CI: fix (cluster)policyreport jobs

There was a change in yq between 4.45.1 and 4.45.2:

$ kubectl get clusterpolicyreport -A -o yaml | yq-4.45.1 '.items[] | select(.summary.fail > 0 or .summary.warn > 0 or .summary.error > 0) | (.metadata.namespace // "None") + " " + .metadata.name'
$
$ kubectl get clusterpolicyreport -A -o yaml | yq-4.45.2 '.items[] | select(.summary.fail > 0 or .summary.warn > 0 or .summary.error > 0) | (.metadata.namespace // "None") + " " + .metadata.name'
None 

This change results in bogus/empty output in all our mgmt-cluster-policy-report and mgmt-policy-report CI jobs, and causes them to exit with an error:

Checking Kyverno policyreports 00:00
$ error=0 # collapsed multi-line command
policyreport  was in FAIL/WARN/ERROR

(e.g. https://gitlab.com/sylva-projects/sylva-core/-/jobs/10217950612#L71)

This was reported in #2347 (closed) but this MR can't close that issue because that issue is also reporting another unrelated issue.

How this fix was tested

I tested with the local CLI changing the select criteria to try both the case where no resource is matched by the select....

$ kubectl get clusterpolicyreport -A -o yaml | yq '.items[] | select(.summary.fail > 0 or .summary.warn > 0 or .summary.error > 0) | with(. ; . = (.metadata.namespace // "None") + " " + .metadata.name)'
$

... and the case where some resource is matched ...

$ kubectl get clusterpolicyreport -A -o yaml | yq '.items[] | select(.summary.fail > 0 or .summary.warn > 0 or .summary.error >= 0) | with(. ; . = (.metadata.namespace // "None") + " " + .metadata.name)'
None 39883ee1-5e21-4827-aea6-82f905af14f5
None 6f91020f-9141-4adb-9c14-dd5599105f26
None a68e212d-1bae-4f21-8cd7-d797cedcaf00

CI configuration

Below you can choose test deployment variants to run in this MR's CI.


Legend:

Icon Meaning Available values
☁️ Infra Provider capd, capo, capm3
🚀 Bootstrap Provider kubeadm (alias kadm), rke2
🐧 Node OS ubuntu, suse
🛠️ Deployment Options light-deploy, dev-sources, ha, misc, maxsurge-0, logging, no-logging
🎬 Pipeline Scenarios Available scenario list and description
  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu

  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse

  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu

  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu

  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse

  • ☁️ capo 🚀 rke2 🐧 suse

  • ☁️ capo 🚀 kadm 🎬 no-wkld 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha 🐧 suse

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🐧 suse

  • ☁️ capm3 🚀 kadm 🐧 ubuntu

  • ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha,misc 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 ck8s 🎬 no-wkld 🛠️ light-deploy,k8s-1.31 🐧 ubuntu

Global config for deployment pipelines

  • autorun pipelines
  • allow failure on pipelines
  • record sylvactl events

Notes:

  • Enabling autorun will make deployment pipelines run automatically without human interaction.
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success.
  • If both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will block the pipeline.

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.

Edited by Thomas Morin
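The failure described above comes from a gate that treats any line of yq output as a finding. The following is an added example, not code from this MR or from the project's CI script: a consumer for the `<namespace> <name>` lines that ignores the name-less `None ` line printed by yq 4.45.2. The function name `check_policyreports`, the loop shape and the `namespace/name` message layout are assumptions; the sample inputs are constructed from the output shown in the description.

```shell
#!/usr/bin/env bash
# Added example (assumed loop shape, not the project's CI script).
# Reads "<namespace> <name>" lines on stdin, as emitted by the yq query,
# prints one message per real report and returns 1 if any report was listed.
check_policyreports() {
  local kind="$1" error=0 ns name
  # "|| [ -n "$ns" ]" keeps a final line that lacks a trailing newline.
  while read -r ns name || [ -n "$ns" ]; do
    # yq 4.45.2 printed "None " when select() matched nothing: the namespace
    # fallback is there but the name is empty, so the line is not a finding.
    if [ -z "$name" ]; then
      continue
    fi
    echo "$kind $ns/$name was in FAIL/WARN/ERROR"
    error=1
  done
  return "$error"
}

# Constructed input: the bogus line from yq 4.45.2 must not fail the job.
printf 'None \n' | check_policyreports clusterpolicyreport \
  && echo "no failing clusterpolicyreport"
```

In a job, the function would be fed by the `kubectl ... | yq ...` pipeline from the description, with the job's exit status taken from the function's return value.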
