-
Notifications
You must be signed in to change notification settings - Fork 762
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: adding enforcement point status, vapgeneratestatus #3686
chore: adding enforcement point status, vapgeneratestatus #3686
Conversation
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Operations []string `json:"operations,omitempty"` | ||
ObservedGeneration int64 `json:"observedGeneration,omitempty"` | ||
Errors []*templatesv1beta1.CreateCRDError `json:"errors,omitempty"` | ||
VAPGenerationStatus VAPGenerationStatus `json:"vapGenerationStatus,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can remove this if we do not want status on CT for generation updates. Lmk your thoughts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it makes sense to report status for CT objects... they do map directly to a VAP object.
Signed-off-by: Jaydip Gabani <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3686 +/- ##
==========================================
- Coverage 54.49% 47.56% -6.94%
==========================================
Files 134 236 +102
Lines 12329 19896 +7567
==========================================
+ Hits 6719 9464 +2745
- Misses 5116 9539 +4423
- Partials 494 893 +399
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Jaydip Gabani <[email protected]>
// EnforcementPointStatus represents the status of a single enforcement point. | ||
type EnforcementPointStatus struct { | ||
EnforcementPoint string `json:"enforcementPoint"` | ||
Enforced bool `json:"enforced"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it was a mistake to have an enforced
boolean state with constraints. And with VAP, we cannot make guarantees as to whether they are enforced b/c there is no status reporting, so we cannot know if the VAP object has been ingested or whether there are any errors. Maybe we want something like a string field called Status
?
There we can put a string like "GENERATED", "ERROR", etc.
Of course, if we call it "status", we should rename the parent field to avoid stutter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about code
- generated/error/...
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"code" seems a bit ambiguous given we are also dealing with "code" in the sense of CEL code.
"state"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like state
, updated the name to state
.
Operations []string `json:"operations,omitempty"` | ||
ObservedGeneration int64 `json:"observedGeneration,omitempty"` | ||
Errors []*templatesv1beta1.CreateCRDError `json:"errors,omitempty"` | ||
VAPGenerationStatus VAPGenerationStatus `json:"vapGenerationStatus,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it makes sense to report status for CT objects... they do map directly to a VAP object.
|
||
if c, err := r.cfClient.GetConstraint(instance); err != nil || !reflect.DeepEqual(instance, c) { | ||
err := util.ValidateEnforcementAction(enforcementAction, instance.Object) | ||
if err != nil { | ||
return reconcile.Result{}, r.reportErrorOnConstraintStatus(ctx, status, err, "could not validate enforcement actions") | ||
return reconcile.Result{}, r.reportErrorOnConstraintStatus(ctx, status, constraintstatusv1beta1.EnforcementPointStatus{}, err, "could not validate enforcement actions") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this have the effect of wiping out previously reported status? Should we preserve the original VAP status unless there is a failure related to VAP generation?
Of course, if we do that, VAP status should probably have it's own observedGeneration
field, since it's possible that VAP status corresponds to an older object than the rest of the status.
The other option is to keep the current behavior, which wipes status on every update.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added obeservedGeneration
for each enforcement point status.
|
||
// VAPGenerationStatus represents the status of VAP generation. | ||
type VAPGenerationStatus struct { | ||
Generated bool `json:"generated,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment about bool field vs. string field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated to string field.
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
@@ -331,6 +331,7 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec | |||
status.Status.TemplateUID = ct.GetUID() | |||
status.Status.ObservedGeneration = ct.GetGeneration() | |||
status.Status.Errors = nil | |||
status.Status.VAPGenerationStatus = statusv1beta1.VAPGenerationStatus{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This appears to have the same problem of wiping the generation status that constraints had.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed it. PTAL @maxsmythe
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
logger.Error(err, "generateVap error") | ||
if generateVap { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by Golang convention, generateVap
would be false if ShouldGenerateVAP returns an error. We should probably report the error regardless.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would mean all rego templates will have this status message regarldess of if there is intention of VAP generation or not. When should we report this error?
- all the time, regardless of indication of VAP generation for CT?
- Or only when VAP is supposed to be generated but is not being generated?
I agree that we will be reporting this error for all rego CT when we go to beta.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It sounds like ShouldGenerateVAP
should be implemented differently then?
If we are struggling to implement the behaviors we want, that's a sign we should rethink primitives, not double-down on pre-existing shapes as if they were carved in stone, adding edge cases and complexity along the way.
It seems like ShouldGenerateVAP()
should return (false
, nil
) if we get ErrCodeNotDefined
:
return nil, ErrCodeNotDefined |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would handle templates where VAP generation is not expected, like for Rego.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -875,6 +884,9 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1 | |||
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not delete VAP object", status, err) | |||
return err | |||
} | |||
status.Status.VAPGenerationStatus.State = DeletedVAPState |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We probably shouldn't have a "deleted" state, since that's more imperative than declarative. We could have a "NotGenerated" state, or similar. But if we do that, we should use it consistently (i.e. any time VAP objects are not generated)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed "delete" state
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM once we fix the edge case of CTs without CEL code
Signed-off-by: Jaydip Gabani <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
ErrGenerateVAPState = "error" | ||
// GeneratedVAPState indicates a VAP was generated. | ||
GeneratedVAPState = "generated" | ||
// DeletedVAPState indicates a VAP was deleted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we still need this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope! Good catch, removed it.
vapEnforcementPointStatus := constraintstatusv1beta1.EnforcementPointStatus{EnforcementPoint: enforcementPoint, State: state, ObservedGeneration: observedGeneration, Message: message} | ||
for i, ep := range status.Status.EnforcementPointsStatus { | ||
if ep.EnforcementPoint == enforcementPoint { | ||
status.Status.EnforcementPointsStatus[i] = vapEnforcementPointStatus |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
enforcementPoint can be more than just vap enforcement point right? this var name vapEnforcementPointStatus
makes it look like its just for the vap EP.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated the variable to make it generic.
Signed-off-by: Jaydip Gabani <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Fixes #3682
Special notes for your reviewer: