Set sync setting in config automatically

Signed-off-by: Yi Rae Kim <[email protected]>

.github/workflows/ci_tests.yaml

@@ -81,11 +81,10 @@ jobs:
 
     - name: E2E Tests
       run: |
-        make deploy-ci NAMESPACE=mygatekeeper IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA
-        kubectl -n mygatekeeper wait deployment/gatekeeper-operator-controller --for condition=Available --timeout=90s
-        kubectl -n mygatekeeper logs deployment/gatekeeper-operator-controller -c manager -f > operator.log &
-        make test-e2e NAMESPACE=mygatekeeper
-        kubectl delete --wait namespace mygatekeeper
+        make deploy-ci NAMESPACE=gatekeeper-system IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA
+        kubectl -n gatekeeper-system wait deployment/gatekeeper-operator-controller --for condition=Available --timeout=90s
+        kubectl -n gatekeeper-system logs deployment/gatekeeper-operator-controller -c manager -f > operator.log &
+        make test-e2e NAMESPACE=gatekeeper-system
 
     - name: Debug
       if: ${{ failure() }}

.gitignore

@@ -19,3 +19,5 @@ testbin/*
 !vendor/**/zz_generated.*
 
 ci-tools/
+
+.vscode/*

Makefile

@@ -146,11 +146,11 @@ tidy: ## Run go mod tidy
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" GOFLAGS=$(GOFLAGS) go test ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" GOFLAGS=$(GOFLAGS) go test $(go list ./... | grep -v /test/) -coverprofile cover.out
 
 .PHONY: test-e2e
 test-e2e: e2e-dependencies generate fmt vet ## Run e2e tests, using the configured Kubernetes cluster in ~/.kube/config
-	GOFLAGS=$(GOFLAGS) USE_EXISTING_CLUSTER=true $(GINKGO) -v --trace --fail-fast --label-filter="$(LABEL_FILTER)" ./test/e2e -- --namespace="$(NAMESPACE)" --timeout="5m" --delete-timeout="10m"
+	GOFLAGS=$(GOFLAGS) USE_EXISTING_CLUSTER=true $(GINKGO) -v --trace --fail-fast ./test/e2e -- --namespace="$(NAMESPACE)" --timeout="5m" --delete-timeout="10m"
 
 .PHONY: test-cluster
 test-cluster: ## Create a local kind cluster with a registry for testing
@@ -182,7 +182,14 @@ download-binaries: kustomize go-bindata envtest controller-gen
 		rm -rf bats-core-${BATS_VERSION} v${BATS_VERSION}.tar.gz; \
 	fi
 
-##@ Build
+.PHONY: kind-bootstrap-cluster
+kind-bootstrap-cluster: test-cluster install dev-build
+	kubectl label ns $(NAMESPACE)  --overwrite pod-security.kubernetes.io/audit=privileged
+	kubectl label ns $(NAMESPACE)  --overwrite pod-security.kubernetes.io/enforce=privileged
+	kubectl label ns $(NAMESPACE)  --overwrite pod-security.kubernetes.io/warn=privileged
+	kind load docker-image $(IMG)
+	$(MAKE) deploy-ci NAMESPACE=$(NAMESPACE) IMG=$(IMG)
+	kubectl -n $(NAMESPACE) wait deployment/gatekeeper-operator-controller --for condition=Available --timeout=90s
 
 .PHONY: build
 build: generate fmt vet ## Build manager binary.

api/v1alpha1/gatekeeper_types.go

@@ -92,6 +92,8 @@ type AuditConfig struct {
 	// +optional
 	ConstraintViolationLimit *uint64 `json:"constraintViolationLimit,omitempty"`
 	// +optional
+	// Setting Automatic lets the Gatekeeper operator manage syncOnly in the config resource.
+	// It is not recommended to use Automatic when using referential constraints since those are not detected.
 	AuditFromCache *AuditFromCacheMode `json:"auditFromCache,omitempty"`
 	// +kubebuilder:validation:Minimum:=0
 	// +optional
@@ -140,12 +142,13 @@ const (
 	LogLevelError   LogLevelMode = "ERROR"
 )
 
-// +kubebuilder:validation:Enum:=Enabled;Disabled
+// +kubebuilder:validation:Enum:=Enabled;Disabled;Automatic
 type AuditFromCacheMode string
 
 const (
-	AuditFromCacheEnabled  AuditFromCacheMode = "Enabled"
-	AuditFromCacheDisabled AuditFromCacheMode = "Disabled"
+	AuditFromCacheEnabled   AuditFromCacheMode = "Enabled"
+	AuditFromCacheDisabled  AuditFromCacheMode = "Disabled"
+	AuditFromCacheAutomatic AuditFromCacheMode = "Automatic"
 )
 
