diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller.go b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
index ff69d8a972e..03ff303361d 100644
--- a/pkg/controller/constrainttemplate/constrainttemplate_controller.go
+++ b/pkg/controller/constrainttemplate/constrainttemplate_controller.go
@@ -310,6 +310,20 @@ func (r *ReconcileConstraintTemplate) Reconcile(ctx context.Context, request rec
 logAction(ct, deletedAction)
 r.metrics.registry.remove(request.NamespacedName)
 }
+ isAPIEnabled, groupVersion := transform.IsVapAPIEnabled(&logger)
+ if isAPIEnabled {
+ currentVap, err := vapForVersion(groupVersion)
+ if err != nil {
+ return reconcile.Result{}, err
+ }
+ vapName := getVAPName(ctUnversioned.GetName())
+ currentVap.SetName(vapName)
+ if err := r.Delete(ctx, currentVap); err != nil {
+ if !apierrors.IsNotFound(err) {
+ return reconcile.Result{}, err
+ }
+ }
+ }
 }
 err = r.deleteAllStatus(ctx, request.Name)
 return result, err
@@ -648,6 +662,10 @@ func vapForVersion(gvk *schema.GroupVersion) (client.Object, error) {
 }
 }
+func getVAPName(constraintName string) string {
+ return fmt.Sprintf("gatekeeper-%s", constraintName)
+}
+
 func getRunTimeVAP(gvk *schema.GroupVersion, transformedVap *admissionregistrationv1beta1.ValidatingAdmissionPolicy, currentVap client.Object) (client.Object, error) {
 if currentVap == nil {
 if gvk.Version == "v1" {
@@ -806,7 +824,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with runtime group version", status, err)
 return err
 }
- vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
+ vapName := getVAPName(unversionedCT.GetName())
 logger.Info("check if VAP exists", "vapName", vapName)
 if err := r.Get(ctx, types.NamespacedName{Name: vapName}, currentVap); err != nil {
 if !apierrors.IsNotFound(err) && !errors.As(err, &discoveryErr) && !meta.IsNoMatchError(err) {
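Review bot: In Reconcile's deleted-template branch, the added `r.Delete(ctx, currentVap)` removes a cluster-scoped ValidatingAdmissionPolicy selected only by the name derived in `getVAPName`, and nothing in the hunk checks that Gatekeeper generated that object, so any policy that happens to be named `gatekeeper-<template name>` would be deleted along with the template. If manageVAP marks the policies it creates (an owner reference or label, not visible here), fetch the object and verify that mark before deleting. The removal of an admission policy is also silent, unlike manageVAP's `logger.Info("check if VAP exists", "vapName", vapName)`; add `logger.Info("deleting VAP", "vapName", vapName)` before the call and return `fmt.Errorf("deleting VAP %q: %w", vapName, err)` so a failed cleanup is traceable. Both new early returns also skip `r.deleteAllStatus`, which presumably is retried on requeue. Reconcile starts and ends outside the hunk.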
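Review bot: `getVAPName` names its parameter `constraintName`, but every caller in this diff passes a ConstraintTemplate name (`ctUnversioned.GetName()`, `unversionedCT.GetName()`); rename it to `templateName`. The helper now decides which ValidatingAdmissionPolicy the controller reads and deletes, so it deserves a doc comment such as `// getVAPName returns the name of the ValidatingAdmissionPolicy generated for the ConstraintTemplate with the given name.`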
@@ -863,7 +881,7 @@ func (r *ReconcileConstraintTemplate) manageVAP(ctx context.Context, ct *v1beta1
 err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with correct group version", status, err)
 return err
 }
- vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
+ vapName := getVAPName(unversionedCT.GetName())
 logger.Info("check if VAP exists", "vapName", vapName)
 if err := r.Get(ctx, types.NamespacedName{Name: vapName}, currentVap); err != nil {
 if !apierrors.IsNotFound(err) && !errors.As(err, &discoveryErr) && !meta.IsNoMatchError(err) {
diff --git a/test/bats/helpers.bash b/test/bats/helpers.bash
index 9f94907ba4f..e2acb9e1205 100644
--- a/test/bats/helpers.bash
+++ b/test/bats/helpers.bash
@@ -73,21 +73,6 @@ wait_for_process() {
 return 1
 }
-wait_for_error() {
- wait_time="$1"
- sleep_time="$2"
- cmd="$3"
- while [ "$wait_time" -gt 0 ]; do
- if eval "$cmd"; then
- sleep "$sleep_time"
- wait_time=$((wait_time - sleep_time))
- else
- return 0
- fi
- done
- return 1
-}
-
 get_ca_cert() {
 destination="$1"
 if [ $(kubectl get secret -n ${GATEKEEPER_NAMESPACE} gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | wc -w) -eq 0 ]; then
diff --git a/test/bats/test.bats b/test/bats/test.bats
index ed5f388b8ee..708b0dacaeb 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -61,8 +61,7 @@ teardown_file() {
 }
 @test "vap test" {
- minor_version=$(echo "$KUBERNETES_VERSION" | cut -d'.' -f2)
- if [ "$minor_version" -lt 28 ] || [ -z $ENABLE_VAP_TESTS ]; then
+ if [ -z $ENABLE_VAP_TESTS ]; then
 skip "skipping vap tests"
 fi
 local api="$(kubectl api-resources | grep validatingadmission)"
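Review bot: The surviving guard `[ -z $ENABLE_VAP_TESTS ]` in the "vap test" case expands the variable unquoted, so it works for an empty value only because `[ -z ]` happens to evaluate true, and it errors if the value ever contains whitespace; write `if [ -z "${ENABLE_VAP_TESTS:-}" ]; then`. With the Kubernetes minor-version check removed, the `kubectl api-resources | grep validatingadmission` probe on the following line appears to be the only thing gating the test on clusters that lack the API. The `@test` body continues outside the hunk.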
@@ -97,10 +96,8 @@ teardown_file() {
 kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding all-must-have-label-scoped"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding all-must-have-label"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label-scoped"
- wait_for_error ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"
+ # wait for k8s to register deletion with eventual consistency
+ sleep 5
 fi
 }
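Review bot: Replacing the four `wait_for_error` polls with `sleep 5` means the test no longer asserts that the generated policy objects are gone once the template is deleted, which is the behaviour the controller change in this commit adds; a cleanup regression would now pass, and on a slow API server the fixed delay becomes a source of flakiness for later tests. Keep a bounded poll instead, for example `wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "! kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"`, and add the same check for the ValidatingAdmissionPolicy itself. This assumes `wait_for_process` retries until its command succeeds; its body is not shown here.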