CMP-3613: Gracefully handle profile deprecation checks

rhmdnd · rhmdnd · commit c705e2582322 · 2025-10-15T07:48:39.000-07:00
Previously, when the operator checked if a profile was deprecated, it
would fail if it couldn't reliably detect the profile bundle used for
the profile. This is because the profile bundle contained the profiles,
which carries the deprecation flag. If the operator doesn't know which
profile bundle a profile came from, it can't guarantee it knows if the
profile is supported or not.

This is mostly fine when users are scanning their environments using
ScanSettingBindings, which rely on existing Profile and ProfileBundle
resources. But, if a user is creating a ComplianceSuite or
ComplianceScan directly, they get to set the content and content image
for the scan, which usually comes from the profile and profile bundle.
If a user specifies a content image pointing to their own content (or
even in our testing cases, where we point to content images built for
each pull request), that is going to mismatch with the default profile
bundles, meaning they can't create a ComplianceScan directly to hook in
their own content anymore because the deprecation logic will always
error out looking for a profile bundle that it assumes must exist.

This commit relaxes that requirement, but maintains the default behavior
so that users relying on ScanSettingBindings still get deprecation
notices when they should, and allows power users the ability to set
their own content images directly without breaking the workflow on the
deprecation check.
diff --git a/pkg/controller/compliancescan/compliancescan_controller.go b/pkg/controller/compliancescan/compliancescan_controller.go
@@ -329,9 +329,12 @@ func (r *ReconcileComplianceScan) notifyUseOfDeprecatedProfile(instance *compv1a
 			}
 		}
 		if pbName == "" {
-			err := goerrors.New("Could not find ProfileBundle used by scan")
-			logger.Error(err, "ComplianceScan uses non-existent ProfileBundle", "ComplianceScan", instance.Name, "Profile", instance.Spec.Profile)
-			return err
+			logger.Info("Could not find ProfileBundle used by scan to check if the Profile is deprecated",
+				"ComplianceScan", instance.Name,
+				"Profile", instance.Spec.Profile,
+				"ContentImage", instance.Spec.ContentImage,
+				"Content", instance.Spec.Content)
+			return nil
 		}
 
 		xccdfProfileName := xccdf.GetProfileNameFromID(instance.Spec.Profile)
diff --git a/tests/e2e/parallel/main_test.go b/tests/e2e/parallel/main_test.go
@@ -3404,3 +3404,59 @@ func TestScanCleansUpComplianceCheckResults(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestComplianceScanWithMissingProfileBundleGracefullyHandlesDeprecationCheck(t *testing.T) {
+	t.Parallel()
+	f := framework.Global
+
+	scanName := framework.GetObjNameFromTest(t)
+	testScan := &compv1alpha1.ComplianceScan{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      scanName,
+			Namespace: f.OperatorNamespace,
+		},
+		Spec: compv1alpha1.ComplianceScanSpec{
+			Profile: "xccdf_org.ssgproject.content_profile_moderate",
+			// Make the ProfileBundle lookup fail because the
+			// Content and ContentImage mismatch. This means the
+			// operator can't check if the profile is deprecated
+			// because it can't reliably know which bundle it came
+			// from and hasn't parsed that specific datastream. In
+			// cases like this, the profile deprecation logic
+			// shouldn't prevent the scan. Advanced users might use
+			// this technique to point to their own custom content,
+			// which is rare but possible.
+			Content:      framework.OcpContentFile,
+			ContentImage: contentImagePath,
+			ComplianceScanSettings: compv1alpha1.ComplianceScanSettings{
+				Debug: true,
+			},
+		},
+	}
+
+	// Create the scan directly since we want to set these attributes
+	// directly, and not assume the existing ProfileBundles.
+	err := f.Client.Create(context.TODO(), testScan, nil)
+	if err != nil {
+		t.Fatalf("failed to create scan %s: %s", scanName, err)
+	}
+	defer f.Client.Delete(context.TODO(), testScan)
+
+	// Wait for the scan to reach Done phase
+	err = f.WaitForScanStatus(f.OperatorNamespace, scanName, compv1alpha1.PhaseDone)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Get the final scan state
+	if err = f.Client.Get(context.TODO(), types.NamespacedName{Name: scanName, Namespace: f.OperatorNamespace}, testScan); err != nil {
+		t.Fatal(err)
+	}
+
+	// The scan should NOT fail on profile deprecation check when ProfileBundle matching fails
+	if testScan.Status.ErrorMessage == "Could not check whether the Profile used by ComplianceScan is deprecated" {
+		t.Fatal(errors.New("scan should not fail on profile deprecation check when ProfileBundle matching fails"))
+	}
+
+	t.Logf("Scan completed with result: %s", testScan.Status.Result)
+}

Original file line number	Diff line number	Diff line change
`@@ -329,9 +329,12 @@ func (r ReconcileComplianceScan) notifyUseOfDeprecatedProfile(instance compv1a`
`329`	`329`	`}`
`330`	`330`	`}`
`331`	`331`	`if pbName == "" {`
`332`		`- err := goerrors.New("Could not find ProfileBundle used by scan")`
`333`		`- logger.Error(err, "ComplianceScan uses non-existent ProfileBundle", "ComplianceScan", instance.Name, "Profile", instance.Spec.Profile)`
`334`		`- return err`
	`332`	`+ logger.Info("Could not find ProfileBundle used by scan to check if the Profile is deprecated",`
	`333`	`+ "ComplianceScan", instance.Name,`
	`334`	`+ "Profile", instance.Spec.Profile,`
	`335`	`+ "ContentImage", instance.Spec.ContentImage,`
	`336`	`+ "Content", instance.Spec.Content)`
	`337`	`+ return nil`
`335`	`338`	`}`
`336`	`339`
`337`	`340`	`xccdfProfileName := xccdf.GetProfileNameFromID(instance.Spec.Profile)`