Move specialized functions into specialized reconcilers

Co-authored-by: Yannik Fuhrmeister <12710254+fuhrmeistery@users.noreply.github.com>

Author: J12934

operator/controllers/execution/scans/hook_reconciler.go

@@ -5,7 +5,14 @@ import (
 	"fmt"
 
 	executionv1 "github.com/secureCodeBox/secureCodeBox-v2-alpha/operator/apis/execution/v1"
+	util "github.com/secureCodeBox/secureCodeBox-v2-alpha/operator/utils"
+	batch "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -170,6 +177,20 @@ func (r *ScanReconciler) executeReadAndWriteHooks(scan *executionv1.Scan) error
 	return nil
 }
 
+func containsJobForHook(jobs *batch.JobList, hook executionv1.ScanCompletionHook) bool {
+	if len(jobs.Items) == 0 {
+		return false
+	}
+
+	for _, job := range jobs.Items {
+		if job.ObjectMeta.Labels["experimental.securecodebox.io/hook-name"] == hook.Name {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (r *ScanReconciler) startReadOnlyHooks(scan *executionv1.Scan) error {
 	ctx := context.Background()
 
@@ -278,3 +299,129 @@ func (r *ScanReconciler) checkIfReadOnlyHookIsCompleted(scan *executionv1.Scan)
 	// Waiting until all are done.
 	return nil
 }
+
+func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook, scan *executionv1.Scan, cliArgs []string) (string, error) {
+	ctx := context.Background()
+
+	serviceAccountName := "scan-completion-hook"
+	if hook.Spec.ServiceAccountName != nil {
+		// Hook uses a custom ServiceAccount
+		serviceAccountName = *hook.Spec.ServiceAccountName
+	} else {
+		// Check and create a serviceAccount for the hook in its namespace, if it doesn't already exist.
+		rules := []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{"execution.experimental.securecodebox.io"},
+				Resources: []string{"scans"},
+				Verbs:     []string{"get"},
+			},
+			{
+				APIGroups: []string{"execution.experimental.securecodebox.io"},
+				Resources: []string{"scans/status"},
+				Verbs:     []string{"get", "patch"},
+			},
+		}
+
+		r.ensureServiceAccountExists(
+			hook.Namespace,
+			serviceAccountName,
+			"ScanCompletionHooks need to access the current scan to view where its results are stored",
+			rules,
+		)
+	}
+
+	standardEnvVars := []corev1.EnvVar{
+		{
+			Name: "NAMESPACE",
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{
+					FieldPath: "metadata.namespace",
+				},
+			},
+		},
+		{
+			Name:  "SCAN_NAME",
+			Value: scan.Name,
+		},
+	}
+
+	// Starting a new job based on the current ReadAndWrite Hook
+	labels := scan.ObjectMeta.DeepCopy().Labels
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	if hook.Spec.Type == executionv1.ReadAndWrite {
+		labels["experimental.securecodebox.io/job-type"] = "read-and-write-hook"
+	} else if hook.Spec.Type == executionv1.ReadOnly {
+		labels["experimental.securecodebox.io/job-type"] = "read-only-hook"
+	}
+	labels["experimental.securecodebox.io/hook-name"] = hook.Name
+
+	var backOffLimit int32 = 3
+	job := &batch.Job{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations:  make(map[string]string),
+			GenerateName: util.TruncateName(fmt.Sprintf("%s-%s", hook.Name, scan.Name)),
+			Namespace:    scan.Namespace,
+			Labels:       labels,
+		},
+		Spec: batch.JobSpec{
+			BackoffLimit: &backOffLimit,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"auto-discovery.experimental.securecodebox.io/ignore": "true",
+					},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: serviceAccountName,
+					RestartPolicy:      corev1.RestartPolicyNever,
+					ImagePullSecrets:   hook.Spec.ImagePullSecrets,
+					Containers: []corev1.Container{
+						{
+							Name:            "hook",
+							Image:           hook.Spec.Image,
+							Args:            cliArgs,
+							Env:             append(hook.Spec.Env, standardEnvVars...),
+							ImagePullPolicy: "IfNotPresent",
+							Resources: corev1.ResourceRequirements{
+								Requests: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("200m"),
+									corev1.ResourceMemory: resource.MustParse("100Mi"),
+								},
+								Limits: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("400m"),
+									corev1.ResourceMemory: resource.MustParse("200Mi"),
+								},
+							},
+						},
+					},
+				},
+			},
+			TTLSecondsAfterFinished: nil,
+		},
+	}
+	if err := ctrl.SetControllerReference(scan, job, r.Scheme); err != nil {
+		r.Log.Error(err, "Unable to set controllerReference on job", "job", job)
+		return "", err
+	}
+
+	if err := r.Create(ctx, job); err != nil {
+		return "", err
+	}
+	return job.Name, nil
+}
+
+func (r *ScanReconciler) updateHookStatus(scan *executionv1.Scan, hookStatus executionv1.HookStatus) error {
+	for i, hook := range scan.Status.ReadAndWriteHookStatus {
+		if hook.HookName == hookStatus.HookName {
+			scan.Status.ReadAndWriteHookStatus[i] = hookStatus
+			break
+		}
+	}
+	if err := r.Status().Update(context.Background(), scan); err != nil {
+		r.Log.Error(err, "unable to update Scan status")
+		return err
+	}
+	return nil
+}

operator/controllers/execution/scans/job.go

@@ -2,18 +2,9 @@ package scancontrollers
 
 import (
 	"context"
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
 
 	executionv1 "github.com/secureCodeBox/secureCodeBox-v2-alpha/operator/apis/execution/v1"
-	util "github.com/secureCodeBox/secureCodeBox-v2-alpha/operator/utils"
 	batch "k8s.io/api/batch/v1"
-	corev1 "k8s.io/api/core/v1"
-	resource "k8s.io/apimachinery/pkg/api/resource"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -72,146 +63,3 @@ func (r *ScanReconciler) checkIfJobIsCompleted(scan *executionv1.Scan, labels cl
 
