Merge pull request #396 from rhmdnd/CMP-2132

CMP-2132: Implement suspend and resume scan schedule

CHANGELOG.md

@@ -9,7 +9,12 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Enhancements
 
--
+- Users can now pause scan schedules by setting the `ScanSetting.suspend`
+  attribute to `True`. This allows users to suspend a scan, and reactivate it
+  without having to delete and recreate the `ScanSettingBinding`, making it
+  more ergonomic to pause scans during maintenance periods. See the
+  [enhancement](https://github.com/ComplianceAsCode/compliance-operator/pull/375)
+  for more details.
 
 ### Fixes
 

config/crd/bases/compliance.openshift.io_compliancecheckresults.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: compliancecheckresults.compliance.openshift.io
 spec:
   group: compliance.openshift.io

config/crd/bases/compliance.openshift.io_complianceremediations.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: complianceremediations.compliance.openshift.io
 spec:
   group: compliance.openshift.io

config/crd/bases/compliance.openshift.io_compliancescans.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: compliancescans.compliance.openshift.io
 spec:
   group: compliance.openshift.io

config/crd/bases/compliance.openshift.io_compliancesuites.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: compliancesuites.compliance.openshift.io
 spec:
   group: compliance.openshift.io
@@ -323,6 +323,11 @@ spec:
                   scheduled scans will start running only after the initial results
                   are ready.
                 type: string
+              suspend:
+                default: false
+                description: Defines if a schedule should be suspended and is a boolean
+                  value, defaulting to False.
+                type: boolean
             required:
             - scans
             type: object

config/crd/bases/compliance.openshift.io_profilebundles.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: profilebundles.compliance.openshift.io
 spec:
   group: compliance.openshift.io

config/crd/bases/compliance.openshift.io_profiles.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: profiles.compliance.openshift.io
 spec:
   group: compliance.openshift.io

config/crd/bases/compliance.openshift.io_rules.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: rules.compliance.openshift.io
 spec:
   group: compliance.openshift.io

config/crd/bases/compliance.openshift.io_scansettingbindings.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: scansettingbindings.compliance.openshift.io
 spec:
   group: compliance.openshift.io
@@ -16,7 +16,11 @@ spec:
     singular: scansettingbinding
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: ScanSettingBinding is the Schema for the scansettingbindings
@@ -124,6 +128,8 @@ spec:
                 - name
                 type: object
                 x-kubernetes-map-type: atomic
+              phase:
+                type: string
             type: object
         type: object
     served: true

config/crd/bases/compliance.openshift.io_scansettings.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: scansettings.compliance.openshift.io
 spec:
   group: compliance.openshift.io
@@ -247,6 +247,11 @@ spec:
               be strict and error out. `false` means that we don't need to be strict
               and we can proceed.
             type: boolean
+          suspend:
+            default: false
+            description: Defines if a schedule should be suspended and is a boolean
+              value, defaulting to False.
+            type: boolean
           timeout:
             default: 30m
             description: Timeout is the maximum amount of time the scan can run. If

config/crd/bases/compliance.openshift.io_tailoredprofiles.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: tailoredprofiles.compliance.openshift.io
 spec:
   group: compliance.openshift.io

config/crd/bases/compliance.openshift.io_variables.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: variables.compliance.openshift.io
 spec:
   group: compliance.openshift.io

doc/usage.md

@@ -293,6 +293,53 @@ or `ocp4-var-role-worker`:
 `oc get ccr -n openshift-compliance -o yaml | jq '.items[] | select(.valuesUsed | contains("ocp4-var-role-master") or contains("ocp4-var-role-worker"))'`
 
