From c43d888002f7509683c9df4b2ff204b22441ab2f Mon Sep 17 00:00:00 2001
From: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
Date: Sun, 5 Nov 2023 20:16:15 -0500
Subject: [PATCH] :bug: Disable the propagator webhook; Add ClusterManagementAddon manifests (#388)

* Disable the propagator webhook

A webhook was added, but it requires cert-manager as a prerequisite. Until we can resolve/update that, leave it disabled by default.

Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>

* Add `ClusterManagementAddon` for app and policy

A new check blocked enabling addons if this is missing.

Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>

---------

Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
---
 Makefile | 2 +-
 pkg/cmd/create/sampleapp/suite_test.go | 5 +++--
 pkg/cmd/install/hubaddon/exec.go | 6 +++++-
 .../appmgr/clustermanagementaddon_appmgr.yaml | 9 +++++++++
 .../clustermanagementaddon_configpolicy.yaml | 12 ++++++++++++
 .../clustermanagementaddon_policyframework.yaml | 12 ++++++++++++
 .../addon/policy/propagator_clusterrole.yaml | 16 +++++++---------
 .../addon/policy/propagator_deployment.yaml | 7 +++++++
 .../scenario/addon/policy/propagator_role.yaml | 12 ------------
 pkg/cmd/install/hubaddon/suite_test.go | 10 ++++++++--
 10 files changed, 64 insertions(+), 27 deletions(-)
 create mode 100644 pkg/cmd/install/hubaddon/scenario/addon/appmgr/clustermanagementaddon_appmgr.yaml
 create mode 100644 pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_configpolicy.yaml
 create mode 100644 pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_policyframework.yaml

diff --git a/Makefile b/Makefile
index 52e90abd4..7e3832284 100644
--- a/Makefile
+++ b/Makefile
@@ -90,7 +90,7 @@ check-copyright:
 @build/check-copyright.sh
 .PHONY: test
-test:
+test: deps
 @build/run-unit-tests.sh
 .PHONY: clean-test
diff --git a/pkg/cmd/create/sampleapp/suite_test.go b/pkg/cmd/create/sampleapp/suite_test.go
index 3f4bb175b..2b585dd46 100644
--- a/pkg/cmd/create/sampleapp/suite_test.go
+++ b/pkg/cmd/create/sampleapp/suite_test.go
@@ -2,14 +2,15 @@ package sampleapp
 import (
+ "path/filepath"
+ "testing"
+
 "k8s.io/apimachinery/pkg/api/meta"
 "k8s.io/client-go/discovery"
 "k8s.io/client-go/discovery/cached/memory"
 "k8s.io/client-go/restmapper"
 "k8s.io/client-go/tools/clientcmd"
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
- "path/filepath"
- "testing"
 "github.com/onsi/ginkgo/v2"
 "github.com/onsi/gomega"
diff --git a/pkg/cmd/install/hubaddon/exec.go b/pkg/cmd/install/hubaddon/exec.go
index ff3322dbc..ec9ebcf53 100644
--- a/pkg/cmd/install/hubaddon/exec.go
+++ b/pkg/cmd/install/hubaddon/exec.go
@@ -3,10 +3,11 @@ package hubaddon
 import (
 "fmt"
- "open-cluster-management.io/clusteradm/pkg/helpers/reader"
 "os"
 "strings"
+ "open-cluster-management.io/clusteradm/pkg/helpers/reader"
+
 "github.com/spf13/cobra"
 "k8s.io/klog/v2"
@@ -89,6 +90,7 @@ func (o *Options) runWithClient() error {
 // Install the Application Management Addon
 case appMgrAddonName:
 files := []string{
+ "addon/appmgr/clustermanagementaddon_appmgr.yaml",
 "addon/appmgr/clusterrole_agent.yaml",
 "addon/appmgr/clusterrole_binding.yaml",
 "addon/appmgr/clusterrole.yaml",
@@ -139,6 +141,8 @@ func (o *Options) runWithClient() error {
 "addon/policy/propagator_role.yaml",
 "addon/policy/propagator_rolebinding.yaml",
 "addon/policy/propagator_serviceaccount.yaml",
+ "addon/policy/clustermanagementaddon_configpolicy.yaml",
+ "addon/policy/clustermanagementaddon_policyframework.yaml",
 "addon/appmgr/crd_placementrule.yaml",
 }
diff --git a/pkg/cmd/install/hubaddon/scenario/addon/appmgr/clustermanagementaddon_appmgr.yaml b/pkg/cmd/install/hubaddon/scenario/addon/appmgr/clustermanagementaddon_appmgr.yaml
new file mode 100644
index 000000000..fd00f5afd
--- /dev/null
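Review bot: The two policy `ClusterManagementAddOn` manifests are appended after the propagator resources in the `@@ -139,6 +141,8 @@` hunk, while the appmgr one is placed first in its list in the `@@ -89,6 +90,7 @@` hunk; the two lists would be easier to audit if both followed the same convention. Moving `"addon/policy/clustermanagementaddon_configpolicy.yaml",` and `"addon/policy/clustermanagementaddon_policyframework.yaml",` to the head of the policy list would match appmgr and, presumably, register the addon before its hub components are applied. `runWithClient` starts and ends outside both hunks, so whether the apply order is otherwise significant cannot be confirmed from here.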
+++ b/pkg/cmd/install/hubaddon/scenario/addon/appmgr/clustermanagementaddon_appmgr.yaml
@@ -0,0 +1,9 @@
+# Copyright Contributors to the Open Cluster Management project
+apiVersion: addon.open-cluster-management.io/v1alpha1
+kind: ClusterManagementAddOn
+metadata:
+ name: application-manager
+spec:
+ addOnMeta:
+ description: Synchronizes application on the managed clusters from the hub
+ displayName: Application Manager
diff --git a/pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_configpolicy.yaml b/pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_configpolicy.yaml
new file mode 100644
index 000000000..3550c5fe4
--- /dev/null
+++ b/pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_configpolicy.yaml
@@ -0,0 +1,12 @@
+# Copyright Contributors to the Open Cluster Management project
+apiVersion: addon.open-cluster-management.io/v1alpha1
+kind: ClusterManagementAddOn
+metadata:
+ name: config-policy-controller
+spec:
+ addOnMeta:
+ description: Audits k8s resources and remediates violation based on configuration policies.
+ displayName: Config Policy Addon
+ supportedConfigs:
+ - group: addon.open-cluster-management.io
+ resource: addondeploymentconfigs
diff --git a/pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_policyframework.yaml b/pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_policyframework.yaml
new file mode 100644
index 000000000..5c07072be
--- /dev/null
+++ b/pkg/cmd/install/hubaddon/scenario/addon/policy/clustermanagementaddon_policyframework.yaml
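Review bot: `supportedConfigs` is absent from the application-manager `ClusterManagementAddOn`, while both policy manifests added in this commit declare `addondeploymentconfigs`. If application-manager is also meant to accept an `AddOnDeploymentConfig` the block should match the policy ones; if it intentionally takes none, a comment under `spec:` such as `# application-manager takes no AddOnDeploymentConfig, so no supportedConfigs` would save the next reader the question. The `description` value also reads better as `Synchronizes applications on the managed clusters from the hub`.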
@@ -0,0 +1,12 @@
+# Copyright Contributors to the Open Cluster Management project
+apiVersion: addon.open-cluster-management.io/v1alpha1
+kind: ClusterManagementAddOn
+metadata:
+ name: governance-policy-framework
+spec:
+ addOnMeta:
+ description: Distributes policies and collects policy evaluation results.
+ displayName: Governance Policy Framework Addon
+ supportedConfigs:
+ - group: addon.open-cluster-management.io
+ resource: addondeploymentconfigs
diff --git a/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_clusterrole.yaml b/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_clusterrole.yaml
index 5da55241c..e6f9f8c6c 100644
--- a/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_clusterrole.yaml
+++ b/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_clusterrole.yaml
@@ -41,7 +41,7 @@ rules:
 - apiGroups:
 - ""
 resources:
- - configmaps
+ - events
 verbs:
 - create
 - delete
@@ -53,21 +53,19 @@ rules:
 - apiGroups:
 - ""
 resources:
- - events
+ - secrets
 verbs:
 - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - ""
+ resourceNames:
+ - governance-policy-database
 resources:
 - secrets
 verbs:
- - create
+ - get
+ - list
+ - watch
 - apiGroups:
 - ""
 resourceNames:
diff --git a/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_deployment.yaml b/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_deployment.yaml
index 137244b0f..aa0b3747f 100644
--- a/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_deployment.yaml
+++ b/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_deployment.yaml
@@ -11,6 +11,8 @@ spec:
 name: governance-policy-propagator
 template:
 metadata:
+ annotations:
+ kubectl.kubernetes.io/default-container: governance-policy-propagator
 labels:
 name: governance-policy-propagator
 spec:
@@ -19,6 +21,7 @@ spec:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=:8383
 - --leader-elect
+ - --enable-webhooks=false
 command:
 - governance-policy-propagator
 env:
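Review bot: The `secrets`/`create` rule that the `@@ -53,21 +53,19 @@` hunk leaves in the ClusterRole is not bounded by `resourceNames`, and RBAC cannot restrict `create` by name in any case because the object name is not known at authorization time, so the propagator can still create a secret of any name in any namespace. The new `get`/`list`/`watch` rule is correctly scoped to `governance-policy-database`; if the propagator only ever creates that one secret in its own namespace, moving the `create` verb into the namespaced Role in `propagator_role.yaml` would leave this ClusterRole read-only for secrets. Whichever is chosen, a line such as `# create cannot be limited by resourceNames; it is granted cluster-wide on purpose` above the rule would record the decision. The rule beginning at the hunk's trailing `resourceNames:` continues outside the hunk and was not reviewed.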
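Review bot: `--enable-webhooks=false` in the `@@ -19,6 +21,7 @@` hunk carries no explanation, so the reason the commit message gives (the webhook needs cert-manager as a prerequisite) will not be visible to whoever next edits this manifest and may be reverted by accident. A comment directly above the flag, `# Webhooks require cert-manager as a prerequisite; keep disabled until that is resolved (#388)`, would carry that context into the file. The container `args` list continues outside the hunk.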
@@ -30,6 +33,10 @@ spec:
 fieldPath: metadata.name
 - name: OPERATOR_NAME
 value: governance-policy-propagator
+ - name: WATCH_NAMESPACE_COMPLIANCE_EVENTS_STORE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 image: quay.io/open-cluster-management/governance-policy-propagator:{{ .BundleVersion.PolicyAddon }}
 imagePullPolicy: Always
 name: governance-policy-propagator
diff --git a/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_role.yaml b/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_role.yaml
index cbe5f55e5..0edfc1ef0 100644
--- a/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_role.yaml
+++ b/pkg/cmd/install/hubaddon/scenario/addon/policy/propagator_role.yaml
@@ -5,18 +5,6 @@ metadata:
 name: governance-policy-propagator-leader-election-role
 namespace: {{ .Namespace }}
 rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
 - apiGroups:
 - coordination.k8s.io
 resources:
diff --git a/pkg/cmd/install/hubaddon/suite_test.go b/pkg/cmd/install/hubaddon/suite_test.go
index 5604d5686..2dd896824 100644
--- a/pkg/cmd/install/hubaddon/suite_test.go
+++ b/pkg/cmd/install/hubaddon/suite_test.go
@@ -2,13 +2,15 @@ package hubaddon
 import (
+ "path/filepath"
+ "testing"
+
 "k8s.io/apimachinery/pkg/api/meta"
 "k8s.io/client-go/discovery"
 "k8s.io/client-go/discovery/cached/memory"
 "k8s.io/client-go/restmapper"
 "k8s.io/client-go/tools/clientcmd"
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
- "testing"
 "github.com/onsi/ginkgo/v2"
 "github.com/onsi/gomega"
@@ -41,7 +43,11 @@ var _ = ginkgo.BeforeSuite(func() {
 ginkgo.By("bootstrapping test environment")
 // start a kube-apiserver
- testEnv = &envtest.Environment{}
+ testEnv = &envtest.Environment{
+ CRDDirectoryPaths: []string{
+ filepath.Join("..", "..", "..", "..", "vendor", "open-cluster-management.io", "api", "addon", "v1alpha1"),
+ },
+ }
 cfg, err := testEnv.Start()
 gomega.Expect(err).ToNot(gomega.HaveOccurred())
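Review bot: The `CRDDirectoryPaths` entry in the `@@ -41,7 +43,11 @@` hunk makes the envtest start depend on `vendor/open-cluster-management.io/api/addon/v1alpha1` being present, and when it is not, the failure surfaces at `testEnv.Start()` with nothing that says why that directory is needed. The Makefile hunk in this commit adds `deps` as a prerequisite of `test`, presumably to populate `vendor/`, but a plain `go test ./...` will not do that; a comment on the path such as `// ClusterManagementAddOn CRDs, required because the addon scenarios now apply them; populated by make deps` would make the requirement discoverable. The `BeforeSuite` function continues outside the hunk.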