Introducing sidecarInjection to ApplicationLayer resource

api/v1/applicationlayer_types.go

@@ -36,11 +36,17 @@ type ApplicationLayerSpec struct {
 	// L7LogCollectorDaemonSet configures the L7LogCollector DaemonSet.
 	// +optional
 	L7LogCollectorDaemonSet *L7LogCollectorDaemonSet `json:"l7LogCollectorDaemonSet,omitempty"`
+
+	// SidecarInjection controls whether or not sidecar injection is enabled for the cluster.
+	// When enabled, sidecar containers can be injected into pods to provide additional L7 functionality.
+	// +optional
+	SidecarInjection *SidecarStatusType `json:"sidecarInjection,omitempty"`
 }
 
 type LogCollectionStatusType string
 type WAFStatusType string
 type ApplicationLayerPolicyStatusType string
+type SidecarStatusType string
 
 const (
 	WAFDisabled                    WAFStatusType                    = "Disabled"
@@ -49,6 +55,8 @@ const (
 	L7LogCollectionEnabled         LogCollectionStatusType          = "Enabled"
 	ApplicationLayerPolicyEnabled  ApplicationLayerPolicyStatusType = "Enabled"
 	ApplicationLayerPolicyDisabled ApplicationLayerPolicyStatusType = "Disabled"
+	SidecarEnabled                 SidecarStatusType                = "Enabled"
+	SidecarDisabled                SidecarStatusType                = "Disabled"
 )
 
 type EnvoySettings struct {

config/enterprise_versions.yml

@@ -145,6 +145,9 @@ components:
   dikastes:
     image: tigera/dikastes
     version: master
+  l7-admission-controller:
+    image: tigera/l7-admission-controller
+    version: master
   egress-gateway:
     image: tigera/egress-gateway
     version: master

hack/gen-versions/enterprise.go.tpl

@@ -247,6 +247,13 @@ var (
 		Registry: "{{ .Registry }}",
 	}
 {{- end }}
+{{ with index .Components "l7-admission-controller" }}
+	ComponentL7AdmissionController = Component{
+		Version:  "{{ .Version }}",
+		Image:    "{{ .Image }}",
+		Registry: "{{ .Registry }}",
+	}
+{{- end }}
 {{ with index .Components "coreos-prometheus" }}
 	ComponentCoreOSPrometheus = Component{
 		Version:  "{{ .Version }}",
@@ -409,6 +416,7 @@ var (
 		ComponentESGateway,
 		ComponentLinseed,
 		ComponentDikastes,
+		ComponentL7AdmissionController,
 		ComponentTigeraFlexVolume,
 		ComponentTigeraCSI,
 		ComponentTigeraCSINodeDriverRegistrar,

pkg/components/enterprise.go

@@ -215,6 +215,12 @@ var (
 		Registry: "",
 	}
 
+	ComponentL7AdmissionController = Component{
+		Version:  "master",
+		Image:    "tigera/l7-admission-controller",
+		Registry: "",
+	}
+
 	ComponentCoreOSPrometheus = Component{
 		Version:  "v2.48.1",
 		Registry: "",
@@ -359,6 +365,7 @@ var (
 		ComponentESGateway,
 		ComponentLinseed,
 		ComponentDikastes,
+		ComponentL7AdmissionController,
 		ComponentTigeraFlexVolume,
 		ComponentTigeraCSI,
 		ComponentTigeraCSINodeDriverRegistrar,

pkg/controller/apiserver/apiserver_controller.go

@@ -123,6 +123,12 @@ func add(c ctrlruntime.Controller, r *ReconcileAPIServer) error {
 	}
 
