From 2ab51ed5a049ebf1723e525d2d7e6a262a9cc51f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 20 Dec 2024 20:29:06 +0200 Subject: [PATCH 1/4] chore(deps): bump golang.org/x/crypto from 0.25.0 to 0.31.0 in /frontend (#2045) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.25.0 to 0.31.0.
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.25.0&new-version=0.31.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/odigos-io/odigos/network/alerts).
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 frontend/go.mod | 10 +++++----- frontend/go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/frontend/go.mod b/frontend/go.mod
index 9076933b6..13a1258e5 100644
--- a/frontend/go.mod
+++ b/frontend/go.mod
@@ -21,7 +21,7 @@ require (
 go.opentelemetry.io/collector/pdata v1.12.0
 go.opentelemetry.io/collector/receiver/otlpreceiver v0.106.1
 go.opentelemetry.io/otel v1.29.0
- golang.org/x/sync v0.7.0
+ golang.org/x/sync v0.10.0
 k8s.io/api v0.31.0
 k8s.io/apimachinery v0.31.0
 k8s.io/client-go v0.31.0
@@ -132,12 +132,12 @@ require (
 go.opentelemetry.io/collector/pdata/pprofile v0.106.1 // indirect
 go.opentelemetry.io/otel/trace v1.29.0 // indirect
 golang.org/x/arch v0.3.0 // indirect
- golang.org/x/crypto v0.25.0 // indirect
+ golang.org/x/crypto v0.31.0 // indirect
 golang.org/x/net v0.27.0 // indirect
 golang.org/x/oauth2 v0.21.0 // indirect
- golang.org/x/sys v0.22.0 // indirect
- golang.org/x/term v0.22.0 // indirect
- golang.org/x/text v0.16.0 // indirect
+ golang.org/x/sys v0.28.0 // indirect
+ golang.org/x/term v0.27.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
 golang.org/x/time v0.3.0 // indirect
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 google.golang.org/protobuf v1.34.2 // indirect
diff --git a/frontend/go.sum b/frontend/go.sum
index a6ed52ff1..7ae38cb33 100644
--- a/frontend/go.sum
+++ b/frontend/go.sum
@@ -338,8 +338,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc h1:mCRnTeVUjcrhlRmO0VK8a6k6Rrf6TF9htwo2pJVSjIU=
 golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -356,8 +356,8 @@ golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -368,16 +368,16 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
-golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
From 5f3b442f06c227a89dde596d72b1e57cf651dc10 Mon Sep 17 00:00:00 2001
From: Amir Blum Date: Sat, 21 Dec 2024 09:53:44 +0200 Subject: [PATCH 2/4] chore: narrow RBAC permissions for instrumentor (#2042) - move things we use only in namespace from clusterrole to role. - reduce permission we don't need - remove permissions we don't use - sync controller-runtime cache with these changes. This PR only touches the permissions, there are some opportunities to improve more, not in this PR scope. --- cli/cmd/resources/instrumentor.go | 218 +++++++++--------- .../templates/instrumentor/clusterrole.yaml | 79 +++---- helm/odigos/templates/instrumentor/role.yaml | 48 ++++ .../templates/instrumentor/rolebinding.yaml | 12 + instrumentor/main.go | 22 +- 5 files changed, 214 insertions(+), 165 deletions(-) create mode 100644 helm/odigos/templates/instrumentor/role.yaml create mode 100644 helm/odigos/templates/instrumentor/rolebinding.yaml diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go index e2e972306..89e3c7d8e 100644 --- a/cli/cmd/resources/instrumentor.go +++ b/cli/cmd/resources/instrumentor.go 
@@ -23,12 +23,20 @@ import ( ) const ( - InstrumentorServiceName = "instrumentor" - InstrumentorDeploymentName = "odigos-instrumentor" - InstrumentorAppLabelValue = "odigos-instrumentor" - InstrumentorContainerName = "manager" - InstrumentorWebhookSecretName = "instrumentor-webhook-cert" - InstrumentorWebhookVolumeName = "webhook-cert" + InstrumentorOtelServiceName = "instrumentor" + InstrumentorDeploymentName = "odigos-instrumentor" + InstrumentorAppLabelValue = InstrumentorDeploymentName + InstrumentorServiceName = InstrumentorDeploymentName + InstrumentorServiceAccountName = InstrumentorDeploymentName + InstrumentorRoleName = InstrumentorDeploymentName + InstrumentorRoleBindingName = InstrumentorDeploymentName + InstrumentorClusterRoleName = InstrumentorDeploymentName + InstrumentorClusterRoleBindingName = InstrumentorDeploymentName + InstrumentorCertificateName = InstrumentorDeploymentName + InstrumentorMutatingWebhookName = "mutating-webhook-configuration" + InstrumentorContainerName = "manager" + InstrumentorWebhookSecretName = "instrumentor-webhook-cert" + InstrumentorWebhookVolumeName = "webhook-cert" ) func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { @@ -38,7 +46,7 @@ func NewInstrumentorServiceAccount(ns string) *corev1.ServiceAccount { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: InstrumentorDeploymentName, + Name: InstrumentorServiceAccountName, Namespace: ns, }, } @@ -57,7 +65,7 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding { Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odigos-instrumentor", + Name: InstrumentorServiceAccountName, }, }, RoleRef: rbacv1.RoleRef{ 
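Review bot: `InstrumentorServiceName` keeps its exported name in the const block but its value changes from "instrumentor" to the Deployment name, so any caller outside this diff that still passes it as the OTel service name would silently switch to "odigos-instrumentor". The in-file `OTEL_SERVICE_NAME` use is moved to `InstrumentorOtelServiceName` in a later hunk, but other packages are not visible here and are worth a search before merge. Since the RBAC subjects and roleRefs now resolve through these aliases, a comment above them such as `// Kubernetes object names; bindings reference these, so a rename changes which identity holds the roles` would document the coupling.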
@@ -68,6 +76,71 @@ func NewInstrumentorLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding { } } +func NewInstrumentorRole(ns string) *rbacv1.Role { + return &rbacv1.Role{ + TypeMeta: metav1.TypeMeta{ + Kind: "Role", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: InstrumentorRoleName, + Namespace: ns, + }, + Rules: []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"configmaps"}, + ResourceNames: []string{"odigos-config"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"collectorsgroups"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"collectorsgroups/status"}, + Verbs: []string{"get", "list", "watch"}, + }, + { // Needed for odigos own telemetry events reporting. Consider moving to scheduler + APIGroups: []string{"odigos.io"}, + Resources: []string{"destinations"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"odigos.io"}, + Resources: []string{"instrumentationrules"}, + Verbs: []string{"get", "list", "watch"}, + }, + }, + } +} + +func NewInstrumentorRoleBinding(ns string) *rbacv1.RoleBinding { + return &rbacv1.RoleBinding{ + TypeMeta: metav1.TypeMeta{ + Kind: "RoleBinding", + APIVersion: "rbac.authorization.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: InstrumentorRoleBindingName, + Namespace: ns, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Name: InstrumentorServiceAccountName, + }, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: InstrumentorRoleName, + }, + } +} + func NewInstrumentorClusterRole() *rbacv1.ClusterRole { return &rbacv1.ClusterRole{ TypeMeta: metav1.TypeMeta{ 
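Review bot: In `NewInstrumentorRole` the ConfigMap rule hard-codes `ResourceNames: []string{"odigos-config"}`, while the cache in instrumentor/main.go selects the ConfigMap by `consts.OdigosConfigurationName`; a `list` or `watch` restricted by resourceNames is only authorized when the request carries a matching `metadata.name` field selector, so the two values must never diverge. The file already references `consts`, so `ResourceNames: []string{consts.OdigosConfigurationName}` would tie them together, assuming that constant holds the same string, which this diff does not show. The `collectorsgroups/status` rule grants `get`, `list`, `watch`, but `list` and `watch` are not meaningful on a status subresource and status is already readable through the `collectorsgroups` rule, so it looks droppable here and in helm/odigos/templates/instrumentor/role.yaml. In `NewInstrumentorRoleBinding` the subject has no `Namespace`, which a namespaced binding resolves to its own namespace; `Namespace: ns` would make the bound identity explicit.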
@@ -75,124 +148,49 @@ func NewInstrumentorClusterRole() *rbacv1.ClusterRole { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleName, }, Rules: []rbacv1.PolicyRule{ - { + { // Used in events reporting for own telemetry APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"list", "watch", "get"}, }, - { + { // Read instrumentation labels from namespaces APIGroups: []string{""}, Resources: []string{"namespaces"}, Verbs: []string{"list", "watch", "get"}, }, - { - APIGroups: []string{""}, - Resources: []string{"configmaps"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { + { // Read instrumentation labels from daemonsets and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"daemonsets"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"daemonsets/finalizers"}, - Verbs: []string{"update"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { - APIGroups: []string{"apps"}, - Resources: []string{"daemonsets/status"}, - Verbs: []string{"get"}, - }, - { + { // Read instrumentation labels from deployments and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"deployments"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { - APIGroups: []string{"apps"}, - Resources: []string{"deployments/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"deployments/status"}, - Verbs: []string{"get"}, - }, - { + { // Read instrumentation labels from statefulsets and apply pod spec changes APIGroups: []string{"apps"}, Resources: []string{"statefulsets"}, - Verbs: []string{"create", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: 
[]string{"apps"}, - Resources: []string{"statefulsets/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"statefulsets/status"}, - Verbs: []string{"get"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups/finalizers"}, - Verbs: []string{"update"}, + Verbs: []string{"get", "list", "watch", "update", "patch"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"collectorsgroups/status"}, - Verbs: []string{"get", "patch", "update"}, - }, - { + { // React to runtime detection in user workloads in all namespaces APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentedapplications"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + Verbs: []string{"delete", "get", "list", "watch"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"instrumentedapplications/finalizers"}, - Verbs: []string{"update"}, - }, - { + { // Update the status of the instrumented applications after device injection APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentedapplications/status"}, Verbs: []string{"get", "patch", "update"}, }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations"}, - Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"odigos.io"}, - Resources: []string{"destinations/status"}, - Verbs: []string{"get", "patch", "update"}, - }, { APIGroups: []string{"odigos.io"}, Resources: []string{"instrumentationconfigs"}, Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, }, - { - APIGroups: []string{"odigos.io"}, - 
Resources: []string{"instrumentationrules"}, - Verbs: []string{"get", "list", "watch"}, - }, }, } } @@ -204,19 +202,19 @@ func NewInstrumentorClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding { APIVersion: "rbac.authorization.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleBindingName, }, Subjects: []rbacv1.Subject{ { Kind: "ServiceAccount", - Name: "odigos-instrumentor", + Name: InstrumentorServiceAccountName, Namespace: ns, }, }, RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", - Name: "odigos-instrumentor", + Name: InstrumentorClusterRoleName, }, } } @@ -294,7 +292,7 @@ func NewInstrumentorService(ns string) *corev1.Service { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorServiceName, Namespace: ns, }, Spec: corev1.ServiceSpec{ @@ -319,10 +317,10 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis APIVersion: "admissionregistration.k8s.io/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "mutating-webhook-configuration", + Name: InstrumentorMutatingWebhookName, Labels: map[string]string{ "app.kubernetes.io/name": "pod-mutating-webhook", - "app.kubernetes.io/instance": "mutating-webhook-configuration", + "app.kubernetes.io/instance": InstrumentorMutatingWebhookName, "app.kubernetes.io/component": "webhook", "app.kubernetes.io/created-by": "instrumentor", "app.kubernetes.io/part-of": "odigos", @@ -333,7 +331,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis Name: "pod-mutating-webhook.odigos.io", ClientConfig: admissionregistrationv1.WebhookClientConfig{ Service: &admissionregistrationv1.ServiceReference{ - Name: "odigos-instrumentor", + Name: InstrumentorServiceName, Namespace: ns, Path: ptrString("/mutate--v1-pod"), Port: intPtr(9443), 
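Review bot: The `instrumentationconfigs` rule in `NewInstrumentorClusterRole` is the only one left without a justification comment and it still grants every write verb cluster-wide; a line such as `// Instrumentor manages InstrumentationConfig objects in user namespaces (confirm which verbs are actually used)` would bring it in line with the other rules and invite a narrower verb list. The hunk also drops every `*/finalizers` update rule: if the instrumentor sets owner references with `blockOwnerDeletion` on objects it creates (not visible in this diff), clusters running the OwnerReferencesPermissionEnforcement admission plugin will reject those writes without `update` on the owner's `finalizers` subresource, so that path deserves a test before release. The workload rules keep both `update` and `patch`; if the pod-spec writer only uses one, the other can go. The same rule set is mirrored in helm/odigos/templates/instrumentor/clusterrole.yaml.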
@@ -359,7 +357,7 @@ func NewMutatingWebhookConfiguration(ns string, caBundle []byte) *admissionregis TimeoutSeconds: intPtr(10), ObjectSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ - "odigos.io/inject-instrumentation": "true", + consts.OdigosInjectInstrumentationLabel: "true", }, }, AdmissionReviewVersions: []string{ @@ -425,7 +423,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, APIVersion: "apps/v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "odigos-instrumentor", + Name: InstrumentorDeploymentName, Namespace: ns, Labels: map[string]string{ "app.kubernetes.io/name": InstrumentorAppLabelValue, @@ -459,7 +457,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, Env: []corev1.EnvVar{ { Name: "OTEL_SERVICE_NAME", - Value: InstrumentorServiceName, + Value: InstrumentorOtelServiceName, }, { Name: "CURRENT_NS", @@ -531,7 +529,7 @@ func NewInstrumentorDeployment(ns string, version string, telemetryEnabled bool, }, }, TerminationGracePeriodSeconds: ptrint64(10), - ServiceAccountName: "odigos-instrumentor", + ServiceAccountName: InstrumentorServiceAccountName, SecurityContext: &corev1.PodSecurityContext{ RunAsNonRoot: ptrbool(true), }, @@ -591,6 +589,8 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er resources := []kube.Object{ NewInstrumentorServiceAccount(a.ns), NewInstrumentorLeaderElectionRoleBinding(a.ns), + NewInstrumentorRole(a.ns), + NewInstrumentorRoleBinding(a.ns), NewInstrumentorClusterRole(), NewInstrumentorClusterRoleBinding(a.ns), NewInstrumentorDeployment(a.ns, a.odigosVersion, a.config.TelemetryEnabled, a.config.ImagePrefix, a.config.InstrumentorImage), 
@@ -604,14 +604,14 @@ func (a *instrumentorResourceManager) InstallFromScratch(ctx context.Context) er }, resources...) } else { - ca, err := crypto.GenCA("odigos-instrumentor", 365) + ca, err := crypto.GenCA(InstrumentorCertificateName, 365) if err != nil { return fmt.Errorf("failed to generate CA: %w", err) } altNames := []string{ - fmt.Sprintf("odigos-instrumentor.%s.svc", a.ns), - fmt.Sprintf("odigos-instrumentor.%s.svc.cluster.local", a.ns), + fmt.Sprintf("%s.%s.svc", InstrumentorServiceName, a.ns), + fmt.Sprintf("%s.%s.svc.cluster.local", InstrumentorServiceName, a.ns), } cert, err := crypto.GenerateSignedCertificate("serving-cert", nil, altNames, 365, ca) diff --git a/helm/odigos/templates/instrumentor/clusterrole.yaml b/helm/odigos/templates/instrumentor/clusterrole.yaml index 1c558fcf8..d1d479f72 100644 --- a/helm/odigos/templates/instrumentor/clusterrole.yaml +++ b/helm/odigos/templates/instrumentor/clusterrole.yaml 
@@ -6,102 +6,75 @@ rules: - apiGroups: - "" resources: - - namespaces - nodes verbs: - - get - list - watch + - get - apiGroups: - - apps + - "" resources: - - daemonsets - - deployments - - statefulsets + - namespaces verbs: - - create - - get - list - - patch - - update - watch + - get - apiGroups: - - "" + - apps resources: - - configmaps + - daemonsets verbs: - - create - - delete - get - list - - patch - - update - watch + - update + - patch - apiGroups: - apps resources: - - daemonsets/finalizers - - deployments/finalizers - - statefulsets/finalizers + - deployments verbs: + - get + - list + - watch - update + - patch - apiGroups: - apps resources: - - daemonsets/status - - deployments/status - - statefulsets/status + - statefulsets verbs: - get + - list + - watch + - update + - patch - apiGroups: - odigos.io resources: - - collectorsgroups - instrumentedapplications - - destinations verbs: - - create - delete - get - list - - patch - - update - watch - apiGroups: - odigos.io resources: - - collectorsgroups/finalizers - - instrumentedapplications/finalizers - - destinations/finalizers + - instrumentedapplications/status verbs: + - get + - patch - update - apiGroups: - odigos.io resources: - - collectorsgroups/status - - instrumentedapplications/status - - destinations/status + - instrumentationconfigs verbs: + - create + - delete - get + - list - patch - update - - apiGroups: - - odigos.io - resources: - - instrumentationconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - odigos.io - resources: - - instrumentationrules - verbs: - - get - - list - - watch + - watch diff --git a/helm/odigos/templates/instrumentor/role.yaml b/helm/odigos/templates/instrumentor/role.yaml new file mode 100644 index 000000000..05e6908a6 --- /dev/null +++ b/helm/odigos/templates/instrumentor/role.yaml 
@@ -0,0 +1,48 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: odigos-instrumentor + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "" + resourceNames: + - odigos-config + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - collectorsgroups + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - collectorsgroups/status + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - destinations + verbs: + - get + - list + - watch + - apiGroups: + - odigos.io + resources: + - instrumentationrules + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/helm/odigos/templates/instrumentor/rolebinding.yaml b/helm/odigos/templates/instrumentor/rolebinding.yaml new file mode 100644 index 000000000..7d3bc38ab --- /dev/null +++ b/helm/odigos/templates/instrumentor/rolebinding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: odigos-instrumentor + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: odigos-instrumentor +subjects: +- kind: ServiceAccount + name: odigos-instrumentor diff --git a/instrumentor/main.go b/instrumentor/main.go index beb2b6855..131c9d2f2 100644 --- a/instrumentor/main.go +++ b/instrumentor/main.go @@ -20,6 +20,7 @@ import ( "flag" "os" + "github.com/odigos-io/odigos/common/consts" "github.com/odigos-io/odigos/k8sutils/pkg/env" "github.com/odigos-io/odigos/instrumentor/controllers/instrumentationconfig" @@ -38,7 +39,7 @@ import ( "github.com/go-logr/zapr" bridge "github.com/odigos-io/opentelemetry-zap-bridge" - v1 "github.com/odigos-io/odigos/api/odigos/v1alpha1" + odigosv1 "github.com/odigos-io/odigos/api/odigos/v1alpha1" "github.com/odigos-io/odigos/common" "github.com/odigos-io/odigos/instrumentor/controllers/deleteinstrumentedapplication" 
@@ -48,6 +49,7 @@ import ( // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. + "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" @@ -69,7 +71,7 @@ var ( func init() { utilruntime.Must(clientgoscheme.AddToScheme(scheme)) - utilruntime.Must(v1.AddToScheme(scheme)) + utilruntime.Must(odigosv1.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme } @@ -97,6 +99,11 @@ func main() { logger := zapr.NewLogger(zapLogger) ctrl.SetLogger(logger) + odigosNs := env.GetCurrentNamespace() + nsSelector := client.InNamespace(odigosNs).AsSelector() + odigosConfigNameSelector := fields.OneTermEqualSelector("metadata.name", consts.OdigosConfigurationName) + odigosConfigSelector := fields.AndSelectors(nsSelector, odigosConfigNameSelector) + mgrOptions := ctrl.Options{ Scheme: scheme, Metrics: metricsserver.Options{ @@ -111,7 +118,16 @@ func main() { // Currently, instrumentor only need the labels and the .spec.template.spec field of the workloads. ByObject: map[client.Object]cache.ByObject{ &corev1.ConfigMap{}: { - Field: client.InNamespace(env.GetCurrentNamespace()).AsSelector(), + Field: odigosConfigSelector, + }, + &odigosv1.CollectorsGroup{}: { + Field: nsSelector, + }, + &odigosv1.Destination{}: { + Field: nsSelector, + }, + &odigosv1.InstrumentationRule{}: { + Field: nsSelector, }, }, }, From 21b705d6f8866462a723eb223066a62f9f12f47a Mon Sep 17 00:00:00 2001 
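Review bot: The new `ByObject` entries in `main` are what make the namespaced Role sufficient, and nothing in the code says so: the service account can no longer list or watch ConfigMaps, CollectorsGroups, Destinations or InstrumentationRules at cluster scope, so removing or loosening one of these selectors would show up as forbidden list/watch errors at startup rather than at compile time. A comment above the selectors would record that, for example `// Must match the instrumentor Role: these kinds are readable only in odigosNs, and the ConfigMap only by name.` The setup also relies on the cache turning an exact `metadata.namespace` field selector into a namespace-scoped request, which is worth confirming for the pinned controller-runtime version. `main` starts and ends outside the hunk.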
From: Ben Elferink Date: Mon, 23 Dec 2024 12:24:03 +0200 Subject: [PATCH 3/4] [GEN-2080]: fix useConnectDestinationForm to support additional component properties for checkboxes (#2043) This pull request focuses on replacing the `initialValue` prop with the `value` prop for the `Checkbox` component across various parts of the codebase. This change aims to standardize the usage of the `Checkbox` component and ensure consistency in its implementation. Key changes include: *Checkbox Component Update:* * [`frontend/webapp/reuseable-components/checkbox/index.tsx`](diffhunk://#diff-e3e26dd8177396b9bc7c42ef92c2501572b33fed1806496d512ed90c2539f831L12-R12): Replaced `initialValue` prop with `value` prop in the `Checkbox` component. Updated the state management and useEffect hook accordingly. [[1]](diffhunk://#diff-e3e26dd8177396b9bc7c42ef92c2501572b33fed1806496d512ed90c2539f831L12-R12) [[2]](diffhunk://#diff-e3e26dd8177396b9bc7c42ef92c2501572b33fed1806496d512ed90c2539f831L39-R41) *Usage in Forms and Fields:* * [`frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx`](diffhunk://#diff-1d91fa50761c80281ff07b7acecbeceb87478bdfd17634c6ee9ff0dd8905b5d5L69-R69): Updated `Checkbox` component to use `value` instead of `initialValue`. * [`frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx`](diffhunk://#diff-c17889e1ffea148a206f57df5da9f8cc755e7e522a9057a339f6887c01ed5815L27-R27): Updated `Checkbox` component to use `value` instead of `initialValue`. * [`frontend/webapp/containers/main/instrumentation-rules/rule-form-body/custom-fields/payload-collection.tsx`](diffhunk://#diff-e24d6b5b41b8be540f0fb09e0cc33f0d4aff8a7e61e19053129e9e1d36c845daL94-R94): Updated `Checkbox` component to use `value` instead of `initialValue`. 
*Usage in Source Selection:* * [`frontend/webapp/containers/main/sources/choose-sources/choose-sources-body/choose-sources-body-fast/source-controls/index.tsx`](diffhunk://#diff-9730809c6d075f90b2e6e31dc914c93f5507fc1ad62343607b690162c0af150dL37-R37): Updated `Checkbox` component to use `value` instead of `initialValue`. * [`frontend/webapp/containers/main/sources/choose-sources/choose-sources-body/choose-sources-body-fast/sources-list/index.tsx`](diffhunk://#diff-6b67649d370d208941f4e5a78c0c9de2f5b9b65fd49e0ede8ef57066982450aaL142-R142): Updated `Checkbox` component to use `value` instead of `initialValue`. [[1]](diffhunk://#diff-6b67649d370d208941f4e5a78c0c9de2f5b9b65fd49e0ede8ef57066982450aaL142-R142) [[2]](diffhunk://#diff-6b67649d370d208941f4e5a78c0c9de2f5b9b65fd49e0ede8ef57066982450aaL169-R169) *Other Updates:* * [`frontend/webapp/hooks/destinations/useConnectDestinationForm.ts`](diffhunk://#diff-ff55b24fb020911d3ee70fd88fce706bdc4348bfdebe633f7e6967f560218b4eL8-R61): Refactored the `buildFormDynamicFields` function to use the `value` prop for various input types including `CHECKBOX`. * [`frontend/webapp/reuseable-components/dropdown/index.tsx`](diffhunk://#diff-707b6e11fbf977d74c45816fab07924a0eaa2d139b296cc58b74c98fd76f463dL253-R253): Updated `Checkbox` component to use `value` instead of `initialValue` in the dropdown list item. These changes ensure that the `Checkbox` component is consistently using the `value` prop, which improves the readability and maintainability of the codebase. 
--- .../custom-fields/pii-masking.tsx | 2 +- .../dynamic-fields/index.tsx | 2 +- .../custom-fields/payload-collection.tsx | 2 +- .../source-controls/index.tsx | 2 +- .../sources-list/index.tsx | 4 +- .../source-controls/index.tsx | 7 +-- .../sources-list/index.tsx | 2 +- .../destinations/useConnectDestinationForm.ts | 60 +++++++++---------- .../reuseable-components/checkbox/index.tsx | 8 +-- .../reuseable-components/dropdown/index.tsx | 2 +- .../reuseable-components/input/index.tsx | 8 +-- .../monitoring-checkboxes/index.tsx | 4 +- .../nodes-data-flow/nodes/base-node.tsx | 2 +- .../nodes-data-flow/nodes/header-node.tsx | 2 +- 14 files changed, 48 insertions(+), 59 deletions(-) diff --git a/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx b/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx index 3a719af67..e386c8941 100644 --- a/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx +++ b/frontend/webapp/containers/main/actions/action-form-body/custom-fields/pii-masking.tsx @@ -66,7 +66,7 @@ const PiiMasking: React.FC = ({ value, setValue, errorMessage }) => { {strictPicklist.map(({ id, label }) => ( - handleChange(id, bool)} /> + handleChange(id, bool)} /> ))} {!!errorMessage && {errorMessage}} diff --git a/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx b/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx index d7e73213d..e3c3ddff5 100644 --- a/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx +++ b/frontend/webapp/containers/main/destinations/destination-form-body/dynamic-fields/index.tsx @@ -24,7 +24,7 @@ export const DestinationDynamicFields: React.FC = ({ fields, onChange, fo case INPUT_TYPES.TEXTAREA: return