make ScopeTemplate CRs communicate state

api/v1/scopetemplate_types.go

@@ -43,6 +43,9 @@ type ClusterRoleTemplate struct {
 type ScopeTemplateStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
+
+	// Conditions represent the latest available observations of an object's state
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
 }
 
 //+kubebuilder:object:root=true

config/crd/bases/operators.io.operator-framework_scopetemplates.yaml

@@ -135,6 +135,77 @@ spec:
             type: object
           status:
             description: ScopeTemplateStatus defines the observed state of ScopeTemplate
+            properties:
+              conditions:
+                description: Conditions represent the latest available observations
+                  of an object's state
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    type FooStatus struct{ // Represents the observations of a foo's
+                    current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
             type: object
         type: object
     served: true

controllers/scopetemplate_controller.go

@@ -27,6 +27,7 @@ import (
 	"github.com/sirupsen/logrus"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8sapierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -79,7 +80,16 @@ func (r *ScopeTemplateReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 
 	scopeinstances := operatorsv1.ScopeInstanceList{}
 
-	if err := r.Client.List(ctx, &scopeinstances, client.InNamespace(st.Namespace)); err != nil {
+	if err := r.Client.List(ctx, &scopeinstances, &client.ListOptions{}); err != nil {
+		r.updateScopeTemplateCondition(ctx, st, metav1.Condition{
+			Type:               "Succeeded",
+			Status:             metav1.ConditionFalse,
+			ObservedGeneration: st.Generation,
+			LastTransitionTime: metav1.Now(),
+			Reason:             "ScopeInstanceListFailure",
+			Message:            fmt.Sprintf("failed to list ScopeInstances: %s", err),
+		})
+
 		return ctrl.Result{}, err
 	}
 
@@ -96,12 +106,28 @@ func (r *ScopeTemplateReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		// create ClusterRoles based on the ScopeTemplate
 		log.Log.Info("ScopeInstance found that references ScopeTemplate", "name", st.Name)
 		if err := r.ensureClusterRoles(ctx, st); err != nil {
+			r.updateScopeTemplateCondition(ctx, st, metav1.Condition{
+				Type:               "Succeeded",
+				Status:             metav1.ConditionFalse,
+				ObservedGeneration: st.Generation,
+				LastTransitionTime: metav1.Now(),
+				Reason:             "ClusterRoleCreateFailure",
+				Message:            fmt.Sprintf("failed to create ClusterRoles: %s", err),
+			})
 			return ctrl.Result{}, fmt.Errorf("Error in create ClusterRoles: %v", err)
 		}
 
 		// Add requirement to delete old hashes
 		requirement, err := labels.NewRequirement(scopeTemplateHashKey, selection.NotEquals, []string{util.HashObject(st.Spec)})
 		if err != nil {
+			r.updateScopeTemplateCondition(ctx, st, metav1.Condition{
+				Type:               "Succeeded",
+				Status:             metav1.ConditionFalse,
+				ObservedGeneration: st.Generation,
+				LastTransitionTime: metav1.Now(),
+				Reason:             "DeleteOldHashRequirementFailure",
+				Message:            fmt.Sprintf("failed to add a requirement to delete old hashes: %s", err),
+			})
 			return ctrl.Result{}, err
 		}
 		listOptions = append(listOptions, &client.ListOptions{
@@ -111,11 +137,28 @@ func (r *ScopeTemplateReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 	}
 
 	if err := r.deleteClusterRoles(ctx, listOptions...); err != nil {
+		r.updateScopeTemplateCondition(ctx, st, metav1.Condition{
+			Type:               "Succeeded",
+			Status:             metav1.ConditionFalse,
+			ObservedGeneration: st.Generation,
+			LastTransitionTime: metav1.Now(),
+			Reason:             "DeleteClusterRolesFailure",
+			Message:            fmt.Sprintf("failed to delete ClusterRoles: %s", err),
+		})
 		return ctrl.Result{}, err
 	}
 
 	log.Log.Info("No ScopeTemplate error")
 
+	r.updateScopeTemplateCondition(ctx, st, metav1.Condition{
+		Type:               "Succeeded",
+		Status:             metav1.ConditionTrue,
+		ObservedGeneration: st.Generation,
+		LastTransitionTime: metav1.Now(),
+		Reason:             "ScopeTemplateReconcileSuccess",
+		Message:            "ScopeTemplate successfully reconciled",
+	})
+
 	return ctrl.Result{}, nil
 }
 
