Merge pull request #1954 from tiraboschi/deleteVAP

openshift-merge-bot[bot] · web-flow · commit f489e811f030 · 2025-10-21T14:17:06.000Z
Add delete support for ValidatingAdmissionPolicies and ValidatingAdmissionPolicyBindings
diff --git a/pkg/operator/resource/resourceapply/admissionregistration.go b/pkg/operator/resource/resourceapply/admissionregistration.go
@@ -415,3 +415,51 @@ func ApplyValidatingAdmissionPolicyBindingV1(ctx context.Context, client admissi
 	cache.UpdateCachedResourceMetadata(requiredOriginal, actual)
 	return actual, true, nil
 }
+
+func DeleteValidatingAdmissionPolicyV1beta1(ctx context.Context, client admissionregistrationclientv1beta1.ValidatingAdmissionPoliciesGetter, recorder events.Recorder, required *admissionregistrationv1beta1.ValidatingAdmissionPolicy) (*admissionregistrationv1beta1.ValidatingAdmissionPolicy, bool, error) {
+	err := client.ValidatingAdmissionPolicies().Delete(ctx, required.Name, metav1.DeleteOptions{})
+	if err != nil && apierrors.IsNotFound(err) {
+		return nil, false, nil
+	}
+	if err != nil {
+		return nil, false, err
+	}
+	resourcehelper.ReportDeleteEvent(recorder, required, err)
+	return nil, true, nil
+}
+
+func DeleteValidatingAdmissionPolicyBindingV1beta1(ctx context.Context, client admissionregistrationclientv1beta1.ValidatingAdmissionPolicyBindingsGetter, recorder events.Recorder, required *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) (*admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, bool, error) {
+	err := client.ValidatingAdmissionPolicyBindings().Delete(ctx, required.Name, metav1.DeleteOptions{})
+	if err != nil && apierrors.IsNotFound(err) {
+		return nil, false, nil
+	}
+	if err != nil {
+		return nil, false, err
+	}
+	resourcehelper.ReportDeleteEvent(recorder, required, err)
+	return nil, true, nil
+}
+
+func DeleteValidatingAdmissionPolicyV1(ctx context.Context, client admissionregistrationclientv1.ValidatingAdmissionPoliciesGetter, recorder events.Recorder, required *admissionregistrationv1.ValidatingAdmissionPolicy) (*admissionregistrationv1.ValidatingAdmissionPolicy, bool, error) {
+	err := client.ValidatingAdmissionPolicies().Delete(ctx, required.Name, metav1.DeleteOptions{})
+	if err != nil && apierrors.IsNotFound(err) {
+		return nil, false, nil
+	}
+	if err != nil {
+		return nil, false, err
+	}
+	resourcehelper.ReportDeleteEvent(recorder, required, err)
+	return nil, true, nil
+}
+
+func DeleteValidatingAdmissionPolicyBindingV1(ctx context.Context, client admissionregistrationclientv1.ValidatingAdmissionPolicyBindingsGetter, recorder events.Recorder, required *admissionregistrationv1.ValidatingAdmissionPolicyBinding) (*admissionregistrationv1.ValidatingAdmissionPolicyBinding, bool, error) {
+	err := client.ValidatingAdmissionPolicyBindings().Delete(ctx, required.Name, metav1.DeleteOptions{})
+	if err != nil && apierrors.IsNotFound(err) {
+		return nil, false, nil
+	}
+	if err != nil {
+		return nil, false, err
+	}
+	resourcehelper.ReportDeleteEvent(recorder, required, err)
+	return nil, true, nil
+}
diff --git a/pkg/operator/resource/resourceapply/admissionregistration_test.go b/pkg/operator/resource/resourceapply/admissionregistration_test.go
@@ -448,7 +448,7 @@ func TestDeleteValidatingConfiguration(t *testing.T) {
 	}
 }
 
-func TestApplyValidatingAdmissionPolicyConfiguration(t *testing.T) {
+func TestApplyValidatingAdmissionPolicy(t *testing.T) {
 	defaultPolicy := &admissionregistrationv1beta1.ValidatingAdmissionPolicy{}
 	defaultPolicy.SetName("test")
 	createEvent := "ValidatingAdmissionPolicyCreated"
@@ -562,6 +562,138 @@ func TestApplyValidatingAdmissionPolicyConfiguration(t *testing.T) {
 	}
 }
 
