Rename property to make it's effect more clear.

J12934 · J12934 · commit 122c74019afb · 2024-09-19T10:24:20.000+02:00
Would potentially be confusing otherwise as the operator doesn't inject the istio sidecars, it's just allowing/preventing it.

Signed-off-by: Jannik Hollenbach &lt;jannik.hollenbach@iteratec.com&gt;
diff --git a/operator/README.md b/operator/README.md
@@ -73,6 +73,7 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| allowIstioSidecarInjectionInJobs | bool | `false` | Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect. |
 | customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) |
 | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) |
 | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces |
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
@@ -7,7 +7,6 @@ package scancontrollers
 import (
 	"context"
 	"fmt"
-	"os"
 
 	"k8s.io/apimachinery/pkg/labels"
 
@@ -380,12 +379,6 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1
 		resources = hookSpec.Resources
 	}
 
-	istioInjectJobs := "false"
-
-	if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok {
-		istioInjectJobs = configuredIstioInjectJobs
-	}
-
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -403,7 +396,7 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1
 					},
 					Annotations: map[string]string{
 						"auto-discovery.securecodebox.io/ignore": "true",
-						"sidecar.istio.io/inject":                istioInjectJobs,
+						"sidecar.istio.io/inject":                allowIstioSidecarInjectionInJobs,
 					},
 				},
 				Spec: corev1.PodSpec{
diff --git a/operator/controllers/execution/scans/init.go b/operator/controllers/execution/scans/init.go
@@ -5,6 +5,8 @@
 package scancontrollers
 
 import (
+	"os"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
 )
@@ -37,7 +39,13 @@ var (
 	)
 )
 
+var allowIstioSidecarInjectionInJobs = "false"
+
 func init() {
 	// Register custom metrics with the global prometheus registry
 	metrics.Registry.MustRegister(scansStartedMetric, scansDoneMetric, scansErroredMetric)
+
+	if allowIstioSidecarInjectionInJobsEnv, ok := os.LookupEnv("ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS"); ok && (allowIstioSidecarInjectionInJobsEnv == "true" || allowIstioSidecarInjectionInJobsEnv == "false") {
+		allowIstioSidecarInjectionInJobs = allowIstioSidecarInjectionInJobsEnv
+	}
 }
diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -7,7 +7,6 @@ package scancontrollers
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"
 
 	executionv1 "github.com/secureCodeBox/secureCodeBox/operator/apis/execution/v1"
@@ -138,12 +137,6 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 		resources = parseDefinitionSpec.Resources
 	}
 
-	istioInjectJobs := "false"
-
-	if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok {
-		istioInjectJobs = configuredIstioInjectJobs
-	}
-
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -161,7 +154,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 					},
 					Annotations: map[string]string{
 						"auto-discovery.securecodebox.io/ignore": "true",
-						"sidecar.istio.io/inject":                istioInjectJobs,
+						"sidecar.istio.io/inject":                allowIstioSidecarInjectionInJobs,
 					},
 				},
 				Spec: corev1.PodSpec{
diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
@@ -233,15 +233,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe
 		podAnnotations = make(map[string]string)
 	}
 
-	istioInjectJobs := "false"
-
-	if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok {
-		istioInjectJobs = configuredIstioInjectJobs
-	}
-
 	podAnnotations["auto-discovery.securecodebox.io/ignore"] = "true"
 	// Ensuring that istio doesn't inject a sidecar proxy.
-	podAnnotations["sidecar.istio.io/inject"] = istioInjectJobs
+	podAnnotations["sidecar.istio.io/inject"] = allowIstioSidecarInjectionInJobs
 	job.Spec.Template.Annotations = podAnnotations
 
 	if job.Spec.Template.Spec.ServiceAccountName == "" {
diff --git a/operator/docs/README.ArtifactHub.md b/operator/docs/README.ArtifactHub.md
@@ -78,6 +78,7 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| allowIstioSidecarInjectionInJobs | bool | `false` | Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect. |
 | customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) |
 | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) |
 | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces |
diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
@@ -139,8 +139,8 @@ spec:
               value: {{ .Values.presignedUrlExpirationTimes.parsers | quote }}
             - name: URL_EXPIRATION_HOOK
               value: {{ .Values.presignedUrlExpirationTimes.hooks | quote }}
-            - name: ISTIO_INJECT_JOBS
-              value: {{ .Values.istioInjectJobs | quote }}
+            - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS
+              value: {{ .Values.allowIstioSidecarInjectionInJobs | quote }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:
diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
@@ -77,7 +77,7 @@ matches the snapshot:
                   value: 1h
                 - name: URL_EXPIRATION_HOOK
                   value: 1h
-                - name: ISTIO_INJECT_JOBS
+                - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS
                   value: "false"
               image: docker.io/securecodebox/operator:0.0.0
               imagePullPolicy: IfNotPresent
@@ -685,7 +685,7 @@ properly-renders-the-service-monitor-when-enabled:
                   value: 1h
                 - name: URL_EXPIRATION_HOOK
                   value: 1h
-                - name: ISTIO_INJECT_JOBS
+                - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS
                   value: "false"
               image: docker.io/securecodebox/operator:0.0.0
               imagePullPolicy: IfNotPresent
diff --git a/operator/values.yaml b/operator/values.yaml
@@ -129,5 +129,5 @@ presignedUrlExpirationTimes:
   parsers: "1h"
   hooks: "1h"
 
-# Sets the value of the istio sidecar annotation for jobs: "sidecar.istio.io/inject"
-istioInjectJobs: false
+# -- Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect.
+allowIstioSidecarInjectionInJobs: false

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@`
`5`	`5`	`package scancontrollers`
`6`	`6`
`7`	`7`	`import (`
	`8`	`+ "os"`
	`9`	`+`
`8`	`10`	`"github.com/prometheus/client_golang/prometheus"`
`9`	`11`	`"sigs.k8s.io/controller-runtime/pkg/metrics"`
`10`	`12`	`)`
`@@ -37,7 +39,13 @@ var (`
`37`	`39`	`)`
`38`	`40`	`)`
`39`	`41`
	`42`	`+var allowIstioSidecarInjectionInJobs = "false"`
	`43`	`+`
`40`	`44`	`func init() {`
`41`	`45`	`// Register custom metrics with the global prometheus registry`
`42`	`46`	`metrics.Registry.MustRegister(scansStartedMetric, scansDoneMetric, scansErroredMetric)`
	`47`	`+`
	`48`	`+ if allowIstioSidecarInjectionInJobsEnv, ok := os.LookupEnv("ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS"); ok && (allowIstioSidecarInjectionInJobsEnv == "true" \|\| allowIstioSidecarInjectionInJobsEnv == "false") {`
	`49`	`+ allowIstioSidecarInjectionInJobs = allowIstioSidecarInjectionInJobsEnv`
	`50`	`+ }`
`43`	`51`	`}`