🐛 Enable Scan API also for node scanning

The node GC depends on the Scan API. Because of that we also need to create the Scan API when only node scanning is active. Fixes mondoohq/server#6267 Signed-off-by: Christian Zunker <[email protected]>
mondoohq · Aug 21, 2023 · 820e32e · 820e32e
1 parent e0af85c
commit 820e32e
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/controllers/scanapi/deployment_handler.go b/controllers/scanapi/deployment_handler.go
@@ -35,7 +35,7 @@ type DeploymentHandler struct {
 
 func (n *DeploymentHandler) Reconcile(ctx context.Context) (ctrl.Result, error) {
 	// If neither KubernetesResources, nor Admission is enabled, the scan API is not needed.
-	if (!n.Mondoo.Spec.KubernetesResources.Enable && !n.Mondoo.Spec.Admission.Enable) ||
+	if (!n.Mondoo.Spec.KubernetesResources.Enable && !n.Mondoo.Spec.Admission.Enable && !n.Mondoo.Spec.Nodes.Enable) ||
 		!n.Mondoo.DeletionTimestamp.IsZero() {
 		return ctrl.Result{}, n.down(ctx)
 	}

diff --git a/controllers/scanapi/deployment_handler_test.go b/controllers/scanapi/deployment_handler_test.go
@@ -274,6 +274,48 @@ func (s *DeploymentHandlerSuite) TestReconcile_Create_Admission() {
 	s.Equal(*service, ss.Items[0])
 }
 
+func (s *DeploymentHandlerSuite) TestReconcile_Create_NodeScanning() {
+	s.auditConfig = utils.DefaultAuditConfig("mondoo-operator", false, false, true, false)
+
+	d := s.createDeploymentHandler()
+	result, err := d.Reconcile(s.ctx)
+	s.NoError(err)
+	s.True(result.IsZero())
+
+	tokenSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: s.auditConfig.Namespace,
+			Name:      TokenSecretName(s.auditConfig.Name),
+		},
+	}
+	s.NoError(d.KubeClient.Get(s.ctx, client.ObjectKeyFromObject(tokenSecret), tokenSecret), "Error checking for token secret")
+	// This really should be checking tokenSecret.Data, but the fake kubeClient just takes and stores the objects given to it
+	// and our code populates the Secret through Secret.StringData["token"]
+	s.Contains(tokenSecret.StringData, "token")
+
+	ds := &appsv1.DeploymentList{}
+	s.NoError(d.KubeClient.List(s.ctx, ds))
+	s.Equal(1, len(ds.Items))
+
+	image, err := s.containerImageResolver.CnspecImage(
+		s.auditConfig.Spec.Scanner.Image.Name, s.auditConfig.Spec.Scanner.Image.Tag, false)
+	s.NoError(err)
+
+	deployment := ScanApiDeployment(s.auditConfig.Namespace, image, s.auditConfig, "", false)
+	deployment.ResourceVersion = "1" // Needed because the fake client sets it.
+	s.NoError(ctrl.SetControllerReference(&s.auditConfig, deployment, s.scheme))
+	s.True(k8s.AreDeploymentsEqual(*deployment, ds.Items[0]))
+
+	ss := &corev1.ServiceList{}
+	s.NoError(d.KubeClient.List(s.ctx, ss))
+	s.Equal(1, len(ss.Items))
+
+	service := ScanApiService(d.Mondoo.Namespace, s.auditConfig)
+	service.ResourceVersion = "1" // Needed because the fake client sets it.
+	s.NoError(ctrl.SetControllerReference(&s.auditConfig, service, s.scheme))
+	s.Equal(*service, ss.Items[0])
+}
+
 func (s *DeploymentHandlerSuite) TestDeploy_CreateMissingServiceAccount() {
 	ns := "test-ns"
 	s.auditConfig = utils.DefaultAuditConfig(ns, false, false, false, true)