From 2ab51ed5a049ebf1723e525d2d7e6a262a9cc51f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Dec 2024 20:29:06 +0200
Subject: [PATCH 1/4] chore(deps): bump golang.org/x/crypto from 0.25.0 to
0.31.0 in /frontend (#2045)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.25.0 to 0.31.0.
Commits
b4f1988
ssh: make the public key cache a 1-entry FIFO cache
7042ebc
openpgp/clearsign: just use rand.Reader in tests
3e90321
go.mod: update golang.org/x dependencies
8c4e668
x509roots/fallback: update bundle
6018723
go.mod: update golang.org/x dependencies
71ed71b
README: don't recommend go get
750a45f
sha3: add MarshalBinary, AppendBinary, and UnmarshalBinary
36b1725
sha3: avoid trailing permutation
80ea76e
sha3: fix padding for long cSHAKE parameters
c17aa50
sha3: avoid buffer copy
- Additional commits viewable in compare
view
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.25.0&new-version=0.31.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/odigos-io/odigos/network/alerts).
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
frontend/go.mod | 10 +++++-----
frontend/go.sum | 20 ++++++++++----------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/frontend/go.mod b/frontend/go.mod
index 9076933b6..13a1258e5 100644
--- a/frontend/go.mod
+++ b/frontend/go.mod
@@ -21,7 +21,7 @@ require (
go.opentelemetry.io/collector/pdata v1.12.0
go.opentelemetry.io/collector/receiver/otlpreceiver v0.106.1
go.opentelemetry.io/otel v1.29.0
- golang.org/x/sync v0.7.0
+ golang.org/x/sync v0.10.0
k8s.io/api v0.31.0
k8s.io/apimachinery v0.31.0
k8s.io/client-go v0.31.0
@@ -132,12 +132,12 @@ require (
go.opentelemetry.io/collector/pdata/pprofile v0.106.1 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
golang.org/x/arch v0.3.0 // indirect
- golang.org/x/crypto v0.25.0 // indirect
+ golang.org/x/crypto v0.31.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/oauth2 v0.21.0 // indirect
- golang.org/x/sys v0.22.0 // indirect
- golang.org/x/term v0.22.0 // indirect
- golang.org/x/text v0.16.0 // indirect
+ golang.org/x/sys v0.28.0 // indirect
+ golang.org/x/term v0.27.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/protobuf v1.34.2 // indirect
diff --git a/frontend/go.sum b/frontend/go.sum
index a6ed52ff1..7ae38cb33 100644
--- a/frontend/go.sum
+++ b/frontend/go.sum
@@ -338,8 +338,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc h1:mCRnTeVUjcrhlRmO0VK8a6k6Rrf6TF9htwo2pJVSjIU=
golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -356,8 +356,8 @@ golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -368,16 +368,16 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
-golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
From 5f3b442f06c227a89dde596d72b1e57cf651dc10 Mon Sep 17 00:00:00 2001
From: Amir Blum
Date: Sat, 21 Dec 2024 09:53:44 +0200
Subject: [PATCH 2/4] chore: narrow RBAC permissions for instrumentor (#2042)
- move things we use only in namespace from clusterrole to role.
- reduce permission we don't need
- remove permissions we don't use
- sync controller-runtime cache with these changes.
This PR only touches the permissions; there are further opportunities for
improvement, but they are outside the scope of this PR.
---
cli/cmd/resources/instrumentor.go | 218 +++++++++---------
.../templates/instrumentor/clusterrole.yaml | 79 +++----
helm/odigos/templates/instrumentor/role.yaml | 48 ++++
.../templates/instrumentor/rolebinding.yaml | 12 +
instrumentor/main.go | 22 +-
5 files changed, 214 insertions(+), 165 deletions(-)
create mode 100644 helm/odigos/templates/instrumentor/role.yaml
create mode 100644 helm/odigos/templates/instrumentor/rolebinding.yaml
diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go
index e2e972306..89e3c7d8e 100644
--- a/cli/cmd/resources/instrumentor.go
+++ b/cli/cmd/resources/instrumentor.go
@@ -23,12 +23,20 @@ import (
)
const (
- InstrumentorServiceName = "instrumentor"
- InstrumentorDeploymentName = "odigos-instrumentor"
- InstrumentorAppLabelValue = "odigos-instrumentor"
- InstrumentorContainerName = "manager"
- InstrumentorWebhookSecretName = "instrumentor-webhook-cert"
- InstrumentorWebhookVolumeName = "webhook-cert"
+ InstrumentorOtelServiceName = "instrumentor"
+ InstrumentorDeploymentName = "odigos-instrumentor"
+ InstrumentorAppLabelValue = InstrumentorDeploymentName
+ InstrumentorServiceName = InstrumentorDeploymentName
+ InstrumentorServiceAccountName = InstrumentorDeploymentName
+ InstrumentorRoleName = InstrumentorDeploymentName
+ InstrumentorRoleBindingName = InstrumentorDeploymentName
+ InstrumentorClusterRoleName = InstrumentorDeploymentName
+ InstrumentorClusterRoleBindingName = InstrumentorDeploymentName
+ InstrumentorCertificateName = InstrumentorDeploymentName
+ InstrumentorMutatingWebhookName = "mutating-webhook-configuration"
+ InstrumentorContainerName = "manager"
+ InstrumentorWebhookSecretName = "instrumentor-webhook-cert"
+ InstrumentorWebhookVolumeName = "webhook-cert"
)
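Review bot: `InstrumentorServiceName` keeps its exported name but its value changes from `"instrumentor"` to `"odigos-instrumentor"`, so any reference outside this patch that still expects the OTel service name will silently get the Kubernetes Service name instead. The uses visible in this patch are updated (`OTEL_SERVICE_NAME` now reads `InstrumentorOtelServiceName`), but other packages are not shown and should be checked before merging. A comment on the const block would make the split explicit, e.g. `// InstrumentorOtelServiceName is the OTEL_SERVICE_NAME value; InstrumentorServiceName is the name of the Kubernetes Service object.`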
func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount {
@@ -38,7 +46,7 @@ func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount {
APIVersion: "v1",
},
ObjectMeta: metav1.ObjectMeta{
- Name: InstrumentorDeploymentName,
+ Name: InstrumentorServiceAccountName,
Namespace: ns,
},
}
@@ -57,7 +65,7 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding {
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
- Name: "odigos-instrumentor",
+ Name: InstrumentorServiceAccountName,
},
},
RoleRef: rbacv1.RoleRef{
@@ -68,6 +76,71 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding {
}
}
+func NewInstrumentorRole(ns string) *rbacv1.Role {
+ return &rbacv1.Role{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Role",
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: InstrumentorRoleName,
+ Namespace: ns,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"configmaps"},
+ ResourceNames: []string{"odigos-config"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"odigos.io"},
+ Resources: []string{"collectorsgroups"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"odigos.io"},
+ Resources: []string{"collectorsgroups/status"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ { // Needed for odigos own telemetry events reporting. Consider moving to scheduler
+ APIGroups: []string{"odigos.io"},
+ Resources: []string{"destinations"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"odigos.io"},
+ Resources: []string{"instrumentationrules"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ },
+ }
+}
+
+func NewInstrumentorRoleBinding(ns string) *rbacv1.RoleBinding {
+ return &rbacv1.RoleBinding{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "RoleBinding",
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: InstrumentorRoleBindingName,
+ Namespace: ns,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: InstrumentorServiceAccountName,
+ },
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: InstrumentorRoleName,
+ },
+ }
+}
+
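Review bot: The configmaps rule in `NewInstrumentorRole` hard-codes `"odigos-config"` in `ResourceNames`, while the cache selector added in instrumentor/main.go is built from `consts.OdigosConfigurationName`. With `resourceNames` set, RBAC only authorises `list` and `watch` requests that carry a matching `metadata.name` field selector, so if the two values ever drift the informer's requests are denied. Tie them together with `ResourceNames: []string{consts.OdigosConfigurationName},`. The same literal appears in helm/odigos/templates/instrumentor/role.yaml, where a comment such as `# must equal consts.OdigosConfigurationName` would record the dependency.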
func NewInstrumentorClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
@@ -75,124 +148,49 @@ func NewInstrumentorClusterRole() *rbacv1.ClusterRole {
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
- Name: "odigos-instrumentor",
+ Name: InstrumentorClusterRoleName,
},
Rules: []rbacv1.PolicyRule{
- {
+ { // Used in events reporting for own telemetry
APIGroups: []string{""},
Resources: []string{"nodes"},
Verbs: []string{"list", "watch", "get"},
},
- {
+ { // Read instrumentation labels from namespaces
APIGroups: []string{""},
Resources: []string{"namespaces"},
Verbs: []string{"list", "watch", "get"},
},
- {
- APIGroups: []string{""},
- Resources: []string{"configmaps"},
- Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
- },
- {
+ { // Read instrumentation labels from daemonsets and apply pod spec changes
APIGroups: []string{"apps"},
Resources: []string{"daemonsets"},
- Verbs: []string{"create", "get", "list", "patch", "update", "watch"},
- },
- {
- APIGroups: []string{"apps"},
- Resources: []string{"daemonsets/finalizers"},
- Verbs: []string{"update"},
+ Verbs: []string{"get", "list", "watch", "update", "patch"},
},
- {
- APIGroups: []string{"apps"},
- Resources: []string{"daemonsets/status"},
- Verbs: []string{"get"},
- },
- {
+ { // Read instrumentation labels from deployments and apply pod spec changes
APIGroups: []string{"apps"},
Resources: []string{"deployments"},
- Verbs: []string{"create", "get", "list", "patch", "update", "watch"},
+ Verbs: []string{"get", "list", "watch", "update", "patch"},
},
- {
- APIGroups: []string{"apps"},
- Resources: []string{"deployments/finalizers"},
- Verbs: []string{"update"},
- },
- {
- APIGroups: []string{"apps"},
- Resources: []string{"deployments/status"},
- Verbs: []string{"get"},
- },
- {
+ { // Read instrumentation labels from statefulsets and apply pod spec changes
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
- Verbs: []string{"create", "get", "list", "patch", "update", "watch"},
- },
- {
- APIGroups: []string{"apps"},
- Resources: []string{"statefulsets/finalizers"},
- Verbs: []string{"update"},
- },
- {
- APIGroups: []string{"apps"},
- Resources: []string{"statefulsets/status"},
- Verbs: []string{"get"},
- },
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"collectorsgroups"},
- Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
- },
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"collectorsgroups/finalizers"},
- Verbs: []string{"update"},
+ Verbs: []string{"get", "list", "watch", "update", "patch"},
},
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"collectorsgroups/status"},
- Verbs: []string{"get", "patch", "update"},
- },
- {
+ { // React to runtime detection in user workloads in all namespaces
APIGroups: []string{"odigos.io"},
Resources: []string{"instrumentedapplications"},
- Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+ Verbs: []string{"delete", "get", "list", "watch"},
},
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"instrumentedapplications/finalizers"},
- Verbs: []string{"update"},
- },
- {
+ { // Update the status of the instrumented applications after device injection
APIGroups: []string{"odigos.io"},
Resources: []string{"instrumentedapplications/status"},
Verbs: []string{"get", "patch", "update"},
},
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"destinations"},
- Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
- },
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"destinations/finalizers"},
- Verbs: []string{"update"},
- },
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"destinations/status"},
- Verbs: []string{"get", "patch", "update"},
- },
{
APIGroups: []string{"odigos.io"},
Resources: []string{"instrumentationconfigs"},
Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
},
- {
- APIGroups: []string{"odigos.io"},
- Resources: []string{"instrumentationrules"},
- Verbs: []string{"get", "list", "watch"},
- },
},
}
}
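Review bot: The `instrumentationconfigs` rule is the only one in the narrowed ClusterRole left without a justification comment, and it still grants all seven verbs cluster-wide. Either trim it to the verbs the controllers actually call, or document why the full set is needed, e.g. `{ // Create, update and delete InstrumentationConfig objects for workloads in all namespaces`. The same rule is carried unchanged in helm/odigos/templates/instrumentor/clusterrole.yaml, which has none of the per-rule comments added here. Separately, every `*/finalizers` rule is dropped: if the instrumentor sets owner references with `blockOwnerDeletion` on these kinds (not visible in this patch), clusters that enforce the OwnerReferencesPermissionEnforcement admission plugin would reject those writes, so that path is worth testing.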
@@ -204,19 +202,19 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
- Name: "odigos-instrumentor",
+ Name: InstrumentorClusterRoleBindingName,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
- Name: "odigos-instrumentor",
+ Name: InstrumentorServiceAccountName,
Namespace: ns,
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
- Name: "odigos-instrumentor",
+ Name: InstrumentorClusterRoleName,
},
}
}
@@ -294,7 +292,7 @@ func NewInstrumentorService(ns string) *corev1.Service {
APIVersion: "v1",
},
ObjectMeta: metav1.ObjectMeta{
- Name: "odigos-instrumentor",
+ Name: InstrumentorServiceName,
Namespace: ns,
},
Spec: corev1.ServiceSpec{
@@ -319,10 +317,10 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis
APIVersion: "admissionregistration.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
- Name: "mutating-webhook-configuration",
+ Name: InstrumentorMutatingWebhookName,
Labels: map[string]string{
"app.kubernetes.io/name": "pod-mutating-webhook",
- "app.kubernetes.io/instance": "mutating-webhook-configuration",
+ "app.kubernetes.io/instance": InstrumentorMutatingWebhookName,
"app.kubernetes.io/component": "webhook",
"app.kubernetes.io/created-by": "instrumentor",
"app.kubernetes.io/part-of": "odigos",
@@ -333,7 +331,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis
Name: "pod-mutating-webhook.odigos.io",
ClientConfig: admissionregistrationv1.WebhookClientConfig{
Service: &admissionregistrationv1.ServiceReference{
- Name: "odigos-instrumentor",
+ Name: InstrumentorServiceName,
Namespace: ns,
Path: ptrString("/mutate--v1-pod"),
Port: intPtr(9443),
@@ -359,7 +357,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis
TimeoutSeconds: intPtr(10),
ObjectSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
- "odigos.io/inject-instrumentation": "true",
+ consts.OdigosInjectInstrumentationLabel: "true",
},
},
AdmissionReviewVersions: []string{
@@ -425,7 +423,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool,
APIVersion: "apps/v1",
},
ObjectMeta: metav1.ObjectMeta{
- Name: "odigos-instrumentor",
+ Name: InstrumentorDeploymentName,
Namespace: ns,
Labels: map[string]string{
"app.kubernetes.io/name": InstrumentorAppLabelValue,
@@ -459,7 +457,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool,
Env: []corev1.EnvVar{
{
Name: "OTEL_SERVICE_NAME",
- Value: InstrumentorServiceName,
+ Value: InstrumentorOtelServiceName,
},
{
Name: "CURRENT_NS",
@@ -531,7 +529,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool,
},
},
TerminationGracePeriodSeconds: ptrint64(10),
- ServiceAccountName: "odigos-instrumentor",
+ ServiceAccountName: InstrumentorServiceAccountName,
SecurityContext: &corev1.PodSecurityContext{
RunAsNonRoot: ptrbool(true),
},
@@ -591,6 +589,8 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er
resources := []kube.Object{
NewInstrumentorServiceAccount(a.ns),
NewInstrumentorLeaderElectionRoleBinding(a.ns),
+ NewInstrumentorRole(a.ns),
+ NewInstrumentorRoleBinding(a.ns),
NewInstrumentorClusterRole(),
NewInstrumentorClusterRoleBinding(a.ns),
NewInstrumentorDeployment(a.ns, a.odigosVersion, a.config.TelemetryEnabled, a.config.ImagePrefix, a.config.InstrumentorImage),
@@ -604,14 +604,14 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er
},
resources...)
} else {
- ca, err := crypto.GenCA("odigos-instrumentor", 365)
+ ca, err := crypto.GenCA(InstrumentorCertificateName, 365)
if err != nil {
return fmt.Errorf("failed to generate CA: %w", err)
}
altNames := []string{
- fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns),
- fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns),
+ fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns),
+ fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns),
}
cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca)
diff --git a/helm/odigos/templates/instrumentor/clusterrole.yaml b/helm/odigos/templates/instrumentor/clusterrole.yaml
index 1c558fcf8..d1d479f72 100644
--- a/helm/odigos/templates/instrumentor/clusterrole.yaml
+++ b/helm/odigos/templates/instrumentor/clusterrole.yaml
@@ -6,102 +6,75 @@ rules:
- apiGroups:
- ""
resources:
- - namespaces
- nodes
verbs:
- - get
- list
- watch
+ - get
- apiGroups:
- - apps
+ - ""
resources:
- - daemonsets
- - deployments
- - statefulsets
+ - namespaces
verbs:
- - create
- - get
- list
- - patch
- - update
- watch
+ - get
- apiGroups:
- - ""
+ - apps
resources:
- - configmaps
+ - daemonsets
verbs:
- - create
- - delete
- get
- list
- - patch
- - update
- watch
+ - update
+ - patch
- apiGroups:
- apps
resources:
- - daemonsets/finalizers
- - deployments/finalizers
- - statefulsets/finalizers
+ - deployments
verbs:
+ - get
+ - list
+ - watch
- update
+ - patch
- apiGroups:
- apps
resources:
- - daemonsets/status
- - deployments/status
- - statefulsets/status
+ - statefulsets
verbs:
- get
+ - list
+ - watch
+ - update
+ - patch
- apiGroups:
- odigos.io
resources:
- - collectorsgroups
- instrumentedapplications
- - destinations
verbs:
- - create
- delete
- get
- list
- - patch
- - update
- watch
- apiGroups:
- odigos.io
resources:
- - collectorsgroups/finalizers
- - instrumentedapplications/finalizers
- - destinations/finalizers
+ - instrumentedapplications/status
verbs:
+ - get
+ - patch
- update
- apiGroups:
- odigos.io
resources:
- - collectorsgroups/status
- - instrumentedapplications/status
- - destinations/status
+ - instrumentationconfigs
verbs:
+ - create
+ - delete
- get
+ - list
- patch
- update
- - apiGroups:
- - odigos.io
- resources:
- - instrumentationconfigs
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - odigos.io
- resources:
- - instrumentationrules
- verbs:
- - get
- - list
- - watch
+ - watch
diff --git a/helm/odigos/templates/instrumentor/role.yaml b/helm/odigos/templates/instrumentor/role.yaml
new file mode 100644
index 000000000..05e6908a6
--- /dev/null
+++ b/helm/odigos/templates/instrumentor/role.yaml
@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: odigos-instrumentor
+ namespace: {{ .Release.Namespace }}
+rules:
+ - apiGroups:
+ - ""
+ resourceNames:
+ - odigos-config
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - odigos.io
+ resources:
+ - collectorsgroups
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - odigos.io
+ resources:
+ - collectorsgroups/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - odigos.io
+ resources:
+ - destinations
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - odigos.io
+ resources:
+ - instrumentationrules
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/helm/odigos/templates/instrumentor/rolebinding.yaml b/helm/odigos/templates/instrumentor/rolebinding.yaml
new file mode 100644
index 000000000..7d3bc38ab
--- /dev/null
+++ b/helm/odigos/templates/instrumentor/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: odigos-instrumentor
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: odigos-instrumentor
+subjects:
+- kind: ServiceAccount
+ name: odigos-instrumentor
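Review bot: The ServiceAccount subject has no `namespace`, so the binding relies on RBAC falling back to the RoleBinding's own namespace when it matches the subject. That resolves to the intended account today, but the ClusterRoleBinding in cli/cmd/resources/instrumentor.go sets `Namespace: ns` explicitly, and an explicit value is easier to audit. Add `namespace: {{ .Release.Namespace }}` under the subject here, and `Namespace: ns,` to the subject in `NewInstrumentorRoleBinding` in instrumentor.go.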
diff --git a/instrumentor/main.go b/instrumentor/main.go
index beb2b6855..131c9d2f2 100644
--- a/instrumentor/main.go
+++ b/instrumentor/main.go
@@ -20,6 +20,7 @@ import (
"flag"
"os"
+ "github.com/odigos-io/odigos/common/consts"
"github.com/odigos-io/odigos/k8sutils/pkg/env"
"github.com/odigos-io/odigos/instrumentor/controllers/instrumentationconfig"
@@ -38,7 +39,7 @@ import (
"github.com/go-logr/zapr"
bridge "github.com/odigos-io/opentelemetry-zap-bridge"
- v1 "github.com/odigos-io/odigos/api/odigos/v1alpha1"
+ odigosv1 "github.com/odigos-io/odigos/api/odigos/v1alpha1"
"github.com/odigos-io/odigos/common"
"github.com/odigos-io/odigos/instrumentor/controllers/deleteinstrumentedapplication"
@@ -48,6 +49,7 @@ import (
// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
// to ensure that exec-entrypoint and run can make use of them.
+ "k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/runtime"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -69,7 +71,7 @@ var (
func init() {
utilruntime.Must(clientgoscheme.AddToScheme(scheme))
- utilruntime.Must(v1.AddToScheme(scheme))
+ utilruntime.Must(odigosv1.AddToScheme(scheme))
//+kubebuilder:scaffold:scheme
}
@@ -97,6 +99,11 @@ func main() {
logger := zapr.NewLogger(zapLogger)
ctrl.SetLogger(logger)
+ odigosNs := env.GetCurrentNamespace()
+ nsSelector := client.InNamespace(odigosNs).AsSelector()
+ odigosConfigNameSelector := fields.OneTermEqualSelector("metadata.name", consts.OdigosConfigurationName)
+ odigosConfigSelector := fields.AndSelectors(nsSelector, odigosConfigNameSelector)
+
mgrOptions := ctrl.Options{
Scheme: scheme,
Metrics: metricsserver.Options{
@@ -111,7 +118,16 @@ func main() {
// Currently, instrumentor only need the labels and the .spec.template.spec field of the workloads.
ByObject: map[client.Object]cache.ByObject{
&corev1.ConfigMap{}: {
- Field: client.InNamespace(env.GetCurrentNamespace()).AsSelector(),
+ Field: odigosConfigSelector,
+ },
+ &odigosv1.CollectorsGroup{}: {
+ Field: nsSelector,
+ },
+ &odigosv1.Destination{}: {
+ Field: nsSelector,
+ },
+ &odigosv1.InstrumentationRule{}: {
+ Field: nsSelector,
},
},
},
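Review bot: The new `ByObject` entries are now load-bearing for authorization, not just memory use, and nothing in the code says so. A namespaced Role only permits requests scoped to the odigos namespace (and, for ConfigMaps, to the single named object), so widening any of these selectors makes the informer's list/watch fail with a forbidden error. Add a comment above the map such as `// These selectors must match the namespaced Role (NewInstrumentorRole / helm role.yaml); a broader request is rejected by RBAC.` This presumably also depends on controller-runtime turning a `metadata.namespace` field selector into a namespace-scoped request; if the pinned version does not guarantee that, setting `Namespaces` on each `cache.ByObject` would make the scope explicit. `main`'s body continues outside this hunk.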
From 21b705d6f8866462a723eb223066a62f9f12f47a Mon Sep 17 00:00:00 2001
From: Ben Elferink
Date: Mon, 23 Dec 2024 12:24:03 +0200
Subject: [PATCH 3/4] [GEN-2080]: fix useConnectDestinationForm to support
additional component properties for checkboxes (#2043)
This pull request focuses on replacing the `initialValue` prop with the
`value` prop for the `Checkbox` component across various parts of the
codebase. This change aims to standardize the usage of the `Checkbox`
component and ensure consistency in its implementation.
Key changes include:
*Checkbox Component Update:*
*
[`frontend/webapp/reuseable-components/checkbox/index.tsx`](diffhunk://#diff-e3e26dd8177396b9bc7c42ef92c2501572b33fed1806496d512ed90c2539f831L12-R12):
Replaced `initialValue` prop with `value` prop in the `Checkbox`
component. Updated the state management and useEffect hook accordingly.
[[1]](diffhunk://#diff-e3e26dd8177396b9bc7c42ef92c2501572b33fed1806496d512ed90c2539f831L12-R12)
[[2]](diffhunk://#diff-e3e26dd8177396b9bc7c42ef92c2501572b33fed1806496d512ed90c2539f831L39-R41)
*Usage in Forms and Fields:*
*
[`frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx`](diffhunk://#diff-1d91fa50761c80281ff07b7acecbeceb87478bdfd17634c6ee9ff0dd8905b5d5L69-R69):
Updated `Checkbox` component to use `value` instead of `initialValue`.
*
[`frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx`](diffhunk://#diff-c17889e1ffea148a206f57df5da9f8cc755e7e522a9057a339f6887c01ed5815L27-R27):
Updated `Checkbox` component to use `value` instead of `initialValue`.
*
[`frontend/webapp/containers/main/instrumentation-rules/rule-form-body/custom-fields/payload-collection.tsx`](diffhunk://#diff-e24d6b5b41b8be540f0fb09e0cc33f0d4aff8a7e61e19053129e9e1d36c845daL94-R94):
Updated `Checkbox` component to use `value` instead of `initialValue`.
*Usage in Source Selection:*
*
[`frontend/webapp/containers/main/sources/choose-sources/choose-sources-body/choose-sources-body-fast/source-controls/index.tsx`](diffhunk://#diff-9730809c6d075f90b2e6e31dc914c93f5507fc1ad62343607b690162c0af150dL37-R37):
Updated `Checkbox` component to use `value` instead of `initialValue`.
*
[`frontend/webapp/containers/main/sources/choose-sources/choose-sources-body/choose-sources-body-fast/sources-list/index.tsx`](diffhunk://#diff-6b67649d370d208941f4e5a78c0c9de2f5b9b65fd49e0ede8ef57066982450aaL142-R142):
Updated `Checkbox` component to use `value` instead of `initialValue`.
[[1]](diffhunk://#diff-6b67649d370d208941f4e5a78c0c9de2f5b9b65fd49e0ede8ef57066982450aaL142-R142)
[[2]](diffhunk://#diff-6b67649d370d208941f4e5a78c0c9de2f5b9b65fd49e0ede8ef57066982450aaL169-R169)
*Other Updates:*
*
[`frontend/webapp/hooks/destinations/useConnectDestinationForm.ts`](diffhunk://#diff-ff55b24fb020911d3ee70fd88fce706bdc4348bfdebe633f7e6967f560218b4eL8-R61):
Refactored the `buildFormDynamicFields` function to use the `value` prop
for various input types including `CHECKBOX`.
*
[`frontend/webapp/reuseable-components/dropdown/index.tsx`](diffhunk://#diff-707b6e11fbf977d74c45816fab07924a0eaa2d139b296cc58b74c98fd76f463dL253-R253):
Updated `Checkbox` component to use `value` instead of `initialValue` in
the dropdown list item.
These changes ensure that the `Checkbox` component is consistently using
the `value` prop, which improves the readability and maintainability of
the codebase.
---
.../custom-fields/pii-masking.tsx | 2 +-
.../dynamic-fields/index.tsx | 2 +-
.../custom-fields/payload-collection.tsx | 2 +-
.../source-controls/index.tsx | 2 +-
.../sources-list/index.tsx | 4 +-
.../source-controls/index.tsx | 7 +--
.../sources-list/index.tsx | 2 +-
.../destinations/useConnectDestinationForm.ts | 60 +++++++++----------
.../reuseable-components/checkbox/index.tsx | 8 +--
.../reuseable-components/dropdown/index.tsx | 2 +-
.../reuseable-components/input/index.tsx | 8 +--
.../monitoring-checkboxes/index.tsx | 4 +-
.../nodes-data-flow/nodes/base-node.tsx | 2 +-
.../nodes-data-flow/nodes/header-node.tsx | 2 +-
14 files changed, 48 insertions(+), 59 deletions(-)
diff --git a/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx b/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx
index 3a719af67..e386c8941 100644
--- a/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx
+++ b/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx
@@ -66,7 +66,7 @@ const PiiMasking: React.FC = ({ value, setValue, errorMessage }) => {
{strictPicklist.map(({ id, label }) => (
- handleChange(id, bool)} />
+ handleChange(id, bool)} />
))}
{!!errorMessage && {errorMessage}}
diff --git a/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx b/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx
index d7e73213d..e3c3ddff5 100644
--- a/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx
+++ b/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx
@@ -24,7 +24,7 @@ export const DestinationDynamicFields: React.FC = ({ fields, onChange, fo
case INPUT_TYPES.TEXTAREA:
return