-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CMP-2615: Add a check aggregate to the compliance scan metadata #588
Conversation
@Vincent056: This pull request references CMP-2615 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
🤖 To deploy this PR, run the following command:
|
b312849
to
8aafdac
Compare
🤖 To deploy this PR, run the following command:
|
@Vincent056 I cannot see any annotation in the compliancescan. Could you please take a look? Thanks.
|
/hold for test |
8aafdac
to
cc9a0d8
Compare
🤖 To deploy this PR, run the following command:
|
Verification pass with CATALOG_IMG ghcr.io/complianceascode/compliance-operator-catalog:588-cc9a0d89b221a015818a2ddd026caf49e9220fc0:
|
@@ -245,6 +245,11 @@ func TestSuiteScan(t *testing.T) { | |||
f.AssertCheckRemediation(checkVsyscall.Name, checkVsyscall.Namespace, true) | |||
} | |||
|
|||
// ensure scan has total check counts annotation | |||
err = f.AssertScanHasTotalCheckCounts(f.OperatorNamespace, workerScanName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could assert each scan in the suite has this, too.
Somewhat related, it would be nice to have an E2E assertion (or set of assertions) that check the ComplianceScan object that we could use consistently across the suite. If this test is ever refactored, and this assertion goes missing, our test coverage for the check-count annotation goes with it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
somthing like all scans in the suite has that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah - it could be a part of the assertion to check for a successful or done scan.
@@ -727,6 +760,7 @@ func (r *ReconcileComplianceScan) phaseDoneHandler(h scanTypeHandler, instance * | |||
// reset phase | |||
logger.Info("Resetting scan") | |||
instanceCopy := instance.DeepCopy() | |||
delete(instanceCopy.Annotations, compv1alpha1.ComplianceCheckCountAnnotation) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could add a check in our e2e test utilities that asserts this annotation is deleted while the suite is waiting for the scan to cycle through it's phases. That way we're protecting this from regression if it gets accidentally removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rhmdnd You mean the user manually removing the check count annotation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Specifically, if line 763 is removed or refactored in a way that doesn't delete the annotation, we'd know about it because we have code in the assertions to make sure it's deleted up until the scan goes into a specific phase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't able to get this to work locally.
I moved the logic to a difference place and got it to work.
$ git d
diff --git a/pkg/controller/compliancescan/compliancescan_controller.go b/pkg/controller/compliancescan/compliancescan_controller.go
index 507f6bbe..d746cafe 100644
--- a/pkg/controller/compliancescan/compliancescan_controller.go
+++ b/pkg/controller/compliancescan/compliancescan_controller.go
@@ -288,6 +288,7 @@ func (r *ReconcileComplianceScan) phasePendingHandler(instance *compv1alpha1.Com
if instance.NeedsRescan() {
instanceCopy := instance.DeepCopy()
delete(instanceCopy.Annotations, compv1alpha1.ComplianceScanRescanAnnotation)
+ delete(instanceCopy.Annotations, compv1alpha1.ComplianceCheckCountAnnotation)
delete(instanceCopy.Annotations, compv1alpha1.ComplianceScanTimeoutAnnotation)
err := r.Client.Update(context.TODO(), instanceCopy)
return reconcile.Result{}, err
cc9a0d8
to
364ee0d
Compare
🤖 To deploy this PR, run the following command:
|
/retest |
}, | ||
} | ||
|
||
err := f.Client.Create(context.TODO(), exampleComplianceSuite, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the rationale behind creating a ComplianceSuite
directly as opposed to using a ScanSettingBinding
?
t.Fatal(err) | ||
} | ||
|
||
// At this point, both scans should be non-compliant given our current content |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: These two assertions aren't hurting anything, but they're probably not overly useful for this particular test since we really just care about asserting the check counts for each scan.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Agree with Lance.. And actually suggest removing these assertions for NonCompliant scans.
When/if rhcos4 moderate profile starts passing out of the box this test will start failing, XD.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Only minor comments and questions that we can choose to clean up in a follow up.
Removing hold due to #588 (comment) |
t.Fatal(err) | ||
} | ||
|
||
// At this point, both scans should be non-compliant given our current content |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Agree with Lance.. And actually suggest removing these assertions for NonCompliant scans.
When/if rhcos4 moderate profile starts passing out of the box this test will start failing, XD.
@@ -727,6 +760,7 @@ func (r *ReconcileComplianceScan) phaseDoneHandler(h scanTypeHandler, instance * | |||
// reset phase | |||
logger.Info("Resetting scan") | |||
instanceCopy := instance.DeepCopy() | |||
delete(instanceCopy.Annotations, compv1alpha1.ComplianceCheckCountAnnotation) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rhmdnd You mean the user manually removing the check count annotation?
364ee0d
to
96718b9
Compare
🤖 To deploy this PR, run the following command:
|
96718b9
to
ec93a11
Compare
Implement a total check count as an annotation of the ComplianceScan, we will add an annotation compliance.openshift.io/check-count to every compliancescan object when a scan is in done state. Noted: This annotation is removed when a new scanPhase begin.
ec93a11
to
387b504
Compare
🤖 To deploy this PR, run the following command:
|
🤖 To deploy this PR, run the following command:
|
/label docs-approved |
/assign GroceryBoyJr |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhmdnd, Vincent056, yuumasato The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test e2e-aws-parallel Transient issues with metrics tests :( |
/test e2e-aws-parallel |
/test e2e-aws-serial Failed on a network blip during clean up, but the tests passed fine. Tracking the e2e improvement in #614 |
Implement a total check count as an annotation of the ComplianceScan, we will add an annotation
compliance.openshift.io/check-count
to everycompliancescan
object when a scan is inDone
state.Noted: This annotation is removed when a new scanPhase begins.
example of output