open-cluster-management.io/governance-policy-propagator@v0.13.0/controllers/common/common.go

// Copyright (c) 2020 Red Hat, Inc.
// Copyright Contributors to the Open Cluster Management project

// +kubebuilder:skip
package common

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"strings"

	k8serrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/types"
	clusterv1 "open-cluster-management.io/api/cluster/v1"
	clusterv1beta1 "open-cluster-management.io/api/cluster/v1beta1"
	appsv1 "open-cluster-management.io/multicloud-operators-subscription/pkg/apis/apps/placementrule/v1"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/reconcile"

	policiesv1 "open-cluster-management.io/governance-policy-propagator/api/v1"
	policiesv1beta1 "open-cluster-management.io/governance-policy-propagator/api/v1beta1"
)

const (
	APIGroup              string = "policy.open-cluster-management.io"
	ClusterNameLabel      string = APIGroup + "/cluster-name"
	ClusterNamespaceLabel string = APIGroup + "/cluster-namespace"
	RootPolicyLabel       string = APIGroup + "/root-policy"
)

var (
	log                  = ctrl.Log.WithName("common")
	ErrInvalidLabelValue = errors.New("unexpected format of label value")
)

type GuttedObject struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
}

// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GuttedObject) DeepCopyInto(out *GuttedObject) {
	*out = *in
	out.TypeMeta = in.TypeMeta
	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GuttedObject.
func (in *GuttedObject) DeepCopy() *GuttedObject {
	if in == nil {
		return nil
	}

	out := new(GuttedObject)
	in.DeepCopyInto(out)

	return out
}

// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GuttedObject) DeepCopyObject() runtime.Object {
	return in.DeepCopy()
}

// IsInClusterNamespace check if policy is in cluster namespace
func IsInClusterNamespace(ctx context.Context, c client.Client, ns string) (bool, error) {
	cluster := &clusterv1.ManagedCluster{}

	err := c.Get(ctx, types.NamespacedName{Name: ns}, cluster)
	if k8serrors.IsNotFound(err) {
		return false, nil
	}

	if err != nil {
		return false, fmt.Errorf("failed to get the managed cluster %s: %w", ns, err)
	}

	return true, nil
}

func IsReplicatedPolicy(ctx context.Context, c client.Client, policy client.Object) (bool, error) {
	rootPlcName := policy.GetLabels()[RootPolicyLabel]
	if rootPlcName == "" {
		return false, nil
	}

	_, _, err := ParseRootPolicyLabel(rootPlcName)
	if err != nil {
		return false, fmt.Errorf("invalid value set in %s: %w", RootPolicyLabel, err)
	}

	return IsInClusterNamespace(ctx, c, policy.GetNamespace())
}

// IsForPolicyOrPolicySet returns true if any of the subjects of the PlacementBinding are Policies
// or PolicySets.
func IsForPolicyOrPolicySet(pb *policiesv1.PlacementBinding) bool {
	if pb == nil {
		return false
	}

	for _, subject := range pb.Subjects {
		if subject.APIGroup == policiesv1.SchemeGroupVersion.Group &&
			(subject.Kind == policiesv1.Kind || subject.Kind == policiesv1.PolicySetKind) {
			return true
		}
	}

	return false
}

// IsPbForPolicySet compares group and kind with policyset group and kind for given pb
func IsPbForPolicySet(pb *policiesv1.PlacementBinding) bool {
	if pb == nil {
		return false
	}

	subjects := pb.Subjects
	for _, subject := range subjects {
		if subject.Kind == policiesv1.PolicySetKind && subject.APIGroup == policiesv1.SchemeGroupVersion.Group {
			return true
		}
	}

	return false
}

// GetPoliciesInPlacementBinding returns a list of the Policies that are either direct subjects of
// the given PlacementBinding, or are in PolicySets that are subjects of the PlacementBinding.
// The list items are guaranteed to be unique (for example if a policy is in multiple sets).
func GetPoliciesInPlacementBinding(
	ctx context.Context, c client.Client, pb *policiesv1.PlacementBinding,
) []reconcile.Request {
	table := map[reconcile.Request]bool{}

	for _, subject := range pb.Subjects {
		if subject.APIGroup != policiesv1.SchemeGroupVersion.Group {
			continue
		}

