Merge pull request #13 from anderssonw/istio-proxy-sidecar

Add istio-proxy and allow watching on different label

.gitignore

@@ -1,8 +1,11 @@
 /target
 .idea/
+.vscode
 
 .env*
 
 # Nix stuff
 .direnv/
 result*
+
+config.toml

README.md

@@ -2,21 +2,33 @@
 
 Your leader has been eliminated, it's time for the rest of you to die!
 
-Pods spawned by Naisjobs that also contain sidecars might never run to completion.
+Pods that also contain sidecars might never run to completion.
 That is, unless a particular villain shows up when the main container has died and terminates the others.
 
-## What kind of sidecars can appear alongside my Job?
+Hahaha Watches all Pods using a [Label Selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/), which defaults to `nais.io/naisjob="true"`, but this selector may be changed using the `WATCHES_SELECTOR` environment variable.
 
-| name | explanation |
-|------|-------------|
-| linkerd-proxy | runs if your Naisjob runs in GCP | 
-| cloudsql-proxy | runs if your Naisjob provisions databases through `spec.gcp.sqlInstances` |
-| secure-logs-fluentd | runs if your Naisjob has `spec.secureLogs.enabled` set to `true` |
-| secure-logs-configmap-reload | runs if your Naisjob has `spec.secureLogs.enabled` set to `true` |
-| vks-sidecar | runs if your Naisjob has `spec.vault.sidecar` set to `true` |
+## What kind of sidecars can appear alongside my main container?
+
+A different number of sidecars may appear alongside your main container. Here is an explanation for a few of them, some NaisJob specific and some generic.
 
 You can view what HAHAHA tries to do to these sidecars when encountered in [actions.rs](https://github.com/nais/hahaha/blob/main/src/actions.rs#L9-L13)
 
+### NaisJob specific
+
+| name                         | explanation                                                               |
+| ---------------------------- | ------------------------------------------------------------------------- |
+| linkerd-proxy                | runs if your Naisjob runs in GCP                                          |
+| cloudsql-proxy               | runs if your Naisjob provisions databases through `spec.gcp.sqlInstances` |
+| secure-logs-fluentd          | runs if your Naisjob has `spec.secureLogs.enabled` set to `true`          |
+| secure-logs-configmap-reload | runs if your Naisjob has `spec.secureLogs.enabled` set to `true`          |
+| vks-sidecar                  | runs if your Naisjob has `spec.vault.sidecar` set to `true`               |
+
+### Generic
+
+| name        | explanation                                      |
+| ----------- | ------------------------------------------------ |
+| istio-proxy | used in clusters running with Istio service mesh |
+
 ## Things about development that you might want to know
 
 Running HAHAHA's tests should be done by invoking `cargo test -- --test-threads 1`. The reason is that while the Prometheus test generally gets started first, it's usually the last to finish. By limiting the thread count to 1, we'll ensure that it finishes before the other tests run. The other tests are more like integration tests, and also mutate the Prometheus state, which makes it kind of hard to run them in parallel.
@@ -25,18 +37,20 @@ Running HAHAHA's tests should be done by invoking `cargo test -- --test-threads
 
 The image is signed "keylessly" (is that a word?) using [Sigstore cosign](https://github.com/sigstore/cosign).
 To verify its authenticity run
+
 ```
 cosign verify \
---certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \ 
+--certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
 europe-north1-docker.pkg.dev/nais-io/nais/images/hahaha@sha256:<shasum>
 ```
 
 The images are also attested with SBOMs in the [CycloneDX](https://cyclonedx.org/) format.
 You can verify these by running
+
 ```
 cosign verify-attestation --type cyclonedx  \
---certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \ 
+--certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
 europe-north1-docker.pkg.dev/nais-io/nais/images/hahaha@sha256:<shasum>
 ```

src/actions.rs

@@ -1,6 +1,6 @@
 use hyper::http::Method;
 use hyper::Uri;
-use std::{collections::BTreeMap};
+use std::collections::BTreeMap;
 /// Generate the action `BTreeMap`
 ///
 /// Modify this function to add or remove sidecar definitions and their associated shutdown procedures.
@@ -18,6 +18,10 @@ pub fn generate() -> BTreeMap<String, Action> {
             "secure-logs-configmap-reload".into(),
             Action::Exec("/bin/killall configmap-reload".split(' ').map(String::from).collect()),
         ),
+        (
+            "istio-proxy".into(),
+            Action::Portforward(Method::POST, "/quitquitquit".parse::<Uri>().unwrap(), 15000),
+        ),
         (
             "linkerd-proxy".into(),
             Action::Portforward(Method::POST, "/shutdown".parse::<Uri>().unwrap(), 4191),

src/main.rs

@@ -36,6 +36,8 @@ async fn main() -> anyhow::Result<()> {
         .with(format_layer)
         .init();
 
+    let label_env = env::var("WATCH_SELECTOR").unwrap_or("nais.io/naisjob=true".to_string());
+
     let actions = actions::generate();
     let client = Client::try_default().await?;
 
@@ -57,7 +59,7 @@ async fn main() -> anyhow::Result<()> {
             .unwrap();
     });
 
-    Controller::new(pods, watcher::Config::default().labels("nais.io/naisjob=true"))
+    Controller::new(pods, watcher::Config::default().labels(&label_env))
         .shutdown_on_signal()
         .run(
             reconciler::reconcile,

src/pod.rs

@@ -40,7 +40,7 @@ impl Sidecars for Pod {
     }
 
     fn job_name(&self) -> anyhow::Result<String> {
-        let Some(labels) =  &self.metadata.labels else {
+        let Some(labels) = &self.metadata.labels else {
             return Err(anyhow!("no labels found on pod"));
         };
         let Some(app_name) = labels.get("app") else {