Add an owner reference and a watch to Constraint Template CRDs, remove finalizers

Makefile

@@ -84,12 +84,13 @@ e2e-helm-deploy:
 	# tiller needs enough permissions to create CRDs
 	kubectl create clusterrolebinding tiller-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
 	# Download and install helm
-	curl https://raw.githubusercontent.com/helm/helm/master/scripts/get > get_helm.sh
-	chmod 700 get_helm.sh
-	./get_helm.sh
-	helm init --wait --history-max=5
+	rm -rf .staging/helm
+	mkdir -p .staging/helm
+	curl https://get.helm.sh/helm-v2.15.2-linux-amd64.tar.gz > .staging/helm/helmbin.tar.gz
+	cd .staging/helm && tar -xvf helmbin.tar.gz
+	./.staging/helm/linux-amd64/helm init --wait --history-max=5
 	kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s
-	helm install manifest_staging/chart/gatekeeper-operator --name=tiger --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE}
+	./.staging/helm/linux-amd64/helm install manifest_staging/chart/gatekeeper-operator --name=tiger --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE}
 
 # Build manager binary
 manager: generate fmt vet
@@ -218,11 +219,4 @@ endif
 
 .PHONY: vendor
 vendor:
-	$(eval $@_TMP := $(shell mktemp -d))
-	$(eval $@_CACHE := ${$@_TMP}/pkg/mod/cache/download)
-	GO111MODULE=on go mod download
-	GO111MODULE=on GOPROXY=file://${GOPATH}/pkg/mod/cache/download GOPATH=${$@_TMP} go mod download
-	GO111MODULE=on GOPROXY=file://${$@_CACHE} go mod vendor
-	$(eval $@_PACKAGE := $(shell GO111MODULE=on go mod graph | awk '{print $$2}' | grep '^${FRAMEWORK_PACKAGE}@'))
-	mkdir -p vendor/${FRAMEWORK_PACKAGE}/deploy
-	cp -r ${$@_TMP}/pkg/mod/${$@_PACKAGE}/deploy/* vendor/${FRAMEWORK_PACKAGE}/deploy/.
+	go mod vendor

build/vendormanifests.go

@@ -0,0 +1,8 @@
+// +build tools
+
+package build
+
+import (
+	_ "github.com/open-policy-agent/frameworks/constraint/deploy"
+)
+

go.mod

@@ -9,11 +9,12 @@ require (
 	github.com/go-logr/logr v0.1.0
 	github.com/go-logr/zapr v0.1.0
 	github.com/go-openapi/spec v0.19.4 // indirect
+	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
 	github.com/google/go-cmp v0.3.1
 	github.com/onsi/ginkgo v1.11.0
 	github.com/onsi/gomega v1.8.1
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20200304180616-c46b44c53e49
-	github.com/open-policy-agent/opa v0.16.2
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20200325031139-1a8f361c3e49
+	github.com/open-policy-agent/opa v0.17.2
 	github.com/pkg/errors v0.8.1
 	github.com/prometheus/client_golang v1.1.0
 	go.opencensus.io v0.22.2
@@ -24,5 +25,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.17.2
 	k8s.io/apimachinery v0.17.2
 	k8s.io/client-go v0.17.2
+	k8s.io/klog v1.0.0 // indirect
 	sigs.k8s.io/controller-runtime v0.5.0
+	sigs.k8s.io/controller-tools v0.2.4 // indirect
 )

