From 09407227c21afcbffcefb3d937646411065874a8 Mon Sep 17 00:00:00 2001 From: anderssonw Date: Mon, 23 Oct 2023 15:05:11 +0200 Subject: [PATCH 1/3] add istio-proxy and allow watching on different label --- .gitignore | 3 +++ src/actions.rs | 6 +++++- src/main.rs | 3 ++- src/pod.rs | 2 +- 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 68211ec..fbc3e84 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,11 @@ /target .idea/ +.vscode .env* # Nix stuff .direnv/ result* + +config.toml \ No newline at end of file diff --git a/src/actions.rs b/src/actions.rs index ec3f267..83ef470 100644 --- a/src/actions.rs +++ b/src/actions.rs @@ -1,6 +1,6 @@ use hyper::http::Method; use hyper::Uri; -use std::{collections::BTreeMap}; +use std::collections::BTreeMap; /// Generate the action `BTreeMap` /// /// Modify this function to add or remove sidecar definitions and their associated shutdown procedures. @@ -18,6 +18,10 @@ pub fn generate() -> BTreeMap { "secure-logs-configmap-reload".into(), Action::Exec("/bin/killall configmap-reload".split(' ').map(String::from).collect()), ), + ( + "istio-proxy".into(), + Action::Portforward(Method::POST, "/quitquitquit".parse::().unwrap(), 15000), + ), ( "linkerd-proxy".into(), Action::Portforward(Method::POST, "/shutdown".parse::().unwrap(), 4191), diff --git a/src/main.rs b/src/main.rs index 687844b..b18dea6 100644 --- a/src/main.rs +++ b/src/main.rs @@ -57,7 +57,8 @@ async fn main() -> anyhow::Result<()> { .unwrap(); }); - Controller::new(pods, watcher::Config::default().labels("nais.io/naisjob=true")) + let label_env = env::var("WATCH_SELECTOR").unwrap_or("nais.io/naisjob=true".to_string()); + Controller::new(pods, watcher::Config::default().labels(&label_env)) .shutdown_on_signal() .run( reconciler::reconcile, diff --git a/src/pod.rs b/src/pod.rs index b886149..65e0fa4 100644 --- a/src/pod.rs +++ b/src/pod.rs 
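Review bot: The new `istio-proxy` entry hard-codes `POST /quitquitquit` on port 15000 with no comment saying which process is expected to answer there; 15000 is conventionally Envoy's admin port, while I believe Istio's pilot-agent serves the same path on its status port (15020 by default) and that is the endpoint Istio's own guidance for Jobs points at, so the choice should be pinned with a comment such as `// Envoy admin endpoint; pilot-agent serves the same path on the status port (15020) — confirm which one terminates the sidecar cleanly here`. The port is also fixed, so a mesh configured with a non-default admin port will simply never have its proxy shut down; that is consistent with the other entries, but now that the table spans two meshes a short note on how to verify the port against the pod spec would help the next reader. `generate()` begins outside this hunk, and whether a failed POST is surfaced or silently skipped depends on the `Portforward` handler, which is not shown.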
@@ -40,7 +40,7 @@ impl Sidecars for Pod { } fn job_name(&self) -> anyhow::Result { - let Some(labels) = &self.metadata.labels else { + let Some(labels) = &self.metadata.labels else { return Err(anyhow!("no labels found on pod")); }; let Some(app_name) = labels.get("app") else { From c5bf714fc19ca584048df30ab2f0024d065c51e1 Mon Sep 17 00:00:00 2001 From: anderssonw Date: Mon, 23 Oct 2023 15:17:35 +0200 Subject: [PATCH 2/3] generify readme Signed-off-by: anderssonw --- README.md | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index c6eea7a..ed435a7 100644 --- a/README.md +++ b/README.md 
@@ -2,21 +2,33 @@ Your leader has been eliminated, it's time for the rest of you to die! -Pods spawned by Naisjobs that also contain sidecars might never run to completion. +Pods that also contain sidecars might never run to completion. That is, unless a particular villain shows up when the main container has died and terminates the others. -## What kind of sidecars can appear alongside my Job? +Hahaha Watches all Pods using a [Label Selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/), which defaults to `nais.io/naisjob="true"`, but this selector may be changed using the `WATCHES_SELECTOR` environment variable. -| name | explanation | -|------|-------------| -| linkerd-proxy | runs if your Naisjob runs in GCP | -| cloudsql-proxy | runs if your Naisjob provisions databases through `spec.gcp.sqlInstances` | -| secure-logs-fluentd | runs if your Naisjob has `spec.secureLogs.enabled` set to `true` | -| secure-logs-configmap-reload | runs if your Naisjob has `spec.secureLogs.enabled` set to `true` | -| vks-sidecar | runs if your Naisjob has `spec.vault.sidecar` set to `true` | +## What kind of sidecars can appear alongside my main container? + +A different number of sidecars may appear alongside your main container. Here is an explanation for a few of them, some NaisJob specific and some generic. 
You can view what HAHAHA tries to do to these sidecars when encountered in [actions.rs](https://github.com/nais/hahaha/blob/main/src/actions.rs#L9-L13) +### NaisJob specific + +| name | explanation | +| ---------------------------- | ------------------------------------------------------------------------- | +| linkerd-proxy | runs if your Naisjob runs in GCP | +| cloudsql-proxy | runs if your Naisjob provisions databases through `spec.gcp.sqlInstances` | +| secure-logs-fluentd | runs if your Naisjob has `spec.secureLogs.enabled` set to `true` | +| secure-logs-configmap-reload | runs if your Naisjob has `spec.secureLogs.enabled` set to `true` | +| vks-sidecar | runs if your Naisjob has `spec.vault.sidecar` set to `true` | + +### Generic + +| name | explanation | +| ----------- | ------------------------------------------------ | +| istio-proxy | used in clusters running with Istio service mesh | + ## Things about development that you might want to know Running HAHAHA's tests should be done by invoking `cargo test -- --test-threads 1`. The reason is that while the Prometheus test generally gets started first, it's usually the last to finish. By limiting the thread count to 1, we'll ensure that it finishes before the other tests run. The other tests are more like integration tests, and also mutate the Prometheus state, which makes it kind of hard to run them in parallel. 
@@ -25,18 +37,20 @@ Running HAHAHA's tests should be done by invoking `cargo test -- --test-threads The image is signed "keylessly" (is that a word?) using [Sigstore cosign](https://github.com/sigstore/cosign). To verify its authenticity run + ``` cosign verify \ ---certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \ +--certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ europe-north1-docker.pkg.dev/nais-io/nais/images/hahaha@sha256: ``` The images are also attested with SBOMs in the [CycloneDX](https://cyclonedx.org/) format. You can verify these by running + ``` cosign verify-attestation --type cyclonedx \ ---certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \ +--certificate-identity "https://github.com/nais/hahaha/.github/workflows/build_and_push_image.yaml@refs/heads/main" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ europe-north1-docker.pkg.dev/nais-io/nais/images/hahaha@sha256: ``` From 5d13cf2322ea636e3d3f3d83cdccc7e93cf09641 Mon Sep 17 00:00:00 2001 From: anderssonw Date: Mon, 23 Oct 2023 15:18:55 +0200 Subject: [PATCH 3/3] keep config/environment in one place Signed-off-by: anderssonw --- src/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main.rs b/src/main.rs index b18dea6..61fd270 100644 --- a/src/main.rs +++ b/src/main.rs @@ -36,6 +36,8 @@ async fn main() -> anyhow::Result<()> { .with(format_layer) .init(); + let label_env = env::var("WATCH_SELECTOR").unwrap_or("nais.io/naisjob=true".to_string()); + let actions = actions::generate(); let client = Client::try_default().await?; 
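Review bot: `WATCH_SELECTOR` is read with `unwrap_or`, so an empty value (`WATCH_SELECTOR=`) produces an empty label selector, which the Kubernetes API treats as "match everything" and would likely turn this controller loose on every pod it can see, while a malformed selector only fails later inside the watcher. I would reject the empty case before the controller starts, e.g. `let label_env = env::var("WATCH_SELECTOR").unwrap_or_else(|_| "nais.io/naisjob=true".to_string());` followed by `anyhow::ensure!(!label_env.trim().is_empty(), "WATCH_SELECTOR must not be empty");`, and log the effective selector at startup so operators can see what is being watched. Note also that the README in patch 2 documents the variable as `WATCHES_SELECTOR` and writes the default as `nais.io/naisjob="true"` (with quotes), neither of which matches the code here. `main()` begins and ends outside this hunk.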
@@ -57,7 +59,6 @@ async fn main() -> anyhow::Result<()> { .unwrap(); }); - let label_env = env::var("WATCH_SELECTOR").unwrap_or("nais.io/naisjob=true".to_string()); Controller::new(pods, watcher::Config::default().labels(&label_env)) .shutdown_on_signal() .run(