From 116510ada8f829b790aee057f948375d8f8b0ad9 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Tue, 30 Jun 2020 12:35:12 +0200
Subject: [PATCH 1/3] #29 Ensure that the RW Hook wasn't started before starting

---
 operator/controllers/execution/scan_controller.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/operator/controllers/execution/scan_controller.go b/operator/controllers/execution/scan_controller.go
index c15e7cdb..03984e4b 100644
--- a/operator/controllers/execution/scan_controller.go
+++ b/operator/controllers/execution/scan_controller.go
@@ -1135,6 +1135,18 @@ func (r *ScanReconciler) executeReadAndWriteHooks(scan *executionv1.Scan) error
 return err
 }

+ jobs, err := r.getJobsForScan(scan, client.MatchingLabels{
+ "experimental.securecodebox.io/job-type": "read-and-write-hook",
+ "experimental.securecodebox.io/hook-name": nonCompletedHook.HookName,
+ })
+ if err != nil {
+ return err
+ }
+ if len(jobs.Items) > 0 {
+ // Job already exists
+ return nil
+ }
+
 jobName, err := r.createJobForHook(
 &hook,
 scan,
From 346163693984712af06d884d07ab2d5f3cfcfa37 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Tue, 30 Jun 2020 12:48:09 +0200
Subject: [PATCH 2/3] #29 Check if read only hook were already created before starting the job

---
 .../controllers/execution/scan_controller.go | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/operator/controllers/execution/scan_controller.go b/operator/controllers/execution/scan_controller.go
index 03984e4b..30745336 100644
--- a/operator/controllers/execution/scan_controller.go
+++ b/operator/controllers/execution/scan_controller.go
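Review bot: The new guard lists existing jobs and then falls through to createJobForHook, which is not atomic: if getJobsForScan reads through the manager's cached client (I cannot see its implementation), a job created by the previous reconcile can still be absent from `jobs.Items` and a second job is created anyway, which is exactly the duplicate this commit tries to prevent. If the job name produced by createJobForHook is deterministic per scan and hook, the cheap backstop is to also treat an AlreadyExists from the create as success, e.g. `if err != nil && apierrors.IsAlreadyExists(err) { return nil }` right after the create call (k8s apimachinery's errors package). Note also that `return nil` on `len(jobs.Items) > 0` treats a failed job the same as a running or finished one, so a failed hook job is never re-created from here; if that is intended, make it explicit with `// A job for this hook already exists (running, finished or failed); completion is tracked elsewhere, so never create a second one.` The selector uses nonCompletedHook.HookName while the create uses &hook, both defined outside the hunk, so I assume they describe the same hook. executeReadAndWriteHooks starts and ends outside this hunk.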
@@ -726,7 +726,22 @@ func (r *ScanReconciler) startReadOnlyHooks(scan *executionv1.Scan) error {
 rules,
 )

+ // Get all read-only-hooks for scan to later check that they weren't already created
+ jobs, err := r.getJobsForScan(scan, client.MatchingLabels{
+ "experimental.securecodebox.io/job-type": "read-only-hook",
+ })
+ if err != nil {
+ return err
+ }
+
 for _, hook := range readOnlyHooks {
+ // Check if hook was already executed
+ if containsJobForHook(jobs, hook) == true {
+ r.Log.V(4).Info("Skipping creation of job for hook '%s' as it already exists", hook.Name)
+ // Job was already created
+ continue
+ }
+
 rawFileURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile)
 if err != nil {
 return err
@@ -758,6 +773,20 @@ func (r *ScanReconciler) startReadOnlyHooks(scan *executionv1.Scan) error {
 return nil
 }

+func containsJobForHook(jobs *batch.JobList, hook executionv1.ScanCompletionHook) bool {
+ if len(jobs.Items) == 0 {
+ return false
+ }
+
+ for _, job := range jobs.Items {
+ if job.ObjectMeta.Labels["experimental.securecodebox.io/hook-name"] == hook.Name {
+ return true
+ }
+ }
+
+ return false
+}
+
 func (r *ScanReconciler) checkIfReadOnlyHookIsCompleted(scan *executionv1.Scan) error {
 ctx := context.Background()
 readOnlyHookCompletion, err := r.checkIfJobIsCompleted(scan, client.MatchingLabels{"experimental.securecodebox.io/job-type": "read-only-hook"})
From b0ceaa7c086fc7b6cc4bfc243a91557ca4ca8528 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Date: Tue, 30 Jun 2020 12:59:36 +0200
Subject: [PATCH 3/3] #29 Remove duplicated code

---
 operator/controllers/execution/scan_controller.go | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/operator/controllers/execution/scan_controller.go b/operator/controllers/execution/scan_controller.go
index 30745336..9af4e47b 100644
--- a/operator/controllers/execution/scan_controller.go
+++ b/operator/controllers/execution/scan_controller.go
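Review bot: The log call on the new skip branch misuses the logger: if r.Log is a logr.Logger, as the `V(4).Info` chain suggests, `Info` takes a message plus key/value pairs, so `'%s'` is never interpolated and the lone `hook.Name` is an odd-length key/value list that logr backends report as a malformed call rather than printing the hook name. Write it as `r.Log.V(4).Info("Skipping creation of job for hook as it already exists", "hook", hook.Name)`. While there, `if containsJobForHook(jobs, hook) == true {` should drop the redundant `== true`. The check matches on the hook-name label only, so two read-only hooks that share a Name within one Scan would skip each other; if hook names are not validated for uniqueness where readOnlyHooks is built (outside this hunk), that deserves a comment or an upstream check. startReadOnlyHooks starts and ends outside this hunk.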
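Review bot: containsJobForHook has no doc comment, and its contract is narrower than the name suggests: it compares only the hook-name label, relies on the caller having already filtered jobs by scan and job-type, and reports any matching job as present, including a failed one. I would add `// containsJobForHook reports whether jobs (already filtered to this scan's read-only-hook jobs) holds a job labelled with hook.Name; a failed job still counts, so callers must not use it to decide retries.` The `len(jobs.Items) == 0` early return is redundant because ranging over an empty slice is a no-op, and a nil jobs pointer would panic on that very line, so either drop the guard or make it `if jobs == nil { return false }`. checkIfReadOnlyHookIsCompleted continues past the end of the hunk.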
@@ -711,21 +711,6 @@ func (r *ScanReconciler) startReadOnlyHooks(scan *executionv1.Scan) error {
 return nil
 }

- rules := []rbacv1.PolicyRule{
- {
- APIGroups: []string{"execution.experimental.securecodebox.io"},
- Resources: []string{"scans"},
- Verbs: []string{"get", "create", "list"},
- },
- }
- serviceAccountName := "scan-completion-hook"
- r.ensureServiceAccountExists(
- scan.Namespace,
- serviceAccountName,
- "ScanCompletionHooks need to access the current scan to view where its results are stored",
- rules,
- )
-
 // Get all read-only-hooks for scan to later check that they weren't already created
 jobs, err := r.getJobsForScan(scan, client.MatchingLabels{
 "experimental.securecodebox.io/job-type": "read-only-hook",