From 11f79b83dab5d9f3424aee209c46325750abdfb9 Mon Sep 17 00:00:00 2001 From: Gyanendra Mishra Date: Thu, 1 Aug 2024 13:33:38 +0100 Subject: [PATCH] feat: create envoy filters and authorization policies for tracing (#107) --- kontrol-service/api/server.go | 13 +- kontrol-service/engine/flow/constants.go | 52 +++ kontrol-service/engine/flow/render.go | 389 ++++++++++++++++++++++- kontrol-service/go.mod | 6 +- kontrol-service/go.sum | 4 +- kontrol-service/gomod2nix.toml | 4 +- kontrol-service/types/k8s.go | 13 +- 7 files changed, 459 insertions(+), 22 deletions(-) create mode 100644 kontrol-service/engine/flow/constants.go diff --git a/kontrol-service/api/server.go b/kontrol-service/api/server.go index b9b839d..be13db4 100644 --- a/kontrol-service/api/server.go +++ b/kontrol-service/api/server.go @@ -102,6 +102,7 @@ func (sv *Server) GetTenantUuidTopology(_ context.Context, request api.GetTenant func (sv *Server) GetTenantUuidClusterResources(_ context.Context, request managerapi.GetTenantUuidClusterResourcesRequestObject) (managerapi.GetTenantUuidClusterResourcesResponseObject, error) { namespace := "prod" + // TODO - this can be removed? if cluster, found := sv.clusterByTenant[request.Uuid]; found { clusterResources := template.RenderClusterResources(cluster) managerAPIClusterResources := newManagerAPIClusterResources(clusterResources) @@ -156,10 +157,12 @@ func applyProdDevFlow(sv *Server, tenantUuidStr string, serviceConfigs []apitype func newManagerAPIClusterResources(clusterResources types.ClusterResources) managerapitypes.ClusterResources { return managerapitypes.ClusterResources{ - Deployments: &clusterResources.Deployments, - Services: &clusterResources.Services, - VirtualServices: &clusterResources.VirtualServices, - DestinationRules: &clusterResources.DestinationRules, - Gateway: &clusterResources.Gateway, + Deployments: &clusterResources.Deployments, + Services: &clusterResources.Services, + VirtualServices: &clusterResources.VirtualServices, + DestinationRules: &clusterResources.DestinationRules, + Gateway: &clusterResources.Gateway, + EnvoyFilters: &clusterResources.EnvoyFilters, + AuthorizationPolicies: &clusterResources.AuthorizationPolicies, } } diff --git a/kontrol-service/engine/flow/constants.go b/kontrol-service/engine/flow/constants.go new file mode 100644 index 0000000..c50869b --- /dev/null +++ b/kontrol-service/engine/flow/constants.go @@ -0,0 +1,52 @@ +package flow + +const ( + inboundRequestTraceIDFilter = ` +function envoy_on_request(request_handle) + local headers = request_handle:headers() + local trace_id = headers:get("x-kardinal-trace-id") + + if not trace_id then + request_handle:respond( + {[":status"] = "400"}, + "Missing required x-kardinal-trace-id header" + ) + end +end +` + // TODO(gm) - drop fallbacks and just exit the request like you exit in inboundRequestTraceIDFilter + outgoingRequestTraceIDFilter = ` +function envoy_on_request(request_handle) + local headers = request_handle:headers() + local trace_id = headers:get("x-kardinal-trace-id") + local hostname = headers:get(":authority") + + if trace_id then + local destination = determine_destination(request_handle, trace_id, hostname) + request_handle:headers():add("x-kardinal-destination", destination) + end +end + +function determine_destination(request_handle, trace_id, hostname) + hostname = hostname:match("^([^:]+)") + local headers, body = request_handle:httpCall( + "outbound|8080||trace-router.default.svc.cluster.local", + { + [":method"] = "GET", + [":path"] = "/route?trace_id=" .. trace_id .. "&hostname=" .. hostname, + [":authority"] = "trace-router.default.svc.cluster.local" + }, + "", + 5000 + ) + + if not headers then + return hostname .. "-prod" -- Fallback to prod + end + + return body +end +` + + luaFilterType = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" +) diff --git a/kontrol-service/engine/flow/render.go b/kontrol-service/engine/flow/render.go