From fbc8344e90d712964686a8f6c25708f6d01e913d Mon Sep 17 00:00:00 2001 From: Jakub Dyszkiewicz Date: Wed, 30 Oct 2024 12:48:21 +0100 Subject: [PATCH] fix(cni): delegated gateway was not correctly injected (#11922) I wanted to run Zone 2 in e2e tests in CNI mode and I encountered a problem with injection. We were injecting such init container ``` initContainers: - name: "" resources: {} ``` I fixed it and switched one zone to CNI to avoid this in the future. Inject container only if it's created Placing run-full-matrix, because I need to see if all variants are ok. I checked locally and e2e is fine with CNI. Signed-off-by: Jakub Dyszkiewicz --- .../runtime/k8s/webhooks/injector/injector.go | 137 +++++++++++++++ .../k8s/webhooks/injector/injector_test.go | 156 ++++++++++++++++++ .../injector/testdata/inject.41.golden.yaml | 139 ++++++++++++++++ .../injector/testdata/inject.41.input.yaml | 21 +++ .../inject.sidecar-feature.41.golden.yaml | 153 +++++++++++++++++ test/framework/envs/multizone/env.go | 16 ++ 6 files changed, 622 insertions(+) create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.golden.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.input.yaml create mode 100644 pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.41.golden.yaml diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go index b5e499c0fe50..efdc029b4569 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/injector.go +++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector.go @@ -121,6 +121,7 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error pod.Annotations[kube_podcmd.DefaultContainerAnnotationName] = pod.Spec.Containers[0].Name } +<<<<<<< HEAD // inject sidecar as first container pod.Spec.Containers = append([]kube_core.Container{patchedContainer}, pod.Spec.Containers...) 
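Review bot: The added line `+<<<<<<< HEAD` in this hunk is an unresolved merge-conflict marker committed into injector.go, so the file cannot compile as patched. The matching `+=======` and `+>>>>>>> ebcc4be57 (...)` lines are added in the two following injector.go hunks, and the same three markers appear in the injector_test.go hunk and in both env.go hunks. Each conflict region has to be resolved to a single side and the markers removed before this backport is merged; a pre-merge check that rejects added lines starting with `<<<<<<<`, `=======` or `>>>>>>>` would catch this. InjectKuma's body starts and ends outside the hunk.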
@@ -130,6 +131,98 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error } for key, value := range annotations { pod.Annotations[key] = value +======= + var annotations map[string]string + var injectedInitContainer *kube_core.Container + + if i.cfg.TransparentProxyConfigMapName != "" { + tproxyCfg, err := i.getTransparentProxyConfig(ctx, logger, pod) + if err != nil { + return err + } + + tproxyCfgYAMLBytes, err := yaml.Marshal(tproxyCfg) + if err != nil { + return err + } + tproxyCfgYAML := string(tproxyCfgYAMLBytes) + + if annotations, err = tproxy_k8s.ConfigToAnnotations( + tproxyCfg, + i.cfg, + pod.Annotations, + i.defaultAdminPort, + ); err != nil { + return errors.Wrap(err, "could not generate annotations for pod") + } + + for key, value := range annotations { + pod.Annotations[key] = value + } + + if pod.Labels == nil { + pod.Labels = map[string]string{} + } + pod.Labels[metadata.KumaMeshLabel] = meshName + + switch { + case !tproxyCfg.CNIMode: + initContainer := i.NewInitContainer([]string{"--config", tproxyCfgYAML}) + injected, err := i.applyCustomPatches(logger, initContainer, initPatches) + if err != nil { + return err + } + injectedInitContainer = &injected + case tproxyCfg.Redirect.Inbound.Enabled: + ipFamilyMode := tproxyCfg.IPFamilyMode.String() + inboundPort := tproxyCfg.Redirect.Inbound.Port.String() + validationContainer := i.NewValidationContainer(ipFamilyMode, inboundPort, sidecarTmp.Name) + injected, err := i.applyCustomPatches(logger, validationContainer, initPatches) + if err != nil { + return err + } + injectedInitContainer = &injected + fallthrough + default: + pod.Annotations[metadata.KumaTrafficTransparentProxyConfig] = tproxyCfgYAML + } + } else { // this is legacy and deprecated - will be removed soon + if annotations, err = i.NewAnnotations(pod, logger); err != nil { + return errors.Wrap(err, "could not generate annotations for pod") + } + + for key, value := range annotations { + pod.Annotations[key] = 
value + } + + if pod.Labels == nil { + pod.Labels = map[string]string{} + } + pod.Labels[metadata.KumaMeshLabel] = meshName + + podRedirect, err := tproxy_k8s.NewPodRedirectFromAnnotations(pod.Annotations) + if err != nil { + return err + } + + if !i.cfg.CNIEnabled { + initContainer := i.NewInitContainer(podRedirect.AsKumactlCommandLine()) + injected, err := i.applyCustomPatches(logger, initContainer, initPatches) + if err != nil { + return err + } + injectedInitContainer = &injected + } else if podRedirect.RedirectInbound { + ipFamilyMode := podRedirect.IpFamilyMode + inboundPort := fmt.Sprintf("%d", podRedirect.RedirectPortInbound) + validationContainer := i.NewValidationContainer(ipFamilyMode, inboundPort, sidecarTmp.Name) + injected, err := i.applyCustomPatches(logger, validationContainer, initPatches) + if err != nil { + return err + } + injectedInitContainer = &injected + } +>>>>>>> ebcc4be57 (fix(cni): delegated gateway was not correctly injected (#11922)) } if i.cfg.EBPF.Enabled { 
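Review bot: Several new error paths in this hunk return the error bare (after `getTransparentProxyConfig`, `yaml.Marshal`, each `applyCustomPatches` call and `NewPodRedirectFromAnnotations`), while the neighbouring `ConfigToAnnotations` and `NewAnnotations` failures are wrapped with `errors.Wrap`. This code sits in the injection webhook, so the returned message is likely all an operator sees when a pod is rejected, and it should name the step that failed, e.g. `return errors.Wrap(err, "could not marshal transparent proxy config")`. The same wrapping applies to the other bare returns in both the config-map branch and the legacy branch. InjectKuma starts and ends outside the hunk.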
@@ -150,10 +243,54 @@ func (i *KumaInjector) InjectKuma(ctx context.Context, pod *kube_core.Pod) error }) } +<<<<<<< HEAD // init container if !i.cfg.CNIEnabled { ic, err := i.NewInitContainer(pod) if err != nil { +======= + initFirst, _, err := metadata.Annotations(pod.Annotations).GetEnabled(metadata.KumaInitFirst) + if err != nil { + return err + } + + var prependInitContainers []kube_core.Container + var appendInitContainers []kube_core.Container + + if injectedInitContainer != nil { + if initFirst || i.sidecarContainersEnabled { + prependInitContainers = append(prependInitContainers, *injectedInitContainer) + } else { + appendInitContainers = append(appendInitContainers, *injectedInitContainer) + } + } + + if i.sidecarContainersEnabled { + // inject sidecar after init + patchedContainer.RestartPolicy = pointer.To(kube_core.ContainerRestartPolicyAlways) + patchedContainer.Lifecycle = &kube_core.Lifecycle{ + PreStop: &kube_core.LifecycleHandler{ + Exec: &kube_core.ExecAction{ + Command: []string{"killall", "-USR2", "kuma-dp"}, + }, + }, + } + prependInitContainers = append(prependInitContainers, patchedContainer) + } else { + // inject sidecar as first container + pod.Spec.Containers = append([]kube_core.Container{patchedContainer}, pod.Spec.Containers...) + } + + pod.Spec.InitContainers = append(append(prependInitContainers, pod.Spec.InitContainers...), appendInitContainers...) + + disabledAppProbeProxy, err := probes.ApplicationProbeProxyDisabled(pod) + if err != nil { + return err + } + + if disabledAppProbeProxy { + if err := i.overrideHTTPProbes(pod); err != nil { +>>>>>>> ebcc4be57 (fix(cni): delegated gateway was not correctly injected (#11922)) return err } patchedIc, err := i.applyCustomPatches(logger, ic, initPatches) diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go index da63adb0a372..ed07a814e976 100644 --- a/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go 
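Review bot: The rule that decides where the injected init container lands is not documented at the `prependInitContainers` / `appendInitContainers` block, and it is driven by `metadata.KumaInitFirst` read from the pod's own annotations, so the pod author picks the order. A comment above `if injectedInitContainer != nil {` would make that explicit, for example `// Prepend when metadata.KumaInitFirst is set or native sidecars are enabled, so the injected init container runs before the pod's own init containers; otherwise it runs after them.` It is also worth stating there that a nil `injectedInitContainer` means nothing is added, since that is the case this fix exists for. InjectKuma continues past the end of the hunk.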
+++ b/pkg/plugins/runtime/k8s/webhooks/injector/injector_test.go 
@@ -671,6 +671,162 @@ spec: kuma.io/sidecar-injection: enabled`, cfgFile: "inject.config.yaml", }), +<<<<<<< HEAD +======= + Entry("33. kuma.io/transparent-proxying-ip-family-mode", testCase{ + num: "33", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config-ipv6-disabled.yaml", + }), + Entry("34. cni enabled", testCase{ + num: "34", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config-cni.yaml", + }), + Entry("native sidecar with probe", testCase{ + num: "35", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config.yaml", + }), + Entry("36. traffic.kuma.io/drop-invalid-packets overrides config", testCase{ + num: "36", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config.yaml", + }), + Entry("37. traffic.kuma.io/iptables-logs overrides config", testCase{ + num: "37", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config.yaml", + }), + Entry("38. 
traffic.kuma.io/exclude-outbound-ips overrides config", testCase{ + num: "38", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config.yaml", + }), + Entry("39. traffic.kuma.io/exclude-inbound-ips overrides config", testCase{ + num: "39", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config.yaml", + }), + Entry("40. application probe proxy: config - disabled, pod - enabled", testCase{ + num: "40", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.vp-disabled.config.yaml", + }), + Entry("41. gateway provided with cni enabled", testCase{ + num: "41", + mesh: ` + apiVersion: kuma.io/v1alpha1 + kind: Mesh + metadata: + name: default + spec: {}`, + namespace: ` + apiVersion: v1 + kind: Namespace + metadata: + name: default + labels: + kuma.io/sidecar-injection: enabled`, + cfgFile: "inject.config-cni.yaml", + }), +>>>>>>> ebcc4be57 (fix(cni): delegated gateway was not correctly injected (#11922)) ) DescribeTable("should not inject Kuma into a Pod", diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.golden.yaml new file mode 100644 index 000000000000..5d57e8a29fd4 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.golden.yaml 
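Review bot: Entries 33 through 40 on the incoming side of this conflict reference fixtures that this patch does not add: the diffstat creates only `inject.41.input.yaml`, `inject.41.golden.yaml` and `inject.sidecar-feature.41.golden.yaml`. If the conflict is resolved by taking the whole incoming block, those entries and config files such as `inject.config-ipv6-disabled.yaml` and `inject.vp-disabled.config.yaml` must already exist on the target branch, which cannot be confirmed from this page; otherwise only the `Entry("41. gateway provided with cni enabled", ...)` case should be kept. The entry for `num: "35"` is also described as `"native sidecar with probe"` without the numeric prefix the other entries use. The DescribeTable call starts outside the hunk.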
@@ -0,0 +1,139 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + k8s.v1.cni.cncf.io/networks: kuma-cni + kubectl.kubernetes.io/default-container: busybox + kuma.io/application-probe-proxy-port: "0" + kuma.io/envoy-admin-port: "9901" + kuma.io/gateway: enabled + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-inbound-port: "15055" + kuma.io/transparent-proxying-ip-family-mode: ipv4 + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: disabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + kuma.io/mesh: default + run: busybox + name: busybox +spec: + containers: + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_APPLICATION_PROBE_PROXY_PORT + value: "0" + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + 
leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-init-tmp + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} 
diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.input.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.input.yaml new file mode 100644 index 000000000000..887ac6b1213f --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.41.input.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: busybox + annotations: + kuma.io/gateway: enabled + labels: + run: busybox +spec: + volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + containers: + - name: busybox + image: busybox + resources: {} + volumeMounts: + - name: default-token-w7dxf + readOnly: true + mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" diff --git a/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.41.golden.yaml b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.41.golden.yaml new file mode 100644 index 000000000000..09be88b7ebb5 --- /dev/null +++ b/pkg/plugins/runtime/k8s/webhooks/injector/testdata/inject.sidecar-feature.41.golden.yaml 
@@ -0,0 +1,153 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + k8s.v1.cni.cncf.io/networks: kuma-cni + kubectl.kubernetes.io/default-container: busybox + kuma.io/application-probe-proxy-port: "0" + kuma.io/envoy-admin-port: "9901" + kuma.io/gateway: enabled + kuma.io/sidecar-injected: "true" + kuma.io/sidecar-uid: "5678" + kuma.io/transparent-proxying: enabled + kuma.io/transparent-proxying-inbound-port: "15055" + kuma.io/transparent-proxying-ip-family-mode: ipv4 + kuma.io/transparent-proxying-outbound-port: "15001" + kuma.io/virtual-probes: disabled + kuma.io/virtual-probes-port: "9000" + creationTimestamp: null + labels: + kuma.io/mesh: default + run: busybox + name: busybox +spec: + containers: + - image: busybox + name: busybox + resources: {} + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + initContainers: + - args: + - run + - --log-level=info + - --concurrency=2 + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: KUMA_APPLICATION_PROBE_PROXY_PORT + value: "0" + - name: KUMA_CONTROL_PLANE_CA_CERT + value: | + -----BEGIN CERTIFICATE----- + MIIDMzCCAhugAwIBAgIQDhlInfsXYHamKN+29qnQvzANBgkqhkiG9w0BAQsFADAP + MQ0wCwYDVQQDEwRrdW1hMB4XDTIxMDQwMjEwMjIyNloXDTMxMDMzMTEwMjIyNlow + DzENMAsGA1UEAxMEa3VtYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AL4GGg+e2O7eA12F0F6v2rr8j2iVSFKepnZtL15lrCds6lqK50sXWOw8PKZp2ihA + XJVTSZzKasyLDTAR9VYQjTpE526EzvtdthSagf32QWW+wY6LMpEdexKOOCx2se55 + Rd97L33yYPfgX15OYliHPD056jjhotHLdN2lpy7+STDvQyRnXAu73YkY37Ed4hI4 + t/V6soHyEGNcDhm9p5fBGqz0njBbQkp2lTY5/kj42qB7Q6rCM2tbPsEMooeAAw5m + hyY4xj0tP9ucqlUz8gc+6o8HDNst8NeJXZktWn+COytjr/NzGgS22kvSDphisJot + o0FyoIOdAtxC1qxXXR+XuUUCAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCAqQwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYD + VR0OBBYEFKRLkgIzX/OjKw9idepuQ/RMtT+AMCYGA1UdEQQfMB2CCWxvY2FsaG9z + 
dIcQ/QChIwAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAPs5yJZhoYlGW + CpA8dSISivM8/8iBNQ3fVwP63ft0EJLMVGu2RFZ4/UAJ/rUPSGN8xhXSk5+1d56a + /kaH9rX0HaRIHHlxA7iPUKxAj44x9LKmqPHToL3XlWY1AXzvicW9d+GM2FaQee+I + leaqLbz0AZvlnu271Z1CeaACuU9GljujvyiTTE9naHUEqvHgSpPtilJalyJ5/zIl + Z9F0+UWt3TOYMs5g+SCt0MwHTNbisbmewpcFFJzjt2kvtrc9t9dkF81xhcS19w7q + h1AeP3RRlLl7bv9EAVXEmIavih/29PA3ZSy+pbYNW7jNJHjMQ4hQ0E+xcCazU/O4 + ypWGaanvPg== + -----END CERTIFICATE----- + - name: KUMA_CONTROL_PLANE_URL + value: http://kuma-control-plane.kuma-system:5681 + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 31s + - name: KUMA_DATAPLANE_MESH + value: default + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DNS_ENABLED + value: "false" + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: kuma/kuma-sidecar:latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - killall + - -USR2 + - kuma-dp + livenessProbe: + failureThreshold: 212 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 260 + periodSeconds: 25 + successThreshold: 1 + timeoutSeconds: 23 + name: kuma-sidecar + readinessProbe: + failureThreshold: 112 + httpGet: + path: /ready + port: 9901 + initialDelaySeconds: 11 + periodSeconds: 15 + successThreshold: 11 + timeoutSeconds: 13 + resources: + limits: + cpu: 1100m + ephemeral-storage: 1G + memory: 1512Mi + requests: + cpu: 150m + ephemeral-storage: 50M + memory: 164Mi + restartPolicy: Always + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 5678 + runAsUser: 5678 + startupProbe: + httpGet: + path: /ready + port: 9901 + successThreshold: 1 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: default-token-w7dxf + readOnly: true + - mountPath: /tmp + name: kuma-sidecar-tmp + 
volumes: + - name: default-token-w7dxf + secret: + secretName: default-token-w7dxf + - emptyDir: + sizeLimit: 10M + name: kuma-init-tmp + - emptyDir: + sizeLimit: 10M + name: kuma-sidecar-tmp +status: {} diff --git a/test/framework/envs/multizone/env.go b/test/framework/envs/multizone/env.go index ad2ac90cd9de..cfba26a402b3 100644 --- a/test/framework/envs/multizone/env.go +++ b/test/framework/envs/multizone/env.go @@ -91,6 +91,7 @@ func SetupAndGetState() []byte { Expect(KubeZone1.Install(Kuma(core.Zone, kubeZone1Options...))).To(Succeed()) }() +<<<<<<< HEAD kubeZone2Options := append( []framework.KumaDeploymentOption{ WithEnv("KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF", "1s"), @@ -102,6 +103,21 @@ func SetupAndGetState() []byte { WithCNI(), }, framework.KumaDeploymentOptionsFromConfig(framework.Config.KumaCpConfig.Multizone.KubeZone2)..., +======= + kubeZone2Options := framework.KumaDeploymentOptionsFromConfig(framework.Config.KumaCpConfig.Multizone.KubeZone2) + kubeZone2Options = append(kubeZone2Options, WithCNI()) + KubeZone2 = setupKubeZone(&wg, Kuma2, kubeZone2Options...) + + UniZone1 = setupUniZone(&wg, Kuma4, framework.KumaDeploymentOptionsFromConfig(framework.Config.KumaCpConfig.Multizone.UniZone1)...) + + vipCIDROverride := "251.0.0.0/8" + if Config.IPV6 { + vipCIDROverride = "fd00:fd11::/64" + } + uniZone2Options := append( + framework.KumaDeploymentOptionsFromConfig(framework.Config.KumaCpConfig.Multizone.UniZone2), + WithEnv("KUMA_IPAM_MESH_SERVICE_CIDR", vipCIDROverride), // just to see that the status is not synced around +>>>>>>> ebcc4be57 (fix(cni): delegated gateway was not correctly injected (#11922)) ) KubeZone2 = NewK8sCluster(NewTestingT(), Kuma2, Verbose) go func() {
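Review bot: The HEAD side of the second env.go hunk already passes `WithCNI()` in `kubeZone2Options`, so on this branch the incoming lines appear redundant for the stated goal of running Zone 2 in CNI mode. The incoming side also calls `setupKubeZone`, `setupUniZone` and uses `Kuma4` and `UniZone1`, none of which are defined in the visible lines, and the HEAD line `KubeZone2 = NewK8sCluster(NewTestingT(), Kuma2, Verbose)` still follows the closing marker, so keeping both sides would assign `KubeZone2` twice. Resolving both env.go conflict regions to the HEAD side looks like the safe choice unless those helpers exist on the target branch. SetupAndGetState starts and ends outside the hunks.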