go.sum

@@ -79,6 +79,7 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -153,6 +154,8 @@ github.com/go-openapi/validate v0.19.5 h1:QhCBKRYqZR+SKo4gl1lPhPahope8/RLt6EVgY8
 github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gobuffalo/flect v0.1.5 h1:xpKq9ap8MbYfhuPCF0dBH854Gp9CxZjr/IocxELFflo=
+github.com/gobuffalo/flect v0.1.5/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -246,11 +249,17 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-runewidth v0.0.0-20181025052659-b20a3daf6a39/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/maxsmythe/frameworks/constraint v0.0.0-20200323235719-2b4fead1eabc h1:qmCTDE85nPBIgXPNPYLcd+jgyIPJQDmK29GYC1FO4CM=
+github.com/maxsmythe/frameworks/constraint v0.0.0-20200323235719-2b4fead1eabc/go.mod h1:X8DFAmMmNYXIlCsBJevCfoteqP1dylPuKurg3SY+80E=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -283,10 +292,16 @@ github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34=
 github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
+github.com/open-policy-agent/frameworks v0.0.0-20200324191623-fdfe40285ae8 h1:eUQk4LtLUNKIhyQquMpeCfd37WaFjF+kBMh9ssM90Es=
 github.com/open-policy-agent/frameworks/constraint v0.0.0-20200304180616-c46b44c53e49 h1:l5EgTkzRJB1lRVihCGCnv/r6s5rdx3M4qvrK2GxCNlA=
 github.com/open-policy-agent/frameworks/constraint v0.0.0-20200304180616-c46b44c53e49/go.mod h1:RYtG2t6a5nly9IWFMNgq/K29YzYMV9ftA7XlGOM75bs=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20200324191623-fdfe40285ae8 h1:HAheBwqSYQ57e0jaSO4sbGDeLb7/QtaIKjuru1Ls658=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20200325031139-1a8f361c3e49 h1:UWixju7yHJWZ/A0I5VCy+sN6pZD+ahvKcmu4XLlGNvM=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20200325031139-1a8f361c3e49/go.mod h1:X8DFAmMmNYXIlCsBJevCfoteqP1dylPuKurg3SY+80E=
 github.com/open-policy-agent/opa v0.16.2 h1:Fdt1ysSA3p7z88HVHmUFiPM6hqqXbLDDZF9cQFYaIP0=
 github.com/open-policy-agent/opa v0.16.2/go.mod h1:P0xUE/GQAAgnvV537GzA0Ikw4+icPELRT327QJPkaKY=
+github.com/open-policy-agent/opa v0.17.2 h1:E7l8FvgoyrmphQGtD+h9HfSTcf8b7d3X4PDQ4avrEmo=
+github.com/open-policy-agent/opa v0.17.2/go.mod h1:P0xUE/GQAAgnvV537GzA0Ikw4+icPELRT327QJPkaKY=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -456,6 +471,7 @@ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -540,6 +556,8 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20190905181640-827449938966 h1:B0J02caTR6tpSJozBJyiAzT6CtBzjclw4pgm9gg8Ys0=
+gopkg.in/yaml.v3 v3.0.0-20190905181640-827449938966/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -602,6 +620,8 @@ sigs.k8s.io/controller-runtime v0.4.0 h1:wATM6/m+3w8lj8FXNaO6Fs/rq/vqoOjO1Q116Z9
 sigs.k8s.io/controller-runtime v0.4.0/go.mod h1:ApC79lpY3PHW9xj/w9pj+lYkLgwAAUZwfXkME1Lajns=
 sigs.k8s.io/controller-runtime v0.5.0 h1:CbqIy5fbUX+4E9bpnBFd204YAzRYlM9SWW77BbrcDQo=
 sigs.k8s.io/controller-runtime v0.5.0/go.mod h1:REiJzC7Y00U+2YkMbT8wxgrsX5USpXKGhb2sCtAXiT8=
+sigs.k8s.io/controller-tools v0.2.4 h1:la1h46EzElvWefWLqfsXrnsO3lZjpkI0asTpX6h8PLA=
+sigs.k8s.io/controller-tools v0.2.4/go.mod h1:m/ztfQNocGYBgTTCmFdnK94uVvgxeZeE3LtJvd/jIzA=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190817042607-6149e4549fca/go.mod h1:IIgPezJWb76P0hotTxzDbWsMYB8APh18qZnxkomBpxA=
 sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=

manifest_staging/chart/gatekeeper-operator/templates/gatekeeper.yaml

@@ -458,7 +458,7 @@ spec:
   template:
     metadata:
       annotations: 
-{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+{{- toYaml .Values.podAnnotations | nindent 8 }}
       labels:
         app: '{{ template "gatekeeper-operator.name" . }}'
         chart: '{{ template "gatekeeper-operator.name" . }}'

pkg/controller/constraint/constraint_controller.go

@@ -169,25 +169,30 @@ func (r *ReconcileConstraint) Reconcile(request reconcile.Request) (reconcile.Re
 		log.Error(err, "unpacking request", "request", request)
 		return reconcile.Result{}, nil
 	}
+
 	// Sanity - make sure it is a constraint resource.
 	if gvk.Group != constraintsGroup {
 		// Unrecoverable, do not retry.
 		log.Error(err, "invalid constraint GroupVersion", "gvk", gvk)
 		return reconcile.Result{}, nil
 	}
 
