Omit dry run matching field when not in use

ref: https://issues.redhat.com/browse/ACM-14577

Signed-off-by: Janelle Law <[email protected]>

Author: jan-law

api/v1/configurationpolicy_types.go

@@ -418,7 +418,7 @@ type ObjectProperties struct {
 	// cluster.
 	Diff string `json:"diff,omitempty"`
 
-	// MatchesAfterDryRun indicates whether the dry run update matches the policy assessment. If false,
+	// MatchesAfterDryRun indicates whether the object matches the policy after the dry run update. If true,
 	// there was an initial mismatch between the policy and object, but the dry run update produced
 	// a compliant result.
 	MatchesAfterDryRun bool `json:"matchesAfterDryRun,omitempty"`

controllers/configurationpolicy_controller.go

@@ -3189,7 +3189,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 	if obj.existingObj == nil {
 		log.Info("Skipping update: Previous object retrieval from the API server failed")
 
-		return false, "", "", false, nil, true
+		return false, "", "", false, nil, false
 	}
 
 	var res dynamic.ResourceInterface
@@ -3211,7 +3211,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 		objectT.MetadataComplianceType,
 	)
 	if errMsg != "" {
-		return true, errMsg, "", true, nil, true
+		return true, errMsg, "", true, nil, false
 	}
 
 	recordDiff := objectT.RecordDiffWithDefault()
@@ -3231,7 +3231,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 
 		r.setEvaluatedObject(obj.policy, obj.existingObj, !throwSpecViolation, "")
 
-		return throwSpecViolation, "", diff, updateNeeded, updatedObj, true
+		return throwSpecViolation, "", diff, updateNeeded, updatedObj, false
 	}
 
 	if updateNeeded {
@@ -3275,7 +3275,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 				r.setEvaluatedObject(obj.policy, obj.existingObj, false, message)
 			}
 
-			return true, message, "", updateNeeded, nil, true
+			return true, message, "", updateNeeded, nil, false
 		}
 
 		// If an update is invalid (i.e. modifying Pod spec fields), then return noncompliant since that
@@ -3301,7 +3301,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 
 			r.setEvaluatedObject(obj.policy, obj.existingObj, false, message)
 
-			return true, message, diff, false, nil, true
+			return true, message, diff, false, nil, false
 		}
 
 		mergedObjCopy := obj.existingObj.DeepCopy()
@@ -3327,7 +3327,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 			// Assume object is compliant by inverting the value of throwSpecViolation
 			r.setEvaluatedObject(obj.policy, obj.existingObj, !throwSpecViolation, "")
 
-			matchesAfterDryRun = false
+			matchesAfterDryRun = true
 
 			return throwSpecViolation, "", diff, updateNeeded, updatedObj, matchesAfterDryRun
 		}
@@ -3339,7 +3339,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 	if isInform {
 		r.setEvaluatedObject(obj.policy, obj.existingObj, false, "")
 
-		return true, "", diff, false, nil, true
+		return true, "", diff, false, nil, matchesAfterDryRun
 	}
 
 	// If it's not inform (i.e. enforce), update the object
@@ -3359,7 +3359,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 		if err != nil && !k8serrors.IsNotFound(err) {
 			message = fmt.Sprintf(`%s failed to delete when recreating with the error %v`, getMsgPrefix(&obj), err)
 
-			return true, message, "", updateNeeded, nil, true
+			return true, message, "", updateNeeded, nil, matchesAfterDryRun
 		}
 
 		attempts := 0
@@ -3377,7 +3377,7 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 				message = getMsgPrefix(&obj) + " timed out waiting for the object to delete during recreate, " +
 					"will retry on the next policy evaluation"
 
-				return true, message, "", updateNeeded, nil, true
+				return true, message, "", updateNeeded, nil, matchesAfterDryRun
 			}
 
 			time.Sleep(time.Second)
@@ -3413,14 +3413,14 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 			message = fmt.Sprintf("%s failed to %s with the error `%v`", getMsgPrefix(&obj), action, err)
 		}
 
-		return true, message, diff, updateNeeded, nil, true
+		return true, message, diff, updateNeeded, nil, matchesAfterDryRun
 	}
 
 	if !statusMismatch {
 		r.setEvaluatedObject(obj.policy, updatedObj, true, message)
 	}
 