 // +kubebuilder:validation:Enum:=Enabled;Disabled

bundle/manifests/operator.gatekeeper.sh_gatekeepers.yaml

@@ -864,9 +864,14 @@ spec:
                     minimum: 0
                     type: integer
                   auditFromCache:
+                    description: Setting Automatic lets the Gatekeeper operator manage
+                      syncOnly in the config resource. It is not recommended to use
+                      Automatic when using referential constraints since those are
+                      not detected.
                     enum:
                     - Enabled
                     - Disabled
+                    - Automatic
                     type: string
                   auditInterval:
                     type: string

config/crd/bases/operator.gatekeeper.sh_gatekeepers.yaml

@@ -864,9 +864,14 @@ spec:
                     minimum: 0
                     type: integer
                   auditFromCache:
+                    description: Setting Automatic lets the Gatekeeper operator manage
+                      syncOnly in the config resource. It is not recommended to use
+                      Automatic when using referential constraints since those are
+                      not detected.
                     enum:
                     - Enabled
                     - Disabled
+                    - Automatic
                     type: string
                   auditInterval:
                     type: string

controllers/constraintstatus_controller.go

@@ -0,0 +1,259 @@
+package controllers
+
+import (
+	"context"
+	"reflect"
+	"sort"
+	"time"
+
+	operatorv1alpha1 "github.com/gatekeeper/gatekeeper-operator/api/v1alpha1"
+	"github.com/go-logr/logr"
+	"github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1"
+	"github.com/open-policy-agent/gatekeeper/v3/apis/status/v1beta1"
+	"github.com/pkg/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/utils/strings/slices"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+var ControllerName = "constraintstatus_reconciler"
+
+type ConstraintPodStatusReconciler struct {
+	client.Client
+	Scheme        *runtime.Scheme
+	Log           logr.Logger
+	DynamicClient *dynamic.DynamicClient
+	Namespace     string
+	// This includes api-resources list and it finds a missing version of resources.
+	DiscoveryStorage *DiscoveryStorage
+	// key = constraintPodName
+	ConstraintToSyncOnly map[string][]v1alpha1.SyncOnlyEntry
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *ConstraintPodStatusReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		WithOptions(controller.Options{MaxConcurrentReconciles: int(1)}).
+		Named(ControllerName).
+		For(&v1beta1.ConstraintPodStatus{},
+			builder.WithPredicates(predicate.Funcs{
+				// Execute this reconcile func when it is audit-constraintStatuspod
+				// because a constraint creates 4 constraintPodstatus
+				CreateFunc: func(e event.CreateEvent) bool {
+					obj := e.Object.(*v1beta1.ConstraintPodStatus)
+
+					return slices.Contains(obj.Status.Operations, "audit")
+				},
+				UpdateFunc: func(e event.UpdateEvent) bool {
+					oldObj := e.ObjectOld.(*v1beta1.ConstraintPodStatus)
+					newObj := e.ObjectNew.(*v1beta1.ConstraintPodStatus)
+
+					return slices.Contains(newObj.Status.Operations, "audit") &&
+						// Update when the constraint is refreshed
+						oldObj.Status.ObservedGeneration != newObj.Status.ObservedGeneration
+				},
+				DeleteFunc: func(e event.DeleteEvent) bool {
+					obj := e.Object.(*v1beta1.ConstraintPodStatus)
+
+					return slices.Contains(obj.Status.Operations, "audit")
+				},
+			},
+			)).
+		Complete(r)
+}
+
+// When spec.audit.auditFromCache is set to Automatic,
+// Reconcile analyzes the constraint associated with the ConstraintPodStatus reconcile request.
+// The kinds used in the constraint's match configuration is used to configure the syncOnly option.
+func (r *ConstraintPodStatusReconciler) Reconcile(ctx context.Context,
+	request reconcile.Request,
+) (reconcile.Result, error) {
+	log := r.Log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+	log.Info("Reconciling ConstraintPodStatus and Config")
+	// This is used for RequeueAfter
+	var requeueTime time.Duration
+
+	gatekeeper := &operatorv1alpha1.Gatekeeper{}
+	// Get gatekeeper resource
+	err := r.Get(ctx, types.NamespacedName{
+		Namespace: "",
+		Name:      "gatekeeper",
+	}, gatekeeper)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			log.Error(err, "Gatekeeper resource is not found")
+