@@ -230,3 +273,20 @@ func (r *ScopeTemplateReconciler) deleteClusterRoles(ctx context.Context, listOp
 	}
 	return nil
 }
+
+func (r *ScopeTemplateReconciler) updateScopeTemplateCondition(ctx context.Context, st *operatorsv1.ScopeTemplate, condition metav1.Condition) {
+	// Get the latest instance of the ScopeTemplate in case it has been updated
+	tempSt := &operatorsv1.ScopeTemplate{}
+	err := r.Client.Get(ctx, client.ObjectKeyFromObject(st), tempSt)
+	if err != nil {
+		log.Log.Error(err, "failed to get the latest version of the ScopeTemplate to update the ScopeTemplate status")
+		return
+	}
+	// Update the condition of the ScopeTemplate
+	meta.SetStatusCondition(&tempSt.Status.Conditions, condition)
+
+	condErr := r.Status().Update(ctx, tempSt, &client.UpdateOptions{})
+	if condErr != nil {
+		log.Log.Error(condErr, "failed to update .Status.Condition of ScopeTemplate", "Condition", condition)
+	}
+}

controllers/scopetemplate_controller_test.go

@@ -23,6 +23,7 @@ import (
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -40,9 +41,12 @@ var _ = Describe("ScopeTemplate", func() {
 		namespace2    *corev1.Namespace
 		scopeTemplate *operatorsv1.ScopeTemplate
 		scopeInstance *operatorsv1.ScopeInstance
+		// Use this to track the test iteration
+		iteration int
 	)
 
 	BeforeEach(func() {
+		iteration += 1
 		namespace = &corev1.Namespace{
 			ObjectMeta: metav1.ObjectMeta{
 				GenerateName: "test-",
@@ -68,7 +72,9 @@ var _ = Describe("ScopeTemplate", func() {
 				Spec: operatorsv1.ScopeTemplateSpec{
 					ClusterRoles: []operatorsv1.ClusterRoleTemplate{
 						{
-							GenerateName: "test",
+							// Create a new ClusterRole for each test iteration so that there are no conflicts with a ClusterRole already existing.
+							// We can deliberately test this scenario in specific tests in the future.
+							GenerateName: fmt.Sprintf("test-%d", iteration),
 							Rules: []rbacv1.PolicyRule{
 								{
 									APIGroups: []string{
@@ -106,6 +112,7 @@ var _ = Describe("ScopeTemplate", func() {
 
 			clusterRoleList := listClusterRole(0, labels)
 			Expect(clusterRoleList.Items).Should(BeNil())
+			verifyScopeTemplateStatus(scopeTemplate, "Succeeded", "ScopeTemplateReconcileSuccess", metav1.ConditionTrue, "ScopeTemplate successfully reconciled")
 		})
 
 		When("a scopeInstance is created that references the scopeTemplate with a single namespace", func() {
@@ -154,18 +161,20 @@ var _ = Describe("ScopeTemplate", func() {
 						Resources: []string{"secrets"},
 					},
 				}))
+				verifyScopeTemplateStatus(scopeTemplate, "Succeeded", "ScopeTemplateReconcileSuccess", metav1.ConditionTrue, "ScopeTemplate successfully reconciled")
 			})
 
 			It("should create the expected RoleBinding within the test namespace", func() {
 				labels := map[string]string{scopeInstanceUIDKey: string(scopeInstance.GetUID()),
 					scopeTemplateUIDKey:           string(scopeTemplate.GetUID()),
-					clusterRoleBindingGenerateKey: "test"}
+					clusterRoleBindingGenerateKey: scopeTemplate.Spec.ClusterRoles[0].GenerateName}
 
 				roleBindingList := listRoleBinding(namespace.GetName(), 1, labels)
 
 				existingRB := &roleBindingList.Items[0]
 
 				verifyRoleBindings(existingRB, scopeInstance, scopeTemplate)
+				verifyScopeTemplateStatus(scopeTemplate, "Succeeded", "ScopeTemplateReconcileSuccess", metav1.ConditionTrue, "ScopeTemplate successfully reconciled")
 			})
 
 			When("a scopeInstance is updated to include another namespace", func() {
@@ -197,7 +206,7 @@ var _ = Describe("ScopeTemplate", func() {
 
 					labels := map[string]string{scopeInstanceUIDKey: string(scopeInstance.GetUID()),
 						scopeTemplateUIDKey:           string(scopeTemplate.GetUID()),
-						clusterRoleBindingGenerateKey: "test"}
+						clusterRoleBindingGenerateKey: scopeTemplate.Spec.ClusterRoles[0].GenerateName}
 
 					roleBindingList := listRoleBinding(namespace2.GetName(), 1, labels)
 
@@ -209,6 +218,7 @@ var _ = Describe("ScopeTemplate", func() {
 
 					existingRB = &roleBindingList.Items[0]
 					verifyRoleBindings(existingRB, scopeInstance, scopeTemplate)
+					verifyScopeTemplateStatus(scopeTemplate, "Succeeded", "ScopeTemplateReconcileSuccess", metav1.ConditionTrue, "ScopeTemplate successfully reconciled")
 				})
 
