Add metrics reporting for mutation

main.go

@@ -244,12 +244,13 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 		setupLog.Error(err, "unable to set up OPA backend")
 		os.Exit(1)
 	}
+
 	client, err := backend.NewClient(opa.Targets(&target.K8sValidationTarget{}))
 	if err != nil {
 		setupLog.Error(err, "unable to set up OPA client")
 	}
 
-	mutationCache := mutation.NewSystem()
+	mutationSystem := mutation.NewSystem(mutation.SystemOpts{Reporter: mutation.NewStatsReporter()})
 
 	c := mgr.GetCache()
 	dc, ok := c.(watch.RemovableCache)
@@ -258,6 +259,7 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 		setupLog.Error(err, "fetching dynamic cache")
 		os.Exit(1)
 	}
+
 	wm, err := watch.New(dc)
 	if err != nil {
 		setupLog.Error(err, "unable to create watch manager")
@@ -279,7 +281,7 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 		ControllerSwitch: sw,
 		Tracker:          tracker,
 		ProcessExcluder:  processExcluder,
-		MutationCache:    mutationCache,
+		MutationSystem:   mutationSystem,
 	}
 	if err := controller.AddToManager(mgr, opts); err != nil {
 		setupLog.Error(err, "unable to register controllers with the manager")
@@ -288,7 +290,7 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 
 	if operations.IsAssigned(operations.Webhook) {
 		setupLog.Info("setting up webhooks")
-		if err := webhook.AddToManager(mgr, client, processExcluder, mutationCache); err != nil {
+		if err := webhook.AddToManager(mgr, client, processExcluder, mutationSystem); err != nil {
 			setupLog.Error(err, "unable to register webhooks with the manager")
 			os.Exit(1)
 		}

pkg/controller/add_assign.go

@@ -16,7 +16,7 @@ limitations under the License.
 package controller
 
 import (
-	"github.com/open-policy-agent/gatekeeper/pkg/controller/assign"
+	"github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/assign"
 )
 
 func init() {

pkg/controller/add_assignmetadata.go

@@ -16,7 +16,7 @@ limitations under the License.
 package controller
 
 import (
-	"github.com/open-policy-agent/gatekeeper/pkg/controller/assignmetadata"
+	"github.com/open-policy-agent/gatekeeper/pkg/controller/mutators/assignmetadata"
 )
 
 func init() {

pkg/controller/config/config_controller.go

@@ -92,7 +92,7 @@ func (a *Adder) InjectProcessExcluder(m *process.Excluder) {
 	a.ProcessExcluder = m
 }
 
-func (a *Adder) InjectMutationCache(mutationCache *mutation.System) {}
+func (a *Adder) InjectMutationSystem(mutationSystem *mutation.System) {}
 
 // newReconciler returns a new reconcile.Reconciler
 // events is the channel from which sync controller will receive the events

pkg/controller/constraint/constraint_controller.go

@@ -83,7 +83,7 @@ func (a *Adder) InjectTracker(t *readiness.Tracker) {
 	a.Tracker = t
 }
 
-func (a *Adder) InjectMutationCache(mutationCache *mutation.System) {}
+func (a *Adder) InjectMutationSystem(mutationSystem *mutation.System) {}
 
 // Add creates a new Constraint Controller and adds it to the Manager. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
@@ -473,15 +473,11 @@ func (c *ConstraintsCache) reportTotalConstraints(reporter StatsReporter) {
 
 	for _, enforcementAction := range util.KnownEnforcementActions {
 		for _, status := range metrics.AllStatuses {
-			if err := reporter.reportConstraints(
-				tags{
-					enforcementAction: enforcementAction,
-					status:            status,
-				},
-				int64(totals[tags{
-					enforcementAction: enforcementAction,
-					status:            status,
-				}])); err != nil {
+			t := tags{
+				enforcementAction: enforcementAction,
+				status:            status,
+			}
+			if err := reporter.reportConstraints(t, int64(totals[t])); err != nil {
 				log.Error(err, "failed to report total constraints")
 			}
 		}

pkg/controller/constrainttemplate/constrainttemplate_controller.go

@@ -107,7 +107,7 @@ func (a *Adder) InjectGetPod(getPod func() (*corev1.Pod, error)) {
 	a.GetPod = getPod
 }
 
-func (a *Adder) InjectMutationCache(mutationCache *mutation.System) {}
+func (a *Adder) InjectMutationSystem(mutationSystem *mutation.System) {}
 
