Task
Resolution: Done
ACM 2.12.0
Note: Doc team updates the current version of the documentation and the
two previous versions (n-2), but we address *only high-priority, or
customer-reported issues* for -2 releases in support.
Describe the changes in the doc and link to your dev story:
1. - [ ] Mandatory: Add the required version to the Fix version/s field.
2. - [x] Mandatory: Choose the type of documentation change or review.
- [ ] We need to update to an existing topic
- [x] We need to add a new document to an existing section
- [ ] We need a whole new section; this is a function not
documented before and doesn't belong in any current section
- [ ] We need an Operator Advisory review and approval
- [ ] We need a z-Stream (Errata) Advisory and Release note
for MCE and/or ACM
3. - [x] *Mandatory:* Use the following link to open the doc and find where the
documentation update should go. Note: As the feature and doc are
understood and developed, this placement decision may change:
- Published doc: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.11/html-single/gitops/index#gitops-policy-definitions
- Source: https://github.com/stolostron/rhacm-docs/blob/2.12_stage/gitops/gitops_manage_policy_def.adoc
4. - [x] Mandatory for GA content:
- [x] Add steps, the diff, known issue, and/or other important
conceptual information in the following space:
OpenShift GitOps / ArgoCD allows for custom health checks for different resource kinds. We developed some of these for our Policy types in https://issues.redhat.com/browse/ACM-12570. Those will (hopefully) be accepted into the community and "baked in" to future versions of GitOps/ArgoCD, but for versions that do not have that yet, it is still possible to use them.
In particular, the `spec.resourceHealthChecks` field in the `ArgoCD` object (used by the OpenShift GitOps operator) defines additional health checks that will be used. For our policy types, we need to document how to add these pieces:
```yaml
# Custom Lua health checks for the policy.open-cluster-management.io kinds
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: openshift-gitops
  namespace: openshift-gitops
spec:
  resourceHealthChecks:
    - group: policy.open-cluster-management.io
      kind: CertificatePolicy
      check: |
        hs = {}
        -- No status yet: the controller has not evaluated the policy
        if obj.status == nil or obj.status.compliant == nil then
          hs.status = "Progressing"
          hs.message = "Waiting for the status to be reported"
          return hs
        end
        if obj.status.compliant == "Compliant" then
          hs.status = "Healthy"
          hs.message = "All certificates found comply with the policy"
          return hs
        else
          hs.status = "Degraded"
          hs.message = "At least one certificate does not comply with the policy"
          return hs
        end
    - group: policy.open-cluster-management.io
      kind: ConfigurationPolicy
      check: |
        hs = {}
        if obj.status == nil or obj.status.compliant == nil then
          hs.status = "Progressing"
          hs.message = "Waiting for the status to be reported"
          return hs
        end
        -- The reported status belongs to an older generation of the spec
        if obj.status.lastEvaluatedGeneration ~= obj.metadata.generation then
          hs.status = "Progressing"
          hs.message = "Waiting for the status to be updated"
          return hs
        end
        if obj.status.compliant == "Compliant" then
          hs.status = "Healthy"
        else
          hs.status = "Degraded"
        end
        -- Build the message from every condition of every template
        if obj.status.compliancyDetails ~= nil then
          messages = {}
          for i, compliancy in ipairs(obj.status.compliancyDetails) do
            if compliancy.conditions ~= nil then
              for i, condition in ipairs(compliancy.conditions) do
                if condition.message ~= nil and condition.type ~= nil then
                  table.insert(messages, condition.type .. " - " .. condition.message)
                end
              end
            end
          end
          hs.message = table.concat(messages, "; ")
          return hs
        end
        hs.status = "Progressing"
        hs.message = "Waiting for compliance"
        return hs
    - group: policy.open-cluster-management.io
      kind: OperatorPolicy
      check: |
        hs = {}
        if obj.status == nil or obj.status.conditions == nil then
          hs.status = "Progressing"
          hs.message = "Waiting for the status to be reported"
          return hs
        end
        -- The reported status belongs to an older generation of the spec
        if obj.status.observedGeneration ~= nil and obj.status.observedGeneration ~= obj.metadata.generation then
          hs.status = "Progressing"
          hs.message = "Waiting for the status to be updated"
          return hs
        end
        -- Health follows the "Compliant" condition
        for i, condition in ipairs(obj.status.conditions) do
          if condition.type == "Compliant" then
            hs.message = condition.message
            if condition.status == "True" then
              hs.status = "Healthy"
              return hs
            else
              hs.status = "Degraded"
              return hs
            end
          end
        end
        hs.status = "Progressing"
        hs.message = "Waiting for the compliance condition"
        return hs
    - group: policy.open-cluster-management.io
      kind: Policy
      check: |
        hs = {}
        if obj.status == nil or obj.status.compliant == nil then
          hs.status = "Progressing"
          hs.message = "Waiting for the status to be reported"
          return hs
        end
        if obj.status.compliant == "Compliant" then
          hs.status = "Healthy"
        else
          hs.status = "Degraded"
        end
        noncompliants = {}
        if obj.status.status ~= nil then
          -- "root" policy
          for i, entry in ipairs(obj.status.status) do
            if entry.compliant ~= "Compliant" then
              -- Append so the list has no gaps when earlier entries are compliant
              table.insert(noncompliants, entry.clustername)
            end
          end
          if table.getn(noncompliants) == 0 then
            hs.message = "All clusters are compliant"
          else
            hs.message = "NonCompliant clusters: " .. table.concat(noncompliants, ", ")
          end
        elseif obj.status.details ~= nil then
          -- "replicated" policy
          for i, entry in ipairs(obj.status.details) do
            if entry.compliant ~= "Compliant" then
              -- Append so the list has no gaps when earlier entries are compliant
              table.insert(noncompliants, entry.templateMeta.name)
            end
          end
          if table.getn(noncompliants) == 0 then
            hs.message = "All templates are compliant"
          else
            hs.message = "NonCompliant templates: " .. table.concat(noncompliants, ", ")
          end
        end
        return hs
```
- [ ] *Add Required access level* (example, *Cluster
Administrator*) for the user to complete the task:
- [x] Add verification at the end of the task, how does the user
verify success (a command to run or a result to see?)
When configured correctly, any policy kinds viewed in the ArgoCD console will show whether they are Healthy, Degraded, or Progressing. When it is not configured, those details are not shown.
- [ ] Add link to dev story here: https://issues.redhat.com/browse/ACM-12570
5. - [x] Mandatory for bugs: What is the diff? Clearly define what the
problem is, what the change is, and link to the current documentation. Only
use this for a documentation bug.
The most similar section we already have is https://github.com/stolostron/rhacm-docs/blob/2.12_stage/gitops/gitops_manage_policy_def.adoc#integrating-the-policy-generator-with-ocp-short-gitops-argo-cd, which documents a similar change to the ArgoCD resource, but instead of configuring health checks, that one configures the instance to use the Policy Generator.
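
To complement the console verification described in step 4, the following added example (not part of the ticket or of the ACM or ArgoCD code) audits the JSON form of the `ArgoCD` object, for example the output of `oc get argocd openshift-gitops -n openshift-gitops -o json`, and reports which of the four policy kinds lack a usable health check. The function name `audit_health_checks` and the sample object are assumptions made for illustration.

```python
import json
import sys

POLICY_GROUP = "policy.open-cluster-management.io"
POLICY_KINDS = ("CertificatePolicy", "ConfigurationPolicy", "OperatorPolicy", "Policy")
STATUSES = ("Healthy", "Degraded", "Progressing")


def audit_health_checks(argocd):
    """Map each policy kind to a problem; an empty dict means all four are covered."""
    checks = (argocd.get("spec") or {}).get("resourceHealthChecks") or []
    scripts = {}
    for entry in checks:
        if entry.get("group") == POLICY_GROUP:  # skip checks for other API groups
            scripts[entry.get("kind")] = entry.get("check") or ""
    problems = {}
    for kind in POLICY_KINDS:
        script = scripts.get(kind)
        if script is None:
            problems[kind] = "no health check defined"
        elif not script.strip():
            problems[kind] = "check script is empty"
        else:
            # Textual heuristic: a status name absent from the Lua can never be reported.
            unset = [s for s in STATUSES if s not in script]
            if unset:
                problems[kind] = "never sets: " + ", ".join(unset)
    return problems


# Constructed sample with three deliberate gaps (not taken from a real cluster).
SAMPLE = {"spec": {"resourceHealthChecks": [
    {"group": POLICY_GROUP, "kind": "CertificatePolicy",
     "check": 'hs = {}\nhs.status = "Progressing"\nhs.status = "Healthy"\n'
              'hs.status = "Degraded"\nreturn hs\n'},
    {"group": POLICY_GROUP, "kind": "ConfigurationPolicy", "check": "  \n"},
    {"group": "example.invalid", "kind": "OperatorPolicy", "check": "return {}"},
    {"group": POLICY_GROUP, "kind": "Policy",
     "check": 'hs = {}\nhs.status = "Healthy"\nhs.status = "Degraded"\nreturn hs\n'},
]}}

if __name__ == "__main__":
    # Pipe real JSON on stdin, or run with no input to audit the sample.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for kind, problem in sorted(audit_health_checks(doc).items()):
        print(f"{kind}: {problem}")
```

An empty result means every policy kind has a non-empty check that mentions all three health states; it does not prove the Lua itself is correct.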