 				When("a scopeInstance is updated to remove one of the namespace", func() {
@@ -227,7 +237,7 @@ var _ = Describe("ScopeTemplate", func() {
 
 						labels := map[string]string{scopeInstanceUIDKey: string(scopeInstance.GetUID()),
 							scopeTemplateUIDKey:           string(scopeTemplate.GetUID()),
-							clusterRoleBindingGenerateKey: "test"}
+							clusterRoleBindingGenerateKey: scopeTemplate.Spec.ClusterRoles[0].GenerateName}
 
 						roleBindingList := listRoleBinding(namespace2.GetName(), 1, labels)
 
@@ -236,7 +246,7 @@ var _ = Describe("ScopeTemplate", func() {
 						verifyRoleBindings(existingRB, scopeInstance, scopeTemplate)
 
 						roleBindingList = listRoleBinding(namespace.GetName(), 0, labels)
-
+						verifyScopeTemplateStatus(scopeTemplate, "Succeeded", "ScopeTemplateReconcileSuccess", metav1.ConditionTrue, "ScopeTemplate successfully reconciled")
 					})
 
 					When("a scopeInstance is updated to remove all namespaces", func() {
@@ -259,7 +269,7 @@ var _ = Describe("ScopeTemplate", func() {
 									client.MatchingLabels{
 										scopeInstanceUIDKey:           string(scopeInstance.GetUID()),
 										scopeTemplateUIDKey:           string(scopeTemplate.GetUID()),
-										clusterRoleBindingGenerateKey: "test",
+										clusterRoleBindingGenerateKey: scopeTemplate.Spec.ClusterRoles[0].GenerateName,
 									})
 								if err != nil {
 									return err
@@ -290,19 +300,20 @@ var _ = Describe("ScopeTemplate", func() {
 							}))
 							Expect(existingCRB.RoleRef).To(Equal(rbacv1.RoleRef{
 								Kind:     "ClusterRole",
-								Name:     "test",
+								Name:     scopeTemplate.Spec.ClusterRoles[0].GenerateName,
 								APIGroup: "rbac.authorization.k8s.io",
 							}))
 
 							labels := map[string]string{scopeInstanceUIDKey: string(scopeInstance.GetUID()),
 								scopeTemplateUIDKey:           string(scopeTemplate.GetUID()),
-								clusterRoleBindingGenerateKey: "test"}
+								clusterRoleBindingGenerateKey: scopeTemplate.Spec.ClusterRoles[0].GenerateName}
 
 							roleBindingList := listRoleBinding(namespace.GetName(), 0, labels)
 							Expect(len(roleBindingList.Items)).To(Equal(0))
 
 							roleBindingList = listRoleBinding(namespace2.GetName(), 0, labels)
 							Expect(len(roleBindingList.Items)).To(Equal(0))
+							verifyScopeTemplateStatus(scopeTemplate, "Succeeded", "ScopeTemplateReconcileSuccess", metav1.ConditionTrue, "ScopeTemplate successfully reconciled")
 						})
 					})
 				})
@@ -329,11 +340,29 @@ func verifyRoleBindings(existingRB *rbacv1.RoleBinding, si *operatorsv1.ScopeIns
 	}))
 	Expect(existingRB.RoleRef).To(Equal(rbacv1.RoleRef{
 		Kind:     "ClusterRole",
-		Name:     "test",
+		Name:     st.Spec.ClusterRoles[0].GenerateName,
 		APIGroup: "rbac.authorization.k8s.io",
 	}))
 }
 
+func verifyScopeTemplateStatus(st *operatorsv1.ScopeTemplate, conditionType string, reason string, status metav1.ConditionStatus, message string) {
+	tempSt := &operatorsv1.ScopeTemplate{}
+	Eventually(func() error {
+		Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(st), tempSt)).NotTo(HaveOccurred())
+		if len(tempSt.Status.Conditions) == 0 {
+			return fmt.Errorf("status.conditions len not > 0")
+		}
+		return nil
+	}).Should(Succeed())
+
+	cond := meta.FindStatusCondition(tempSt.Status.Conditions, conditionType)
+	Expect(cond).ShouldNot(BeNil())
+	Expect(cond.ObservedGeneration).Should(Equal(tempSt.Generation))
+	Expect(cond.Reason).Should(Equal(reason))
+	Expect(cond.Status).Should(Equal(status))
+	Expect(cond.Message).Should(Equal(message))
+}
+
 func listRoleBinding(namespace string, numberOfExpectedRoleBindings int, labels map[string]string) *rbacv1.RoleBindingList {
 	roleBindingList := &rbacv1.RoleBindingList{}
 	Eventually(func() error {