		switch subject.Kind {
		case policiesv1.Kind:
			req := reconcile.Request{NamespacedName: types.NamespacedName{
				Name:      subject.Name,
				Namespace: pb.GetNamespace(),
			}}

			table[req] = true
		case policiesv1.PolicySetKind:
			setNN := types.NamespacedName{
				Name:      subject.Name,
				Namespace: pb.GetNamespace(),
			}

			policySet := policiesv1beta1.PolicySet{}
			if err := c.Get(ctx, setNN, &policySet); err != nil {
				continue
			}

			for _, plc := range policySet.Spec.Policies {
				req := reconcile.Request{NamespacedName: types.NamespacedName{
					Name:      string(plc),
					Namespace: pb.GetNamespace(),
				}}

				table[req] = true
			}
		}
	}

	result := make([]reconcile.Request, 0, len(table))

	for k := range table {
		result = append(result, k)
	}

	return result
}

// FindNonCompliantClustersForPolicy returns cluster in noncompliant status with given policy
func FindNonCompliantClustersForPolicy(plc *policiesv1.Policy) []string {
	clusterList := []string{}

	for _, clusterStatus := range plc.Status.Status {
		if clusterStatus.ComplianceState == policiesv1.NonCompliant {
			clusterList = append(clusterList, clusterStatus.ClusterName)
		}
	}

	return clusterList
}

func HasValidPlacementRef(pb *policiesv1.PlacementBinding) bool {
	switch pb.PlacementRef.Kind {
	case "PlacementRule":
		return pb.PlacementRef.APIGroup == appsv1.SchemeGroupVersion.Group
	case "Placement":
		return pb.PlacementRef.APIGroup == clusterv1beta1.SchemeGroupVersion.Group
	default:
		return false
	}
}

// GetDecisions returns the placement decisions from the Placement or PlacementRule referred to by
// the PlacementBinding
func GetDecisions(
	ctx context.Context, c client.Client, pb *policiesv1.PlacementBinding,
) ([]string, error) {
	// If the PlacementRef is invalid, log and return. (This is not recoverable.)
	if !HasValidPlacementRef(pb) {
		log.Info(fmt.Sprintf("PlacementBinding %s/%s placementRef is not valid. Ignoring.", pb.Namespace, pb.Name))

		return nil, nil
	}

	clusterDecisions := make([]string, 0)
	refNN := types.NamespacedName{
		Namespace: pb.GetNamespace(),
		Name:      pb.PlacementRef.Name,
	}

	switch pb.PlacementRef.Kind {
	case "Placement":
		pl := &clusterv1beta1.Placement{}

		err := c.Get(ctx, refNN, pl)
		if err != nil && !k8serrors.IsNotFound(err) {
			return nil, fmt.Errorf("failed to get Placement '%v': %w", pb.PlacementRef.Name, err)
		}

		if k8serrors.IsNotFound(err) {
			return nil, nil
		}

		list := &clusterv1beta1.PlacementDecisionList{}
		lopts := &client.ListOptions{Namespace: pb.GetNamespace()}

		opts := client.MatchingLabels{"cluster.open-cluster-management.io/placement": pl.GetName()}
		opts.ApplyToList(lopts)

		err = c.List(ctx, list, lopts)
		if err != nil && !k8serrors.IsNotFound(err) {
			return nil, fmt.Errorf("failed to list the PlacementDecisions for '%v', %w", pb.PlacementRef.Name, err)
		}

		for _, item := range list.Items {
			for _, cluster := range item.Status.Decisions {
				clusterDecisions = append(clusterDecisions, cluster.ClusterName)
			}
		}

		return clusterDecisions, nil
	case "PlacementRule":
		plr := &appsv1.PlacementRule{}
		if err := c.Get(ctx, refNN, plr); err != nil && !k8serrors.IsNotFound(err) {
			return nil, fmt.Errorf("failed to get PlacementRule '%v': %w", pb.PlacementRef.Name, err)
		}

		for _, cluster := range plr.Status.Decisions {
			clusterDecisions = append(clusterDecisions, cluster.ClusterName)
		}