 // newReconciler returns a new reconcile.Reconciler
 // cstrEvents is the channel from which constraint controller will receive the events

pkg/controller/controller.go

@@ -44,7 +44,7 @@ type Injector interface {
 	InjectWatchManager(*watch.Manager)
 	InjectControllerSwitch(*watch.ControllerSwitch)
 	InjectTracker(tracker *readiness.Tracker)
-	InjectMutationCache(mutationCache *mutation.System)
+	InjectMutationSystem(mutationSystem *mutation.System)
 	Add(mgr manager.Manager) error
 }
 
@@ -71,7 +71,7 @@ type Dependencies struct {
 	Tracker          *readiness.Tracker
 	GetPod           func() (*corev1.Pod, error)
 	ProcessExcluder  *process.Excluder
-	MutationCache    *mutation.System
+	MutationSystem   *mutation.System
 }
 
 type defaultPodGetter struct {
@@ -149,7 +149,7 @@ func AddToManager(m manager.Manager, deps Dependencies) error {
 		a.InjectWatchManager(deps.WatchManger)
 		a.InjectControllerSwitch(deps.ControllerSwitch)
 		a.InjectTracker(deps.Tracker)
-		a.InjectMutationCache(deps.MutationCache)
+		a.InjectMutationSystem(deps.MutationSystem)
 		if a2, ok := a.(GetPodInjector); ok {
 			a2.InjectGetPod(deps.GetPod)
 		}

pkg/controller/assign/assign_controller.go → pkg/controller/mutators/assign/assign_controller.go

@@ -19,10 +19,12 @@ package assign
 import (
 	"context"
 	"fmt"
+	"time"
 
 	opa "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 	mutationsv1alpha1 "github.com/open-policy-agent/gatekeeper/apis/mutations/v1alpha1"
 	statusv1beta1 "github.com/open-policy-agent/gatekeeper/apis/status/v1beta1"
+	ctrlmutators "github.com/open-policy-agent/gatekeeper/pkg/controller/mutators"
 	"github.com/open-policy-agent/gatekeeper/pkg/controller/mutatorstatus"
 	"github.com/open-policy-agent/gatekeeper/pkg/logging"
 	"github.com/open-policy-agent/gatekeeper/pkg/mutation"
@@ -55,15 +57,15 @@ var gvkAssign = schema.GroupVersionKind{
 }
 
 type Adder struct {
-	MutationCache *mutation.System
-	Tracker       *readiness.Tracker
-	GetPod        func() (*corev1.Pod, error)
+	MutationSystem *mutation.System
+	Tracker        *readiness.Tracker
+	GetPod         func() (*corev1.Pod, error)
 }
 
 // Add creates a new Assign Controller and adds it to the Manager. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
 func (a *Adder) Add(mgr manager.Manager) error {
-	r := newReconciler(mgr, a.MutationCache, a.Tracker, a.GetPod)
+	r := newReconciler(mgr, a.MutationSystem, a.Tracker, a.GetPod)
 	return add(mgr, r)
 }
 
@@ -81,18 +83,20 @@ func (a *Adder) InjectGetPod(getPod func() (*corev1.Pod, error)) {
 	a.GetPod = getPod
 }
 
-func (a *Adder) InjectMutationCache(mutationCache *mutation.System) {
-	a.MutationCache = mutationCache
+func (a *Adder) InjectMutationSystem(mutationSystem *mutation.System) {
+	a.MutationSystem = mutationSystem
 }
 
 // newReconciler returns a new reconcile.Reconciler.
-func newReconciler(mgr manager.Manager, mutationCache *mutation.System, tracker *readiness.Tracker, getPod func() (*corev1.Pod, error)) *Reconciler {
+func newReconciler(mgr manager.Manager, mutationSystem *mutation.System, tracker *readiness.Tracker, getPod func() (*corev1.Pod, error)) *Reconciler {
 	r := &Reconciler{
-		system:  mutationCache,
-		Client:  mgr.GetClient(),
-		tracker: tracker,
-		getPod:  getPod,
-		scheme:  mgr.GetScheme(),
+		system:   mutationSystem,
+		Client:   mgr.GetClient(),
+		tracker:  tracker,
+		getPod:   getPod,
+		scheme:   mgr.GetScheme(),
+		reporter: ctrlmutators.NewStatsReporter(),
+		cache:    ctrlmutators.NewMutationCache(),
 	}
 	if getPod == nil {
 		r.getPod = r.defaultGetPod
@@ -133,25 +137,31 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 // Reconciler reconciles a Assign object.
 type Reconciler struct {
 	client.Client
-	system  *mutation.System
-	tracker *readiness.Tracker
-	getPod  func() (*corev1.Pod, error)
-	scheme  *runtime.Scheme
+	system   *mutation.System
+	tracker  *readiness.Tracker
+	getPod   func() (*corev1.Pod, error)
+	scheme   *runtime.Scheme
+	reporter ctrlmutators.StatsReporter
+	cache    *ctrlmutators.Cache
 }
 
