CMP-4116: Fix platform scan pod stuck when RawResultStorage is disabled (#1097)

* Fix platform scan pod stuck when RawResultStorage is disabled

The addResultsCollectionPods function unconditionally added the TLS
volume and mount referencing the result-client-cert secret, which is
only created when RawResultStorage.Enabled=true. This caused the
platform scan pod to get stuck in Init:0/2 when RawResultStorage was
disabled.

Reuse getLogCollectorVolumeMounts and conditionally append the TLS
volume, matching the existing behavior in getNodeScannerPodVolumes.

Made-with: Cursor

* Add e2e test for platform scan with RawResultStorage disabled

Made-with: Cursor

* Move PVC check after scan completes to avoid race condition

* Use reliably compliant rule in platform no-storage e2e test

Author: Vincent056

pkg/controller/compliancescan/scan.go

@@ -516,18 +516,7 @@ func addResultsCollectionPods(scanInstance *compv1alpha1.ComplianceScan, pod *co
 					corev1.ResourceCPU:    resource.MustParse("100m"),
 				},
 			},
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      "report-dir",
-					MountPath: "/reports",
-					ReadOnly:  true,
-				},
-				{
-					Name:      "tls",
-					MountPath: "/etc/pki/tls",
-					ReadOnly:  true,
-				},
-			},
+			VolumeMounts: getLogCollectorVolumeMounts(scanInstance),
 		},
 	}
 
@@ -549,14 +538,16 @@ func addResultsCollectionPods(scanInstance *compv1alpha1.ComplianceScan, pod *co
 				},
 			},
 		},
-		{
+	}
+	if scanInstance.Spec.RawResultStorage.Enabled != nil && *scanInstance.Spec.RawResultStorage.Enabled {
+		podVolumes = append(podVolumes, corev1.Volume{
 			Name: "tls",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName: ClientCertPrefix + scanInstance.Name,
 				},
 			},
-		},
+		})
 	}
 
 	pod.Spec.Volumes = append(pod.Spec.Volumes, podVolumes...)

tests/e2e/parallel/main_test.go

@@ -2409,6 +2409,67 @@ func TestScheduledSuiteNoStorage(t *testing.T) {
 	}
 }
 
+func TestScheduledSuitePlatformNoStorage(t *testing.T) {
+	t.Parallel()
+	f := framework.Global
+	suiteName := "test-scheduled-suite-platform-no-storage"
+	platformScanName := fmt.Sprintf("%s-platform-scan", suiteName)
+
+	falseValue := false
+	testSuite := &compv1alpha1.ComplianceSuite{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      suiteName,
+			Namespace: f.OperatorNamespace,
+		},
+		Spec: compv1alpha1.ComplianceSuiteSpec{
+			ComplianceSuiteSettings: compv1alpha1.ComplianceSuiteSettings{
+				AutoApplyRemediations: false,
+			},
+			Scans: []compv1alpha1.ComplianceScanSpecWrapper{
+				{
+					Name: platformScanName,
+					ComplianceScanSpec: compv1alpha1.ComplianceScanSpec{
+						ContentImage: contentImagePath,
+						Profile:      "xccdf_org.ssgproject.content_profile_moderate",
+						Content:      framework.OcpContentFile,
+						Rule:         "xccdf_org.ssgproject.content_rule_ocp_idp_no_htpasswd",
+						ScanType:     compv1alpha1.ScanTypePlatform,
+						ComplianceScanSettings: compv1alpha1.ComplianceScanSettings{
+							RawResultStorage: compv1alpha1.RawResultStorageSettings{
+								Enabled: &falseValue,
+							},
+							Debug: true,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	err := f.Client.Create(context.TODO(), testSuite, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Client.Delete(context.TODO(), testSuite)
+
+	// Ensure that all the scans in the suite have finished and are marked as Done
+	err = f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultCompliant)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pvcList := &corev1.PersistentVolumeClaimList{}
+	err = f.Client.List(context.TODO(), pvcList, client.InNamespace(f.OperatorNamespace), client.MatchingLabels(map[string]string{
+		compv1alpha1.ComplianceScanLabel: platformScanName,
+	}))
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, pvc := range pvcList.Items {
+		t.Fatalf("Found unexpected PVC %s", pvc.Name)
+	}
+}
+
 func TestScheduledSuiteInvalidPriorityClass(t *testing.T) {
 	t.Parallel()
 	f := framework.Global