		// if the PlacementRule was not found, the decisions will be empty
		return clusterDecisions, nil
	}

	return nil, fmt.Errorf("placement binding %s/%s reference is not valid", pb.Namespace, pb.Name)
}

func ParseRootPolicyLabel(rootPlc string) (name, namespace string, err error) {
	// namespaces can't have a `.` (but names can) so this always correctly pulls the namespace out
	namespace, name, found := strings.Cut(rootPlc, ".")
	if !found {
		err = fmt.Errorf("required at least one `.` in value of label `%v`: %w",
			RootPolicyLabel, ErrInvalidLabelValue)

		return "", "", err
	}

	return name, namespace, nil
}

// LabelsForRootPolicy returns the labels for given policy
func LabelsForRootPolicy(plc *policiesv1.Policy) map[string]string {
	return map[string]string{RootPolicyLabel: FullNameForPolicy(plc)}
}

// fullNameForPolicy returns the fully qualified name for given policy
// full qualified name: ${namespace}.${name}
func FullNameForPolicy(plc *policiesv1.Policy) string {
	return plc.GetNamespace() + "." + plc.GetName()
}

// GetRepPoliciesInPlacementBinding returns a list of the replicated policies that are either direct subjects of
// the given PlacementBinding, or are in PolicySets that are subjects of the PlacementBinding.
// The list items are guaranteed to be unique (for example if a policy is in multiple sets).
func GetRepPoliciesInPlacementBinding(
	ctx context.Context, c client.Client, pb *policiesv1.PlacementBinding,
) []reconcile.Request {
	decisions, err := GetDecisions(ctx, c, pb)
	if err != nil {
		return []reconcile.Request{}
	}
	// Use this for removing duplicated policies
	rootPolicyRequest := GetPoliciesInPlacementBinding(ctx, c, pb)

	result := make([]reconcile.Request, 0, len(rootPolicyRequest)*len(decisions))

	for _, rp := range rootPolicyRequest {
		for _, clusterName := range decisions {
			result = append(result, reconcile.Request{NamespacedName: types.NamespacedName{
				Name:      rp.Namespace + "." + rp.Name,
				Namespace: clusterName,
			}})
		}
	}

	return result
}

// TypeConverter is a helper function to converter type struct a to b
func TypeConverter(a, b interface{}) error {
	js, err := json.Marshal(a)
	if err != nil {
		return err
	}

	return json.Unmarshal(js, b)
}

// Select objects that are deleted or created
func GetAffectedObjs[T comparable](oldObjs []T, newObjs []T) []T {
	table := make(map[T]int)

	for _, oldObj := range oldObjs {
		table[oldObj] = 1
	}

	for _, newObj := range newObjs {
		table[newObj]++
	}

	result := []T{}

	for key, val := range table {
		if val == 1 {
			result = append(result, key)
		}
	}

	return result
}

type PlacementRefKinds string

const (
	Placement     PlacementRefKinds = "Placement"
	PlacementRule PlacementRefKinds = "PlacementRule"
)

// GetRootPolicyRequests find and filter placementbindings which have namespace and placementRef.name.
// Gather all root policies under placementbindings
func GetRootPolicyRequests(ctx context.Context, c client.Client,
	namespace, placementRefName string, refKind PlacementRefKinds,
) ([]reconcile.Request, error) {
	kindGroupMap := map[PlacementRefKinds]string{
		Placement:     clusterv1beta1.SchemeGroupVersion.Group,
		PlacementRule: appsv1.SchemeGroupVersion.Group,
	}

	pbList := &policiesv1.PlacementBindingList{}
	// Find pb in the same namespace of placementrule
	lopts := &client.ListOptions{Namespace: namespace}
	opts := client.MatchingFields{"placementRef.name": placementRefName}
	opts.ApplyToList(lopts)

	err := c.List(ctx, pbList, lopts)
	if err != nil {
		return nil, err
	}
	var rootPolicyResults []reconcile.Request

	for i, pb := range pbList.Items {
		if pb.PlacementRef.APIGroup != kindGroupMap[refKind] ||
			pb.PlacementRef.Kind != string(refKind) || pb.PlacementRef.Name != placementRefName {
			continue
		}
		// GetPoliciesInPlacementBinding only pick root-policy name
		rootPolicyResults = append(rootPolicyResults,
			GetPoliciesInPlacementBinding(ctx, c, &pbList.Items[i])...)
	}

	return rootPolicyResults, nil
}