fix: working example of istio native sidecars

defenseunicorns · Nov 18, 2024 · 2563b11 · 2563b11
1 parent 48cc74e
commit 2563b11
Showing 1 changed file with 63 additions and 30 deletions.
diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts
@@ -13,6 +13,7 @@ const log = setupLogger(Component.OPERATOR_ISTIO);
 
 const injectionLabel = "istio-injection";
 const injectionAnnotation = "uds.dev/original-istio-injection";
+const nativeIstioAnnotation = "uds.dev/native-istio-migrated";
 
 /**
  * Syncs the package namespace istio-injection label and adds a label for the package name
@@ -29,40 +30,61 @@ export async function enableInjection(pkg: UDSPackage) {
   const originalInjectionLabel = labels[injectionLabel];
   const annotations = sourceNS.metadata?.annotations || {};
   const pkgKey = `uds.dev/pkg-${pkg.metadata.name}`;
+  const hasMigrationAnnotation = annotations[nativeIstioAnnotation] === "true";
 
   // Mark the original namespace injection setting for if all packages are removed
   if (!annotations[injectionAnnotation]) {
     annotations[injectionAnnotation] = originalInjectionLabel || "non-existent";
   }
 
-  // Ensure the namespace is configured
-  if (!annotations[pkgKey] || originalInjectionLabel !== "enabled") {
-    // Ensure Istio injection is enabled
+  let shouldRestartPods = false;
+
+  // Ensure native Istio migration annotation is present
+  if (!hasMigrationAnnotation) {
+    annotations[nativeIstioAnnotation] = "true";
+    log.info(`Adding native Istio migration annotation to namespace ${pkg.metadata.namespace}.`);
+    shouldRestartPods = true; // Pods need restarting for migration
+  }
+
+  // Ensure Istio injection is enabled
+  if (originalInjectionLabel !== "enabled") {
     labels[injectionLabel] = "enabled";
+    log.info(`Enabling Istio injection for namespace ${pkg.metadata.namespace}.`);
+    shouldRestartPods = true; // Pods need restarting due to label change
+  }
 
-    // Add the package annotation
+  // Ensure package-specific annotation is updated
+  if (annotations[pkgKey] !== "true") {
     annotations[pkgKey] = "true";
-
-    // Apply the updated Namespace
-    log.debug(`Updating namespace ${pkg.metadata.namespace} with istio injection label`);
-    await K8s(kind.Namespace).Apply(
-      {
-        metadata: {
-          name: pkg.metadata.namespace,
-          labels,
-          annotations,
-        },
-      },
-      { force: true },
+    log.info(
+      `Updating package-specific annotation for ${pkg.metadata.name} in namespace ${pkg.metadata.namespace}.`,
     );
+    shouldRestartPods = true; // Pods need restarting due to package change
+  }
 
-    // Kill the pods if we changed the value of the istio-injection label
-    if (originalInjectionLabel !== labels[injectionLabel]) {
-      log.debug(
-        `Attempting pod restart in ${pkg.metadata.namespace} based on istio injection label change`,
-      );
-      await killPods(pkg.metadata.namespace, true);
-    }
+  // Apply namespace updates if there are changes
+  const updatedNamespace = {
+    metadata: {
+      name: pkg.metadata.namespace,
+      labels,
+      annotations,
+    },
+  };
+
+  if (
+    JSON.stringify(sourceNS.metadata?.labels) !== JSON.stringify(labels) ||
+    JSON.stringify(sourceNS.metadata?.annotations) !== JSON.stringify(annotations)
+  ) {
+    log.debug(`Applying updates to namespace ${pkg.metadata.namespace}.`);
+    await K8s(kind.Namespace).Apply(updatedNamespace, { force: true });
+  } else {
+    log.debug(`No namespace updates needed for ${pkg.metadata.namespace}.`);
+  }
+
+  // Restart pods if required
+  if (shouldRestartPods) {
+    log.debug(`Restarting pods in ${pkg.metadata.namespace} due to configuration changes.`);
+    await killPods(pkg.metadata.namespace, true);
   }
 }
 
@@ -119,8 +141,8 @@ export async function cleanupNamespace(pkg: UDSPackage) {
 /**
  * Forces deletion of pods with the incorrect istio sidecar state
  *
- * @param ns
- * @param enableInjection
+ * @param ns The namespace to target
+ * @param enableInjection Whether injection is being enabled
  */
 async function killPods(ns: string, enableInjection: boolean) {
   // Get all pods in the namespace
@@ -135,12 +157,23 @@ async function killPods(ns: string, enableInjection: boolean) {
       continue;
     }
 
-    const foundSidecar = pod.spec?.containers?.find(c => c.name === "istio-proxy");
+    // Detect Istio sidecars using container names
+    const foundSidecar =
+      pod.spec?.containers?.some(c => c.name === "istio-proxy") ||
+      pod.spec?.initContainers?.some(c => c.name === "istio-init");
 
-    // If enabling injection, ignore pods that already have the istio sidecar
-    if (enableInjection && foundSidecar) {
-      log.debug(`Ignoring Pod ${ns}/${pod.metadata?.name}, already has sidecar`);
-      continue;
+    log.debug(
+      `Pod ${ns}/${pod.metadata?.name} - enableInjection: ${enableInjection}, hasIstioProxy: ${!!foundSidecar}`,
+    );
+
+    if (enableInjection) {
+      if (foundSidecar) {
+        log.info(
+          `Marking Pod ${ns}/${pod.metadata?.name} for deletion to reconcile Istio sidecars.`,
+        );
+      } else {
+        log.info(`Marking Pod ${ns}/${pod.metadata?.name} for deletion to inject Istio sidecars.`);
+      }
     }
 
     // If disabling injection, ignore pods that don't have the istio sidecar