From 1d2f1185611a822792f8b655e73e5edbccf454de Mon Sep 17 00:00:00 2001
From: Gus Parvin
Date: Thu, 25 Apr 2024 07:41:11 -0400
Subject: [PATCH] Create a policy to automatically import discovered ROSA clusters

This policy monitors DiscoveredCluster resources for ROSA clusters and configures matching discovered clusters to be automatically imported. Status is shown for any that have been configured to be automatically imported. Filtering by the discovered cluster display name can be updated in the policy by editing the ConfigMap.

Refs:
- https://issues.redhat.com/browse/ACM-10304

Signed-off-by: Gus Parvin
(cherry picked from commit f3de3d9b30a203189cb369fed998b5e488b666a3)
---
.../policy-rosa-autoimport.yaml | 101 ++++++++++++++++++
community/README.md | 1 +
2 files changed, 102 insertions(+)
create mode 100644 community/CM-Configuration-Management/policy-rosa-autoimport.yaml

diff --git a/community/CM-Configuration-Management/policy-rosa-autoimport.yaml b/community/CM-Configuration-Management/policy-rosa-autoimport.yaml
new file mode 100644
index 00000000..25476cb5
--- /dev/null
+++ b/community/CM-Configuration-Management/policy-rosa-autoimport.yaml
@@ -0,0 +1,101 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ name: policy-rosa-autoimport
+ annotations:
+ policy.open-cluster-management.io/standards: NIST SP 800-53
+ policy.open-cluster-management.io/categories: CM Configuration Management
+ policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+ policy.open-cluster-management.io/description: Discovered clusters that are of
+ type ROSA can be automatically imported into ACM as managed clusters. This
+ policy helps you select those managed clusters and configure them so the import
+ will happen. If you do not want all of your ROSA clusters to be automatically
+ imported, you can configure filters or add an annotation.
+spec:
+ remediationAction: inform
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: policy-rosa-autoimport
+ spec:
+ remediationAction: inform
+ severity: low
+ object-templates-raw: |
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: discovery-config
+ namespace: open-cluster-management-global-set
+ data:
+ rosa-filter: ""
+ {{- /* find the ROSA DiscoveredClusters */ -}}
+ {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
+ {{- /* Check for the flag that indicates the import should be skipped */ -}}
+ {{- $skip := "false" -}}
+ {{- range $key, $value := $dc.metadata.annotations }}
+ {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
+ (eq $value "true") }}
+ {{- $skip = "true" }}
+ {{- end }}
+ {{- end }}
+ {{- /* if the type is ROSA and the status is Active */ -}}
+ {{- if and (eq $dc.spec.status "Active")
+ (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
+ (eq $dc.spec.type "ROSA")
+ (eq $skip "false") }}
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: discovery.open-cluster-management.io/v1
+ kind: DiscoveredCluster
+ metadata:
+ name: {{ $dc.metadata.name }}
+ namespace: {{ $dc.metadata.namespace }}
+ spec:
+ importAsManagedCluster: true
+ {{- end }}
+ {{- end }}
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: policy-rosa-managedcluster-status
+ spec:
+ remediationAction: inform
+ severity: low
+ object-templates-raw: |
+ {{- /* Use the same DiscoveredCluster list to check ManagedCluster status */ -}}
+ {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
+ {{- /* Check for the flag that indicates the import should be skipped */ -}}
+ {{- $skip := "false" -}}
+ {{- range $key, $value := $dc.metadata.annotations }}
+ {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
+ (eq $value "true") }}
+ {{- $skip = "true" }}
+ {{- end }}
+ {{- end }}
+ {{- /* if the type is ROSA and the status is Active */ -}}
+ {{- if and (eq $dc.spec.status "Active")
+ (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
+ (eq $dc.spec.type "ROSA")
+ (eq $skip "false") }}
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: cluster.open-cluster-management.io/v1
+ kind: ManagedCluster
+ metadata:
+ name: {{ $dc.spec.displayName }}
+ namespace: {{ $dc.spec.displayName }}
+ annotations:
+ cluster.open-cluster-management.io/clusterset: default
+ status:
+ conditions:
+ - type: ManagedClusterAvailable
+ status: "True"
+ {{- end }}
+ {{- end }}
+
diff --git a/community/README.md b/community/README.md
index 5c17067f..99d9ac91 100644
--- a/community/README.md
+++ b/community/README.md
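Review bot: The templated scalars in both object templates — `name: {{ $dc.metadata.name }}` and `namespace: {{ $dc.metadata.namespace }}` in the DiscoveredCluster template, and `name: {{ $dc.spec.displayName }}` / `namespace: {{ $dc.spec.displayName }}` in the ManagedCluster template — are unquoted, so the rendered object-templates-raw block is only valid YAML if the substituted value happens to parse as a plain string. The displayName is read from the DiscoveredCluster resource rather than written by the policy author, so a value that is empty, looks like a number or date, or contains `: ` or ` #` would change the field's type or break parsing, and one such discovered cluster would likely turn the whole template into a resolution error rather than a single skipped entry. Quoting the substitutions, e.g. `name: '{{ $dc.spec.displayName }}'` and `namespace: '{{ $dc.spec.displayName }}'`, keeps them strings regardless of content. The comment `{{- /* if the type is ROSA and the status is Active */ -}}` (present in both templates) understates the condition; it should also name the rosa-filter substring match and the previously-auto-imported skip flag, since those are the two documented ways to opt a cluster out of import. Separately, the first template reads `discovery-config` via fromConfigMap in the same evaluation that declares that ConfigMap as musthave, so until the ConfigMap exists the lookup presumably fails template resolution — worth confirming against the resolver's behaviour for a missing ConfigMap and documenting the expected first-run result.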
@@ -181,6 +181,7 @@ Policy | Description | Prerequisites
 [Policy to install and configure OADP operator for stateful application backup](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-install.yaml) | First of 3 policies, used to backup or restore stateful applications on managed clusters. Used to install OADP on managed clusters and configure the connection to the storage location and installed on both backup and restore operations. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
 [Policy to backup a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml) | Second of 3 policies, used to backup stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
 [Policy to restore a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-restore.yaml) | Last of 3 policies, used to restore stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
+[Policy to automatically import ROSA clusters](./CM-Configuration-Management/policy-rosa-autoimport.yaml) | Use this policy to automatically import discovered ROSA clusters as a managed cluster. | By default this policy will configure ROSA discovered clusters to be automatically imported as a managed cluster. Edit the ConfigMap to adjust the discovered cluster filter. Edit the managed cluster resource to change the default ManagedClusterSet the mananged cluster is added to.
 ### Contingency Planning