Bug: Only one policyviolation when policyViolationLimit=0

Create a policy with disabled set to true. Then, create a policyAutomation with "everyevent" mode and "policyViolationLimits" set to 0.

Actual results:
Only the violaition status of one cluster was passed into the ansiblejob

Expected results:
All violations status of all clusters should be passed

Ref: https://issues.redhat.com/browse/ACM-4777
Signed-off-by: Yi Rae Kim <yikim@redhat.com>

Author: yiraeChristineKim

Makefile

@@ -267,9 +267,11 @@ install-resources:
 	kubectl create ns policy-propagator-test
 	kubectl create ns managed1
 	kubectl create ns managed2
+	kubectl create ns managed3
 	@echo creating cluster resources
 	kubectl apply -f test/resources/managed1-cluster.yaml
 	kubectl apply -f test/resources/managed2-cluster.yaml
+	kubectl apply -f test/resources/managed3-cluster.yaml
 	@echo setting a Hub cluster DNS name
 	kubectl apply -f test/resources/case5_policy_automation/cluster-dns.yaml
 

controllers/automation/policyPredicate.go

@@ -3,6 +3,7 @@
 package automation
 
 import (
+	"github.com/google/go-cmp/cmp"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
@@ -21,7 +22,7 @@ var policyPredicateFuncs = predicate.Funcs{
 		//nolint:forcetypeassert
 		plcObjOld := e.ObjectOld.(*policiesv1.Policy)
 
-		return plcObjNew.Status.ComplianceState != plcObjOld.Status.ComplianceState
+		return !cmp.Equal(plcObjNew.Status.Status, plcObjOld.Status.Status)
 	},
 	CreateFunc: func(e event.CreateEvent) bool {
 		return false

controllers/automation/policyautomation_controller.go

@@ -360,7 +360,8 @@ func (r *PolicyAutomationReconciler) Reconcile(
 			if len(targetList) > 0 {
 				log.Info("Creating An Ansible job", "targetList", targetList)
 				violationContext, _ := r.getViolationContext(ctx, policy, targetList, policyAutomation)
-				err = common.CreateAnsibleJob(policyAutomation, r.DynamicClient, "scan", violationContext)
+				err = common.CreateAnsibleJob(policyAutomation, r.DynamicClient, "scan",
+					violationContext)
 				if err != nil {
 					return reconcile.Result{RequeueAfter: requeueAfter}, err
 				}
@@ -381,6 +382,16 @@ func (r *PolicyAutomationReconciler) Reconcile(
 			if len(targetList) > 0 {
 				log.Info("Creating an Ansible job", "targetList", targetList)
 
+				AjExist, err := common.MatchPAGeneration(policyAutomation,
+					r.DynamicClient, policyAutomation.GetGeneration())
+				if err != nil {
+					log.Error(err, "Failed to get Ansible job's generation")
+
+					return reconcile.Result{}, err
+				}
+				if AjExist {
+					return reconcile.Result{}, nil
+				}
 				violationContext, _ := r.getViolationContext(ctx, policy, targetList, policyAutomation)
 				err = common.CreateAnsibleJob(
 					policyAutomation,

controllers/common/ansible.go

@@ -5,18 +5,68 @@ package common
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"reflect"
 	"regexp"
+	"strconv"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
+	ctrl "sigs.k8s.io/controller-runtime"
 
 	policyv1beta1 "open-cluster-management.io/governance-policy-propagator/api/v1beta1"
 )
 
+const (
+	ControllerName             string = "policy-automation"
+	PolicyAutomationLabel      string = "policy.open-cluster-management.io/policyautomation-name"
+	PolicyAutomationGeneration string = "policy.open-cluster-management.io/policyautomation-generation"
+)
+
+var log = ctrl.Log.WithName(ControllerName)
+
+var ansibleJobRes = schema.GroupVersionResource{
+	Group: "tower.ansible.com", Version: "v1alpha1",
+	Resource: "ansiblejobs",
+}
+
+// Check any ansiblejob is made by input genteration number
+// Returning "true" means the policy automation already created ansiblejob with the generation
+func MatchPAGeneration(policyAutomation *policyv1beta1.PolicyAutomation,
+	dynamicClient dynamic.Interface, generation int64,
+) (bool, error) {
+	ansiblejobList, err := dynamicClient.Resource(ansibleJobRes).Namespace(policyAutomation.GetNamespace()).List(
+		context.TODO(), metav1.ListOptions{
+			LabelSelector: fmt.Sprintf("%s=%s", PolicyAutomationLabel, policyAutomation.GetName()),
+		},
+	)
+	if err != nil {
+		log.Error(err, "Failed to get ansiblejob list")
+
+		return false, err
+	}
+
+	ansiblejobLen := len(ansiblejobList.Items)
+	// Check whether new PolicyAutomation
+	if ansiblejobLen == 0 {
+		return false, nil
+	}
+
+	s := strconv.FormatInt(generation, 10)
+
+	for _, aj := range ansiblejobList.Items {
+		annotations := aj.GetAnnotations()
+		if annotations[PolicyAutomationGeneration] == s {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
 // CreateAnsibleJob creates ansiblejob with given PolicyAutomation
 func CreateAnsibleJob(policyAutomation *policyv1beta1.PolicyAutomation,
 	dynamicClient dynamic.Interface, mode string, violationContext policyv1beta1.ViolationContext,
@@ -25,6 +75,12 @@ func CreateAnsibleJob(policyAutomation *policyv1beta1.PolicyAutomation,
 		Object: map[string]interface{}{
 			"apiVersion": "tower.ansible.com/v1alpha1",
 			"kind":       "AnsibleJob",
+			"metadata": map[string]interface{}{
+				"annotations": map[string]interface{}{
+					PolicyAutomationGeneration: strconv.
+						FormatInt(policyAutomation.GetGeneration(), 10),
+				},
+			},
 			"spec": map[string]interface{}{
 				"job_template_name": policyAutomation.Spec.Automation.Name,
 				"tower_auth_secret": policyAutomation.Spec.Automation.TowerSecret,
@@ -63,6 +119,11 @@ func CreateAnsibleJob(policyAutomation *policyv1beta1.PolicyAutomation,
 		mapExtraVars[fieldName] = value
 	}
 
+	label := map[string]string{
+		PolicyAutomationLabel: policyAutomation.GetName(),
+	}
+	ansibleJob.SetLabels(label)
+
 	ansibleJob.Object["spec"].(map[string]interface{})["extra_vars"] = mapExtraVars
 
 	if policyAutomation.Spec.Automation.JobTTL != nil {

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/go-logr/zapr v1.2.3
 	github.com/onsi/ginkgo/v2 v2.9.4
 	github.com/onsi/gomega v1.27.6
+	github.com/google/go-cmp v0.5.9
 	github.com/prometheus/client_golang v1.15.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stolostron/go-log-utils v0.1.2
@@ -41,7 +42,6 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230502171905-255e3b9b56de // indirect
 	github.com/google/uuid v1.3.0 // indirect