Add fields for scanner volume mounts

api/unversioned/config/config.go

@@ -5,9 +5,11 @@ import (
 	"sync"
 	"time"
 
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+
 	"github.com/eraser-dev/eraser/api/unversioned"
 	"github.com/eraser-dev/eraser/version"
-	"k8s.io/apimachinery/pkg/api/resource"
 )
 
 var defaultScannerConfig = `
@@ -142,7 +144,8 @@ func Default() *unversioned.EraserConfig {
 						Mem: resource.MustParse("2Gi"),
 						CPU: resource.MustParse("1500m"),
 					},
-					Config: &defaultScannerConfig,
+					Config:  &defaultScannerConfig,
+					Volumes: []v1.Volume{},
 				},
 			},
 			Remover: unversioned.ContainerConfig{

api/unversioned/eraserconfig_types.go

@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -153,6 +154,7 @@ type ContainerConfig struct {
 	Request ResourceRequirements `json:"request,omitempty"`
 	Limit   ResourceRequirements `json:"limit,omitempty"`
 	Config  *string              `json:"config,omitempty"`
+	Volumes []corev1.Volume      `json:"volumes,omitempty"`
 }
 
 type ManagerConfig struct {

api/v1alpha1/eraserconfig_types.go

@@ -22,6 +22,7 @@ import (
 	"time"
 
 	"github.com/eraser-dev/eraser/api/unversioned"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/conversion"
@@ -88,6 +89,7 @@ type ContainerConfig struct {
 	Request ResourceRequirements `json:"request,omitempty"`
 	Limit   ResourceRequirements `json:"limit,omitempty"`
 	Config  *string              `json:"config,omitempty"`
+	Volumes []corev1.Volume      `json:"volumes,omitempty"`
 }
 
 type ManagerConfig struct {

api/v1alpha2/eraserconfig_types.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -86,6 +87,7 @@ type ContainerConfig struct {
 	Request ResourceRequirements `json:"request,omitempty"`
 	Limit   ResourceRequirements `json:"limit,omitempty"`
 	Config  *string              `json:"config,omitempty"`
+	Volumes []corev1.Volume      `json:"volumes,omitempty"`
 }
 
 type ManagerConfig struct {

api/v1alpha3/eraserconfig_types.go

@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -153,6 +154,7 @@ type ContainerConfig struct {
 	Request ResourceRequirements `json:"request,omitempty"`
 	Limit   ResourceRequirements `json:"limit,omitempty"`
 	Config  *string              `json:"config,omitempty"`
+	Volumes []corev1.Volume      `json:"volumes,omitempty"`
 }
 
 type ManagerConfig struct {

config/manager/controller_manager_config.yaml

@@ -76,6 +76,7 @@ components:
       timeout:
         total: 23h
         perImage: 1h
+    volumes: []
   remover:
     image:
       repo: REMOVER_REPO

controllers/imagecollector/imagecollector_controller.go

@@ -448,6 +448,27 @@ func (r *Reconciler) createImageJob(ctx context.Context) (ctrl.Result, error) {
 				},
 			},
 		}
+
+		log.Info("extra mount for scanner starts")
+		scannerVolumes := compCfg.Scanner.Volumes
+		if len(scannerVolumes) != 0 {
+			jobTemplate.Spec.Volumes = append(jobTemplate.Spec.Volumes, scannerVolumes...)
+			scannerVolumeMounts := []corev1.VolumeMount{}
+			for idx := range scannerVolumes {
+				volume := scannerVolumes[idx]
+				if volume.HostPath == nil {
+					log.Error(fmt.Errorf("volume hostPath is nil"), "invalid volume", "volumeName", volume.Name)
+					continue
+				}
+				scannerVolumeMounts = append(scannerVolumeMounts, corev1.VolumeMount{
+					Name:      volume.Name,
+					MountPath: volume.HostPath.Path,
+					ReadOnly:  true,
+				})
+			}
+			scannerContainer.VolumeMounts = append(scannerContainer.VolumeMounts, scannerVolumeMounts...)
+		}
+
 		jobTemplate.Spec.Containers = append(jobTemplate.Spec.Containers, scannerContainer)
 	}
 

docs/docs/customization.md

@@ -105,6 +105,8 @@ manager:
   pullSecrets: [] # image pull secrets for collector/scanner/remover
   priorityClassName: "" # priority class name for collector/scanner/remover
   additionalPodLabels: {}
+  extraScannerVolumes: {}
+  extraScannerVolumeMounts: {}
   nodeFilter:
     type: exclude # must be either exclude|include
     selectors:
@@ -228,6 +230,7 @@ timeout:
 | components.scanner.limit.mem | The maximum amount of memory the scanner container is allowed to use. | 2Gi |
 | components.scanner.limit.cpu | The maximum amount of CPU the scanner container is allowed to use. | 0 |
 | components.scanner.config | The configuration to pass to the scanner container, as a YAML string. | See YAML below |
+| components.scanner.volumes | Extra volumes for scanner. | `{}` |
 | components.remover.image.repo | The repository containing the remover image. | ghcr.io/eraser-dev/remover |
 | components.remover.image.tag | The tag of the remover image. | v1.0.0 |
 | components.remover.request.mem | The amount of memory to request for the remover container. | 25Mi |

manifest_staging/deploy/eraser.yaml

@@ -489,6 +489,7 @@ data:
           timeout:
             total: 23h
             perImage: 1h
+        volumes: []
       remover:
         image:
           repo: ghcr.io/eraser-dev/remover