Correct Istio AutoInject Flag to a Annotation

secureCodeBox · Sep 29, 2020 · 0e33d6e · 0e33d6e
1 parent 493f77e
commit 0e33d6e
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 16 deletions.
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
@@ -375,9 +375,7 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: map[string]string{
 						"auto-discovery.experimental.securecodebox.io/ignore": "true",
-					},
-					Labels: map[string]string{
-						"sidecar.istio.io/inject": "false",
+						"sidecar.istio.io/inject":                             "false",
 					},
 				},
 				Spec: corev1.PodSpec{

diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -93,9 +93,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: map[string]string{
 						"auto-discovery.experimental.securecodebox.io/ignore": "true",
-					},
-					Labels: map[string]string{
-						"sidecar.istio.io/inject": "false",
+						"sidecar.istio.io/inject":                             "false",
 					},
 				},
 				Spec: corev1.PodSpec{

diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
@@ -172,6 +172,8 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 		podAnnotations = make(map[string]string)
 	}
 	podAnnotations["experimental.securecodebox.io/job-type"] = "scanner"
+	// Ensuring that istio doesn't inject a sidecar proxy.
+	podAnnotations["sidecar.istio.io/inject"] = "true"
 	job.Spec.Template.Annotations = podAnnotations
 
 	job.Spec.Template.Spec.ServiceAccountName = "lurcher"
@@ -187,16 +189,6 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 		},
 	})
 
-	// Ensuring that istio doesn't inject a sidecar proxy.
-	// This currently messes with
-	if job.Spec.Template.ObjectMeta.Labels != nil {
-		job.Spec.Template.ObjectMeta.Labels["sidecar.istio.io/inject"] = "true"
-	} else {
-		job.Spec.Template.ObjectMeta.Labels = map[string]string{
-			"sidecar.istio.io/inject": "false",
-		}
-	}
-
 	// merging volume mounts (for the primary scanner container) from ScanType (if existing) with standard results volume mount
 	if job.Spec.Template.Spec.Containers[0].VolumeMounts == nil || len(job.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
 		job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{}