 
+## Suspending and resuming scan schedules
+
+The `ScanSetting` CRD exposes a `schedule` attribute that allows you to
+schedule compliance scans as a cron job syntax. The Compliance Operator uses
+Kubernetes `CronJob` resources to implement the schedule for a scan suite,
+which is sometimes referred to as a suite rerunner.
+
+Scan schedules are associated with a `ComplianceSuite`, which may contain at
+least one `ComplianceScan`. This means the schedule associated with a
+`ComplianceSuite` applies to all `ComplianceScan` objects within that suite.
+This may be useful to prevent scans from happening during planned maintenance
+windows, where results might be inaccurate depending on the state of the
+cluster.
+
+You can suspend a `ComplianceSuite` by updating the `ScanSetting` you used when
+you created the `ScanSettingBinding`.
+
+```
+$ oc patch ss/default -p 'suspend: true' --type merge
+```
+
+Any `ScanSettingBinding` using the suspended `ScanSetting` will show a
+`SUSPENDED` status:
+
+```
+$ oc get ssb
+NAME       STATUS
+cis-node   SUSPENDED
+```
+
+You can disable the `suspend` attribute to resume the scan schedule:
+
+```
+$ oc patch ss/default -p 'suspend: false' --type merge
+```
+
+The `ScanSettingBinding` will return to a `READY` state:
+
+```
+$ oc get ssb
+NAME       STATUS
+cis-node   READY
+```
+
+Note that this functionality does not pause, suspend, or stop a scan that is
+already in progress.
+
 ## Extracting raw results
 
 The scans provide two kinds of raw results: the full report in the ARF format

pkg/apis/compliance/v1alpha1/compliancesuite_types.go

@@ -82,6 +82,10 @@ type ComplianceSuiteSettings struct {
 	// Note the scan will still be triggered immediately, and the scheduled
 	// scans will start running only after the initial results are ready.
 	Schedule string `json:"schedule,omitempty"`
+	// Defines if a schedule should be suspended and is a boolean value,
+	// defaulting to False.
+	// +kubebuilder:default=false
+	Suspend bool `json:"suspend,omitempty"`
 }
 
 // ComplianceSuiteSpec defines the desired state of ComplianceSuite

pkg/apis/compliance/v1alpha1/scansettingbinding_types.go

@@ -5,6 +5,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+type ScanSettingBindingStatusPhase string
+
+const (
+	ScanSettingBindingPhasePending   ScanSettingBindingStatusPhase = "PENDING"
+	ScanSettingBindingPhaseReady     ScanSettingBindingStatusPhase = "READY"
+	ScanSettingBindingPhaseInvalid   ScanSettingBindingStatusPhase = "INVALID"
+	ScanSettingBindingPhaseSuspended ScanSettingBindingStatusPhase = "SUSPENDED"
+)
+
 type NamedObjectReference struct {
 	Name     string `json:"name,omitempty"`
 	Kind     string `json:"kind,omitempty"`
@@ -16,6 +25,7 @@ type NamedObjectReference struct {
 // ScanSettingBinding is the Schema for the scansettingbindings API
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=scansettingbindings,scope=Namespaced,shortName=ssb
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=`.status.phase`
 type ScanSettingBinding struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -32,6 +42,7 @@ type ScanSettingBinding struct {
 type ScanSettingBindingSpec struct{}
 
 type ScanSettingBindingStatus struct {
+	Phase ScanSettingBindingStatusPhase `json:"phase,omitempty"`
 	// +optional
 	Conditions Conditions `json:"conditions,omitempty"`
 	// Reference to the object generated from this ScanSettingBinding
@@ -76,6 +87,15 @@ func (s *ScanSettingBindingStatus) SetConditionReady() {
 	})
 }
 
+func (s *ScanSettingBindingStatus) SetConditionSuspended() {
+	s.Conditions.SetCondition(Condition{
+		Type:    "Ready",
+		Status:  corev1.ConditionFalse,
+		Reason:  "Suspended",
+		Message: "The scan setting binding uses a scan setting that is suspended",
+	})
+}
+
 func init() {
 	SchemeBuilder.Register(&ScanSettingBinding{}, &ScanSettingBindingList{})
 }

pkg/controller/compliancesuite/suitererunner_cron_compat.go

@@ -72,11 +72,12 @@ func (r *ReconcileComplianceSuite) cronJobCompatCreate(
 		if !ok {
 			return fmt.Errorf("failed to cast object to v1 CronJob")
 		}
-		if getObjTyped.Spec.Schedule == suite.Spec.Schedule {
+		if getObjTyped.Spec.Schedule == suite.Spec.Schedule && getObjTyped.Spec.Suspend == &suite.Spec.Suspend {
 			return nil
 		}
 		cronJobCopy := getObjTyped.DeepCopy()
 		cronJobCopy.Spec.Schedule = suite.Spec.Schedule
+		cronJobCopy.Spec.Suspend = &suite.Spec.Suspend
 		logger.Info("Updating v1 rerunner", "CronJob.Name", cronJobCopy.GetName())
 		return r.Client.Update(context.TODO(), cronJobCopy)
 	}