required condition logic update

jmdeal · jmdeal · commit 62569b322a79 · 2025-02-26T23:03:19.000-05:00
diff --git a/pkg/controllers/nodeclass/validation.go b/pkg/controllers/nodeclass/validation.go
@@ -53,8 +53,7 @@ var ValidationConditionMessages = map[string]string{
 }
 
 type Validation struct {
-	ec2api sdk.EC2API
-
+	ec2api      sdk.EC2API
 	amiProvider amifamily.Provider
 	cache       *cache.Cache
 }
@@ -69,22 +68,29 @@ func NewValidationReconciler(ec2api sdk.EC2API, amiProvider amifamily.Provider,
 
 // nolint:gocyclo
 func (v *Validation) Reconcile(ctx context.Context, nodeClass *v1.EC2NodeClass) (reconcile.Result, error) {
-	for _, cond := range []string{
-		v1.ConditionTypeAMIsReady,
-		v1.ConditionTypeInstanceProfileReady,
-		v1.ConditionTypeSecurityGroupsReady,
-		v1.ConditionTypeSubnetsReady,
-	} {
-		if nodeClass.StatusConditions().Get(cond).IsTrue() {
-			continue
-		}
+	if _, ok := lo.Find(v.requiredConditions(), func(cond string) bool {
+		return nodeClass.StatusConditions().Get(cond).IsFalse()
+	}); ok {
+		// If any of the required status conditions are false, we know validation will fail regardless of the other values.
 		nodeClass.StatusConditions().SetFalse(
 			v1.ConditionTypeValidationSucceeded,
 			"DependenciesNotReady",
 			"Awaiting AMI, Instance Profile, Security Group, and Subnet resolution",
 		)
 		return reconcile.Result{}, nil
 	}
+	if _, ok := lo.Find(v.requiredConditions(), func(cond string) bool {
+		return nodeClass.StatusConditions().Get(cond).IsUnknown()
+	}); ok {
+		// If none of the status conditions are false, but at least one is unknown, we should also consider the validation
+		// state to be unknown. Once all required conditions collapse to a true or false state, we can test validation.
+		nodeClass.StatusConditions().SetUnknownWithReason(
+			v1.ConditionTypeValidationSucceeded,
+			"DependenciesNotReady",
+			"Awaiting AMI, Instance Profile, Security Group, and Subnet resolution",
+		)
+		return reconcile.Result{}, nil
+	}
 
 	if val, ok := v.cache.Get(v.cacheKey(nodeClass)); ok {
 		// We still update the status condition even if it's cached since we may have had a conflict error previously
@@ -113,32 +119,19 @@ func (v *Validation) Reconcile(ctx context.Context, nodeClass *v1.EC2NodeClass)
 		return reconcile.Result{}, reconcile.TerminalError(fmt.Errorf("validating tags, %w", err))
 	}
 
-	type validator struct {
-		isValid       validatorFunc
-		failureReason string
-	}
-	for _, val := range []validator{
-		{
-			isValid:       v.validateCreateFleetAuthorization,
-			failureReason: ConditionReasonCreateFleetAuthFailed,
-		},
-		{
-			isValid:       v.validateCreateLaunchTemplateAuthorization,
-			failureReason: ConditionReasonCreateLaunchTemplateAuthFailed,
-		},
-		{
-			isValid:       v.validateRunInstancesAuthorization,
-			failureReason: ConditionReasonRunInstancesAuthFailed,
-		},
+	for _, isValid := range []validatorFunc{
+		v.validateCreateFleetAuthorization,
+		v.validateCreateLaunchTemplateAuthorization,
+		v.validateRunInstancesAuthorization,
 	} {
-		if ok, err := val.isValid(ctx, nodeClass, nodeClaim, tags); err != nil {
+		if failureReason, err := isValid(ctx, nodeClass, nodeClaim, tags); err != nil {
 			return reconcile.Result{}, err
-		} else if !ok {
-			v.cache.SetDefault(v.cacheKey(nodeClass), val.failureReason)
+		} else if failureReason != "" {
+			v.cache.SetDefault(v.cacheKey(nodeClass), failureReason)
 			nodeClass.StatusConditions().SetFalse(
 				v1.ConditionTypeValidationSucceeded,
-				val.failureReason,
-				ValidationConditionMessages[val.failureReason],
+				failureReason,
+				ValidationConditionMessages[failureReason],
 			)
 			return reconcile.Result{}, nil
 		}
@@ -149,55 +142,55 @@ func (v *Validation) Reconcile(ctx context.Context, nodeClass *v1.EC2NodeClass)
 	return reconcile.Result{}, nil
 }
 
