chore: Use PodTemplates to support ImageJobs

api/v1alpha1/imagejob_types.go

@@ -17,7 +17,6 @@ limitations under the License.
 package v1alpha1
 
 import (
-	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -30,12 +29,6 @@ type Image struct {
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
-// ImageJobSpec defines the desired state of ImageJob.
-type ImageJobSpec struct {
-	// Specifies the job that will be created when executing an ImageJob.
-	JobTemplate v1.PodTemplateSpec `json:"template"`
-}
-
 // JobPhase defines the phase of an ImageJob status.
 type JobPhase string
 
@@ -74,7 +67,6 @@ type ImageJob struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   ImageJobSpec   `json:"spec,omitempty"`
 	Status ImageJobStatus `json:"status,omitempty"`
 }
 

config/rbac/role.yaml

@@ -32,6 +32,18 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - podtemplates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - batch
   resources:

controllers/imagecollector/imagecollector_controller.go

@@ -63,6 +63,7 @@ var (
 	collectorImage         = flag.String("collector-image", "", "collector image, empty value disables collect feature")
 	log                    = logf.Log.WithName("controller").WithValues("process", "imagecollector-controller")
 	repeatPeriod           = flag.Duration("repeat-period", time.Hour*24, "repeat period for collect/scan process")
+	repeatImmediate        = flag.Bool("repeat-immediate", true, "begin collect/scan process immediately")
 	deleteScanFailedImages = flag.Bool("delete-scan-failed-images", true, "whether or not to delete images for which scanning has failed")
 	scannerArgs            = utils.MultiFlag([]string{})
 	collectorArgs          = utils.MultiFlag([]string{})
@@ -154,7 +155,13 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 		return err
 	}
 
-	go func() {
+	delay := *repeatPeriod
+	if *repeatImmediate {
+		delay = 0 * time.Second
+	}
+
+	// runs the provided function after the specified delay
+	_ = time.AfterFunc(delay, func() {
 		log.Info("Queueing first ImageCollector reconcile...")
 		ch <- event.GenericEvent{
 			Object: &eraserv1alpha1.ImageJob{
@@ -163,13 +170,15 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 				},
 			},
 		}
-		log.Info("Queued first ImageCollector reconcile")
-	}()
+
+		log.Info("...Queued first ImageCollector reconcile")
+	})
 
 	return nil
 }
 
 //+kubebuilder:rbac:groups="batch",resources=jobs,verbs=get;list;create;delete;watch
+//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -233,75 +242,74 @@ func (r *Reconciler) createImageJob(ctx context.Context, req ctrl.Request, argsC
 	scanDisabled := *scannerImage == ""
 	startTime = time.Now()
 
