fix: Handle nil health check in post-delete hooks (argoproj#18270) (a…

…rgoproj#18767) * fix: Handle nil health check in post-delete hooks Signed-off-by: Yonatan Sasson <yonatanxd7@gmail.com> * test: Validate deletion of RBAC resources for post-delete hook Signed-off-by: Yonatan Sasson <yonatanxd7@gmail.com> * Update appcontroller_test.go Signed-off-by: Yonatan Sasson <107778824+Yuni-sa@users.noreply.github.com> --------- Signed-off-by: Yonatan Sasson <yonatanxd7@gmail.com> Signed-off-by: Yonatan Sasson <107778824+Yuni-sa@users.noreply.github.com>
fengshunli · Jun 26, 2024 · 999b75f · 999b75f
1 parent 6f84afc
commit 999b75f
Show file tree

Hide file tree

Showing 2 changed files with 162 additions and 24 deletions.
diff --git a/controller/appcontroller_test.go b/controller/appcontroller_test.go
@@ -374,8 +374,8 @@ data:
 
 var fakePostDeleteHook = `
 {
-  "apiVersion": "v1",
-  "kind": "Pod",
+  "apiVersion": "batch/v1",
+  "kind": "Job",
   "metadata": {
     "name": "post-delete-hook",
     "namespace": "default",
@@ -388,22 +388,93 @@ var fakePostDeleteHook = `
     }
   },
   "spec": {
-    "containers": [
-      {
-        "name": "post-delete-hook",
-        "image": "busybox",
-        "restartPolicy": "Never",
-        "command": [
-          "/bin/sh",
-          "-c",
-          "sleep 5 && echo hello from the post-delete-hook pod"
-        ]
+    "template": {
+      "metadata": {
+        "name": "post-delete-hook"
+      },
+      "spec": {
+        "containers": [
+          {
+            "name": "post-delete-hook",
+            "image": "busybox",
+            "command": [
+              "/bin/sh",
+              "-c",
+              "sleep 5 && echo hello from the post-delete-hook job"
+            ]
+          }
+        ],
+        "restartPolicy": "Never"
       }
-    ]
+    }
   }
 }
 `
 
+var fakeServiceAccount = `
+{
+  "apiVersion": "v1",
+  "kind": "ServiceAccount",
+  "metadata": {
+    "name": "hook-serviceaccount",
+    "namespace": "default",
+    "annotations": {
+      "argocd.argoproj.io/hook": "PostDelete",
+      "argocd.argoproj.io/hook-delete-policy": "BeforeHookCreation,HookSucceeded"
+    }
+  }
+}
+`
+
+var fakeRole = `
+{
+  "apiVersion": "rbac.authorization.k8s.io/v1",
+  "kind": "Role",
+  "metadata": {
+    "name": "hook-role",
+    "namespace": "default",
+    "annotations": {
+      "argocd.argoproj.io/hook": "PostDelete",
+      "argocd.argoproj.io/hook-delete-policy": "BeforeHookCreation,HookSucceeded"
+    }
+  },
+  "rules": [
+    {
+      "apiGroups": [""],
+      "resources": ["secrets"],
+      "verbs": ["get", "delete", "list"]
+    }
+  ]
+}
+`
+
+var fakeRoleBinding = `
+{
+  "apiVersion": "rbac.authorization.k8s.io/v1",
+  "kind": "RoleBinding",
+  "metadata": {
+    "name": "hook-rolebinding",
+    "namespace": "default",
+    "annotations": {
+      "argocd.argoproj.io/hook": "PostDelete",
+      "argocd.argoproj.io/hook-delete-policy": "BeforeHookCreation,HookSucceeded"
+    }
+  },
+  "roleRef": {
+    "apiGroup": "rbac.authorization.k8s.io",
+    "kind": "Role",
+    "name": "hook-role"
+  },
+  "subjects": [
+    {
+      "kind": "ServiceAccount",
+      "name": "hook-serviceaccount",
+      "namespace": "default"
+    }
+  ]
+}
+`
+
 func newFakeApp() *v1alpha1.Application {
 	return createFakeApp(fakeApp)
 }
@@ -439,12 +510,39 @@ func newFakeCM() map[string]interface{} {
 }
 
 func newFakePostDeleteHook() map[string]interface{} {
-	var cm map[string]interface{}
-	err := yaml.Unmarshal([]byte(fakePostDeleteHook), &cm)
+	var hook map[string]interface{}
+	err := yaml.Unmarshal([]byte(fakePostDeleteHook), &hook)
 	if err != nil {
 		panic(err)
 	}
-	return cm
+	return hook
+}
+
+func newFakeRoleBinding() map[string]interface{} {
+	var roleBinding map[string]interface{}
+	err := yaml.Unmarshal([]byte(fakeRoleBinding), &roleBinding)
+	if err != nil {
+		panic(err)
+	}
+	return roleBinding
+}
+
+func newFakeRole() map[string]interface{} {
+	var role map[string]interface{}
+	err := yaml.Unmarshal([]byte(fakeRole), &role)
+	if err != nil {
+		panic(err)
+	}
+	return role
+}
+
+func newFakeServiceAccount() map[string]interface{} {
+	var serviceAccount map[string]interface{}
+	err := yaml.Unmarshal([]byte(fakeServiceAccount), &serviceAccount)
+	if err != nil {
+		panic(err)
+	}
+	return serviceAccount
 }
 
 func TestAutoSync(t *testing.T) {
@@ -721,7 +819,7 @@ func TestFinalizeAppDeletion(t *testing.T) {
 
