secureCodeBox · J12934 · Sep 19, 2024 · Aug 23, 2024 · Sep 18, 2024 · Sep 18, 2024
diff --git a/operator/README.md b/operator/README.md
@@ -73,6 +73,7 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| allowIstioSidecarInjectionInJobs | bool | `false` | Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect. |
 | customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) |
 | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) |
 | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces |

diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
@@ -378,6 +378,7 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1
 	if len(hookSpec.Resources.Requests) != 0 || len(hookSpec.Resources.Limits) != 0 {
 		resources = hookSpec.Resources
 	}
+
 	job := &batch.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations:  make(map[string]string),
@@ -395,7 +396,7 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1
 					},
 					Annotations: map[string]string{
 						"auto-discovery.securecodebox.io/ignore": "true",
-						"sidecar.istio.io/inject":                "false",
+						"sidecar.istio.io/inject":                allowIstioSidecarInjectionInJobs,
 					},
 				},
 				Spec: corev1.PodSpec{

diff --git a/operator/controllers/execution/scans/init.go b/operator/controllers/execution/scans/init.go
@@ -5,6 +5,8 @@
 package scancontrollers
 
 import (
+	"os"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
 )
@@ -37,7 +39,13 @@ var (
 	)
 )
 
+var allowIstioSidecarInjectionInJobs = "false"
+
 func init() {
 	// Register custom metrics with the global prometheus registry
 	metrics.Registry.MustRegister(scansStartedMetric, scansDoneMetric, scansErroredMetric)
+
+	if allowIstioSidecarInjectionInJobsEnv, ok := os.LookupEnv("ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS"); ok && (allowIstioSidecarInjectionInJobsEnv == "true" || allowIstioSidecarInjectionInJobsEnv == "false") {
+		allowIstioSidecarInjectionInJobs = allowIstioSidecarInjectionInJobsEnv
+	}
 }
diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -154,7 +154,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 					},
 					Annotations: map[string]string{
 						"auto-discovery.securecodebox.io/ignore": "true",
-						"sidecar.istio.io/inject":                "false",
+						"sidecar.istio.io/inject":                allowIstioSidecarInjectionInJobs,
 					},
 				},
 				Spec: corev1.PodSpec{

diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
@@ -232,9 +232,10 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe
 	if podAnnotations == nil {
 		podAnnotations = make(map[string]string)
 	}
+
 	podAnnotations["auto-discovery.securecodebox.io/ignore"] = "true"
 	// Ensuring that istio doesn't inject a sidecar proxy.
-	podAnnotations["sidecar.istio.io/inject"] = "false"
+	podAnnotations["sidecar.istio.io/inject"] = allowIstioSidecarInjectionInJobs
 	job.Spec.Template.Annotations = podAnnotations
 
 	if job.Spec.Template.Spec.ServiceAccountName == "" {

diff --git a/operator/docs/README.ArtifactHub.md b/operator/docs/README.ArtifactHub.md
@@ -78,6 +78,7 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| allowIstioSidecarInjectionInJobs | bool | `false` | Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect. |
 | customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) |
 | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) |
 | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces |

diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
@@ -139,6 +139,8 @@ spec:
               value: {{ .Values.presignedUrlExpirationTimes.parsers | quote }}
             - name: URL_EXPIRATION_HOOK
               value: {{ .Values.presignedUrlExpirationTimes.hooks | quote }}
+            - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS
+              value: {{ .Values.allowIstioSidecarInjectionInJobs | quote }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:

diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
@@ -77,6 +77,8 @@ matches the snapshot:
                   value: 1h
                 - name: URL_EXPIRATION_HOOK
                   value: 1h
+                - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS
+                  value: "false"
               image: docker.io/securecodebox/operator:0.0.0
               imagePullPolicy: IfNotPresent
               livenessProbe:
@@ -683,6 +685,8 @@ properly-renders-the-service-monitor-when-enabled:
                   value: 1h
                 - name: URL_EXPIRATION_HOOK
                   value: 1h
+                - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS
+                  value: "false"
               image: docker.io/securecodebox/operator:0.0.0
               imagePullPolicy: IfNotPresent
               livenessProbe:

diff --git a/operator/values.yaml b/operator/values.yaml
@@ -128,3 +128,6 @@ presignedUrlExpirationTimes:
   scanners: "12h"
   parsers: "1h"
   hooks: "1h"
+
+# -- Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect.
+allowIstioSidecarInjectionInJobs: false