index 8324832..c7d5a1e 100644 --- a/kontrol-service/engine/flow/render.go +++ b/kontrol-service/engine/flow/render.go @@ -2,35 +2,77 @@ package flow import ( "fmt" - "github.com/samber/lo" + "github.com/sirupsen/logrus" + "google.golang.org/protobuf/types/known/structpb" "istio.io/api/networking/v1alpha3" + securityapi "istio.io/api/security/v1beta1" + typev1beta1 "istio.io/api/type/v1beta1" istioclient "istio.io/client-go/pkg/apis/networking/v1alpha3" + securityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1" appsv1 "k8s.io/api/apps/v1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" "kardinal.kontrol-service/types" "kardinal.kontrol-service/types/cluster_topology/resolved" + "strings" ) +// RenderClusterResources returns a cluster resource for a given topology +// Perhaps we can make this throw an error if the # of extHosts != # of versions +// This assumes that there is a dev version of the ext host as well func RenderClusterResources(clusterTopology *resolved.ClusterTopology, namespace string) types.ClusterResources { virtualServices := []istioclient.VirtualService{} destinationRules := []istioclient.DestinationRule{} + envoyFilters := []istioclient.EnvoyFilter{} + authorizationPolicies := []securityv1beta1.AuthorizationPolicy{} + serviceSeenSet := map[string]bool{} + + servicesAgainstVersions := map[string][]string{} + versionsAgainstExtHost := map[string]string{} + for _, service := range clusterTopology.Services { var gateway *string var extHost *string + if _, found := servicesAgainstVersions[service.ServiceID]; !found { + servicesAgainstVersions[service.ServiceID] = []string{} + } + servicesAgainstVersions[service.ServiceID] = append(servicesAgainstVersions[service.ServiceID], service.Version) + if clusterTopology.IsIngressDestination(service) { gateway = &clusterTopology.Ingress.IngressID extHost = clusterTopology.Ingress.GetHost() + versionsAgainstExtHost[service.Version] = *extHost } virtualService, destinationRule := getVirtualService(service, namespace, gateway, extHost) virtualServices = append(virtualServices, *virtualService) if destinationRule != nil { destinationRules = append(destinationRules, *destinationRule) } + + if _, found := serviceSeenSet[service.ServiceID]; found { + continue + } + + logrus.Infof("adding filters and authorization policies for service '%s'", service.ServiceID) + + envoyFiltersForService := getEnvoyFilters(service, namespace) + envoyFilters = append(envoyFilters, envoyFiltersForService...) + + authorizationPolicy := getAuthorizationPolicy(service, namespace) + if authorizationPolicy != nil { + authorizationPolicies = append(authorizationPolicies, *authorizationPolicy) + } + + serviceSeenSet[service.ServiceID] = true } + logrus.Infof("have total of %d envoy filters", len(envoyFilters)) + + gatewayFilter := getEnvoyFilterForGateway(servicesAgainstVersions, versionsAgainstExtHost) + envoyFilters = append(envoyFilters, *gatewayFilter) + return types.ClusterResources{ Services: lo.Map(clusterTopology.Services, func(service *resolved.Service, _ int) v1.Service { return *getService(service, namespace) @@ -45,6 +87,9 @@ func RenderClusterResources(clusterTopology *resolved.ClusterTopology, namespace VirtualServices: virtualServices, DestinationRules: destinationRules, + + EnvoyFilters: envoyFilters, + AuthorizationPolicies: []securityv1beta1.AuthorizationPolicy{}, } } @@ -53,6 +98,7 @@ func getTCPRoute(service *resolved.Service, servicePort *v1.ServicePort) *v1alph Match: []*v1alpha3.L4MatchAttributes{{ Port: uint32(servicePort.Port), }}, + // TODO(edgar) - do we need the version here? Route: []*v1alpha3.RouteDestination{ { Destination: &v1alpha3.Destination{ @@ -67,15 +113,39 @@ func getTCPRoute(service *resolved.Service, servicePort *v1.ServicePort) *v1alph } } -func getHTTPRoute(service *resolved.Service, servicePort *v1.ServicePort) *v1alpha3.HTTPRoute { +func getHTTPRoute(service *resolved.Service, host *string) *v1alpha3.HTTPRoute { + matches := []*v1alpha3.HTTPMatchRequest{ + { + Headers: map[string]*v1alpha3.StringMatch{ + "x-kardinal-destination": { + MatchType: &v1alpha3.StringMatch_Exact{ + Exact: service.ServiceID + "-" + service.Version, + }, + }, + }, + }, + } + + if host != nil { + matches = append(matches, &v1alpha3.HTTPMatchRequest{ + Headers: map[string]*v1alpha3.StringMatch{ + "x-kardinal-destination": { + MatchType: &v1alpha3.StringMatch_Exact{ + Exact: *host + "-" + service.Version, + }, + }, + }, + }) + } + return &v1alpha3.HTTPRoute{ + Match: matches, Route: []*v1alpha3.HTTPRouteDestination{ { Destination: &v1alpha3.Destination{ Host: service.ServiceID, Subset: service.Version, }, - Weight: 100, }, }, } @@ -88,8 +158,8 @@ func getVirtualService(service *resolved.Service, namespace string, gateway *str virtualServiceSpec := v1alpha3.VirtualService{} var destinationRule *istioclient.DestinationRule - if servicePort.AppProtocol != nil && *servicePort.AppProtocol == "HTTP" { - virtualServiceSpec.Http = []*v1alpha3.HTTPRoute{getHTTPRoute(service, servicePort)} + if isHttp(service) { + virtualServiceSpec.Http = []*v1alpha3.HTTPRoute{getHTTPRoute(service, extHost)} destinationRule = getDestinationRule(service, namespace) } else { virtualServiceSpec.Tcp = []*v1alpha3.TCPRoute{getTCPRoute(service, servicePort)} @@ -244,3 +314,312 @@ func getGateway(ingress *resolved.Ingress, namespace string) *istioclient.Gatewa }, } } + +func getEnvoyFilters(service *resolved.Service, namespace string) []istioclient.EnvoyFilter { + if !isHttp(service) { + return []istioclient.EnvoyFilter{} + } + inboundFilter := &istioclient.EnvoyFilter{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "networking.istio.io/v1alpha3", + Kind: "EnvoyFilter", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%s-inbound-trace-id-check", service.ServiceID), + Namespace: namespace, + }, + Spec: v1alpha3.EnvoyFilter{ + WorkloadSelector: &v1alpha3.WorkloadSelector{ + Labels: map[string]string{ + "app": service.ServiceID, + }, + }, + ConfigPatches: []*v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ + { + ApplyTo: v1alpha3.EnvoyFilter_HTTP_FILTER, + Match: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ + Context: v1alpha3.EnvoyFilter_SIDECAR_INBOUND, + ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_Listener{ + Listener: &v1alpha3.EnvoyFilter_ListenerMatch{ + FilterChain: &v1alpha3.EnvoyFilter_ListenerMatch_FilterChainMatch{ + Filter: &v1alpha3.EnvoyFilter_ListenerMatch_FilterMatch{ + Name: "envoy.filters.network.http_connection_manager", + }, + }, + }, + }, + }, + Patch: &v1alpha3.EnvoyFilter_Patch{ + Operation: v1alpha3.EnvoyFilter_Patch_INSERT_BEFORE, + Value: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "name": {Kind: &structpb.Value_StringValue{StringValue: "envoy.lua"}}, + "typed_config": { + Kind: &structpb.Value_StructValue{ + StructValue: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "@type": {Kind: &structpb.Value_StringValue{StringValue: luaFilterType}}, + "inlineCode": {Kind: &structpb.Value_StringValue{StringValue: inboundRequestTraceIDFilter}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } + + outboundFilter := &istioclient.EnvoyFilter{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "networking.istio.io/v1alpha3", + Kind: "EnvoyFilter", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%s-outbound-trace-router", service.ServiceID), + Namespace: namespace, + }, + Spec: v1alpha3.EnvoyFilter{ + WorkloadSelector: &v1alpha3.WorkloadSelector{ + Labels: map[string]string{ + "app": service.ServiceID, + }, + }, + ConfigPatches: []*v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ + { + ApplyTo: v1alpha3.EnvoyFilter_HTTP_FILTER, + Match: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ + Context: v1alpha3.EnvoyFilter_SIDECAR_OUTBOUND, + ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_Listener{ + Listener: &v1alpha3.EnvoyFilter_ListenerMatch{ + FilterChain: &v1alpha3.EnvoyFilter_ListenerMatch_FilterChainMatch{ + Filter: &v1alpha3.EnvoyFilter_ListenerMatch_FilterMatch{ + Name: "envoy.filters.network.http_connection_manager", + }, + }, + }, + }, + }, + Patch: &v1alpha3.EnvoyFilter_Patch{ + Operation: v1alpha3.EnvoyFilter_Patch_INSERT_BEFORE, + Value: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "name": {Kind: &structpb.Value_StringValue{StringValue: "envoy.lua"}}, + "typed_config": { + Kind: &structpb.Value_StructValue{ + StructValue: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "@type": {Kind: &structpb.Value_StringValue{StringValue: luaFilterType}}, + "inlineCode": {Kind: &structpb.Value_StringValue{StringValue: outgoingRequestTraceIDFilter}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } + + return []istioclient.EnvoyFilter{*inboundFilter, *outboundFilter} +} + +// getAuthorizationPolicy returns an authorization policy that denies requests with the missing header +// this is not really needed as we have an inbound rule +func getAuthorizationPolicy(service *resolved.Service, namespace string) *securityv1beta1.AuthorizationPolicy { + if !isHttp(service) { + return nil + } + return &securityv1beta1.AuthorizationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: fmt.Sprintf("%s-require-trace-id", service.ServiceID), + Namespace: namespace, + }, + Spec: securityapi.AuthorizationPolicy{ + Selector: &typev1beta1.WorkloadSelector{ + MatchLabels: map[string]string{ + "app": service.ServiceID, + }, + }, + Action: securityapi.AuthorizationPolicy_DENY, + Rules: []*securityapi.Rule{ + { + When: []*securityapi.Condition{ + { + Key: "request.headers[x-kardinal-trace-id]", + NotValues: []string{"*"}, + }, + }, + }, + }, + }, + } +} + +func getEnvoyFilterForGateway(servicesAgainstVersions map[string][]string, serviceAndVersionAgainstExtHost map[string]string) *istioclient.EnvoyFilter { + luaScript := generateDynamicLuaScript(servicesAgainstVersions, serviceAndVersionAgainstExtHost) + + return &istioclient.EnvoyFilter{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "networking.istio.io/v1alpha3", + Kind: "EnvoyFilter", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "kardinal-gateway-tracing", + Namespace: "istio-system", + }, + Spec: v1alpha3.EnvoyFilter{ + WorkloadSelector: &v1alpha3.WorkloadSelector{ + Labels: map[string]string{ + "istio": "ingressgateway", + }, + }, + ConfigPatches: []*v1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{ + { + ApplyTo: v1alpha3.EnvoyFilter_HTTP_FILTER, + Match: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{ + Context: v1alpha3.EnvoyFilter_GATEWAY, + ObjectTypes: &v1alpha3.EnvoyFilter_EnvoyConfigObjectMatch_Listener{ + Listener: &v1alpha3.EnvoyFilter_ListenerMatch{ + FilterChain: &v1alpha3.EnvoyFilter_ListenerMatch_FilterChainMatch{ + Filter: &v1alpha3.EnvoyFilter_ListenerMatch_FilterMatch{ + Name: "envoy.filters.network.http_connection_manager", + }, + }, + }, + }, + }, + Patch: &v1alpha3.EnvoyFilter_Patch{ + Operation: v1alpha3.EnvoyFilter_Patch_INSERT_BEFORE, + Value: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "name": {Kind: &structpb.Value_StringValue{StringValue: "envoy.lua"}}, + "typed_config": { + Kind: &structpb.Value_StructValue{ + StructValue: &structpb.Struct{ + Fields: map[string]*structpb.Value{ + "@type": {Kind: &structpb.Value_StringValue{StringValue: luaFilterType}}, + "inlineCode": {Kind: &structpb.Value_StringValue{StringValue: luaScript}}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } +} + +func generateDynamicLuaScript(servicesAgainstVersions map[string][]string, versionAgainstExtHost map[string]string) string { + var setRouteCalls strings.Builder + + // Helper function to add a setRoute call + addSetRouteCall := func(service, destination string) { + setRouteCalls.WriteString(fmt.Sprintf(` + request_handle:httpCall( + "outbound|8080||trace-router.default.svc.cluster.local", + { + [":method"] = "POST", + [":path"] = "/set-route?trace_id=" .. trace_id .. "&hostname=%s&destination=%s", + [":authority"] = "trace-router.default.svc.cluster.local", + ["Content-Type"] = "application/json" + }, + "{}", + 5000 + ) +`, service, destination)) + } + + // This is the one we are interested in + // For prod host all goes to prod + // For non prod host we add a non prod mapping for the non prod service and everything else falls back + for service, versions := range servicesAgainstVersions { + for _, version := range versions { + setRouteCalls.WriteString(fmt.Sprintf(` + if hostname == "%s" then`, versionAgainstExtHost[version])) + destination := fmt.Sprintf("%s-%s", service, version) + addSetRouteCall(service, destination) + setRouteCalls.WriteString(` + end`) + } + } + + // this gets consumed by the virtual source route for the gateway + for version, extHost := range versionAgainstExtHost { + destination := fmt.Sprintf("%s-%s", extHost, version) + addSetRouteCall(extHost, destination) + } + + return fmt.Sprintf(` +function envoy_on_request(request_handle) + local headers = request_handle:headers() + local trace_id = headers:get("x-kardinal-trace-id") + local hostname = headers:get(":authority") + + request_handle:logInfo("Processing request - Initial trace ID: " .. (trace_id or "none") .. ", Hostname: " .. (hostname or "none")) + + if not trace_id then + trace_id = string.format("%%032x", math.random(2^128 - 1)) + request_handle:logInfo("Generated new trace ID: " .. trace_id) + + local generate_headers, generate_body = request_handle:httpCall( + "outbound|8080||trace-router.default.svc.cluster.local", + { + [":method"] = "GET", + [":path"] = "/generate-trace-id", + [":authority"] = "trace-router.default.svc.cluster.local" + }, + "", + 5000 + ) + + if generate_headers and generate_headers[":status"] == "200" then + trace_id = generate_body + request_handle:logInfo("Received trace ID from trace-router: " .. trace_id) + else + request_handle:logWarn("Failed to get trace ID from trace-router, using generated: " .. trace_id) + end + + request_handle:headers():add("x-kardinal-trace-id", trace_id) + + %s + end + + local determine_headers, determine_body = request_handle:httpCall( + "outbound|8080||trace-router.default.svc.cluster.local", + { + [":method"] = "GET", + [":path"] = "/route?trace_id=" .. trace_id .. "&hostname=" .. hostname, + [":authority"] = "trace-router.default.svc.cluster.local" + }, + "", + 5000 + ) + + local destination + if determine_headers and determine_headers[":status"] == "200" then + destination = determine_body + request_handle:logInfo("Determined destination: " .. destination) + else + destination = hostname .. "-prod" + request_handle:logWarn("Failed to determine destination, using fallback: " .. destination) + end + + request_handle:headers():add("x-kardinal-destination", destination) + request_handle:logInfo("Final headers - Trace ID: " .. trace_id .. ", Destination: " .. destination) +end +`, setRouteCalls.String()) +} + +// isHttp - TODO support multiple ports +func isHttp(service *resolved.Service) bool { + servicePort := &service.ServiceSpec.Ports[0] + return servicePort.AppProtocol != nil && *servicePort.AppProtocol == "HTTP" +} diff --git a/kontrol-service/go.mod b/kontrol-service/go.mod index 27318fa..2ace97a 100644 --- a/kontrol-service/go.mod +++ b/kontrol-service/go.mod @@ -7,13 +7,13 @@ toolchain go1.22.3 require ( github.com/dominikbraun/graph v0.23.0 github.com/kurtosis-tech/kardinal/libs/cli-kontrol-api v0.0.0-20240712091137-4bcda1fd7034 - github.com/kurtosis-tech/kardinal/libs/manager-kontrol-api v0.0.0-20240704193727-15a1b0d2bfb8 + github.com/kurtosis-tech/kardinal/libs/manager-kontrol-api v0.0.0-20240729141447-216e60670e4d github.com/kurtosis-tech/stacktrace v0.0.0-20211028211901-1c67a77b5409 github.com/labstack/echo/v4 v4.12.0 - github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 github.com/samber/lo v1.39.0 github.com/sirupsen/logrus v1.8.1 github.com/stretchr/testify v1.9.0 + google.golang.org/protobuf v1.34.1 gopkg.in/yaml.v2 v2.4.0 istio.io/api v1.22.1-0.20240524024004-b6815be0740d istio.io/client-go v1.22.1 @@ -42,6 +42,7 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect github.com/oapi-codegen/runtime v1.1.1 // indirect github.com/perimeterx/marshmallow v1.1.5 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect @@ -55,7 +56,6 @@ require ( golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.5.