
fix: scanjob.customVolumesMount is not applied to the Built-Job (#2241)
* fix: use index instead of `container`.

* add test for builder using custom volumes and mounts

* add a plugin that includes container definitions and use it
takutakahashi authored Jan 11, 2025
1 parent c8712da commit 88064c7
Showing 2 changed files with 159 additions and 4 deletions.
8 changes: 4 additions & 4 deletions pkg/vulnerabilityreport/builder.go
Expand Up @@ -166,11 +166,11 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) {
templateSpec.Volumes = append(templateSpec.Volumes, s.customVolumes...)
}
if len(s.customVolumesMount) > 0 {
for _, container := range templateSpec.Containers {
container.VolumeMounts = append(container.VolumeMounts, s.customVolumesMount...)
for i := range templateSpec.Containers {
templateSpec.Containers[i].VolumeMounts = append(templateSpec.Containers[i].VolumeMounts, s.customVolumesMount...)
}
for _, initContainer := range templateSpec.InitContainers {
initContainer.VolumeMounts = append(initContainer.VolumeMounts, s.customVolumesMount...)
for i := range templateSpec.InitContainers {
templateSpec.InitContainers[i].VolumeMounts = append(templateSpec.InitContainers[i].VolumeMounts, s.customVolumesMount...)
}
}
templateSpec.PriorityClassName = s.podPriorityClassName
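Review bot: The index loops now mutate the real container entries, but they append `s.customVolumesMount` unconditionally to every container and init container, so a custom mount whose mountPath (or name) matches one the plugin already placed on a container produces a pod spec that Kubernetes validation rejects as a duplicate mount, and Get() returns no error for it. Either a small check for an existing mountPath before appending, or at least a comment stating the contract, would make this explicit; for example `// Custom mounts are appended to every container and init container; a path a plugin already mounts will collide at admission.` on the line before the first loop. The enclosing Get() starts and ends outside the hunk.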
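--- a/pkg/vulnerabilityreport/builder_test.go
+++ b/pkg/vulnerabilityreport/builder_test.go
@@ -294,6 +294,133 @@ func TestScanJobBuilder(t *testing.T) {
 },
 }))
 })
+
+t.Run("Shoud set scan job with custom volume and volume mount", func(t *testing.T) {
+g := gomega.NewGomegaWithT(t)
+job, _, err := vulnerabilityreport.NewScanJobBuilder().
+WithPlugin(&testContainersPlugin{}).
+WithPluginContext(trivyoperator.NewPluginContext().
+WithName("test-plugin").
+WithNamespace("trivy-operator-ns").
+WithServiceAccountName("trivy-operator-sa").
+Get()).
+WithTimeout(3 * time.Second).
+WithObject(&appsv1.ReplicaSet{
+TypeMeta: metav1.TypeMeta{
+Kind: "ReplicaSet",
+APIVersion: "apps/v1",
+},
+ObjectMeta: metav1.ObjectMeta{
+Name: "nginx-6799fc88d8",
+Namespace: "prod-ns",
+},
+Spec: appsv1.ReplicaSetSpec{
+Template: corev1.PodTemplateSpec{
+Spec: corev1.PodSpec{
+InitContainers: []corev1.Container{
+{
+Name: "test-init-container",
+Image: "test-init-image",
+},
+},
+
+Containers: []corev1.Container{
+{
+Name: "test-container",
+Image: "test-image",
+},
+},
+},
+},
+Selector: &metav1.LabelSelector{},
+},
+}).
+WithCustomVolumes([]corev1.Volume{
+{
+Name: "test-volume",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
+}).
+WithCustomVolumesMount([]corev1.VolumeMount{
+{
+Name: "test-volume",
+MountPath: "/test-mount-path",
+},
+}).
+Get()
+g.Expect(err).ToNot(gomega.HaveOccurred())
+g.Expect(job).ToNot(gomega.BeNil())
+g.Expect(job).To(gomega.Equal(&batchv1.Job{
+ObjectMeta: metav1.ObjectMeta{
+Name: "scan-vulnerabilityreport-64d65c457",
+Namespace: "trivy-operator-ns",
+Labels: map[string]string{
+"app.kubernetes.io/managed-by": "trivy-operator",
+"resource-spec-hash": "7dcdf9f488",
+"trivy-operator.resource.kind": "ReplicaSet",
+"trivy-operator.resource.name": "nginx-6799fc88d8",
+"trivy-operator.resource.namespace": "prod-ns",
+"vulnerabilityReport.scanner": "test-plugin",
+},
+Annotations: map[string]string{
+"trivy-operator.container-images": `{"test-container":"test-image","test-init-container":"test-init-image"}`,
+},
+},
+Spec: batchv1.JobSpec{
+BackoffLimit: ptr.To[int32](0),
+Completions: ptr.To[int32](1),
+ActiveDeadlineSeconds: ptr.To[int64](3),
+Template: corev1.PodTemplateSpec{
+ObjectMeta: metav1.ObjectMeta{
+Labels: map[string]string{
+"app.kubernetes.io/managed-by": "trivy-operator",
+"resource-spec-hash": "7dcdf9f488",
+"trivy-operator.resource.kind": "ReplicaSet",
+"trivy-operator.resource.name": "nginx-6799fc88d8",
+"trivy-operator.resource.namespace": "prod-ns",
+"vulnerabilityReport.scanner": "test-plugin",
+},
+},
+Spec: corev1.PodSpec{
+Volumes: []corev1.Volume{
+{
+Name: "test-volume",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
+},
+},
+},
+InitContainers: []corev1.Container{
+{
+Name: "test-init-container",
+Image: "test-init-image",
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: "test-volume",
+MountPath: "/test-mount-path",
+},
+},
+},
+},
+Containers: []corev1.Container{
+{
+Name: "test-container",
+Image: "test-image",
+VolumeMounts: []corev1.VolumeMount{
+{
+Name: "test-volume",
+MountPath: "/test-mount-path",
+},
+},
+},
+},
+},
+},
+},
+}))
+})
 }
 
 type testPlugin struct {
@@ -310,3 +437,31 @@ func (p *testPlugin) GetScanJobSpec(_ trivyoperator.PluginContext, _ client.Obje
 func (p *testPlugin) ParseReportData(_ trivyoperator.PluginContext, _ string, _ io.ReadCloser) (v1alpha1.VulnerabilityReportData, v1alpha1.ExposedSecretReportData, *v1alpha1.SbomReportData, error) {
 return v1alpha1.VulnerabilityReportData{}, v1alpha1.ExposedSecretReportData{}, &v1alpha1.SbomReportData{}, nil
 }
+
+type testContainersPlugin struct {
+}
+
+func (p *testContainersPlugin) Init(_ trivyoperator.PluginContext) error {
+return nil
+}
+
+func (p *testContainersPlugin) GetScanJobSpec(_ trivyoperator.PluginContext, _ client.Object, _ map[string]docker.Auth, _ *corev1.SecurityContext, _ map[string]v1alpha1.SbomReportData) (corev1.PodSpec, []*corev1.Secret, error) {
+return corev1.PodSpec{
+InitContainers: []corev1.Container{
+{
+Name: "test-init-container",
+Image: "test-init-image",
+},
+},
+Containers: []corev1.Container{
+{
+Name: "test-container",
+Image: "test-image",
+},
+},
+}, nil, nil
+}
+
+func (p *testContainersPlugin) ParseReportData(_ trivyoperator.PluginContext, _ string, _ io.ReadCloser) (v1alpha1.VulnerabilityReportData, v1alpha1.ExposedSecretReportData, *v1alpha1.SbomReportData, error) {
+return v1alpha1.VulnerabilityReportData{}, v1alpha1.ExposedSecretReportData{}, &v1alpha1.SbomReportData{}, nil
+}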
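Review bot: The new subtest's name in the first hunk, `t.Run("Shoud set scan job with custom volume and volume mount", ...)`, carries a typo; `Should` is presumably what the sibling subtests use, and the name is what `go test -run` filters on. The fixture also spells the same container/init-container pair out twice, once in the ReplicaSet and once in testContainersPlugin.GetScanJobSpec, and the expected Job shows that the pod template comes from the plugin while the ReplicaSet containers only feed the `trivy-operator.container-images` annotation; a one-line comment on the ReplicaSet fixture stating that, e.g. `// Containers here only drive the container-images annotation; the scan pod spec comes from testContainersPlugin.`, would keep a later reader from assuming the two must stay in sync. The expected Job asserts the mount on both the init container and the container, which is the behaviour the fix in builder.go restores, so the test does pin the regression.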
