refactor(cli): Use deterministic names for vulnerability scan jobs (#598

)

Signed-off-by: Daniel Pacak <[email protected]>

pkg/operator/controller/vulnerabilityreport.go

@@ -395,11 +395,12 @@ func (r *VulnerabilityReportReconciler) processCompleteScanJob(ctx context.Conte
 		}
 		_ = logsStream.Close()
 
-		report, err := vulnerabilityreport.NewBuilder(r.Client.Scheme()).
-			Owner(ownerObj).
+		report, err := vulnerabilityreport.NewReportBuilder(r.Client.Scheme()).
+			Controller(ownerObj).
 			Container(containerName).
-			Result(scanResult).
-			PodSpecHash(hash).Get()
+			Data(scanResult).
+			PodSpecHash(hash).
+			Get()
 		if err != nil {
 			return err
 		}

pkg/vulnerabilityreport/builder.go

@@ -10,52 +10,53 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/pointer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
-type Builder interface {
-	Owner(owner metav1.Object) Builder
-	Container(name string) Builder
-	PodSpecHash(hash string) Builder
-	Result(result v1alpha1.VulnerabilityScanResult) Builder
-	Get() (v1alpha1.VulnerabilityReport, error)
+func GetScanJobName(obj client.Object) string {
+	return fmt.Sprintf("scan-vulnerabilityreport-%s", kube.ComputeHash(kube.Object{
+		Kind:      kube.Kind(obj.GetObjectKind().GroupVersionKind().Kind),
+		Namespace: obj.GetNamespace(),
+		Name:      obj.GetName(),
+	}))
 }
 
-func NewBuilder(scheme *runtime.Scheme) Builder {
-	return &builder{
-		scheme: scheme,
-	}
-}
-
-type builder struct {
+type ReportBuilder struct {
 	scheme    *runtime.Scheme
 	owner     metav1.Object
 	container string
 	hash      string
 	result    v1alpha1.VulnerabilityScanResult
 }
 
-func (b *builder) Owner(owner metav1.Object) Builder {
+func NewReportBuilder(scheme *runtime.Scheme) *ReportBuilder {
+	return &ReportBuilder{
+		scheme: scheme,
+	}
+}
+
+func (b *ReportBuilder) Controller(owner metav1.Object) *ReportBuilder {
 	b.owner = owner
 	return b
 }
 
-func (b *builder) Container(name string) Builder {
+func (b *ReportBuilder) Container(name string) *ReportBuilder {
 	b.container = name
 	return b
 }
 
-func (b *builder) PodSpecHash(hash string) Builder {
+func (b *ReportBuilder) PodSpecHash(hash string) *ReportBuilder {
 	b.hash = hash
 	return b
 }
 
-func (b *builder) Result(result v1alpha1.VulnerabilityScanResult) Builder {
+func (b *ReportBuilder) Data(result v1alpha1.VulnerabilityScanResult) *ReportBuilder {
 	b.result = result
 	return b
 }
 
-func (b *builder) reportName() (string, error) {
+func (b *ReportBuilder) reportName() (string, error) {
 	kind, err := kube.KindForObject(b.owner, b.scheme)
 	if err != nil {
 		return "", err
@@ -64,7 +65,7 @@ func (b *builder) reportName() (string, error) {
 		b.owner.GetName(), b.container), nil
 }
 
-func (b *builder) Get() (v1alpha1.VulnerabilityReport, error) {
+func (b *ReportBuilder) Get() (v1alpha1.VulnerabilityReport, error) {
 	kind, err := kube.KindForObject(b.owner, b.scheme)
 	if err != nil {
 		return v1alpha1.VulnerabilityReport{}, fmt.Errorf("getting kind for object: %w", err)

pkg/vulnerabilityreport/builder_test.go

@@ -15,16 +15,17 @@ import (
 
 func TestBuilder(t *testing.T) {
 	g := gomega.NewGomegaWithT(t)
-	report, err := vulnerabilityreport.NewBuilder(scheme.Scheme).
-		Owner(&appsv1.ReplicaSet{
+	report, err := vulnerabilityreport.NewReportBuilder(scheme.Scheme).
+		Controller(&appsv1.ReplicaSet{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "some-owner",
 				Namespace: "qa",
 			},
 		}).
 		Container("my-container").
 		PodSpecHash("xyz").
-		Result(v1alpha1.VulnerabilityScanResult{}).Get()
+		Data(v1alpha1.VulnerabilityScanResult{}).
+		Get()
 
 	g.Expect(err).ToNot(gomega.HaveOccurred())
 	g.Expect(report).To(gomega.Equal(v1alpha1.VulnerabilityReport{

pkg/vulnerabilityreport/scanner.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/docker"
-	"github.com/aquasecurity/starboard/pkg/ext"
 	"github.com/aquasecurity/starboard/pkg/kube"
 	"github.com/aquasecurity/starboard/pkg/runner"
 	"github.com/aquasecurity/starboard/pkg/starboard"
@@ -30,7 +29,6 @@ type Scanner struct {
 	logsReader     kube.LogsReader
 	config         starboard.ConfigData
 	opts           kube.ScannerOpts
-	idGenerator    ext.IDGenerator
 	secretsReader  kube.SecretsReader
 }
 
