Merge pull request #40 from netfoundry/refactor-for-router

Author: dariuszSki

.gitignore

@@ -23,7 +23,5 @@
 # build dir
 /build
 
-# local temp files
-/ziti-agent.yaml
-/ziti-client.yaml
-/test-admin.j*
+# local test files
+/test-*

README.md

@@ -79,16 +79,41 @@ Pods authorized to bind a Ziti service require that service to have a host addre
 These optional variables will override defaults.
 
 ```bash
-export ZITI_AGENT_NAMESPACE="default"
-export CLUSTER_DNS_ZONE="cluster.local"
+# Namespace configuration
+export ZITI_AGENT_NAMESPACE="default"      # Namespace to deploy the agent
+export CLUSTER_DNS_ZONE="cluster.local"    # Kubernetes cluster DNS zone
+
+# Agent image configuration
+export ZITI_AGENT_IMAGE="docker.io/netfoundry/ziti-k8s-agent"  # Agent container image
+export ZITI_AGENT_IMAGE_PULL_POLICY="IfNotPresent"             # Pull policy for agent image
+export ZITI_AGENT_LOG_LEVEL="2"                                # Log level for agent (0-5)
+
+# Sidecar configuration
+export SIDECAR_IMAGE="docker.io/openziti/ziti-tunnel"         # Sidecar container image
+export SIDECAR_IMAGE_VERSION="latest"                         # Sidecar image version
+export SIDECAR_IMAGE_PULL_POLICY="IfNotPresent"              # Pull policy for sidecar image
+
+# Resource configuration
+export ZITI_AGENT_CPU="100m"              # CPU request for agent
+export ZITI_AGENT_MEMORY="128Mi"          # Memory request for agent
+export ZITI_AGENT_CPU_LIMIT="500m"        # CPU limit for agent
+export ZITI_AGENT_MEMORY_LIMIT="512Mi"    # Memory limit for agent
+
+# Webhook configuration
+export ZITI_AGENT_WEBHOOK_FAILURE_POLICY="Fail"  # How webhook failures are handled (Fail or Ignore)
+
+# DNS configuration
+export SEARCH_DOMAINS=""                   # Space-separated list of DNS search domains
 ```
 
 You may replace the cluster's default DNS search domains for selected pods by exporting `SEARCH_DOMAINS` as a space separated list of domain name suffixes. This may be useful if the selected pods never need to resolve the names of cluster services, but do need to resolve short names in a DNS zone that you control outside of the cluster, e.g., `ziti.internal ziti.example.com`.
 
 ### Generate a Manifest
 
-- `IDENTITY_FILE` is the path to the JSON file from the enrollment step.
-- `SIDECAR_SELECTORS` is a comma-separated list of methods by which pods are selected for sidecar injection: `namespace`, `pod`, or both (see [Select Pods for Sidecar Injection](#select-pods-for-sidecar-injection) above).
+Required environment variables:
+
+- `IDENTITY_FILE` - path to the JSON file from the admin identity enrollment step
+- `SIDECAR_SELECTORS` - comma-separated list of methods by which pods are selected for sidecar injection: `namespace`, `pod`, or both (see [Select Pods for Sidecar Injection](#select-pods-for-sidecar-injection) above)
 
 ```bash
 IDENTITY_FILE="ziti-k8s-agent.json" SIDECAR_SELECTORS="namespace,pod" ./generate-ziti-agent-manifest.bash > ./ziti-agent.yaml

generate-ziti-agent-manifest.bash

@@ -189,6 +189,7 @@ webhooks:
   - name: tunnel.ziti.webhook
     admissionReviewVersions: ["v1"]
     matchPolicy: Equivalent
+    failurePolicy: ${ZITI_AGENT_WEBHOOK_FAILURE_POLICY:-Fail}
     namespaceSelector:
       matchExpressions:
         - key: kubernetes.io/metadata.name
@@ -201,16 +202,23 @@ for SELECTOR in "${SELECTORS[@]}"; do
   case "$SELECTOR" in
     namespace)
       cat <<SEL
-    namespaceSelector:
-      matchLabels:
-        tunnel.openziti.io/enabled: "true"
+        - key: tunnel.openziti.io/enabled
+          operator: In
+          values:
+          - "true"
+          - "false"
 SEL
     ;;
     pod)
       cat <<SEL
     objectSelector:
-      matchLabels:
-        tunnel.openziti.io/enabled: "true"
+      namespaceSelector:
+      matchExpressions:
+      - key: tunnel.openziti.io/enabled
+        operator: In
+        values:
+        - "true"
+        - "false"
 SEL
     ;;
     *)
@@ -245,11 +253,8 @@ metadata:
 rules:
   # "" indicates the core API group
   - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "create", "delete"]
-  - apiGroups: [""]
-    resources: ["services"]
-    verbs: ["get"]
+    resources: ["services", "namespaces"]
+    verbs: ["get", "list"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

go.mod

@@ -3,7 +3,7 @@ module github.com/netfoundry/ziti-k8s-agent
 go 1.23.2
 
 require (
-	github.com/openziti/edge-api v0.26.22
+	github.com/openziti/edge-api v0.26.38
 	github.com/openziti/sdk-golang v0.23.39
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.8.1
@@ -12,7 +12,6 @@ require (
 	k8s.io/apimachinery v0.30.3
 	k8s.io/client-go v0.30.3
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 )
 
 require (
@@ -104,6 +103,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	nhooyr.io/websocket v1.8.17 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect

go.sum

@@ -327,8 +327,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/openziti/channel/v2 v2.0.136 h1:XWjcNrPhto2XiD5HLhsh7GhmqfHEweQIJ/eUjtVKUJs=
 github.com/openziti/channel/v2 v2.0.136/go.mod h1:7jhk6JtJPP1O8aWYx+w2IuwCunFJ88Ot4AQcrKiX5og=
-github.com/openziti/edge-api v0.26.22 h1:kpd+SxdO4UO4/SO3DFWyndseY90J5zWtO5EsAqHJHvM=
-github.com/openziti/edge-api v0.26.22/go.mod h1:t0qfgV5u2+HItpvgDIShA69v6m7RZ+PrbQuLQaDDdx8=
+github.com/openziti/edge-api v0.26.38 h1:3xDWC5SFn3qUVR428TIBpRc2lrjVV7Gz0Rx4pQx0JSg=
+github.com/openziti/edge-api v0.26.38/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/foundation/v2 v2.0.56 h1:YXqBmkrN0fYr3TqIlWZSZGluE2QpJxlA29Z6okZyQ5I=
 github.com/openziti/foundation/v2 v2.0.56/go.mod h1:f12R1pwEod348qONZr6esZgackX1ScLGDcEyPF2G5/w=
 github.com/openziti/identity v1.0.94 h1:nF4etu/5LmOlbT24lpSKq9p+90A9jeyLr5U23LemgD4=

ziti-agent/cmd/webhook/config.go

@@ -169,11 +169,9 @@ func lookupEnvVars() {
 	}
 
 	value, ok = os.LookupEnv("ZITI_ROLE_KEY")
-	if ok && len(value) > 0 {
+	if ok {
 		zitiRoleKey = value
 	}
-	if len(zitiRoleKey) == 0 {
-		klog.V(4).Info(&MissingEnvVarError{variable: "ZITI_ROLE_KEY"})
-		klog.V(4).Info(&MissingCmdLineVarError{variable: "ZITI_ROLE_KEY"})
-	}
+	zitiRoleKey = getValueOrDefault(zitiRoleKey, defaultZitiRoleAttributesKey)
+	klog.V(4).Infof("Using Ziti role key: %s", zitiRoleKey)
 }