From 9ad24eac342d0b17cfddadf6135030f89f3f83ac Mon Sep 17 00:00:00 2001
From: David Caravello <119438707+dcaravel@users.noreply.github.com>
Date: Thu, 9 Apr 2026 21:05:27 -0500
Subject: [PATCH] wait for matcher readiness
---
 deploy/common/k8sbased.sh | 9 ++++++++
 .../ci/jobs/gke_scanner_v4_install_tests.py | 1 +
 .../ci/jobs/ocp_scanner_v4_install_tests.py | 1 +
 tests/e2e/lib.sh | 21 ++++++++++++++++++-
 4 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/deploy/common/k8sbased.sh b/deploy/common/k8sbased.sh
index 3d3e618fee96a..4586eee62e249 100644
--- a/deploy/common/k8sbased.sh
+++ b/deploy/common/k8sbased.sh
@@ -415,6 +415,12 @@ function launch_central {
 )
 fi
+ if [[ "${SCANNER_V4_VULN_READINESS:-false}" == "true" && "${ROX_SCANNER_V4:-}" != "false" ]]; then
+ helm_args+=(
+ --set customize.envVars.SCANNER_V4_MATCHER_READINESS=vulnerability
+ )
+ fi
+
 if [[ -n "$EXTERNAL_DB" ]]; then
 helm_args+=(
 --set "central.db.password.value=${EXTERNAL_DB_PASSWORD}"
@@ -524,6 +530,9 @@ function launch_central {
 "${unzip_dir}/scanner-v4/scripts/setup.sh"
 fi
 launch_service "${unzip_dir}" scanner-v4
+ if [[ "${SCANNER_V4_VULN_READINESS:-false}" == "true" ]]; then
+ ${ORCH_CMD} -n stackrox set env deploy/scanner-v4-matcher SCANNER_V4_MATCHER_READINESS=vulnerability
+ fi
 else
 echo >&2 "WARNING: Deployment bundle does not seem to contain support for Scanner V4."
 echo >&2 "WARNING: Scanner V4 will not be deployed now."
diff --git a/scripts/ci/jobs/gke_scanner_v4_install_tests.py b/scripts/ci/jobs/gke_scanner_v4_install_tests.py
index d2b1ecc663e35..9dbe38e6d8ce7 100755
--- a/scripts/ci/jobs/gke_scanner_v4_install_tests.py
+++ b/scripts/ci/jobs/gke_scanner_v4_install_tests.py
@@ -14,6 +14,7 @@ os.environ["STORE_METRICS"] = "true"
 os.environ["ROX_BASELINE_GENERATION_DURATION"] = "5m"
 os.environ["ROX_SCANNER_V4"] = "true"
+os.environ["SCANNER_V4_VULN_READINESS"] = "false"
 ClusterTestRunner(
 cluster=GKECluster("scanner-v4-install-test", machine_type="e2-standard-8"),
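Review bot: The helm branch at -415 sets `customize.envVars.SCANNER_V4_MATCHER_READINESS`, which, if `customize.envVars` is chart-wide as the key name suggests, puts the variable on every workload rather than only on the matcher. The non-helm branch at -524 patches just `deploy/scanner-v4-matcher`, so the two install paths would produce different pod specs for the same flag; the operator path in tests/e2e/lib.sh appends to `customize_envVars` and has the same shape. If the chart offers a matcher-scoped customize key, prefer it; otherwise record the scope with a comment such as `# NOTE: set chart-wide; intended for scanner-v4-matcher only`. launch_central starts and ends outside this hunk.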
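Review bot: The added `${ORCH_CMD} -n stackrox set env deploy/scanner-v4-matcher ...` call hard-codes the namespace and runs after `launch_service` has already created the matcher, so it starts a second rollout of that deployment. If launch_central can deploy into a namespace other than `stackrox`, the patch will miss it. A later readiness wait that samples the deployment before the new ReplicaSet exists could also pass on the old pod. Neither is visible from this hunk, so both need confirming. A comment such as `# set env restarts the matcher; callers must wait for the new rollout` would record the ordering. launch_central's body starts and ends outside the hunk.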
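Review bot: The new `os.environ["SCANNER_V4_VULN_READINESS"] = "false"` line has no comment explaining the opt-out, and the same line is added to scripts/ci/jobs/ocp_scanner_v4_install_tests.py. Because `export_test_environment` in tests/e2e/lib.sh now exports the flag with `${SCANNER_V4_VULN_READINESS:-true}`, this assignment is the only thing keeping these install jobs off the vulnerability-readiness wait. A comment above it such as `# opt out: export_test_environment defaults SCANNER_V4_VULN_READINESS to "true"`, followed by the reason these jobs skip the wait, would keep a later cleanup from removing it.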
diff --git a/scripts/ci/jobs/ocp_scanner_v4_install_tests.py b/scripts/ci/jobs/ocp_scanner_v4_install_tests.py
index be34a036e66d2..33a715d6eb6da 100755
--- a/scripts/ci/jobs/ocp_scanner_v4_install_tests.py
+++ b/scripts/ci/jobs/ocp_scanner_v4_install_tests.py
@@ -15,6 +15,7 @@ os.environ["STORE_METRICS"] = "true"
 os.environ["ROX_BASELINE_GENERATION_DURATION"] = "5m"
 os.environ["ROX_SCANNER_V4"] = "true"
+os.environ["SCANNER_V4_VULN_READINESS"] = "false"
 os.environ["ENABLE_OPERATOR_TESTS"] = "true" # ROX-32314, move out
diff --git a/tests/e2e/lib.sh b/tests/e2e/lib.sh
index 8c76c14967273..0f467945f94a4 100755
--- a/tests/e2e/lib.sh
+++ b/tests/e2e/lib.sh
@@ -198,6 +198,7 @@ export_test_environment() {
 ci_export ROX_NETFLOW_BATCHING "${ROX_NETFLOW_BATCHING:-true}"
 ci_export ROX_NETFLOW_CACHE_LIMITING "${ROX_NETFLOW_CACHE_LIMITING:-true}"
 ci_export ROX_TAILORED_PROFILES "${ROX_TAILORED_PROFILES:-true}"
+ ci_export SCANNER_V4_VULN_READINESS "${SCANNER_V4_VULN_READINESS:-true}"
 if is_in_PR_context && pr_has_label ci-fail-fast; then
 ci_export FAIL_FAST "true"
@@ -360,6 +361,11 @@ deploy_central_via_operator() {
 false) scannerV4ScannerComponent="Disabled" ;;
 esac
+ if [[ "${SCANNER_V4_VULN_READINESS:-false}" == "true" && "$scannerV4ScannerComponent" != "Disabled" ]]; then
+ customize_envVars+=$'\n - name: SCANNER_V4_MATCHER_READINESS'
+ customize_envVars+=$'\n value: "vulnerability"'
+ fi
+
 CENTRAL_YAML_PATH="tests/e2e/yaml/central-cr.envsubst.yaml"
 # Different yaml for midstream images
 if [[ "${USE_MIDSTREAM_IMAGES}" == "true" ]]; then
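Review bot: `ci_export SCANNER_V4_VULN_READINESS "${SCANNER_V4_VULN_READINESS:-true}"` defaults the flag to true, while every consumer added in this patch reads it as `${SCANNER_V4_VULN_READINESS:-false}`. Any path that reaches `deploy_central_via_operator`, `wait_for_scanner_V4` or `launch_central` without first running `export_test_environment` therefore gets the opposite default without any log line saying so. A comment on this line, e.g. `# default on for CI; consumers default off when this export did not run`, would make the split intentional and visible. export_test_environment continues outside the hunk.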
@@ -1161,16 +1167,29 @@ wait_for_ready_deployment() {
 wait_for_scanner_V4() {
 local namespace="$1"
 local max_seconds=${MAX_WAIT_SECONDS:-300}
+ local matcher_max_seconds="$max_seconds"
 info "Waiting for Scanner V4 to become ready..."
 if [[ "${ORCHESTRATOR_FLAVOR:-}" == "openshift" ]]; then
 # OCP Interop tests are run on minimal instances and will take longer
 # Allow override with MAX_WAIT_SECONDS
 max_seconds=${MAX_WAIT_SECONDS:-600}
+ matcher_max_seconds="$max_seconds"
 info "Waiting ${max_seconds}s (increased for openshift-ci provisioned clusters) for central api and $(( max_seconds * 6 )) for ingress..."
 fi
+ if [[ "${SCANNER_V4_VULN_READINESS:-false}" == "true" ]]; then
+ # Slowness or timeout may indicate that a low performance disk is used by
+ # the Scanner V4 DB PVC. If storage class is unset the cluster default
+ # storage class is used.
+ info "SCANNER_V4_DB_STORAGE_CLASS=${SCANNER_V4_DB_STORAGE_CLASS:-}"
+ info "Listing available storage classes:"
+ kubectl describe storageclasses 2>/dev/null || true
+
+ matcher_max_seconds=${SCANNER_V4_VULN_READINESS_TIMEOUT:-2400}
+ info "Waiting ${matcher_max_seconds}s for matcher vulnerability readiness..."
+ fi
 wait_for_ready_deployment "$namespace" "scanner-v4-indexer" "$max_seconds"
- wait_for_ready_deployment "$namespace" "scanner-v4-matcher" "$max_seconds"
+ wait_for_ready_deployment "$namespace" "scanner-v4-matcher" "$matcher_max_seconds"
 }
 # shellcheck disable=SC2120
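Review bot: With the flag on, `matcher_max_seconds=${SCANNER_V4_VULN_READINESS_TIMEOUT:-2400}` replaces the matcher timeout unconditionally, so a caller that exported a `MAX_WAIT_SECONDS` larger than 2400 has the matcher wait cut back to the default. If that is not intended, keep the larger value: `local vuln_timeout=${SCANNER_V4_VULN_READINESS_TIMEOUT:-2400}` followed by `if (( vuln_timeout > matcher_max_seconds )); then matcher_max_seconds=$vuln_timeout; fi`. If an explicitly set lower `SCANNER_V4_VULN_READINESS_TIMEOUT` should still win, apply the comparison only when that variable is unset. Either way, a comment stating which of the two variables takes precedence would help the next reader.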