 	if r.enterpriseCRDsExist {
+		// Watch for changes to ApplicationLayer
+		err = c.WatchObject(&operatorv1.ApplicationLayer{ObjectMeta: metav1.ObjectMeta{Name: utils.DefaultTSEEInstanceKey.Name}}, &handler.EnqueueRequestForObject{})
+		if err != nil {
+			return fmt.Errorf("apiserver-controller failed to watch ApplicationLayer resource: %v", err)
+		}
+
 		// Watch for changes to primary resource ManagementCluster
 		err = c.WatchObject(&operatorv1.ManagementCluster{}, &handler.EnqueueRequestForObject{})
 		if err != nil {
@@ -283,10 +289,17 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 	// Query enterprise-only data.
 	var tunnelCAKeyPair certificatemanagement.KeyPairInterface
 	var trustedBundle certificatemanagement.TrustedBundle
+	var applicationLayer *operatorv1.ApplicationLayer
 	var managementCluster *operatorv1.ManagementCluster
 	var managementClusterConnection *operatorv1.ManagementClusterConnection
 	includeV3NetworkPolicy := false
 	if installationSpec.Variant == operatorv1.TigeraSecureEnterprise {
+		applicationLayer, err = utils.GetApplicationLayer(ctx, r.client)
+		if err != nil {
+			r.status.SetDegraded(operatorv1.ResourceReadError, "Error reading ApplicationLayer", err, reqLogger)
+			return reconcile.Result{}, err
+		}
+
 		managementCluster, err = utils.GetManagementCluster(ctx, r.client)
 		if err != nil {
 			r.status.SetDegraded(operatorv1.ResourceReadError, "Error reading ManagementCluster", err, reqLogger)
@@ -374,6 +387,7 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 		Installation:                installationSpec,
 		APIServer:                   &instance.Spec,
 		ForceHostNetwork:            false,
+		ApplicationLayer:            applicationLayer,
 		ManagementCluster:           managementCluster,
 		ManagementClusterConnection: managementClusterConnection,
 		TLSKeyPair:                  tlsSecret,

pkg/controller/apiserver/apiserver_controller_test.go

@@ -25,6 +25,7 @@ import (
 	. "github.com/onsi/gomega"
 	"github.com/stretchr/testify/mock"
 
+	admregv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
@@ -74,6 +75,7 @@ var _ = Describe("apiserver controller tests", func() {
 		Expect(apis.AddToScheme(scheme)).ShouldNot(HaveOccurred())
 		Expect(appsv1.SchemeBuilder.AddToScheme(scheme)).ShouldNot(HaveOccurred())
 		Expect(rbacv1.SchemeBuilder.AddToScheme(scheme)).ShouldNot(HaveOccurred())
+		Expect(admregv1.SchemeBuilder.AddToScheme(scheme)).ShouldNot(HaveOccurred())
 
 		ctx = context.Background()
 		cli = ctrlrfake.DefaultFakeClientBuilder(scheme).Build()

pkg/controller/applicationlayer/applicationlayer_controller.go

@@ -265,18 +265,19 @@ func (r *ReconcileApplicationLayer) Reconcile(ctx context.Context, request recon
 
 	lcSpec := instance.Spec.LogCollection
 	config := &applicationlayer.Config{
-		PullSecrets:            pullSecrets,
-		Installation:           installation,
-		OsType:                 rmeta.OSTypeLinux,
-		WAFEnabled:             r.isWAFEnabled(&instance.Spec),
-		LogsEnabled:            r.isLogsCollectionEnabled(&instance.Spec),
-		ALPEnabled:             r.isALPEnabled(&instance.Spec),
-		LogRequestsPerInterval: lcSpec.LogRequestsPerInterval,
-		LogIntervalSeconds:     lcSpec.LogIntervalSeconds,
-		ModSecurityConfigMap:   modSecurityRuleSet,
-		UseRemoteAddressXFF:    instance.Spec.EnvoySettings.UseRemoteAddress,
-		NumTrustedHopsXFF:      instance.Spec.EnvoySettings.XFFNumTrustedHops,
-		ApplicationLayer:       instance,
+		PullSecrets:             pullSecrets,
+		Installation:            installation,
+		OsType:                  rmeta.OSTypeLinux,
+		WAFEnabled:              r.isWAFEnabled(&instance.Spec),
+		LogsEnabled:             r.isLogsCollectionEnabled(&instance.Spec),
+		ALPEnabled:              r.isALPEnabled(&instance.Spec),
+		SidecarInjectionEnabled: r.isSidecarInjectionEnabled(&instance.Spec),
+		LogRequestsPerInterval:  lcSpec.LogRequestsPerInterval,
+		LogIntervalSeconds:      lcSpec.LogIntervalSeconds,
+		ModSecurityConfigMap:    modSecurityRuleSet,
+		UseRemoteAddressXFF:     instance.Spec.EnvoySettings.UseRemoteAddress,
+		NumTrustedHopsXFF:       instance.Spec.EnvoySettings.XFFNumTrustedHops,
+		ApplicationLayer:        instance,
 	}
 	component := applicationlayer.ApplicationLayer(config)
 
