From 2a029ddffdc3114ed831c571c701c82e56293d68 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Fri, 23 Aug 2024 11:56:42 +0200
Subject: [PATCH 1/4] Add env section to expected helm output
Signed-off-by: Jannik Hollenbach
Signed-off-by: Michael-Kruggel
---
 .../kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap b/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap
index 00b1265d62..45a801e7e9 100644
--- a/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap
+++ b/auto-discovery/kubernetes/tests/__snapshot__/auto-discovery_test.yaml.snap
@@ -19,6 +19,7 @@ matches the snapshot: "defectdojo.securecodebox.io/product-name": "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}", "defectdojo.securecodebox.io/product-tags": "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}" }, + "env": [], "hookSelector": {}, "labels": {}, "name": "trivy",
@@ -62,6 +63,7 @@ matches the snapshot: "defectdojo.securecodebox.io/product-name": "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}", "defectdojo.securecodebox.io/product-tags": "cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}" }, + "env": [], "hookSelector": {}, "labels": {}, "name": "zap",
From e67bbe2dee48476af888189819a484ce5b0aa53b Mon Sep 17 00:00:00 2001
From: Michael-Kruggel
Date: Wed, 18 Sep 2024 19:23:14 +0000
Subject: [PATCH 2/4] feat: add configurable istio sidecar annotaion for jobs
Signed-off-by: Michael-Kruggel
---
 .../controllers/execution/scans/hook_reconciler.go | 10 +++++++++-
 .../controllers/execution/scans/parse_reconciler.go | 9 ++++++++-
 .../controllers/execution/scans/scan_reconciler.go | 9 ++++++++-
 operator/templates/manager/manager.yaml | 2 ++
 operator/values.yaml | 3 +++
 5 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
index 428db1ffe6..8129197dea 100644
--- a/operator/controllers/execution/scans/hook_reconciler.go
+++ b/operator/controllers/execution/scans/hook_reconciler.go
@@ -7,6 +7,7 @@ package scancontrollers import ( "context" "fmt" + "os" "k8s.io/apimachinery/pkg/labels"
@@ -378,6 +379,13 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1 if len(hookSpec.Resources.Requests) != 0 || len(hookSpec.Resources.Limits) != 0 { resources = hookSpec.Resources } + + istioInjectJobs := "false" + + if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok { + istioInjectJobs = configuredIstioInjectJobs + } + job := &batch.Job{ ObjectMeta: metav1.ObjectMeta{ Annotations: make(map[string]string),
@@ -395,7 +403,7 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1 }, Annotations: map[string]string{ "auto-discovery.securecodebox.io/ignore": "true", - "sidecar.istio.io/inject": "false", + "sidecar.istio.io/inject": istioInjectJobs, }, }, Spec: corev1.PodSpec{
diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
index 981fcb2df4..4491b3d4c4 100644
--- a/operator/controllers/execution/scans/parse_reconciler.go
+++ b/operator/controllers/execution/scans/parse_reconciler.go
@@ -7,6 +7,7 @@ package scancontrollers import ( "context" "fmt" + "os" "strings" executionv1 "github.com/secureCodeBox/secureCodeBox/operator/apis/execution/v1"
@@ -137,6 +138,12 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { resources = parseDefinitionSpec.Resources } + istioInjectJobs := "false" + + if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok { + istioInjectJobs = configuredIstioInjectJobs + } + job := &batch.Job{ ObjectMeta: metav1.ObjectMeta{ Annotations: make(map[string]string),
@@ -154,7 +161,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { }, Annotations: map[string]string{ "auto-discovery.securecodebox.io/ignore": "true", - "sidecar.istio.io/inject": "false", + "sidecar.istio.io/inject": istioInjectJobs, }, }, Spec: corev1.PodSpec{
diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
index cd0b3c2a7c..21db0aac0d 100644
--- a/operator/controllers/execution/scans/scan_reconciler.go
+++ b/operator/controllers/execution/scans/scan_reconciler.go
@@ -232,9 +232,16 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe if podAnnotations == nil { podAnnotations = make(map[string]string) } + + istioInjectJobs := "false" + + if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok { + istioInjectJobs = configuredIstioInjectJobs + } + podAnnotations["auto-discovery.securecodebox.io/ignore"] = "true" // Ensuring that istio doesn't inject a sidecar proxy. - podAnnotations["sidecar.istio.io/inject"] = "false" + podAnnotations["sidecar.istio.io/inject"] = istioInjectJobs job.Spec.Template.Annotations = podAnnotations if job.Spec.Template.Spec.ServiceAccountName == "" {
diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
index 44febc48d0..5ece895acb 100644
--- a/operator/templates/manager/manager.yaml
+++ b/operator/templates/manager/manager.yaml
@@ -139,6 +139,8 @@ spec: value: {{ .Values.presignedUrlExpirationTimes.parsers | quote }} - name: URL_EXPIRATION_HOOK value: {{ .Values.presignedUrlExpirationTimes.hooks | quote }} + - name: ISTIO_INJECT_JOBS + value: {{ .Values.istioInjectJobs | quote }} resources: {{- toYaml .Values.resources | nindent 12 }} securityContext:
diff --git a/operator/values.yaml b/operator/values.yaml
index b6e7776ffb..0decd8417d 100644
--- a/operator/values.yaml
+++ b/operator/values.yaml
@@ -128,3 +128,6 @@ presignedUrlExpirationTimes: scanners: "12h" parsers: "1h" hooks: "1h" + +# Sets the value of the istio sidecar annotation for jobs: "sidecar.istio.io/inject" +istioInjectJobs: false
From be9198d253a053c69d724d8d54714fc03e6890f0 Mon Sep 17 00:00:00 2001
From: Michael-Kruggel
Date: Wed, 18 Sep 2024 19:36:52 +0000
Subject: [PATCH 3/4] chore: updated operator snapshot
Signed-off-by: Michael-Kruggel
---
 operator/tests/__snapshot__/operator_test.yaml.snap | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
index 58a3fc782b..e2ef99f27f 100644
--- a/operator/tests/__snapshot__/operator_test.yaml.snap
+++ b/operator/tests/__snapshot__/operator_test.yaml.snap
@@ -77,6 +77,8 @@ matches the snapshot: value: 1h - name: URL_EXPIRATION_HOOK value: 1h + - name: ISTIO_INJECT_JOBS + value: "false" image: docker.io/securecodebox/operator:0.0.0 imagePullPolicy: IfNotPresent livenessProbe:
@@ -683,6 +685,8 @@ properly-renders-the-service-monitor-when-enabled: value: 1h - name: URL_EXPIRATION_HOOK value: 1h + - name: ISTIO_INJECT_JOBS + value: "false" image: docker.io/securecodebox/operator:0.0.0 imagePullPolicy: IfNotPresent livenessProbe:
From 7ab8c9399114b55260a1e49e4e4c004c022e6f09 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Thu, 19 Sep 2024 09:58:40 +0200
Subject: [PATCH 4/4] Rename property to make it's effect more clear. Would potentially be confusing otherwise as the operator doesn't inject the istio sidecars, it's just allowing/preventing it.
Signed-off-by: Jannik Hollenbach
---
 operator/README.md | 1 +
 operator/controllers/execution/scans/hook_reconciler.go | 9 +--------
 operator/controllers/execution/scans/init.go | 8 ++++++++
 operator/controllers/execution/scans/parse_reconciler.go | 9 +--------
 operator/controllers/execution/scans/scan_reconciler.go | 8 +-------
 operator/docs/README.ArtifactHub.md | 1 +
 operator/templates/manager/manager.yaml | 4 ++--
 operator/tests/__snapshot__/operator_test.yaml.snap | 4 ++--
 operator/values.yaml | 4 ++--
 9 files changed, 19 insertions(+), 29 deletions(-)
diff --git a/operator/README.md b/operator/README.md
index aaaf0a8515..e7abc98549 100644
--- a/operator/README.md
+++ b/operator/README.md
@@ -73,6 +73,7 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator | Key | Type | Default | Description | |-----|------|---------|-------------| +| allowIstioSidecarInjectionInJobs | bool | `false` | Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect. | | customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) | | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) | | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces |
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
index 8129197dea..45527b00e8 100644
--- a/operator/controllers/execution/scans/hook_reconciler.go
+++ b/operator/controllers/execution/scans/hook_reconciler.go
@@ -7,7 +7,6 @@ package scancontrollers import ( "context" "fmt" - "os" "k8s.io/apimachinery/pkg/labels"
@@ -380,12 +379,6 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1 resources = hookSpec.Resources } - istioInjectJobs := "false" - - if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok { - istioInjectJobs = configuredIstioInjectJobs - } - job := &batch.Job{ ObjectMeta: metav1.ObjectMeta{ Annotations: make(map[string]string),
@@ -403,7 +396,7 @@ func (r *ScanReconciler) createJobForHook(hookName string, hookSpec *executionv1 }, Annotations: map[string]string{ "auto-discovery.securecodebox.io/ignore": "true", - "sidecar.istio.io/inject": istioInjectJobs, + "sidecar.istio.io/inject": allowIstioSidecarInjectionInJobs, }, }, Spec: corev1.PodSpec{
diff --git a/operator/controllers/execution/scans/init.go b/operator/controllers/execution/scans/init.go
index 526d93a4fe..05e8633005 100644
--- a/operator/controllers/execution/scans/init.go
+++ b/operator/controllers/execution/scans/init.go
@@ -5,6 +5,8 @@ package scancontrollers import ( + "os" + "github.com/prometheus/client_golang/prometheus" "sigs.k8s.io/controller-runtime/pkg/metrics" )
@@ -37,7 +39,13 @@ var ( ) ) +var allowIstioSidecarInjectionInJobs = "false" + func init() { // Register custom metrics with the global prometheus registry metrics.Registry.MustRegister(scansStartedMetric, scansDoneMetric, scansErroredMetric) + + if allowIstioSidecarInjectionInJobsEnv, ok := os.LookupEnv("ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS"); ok && (allowIstioSidecarInjectionInJobsEnv == "true" || allowIstioSidecarInjectionInJobsEnv == "false") { + allowIstioSidecarInjectionInJobs = allowIstioSidecarInjectionInJobsEnv + } }
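Review bot: In the init() hunk of init.go, an ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS value other than exactly "true" or "false" (for example "True", "1" or "yes") is dropped silently by the `ok && (... == "true" || ... == "false")` condition, so a misconfigured deployment keeps the default "false" with nothing in the operator's logs to show why; an else branch that reports the rejected value, e.g. `log.Printf("ignoring invalid ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS value %q, using %q", allowIstioSidecarInjectionInJobsEnv, allowIstioSidecarInjectionInJobs)` from the standard library (the hunk imports no logger, so one would have to be added), would make the fallback visible. The Helm template renders the bool through `quote`, so the chart path itself appears to produce exactly those two strings, but the variable can also be set outside the chart. The new package-level `allowIstioSidecarInjectionInJobs` has no doc comment; I would add one stating that it holds the string written to the "sidecar.istio.io/inject" annotation of every job the operator creates (scans, parsers and hooks), that only "true"/"false" are accepted from the environment variable, and that it is resolved once at package load. Resolving the setting in init() rather than through the manager's configuration also makes it hard to exercise in tests; a small helper that takes the raw environment value and returns the validated string would keep the check testable.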
diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
index 4491b3d4c4..868617a0d3 100644
--- a/operator/controllers/execution/scans/parse_reconciler.go
+++ b/operator/controllers/execution/scans/parse_reconciler.go
@@ -7,7 +7,6 @@ package scancontrollers import ( "context" "fmt" - "os" "strings" executionv1 "github.com/secureCodeBox/secureCodeBox/operator/apis/execution/v1"
@@ -138,12 +137,6 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { resources = parseDefinitionSpec.Resources } - istioInjectJobs := "false" - - if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok { - istioInjectJobs = configuredIstioInjectJobs - } - job := &batch.Job{ ObjectMeta: metav1.ObjectMeta{ Annotations: make(map[string]string),
@@ -161,7 +154,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error { }, Annotations: map[string]string{ "auto-discovery.securecodebox.io/ignore": "true", - "sidecar.istio.io/inject": istioInjectJobs, + "sidecar.istio.io/inject": allowIstioSidecarInjectionInJobs, }, }, Spec: corev1.PodSpec{
diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
index 21db0aac0d..2998e12636 100644
--- a/operator/controllers/execution/scans/scan_reconciler.go
+++ b/operator/controllers/execution/scans/scan_reconciler.go
@@ -233,15 +233,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe podAnnotations = make(map[string]string) } - istioInjectJobs := "false" - - if configuredIstioInjectJobs, ok := os.LookupEnv("ISTIO_INJECT_JOBS"); ok { - istioInjectJobs = configuredIstioInjectJobs - } - podAnnotations["auto-discovery.securecodebox.io/ignore"] = "true" // Ensuring that istio doesn't inject a sidecar proxy. - podAnnotations["sidecar.istio.io/inject"] = istioInjectJobs + podAnnotations["sidecar.istio.io/inject"] = allowIstioSidecarInjectionInJobs job.Spec.Template.Annotations = podAnnotations if job.Spec.Template.Spec.ServiceAccountName == "" {
diff --git a/operator/docs/README.ArtifactHub.md b/operator/docs/README.ArtifactHub.md
index 954082039a..4f3e5af023 100644
--- a/operator/docs/README.ArtifactHub.md
+++ b/operator/docs/README.ArtifactHub.md
@@ -78,6 +78,7 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator | Key | Type | Default | Description | |-----|------|---------|-------------| +| allowIstioSidecarInjectionInJobs | bool | `false` | Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect. | | customCACertificate | object | `{"certificate":"public.crt","existingCertificate":null}` | Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks). Requires that every namespace has a configmap with the CA certificate(s) | | customCACertificate.certificate | string | `"public.crt"` | key in the configmap holding the certificate(s) | | customCACertificate.existingCertificate | string | `nil` | name of the configMap holding the ca certificate(s), needs to be the same across all namespaces |
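Review bot: The comment `// Ensuring that istio doesn't inject a sidecar proxy.` kept directly above the changed assignment in constructJobForScan is now misleading, because the value comes from the package-level `allowIstioSidecarInjectionInJobs` and is "true" whenever ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS is set to "true"; I would replace it with `// Istio sidecar injection for scan pods is controlled by ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS (default "false", because a sidecar that never exits keeps the job from completing).` The same stale comment was carried through unchanged in patch 2's hunk of this file. The assignment also overwrites any "sidecar.istio.io/inject" key already present in podAnnotations; if those annotations can be user-supplied (their origin lies before the hunk), that precedence is worth a sentence in the comment or in the values.yaml description. constructJobForScan starts and ends outside the hunk.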
diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
index 5ece895acb..4f345b2e19 100644
--- a/operator/templates/manager/manager.yaml
+++ b/operator/templates/manager/manager.yaml
@@ -139,8 +139,8 @@ spec: value: {{ .Values.presignedUrlExpirationTimes.parsers | quote }} - name: URL_EXPIRATION_HOOK value: {{ .Values.presignedUrlExpirationTimes.hooks | quote }} - - name: ISTIO_INJECT_JOBS - value: {{ .Values.istioInjectJobs | quote }} + - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS + value: {{ .Values.allowIstioSidecarInjectionInJobs | quote }} resources: {{- toYaml .Values.resources | nindent 12 }} securityContext:
diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
index e2ef99f27f..1d1408d695 100644
--- a/operator/tests/__snapshot__/operator_test.yaml.snap
+++ b/operator/tests/__snapshot__/operator_test.yaml.snap
@@ -77,7 +77,7 @@ matches the snapshot: value: 1h - name: URL_EXPIRATION_HOOK value: 1h - - name: ISTIO_INJECT_JOBS + - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS value: "false" image: docker.io/securecodebox/operator:0.0.0 imagePullPolicy: IfNotPresent
@@ -685,7 +685,7 @@ properly-renders-the-service-monitor-when-enabled: value: 1h - name: URL_EXPIRATION_HOOK value: 1h - - name: ISTIO_INJECT_JOBS + - name: ALLOW_ISTIO_SIDECAR_INJECTION_IN_JOBS value: "false" image: docker.io/securecodebox/operator:0.0.0 imagePullPolicy: IfNotPresent
diff --git a/operator/values.yaml b/operator/values.yaml
index 0decd8417d..acf2feb258 100644
--- a/operator/values.yaml
+++ b/operator/values.yaml
@@ -129,5 +129,5 @@ presignedUrlExpirationTimes: parsers: "1h" hooks: "1h" -# Sets the value of the istio sidecar annotation for jobs: "sidecar.istio.io/inject" -istioInjectJobs: false +# -- Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect. +allowIstioSidecarInjectionInJobs: false