In Multicluster, Scan job pod is not able to be created due to 'secrets "app-tls-cert" not found' error.
Article ID: 297910

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

- The Workload enters the HealthyConditionRule status with the message: condition status: False, message: Scan job pod could not be retrieved. expected 1 pod, found 0
$ tanzu apps workload get -n dev sample-app
......
📦 Supply Chain
   name:   source-test-scan-to-url

   RESOURCE           READY   HEALTHY   TIME   OUTPUT
   source-provider    True    True      13m    GitRepository/sample-app
   source-tester      True    True      13m    Runnable/sample-app
   source-scanner     False   False     13m    SourceScan/sample-app
......
💬 Messages
   Workload [HealthyConditionRule]:   condition status: False, message: Scan job pod could not be retrieved. expected 1 pod, found 0
......


$ kubectl get SourceScan/sample-app -n dev -o yaml
......
status:
  conditions:
  - error: expected 1 pod, found 0
    lastTransitionTime: "2023-08-02T01:46:13Z"
    message: Scan job pod could not be retrieved. expected 1 pod, found 0
- The TaskRun status section shows: failed to create task run pod "scan-xxx": translating TaskSpec to Pod: secrets "app-tls-cert" not found.
$ kubectl get taskruns -n dev scan-sample-app-vnh24 -o yaml
......
status:
  completionTime: "2023-07-27T06:17:06Z"
  conditions:
  - lastTransitionTime: "2023-07-27T06:17:06Z"
    message: 'failed to create task run pod "scan-sample-app-vnh24":
      translating TaskSpec to Pod: secrets "app-tls-cert" not found. Maybe invalid
      TaskSpec'
    reason: CouldntGetTask
    status: "False"
    type: Succeeded


Environment

Product Version: 1.5

Resolution

- As documented in Connecting vulnerability scanning to Supply Chain Security Tools - Store, the secret app-tls-cert is used by the scanner to communicate with SCST - Store in a Full profile cluster (Single Cluster). Therefore, in a Multicluster environment, the secret app-tls-cert is not expected to be present or used to configure a pod; instead, the ingress-cert of SCST - Store in the View cluster is used.

- Users are asked to follow Multicluster setup for Supply Chain Security Tools - Store and perform the following four steps to complete the Multicluster scanner configuration.
  1. Copy SCST - Store CA certificate from the View cluster.
  2. Copy SCST - Store authentication token from the View cluster.
  3. Apply the CA certificate and authentication token to the Kubernetes cluster where you intend to install the Build profile.
  4. Install the Build profile.

- In Step 4, if the Build profile is configured correctly, the store-auth-token and store-ca-cert SecretImports are created when the grype package is installed. Once the grype package is deployed correctly, the scan job pod no longer requires the secret "app-tls-cert" and the issue should be resolved.
        | Namespace  Name                         Kind            Age  Op      Op st.  Wait to    Rs  Ri
        | sky        blob-source-scan-template    ScanTemplate    -    create  -       reconcile  -   -
        | ^          grype-scanner                ServiceAccount  -    create  -       reconcile  -   -
        | ^          private-image-scan-template  ScanTemplate    -    create  -       reconcile  -   -
        | ^          public-image-scan-template   ScanTemplate    -    create  -       reconcile  -   -
        | ^          public-source-scan-template  ScanTemplate    -    create  -       reconcile  -   -
        | ^          scanner-secret-ref           Secret          -    create  -       reconcile  -   -
        | ^          store-auth-token             SecretImport    -    create  -       reconcile  -   -
        | ^          store-ca-cert                SecretImport    -    create  -       reconcile  -   -
        | Op:      8 create, 0 delete, 0 update, 0 noop, 0 exists
        | Wait to: 8 reconcile, 0 delete, 0 noop
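The following triage helper is an added example, not part of the article or of the Tanzu tooling. It reads the JSON that `kubectl get taskrun <name> -n <ns> -o json` and `kubectl get secretimport -n <scanner-namespace> -o json` return (constructed sample input is embedded below) and decides whether a failed scan TaskRun is the single-cluster secret app-tls-cert being requested where the Multicluster SecretImports store-auth-token and store-ca-cert should exist.

```python
"""Triage a SourceScan TaskRun failure on a Multicluster Build cluster (added example)."""
import re
from typing import Optional

# SecretImports the grype package creates on a correctly configured Build profile
# (names taken from the kapp output above); the secret only a Full profile uses.
EXPECTED_IMPORTS = {"store-auth-token", "store-ca-cert"}
SINGLE_CLUSTER_SECRET = "app-tls-cert"
_MISSING_RE = re.compile(r'secrets "([^"]+)" not found')


def missing_secret(taskrun: dict) -> Optional[str]:
    """Return the secret name Tekton could not find when building the pod, or None."""
    for cond in taskrun.get("status", {}).get("conditions", []):
        if cond.get("type") == "Succeeded" and cond.get("status") == "False":
            match = _MISSING_RE.search(cond.get("message", ""))
            if match:
                return match.group(1)
    return None


def present_imports(secret_import_list: dict) -> set:
    """Names of the SecretImports in a `kubectl get secretimport -o json` list."""
    return {item["metadata"]["name"] for item in secret_import_list.get("items", [])}


def diagnose(taskrun: dict, secret_import_list: dict) -> str:
    """Map the TaskRun failure and the scanner namespace state to a next action."""
    missing = missing_secret(taskrun)
    if missing is None:
        return "ok: TaskRun pod creation did not fail on a missing secret"
    if missing != SINGLE_CLUSTER_SECRET:
        return f"other: secret {missing!r} not found; check the ScanTemplate it references"
    absent = EXPECTED_IMPORTS - present_imports(secret_import_list)
    if absent:
        return ("multicluster misconfiguration: scanner still expects "
                f"{SINGLE_CLUSTER_SECRET!r}; SecretImports missing: {sorted(absent)}")
    return (f"{SINGLE_CLUSTER_SECRET!r} requested although both SecretImports exist; "
            "re-check the grype package values and that the imports reconciled")


# Constructed sample: the TaskRun condition from the article, as kubectl -o json emits it.
SAMPLE_TASKRUN = {"status": {"conditions": [{
    "type": "Succeeded", "status": "False", "reason": "CouldntGetTask",
    "message": 'failed to create task run pod "scan-sample-app-vnh24": translating '
               'TaskSpec to Pod: secrets "app-tls-cert" not found. Maybe invalid TaskSpec'}]}}
# Constructed sample: scanner namespace on a Build cluster with no SecretImports yet.
SAMPLE_IMPORTS_EMPTY = {"items": []}

if __name__ == "__main__":
    print(diagnose(SAMPLE_TASKRUN, SAMPLE_IMPORTS_EMPTY))
```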