Upgrade constrainttemplate_controller to apiextensionsv1 (#1320)

julianKatz · web-flow · commit 0b1d89ddeaf7 · 2021-05-24T18:07:13.000-07:00
This PR changes constrainttemplate_controller to use apiextensionsv1 to create Constraint kind v1 CRDs. That change revealed some additional problems. In particular, that byPod status was being pruned by the API server. This required a fix in Constraint Framework. open-policy-agent/frameworks#120 adds a status field to the Constraint kind CRD. This allows Gatekeeper to add byPodStatus to the object. This PR imports this new code and updates some tests. Contributes to #550 Signed-off-by: juliankatz <juliankatz@google.com>
diff --git a/apis/addtoscheme_customresourcedefinition_v1.go b/apis/addtoscheme_customresourcedefinition_v1.go
@@ -0,0 +1,25 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apis
+
+import (
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, apiextensionsv1.AddToScheme)
+}
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/onsi/ginkgo v1.14.1
 	github.com/onsi/gomega v1.10.2
 	github.com/open-policy-agent/cert-controller v0.2.0
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20210518223409-ecad1fe8ed8d
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20210522003146-5c034948ac29
 	github.com/open-policy-agent/opa v0.24.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1
diff --git a/go.sum b/go.sum
@@ -330,8 +330,8 @@ github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/open-policy-agent/cert-controller v0.2.0 h1:Z+IPOYDor28l6cjEo2WvTZY6Bv5oYR6wECEIP8pyG/M=
 github.com/open-policy-agent/cert-controller v0.2.0/go.mod h1:SWS7Ame8oKHF11cDsQCFlULrrOMV5Z59FIGEAF/M6YI=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20210518223409-ecad1fe8ed8d h1:PJdSXI31Ul1VEqET4+JQtsJHZurBbR7Gl5iFj5gXD8w=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20210518223409-ecad1fe8ed8d/go.mod h1:y8wOVfZ6+bEmbhBMnLnFlQrJB9eQpVk+dIDa7YrtocI=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20210522003146-5c034948ac29 h1:o2IzbSyOZRmLwmZX52KPbQ/O6vafNnpq2ubgEDNi1Vk=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20210522003146-5c034948ac29/go.mod h1:y8wOVfZ6+bEmbhBMnLnFlQrJB9eQpVk+dIDa7YrtocI=
 github.com/open-policy-agent/opa v0.24.0 h1:fnGOIux+TTGZsC0du1bRBtV8F+KPN55Hks12uE3Fq3E=
 github.com/open-policy-agent/opa v0.24.0/go.mod h1:qEyD/i8j+RQettHGp4f86yjrjvv+ZYia+JHCMv2G7wA=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller.go b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
@@ -38,7 +38,7 @@ import (
 	"github.com/open-policy-agent/opa/ast"
 	errorpkg "github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -210,7 +210,7 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 
 	// Watch for changes to Constraint CRDs
 	err = c.Watch(
-		&source.Kind{Type: &apiextensionsv1beta1.CustomResourceDefinition{}},
+		&source.Kind{Type: &apiextensionsv1.CustomResourceDefinition{}},
 		&handler.EnqueueRequestForOwner{
 			OwnerType:    &v1beta1.ConstraintTemplate{},
 			IsController: true,
@@ -349,9 +349,9 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
 		return reconcile.Result{}, nil
 	}
 