-type validatorFunc func(context.Context, *v1.EC2NodeClass, *karpv1.NodeClaim, map[string]string) (bool, error)
+type validatorFunc func(context.Context, *v1.EC2NodeClass, *karpv1.NodeClaim, map[string]string) (string, error)
 
 func (v *Validation) validateCreateFleetAuthorization(
 	ctx context.Context,
 	nodeClass *v1.EC2NodeClass,
 	_ *karpv1.NodeClaim,
 	tags map[string]string,
-) (bool, error) {
+) (reason string, err error) {
 	createFleetInput := instance.GetCreateFleetInput(nodeClass, string(karpv1.CapacityTypeOnDemand), tags, mockLaunchTemplateConfig())
 	createFleetInput.DryRun = aws.Bool(true)
 	if _, err := v.ec2api.CreateFleet(ctx, createFleetInput); awserrors.IgnoreDryRunError(err) != nil {
 		if awserrors.IgnoreUnauthorizedOperationError(err) != nil {
 			// Dry run should only ever return UnauthorizedOperation or DryRunOperation so if we receive any other error
 			// it would be an unexpected state
-			return false, err
+			return "", err
 		}
-		return false, nil
+		return ConditionReasonCreateFleetAuthFailed, nil
 	}
-	return true, nil
+	return "", nil
 }
 
 func (v *Validation) validateCreateLaunchTemplateAuthorization(
 	ctx context.Context,
 	nodeClass *v1.EC2NodeClass,
 	nodeClaim *karpv1.NodeClaim,
 	tags map[string]string,
-) (bool, error) {
+) (reason string, err error) {
 	createLaunchTemplateInput := launchtemplate.GetCreateLaunchTemplateInput(ctx, mockOptions(*nodeClaim, nodeClass, tags), corev1.IPv4Protocol, "")
 	createLaunchTemplateInput.DryRun = aws.Bool(true)
 	if _, err := v.ec2api.CreateLaunchTemplate(ctx, createLaunchTemplateInput); awserrors.IgnoreDryRunError(err) != nil {
 		if awserrors.IgnoreUnauthorizedOperationError(err) != nil {
 			// Dry run should only ever return UnauthorizedOperation or DryRunOperation so if we receive any other error
 			// it would be an unexpected state
-			return false, fmt.Errorf("validating ec2:CreateLaunchTemplates authorization, %w", err)
+			return "", fmt.Errorf("validating ec2:CreateLaunchTemplates authorization, %w", err)
 		}
-		return false, nil
+		return ConditionReasonCreateLaunchTemplateAuthFailed, nil
 	}
-	return true, nil
+	return "", nil
 }
 
 func (v *Validation) validateRunInstancesAuthorization(
 	ctx context.Context,
 	nodeClass *v1.EC2NodeClass,
 	nodeClaim *karpv1.NodeClaim,
 	tags map[string]string,
-) (bool, error) {
+) (reason string, err error) {
 	// NOTE: Since we've already validated the AMI status condition is true, this should never occur
 	if len(nodeClass.Status.AMIs) == 0 {
-		return false, fmt.Errorf("no resolved amis in status")
+		return "", fmt.Errorf("no resolved amis in status")
 	}
 
 	var instanceType ec2types.InstanceType
@@ -243,11 +236,20 @@ func (v *Validation) validateRunInstancesAuthorization(
 		if awserrors.IgnoreUnauthorizedOperationError(err) != nil {
 			// Dry run should only ever return UnauthorizedOperation or DryRunOperation so if we receive any other error
 			// it would be an unexpected state
-			return false, fmt.Errorf("validating ec2:RunInstances authorization, %w", err)
+			return "", fmt.Errorf("validating ec2:RunInstances authorization, %w", err)
 		}
-		return false, nil
+		return ConditionReasonRunInstancesAuthFailed, nil
+	}
+	return "", nil
+}
+
+func (*Validation) requiredConditions() []string {
+	return []string{
+		v1.ConditionTypeAMIsReady,
+		v1.ConditionTypeInstanceProfileReady,
+		v1.ConditionTypeSecurityGroupsReady,
+		v1.ConditionTypeSubnetsReady,
 	}
-	return true, nil
 }
 
 func (*Validation) cacheKey(nodeClass *v1.EC2NodeClass) string {
diff --git a/pkg/controllers/nodeclass/validation_test.go b/pkg/controllers/nodeclass/validation_test.go
@@ -21,6 +21,7 @@ import (
 	"github.com/aws/smithy-go"
 
 	v1 "github.com/aws/karpenter-provider-aws/pkg/apis/v1"
+	"github.com/aws/karpenter-provider-aws/pkg/controllers/nodeclass"
 	"github.com/aws/karpenter-provider-aws/pkg/fake"
 	"github.com/aws/karpenter-provider-aws/pkg/test"
 
