicemonitors.yaml - KUBECONFIG=$(KIND_KUBECONFIG) kubectl create -f \ - https://raw.githubusercontent.com/openshift/api/release-4.17/route/v1/zz_generated.crd-manifests/routes-Default.crd.yaml .PHONY: kind-delete-cluster kind-delete-cluster: ## Delete a kind cluster. diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 84626e9d..9a068cdf 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -5,9 +5,30 @@ metadata: name: governance-policy-addon-controller rules: - apiGroups: - - addon.open-cluster-management.io + - "" resources: - - addondeploymentconfigs + - events + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - policy-encryption-key + resources: + - secrets verbs: - get - list @@ -15,6 +36,7 @@ rules: - apiGroups: - addon.open-cluster-management.io resources: + - addondeploymentconfigs - clustermanagementaddons verbs: - get @@ -27,6 +49,7 @@ rules: - governance-policy-framework resources: - clustermanagementaddons/finalizers + - managedclusteraddons/finalizers verbs: - update - apiGroups: @@ -36,6 +59,7 @@ rules: - governance-policy-framework resources: - clustermanagementaddons/status + - managedclusteraddons/status verbs: - patch - update 
@@ -58,25 +82,6 @@ rules: - managedclusteraddons verbs: - delete -- apiGroups: - - addon.open-cluster-management.io - resourceNames: - - config-policy-controller - - governance-policy-framework - resources: - - managedclusteraddons/finalizers - verbs: - - update -- apiGroups: - - addon.open-cluster-management.io - resourceNames: - - config-policy-controller - - governance-policy-framework - resources: - - managedclusteraddons/status - verbs: - - patch - - update - apiGroups: - authorization.k8s.io resources: @@ -144,72 +149,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create -- apiGroups: - - "" - resourceNames: - - governance-policy-database - - policy-encryption-key - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - open-cluster-management-compliance-history-api-recorder - resources: - - secrets - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create -- apiGroups: - - "" - resourceNames: - - open-cluster-management-compliance-history-api-recorder - resources: - - serviceaccounts - verbs: - - delete - - get - - patch - - update - apiGroups: - policy.open-cluster-management.io resources: 
@@ -240,58 +179,22 @@ rules: - rbac.authorization.k8s.io resources: - clusterroles - verbs: - - create -- apiGroups: - - rbac.authorization.k8s.io - resourceNames: - - open-cluster-management:compliance-history-api-recorder - - open-cluster-management:config-policy-controller-hub - - open-cluster-management:policy-framework-hub - resources: - - clusterroles - verbs: - - delete - - get - - patch - - update -- apiGroups: - - rbac.authorization.k8s.io - resources: - rolebindings verbs: - create - apiGroups: - rbac.authorization.k8s.io resourceNames: - - open-cluster-management:compliance-history-api-recorder - open-cluster-management:config-policy-controller-hub - open-cluster-management:policy-framework-hub resources: + - clusterroles - rolebindings verbs: - delete - get - patch - update -- apiGroups: - - route.openshift.io - resources: - - routes - verbs: - - create -- apiGroups: - - route.openshift.io - resourceNames: - - governance-history-api - resources: - - routes - verbs: - - delete - - get - - list - - update - - watch - apiGroups: - work.open-cluster-management.io resources: diff --git a/go.mod b/go.mod index 1eaff954..54ce135a 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,6 @@ require ( github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 - github.com/stolostron/kubernetes-dependency-watches v0.7.0 k8s.io/apimachinery v0.29.5 k8s.io/client-go v0.29.5 k8s.io/component-base v0.29.5 @@ -129,7 +128,6 @@ require ( k8s.io/api v0.29.5 // indirect k8s.io/apiextensions-apiserver v0.29.5 // indirect k8s.io/apiserver v0.29.5 // indirect - k8s.io/klog v1.0.0 // indirect k8s.io/kms v0.29.5 // indirect k8s.io/kube-aggregator v0.29.5 // indirect k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect diff --git a/go.sum b/go.sum index 134edf8a..4dbe4431 100644 --- a/go.sum +++ b/go.sum 
@@ -55,7 +55,6 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -197,8 +196,6 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
-github.com/stolostron/kubernetes-dependency-watches v0.7.0 h1:aiJSZUusiPtWEz1CIdFperRgS9ibA0Gr8Hu3K8bpN/o=
-github.com/stolostron/kubernetes-dependency-watches v0.7.0/go.mod h1:6v54aX8Bxx1m9YETZUxNGUrSHcRIArM/YnOqnUbIB/g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -372,8 +369,6 @@ k8s.io/client-go v0.29.5 h1:nlASXmPQy190qTteaVP31g3c/wi2kycznkTP7Sv1zPc=
 k8s.io/client-go v0.29.5/go.mod h1:aY5CnqUUvXYccJhm47XHoPcRyX6vouHdIBHaKZGTbK4=
 k8s.io/component-base v0.29.5 h1:Ptj8AzG+p8c2a839XriHwxakDpZH9uvIgYz+o1agjg8=
 k8s.io/component-base v0.29.5/go.mod h1:9nBUoPxW/yimISIgAG7sJDrUGJlu7t8HnDafIrOdU8Q=
-k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
-k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.29.5 h1:DcR0hBeEcuLmKTpriezu7kyR4sJcHeeYle/WGdQWi2o=
diff --git a/main.go b/main.go
index 7b2542eb..57c31352 100644
--- a/main.go
+++ b/main.go
@@ -21,19 +21,12 @@ import (
 "flag"
 "fmt"
 "os"
- "strings"
 "sync"
- "time"
 "github.com/openshift/library-go/pkg/controller/controllercmd"
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
- k8sdepwatches "github.com/stolostron/kubernetes-dependency-watches/client"
- k8serrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/version"
- "k8s.io/client-go/discovery"
- "k8s.io/client-go/dynamic"
- "k8s.io/client-go/rest"
 utilflag "k8s.io/component-base/cli/flag"
 "k8s.io/component-base/logs"
 "k8s.io/klog/v2"
@@ -41,7 +34,6 @@ import (
 "open-cluster-management.io/governance-policy-addon-controller/pkg/addon/configpolicy"
 "open-cluster-management.io/governance-policy-addon-controller/pkg/addon/policyframework"
- "open-cluster-management.io/governance-policy-addon-controller/pkg/controllers/complianceapi"
 )
 //+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=get;create
@@ -56,13 +48,9 @@ import (
 //+kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;patch;update,resourceNames=governance-policy-framework;config-policy-controller
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=create
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;update;patch;delete,resourceNames="open-cluster-management:policy-framework-hub";"open-cluster-management:config-policy-controller-hub";"open-cluster-management:compliance-history-api-recorder"
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;update;patch;delete,resourceNames="open-cluster-management:policy-framework-hub";"open-cluster-management:config-policy-controller-hub"
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;update;patch;delete,resourceNames="open-cluster-management:policy-framework-hub";"open-cluster-management:config-policy-controller-hub";"open-cluster-management:compliance-history-api-recorder"
-//+kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=create
-//+kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;update;patch;delete,resourceNames="open-cluster-management-compliance-history-api-recorder"
-//+kubebuilder:rbac:groups=core,resources=secrets,verbs=create
-//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;update;patch;delete;watch;list,resourceNames="open-cluster-management-compliance-history-api-recorder"
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;update;patch;delete,resourceNames="open-cluster-management:policy-framework-hub";"open-cluster-management:config-policy-controller-hub"
 // Cannot limit based on resourceNames because the name is dynamic in hosted mode.
 //+kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=create;delete;get;list;patch;update;watch
@@ -83,10 +71,8 @@ import (
 //+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=policies,verbs=create;delete;get;list;patch;update;watch
 //+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=policies/finalizers,verbs=update
 //+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=policies/status,verbs=get;patch;update
-//+kubebuilder:rbac:groups=core,resources=secrets,resourceNames=policy-encryption-key;governance-policy-database,verbs=get;list;watch
+//+kubebuilder:rbac:groups=core,resources=secrets,resourceNames=policy-encryption-key,verbs=get;list;watch
 //+kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=clusterclaims,resourceNames=id.k8s.io,verbs=get
-//+kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=create
-//+kubebuilder:rbac:groups=route.openshift.io,resources=routes,resourceNames=governance-history-api,verbs=get;list;watch;update;delete
 //+kubebuilder:rbac:groups=core,resources=events,verbs=create;get;list;patch;update;watch
 //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures,verbs=get;list;watch
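Review bot: Dropping `delete` from the resourceName-scoped `clusterroles`/`rolebindings` markers here, and the `core` `serviceaccounts`/`secrets` grants for `open-cluster-management-compliance-history-api-recorder`, leaves hubs that already ran the tech preview with those objects in every managed cluster namespace and no controller permission left to remove them (the manifests are likewise just dropped from `agentPermissionFiles` in pkg/addon/policyframework/agent_addon.go, and the `governance-history-api` Route grants go in the next hunk). The lingering Secret is a `kubernetes.io/service-account-token` bound to a ClusterRole with `patch` on `policies/status`, so it stays a valid credential after the upgrade unless the addon framework prunes previously applied hub permission manifests on its own, which nothing in this change shows. Consider keeping the `get;delete` grants for one release and removing the recorder ServiceAccount, Secret, RoleBinding and ClusterRole from runController, or at least document the manual cleanup in the commit message. An e2e check that the recorder objects are absent after upgrade would make the migration path explicit.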
@@ -144,84 +130,6 @@ func runController(ctx context.Context, controllerContext *controllercmd.Control
 wg := sync.WaitGroup{}
- runSecretReconciler, err := isOpenShift(controllerContext.KubeConfig)
- if err != nil {
- klog.Error(err, "Failed to detect if this is running on OpenShift. Assuming it's not.")
- }
-
- // The Compliance API DB Secret reconciler is responsible for creating/deleting OpenShift routes for the compliance
- // history API. If it's not OpenShift, then don't run this.
- if runSecretReconciler {
- klog.Info("Starting the compliance events database secret reconciler")
-
- controllerNamespace := getControllerNamespace()
-
- dynamicClient := dynamic.NewForConfigOrDie(controllerContext.KubeConfig)
- reconciler := complianceapi.ComplianceDBSecretReconciler{DynamicClient: dynamicClient}
-
- dynamicWatcher, err := k8sdepwatches.New(
- controllerContext.KubeConfig, &reconciler, &k8sdepwatches.Options{
- EnableCache: true,
- ObjectCacheOptions: k8sdepwatches.ObjectCacheOptions{
- // Cache the GVKToGVR for 24 hours since we are using it for stable things like determining if
- // this is an OpenShift cluster by seeing if the cluster has a Route CRD or querying for a Secret.
- GVKToGVRCacheTTL: 24 * time.Hour,
- MissingAPIResourceCacheTTL: 24 * time.Hour,
- },
- },
- )
- if err != nil {
- klog.Error(
- err, "Failed to instantiate the dynamic watcher for the compliance events database secret reconciler",
- )
- os.Exit(1)
- }
-
- reconciler.DynamicWatcher = dynamicWatcher
-
- wg.Add(1)
-
- go func() {
- defer wg.Done()
-
- err := dynamicWatcher.Start(ctx)
- if err != nil {
- klog.Error(
- err, "Unable to start the dynamic watcher for the compliance events database secret reconciler",
- )
- os.Exit(1)
- }
- }()
-
- klog.Info("Waiting for the dynamic watcher to start")
- <-dynamicWatcher.Started()
-
- watcherSecret := k8sdepwatches.ObjectIdentifier{
- Version: "v1",
- Kind: "Secret",
- Namespace: controllerNamespace,
- Name: complianceapi.DBSecretName,
- }
- if err := dynamicWatcher.AddWatcher(watcherSecret, watcherSecret); err != nil {
- klog.Error(err, "Unable to start the compliance events database secret watcher")
- os.Exit(1)
- }
-
- route := k8sdepwatches.ObjectIdentifier{
- Group: "route.openshift.io",
- Kind: "Route",
- Version: "v1",
- Namespace: controllerNamespace,
- Name: complianceapi.RouteName,
- }
- if err := dynamicWatcher.AddWatcher(watcherSecret, route); err != nil {
- klog.Error(err, "Unable to start the compliance events database secret watcher")
- os.Exit(1)
- }
- } else {
- klog.Info("Not running on OpenShift so not starting the compliance events database secret reconciler")
- }
-
 for _, f := range agentFuncs {
 err := f(ctx, mgr, controllerContext)
 if err != nil {
@@ -249,33 +157,3 @@ func runController(ctx context.Context, controllerContext *controllercmd.Control
 return nil
 }
-
-// getControllerNamespace returns the namespace the controller is running in. It defaults to open-cluster-management.
-func getControllerNamespace() string {
- nsBytes, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
- if err != nil {
- return "open-cluster-management"
- }
-
- ns := strings.TrimSpace(string(nsBytes))
-
- return ns
-}
-
-func isOpenShift(kubeconfig *rest.Config) (bool, error) {
- discoveryClient, err := discovery.NewDiscoveryClientForConfig(kubeconfig)
- if err != nil {
- return false, err
- }
-
- _, err = discoveryClient.ServerResourcesForGroupVersion(complianceapi.RouteGVR.GroupVersion().String())
- if err != nil {
- if k8serrors.IsNotFound(err) {
- return false, nil
- }
-
- return false, err
- }
-
- return true, nil
-}
diff --git a/pkg/addon/policyframework/agent_addon.go b/pkg/addon/policyframework/agent_addon.go
index f8764f0b..c1821979 100644
--- a/pkg/addon/policyframework/agent_addon.go
+++ b/pkg/addon/policyframework/agent_addon.go
@@ -48,11 +48,6 @@ var agentPermissionFiles = []string{
 "manifests/hubpermissions/role.yaml",
 // rolebinding to bind the above role to a certain user group
 "manifests/hubpermissions/rolebinding.yaml",
- // a service account with minimal access for recording compliance events in the compliance history API
- "manifests/hubpermissions/compliance_history_api_role.yaml",
- "manifests/hubpermissions/compliance_history_api_rolebinding.yaml",
- "manifests/hubpermissions/compliance_history_api_sa.yaml",
- "manifests/hubpermissions/compliance_history_api_sa_secret.yaml",
 }
 type UserArgs struct {
diff --git a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_role.yaml b/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_role.yaml
deleted file mode 100644
index 6801b6ba..00000000
--- a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_role.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: open-cluster-management:compliance-history-api-recorder -rules: -- apiGroups: - - policy.open-cluster-management.io - resources: - - policies/status - verbs: - - patch diff --git a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_rolebinding.yaml b/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_rolebinding.yaml deleted file mode 100644 index 4fc75800..00000000 --- a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_rolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: open-cluster-management:compliance-history-api-recorder - namespace: "{{ .ClusterName }}" -roleRef: - kind: ClusterRole - name: open-cluster-management:compliance-history-api-recorder - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: open-cluster-management-compliance-history-api-recorder - namespace: "{{ .ClusterName }}" diff --git a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa.yaml b/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa.yaml deleted file mode 100644 index 5e33b6a0..00000000 --- a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: open-cluster-management-compliance-history-api-recorder - namespace: "{{ .ClusterName }}" diff --git a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa_secret.yaml b/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa_secret.yaml deleted file mode 100644 index c6865019..00000000 
--- a/pkg/addon/policyframework/manifests/hubpermissions/compliance_history_api_sa_secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -type: kubernetes.io/service-account-token -metadata: - name: open-cluster-management-compliance-history-api-recorder - namespace: "{{ .ClusterName }}" - annotations: - kubernetes.io/service-account.name: open-cluster-management-compliance-history-api-recorder \ No newline at end of file diff --git a/pkg/addon/policyframework/manifests/hubpermissions/role.yaml b/pkg/addon/policyframework/manifests/hubpermissions/role.yaml index 2b09908f..949987d1 100644 --- a/pkg/addon/policyframework/manifests/hubpermissions/role.yaml +++ b/pkg/addon/policyframework/manifests/hubpermissions/role.yaml @@ -56,7 +56,6 @@ rules: - secrets resourceNames: - policy-encryption-key - - open-cluster-management-compliance-history-api-recorder verbs: - get - list diff --git a/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml b/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml index 965fafb0..a6cce920 100644 --- a/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml +++ b/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml @@ -65,9 +65,6 @@ spec: {{- else if .Values.prometheus.enabled }} - --metrics-bind-address=0.0.0.0:8383 {{- end }} - {{- if .Values.complianceHistoryAPIURL }} - - '--compliance-api-url={{ .Values.complianceHistoryAPIURL }}' - {{- end }} env: - name: POD_NAME valueFrom: diff --git a/pkg/addon/policyframework/manifests/managedclusterchart/values.yaml b/pkg/addon/policyframework/manifests/managedclusterchart/values.yaml index f6a60e8a..98c7f7b6 100644 --- a/pkg/addon/policyframework/manifests/managedclusterchart/values.yaml +++ b/pkg/addon/policyframework/manifests/managedclusterchart/values.yaml 
@@ -36,7 +36,6 @@ tolerations: clusterName: null installMode: null -complianceHistoryAPIURL: null uninstallationAnnotation: "false" # This is the Kubernetes distribution of the managed cluster. If set to OpenShift, diff --git a/pkg/controllers/complianceapi/reconciler.go b/pkg/controllers/complianceapi/reconciler.go deleted file mode 100644 index ba74fc46..00000000 --- a/pkg/controllers/complianceapi/reconciler.go +++ /dev/null 
@@ -1,110 +0,0 @@ -package complianceapi - -import ( - "context" - "errors" - - k8sdepwatches "github.com/stolostron/kubernetes-dependency-watches/client" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/client-go/dynamic" - "k8s.io/klog/v2" - ctrl "sigs.k8s.io/controller-runtime" -) - -const ( - ServiceName string = "governance-policy-compliance-history-api" - // The Route name needs to be relatively short since there is a 63 character limit on DNS names. - RouteName string = "governance-history-api" - DBSecretName string = "governance-policy-database" -) - -var RouteGVR = schema.GroupVersionResource{Group: "route.openshift.io", Version: "v1", Resource: "routes"} - -type ComplianceDBSecretReconciler struct { - DynamicWatcher k8sdepwatches.DynamicWatcher - DynamicClient *dynamic.DynamicClient -} - -// Reconcile watches the governance-policy-database secret in the controller namespace. On changes it'll handle -// the Kubernetes objects to expose the compliance history API. -func (r *ComplianceDBSecretReconciler) Reconcile( - ctx context.Context, watcher k8sdepwatches.ObjectIdentifier, -) (ctrl.Result, error) { - // Everything that is watched is in the same namespace - ns := watcher.Namespace - - secret, err := r.DynamicWatcher.GetFromCache( - schema.GroupVersionKind{Version: "v1", Kind: "Secret"}, ns, DBSecretName, - ) - if err != nil && !errors.Is(err, k8sdepwatches.ErrNoCacheEntry) { - return ctrl.Result{}, nil - } - - if secret == nil { - klog.V(2).Infof( - "The Secret %s is not present. 
Verifying that the Route of %s is deleted.", DBSecretName, RouteName, - ) - - err = r.DynamicClient.Resource(RouteGVR).Namespace(ns).Delete(ctx, RouteName, metav1.DeleteOptions{}) - if err != nil { - if k8serrors.IsNotFound(err) { - return ctrl.Result{}, nil - } - - klog.Errorf("Failed to delete the compliance history API Route of %s: %v", RouteName, err) - - return ctrl.Result{}, err - } - - klog.Infof("Deleted the compliance history API Route of %s", RouteName) - - return ctrl.Result{}, nil - } - - klog.V(2).Infof( - "The Secret %s is present. Verifying that the compliance history API Route of %s is present.", - DBSecretName, RouteName, - ) - - route := &unstructured.Unstructured{ - Object: map[string]interface{}{ - "apiVersion": "route.openshift.io/v1", - "kind": "Route", - "metadata": map[string]interface{}{ - "name": RouteName, - "namespace": ns, - }, - "spec": map[string]interface{}{ - "port": map[string]interface{}{ - "targetPort": "compliance-history-api", - }, - "tls": map[string]interface{}{ - "insecureEdgeTerminationPolicy": "Redirect", - "termination": "reencrypt", - }, - "to": map[string]interface{}{ - "kind": "Service", - "name": ServiceName, - }, - }, - }, - } - - _, err = r.DynamicClient.Resource(RouteGVR).Namespace(ns).Create(ctx, route, metav1.CreateOptions{}) - if err != nil { - if !k8serrors.IsAlreadyExists(err) { - klog.Errorf("Failed to create the compliance history API Route of %s: %v", RouteName, err) - - return ctrl.Result{}, err - } - - klog.V(2).Infof("The compliance history API Route of %s already exists", RouteName) - } else { - klog.Infof("Created the compliance history API Route of %s", RouteName) - } - - return ctrl.Result{}, nil -} diff --git a/test/e2e/case1_framework_deployment_test.go b/test/e2e/case1_framework_deployment_test.go index 241995cb..3839b54f 100644 --- a/test/e2e/case1_framework_deployment_test.go +++ b/test/e2e/case1_framework_deployment_test.go 
@@ -93,9 +93,6 @@ var _ = Describe("Test framework deployment", Ordered, func() { }) It("should create the default framework deployment on separate managed clusters", func(ctx context.Context) { - hubClusterConfig := managedClusterList[0] - hubClient := hubClusterConfig.clusterClient - for i, cluster := range managedClusterList[1:] { Expect(cluster.clusterType).To(Equal("managed")) @@ -117,24 +114,6 @@ var _ = Describe("Test framework deployment", Ordered, func() { checkArgs(cluster, expectedArgs...) - By(logPrefix + "checking if the hub service account and permissions were created") - _, err := hubClient.Resource(gvrServiceAccount).Namespace(cluster.clusterName).Get( - ctx, "open-cluster-management-compliance-history-api-recorder", metav1.GetOptions{}, - ) - Expect(err).ToNot(HaveOccurred()) - _, err = hubClient.Resource(gvrClusterRole).Get( - ctx, "open-cluster-management:compliance-history-api-recorder", metav1.GetOptions{}, - ) - Expect(err).ToNot(HaveOccurred()) - _, err = hubClient.Resource(gvrRoleBinding).Namespace(cluster.clusterName).Get( - ctx, "open-cluster-management:compliance-history-api-recorder", metav1.GetOptions{}, - ) - Expect(err).ToNot(HaveOccurred()) - _, err = hubClient.Resource(gvrSecret).Namespace(cluster.clusterName).Get( - ctx, "open-cluster-management-compliance-history-api-recorder", metav1.GetOptions{}, - ) - Expect(err).ToNot(HaveOccurred()) - By(logPrefix + "removing the framework deployment when the ManagedClusterAddOn CR is removed") Kubectl("delete", "-n", cluster.clusterName, "-f", case1ManagedClusterAddOnCR, "--timeout=90s") deploy = GetWithTimeout( 
@@ -250,9 +229,6 @@ var _ = Describe("Test framework deployment", Ordered, func() { // Use i+1 since the for loop ranges over a slice skipping first index checkContainersAndAvailabilityInNamespace(cluster, i+1, installNamespace) - By(logPrefix + "verifying the --compliance-api-url argument was set") - checkArgs(cluster, "--compliance-api-url=http://127.0.0.1:8080") - ctx, cancel := context.WithTimeout(context.TODO(), 15*time.Second) defer cancel() diff --git a/test/e2e/case3_compliance_db_secret_test.go b/test/e2e/case3_compliance_db_secret_test.go deleted file mode 100644 index 523bf38f..00000000 --- a/test/e2e/case3_compliance_db_secret_test.go +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/client-go/dynamic" - - "open-cluster-management.io/governance-policy-addon-controller/pkg/controllers/complianceapi" -) - -var _ = Describe("Test ComplianceDBSecretReconciler", Ordered, func() { - var routerRsrc dynamic.ResourceInterface - var secretRsrc dynamic.ResourceInterface - - BeforeAll(func(ctx context.Context) { - secretRsrc = clientDynamic.Resource(gvrSecret).Namespace(controllerNamespace) - routerRsrc = clientDynamic.Resource(complianceapi.RouteGVR).Namespace(controllerNamespace) - }) - - AfterAll(func(ctx context.Context) { - By("Deleting the " + complianceapi.DBSecretName + " secret") - err := secretRsrc.Delete(ctx, complianceapi.DBSecretName, metav1.DeleteOptions{}) - if !k8serrors.IsNotFound(err) { - Expect(err).ToNot(HaveOccurred()) - } - }) - - It("Creates the route when the secret is defined", func(ctx context.Context) { - Kubectl("-n", controllerNamespace, "create", "secret", "generic", complianceapi.DBSecretName) - - var route *unstructured.Unstructured - - Eventually(func(g Gomega) { - var err error - route, err = routerRsrc.Get(ctx, complianceapi.RouteName, metav1.GetOptions{}) - g.Expect(err).ToNot(HaveOccurred()) - }, 30, 5).Should(Succeed()) - - targetPort, _, _ := unstructured.NestedString(route.Object, "spec", "port", "targetPort") - Expect(targetPort).To(Equal("compliance-history-api")) - - termination, _, _ := unstructured.NestedString(route.Object, "spec", "tls", "termination") - Expect(termination).To(Equal("reencrypt")) - }) - - It("Recreates the route when the route is deleted", func(ctx context.Context) { - err := routerRsrc.Delete(ctx, complianceapi.RouteName, metav1.DeleteOptions{}) - 
Expect(err).ToNot(HaveOccurred()) - - Eventually(func(g Gomega) { - _, err := routerRsrc.Get(ctx, complianceapi.RouteName, metav1.GetOptions{}) - g.Expect(err).ToNot(HaveOccurred()) - }, 30, 5).Should(Succeed()) - }) - - It("Deletes the route when the secret is deleted", func(ctx context.Context) { - err := secretRsrc.Delete(ctx, complianceapi.DBSecretName, metav1.DeleteOptions{}) - Expect(err).ToNot(HaveOccurred()) - - Eventually(func(g Gomega) { - _, err := routerRsrc.Get(ctx, complianceapi.RouteName, metav1.GetOptions{}) - g.Expect(k8serrors.IsNotFound(err)).To(BeTrue(), "the route was not deleted") - }, 30, 5).Should(Succeed()) - }) -}) diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go index 99c0cd34..afd297a6 100644 --- a/test/e2e/e2e_suite_test.go +++ b/test/e2e/e2e_suite_test.go @@ -22,7 +22,6 @@ import ( const ( addonNamespace string = "open-cluster-management-agent-addon" - controllerNamespace string = "open-cluster-management" kubeconfigFilename string = "../../kubeconfig_cluster" loggingLevelAnnotation string = "log-level=8" evaluationConcurrencyAnnotation string = "policy-evaluation-concurrency=5" @@ -45,7 +44,6 @@ var ( gvrSecret schema.GroupVersionResource gvrServiceMonitor schema.GroupVersionResource gvrService schema.GroupVersionResource - gvrServiceAccount schema.GroupVersionResource gvrClusterRole schema.GroupVersionResource gvrRoleBinding schema.GroupVersionResource gvrPolicyCrd schema.GroupVersionResource @@ -86,7 +84,6 @@ var _ = BeforeSuite(func() { Group: "monitoring.coreos.com", Version: "v1", Resource: "servicemonitors", } gvrService = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "services"} - gvrServiceAccount = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "serviceaccounts"} gvrClusterRole = schema.GroupVersionResource{ Group: "rbac.authorization.k8s.io", Version: "v1", Resource: "clusterroles", } 
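Review bot: `gvrClusterRole` and `gvrRoleBinding` survive in both the `var (` block and the BeforeSuite assignments while `gvrServiceAccount` is dropped, yet the only uses visible in this patch were the lookups removed from case1_framework_deployment_test.go. If no other spec in test/e2e references them they are now dead package-level vars, which the compiler and `go vet` will not report; remove `gvrClusterRole schema.GroupVersionResource` and `gvrRoleBinding schema.GroupVersionResource` together with their initializers, or leave a short comment naming the spec that still needs them. The `var (` and `BeforeSuite` blocks both start outside these hunks, so I could not confirm that from here.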
diff --git a/test/resources/addondeploymentconfig_customvars.yaml b/test/resources/addondeploymentconfig_customvars.yaml index 6e502f74..6b6f623c 100644 --- a/test/resources/addondeploymentconfig_customvars.yaml +++ b/test/resources/addondeploymentconfig_customvars.yaml @@ -7,5 +7,3 @@ spec: customizedVariables: - name: managedKubeConfigSecret value: external-managed-kubeconfig - - name: complianceHistoryAPIURL - value: http://127.0.0.1:8080