diff --git a/.circleci/config.yml b/.circleci/config.yml
index 5e104fc75e..3ad64ce37f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -70,7 +70,7 @@ commands:
 type: string
 consul-k8s-image:
 type: string
- default: "ndhanushkodi/consul-k8s-dev:multiport22"
+ default: "ndhanushkodi/consul-k8s-dev:multiport24"
 go-path:
 type: string
 default: "/home/circleci/.go_workspace"
diff --git a/control-plane/connect-inject/container_init.go b/control-plane/connect-inject/container_init.go
index e0c9296f7d..c575d43148 100644
--- a/control-plane/connect-inject/container_init.go
+++ b/control-plane/connect-inject/container_init.go
@@ -73,10 +73,17 @@ type initContainerCommandData struct {
 // ConsulDNSClusterIP is the IP of the Consul DNS Service.
 ConsulDNSClusterIP string
- MultiPort bool
- EnvoyAdminPort int
- EnvoyAddressPort int
- BearerTokenFile string
+ // MultiPort determines whether this is a multi port Pod, which configures the init container to be specific to one
+ // of the services on the multi port Pod.
+ MultiPort bool
+
+ // EnvoyAdminPort configures the admin port of the Envoy sidecar. This will be unique per service in a multi port
+ // Pod.
+ EnvoyAdminPort int
+
+ // BearerTokenFile configures where the service account token can be found. This will be unique per service in a
+ // multi port Pod.
+ BearerTokenFile string
 }
 // initCopyContainer returns the init container spec for the copy container which places
diff --git a/control-plane/connect-inject/handler.go b/control-plane/connect-inject/handler.go
index b5b8b45ce8..6e454557c0 100644
--- a/control-plane/connect-inject/handler.go
+++ b/control-plane/connect-inject/handler.go
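Review bot: Dropping `EnvoyAddressPort` from `initContainerCommandData` is only safe if nothing still refers to it by name. The struct name suggests it is the data for a rendered command template, and a `text/template` reference to a removed field fails when the template is executed, not when the package compiles. The template and the code that fills this struct are outside the hunk, so this cannot be confirmed here; a test that renders the init command for a multi port Pod would catch it. The new `BearerTokenFile` comment could also say what an empty value means for a single port Pod, for example `// Empty for single port Pods, where the pod's own service account token is used.`, if that is the behaviour.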
@@ -237,7 +237,7 @@ func (h *Handler) Handle(ctx context.Context, req admission.Request) admission.R
 multiPort := len(annotatedSvcNames) > 1
 // For single port pods, add the single init container and envoy sidecar.
- if len(annotatedSvcNames) == 0 || len(annotatedSvcNames) == 1 {
+ if !multiPort {
 // Add the init container that registers the service and sets up the Envoy configuration.
 initContainer, err := h.containerInit(*ns, pod, multiPortInfo{})
 if err != nil {
@@ -253,15 +253,14 @@ func (h *Handler) Handle(ctx context.Context, req admission.Request) admission.R
 return admission.Errored(http.StatusInternalServerError, fmt.Errorf("error configuring injection sidecar container: %s", err))
 }
 pod.Spec.Containers = append(pod.Spec.Containers, envoySidecar)
- }
+ } else {
+ // For multi port pods, check for unsupported cases, mount all relevant service account tokens, and mount an init
+ // container and envoy sidecar per port. Tproxy, metrics, and metrics merging are not supported for multi port pods.
+ // In a single port pod, the service account specified in the pod is sufficient for mounting the service account
+ // token to the pod. In a multi port pod, where multiple services are registered with Consul, we also require a
+ // service account per service. So, this will look for service accounts whose name matches the service and mount
+ // those tokens if not already specified via the pod's serviceAccountName.
- // For multi port pods, check for unsupported cases, mount all relevant service account tokens, and mount an init
- // container and envoy sidecar per port. Tproxy, metrics, and metrics merging are not supported for multi port pods.
- // In a single port pod, the service account specified in the pod is sufficient for mounting the service account
- // token to the pod. In a multi port pod, where multiple services are registered with Consul, we also require a
- // service account per service. So, this will look for service accounts whose name matches the service and mount
- // those tokens if not already specified via the pod's serviceAccountName.
- if multiPort {
 h.Log.Info("processing multiport pod")
 err := h.checkUnsupportedMultiPortCases(*ns, pod)
 if err != nil {
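Review bot: The comment now at the top of the `else` branch says tokens are mounted for service accounts whose name matches each service, but it does not say how that lookup is bounded, and the service names appear to come from the Pod's own annotations (`annotatedSvcNames`). It is worth stating the invariant in the comment, for example `// Only service accounts in the pod's namespace are matched; a missing one fails admission.`, if that is what the code below does. The lookup itself is outside this hunk, so this is a request to document the boundary, not a claim that it is violated. Handle's body starts and ends outside the hunk.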