Bug fixes after tests

tigera · Sep 9, 2024 · 89abfc3 · 89abfc3
1 parent 0a3cfb0
commit 89abfc3
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 54 deletions.
diff --git a/pkg/controller/applicationlayer/applicationlayer_controller.go b/pkg/controller/applicationlayer/applicationlayer_controller.go
@@ -252,7 +252,7 @@ func (r *ReconcileApplicationLayer) Reconcile(ctx context.Context, request recon
 
 	var passthroughModSecurityRuleSet bool
 	var modSecurityRuleSet *corev1.ConfigMap
-	if r.isWAFEnabled(&instance.Spec) {
+	if r.isWAFEnabled(&instance.Spec) || r.isSidecarInjectionEnabled(&instance.Spec) {
 		if modSecurityRuleSet, passthroughModSecurityRuleSet, err = r.getModSecurityRuleSet(ctx); err != nil {
 			r.status.SetDegraded(operatorv1.ResourceReadError, "Error getting Web Application Firewall ModSecurity rule set", err, reqLogger)
 			return reconcile.Result{}, err
@@ -498,7 +498,8 @@ func (r *ReconcileApplicationLayer) getPolicySyncPathPrefix(fcSpec *crdv1.FelixC
 
 	// No existing value. However, at least one of the applicationLayer features are enabled
 	spec := &al.Spec
-	if r.isALPEnabled(spec) || r.isWAFEnabled(spec) || r.isLogsCollectionEnabled(spec) {
+	if r.isALPEnabled(spec) || r.isWAFEnabled(spec) || r.isLogsCollectionEnabled(spec) ||
+		r.isSidecarInjectionEnabled(spec) {
 		return DefaultPolicySyncPrefix
 	}
 	return ""

diff --git a/pkg/render/applicationlayer/applicationlayer.go b/pkg/render/applicationlayer/applicationlayer.go
@@ -46,6 +46,7 @@ const (
 	RoleName                         = "application-layer"
 	ApplicationLayerDaemonsetName    = "l7-log-collector"
 	L7CollectorContainerName         = "l7-collector"
+	L7CollectorSocksVolumeName       = "l7-collector-socks"
 	ProxyContainerName               = "envoy-proxy"
 	EnvoyLogsVolumeName              = "envoy-logs"
 	EnvoyConfigMapName               = "envoy-config"
@@ -96,11 +97,13 @@ type Config struct {
 	SidecarInjectionEnabled bool
 
 	// Calculated internal fields.
-	proxyImage      string
-	collectorImage  string
-	dikastesImage   string
-	dikastesEnabled bool
-	envoyConfigMap  *corev1.ConfigMap
+	proxyImage            string
+	collectorImage        string
+	dikastesImage         string
+	dikastesEnabled       bool
+	envoyEnabled          bool
+	l7logcollectorEnabled bool
+	envoyConfigMap        *corev1.ConfigMap
 
 	// envoy user-configurable overrides
 	UseRemoteAddressXFF bool
@@ -156,15 +159,24 @@ func (c *component) Objects() ([]client.Object, []client.Object) {
 		c.config.ALPEnabled ||
 		c.config.SidecarInjectionEnabled
 
+	c.config.l7logcollectorEnabled = c.config.LogsEnabled ||
+		c.config.SidecarInjectionEnabled
+
+	c.config.envoyEnabled = c.config.WAFEnabled ||
+		c.config.ALPEnabled ||
+		c.config.LogsEnabled
+
 	// If Web Application Firewall is enabled, we need WAF ruleset ConfigMap present.
-	if c.config.WAFEnabled {
+	if c.config.WAFEnabled || c.config.SidecarInjectionEnabled {
 		// this ConfigMap is a copy of the provided configuration from the operator namespace into the calico-system namespace
 		objs = append(objs, c.modSecurityConfigMap())
 	}
 
 	// Envoy configuration
-	c.config.envoyConfigMap = c.envoyL7ConfigMap()
-	objs = append(objs, c.config.envoyConfigMap)
+	if c.config.envoyEnabled {
+		c.config.envoyConfigMap = c.envoyL7ConfigMap()
+		objs = append(objs, c.config.envoyConfigMap)
+	}
 
 	// Envoy & Dikastes Daemonset
 	objs = append(objs, c.daemonset())
@@ -243,26 +255,28 @@ func (c *component) containers() []corev1.Container {
 	var containers []corev1.Container
 
 	// Daemonset needs root and NET_ADMIN, NET_RAW permission to be able to use netfilter tproxy option.
-	sc := securitycontext.NewRootContext(false)
-	sc.Capabilities.Add = []corev1.Capability{
-		"NET_ADMIN",
-		"NET_RAW",
-	}
-	proxy := corev1.Container{
-		Name:            ProxyContainerName,
-		Image:           c.config.proxyImage,
-		ImagePullPolicy: render.ImagePullPolicy(),
-		Command: []string{
-			"envoy", "-c", "/etc/envoy/envoy-config.yaml",
-		},
-		SecurityContext: sc,
-		Env:             c.proxyEnv(),
-		VolumeMounts:    c.proxyVolMounts(),
-	}
+	if c.config.envoyEnabled {
+		sc := securitycontext.NewRootContext(false)
+		sc.Capabilities.Add = []corev1.Capability{
+			"NET_ADMIN",
+			"NET_RAW",
+		}
+		proxy := corev1.Container{
+			Name:            ProxyContainerName,
+			Image:           c.config.proxyImage,
+			ImagePullPolicy: render.ImagePullPolicy(),
+			Command: []string{
+				"envoy", "-c", "/etc/envoy/envoy-config.yaml",
+			},
+			SecurityContext: sc,
+			Env:             c.proxyEnv(),
+			VolumeMounts:    c.proxyVolMounts(),
+		}
 