+			return reconcile.Result{}, nil
+		}
+
+		return reconcile.Result{}, err
+	}
+
+	// Get config or create if not exist
+	config := &v1alpha1.Config{}
+	err = r.Get(ctx, types.NamespacedName{
+		Namespace: r.Namespace,
+		Name:      "config",
+	}, config)
+
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			config = &v1alpha1.Config{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "config",
+					Namespace: r.Namespace,
+				},
+			}
+
+			createErr := r.Create(ctx, config)
+			if createErr != nil {
+				log.Error(err, "Fail to create the Gatekeeper Config object, will retry.")
+
+				return reconcile.Result{}, createErr
+			}
+
+			log.Info("The Gatekeeper Config object was created")
+		} else {
+			return reconcile.Result{}, err
+		}
+	}
+
+	constraintPodStatus := &v1beta1.ConstraintPodStatus{}
+
+	err = r.Get(ctx, request.NamespacedName, constraintPodStatus)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			log.V(1).Info("Cannot find the ConstraintPodStatus")
+
+			err = r.handleDeleteEvent(ctx, request.Name, config)
+			if err != nil {
+				return reconcile.Result{}, err
+			}
+
+			return reconcile.Result{}, nil
+		}
+		// Requeue
+		return reconcile.Result{}, err
+	}
+
+	constraint, constraintName, err := getConstraint(ctx, *constraintPodStatus, r.DynamicClient)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			r.Log.Info("The Constraint was not found", "constraintName:", constraintName)
+
+			return reconcile.Result{}, nil
+		}
+
+		return reconcile.Result{}, err
+	}
+
+	constraintMatchKinds, _, err := unstructured.NestedSlice(constraint.Object, "spec", "match", "kinds")
+	if err != nil {
+		r.Log.V(1).Info("There are no provided kinds in the Constraint", "constraintName:", constraintName)
+
+		err = r.handleDeleteEvent(ctx, request.Name, config)
+		if err != nil {
+			return reconcile.Result{}, err
+		}
+
+		return reconcile.Result{}, nil
+	}
+
+	constraintSyncOnlyEntries, err := r.DiscoveryStorage.getSyncOnlys(constraintMatchKinds)
+	if err != nil {
+		if errors.Is(err, ErrNotFoundDiscovery) {
+			r.Log.V(1).Info("Cannot find matched discovery. Requeue after 10 secs")
+
+			requeueTime = time.Second * 10
+		} else {
+			log.Error(err, "Error to get matching kind and apigroup")
+
+			return reconcile.Result{}, err
+		}
+	}
+
+	r.ConstraintToSyncOnly[request.Name] = constraintSyncOnlyEntries
+
+	uniqSyncOnly := r.getUniqSyncOnly()
+
+	if reflect.DeepEqual(uniqSyncOnly, config.Spec.Sync.SyncOnly) {
+		r.Log.V(1).Info("There are no changes detected. Cancel Updating")
+
+		return reconcile.Result{RequeueAfter: requeueTime}, nil
+	}
+
+	config.Spec.Sync.SyncOnly = uniqSyncOnly
+
+	err = r.Update(ctx, config, &client.UpdateOptions{})
+	if err != nil {
+		log.Error(err, "unable to update config syncOnly")
+
+		return reconcile.Result{}, err
+	}
+
+	return reconcile.Result{RequeueAfter: requeueTime}, nil
+}
+
+func (r *ConstraintPodStatusReconciler) getUniqSyncOnly() []v1alpha1.SyncOnlyEntry {
+	syncOnlySet := map[v1alpha1.SyncOnlyEntry]bool{}
+	// Add to table for unique filtering
+	for _, syncEntries := range r.ConstraintToSyncOnly {
+		for _, entry := range syncEntries {
+			syncOnlySet[entry] = true
+		}
+	}
+
+	syncOnlys := make([]v1alpha1.SyncOnlyEntry, 0, len(syncOnlySet))
+	for key := range syncOnlySet {
+		syncOnlys = append(syncOnlys, key)
+	}
+
+	// Sort syncOnly so the returned value is consistent each time the method is called.
+	sort.Slice(syncOnlys, func(i, j int) bool {
+		stringi := syncOnlys[i].Group + " " + syncOnlys[i].Kind + " " + syncOnlys[i].Version
+		stringj := syncOnlys[j].Group + " " + syncOnlys[j].Kind + " " + syncOnlys[j].Version
+
+		return stringi < stringj
+	})
+
+	return syncOnlys
+}
+
+// handleDeleteEvent is called when a ConstraintPodStatus object is deleted.
+// It deletes ConstraintPodStatus' key in the `ConstraintToSyncOnly` map and
+// recalculates the appropriate SyncOnly entries.
+func (r *ConstraintPodStatusReconciler) handleDeleteEvent(
+	ctx context.Context, cpsName string, config *v1alpha1.Config,
+) error {
+	delete(r.ConstraintToSyncOnly, cpsName)
+
+	updatedSyncOnly := r.getUniqSyncOnly()
+
+	if reflect.DeepEqual(updatedSyncOnly, config.Spec.Sync.SyncOnly) {
+		r.Log.V(1).Info("There are no changes detected. Will not update.")
+
+		return nil
+	}
+
+	config.Spec.Sync.SyncOnly = updatedSyncOnly
+
+	err := r.Update(ctx, config, &client.UpdateOptions{})
+	if err != nil {
+		r.Log.Error(err, "unable to update config syncOnly")
+
+		return err
+	}
+
+	return nil
+}