Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: adding enforcement point status, vapgeneratestatus #3686

Merged

Conversation

JaydipGabani
Copy link
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #3682

Special notes for your reviewer:

@JaydipGabani JaydipGabani requested a review from a team as a code owner November 8, 2024 22:02
Signed-off-by: Jaydip Gabani <[email protected]>
Operations []string `json:"operations,omitempty"`
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
Errors []*templatesv1beta1.CreateCRDError `json:"errors,omitempty"`
VAPGenerationStatus VAPGenerationStatus `json:"vapGenerationStatus,omitempty"`
Copy link
Contributor Author

@JaydipGabani JaydipGabani Nov 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can remove this if we do not want status on CT for generation updates. Lmk your thoughts.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to report status for CT objects... they do map directly to a VAP object.

Signed-off-by: Jaydip Gabani <[email protected]>
@codecov-commenter
Copy link

codecov-commenter commented Nov 11, 2024

Codecov Report

Attention: Patch coverage is 1.47059% with 67 lines in your changes missing coverage. Please review.

Project coverage is 47.56%. Comparing base (3350319) to head (45a53f7).
Report is 202 commits behind head on master.

Files with missing lines Patch % Lines
pkg/controller/constraint/constraint_controller.go 0.00% 35 Missing ⚠️
apis/status/v1beta1/zz_generated.deepcopy.go 0.00% 28 Missing ⚠️
...onstrainttemplate/constrainttemplate_controller.go 25.00% 2 Missing and 1 partial ⚠️
pkg/drivers/k8scel/schema/schema.go 0.00% 1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (45a53f7). Click for more details.

HEAD has 1 upload less than BASE
Flag BASE (3350319) HEAD (45a53f7)
unittests 2 1
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3686      +/-   ##
==========================================
- Coverage   54.49%   47.56%   -6.94%     
==========================================
  Files         134      236     +102     
  Lines       12329    19896    +7567     
==========================================
+ Hits         6719     9464    +2745     
- Misses       5116     9539    +4423     
- Partials      494      893     +399     
Flag Coverage Δ
unittests 47.56% <1.47%> (-6.94%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.


🚨 Try these New Features:

@JaydipGabani JaydipGabani added this to the v3.18.0 milestone Nov 13, 2024
Copy link
Member

@sozercan sozercan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Signed-off-by: Jaydip Gabani <[email protected]>
// EnforcementPointStatus represents the status of a single enforcement point.
type EnforcementPointStatus struct {
EnforcementPoint string `json:"enforcementPoint"`
Enforced bool `json:"enforced"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it was a mistake to have an enforced boolean state with constraints. And with VAP, we cannot make guarantees as to whether they are enforced b/c there is no status reporting, so we cannot know if the VAP object has been ingested or whether there are any errors. Maybe we want something like a string field called Status?

There we can put a string like "GENERATED", "ERROR", etc.

Of course, if we call it "status", we should rename the parent field to avoid stutter.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about code - generated/error/...?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"code" seems a bit ambiguous given we are also dealing with "code" in the sense of CEL code.

"state"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like state, updated the name to state.

Operations []string `json:"operations,omitempty"`
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
Errors []*templatesv1beta1.CreateCRDError `json:"errors,omitempty"`
VAPGenerationStatus VAPGenerationStatus `json:"vapGenerationStatus,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to report status for CT objects... they do map directly to a VAP object.


if c, err := r.cfClient.GetConstraint(instance); err != nil || !reflect.DeepEqual(instance, c) {
err := util.ValidateEnforcementAction(enforcementAction, instance.Object)
if err != nil {
return reconcile.Result{}, r.reportErrorOnConstraintStatus(ctx, status, err, "could not validate enforcement actions")
return reconcile.Result{}, r.reportErrorOnConstraintStatus(ctx, status, constraintstatusv1beta1.EnforcementPointStatus{}, err, "could not validate enforcement actions")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this have the effect of wiping out previously reported status? Should we preserve the original VAP status unless there is a failure related to VAP generation?

Of course, if we do that, VAP status should probably have it's own observedGeneration field, since it's possible that VAP status corresponds to an older object than the rest of the status.

The other option is to keep the current behavior, which wipes status on every update.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added obeservedGeneration for each enforcement point status.


// VAPGenerationStatus represents the status of VAP generation.
type VAPGenerationStatus struct {
Generated bool `json:"generated,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment about bool field vs. string field.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to string field.

Signed-off-by: Jaydip Gabani <[email protected]>
@@ -331,6 +331,7 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
status.Status.TemplateUID = ct.GetUID()
status.Status.ObservedGeneration = ct.GetGeneration()
status.Status.Errors = nil
status.Status.VAPGenerationStatus = statusv1beta1.VAPGenerationStatus{}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This appears to have the same problem of wiping the generation status that constraints had.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed it. PTAL @maxsmythe

logger.Error(err, "generateVap error")
if generateVap {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

by Golang convention, generateVap would be false if ShouldGenerateVAP returns an error. We should probably report the error regardless.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would mean all rego templates will have this status message regarldess of if there is intention of VAP generation or not. When should we report this error?

  • all the time, regardless of indication of VAP generation for CT?
  • Or only when VAP is supposed to be generated but is not being generated?

I agree that we will be reporting this error for all rego CT when we go to beta.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It sounds like ShouldGenerateVAP should be implemented differently then?

If we are struggling to implement the behaviors we want, that's a sign we should rethink primitives, not double-down on pre-existing shapes as if they were carved in stone, adding edge cases and complexity along the way.

It seems like ShouldGenerateVAP() should return (false, nil) if we get ErrCodeNotDefined:

return nil, ErrCodeNotDefined

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would handle templates where VAP generation is not expected, like for Rego.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated shouldGenerateVAP to return false. Still returning ErrCodeNotDefined as it is needed for constraints to report respective status.

@ritazh @sozercan PTAL.

@@ -875,6 +884,9 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not delete VAP object", status, err)
return err
}
status.Status.VAPGenerationStatus.State = DeletedVAPState
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably shouldn't have a "deleted" state, since that's more imperative than declarative. We could have a "NotGenerated" state, or similar. But if we do that, we should use it consistently (i.e. any time VAP objects are not generated)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed "delete" state

Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM once we fix the edge case of CTs without CEL code

Signed-off-by: Jaydip Gabani <[email protected]>
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ErrGenerateVAPState = "error"
// GeneratedVAPState indicates a VAP was generated.
GeneratedVAPState = "generated"
// DeletedVAPState indicates a VAP was deleted.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we still need this

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope! Good catch, removed it.

vapEnforcementPointStatus := constraintstatusv1beta1.EnforcementPointStatus{EnforcementPoint: enforcementPoint, State: state, ObservedGeneration: observedGeneration, Message: message}
for i, ep := range status.Status.EnforcementPointsStatus {
if ep.EnforcementPoint == enforcementPoint {
status.Status.EnforcementPointsStatus[i] = vapEnforcementPointStatus
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

enforcementPoint can be more than just vap enforcement point right? this var name vapEnforcementPointStatus makes it look like its just for the vap EP.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated the variable to make it generic.

@JaydipGabani JaydipGabani requested a review from ritazh November 21, 2024 01:30
Copy link
Member

@ritazh ritazh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@JaydipGabani JaydipGabani merged commit 26bfc0f into open-policy-agent:master Nov 21, 2024
21 checks passed
@JaydipGabani JaydipGabani deleted the enforcementPointStatus branch November 21, 2024 01:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add enforcementPointStatus under constraint status
5 participants