fixed: kubelet probe failed with envoy redirect (#2)

pkg/sandbox/sidecar/envoy.go

@@ -25,6 +25,7 @@ import (
 	originaldst "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_dst/v3"
 	http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
+	"github.com/golang/protobuf/ptypes/any"
 	"github.com/golang/protobuf/ptypes/duration"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
@@ -127,12 +128,12 @@ func getEnvoyContainerPorts() []corev1.ContainerPort {
 	return containerPorts
 }
 
-func getEnvoyConfig(username string, injectPolicy, injectWs, injectUpload bool, appDomains []string) string {
+func getEnvoyConfig(username string, injectPolicy, injectWs, injectUpload bool, appDomains []string, pod *corev1.Pod) string {
 	setCookieInlineCode, err := genEnvoySetCookieScript(appDomains)
 	if err != nil {
 		klog.Errorf("Failed to get setCookieInlineCode err=%v", err)
 	}
-	ec := New(username, setCookieInlineCode)
+	ec := New(username, setCookieInlineCode, getHTTProbePath(pod))
 	if injectPolicy {
 		ec.WithPolicy()
 	}
@@ -291,7 +292,7 @@ var httpM *http_connection_manager.HttpConnectionManager
 var routeConfig *routev3.RouteConfiguration
 
 // New build a new envoy config.
-func New(username string, inlineCode []byte) *envoyConfig {
+func New(username string, inlineCode []byte, probesPath []string) *envoyConfig {
 	httpFilters = []*http_connection_manager.HttpFilter{
 		{
 			Name: "envoy.filters.http.router",
@@ -318,6 +319,17 @@ func New(username string, inlineCode []byte) *envoyConfig {
 			{
 				Name:    "service",
 				Domains: []string{"*"},
+				TypedPerFilterConfig: map[string]*any.Any{
+					"envoy.filters.http.ext_authz": utils.MessageToAny(&envoy_authz.ExtAuthzPerRoute{
+						Override: &envoy_authz.ExtAuthzPerRoute_CheckSettings{
+							CheckSettings: &envoy_authz.CheckSettings{
+								ContextExtensions: map[string]string{
+									"virtual_host": "service",
+								},
+							},
+						},
+					}),
+				},
 				Routes: []*routev3.Route{
 					{
 						Match: &routev3.RouteMatch{
@@ -337,6 +349,30 @@ func New(username string, inlineCode []byte) *envoyConfig {
 			},
 		},
 	}
+	for _, path := range probesPath {
+		routeConfig.VirtualHosts[0].Routes = append(
+			[]*routev3.Route{{
+				Match: &routev3.RouteMatch{
+					PathSpecifier: &routev3.RouteMatch_Prefix{
+						Prefix: path,
+					},
+				},
+				Action: &routev3.Route_Route{
+					Route: &routev3.RouteAction{
+						ClusterSpecifier: &routev3.RouteAction_Cluster{
+							Cluster: "original_dst",
+						},
+					},
+				},
+				TypedPerFilterConfig: map[string]*any.Any{
+					"envoy.filters.http.ext_authz": utils.MessageToAny(&envoy_authz.ExtAuthzPerRoute{
+						Override: &envoy_authz.ExtAuthzPerRoute_Disabled{
+							Disabled: true,
+						},
+					}),
+				},
+			}}, routeConfig.VirtualHosts[0].Routes...)
+	}
 
 	httpM = &http_connection_manager.HttpConnectionManager{
 		StatPrefix: "desktop_http",

pkg/sandbox/sidecar/set_cookie_tpl.go

@@ -3,6 +3,8 @@ package sidecar
 import (
 	"bytes"
 	"text/template"
+
+	corev1 "k8s.io/api/core/v1"
 )
 
 const envoySetCookie = `
@@ -130,3 +132,18 @@ func genEnvoySetCookieScript(appDomains []string) ([]byte, error) {
 	}
 	return envoySetCookie.Bytes(), nil
 }
+
+func getHTTProbePath(pod *corev1.Pod) (probesPath []string) {
+	for _, c := range pod.Spec.Containers {
+		if c.LivenessProbe != nil && c.LivenessProbe.HTTPGet != nil {
+			probesPath = append(probesPath, c.LivenessProbe.HTTPGet.Path)
+		}
+		if c.ReadinessProbe != nil && c.ReadinessProbe.HTTPGet != nil {
+			probesPath = append(probesPath, c.ReadinessProbe.HTTPGet.Path)
+		}
+		if c.StartupProbe != nil && c.StartupProbe.HTTPGet != nil {
+			probesPath = append(probesPath, c.StartupProbe.HTTPGet.Path)
+		}
+	}
+	return probesPath
+}

pkg/sandbox/sidecar/sidecar.go

@@ -8,14 +8,14 @@ import (
 )
 
 // GetSidecarConfigMap returns a configmap that data is envoy.yaml.
-func GetSidecarConfigMap(configMapName, namespace, username string, injectPolicy, injectWs, injectUpload bool, appDomains []string) *corev1.ConfigMap {
+func GetSidecarConfigMap(configMapName, namespace, username string, injectPolicy, injectWs, injectUpload bool, appDomains []string, pod *corev1.Pod) *corev1.ConfigMap {
 	return &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      configMapName,
 			Namespace: namespace,
 		},
 		Data: map[string]string{
-			constants.EnvoyConfigFileName: getEnvoyConfig(username, injectPolicy, injectWs, injectUpload, appDomains),
+			constants.EnvoyConfigFileName: getEnvoyConfig(username, injectPolicy, injectWs, injectUpload, appDomains, pod),
 		},
 	}
 }

pkg/webhook/webhook.go

@@ -131,7 +131,7 @@ func (wh *Webhook) CreatePatch(
 		return makePatches(req, pod)
 	}
 
-	configMapName, err := wh.createSidecarConfigMap(ctx, proxyUUID.String(), req.Namespace, injectPolicy, injectWs, injectUpload)
+	configMapName, err := wh.createSidecarConfigMap(ctx, pod, proxyUUID.String(), req.Namespace, injectPolicy, injectWs, injectUpload)
 	if err != nil {
 		return nil, err
 	}
@@ -254,7 +254,7 @@ func (wh *Webhook) isAppEntrancePod(ctx context.Context, appname, host string, p
 }
 
 func (wh *Webhook) createSidecarConfigMap(
-	ctx context.Context,
+	ctx context.Context, pod *corev1.Pod,
 	proxyUUID, namespace string, injectPolicy, injectWs, injectUpload bool,
 ) (string, error) {
 	configMapName := fmt.Sprintf("%s-%s", constants.SidecarConfigMapVolumeName, proxyUUID)
@@ -290,7 +290,7 @@ func (wh *Webhook) createSidecarConfigMap(
 		}
 	}
 
-	newConfigMap := sidecar.GetSidecarConfigMap(configMapName, namespace, appcfg.OwnerName, injectPolicy, injectWs, injectUpload, appDomains)
+	newConfigMap := sidecar.GetSidecarConfigMap(configMapName, namespace, appcfg.OwnerName, injectPolicy, injectWs, injectUpload, appDomains, pod)
 	if e == nil {
 		// configmap found
 		cm.Data = newConfigMap.Data