fix: Policy/policy.open-cluster-management.io stuck in progressing st…
…atus when no clusters match the policy

When a policy does not apply to a cluster because the placementrule
matches no cluster at all then the status will look like the following:

    status:
      placement:
      - placementBinding: group-one-placement-binding
        placementRule: group-one-placement

Without this change the above will show up as progressing even though
there is really nothing to progress.

Let's take care of this case by returning healthy when there is no
compliant field but the array under placement is non-empty, which means
that its placement resolution has happened and there is nothing to do.

Fixes: argoproj#21296
mbaldessari committed Dec 23, 2024
1 parent ac8e3f0 commit ca92dde
Showing 4 changed files with 130 additions and 1 deletion.
@@ -1,9 +1,24 @@
hs = {}
if obj.status == nil or obj.status.compliant == nil then
if obj.status == nil then
hs.status = "Progressing"
hs.message = "Waiting for the status to be reported"
return hs
end

-- A policy will not have a compliant field but will have a placement key set if
-- it is not being applied to any clusters
if obj.status.compliant == nil and #obj.status.placement > 0 then
hs.status = "Healthy"
hs.message = "No clusters are matching this policy"
return hs
end

if obj.status.compliant == nil then
hs.status = "Progressing"
hs.message = "Waiting for the status to be reported"
return hs
end

if obj.status.compliant == "Compliant" then
hs.status = "Healthy"
else
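Review bot: The new check `#obj.status.placement > 0` takes the length of `obj.status.placement` without first testing it for nil, so a Policy whose status exists but has neither `compliant` nor `placement` would make the health script raise a Lua error instead of falling through to the Progressing branch below it. Guarding the length restores the fall-through: `if obj.status.compliant == nil and obj.status.placement ~= nil and #obj.status.placement > 0 then`. Because a policy that matches no cluster is enforced nowhere, reporting it as Healthy can also hide a placement that selects nothing by mistake, so the message should stay explicit about that state. The `if`/`else` on `obj.status.compliant == "Compliant"` continues past the end of the hunk.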
@@ -15,3 +15,11 @@ tests:
status: Healthy
message: All templates are compliant
inputPath: testdata/healthy_replicated.yaml
- healthStatus:
status: Progressing
message: Waiting for the status to be reported
inputPath: testdata/progressing_no_status.yaml
- healthStatus:
status: Healthy
message: No clusters are matching this policy
inputPath: testdata/healthy_with_placement_empty_compliant.yaml
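Review bot: Neither added case reaches the third branch of the health script, where `status` is present but has no `compliant` field and no non-empty `placement`; the fixture for `progressing_no_status.yaml` has no `status` key at all, so it exercises only the first `obj.status == nil` check. A further case expecting `status: Progressing` with `message: Waiting for the status to be reported`, fed by a fixture whose `status` carries `placement: []`, would pin that path. A second fixture whose `status` omits `placement` entirely would cover the nil case that the length check in the script does not guard. The `tests:` list starts above the hunk.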
@@ -0,0 +1,55 @@
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
annotations:
argocd.argoproj.io/compare-options: IgnoreExtraneous
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
labels:
argocd.argoproj.io/instance: acm
name: acm-hub-ca-policy
namespace: open-cluster-management
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: acm-hub-ca-config-policy
spec:
namespaceSelector:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
apiVersion: v1
data:
hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
| base64enc hub}}'
hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
"service-ca.crt" | base64enc hub}}'
kind: Secret
metadata:
name: hub-ca
namespace: golang-external-secrets
type: Opaque
- complianceType: mustonlyhave
objectDefinition:
apiVersion: v1
data:
hub-kube-root-ca.crt: |
{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
hub-openshift-service-ca.crt: |
{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
kind: ConfigMap
metadata:
name: trusted-hub-bundle
namespace: imperative
remediationAction: enforce
severity: medium
remediationAction: enforce
status:
placement:
- placementBinding: acm-hub-ca-policy-placement-binding
placementRule: acm-hub-ca-policy-placement
@@ -0,0 +1,51 @@
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
annotations:
argocd.argoproj.io/compare-options: IgnoreExtraneous
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
labels:
argocd.argoproj.io/instance: acm
name: acm-hub-ca-policy
namespace: open-cluster-management
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: acm-hub-ca-config-policy
spec:
namespaceSelector:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
apiVersion: v1
data:
hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
| base64enc hub}}'
hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
"service-ca.crt" | base64enc hub}}'
kind: Secret
metadata:
name: hub-ca
namespace: golang-external-secrets
type: Opaque
- complianceType: mustonlyhave
objectDefinition:
apiVersion: v1
data:
hub-kube-root-ca.crt: |
{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
hub-openshift-service-ca.crt: |
{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
kind: ConfigMap
metadata:
name: trusted-hub-bundle
namespace: imperative
remediationAction: enforce
severity: medium
remediationAction: enforce