+	deleted := false
 	instance := &unstructured.Unstructured{}
 	instance.SetGroupVersionKind(gvk)
 	if err := r.reader.Get(context.TODO(), unpackedRequest.NamespacedName, instance); err != nil {
-		if errors.IsNotFound(err) {
-			// Object not found, return.  Created objects are automatically garbage collected.
-			// For additional cleanup logic use finalizers.
-			return reconcile.Result{}, nil
+		if !errors.IsNotFound(err) {
+			return reconcile.Result{}, err
 		}
-		// Error reading the object - requeue the request.
-		return reconcile.Result{}, err
+		deleted = true
+		instance = &unstructured.Unstructured{}
+		instance.SetGroupVersionKind(gvk)
+		instance.SetNamespace(unpackedRequest.NamespacedName.Namespace)
+		instance.SetName(unpackedRequest.NamespacedName.Name)
 	}
 
+	deleted = deleted || !instance.GetDeletionTimestamp().IsZero()
+
 	constraintKey := strings.Join([]string{instance.GetKind(), instance.GetName()}, "/")
 	enforcementAction, err := util.GetEnforcementAction(instance.Object)
 	if err != nil {
@@ -201,20 +206,21 @@ func (r *ReconcileConstraint) Reconcile(request reconcile.Request) (reconcile.Re
 		}
 	}()
 
-	if instance.GetDeletionTimestamp().IsZero() {
-		if !HasFinalizer(instance) {
-			status, _, _ := unstructured.NestedFieldCopy(instance.Object, "status")
-			instance.SetFinalizers(append(instance.GetFinalizers(), finalizerName))
-			if err := r.writer.Update(context.Background(), instance); err != nil {
-				return reconcile.Result{Requeue: true}, nil
-			}
+	if HasFinalizer(instance) {
+		status, _, _ := unstructured.NestedFieldCopy(instance.Object, "status")
+		RemoveFinalizer(instance)
+		if err := r.writer.Update(context.Background(), instance); err != nil {
+			return reconcile.Result{Requeue: true}, nil
+		}
 
-			if status != nil {
-				if err := unstructured.SetNestedField(instance.Object, status, "status"); err != nil {
-					log.Error(err, "error preserving constraint status")
-				}
+		if status != nil {
+			if err := unstructured.SetNestedField(instance.Object, status, "status"); err != nil {
+				log.Error(err, "error preserving constraint status")
 			}
 		}
+	}
+
+	if !deleted {
 		r.log.Info("handling constraint update", "instance", instance)
 		status, err := csutil.GetHAStatus(instance)
 		if err != nil {
@@ -242,13 +248,15 @@ func (r *ReconcileConstraint) Reconcile(request reconcile.Request) (reconcile.Re
 			}
 			logAddition(r.log, instance, enforcementAction)
 		}
+
 		status.Enforced = true
 		if err = csutil.SetHAStatus(instance, status); err != nil {
 			return reconcile.Result{}, err
 		}
 		if err = r.statusClient.Status().Update(context.Background(), instance); err != nil {
 			return reconcile.Result{Requeue: true}, nil
 		}
+
 		// adding constraint to cache and sending metrics
 		r.constraintsCache.addConstraintKey(constraintKey, tags{
 			enforcementAction: enforcementAction,
@@ -257,22 +265,14 @@ func (r *ReconcileConstraint) Reconcile(request reconcile.Request) (reconcile.Re
 		reportMetrics = true
 	} else {
 		// Handle deletion
-		if HasFinalizer(instance) {
-			if _, err := r.opa.RemoveConstraint(context.Background(), instance); err != nil {
-				if _, ok := err.(*opa.UnrecognizedConstraintError); !ok {
-					logRemoval(r.log, instance, enforcementAction)
-					return reconcile.Result{}, err
-				}
-			}
-			logRemoval(r.log, instance, enforcementAction)
-			RemoveFinalizer(instance)
-			if err := r.writer.Update(context.Background(), instance); err != nil {
-				return reconcile.Result{Requeue: true}, nil
+		if _, err := r.opa.RemoveConstraint(context.Background(), instance); err != nil {
+			if _, ok := err.(*opa.UnrecognizedConstraintError); !ok {
+				return reconcile.Result{}, err
 			}
-			// removing constraint entry from cache
-			r.constraintsCache.deleteConstraintKey(constraintKey)
-			reportMetrics = true
 		}
+		logRemoval(r.log, instance, enforcementAction)
+		r.constraintsCache.deleteConstraintKey(constraintKey)
+		reportMetrics = true
 	}
 	return reconcile.Result{}, nil
 }