 	return allJobsCompleted(jobs), nil
 }
-
-func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *executionv1.ScanType) (*batch.Job, error) {
-	filename := filepath.Base(scanType.Spec.ExtractResults.Location)
-	resultUploadURL, err := r.PresignedPutURL(scan.UID, filename)
-	if err != nil {
-		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
-		return nil, err
-	}
-
-	if len(scanType.Spec.JobTemplate.Spec.Template.Spec.Containers) < 1 {
-		return nil, errors.New("ScanType must at least contain one container in which the scanner is running")
-	}
-
-	labels := scan.ObjectMeta.DeepCopy().Labels
-	if labels == nil {
-		labels = make(map[string]string)
-	}
-	labels["experimental.securecodebox.io/job-type"] = "scanner"
-	job := &batch.Job{
-		ObjectMeta: metav1.ObjectMeta{
-			Labels:       labels,
-			GenerateName: util.TruncateName(fmt.Sprintf("scan-%s", scan.Name)),
-			Namespace:    scan.Namespace,
-		},
-		Spec: *scanType.Spec.JobTemplate.Spec.DeepCopy(),
-	}
-
-	podAnnotations := scanType.Spec.JobTemplate.DeepCopy().Annotations
-	if podAnnotations == nil {
-		podAnnotations = make(map[string]string)
-	}
-	podAnnotations["experimental.securecodebox.io/job-type"] = "scanner"
-	job.Spec.Template.Annotations = podAnnotations
-
-	job.Spec.Template.Spec.ServiceAccountName = "lurcher"
-
-	// merging volume definition from ScanType (if existing) with standard results volume
-	if job.Spec.Template.Spec.Containers[0].VolumeMounts == nil || len(job.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
-		job.Spec.Template.Spec.Volumes = []corev1.Volume{}
-	}
-	job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{
-		Name: "scan-results",
-		VolumeSource: corev1.VolumeSource{
-			EmptyDir: &corev1.EmptyDirVolumeSource{},
-		},
-	})
-
-	// merging volume mounts (for the primary scanner container) from ScanType (if existing) with standard results volume mount
-	if job.Spec.Template.Spec.Containers[0].VolumeMounts == nil || len(job.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
-		job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{}
-	}
-	job.Spec.Template.Spec.Containers[0].VolumeMounts = append(
-		job.Spec.Template.Spec.Containers[0].VolumeMounts,
-		corev1.VolumeMount{
-			Name:      "scan-results",
-			MountPath: "/home/securecodebox/",
-		},
-	)
-
-	// Get lurcher image config from env
-	lurcherImage := os.Getenv("LURCHER_IMAGE")
-	if lurcherImage == "" {
-		lurcherImage = "scbexperimental/lurcher:latest"
-	}
-	lurcherPullPolicyRaw := os.Getenv("LURCHER_PULL_POLICY")
-	var lurcherPullPolicy corev1.PullPolicy
-	switch lurcherPullPolicyRaw {
-	case "Always":
-		lurcherPullPolicy = corev1.PullAlways
-	case "IfNotPresent":
-		lurcherPullPolicy = corev1.PullIfNotPresent
-	case "Never":
-		lurcherPullPolicy = corev1.PullNever
-	case "":
-		lurcherPullPolicy = corev1.PullAlways
-	default:
-		return nil, fmt.Errorf("Unknown imagePull Policy for lurcher: %s", lurcherPullPolicyRaw)
-	}
-
-	lurcherSidecar := &corev1.Container{
-		Name:            "lurcher",
-		Image:           lurcherImage,
-		ImagePullPolicy: lurcherPullPolicy,
-		Args: []string{
-			"--container",
-			job.Spec.Template.Spec.Containers[0].Name,
-			"--file",
-			scanType.Spec.ExtractResults.Location,
-			"--url",
-			resultUploadURL,
-		},
-		Env: []corev1.EnvVar{
-			{
-				Name: "NAMESPACE",
-				ValueFrom: &corev1.EnvVarSource{
-					FieldRef: &corev1.ObjectFieldSelector{
-						FieldPath: "metadata.namespace",
-					},
-				},
-			},
-		},
-		Resources: corev1.ResourceRequirements{
-			Requests: corev1.ResourceList{
-				corev1.ResourceCPU:    resource.MustParse("20m"),
-				corev1.ResourceMemory: resource.MustParse("20Mi"),
-			},
-			Limits: corev1.ResourceList{
-				corev1.ResourceCPU:    resource.MustParse("100m"),
-				corev1.ResourceMemory: resource.MustParse("100Mi"),
-			},
-		},
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				Name:      "scan-results",
-				MountPath: "/home/securecodebox/",
-				ReadOnly:  true,
-			},
-		},
-	}
-
-	job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurcherSidecar)
-
-	if err := ctrl.SetControllerReference(scan, job, r.Scheme); err != nil {
-		return nil, err
-	}
-
-	command := append(
-		scanType.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Command,
-		scan.Spec.Parameters...,
-	)
-
-	// Merge Env from ScanTemplate with Env defined in scan
-	job.Spec.Template.Spec.Containers[0].Env = append(
-		job.Spec.Template.Spec.Containers[0].Env,
-		scan.Spec.Env...,
-	)
-
-	// Using command over args
-	job.Spec.Template.Spec.Containers[0].Command = command
-	job.Spec.Template.Spec.Containers[0].Args = nil
-
-	return job, nil
-}