Merge branch 'master' into website-decision-adr

Daniel Patanin · Daniel Patanin · commit 8ac8d4d6f85b · 2020-09-29T11:34:56.000+02:00
diff --git a/.github/workflows/helm-charts.yaml b/.github/workflows/helm-charts.yaml
@@ -11,7 +11,7 @@ jobs:
       - name: "Install yq"
         run: |
           sudo snap install yq
-      - name: Parse Tag 
+      - name: Parse Tag
         run: echo ::set-env name=RELEASE_VERSION::${GITHUB_REF#refs/*/}
       - name: "Publish Helm3 Charts"
         env:
@@ -45,8 +45,9 @@ jobs:
             cd "${dir}" || exit
             mv Chart.yaml helm3.Chart.yaml
             mv helm2.Chart.yaml Chart.yaml
-            if [ ${dir} = "operator" ]
+            if [ "$(basename "$PWD")" = "operator" ]
             then
+                echo "Copying CRDS to templates folder, as helm2 doesn't have native crds support."
                 cp -R crds templates/crds
             fi
             echo "Restoring Helm2 Chart and replace Helm3 Chart temporary"
@@ -57,4 +58,4 @@ jobs:
             NAME=$(yq read - name < Chart.yaml)
             curl --silent --show-error --user "${USERNAME}:${PASSWORD}" --data-binary "@${NAME}-${RELEASE_VERSION}.tgz" "${HELM_REGISTRY}/api/charts"
           )
-          done
+          done
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
@@ -376,6 +376,9 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 					Annotations: map[string]string{
 						"auto-discovery.experimental.securecodebox.io/ignore": "true",
 					},
+					Labels: map[string]string{
+						"sidecar.istio.io/inject": "false",
+					},
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: serviceAccountName,
diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -94,6 +94,9 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 					Annotations: map[string]string{
 						"auto-discovery.experimental.securecodebox.io/ignore": "true",
 					},
+					Labels: map[string]string{
+						"sidecar.istio.io/inject": "false",
+					},
 				},
 				Spec: corev1.PodSpec{
 					RestartPolicy:      corev1.RestartPolicyNever,
diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
@@ -187,6 +187,16 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 		},
 	})
 
+	// Ensuring that istio doesn't inject a sidecar proxy.
+	// This currently messes with
+	if job.Spec.Template.ObjectMeta.Labels != nil {
+		job.Spec.Template.ObjectMeta.Labels["sidecar.istio.io/inject"] = "true"
+	} else {
+		job.Spec.Template.ObjectMeta.Labels = map[string]string{
+			"sidecar.istio.io/inject": "false",
+		}
+	}
+
 	// merging volume mounts (for the primary scanner container) from ScanType (if existing) with standard results volume mount
 	if job.Spec.Template.Spec.Containers[0].VolumeMounts == nil || len(job.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
 		job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{}