 	// Ensure any stray resources irregularly labeled with instance label of app are not deleted upon deleting,
 	// when app project restriction is in place
-	t.Run("ProjectRestrictionEnforced", func(*testing.T) {
+	t.Run("ProjectRestrictionEnforced", func(t *testing.T) {
 		restrictedProj := v1alpha1.AppProject{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "restricted",
@@ -882,7 +980,13 @@ func TestFinalizeAppDeletion(t *testing.T) {
 		app.SetPostDeleteFinalizer()
 		app.Spec.Destination.Namespace = test.FakeArgoCDNamespace
 		liveHook := &unstructured.Unstructured{Object: newFakePostDeleteHook()}
-		require.NoError(t, unstructured.SetNestedField(liveHook.Object, "Succeeded", "status", "phase"))
+		conditions := []interface{}{
+			map[string]interface{}{
+				"type":   "Complete",
+				"status": "True",
+			},
+		}
+		require.NoError(t, unstructured.SetNestedField(liveHook.Object, conditions, "status", "conditions"))
 		ctrl := newFakeController(&fakeData{
 			manifestResponses: []*apiclient.ManifestResponse{{
 				Manifests: []string{fakePostDeleteHook},
@@ -916,15 +1020,27 @@ func TestFinalizeAppDeletion(t *testing.T) {
 		app := newFakeApp()
 		app.SetPostDeleteFinalizer("cleanup")
 		app.Spec.Destination.Namespace = test.FakeArgoCDNamespace
+		liveRoleBinding := &unstructured.Unstructured{Object: newFakeRoleBinding()}
+		liveRole := &unstructured.Unstructured{Object: newFakeRole()}
+		liveServiceAccount := &unstructured.Unstructured{Object: newFakeServiceAccount()}
 		liveHook := &unstructured.Unstructured{Object: newFakePostDeleteHook()}
-		require.NoError(t, unstructured.SetNestedField(liveHook.Object, "Succeeded", "status", "phase"))
+		conditions := []interface{}{
+			map[string]interface{}{
+				"type":   "Complete",
+				"status": "True",
+			},
+		}
+		require.NoError(t, unstructured.SetNestedField(liveHook.Object, conditions, "status", "conditions"))
 		ctrl := newFakeController(&fakeData{
 			manifestResponses: []*apiclient.ManifestResponse{{
-				Manifests: []string{fakePostDeleteHook},
+				Manifests: []string{fakeRoleBinding, fakeRole, fakeServiceAccount, fakePostDeleteHook},
 			}},
 			apps: []runtime.Object{app, &defaultProj},
 			managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
-				kube.GetResourceKey(liveHook): liveHook,
+				kube.GetResourceKey(liveRoleBinding):    liveRoleBinding,
+				kube.GetResourceKey(liveRole):           liveRole,
+				kube.GetResourceKey(liveServiceAccount): liveServiceAccount,
+				kube.GetResourceKey(liveHook):           liveHook,
 			},
 		}, nil)
 
@@ -943,9 +1059,14 @@ func TestFinalizeAppDeletion(t *testing.T) {
 			return []*v1alpha1.Cluster{}, nil
 		})
 		require.NoError(t, err)
-		// post-delete hook is deleted
-		require.Len(t, ctrl.kubectl.(*MockKubectl).DeletedResources, 1)
-		require.Equal(t, "post-delete-hook", ctrl.kubectl.(*MockKubectl).DeletedResources[0].Name)
+		// post-delete hooks are deleted
+		require.Len(t, ctrl.kubectl.(*MockKubectl).DeletedResources, 4)
+		deletedResources := []string{}
+		for _, res := range ctrl.kubectl.(*MockKubectl).DeletedResources {
+			deletedResources = append(deletedResources, res.Name)
+		}
+		expectedNames := []string{"hook-rolebinding", "hook-role", "hook-serviceaccount", "post-delete-hook"}
+		require.ElementsMatch(t, expectedNames, deletedResources, "Deleted resources should match expected names")
 		// finalizer is not removed
 		assert.False(t, patched)
 	})

diff --git a/controller/hook.go b/controller/hook.go
@@ -98,6 +98,18 @@ func (ctrl *ApplicationController) executePostDeleteHooks(app *v1alpha1.Applicat
 		if err != nil {
 			return false, err
 		}
+		if hookHealth == nil {
+			logCtx.WithFields(log.Fields{
+				"group":     obj.GroupVersionKind().Group,
+				"version":   obj.GroupVersionKind().Version,
+				"kind":      obj.GetKind(),
+				"name":      obj.GetName(),
+				"namespace": obj.GetNamespace(),
+			}).Info("No health check defined for resource, considering it healthy")
+			hookHealth = &health.HealthStatus{
+				Status: health.HealthStatusHealthy,
+			}
+		}
 		if hookHealth.Status == health.HealthStatusProgressing {
 			progressingHooksCnt++
 		}
@@ -128,6 +140,11 @@ func (ctrl *ApplicationController) cleanupPostDeleteHooks(liveObjs map[kube.Reso
 		if err != nil {
 			return false, err
 		}
+		if hookHealth == nil {
+			hookHealth = &health.HealthStatus{
+				Status: health.HealthStatusHealthy,
+			}
+		}
 		if health.IsWorse(aggregatedHealth, hookHealth.Status) {
 			aggregatedHealth = hookHealth.Status
 		}