Record compliance events on the compliance events history API

If a policy controller sends a Kubernetes event with the
policy.open-cluster-management.io/policy-compliance-db-id annotation
set. The compliance event will be recorded on the compliance events
history API.

Also, when the policy is disabled/deleted, a compliance event is
recorded on the compliance events history API.

Note that to enable this functionality, the --compliance-api-url must be
passed to this controller.

Relates:
https://issues.redhat.com/browse/ACM-6889

Signed-off-by: mprahl <[email protected]>

Author: mprahl

.github/workflows/kind.yml

@@ -86,6 +86,10 @@ jobs:
         export COVERAGE_E2E_OUT=coverage_e2e_hosted_mode.out
         KUBECONFIG=${PWD}/kubeconfig_managed make e2e-test-coverage
 
+    - name: E2E Tests for Compliance Events API Integration
+      run: |
+        KUBECONFIG=${PWD}/kubeconfig_managed make e2e-test-coverage-compliance-events-api
+
     - name: Verify Deployment Configuration
       run: |
         make build-images

Makefile

@@ -27,6 +27,8 @@ GOOS = $(shell go env GOOS)
 TESTARGS_DEFAULT := -v
 export TESTARGS ?= $(TESTARGS_DEFAULT)
 
+COMPLIANCE_API_URL ?= http://127.0.0.1:8385
+
 # Get the branch of the PR target or Push in Github Action
 ifeq ($(GITHUB_EVENT_NAME), pull_request) # pull request
 	BRANCH := $(GITHUB_BASE_REF)
@@ -50,10 +52,11 @@ HUB_CONFIG_INTERNAL ?= $(PWD)/kubeconfig_hub_internal
 MANAGED_CONFIG ?= $(PWD)/kubeconfig_managed
 deployOnHub ?= false
 CONTROLLER_NAME ?= $(shell cat COMPONENT_NAME 2> /dev/null)
+E2E_FILTER = --label-filter="!compliance-events-api"
 # Set the Kind version tag
 ifeq ($(KIND_VERSION), minimum)
 	KIND_ARGS = --image kindest/node:v1.19.16
-	E2E_FILTER = --label-filter="!skip-minimum"
+	E2E_FILTER = --label-filter="!skip-minimum && !compliance-events-api"
 else ifneq ($(KIND_VERSION), latest)
 	KIND_ARGS = --image kindest/node:$(KIND_VERSION)
 else
@@ -219,10 +222,10 @@ install-resources:
 
 .PHONY: e2e-test
 e2e-test: e2e-dependencies
-	$(GINKGO) -v --fail-fast $(E2E_TEST_ARGS) test/e2e
+	$(GINKGO) -v --fail-fast $(E2E_TEST_ARGS) $(E2E_FILTER) test/e2e
 
 .PHONY: e2e-test-coverage
-e2e-test-coverage: E2E_TEST_ARGS = --json-report=report_e2e.json --output-dir=. $(E2E_FILTER)
+e2e-test-coverage: E2E_TEST_ARGS = --json-report=report_e2e.json --output-dir=.
 e2e-test-coverage: e2e-run-instrumented e2e-test e2e-stop-instrumented
 
 .PHONY: e2e-test-coverage-foreground
@@ -239,6 +242,16 @@ e2e-test-uninistall:
 e2e-test-uninstall-coverage: COVERAGE_E2E_OUT = coverage_e2e_uninstall_controller.out
 e2e-test-uninstall-coverage: e2e-run-instrumented scale-down-deployment e2e-test-uninistall e2e-stop-instrumented
 
+.PHONY: e2e-test-compliance-events-api
+e2e-test-compliance-events-api:
+	COMPLIANCE_API_URL=$(COMPLIANCE_API_URL) $(GINKGO) -v --fail-fast $(E2E_TEST_ARGS) --label-filter="compliance-events-api" test/e2e
+
+.PHONY: e2e-test-coverage-compliance-events-api
+e2e-test-coverage-compliance-events-api:
+	COVERAGE_E2E_OUT=coverage_e2e_compliance_events_api.out COMPLIANCE_API_URL=$(COMPLIANCE_API_URL) $(MAKE) e2e-run-instrumented
+	$(MAKE) e2e-test-compliance-events-api
+	$(MAKE) e2e-stop-instrumented
+
 .PHONY: scale-down-deployment
 scale-down-deployment:
 	kubectl scale deployment $(IMG) -n $(KIND_NAMESPACE) --replicas=0 --kubeconfig=$(MANAGED_CONFIG)_e2e

controllers/specsync/policy_spec_sync.go

@@ -10,9 +10,11 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
 	policiesv1 "open-cluster-management.io/governance-policy-propagator/api/v1"
 	"open-cluster-management.io/governance-policy-propagator/controllers/common"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -52,6 +54,9 @@ type PolicyReconciler struct {
 	// The namespace that the replicated policies should be synced to.
 	TargetNamespace      string
 	ConcurrentReconciles int
+	// EventsQueue is a queue that accepts ComplianceAPIEventRequest to then be recorded in the compliance events
+	// API by StartComplianceEventsSyncer. If the compliance events API is disabled, this will be nil.
+	EventsQueue workqueue.RateLimitingInterface
 }
 
 //+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=policies,verbs=create;delete;get;list;patch;update;watch
@@ -88,6 +93,23 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, request reconcile.Requ
 			// replicated policy on hub was deleted, remove policy on managed cluster
 			reqLogger.Info("Policy was deleted, removing on managed cluster...")
 
+			managedPolicy := &policiesv1.Policy{}
+			if r.EventsQueue != nil {
+				err := r.ManagedClient.Get(
+					ctx, types.NamespacedName{Namespace: r.TargetNamespace, Name: request.Name}, managedPolicy,
+				)
+				if errors.IsNotFound(err) {
+					// The policy is already deleted on the managed cluster so there is nothing to delete
+					return reconcile.Result{}, nil
+				}
+
+				if err != nil {
+					reqLogger.Error(err, "Failed to get the replicated policy on the managed cluster")
+
+					return reconcile.Result{}, err
+				}
+			}
+
 			err = r.ManagedClient.Delete(ctx, &policiesv1.Policy{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       policiesv1.Kind,
@@ -105,6 +127,32 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, request reconcile.Requ
 				return reconcile.Result{}, err
 			}
 
+			if r.EventsQueue != nil {
+				for _, tmplEntry := range managedPolicy.Spec.PolicyTemplates {
+					tmpl := &unstructured.Unstructured{}
+
+					err := tmpl.UnmarshalJSON(tmplEntry.ObjectDefinition.Raw)
+					if err != nil {
+						continue
+					}
+
+					if tmpl.GetAnnotations()[utils.PolicyDBIDAnnotation] == "" {
+						continue
+					}
+
+					ce, err := utils.GenerateDisabledEvent(
+						managedPolicy,
+						tmpl,
+						"The policy was removed because the parent policy no longer applies to this cluster",
+					)
+					if err != nil {
+						log.Error(err, "Failed to generate a disabled compliance API event")
+					} else {
+						r.EventsQueue.Add(ce)
+					}
+				}
+			}
+
 			reqLogger.Info("Policy has been removed from managed cluster...Reconciliation complete.")
 
 			return reconcile.Result{}, nil