 // +kubebuilder:rbac:groups=mutations.gatekeeper.sh,resources=*,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile reads that state of the cluster for a Assign object and makes changes based on the state read
 // and what is in the Assign.Spec.
+// TODO (https://github.com/open-policy-agent/gatekeeper/issues/1449): DRY this and assignmetadata_controller.go .
 func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	log.Info("Reconcile", "request", request)
+	startTime := time.Now()
+
 	deleted := false
 	assign := &mutationsv1alpha1.Assign{}
 	err := r.Get(ctx, request.NamespacedName, assign)
 	if err != nil {
 		if !errors.IsNotFound(err) {
 			return reconcile.Result{}, err
 		}
+
 		deleted = true
 		assign = &mutationsv1alpha1.Assign{
 			ObjectMeta: metav1.ObjectMeta{
@@ -171,6 +181,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 
 	if deleted {
 		tracker.CancelExpect(assign)
+		r.cache.Remove(mID)
 
 		if err := r.system.Remove(mID); err != nil {
 			log.Error(err, "Remove failed", "resource", request.NamespacedName)
@@ -193,6 +204,10 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		return reconcile.Result{}, nil
 	}
 
+	ingestionStatus := ctrlmutators.MutatorStatusError
+	// encasing this call in a function prevents the arguments from being evaluated early
+	defer func() { r.reportMutator(mID, ingestionStatus, startTime) }()
+
 	status, err := r.getOrCreatePodStatus(mID)
 	if err != nil {
 		log.Info("could not get/create pod status object", "error", err)
@@ -230,6 +245,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 		log.Error(err, "could not update mutator status")
 		return reconcile.Result{}, err
 	}
+
+	ingestionStatus = ctrlmutators.MutatorStatusActive
 	return reconcile.Result{}, nil
 }
 
@@ -266,3 +283,21 @@ func (r *Reconciler) defaultGetPod() (*corev1.Pod, error) {
 	// guarantee we don't inadvertently create a watch
 	panic("GetPod must be injected")
 }
+
+func (r *Reconciler) reportMutator(mID types.ID, ingestionStatus ctrlmutators.MutatorIngestionStatus, startTime time.Time) {
+	r.cache.Upsert(mID, ingestionStatus)
+
+	if r.reporter == nil {
+		return
+	}
+
+	if err := r.reporter.ReportMutatorIngestionRequest(ingestionStatus, time.Since(startTime)); err != nil {
+		log.Error(err, "failed to report mutator ingestion request")
+	}
+
+	for status, count := range r.cache.Tally() {
+		if err := r.reporter.ReportMutatorsStatus(status, count); err != nil {
+			log.Error(err, "failed to report mutator status request")
+		}
+	}
+}

pkg/controller/assign/assign_controller_suite_test.go → pkg/controller/mutators/assign/assign_controller_suite_test.go

@@ -41,8 +41,8 @@ var cfg *rest.Config
 func TestMain(m *testing.M) {
 	t := &envtest.Environment{
 		CRDDirectoryPaths: []string{
-			filepath.Join("..", "..", "..", "vendor", "github.com", "open-policy-agent", "frameworks", "constraint", "deploy", "crds.yaml"),
-			filepath.Join("..", "..", "..", "config", "crd", "bases"),
+			filepath.Join("..", "..", "..", "..", "vendor", "github.com", "open-policy-agent", "frameworks", "constraint", "deploy", "crds.yaml"),
+			filepath.Join("..", "..", "..", "..", "config", "crd", "bases"),
 		},
 		ErrorIfCRDPathMissing: true,
 	}

pkg/controller/assign/assign_controller_test.go → pkg/controller/mutators/assign/assign_controller_test.go

@@ -95,7 +95,8 @@ func TestReconcile(t *testing.T) {
 	// force mutation to be enabled
 	*mutation.MutationEnabled = true
 
-	mSys := mutation.NewSystem()
+	mSys := mutation.NewSystem(mutation.SystemOpts{})
+
 	tracker, err := readiness.SetupTracker(mgr, true)
 	g.Expect(err).NotTo(gomega.HaveOccurred())
 	os.Setenv("POD_NAME", "no-pod")