OCPBUGS-16628: Fix namespace when checking the hosted clusters

[yuumasato]

Description:

• Fix the resource path when checking hosted clusters.

Rationale:

• Not all clusters use 'clusters' as the prefix for hosted clusters. These rules should use the the variable hypershift_namespace_prefix.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[codeclimate]

Code Climate has analyzed commit b28a6b2 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.3% (0.0% change).

View more on Code Climate.

[rhmdnd]

Is the prefix always the namespace? Or does it need to be concatenated with the cluster, too?

{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}

[yuumasato]

Good question,

It seems that when we are specifying the path, it should be:
namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}
e.g.:
oc get --raw /apis/hypershift.openshift.io/v1beta1/namespaces/local-cluster/hostedclusters/acfd5e74e18f6cb76f95 | jq [.spec.secretEncryption.type]
oc get --raw /apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/wsato-hypershift1 | jq [.spec.secretEncryption.type]

But when the API check pod is retrieving the information, it is looking for:
{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}
e.g:
URI: '/api/v1/namespaces/clusters-wsato-hypershift1/pods?labelSelector=app%3Dkube-controller-manager'

[Vincent056]

I did not know /apis/hypershift.openshift.io/v1beta1/namespaces/clusters/ was different too

[xiaojiey]

Verification pass with 4.13.0-0.nightly-2023-08-11-101506 + PR in the code:

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: hypershift-cismzv9kys8g7
  namespace: openshift-compliance
spec:
  description: This profile test required rules
  extends: upstream-ocp4-cis
  setValues:
  - name: upstream-ocp4-hypershift-cluster
    rationale: This value is used for HyperShift version detection
    value: 274303d8e6837a1b0ba5
  - name: upstream-ocp4-hypershift-namespace-prefix
    rationale: This value is used for HyperShift controlplane namespace detection
    value: local-cluster
  title: My little profile
EOF
tailoredprofile.compliance.openshift.io/hypershift-cismzv9kys8g7 created
$ oc get tp
NAME                       STATE
hypershift-cismzv9kys8g7   READY
$ oc compliance bind -N test tailoredprofile/hypershift-cismzv9kys8g7
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE         RESULT
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
^C$ oc get ccr | grep encry
hypershift-cismzv9kys8g7-api-server-encryption-provider-cipher                    PASS     medium
$ oc get pod
NAME                                                      READY   STATUS      RESTARTS      AGE
compliance-operator-79d8c7b49c-fgz87                      1/1     Running     1 (29m ago)   30m
ocp4-openshift-compliance-pp-77dbd4f477-682p8             1/1     Running     0             29m
openscap-ocp4-ds-1-build                                  0/1     Completed   0             28m
rhcos4-openshift-compliance-pp-cd4d9bb47-ndxhx            1/1     Running     0             29m
upstream-ocp4-openshift-compliance-pp-57c6f978d-k5wph     1/1     Running     0             24m
upstream-rhcos4-openshift-compliance-pp-86d87d77d-2h29m   1/1     Running     0             24m
$ oc get --raw  /apis/hypershift.openshift.io/v1beta1/namespaces/local-cluster/hostedclusters/274303d8e6837a1b0ba5 | jq [.spec.secretEncryption.type]
[
  "aescbc"
]

[yuumasato]

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-stig

[Vincent056]

thanks for fixing this!
/lgtm

[rhmdnd]

/lgtm