-	return throwSpecViolation, "", diff, updateNeeded, updatedObj, true
+	return throwSpecViolation, "", diff, updateNeeded, updatedObj, matchesAfterDryRun
 }
 
 func getMsgPrefix(obj *singleObject) string {

deploy/crds/kustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml

@@ -479,7 +479,7 @@ spec:
                           type: string
                         matchesAfterDryRun:
                           description: |-
-                            MatchesAfterDryRun indicates whether the dry run update matches the policy assessment. If false,
+                            MatchesAfterDryRun indicates whether the object matches the policy after the dry run update. If true,
                             there was an initial mismatch between the policy and object, but the dry run update produced
                             a compliant result.
                           type: boolean

deploy/crds/kustomize_operatorpolicy/kustomization.yaml

@@ -14,3 +14,9 @@ patches:
     version: v1
     kind: CustomResourceDefinition
     name: operatorpolicies.policy.open-cluster-management.io
+- path: remove-matches-after-dry-run.json
+  target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+    name: operatorpolicies.policy.open-cluster-management.io

deploy/crds/kustomize_operatorpolicy/policy.open-cluster-management.io_operatorpolicies.yaml

@@ -386,7 +386,7 @@ spec:
                           type: string
                         matchesAfterDryRun:
                           description: |-
-                            MatchesAfterDryRun indicates whether the dry run update matches the policy assessment. If false,
+                            MatchesAfterDryRun indicates whether the object matches the policy after the dry run update. If true,
                             there was an initial mismatch between the policy and object, but the dry run update produced
                             a compliant result.
                           type: boolean

deploy/crds/kustomize_operatorpolicy/remove-matches-after-dry-run.json

@@ -0,0 +1,6 @@
+[
+    {
+        "op": "remove",
+        "path": "/spec/versions/0/schema/openAPIV3Schema/properties/status/properties/relatedObjects/items/properties/properties/properties/matchesAfterDryRun"
+    }
+]

deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml

@@ -486,7 +486,7 @@ spec:
                           type: string
                         matchesAfterDryRun:
                           description: |-
-                            MatchesAfterDryRun indicates whether the dry run update matches the policy assessment. If false,
+                            MatchesAfterDryRun indicates whether the object matches the policy after the dry run update. If true,
                             there was an initial mismatch between the policy and object, but the dry run update produced
                             a compliant result.
                           type: boolean

deploy/crds/policy.open-cluster-management.io_operatorpolicies.yaml

@@ -381,12 +381,6 @@ spec:
                             CreatedByPolicy reports whether the object was created by the configuration policy, which is
                             important when pruning is configured.
                           type: boolean
-                        matchesAfterDryRun:
-                          description: |-
-                            MatchesAfterDryRun indicates whether the dry run update matches the policy assessment. If false,
-                            there was an initial mismatch between the policy and object, but the dry run update produced
-                            a compliant result.
-                          type: boolean
                         uid:
                           description: |-
                             UID stores the object UID to help track object ownership for deletion when pruning is

pkg/dryrun/policy.open-cluster-management.io_configurationpolicies.yaml

@@ -486,7 +486,7 @@ spec:
                           type: string
                         matchesAfterDryRun:
                           description: |-
-                            MatchesAfterDryRun indicates whether the dry run update matches the policy assessment. If false,
+                            MatchesAfterDryRun indicates whether the object matches the policy after the dry run update. If true,
                             there was an initial mismatch between the policy and object, but the dry run update produced
                             a compliant result.
                           type: boolean

test/e2e/case20_delete_objects_test.go

@@ -160,10 +160,6 @@ var _ = Describe("Test Object deletion", Ordered, func() {
 			uid, found, _ := unstructured.NestedString(relatedObj, "properties", "uid")
 			Expect(found).To(BeTrue())
 			Expect(uid).ToNot(BeEmpty())
-
-			matchesAfterDryRun, found, _ := unstructured.NestedBool(relatedObj, "properties", "matchesAfterDryRun")
-			Expect(found).To(BeTrue())
-			Expect(matchesAfterDryRun).To(BeTrue())
 		})
 		AfterAll(func() {
 			policies := []string{