Add --scan-report-ttl-after-outdated flag (#27)

Signed-off-by: Arnob Kumar Saha <[email protected]>
kubeops · Apr 12, 2023 · a98cd82 · a98cd82
1 parent c9d2306
commit a98cd82
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 10 deletions.
diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
@@ -105,6 +105,7 @@ type ExtraConfig struct {
 	TrivyDBCacherImage   string
 	FileServerAddr       string
 	ScanRequestTTLPeriod time.Duration
+	ScanReportTTLPeriod  time.Duration
 }
 
 func (c ExtraConfig) LicenseProvided() bool {
@@ -179,7 +180,8 @@ func (c completedConfig) New(ctx context.Context) (*ScannerServer, error) {
 		ClientDisableCacheFor: []client.Object{
 			&core.Pod{},
 		},
-		NewClient: cu.NewClient,
+		NewClient:  cu.NewClient,
+		SyncPeriod: &c.ExtraConfig.ResyncPeriod,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("unable to start manager, reason: %v", err)
@@ -241,6 +243,7 @@ func (c completedConfig) New(ctx context.Context) (*ScannerServer, error) {
 		Client:        mgr.GetClient(),
 		Scheme:        mgr.GetScheme(),
 		FileServerDir: c.ExtraConfig.FileServerFilesDir,
+		ReportTTL:     c.ExtraConfig.ScanReportTTLPeriod,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ImageScanReport")
 		os.Exit(1)

diff --git a/pkg/cmds/server/options.go b/pkg/cmds/server/options.go
@@ -51,6 +51,7 @@ type ExtraOptions struct {
 	ScanInCluster      bool
 
 	ScanRequestTTLPeriod time.Duration
+	ScanReportTTLPeriod  time.Duration
 }
 
 func NewExtraOptions() *ExtraOptions {
@@ -63,6 +64,7 @@ func NewExtraOptions() *ExtraOptions {
 		FileServerFilesDir:   "/var/data/files",
 		TrivyImage:           "aquasec/trivy",
 		ScanRequestTTLPeriod: time.Hour * 12,
+		ScanReportTTLPeriod:  time.Hour * 168,
 	}
 }
 
@@ -86,6 +88,7 @@ func (s *ExtraOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.BoolVar(&s.ScanInCluster, "scan-public-image-incluster", s.ScanInCluster, "If true public images will be scanned in cluster. Set true for air-gaped cluster")
 
 	fs.DurationVar(&s.ScanRequestTTLPeriod, "scan-request-ttl-after-finished", s.ScanRequestTTLPeriod, "ImageScanRequest older than this period will be garbage collected")
+	fs.DurationVar(&s.ScanReportTTLPeriod, "scan-report-ttl-after-outdated", s.ScanReportTTLPeriod, "Outdated ImageScanReport older than this period will be garbage collected")
 }
 
 func (s *ExtraOptions) ApplyTo(cfg *apiserver.ExtraConfig) error {
@@ -103,6 +106,7 @@ func (s *ExtraOptions) ApplyTo(cfg *apiserver.ExtraConfig) error {
 	cfg.ClientConfig.Burst = s.Burst
 	cfg.ResyncPeriod = s.ResyncPeriod
 	cfg.ScanRequestTTLPeriod = s.ScanRequestTTLPeriod
+	cfg.ScanReportTTLPeriod = s.ScanReportTTLPeriod
 
 	var err error
 	if cfg.KubeClient, err = kubernetes.NewForConfig(cfg.ClientConfig); err != nil {

diff --git a/pkg/controllers/scanreport/controller.go b/pkg/controllers/scanreport/controller.go
@@ -18,6 +18,7 @@ package scanreport
 
 import (
 	"context"
+	"time"
 
 	api "kubeops.dev/scanner/apis/scanner/v1alpha1"
 	"kubeops.dev/scanner/pkg/fileserver"
@@ -34,17 +35,9 @@ type ImageScanReportReconciler struct {
 	client.Client
 	Scheme        *runtime.Scheme
 	FileServerDir string
+	ReportTTL     time.Duration
 }
 
-// Reconcile is part of the main kubernetes reconciliation loop which aims to
-// move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the ImageScanReport object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
-//
-// For more details, check Reconcile and its Result here:
-// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *ImageScanReportReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := log.FromContext(ctx)
 
@@ -65,6 +58,13 @@ func (r *ImageScanReportReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	if dbTimestamp.After(isrp.Status.Version.VulnerabilityDB.UpdatedAt.Time) {
 		status.Phase = api.ImageScanReportPhaseOutdated
+		later := isrp.CreationTimestamp.Time
+		if isrp.CreationTimestamp.Time.Before(isrp.Status.Version.VulnerabilityDB.UpdatedAt.Time) {
+			later = isrp.Status.Version.VulnerabilityDB.UpdatedAt.Time
+		}
+		if time.Since(later) >= r.ReportTTL {
+			return ctrl.Result{}, r.Delete(ctx, &isrp)
+		}
 	} else {
 		status.Phase = api.ImageScanReportPhaseCurrent
 	}