fix: broken custom image scan metrics (#1591)

Co-authored-by: Copilot <[email protected]>

Author: erikgb

config/rbac/role.yaml

@@ -48,7 +48,10 @@ rules:
   verbs:
   - create
   - delete
+  - get
+  - list
   - patch
+  - watch
 - apiGroups:
   - stas.statnett.no
   resources:

internal/controller/stas/scan_job_controller.go

@@ -8,6 +8,7 @@ import (
 	"slices"
 	"strings"
 
+	openreportsv1alpha1 "github.com/openreports/reports-api/apis/openreports.io/v1alpha1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	eventsv1 "k8s.io/api/events/v1"
@@ -53,7 +54,7 @@ type ScanJobReconciler struct {
 //+kubebuilder:rbac:groups="events.k8s.io",resources=events,verbs=get;list;watch
 // Must add policyreports delete verb and containerimagescans/finalizers update verb to satisfy
 // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
-//+kubebuilder:rbac:groups="openreports.io",resources=reports,verbs=create;patch;delete
+//+kubebuilder:rbac:groups="openreports.io",resources=reports,verbs=get;list;watch;create;patch;delete
 //+kubebuilder:rbac:groups=stas.statnett.no,resources=containerimagescans/finalizers,verbs=update
 
 // SetupWithManager sets up the controller with the Manager.
@@ -65,7 +66,8 @@ func (r *ScanJobReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				inNamespacePredicate(r.ScanJobNamespace),
 				jobIsFinished,
 				ignoreDeletionPredicate(),
-			)).
+										)).
+		Watches(&openreportsv1alpha1.Report{}, handler.Funcs{}). // Watches reports with empty handler to ensure informer creation for metrics collection
 		Complete(r.reconcile())
 	if err != nil {
 		return err

internal/metrics/collector.go

@@ -8,6 +8,7 @@ import (
 	"github.com/go-logr/logr"
 	openreportsv1alpha1 "github.com/openreports/reports-api/apis/openreports.io/v1alpha1"
 	"github.com/prometheus/client_golang/prometheus"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	kstatus "sigs.k8s.io/cli-utils/pkg/kstatus/status"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -171,7 +172,10 @@ func (c ImageMetricsCollector) Collect(metrics chan<- prometheus.Metric) {
 		if config.DefaultMutableFeatureGate.Enabled(feature.PolicyReport) {
 			report := openreportsv1alpha1.Report{}
 			if err := c.Get(ctx, client.ObjectKeyFromObject(&cis), &report); err != nil {
-				c.Log.Error(err, "Failed to get Report", "namespace", cis.Namespace, "name", cis.Name)
+				if !errors.IsNotFound(err) {
+					c.Log.Error(err, "Failed to get Report", "namespace", cis.Namespace, "name", cis.Name)
+				}
+
 				continue
 			}
 

test/e2e/scenario/metrics/00-assert.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: metrics-up
+status:
+  phase: Succeeded
+---
+# Assert that at least one Report exists to provide the custom metrics in the next step
+apiVersion: openreports.io/v1alpha1
+kind: Report

test/e2e/scenario/metrics/00-create.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: metrics
+  namespace: image-scanner
+spec:
+  ports:
+    - name: metrics
+      port: 80
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    control-plane: image-scanner
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: metrics-up
+spec:
+  restartPolicy: Never
+  containers:
+    - name: run
+      image: docker.io/curlimages/curl
+      command:
+        - /bin/sh
+        - -c
+      args:
+        - >-
+          curl -s "http://metrics.image-scanner.svc.cluster.local:80/metrics" | grep certwatcher_read_certificate_errors_total;

test/e2e/scenario/metrics/01-assert.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: metrics-custom
+status:
+  phase: Succeeded

test/e2e/scenario/metrics/01-create.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: metrics-custom
+spec:
+  restartPolicy: Never
+  containers:
+    - name: run
+      image: docker.io/curlimages/curl
+      command:
+        - /bin/sh
+        - -c
+      args:
+        - >-
+          curl -s "http://metrics.image-scanner.svc.cluster.local:80/metrics" | grep image_scanner_container_image_issues;

test/e2e/scenario/metrics/chainsaw-test.yaml

@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: metrics
+spec:
+  steps:
+    - name: step-00
+      try:
+        - apply:
+            file: 00-create.yaml
+        - assert:
+            file: 00-assert.yaml
+      catch:
+        - podLogs:
+            namespace: image-scanner
+            selector: control-plane=image-scanner
+        - podLogs:
+            name: metrics-up
+    - name: step-01
+      try:
+        - apply:
+            file: 01-create.yaml
+        - assert:
+            file: 01-assert.yaml
+      catch:
+        - podLogs:
+            namespace: image-scanner
+            selector: control-plane=image-scanner
+            tail: -1
+        - podLogs:
+            name: metrics-custom