diff --git a/internal/auditlogging/auditlogging.go b/internal/auditlogging/auditlogging.go
index 1a19174d..aeeabf6f 100644
--- a/internal/auditlogging/auditlogging.go
+++ b/internal/auditlogging/auditlogging.go
@@ -140,10 +140,10 @@ func ApplyAuditLogConfig(shoot *gardener.Shoot, auditConfigFromFile map[string]m
 }
 tenant, ok := providerConfig[auditID]
- if !ok {
- if mandatory {
- return false, fmt.Errorf("auditlog config for region %s, provider %s is empty", auditID, providerType)
- }
+ if !ok && mandatory {
+ return false, fmt.Errorf("auditlog config for region %s, provider %s is empty", auditID, providerType)
+ } else if !ok {
+ rollbackAuditPolicy(shoot)
 return false, nil
 }
@@ -288,6 +288,12 @@ func newAuditPolicyConfig(policyConfigMapName string) *gardener.AuditConfig {
 }
 }
+func rollbackAuditPolicy(shoot *gardener.Shoot) {
+ if shoot.Spec.Kubernetes.KubeAPIServer != nil {
+ shoot.Spec.Kubernetes.KubeAPIServer.AuditConfig = nil
+ }
+ }
+
 func (a *auditLogConfig) UpdateShoot(ctx context.Context, shoot *gardener.Shoot) error {
 return a.client.Update(ctx, shoot)
 }
diff --git a/internal/auditlogging/mocks/AuditLogging.go b/internal/auditlogging/mocks/AuditLogging.go
index f670fd14..da6306d4 100644
--- a/internal/auditlogging/mocks/AuditLogging.go
+++ b/internal/auditlogging/mocks/AuditLogging.go
@@ -14,9 +14,9 @@ type AuditLogging struct { mock.Mock } -// Enable provides a mock function with given fields: ctx, shoot -func (_m *AuditLogging) Enable(ctx context.Context, shoot *v1beta1.Shoot) (bool, error) { - ret := _m.Called(ctx, shoot) +// Enable provides a mock function with given fields: ctx, shoot, mandatory +func (_m *AuditLogging) Enable(ctx context.Context, shoot *v1beta1.Shoot, mandatory bool) (bool, error) { + ret := _m.Called(ctx, shoot, mandatory) if len(ret) == 0 { panic("no return value specified for Enable")
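Review bot: In the new `else if !ok` branch, `rollbackAuditPolicy(shoot)` mutates the shoot but the function still returns `false, nil`, exactly what it returned before the change; if the caller (Enable, outside this hunk) only persists the shoot when ApplyAuditLogConfig reports `true`, the cleared AuditConfig is never written back to the cluster — verify this against Enable. The branch also removes audit logging from the kube-apiserver without any log line or returned signal, so an operator cannot tell "region has no audit config, policy dropped" from "nothing to do"; log the region and provider before clearing the policy, or surface it through the returned value. Stylistically, `else if` after a terminating `if` reads better as the original nesting: `if !ok { if mandatory { return false, fmt.Errorf(...) }; rollbackAuditPolicy(shoot); return false, nil }`. ApplyAuditLogConfig starts and ends outside the hunk.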
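Review bot: rollbackAuditPolicy has no doc comment, and its effect is narrower than its name suggests: it only nils `shoot.Spec.Kubernetes.KubeAPIServer.AuditConfig`, whereas ApplyAuditLogConfig — judging from the `annotated` result its tests check — appears to set more than that on the shoot; anything else it writes (annotations, extension entries) would survive this rollback, leaving a shoot that still advertises audit logging without a policy. Confirm what ApplyAuditLogConfig sets and revert the same set here. Add a doc comment such as `// rollbackAuditPolicy clears the kube-apiserver AuditConfig of the shoot; it is a no-op when KubeAPIServer is nil.`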
@@ -24,17 +24,17 @@ func (_m *AuditLogging) Enable(ctx context.Context, shoot *v1beta1.Shoot) (bool, var r0 bool var r1 error - if rf, ok := ret.Get(0).(func(context.Context, *v1beta1.Shoot) (bool, error)); ok { - return rf(ctx, shoot) + if rf, ok := ret.Get(0).(func(context.Context, *v1beta1.Shoot, bool) (bool, error)); ok { + return rf(ctx, shoot, mandatory) } - if rf, ok := ret.Get(0).(func(context.Context, *v1beta1.Shoot) bool); ok { - r0 = rf(ctx, shoot) + if rf, ok := ret.Get(0).(func(context.Context, *v1beta1.Shoot, bool) bool); ok { + r0 = rf(ctx, shoot, mandatory) } else { r0 = ret.Get(0).(bool) } - if rf, ok := ret.Get(1).(func(context.Context, *v1beta1.Shoot) error); ok { - r1 = rf(ctx, shoot) + if rf, ok := ret.Get(1).(func(context.Context, *v1beta1.Shoot, bool) error); ok { + r1 = rf(ctx, shoot, mandatory) } else { r1 = ret.Error(1) }
diff --git a/internal/auditlogging/tests/auditlogging_test.go b/internal/auditlogging/tests/auditlogging_test.go
index 6a74d9b4..94d3a66b 100644
--- a/internal/auditlogging/tests/auditlogging_test.go
+++ b/internal/auditlogging/tests/auditlogging_test.go
@@ -13,6 +13,8 @@ import (
 "testing"
 )
+var auditLogMandatory = true
+
 func TestEnable(t *testing.T) {
 t.Run("Should successfully enable Audit Log for Shoot", func(t *testing.T) {
 // given
@@ -31,7 +33,7 @@ func TestEnable(t *testing.T) {
 // when
 auditLog := &auditlogging.AuditLog{AuditLogConfigurator: configurator}
- enable, err := auditLog.Enable(ctx, shoot)
+ enable, err := auditLog.Enable(ctx, shoot, auditLogMandatory)
 // then
 configurator.AssertExpectations(t)
@@ -58,7 +60,7 @@ func TestEnable(t *testing.T) {
 // when
 auditLog := &auditlogging.AuditLog{AuditLogConfigurator: configurator}
- enable, err := auditLog.Enable(ctx, shoot)
+ enable, err := auditLog.Enable(ctx, shoot, auditLogMandatory)
 // then
 configurator.AssertExpectations(t)
@@ -78,7 +80,7 @@ func TestEnable(t *testing.T) {
 // when
 auditLog := &auditlogging.AuditLog{AuditLogConfigurator: configurator}
- enable, err := auditLog.Enable(ctx, shoot)
+ enable, err := auditLog.Enable(ctx, shoot, auditLogMandatory)
 // then
 configurator.AssertExpectations(t)
@@ -94,7 +96,7 @@ func TestApplyAuditLogConfig(t *testing.T) {
 configFromFile := fileConfigData()
 // when
- annotated, err := auditlogging.ApplyAuditLogConfig(shoot, configFromFile, "aws")
+ annotated, err := auditlogging.ApplyAuditLogConfig(shoot, configFromFile, "aws", auditLogMandatory)
 // then
 require.True(t, annotated)
@@ -106,7 +108,7 @@ func TestApplyAuditLogConfig(t *testing.T) {
 shoot := shootForTest()
 // when
- annotated, err := auditlogging.ApplyAuditLogConfig(shoot, map[string]map[string]auditlogging.AuditLogData{}, "aws")
+ annotated, err := auditlogging.ApplyAuditLogConfig(shoot, map[string]map[string]auditlogging.AuditLogData{}, "aws", auditLogMandatory)
 // then
 require.False(t, annotated)
@@ -120,7 +122,7 @@ func TestApplyAuditLogConfig(t *testing.T) {
 shoot.Spec.Region = ""
 // when
- annotated, err := auditlogging.ApplyAuditLogConfig(shoot, configFromFile, "aws")
+ annotated, err := auditlogging.ApplyAuditLogConfig(shoot, configFromFile, "aws", auditLogMandatory)
 // then
 require.False(t, annotated)
@@ -135,7 +137,7 @@ func TestApplyAuditLogConfig(t *testing.T) {
 }
 // when
- annotated, err := auditlogging.ApplyAuditLogConfig(shoot, configFromFile, "aws")
+ annotated, err := auditlogging.ApplyAuditLogConfig(shoot, configFromFile, "aws", auditLogMandatory)
 // then
 require.False(t, annotated)
diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog.go b/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog.go
index 2cf0acd7..c7cc62aa 100644
--- a/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog.go
+++ b/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog.go
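Review bot: Every call site in this file now passes `auditLogMandatory`, a package-level `var` fixed to `true`, so the new non-mandatory path (`!ok && !mandatory` → rollbackAuditPolicy) is not exercised by any test; the "empty config" case at @@ -106 is the natural place for a sibling case that calls `ApplyAuditLogConfig(shoot, map[string]map[string]auditlogging.AuditLogData{}, "aws", false)` and asserts `err == nil` and `shoot.Spec.Kubernetes.KubeAPIServer.AuditConfig == nil` (assuming shootForTest populates KubeAPIServer — otherwise set it in the case). The same gap exists in runtime_fsm_configure_auditlog_test.go, where all three cases set `fsm.AuditLog.Mandatory = true`. Since the value never changes, `const auditLogMandatory = true` states the intent better than `var`.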
@@ -38,7 +38,7 @@ func sFnConfigureAuditLog(ctx context.Context, m *fsm, s *systemState) (stateFn,
 s.instance.UpdateStateReady(
 imv1.ConditionTypeAuditLogConfigured,
 imv1.ConditionReasonAuditLogConfigured,
- "Audit Log configured successfully",
+ "Audit Log state completed",
 )
 return updateStatusAndStop()
diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog_test.go b/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog_test.go
index deb0bb79..bab8c990 100644
--- a/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog_test.go
+++ b/internal/controller/runtime/fsm/runtime_fsm_configure_auditlog_test.go
@@ -33,10 +33,12 @@ func TestAuditLogState(t *testing.T) {
 },
 }
- auditLog.On("Enable", ctx, shoot).Return(true, nil).Once()
+ fsm := &fsm{AuditLogging: auditLog}
+ fsm.AuditLog.Mandatory = true
+
+ auditLog.On("Enable", ctx, shoot, true).Return(true, nil).Once()
 // when
- fsm := &fsm{AuditLogging: auditLog}
 stateFn, _, _ := sFnConfigureAuditLog(ctx, fsm, systemState)
 // set the time to its zero value for comparison purposes
@@ -64,14 +66,16 @@ func TestAuditLogState(t *testing.T) {
 Type: string(v1.ConditionTypeAuditLogConfigured),
 Status: "True",
 Reason: string(v1.ConditionReasonAuditLogConfigured),
- Message: "Audit Log configured successfully",
+ Message: "Audit Log state completed",
 },
 }
- auditLog.On("Enable", ctx, shoot).Return(false, nil).Once()
+ fsm := &fsm{AuditLogging: auditLog}
+ fsm.AuditLog.Mandatory = true
+
+ auditLog.On("Enable", ctx, shoot, true).Return(false, nil).Once()
 // when
- fsm := &fsm{AuditLogging: auditLog}
 stateFn, _, _ := sFnConfigureAuditLog(ctx, fsm, systemState)
 // set the time to its zero value for comparison purposes
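Review bot: The Ready condition written by `s.instance.UpdateStateReady` keeps reason `imv1.ConditionReasonAuditLogConfigured` and now the message `"Audit Log state completed"` regardless of what Enable returned — the `Return(false, nil)` case at @@ -64 in runtime_fsm_configure_auditlog_test.go expects exactly that reason and message. After this change a `false, nil` result can mean the audit policy was rolled back for a non-mandatory region, so the runtime status no longer tells an operator that the cluster has no audit logging at all. Consider branching on the Enable result (the branch lies outside this hunk) and using a distinct reason and message for the not-configured outcome, e.g. `"Audit Log not configured for this region"`, so that ConditionReasonAuditLogConfigured is only reported when a policy is actually in place. sFnConfigureAuditLog starts outside the hunk.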
@@ -103,10 +107,12 @@ func TestAuditLogState(t *testing.T) {
 },
 }
- auditLog.On("Enable", ctx, shoot).Return(false, errors.New("some error during configuration")).Once()
+ fsm := &fsm{AuditLogging: auditLog}
+ fsm.AuditLog.Mandatory = true
+
+ auditLog.On("Enable", ctx, shoot, true).Return(false, errors.New("some error during configuration")).Once()
 // when
- fsm := &fsm{AuditLogging: auditLog}
 stateFn, _, _ := sFnConfigureAuditLog(ctx, fsm, systemState)
 // set the time to its zero value for comparison purposes