Add options for policy ordering

The new `dependencies` field in the generator is the same as the new
`dependencies` field in the Policy type, however, more fields are
optional and will be filled in by the generator with useful defaults.

The new `ignorePending` field is also the same, but since that would be
set on templates, and the generator does not expose much at the template
level, here the field is set on the policy, and the generator sets the
correct field in all the templates of that policy. For a similar reason,
the `extraDependencies` field is not exposed in the generator at all.

The new `orderViaDependencies` field will set up a chain of dependencies
on the created policies. So if 3 policies are created by the generator,
policy 2 will depend on policy 1, and policy 3 will depend on policy 2.

In all cases, dependency lists are merged - setting it on a specific
policy will *not* override the defaults, or a dependency added by the
`orderViaDependencies` flag.

Refs:
 - stolostron/backlog#26183

Signed-off-by: Justin Kulikauskas <[email protected]>

Author: JustinKuli

docs/policygenerator-reference.yaml

@@ -10,6 +10,11 @@ placementBindingDefaults:
   # Set an explicit placement binding name to use rather than rely on the default.
   name: ""
 
+# Optional. Determines whether to define dependencies on the policies so they are applied in the
+# order they are defined in the manifests list. This defaults to false, and all the policies
+# can be applied at the same time.
+orderViaDependencies: false
+
 # Required. Any default value listed here can be overridden under an entry in the policies array
 # except for "namespace".
 policyDefaults:
@@ -32,6 +37,21 @@ policyDefaults:
   # manifests being wrapped in the policy. If set to false, a configuration policy per manifest will
   # be generated. This defaults to true.
   consolidateManifests: true
+  # Optional. A list of objects that should be in specific compliance states before this policy is
+  # applied.
+  dependencies:
+      # Required. The name of the object being depended on.
+    - name: ""
+      # Optional. The namespace of the object being depended on. Will default to the namespace of
+      # policies from this generator.
+      namespace: ""
+      # Optional. The compliance state the object should be in. Defaults to "Compliant"
+      compliance: "Compliant"
+      # Optional. The kind of the object. Defaults to "Policy", but can also be things like
+      # ConfigurationPolicy.
+      kind: "Policy"
+      # Optional. The APIVersion of the object. Defaults to "policy.open-cluster-management.io/v1"
+      apiVersion: "policy.open-cluster-management.io/v1"
   # Optional. Determines whether the policy is enabled or disabled. A disabled policy will not be
   # propagated to any managed clusters and will show no status as a result.
   disabled: false
@@ -47,6 +67,9 @@ policyDefaults:
   # deleted. Pruning only takes place if the remediation action of the policy has been set to "enforce". Example values
   # are "DeleteIfCreated", "DeleteAll", or "None". This defaults to unset, which is equivalent to "None".
   pruneObjectBehavior: "None"
+  # Optional. Determines whether to treat the policy as compliant when it is waiting for its
+  # dependencies to reach their desired states. Defaults to false.
+  ignorePending: false
   # Optional. When the policy references a Gatekeeper policy manifest, this determines if an additional
   # configuration policy should be generated in order to receive policy violations in Open Cluster
   # Management when the Gatekeeper policy has been violated. This defaults to true.
@@ -191,12 +214,27 @@ policies:
     # Optional. (See policyDefaults.controls for description.)
     controls:
       - "CM-2 Baseline Configuration"
+    # Optional. (See policyDefaults.dependencies for description.) Note: the list defined here will
+    # be merged with the default list.
+    dependencies:
+        # Required. (See policyDefaults.dependencies.name for description.)
+      - name: ""
+        # Optional. (See policyDefaults.dependencies.namespace for description.)
+        namespace: ""
+        # Optional. (See policyDefaults.dependencies.compliance for description.)
+        compliance: "Compliant"
+        # Optional. (See policyDefaults.dependencies.kind for description.)
+        kind: "Policy"
+        # Optional. (See policyDefaults.dependencies.apiVersion for description.)
+        apiVersion: "policy.open-cluster-management.io/v1"
     # Optional. (See policyDefaults.disabled for description.)
     disabled: false
     # Optional. (See policyDefaults.evaluationInterval for description.)
     evaluationInterval: {}
     # Optional. (See policyDefaults.pruneObjectBehavior for description.)
     pruneObjectBehavior: ""
+    # Optional. (See policyDefaults.ignorePending for description.)
+    ignorePending: false
     # Optional. (See policyDefaults.informGatekeeperPolicies for description.)
     informGatekeeperPolicies: true
     # Optional. (See policyDefaults.informKyvernoPolicies for description.)

internal/plugin.go

@@ -46,6 +46,8 @@ type Plugin struct {
 	PlacementBindingDefaults struct {
 		Name string `json:"name,omitempty" yaml:"name,omitempty"`
 	} `json:"placementBindingDefaults,omitempty" yaml:"placementBindingDefaults,omitempty"`
+	OrderViaDependencies bool `json:"orderViaDependencies,omitempty" yaml:"orderViaDependencies,omitempty"`
+
 	PolicyDefaults types.PolicyDefaults    `json:"policyDefaults,omitempty" yaml:"policyDefaults,omitempty"`
 	Policies       []types.PolicyConfig    `json:"policies" yaml:"policies"`
 	PolicySets     []types.PolicySetConfig `json:"policySets" yaml:"policySets"`
@@ -411,6 +413,27 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 		}
 	}
 
+	for i, dep := range p.PolicyDefaults.Dependencies {
+		if dep.Namespace == "" {
+			p.PolicyDefaults.Dependencies[i].Namespace = p.PolicyDefaults.Namespace
+		}
+
+		if dep.Compliance == "" {
+			p.PolicyDefaults.Dependencies[i].Compliance = "Compliant"
+		}
+
+		if dep.Kind == "" {
+			p.PolicyDefaults.Dependencies[i].Kind = policyKind
+		}
+
+		if dep.APIVersion == "" {
+			p.PolicyDefaults.Dependencies[i].APIVersion = policyAPIVersion
+		}
+	}
+
+	// Used when p.OrderViaDependencies is set
+	prevPolicyName := ""
+
 	for i := range p.Policies {
 		policy := &p.Policies[i]
 
@@ -513,6 +536,43 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.Disabled = p.PolicyDefaults.Disabled
 		}
 
+		ignorePending, ignorePendingIsSet := getPolicyBool(unmarshaledConfig, i, "ignorePending")
+		if ignorePendingIsSet {
+			policy.IgnorePending = ignorePending
+		} else {
+			policy.IgnorePending = p.PolicyDefaults.IgnorePending
+		}
+
+		for i, dep := range policy.Dependencies {
+			if dep.Namespace == "" {
+				policy.Dependencies[i].Namespace = p.PolicyDefaults.Namespace
+			}
+
+			if dep.Compliance == "" {
+				policy.Dependencies[i].Compliance = "Compliant"
+			}
+
+			if dep.Kind == "" {
+				policy.Dependencies[i].Kind = policyKind
+			}
+
+			if dep.APIVersion == "" {
+				policy.Dependencies[i].APIVersion = policyAPIVersion
+			}
+		}
+
+		policy.Dependencies = append(policy.Dependencies, p.PolicyDefaults.Dependencies...)
+
+		if p.OrderViaDependencies && prevPolicyName != "" {
+			policy.Dependencies = append(policy.Dependencies, types.PolicyDependency{
+				Name:       prevPolicyName,
+				Namespace:  p.PolicyDefaults.Namespace,
+				Compliance: "Compliant",
+				Kind:       policyKind,
+				APIVersion: policyAPIVersion,
+			})
+		}
+
 		// Determine whether defaults are set for placement
 		plcDefaultSet := len(p.PolicyDefaults.Placement.LabelSelector) != 0 ||
 			p.PolicyDefaults.Placement.PlacementPath != "" ||
@@ -640,6 +700,8 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 		for plcset := range plcToPlcset[policy.Name] {
 			policy.PolicySets = append(policy.PolicySets, plcset)
 		}
+
+		prevPolicyName = policy.Name
 	}
 
 	// Sync up the declared policy sets in p.Policies[*]
@@ -740,6 +802,12 @@ func (p *Plugin) assertValidConfig() error {
 		return errors.New("policies is empty but it must be set")
 	}
 
+	for i, dep := range p.PolicyDefaults.Dependencies {
+		if dep.Name == "" {
+			return fmt.Errorf("dependency name must be set in policyDefaults dependency %v", i)
+		}
+	}
+
 	seenPlc := map[string]bool{}
 	plCount := struct {
 		plc int
@@ -985,6 +1053,12 @@ func (p *Plugin) assertValidConfig() error {
 				)
 			}
 		}
+
+		for i, dep := range policy.Dependencies {
+			if dep.Name == "" {
+				return fmt.Errorf("dependency name must be set in policy %v dependency %v", policy.Name, i)
+			}
+		}
 	}
 
 	seenPlcset := map[string]bool{}
@@ -1153,6 +1227,15 @@ func (p *Plugin) createPolicy(policyConf *types.PolicyConfig) error {
 		policyConf.Standards, ",",
 	)
 
+	spec := map[string]interface{}{
+		"disabled":         policyConf.Disabled,
+		"policy-templates": policyTemplates,
+	}
+
+	if len(policyConf.Dependencies) != 0 {
+		spec["dependencies"] = policyConf.Dependencies
+	}
+
 	policy := map[string]interface{}{
 		"apiVersion": policyAPIVersion,
 		"kind":       policyKind,
@@ -1161,10 +1244,7 @@ func (p *Plugin) createPolicy(policyConf *types.PolicyConfig) error {
 			"name":        policyConf.Name,
 			"namespace":   p.PolicyDefaults.Namespace,
 		},
-		"spec": map[string]interface{}{
-			"disabled":         policyConf.Disabled,
-			"policy-templates": policyTemplates,
-		},
+		"spec": spec,
 	}
 
 	// set the root policy remediation action if all the remediation actions match