fix: compliant with mustnothave and objectselector

When a mustnothave ConfigurationPolicy returns objects from the
objectSelector but no objects match the policy, the status wasn't
populated. This populates a compliant status for this case.

ref: https://issues.redhat.com/browse/ACM-25562
Signed-off-by: Dale Haiducek <[email protected]>

Author: dhaiducek

controllers/configurationpolicy_controller.go

@@ -1880,6 +1880,30 @@ func (r *ConfigurationPolicyReconciler) determineDesiredObjects(
 			}
 		}
 
+		// If no objects were matched, return a compliant event since this is
+		// mustnothave and no objects were found.
+		if len(targetedObjects) == 0 {
+			var namespaces []string
+			for ns := range relevantNsNames {
+				namespaces = append(namespaces, ns)
+			}
+
+			sort.Strings(namespaces)
+
+			nsMsg := "namespace"
+			if len(namespaces) > 1 {
+				nsMsg = "namespaces:"
+			}
+
+			event := &objectTmplEvalEvent{
+				compliant: true,
+				reason:    "",
+				message:   fmt.Sprintf("%s missing as expected in %s %s", scopedGVR.Resource, nsMsg, strings.Join(namespaces, ", ")),
+			}
+
+			return nil, &scopedGVR, event, nil
+		}
+
 		return targetedObjects, &scopedGVR, nil, nil
 	}
 

test/dryrun/no_name/with_object_selector/mustnothave_unmatched/input.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: default
+  name: wrong-configmap
+  labels:
+    isLower: 'true'
+    privileged: 'no'
+

test/dryrun/no_name/with_object_selector/mustnothave_unmatched/output.txt

@@ -0,0 +1,3 @@
+# Diffs:
+# Compliance messages:
+Compliant; notification - configmaps missing as expected in namespace default

test/dryrun/no_name/with_object_selector/mustnothave_unmatched/policy.yaml

@@ -0,0 +1,23 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-mustnothave-objselector
+spec:
+  object-templates:
+    - complianceType: mustnothave
+      objectDefinition:
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          labels:
+            isLower: 'true'
+            privileged: 'yes'
+          namespace: default
+      objectSelector:
+        matchLabels:
+          isLower: 'true'
+      recordDiff: InStatus
+      recreateOption: None
+  pruneObjectBehavior: DeleteAll
+  remediationAction: inform
+  severity: low

test/dryrun/no_name/with_object_selector/no_name_obj_sel_test.go

@@ -7,18 +7,23 @@ import (
 	"open-cluster-management.io/config-policy-controller/test/dryrun"
 )
 
-//go:embed musthave_mixed_noncompliant/*
-var musthaveMixedNoncompliant embed.FS
+var (
+	//go:embed musthave_mixed_noncompliant/*
+	musthaveMixedNoncompliant embed.FS
+	//go:embed mustnothave_mixed_noncompliant/*
+	mustnothaveMixedNoncompliant embed.FS
+	//go:embed mustnothave_unmatched/*
+	mustnothaveUnmatched embed.FS
 
-func TestMusthaveMixedNonCompliant(t *testing.T) {
-	t.Run("Test only selected and incorrect objects are marked as violations",
-		dryrun.Run(musthaveMixedNoncompliant))
-}
-
-//go:embed mustnothave_mixed_noncompliant/*
-var mustnothaveMixedNoncompliant embed.FS
+	testCases = map[string]embed.FS{
+		"Test only selected and incorrect objects are marked as violations": musthaveMixedNoncompliant,
+		"Test only selected and matched objects are marked as violations":   mustnothaveMixedNoncompliant,
+		"Test no matched objects for mustnothave is compliant":              mustnothaveUnmatched,
+	}
+)
 
-func TestMustnothaveMixedNonCompliant(t *testing.T) {
-	t.Run("Test only selected and matched objects are marked as violations",
-		dryrun.Run(mustnothaveMixedNoncompliant))
+func TestNoNameObjSelector(t *testing.T) {
+	for name, testFiles := range testCases {
+		t.Run(name, dryrun.Run(testFiles))
+	}
 }