workloadController: check if reused reports match container images size before deciding to fetch credentials

Signed-off-by: festeveira <[email protected]>

Author: festeveira

pkg/operator/cluster.go

@@ -270,7 +270,6 @@ func (r *ClusterController) reconcileKbom() reconcile.Func {
 		dbs := v1alpha1.SbomReportData{
 			Bom: kbom.Report.Bom,
 		}
-		containerImageName := fmt.Sprintf("%s/%s:%s", K8sRegistry, K8sRepo, r.version)
 		// trigger kbom scan job
 		err = r.SubmitScanJob(ctx, &corev1.Pod{
 			TypeMeta: metav1.TypeMeta{
@@ -283,10 +282,10 @@ func (r *ClusterController) reconcileKbom() reconcile.Func {
 			Spec: corev1.PodSpec{
 				Containers: []corev1.Container{{
 					Name:  kbomScanJobIdentifier,
-					Image: containerImageName,
+					Image: fmt.Sprintf("%s/%s:%s", K8sRegistry, K8sRepo, r.version),
 				}},
 			},
-		}, kube.ContainerImages{kbomScanJobIdentifier: containerImageName} ,map[string]v1alpha1.SbomReportData{kbomScanJobIdentifier: dbs})
+		}, map[string]v1alpha1.SbomReportData{kbomScanJobIdentifier: dbs})
 		if err != nil {
 			return ctrl.Result{}, err
 		}

pkg/vulnerabilityreport/controller/workload.go

@@ -65,7 +65,6 @@ type ScanJobResult struct {
 type ScanJobRequest struct {
 	Workload          client.Object
 	Context           context.Context
-	ContainerImages   kube.ContainerImages
 	ClusterSbomReport map[string]v1alpha1.SbomReportData
 }
 
@@ -206,7 +205,7 @@ func (r *WorkloadController) reconcileWorkload(workloadKind kube.Kind) reconcile
 		}
 		log.V(1).Info("Submitting a scan for the workload", "workload", workloadRef.Name)
 		// sync all potential workload for scanning
-		r.SubmitScanJobChan <- ScanJobRequest{Workload: workloadObj, Context: ctx, ContainerImages: containerImages, ClusterSbomReport: reportsData}
+		r.SubmitScanJobChan <- ScanJobRequest{Workload: workloadObj, Context: ctx, ClusterSbomReport: reportsData}
 		// collect scan job processing results
 		scanJobResult := <-r.ResultScanJobChan
 		return scanJobResult.Result, scanJobResult.Error
@@ -228,7 +227,7 @@ func (r *WorkloadController) ProcessScanJob() {
 			r.ResultScanJobChan <- ScanJobResult{Result: ctrl.Result{RequeueAfter: r.Config.ScanJobRetryAfter}, Error: nil}
 			continue
 		}
-		err = r.SubmitScanJob(workloadRequest.Context, workloadRequest.Workload, workloadRequest.ContainerImages, workloadRequest.ClusterSbomReport)
+		err = r.SubmitScanJob(workloadRequest.Context, workloadRequest.Workload, workloadRequest.ClusterSbomReport)
 		r.ResultScanJobChan <- ScanJobResult{Result: ctrl.Result{}, Error: err}
 	}
 }
@@ -249,12 +248,19 @@ func (r *WorkloadController) hasActiveScanJob(ctx context.Context, owner kube.Ob
 	return false, nil, nil
 }
 
-func (r *WorkloadController) SubmitScanJob(ctx context.Context, owner client.Object, containerImages kube.ContainerImages, reusedReports map[string]v1alpha1.SbomReportData) error {
+func (r *WorkloadController) SubmitScanJob(ctx context.Context, owner client.Object, reusedReports map[string]v1alpha1.SbomReportData) error {
 
 	log := r.Logger.WithValues("kind", owner.GetObjectKind().GroupVersionKind().Kind,
 		"name", owner.GetName(), "namespace", owner.GetNamespace())
 	var err error
 
+	podSpec, err := kube.GetPodSpec(owner)
+	if err != nil {
+		return err
+	}
+
+	containerImages := kube.GetContainerImagesFromPodSpec(podSpec, r.GetSkipInitContainers())
+
 	credentials := make(map[string]docker.Auth, 0)
 	if len(reusedReports) != len(containerImages) {
 		privateRegistrySecrets, err := r.Config.GetPrivateRegistryScanSecretsNames()