Merge pull request #176 from hashicorp/connect-sidecar

Add new lifecycle-sidecar command
hashicorp · Dec 17, 2019 · ceb5400 · ceb5400
2 parents 5636d00 + 13c0e8c
commit ceb5400
Show file tree

Hide file tree

Showing 12 changed files with 644 additions and 6 deletions.
diff --git a/commands.go b/commands.go
@@ -6,6 +6,7 @@ import (
 	cmdACLInit "github.com/hashicorp/consul-k8s/subcommand/acl-init"
 	cmdDeleteCompletedJob "github.com/hashicorp/consul-k8s/subcommand/delete-completed-job"
 	cmdInjectConnect "github.com/hashicorp/consul-k8s/subcommand/inject-connect"
+	cmdLifecycleSidecar "github.com/hashicorp/consul-k8s/subcommand/lifecycle-sidecar"
 	cmdServerACLInit "github.com/hashicorp/consul-k8s/subcommand/server-acl-init"
 	cmdSyncCatalog "github.com/hashicorp/consul-k8s/subcommand/sync-catalog"
 	cmdVersion "github.com/hashicorp/consul-k8s/subcommand/version"
@@ -28,6 +29,10 @@ func init() {
 			return &cmdInjectConnect.Command{UI: ui}, nil
 		},
 
+		"lifecycle-sidecar": func() (cli.Command, error) {
+			return &cmdLifecycleSidecar.Command{UI: ui}, nil
+		},
+
 		"server-acl-init": func() (cli.Command, error) {
 			return &cmdServerACLInit.Command{UI: ui}, nil
 		},

diff --git a/connect-inject/container_sidecar.go → connect-inject/envoy_sidecar.go b/connect-inject/container_sidecar.go → connect-inject/envoy_sidecar.go
@@ -8,7 +8,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
-func (h *Handler) containerSidecar(pod *corev1.Pod) (corev1.Container, error) {
+func (h *Handler) envoySidecar(pod *corev1.Pod) (corev1.Container, error) {
 
 	// Render the command
 	var buf bytes.Buffer

diff --git a/connect-inject/handler.go b/connect-inject/handler.go
@@ -70,6 +70,11 @@ const (
 	// registration. This is specified in the format `<key>:<value>`
 	// e.g. consul.hashicorp.com/service-meta-foo:bar
 	annotationMeta = "consul.hashicorp.com/service-meta-"
+
+	// annotationSyncPeriod controls the -sync-period flag passed to the
+	// consul-k8s lifecycle-sidecar command. This flag controls how often the
+	// service is synced (i.e. re-registered) with the local agent.
+	annotationSyncPeriod = "consul.hashicorp.com/connect-sync-period"
 )
 
 var (
@@ -93,6 +98,10 @@ type Handler struct {
 	ImageConsul string
 	ImageEnvoy  string
 
+	// ImageConsulK8S is the container image for consul-k8s to use.
+	// This image is used for the lifecycle-sidecar container.
+	ImageConsulK8S string
+
 	// RequireAnnotation means that the annotation must be given to inject.
 	// If this is false, injection is default.
 	RequireAnnotation bool
@@ -248,18 +257,19 @@ func (h *Handler) Mutate(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionRespon
 		[]corev1.Container{container},
 		"/spec/initContainers")...)
 
-	// Add the Envoy sidecar
-	esContainer, err := h.containerSidecar(&pod)
+	// Add the Envoy and lifecycle sidecars.
+	esContainer, err := h.envoySidecar(&pod)
 	if err != nil {
 		return &v1beta1.AdmissionResponse{
 			Result: &metav1.Status{
 				Message: fmt.Sprintf("Error configuring injection sidecar container: %s", err),
 			},
 		}
 	}
+	connectContainer := h.lifecycleSidecar(&pod)
 	patches = append(patches, addContainer(
 		pod.Spec.Containers,
-		[]corev1.Container{esContainer},
+		[]corev1.Container{esContainer, connectContainer},
 		"/spec/containers")...)
 
 	// Add annotations so that we know we're injected

diff --git a/connect-inject/handler_test.go b/connect-inject/handler_test.go
@@ -88,6 +88,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/containers/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/containers/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/metadata/annotations/" + escapeJSONPointer(annotationStatus),
@@ -143,6 +147,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/containers/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/containers/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/metadata/annotations/" + escapeJSONPointer(annotationStatus),
@@ -200,6 +208,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/containers/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/containers/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/metadata/annotations/" + escapeJSONPointer(annotationStatus),
@@ -234,6 +246,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/containers/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/containers/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/metadata/annotations/" + escapeJSONPointer(annotationStatus),
@@ -269,6 +285,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/containers/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/containers/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/metadata/annotations/" + escapeJSONPointer(annotationStatus),
@@ -306,6 +326,10 @@ func TestHandlerHandle(t *testing.T) {
 					Operation: "add",
 					Path:      "/spec/containers/-",
 				},
+				{
+					Operation: "add",
+					Path:      "/spec/containers/-",
+				},
 				{
 					Operation: "add",
 					Path:      "/metadata/annotations/" + escapeJSONPointer(annotationStatus),

diff --git a/connect-inject/lifecycle_sidecar.go b/connect-inject/lifecycle_sidecar.go
@@ -0,0 +1,46 @@
+package connectinject
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"strings"
+)
+
+func (h *Handler) lifecycleSidecar(pod *corev1.Pod) corev1.Container {
+	command := []string{
+		"consul-k8s",
+		"lifecycle-sidecar",
+		"-service-config", "/consul/connect-inject/service.hcl",
+	}
+	if h.AuthMethod != "" {
+		command = append(command, "-token-file=/consul/connect-inject/acl-token")
+	}
+	if period, ok := pod.Annotations[annotationSyncPeriod]; ok {
+		command = append(command, "-sync-period="+strings.TrimSpace(period))
+	}
+
+	return corev1.Container{
+		Name:  "consul-connect-lifecycle-sidecar",
+		Image: h.ImageConsulK8S,
+		Env: []corev1.EnvVar{
+			{
+				Name: "HOST_IP",
+				ValueFrom: &corev1.EnvVarSource{
+					FieldRef: &corev1.ObjectFieldSelector{FieldPath: "status.hostIP"},
+				},
+			},
+			// Kubernetes will interpolate HOST_IP when creating this environment
+			// variable.
+			{
+				Name:  "CONSUL_HTTP_ADDR",
+				Value: "$(HOST_IP):8500",
+			},
+		},
+		VolumeMounts: []corev1.VolumeMount{
+			{
+				Name:      volumeName,
+				MountPath: "/consul/connect-inject",
+			},
+		},
+		Command: command,
+	}
+}
diff --git a/connect-inject/lifecycle_sidecar_test.go b/connect-inject/lifecycle_sidecar_test.go
@@ -0,0 +1,113 @@
+package connectinject
+
+import (
+	"github.com/hashicorp/go-hclog"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"testing"
+)
+
+// NOTE: This is tested here rather than in handler_test because doing it there
+// would require a lot of boilerplate to get at the underlying patches that would
+// complicate understanding the tests (which are simple).
+
+// Test that the lifecycle sidecar is as expected.
+func TestLifecycleSidecar_Default(t *testing.T) {
+	handler := Handler{
+		Log:            hclog.Default().Named("handler"),
+		ImageConsulK8S: "hashicorp/consul-k8s:9.9.9",
+	}
+	container := handler.lifecycleSidecar(&corev1.Pod{
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{
+					Name: "web",
+				},
+			},
+		},
+	})
+	require.Equal(t, corev1.Container{
+		Name:  "consul-connect-lifecycle-sidecar",
+		Image: "hashicorp/consul-k8s:9.9.9",
+		Env: []corev1.EnvVar{
+			{
+				Name: "HOST_IP",
+				ValueFrom: &corev1.EnvVarSource{
+					FieldRef: &corev1.ObjectFieldSelector{FieldPath: "status.hostIP"},
+				},
+			},
+			{
+				Name:  "CONSUL_HTTP_ADDR",
+				Value: "$(HOST_IP):8500",
+			},
+		},
+		VolumeMounts: []corev1.VolumeMount{
+			{
+				Name:      volumeName,
+				MountPath: "/consul/connect-inject",
+			},
+		},
+		Command: []string{
+			"consul-k8s", "lifecycle-sidecar",
+			"-service-config", "/consul/connect-inject/service.hcl",
+		},
+	}, container)
+}
+
+// Test that if there's an auth method we set the -token-file flag
+// and if there isn't we don't.
+func TestLifecycleSidecar_AuthMethod(t *testing.T) {
+	for _, authMethod := range []string{"", "auth-method"} {
+		t.Run("authmethod: "+authMethod, func(t *testing.T) {
+			handler := Handler{
+				Log:            hclog.Default().Named("handler"),
+				AuthMethod:     authMethod,
+				ImageConsulK8S: "hashicorp/consul-k8s:9.9.9",
+			}
+			container := handler.lifecycleSidecar(&corev1.Pod{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: "web",
+						},
+					},
+				},
+			})
+
+			if authMethod == "" {
+				require.NotContains(t, container.Command, "-token-file=/consul/connect-inject/acl-token")
+			} else {
+				require.Contains(t,
+					container.Command,
+					"-token-file=/consul/connect-inject/acl-token",
+				)
+			}
+		})
+	}
+}
+
+// Test that if there's an annotation on the original pod that changes the sync
+// period we use that value.
+func TestLifecycleSidecar_SyncPeriodAnnotation(t *testing.T) {
+	handler := Handler{
+		Log:            hclog.Default().Named("handler"),
+		ImageConsulK8S: "hashicorp/consul-k8s:9.9.9",
+	}
+	container := handler.lifecycleSidecar(&corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				"consul.hashicorp.com/connect-sync-period": "55s",
+			},
+		},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{
+					Name: "web",
+				},
+			},
+		},
+	})
+
+	require.Contains(t, container.Command, "-sync-period=55s")
+}
diff --git a/go.mod b/go.mod
@@ -6,6 +6,8 @@ require (
 	github.com/SAP/go-hdb v0.12.1 // indirect
 	github.com/SermoDigital/jose v0.9.1 // indirect
 	github.com/StackExchange/wmi v0.0.0-20180725035823-b12b22c5341f // indirect
+	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
+	github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf // indirect
 	github.com/cenkalti/backoff v2.1.1+incompatible
@@ -42,13 +44,14 @@ require (
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/prometheus/client_golang v0.8.0 // indirect
 	github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910 // indirect
-	github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e // indirect
+	github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e
 	github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273 // indirect
 	github.com/radovskyb/watcher v1.0.2
 	github.com/shirou/gopsutil v2.17.12+incompatible // indirect
-	github.com/stretchr/testify v1.3.0
+	github.com/stretchr/testify v1.4.0
 	github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 // indirect
 	google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107 // indirect
+	gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 	gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce // indirect
 	k8s.io/api v0.0.0-20190325185214-7544f9db76f6
 	k8s.io/apimachinery v0.0.0-20190223001710-c182ff3b9841

diff --git a/go.sum b/go.sum
@@ -32,6 +32,10 @@ github.com/StackExchange/wmi v0.0.0-20180725035823-b12b22c5341f h1:5ZfJxyXo8KyX8
 github.com/StackExchange/wmi v0.0.0-20180725035823-b12b22c5341f/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
 github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af h1:DBNMBMuMiWYu0b+8KMJuWmfCkcxl09JwdlqwDZZ6U14=
 github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d h1:UQZhZ2O0vMHr2cI+DC1Mbh0TJxzA3RcLoMsFw+aXw7E=
+github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e h1:QEF07wC0T1rKkctt1RINW/+RMTVmiwxETico2l3gxJA=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da h1:8GUt8eRujhVEGZFFEjBj46YV4rDjvGrNxb0KMWYkL2I=
@@ -382,6 +386,8 @@ github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/tent/http-link-go v0.0.0-20130702225549-ac974c61c2f9 h1:/Bsw4C+DEdqPjt8vAqaC9LAqpAQnaCQQqmolqq3S1T4=
 github.com/tent/http-link-go v0.0.0-20130702225549-ac974c61c2f9/go.mod h1:RHkNRtSLfOK7qBTHaeSX1D6BNpI3qw7NTxsmNr4RvN8=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 h1:G3dpKMzFDjgEh2q1Z7zUUtKa8ViPtH+ocF0bE0g00O8=
@@ -447,6 +453,8 @@ google.golang.org/grpc v1.19.0 h1:cfg4PD8YEdSFnm7qLV4++93WcmhH2nIUhMjhdCvl3j8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 gopkg.in/airbrake/gobrake.v2 v2.0.9 h1:7z2uVWwn7oVeeugY1DtlPAy5H+KYgB1KeKTnqjNatLo=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -466,6 +474,8 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=