From 2a963b11f7914c5f405e1b2c96d172ab1f3d2011 Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Fri, 20 Dec 2024 17:20:32 +0100
Subject: [PATCH] fix: Policy/policy.open-cluster-management.io stuck in progressing status when no clusters match the policy (#21296)
When a policy does not apply to a cluster because the placementrule matches no cluster at all then the status will look like the following: status: placement: - placementBinding: group-one-placement-binding placementRule: group-one-placement Without this change the above will show up as progressing even though there is really nothing to progress. Let's take care of this case by returning healthy when there is no compliant field but the array under placement is non-zero, which means that its placement resolution has happened and there is nothing to do.
Fixes: #21296
Signed-off-by: Michele Baldessari
---
 .../Policy/health.lua | 17 +++++-
 .../Policy/health_test.yaml | 8 +++
 ...ealthy_with_placement_empty_compliant.yaml | 55 +++++++++++++++++++
 .../testdata/progressing_no_status.yaml | 51 +++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml
 create mode 100644 resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/health.lua b/resource_customizations/policy.open-cluster-management.io/Policy/health.lua
index b969c367e121e..3ecf863bfeddd 100644
--- a/resource_customizations/policy.open-cluster-management.io/Policy/health.lua
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/health.lua
@@ -1,9 +1,24 @@
 hs = {}
-if obj.status == nil or obj.status.compliant == nil then
+if obj.status == nil then
 hs.status = "Progressing"
 hs.message = "Waiting for the status to be reported"
 return hs
 end
+
+-- A policy will not have a compliant field but will have a placement key set if
+-- it is not being applied to any clusters
+if obj.status.compliant == nil and #obj.status.placement > 0 and obj.status.status == nil then
+ hs.status = "Healthy"
+ hs.message = "No clusters match this policy"
+ return hs
+end
+
+if obj.status.compliant == nil then
+ hs.status = "Progressing"
+ hs.message = "Waiting for the status to be reported"
+ return hs
+end
+
 if obj.status.compliant == "Compliant" then
 hs.status = "Healthy"
 else
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml b/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml
index ede9cc5c8a2c0..b2caab5155a15 100644
--- a/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml
@@ -15,3 +15,11 @@ tests:
 status: Healthy
 message: All templates are compliant
 inputPath: testdata/healthy_replicated.yaml
+ - healthStatus:
+ status: Progressing
+ message: Waiting for the status to be reported
+ inputPath: testdata/progressing_no_status.yaml
+ - healthStatus:
+ status: Healthy
+ message: No clusters match this policy
+ inputPath: testdata/healthy_with_placement_empty_compliant.yaml
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml
new file mode 100644
index 0000000000000..118f28354aade
--- /dev/null
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml
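Review bot: In the added no-clusters branch, `#obj.status.placement` is evaluated without a nil check, so a Policy whose `status` exists but carries neither `compliant` nor `placement` makes the health script raise a Lua error instead of returning a status. Guarding the length keeps that shape on the Progressing path it took before this change: `if obj.status.compliant == nil and obj.status.placement ~= nil and #obj.status.placement > 0 and obj.status.status == nil then`. Whether the controller ever emits such a status is not visible from the hunk, so a fixture with a `status` block lacking `placement` would pin the behaviour. The branch also reports Healthy for a policy that is enforced on no cluster, so a comment stating that Healthy here means "placement resolved to zero clusters", not "compliant", would help anyone reading the health state as a compliance signal. The trailing `if … else` continues outside the hunk.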
@@ -0,0 +1,55 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ annotations:
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ labels:
+ argocd.argoproj.io/instance: acm
+ name: acm-hub-ca-policy
+ namespace: open-cluster-management
+spec:
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: acm-hub-ca-config-policy
+ spec:
+ namespaceSelector:
+ include:
+ - default
+ object-templates:
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
+ | base64enc hub}}'
+ hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
+ "service-ca.crt" | base64enc hub}}'
+ kind: Secret
+ metadata:
+ name: hub-ca
+ namespace: golang-external-secrets
+ type: Opaque
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: |
+ {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
+ hub-openshift-service-ca.crt: |
+ {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
+ kind: ConfigMap
+ metadata:
+ name: trusted-hub-bundle
+ namespace: imperative
+ remediationAction: enforce
+ severity: medium
+ remediationAction: enforce
+status:
+ placement:
+ - placementBinding: acm-hub-ca-policy-placement-binding
+ placementRule: acm-hub-ca-policy-placement
diff --git a/resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml
new file mode 100644
index 0000000000000..1b5d985ab2972
--- /dev/null
+++ b/resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml
@@ -0,0 +1,51 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ annotations:
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ labels:
+ argocd.argoproj.io/instance: acm
+ name: acm-hub-ca-policy
+ namespace: open-cluster-management
+spec:
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: acm-hub-ca-config-policy
+ spec:
+ namespaceSelector:
+ include:
+ - default
+ object-templates:
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
+ | base64enc hub}}'
+ hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
+ "service-ca.crt" | base64enc hub}}'
+ kind: Secret
+ metadata:
+ name: hub-ca
+ namespace: golang-external-secrets
+ type: Opaque
+ - complianceType: mustonlyhave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ hub-kube-root-ca.crt: |
+ {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
+ hub-openshift-service-ca.crt: |
+ {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
+ kind: ConfigMap
+ metadata:
+ name: trusted-hub-bundle
+ namespace: imperative
+ remediationAction: enforce
+ severity: medium
+ remediationAction: enforce