Fixes after first @caseydevenport review

tigera · Sep 10, 2024 · ed81c92 · ed81c92
1 parent e048439
commit ed81c92
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 13 deletions.
diff --git a/api/v1/applicationlayer_types.go b/api/v1/applicationlayer_types.go
@@ -38,7 +38,10 @@ type ApplicationLayerSpec struct {
 	L7LogCollectorDaemonSet *L7LogCollectorDaemonSet `json:"l7LogCollectorDaemonSet,omitempty"`
 
 	// SidecarInjection controls whether or not sidecar injection is enabled for the cluster.
-	// When enabled, sidecar containers can be injected into pods to provide additional L7 functionality.
+	// When enabled, containers that has the label
+	// "applicationlayer.projectcalico.io/sidecar"="true" will have injected
+	// sidecar, that will replace system firewall rules for L7
+	// functionality, like WAF and ALP.
 	// +optional
 	SidecarInjection *SidecarStatusType `json:"sidecarInjection,omitempty"`
 }

diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -288,7 +288,7 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
 		namespacedEnterpriseObjects = append(namespacedEnterpriseObjects, c.cfg.TrustedBundle.ConfigMap(QueryserverNamespace))
 	}
 	if c.cfg.IsSidecarInjectionEnabled() {
-		namespacedEnterpriseObjects = append(namespacedEnterpriseObjects, c.sidecarMutatingWbhConfig())
+		namespacedEnterpriseObjects = append(namespacedEnterpriseObjects, c.sidecarMutatingWebhookConfig())
 	} else {
 		objsToDelete = append(objsToDelete, &admregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: SidecarMutatingWebhookConfigName}})
 	}
@@ -1045,7 +1045,7 @@ func (c *apiServerComponent) apiServerDeployment() *appsv1.Deployment {
 }
 
 // apiServer creates a MutatingWebhookConfiguration for sidecars.
-func (c *apiServerComponent) sidecarMutatingWbhConfig() *admregv1.MutatingWebhookConfiguration {
+func (c *apiServerComponent) sidecarMutatingWebhookConfig() *admregv1.MutatingWebhookConfiguration {
 	var cacert []byte
 	var svcPort int32 = L7AdmssCtrlPort
 

diff --git a/pkg/render/applicationlayer/applicationlayer.go b/pkg/render/applicationlayer/applicationlayer.go
@@ -166,7 +166,7 @@ func (c *component) Objects() ([]client.Object, []client.Object) {
 		c.config.ALPEnabled ||
 		c.config.LogsEnabled
 
-	// If Web Application Firewall is enabled, we need WAF ruleset ConfigMap present.
+	// If Web Application Firewall or Sidecar Injection is enabled, we need WAF ruleset ConfigMap present.
 	if c.config.WAFEnabled || c.config.SidecarInjectionEnabled {
 		// this ConfigMap is a copy of the provided configuration from the operator namespace into the calico-system namespace
 		objs = append(objs, c.modSecurityConfigMap())
@@ -311,10 +311,7 @@ func (c *component) containers() []corev1.Container {
 				"--waf-ruleset-file", filepath.Join(ModSecurityRulesetVolumePath, "tigera.conf"),
 			)
 			if c.config.WAFEnabled {
-				commandArgs = append(
-					commandArgs,
-					"--waf-enabled",
-				)
+				commandArgs = append(commandArgs, "--waf-enabled")
 			}
 			volMounts = append(
 				volMounts,
@@ -333,10 +330,7 @@ func (c *component) containers() []corev1.Container {
 		}
 
 		if c.config.ALPEnabled {
-			commandArgs = append(
-				commandArgs,
-				"--alp-enabled",
-			)
+			commandArgs = append(commandArgs, "--alp-enabled")
 		}
 
 		dikastes := corev1.Container{
@@ -447,7 +441,7 @@ func (c *component) volumes() []corev1.Volume {
 		})
 
 		// Needed for ModSecurity library - contains rule set.
-		if c.config.WAFEnabled || c.config.SidecarInjectionEnabled { // WAF-only
+		if c.config.WAFEnabled || c.config.SidecarInjectionEnabled {
 			// WAF logs need HostPath volume - logs to be consumed by fluentd.
 			volumes = append(volumes, corev1.Volume{
 				Name: CalicoLogsVolumeName,