logging errors and reporting the same on CT and C, when generation in…
…ternt cannot be satisfied

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
JaydipGabani committed Aug 9, 2024
1 parent a1ab00b commit 24dd83d
Showing 2 changed files with 30 additions and 42 deletions.
36 changes: 21 additions & 15 deletions pkg/controller/constraint/constraint_controller.go
Expand Up @@ -64,12 +64,16 @@ import (
)

var (
log = logf.Log.V(logging.DebugLevel).WithName("controller").WithValues(logging.Process, "constraint_controller")
discoveryErr *apiutil.ErrResourceDiscoveryFailed
DefaultGenerateVAPB = flag.Bool("default-create-vap-binding-for-constraints", false, "Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.")
DefaultGenerateVAP = flag.Bool("default-create-vap-for-templates", false, "Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly.")
log = logf.Log.V(logging.DebugLevel).WithName("controller").WithValues(logging.Process, "constraint_controller")
discoveryErr *apiutil.ErrResourceDiscoveryFailed
DefaultGenerateVAPB = flag.Bool("default-create-vap-binding-for-constraints", false, "Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.")
DefaultGenerateVAP = flag.Bool("default-create-vap-for-templates", false, "Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly.")
)

var (
ErrValidatingAdmissionPolicyAPIDisabled = errors.New("ValidatingAdmissionPolicy API is not enabled")
ErrVAPConditionsNotSatisfied = errors.New("Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding")
)
var vapMux sync.RWMutex

var VapAPIEnabled *bool
Expand Down Expand Up @@ -306,13 +310,14 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not report error for validation of enforcement action")
}
return reconcile.Result{}, err
}
generateVAPB, VAPEnforcementActions, err := shouldGenerateVAPB(*DefaultGenerateVAPB, enforcementAction, instance)
if err != nil {
log.Error(err, "could not determine if VAPBinding should be generated")
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: err.Error()})
log.Error(err, "could not get enforcement actions for VAP")
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not report error for getting enforcement actions for VAP")
log.Error(err2, "could not report error when determining if VAPBinding should be generated")
}
return reconcile.Result{}, err
}
Expand All @@ -323,12 +328,12 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
}
if generateVAPB {
if !isAPIEnabled {
r.log.V(1).Info("Warning: ValidatingAdmissionPolicy API is not enabled, cannot create ValidatingAdmissionPolicyBinding")
generateVAPB = false
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: "Warning: ValidatingAdmissionPolicy API is not enabled, cannot create ValidatingAdmissionPolicyBinding"})
log.Error(ErrValidatingAdmissionPolicyAPIDisabled, "Cannot generate ValidatingAdmissionPolicyBinding", "constraint", instance.GetName())
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: fmt.Sprintf("%s, cannot generate ValidatingAdmissionPolicyBinding", ErrValidatingAdmissionPolicyAPIDisabled.Error())})
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not update constraint status error when VAP API is not enabled")
log.Error(err2, "could not update constraint status error when ValidatingAdmissionPolicy API is not enabled")
}
generateVAPB = false
} else {
unversionedCT := &templates.ConstraintTemplate{}
if err := r.scheme.Convert(ct, unversionedCT, nil); err != nil {
Expand All @@ -340,19 +345,20 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
}
hasVAP, err := ShouldGenerateVAP(unversionedCT)
if err != nil {
log.Error(err, "could not determine if ConstraintTemplate is configured to generate ValidatingAdmissionPolicy", "constraint", instance.GetName(), "constraint_template", ct.GetName())
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: err.Error()})
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not update constraint status error when determining if CT should generate VAP")
log.Error(err2, "could not update constraint status error when determining if ConstraintTemplate is configured to generate ValidatingAdmissionPolicy")
}
generateVAPB = false
}
if !hasVAP {
r.log.V(1).Info("Warning: Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding")
generateVAPB = false
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: "Warning: Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding"})
log.Error(ErrVAPConditionsNotSatisfied, "Cannot generate ValidatingAdmissionPolicyBinding", "constraint", instance.GetName(), "constraint_template", ct.GetName())
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: fmt.Sprintf("%s, cannot generate ValidatingAdmissionPolicyBinding", ErrVAPConditionsNotSatisfied.Error())})
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not update constraint status error when conditions are not satisfied to generate VAP")
log.Error(err2, "could not update constraint status error when conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding")
}
generateVAPB = false
}
}
}
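Review bot: After `ShouldGenerateVAP` fails in the block starting `hasVAP, err := ShouldGenerateVAP(unversionedCT)`, control still falls into the following `if !hasVAP {`, so on the error path (where hasVAP is presumably its zero value, false) the constraint status receives two appended errors and two `r.writer.Update` calls in a single reconcile. Chaining the branches avoids the duplicate report: replace the closing brace plus `if !hasVAP {` with `} else if !hasVAP {`. The new sentinel `ErrVAPConditionsNotSatisfied` in the first hunk starts with a capital letter, which staticcheck ST1005 flags and which reads oddly once the text is embedded mid-sentence by `fmt.Sprintf("%s, cannot generate ValidatingAdmissionPolicyBinding", ...)`; `errors.New("conditions are not satisfied ...")` keeps both consistent. The enclosing `Reconcile` begins before and continues past these hunks.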
36 changes: 9 additions & 27 deletions pkg/controller/constrainttemplate/constrainttemplate_controller.go
Expand Up @@ -476,28 +476,24 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
logger.Error(err, "error adding template to watch registry")
return reconcile.Result{}, err
}
isVAPapiEnabled := false
isVapAPIEnabled := false
var groupVersion *schema.GroupVersion
if generateVap {
isVAPapiEnabled, groupVersion = constraint.IsVapAPIEnabled()
isVapAPIEnabled, groupVersion = constraint.IsVapAPIEnabled()
}
logger.Info("isVAPapiEnabled", "isVAPapiEnabled", isVAPapiEnabled)
logger.Info("isVapAPIEnabled", "isVapAPIEnabled", isVapAPIEnabled)
logger.Info("groupVersion", "groupVersion", groupVersion)
if generateVap && (!isVAPapiEnabled || groupVersion == nil) {
logger.V(1).Info("Warning: ValidatingAdmissionPolicy API is not enabled, ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", "name", ct.GetName())
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: "ValidatingAdmissionPolicy API is not enabled, ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate"}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Warning: ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", status, errors.New("ValidatingAdmissionPolicy API is not enabled"))
if generateVap && (!isVapAPIEnabled || groupVersion == nil) {
logger.Error(constraint.ErrValidatingAdmissionPolicyAPIDisabled, "ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", "name", ct.GetName())
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", status, constraint.ErrValidatingAdmissionPolicyAPIDisabled)
return reconcile.Result{}, err
}
// generating vap resources
if generateVap && isVAPapiEnabled && groupVersion != nil {
if generateVap && isVapAPIEnabled && groupVersion != nil {
currentVap, err := vapForVersion(groupVersion)
if err != nil {
logger.Error(err, "error getting vap object with respective groupVersion")
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with correct group version", status, err)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with runtime group version", status, err)
return reconcile.Result{}, err
}
vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
Expand All @@ -512,17 +508,13 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
transformedVap, err := transform.TemplateToPolicyDefinition(unversionedCT)
if err != nil {
logger.Error(err, "transform to vap error", "vapName", vapName)
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not transform to vap object", status, err)
return reconcile.Result{}, err
}

newVap, err := getRunTimeVAP(groupVersion, transformedVap, currentVap)
if err != nil {
logger.Error(err, "getRunTimeVAP error", "vapName", vapName)
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get runtime vap object", status, err)
return reconcile.Result{}, err
}
Expand All @@ -535,8 +527,6 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
logger.Info("creating vap", "vapName", vapName)
if err := r.Create(ctx, newVap); err != nil {
logger.Info("creating vap error", "vapName", vapName, "error", err)
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not create vap object", status, err)
return reconcile.Result{}, err
}
Expand All @@ -547,21 +537,17 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
} else if !reflect.DeepEqual(currentVap, newVap) {
logger.Info("updating vap")
if err := r.Update(ctx, newVap); err != nil {
updateErr := &v1beta1.CreateCRDError{Code: ErrUpdateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, updateErr)
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not update vap object", status, err)
return reconcile.Result{}, err
}
}
}
// do not generate vap resources
// remove if exists
if !generateVap && isVAPapiEnabled && groupVersion != nil {
if !generateVap && isVapAPIEnabled && groupVersion != nil {
currentVap, err := vapForVersion(groupVersion)
if err != nil {
logger.Error(err, "error getting vap object with respective groupVersion")
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with correct group version", status, err)
return reconcile.Result{}, err
}
Expand All @@ -576,8 +562,6 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
if currentVap != nil {
logger.Info("deleting vap")
if err := r.Delete(ctx, currentVap); err != nil {
updateErr := &v1beta1.CreateCRDError{Code: ErrUpdateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, updateErr)
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not delete vap object", status, err)
return reconcile.Result{}, err
}
Expand Down Expand Up @@ -714,8 +698,6 @@ func (r *ReconcileConstraintTemplate) triggerConstraintEvents(ctx context.Contex
cstrObjs, err := r.listObjects(ctx, gvk)
if err != nil {
logger.Error(err, "get all constraints listObjects")
updateErr := &v1beta1.CreateCRDError{Code: ErrUpdateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, updateErr)
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not list all constraint objects", status, err)
return err
}
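Review bot: The two `vapForVersion` failure paths now report the same failure to the template status with different wording — the changed `"Could not get VAP with runtime group version"` in the generate branch versus the untouched `"Could not get VAP with correct group version"` in the removal branch — so which message a user sees depends only on generateVap; pick one wording for both `reportErrorOnCTStatus` calls. The availability test `isVapAPIEnabled && groupVersion != nil` (and its negation) is spelled out three times in this section; computing it once, e.g. `vapAvailable := isVapAPIEnabled && groupVersion != nil` right after the `if generateVap` block, keeps the three conditions from drifting apart. The two `logger.Info` calls that echo `isVapAPIEnabled` and `groupVersion` fire on every update at the default level with a key that repeats the message; if they are debugging aids, `logger.V(1).Info` would match the verbosity the removed warning used. `handleUpdate` begins before and continues past these hunks, and the last hunk belongs to `triggerConstraintEvents`, which is likewise cut at both edges.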