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect - google.golang.org/protobuf v1.34.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect diff --git a/kontrol-service/go.sum b/kontrol-service/go.sum index 284dba1..8dabf1a 100644 --- a/kontrol-service/go.sum +++ b/kontrol-service/go.sum @@ -46,8 +46,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kurtosis-tech/kardinal/libs/cli-kontrol-api v0.0.0-20240712091137-4bcda1fd7034 h1:Dho48cym5VAhbp4d9jxQr+gA7Hld/RPL718W25aHv+o= github.com/kurtosis-tech/kardinal/libs/cli-kontrol-api v0.0.0-20240712091137-4bcda1fd7034/go.mod h1:Zlbpg7q5pTUaddoMN9zaraCNvvuD4KJNPPC8WyUF8DI= -github.com/kurtosis-tech/kardinal/libs/manager-kontrol-api v0.0.0-20240704193727-15a1b0d2bfb8 h1:LD7k8zDrdd587YlPCr9dfRyI8gQPjhJqgAeF72/DqOo= -github.com/kurtosis-tech/kardinal/libs/manager-kontrol-api v0.0.0-20240704193727-15a1b0d2bfb8/go.mod h1:lj6oLhpXgnc9ZaulV7jysgRaeZUDPK6XiM2TxpcGRqM= +github.com/kurtosis-tech/kardinal/libs/manager-kontrol-api v0.0.0-20240729141447-216e60670e4d h1:SmNXPJG4CPN3HeW0vB9oCSEv2poBMaRCsEyJL/R3TYA= +github.com/kurtosis-tech/kardinal/libs/manager-kontrol-api v0.0.0-20240729141447-216e60670e4d/go.mod h1:lj6oLhpXgnc9ZaulV7jysgRaeZUDPK6XiM2TxpcGRqM= github.com/kurtosis-tech/stacktrace v0.0.0-20211028211901-1c67a77b5409 h1:YQTATifMUwZEtZYb0LVA7DK2pj8s71iY8rzweuUQ5+g= github.com/kurtosis-tech/stacktrace v0.0.0-20211028211901-1c67a77b5409/go.mod h1:y5weVs5d9wXXHcDA1awRxkIhhHC1xxYJN8a7aXnE6S8= github.com/labstack/echo/v4 v4.12.0 h1:IKpw49IMryVB2p1a4dzwlhP1O2Tf2E0Ir/450lH+kI0= diff --git a/kontrol-service/gomod2nix.toml b/kontrol-service/gomod2nix.toml index 260bd50..ccf58e7 100644 --- a/kontrol-service/gomod2nix.toml +++ b/kontrol-service/gomod2nix.toml @@ -200,8 +200,8 @@ schema = 3 version = "v0.0.0-20240712091137-4bcda1fd7034" hash = "sha256-f+f7kLaepL6un6tZJ7PVvCxANHlUGDcA2WYLm75SfGc=" [mod."github.com/kurtosis-tech/kardinal/libs/manager-kontrol-api"] - version = "v0.0.0-20240704193727-15a1b0d2bfb8" - hash = "sha256-3uOWMwe8QIi92v9MY43g3mx+yHS635GSgg4R124Iqpg=" + version = "v0.0.0-20240729141447-216e60670e4d" + hash = "sha256-Bgkp3c31Dh9cgCrUsyCdQnQYjnQ49dd9AmYY35VscZA=" [mod."github.com/kurtosis-tech/stacktrace"] version = "v0.0.0-20211028211901-1c67a77b5409" hash = "sha256-xm9l7tlCb0U25WJvByFikWxnAmOwTmOtlSDBdbyDMMY=" diff --git a/kontrol-service/types/k8s.go b/kontrol-service/types/k8s.go index a678da7..834e3c8 100644 --- a/kontrol-service/types/k8s.go +++ b/kontrol-service/types/k8s.go @@ -2,14 +2,17 @@ package types import ( "istio.io/client-go/pkg/apis/networking/v1alpha3" + securityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" ) type ClusterResources struct { - Services []corev1.Service `json:"services"` - Deployments []appsv1.Deployment `json:"deployments"` - VirtualServices []v1alpha3.VirtualService `json:"virtualServices"` - DestinationRules []v1alpha3.DestinationRule `json:"destinationRules"` - Gateway v1alpha3.Gateway `json:"gateway"` + Services []corev1.Service `json:"services"` + Deployments []appsv1.Deployment `json:"deployments"` + VirtualServices []v1alpha3.VirtualService `json:"virtualServices"` + DestinationRules []v1alpha3.DestinationRule `json:"destinationRules"` + Gateway v1alpha3.Gateway `json:"gateway"` + EnvoyFilters []v1alpha3.EnvoyFilter `json:"envoy_filters"` + AuthorizationPolicies []securityv1beta1.AuthorizationPolicy `json:"authorization_policies"` }