Merge pull request #266 from appgate/improvements

Logging improvements + README for Non-Deployment Injection

README.md

@@ -22,6 +22,7 @@ For ingress access, from external clients to SDP Gateway protected workloads in
   * [Alternative Client Versions](#alternative-client-versions)
   * [Init Containers](#init-containers)
   * [Multiple Clusters](#multiple-clusters)
+  * [Injecting SDP Client to Non-Deployment Resources](#injecting-sdp-client-to-non-deployment-resource)
 * [Annotations](#annotations)
 * [Helm Values](#parameters)
   * [SDP Parameters](#sdp-parameters)
@@ -323,6 +324,101 @@ $ kubectl annotate Deployment <DEPLOYMENT> k8s.appgate.com/sdp-injector.disable-
 ### Multiple Clusters
 You can connect multiple Kubernetes clusters to a single SDP system by installing an injector on each cluster. When installing the Injector, set a unique cluster ID in the helm value `sdp.clusterID`. To prevent collision of resources created by the Injector, the SDP system will use this ID as a tag or prefix (e.g. Client Profiles, Service Users). It is advised to tag your admin users for each injector with the cluster ID.
 
+### Injecting SDP Client to Non-Deployment Resource
+SDP Injector only supports Deployment out of the box, but there is a workaround to support other Kubernetes resources such as Pods, Replicasets, Statefulsets, etc. using the SDPService CRD.
+
+In the example below, we will use a ReplicaSet as an example for Non-Deployment resource use-case. Assume the `sdp-demo` namespace is enabled for injection.
+
+Applying the following SDPService will generate a ServiceIdentity (e.g. allocate service user and device IDs) for the replicaset. 
+```yaml
+apiVersion: injector.sdp.com/v1
+kind: SDPService
+metadata:
+  labels:
+    app: example-replicaset
+  name: example-replicaset
+  namespace: sdp-demo
+spec:
+  kind: replicaset
+  name: example-replicaset
+```
+
+In the IdentityService, you should see logs about ServiceIdentity, secret, and config being created for the SDPService:
+```log
+[IdentityManager] [sdp-demo_example-replicaset] New ServiceIdentity requested for ServiceCandidate sdp-demo_example-replicaset
+[IdentityManager] [sdp-demo_example-replicaset] ServiceCandidate sdp-demo_example-replicaset has no associated ServiceIdentities. Registering.
+[IdentityManager] [sdp-demo-example-replicaset] Creating ServiceIdentity
+[IdentityManager] [sdp-demo_example-replicaset] ServiceIdentity created for service sdp-demo_example-replicaset
+[IdentityManager] [sdp-demo_example-replicaset] Requesting new UserCredentials to add to the pool
+[IdentityCreator] Creating ServiceUser 524a6a36-697a-4cc1-a220-e27f82b46a10 (id: 524a6a36-697a-4cc1-a220-e27f82b46a10)
+[SDPSystem] Creating new ServiceUser in SDP system: 524a6a36-697a-4cc1-a220-e27f82b46a10
+[ServiceIdentityProvider] Password entry update for ServiceUser 524a6a36-697a-4cc1-a220-e27f82b46a10 is required
+[ServiceIdentityProvider] Creating secrets in K8S for ServiceUer: 524a6a36-697a-4cc1-a220-e27f82b46a10
+[IdentityCreator] New ServiceUser 524a6a36-697a-4cc1-a220-e27f82b46a10 (id: 524a6a36-697a-4cc1-a220-e27f82b46a10) created, notifying IdentityManager
+[IdentityCreator] [sdp-demo_example-replicaset] Activating ServiceUser test_sdp-demo_example-replicaset_u6pww (id: 0bb4b9ca-a16d-45b6-9359-24dffca293e2)
+[IdentityManager] [524a6a36-697a-4cc1-a220-e27f82b46a10 | 524a6a36-697a-4cc1-a220-e27f82b46a10] Found deactivated ServiceUser
+[SDPSystem] Modifying new ServiceUser in SDP system: [test_sdp-demo_example-replicaset_u6pww] 0bb4b9ca-a16d-45b6-9359-24dffca293e2
+[SDPSystem] Authenticating with SDP Controller
+[IdentityCreator] [sdp-demo_example-replicaset] Creating secrets for ServiceUser test_sdp-demo_example-replicaset_u6pww (id: 0bb4b9ca-a16d-45b6-9359-24dffca293e2)
+[IdentityManager] [sdp-demo_example-replicaset] ServiceUser test_sdp-demo_example-replicaset_u6pww (id: 0bb4b9ca-a16d-45b6-9359-24dffca293e2) has been activated, updating ServiceIdentity
+[IdentityCreator] [sdp-demo_example-replicaset] Creating config for ServiceUser example-replicaset
+```
+
+The following is the corresponding ServiceIdentity created by the IdentityService
+```yaml
+apiVersion: injector.sdp.com/v1
+kind: ServiceIdentity
+metadata:
+  name: sdp-demo-example-replicaset
+  namespace: sdp-system
+spec:
+  disabled: false
+  labels:
+    app: example-replicaset
+    name: example-replicaset
+    namespace: sdp-demo
+  service_name: example-replicaset
+  service_namespace: sdp-demo
+  service_user:
+    device_ids: []
+    id: <UUID>
+    name: test_sdp-demo_example-replicaset_u6pww
+    password: <PASSWORD>
+    profile_url: appgate://<HOSTNAME>/xxxxxxxxxxx
+```
+
+Add following annotation to the podTemplate of the Replicaset. The annotation value must match the name of the SDPService 
+```yaml
+"k8s.appgate.com/sdp-injector.pod-name": "example-replicaset"
+```
+The resulting ReplicaSet definition is as follows
+```yaml
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+  name: nginx-replicaset
+  namespace: sdp-demo
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      annotations:
+        "k8s.appgate.com/sdp-injector.pod-name": "example-replicaset"
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.25
+        ports:
+        - containerPort: 80
+```
+
 ## Annotations
 SDP Kubernetes Injector supports various annotation-based behavior customization
 

