open-cluster-management-io · openshift-merge-robot · Jan 9, 2023 · Jan 9, 2023
diff --git a/Makefile b/Makefile
@@ -262,6 +262,7 @@ install-crds: manifests
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management-io/api/main/cluster/v1beta1/0000_02_clusters.open-cluster-management.io_placements.crd.yaml --validate=false
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management-io/api/main/cluster/v1beta1/0000_03_clusters.open-cluster-management.io_placementdecisions.crd.yaml --validate=false
 	kubectl apply -f deploy/crds/external/tower.ansible.com_joblaunch_crd.yaml
+	kubectl apply -f test/resources/case5_policy_automation/dns-crd.yaml
 
 .PHONY: install-resources
 install-resources:
@@ -272,6 +273,8 @@ install-resources:
 	@echo creating cluster resources
 	kubectl apply -f test/resources/managed1-cluster.yaml
 	kubectl apply -f test/resources/managed2-cluster.yaml
+	@echo setting a Hub cluster DNS name
+	kubectl apply -f test/resources/case5_policy_automation/cluster-dns.yaml
 
 .PHONY: e2e-dependencies
 e2e-dependencies:

diff --git a/controllers/automation/policyautomation_controller.go b/controllers/automation/policyautomation_controller.go
@@ -6,21 +6,20 @@ package automation
 import (
 	"context"
 	"fmt"
-	"net"
 	"strconv"
-	"strings"
 	"time"
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
@@ -32,8 +31,11 @@ import (
 
 const ControllerName string = "policy-automation"
 
+var dnsGVR = schema.GroupVersionResource{Group: "config.openshift.io", Version: "v1", Resource: "dnses"}
+
 var log = ctrl.Log.WithName(ControllerName)
 
+//+kubebuilder:rbac:groups=config.openshift.io,resources=dnses,resourceNames=cluster,verbs=get
 //+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=policyautomations,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=policyautomations/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=policyautomations/finalizers,verbs=update
@@ -104,41 +106,35 @@ func getTargetListMap(targetList []string) map[string]bool {
 	return targetListMap
 }
 
-// getClusterName will get the hub cluster name information
-func getClusterName() string {
-	hubCluster := ""
-	// Get a config to talk to the apiserver
-	cfg, err := config.GetConfig()
-	if err == nil {
-		hubCluster = cfg.Host
-	} else {
-		log.Error(err, "Unable to get the Kubernetes configuration.")
-	}
+// getClusterDNSName will get the Hub cluster DNS name if the Hub is an OpenShift cluster.
+func (r *PolicyAutomationReconciler) getClusterDNSName(ctx context.Context) (string, error) {
+	dnsCluster, err := r.DynamicClient.Resource(dnsGVR).Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			// This is a debug log to not spam the logs when the Hub is installed on a Kubernetes distribution other
+			// than OpenShift.
+			log.V(2).Info("The Hub cluster DNS name couldn't be determined")
 
-	if len(hubCluster) > 0 {
-		// remove possible https head
-		hubCluster = strings.ReplaceAll(hubCluster, "https://", "")
-		// remove possible http head
-		hubCluster = strings.ReplaceAll(hubCluster, "http://", "")
-		// remove possible port number
-		hubCluster = strings.SplitN(hubCluster, ":", 2)[0]
-		// convert host name to URL if it is IP address
-		if net.ParseIP(hubCluster) != nil {
-			names, _ := net.LookupAddr(hubCluster)
-			if len(names) != 0 {
-				hubCluster = names[0]
-			}
+			return "", nil
 		}
+
+		return "", err
 	}
 
-	log.V(3).Info("Hub Cluster information: %s", hubCluster)
+	dnsName, _, _ := unstructured.NestedString(dnsCluster.Object, "spec", "baseDomain")
+	if dnsName == "" {
+		log.Info("The OpenShift DNS object named cluster did not contain a valid spec.baseDomain value")
+	} else {
+		log.V(2).Info("The Hub cluster DNS name was found", "name", dnsName)
+	}
 
-	return hubCluster
+	return dnsName, nil
 }
 
 // getViolationContext will put the root policy information into violationContext
 // It also puts the status of the non-compliant replicated policies into violationContext
 func (r *PolicyAutomationReconciler) getViolationContext(
+	ctx context.Context,
 	policy *policyv1.Policy,
 	targetList []string,
 	policyAutomation *policyv1beta1.PolicyAutomation,
@@ -157,7 +153,12 @@ func (r *PolicyAutomationReconciler) getViolationContext(
 	// 3) get the root policy namespace
 	violationContext.PolicyNamespace = policy.GetNamespace()
 	// 4) get the root policy hub cluster name
-	violationContext.HubCluster = getClusterName()
+	var err error
+
+	violationContext.HubCluster, err = r.getClusterDNSName(ctx)
+	if err != nil {
+		return policyv1beta1.ViolationContext{}, err
+	}
 
 	// 5) get the policy sets of the root policy
 	plcPlacement := policy.Status.Placement
@@ -178,7 +179,7 @@ func (r *PolicyAutomationReconciler) getViolationContext(
 
 	replicatedPlcList := &policyv1.PolicyList{}
 
-	err := r.List(
+	err = r.List(
 		context.TODO(),
 		replicatedPlcList,
 		client.MatchingLabels(propagator.LabelsForRootPolicy(policy)),
@@ -308,7 +309,7 @@ func (r *PolicyAutomationReconciler) Reconcile(
 			"Creating an Ansible job", "mode", "manual",
 			"clusterCount", strconv.Itoa(len(targetList)))
 
-		violationContext, _ := r.getViolationContext(policy, targetList, policyAutomation)
+		violationContext, _ := r.getViolationContext(ctx, policy, targetList, policyAutomation)
 
 		err = common.CreateAnsibleJob(
 			policyAutomation,
@@ -359,7 +360,7 @@ func (r *PolicyAutomationReconciler) Reconcile(
 			targetList := common.FindNonCompliantClustersForPolicy(policy)
 			if len(targetList) > 0 {
 				log.Info("Creating An Ansible job", "targetList", targetList)
-				violationContext, _ := r.getViolationContext(policy, targetList, policyAutomation)
+				violationContext, _ := r.getViolationContext(ctx, policy, targetList, policyAutomation)
 				err = common.CreateAnsibleJob(policyAutomation, r.DynamicClient, "scan", violationContext)
 				if err != nil {
 					return reconcile.Result{RequeueAfter: requeueAfter}, err
@@ -381,7 +382,7 @@ func (r *PolicyAutomationReconciler) Reconcile(
 			if len(targetList) > 0 {
 				log.Info("Creating an Ansible job", "targetList", targetList)
 
-				violationContext, _ := r.getViolationContext(policy, targetList, policyAutomation)
+				violationContext, _ := r.getViolationContext(ctx, policy, targetList, policyAutomation)
 				err = common.CreateAnsibleJob(
 					policyAutomation,
 					r.DynamicClient,
@@ -492,7 +493,7 @@ func (r *PolicyAutomationReconciler) Reconcile(
 					trimmedTargetList = append(trimmedTargetList, clusterName)
 				}
 				log.Info("Creating An Ansible job", "trimmedTargetList", trimmedTargetList)
-				violationContext, _ := r.getViolationContext(policy, trimmedTargetList, policyAutomation)
+				violationContext, _ := r.getViolationContext(ctx, policy, trimmedTargetList, policyAutomation)
 				err = common.CreateAnsibleJob(
 					policyAutomation,
 					r.DynamicClient,

diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -73,6 +73,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - config.openshift.io
+  resourceNames:
+  - cluster
+  resources:
+  - dnses
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:

diff --git a/deploy/rbac/role.yaml b/deploy/rbac/role.yaml
@@ -32,6 +32,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - config.openshift.io
+  resourceNames:
+  - cluster
+  resources:
+  - dnses
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:

diff --git a/test/e2e/case5_policy_automation_test.go b/test/e2e/case5_policy_automation_test.go
@@ -172,10 +172,7 @@ var _ = Describe("Test policy automation", func() {
 			extraVars := spec.(map[string]interface{})["extra_vars"].(map[string]interface{})
 			Expect(extraVars["policy_name"]).To(Equal("case5-test-policy"))
 			Expect(extraVars["namespace"]).To(Equal(testNamespace))
-			// hub_cluster depends on environment so just check if hub_cluster is set
-			// rather than verifying the hub_cluster name
-			By("Check hub_cluster : " + extraVars["hub_cluster"].(string))
-			Expect(len(extraVars["hub_cluster"].(string)) > 0).To(BeTrue())
+			Expect(extraVars["hub_cluster"]).To(Equal("millienium-falcon.tatooine.local"))
 			Expect(len(extraVars["target_clusters"].([]interface{}))).To(Equal(1))
 			Expect(extraVars["target_clusters"].([]interface{})[0]).To(Equal("managed1"))
 			Expect(len(extraVars["policy_set"].([]interface{}))).To(Equal(1))
@@ -811,10 +808,7 @@ var _ = Describe("Test policy automation", func() {
 			extraVars := spec.(map[string]interface{})["extra_vars"].(map[string]interface{})
 			Expect(extraVars["policy_name"]).To(Equal("case5-test-policy"))
 			Expect(extraVars["namespace"]).To(Equal(testNamespace))
-			// hub_cluster depends on environment so just check if hub_cluster is set
-			// rather than verifying the hub_cluster name
-			By("Check hub_cluster : " + extraVars["hub_cluster"].(string))
-			Expect(len(extraVars["hub_cluster"].(string)) > 0).To(BeTrue())
+			Expect(extraVars["hub_cluster"]).To(Equal("millienium-falcon.tatooine.local"))
 			Expect(len(extraVars["target_clusters"].([]interface{}))).To(Equal(2))
 			Expect(len(extraVars["policy_set"].([]interface{}))).To(Equal(1))
 			Expect(extraVars["policy_set"].([]interface{})[0]).To(Equal("case5-test-policyset"))
@@ -872,7 +866,7 @@ var _ = Describe("Test policy automation", func() {
 				return len(ansiblejobList.Items)
 			}, 30, 1).Should(Equal(2))
 
-			By("Check each policy_violation_context is null in extra_vars for the compliant manual run case")
+			By("Check the policy_violation_context is mostly empty for the compliant manual run case")
 			ansiblejobList, err = clientHubDynamic.Resource(gvrAnsibleJob).Namespace(testNamespace).List(
 				context.TODO(), metav1.ListOptions{},
 			)
@@ -887,8 +881,7 @@ var _ = Describe("Test policy automation", func() {
 			extraVars = spec.(map[string]interface{})["extra_vars"].(map[string]interface{})
 			Expect(extraVars["policy_name"]).To(Equal("case5-test-policy"))
 			Expect(extraVars["namespace"]).To(Equal(testNamespace))
-			By("Check hub_cluster : " + extraVars["hub_cluster"].(string))
-			Expect(len(extraVars["hub_cluster"].(string)) > 0).To(BeTrue())
+			Expect(extraVars["hub_cluster"]).To(Equal("millienium-falcon.tatooine.local"))
 			Expect(len(extraVars["target_clusters"].([]interface{}))).To(Equal(0))
 			Expect(len(extraVars["policy_set"].([]interface{}))).To(Equal(1))
 			Expect(extraVars["policy_set"].([]interface{})[0]).To(Equal("case5-test-policyset"))

