Merge pull request #2 from qpoint-io/mutate-egress

Wire up egress init mutation
qpoint-io · Nov 9, 2023 · af1ef8a · af1ef8a
2 parents 48303b9 + 146ea76
commit af1ef8a
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 25 deletions.
diff --git a/api/v1/egress.go b/api/v1/egress.go
@@ -1,24 +1,76 @@
 package v1
 
 import (
+	"fmt"
+
 	corev1 "k8s.io/api/core/v1"
 )
 
+const INIT_IMAGE = "us-docker.pkg.dev/qpoint-edge/public/kubernetes-qtap-init"
+
 func MutateEgress(pod *corev1.Pod, config *Config) error {
-	// // create an init container
-	// initContainer := corev1.Container{
-	// 	Name:  "qtap-init",
-	// 	Image: "us-docker.pkg.dev/qpoint-edge/public/kubernetes-qtap-init",
-	// 	Env:   []corev1.EnvVar{},
-	// 	SecurityContext: &corev1.SecurityContext{
-	// 		Capabilities: &corev1.Capabilities{
-	// 			Add: []corev1.Capability{"NET_ADMIN"},
-	// 		},
-	// 	},
-	// }
-
-	// // append to the list
-	// pod.Spec.InitContainers = append(pod.Spec.InitContainers, initContainer)
+	// fetch the init image tag
+	tag := config.Get("egress-init-tag")
+
+	// create an init container
+	initContainer := corev1.Container{
+		Name:  "qtap-init",
+		Image: fmt.Sprintf("%s:%s", INIT_IMAGE, tag),
+		Env:   []corev1.EnvVar{},
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Add: []corev1.Capability{"NET_ADMIN"},
+			},
+		},
+	}
+
+	// TO_DOMAIN
+	toDomain := config.Get("egress-to-domain")
+	if toDomain != "" {
+		initContainer.Env = append(initContainer.Env, corev1.EnvVar{
+			Name:  "TO_DOMAIN",
+			Value: toDomain,
+		})
+	}
+
+	// TO_ADDR
+	toAddr := config.Get("egress-to-addr")
+	if toAddr != "" {
+		initContainer.Env = append(initContainer.Env, corev1.EnvVar{
+			Name:  "TO_ADDR",
+			Value: toAddr,
+		})
+	}
+
+	// PORT_MAPPING
+	portMapping := config.Get("egress-port-mapping")
+	if portMapping != "" {
+		initContainer.Env = append(initContainer.Env, corev1.EnvVar{
+			Name:  "PORT_MAPPING",
+			Value: portMapping,
+		})
+	}
+
+	// ACCEPT_UIDS
+	acceptUids := config.Get("egress-accept-uids")
+	if acceptUids != "" {
+		initContainer.Env = append(initContainer.Env, corev1.EnvVar{
+			Name:  "ACCEPT_UIDS",
+			Value: acceptUids,
+		})
+	}
+
+	// ACCEPT_GIDS
+	acceptGids := config.Get("egress-accept-gids")
+	if acceptGids != "" {
+		initContainer.Env = append(initContainer.Env, corev1.EnvVar{
+			Name:  "ACCEPT_GIDS",
+			Value: acceptGids,
+		})
+	}
+
+	// append to the list
+	pod.Spec.InitContainers = append(pod.Spec.InitContainers, initContainer)
 
 	// gtg
 	return nil

diff --git a/api/v1/webhook.go b/api/v1/webhook.go
@@ -49,12 +49,6 @@ func (w *Webhook) Handle(ctx context.Context, req admission.Request) admission.R
 	if config.Enabled {
 		webhookLog.Info("Qpoint egress enabled, mutating...")
 
-		// if w.Development {
-		// 	fmt.Println("Before: ")
-		// 	jsonBytes, _ := json.MarshalIndent(pod, "", "  ")
-		// 	fmt.Println(string(jsonBytes))
-		// }
-
 		// mutate the pod to include egress through the gateway
 		if err := MutateEgress(pod, config); err != nil {
 			webhookLog.Error(err, "failed to mutate pod for egress")
@@ -73,11 +67,6 @@ func (w *Webhook) Handle(ctx context.Context, req admission.Request) admission.R
 			}
 		}
 
-		// if w.Development {
-		// 	fmt.Println("AFTER: ")
-		// 	jsonBytes, _ := json.MarshalIndent(pod, "", "  ")
-		// 	fmt.Println(string(jsonBytes))
-		// }
 	} else {
 		webhookLog.Info("Qpoint egress not enabled, ignoring...")
 	}

diff --git a/config/webhook/configmap.yaml b/config/webhook/configmap.yaml
@@ -6,5 +6,6 @@ metadata:
 data:
   annotations.yaml: |
     qpoint.io/inject-ca: "true"
+    qpoint.io/egress-init-tag: "release-v0.0.2"
     qpoint.io/egress-to-domain: "qtap.qpoint.svc.cluster.local"