fix: inject volumes into injected init containers too

cmd/serve.go

@@ -101,6 +101,9 @@ func CommandServe(cfg *config.Config, globalFlags []cli.Flag) *cli.Command {
 
 		Before: func(clictx *cli.Context) error {
 			for _, i := range cfg.Inject {
+				if i.MaxIterations <= 0 {
+					i.MaxIterations = config.DefaultMaxIterations
+				}
 				if i.LabelSelector != nil {
 					if _, err := i.LabelSelector.LabelSelector(); err != nil {
 						return err

config/config.go

@@ -9,10 +9,10 @@ import (
 )
 
 type Config struct {
-	Inject []Inject `yaml:"inject,omitempty"`
-	K8S    K8S      `yaml:"k8s"`
-	Log    Log      `yaml:"log"`
-	Server Server   `yaml:"server"`
+	Inject []*Inject `yaml:"inject,omitempty"`
+	K8S    K8S       `yaml:"k8s"`
+	Log    Log       `yaml:"log"`
+	Server Server    `yaml:"server"`
 
 	Version string
 }

config/defaults.go

@@ -0,0 +1,5 @@
+package config
+
+const (
+	DefaultMaxIterations = 16
+)

config/inject.go

@@ -8,11 +8,12 @@ import (
 type Inject struct {
 	Name string `yaml:"name,omitempty"`
 
+	MaxIterations int `yaml:"maxIterations,omitempty"`
+
 	LabelSelector     *InjectLabelSelector `yaml:"labelSelector,omitempty"`
 	NamespaceSelector *InjectLabelSelector `yaml:"namespaceSelector,omitempty"`
 
-	Annotations map[string]string `yaml:"annotations,omitempty"`
-	Labels      map[string]string `yaml:"labels,omitempty"`
+	Labels map[string]string `yaml:"labels,omitempty"`
 
 	Containers   []InjectContainer   `yaml:"containers,omitempty"`
 	VolumeMounts []InjectVolumeMount `yaml:"volumeMounts,omitempty"`
@@ -44,22 +45,6 @@ func (i Inject) Fingerprint() string {
 		}
 	}
 
-	{ // annotations
-		if len(i.Annotations) > 0 {
-			sum.Write([]byte("annotations:"))
-			for k, v := range i.Annotations {
-				sum.Write([]byte("key:"))
-				sum.Write([]byte(k))
-				sum.Write([]byte{255})
-
-				sum.Write([]byte("value:"))
-				sum.Write([]byte(v))
-				sum.Write([]byte{255})
-			}
-			sum.Write([]byte{255})
-		}
-	}
-
 	{ // labels
 		if len(i.Labels) > 0 {
 			sum.Write([]byte("labels:"))

patch/update_pod_annotations.go → patch/annotations.go

@@ -6,7 +6,7 @@ import (
 	core_v1 "k8s.io/api/core/v1"
 )
 
-func UpdatePodAnnotations(
+func UpsertPodAnnotations(
 	pod *core_v1.Pod,
 	annotations map[string]string,
 ) (json_patch.Patch, error) {

patch/add_pod_containers.go → patch/containers.go

@@ -6,7 +6,7 @@ import (
 	core_v1 "k8s.io/api/core/v1"
 )
 
-func AddPodContainers(
+func InsertPodContainers(
 	pod *core_v1.Pod,
 	containers []core_v1.Container,
 ) (json_patch.Patch, error) {

patch/update_pod_labels.go → patch/labels.go

@@ -6,7 +6,7 @@ import (
 	core_v1 "k8s.io/api/core/v1"
 )
 
-func UpdatePodLabels(
+func InsertPodLabels(
 	pod *core_v1.Pod,
 	labels map[string]string,
 ) (json_patch.Patch, error) {
@@ -25,21 +25,15 @@ func UpdatePodLabels(
 	res := make(json_patch.Patch, 0, len(labels))
 
 	for k, v := range labels {
-		if o, exists := pod.Labels[k]; exists {
-			if o != v {
-				op, err := operation.Replace("/metadata/labels/"+operation.Escape(k), v)
-				if err != nil {
-					return nil, err
-				}
-				res = append(res, op)
-			}
-		} else {
-			op, err := operation.Add("/metadata/labels/"+operation.Escape(k), v)
-			if err != nil {
-				return nil, err
-			}
-			res = append(res, op)
+		if _, exists := pod.Labels[k]; exists {
+			continue
 		}
+
+		op, err := operation.Add("/metadata/labels/"+operation.Escape(k), v)
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, op)
 	}
 
 	return res, nil

patch/add_init_container_volume_mounts.go → patch/volume_mounts.go

@@ -8,7 +8,41 @@ import (
 	core_v1 "k8s.io/api/core/v1"
 )
 
-func AddInitContainerVolumeMounts(
+func InsertContainerVolumeMounts(
+	idx int,
+	container *core_v1.Container,
+	volumeMounts []core_v1.VolumeMount,
+) (json_patch.Patch, error) {
+	if len(volumeMounts) == 0 {
+		return nil, nil
+	}
+
+	res := make(json_patch.Patch, 0, len(volumeMounts))
+
+	notEmpty := len(container.VolumeMounts) > 0
+	for _, vm := range volumeMounts {
+		var (
+			op  json_patch.Operation
+			err error
+		)
+
+		if notEmpty {
+			op, err = operation.Add("/spec/containers/"+strconv.Itoa(idx)+"/volumeMounts/-", vm)
+		} else {
+			notEmpty = true
+			op, err = operation.Add("/spec/containers/"+strconv.Itoa(idx)+"/volumeMounts", []core_v1.VolumeMount{vm})
+		}
+
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, op)
+	}
+
+	return res, nil
+}
+
+func InsertInitContainerVolumeMounts(
 	idx int,
 	container *core_v1.Container,
 	volumeMounts []core_v1.VolumeMount,

patch/add_pod_volumes.go → patch/volumes.go

@@ -6,7 +6,7 @@ import (
 	core_v1 "k8s.io/api/core/v1"
 )
 
-func AddPodVolumes(
+func InsertPodVolumes(
 	pod *core_v1.Pod,
 	volumes []core_v1.Volume,
 ) (json_patch.Patch, error) {

server/k8s.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strconv"
 	"time"
 
 	json_patch "github.com/evanphx/json-patch"
@@ -191,7 +192,7 @@ func (s *Server) mutate(
 		res.Result = &meta_v1.Status{Message: err.Error()}
 		return res
 	}
-	if len(patches) > 0 {
+	if patches != nil && len(patches) > 0 {
 		b, err := json.Marshal(patches)
 		if err != nil {
 			l.Error("Failed to encode pod patches",
@@ -233,14 +234,6 @@ func (s *Server) mutatePod(
 		)
 	}
 
-	annotationProcessed := s.cfg.K8S.ServiceName + "." + global.OrgDomain + "/" + fingerprint
-	if timestamp, alreadyProcessed := pod.Annotations[annotationProcessed]; alreadyProcessed {
-		l.Info("Pod was already processed by inject-configuration with the same fingerprint => skipping...",
-			zap.String("webhookFingerprintTimestamp", timestamp),
-		)
-		return nil, nil
-	}
-
 	res := make(json_patch.Patch, 0)
 
 	// inject volumes
@@ -269,7 +262,7 @@ func (s *Server) mutatePod(
 			volumes = append(volumes, *volume)
 		}
 
-		p, err := patch.AddPodVolumes(pod, volumes)
+		p, err := patch.InsertPodVolumes(pod, volumes)
 		if err != nil {
 			return nil, err
 		}
@@ -305,7 +298,7 @@ func (s *Server) mutatePod(
 				volumeMounts = append(volumeMounts, *volumeMount)
 			}
 
-			p, err := patch.AddInitContainerVolumeMounts(idx, &c, volumeMounts)
+			p, err := patch.InsertInitContainerVolumeMounts(idx, &c, volumeMounts)
 			if err != nil {
 				return nil, err
 			}
@@ -339,7 +332,7 @@ func (s *Server) mutatePod(
 				volumeMounts = append(volumeMounts, *volumeMount)
 			}
 
