From 572453ac575ae2ec63849b176b3a5b0433645a4b Mon Sep 17 00:00:00 2001 From: Gus Parvin Date: Thu, 25 Apr 2024 07:41:11 -0400 Subject: [PATCH] Create a policy to automatically import discovered ROSA clusters This policy monitors DiscoveredCluster resources for ROSA clusters and configures matching discovered clusters to be automatically imported. Status is shown for any that have been configured to be automatically imported. Filtering by the discovered cluster display name can be updated in the policy by editing the ConfigMap. Refs: - https://issues.redhat.com/browse/ACM-10304 Signed-off-by: Gus Parvin --- .../policy-rosa-autoimport.yaml | 101 ++++++++++++++++++ community/README.md | 1 + 2 files changed, 102 insertions(+) create mode 100644 community/CM-Configuration-Management/policy-rosa-autoimport.yaml diff --git a/community/CM-Configuration-Management/policy-rosa-autoimport.yaml b/community/CM-Configuration-Management/policy-rosa-autoimport.yaml new file mode 100644 index 00000000..25476cb5 --- /dev/null +++ b/community/CM-Configuration-Management/policy-rosa-autoimport.yaml 
@@ -0,0 +1,101 @@ +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: policy-rosa-autoimport + annotations: + policy.open-cluster-management.io/standards: NIST SP 800-53 + policy.open-cluster-management.io/categories: CM Configuration Management + policy.open-cluster-management.io/controls: CM-2 Baseline Configuration + policy.open-cluster-management.io/description: Discovered clusters that are of + type ROSA can be automatically imported into ACM as managed clusters. This + policy helps you select those managed clusters and configure them so the import + will happen. If you do not want all of your ROSA clusters to be automatically + imported, you can configure filters or add an annotation. +spec: + remediationAction: inform + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: policy-rosa-autoimport + spec: + remediationAction: inform + severity: low + object-templates-raw: | + - complianceType: musthave + objectDefinition: + apiVersion: v1 + kind: ConfigMap + metadata: + name: discovery-config + namespace: open-cluster-management-global-set + data: + rosa-filter: "" + {{- /* find the ROSA DiscoveredClusters */ -}} + {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }} + {{- /* Check for the flag that indicates the import should be skipped */ -}} + {{- $skip := "false" -}} + {{- range $key, $value := $dc.metadata.annotations }} + {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported") + (eq $value "true") }} + {{- $skip = "true" }} + {{- end }} + {{- end }} + {{- /* if the type is ROSA and the status is Active */ -}} + {{- if and (eq $dc.spec.status "Active") + (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName) + (eq $dc.spec.type "ROSA") + (eq $skip "false") }} + - complianceType: 
musthave + objectDefinition: + apiVersion: discovery.open-cluster-management.io/v1 + kind: DiscoveredCluster + metadata: + name: {{ $dc.metadata.name }} + namespace: {{ $dc.metadata.namespace }} + spec: + importAsManagedCluster: true + {{- end }} + {{- end }} + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: policy-rosa-managedcluster-status + spec: + remediationAction: inform + severity: low + object-templates-raw: | + {{- /* Use the same DiscoveredCluster list to check ManagedCluster status */ -}} + {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }} + {{- /* Check for the flag that indicates the import should be skipped */ -}} + {{- $skip := "false" -}} + {{- range $key, $value := $dc.metadata.annotations }} + {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported") + (eq $value "true") }} + {{- $skip = "true" }} + {{- end }} + {{- end }} + {{- /* if the type is ROSA and the status is Active */ -}} + {{- if and (eq $dc.spec.status "Active") + (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName) + (eq $dc.spec.type "ROSA") + (eq $skip "false") }} + - complianceType: musthave + objectDefinition: + apiVersion: cluster.open-cluster-management.io/v1 + kind: ManagedCluster + metadata: + name: {{ $dc.spec.displayName }} + namespace: {{ $dc.spec.displayName }} + annotations: + cluster.open-cluster-management.io/clusterset: default + status: + conditions: + - type: ManagedClusterAvailable + status: "True" + {{- end }} + {{- end }} + diff --git a/community/README.md b/community/README.md index 1f11e141..8bee5632 100644 --- a/community/README.md +++ b/community/README.md 
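Review bot: With the shipped default `rosa-filter: ""` and the `contains` test used in both ConfigurationPolicy templates, every Active ROSA DiscoveredCluster visible to the discovery credential is selected once `remediationAction` is switched to `enforce`, and because `contains` is a substring match a filter such as `prod` also selects `nonprod-*` clusters; since `importAsManagedCluster: true` hands the hub management access to each matched cluster, a non-empty default with a prefix or exact match (`hasPrefix` / `eq`) or an explicit allow-list is the safer shape, and the ConfigMap should carry a comment such as `# empty filter selects every Active ROSA cluster`. Separately, `$dc.spec.displayName` is rendered unquoted into `name:` and `namespace:` of the ManagedCluster template (and `$dc.metadata.name` into the DiscoveredCluster one); the display name is external OCM data, so a value containing `: `, ` #` or a leading YAML indicator would break or reshape the rendered object — emit it as `name: "{{ $dc.spec.displayName }}"` (or via `toRawJson` if your template version supports it). The `fromConfigMap` calls also read the `discovery-config` ConfigMap that this same policy is meant to create; in `inform` mode it is never created, which presumably leaves the template unresolvable until someone creates it by hand — worth stating in the description. Nothing in the hunk shows that the import names the ManagedCluster after `spec.displayName`; confirm that before relying on the status check in `policy-rosa-managedcluster-status`.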
@@ -181,6 +181,7 @@ Policy | Description | Prerequisites [Policy to install and configure OADP operator for stateful application backup](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-install.yaml) | First of 3 policies, used to backup or restore stateful applications on managed clusters. Used to install OADP on managed clusters and configure the connection to the storage location and installed on both backup and restore operations. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md) [Policy to backup a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml) | Second of 3 policies, used to backup stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md) [Policy to restore a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-restore.yaml) | Last of 3 policies, used to restore stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md) +[Policy to automatically import ROSA clusters](./CM-Configuration-Management/policy-rosa-autoimport.yaml) | Use this policy to automatically import discovered ROSA clusters as a managed cluster. | By default this policy will configure ROSA discovered clusters to be automatically imported as a managed cluster. Edit the ConfigMap to adjust the discovered cluster filter. Edit the managed cluster resource to change the default ManagedClusterSet the mananged cluster is added to. ### Contingency Planning