gbenhaim
Member

I observed that syncing the Kyverno policy for creating LocalQueue can have a great delay if it starts before the LocalQueue CRD is installed on the cluster.

Add a PreSync hook that will delay the sync of the policies until the LocalQueue CRD is installed on the cluster.

Assisted-By: Cursor


openshift-ci bot commented Sep 29, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gbenhaim

Contributor

🤖 Hi @gbenhaim, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

@gbenhaim
Member Author

@gemini-cli /review

gbenhaim force-pushed the check-for-local-q branch 3 times, most recently from 19220a8 to cb8c692 on September 29, 2025 07:35

I observed that syncing the Kyverno policy for creating LocalQueue
can have a great delay if it starts before the LocalQueue CRD is installed
on the cluster.

Add a PreSync hook that will delay the sync of the policies until
the LocalQueue CRD is installed on the cluster.

Assisted-By: Cursor
Signed-off-by: Gal Ben Haim <[email protected]>
Comment on lines +59 to +96
command:
- /bin/bash
- -c
- |
set -e

echo "Starting CRD check..."

# Configuration
TIMEOUT=300 # 5 minutes timeout
INTERVAL=10 # Check every 10 seconds
START_TIME=$(date +%s)

# Define CRDs to check
CRDS=(
"localqueues.kueue.x-k8s.io"
)

echo "Checking if required CRDs exist..."

# Check all CRDs with global timeout
while ! oc get crd "${CRDS[@]}"; do
CURRENT_TIME=$(date +%s)
ELAPSED=$((CURRENT_TIME - START_TIME))

if [ $ELAPSED -gt $TIMEOUT ]; then
echo "ERROR: Global timeout reached (${TIMEOUT}s). Required CRDs not found."
echo "Missing CRDs: ${CRDS[*]}"
exit 1
fi

echo "Required CRDs not found yet. Waiting ${INTERVAL}s... (${ELAPSED}s/${TIMEOUT}s elapsed)"
sleep $INTERVAL
done

echo "SUCCESS: All required CRDs found!"
echo "Pre-sync hook completed successfully."
exit 0
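
Review bot: In the `while ! oc get crd "${CRDS[@]}"` loop, every non-zero exit from `oc` is treated as "CRD not installed yet", so a Forbidden response for the hook's service account or an unreachable API server is retried for the full `TIMEOUT` and then reported as "Required CRDs not found", which points the operator at the wrong cause. Consider capturing stderr and exiting immediately unless the error is NotFound. Two smaller points on the same lines: `oc get` succeeding only shows that the CRD object exists, so a follow-up `oc wait --for=condition=Established crd ...` would confirm the API is being served before the policies sync; and `[ $ELAPSED -gt $TIMEOUT ]` and `sleep $INTERVAL` should quote their expansions.
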
Member

To simplify this logic, I'd suggest to:

  • use kubectl wait --for=create instead of polling on get
  • scope to just a single CustomResourceDefinition
  • take TIMEOUT and CRD from configuration
Suggested change
command:
- /bin/bash
- -c
- |
set -e
echo "Starting CRD check..."
# Configuration
TIMEOUT=300 # 5 minutes timeout
INTERVAL=10 # Check every 10 seconds
START_TIME=$(date +%s)
# Define CRDs to check
CRDS=(
"localqueues.kueue.x-k8s.io"
)
echo "Checking if required CRDs exist..."
# Check all CRDs with global timeout
while ! oc get crd "${CRDS[@]}"; do
CURRENT_TIME=$(date +%s)
ELAPSED=$((CURRENT_TIME - START_TIME))
if [ $ELAPSED -gt $TIMEOUT ]; then
echo "ERROR: Global timeout reached (${TIMEOUT}s). Required CRDs not found."
echo "Missing CRDs: ${CRDS[*]}"
exit 1
fi
echo "Required CRDs not found yet. Waiting ${INTERVAL}s... (${ELAPSED}s/${TIMEOUT}s elapsed)"
sleep $INTERVAL
done
echo "SUCCESS: All required CRDs found!"
echo "Pre-sync hook completed successfully."
exit 0
env:
- name: CRD
value: localqueues.kueue.x-k8s.io
command:
- /bin/bash
- -c
- |
TIMEOUT=${TIMEOUT:-300} # default to 5 minutes timeout
echo "Checking CRD ${CRD} exists..."
kubectl wait --for=create "${CRD}" --timeout ${TIMEOUT}
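
Review bot: In the replacement script, `--timeout ${TIMEOUT}` passes a bare `300`; `kubectl wait` parses `--timeout` as a duration, so the value needs a unit (`--timeout="${TIMEOUT}s"`), otherwise the command fails on argument parsing and the hook fails before it waits at all. The target `"${CRD}"` also carries no resource type, so `localqueues.kueue.x-k8s.io` is read as a resource type rather than as a CustomResourceDefinition name; `"crd/${CRD}"` names the object. `TIMEOUT` is read with a default but only `CRD` is declared under `env:`, so the "from configuration" intent is only half done.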

Member Author

I don't see that oc (at least the one provided by OCP 4.17) supports wait --for=create

--for='': The condition to wait on: [delete|condition=condition-name[=condition-value]|jsonpath='{JSONPath expression}'=[JSONPath value]]. The default condition-value is true. Condition values are compared after Unicode simple case folding, which is a more general form of case-insensitivity.

Member Author

@gbenhaim gbenhaim Sep 29, 2025

Also, I would like to support checking for the existence of multiple CRDs because I expect that more will come (and I don't think it introduces too much complexity).
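
An added example, not code from this PR or the project: a wait for several CRDs that uses only `oc get` and `oc wait --for=condition=...`, the form listed in the help text quoted in this thread. The function name `wait_for_crds` and its return codes are hypothetical; it assumes `oc` is on the PATH and that the hook's service account may read CustomResourceDefinitions.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not the PR's script).
# Assumes `oc` is on PATH and the caller may get customresourcedefinitions.

# wait_for_crds TIMEOUT INTERVAL CRD...
# Returns 0 when every CRD exists and is Established, 1 on timeout,
# 2 on any error other than NotFound (RBAC denial, API unreachable, ...).
wait_for_crds() {
  local timeout="$1" interval="$2"; shift 2
  local deadline=$(( $(date +%s) + timeout ))
  local crd err left
  for crd in "$@"; do
    # Poll until the CRD object exists; only NotFound is retried.
    until err=$(oc get crd "$crd" -o name 2>&1 >/dev/null); do
      case $err in
        *NotFound*|*"not found"*) ;;
        *) echo "ERROR: cannot query ${crd}: ${err}" >&2; return 2 ;;
      esac
      if [ "$(date +%s)" -ge "$deadline" ]; then
        echo "ERROR: timed out waiting for ${crd}" >&2; return 1
      fi
      sleep "$interval"
    done
    # Existence is not enough: wait until the API server serves the type,
    # using whatever is left of the shared time budget.
    left=$(( deadline - $(date +%s) ))
    [ "$left" -gt 0 ] || left=1
    oc wait --for=condition=Established "crd/${crd}" \
      --timeout="${left}s" >/dev/null || return 1
    echo "OK: ${crd} is established"
  done
}
```

In a hook script it would be called as `wait_for_crds 300 10 localqueues.kueue.x-k8s.io`, with further CRD names appended as they are needed.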

name: kueue-crd-checker
annotations:
argocd.argoproj.io/hook: PreSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
Member

Should we use HookSucceeded instead? It seems to me that with BeforeHookCreation these resources will always be around, just updated before the next wave. I'd rather prefer them to be gone if everything applied correctly

https://argo-cd.readthedocs.io/en/stable/user-guide/sync-waves/#hook-lifecycle-and-cleanup

Member Author

I chose BeforeHookCreation because I use metadata.name. From the docs:

BeforeHookCreation Any existing hook resource is deleted before the new one is created (since v1.3). It is meant to be used with /metadata/name.

@filariow
Member

/test konflux-e2e-v418-optional


openshift-ci bot commented Sep 29, 2025

@gbenhaim: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/konflux-e2e-v418-optional 9e95059 link false /test konflux-e2e-v418-optional
