-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(k8s): always inject Kuma as the first container #5436
Conversation
Thanks for the PR! This definitely needs to be flagged / configurable and documented as it's a breaking change. We should also document that this only represents a 'best-effort' to put our sidecar first, as another mutating controller could come along and be mischievous :) |
Agree. This pr still needs
Also, the pr itself isn't very useful without a postStart hook on the sidecar, so would probably want to tie that in if possible. Will try to follow up with the cleanup when I get a chance. (Unless someone with more free time wants to take it across the finish line) |
@slonka @johnharris85 Is it really a breaking change? I don't think it is without a postStart as the order of containers doesn't really influence anything (they are all started at once except if there's a |
I thought that we're only considering this feature it with |
It only really makes sense with postStart but we could always inject first and then set the config to add a postStart executable |
Right so without postStart it's not especially useful to have it first. So isn't it likely to just have it always first and then make postStart optional/opt-in . So for this PR maybe we should not make this configurable (it should just be first) |
This seems sensible and atomic. I might keep the function for testability but drop the boolean in that case. Originally I was going to incorporate both changes into this pr, but still not familiar with how configurations work in kuma so it's probably better to separate them. As a side note, I think that allowing the main pod to start without effectively having a network is a critical issue, despite workarounds. This is mostly Kubernetes's fault, but I feel that it's worth handling. Currently the best workaround that I have found is to crash-loop the main pod until you can connect to an outside server i.e. some persistence layer. If you don't do this, Kubernetes seems to assume your node is in a ready state which results in rollouts causing unwanted downtime. Unfortunately the next best workaround is to disable the sidecar proxy, which is even less ideal if you're trying to implement traffic rules with mTLS |
Ok so sounds like you should be able to update your PR to always inject it first (and sign your commit). Then we can help you work on adding the |
30c5aeb
to
131b874
Compare
/format /golden_files |
/format |
Looks like this actually fails |
131b874
to
ee5e411
Compare
d811a1e
to
b5c37fe
Compare
Your using go 19 that's why all these go embed got updated |
b5c37fe
to
69c5daa
Compare
1bd3c95
to
014cd11
Compare
/golden_files |
014cd11
to
07c9cbf
Compare
It looks like there are test cases under "should inject" that shouldn't inject
|
07af79d
to
e957bea
Compare
2a72598
to
e5d4147
Compare
Signed-off-by: c <curtis@commonstock.com>
e5d4147
to
5d23311
Compare
I think this last test failure might be a flake, but not familiar enough with your test suite |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thx for the contrib!
Signed-off-by: Charly Molter <charly.molter@konghq.com>
cb9556e
to
13d279c
Compare
@curtiscook I added a message in UPGRADE.md because there's a small upgrade path required. Merging as soon as CI passes |
Checklist prior to review
syscall.Mkfifo
have equivalent implementation on the other OS --UPGRADE.md
? -- no> Changelog:
entry here or add aci/
label to run fewer/more tests?