diff --git a/apis/status/v1beta1/constrainttemplatepodstatus_types.go b/apis/status/v1beta1/constrainttemplatepodstatus_types.go
index 418de3e761e..a06c6696417 100644
--- a/apis/status/v1beta1/constrainttemplatepodstatus_types.go
+++ b/apis/status/v1beta1/constrainttemplatepodstatus_types.go
@@ -34,7 +34,7 @@ type ConstraintTemplatePodStatusStatus struct {
 Operations []string `json:"operations,omitempty"`
 ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 Errors []*templatesv1beta1.CreateCRDError `json:"errors,omitempty"`
- VAPGenerationStatus VAPGenerationStatus `json:"vapGenerationStatus,omitempty"`
+ VAPGenerationStatus *VAPGenerationStatus `json:"vapGenerationStatus,omitempty"`
 }
 // VAPGenerationStatus represents the status of VAP generation.
diff --git a/apis/status/v1beta1/zz_generated.deepcopy.go b/apis/status/v1beta1/zz_generated.deepcopy.go
index 6b165de0856..0249b331f42 100644
--- a/apis/status/v1beta1/zz_generated.deepcopy.go
+++ b/apis/status/v1beta1/zz_generated.deepcopy.go
@@ -293,7 +293,11 @@ func (in *ConstraintTemplatePodStatusStatus) DeepCopyInto(out *ConstraintTemplat } } } - out.VAPGenerationStatus = in.VAPGenerationStatus + if in.VAPGenerationStatus != nil { + in, out := &in.VAPGenerationStatus, &out.VAPGenerationStatus + *out = new(VAPGenerationStatus) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConstraintTemplatePodStatusStatus.
diff --git a/pkg/controller/constraint/constraint_controller.go b/pkg/controller/constraint/constraint_controller.go
index ee683a4baf6..4b1fa156455 100644
--- a/pkg/controller/constraint/constraint_controller.go
+++ b/pkg/controller/constraint/constraint_controller.go
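Review bot: Turning `VAPGenerationStatus` into a pointer in `ConstraintTemplatePodStatusStatus` (constrainttemplatepodstatus_types.go) means every reader must nil-check before touching `.State`, `.Warning` or `.ObservedGeneration`. The controller and test hunks in this commit do so, but any other consumer of the pod status is not visible here and should be checked for a nil dereference. The field also carries no comment saying what nil means; suggest adding above it `// VAPGenerationStatus is nil when no ValidatingAdmissionPolicy has been generated for the template.` The struct begins before the hunk.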
@@ -493,21 +493,6 @@ func (r *ReconcileConstraint) manageVAPB(ctx context.Context, enforcementAction return noDelay, err } - vapEnforcementPointStatus := constraintstatusv1beta1.EnforcementPointStatus{EnforcementPoint: util.VAPEnforcementPoint, State: ErrGenerateVAPBState, ObservedGeneration: instance.GetGeneration()} - vapEnforcementPointStatusIndex := -1 - - for i, ep := range status.Status.EnforcementPointsStatus { - if ep.EnforcementPoint == util.VAPEnforcementPoint { - status.Status.EnforcementPointsStatus[i] = vapEnforcementPointStatus - vapEnforcementPointStatusIndex = i - break - } - } - if vapEnforcementPointStatusIndex == -1 { - status.Status.EnforcementPointsStatus = append(status.Status.EnforcementPointsStatus, vapEnforcementPointStatus) - vapEnforcementPointStatusIndex = len(status.Status.EnforcementPointsStatus) - 1 - } - - shouldGenerateVAPB, VAPEnforcementActions, err := shouldGenerateVAPB(*DefaultGenerateVAPB, enforcementAction, instance) if err != nil { log.Error(err, "could not determine if ValidatingAdmissionPolicyBinding should be generated")
@@ -531,7 +516,7 @@ func (r *ReconcileConstraint) manageVAPB(ctx context.Context, enforcementAction
 hasVAP, err := ShouldGenerateVAP(unversionedCT)
 switch {
 case errors.Is(err, celSchema.ErrCELEngineMissing):
- status.Status.EnforcementPointsStatus[vapEnforcementPointStatusIndex].Message = err.Error()
+ updateEnforcementPointStatus(status, util.VAPEnforcementPoint, ErrGenerateVAPBState, err.Error(), instance.GetGeneration())
 shouldGenerateVAPB = false
 case err != nil:
 log.Error(err, "could not determine if ConstraintTemplate is configured to generate ValidatingAdmissionPolicy", "constraint", instance.GetName(), "constraint_template", unversionedCT.GetName())
@@ -555,8 +540,7 @@ func (r *ReconcileConstraint) manageVAPB(ctx context.Context, enforcementAction
 }
 if t.After(time.Now()) {
 wait := time.Until(t)
- status.Status.EnforcementPointsStatus[vapEnforcementPointStatusIndex].State = WaitVAPBState
- status.Status.EnforcementPointsStatus[vapEnforcementPointStatusIndex].Message = fmt.Sprintf("waiting for %s before generating ValidatingAdmissionPolicyBinding to make sure api-server has cached constraint CRD", wait)
+ updateEnforcementPointStatus(status, util.VAPEnforcementPoint, WaitVAPBState, fmt.Sprintf("waiting for %s before generating ValidatingAdmissionPolicyBinding to make sure api-server has cached constraint CRD", wait), instance.GetGeneration())
 return wait, r.writer.Update(ctx, status)
 }
 }
@@ -603,8 +587,7 @@ func (r *ReconcileConstraint) manageVAPB(ctx context.Context, enforcementAction
 return noDelay, r.reportErrorOnConstraintStatus(ctx, status, err, fmt.Sprintf("could not update ValidatingAdmissionPolicyBinding: %s", vapBindingName))
 }
 }
- status.Status.EnforcementPointsStatus[vapEnforcementPointStatusIndex].State = GeneratedVAPBState
- status.Status.EnforcementPointsStatus[vapEnforcementPointStatusIndex].Message = ""
+ updateEnforcementPointStatus(status, util.VAPEnforcementPoint, GeneratedVAPBState, "", instance.GetGeneration())
 }
 // do not generate vapbinding resources
 // remove if exists
@@ -626,8 +609,7 @@ func (r *ReconcileConstraint) manageVAPB(ctx context.Context, enforcementAction
 if err := r.writer.Delete(ctx, currentVapBinding); err != nil {
 return noDelay, r.reportErrorOnConstraintStatus(ctx, status, err, fmt.Sprintf("could not delete ValidatingAdmissionPolicyBinding: %s", vapBindingName))
 }
- status.Status.EnforcementPointsStatus[vapEnforcementPointStatusIndex].State = DeletedVAPBState
- status.Status.EnforcementPointsStatus[vapEnforcementPointStatusIndex].Message = ""
+ cleanEnforcementPointStatus(status, util.VAPEnforcementPoint)
 }
 }
 return noDelay, r.writer.Update(ctx, status)
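Review bot: In the @@ -603 hunk, the `could not update ValidatingAdmissionPolicyBinding` error return above the new `updateEnforcementPointStatus(..., GeneratedVAPBState, ...)` call now leaves the VAP entry in `status.Status.EnforcementPointsStatus` as the previous reconcile wrote it, because the block that pre-set it to `ErrGenerateVAPBState` at the top of manageVAPB was removed. A constraint whose binding failed to update can therefore keep reporting the generated state with an old `ObservedGeneration`, which misleads anyone who reads the status to confirm the policy is enforced. Unless `reportErrorOnConstraintStatus` (not shown) rewrites that entry, record the failure before returning with `updateEnforcementPointStatus(status, util.VAPEnforcementPoint, ErrGenerateVAPBState, err.Error(), instance.GetGeneration())`. The same applies to the delete-failure return in the @@ -626 hunk and to the `case err != nil` branch in the @@ -531 hunk. manageVAPB starts and ends outside these hunks.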
@@ -752,3 +734,23 @@ func v1beta1ToV1(v1beta1Obj *admissionregistrationv1beta1.ValidatingAdmissionPol
 return obj, nil
 }
+
+func updateEnforcementPointStatus(status *constraintstatusv1beta1.ConstraintPodStatus, enforcementPoint string, state string, message string, observedGeneration int64) {
+ vapEnforcementPointStatus := constraintstatusv1beta1.EnforcementPointStatus{EnforcementPoint: enforcementPoint, State: state, ObservedGeneration: observedGeneration, Message: message}
+ for i, ep := range status.Status.EnforcementPointsStatus {
+ if ep.EnforcementPoint == enforcementPoint {
+ status.Status.EnforcementPointsStatus[i] = vapEnforcementPointStatus
+ return
+ }
+ }
+ status.Status.EnforcementPointsStatus = append(status.Status.EnforcementPointsStatus, vapEnforcementPointStatus)
+}
+
+func cleanEnforcementPointStatus(status *constraintstatusv1beta1.ConstraintPodStatus, enforcementPoint string) {
+ for i, ep := range status.Status.EnforcementPointsStatus {
+ if ep.EnforcementPoint == enforcementPoint {
+ status.Status.EnforcementPointsStatus = append(status.Status.EnforcementPointsStatus[:i], status.Status.EnforcementPointsStatus[i+1:]...)
+ return
+ }
+ }
+}
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller.go b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
index ae703e31a0a..d4b4e885b92 100644
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller.go
+++ b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
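Review bot: `cleanEnforcementPointStatus` removes the entry with `append(s[:i], s[i+1:]...)`, which shifts the remaining elements inside the existing backing array, so any other slice that still refers to that array would see the shifted contents. Whether such an alias exists cannot be told from this hunk; building a new slice would rule it out. Neither helper has a doc comment, and the local `vapEnforcementPointStatus` in `updateEnforcementPointStatus` has a VAP-specific name although the helper accepts any enforcement point (`entry` would fit). Suggested comments: `// updateEnforcementPointStatus replaces the entry for enforcementPoint, or appends one if none exists.` and `// cleanEnforcementPointStatus removes the entry for enforcementPoint, if present.`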
@@ -445,9 +445,7 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
 logger.Error(err, "generateVap error")
 if generateVap {
 generateVap = false
- status.Status.VAPGenerationStatus.State = ErrGenerateVAPState
- status.Status.VAPGenerationStatus.ObservedGeneration = ct.GetGeneration()
- status.Status.VAPGenerationStatus.Warning = fmt.Sprintf("ValidatingAdmissionPolicy is not generated: %s", err.Error())
+ status.Status.VAPGenerationStatus = &statusv1beta1.VAPGenerationStatus{State: ErrGenerateVAPState, ObservedGeneration: ct.GetGeneration(), Warning: fmt.Sprintf("ValidatingAdmissionPolicy is not generated: %s", err.Error())}
 }
 }
@@ -857,9 +855,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 return err
 }
 }
- status.Status.VAPGenerationStatus.State = GeneratedVAPState
- status.Status.VAPGenerationStatus.ObservedGeneration = ct.GetGeneration()
- status.Status.VAPGenerationStatus.Warning = ""
+ status.Status.VAPGenerationStatus = &statusv1beta1.VAPGenerationStatus{State: GeneratedVAPState, ObservedGeneration: ct.GetGeneration(), Warning: ""}
 }
 // do not generate VAP resources
 // remove if exists
@@ -884,9 +880,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not delete VAP object", status, err)
 return err
 }
- status.Status.VAPGenerationStatus.State = DeletedVAPState
- status.Status.VAPGenerationStatus.ObservedGeneration = ct.GetGeneration()
- status.Status.VAPGenerationStatus.Warning = ""
+ status.Status.VAPGenerationStatus = nil
 // after VAP is deleted, trigger update event for all constraints
 if err := r.triggerConstraintEvents(ctx, ct, status); err != nil {
 return err
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
index 98f8b155740..de40949602c 100644
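Review bot: In the @@ -884 hunk of manageVAP, `status.Status.VAPGenerationStatus = nil` drops the `ObservedGeneration` that the removed lines recorded after a delete. A reader of the pod status can then no longer tell from this field whether the deletion was processed for the current template generation or whether VAP generation was never attempted. `DeletedVAPState` is no longer assigned in any visible hunk; if nothing else references it, the constant can be removed. A short comment above the assignment, such as `// nil: no ValidatingAdmissionPolicy exists for this template, so the field is omitted from the status`, would make the intent explicit. manageVAP starts and ends outside the hunk.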
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
+++ b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
@@ -413,7 +413,7 @@ func TestReconcile(t *testing.T) {
 return err
 }
- if statusObj.Status.VAPGenerationStatus.Warning == "" {
+ if statusObj.Status.VAPGenerationStatus == nil || statusObj.Status.VAPGenerationStatus.Warning == "" {
 return fmt.Errorf("expected warning message")
 }
 return nil
@@ -556,7 +556,7 @@ func TestReconcile(t *testing.T) {
 return err
 }
- if statusObj.Status.VAPGenerationStatus.State != GeneratedVAPState {
+ if statusObj.Status.VAPGenerationStatus == nil || statusObj.Status.VAPGenerationStatus.State != GeneratedVAPState {
 return fmt.Errorf("Expected VAP generation status state to be %s", GeneratedVAPState)
 }
 return nil
@@ -943,7 +943,7 @@ func TestReconcile(t *testing.T) {
 return err
 }
- if statusObj.Status.VAPGenerationStatus.State != GeneratedVAPState {
+ if statusObj.Status.VAPGenerationStatus == nil || statusObj.Status.VAPGenerationStatus.State != GeneratedVAPState {
 return fmt.Errorf("Expected VAP generation status state to be %s", GeneratedVAPState)
 }