@@ -327,6 +328,7 @@ func updateApplicationLayerWithDefaults(al *operatorv1.ApplicationLayer) {
 		defaultLogCollectionStatusType          operatorv1.LogCollectionStatusType          = operatorv1.L7LogCollectionDisabled
 		defaultWebApplicationFirewallStatusType operatorv1.WAFStatusType                    = operatorv1.WAFDisabled
 		defaultApplicationLayerPolicyStatusType operatorv1.ApplicationLayerPolicyStatusType = operatorv1.ApplicationLayerPolicyDisabled
+		defaultSidecarStatusType                operatorv1.SidecarStatusType                = operatorv1.SidecarDisabled
 	)
 
 	if al.Spec.LogCollection == nil {
@@ -360,6 +362,10 @@ func updateApplicationLayerWithDefaults(al *operatorv1.ApplicationLayer) {
 			XFFNumTrustedHops: 0,
 		}
 	}
+
+	if al.Spec.SidecarInjection == nil {
+		al.Spec.SidecarInjection = &defaultSidecarStatusType
+	}
 }
 
 // validateApplicationLayer validates ApplicationLayer
@@ -380,9 +386,14 @@ func validateApplicationLayer(al *operatorv1.ApplicationLayer) error {
 		log.Info("L7 ALP found enabled")
 		atLeastOneFeatureDetected = true
 	}
+
+	if *al.Spec.SidecarInjection == operatorv1.SidecarEnabled {
+		log.Info("L7 SidecarInjection found enabled")
+		atLeastOneFeatureDetected = true
+	}
 	// If ApplicationLayer spec exists then one of its features should be set.
 	if !atLeastOneFeatureDetected {
-		return errors.New("at least one of webApplicationFirewall, policy.Mode or logCollection.collectLogs must be specified in ApplicationLayer resource")
+		return errors.New("at least one of webApplicationFirewall, policy.Mode, logCollection.collectLogs or sidecarInjection must be specified in ApplicationLayer resource")
 	}
 
 	return nil
@@ -467,6 +478,11 @@ func (r *ReconcileApplicationLayer) isWAFEnabled(applicationLayerSpec *operatorv
 		*applicationLayerSpec.WebApplicationFirewall == operatorv1.WAFEnabled
 }
 
+func (r *ReconcileApplicationLayer) isSidecarInjectionEnabled(applicationLayerSpec *operatorv1.ApplicationLayerSpec) bool {
+	return applicationLayerSpec.SidecarInjection != nil &&
+		*applicationLayerSpec.SidecarInjection == operatorv1.SidecarEnabled
+}
+
 func (r *ReconcileApplicationLayer) getPolicySyncPathPrefix(fcSpec *crdv1.FelixConfigurationSpec, al *operatorv1.ApplicationLayer) string {
 	// Respect existing policySyncPathPrefix if it's already set (e.g. EGW)
 	// This will cause policySyncPathPrefix value to remain when ApplicationLayer is disabled.

pkg/controller/utils/utils.go

@@ -409,6 +409,22 @@ func GetNetworkingPullSecrets(i *operatorv1.InstallationSpec, c client.Client) (
 	return secrets, nil
 }
 
+// Return the AplicationLayer CR if present. No error is returned if it was not
+// found.
+func GetApplicationLayer(ctx context.Context, c client.Client) (*operatorv1.ApplicationLayer, error) {
+	applicationLayer := &operatorv1.ApplicationLayer{}
+
+	err := c.Get(ctx, DefaultTSEEInstanceKey, applicationLayer)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return applicationLayer, nil
+}
+
 // Return the ManagementCluster CR if present. No error is returned if it was not found.
 func GetManagementCluster(ctx context.Context, c client.Client) (*operatorv1.ManagementCluster, error) {
 	managementCluster := &operatorv1.ManagementCluster{}

pkg/crds/enterprise/crd.projectcalico.org_bgpfilters.yaml

@@ -49,6 +49,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:
@@ -70,6 +83,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:
@@ -91,6 +117,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:
@@ -112,6 +151,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:

pkg/crds/operator/operator.tigera.io_applicationlayers.yaml

@@ -255,6 +255,11 @@ spec:
                     format: int64
                     type: integer
                 type: object
+              sidecarInjection:
+                description: |-
+                  SidecarInjection controls whether or not sidecar injection is enabled for the cluster.
+                  When enabled, sidecar containers can be injected into pods to provide additional L7 functionality.
+                type: string
               webApplicationFirewall:
                 description: |-
                   WebApplicationFirewall controls whether or not ModSecurity enforcement is enabled for the cluster.