-	proposedCRD := &apiextensionsv1beta1.CustomResourceDefinition{}
+	proposedCRD := &apiextensionsv1.CustomResourceDefinition{}
 	if err := r.scheme.Convert(unversionedProposedCRD, proposedCRD, nil); err != nil {
-		log.Error(err, "conversion error")
+		log.Error(err, "CRD conversion error")
 		r.tracker.TryCancelTemplate(unversionedCT) // Don't track templates that failed compilation
 		r.metrics.registry.add(request.NamespacedName, metrics.ErrorStatus)
 		logError(request.NamespacedName.Name)
@@ -363,7 +363,7 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
 	namespace := unversionedProposedCRD.GetNamespace()
 	// Check if the constraint CRD already exists
 	action := updatedAction
-	currentCRD := &apiextensionsv1beta1.CustomResourceDefinition{}
+	currentCRD := &apiextensionsv1.CustomResourceDefinition{}
 	err = r.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, currentCRD)
 	switch {
 	case err == nil:
@@ -408,7 +408,7 @@ func (r *ReconcileConstraintTemplate) reportErrorOnCTStatus(code, message string
 func (r *ReconcileConstraintTemplate) handleUpdate(
 	ct *v1beta1.ConstraintTemplate,
 	unversionedCT *templates.ConstraintTemplate,
-	proposedCRD, currentCRD *apiextensionsv1beta1.CustomResourceDefinition,
+	proposedCRD, currentCRD *apiextensionsv1.CustomResourceDefinition,
 	status *statusv1beta1.ConstraintTemplatePodStatus,
 ) (reconcile.Result, error) {
 	name := proposedCRD.GetName()
@@ -438,7 +438,7 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
 	t.Observe(unversionedCT)
 	log.Info("[readiness] observed ConstraintTemplate", "name", unversionedCT.GetName())
 
-	var newCRD *apiextensionsv1beta1.CustomResourceDefinition
+	var newCRD *apiextensionsv1.CustomResourceDefinition
 	if currentCRD == nil {
 		newCRD = proposedCRD.DeepCopy()
 	} else {
diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
@@ -41,7 +41,7 @@ import (
 	"golang.org/x/net/context"
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	errors2 "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -122,10 +122,10 @@ violation[{"msg": "denied!"}] {
 	}
 
 	// Uncommenting the below enables logging of K8s internals like watch.
-	//fs := flag.NewFlagSet("", flag.PanicOnError)
-	//klog.InitFlags(fs)
-	//fs.Parse([]string{"--alsologtostderr", "-v=10"})
-	//klog.SetOutput(os.Stderr)
+	// fs := flag.NewFlagSet("", flag.PanicOnError)
+	// klog.InitFlags(fs)
+	// fs.Parse([]string{"--alsologtostderr", "-v=10"})
+	// klog.SetOutput(os.Stderr)
 
 	// Setup the Manager and Controller.  Wrap the Controller Reconcile function so it writes each request to a
 	// channel when it is finished.
@@ -174,7 +174,7 @@ violation[{"msg": "denied!"}] {
 	defer testMgrStopped()
 	// Clean up to remove the crd, constraint and constraint template
 	defer func() {
-		crd := &apiextensionsv1beta1.CustomResourceDefinition{}
+		crd := &apiextensionsv1.CustomResourceDefinition{}
 		g.Expect(c.Get(ctx, crdKey, crd)).NotTo(gomega.HaveOccurred())
 
 		g.Expect(deleteObject(ctx, c, cstr, timeout)).To(gomega.BeNil())
@@ -189,7 +189,7 @@ violation[{"msg": "denied!"}] {
 
 		clientset := kubernetes.NewForConfigOrDie(cfg)
 		g.Eventually(func() error {
-			crd := &apiextensionsv1beta1.CustomResourceDefinition{}
+			crd := &apiextensionsv1.CustomResourceDefinition{}
 			if err := c.Get(ctx, crdKey, crd); err != nil {
 				return err
 			}
@@ -241,14 +241,14 @@ violation[{"msg": "denied!"}] {
 
 	log.Info("Running test: Deleted constraint CRDs are recreated")
 	t.Run("Deleted constraint CRDs are recreated", func(t *testing.T) {
-		crd := &apiextensionsv1beta1.CustomResourceDefinition{}
+		crd := &apiextensionsv1.CustomResourceDefinition{}
 		g.Expect(c.Get(ctx, crdKey, crd)).NotTo(gomega.HaveOccurred())
 		origUID := crd.GetUID()
-		crd.Spec = apiextensionsv1beta1.CustomResourceDefinitionSpec{}
+		crd.Spec = apiextensionsv1.CustomResourceDefinitionSpec{}
 		g.Expect(c.Delete(ctx, crd)).NotTo(gomega.HaveOccurred())
 