diff --git a/test/resources/case5_policy_automation/cluster-dns.yaml b/test/resources/case5_policy_automation/cluster-dns.yaml
@@ -0,0 +1,6 @@
+apiVersion: config.openshift.io/v1
+kind: DNS
+metadata:
+  name: cluster
+spec:
+  baseDomain: millienium-falcon.tatooine.local
diff --git a/test/resources/case5_policy_automation/dns-crd.yaml b/test/resources/case5_policy_automation/dns-crd.yaml
@@ -0,0 +1,135 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.openshift.io: https://github.com/openshift/api/pull/470
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+  creationTimestamp: "2023-01-09T07:07:25Z"
+  generation: 1
+  name: dnses.config.openshift.io
+  ownerReferences:
+  - apiVersion: config.openshift.io/v1
+    kind: ClusterVersion
+    name: version
+    uid: ace25b63-dff4-415f-9c1d-c7583b57e40d
+  resourceVersion: "1100"
+  uid: 37084ebf-13f5-4c39-a9ff-fda238db6a3f
+spec:
+  conversion:
+    strategy: None
+  group: config.openshift.io
+  names:
+    kind: DNS
+    listKind: DNSList
+    plural: dnses
+    singular: dns
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: "DNS holds cluster-wide information about DNS. The canonical
+          name is `cluster` \n Compatibility level 1: Stable within a major release
+          for a minimum of 12 months or 3 minor releases (whichever is longer)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec holds user settable values for configuration
+            properties:
+              baseDomain:
+                description: "baseDomain is the base domain of the cluster. All managed
+                  DNS records will be sub-domains of this base. \n For example, given
+                  the base domain `openshift.example.com`, an API server DNS record
+                  may be created for `cluster-api.openshift.example.com`. \n Once
+                  set, this field cannot be changed."
+                type: string
+              privateZone:
+                description: "privateZone is the location where all the DNS records
+                  that are only available internally to the cluster exist. \n If this
+                  field is nil, no private records should be created. \n Once set,
+                  this field cannot be changed."
+                properties:
+                  id:
+                    description: "id is the identifier that can be used to find the
+                      DNS hosted zone. \n on AWS zone can be fetched using `ID` as
+                      id in [1] on Azure zone can be fetched using `ID` as a pre-determined
+                      name in [2], on GCP zone can be fetched using `ID` as a pre-determined
+                      name in [3]. \n [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+                      [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+                      [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get"
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: "tags can be used to query the DNS hosted zone. \n
+                      on AWS, resourcegroupstaggingapi [1] can be used to fetch a
+                      zone using `Tags` as tag-filters, \n [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options"
+                    type: object
+                type: object
+              publicZone:
+                description: "publicZone is the location where all the DNS records
+                  that are publicly accessible to the internet exist. \n If this field
+                  is nil, no public records should be created. \n Once set, this field
+                  cannot be changed."
+                properties:
+                  id:
+                    description: "id is the identifier that can be used to find the
+                      DNS hosted zone. \n on AWS zone can be fetched using `ID` as
+                      id in [1] on Azure zone can be fetched using `ID` as a pre-determined
+                      name in [2], on GCP zone can be fetched using `ID` as a pre-determined
+                      name in [3]. \n [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+                      [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+                      [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get"
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: "tags can be used to query the DNS hosted zone. \n
+                      on AWS, resourcegroupstaggingapi [1] can be used to fetch a
+                      zone using `Tags` as tag-filters, \n [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options"
+                    type: object
+                type: object
+            type: object
+          status:
+            description: status holds observed values from the cluster. They may not
+              be overridden.
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: DNS
+    listKind: DNSList
+    plural: dnses
+    singular: dns
+  conditions:
+  - lastTransitionTime: "2023-01-09T07:07:25Z"
+    message: no conflicts found
+    reason: NoConflicts
+    status: "True"
+    type: NamesAccepted
+  - lastTransitionTime: "2023-01-09T07:07:25Z"
+    message: the initial names have been accepted
+    reason: InitialNamesAccepted
+    status: "True"
+    type: Established
+  storedVersions:
+  - v1