From 0c1d20d5bd193307f73d955efe942030c1348b3a Mon Sep 17 00:00:00 2001
From: Christian Zunker <827818+czunker@users.noreply.github.com>
Date: Mon, 21 Aug 2023 10:08:58 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Enable=20Scan=20API=20also=20for?=
 =?UTF-8?q?=20node=20scanning=20(#844)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 🐛 Enable Scan API also for node scanning
The node GC depends on the Scan API. Because of that we also need to create the Scan API when only node scanning is active.
Fixes https://github.com/mondoohq/server/issues/6267
Signed-off-by: Christian Zunker
---
 Makefile | 5 ++-
 controllers/scanapi/deployment_handler.go | 2 +-
 .../scanapi/deployment_handler_test.go | 42 +++++++++++++++++++
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 716502d86..13fba4442 100644
--- a/Makefile
+++ b/Makefile
@@ -405,10 +405,13 @@ prep/tools/ranger:
 prep/repos:
 test -x cnquery || git clone https://github.com/mondoohq/cnquery.git
+# workaround for now. Needs to be removed as we move to v9
+ cd cnquery && git fetch && git checkout v8
 test -x cnspec || git clone https://github.com/mondoohq/cnspec.git
 prep/repos/update: prep/repos
- cd cnquery; git checkout main && git pull; cd -;
+# workaround for now. Needs to be removed as we move to v9
+ cd cnquery; git fetch; git checkout v8 && git pull; cd -;
 cd cnspec; git checkout main && git pull; cd -;
 prep/ci/protoc:
diff --git a/controllers/scanapi/deployment_handler.go b/controllers/scanapi/deployment_handler.go
index c6c4a7549..23115bb29 100644
--- a/controllers/scanapi/deployment_handler.go
+++ b/controllers/scanapi/deployment_handler.go
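Review bot: In the `prep/repos/update` recipe the new line `cd cnquery; git fetch; git checkout v8 && git pull; cd -;` joins `git fetch` with `;`, so a failed fetch is ignored and the checkout and pull proceed on whatever refs are already local, while the clone path earlier in the same hunk chains with `&&`; `cd cnquery; git fetch && git checkout v8 && git pull; cd -;` keeps the two paths consistent. Both paths also track the moving `v8` branch rather than a tag or commit, so `prep/repos` is not reproducible and whatever that branch points to at build time ends up in the local toolchain. If the pin is meant as a stopgap, checking out a tag (`git checkout <pinned-v8-tag>`) and naming the removal condition in the comment, e.g. `# TODO(<tracking issue>): drop the v8 pin once the move to v9 lands`, would make it both reproducible and easier to remove later.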
@@ -35,7 +35,7 @@ type DeploymentHandler struct {
 func (n *DeploymentHandler) Reconcile(ctx context.Context) (ctrl.Result, error) {
 // If neither KubernetesResources, nor Admission is enabled, the scan API is not needed.
- if (!n.Mondoo.Spec.KubernetesResources.Enable && !n.Mondoo.Spec.Admission.Enable) ||
+ if (!n.Mondoo.Spec.KubernetesResources.Enable && !n.Mondoo.Spec.Admission.Enable && !n.Mondoo.Spec.Nodes.Enable) ||
 !n.Mondoo.DeletionTimestamp.IsZero() {
 return ctrl.Result{}, n.down(ctx)
 }
diff --git a/controllers/scanapi/deployment_handler_test.go b/controllers/scanapi/deployment_handler_test.go
index 09f0a8253..b69b1ed53 100644
--- a/controllers/scanapi/deployment_handler_test.go
+++ b/controllers/scanapi/deployment_handler_test.go
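Review bot: The comment directly above the changed condition, `// If neither KubernetesResources, nor Admission is enabled, the scan API is not needed.`, is now stale because the condition also keeps the scan API up when only `Nodes.Enable` is set; update it to `// If none of KubernetesResources, Admission or Nodes is enabled, the scan API is not needed (node scanning's GC depends on it).` so the reason for the new term lives next to the code rather than only in the commit message. Reconcile continues past the end of the hunk, so the `n.down(ctx)` teardown branch is the only part this change visibly affects.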
@@ -274,6 +274,48 @@ func (s *DeploymentHandlerSuite) TestReconcile_Create_Admission() {
 s.Equal(*service, ss.Items[0])
 }
+func (s *DeploymentHandlerSuite) TestReconcile_Create_NodeScanning() {
+ s.auditConfig = utils.DefaultAuditConfig("mondoo-operator", false, false, true, false)
+
+ d := s.createDeploymentHandler()
+ result, err := d.Reconcile(s.ctx)
+ s.NoError(err)
+ s.True(result.IsZero())
+
+ tokenSecret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: s.auditConfig.Namespace,
+ Name: TokenSecretName(s.auditConfig.Name),
+ },
+ }
+ s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(tokenSecret), tokenSecret), "Error checking for token secret")
+ // This really should be checking tokenSecret.Data, but the fake kubeClient just takes and stores the objects given to it
+ // and our code populates the Secret through Secret.StringData["token"]
+ s.Contains(tokenSecret.StringData, "token")
+
+ ds := &appsv1.DeploymentList{}
+ s.NoError(d.KubeClient.List(s.ctx, ds))
+ s.Equal(1, len(ds.Items))
+
+ image, err := s.containerImageResolver.CnspecImage(
+ s.auditConfig.Spec.Scanner.Image.Name, s.auditConfig.Spec.Scanner.Image.Tag, false)
+ s.NoError(err)
+
+ deployment := ScanApiDeployment(s.auditConfig.Namespace, image, s.auditConfig, "", false)
+ deployment.ResourceVersion = "1" // Needed because the fake client sets it.
+ s.NoError(ctrl.SetControllerReference(&s.auditConfig, deployment, s.scheme))
+ s.True(k8s.AreDeploymentsEqual(*deployment, ds.Items[0]))
+
+ ss := &corev1.ServiceList{}
+ s.NoError(d.KubeClient.List(s.ctx, ss))
+ s.Equal(1, len(ss.Items))
+
+ service := ScanApiService(d.Mondoo.Namespace, s.auditConfig)
+ service.ResourceVersion = "1" // Needed because the fake client sets it.
+ s.NoError(ctrl.SetControllerReference(&s.auditConfig, service, s.scheme))
+ s.Equal(*service, ss.Items[0])
+}
+
 func (s *DeploymentHandlerSuite) TestDeploy_CreateMissingServiceAccount() {
 ns := "test-ns"
 s.auditConfig = utils.DefaultAuditConfig(ns, false, false, false, true)
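Review bot: The positional booleans in `s.auditConfig = utils.DefaultAuditConfig("mondoo-operator", false, false, true, false)` do not say which feature the test enables, and nothing in `TestReconcile_Create_NodeScanning` records why a node-only configuration must still produce a scan API; a comment on that line such as `// Only node scanning enabled: the scan API must still be created because the node GC depends on it.` ties the test to the condition it guards. The body is otherwise a near-verbatim copy of `TestReconcile_Create_Admission` (whose tail is the hunk's leading context), differing only in those flags, so the two — and any further per-feature variant — would be clearer as one table-driven test over audit-config variants or as a shared helper that asserts the token secret, deployment and service were created. The inverse case (node scanning disabled again, scan API torn down) is not covered here; presumably an existing teardown test could take the extra variant, but that is outside this hunk.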