From 12f96fdc519ad9bf9db2066c3b1d800cd4964ed2 Mon Sep 17 00:00:00 2001
From: Matt Beckett
Date: Sat, 29 Apr 2023 17:39:23 +0100
Subject: [PATCH 01/21] Add abillity to annotate a pod for a sidecar to be created and configured for a wireguard peer.
---
 cmd/manager/main.go | 29 +++-
 go.mod | 1 +
 images/sidecar/Dockerfile | 0
 images/sidecar/start-wireguard.sh | 17 ++
 .../wireguardsidecar_controller.go | 163 ++++++++++++++++++
 5 files changed, 202 insertions(+), 8 deletions(-)
 create mode 100644 images/sidecar/Dockerfile
 create mode 100644 images/sidecar/start-wireguard.sh
 create mode 100644 pkg/controllers/wireguardsidecar_controller.go
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 471f7610..ce6e3e00 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -50,18 +50,22 @@ func init() { } func main() { - var agentImagePullPolicy string + var wgImage string + var wgAgentImagePullPolicy string + var wgSidecarImage string + var wgSidecarAgentImagePullPolicy string var metricsAddr string var enableLeaderElection bool var probeAddr string - var wgImage string + flag.BoolVar(&enableLeaderElection, "leader-elect", false, flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") - flag.StringVar(&wgImage, "agent-image", "", "The image used for wireguard server") - flag.BoolVar(&enableLeaderElection, "leader-elect", false, - "Enable leader election for controller manager. "+ - "Enabling this will ensure there is only one active controller manager.") - flag.StringVar(&agentImagePullPolicy, "agent-image-pull-policy", "IfNotPresent", "Use userspace implementation") + flag.StringVar(&wgSidecarImage, "sidecar-image", "ghcr.io/jodevsa/wireguard-operator/sidecar:latest", "The image used for wireguard sidecar") + flag.StringVar(&wgSidecarImagePullPolicy, "sidecar-image-pull-policy", "IfNotPresent", "imagePullPolicy for wireguard sidecar") + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + flag.StringVar(&wgImage, "agent-image", "ghcr.io/jodevsa/wireguard-operator/agent:latest", "The image used for wireguard server") + flag.StringVar(&wgAgentImagePullPolicy, "agent-image-pull-policy", "IfNotPresent", "Use userspace implementation") opts := zap.Options{ Development: true, } 
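Review bot: The new flag block does not compile: `flag.BoolVar(&enableLeaderElection, "leader-elect", false,` is left open and its two help-string continuation lines now sit after the `sidecar-image` and `sidecar-image-pull-policy` StringVar calls, and the pull-policy variable is declared as `wgSidecarAgentImagePullPolicy` but referenced as `wgSidecarImagePullPolicy`. Moving the two string lines directly after the BoolVar call and renaming the declaration to `var wgSidecarImagePullPolicy string` restores a valid statement. The body of main continues past the hunk.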
@@ -92,7 +96,7 @@ func main() {
 Client: mgr.GetClient(),
 Scheme: mgr.GetScheme(),
 AgentImage: wgImage,
- AgentImagePullPolicy: v1.PullPolicy(agentImagePullPolicy),
+ AgentImagePullPolicy: v1.PullPolicy(wgAgentImagePullPolicy),
 }).SetupWithManager(mgr); err != nil {
 setupLog.Error(err, "unable to create controller", "controller", "Wireguard")
 os.Exit(1)
@@ -104,6 +108,15 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "WireguardPeer")
 os.Exit(1)
 }
+ if err = (&controllers.WireguardSidecarReconciler{
+ Client: mgr.GetClient(),
+ Scheme: mgr.GetScheme(),
+ SidecarImage: wgSidecarImage,
+ SidecarImagePullPolicy: v1.PullPolicy(wgSidecarImagePullPolicy),
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "WireguardSidecar")
+ os.Exit(1)
+ }
 //+kubebuilder:scaffold:builder
 if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
diff --git a/go.mod b/go.mod
index d23120e1..f5ee971c 100644
--- a/go.mod
+++ b/go.mod
@@ -15,6 +15,7 @@ require (
 github.com/mdlayher/netlink v1.7.1 // indirect
 github.com/onsi/ginkgo v1.16.4
 github.com/onsi/gomega v1.24.1
+ github.com/pkg/errors v0.9.1
 github.com/vishvananda/netlink v1.1.0
 go.opentelemetry.io/contrib v0.20.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect
diff --git a/images/sidecar/Dockerfile b/images/sidecar/Dockerfile
new file mode 100644
index 00000000..e69de29b
diff --git a/images/sidecar/start-wireguard.sh b/images/sidecar/start-wireguard.sh
new file mode 100644
index 00000000..582d5fbf
--- /dev/null
+++ b/images/sidecar/start-wireguard.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+# Generate WireGuard keys
+umask 077
+
+# Start WireGuard
+wg-quick up wg0
+
+# Configure iptables to route traffic over the VPN
+iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
+iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
+iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
+
+# Start the main container process
+exec "$@"
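Review bot: Both `wg-quick up wg0` and the `iptables` lines require `CAP_NET_ADMIN`, yet the sidecar container the controller injects for this script carries no securityContext, so under the default container capability set every command after `set -e` fails and the container exits; the injecting code should set `SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}}}` on the sidecar container. The comment `# Generate WireGuard keys` describes nothing the script does — `umask 077` only restricts the mode of files created afterwards, and the keys arrive inside the `wg0.conf` that is mounted from the ConfigMap — so reword it to `# Restrict the mode of anything created below; wg0.conf (keys included) is mounted by the operator`. The FORWARD and MASQUERADE rules only act on forwarded packets; for a sidecar that shares the pod's network namespace the application's own traffic leaves through OUTPUT and is steered by the routes `wg-quick` installs, so these rules are likely no-ops unless the pod is meant to forward for other hosts, and a comment stating the intended topology would make that reviewable.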
diff --git a/pkg/controllers/wireguardsidecar_controller.go b/pkg/controllers/wireguardsidecar_controller.go
new file mode 100644
index 00000000..620b031c
--- /dev/null
+++ b/pkg/controllers/wireguardsidecar_controller.go
@@ -0,0 +1,163 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+ "fmt"
+ "io/ioutil"
+ "path/filepath"
+ "time"
+
+ "github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1"
+ "github.com/pkg/errors"
+
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+ "sigs.k8s.io/controller-runtime/pkg/event"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
+ "sigs.k8s.io/controller-runtime/pkg/reconcile"
+ "sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+const (
+ configMapName = "wireguard-peer-config"
+ configMapNamespace = "default"
+ configMapKey = "config"
+)
+
+type WireguardSidecarReconciler struct {
+ client.Client
+ Scheme *runtime.Scheme
+ SidecarImage string
+ SidecarImagePullPolicy corev1.PullPolicy
+ RequeueAfter time.Duration
+}
+
+func (r *WireguardSidecarReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&corev1.Pod{}).
+ WithEventFilter(predicate.Funcs{
+ CreateFunc: func(e event.CreateEvent) bool {
+ return r.hasSidecarAnnotation(e.Object)
+ },
+ UpdateFunc: func(e event.UpdateEvent) bool {
+ return r.hasSidecarAnnotation(e.ObjectNew)
+ },
+ DeleteFunc: func(e event.DeleteEvent) bool {
+ // Ignore delete events
+ return false
+ },
+ GenericFunc: func(e event.GenericEvent) bool {
+ // Ignore generic events
+ return false
+ },
+ }).
+ Complete(r)
+}
+
+func (r *WireguardSidecarReconciler) hasAnnotationSidecar(obj runtime.Object) bool {
+ pod, ok := obj.(*corev1.Pod)
+ if !ok {
+ return false
+ }
+
+ enable, ok := pod.Annotations["vpn.example.com/sidecar-enable"]
+ if !ok || enable != "true" {
+ return false
+ }
+
+ wgRef, ok := pod.Annotations["vpn.example.com/sidecar-wireguard-ref"]
+ if !ok || wgRef == "" {
+ r.Log.Error(fmt.Errorf("missing or empty vpn.example.com/sidecar-wireguard-ref annotation for pod %s/%s", pod.Namespace, pod.Name), "failed to reconcile pod")
+ return false
+ }
+
+ // Validate the wireguard reference here
+ // ...
+
+ // Create the wireguard peer object
+ peer := &v1alpha1.WireguardPeer{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("%s-sidecar", pod.Name),
+ Namespace: pod.Namespace,
+ },
+ Spec: v1alpha1.WireguardPeerSpec{
+ WireguardRef: wgRef,
+ },
+ }
+
+ // Create or update the wireguard peer object in the cluster
+ err := r.Client.CreateOrUpdate(context.Background(), peer, func() error {
+ return ctrl.SetControllerReference(pod, peer, r.Scheme)
+ })
+ if err != nil {
+ r.Log.Error(err, "failed to create or update WireguardPeer", "peer", peer)
+ return false
+ }
+
+ // Create the configmap for the peer status config
+ configMapName := fmt.Sprintf("%s-sidecar", pod.Name)
+ configMap := &corev1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: configMapName,
+ Namespace: pod.Namespace,
+ },
+ Data: map[string]string{
+ "wg0.conf": peer.Status.Config,
+ },
+ }
+
+ err = r.Client.Create(context.Background(), configMap)
+ if err != nil {
+ r.Log.Error(err, "failed to create ConfigMap", "configMap", configMap)
+ return false
+ }
+
+ // Add the configmap volume to the pod spec
+ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{
+ Name: configMapName,
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ Name: configMapName,
+ },
+ },
+ })
+
+ // Mount the configmap in the sidecar container
+ pod.Spec.Containers = append(pod.Spec.Containers, corev1.Container{
+ Name: "wireguard-sidecar",
+ Image: r.SidecarImage,
+ ImagePullPolicy: r.SidecarImagePullPolicy,
+ // Add any required configuration for the sidecar container here
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ Name: configMapName,
+ MountPath: "/etc/wireguard/wg0.conf",
+ SubPath: "wg0.conf",
+ },
+ },
+ })
+
+ return true
+}
From 646378b50c534dd79f847861d137a8601fbc868b Mon Sep 17 00:00:00 2001
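Review bot: The event predicate performs cluster writes and mutates the object it is supposed to filter: `hasAnnotationSidecar` creates a WireguardPeer and a ConfigMap and appends a volume and a container to `pod.Spec`, but that in-memory pod is never written back, so the sidecar is never actually injected, and the method is named `hasAnnotationSidecar` while SetupWithManager calls `r.hasSidecarAnnotation`. The file also does not build as written: the struct has no `Log` field for `r.Log`, `ctrl` is not in the import block, `client.Client` has no `CreateOrUpdate` method (the mutate-closure form is `controllerutil.CreateOrUpdate`), both `github.com/pkg/errors` and `k8s.io/apimachinery/pkg/api/errors` are imported under the same name, and the local `configMapName := ...` shadows the package-level constant. A predicate should be a pure check of the two annotations; the create-peer/mount-config logic belongs in a `Reconcile(ctx, req)` method, which `Complete(r)` requires and this file lacks. `peer.Status.Config` is also read immediately after the peer is created, before any controller has had a chance to fill the status in, so the ConfigMap would hold an empty `wg0.conf`.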
From: Matt Beckett Date: Sat, 29 Apr 2023 17:43:57 +0100 Subject: [PATCH 02/21] Add check to ensure wireguard server exists before creating peers --- pkg/controllers/wireguardsidecar_controller.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/pkg/controllers/wireguardsidecar_controller.go b/pkg/controllers/wireguardsidecar_controller.go index 620b031c..ee0a239c 100644 --- a/pkg/controllers/wireguardsidecar_controller.go +++ b/pkg/controllers/wireguardsidecar_controller.go @@ -89,13 +89,16 @@ func (r *WireguardSidecarReconciler) hasAnnotationSidecar(obj runtime.Object) bo wgRef, ok := pod.Annotations["vpn.example.com/sidecar-wireguard-ref"] if !ok || wgRef == "" { + wireguardObj := &v1alpha1.Wireguard{} + err := r.Client.Get(context.Background(), types.NamespacedName{Name: wgRef}, wireguardObj) + if err != nil { + r.Log.Error(err, fmt.Sprintf("failed to get Wireguard object %s", wireguardName)) + return false + } r.Log.Error(fmt.Errorf("missing or empty vpn.example.com/sidecar-wireguard-ref annotation for pod %s/%s", pod.Namespace, pod.Name), "failed to reconcile pod") return false } - // Validate the wireguard reference here - // ... - // Create the wireguard peer object peer := &v1alpha1.WireguardPeer{ ObjectMeta: metav1.ObjectMeta{ From 12e62ba970341ccce68e726df1c958c3d27a5c26 Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Sat, 29 Apr 2023 17:44:32 +0100 Subject: [PATCH 03/21] Add building sidecar to github actions --- .github/workflows/build-docker.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml index 633d73ba..ca3ff6a3 100644 --- a/.github/workflows/build-docker.yaml +++ b/.github/workflows/build-docker.yaml @@ -20,6 +20,7 @@ jobs: image: - manager - agent + - sidecar runs-on: ubuntu-latest steps: From 5c245e7eef2afc0655a7ae53648920668d944329 Mon Sep 17 00:00:00 2001 
From: Matt Beckett
Date: Sat, 29 Apr 2023 17:48:56 +0100
Subject: [PATCH 04/21] Fix unsaved Dockerfile
---
 images/sidecar/Dockerfile | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/images/sidecar/Dockerfile b/images/sidecar/Dockerfile
index e69de29b..1b8a4858 100644
--- a/images/sidecar/Dockerfile
+++ b/images/sidecar/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine:latest
+
+RUN apk --no-cache add wireguard-tools iptables
+
+COPY start-wireguard.sh /
+RUN chmod +x /start-wireguard.sh
+
+CMD ["/start-wireguard.sh"]
From 39b38ddd0ae712c2f62523d43ff85240bca99813 Mon Sep 17 00:00:00 2001
From: Matt Beckett
Date: Sat, 29 Apr 2023 17:50:31 +0100
Subject: [PATCH 05/21] Fix invalid path to dependent script for sidecar docker file
---
 images/sidecar/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/sidecar/Dockerfile b/images/sidecar/Dockerfile
index 1b8a4858..4ae33e24 100644
--- a/images/sidecar/Dockerfile
+++ b/images/sidecar/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:latest
 RUN apk --no-cache add wireguard-tools iptables
-COPY start-wireguard.sh /
+COPY images/sidecar/start-wireguard.sh /
 RUN chmod +x /start-wireguard.sh
 CMD ["/start-wireguard.sh"]
From a78dc538e3e964cf2bcabe3412ad13beebbcdcb3 Mon Sep 17 00:00:00 2001
From: Matt Beckett
Date: Tue, 2 May 2023 20:05:27 +0100
Subject: [PATCH 06/21] Fix up very broken code for wireguard-sidecar controller, add basic functionality for appending to pod spec
---
 cmd/manager/main.go | 13 +-
 pkg/controllers/wireguard_controller.go | 6 +-
 .../wireguardsidecar_controller.go | 187 +++++++-----------
 3 files changed, 80 insertions(+), 126 deletions(-)
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index ce6e3e00..b0cd69f5 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
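Review bot: `CMD ["/start-wireguard.sh"]` passes no arguments, so the script's closing `exec "$@"` executes nothing and the sidecar container exits as soon as `wg-quick up wg0` and the iptables rules have run, after which the kubelet restarts it in a loop. Either have CMD name a long-running foreground process, e.g. `CMD ["/start-wireguard.sh", "sleep", "infinity"]`, or make the script block itself. `FROM alpine:latest` together with an unpinned `apk add` also makes the image non-reproducible; pin the base tag or digest so the wireguard-tools and iptables versions shipped into every annotated pod are known.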
@@ -19,10 +19,11 @@ package main import ( "flag" "fmt" + "os" + vpnv1alpha1 "github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1" "github.com/jodevsa/wireguard-operator/pkg/controllers" v1 "k8s.io/api/core/v1" - "os" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) // to ensure that exec-entrypoint and run can make use of them. @@ -53,17 +54,17 @@ func main() { var wgImage string var wgAgentImagePullPolicy string var wgSidecarImage string - var wgSidecarAgentImagePullPolicy string + var wgSidecarImagePullPolicy string var metricsAddr string var enableLeaderElection bool var probeAddr string flag.BoolVar(&enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.StringVar(&wgSidecarImage, "sidecar-image", "ghcr.io/jodevsa/wireguard-operator/sidecar:latest", "The image used for wireguard sidecar") flag.StringVar(&wgSidecarImagePullPolicy, "sidecar-image-pull-policy", "IfNotPresent", "imagePullPolicy for wireguard sidecar") - "Enable leader election for controller manager. "+ - "Enabling this will ensure there is only one active controller manager.") flag.StringVar(&wgImage, "agent-image", "ghcr.io/jodevsa/wireguard-operator/agent:latest", "The image used for wireguard server") flag.StringVar(&wgAgentImagePullPolicy, "agent-image-pull-policy", "IfNotPresent", "Use userspace implementation") opts := zap.Options{ 
@@ -109,8 +110,8 @@ func main() { os.Exit(1) } if err = (&controllers.WireguardSidecarReconciler{ - Client: mgr.GetClient(), - Scheme: mgr.GetScheme(), + Client: mgr.GetClient(), + Scheme: mgr.GetScheme(), SidecarImage: wgSidecarImage, SidecarImagePullPolicy: v1.PullPolicy(wgSidecarImagePullPolicy), }).SetupWithManager(mgr); err != nil { diff --git a/pkg/controllers/wireguard_controller.go b/pkg/controllers/wireguard_controller.go index 7b265f4a..b722b111 100644 --- a/pkg/controllers/wireguard_controller.go +++ b/pkg/controllers/wireguard_controller.go @@ -632,10 +632,10 @@ func (r *WireguardReconciler) serviceForWireguard(m *v1alpha1.Wireguard, service dep := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: m.Name + "-svc", - Namespace: m.Namespace, + Name: m.Name + "-svc", + Namespace: m.Namespace, Annotations: m.Spec.ServiceAnnotations, - Labels: labels, + Labels: labels, }, Spec: corev1.ServiceSpec{ Selector: labels, diff --git a/pkg/controllers/wireguardsidecar_controller.go b/pkg/controllers/wireguardsidecar_controller.go index ee0a239c..5a17c7ee 100644 --- a/pkg/controllers/wireguardsidecar_controller.go +++ b/pkg/controllers/wireguardsidecar_controller.go @@ -19,25 +19,17 @@ package controllers import ( "context" "fmt" - "io/ioutil" - "path/filepath" "time" "github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1" - "github.com/pkg/errors" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/util/wait" + ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "sigs.k8s.io/controller-runtime/pkg/event" "sigs.k8s.io/controller-runtime/pkg/predicate" - "sigs.k8s.io/controller-runtime/pkg/reconcile" - "sigs.k8s.io/controller-runtime/pkg/source" ) const ( 
@@ -48,119 +40,80 @@ const ( type WireguardSidecarReconciler struct { client.Client - Scheme *runtime.Scheme - SidecarImage string - SidecarImagePullPolicy corev1.PullPolicy - RequeueAfter time.Duration + Scheme *runtime.Scheme + SidecarImage string + SidecarImagePullPolicy corev1.PullPolicy + RequeueAfter time.Duration } func (r *WireguardSidecarReconciler) SetupWithManager(mgr ctrl.Manager) error { - return ctrl.NewControllerManagedBy(mgr). - For(&corev1.Pod{}). - WithEventFilter(predicate.Funcs{ - CreateFunc: func(e event.CreateEvent) bool { - return r.hasSidecarAnnotation(e.Object) - }, - UpdateFunc: func(e event.UpdateEvent) bool { - return r.hasSidecarAnnotation(e.ObjectNew) - }, - DeleteFunc: func(e event.DeleteEvent) bool { - // Ignore delete events - return false - }, - GenericFunc: func(e event.GenericEvent) bool { - // Ignore generic events - return false - }, - }). - Complete(r) + if err := mgr.GetFieldIndexer().IndexField(context.Background(), &corev1.Pod{}, "metadata.annotations", func(rawObj client.Object) []string { + pod := rawObj.(*corev1.Pod) + return []string{pod.ObjectMeta.Annotations["vpn.example.com/enable-sidecar"]} + }); err != nil { + return err + } + + return ctrl.NewControllerManagedBy(mgr). + For(&corev1.Pod{}). + WithEventFilter(predicate.Funcs{ + UpdateFunc: func(e event.UpdateEvent) bool { + oldPod := e.ObjectOld.(*corev1.Pod) + newPod := e.ObjectNew.(*corev1.Pod) + return oldPod.ObjectMeta.Annotations["vpn.example.com/enable-sidecar"] != newPod.ObjectMeta.Annotations["vpn.example.com/enable-sidecar"] + }, + }). 
+ Complete(r) } -func (r *WireguardSidecarReconciler) hasAnnotationSidecar(obj runtime.Object) bool { - pod, ok := obj.(*corev1.Pod) - if !ok { - return false - } - - enable, ok := pod.Annotations["vpn.example.com/sidecar-enable"] - if !ok || enable != "true" { - return false - } - - wgRef, ok := pod.Annotations["vpn.example.com/sidecar-wireguard-ref"] - if !ok || wgRef == "" { - wireguardObj := &v1alpha1.Wireguard{} - err := r.Client.Get(context.Background(), types.NamespacedName{Name: wgRef}, wireguardObj) +func (r *WireguardSidecarReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + var pod corev1.Pod + if err := r.Get(ctx, req.NamespacedName, &pod); err != nil { + return ctrl.Result{}, client.IgnoreNotFound(err) + } + + if pod.ObjectMeta.Annotations["vpn.example.com/enable-sidecar"] != "true" { + // Pod does not have the desired annotation implement check and garbage collection logic + return ctrl.Result{}, nil + } + + // Check if a sidecar container already exists in the pod spec + hasSidecar := false + for _, container := range pod.Spec.Containers { + if container.Name == "wireguard-sidecar" { + hasSidecar = true + break + } + } + + if !hasSidecar { + + ref, hasRef := pod.ObjectMeta.Annotations["vpn.example.com/sidecar-wireguard-ref"] + + if !hasRef { + return ctrl.Result{}, fmt.Errorf("%s does not have ref annotation", req.Name) + } + + wireguard := &v1alpha1.Wireguard{} + err := r.Get(context.Background(), types.NamespacedName{Name: ref}, wireguard) if err != nil { - r.Log.Error(err, fmt.Sprintf("failed to get Wireguard object %s", wireguardName)) - return false + if errors.IsNotFound(err) { + return ctrl.Result{}, fmt.Errorf("Wireguard resource %s not found", req.Name) + } + return ctrl.Result{}, err } - r.Log.Error(fmt.Errorf("missing or empty vpn.example.com/sidecar-wireguard-ref annotation for pod %s/%s", pod.Namespace, pod.Name), "failed to reconcile pod") - return false - } - - // Create the wireguard peer object - 
peer := &v1alpha1.WireguardPeer{ - ObjectMeta: metav1.ObjectMeta{ - Name: fmt.Sprintf("%s-sidecar", pod.Name), - Namespace: pod.Namespace, - }, - Spec: v1alpha1.WireguardPeerSpec{ - WireguardRef: wgRef, - }, - } - - // Create or update the wireguard peer object in the cluster - err := r.Client.CreateOrUpdate(context.Background(), peer, func() error { - return ctrl.SetControllerReference(pod, peer, r.Scheme) - }) - if err != nil { - r.Log.Error(err, "failed to create or update WireguardPeer", "peer", peer) - return false - } - - // Create the configmap for the peer status config - configMapName := fmt.Sprintf("%s-sidecar", pod.Name) - configMap := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: configMapName, - Namespace: pod.Namespace, - }, - Data: map[string]string{ - "wg0.conf": peer.Status.Config, - }, - } - - err = r.Client.Create(context.Background(), configMap) - if err != nil { - r.Log.Error(err, "failed to create ConfigMap", "configMap", configMap) - return false - } - - // Add the configmap volume to the pod spec - pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{ - Name: configMapName, - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - Name: configMapName, - }, - }, - }) - - // Mount the configmap in the sidecar container - pod.Spec.Containers = append(pod.Spec.Containers, corev1.Container{ - Name: "wireguard-sidecar", - Image: r.SidecarImage, - ImagePullPolicy: r.SidecarImagePullPolicy, - // Add any required configuration for the sidecar container here - VolumeMounts: []corev1.VolumeMount{ - { - Name: configMapName, - MountPath: "/etc/wireguard/wg0.conf", - SubPath: "wg0.conf", - }, - }, - }) - - return true + + // Add the sidecar container to the pod spec + pod.Spec.Containers = append(pod.Spec.Containers, corev1.Container{ + Name: "wireagurd-sidecar", + Image: r.SidecarImage, + ImagePullPolicy: r.SidecarImagePullPolicy, + }) + + if err := r.Update(ctx, &pod); err != nil { + return ctrl.Result{}, err 
+ } + } + + return ctrl.Result{}, nil } From e6e5438daa22fce41c86c50bcd37b597fe21927a Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 2 May 2023 20:23:38 +0100 Subject: [PATCH 07/21] Re-add config map mounting --- .../wireguardsidecar_controller.go | 58 +++++++++++++++++-- 1 file changed, 53 insertions(+), 5 deletions(-) diff --git a/pkg/controllers/wireguardsidecar_controller.go b/pkg/controllers/wireguardsidecar_controller.go index 5a17c7ee..a7c86f85 100644 --- a/pkg/controllers/wireguardsidecar_controller.go +++ b/pkg/controllers/wireguardsidecar_controller.go @@ -24,6 +24,7 @@ import ( "github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" 
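Review bot: The Wireguard lookup `r.Get(context.Background(), types.NamespacedName{Name: ref}, wireguard)` passes no namespace, so if Wireguard is a namespaced resource the Get can never find it; it should use the reconcile `ctx` and `types.NamespacedName{Namespace: pod.Namespace, Name: ref}`. The not-found branch then formats `req.Name`, which is the pod, instead of `ref`, so the error names the wrong object. Returning an error for a pod that merely lacks the ref annotation puts a misconfigured pod into the controller's exponential-backoff retry loop forever; logging the condition and returning `ctrl.Result{}, nil` is the usual choice for a user error that a retry cannot fix. The `metadata.annotations` field index registered in SetupWithManager is never queried anywhere in this file and can be dropped.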
@@ -103,16 +104,63 @@ func (r *WireguardSidecarReconciler) Reconcile(ctx context.Context, req ctrl.Req return ctrl.Result{}, err } - // Add the sidecar container to the pod spec + peer := &v1alpha1.WireguardPeer{ + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%s-sidecar", pod.Name), + Namespace: pod.Namespace, + }, + Spec: v1alpha1.WireguardPeerSpec{ + WireguardRef: ref, + }, + } + + err = r.Client.Create(context.Background(), peer) + if err != nil { + return ctrl.Result{}, fmt.Errorf("Unable to create peer %s", peer.Name) + } + + // Create the configmap for the peer status config + configMapName := fmt.Sprintf("%s-sidecar", pod.Name) + configMap := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: pod.Namespace, + }, + Data: map[string]string{ + "wg0.conf": peer.Status.Config, + }, + } + + err = r.Client.Create(context.Background(), configMap) + if err != nil { + return ctrl.Result{}, fmt.Errorf("Unable to create configMap %s", configMap.Name) + } + + // Add the configmap volume to the pod spec + pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{ + Name: configMap.Name, + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: configMap.Name, + }, + }, + }, + }) + + // Mount the configmap in the sidecar container pod.Spec.Containers = append(pod.Spec.Containers, corev1.Container{ - Name: "wireagurd-sidecar", + Name: "wireguard-sidecar", Image: r.SidecarImage, ImagePullPolicy: r.SidecarImagePullPolicy, + VolumeMounts: []corev1.VolumeMount{{ + Name: configMap.Name, + MountPath: "/etc/wireguard/wg0.conf", + SubPath: "wg0.conf", + }}, }) - if err := r.Update(ctx, &pod); err != nil { - return ctrl.Result{}, err - } + return ctrl.Result{}, nil } return ctrl.Result{}, nil From 276287ee8267c2cb8496cb352d61b05571d8fee0 Mon Sep 17 00:00:00 2001 
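Review bot: `peer.Status.Config` is read straight after `r.Client.Create(context.Background(), peer)`, but Create only returns what the API server stored and the status is populated later by the peer controller, so the ConfigMap is written with an empty `wg0.conf`. The reconciler should re-read the peer and requeue until the config is present, `if peer.Status.Config == "" { return ctrl.Result{RequeueAfter: r.RequeueAfter}, nil }`, and on the next pass both Create calls must tolerate `errors.IsAlreadyExists`, otherwise every re-reconcile of the same pod fails. The two `fmt.Errorf` wrappers drop the underlying error; use `%w`, e.g. `fmt.Errorf("creating peer %s: %w", peer.Name, err)`. If the rendered config carries the peer's private key, as a wg-quick `wg0.conf` normally does, a Secret rather than a ConfigMap is the right home for it, and neither the peer nor the ConfigMap gets an owner reference to the pod, so both outlive it. Reconcile begins outside the hunk.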
From: Matt Beckett Date: Tue, 2 May 2023 20:24:37 +0100 Subject: [PATCH 08/21] Re-add missing update of resources --- pkg/controllers/wireguardsidecar_controller.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/controllers/wireguardsidecar_controller.go b/pkg/controllers/wireguardsidecar_controller.go index a7c86f85..b1155322 100644 --- a/pkg/controllers/wireguardsidecar_controller.go +++ b/pkg/controllers/wireguardsidecar_controller.go @@ -160,6 +160,10 @@ func (r *WireguardSidecarReconciler) Reconcile(ctx context.Context, req ctrl.Req }}, }) + if err := r.Update(ctx, &pod); err != nil { + return ctrl.Result{}, err + } + return ctrl.Result{}, nil } From 9b0f2a5fd254da462e2e3d332fdb13f40c913c82 Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:11:42 +0100 Subject: [PATCH 09/21] Fix up kustomize generation for new values --- Makefile | 8 ++++++-- config/default/manager_auth_proxy_patch.yaml | 1 + config/default/manager_auth_proxy_patch.yaml.template | 1 + 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index d92448c1..c9b0dc60 100644 --- a/Makefile +++ b/Makefile @@ -27,8 +27,9 @@ KIND_VERSION ?= v0.19.0 # images -AGENT_IMAGE ?= "agent:dev" -MANAGER_IMAGE ?= "manager:dev" +AGENT_IMAGE ?= "ghcr.io/jodevsa/wireguard-operator/agent:main" +MANAGER_IMAGE ?= "ghcr.io/jodevsa/wireguard-operator/manager:main" +SIDECAR_IMAGE ?= "ghcr.io/jodevsa/wireguard-operator/sidecar:main" # CHANNELS define the bundle channels used in the bundle. # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") 
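Review bot: `r.Update(ctx, &pod)` is rejected for any pod that already exists, because the API server only permits a Pod's `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` and additions to `spec.tolerations` to change after creation; the container and volume appended earlier in Reconcile are exactly the immutable fields, so this controller can never inject the sidecar. Injecting a container into an annotated pod is the job of a mutating admission webhook on Pod CREATE, or of a controller that rewrites the owning workload's pod template instead of the Pod. Reconcile starts and ends outside the hunk.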
@@ -131,6 +132,9 @@ docker-build-agent: ## Build docker image with the manager. docker-build-manager: ## Build docker image with the manager. docker build -t ${MANAGER_IMAGE} . -f ./images/manager/Dockerfile +docker-build-sidecar: ## Build docker image with the sidecar. + docker build -t ${SIDECAR_IMAGE} . -f ./images/sidecar/Dockerfile + docker-build-integration-test: docker-build-manager $(MAKE) docker-build-agent $(MAKE) docker-build-manager diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 5324092b..994845c2 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -33,3 +33,4 @@ spec: - "--metrics-bind-address=127.0.0.1:8080" - "--leader-elect" - "--agent-image=ghcr.io/jodevsa/wireguard-operator/agent:main" + - "--sidecar-image=ghcr.io/jodevsa/wireguard-operator/sidecar:main" diff --git a/config/default/manager_auth_proxy_patch.yaml.template b/config/default/manager_auth_proxy_patch.yaml.template index 8b189e6a..821b6d80 100644 --- a/config/default/manager_auth_proxy_patch.yaml.template +++ b/config/default/manager_auth_proxy_patch.yaml.template @@ -33,3 +33,4 @@ spec: - "--metrics-bind-address=127.0.0.1:8080" - "--leader-elect" - "--agent-image=${AGENT_IMAGE}" + - "--sidecar-image=${SIDECAR_IMAGE}" From 75df0a190faf5473dbb087ec6f34ca7bd64b0baf Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:14:18 +0100 Subject: [PATCH 10/21] Add makefile step for loading images into kind --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index c9b0dc60..ee2302dc 100644 --- a/Makefile +++ b/Makefile @@ -139,6 +139,8 @@ docker-build-integration-test: docker-build-manager $(MAKE) docker-build-agent $(MAKE) docker-build-manager +docker-load-kind: + kind load docker-image ${AGENT_IMAGE} ${SIDECAR_IMAGE} ${MANAGER_IMAGE} run-e2e: AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-image 
@@ -174,7 +176,6 @@ generate-release-file: kustomize update-agent-image update-manager-image git checkout ./config/manager/kustomization.yaml deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/default | kubectl apply -f - undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. From 3acde10763c1a37efe0cffc0a46b17702c8ecd21 Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:16:10 +0100 Subject: [PATCH 11/21] Add docker build all action --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index ee2302dc..3136a0f4 100644 --- a/Makefile +++ b/Makefile @@ -135,9 +135,10 @@ docker-build-manager: ## Build docker image with the manager. docker-build-sidecar: ## Build docker image with the sidecar. docker build -t ${SIDECAR_IMAGE} . -f ./images/sidecar/Dockerfile -docker-build-integration-test: docker-build-manager +docker-build-all: $(MAKE) docker-build-agent $(MAKE) docker-build-manager + ${MAKE} docker-build-sidecar docker-load-kind: kind load docker-image ${AGENT_IMAGE} ${SIDECAR_IMAGE} ${MANAGER_IMAGE} From 696ca64ace46a78329a8744e3687aeb1610ce768 Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:19:46 +0100 Subject: [PATCH 12/21] Add sidecar update to e2e test --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 3136a0f4..2534dfef 100644 --- a/Makefile +++ b/Makefile @@ -146,6 +146,7 @@ docker-load-kind: run-e2e: AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-image MANAGER_IMAGE=${MANAGER_IMAGE} $(MAKE) update-manager-image + SIDECAR_IMAGE=${SIDECAR_IMAGE} $(MAKE) update-sidecar-image $(KUSTOMIZE) build config/default > release_it.yaml git checkout ./config/default/manager_auth_proxy_patch.yaml git checkout ./config/manager/kustomization.yaml 
From 7bbfb0fbb2c55d7a6858b998d4561c1a725c5d7e Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:31:39 +0100 Subject: [PATCH 13/21] Fix up make e2e test for sidecar --- Makefile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 2534dfef..2aa84cce 100644 --- a/Makefile +++ b/Makefile @@ -124,8 +124,6 @@ build-manager: generate fmt vet ## Build manager binary. run: manifests generate fmt vet ## Run a controller from your host. go run ./cmd/manager/main.go - - docker-build-agent: ## Build docker image with the manager. docker build -t ${AGENT_IMAGE} . -f ./images/agent/Dockerfile @@ -144,9 +142,8 @@ docker-load-kind: kind load docker-image ${AGENT_IMAGE} ${SIDECAR_IMAGE} ${MANAGER_IMAGE} run-e2e: - AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-image + SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-and-sidecar-image MANAGER_IMAGE=${MANAGER_IMAGE} $(MAKE) update-manager-image - SIDECAR_IMAGE=${SIDECAR_IMAGE} $(MAKE) update-sidecar-image $(KUSTOMIZE) build config/default > release_it.yaml git checkout ./config/default/manager_auth_proxy_patch.yaml git checkout ./config/manager/kustomization.yaml @@ -164,9 +161,9 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified $(KUSTOMIZE) build config/crd | kubectl delete -f - -update-agent-image: kustomize +update-agent-and-sidecar-image: kustomize ## TODO: Simplify later - AGENT_IMAGE=$(AGENT_IMAGE) envsubst < ./config/default/manager_auth_proxy_patch.yaml.template > ./config/default/manager_auth_proxy_patch.yaml + SIDECAR_IMAGE=$(SIDECAR_IMAGE) AGENT_IMAGE=$(AGENT_IMAGE) envsubst < ./config/default/manager_auth_proxy_patch.yaml.template > ./config/default/manager_auth_proxy_patch.yaml update-manager-image: kustomize $(info MANAGER_IMAGE: "$(MANAGER_IMAGE)") From 7e48d048327f83e46ea475af3ade5c476f6ea700 Mon Sep 17 00:00:00 2001 
From: Matt Beckett Date: Tue, 23 May 2023 23:50:25 +0100 Subject: [PATCH 14/21] Add sidecar to e2e tests suit --- Makefile | 2 +- internal/it/suite_test.go | 22 +++++++++++++++------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index 2aa84cce..f9fc010a 100644 --- a/Makefile +++ b/Makefile @@ -147,7 +147,7 @@ run-e2e: $(KUSTOMIZE) build config/default > release_it.yaml git checkout ./config/default/manager_auth_proxy_patch.yaml git checkout ./config/manager/kustomization.yaml - KUBE_CONFIG=$(HOME)/.kube/config KIND_BIN=${KIND} WIREGUARD_OPERATOR_RELEASE_PATH="../../release_it.yaml" AGENT_IMAGE=${AGENT_IMAGE} MANAGER_IMAGE=${MANAGER_IMAGE} go test ./internal/it/ -v -count=1 + KUBE_CONFIG=$(HOME)/.kube/config KIND_BIN=${KIND} WIREGUARD_OPERATOR_RELEASE_PATH="../../release_it.yaml" AGENT_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} MANAGER_IMAGE=${MANAGER_IMAGE} go test ./internal/it/ -v -count=1 docker-push: ## Push docker image with the manager. docker push ${IMG} diff --git a/internal/it/suite_test.go b/internal/it/suite_test.go index 445583be..2dd282c6 100644 --- a/internal/it/suite_test.go +++ b/internal/it/suite_test.go @@ -3,6 +3,13 @@ package it import ( "context" "fmt" + "log" + "os" + "os/exec" + "strings" + "testing" + "time" + "github.com/go-logr/stdr" "github.com/jodevsa/wireguard-operator/pkg/api/v1alpha1" . "github.com/onsi/ginkgo" @@ -12,17 +19,11 @@ import ( "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" - "log" - "os" - "os/exec" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/envtest" "sigs.k8s.io/kind/pkg/apis/config/v1alpha4" kind "sigs.k8s.io/kind/pkg/cluster" log2 "sigs.k8s.io/kind/pkg/log" - "strings" - "testing" - "time" //+kubebuilder:scaffold:imports ) 
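Review bot: The rewritten `go test` line assigns `AGENT_IMAGE` twice (`AGENT_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE}`), so the second assignment wins and no `SIDECAR_IMAGE` variable reaches the test process; the suite's `sidecarImage` therefore stays empty and `kind load docker-image` is invoked with an empty image name. Change the first assignment to `SIDECAR_IMAGE=${SIDECAR_IMAGE}`.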
@@ -34,6 +35,7 @@ var k8sClient client.Client var testEnv *envtest.Environment var releasePath string var agentImage string +var sidecarImage string var managerImage string var kindBinary string var kubeConfigPath string @@ -184,7 +186,13 @@ var _ = BeforeSuite(func() { cmd = exec.Command(kindBinary, "load", "docker-image", agentImage, "--name", testClusterName) b, err = cmd.Output() if err != nil { - log.Error(err, "unable to load local image agent:dev") + log.Error(err, "unable to load local image for agent") + return + } + cmd = exec.Command(kindBinary, "load", "docker-image", sidecarImage, "--name", testClusterName) + b, err = cmd.Output() + if err != nil { + log.Error(err, "unable to load local image for sidecar") return } From 619d53a436ebbf1f9770260fb82845a80f49c6f8 Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:51:29 +0100 Subject: [PATCH 15/21] Extend e2e to build images --- Makefile | 1 + internal/it/suite_test.go | 1 + 2 files changed, 2 insertions(+) diff --git a/Makefile b/Makefile index f9fc010a..a5917aaf 100644 --- a/Makefile +++ b/Makefile @@ -142,6 +142,7 @@ docker-load-kind: kind load docker-image ${AGENT_IMAGE} ${SIDECAR_IMAGE} ${MANAGER_IMAGE} run-e2e: + ${MAKE} docker-build-all SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-and-sidecar-image MANAGER_IMAGE=${MANAGER_IMAGE} $(MAKE) update-manager-image $(KUSTOMIZE) build config/default > release_it.yaml diff --git a/internal/it/suite_test.go b/internal/it/suite_test.go index 2dd282c6..7760575d 100644 --- a/internal/it/suite_test.go +++ b/internal/it/suite_test.go @@ -118,6 +118,7 @@ func KubectlApply(resource string, namespace string) (string, error) { var _ = BeforeSuite(func() { releasePath = os.Getenv("WIREGUARD_OPERATOR_RELEASE_PATH") agentImage = os.Getenv("AGENT_IMAGE") + sidecarImage = os.Getenv("SIDECAR_IMAGE") managerImage = os.Getenv("MANAGER_IMAGE") kindBinary = os.Getenv("KIND_BIN") kubeConfigPath = os.Getenv("KUBE_CONFIG") 
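Review bot: In the new `kind load docker-image` block for the sidecar, a failure is logged and then followed by a bare `return`, which ends BeforeSuite normally and lets the suite run against a cluster that never received the image; the later failures then point at pull errors rather than at this step (the block copies the existing agent-load pattern, which has the same weakness). `cmd.Output()` also captures only stdout, so the kind error text on stderr is dropped. Replacing the three lines after the `exec.Command` with `out, err := cmd.CombinedOutput()` and `Expect(err).NotTo(HaveOccurred(), "unable to load local image for sidecar: %s", string(out))` fails the suite at the right point with the real message. The enclosing BeforeSuite closure starts and ends outside this hunk.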
From e16cf3caa8596555f8007d8506b02659f62e39f5 Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:54:32 +0100 Subject: [PATCH 16/21] Remove renamed files which have been merged --- .github/workflows/build-docker.yaml | 67 ----------------------------- 1 file changed, 67 deletions(-) delete mode 100644 .github/workflows/build-docker.yaml diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml deleted file mode 100644 index ca3ff6a3..00000000 --- a/.github/workflows/build-docker.yaml +++ /dev/null @@ -1,67 +0,0 @@ -name: Build Docker Images -env: - TARGET_PLATFORMS: linux/amd64,linux/arm64 - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} -on: - pull_request: {} - push: - branches: - - 'main' - -permissions: - contents: read - packages: write - -jobs: - build-images: - strategy: - matrix: - image: - - manager - - agent - - sidecar - runs-on: ubuntu-latest - - steps: - - - uses: actions/checkout@v3 - name: Checkout repository - with: - submodules: true - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v2 - with: - install: true - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate docker metadata - id: image-meta - uses: docker/metadata-action@v4 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.image }} - - - uses: actions/setup-go@v3 - with: - go-version: '^1.20' - - - name: Build and push docker image - uses: docker/build-push-action@v3 - with: - context: . - file: images/${{ matrix.image }}/Dockerfile - platforms: ${{ env.TARGET_PLATFORMS }} - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.image-meta.outputs.tags }} - labels: ${{ steps.image-meta.outputs.labels }} \ No newline at end of file 
From 0dcf94e600d7fcb18a11dcdedd283a7f58453b8c Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:55:20 +0100 Subject: [PATCH 17/21] Add expects for missing sidecar image property --- internal/it/suite_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/it/suite_test.go b/internal/it/suite_test.go index 7760575d..9ff52153 100644 --- a/internal/it/suite_test.go +++ b/internal/it/suite_test.go @@ -125,6 +125,7 @@ var _ = BeforeSuite(func() { Expect(releasePath).NotTo(Equal("")) Expect(agentImage).NotTo(Equal("")) + Expect(sidecarImage).NotTo(Equal("")) Expect(releasePath).NotTo(Equal("")) Expect(managerImage).NotTo(Equal("")) Expect(kindBinary).NotTo(Equal("")) From 01247a3d90a45781fcbf5bef9725df79fba22a0e Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Tue, 23 May 2023 23:56:55 +0100 Subject: [PATCH 18/21] Fix invalid var passed into e2e test for sidecar image --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a5917aaf..c8058d3a 100644 --- a/Makefile +++ b/Makefile @@ -148,7 +148,7 @@ run-e2e: $(KUSTOMIZE) build config/default > release_it.yaml git checkout ./config/default/manager_auth_proxy_patch.yaml git checkout ./config/manager/kustomization.yaml - KUBE_CONFIG=$(HOME)/.kube/config KIND_BIN=${KIND} WIREGUARD_OPERATOR_RELEASE_PATH="../../release_it.yaml" AGENT_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} MANAGER_IMAGE=${MANAGER_IMAGE} go test ./internal/it/ -v -count=1 + KUBE_CONFIG=$(HOME)/.kube/config KIND_BIN=${KIND} WIREGUARD_OPERATOR_RELEASE_PATH="../../release_it.yaml" SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} MANAGER_IMAGE=${MANAGER_IMAGE} go test ./internal/it/ -v -count=1 docker-push: ## Push docker image with the manager. docker push ${IMG} From fe9e6bc57c0967a735bd8987e32b5936dbb66f5a Mon Sep 17 00:00:00 2001 
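Review bot: The precondition list this hunk extends asserts `releasePath` twice (first and fourth lines of the hunk) and, as far as is visible, never asserts `kubeConfigPath`, even though BeforeSuite reads it from `KUBE_CONFIG` alongside the other inputs; the second `Expect(releasePath).NotTo(Equal(""))` looks like it was meant to be `Expect(kubeConfigPath).NotTo(Equal(""))`. Whether kubeConfigPath is checked further down is outside the hunk, so confirm before changing it. The enclosing BeforeSuite closure starts and ends outside this hunk.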
From: Matt Beckett Date: Tue, 23 May 2023 23:59:02 +0100 Subject: [PATCH 19/21] Remove build target from e2e test --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index c8058d3a..bf2f376e 100644 --- a/Makefile +++ b/Makefile @@ -142,7 +142,6 @@ docker-load-kind: kind load docker-image ${AGENT_IMAGE} ${SIDECAR_IMAGE} ${MANAGER_IMAGE} run-e2e: - ${MAKE} docker-build-all SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-and-sidecar-image MANAGER_IMAGE=${MANAGER_IMAGE} $(MAKE) update-manager-image $(KUSTOMIZE) build config/default > release_it.yaml From a8ec652d467e6a98057293d9a7b611024853968e Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Wed, 24 May 2023 00:27:17 +0100 Subject: [PATCH 20/21] Add sidecar functionality test to e2e --- Makefile | 2 +- config/e2e/kustomization.yaml | 20 ++++++++++++++++++++ config/e2e/sidecar-test-deployment.yaml | 22 ++++++++++++++++++++++ config/e2e/sidecar-test-service.yaml | 12 ++++++++++++ internal/it/suite_test.go | 24 +++++++++++++----------- 5 files changed, 68 insertions(+), 12 deletions(-) create mode 100644 config/e2e/kustomization.yaml create mode 100644 config/e2e/sidecar-test-deployment.yaml create mode 100644 config/e2e/sidecar-test-service.yaml diff --git a/Makefile b/Makefile index bf2f376e..e8885417 100644 --- a/Makefile +++ b/Makefile 
@@ -144,7 +144,7 @@ docker-load-kind: run-e2e: SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} $(MAKE) update-agent-and-sidecar-image MANAGER_IMAGE=${MANAGER_IMAGE} $(MAKE) update-manager-image - $(KUSTOMIZE) build config/default > release_it.yaml + $(KUSTOMIZE) build config/e2e > release_it.yaml git checkout ./config/default/manager_auth_proxy_patch.yaml git checkout ./config/manager/kustomization.yaml KUBE_CONFIG=$(HOME)/.kube/config KIND_BIN=${KIND} WIREGUARD_OPERATOR_RELEASE_PATH="../../release_it.yaml" SIDECAR_IMAGE=${SIDECAR_IMAGE} AGENT_IMAGE=${AGENT_IMAGE} MANAGER_IMAGE=${MANAGER_IMAGE} go test ./internal/it/ -v -count=1 diff --git a/config/e2e/kustomization.yaml b/config/e2e/kustomization.yaml new file mode 100644 index 00000000..c2540e68 --- /dev/null +++ b/config/e2e/kustomization.yaml @@ -0,0 +1,20 @@ +# Adds namespace to all resources. +namespace: wireguard-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: wireguard- + +# Labels to add to all resources and selectors. +#commonLabels: +# someName: someValue + +bases: +- ../default + +resources: +- sidecar-test-deployment.yaml +- sidecar-test-service.yaml \ No newline at end of file diff --git a/config/e2e/sidecar-test-deployment.yaml b/config/e2e/sidecar-test-deployment.yaml new file mode 100644 index 00000000..c664bd72 --- /dev/null +++ b/config/e2e/sidecar-test-deployment.yaml 
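Review bot: The new config/e2e/kustomization.yaml repeats `namespace: wireguard-system` and `namePrefix: wireguard-` on top of `../default`, which presumably already applies the same prefix, so every operator object in the e2e release is renamed (the following commit's expectations show `wireguard-wireguard-controller-manager`); the operator under test is then deployed under names a real `config/default` release does not use, including its ClusterRole and bindings. Dropping the two repeated fields and replacing the deprecated `bases:` with `resources:` keeps the overlay to `resources: [../default, sidecar-test-deployment.yaml, sidecar-test-service.yaml]` and restores the release names. Whether the prefix is actually set in config/default cannot be confirmed from this hunk, but the double prefix in the test output strongly suggests it.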
@@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: hello-kubernetes + annotations: + vpn.example.com/enable-sidecar: "true" + vpn.example.com/sidecar-wireguard-ref: abcde12345 +spec: + replicas: 1 + selector: + matchLabels: + app: hello-kubernetes + template: + metadata: + labels: + app: hello-kubernetes + spec: + containers: + - name: hello-kubernetes + image: paulbouwer/hello-kubernetes + ports: + - containerPort: 8080 diff --git a/config/e2e/sidecar-test-service.yaml b/config/e2e/sidecar-test-service.yaml new file mode 100644 index 00000000..4955b66f --- /dev/null +++ b/config/e2e/sidecar-test-service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: hello-kubernetes +spec: + selector: + app: hello-kubernetes + ports: + - protocol: TCP + port: 80 + targetPort: 8080 + type: ClusterIP diff --git a/internal/it/suite_test.go b/internal/it/suite_test.go index 9ff52153..0bbeef16 100644 --- a/internal/it/suite_test.go +++ b/internal/it/suite_test.go 
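Review bot: The sidecar annotations are placed on the Deployment's own metadata rather than on the pod template, so if the controller keys on pod annotations (as the series' first commit subject, "annotate a pod", suggests) the pods created by this Deployment carry no `vpn.example.com/enable-sidecar` and nothing is injected; moving the two annotations under `spec.template.metadata.annotations:` next to the `app` label avoids that ambiguity regardless of which object the controller watches. `sidecar-wireguard-ref: abcde12345` also does not correspond to any Wireguard or WireguardPeer created by this overlay as far as the visible expectations show, so the reference would be dangling at test time. Finally the fixture image `paulbouwer/hello-kubernetes` has no tag or digest, which makes the e2e run pull whatever `latest` is at the time; pin it, e.g. `image: paulbouwer/hello-kubernetes:1.10`, or better a digest.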
@@ -211,17 +211,19 @@ var _ = BeforeSuite(func() { "namespace/wireguard-system", "customresourcedefinition.apiextensions.k8s.io/wireguardpeers.vpn.example.com", "customresourcedefinition.apiextensions.k8s.io/wireguards.vpn.example.com", - "serviceaccount/wireguard-controller-manager", - "role.rbac.authorization.k8s.io/wireguard-leader-election-role", - "clusterrole.rbac.authorization.k8s.io/wireguard-manager-role", - "clusterrole.rbac.authorization.k8s.io/wireguard-metrics-reader", - "clusterrole.rbac.authorization.k8s.io/wireguard-proxy-role", - "rolebinding.rbac.authorization.k8s.io/wireguard-leader-election-rolebinding", - "clusterrolebinding.rbac.authorization.k8s.io/wireguard-manager-rolebinding", - "clusterrolebinding.rbac.authorization.k8s.io/wireguard-proxy-rolebinding", - "configmap/wireguard-manager-config", - "service/wireguard-controller-manager-metrics-service", - "deployment.apps/wireguard-controller-manager", + "serviceaccount/wireguard-wireguard-controller-manager", + "role.rbac.authorization.k8s.io/wireguard-wireguard-leader-election-role", + "clusterrole.rbac.authorization.k8s.io/wireguard-wireguard-manager-role", + "clusterrole.rbac.authorization.k8s.io/wireguard-wireguard-metrics-reader", + "clusterrole.rbac.authorization.k8s.io/wireguard-wireguard-proxy-role", + "rolebinding.rbac.authorization.k8s.io/wireguard-wireguard-leader-election-rolebinding", + "clusterrolebinding.rbac.authorization.k8s.io/wireguard-wireguard-manager-rolebinding", + "clusterrolebinding.rbac.authorization.k8s.io/wireguard-wireguard-proxy-rolebinding", + "configmap/wireguard-wireguard-manager-config", + "service/wireguard-hello-kubernetes", + "service/wireguard-wireguard-controller-manager-metrics-service", + "deployment.apps/wireguard-hello-kubernetes", + "deployment.apps/wireguard-wireguard-controller-manager", } Expect(strings.Split(strings.Trim(strings.ReplaceAll(string(b), " created", ""), "\n"), "\n")).To(BeEquivalentTo(expectedResources)) 
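Review bot: The updated expectation list only confirms that `kubectl apply` printed a "created" line for `deployment.apps/wireguard-hello-kubernetes`; nothing here checks that the pod behind it actually received a sidecar container, so the test named "sidecar functionality" passes even if the annotation is ignored. A follow-up assertion that waits for the Deployment's pod and checks `len(pod.Spec.Containers) == 2` (or the sidecar container name the controller uses) would exercise the feature; the controller's container name is not visible in this series, so the exact check needs confirming. Separately, the `wireguard-wireguard-` names baked into the expectations are an artefact of the e2e overlay repeating the prefix from config/default, and fixing the overlay would let this list keep the release names. The enclosing BeforeSuite closure starts outside this hunk.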
From 7ecd7570e7173e78b2b55250b2f3fdce559ff6de Mon Sep 17 00:00:00 2001 From: Matt Beckett Date: Wed, 24 May 2023 00:27:29 +0100 Subject: [PATCH 21/21] Fix invalid default value for vars in kustomization --- config/default/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index dfd0f433..568a4cdc 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -44,7 +44,7 @@ patchesStrategicMerge: #- webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -vars: +vars: [] # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: