
Add new lifecycle-sidecar command #176

Merged
merged 1 commit into from
Dec 17, 2019

Conversation

@lkysow lkysow (Member) commented Dec 11, 2019

This command is expected to run in a sidecar in all Connect
injected Pods. The command ensures that the service is registered with
the node's Consul client by re-registering the service on a configurable
period. This is necessary because if the Consul Client is restarted,
e.g. during an upgrade, it loses its registrations. With this sidecar,
the service will be re-registered once the new Client starts.

The command is generically named "lifecycle-sidecar" (i.e. rather than
re-registerer) to make room for more functionality in the future, e.g.
renewing tokens.

This change also updates the mutating webhook code to add the
connect-sidecar as a sidecar to Connect injected Pods. It adds a new
required flag to connect-inject: -consul-k8s-image that controls the
image used for the sidecar.

Fixes #161, #171

Design decisions that deserve scrutiny:

  • naming of the command and sidecar (connect-sidecar) (update: this is now lifecycle-sidecar)
  • the new annotation on the Pods that can be used to control the sync-period consul.hashicorp.com/connect-sync-period
  • the default sync period (10s)
  • the name "sync period"
  • the design of the work loop (clearly coded? good error handling?)

To run yourself

  • Edit the connect-inject-deployment.yaml as follows:
     {{ if .Values.connectInject.imageEnvoy -}}
     -envoy-image="{{ .Values.connectInject.imageEnvoy }}" \
     {{ end -}}
    + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \
  • Use Helm config:
    connectInject:
      enabled: true
    global:
      imageK8S: lkysow/consul-k8s-dev:dec11
      bootstrapACLs: true # or false, should work with both
  • Apply the Pod:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: static-server
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      name: static-server
      annotations:
        "consul.hashicorp.com/connect-inject": "true"
    spec:
      containers:
        # This name will be the service name in Consul.
        - name: static-server
          image: hashicorp/http-echo:latest
          args:
            - -text="hello world"
            - -listen=:8080
          ports:
            - containerPort: 8080
              name: http
      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
      serviceAccountName: static-server
  • Note that the Pod comes up with 3 containers and that the consul-connect-sidecar container is running
  • Find the Node that the Pod is on and the corresponding Consul client on that node
  • Delete the Consul client Pod
  • When the Pod restarts, the service should be re-registered in Consul
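The work loop and the sync-period annotation described above, written out as an added example. This is not the consul-k8s code: the `SyncPeriodFromAnnotations` helper, the `Registrar` interface, the `FakeAgent` stand-in and the log wording are assumptions made for the example; the annotation key `consul.hashicorp.com/connect-sync-period` and the 10s default are taken from the description. The loop registers immediately, then once per period, and treats a failed registration as something to log and retry rather than a reason to exit, since a restarting client is exactly the condition the sidecar is there to ride out.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"sync"
	"time"
)

// Annotation key and default sync period as proposed in the PR description.
const (
	syncPeriodAnnotation = "consul.hashicorp.com/connect-sync-period"
	defaultSyncPeriod    = 10 * time.Second
)

// SyncPeriodFromAnnotations (hypothetical helper, not in consul-k8s) resolves
// the sync period, rejecting values that would make the loop spin or never run.
func SyncPeriodFromAnnotations(annotations map[string]string) (time.Duration, error) {
	raw, ok := annotations[syncPeriodAnnotation]
	if !ok || raw == "" {
		return defaultSyncPeriod, nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("invalid %s %q: %w", syncPeriodAnnotation, raw, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("invalid %s %q: must be positive", syncPeriodAnnotation, raw)
	}
	return d, nil
}

// Registrar is the one call the sidecar repeats: registering the service (and
// its proxy) with the local Consul client. An interface keeps the loop testable.
type Registrar interface {
	Register(ctx context.Context) error
}

// RegisterLoop registers immediately, then once per syncPeriod until ctx is
// cancelled. A failure is logged and retried on the next tick instead of
// aborting. It returns the number of successful and failed attempts.
func RegisterLoop(ctx context.Context, r Registrar, syncPeriod time.Duration, logf func(string, ...interface{})) (ok, failed int) {
	ticker := time.NewTicker(syncPeriod)
	defer ticker.Stop()
	for {
		if err := r.Register(ctx); err != nil {
			failed++
			logf("service registration failed, retrying in %s: %v", syncPeriod, err)
		} else {
			ok++
		}
		select {
		case <-ctx.Done():
			return ok, failed
		case <-ticker.C:
		}
	}
}

// FakeAgent is a constructed stand-in for the Consul client: it refuses the
// first failUntil registrations (a client still restarting) and accepts the rest.
type FakeAgent struct {
	mu        sync.Mutex
	failUntil int
	calls     int
}

func (f *FakeAgent) Register(ctx context.Context) error {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.calls++
	if f.calls <= f.failUntil {
		return errors.New("dial tcp: connection refused (client restarting)")
	}
	return nil
}

// Calls reports how many registration attempts the fake agent has seen.
func (f *FakeAgent) Calls() int {
	f.mu.Lock()
	defer f.mu.Unlock()
	return f.calls
}

func main() {
	period, err := SyncPeriodFromAnnotations(map[string]string{syncPeriodAnnotation: "20ms"})
	if err != nil {
		log.Fatal(err)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()
	agent := &FakeAgent{failUntil: 2}
	ok, failed := RegisterLoop(ctx, agent, period, log.Printf)
	fmt.Printf("attempts=%d ok=%d failed=%d\n", agent.Calls(), ok, failed)
}
```

Registering on the first iteration rather than waiting for the first tick matters: with a 10s default period, the service would otherwise be absent from Consul for up to 10s after every client restart, on top of the time the client itself takes to come back. Rejecting a zero or negative period guards against a hot loop against the local agent from a mistyped annotation.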

@lkysow lkysow requested a review from a team December 11, 2019 19:09
@lkysow lkysow force-pushed the connect-sidecar branch 3 times, most recently from b556749 to ff006ef on December 11, 2019 19:51
@@ -6,6 +6,8 @@ require (
github.com/SAP/go-hdb v0.12.1 // indirect
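Review bot: the `@@ -6,6 +6,8 @@ require (` header shows two lines being added to the go.mod require block, and the only visible context is the `// indirect` entry for github.com/SAP/go-hdb, i.e. transitive dependency churn that is unrelated to the sidecar feature. Suggest dropping the incidental updates from this PR, or confirming they are actually needed and that go.sum changes in step, so the dependency diff stays reviewable and an unintended version bump cannot ride in with the feature.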
@lkysow (Member Author):

Go kept updating these for me.

@lkysow lkysow added area/connect Related to Connect service mesh, e.g. injection type/bug Something isn't working labels Dec 11, 2019
@lkysow lkysow force-pushed the connect-sidecar branch 2 times, most recently from b1eaa5e to c1c2b90 on December 12, 2019 18:22
@ishustava ishustava (Contributor) left a comment

Luke, this looks awesome. I did some basic testing on my cluster, and it works great!

I've left a couple of comments and suggestions.

My only other general feedback is to add some sort of integration test to check that this sidecar is actually added to the pod. Currently, we are checking the patch operations in the handler_test.go, but it would be nice if we could also check the containers that have been added, not sure if that's possible though.

func (h *Handler) connectSidecar(pod *corev1.Pod) corev1.Container {
command := []string{
"consul-k8s",
"connect-sidecar",
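Review bot: the subcommand string `"connect-sidecar"` passed to the `consul-k8s` binary here does not match the `lifecycle-sidecar` name the PR was later retitled to. When renaming, change this string, the `connectSidecar` method name and the injected container's name together: a command the binary does not recognise will only show up as a crash-looping sidecar in every injected Pod at runtime, not at build time.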
@ishustava (Contributor):

Maybe consul-service-register-sidecar or something like that, to err on the side of being more descriptive.

@lkysow (Member Author):

The command is generically named "connect-sidecar" (i.e. rather than
re-registerer) to make room for more functionality in the future, e.g.
renewing tokens.

We could change that later I suppose, however folks might have tooling built around the name. I don't mind either way.

@ishustava (Contributor):

Ah that's right! How about consul-agent-sidecar?

@lkysow (Member Author):

That's a bit misleading as consul-agent might make folks think of an actual consul agent running in there.

// variable.
{
Name: "CONSUL_HTTP_ADDR",
Value: "$(HOST_IP):8500",
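Review bot: `Value: "$(HOST_IP):8500"` hard-codes the Consul client's default HTTP port and, by implication, plaintext HTTP to the node address; a client running on a non-default port or with TLS enabled on its HTTP interface will reject the sidecar's registrations and the Pod will never be registered. Suggest sourcing the address and scheme from the same connect-inject flags that already describe the client, and documenting that `$(HOST_IP)` is only expanded by Kubernetes if a `HOST_IP` entry appears earlier in this container's env list, which the `// variable.` comment fragment above appears to rely on.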
@ishustava (Contributor):

That's cool, I didn't know you could interpolate env variables in the env block.

(Two further review threads on subcommand/connect-sidecar/command_test.go were marked outdated and resolved.)
}
var consulAPICalls []APICall
go func() {
err := http.ListenAndServe(fmt.Sprintf(":%d", randomPort), http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
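Review bot: `consulAPICalls` is declared here and will presumably be appended to from the handler running inside the `http.ListenAndServe` goroutine while the test goroutine reads it back, which `go test -race` will flag as a data race; guard it with a `sync.Mutex` or deliver each `APICall` over a channel the test drains. Likewise the `err` from `http.ListenAndServe` is captured inside the goroutine, where `t.Fatal` must not be called; report it with `t.Error` or send it on a channel the test checks before asserting.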
@ishustava (Contributor):

Any reason we don't want to use the consul test agent in these tests?

@lkysow (Member Author):

It was because I didn't think I could configure the port for the Consul test agent and that I could only use whichever port it gave me. This wouldn't work because I need to know the port beforehand so I can start the command before the agent is actually listening on that port.

Thanks to your comment, I tried setting the port in the config and it actually worked so I've changed this to use the test agent now!

Comment on lines 218 to 222
services {
id = "service-id-sidecar-proxy"
name = "service-sidecar-proxy"
port = 2000
kind = "connect-proxy"
@ishustava (Contributor):

The indentation is a bit off here, and GitHub doesn't let me edit multiple lines.

@lkysow (Member Author):

It had spaces in there and the rest was tabs! #embarrassing

@lkysow lkysow (Member Author) commented Dec 12, 2019

My only other general feedback is to add some sort of integration test to check that this sidecar is actually added to the pod. Currently, we are checking the patch operations in the handler_test.go, but it would be nice if we could also check the containers that have been added, not sure if that's possible though.

I don't think we can do this without running a Kube cluster. The handle function returns an AdmissionResponse that only contains the patches. Kube handles adding those patches and forming the pod.

func (h *Handler) Mutate(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
// AdmissionResponse describes an admission response.
type AdmissionResponse struct {
...
	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
	// +optional
	Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`
}
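One way to check the injected containers without a cluster is to apply the JSON Patch carried in `AdmissionResponse.Patch` to the Pod document inside the test and then inspect `spec.containers`. The following is an added example, not the project's handler_test.go: the sample Pod and patch are constructed (the Pod mirrors the static-server Pod from the description, the sidecar image is a placeholder), and only the RFC 6902 `add` operation is implemented, since appending a container and setting an annotation is all that injection needs here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// SamplePod is a constructed Pod object as the API server would hand it to the webhook.
const SamplePod = `{"apiVersion":"v1","kind":"Pod",
 "metadata":{"name":"static-server","annotations":{"consul.hashicorp.com/connect-inject":"true"}},
 "spec":{"containers":[{"name":"static-server","image":"hashicorp/http-echo:latest"}]}}`

// SamplePatch is a constructed stand-in for AdmissionResponse.Patch (placeholder image).
const SamplePatch = `[
 {"op":"add","path":"/spec/containers/-",
  "value":{"name":"consul-connect-sidecar","image":"consul-k8s:PLACEHOLDER","command":["consul-k8s","lifecycle-sidecar"]}},
 {"op":"add","path":"/metadata/annotations/consul.hashicorp.com~1connect-sync-period","value":"10s"}]`

// PatchOp is one RFC 6902 operation; only "add" is implemented in this example.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// ApplyPatch applies patch to doc and returns the resulting object, so a test
// can assert on the containers Kubernetes would actually create.
func ApplyPatch(doc, patch []byte) (root interface{}, err error) {
	var ops []PatchOp
	if err = json.Unmarshal(doc, &root); err != nil {
		return nil, fmt.Errorf("decode document: %w", err)
	}
	if err = json.Unmarshal(patch, &ops); err != nil {
		return nil, fmt.Errorf("decode patch: %w", err)
	}
	for _, op := range ops {
		if op.Op != "add" || !strings.HasPrefix(op.Path, "/") {
			return nil, fmt.Errorf("unsupported op %q at %q", op.Op, op.Path)
		}
		tokens := strings.Split(op.Path[1:], "/")
		for i, tok := range tokens { // RFC 6901 unescaping: ~1 before ~0
			tokens[i] = strings.ReplaceAll(strings.ReplaceAll(tok, "~1", "/"), "~0", "~")
		}
		if root, err = add(root, tokens, op.Value); err != nil {
			return nil, fmt.Errorf("add %s: %w", op.Path, err)
		}
	}
	return root, nil
}

// add inserts value at tokens under node; arrays may be reallocated, hence the return.
func add(node interface{}, tokens []string, value interface{}) (out interface{}, err error) {
	tok, rest := tokens[0], tokens[1:]
	switch n := node.(type) {
	case map[string]interface{}:
		if len(rest) == 0 {
			n[tok] = value
			return n, nil
		}
		child, ok := n[tok]
		if !ok {
			return nil, fmt.Errorf("no member %q", tok)
		}
		n[tok], err = add(child, rest, value) // on error the caller discards the document
		return n, err
	case []interface{}:
		idx, perr := strconv.Atoi(tok)
		if tok == "-" && len(rest) == 0 { // "-" means append (RFC 6902)
			idx, perr = len(n), nil
		}
		if perr != nil || idx < 0 || idx > len(n) || (len(rest) > 0 && idx == len(n)) {
			return nil, fmt.Errorf("bad array index %q", tok)
		}
		if len(rest) > 0 {
			n[idx], err = add(n[idx], rest, value)
			return n, err
		}
		n = append(n, nil) // insert before idx; idx == len(n) appends
		copy(n[idx+1:], n[idx:])
		n[idx] = value
		return n, nil
	default:
		return nil, fmt.Errorf("cannot descend into %T at %q", node, tok)
	}
}

// ContainerNames returns spec.containers[*].name from the patched object.
func ContainerNames(pod interface{}) (names []string) {
	obj, _ := pod.(map[string]interface{})
	spec, _ := obj["spec"].(map[string]interface{})
	list, _ := spec["containers"].([]interface{})
	for _, c := range list {
		m, _ := c.(map[string]interface{})
		if name, ok := m["name"].(string); ok {
			names = append(names, name)
		}
	}
	return names
}

func main() {
	pod, err := ApplyPatch([]byte(SamplePod), []byte(SamplePatch))
	fmt.Println(ContainerNames(pod), err)
}
```

Asserting on the patched object rather than on the raw list of operations catches a class of bugs the operation list hides, such as an `add` whose path points at a parent that does not exist in the incoming Pod or an array index off the end of `containers`, both of which this applier rejects the way the API server would.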

@lkysow lkysow changed the title Add new connect-sidecar command Add new lifecycle-sidecar command Dec 12, 2019
@lkysow lkysow force-pushed the connect-sidecar branch 2 times, most recently from 8e6cd87 to 3ec7cab on December 13, 2019 23:21
@lkysow lkysow requested review from ishustava and a team December 16, 2019 17:31
This command is expected to run in a sidecar in all Connect
injected Pods. The command ensures that the service is registered with
the node's Consul client by re-registering the service on a configurable
period. This is necessary because if the Consul Client is restarted,
e.g. during an upgrade, it loses its registrations. With this sidecar,
the service will be re-registered once the new Client starts.

The command is generically named "lifecycle-sidecar" (i.e. rather than
re-registerer) to make room for more functionality in the future, e.g.
renewing tokens.

This change also updates the mutating webhook code to add the
lifecycle-sidecar as a sidecar to Connect injected Pods. It adds a new
required flag to connect-inject: `-consul-k8s-image` that controls the
image used for the sidecar.
Successfully merging this pull request may close these issues.

Lost and don't reconnect app after consul client pod died