-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support to control/toggle SDS per VirtualNode #418
Conversation
|
||
func isSDSDisabled(pod *corev1.Pod) bool { | ||
if v, ok := pod.ObjectMeta.Annotations[AppMeshSDSAnnotation]; ok { | ||
if v == "disabled" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's log a warning when user configures an unsupported value like "enabled"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, good point.
pkg/inject/utils.go
Outdated
func mutateSDSMounts(pod *corev1.Pod, envoyContainer *corev1.Container, SdsUdsPath string) { | ||
SDSVolumeType := corev1.HostPathSocket | ||
volume := corev1.Volume{ | ||
Name: "sds-socket-volume", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: prefix the name with "appmesh" so the name is not super generic and can be identified for debugging etc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, will change it.
envoyContainer.VolumeMounts = append(envoyContainer.VolumeMounts, volumeMount) | ||
pod.Spec.Volumes = append(pod.Spec.Volumes, volume) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To make sure this is idempotent, if a volume is already there, we should not append it again
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, for VirtualGateway scenario. We can do a name based match to make sure we don't already have an existing volume.
@@ -128,6 +128,9 @@ func (m *virtualGatewayEnvoyConfig) buildTemplateVariables(pod *corev1.Pod) Virt | |||
meshName := m.getAugmentedMeshName() | |||
virtualGatewayName := aws.StringValue(m.vg.Spec.AWSName) | |||
preview := m.getPreview(pod) | |||
if m.mutatorConfig.enableSDS && isSDSDisabled(pod) { | |||
m.mutatorConfig.enableSDS = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This reads a bit off changing state of m.mutatorConfig.enableSDS
for the entire package. i.e. it leaks the bounds of this specific function. It is better to use separate function local variable that is passed as a value of EnableSDS
in VirtualGatewayEnvoyVariables
Same applies to the change in envoy.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This setting is per Pod (i.e.,) inject config is populated with defaults per pod and we want to toggle the SDS support for Pod level anyways.
* [Preview] App Mesh mTLS support (#394) * App Mesh mTLS support * Additional UT cases * mTLS - SDS based e2e integration tests (#404) * Support to control/toggle SDS per VirtualNode (#418) * Support to control/toggle SDS per VirtualNode * Addressed CR comments * Add a log for unsupported annotation values * Revert CertManager API version changes until CI scripts are updated * Disable Preview Mode * Move master to Preview Mode * Set default envoy image to v1.16.1.0-prod
[Preview] App Mesh mTLS support (aws#394) * App Mesh mTLS support * Additional UT cases Support to control/toggle SDS per VirtualNode (aws#418) * Support to control/toggle SDS per VirtualNode * Addressed CR comments * Add a log for unsupported annotation values Updated VirtualGateway CRD to support gatewayRouteSelector GatewayRoute changes Added Test case for gateway_validator Update to gatewayroute test case Added matching based on path and query parameters in Route CRD Added path rewrite changes to Gateway Route CRDs Updated 1. gatewayroute_type and virtualrouter_type changes 2. CRD conversion Changes for gatewayroute and virtualrouter 3. Validator changes for gatewayroute Added Rewrite changes to GatewayRoute CRD Added Conversion code for CRD to SDK Added Validation logic for Rewrite Added Validation Tests Added Conversion Tests Fixed race condition test (aws#457) Fixed typos in comments (aws#461) Updated LiveDocs for VGW section (aws#454) Update docs for vgw (aws#467) * Updated LiveDocs for sidecar Injection in VGW section * Added a new section for VGW CRD in LiveDocs reference * Updated Docs to explain the association of VGW and GWRoutes * Updated Live Docs for VGW * minor change Co-authored-by: Chinmay Gadgil <cgadgil@amazon.com> Added a new GatewayRoute selector optional field to VirtualGateway (aws#464) * Added a new GatewayRoute selector optional field to VirtualGateway Updated membership_designator logic for GatewayRoute to VirtualGateway * Select only those virtualGateways which have matching gatewayRoute selector if specified * Updated Logic for GatewayRoute Selector * Updated logic in membership_designator and added test cases * Addressed PR comments * Updated error Message to include gatewayroute name if we cannot find any matching virtualgateways. * Updated CRD for VirtualGateway * Undo crd changes as these must be sent to a preview branch for 1.4.0 release * Added VGW CRD changes Co-authored-by: Chinmay Gadgil <cgadgil@amazon.com> Update jaegar tracing Envoy config to v3 API (aws#468) Added validation logic Updated Test files Changes tested with gamma endpoint Use camel casing for field names instead of underscores reverted go.mod changes Updated CRD's , fixed naming revert go.sum changes Changes to troubleshooting guide Changed HTTPathMatch to a pointer in HTTPRouteMatch GatewayRoute association readme changes Updated Validation logic for Header match filters Reverted header match empty validation of GatewayRoute
Issue #, if available:
NA
Description of changes:
Ability to enable SDS based mTLS is currently a controller level flag. This PR, adds support to disable SDS @ VirtualNode level via an annotation on the corresponding deployment spec. AppMesh, currently bootstraps a static SDS cluster purely based on the presence of an environment variable (and not dynamically based on the presence of mTLS SDS config) and this change will help avoid it at the controller level.
If SDS is enabled via the controller flag(and SDS UDS path specified), controller will populate the "APPMESH_SDS_SOCKET_PATH" env variable and mount the UDS in to Envoy. To disable this @ VirtualNode level, one can use annotation "appmesh.k8s.aws/sds" set to disabled on the corresponding deployment spec.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.