k8s/chart/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "1.3.6"
+version: "1.3.7"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.3.6"
+appVersion: "1.3.7"

k8s/crd/Chart.yaml

@@ -5,7 +5,7 @@ description: Helm chart for SDP Kubernetes Injector CRD
 type: application
 
 # Chart version should remain consistent with ../chart/Chart.yaml
-version: "1.3.6"
+version: "1.3.7"
 
 # Chart appVersion should be the same as ../chart/Chart.yaml
-appVersion: "1.3.6"
+appVersion: "1.3.7"

sdp-common/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sdp-common"
-version = "1.3.6"
+version = "1.3.7"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

sdp-common/src/kubernetes.rs

@@ -6,7 +6,7 @@ use k8s_openapi::api::{
     core::v1::{Namespace, Pod},
 };
 use kube::{core::admission::AdmissionRequest, Client, Config, Resource, ResourceExt};
-use log::error;
+use log::{debug, error};
 
 use crate::{
     annotations::SDP_INJECTOR_ANNOTATION_POD_NAME,
@@ -46,7 +46,7 @@ impl Named for Pod {
     fn name(&self) -> String {
         /*
         To get the service name for a pod we do:
-         1. Check if it's in an annotation defined (added by injector). If it's tehre return it
+         1. Check if it's in an annotation defined (added by injector). If it's there, return it
          2. Check if we have a generate_name field in the metadata (replica set owner / old injectors), then use it.
          3. Return the name as it is
         */
@@ -68,7 +68,7 @@ impl Named for Pod {
                         }
                     }
                     None => self.metadata.name.as_ref().map(Clone::clone).unwrap_or({
-                        error!("Unable to find service name for Pod");
+                        error!("Unable to find .metadata.name of Pod");
                         uuid::Uuid::new_v4().to_string()
                     }),
                 }

sdp-common/src/watcher.rs

@@ -152,11 +152,11 @@ where
                 };
                 let msg = match op {
                     WatcherOperation::Apply => {
-                        info!("Sending Applied message for {}", e.name_any());
+                        debug!("Sending Applied message for {}", e.name_any());
                         e.applied(ns)
                     }
                     WatcherOperation::ReApply => {
-                        info!("Sending Reapplied message for {}", e.name_any());
+                        debug!("Sending Reapplied message for {}", e.name_any());
                         e.reapplied(ns)
                     }
                 };

sdp-identity-service/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sdp-identity-service"
-version = "1.3.6"
+version = "1.3.7"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

sdp-injector/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sdp-injector"
-version = "1.3.6"
+version = "1.3.7"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

sdp-injector/src/injector.rs

@@ -266,7 +266,7 @@ async fn dns_service_discover(services_api: &Api<KubeService>) -> Option<KubeSer
                         // k8s-app label is by design: https://github.com/coredns/deployment/issues/116
                         let maybe_dns_service = l.get("k8s-app");
                         if let Some(dns) = maybe_dns_service {
-                            info!("Kubernetes DNS Service: {}", dns);
+                            debug!("Kubernetes DNS Service: {}", dns);
                         }
                         maybe_dns_service
                     })
@@ -661,7 +661,7 @@ impl Patched for SDPPod {
                 }));
             }
         }
-        debug!("Pod patches: {:?}", patches);
+        info!("Applying the following patch to the Pod: {:?}", patches);
         Ok(Patch(patches))
     }
 }
@@ -2494,10 +2494,11 @@ pub async fn injector_handler<E: DeviceIdRequester>(
             match mutate(bs, sdp_context).await {
                 // Object properly patched and allowed
                 Ok(SDPPatchResponse::Allow(mut response)) => {
-                    info!(
-                        "Resource patched with {} patches",
-                        response.patch.as_ref().map(|xs| xs.len()).unwrap_or(0)
-                    );
+                    if let Some(xs) = response.patch.as_ref() {
+                        if !xs.is_empty() {
+                            info!("Resource patched with {} patches",  xs.len());
+                        }
+                    }
                     // Object properly patched and allowed
                     allow_admission_response!(response => response)
                 }

sdp-macros/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sdp-macros"
-version = "1.3.6"
+version = "1.3.7"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

sdp-test-macros/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "sdp-test-macros"
-version = "1.3.6"
+version = "1.3.7"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html