@@ -53,7 +51,6 @@ func NewScanner(
 		objectResolver: &kube.ObjectResolver{Client: client},
 		logsReader:     kube.NewLogsReader(clientset),
 		config:         config,
-		idGenerator:    ext.NewGoogleUUIDGenerator(),
 		secretsReader:  kube.NewSecretsReader(client),
 	}
 }
@@ -84,7 +81,7 @@ func (s *Scanner) Scan(ctx context.Context, workload kube.Object) ([]v1alpha1.Vu
 		return nil, err
 	}
 
-	job, secrets, err := s.prepareScanJob(workload, spec, credentials)
+	job, secrets, err := s.prepareScanJob(owner, spec, credentials)
 	if err != nil {
 		return nil, fmt.Errorf("preparing scan job: %w", err)
 	}
@@ -119,7 +116,7 @@ func (s *Scanner) getCredentials(ctx context.Context, spec corev1.PodSpec, ns st
 	return kube.MapContainerNamesToDockerAuths(kube.GetContainerImagesFromPodSpec(spec), imagePullSecrets)
 }
 
-func (s *Scanner) prepareScanJob(workload kube.Object, spec corev1.PodSpec, credentials map[string]docker.Auth) (*batchv1.Job, []*corev1.Secret, error) {
+func (s *Scanner) prepareScanJob(workload client.Object, spec corev1.PodSpec, credentials map[string]docker.Auth) (*batchv1.Job, []*corev1.Secret, error) {
 	templateSpec, secrets, err := s.plugin.GetScanJobSpec(spec, credentials)
 	if err != nil {
 		return nil, nil, err
@@ -143,15 +140,20 @@ func (s *Scanner) prepareScanJob(workload kube.Object, spec corev1.PodSpec, cred
 		return nil, nil, err
 	}
 
+	labels := map[string]string{
+		starboard.LabelResourceKind:      workload.GetObjectKind().GroupVersionKind().Kind,
+		starboard.LabelResourceName:      workload.GetName(),
+		starboard.LabelResourceNamespace: workload.GetNamespace(),
+		// TODO Add pod-spec-hash or resource-spec-hash
+		starboard.LabelK8SAppManagedBy:            starboard.AppStarboard,
+		starboard.LabelVulnerabilityReportScanner: "true",
+	}
+
 	return &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      s.idGenerator.GenerateID(),
+			Name:      GetScanJobName(workload),
 			Namespace: starboard.NamespaceName,
-			Labels: map[string]string{
-				starboard.LabelResourceKind:      string(workload.Kind),
-				starboard.LabelResourceName:      workload.Name,
-				starboard.LabelResourceNamespace: workload.Namespace,
-			},
+			Labels:    labels,
 			Annotations: map[string]string{
 				starboard.AnnotationContainerImages: containerImagesAsJSON,
 			},
@@ -162,11 +164,7 @@ func (s *Scanner) prepareScanJob(workload kube.Object, spec corev1.PodSpec, cred
 			ActiveDeadlineSeconds: kube.GetActiveDeadlineSeconds(s.opts.ScanJobTimeout),
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
-					Labels: map[string]string{
-						starboard.LabelResourceKind:      string(workload.Kind),
-						starboard.LabelResourceName:      workload.Name,
-						starboard.LabelResourceNamespace: workload.Namespace,
-					},
+					Labels:      labels,
 					Annotations: scanJobAnnotations,
 				},
 				Spec: templateSpec,
@@ -199,12 +197,13 @@ func (s *Scanner) getVulnerabilityReportsByScanJob(ctx context.Context, job *bat
 
 		_ = logsStream.Close()
 
-		report, err := NewBuilder(s.scheme).
-			Owner(owner).
+		report, err := NewReportBuilder(s.scheme).
+			Controller(owner).
 			Container(containerName).
-			Result(result).
+			Data(result).
 			// TODO Add pod template hash like we do in the Operator
-			PodSpecHash("").Get()
+			PodSpecHash("").
+			Get()
 		if err != nil {
 			return nil, err
 		}