  1. Red Hat Advanced Cluster Management
  2. ACM-13094

Add doc for configuring policy health checks in OpenShift GitOps

      Note: Doc team updates the current version of the documentation and the
      two previous versions (n-2), but we address *only high-priority, or
      customer-reported issues* for -2 releases in support.
      Describe the changes in the doc and link to your dev story:

      1. - [ ] Mandatory: Add the required version to the Fix version/s field.

      2. - [x] Mandatory: Choose the type of documentation change or review.

      • [ ] We need to update to an existing topic
      • [x] We need to add a new document to an existing section
      • [ ] We need a whole new section; this is a function not
        documented before and doesn't belong in any current section
      • [ ] We need an Operator Advisory review and approval
      • [ ] We need a z-Stream (Errata) Advisory and Release note
        for MCE and/or ACM

      3. - [x] *Mandatory:* Use the following link to open the doc and find where the
      documentation update should go. Note: As the feature and doc are
      understood and developed, this placement decision may change:

      4. - [x] Mandatory for GA content:

      • [x] Add steps, the diff, known issue, and/or other important
        conceptual information in the following space:

      OpenShift GitOps / ArgoCD allows for custom health checks for different resource kinds. We developed some of these for our Policy types in https://issues.redhat.com/browse/ACM-12570. Those will (hopefully) be accepted into the community and "baked in" to future versions of GitOps/ArgoCD, but for versions that do not have that yet, it is still possible to use them.

      In particular, the `spec.resourceHealthChecks` field in the `ArgoCD` object (used by the OpenShift GitOps operator) defines additional health checks that will be used. For our policy types, we need to document how to add these pieces:

      apiVersion: argoproj.io/v1beta1
      kind: ArgoCD
      metadata:
        name: openshift-gitops
        namespace: openshift-gitops
      spec:
        resourceHealthChecks:
          - group: policy.open-cluster-management.io
            kind: CertificatePolicy
            check: |
              hs = {}
              if obj.status == nil or obj.status.compliant == nil then
                hs.status = "Progressing"
                hs.message = "Waiting for the status to be reported"
                return hs
              end
              if obj.status.compliant == "Compliant" then
                hs.status = "Healthy"
                hs.message = "All certificates found comply with the policy"
                return hs
              else
                hs.status = "Degraded"
                hs.message = "At least one certificate does not comply with the policy"
                return hs
              end
          - group: policy.open-cluster-management.io
            kind: ConfigurationPolicy
            check: |
              hs = {}
              if obj.status == nil or obj.status.compliant == nil then
                hs.status = "Progressing"
                hs.message = "Waiting for the status to be reported"
                return hs
              end
              if obj.status.lastEvaluatedGeneration ~= obj.metadata.generation then
                hs.status = "Progressing"
                hs.message = "Waiting for the status to be updated"
                return hs
              end
              if obj.status.compliant == "Compliant" then
                hs.status = "Healthy"
              else
                hs.status = "Degraded"
              end
              if obj.status.compliancyDetails ~= nil then
                messages = {}
                for _, compliancy in ipairs(obj.status.compliancyDetails) do
                  if compliancy.conditions ~= nil then
                    for _, condition in ipairs(compliancy.conditions) do
                      if condition.message ~= nil and condition.type ~= nil then
                        table.insert(messages, condition.type .. " - " .. condition.message)
                      end
                    end
                  end
                end
                hs.message = table.concat(messages, "; ")
                return hs
              end
              hs.status = "Progressing"
              hs.message = "Waiting for compliance"
              return hs
          - group: policy.open-cluster-management.io
            kind: OperatorPolicy
            check: |
              hs = {}
              if obj.status == nil or obj.status.conditions == nil then
                hs.status = "Progressing"
                hs.message = "Waiting for the status to be reported"
                return hs
              end
              if obj.status.observedGeneration ~= nil and obj.status.observedGeneration ~= obj.metadata.generation then
                hs.status = "Progressing"
                hs.message = "Waiting for the status to be updated"
                return hs
              end
              for i, condition in ipairs(obj.status.conditions) do
                if condition.type == "Compliant" then
                  hs.message = condition.message
                  if condition.status == "True" then
                    hs.status = "Healthy"
                    return hs
                  else
                    hs.status = "Degraded"
                    return hs
                  end
                end
              end
              hs.status = "Progressing"
              hs.message = "Waiting for the compliance condition"
              return hs
          - group: policy.open-cluster-management.io
            kind: Policy
            check: |
              hs = {}
              if obj.status == nil or obj.status.compliant == nil then
                hs.status = "Progressing"
                hs.message = "Waiting for the status to be reported"
                return hs
              end
              if obj.status.compliant == "Compliant" then
                hs.status = "Healthy"
              else
                hs.status = "Degraded"
              end
              noncompliants = {}
              if obj.status.status ~= nil then
                -- "root" policy
                for i, entry in ipairs(obj.status.status) do
                  if entry.compliant ~= "Compliant" then
                    -- append, so the list has no nil gaps for table.getn/table.concat
                    table.insert(noncompliants, entry.clustername)
                  end
                end
                if table.getn(noncompliants) == 0 then
                  hs.message = "All clusters are compliant"
                else
                  hs.message = "NonCompliant clusters: " .. table.concat(noncompliants, ", ")
                end
              elseif obj.status.details ~= nil then
                -- "replicated" policy
                for i, entry in ipairs(obj.status.details) do
                  if entry.compliant ~= "Compliant" then
                    -- append, so the list has no nil gaps for table.getn/table.concat
                    table.insert(noncompliants, entry.templateMeta.name)
                  end
                end
                if table.getn(noncompliants) == 0 then
                  hs.message = "All templates are compliant"
                else
                  hs.message = "NonCompliant templates: " .. table.concat(noncompliants, ", ")
                end
              end
              return hs
      • [ ] *Add Required access level* (example, *Cluster
        Administrator*) for the user to complete the task:
      • [x] Add verification at the end of the task, how does the user
        verify success (a command to run or a result to see?)

      When configured correctly, any policy kinds viewed in the ArgoCD console will show whether they are Healthy, Degraded, or Progressing. When it is not configured, those details are not shown.
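
A check script can also be exercised outside the cluster before it is added to `spec.resourceHealthChecks`. The harness below is an added example, not part of this issue or of the ACM or Argo CD code; it assumes a standalone Lua 5.1+ interpreter and uses constructed sample resources to run the OperatorPolicy check, including the case where a stale `Compliant` condition must not be reported as Healthy.

```lua
-- Offline harness for the OperatorPolicy check body (added example, not project code).
local check_src = [[
hs = {}
if obj.status == nil or obj.status.conditions == nil then
  hs.status = "Progressing"
  hs.message = "Waiting for the status to be reported"
  return hs
end
if obj.status.observedGeneration ~= nil and obj.status.observedGeneration ~= obj.metadata.generation then
  hs.status = "Progressing"
  hs.message = "Waiting for the status to be updated"
  return hs
end
for i, condition in ipairs(obj.status.conditions) do
  if condition.type == "Compliant" then
    hs.message = condition.message
    if condition.status == "True" then
      hs.status = "Healthy"
      return hs
    else
      hs.status = "Degraded"
      return hs
    end
  end
end
hs.status = "Progressing"
hs.message = "Waiting for the compliance condition"
return hs
]]
local compile = loadstring or load  -- loadstring on Lua 5.1, load on 5.2+

local function health(resource)
  obj = resource  -- the check reads the resource from the global `obj`
  return assert(compile(check_src))()
end
-- Constructed sample resources, not taken from a real cluster.
local function op(gen, observed, s)
  local conds = { { type = "Compliant", status = s, message = "constructed" } }
  return { metadata = { generation = gen }, status = { observedGeneration = observed, conditions = conds } }
end
local cases = {
  { "Progressing", { metadata = { generation = 1 } } },  -- no status reported yet
  { "Progressing", op(2, 1, "True") },                   -- stale: spec is newer than status
  { "Healthy",     op(2, 2, "True") },
  { "Degraded",    op(2, 2, "False") },
}
for _, c in ipairs(cases) do
  assert(health(c[2]).status == c[1], "expected " .. c[1])
end
print("all cases passed")
```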

      5. - [x] Mandatory for bugs: What is the diff? Clearly define what the
      problem is, what the change is, and link to the current documentation. Only
      use this for a documentation bug.

      The most similar section we already have is https://github.com/stolostron/rhacm-docs/blob/2.12_stage/gitops/gitops_manage_policy_def.adoc#integrating-the-policy-generator-with-ocp-short-gitops-argo-cd, which documents a similar change to the ArgoCD resource, but instead of configuring health checks, that one configures the instance to use the Policy Generator.

            mdockery@redhat.com Mikela Jackson
            jkulikau@redhat.com Justin Kulikauskas
            Derek Ho Derek Ho