feat: Add open-cluster-management.io healthchecks (#19411)

Healthchecks for several Policy types.

Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
Justin Kulikauskas 2024-08-13 15:38:30 -04:00 committed by GitHub
parent 2cb7616d51
commit d2231577c7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
26 changed files with 1244 additions and 0 deletions


@ -0,0 +1,15 @@
hs = {}
if obj.status == nil or obj.status.compliant == nil then
hs.status = "Progressing"
hs.message = "Waiting for the status to be reported"
return hs
end
if obj.status.compliant == "Compliant" then
hs.status = "Healthy"
hs.message = "All certificates found comply with the policy"
return hs
else
hs.status = "Degraded"
hs.message = "At least once certificate does not comply with the policy"
return hs
end
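Review bot: The Degraded message in the else branch has a typo, `At least once certificate` should read `At least one certificate`, and the expected message in the accompanying test file repeats the same wording, so both need to change together: `hs.message = "At least one certificate does not comply with the policy"`. The else branch also maps every value other than "Compliant" to Degraded, which looks intended for NonCompliant but would equally cover any other value the controller might report; a one-line comment above the branch stating that this is deliberate would help readers.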


@ -0,0 +1,13 @@
tests:
- healthStatus:
status: Progressing
message: Waiting for the status to be reported
inputPath: testdata/progressing_no_status.yaml
- healthStatus:
status: Degraded
message: At least once certificate does not comply with the policy
inputPath: testdata/degraded.yaml
- healthStatus:
status: Healthy
message: All certificates found comply with the policy
inputPath: testdata/healthy.yaml


@ -0,0 +1,34 @@
apiVersion: policy.open-cluster-management.io/v1
kind: CertificatePolicy
metadata:
name: policy-certificate
namespace: local-cluster
spec:
minimumDuration: 3000h
namespaceSelector:
exclude:
- kube-*
include:
- default
- cert-manager-operator
remediationAction: inform
severity: low
status:
compliancyDetails:
cert-manager-operator:
message: |
Found 1 non compliant certificates in the namespace cert-manager-operator.
List of non compliant certificates:
ca-root-secret expires in 2159h53m40.509362797s
nonCompliantCertificates: 1
nonCompliantCertificatesList:
ca-root-secret:
ca: true
duration: 7776000000000000
expiration: 2159h53m40.509362797s
expiry: 7775620509362797
secretName: ca-root-secret
default:
message: |
Found 0 non compliant certificates in the namespace default.
compliant: NonCompliant


@ -0,0 +1,24 @@
apiVersion: policy.open-cluster-management.io/v1
kind: CertificatePolicy
metadata:
name: policy-certificate
namespace: local-cluster
spec:
minimumDuration: 300h
namespaceSelector:
exclude:
- kube-*
include:
- default
- cert-manager-operator
remediationAction: inform
severity: low
status:
compliancyDetails:
cert-manager-operator:
message: |
Found 0 non compliant certificates in the namespace cert-manager-operator.
default:
message: |
Found 0 non compliant certificates in the namespace default.
compliant: Compliant


@ -0,0 +1,15 @@
apiVersion: policy.open-cluster-management.io/v1
kind: CertificatePolicy
metadata:
name: policy-certificate
namespace: local-cluster
spec:
minimumDuration: 300h
namespaceSelector:
exclude:
- kube-*
include:
- default
- cert-manager-operator
remediationAction: inform
severity: low


@ -0,0 +1,33 @@
hs = {}
if obj.status == nil or obj.status.compliant == nil then
hs.status = "Progressing"
hs.message = "Waiting for the status to be reported"
return hs
end
if obj.status.lastEvaluatedGeneration ~= obj.metadata.generation then
hs.status = "Progressing"
hs.message = "Waiting for the status to be updated"
return hs
end
if obj.status.compliant == "Compliant" then
hs.status = "Healthy"
else
hs.status = "Degraded"
end
if obj.status.compliancyDetails ~= nil then
messages = {}
for i, compliancy in ipairs(obj.status.compliancyDetails) do
if compliancy.conditions ~= nil then
for i, condition in ipairs(compliancy.conditions) do
if condition.message ~= nil and condition.type ~= nil then
table.insert(messages, condition.type .. " - " .. condition.message)
end
end
end
end
hs.message = table.concat(messages, "; ")
return hs
end
hs.status = "Progressing"
hs.message = "Waiting for compliance"
return hs
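Review bot: The fallback at the end of the script overwrites the status already derived from `obj.status.compliant`: when the controller reports `compliant: NonCompliant` but `status.compliancyDetails` is absent, the resource is shown as Progressing with "Waiting for compliance" instead of Degraded, which hides a violation. If the intent is to surface it, keep the computed status and only default the message, e.g. replace the last three lines with `hs.message = "Waiting for compliance details"` followed by `return hs`; if the fall-through is deliberate, a comment above it saying so would help. Separately, the inner loop reuses `i` as its index and neither index is used, so `for _, compliancy in ipairs(obj.status.compliancyDetails) do` and `for _, condition in ipairs(compliancy.conditions) do` would avoid the shadowing.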


@ -0,0 +1,27 @@
tests:
- healthStatus:
status: Progressing
message: Waiting for the status to be reported
inputPath: testdata/progressing_no_status.yaml
- healthStatus:
status: Degraded
message: >-
violation - namespaces [argo-example] not found; violation - namespaces
[argo-example-2] not found
inputPath: testdata/degraded.yaml
- healthStatus:
status: Progressing
message: Waiting for the status to be updated
inputPath: testdata/progressing.yaml
- healthStatus:
status: Healthy
message: >-
notification - namespaces [argo-example] was created successfully;
notification - namespaces [argo-example-2] was created successfully
inputPath: testdata/healthy_created.yaml
- healthStatus:
status: Healthy
message: >-
notification - namespaces [argo-example] found as specified;
notification - namespaces [argo-example-2] found as specified
inputPath: testdata/healthy_found.yaml


@ -0,0 +1,61 @@
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-namespace
generation: 2
namespace: local-cluster
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
recreateOption: None
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
recreateOption: None
pruneObjectBehavior: None
remediationAction: inform
severity: low
status:
compliancyDetails:
- Compliant: NonCompliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:34:29Z'
message: 'namespaces [argo-example] not found'
reason: K8s does not have a `must have` object
status: 'True'
type: violation
- Compliant: NonCompliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:39:00Z'
message: 'namespaces [argo-example-2] not found'
reason: K8s does not have a `must have` object
status: 'True'
type: violation
compliant: NonCompliant
lastEvaluated: '2024-07-29T16:39:18Z'
lastEvaluatedGeneration: 2
relatedObjects:
- compliant: NonCompliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
reason: Resource not found but should exist
- compliant: NonCompliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
reason: Resource not found but should exist


@ -0,0 +1,67 @@
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-namespace
generation: 3
namespace: local-cluster
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
recreateOption: None
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
recreateOption: None
pruneObjectBehavior: None
remediationAction: enforce
severity: low
status:
compliancyDetails:
- Compliant: Compliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:58:50Z'
message: 'namespaces [argo-example] was created successfully'
reason: K8s creation success
status: 'True'
type: notification
- Compliant: Compliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:58:50Z'
message: 'namespaces [argo-example-2] was created successfully'
reason: K8s creation success
status: 'True'
type: notification
compliant: Compliant
lastEvaluated: '2024-07-29T16:58:50Z'
lastEvaluatedGeneration: 3
relatedObjects:
- compliant: Compliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
properties:
createdByPolicy: true
uid: 782f50ee-4fa9-41d6-900e-66d9eaf8b111
reason: K8s creation success
- compliant: Compliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
properties:
createdByPolicy: true
uid: ce34051f-a0dc-4db2-9f8f-64cc9223d4d7
reason: K8s creation success


@ -0,0 +1,67 @@
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-namespace
generation: 3
namespace: local-cluster
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
recreateOption: None
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
recreateOption: None
pruneObjectBehavior: None
remediationAction: enforce
severity: low
status:
compliancyDetails:
- Compliant: Compliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:58:59Z'
message: 'namespaces [argo-example] found as specified'
reason: K8s `must have` object already exists
status: 'True'
type: notification
- Compliant: Compliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:58:59Z'
message: 'namespaces [argo-example-2] found as specified'
reason: K8s `must have` object already exists
status: 'True'
type: notification
compliant: Compliant
lastEvaluated: '2024-07-29T16:59:26Z'
lastEvaluatedGeneration: 3
relatedObjects:
- compliant: Compliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
properties:
createdByPolicy: true
uid: 782f50ee-4fa9-41d6-900e-66d9eaf8b111
reason: Resource found as expected
- compliant: Compliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
properties:
createdByPolicy: true
uid: ce34051f-a0dc-4db2-9f8f-64cc9223d4d7
reason: Resource found as expected


@ -0,0 +1,61 @@
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-namespace
generation: 3
namespace: local-cluster
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
recreateOption: None
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
recreateOption: None
pruneObjectBehavior: None
remediationAction: enforce
severity: low
status:
compliancyDetails:
- Compliant: NonCompliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:34:29Z'
message: 'namespaces [argo-example] not found'
reason: K8s does not have a `must have` object
status: 'True'
type: violation
- Compliant: NonCompliant
Validity: {}
conditions:
- lastTransitionTime: '2024-07-29T16:39:00Z'
message: 'namespaces [argo-example-2] not found'
reason: K8s does not have a `must have` object
status: 'True'
type: violation
compliant: NonCompliant
lastEvaluated: '2024-07-29T16:39:18Z'
lastEvaluatedGeneration: 2
relatedObjects:
- compliant: NonCompliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
reason: Resource not found but should exist
- compliant: NonCompliant
object:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
reason: Resource not found but should exist


@ -0,0 +1,25 @@
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-namespace
generation: 2
namespace: local-cluster
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example
recreateOption: None
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: argo-example-2
recreateOption: None
pruneObjectBehavior: None
remediationAction: inform
severity: low


@ -0,0 +1,26 @@
hs = {}
if obj.status == nil or obj.status.conditions == nil then
hs.status = "Progressing"
hs.message = "Waiting for the status to be reported"
return hs
end
if obj.status.observedGeneration ~= nil and obj.status.observedGeneration ~= obj.metadata.generation then
hs.status = "Progressing"
hs.message = "Waiting for the status to be updated"
return hs
end
for i, condition in ipairs(obj.status.conditions) do
if condition.type == "Compliant" then
hs.message = condition.message
if condition.status == "True" then
hs.status = "Healthy"
return hs
else
hs.status = "Degraded"
return hs
end
end
end
hs.status = "Progressing"
hs.message = "Waiting for the compliance condition"
return hs
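Review bot: The generation guard here skips the comparison when `observedGeneration` is nil, whereas the ConfigurationPolicy script in this commit compares `lastEvaluatedGeneration` against `metadata.generation` unguarded, so a ConfigurationPolicy whose status never carries that field would stay Progressing indefinitely; if both controllers can omit the field, the two scripts should use the same guard. The loop also reports any `Compliant` condition whose status is not `"True"` as Degraded, which presumably includes `"Unknown"` should the controller ever set it — confirm that is the intended mapping. A short comment at the top stating that health is driven by the `Compliant` condition rather than `status.compliant` would make the design choice explicit for the next reader.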


@ -0,0 +1,48 @@
tests:
- healthStatus:
status: Progressing
message: Waiting for the status to be reported
inputPath: testdata/progressing_no_status.yaml
- healthStatus:
status: Degraded
message: >-
NonCompliant; the policy spec is valid, the policy does not specify an
OperatorGroup but one already exists in the namespace - assuming that
OperatorGroup is correct, the Subscription required by the policy was
not found, there are no relevant InstallPlans in the namespace, the
ClusterServiceVersion required by the policy was not found, no CRDs were
found for the operator, there are no relevant deployments because the
ClusterServiceVersion is missing, CatalogSource was found
inputPath: testdata/degraded.yaml
- healthStatus:
status: Progressing
message: Waiting for the status to be updated
inputPath: testdata/progressing_old_generation.yaml
- healthStatus:
status: Progressing
message: Waiting for the compliance condition
inputPath: testdata/progressing_no_compliance.yaml
- healthStatus:
status: Healthy
message: >-
Compliant; the policy spec is valid, the policy does not specify an
OperatorGroup but one already exists in the namespace - assuming that
OperatorGroup is correct, the Subscription matches what is required by
the policy, no InstallPlans requiring approval were found,
ClusterServiceVersion (argocd-operator.v0.11.0) - install strategy
completed with no errors, there are CRDs present for the operator, all
operator Deployments have their minimum availability, CatalogSource was
found
inputPath: testdata/healthy_no_generation.yaml
- healthStatus:
status: Healthy
message: >-
Compliant; the policy spec is valid, the policy does not specify an
OperatorGroup but one already exists in the namespace - assuming that
OperatorGroup is correct, the Subscription matches what is required by
the policy, no InstallPlans requiring approval were found,
ClusterServiceVersion (argocd-operator.v0.11.0) - install strategy
completed with no errors, there are CRDs present for the operator, all
operator Deployments have their minimum availability, CatalogSource was
found
inputPath: testdata/healthy_with_generation.yaml


@ -0,0 +1,69 @@
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: install-argocd
generation: 1
namespace: local-cluster
spec:
complianceConfig:
catalogSourceUnhealthy: Compliant
deploymentsUnavailable: NonCompliant
upgradesAvailable: Compliant
complianceType: musthave
remediationAction: inform
removalBehavior:
clusterServiceVersions: Delete
customResourceDefinitions: Keep
operatorGroups: DeleteIfUnused
subscriptions: Delete
severity: high
subscription:
channel: alpha
name: argocd-operator
source: community-operators
sourceNamespace: openshift-marketplace
upgradeApproval: None
versions: []
status:
compliant: NonCompliant
conditions:
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: CatalogSource was found
reason: CatalogSourcesFound
status: 'False'
type: CatalogSourcesUnhealthy
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: >-
NonCompliant; the policy spec is valid, the policy does not specify an
OperatorGroup but one already exists in the namespace - assuming that
OperatorGroup is correct, the Subscription required by the policy was
not found, there are no relevant InstallPlans in the namespace, the
ClusterServiceVersion required by the policy was not found, no CRDs were
found for the operator, there are no relevant deployments because the
ClusterServiceVersion is missing, CatalogSource was found
reason: NonCompliant
status: 'False'
type: Compliant
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: the Subscription required by the policy was not found
reason: SubscriptionMissing
status: 'False'
type: SubscriptionCompliant
relatedObjects:
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: community-operators
namespace: openshift-marketplace
reason: Resource found as expected
- compliant: NonCompliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: argocd-operator
namespace: openshift-operators
reason: Resource not found but should exist
resolvedSubscriptionLabel: argocd-operator.openshift-operators


@ -0,0 +1,73 @@
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: install-argocd
generation: 2
namespace: local-cluster
spec:
complianceConfig:
catalogSourceUnhealthy: Compliant
deploymentsUnavailable: NonCompliant
upgradesAvailable: Compliant
complianceType: musthave
remediationAction: enforce
removalBehavior:
clusterServiceVersions: Delete
customResourceDefinitions: Keep
operatorGroups: DeleteIfUnused
subscriptions: Delete
severity: high
subscription:
channel: alpha
name: argocd-operator
source: community-operators
sourceNamespace: openshift-marketplace
upgradeApproval: Automatic
versions: []
status:
compliant: Compliant
conditions:
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: CatalogSource was found
reason: CatalogSourcesFound
status: 'False'
type: CatalogSourcesUnhealthy
- lastTransitionTime: '2024-07-29T15:48:20Z'
message: >-
Compliant; the policy spec is valid, the policy does not specify an
OperatorGroup but one already exists in the namespace - assuming that
OperatorGroup is correct, the Subscription matches what is required by
the policy, no InstallPlans requiring approval were found,
ClusterServiceVersion (argocd-operator.v0.11.0) - install strategy
completed with no errors, there are CRDs present for the operator, all
operator Deployments have their minimum availability, CatalogSource was
found
reason: Compliant
status: 'True'
type: Compliant
- lastTransitionTime: '2024-07-29T15:47:45Z'
message: the Subscription matches what is required by the policy
reason: SubscriptionMatches
status: 'True'
type: SubscriptionCompliant
relatedObjects:
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: community-operators
namespace: openshift-marketplace
reason: Resource found as expected
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: argocd-operator
namespace: openshift-operators
properties:
createdByPolicy: true
uid: f3e6d8a7-eb73-4b29-b804-bf4609d2f7fb
reason: Resource found as expected
resolvedSubscriptionLabel: argocd-operator.openshift-operators


@ -0,0 +1,74 @@
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: install-argocd
generation: 2
namespace: local-cluster
spec:
complianceConfig:
catalogSourceUnhealthy: Compliant
deploymentsUnavailable: NonCompliant
upgradesAvailable: Compliant
complianceType: musthave
remediationAction: enforce
removalBehavior:
clusterServiceVersions: Delete
customResourceDefinitions: Keep
operatorGroups: DeleteIfUnused
subscriptions: Delete
severity: high
subscription:
channel: alpha
name: argocd-operator
source: community-operators
sourceNamespace: openshift-marketplace
upgradeApproval: Automatic
versions: []
status:
compliant: Compliant
conditions:
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: CatalogSource was found
reason: CatalogSourcesFound
status: 'False'
type: CatalogSourcesUnhealthy
- lastTransitionTime: '2024-07-29T15:48:20Z'
message: >-
Compliant; the policy spec is valid, the policy does not specify an
OperatorGroup but one already exists in the namespace - assuming that
OperatorGroup is correct, the Subscription matches what is required by
the policy, no InstallPlans requiring approval were found,
ClusterServiceVersion (argocd-operator.v0.11.0) - install strategy
completed with no errors, there are CRDs present for the operator, all
operator Deployments have their minimum availability, CatalogSource was
found
reason: Compliant
status: 'True'
type: Compliant
- lastTransitionTime: '2024-07-29T15:47:45Z'
message: the Subscription matches what is required by the policy
reason: SubscriptionMatches
status: 'True'
type: SubscriptionCompliant
observedGeneration: 2
relatedObjects:
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: community-operators
namespace: openshift-marketplace
reason: Resource found as expected
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: argocd-operator
namespace: openshift-operators
properties:
createdByPolicy: true
uid: f3e6d8a7-eb73-4b29-b804-bf4609d2f7fb
reason: Resource found as expected
resolvedSubscriptionLabel: argocd-operator.openshift-operators


@ -0,0 +1,61 @@
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: install-argocd
generation: 2
namespace: local-cluster
spec:
complianceConfig:
catalogSourceUnhealthy: Compliant
deploymentsUnavailable: NonCompliant
upgradesAvailable: Compliant
complianceType: musthave
remediationAction: enforce
removalBehavior:
clusterServiceVersions: Delete
customResourceDefinitions: Keep
operatorGroups: DeleteIfUnused
subscriptions: Delete
severity: high
subscription:
channel: alpha
name: argocd-operator
source: community-operators
sourceNamespace: openshift-marketplace
upgradeApproval: Automatic
versions: []
status:
compliant: Compliant
conditions:
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: CatalogSource was found
reason: CatalogSourcesFound
status: 'False'
type: CatalogSourcesUnhealthy
- lastTransitionTime: '2024-07-29T15:47:45Z'
message: the Subscription matches what is required by the policy
reason: SubscriptionMatches
status: 'True'
type: SubscriptionCompliant
observedGeneration: 2
relatedObjects:
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: community-operators
namespace: openshift-marketplace
reason: Resource found as expected
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: argocd-operator
namespace: openshift-operators
properties:
createdByPolicy: true
uid: f3e6d8a7-eb73-4b29-b804-bf4609d2f7fb
reason: Resource found as expected
resolvedSubscriptionLabel: argocd-operator.openshift-operators


@ -0,0 +1,26 @@
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: install-argocd
generation: 1
namespace: local-cluster
spec:
complianceConfig:
catalogSourceUnhealthy: Compliant
deploymentsUnavailable: NonCompliant
upgradesAvailable: Compliant
complianceType: musthave
remediationAction: inform
removalBehavior:
clusterServiceVersions: Delete
customResourceDefinitions: Keep
operatorGroups: DeleteIfUnused
subscriptions: Delete
severity: high
subscription:
channel: alpha
name: argocd-operator
source: community-operators
sourceNamespace: openshift-marketplace
upgradeApproval: None
versions: []


@ -0,0 +1,63 @@
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: install-argocd
generation: 2
namespace: local-cluster
spec:
complianceConfig:
catalogSourceUnhealthy: Compliant
deploymentsUnavailable: NonCompliant
upgradesAvailable: Compliant
complianceType: musthave
remediationAction: enforce
removalBehavior:
clusterServiceVersions: Delete
customResourceDefinitions: Keep
operatorGroups: DeleteIfUnused
subscriptions: Delete
severity: high
subscription:
channel: alpha
name: argocd-operator
source: community-operators
sourceNamespace: openshift-marketplace
upgradeApproval: Automatic
versions: []
status:
compliant: NonCompliant
conditions:
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: CatalogSource was found
reason: CatalogSourcesFound
status: 'False'
type: CatalogSourcesUnhealthy
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: 'NonCompliant; the policy spec is valid, the policy does not specify an OperatorGroup but one already exists in the namespace - assuming that OperatorGroup is correct, the Subscription required by the policy was not found, there are no relevant InstallPlans in the namespace, the ClusterServiceVersion required by the policy was not found, no CRDs were found for the operator, there are no relevant deployments because the ClusterServiceVersion is missing, CatalogSource was found'
reason: NonCompliant
status: 'False'
type: Compliant
- lastTransitionTime: '2024-07-29T15:20:48Z'
message: the Subscription required by the policy was not found
reason: SubscriptionMissing
status: 'False'
type: SubscriptionCompliant
observedGeneration: 1
relatedObjects:
- compliant: Compliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: community-operators
namespace: openshift-marketplace
reason: Resource found as expected
- compliant: NonCompliant
object:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: argocd-operator
namespace: openshift-operators
reason: Resource not found but should exist
resolvedSubscriptionLabel: argocd-operator.openshift-operators
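Review bot: The `Compliant` condition's message in this fixture is written as one quoted line of several hundred characters, while the other OperatorPolicy fixtures in this commit write the same text as a `>-` folded block; using the folded form here as well keeps the fixtures consistent and readable in diffs. Folded style yields the identical string at load time, so the expected message in the test file is unaffected.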


@ -0,0 +1,38 @@
hs = {}
if obj.status == nil or obj.status.compliant == nil then
hs.status = "Progressing"
hs.message = "Waiting for the status to be reported"
return hs
end
if obj.status.compliant == "Compliant" then
hs.status = "Healthy"
else
hs.status = "Degraded"
end
noncompliants = {}
if obj.status.status ~= nil then
-- "root" policy
for i, entry in ipairs(obj.status.status) do
if entry.compliant ~= "Compliant" then
noncompliants[i] = entry.clustername
end
end
if table.getn(noncompliants) == 0 then
hs.message = "All clusters are compliant"
else
hs.message = "NonCompliant clusters: " .. table.concat(noncompliants, ", ")
end
elseif obj.status.details ~= nil then
-- "replicated" policy
for i, entry in ipairs(obj.status.details) do
if entry.compliant ~= "Compliant" then
noncompliants[i] = entry.templateMeta.name
end
end
if table.getn(noncompliants) == 0 then
hs.message = "All templates are compliant"
else
hs.message = "NonCompliant templates: " .. table.concat(noncompliants, ", ")
end
end
return hs
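Review bot: Collecting non-compliant entries with `noncompliants[i] = ...` leaves holes in the table whenever a compliant entry precedes a non-compliant one, and the length of a table with holes is not well-defined in Lua: a root policy whose first cluster is Compliant and second is NonCompliant can yield `table.getn(noncompliants) == 0`, producing "All clusters are compliant" under a Degraded status, or make `table.concat` fail on a nil element. Use `table.insert(noncompliants, entry.clustername)` and `table.insert(noncompliants, entry.templateMeta.name)` instead, and replace the deprecated `table.getn(noncompliants)` with `#noncompliants` in both branches. The test fixtures in this commit only cover cases where the first entry is NonCompliant, so a root-policy fixture with a Compliant cluster listed before a NonCompliant one would catch this.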


@ -0,0 +1,17 @@
tests:
- healthStatus:
status: Degraded
message: 'NonCompliant clusters: local-cluster, managed'
inputPath: testdata/degraded_root.yaml
- healthStatus:
status: Degraded
message: 'NonCompliant templates: example-namespace'
inputPath: testdata/degraded_replicated.yaml
- healthStatus:
status: Healthy
message: All clusters are compliant
inputPath: testdata/healthy_root.yaml
- healthStatus:
status: Healthy
message: All templates are compliant
inputPath: testdata/healthy_replicated.yaml


@ -0,0 +1,80 @@
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: open-cluster-management-global-set.argo-example
namespace: local-cluster
labels:
policy.open-cluster-management.io/cluster-name: local-cluster
policy.open-cluster-management.io/cluster-namespace: local-cluster
policy.open-cluster-management.io/root-policy: open-cluster-management-global-set.argo-example
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-namespace
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: example
remediationAction: inform
severity: low
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-pod
spec:
namespaceSelector:
exclude:
- kube-*
include:
- default
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Pod
metadata:
name: foobar
spec:
containers:
- image: 'registry.redhat.io/rhel9/httpd-24:latest'
name: httpd
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
remediationAction: enforce
severity: low
status:
compliant: NonCompliant
details:
- compliant: NonCompliant
history:
- eventName: open-cluster-management-global-set.argo-example.17e701cc5101e3a4
lastTimestamp: '2024-07-30T13:49:19Z'
message: 'NonCompliant; violation - namespaces [example] not found'
templateMeta:
creationTimestamp: null
name: example-namespace
- compliant: Compliant
history:
- eventName: open-cluster-management-global-set.argo-example.17e7034c879045a3
lastTimestamp: '2024-07-30T14:16:49Z'
message: 'Compliant; notification - pods [foobar] was created successfully in namespace default'
- eventName: open-cluster-management-global-set.argo-example.17e7020b47782ddc
lastTimestamp: '2024-07-30T13:53:49Z'
message: 'NonCompliant; violation - pods [foobar] not found in namespace default'
templateMeta:
creationTimestamp: null
name: example-pod


@ -0,0 +1,68 @@
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
generation: 2
name: argo-example
namespace: open-cluster-management-global-set
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-namespace
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: example
remediationAction: inform
severity: low
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-pod
spec:
namespaceSelector:
exclude:
- kube-*
include:
- default
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Pod
metadata:
name: foobar
spec:
containers:
- image: 'registry.redhat.io/rhel9/httpd-24:latest'
name: httpd
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
remediationAction: inform
severity: low
remediationAction: inform
status:
compliant: NonCompliant
placement:
- placement: argo-example-placement
placementBinding: argo-example-placement
status:
- clustername: local-cluster
clusternamespace: local-cluster
compliant: NonCompliant
- clustername: managed
clusternamespace: managed
compliant: NonCompliant


@ -0,0 +1,91 @@
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: open-cluster-management-global-set.argo-example
generation: 4
namespace: local-cluster
labels:
policy.open-cluster-management.io/cluster-name: local-cluster
policy.open-cluster-management.io/cluster-namespace: local-cluster
policy.open-cluster-management.io/root-policy: open-cluster-management-global-set.argo-example
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-namespace
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: example
remediationAction: inform
severity: low
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-pod
spec:
namespaceSelector:
exclude:
- kube-*
include:
- default
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Pod
metadata:
name: foobar
spec:
containers:
- image: 'registry.redhat.io/rhel9/httpd-24:latest'
name: httpd
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
remediationAction: inform
severity: low
remediationAction: inform
status:
compliant: Compliant
details:
- compliant: Compliant
history:
- eventName: open-cluster-management-global-set.argo-example.17e703831ab809b3
lastTimestamp: '2024-07-30T14:20:44Z'
message: 'Compliant; notification - namespaces [example] found as specified'
- eventName: open-cluster-management-global-set.argo-example.17e703810146765a
lastTimestamp: '2024-07-30T14:20:35Z'
message: 'Compliant; notification - namespaces [example] was created successfully'
- eventName: open-cluster-management-global-set.argo-example.17e701cc5101e3a4
lastTimestamp: '2024-07-30T13:49:19Z'
message: 'NonCompliant; violation - namespaces [example] not found'
templateMeta:
creationTimestamp: null
name: example-namespace
- compliant: Compliant
history:
- eventName: open-cluster-management-global-set.argo-example.17e7034ea145078e
lastTimestamp: '2024-07-30T14:16:58Z'
message: 'Compliant; notification - pods [foobar] found as specified in namespace default'
- eventName: open-cluster-management-global-set.argo-example.17e7034c879045a3
lastTimestamp: '2024-07-30T14:16:49Z'
message: 'Compliant; notification - pods [foobar] was created successfully in namespace default'
- eventName: open-cluster-management-global-set.argo-example.17e7020b47782ddc
lastTimestamp: '2024-07-30T13:53:49Z'
message: 'NonCompliant; violation - pods [foobar] not found in namespace default'
templateMeta:
creationTimestamp: null
name: example-pod


@ -0,0 +1,68 @@
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
generation: 4
name: argo-example
namespace: open-cluster-management-global-set
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-namespace
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: example
remediationAction: inform
severity: low
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: example-pod
spec:
namespaceSelector:
exclude:
- kube-*
include:
- default
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Pod
metadata:
name: foobar
spec:
containers:
- image: 'registry.redhat.io/rhel9/httpd-24:latest'
name: httpd
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
remediationAction: inform
severity: low
remediationAction: inform
status:
compliant: Compliant
placement:
- placement: argo-example-placement
placementBinding: argo-example-placement
status:
- clustername: local-cluster
clusternamespace: local-cluster
compliant: Compliant
- clustername: managed
clusternamespace: managed
compliant: Compliant