chore: adding enforcement point status, vapgeneratestatus

[JaydipGabani]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #3682

Special notes for your reviewer:

[JaydipGabani]

I can remove this if we do not want status on CT for generation updates. Lmk your thoughts.

[maxsmythe]

I think it makes sense to report status for CT objects... they do map directly to a VAP object.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 1.47059% with 67 lines in your changes missing coverage. Please review.
✅ Project coverage is 47.56%. Comparing base (3350319) to head (45a53f7).
⚠️ Report is 655 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/controller/constraint/constraint_controller.go	0.00%	35 Missing ⚠️
apis/status/v1beta1/zz_generated.deepcopy.go	0.00%	28 Missing ⚠️
...onstrainttemplate/constrainttemplate_controller.go	25.00%	2 Missing and 1 partial ⚠️
pkg/drivers/k8scel/schema/schema.go	0.00%	1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (45a53f7). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (3350319)	HEAD (45a53f7)
unittests	2	1

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3686      +/-   ##
==========================================
- Coverage   54.49%   47.56%   -6.94%     
==========================================
  Files         134      236     +102     
  Lines       12329    19896    +7567     
==========================================
+ Hits         6719     9464    +2745     
- Misses       5116     9539    +4423     
- Partials      494      893     +399     

Flag	Coverage Δ
unittests	47.56% <1.47%> (-6.94%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sozercan]

LGTM

[maxsmythe]

I think it was a mistake to have an enforced boolean state with constraints. And with VAP, we cannot make guarantees as to whether they are enforced b/c there is no status reporting, so we cannot know if the VAP object has been ingested or whether there are any errors. Maybe we want something like a string field called Status?

There we can put a string like "GENERATED", "ERROR", etc.

Of course, if we call it "status", we should rename the parent field to avoid stutter.

[JaydipGabani]

how about code - generated/error/...?

[maxsmythe]

"code" seems a bit ambiguous given we are also dealing with "code" in the sense of CEL code.

"state"?

[JaydipGabani]

I like state, updated the name to state.

[maxsmythe]

I think it makes sense to report status for CT objects... they do map directly to a VAP object.

[maxsmythe]

Will this have the effect of wiping out previously reported status? Should we preserve the original VAP status unless there is a failure related to VAP generation?

Of course, if we do that, VAP status should probably have it's own observedGeneration field, since it's possible that VAP status corresponds to an older object than the rest of the status.

The other option is to keep the current behavior, which wipes status on every update.

[JaydipGabani]

Added obeservedGeneration for each enforcement point status.

[maxsmythe]

Same comment about bool field vs. string field.

[JaydipGabani]

Updated to string field.

[maxsmythe]

This appears to have the same problem of wiping the generation status that constraints had.

[JaydipGabani]

Fixed it. PTAL @maxsmythe

[maxsmythe]

by Golang convention, generateVap would be false if ShouldGenerateVAP returns an error. We should probably report the error regardless.

[JaydipGabani]

This would mean all rego templates will have this status message regarldess of if there is intention of VAP generation or not. When should we report this error?

• all the time, regardless of indication of VAP generation for CT?
• Or only when VAP is supposed to be generated but is not being generated?

I agree that we will be reporting this error for all rego CT when we go to beta.

[maxsmythe]

It sounds like ShouldGenerateVAP should be implemented differently then?

If we are struggling to implement the behaviors we want, that's a sign we should rethink primitives, not double-down on pre-existing shapes as if they were carved in stone, adding edge cases and complexity along the way.

It seems like ShouldGenerateVAP() should return (false, nil) if we get ErrCodeNotDefined:

gatekeeper/pkg/drivers/k8scel/schema/schema.go

Line 291 in 3555a65

return nil, ErrCodeNotDefined

[maxsmythe]

That would handle templates where VAP generation is not expected, like for Rego.

[JaydipGabani]

Updated shouldGenerateVAP to return false. Still returning ErrCodeNotDefined as it is needed for constraints to report respective status.

@ritazh @sozercan PTAL.

[maxsmythe]

We probably shouldn't have a "deleted" state, since that's more imperative than declarative. We could have a "NotGenerated" state, or similar. But if we do that, we should use it consistently (i.e. any time VAP objects are not generated)

[JaydipGabani]

Removed "delete" state

[maxsmythe]

LGTM once we fix the edge case of CTs without CEL code

[maxsmythe]

LGTM

[ritazh]

do we still need this

[JaydipGabani]

Nope! Good catch, removed it.

[ritazh]

enforcementPoint can be more than just vap enforcement point right? this var name vapEnforcementPointStatus makes it look like its just for the vap EP.

[JaydipGabani]

updated the variable to make it generic.

[ritazh]

LGTM