✨ enhance: update garbage collection logic to use schedule-based thresholds and add tests for schedule parsing (#1437)

Author: slntopp

controllers/k8s_scan/deployment_handler.go

@@ -614,7 +614,7 @@ func (n *DeploymentHandler) performGarbageCollection(ctx context.Context, manage
 		ManagedBy:       managedBy,
 		PlatformRuntime: "k8s-cluster",
 		DateFilter: &mondooclient.DateFilter{
-			Timestamp:  time.Now().Add(-mondoo.GCOlderThan()).Format(time.RFC3339),
+			Timestamp:  time.Now().Add(-mondoo.GCOlderThan(n.Mondoo.Spec.KubernetesResources.Schedule)).Format(time.RFC3339),
 			Comparison: mondooclient.Comparison_LESS_THAN,
 			Field:      mondooclient.DateFilterField_FILTER_LAST_UPDATED,
 		},

controllers/nodes/deployment_handler.go

@@ -441,7 +441,7 @@ func (n *DeploymentHandler) performGarbageCollection(ctx context.Context, manage
 	req := &mondooclient.DeleteAssetsRequest{
 		ManagedBy: managedBy,
 		DateFilter: &mondooclient.DateFilter{
-			Timestamp:  time.Now().Add(-mondoo.GCOlderThan()).Format(time.RFC3339),
+			Timestamp:  time.Now().Add(-mondoo.GCOlderThan(n.Mondoo.Spec.Nodes.Schedule)).Format(time.RFC3339),
 			Comparison: mondooclient.Comparison_LESS_THAN,
 			Field:      mondooclient.DateFilterField_FILTER_LAST_UPDATED,
 		},

go.mod

@@ -23,6 +23,7 @@ require (
 
 require (
 	github.com/hashicorp/vault-client-go v0.4.3
+	github.com/robfig/cron/v3 v3.0.1
 	go.mondoo.com/mql/v13 v13.1.1
 	go.mondoo.com/mql/v13/providers/k8s v0.0.0-00010101000000-000000000000
 )

go.sum

@@ -547,6 +547,8 @@ github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=

pkg/utils/mondoo/gc.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
+	"github.com/robfig/cron/v3"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -19,7 +20,10 @@ import (
 	"go.mondoo.com/mondoo-operator/pkg/constants"
 )
 
-const defaultGCOlderThan = 2 * time.Hour
+const (
+	defaultGCOlderThan = 2 * time.Hour
+	gcMultiplier       = 2
+)
 
 // ManagedByLabel returns the ManagedBy value for assets owned by this operator instance.
 // The cluster UID uniquely identifies which operator instance manages the assets.
@@ -30,19 +34,41 @@ func ManagedByLabel(clusterUID string) string {
 	return "mondoo-operator-" + clusterUID
 }
 
-// GCOlderThan returns the duration threshold for garbage collection.
-// It defaults to 2h but can be overridden via the MONDOO_GC_OLDER_THAN env var
-// (accepts any value parseable by time.ParseDuration, e.g. "5m", "30s").
-func GCOlderThan() time.Duration {
+// GCOlderThan returns the duration threshold for garbage collection based on
+// the scan schedule. It computes 2x the interval between consecutive cron runs
+// so that assets are only GC'd after missing at least one full scan cycle.
+// The MONDOO_GC_OLDER_THAN env var overrides the computed value.
+func GCOlderThan(schedule string) time.Duration {
 	if v := os.Getenv("MONDOO_GC_OLDER_THAN"); v != "" {
 		d, err := time.ParseDuration(v)
 		if err != nil {
-			fmt.Fprintf(os.Stderr, "WARNING: invalid MONDOO_GC_OLDER_THAN=%q, using default %s: %v\n", v, defaultGCOlderThan, err)
+			fmt.Fprintf(os.Stderr, "WARNING: invalid MONDOO_GC_OLDER_THAN=%q, falling back to schedule-based computation: %v\n", v, err)
 		} else {
 			return d
 		}
 	}
-	return defaultGCOlderThan
+	return gcOlderThanFromSchedule(schedule)
+}
+
+// gcOlderThanFromSchedule parses a cron schedule and returns 2x the interval
+// between consecutive runs. Falls back to defaultGCOlderThan if parsing fails.
+func gcOlderThanFromSchedule(schedule string) time.Duration {
+	if schedule == "" {
+		return defaultGCOlderThan
+	}
+
+	sched, err := cron.ParseStandard(schedule)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "WARNING: failed to parse cron schedule %q, using default %s: %v\n", schedule, defaultGCOlderThan, err)
+		return defaultGCOlderThan
+	}
+
+	now := time.Now()
+	next1 := sched.Next(now)
+	next2 := sched.Next(next1)
+	interval := next2.Sub(next1)
+
+	return time.Duration(gcMultiplier) * interval
 }
 
 // DeleteStaleAssets builds a Mondoo API client from the operator's credentials and

pkg/utils/mondoo/gc_test.go

@@ -5,10 +5,56 @@ package mondoo
 
 import (
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 )
 
+func TestGCOlderThanFromSchedule(t *testing.T) {
+	tests := []struct {
+		name     string
+		schedule string
+		expect   time.Duration
+	}{
+		{
+			name:     "hourly schedule",
+			schedule: "30 * * * *",
+			expect:   2 * time.Hour,
+		},
+		{
+			name:     "every 6 hours",
+			schedule: "0 */6 * * *",
+			expect:   12 * time.Hour,
+		},
+		{
+			name:     "daily schedule",
+			schedule: "0 2 * * *",
+			expect:   48 * time.Hour,
+		},
+		{
+			name:     "every 15 minutes",
+			schedule: "*/15 * * * *",
+			expect:   30 * time.Minute,
+		},
+		{
+			name:     "empty schedule falls back to default",
+			schedule: "",
+			expect:   defaultGCOlderThan,
+		},
+		{
+			name:     "invalid schedule falls back to default",
+			schedule: "not-a-cron",
+			expect:   defaultGCOlderThan,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expect, gcOlderThanFromSchedule(tt.schedule))
+		})
+	}
+}
+
 func TestSpaceMrnFromServiceAccountMrn(t *testing.T) {
 	tests := []struct {
 		name   string