From 095e8cf45a1ae6803ef27ec4bc272e88d282350d Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Thu, 28 Nov 2024 00:00:01 +0000
Subject: [PATCH 1/7] removing wait of vapb deletion
Signed-off-by: Jaydip Gabani
---
 test/bats/helpers.bash | 15 ---------------
 test/bats/test.bats | 4 ----
 2 files changed, 19 deletions(-)
diff --git a/test/bats/helpers.bash b/test/bats/helpers.bash
index 9f94907ba4f..e2acb9e1205 100644
--- a/test/bats/helpers.bash
+++ b/test/bats/helpers.bash
@@ -73,21 +73,6 @@ wait_for_process() {
 return 1
 }
-wait_for_error() {
- wait_time="$1"
- sleep_time="$2"
- cmd="$3"
- while [ "$wait_time" -gt 0 ]; do
- if eval "$cmd"; then
- sleep "$sleep_time"
- wait_time=$((wait_time - sleep_time))
- else
- return 0
- fi
- done
- return 1
-}
-
 get_ca_cert() {
 destination="$1"
 if [ $(kubectl get secret -n ${GATEKEEPER_NAMESPACE} gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | wc -w) -eq 0 ]; then
diff --git a/test/bats/test.bats b/test/bats/test.bats
index ed5f388b8ee..e000324703c 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -97,10 +97,6 @@ teardown_file() {
 kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding all-must-have-label-scoped"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding all-must-have-label"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label-scoped"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"
 fi
 }
From 90d646c65db79aa5880111945e4d9ad402e2f765 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Thu, 28 Nov 2024 01:20:19 +0000
Subject: [PATCH 2/7] deleting vap on template deletion
Signed-off-by: Jaydip Gabani
---
 .../constrainttemplate_controller.go | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller.go b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
index ff69d8a972e..03ff303361d 100644
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller.go
+++ b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
@@ -310,6 +310,20 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
 logAction(ct, deletedAction)
 r.metrics.registry.remove(request.NamespacedName)
 }
+ isAPIEnabled, groupVersion := transform.IsVapAPIEnabled(&logger)
+ if isAPIEnabled {
+ currentVap, err := vapForVersion(groupVersion)
+ if err != nil {
+ return reconcile.Result{}, err
+ }
+ vapName := getVAPName(ctUnversioned.GetName())
+ currentVap.SetName(vapName)
+ if err := r.Delete(ctx, currentVap); err != nil {
+ if !apierrors.IsNotFound(err) {
+ return reconcile.Result{}, err
+ }
+ }
+ }
 }
 err = r.deleteAllStatus(ctx, request.Name)
 return result, err
@@ -648,6 +662,10 @@ func vapForVersion(gvk *schema.GroupVersion) (client.Object, error) {
 }
 }
+func getVAPName(constraintName string) string {
+ return fmt.Sprintf("gatekeeper-%s", constraintName)
+}
+
 func getRunTimeVAP(gvk *schema.GroupVersion, transformedVap *admissionregistrationv1beta1.ValidatingAdmissionPolicy, currentVap client.Object) (client.Object, error) {
 if currentVap == nil {
 if gvk.Version == "v1" {
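Review bot: The delete branch added to Reconcile removes the ValidatingAdmissionPolicy named by `getVAPName(ctUnversioned.GetName())` on the strength of the name alone, without confirming that the object is one this controller generated, so a policy that merely carries the `gatekeeper-` prefix would be removed together with the template and an admission check would disappear without any signal in the template's status. If manageVAP stamps the policies it creates with an owner reference or a label (that code is outside this hunk), a Get followed by a check of that marker before `r.Delete(ctx, currentVap)` restricts the deletion to Gatekeeper-owned objects, and an owner reference would also let garbage collection cover the ordinary case. The error handling on the Delete also tolerates only `apierrors.IsNotFound(err)`, whereas the Get calls in manageVAP additionally accept `meta.IsNoMatchError(err)` and the discovery error; if `transform.IsVapAPIEnabled` and the client's RESTMapper can disagree, a NoMatch here keeps a deleted template requeueing indefinitely, so `if !apierrors.IsNotFound(err) && !meta.IsNoMatchError(err) {` is the safer guard. Reconcile begins and ends outside the hunk, and `ctUnversioned` is presumably assigned above it next to the `ct` the context lines use.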
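Review bot: `getVAPName` is added without a doc comment and its parameter is called `constraintName`, yet every caller in this series passes a ConstraintTemplate name (`ctUnversioned.GetName()` in Reconcile, `unversionedCT.GetName()` twice in manageVAP), so the parameter name states the wrong contract. Suggest `func getVAPName(templateName string) string {` with `// getVAPName returns the name of the ValidatingAdmissionPolicy generated for the ConstraintTemplate templateName.` above it. The two manageVAP hunks that follow only swap `fmt.Sprintf("gatekeeper-%s", ...)` for this helper and need nothing further.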
@@ -806,7 +824,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with runtime group version", status, err)
 return err
 }
- vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
+ vapName := getVAPName(unversionedCT.GetName())
 logger.Info("check if VAP exists", "vapName", vapName)
 if err := r.Get(ctx, types.NamespacedName{Name: vapName}, currentVap); err != nil {
 if !apierrors.IsNotFound(err) && !errors.As(err, &discoveryErr) && !meta.IsNoMatchError(err) {
@@ -863,7 +881,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with correct group version", status, err)
 return err
 }
- vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
+ vapName := getVAPName(unversionedCT.GetName())
 logger.Info("check if VAP exists", "vapName", vapName)
 if err := r.Get(ctx, types.NamespacedName{Name: vapName}, currentVap); err != nil {
 if !apierrors.IsNotFound(err) && !errors.As(err, &discoveryErr) && !meta.IsNoMatchError(err) {
From 201cdfa7dd62087379a7d06215ba54ef67a92539 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Wed, 4 Dec 2024 01:51:41 +0000
Subject: [PATCH 3/7] updating vap tests
Signed-off-by: Jaydip Gabani
---
 test/bats/test.bats | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/test/bats/test.bats b/test/bats/test.bats
index e000324703c..8d546cc4555 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -61,10 +61,6 @@ teardown_file() {
 }
 @test "vap test" {
- minor_version=$(echo "$KUBERNETES_VERSION" | cut -d'.' -f2)
- if [ "$minor_version" -lt 28 ] || [ -z $ENABLE_VAP_TESTS ]; then
- skip "skipping vap tests"
- fi
 local api="$(kubectl api-resources | grep validatingadmission)"
 if [[ -z "$api" ]]; then
 echo "vap is not enabled for the cluster. skip vap test"
@@ -97,6 +93,7 @@ teardown_file() {
 kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
+ kubectl get validatingadmissionpolicybinding gatekeeper-all-must-have-label-scoped || kubectl get validatingadmissionpolicybinding gatekeeper-all-must-have-label
 fi
 }
From 26b45a45e25af865a609965914d23e66025a4541 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Wed, 4 Dec 2024 01:59:52 +0000
Subject: [PATCH 4/7] waiting at the end of vap tests
Signed-off-by: Jaydip Gabani
---
 test/bats/test.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/bats/test.bats b/test/bats/test.bats
index 8d546cc4555..1127350a2e0 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -93,7 +93,7 @@ teardown_file() {
 kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
- kubectl get validatingadmissionpolicybinding gatekeeper-all-must-have-label-scoped || kubectl get validatingadmissionpolicybinding gatekeeper-all-must-have-label
+ wait 5
 fi
 }
From dc3c88fd24cc71ebb78ef66aa7f7623b8f180cdb Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Wed, 4 Dec 2024 02:08:22 +0000
Subject: [PATCH 5/7] waiting at the end of vap tests
Signed-off-by: Jaydip Gabani
---
 test/bats/test.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/bats/test.bats b/test/bats/test.bats
index 1127350a2e0..fb2dd3267c3 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -93,7 +93,7 @@ teardown_file() {
 kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
- wait 5
+ sleep 5
 fi
 }
From cafbb066c34c48af99353de33b7a563d83a44b8c Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Wed, 4 Dec 2024 19:30:52 +0000
Subject: [PATCH 6/7] fixing nit
Signed-off-by: Jaydip Gabani
---
 test/bats/test.bats | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/bats/test.bats b/test/bats/test.bats
index fb2dd3267c3..9cfb9916786 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -93,6 +93,7 @@ teardown_file() {
 kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
+ # wait for k8s to register deletion with eventual consistency
 sleep 5
 fi
 }
From c7043a610adc0b171724eda39d771970c1e21767 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Wed, 4 Dec 2024 19:42:12 +0000
Subject: [PATCH 7/7] fixing test
Signed-off-by: Jaydip Gabani
---
 test/bats/test.bats | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/test/bats/test.bats b/test/bats/test.bats
index 9cfb9916786..708b0dacaeb 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -61,6 +61,9 @@ teardown_file() {
 }
 @test "vap test" {
+ if [ -z $ENABLE_VAP_TESTS ]; then
+ skip "skipping vap tests"
+ fi
 local api="$(kubectl api-resources | grep validatingadmission)"
 if [[ -z "$api" ]]; then
 echo "vap is not enabled for the cluster. skip vap test"
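Review bot: `sleep 5` stands in for the polling that the first patch removed (`wait_for_error` on each `ValidatingAdmissionPolicyBinding`), so the teardown now assumes the controller finishes deleting inside a fixed window instead of observing that it did; on a slow cluster the next test file can start with the bindings still present and the failure will be hard to attribute back to this line. A bounded poll on the negated condition preserves the intent that the comment added in the next patch describes while still failing loudly when the deletion stalls, for example `wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "! kubectl get validatingadmissionpolicybinding gatekeeper-all-must-have-label"`, provided `wait_for_process` evaluates its command string the way the removed helper did (only its trailing `return 1` is visible on this page). The enclosing `vap test` block starts outside the hunk.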
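Review bot: The re-added guard `if [ -z $ENABLE_VAP_TESTS ]; then` leaves the variable unquoted; with `[`, an empty value collapses to `[ -z ]`, which happens to evaluate true, but a value containing whitespace becomes a syntax error instead of a skip. Quote it: `if [ -z "$ENABLE_VAP_TESTS" ]; then`. The `minor_version ... -lt 28` gate that patch 3 removed is not restored, so on clusters older than 1.28 the test now relies solely on the `kubectl api-resources | grep validatingadmission` check below it to skip; if that is the intent, a one-line comment saying so would spare the next reader the archaeology. The `vap test` block continues outside the hunk.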