 		g.Eventually(func() error {
-			crd := &apiextensionsv1beta1.CustomResourceDefinition{}
+			crd := &apiextensionsv1.CustomResourceDefinition{}
 			if err := c.Get(ctx, crdKey, crd); err != nil {
 				return err
 			}
@@ -259,7 +259,7 @@ violation[{"msg": "denied!"}] {
 				return errors.New("Not yet deleted")
 			}
 			for _, cond := range crd.Status.Conditions {
-				if cond.Type == apiextensionsv1beta1.Established && cond.Status == apiextensionsv1beta1.ConditionTrue {
+				if cond.Type == apiextensionsv1.Established && cond.Status == apiextensionsv1.ConditionTrue {
 					return nil
 				}
 			}
@@ -429,6 +429,7 @@ violation[{"msg": "denied!"}] {
 			},
 		},
 	}
+
 	err := c.Create(ctx, instance)
 	g.Expect(err).NotTo(gomega.HaveOccurred())
 
@@ -577,26 +578,36 @@ func getCByPodStatus(obj *unstructured.Unstructured) (*statusv1beta1.ConstraintP
 }
 
 // makeCRD generates a CRD specified by GVK and plural for testing.
-func makeCRD(gvk schema.GroupVersionKind, plural string) *apiextensionsv1beta1.CustomResourceDefinition {
-	return &apiextensionsv1beta1.CustomResourceDefinition{
+func makeCRD(gvk schema.GroupVersionKind, plural string) *apiextensionsv1.CustomResourceDefinition {
+	trueBool := true
+	return &apiextensionsv1.CustomResourceDefinition{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: fmt.Sprintf("%s.%s", plural, gvk.Group),
 		},
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "CustomResourceDefinition",
-			APIVersion: "apiextensions/v1beta1",
+			APIVersion: "apiextensions/v1",
 		},
-		Spec: apiextensionsv1beta1.CustomResourceDefinitionSpec{
+		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
 			Group: gvk.Group,
-			Names: apiextensionsv1beta1.CustomResourceDefinitionNames{
+			Names: apiextensionsv1.CustomResourceDefinitionNames{
 				Plural:   plural,
 				Singular: strings.ToLower(gvk.Kind),
 				Kind:     gvk.Kind,
 			},
-			Versions: []apiextensionsv1beta1.CustomResourceDefinitionVersion{
-				{Name: gvk.Version, Served: true, Storage: true},
+			Versions: []apiextensionsv1.CustomResourceDefinitionVersion{
+				{
+					Name:    gvk.Version,
+					Served:  true,
+					Storage: true,
+					Schema: &apiextensionsv1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+							XPreserveUnknownFields: &trueBool,
+						},
+					},
+				},
 			},
-			Scope: apiextensionsv1beta1.ClusterScoped,
+			Scope: apiextensionsv1.ClusterScoped,
 		},
 	}
 }
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/crd_helpers.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/crd_helpers.go
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/e2e_tests.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/e2e_tests.go
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/test_handler.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/test_handler.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -149,7 +149,7 @@ github.com/onsi/gomega/types
 # github.com/open-policy-agent/cert-controller v0.2.0
 ## explicit
 github.com/open-policy-agent/cert-controller/pkg/rotator
-# github.com/open-policy-agent/frameworks/constraint v0.0.0-20210518223409-ecad1fe8ed8d
+# github.com/open-policy-agent/frameworks/constraint v0.0.0-20210522003146-5c034948ac29
 ## explicit
 github.com/open-policy-agent/frameworks/constraint/deploy
 github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates
