does this ensure scanner.stackrox.svc:8443 is used in the Central namespace and scanner-slim.stackrox.svc:8443 is used in the other Secured Clusters?

yes, because in image/templates/helm/shared/templates/_scanner_init.tpl.htpl the function "srox.scannerInit" does:

• {{ if or (eq $scannerCfg.mode "") (eq $scannerCfg.mode "full") }} then {{ $_ := set $scannerCfg "name" "scanner" }}
• {{ else if eq $scannerCfg.mode "slim" }} then {{ $_ := set $scannerCfg "name" "scanner-slim" }}

and here we call "srox.scannerInit" with the parameter $scannerCfg set to$._rox.scanner

I opened a PR to rename the stackrox resources: #820

Maybe let's wait with change for this PR to be merged or rebasing on top of it?

Yeah let's make sure this is always scanner.<namespace>.svc:8443. One thing to note is the port is technically configurable in the Scanner ConfigMap, but it really shouldn't be changed. Not sure why we offer this, and I wonder if we should just remove that @connorgorman ? Anyway, that's for another time. I think assuming 8443 is safe

After ROX-9589 this is now {{ printf "scanner.%s.svc:8443" .Release.Namespace }}

Does this need to be inline with the subsequent - name: ROX_SCANNER_GRPC_ENDPOINT?

see new logic after applying Simon's suggestion above

Yeah let's make sure this is always scanner.<namespace>.svc:8443. One thing to note is the port is technically configurable in the Scanner ConfigMap, but it really shouldn't be changed. Not sure why we offer this, and I wonder if we should just remove that @connorgorman ? Anyway, that's for another time. I think assuming 8443 is safe

this should be eventually be scanner.custom-ns.svc:8443 once #820 is merged

done

The env var does not need to be set unconditionally because false is the default even if it is not set on the pod.
See here: https://github.com/stackrox/stackrox/blob/master/pkg/env/sensor.go#L20-L20

The reason why you have the nil pointer errors is because of this code which only adds the scanner shape if the feature flag is enabled and not in kubectl output mode:
https://github.com/stackrox/stackrox/blob/master/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl#L41-L45

Can you add this env variables only:

• If not in kubectl output AND feature flag enabled in the meta templating stage?
  The check is this: [< if and (not .KubectlOutput) .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING ->]
• The env variables should be inside the {{- if ._rox.env.openshift }} above.

{{ if ._rox.env.openshift }}
- name: ROX_OPENSHIFT_API
  value: "true"
[<- if and (not .KubectlOutput) .FeatureFlags.ROX_LOCAL_IMAGE_SCANNING >]
- name: ROX_USE_LOCAL_SCANNER
   value: {{ not ._rox.scanner.disable }}
 - name: ROX_SCANNER_GRPC_ENDPOINT
   value: {{ printf "%s.%s.svc:8443" ._rox.scanner.name .Release.Namespace }}
[<- end >]
{{ end }}

In case you get an error because {{ not ._rox.scanner.disable }} was not "false" you need to do a hack and change it to {{ not ._rox.scanner.disable | not | not }} to convert it

Done. I had to remove the test to check ROX_SCANNER_GRPC_ENDPOINT is missing, because I cannot manipulate KubectlOutput or FeatureFlags in the test