-	containers = append(containers, proxy)
+		containers = append(containers, proxy)
+	}
 
-	if c.config.LogsEnabled {
+	if c.config.l7logcollectorEnabled {
 		// Log collection specific container
 		collector := corev1.Container{
 			Name:            L7CollectorContainerName,
@@ -290,13 +304,18 @@ func (c *component) containers() []corev1.Container {
 			{Name: DikastesSyncVolumeName, MountPath: "/var/run/dikastes"},
 		}
 
-		if c.config.WAFEnabled {
+		if c.config.WAFEnabled || c.config.SidecarInjectionEnabled {
 			commandArgs = append(
 				commandArgs,
-				"--waf-enabled",
 				"--waf-log-file", filepath.Join(CalicologsVolumePath, "waf", "waf.log"),
 				"--waf-ruleset-file", filepath.Join(ModSecurityRulesetVolumePath, "tigera.conf"),
 			)
+			if c.config.WAFEnabled {
+				commandArgs = append(
+					commandArgs,
+					"--waf-enabled",
+				)
+			}
 			volMounts = append(
 				volMounts,
 				[]corev1.VolumeMount{
@@ -313,6 +332,13 @@ func (c *component) containers() []corev1.Container {
 			)
 		}
 
+		if c.config.ALPEnabled {
+			commandArgs = append(
+				commandArgs,
+				"--alp-enabled",
+			)
+		}
+
 		dikastes := corev1.Container{
 			Name:            DikastesContainerName,
 			Image:           c.config.dikastesImage,
@@ -364,36 +390,49 @@ func (c *component) collectorEnv() []corev1.EnvVar {
 }
 
 func (c *component) volumes() []corev1.Volume {
-	var volumes []corev1.Volume
-
-	// This empty directory volume will be mounted at /tmp/ which will contain the access logs file generated by envoy.
-	volumes = append(volumes, corev1.Volume{
-		Name: EnvoyLogsVolumeName,
-		VolumeSource: corev1.VolumeSource{
-			EmptyDir: &corev1.EmptyDirVolumeSource{},
+	hostPathDirectoryOrCreate := corev1.HostPathDirectoryOrCreate
+	volumes := []corev1.Volume{
+		{
+			Name: FelixSync,
+			VolumeSource: corev1.VolumeSource{
+				CSI: &corev1.CSIVolumeSource{
+					Driver: "csi.tigera.io",
+				},
+			},
 		},
-	})
-
-	volumes = append(volumes, corev1.Volume{
-		Name: EnvoyConfigMapName,
-		VolumeSource: corev1.VolumeSource{
-			ConfigMap: &corev1.ConfigMapVolumeSource{
-				LocalObjectReference: corev1.LocalObjectReference{Name: EnvoyConfigMapName},
+		// This empty directory volume will be mounted at /tmp/ which will contain the access logs file generated by envoy.
+		{
+			Name: EnvoyLogsVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		},
-	})
+	}
 
-	volumes = append(volumes, corev1.Volume{
-		Name: FelixSync,
-		VolumeSource: corev1.VolumeSource{
-			CSI: &corev1.CSIVolumeSource{
-				Driver: "csi.tigera.io",
+	if c.config.envoyEnabled {
+		volumes = append(volumes, corev1.Volume{
+			Name: EnvoyConfigMapName,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{Name: EnvoyConfigMapName},
+				},
 			},
-		},
-	})
+		})
+	}
+
+	if c.config.l7logcollectorEnabled {
+		volumes = append(volumes, corev1.Volume{
+			Name: L7CollectorSocksVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Path: "/var/run/l7-collector",
+					Type: &hostPathDirectoryOrCreate,
+				},
+			},
+		})
+	}
 
 	if c.config.dikastesEnabled {
-		hostPathDirectoryOrCreate := corev1.HostPathDirectoryOrCreate
 		// Web Application Firewall + ApplicationLayer Policy specific volumes.
 
 		// Needed for Dikastes' authz check server.
@@ -408,7 +447,7 @@ func (c *component) volumes() []corev1.Volume {
 		})
 
 		// Needed for ModSecurity library - contains rule set.
-		if c.config.WAFEnabled { // WAF-only
+		if c.config.WAFEnabled || c.config.SidecarInjectionEnabled { // WAF-only
 			// WAF logs need HostPath volume - logs to be consumed by fluentd.
 			volumes = append(volumes, corev1.Volume{
 				Name: CalicoLogsVolumeName,
@@ -459,6 +498,7 @@ func (c *component) collectorVolMounts() []corev1.VolumeMount {
 	return []corev1.VolumeMount{
 		{Name: EnvoyLogsVolumeName, MountPath: "/tmp/"},
 		{Name: FelixSync, MountPath: "/var/run/felix"},
+		{Name: L7CollectorSocksVolumeName, MountPath: "/var/run/l7-collector"},
 	}
 }