+func TestDeleteValidatingAdmissionPolicy(t *testing.T) {
+	defaultPolicy := &admissionregistrationv1.ValidatingAdmissionPolicy{}
+	defaultPolicy.SetName("test")
+	deleteEvent := "ValidatingAdmissionPolicyDeleted"
+
+	tests := []struct {
+		name           string
+		expectModified bool
+		existing       func() *admissionregistrationv1.ValidatingAdmissionPolicy
+		input          func() *admissionregistrationv1.ValidatingAdmissionPolicy
+		checkUpdated   func(*admissionregistrationv1.ValidatingAdmissionPolicy) error
+		expectedEvents []string
+	}{
+		{
+			name:           "Should delete policy if it exists",
+			expectModified: true,
+			input: func() *admissionregistrationv1.ValidatingAdmissionPolicy {
+				policy := defaultPolicy.DeepCopy()
+				return policy
+			},
+			existing: func() *admissionregistrationv1.ValidatingAdmissionPolicy {
+				policy := defaultPolicy.DeepCopy()
+				return policy
+			},
+			expectedEvents: []string{deleteEvent},
+		},
+		{
+			name:           "Should do nothing if policy does not exist",
+			expectModified: false,
+			input: func() *admissionregistrationv1.ValidatingAdmissionPolicy {
+				policy := defaultPolicy.DeepCopy()
+				return policy
+			},
+			expectedEvents: []string{},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+
+			existingHooks := []runtime.Object{}
+			if test.existing != nil {
+				existingHooks = append(existingHooks, test.existing())
+			}
+			client := fake.NewSimpleClientset(existingHooks...)
+			recorder := events.NewInMemoryRecorder("test", clocktesting.NewFakePassiveClock(time.Now()))
+
+			testApply := func(expectModify bool) {
+				updatedHook, modified, err := DeleteValidatingAdmissionPolicyV1(
+					context.TODO(),
+					client.AdmissionregistrationV1(),
+					recorder, test.input())
+				if err != nil {
+					t.Fatal(err)
+				}
+				if expectModify != modified {
+					t.Errorf("expected modified to be equal %v, got %v: %#v", expectModify, modified, updatedHook)
+				}
+			}
+
+			testApply(test.expectModified)
+			assertEvents(t, test.name, test.expectedEvents, recorder.Events())
+		})
+	}
+}
+
+func TestDeleteValidatingAdmissionPolicyBinding(t *testing.T) {
+	defaultPolicyBinding := &admissionregistrationv1.ValidatingAdmissionPolicyBinding{}
+	defaultPolicyBinding.SetName("test")
+	deleteEvent := "ValidatingAdmissionPolicyBindingDeleted"
+
+	tests := []struct {
+		name           string
+		expectModified bool
+		existing       func() *admissionregistrationv1.ValidatingAdmissionPolicyBinding
+		input          func() *admissionregistrationv1.ValidatingAdmissionPolicyBinding
+		checkUpdated   func(*admissionregistrationv1.ValidatingAdmissionPolicyBinding) error
+		expectedEvents []string
+	}{
+		{
+			name:           "Should delete policy binding if it exists",
+			expectModified: true,
+			input: func() *admissionregistrationv1.ValidatingAdmissionPolicyBinding {
+				policyBinding := defaultPolicyBinding.DeepCopy()
+				return policyBinding
+			},
+			existing: func() *admissionregistrationv1.ValidatingAdmissionPolicyBinding {
+				policyBinding := defaultPolicyBinding.DeepCopy()
+				return policyBinding
+			},
+			expectedEvents: []string{deleteEvent},
+		},
+		{
+			name:           "Should do nothing if policy binding does not exist",
+			expectModified: false,
+			input: func() *admissionregistrationv1.ValidatingAdmissionPolicyBinding {
+				policyBinding := defaultPolicyBinding.DeepCopy()
+				return policyBinding
+			},
+			expectedEvents: []string{},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+
+			existingHooks := []runtime.Object{}
+			if test.existing != nil {
+				existingHooks = append(existingHooks, test.existing())
+			}
+			client := fake.NewSimpleClientset(existingHooks...)
+			recorder := events.NewInMemoryRecorder("test", clocktesting.NewFakePassiveClock(time.Now()))
+
+			testApply := func(expectModify bool) {
+				updatedHook, modified, err := DeleteValidatingAdmissionPolicyBindingV1(
+					context.TODO(),
+					client.AdmissionregistrationV1(),
+					recorder, test.input())
+				if err != nil {
+					t.Fatal(err)
+				}
+				if expectModify != modified {
+					t.Errorf("expected modified to be equal %v, got %v: %#v", expectModify, modified, updatedHook)
+				}
+			}
+
+			testApply(test.expectModified)
+			assertEvents(t, test.name, test.expectedEvents, recorder.Events())
+		})
+	}
+}
+
 func assertEvents(t *testing.T, testCase string, expectedReasons []string, events []*corev1.Event) {
 	if len(expectedReasons) != len(events) {
 		t.Errorf(
diff --git a/pkg/operator/resource/resourceapply/generic.go b/pkg/operator/resource/resourceapply/generic.go
@@ -380,6 +380,30 @@ func DeleteAll(ctx context.Context, clients *ClientHolder, recorder events.Recor
 			} else {
 				_, result.Changed, result.Error = DeleteValidatingWebhookConfiguration(ctx, clients.kubeClient.AdmissionregistrationV1(), recorder, t)
 			}
+		case *admissionregistrationv1beta1.ValidatingAdmissionPolicy:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				_, result.Changed, result.Error = DeleteValidatingAdmissionPolicyV1beta1(ctx, clients.kubeClient.AdmissionregistrationV1beta1(), recorder, t)
+			}
+		case *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				_, result.Changed, result.Error = DeleteValidatingAdmissionPolicyBindingV1beta1(ctx, clients.kubeClient.AdmissionregistrationV1beta1(), recorder, t)
+			}
+		case *admissionregistrationv1.ValidatingAdmissionPolicy:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				_, result.Changed, result.Error = DeleteValidatingAdmissionPolicyV1(ctx, clients.kubeClient.AdmissionregistrationV1(), recorder, t)
+			}
+		case *admissionregistrationv1.ValidatingAdmissionPolicyBinding:
+			if clients.kubeClient == nil {
+				result.Error = fmt.Errorf("missing kubeClient")
+			} else {
+				_, result.Changed, result.Error = DeleteValidatingAdmissionPolicyBindingV1(ctx, clients.kubeClient.AdmissionregistrationV1(), recorder, t)
+			}
 		case *storagev1.CSIDriver:
 			if clients.kubeClient == nil {
 				result.Error = fmt.Errorf("missing kubeClient")
