fix: Policy/policy.open-cluster-management.io stuck in progressing status when no clusters match the policy (#21296) (cherry-pick #21297) (#21594)

Signed-off-by: Michele Baldessari <[email protected]>
Co-authored-by: Michele Baldessari <[email protected]>

Author: gcp-cherry-pick-bot[bot]

resource_customizations/policy.open-cluster-management.io/Policy/health.lua

@@ -1,9 +1,24 @@
 hs = {}
-if obj.status == nil or obj.status.compliant == nil then
+if obj.status == nil then
   hs.status = "Progressing"
   hs.message = "Waiting for the status to be reported"
   return hs
 end
+
+-- A policy will not have a compliant field but will have a placement key set if
+-- it is not being applied to any clusters
+if obj.status.compliant == nil and #obj.status.placement > 0 and obj.status.status == nil then
+  hs.status = "Healthy"
+  hs.message = "No clusters match this policy"
+  return hs
+end
+
+if obj.status.compliant == nil then
+  hs.status = "Progressing"
+  hs.message = "Waiting for the status to be reported"
+  return hs
+end
+
 if obj.status.compliant == "Compliant" then
   hs.status = "Healthy"
 else

resource_customizations/policy.open-cluster-management.io/Policy/health_test.yaml

@@ -15,3 +15,11 @@ tests:
       status: Healthy
       message: All templates are compliant
     inputPath: testdata/healthy_replicated.yaml
+  - healthStatus:
+      status: Progressing
+      message: Waiting for the status to be reported
+    inputPath: testdata/progressing_no_status.yaml
+  - healthStatus:
+      status: Healthy
+      message: No clusters match this policy
+    inputPath: testdata/healthy_with_placement_empty_compliant.yaml

resource_customizations/policy.open-cluster-management.io/Policy/testdata/healthy_with_placement_empty_compliant.yaml

@@ -0,0 +1,55 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  annotations:
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    argocd.argoproj.io/instance: acm
+  name: acm-hub-ca-policy
+  namespace: open-cluster-management
+spec:
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: acm-hub-ca-config-policy
+      spec:
+        namespaceSelector:
+          include:
+          - default
+        object-templates:
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            data:
+              hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
+                | base64enc hub}}'
+              hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
+                "service-ca.crt" | base64enc hub}}'
+            kind: Secret
+            metadata:
+              name: hub-ca
+              namespace: golang-external-secrets
+            type: Opaque
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            data:
+              hub-kube-root-ca.crt: |
+                {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
+              hub-openshift-service-ca.crt: |
+                {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
+            kind: ConfigMap
+            metadata:
+              name: trusted-hub-bundle
+              namespace: imperative
+        remediationAction: enforce
+        severity: medium
+  remediationAction: enforce
+status:
+  placement:
+  - placementBinding: acm-hub-ca-policy-placement-binding
+    placementRule: acm-hub-ca-policy-placement

resource_customizations/policy.open-cluster-management.io/Policy/testdata/progressing_no_status.yaml

@@ -0,0 +1,51 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  annotations:
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  labels:
+    argocd.argoproj.io/instance: acm
+  name: acm-hub-ca-policy
+  namespace: open-cluster-management
+spec:
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: acm-hub-ca-config-policy
+      spec:
+        namespaceSelector:
+          include:
+          - default
+        object-templates:
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            data:
+              hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
+                | base64enc hub}}'
+              hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
+                "service-ca.crt" | base64enc hub}}'
+            kind: Secret
+            metadata:
+              name: hub-ca
+              namespace: golang-external-secrets
+            type: Opaque
+        - complianceType: mustonlyhave
+          objectDefinition:
+            apiVersion: v1
+            data:
+              hub-kube-root-ca.crt: |
+                {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
+              hub-openshift-service-ca.crt: |
+                {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
+            kind: ConfigMap
+            metadata:
+              name: trusted-hub-bundle
+              namespace: imperative
+        remediationAction: enforce
+        severity: medium
+  remediationAction: enforce