-			p, err := patch.AddContainerVolumeMounts(idx, &c, volumeMounts)
+			p, err := patch.InsertContainerVolumeMounts(idx, &c, volumeMounts)
 			if err != nil {
 				return nil, err
 			}
@@ -373,42 +366,58 @@ func (s *Server) mutatePod(
 			containers = append(containers, *container)
 		}
 
-		p, err := patch.AddPodContainers(pod, containers)
+		p, err := patch.InsertPodContainers(pod, containers)
 		if err != nil {
 			return nil, err
 		}
 		res = append(res, p...)
 	}
 
-	{ // label
-		p, err := patch.UpdatePodLabels(pod, inject.Labels)
+	{ // inject labels
+		p, err := patch.InsertPodLabels(pod, inject.Labels)
 		if err != nil {
 			return nil, err
 		}
 		res = append(res, p...)
 	}
 
-	{ // annotate
-		p, err := patch.UpdatePodAnnotations(pod, inject.Annotations)
-		if err != nil {
-			return nil, err
-		}
-		res = append(res, p...)
+	if len(res) == 0 {
+		l.Info("Empty patch produced for the pod => skipping...")
+		return nil, nil
 	}
 
-	// mark pod as processed
-	if len(res) > 0 {
-		timestamp := time.Now().Format(time.RFC3339)
-		p, err := patch.UpdatePodAnnotations(pod, map[string]string{
-			annotationProcessed: timestamp,
+	{ // circuit break
+		iterationsCount := 0
+
+		annotationIterationsCount := s.cfg.K8S.ServiceName + "." + global.OrgDomain + "/" + fingerprint
+		annotationProcessedTimestamp := s.cfg.K8S.ServiceName + "." + global.OrgDomain + "/" + inject.Name
+
+		if strIterations, previouslyProcessed := pod.Annotations[annotationIterationsCount]; previouslyProcessed {
+			if _iterations, err := strconv.Atoi(strIterations); err == nil {
+				iterationsCount = _iterations
+			}
+		}
+
+		if iterationsCount >= inject.MaxIterations {
+			l.Info("Inject iterations threshold was exceeded by the pod => skipping...",
+				zap.Int("iterationCount", iterationsCount),
+				zap.Int("maxIterations", inject.MaxIterations),
+			)
+			return nil, nil
+		}
+
+		iterationsCount += 1
+		p, err := patch.UpsertPodAnnotations(pod, map[string]string{
+			annotationIterationsCount:    strconv.Itoa(iterationsCount),
+			annotationProcessedTimestamp: time.Now().Format(time.RFC3339),
 		})
 		if err != nil {
 			return nil, err
 		}
 		res = append(res, p...)
-
-		l.Info("Processed pod")
 	}
 
+	l.Info("Processed pod")
+
 	return res, nil
 }

server/server.go

@@ -72,7 +72,7 @@ func New(cfg *config.Config) (*Server, error) {
 
 	srv.inject = make(map[string]*config.Inject, len(cfg.Inject))
 	for _, i := range cfg.Inject {
-		srv.inject[i.Fingerprint()] = &i
+		srv.inject[i.Fingerprint()] = i
 	}
 
 	return srv, nil

test/deployment-fargate.yaml

@@ -35,7 +35,7 @@ spec:
       serviceAccountName: kube-sidecar-injector
       containers:
         - name: kube-sidecar-injector-fargate
-          image: kube-sidecar-injector:0.0.9-dev
+          image: kube-sidecar-injector:0.0.11-dev
           args: [
             "--log-level", "info",
             "--log-mode", "dev",

test/deployment-node-exporter.yaml

@@ -35,7 +35,7 @@ spec:
       serviceAccountName: kube-sidecar-injector
       containers:
         - name: kube-sidecar-injector-node-exporter
-          image: kube-sidecar-injector:0.0.9-dev
+          image: kube-sidecar-injector:0.0.11-dev
           args: [
             "--log-level", "info",
             "--log-mode", "dev",