@@ -63,6 +64,7 @@ var _ = Describe("NodeClass Validation Status Controller", func() {
 			Expect(err).To(HaveOccurred())
 			nodeClass = ExpectExists(ctx, env.Client, nodeClass)
 			Expect(nodeClass.StatusConditions().Get(v1.ConditionTypeValidationSucceeded).IsFalse()).To(BeTrue())
+			Expect(nodeClass.StatusConditions().Get(v1.ConditionTypeValidationSucceeded).Reason).To(Equal("TagValidationFailed"))
 			Expect(nodeClass.StatusConditions().Get(status.ConditionReady).IsFalse()).To(BeTrue())
 			Expect(nodeClass.StatusConditions().Get(status.ConditionReady).Message).To(Equal("ValidationSucceeded=False"))
 		},
@@ -84,31 +86,29 @@ var _ = Describe("NodeClass Validation Status Controller", func() {
 	})
 	Context("Authorization Validation", func() {
 		DescribeTable("NodeClass validation failure conditions",
-			func(setupFn func()) {
+			func(setupFn func(), reason string) {
 				ExpectApplied(ctx, env.Client, nodeClass)
 				setupFn()
 				ExpectObjectReconciled(ctx, env.Client, controller, nodeClass)
 				nodeClass = ExpectExists(ctx, env.Client, nodeClass)
 				Expect(nodeClass.StatusConditions().Get(v1.ConditionTypeValidationSucceeded).IsFalse()).To(BeTrue())
+				Expect(nodeClass.StatusConditions().Get(v1.ConditionTypeValidationSucceeded).Reason).To(Equal(reason))
 			},
-			Entry("should update status condition as NotReady when CreateFleet unauthorized",
-				func() {
-					awsEnv.EC2API.CreateFleetBehavior.Error.Set(&smithy.GenericAPIError{
-						Code: "UnauthorizedOperation",
-					}, fake.MaxCalls(1))
-				}),
-			Entry("should update status condition as NotReady when RunInstances unauthorized",
-				func() {
-					awsEnv.EC2API.RunInstancesBehavior.Error.Set(&smithy.GenericAPIError{
-						Code: "UnauthorizedOperation",
-					}, fake.MaxCalls(1))
-				}),
-			Entry("should update status condition as NotReady when CreateLaunchTemplate unauthorized",
-				func() {
-					awsEnv.EC2API.CreateLaunchTemplateBehavior.Error.Set(&smithy.GenericAPIError{
-						Code: "UnauthorizedOperation",
-					}, fake.MaxCalls(1))
-				}),
+			Entry("should update status condition as NotReady when CreateFleet unauthorized", func() {
+				awsEnv.EC2API.CreateFleetBehavior.Error.Set(&smithy.GenericAPIError{
+					Code: "UnauthorizedOperation",
+				}, fake.MaxCalls(1))
+			}, nodeclass.ConditionReasonCreateFleetAuthFailed),
+			Entry("should update status condition as NotReady when RunInstances unauthorized", func() {
+				awsEnv.EC2API.RunInstancesBehavior.Error.Set(&smithy.GenericAPIError{
+					Code: "UnauthorizedOperation",
+				}, fake.MaxCalls(1))
+			}, nodeclass.ConditionReasonRunInstancesAuthFailed),
+			Entry("should update status condition as NotReady when CreateLaunchTemplate unauthorized", func() {
+				awsEnv.EC2API.CreateLaunchTemplateBehavior.Error.Set(&smithy.GenericAPIError{
+					Code: "UnauthorizedOperation",
+				}, fake.MaxCalls(1))
+			}, nodeclass.ConditionReasonCreateLaunchTemplateAuthFailed),
 		)
 
 		It("should update status condition as Ready when authorized", func() {
