refactor: separate scan job with different reconciler (#727)

* refactor: separate scan job with different reconciler

Signed-off-by: chenk <hen.keinan@gmail.com>

* refactor: separate scan job with different reconciler

Signed-off-by: chenk <hen.keinan@gmail.com>

* refactor: separate scan job with different reconciler

Signed-off-by: chenk <hen.keinan@gmail.com>

* refactor: separate scan job with different reconciler

Signed-off-by: chenk <hen.keinan@gmail.com>

* refactor: separate scan job with different reconciler

Signed-off-by: chenk <hen.keinan@gmail.com>

Signed-off-by: chenk <hen.keinan@gmail.com>

pkg/operator/operator.go

@@ -19,6 +19,7 @@ import (
 	"github.com/aquasecurity/trivy-operator/pkg/rbacassessment"
 	"github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
 	"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport"
+	vcontroller "github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport/controller"
 	"github.com/aquasecurity/trivy-operator/pkg/webhook"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
@@ -163,14 +164,13 @@ func Start(ctx context.Context, buildInfo trivyoperator.BuildInfo, operatorConfi
 			return fmt.Errorf("initializing %s plugin: %w", pluginContext.GetName(), err)
 		}
 
-		if err = (&vulnerabilityreport.WorkloadController{
+		if err = (&vcontroller.WorkloadController{
 			Logger:                  ctrl.Log.WithName("reconciler").WithName("vulnerabilityreport"),
 			Config:                  operatorConfig,
 			ConfigData:              trivyOperatorConfig,
 			Client:                  mgr.GetClient(),
 			ObjectResolver:          objectResolver,
 			LimitChecker:            limitChecker,
-			LogsReader:              logsReader,
 			SecretsReader:           secretsReader,
 			Plugin:                  plugin,
 			PluginContext:           pluginContext,
@@ -180,6 +180,20 @@ func Start(ctx context.Context, buildInfo trivyoperator.BuildInfo, operatorConfi
 			return fmt.Errorf("unable to setup vulnerabilityreport reconciler: %w", err)
 		}
 
+		if err = (&vcontroller.ScanJobController{
+			Logger:                  ctrl.Log.WithName("reconciler").WithName("scan job"),
+			Config:                  operatorConfig,
+			ConfigData:              trivyOperatorConfig,
+			ObjectResolver:          objectResolver,
+			LogsReader:              logsReader,
+			Plugin:                  plugin,
+			PluginContext:           pluginContext,
+			VulnerabilityReadWriter: vulnerabilityreport.NewReadWriter(&objectResolver),
+			ExposedSecretReadWriter: exposedsecretreport.NewReadWriter(&objectResolver),
+		}).SetupWithManager(mgr); err != nil {
+			return fmt.Errorf("unable to setup scan job  reconciler: %w", err)
+		}
+
 		if operatorConfig.ScannerReportTTL != nil {
 			if err = (&TTLReportReconciler{
 				Logger: ctrl.Log.WithName("reconciler").WithName("ttlreport"),

pkg/trivyoperator/config.go

@@ -87,10 +87,10 @@ type ConfigManager interface {
 // GetDefaultConfig returns the default configuration settings.
 func GetDefaultConfig() ConfigData {
 	return map[string]string{
-		keyVulnerabilityReportsScanner: "Trivy",
-		keyConfigAuditReportsScanner:   "Trivy",
-		KeyScanJobcompressLogs:         "true",
-		"compliance.failEntriesLimit":  "10",
+		keyVulnerabilityReportsScanner:  "Trivy",
+		keyConfigAuditReportsScanner:    "Trivy",
+		KeyScanJobcompressLogs:          "true",
+		"compliance.failEntriesLimit":   "10",
 		KeyReportRecordFailedChecksOnly: "true",
 	}
 }

pkg/vulnerabilityreport/controller/helper.go

@@ -0,0 +1,72 @@
+package controller
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/aquasecurity/trivy-operator/pkg/exposedsecretreport"
+	"github.com/aquasecurity/trivy-operator/pkg/kube"
+	"github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
+	"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport"
+)
+
+func hasReports(ctx context.Context, esReadWriter exposedsecretreport.ReadWriter, vulnReadWriter vulnerabilityreport.ReadWriter, owner kube.ObjectRef, hash string, images kube.ContainerImages) (bool, error) {
+	hasVulnerabilityReports, err := hasVulnerabilityReports(ctx, vulnReadWriter, owner, hash, images)
+	if err != nil {
+		return false, err
+	}
+
+	hasSecretReports, err := hasSecretReports(ctx, esReadWriter, owner, hash, images)
+	if err != nil {
+		return false, err
+	}
+
+	return hasVulnerabilityReports && hasSecretReports, nil
+}
+
+func hasVulnerabilityReports(ctx context.Context, vulnReadWriter vulnerabilityreport.ReadWriter, owner kube.ObjectRef, hash string, images kube.ContainerImages) (bool, error) {
+	// TODO FindByOwner should accept optional label selector to further narrow down search results
+	list, err := vulnReadWriter.FindByOwner(ctx, owner)
+	if err != nil {
+		return false, err
+	}
+
+	actual := map[string]bool{}
+	for _, report := range list {
+		if containerName, ok := report.Labels[trivyoperator.LabelContainerName]; ok {
+			if hash == report.Labels[trivyoperator.LabelResourceSpecHash] {
+				actual[containerName] = true
+			}
+		}
+	}
+
+	return compareReports(actual, images), nil
+}
+
+func hasSecretReports(ctx context.Context, esReadWriter exposedsecretreport.ReadWriter, owner kube.ObjectRef, hash string, images kube.ContainerImages) (bool, error) {
+	// TODO FindByOwner should accept optional label selector to further narrow down search results
+	list, err := esReadWriter.FindByOwner(ctx, owner)
+	if err != nil {
+		return false, err
+	}
+
+	actual := map[string]bool{}
+	for _, report := range list {
+		if containerName, ok := report.Labels[trivyoperator.LabelContainerName]; ok {
+			if hash == report.Labels[trivyoperator.LabelResourceSpecHash] {
+				actual[containerName] = true
+			}
+		}
+	}
+
+	return compareReports(actual, images), nil
+}
+
+func compareReports(actual map[string]bool, images kube.ContainerImages) bool {
+	expected := map[string]bool{}
+	for containerName := range images {
+		expected[containerName] = true
+	}
+
+	return reflect.DeepEqual(actual, expected)
+}