-	job := &eraserv1alpha1.ImageJob{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "imagejob-",
-			Labels: map[string]string{
-				util.ImageJobOwnerLabelKey: ownerLabelValue,
+	jobTemplate := corev1.PodTemplateSpec{
+		Spec: corev1.PodSpec{
+			Volumes: []corev1.Volume{
+				{
+					// EmptyDir default
+					Name: "shared-data",
+				},
 			},
-		},
-		Spec: eraserv1alpha1.ImageJobSpec{
-			JobTemplate: corev1.PodTemplateSpec{
-				Spec: corev1.PodSpec{
-					Volumes: []corev1.Volume{
-						{
-							// EmptyDir default
-							Name: "shared-data",
+			RestartPolicy: corev1.RestartPolicyNever,
+			Containers: []corev1.Container{
+				{
+					Name:            "collector",
+					Image:           *collectorImage,
+					ImagePullPolicy: corev1.PullIfNotPresent,
+					Args:            append(collectorArgs, "--scan-disabled="+strconv.FormatBool(scanDisabled)),
+					VolumeMounts: []corev1.VolumeMount{
+						{MountPath: "/run/eraser.sh/shared-data", Name: "shared-data"},
+					},
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"cpu":    resource.MustParse("7m"),
+							"memory": resource.MustParse("25Mi"),
+						},
+						Limits: corev1.ResourceList{
+							"memory": resource.MustParse("30Mi"),
 						},
 					},
-					RestartPolicy: corev1.RestartPolicyNever,
-					Containers: []corev1.Container{
+				},
+				{
+					Name:            "eraser",
+					Image:           *util.EraserImage,
+					ImagePullPolicy: corev1.PullIfNotPresent,
+					Args:            append(util.EraserArgs, "--log-level="+logger.GetLevel()),
+					VolumeMounts: []corev1.VolumeMount{
+						{MountPath: "/run/eraser.sh/shared-data", Name: "shared-data"},
+					},
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"cpu":    resource.MustParse("7m"),
+							"memory": resource.MustParse("25Mi"),
+						},
+						Limits: corev1.ResourceList{
+							"memory": resource.MustParse("30Mi"),
+						},
+					},
+					SecurityContext: utils.SharedSecurityContext,
+					Env: []corev1.EnvVar{
 						{
-							Name:            "collector",
-							Image:           *collectorImage,
-							ImagePullPolicy: corev1.PullIfNotPresent,
-							Args:            append(collectorArgs, "--scan-disabled="+strconv.FormatBool(scanDisabled)),
-							VolumeMounts: []corev1.VolumeMount{
-								{MountPath: "/run/eraser.sh/shared-data", Name: "shared-data"},
-							},
-							Resources: corev1.ResourceRequirements{
-								Requests: corev1.ResourceList{
-									"cpu":    resource.MustParse("7m"),
-									"memory": resource.MustParse("25Mi"),
-								},
-								Limits: corev1.ResourceList{
-									"memory": resource.MustParse("30Mi"),
-								},
-							},
+							Name:  "OTEL_EXPORTER_OTLP_ENDPOINT",
+							Value: *util.OtlpEndpoint,
 						},
 						{
-							Name:            "eraser",
-							Image:           *util.EraserImage,
-							ImagePullPolicy: corev1.PullIfNotPresent,
-							Args:            append(util.EraserArgs, "--log-level="+logger.GetLevel()),
-							VolumeMounts: []corev1.VolumeMount{
-								{MountPath: "/run/eraser.sh/shared-data", Name: "shared-data"},
-							},
-							Resources: corev1.ResourceRequirements{
-								Requests: corev1.ResourceList{
-									"cpu":    resource.MustParse("7m"),
-									"memory": resource.MustParse("25Mi"),
-								},
-								Limits: corev1.ResourceList{
-									"memory": resource.MustParse("30Mi"),
-								},
-							},
-							SecurityContext: utils.SharedSecurityContext,
-							Env: []corev1.EnvVar{
-								{
-									Name:  "OTEL_EXPORTER_OTLP_ENDPOINT",
-									Value: *util.OtlpEndpoint,
-								},
-								{
-									Name:  "OTEL_SERVICE_NAME",
-									Value: "eraser",
-								},
-							},
+							Name:  "OTEL_SERVICE_NAME",
+							Value: "eraser",
 						},
 					},
-					ServiceAccountName: "eraser-imagejob-pods",
 				},
 			},
+			ServiceAccountName: "eraser-imagejob-pods",
+		},
+	}
+
+	job := &eraserv1alpha1.ImageJob{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "imagejob-",
+			Labels: map[string]string{
+				util.ImageJobOwnerLabelKey: ownerLabelValue,
+			},
 		},
 	}
 
@@ -344,7 +352,7 @@ func (r *Reconciler) createImageJob(ctx context.Context, req ctrl.Request, argsC
 				},
 			},
 		}
-		job.Spec.JobTemplate.Spec.Containers = append(job.Spec.JobTemplate.Spec.Containers, scannerContainer)
+		jobTemplate.Spec.Containers = append(jobTemplate.Spec.Containers, scannerContainer)
 	}
 
 	configmapList := &corev1.ConfigMapList{}
@@ -359,18 +367,35 @@ func (r *Reconciler) createImageJob(ctx context.Context, req ctrl.Request, argsC
 		return reconcile.Result{}, err
 	}
 
-	for i := range job.Spec.JobTemplate.Spec.Containers {
-		job.Spec.JobTemplate.Spec.Containers[i].VolumeMounts = append(job.Spec.JobTemplate.Spec.Containers[i].VolumeMounts, exclusionMount...)
+	for i := range jobTemplate.Spec.Containers {
+		jobTemplate.Spec.Containers[i].VolumeMounts = append(jobTemplate.Spec.Containers[i].VolumeMounts, exclusionMount...)
 	}
 
-	job.Spec.JobTemplate.Spec.Volumes = append(job.Spec.JobTemplate.Spec.Volumes, exclusionVolume...)
+	jobTemplate.Spec.Volumes = append(jobTemplate.Spec.Volumes, exclusionVolume...)
 
 	err = r.Create(ctx, job)
 	if err != nil {
 		log.Info("Could not create collector ImageJob")
 		return reconcile.Result{}, err
 	}
 
+	namespace := utils.GetNamespace()
+	template := corev1.PodTemplate{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      job.GetName(),
+			Namespace: namespace,
+			OwnerReferences: []metav1.OwnerReference{
+				*metav1.NewControllerRef(job, eraserv1alpha1.GroupVersion.WithKind("ImageJob")),
+			},
+		},
+		Template: jobTemplate,
+	}
+	err = r.Create(ctx, &template)
+	if err != nil {
+		log.Info("Could not create collector PodTemplate")
+		return reconcile.Result{}, err
+	}
+
 	log.Info("Successfully created collector ImageJob", "job", job.Name)
 	return reconcile.Result{}, nil
 }