From 0d0588d47d966cad07a9a1e561fd2bb171ed2d0c Mon Sep 17 00:00:00 2001
From: Marc Barry <4965634+marc-barry@users.noreply.github.com>
Date: Tue, 28 Nov 2023 13:58:17 -0500
Subject: [PATCH 1/2] Adjust the priority for egress enablement. First check namespace label then pod annotation.
---
api/v1/config.go | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/api/v1/config.go b/api/v1/config.go
index acbb30a..ae24351 100644
--- a/api/v1/config.go
+++ b/api/v1/config.go
@@ -23,28 +23,34 @@ type Config struct { } func (c *Config) Init(pod *corev1.Pod) error { - // check to see if an annotation is set on the pod to enable egress - egress, exists := pod.Annotations["qpoint.io/egress"] - if exists && egress == "enabled" { + // first check if the namespace has the label. If it does then assume that egress is enabled + namespace := &corev1.Namespace{} + if err := c.Client.Get(c.Ctx, client.ObjectKey{Name: c.Namespace}, namespace); err != nil { + return fmt.Errorf("fetching namespace '%s' from the api: %w", c.Namespace, err) + } + + // if the namespace is labeled, then we enable. A pod annotation override will be checked below + if namespace.Labels["qpoint-egress"] == "enabled" { c.Enabled = true } - // if we're not enabled yet, let's check the namespace - if !c.Enabled { - namespace := &corev1.Namespace{} - if err := c.Client.Get(c.Ctx, client.ObjectKey{Name: c.Namespace}, namespace); err != nil { - return fmt.Errorf("fetching namespace '%s' from the api: %w", c.Namespace, err) + // check to see if an annotation is set on the pod to enable or disable egress while also verifying + // if it was enabled for the namespace but needs to be disabled for the pod + egress, exists := pod.Annotations["qpoint.io/egress"] + + // if the annotation doesn't exist nothing else needs to be checked + if exists { + if c.Enabled && egress != "enabled" { + c.Enabled = false } - // if the namespace is labeled, then we enable - if namespace.Labels["qpoint-egress"] == "enabled" { + if !c.Enabled && egress == "enabled" { c.Enabled = true } } // if we're enabled if c.Enabled { - // let's fetch the default settings in the configmap configMap := &corev1.ConfigMap{} if err := c.Client.Get(c.Ctx, client.ObjectKey{Name: ANNOTATIONS_CONFIGMAP, Namespace: c.OperatorNamespace}, configMap); err != nil { From 4a2684c2d6080c305004b09e96e61721d7ef11db Mon Sep 17 00:00:00 2001 
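Review bot: In the new `if exists` block, `egress != "enabled"` switches egress off for any annotation value that is not exactly `enabled`, so a typo, a different letter case or an empty value on a pod in a labeled namespace silently overrides the namespace setting and, presumably, takes that pod's outbound traffic off the gateway path. Matching the documented opt-out value explicitly, `if c.Enabled && egress == "disabled" {`, keeps the namespace label in force for unrecognized values. If the namespace label is meant as a policy set by cluster administrators, the new precedence also means anyone who can set pod annotations can opt a pod out, which would be worth stating in a comment above the block and pairing with an admission restriction on that annotation. The namespace lookup now runs for every pod, so a failed `Get` makes `Init` return an error even when the pod annotation alone would have decided the outcome. `Init` continues past the end of the hunk.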
From: Marc Barry <4965634+marc-barry@users.noreply.github.com> Date: Tue, 28 Nov 2023 14:14:59 -0500 Subject: [PATCH 2/2] Update readme. --- README.md | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 653de40..73e609f 100644 --- a/README.md +++ b/README.md @@ -1,31 +1,31 @@ # qtap-operator + A kubernetes operator to simplify routing outbound traffic through Qpoint's 3rd-party API Gateway ## Install Helm -``` -todo +```text +helm install qtap-operator qpoint/qtap-operator --namespace qpoint ``` Manual -``` -todo -``` + +The pre-built Docker container can be found at us-docker.pkg.dev/qpoint-edge/public/kubernetes-qtap-operator and uses the tag for the release . See for an example of a Deployment. ## Configure Egress __Option 1:__ Namespace label -``` +```text kubectl label namespace qpoint-egress=enabled ``` __Option 2:__ Pod annotation -``` +```text apiVersion: v1 kind: Pod metadata: @@ -34,11 +34,26 @@ metadata: qpoint.io/egress: enabled ``` +The order of precedence is that a pod annotation can override a namespace label. For example the following would enable for a namespace but disable for a pod. + +```text +kubectl label namespace qpoint-egress=enabled +``` + +```text +apiVersion: v1 +kind: Pod +metadata: + name: hello-world + annotations: + qpoint.io/egress: disabled +``` + ## Local Dev Bootstrap dev cluster (uses KinD) with live-reloading -``` +```text make dev ```