This repository was archived by the owner on Jun 11, 2025. It is now read-only.

Conversation

@nxtcoder17
Member

@nxtcoder17 nxtcoder17 commented Jan 2, 2025

release v1.1.3

Summary by Sourcery

Add support for intercepting services.

New Features:

  • Introduce a ServiceIntercept CRD to intercept service traffic and forward it to a specified address.

Tests:

  • Update tests to cover the new functionality.

nxtcoder17 and others added 14 commits October 14, 2024 12:26
to include appropriate sysctl policies on pod
Refactor pod-pinger to use pro-bing for ping operations
DEPRECATES: logging.Logger in kubectl.YAMLClient, migrating to `log/slog`
It allows one app to access another app running inside the same
namespace with its name
feat: add service account name handling, and improves in-cluster DNS resolution of kloudlite Apps
- initial reference was from k8s default pod /etc/resolv.conf, but it
  assumes `ndots:5`, which means a domain to have at least 5 dots to be
  qualified as a FQDN, which is kind of wrong in our use case
fix: fixes dns query issue, changes ndots to 1
feat: add ServiceIntercept CRD and controller for Kubernetes
@sourcery-ai

sourcery-ai bot commented Jan 2, 2025

Reviewer's Guide by Sourcery

This pull request introduces a new GatewayResource message type and a new SendClusterGatewayResource RPC method to the MessageDispatchService. It also includes changes to the deployment process to use a service account and updates the WireGuard configuration to allow ping.

Sequence diagram for ServiceIntercept webhook flow

sequenceDiagram
    participant K8s as Kubernetes API
    participant W as ServiceIntercept Webhook
    participant P as Pod
    participant S as Service

    K8s->>W: Admission Request (Pod Creation)
    W->>W: Check if pod matches intercept selector
    alt Pod matches intercept selector
        W->>W: Add intercept labels
        W->>W: Add node selector
        W->>K8s: Allow with patches
    else Pod doesn't match
        W->>K8s: Allow without changes
    end
    K8s->>P: Create Pod
    P->>S: Register with Service

Class diagram for new GatewayResource message type

classDiagram
    class GatewayResource {
        +bytes gateway
    }
    class MessageDispatchService {
        +ValidateAccessToken(ValidateAccessTokenIn) ValidateAccessTokenOut
        +GetAccessToken(GetAccessTokenIn) GetAccessTokenOut
        +SendActions(Empty) Action
        +SendClusterGatewayResource(Empty) GatewayResource
        +ReceiveError(ErrorData) Empty
        +ReceiveConsoleResourceUpdate(ResourceUpdate) Empty
        +ReceiveIotConsoleResourceUpdate(ResourceUpdate) Empty
        +ReceiveInfraResourceUpdate(ResourceUpdate) Empty
        +ReceiveContainerRegistryUpdate(ResourceUpdate) Empty
        +Ping(Empty) PingOutput
    }
    MessageDispatchService ..> GatewayResource : returns

Class diagram for new ServiceIntercept CRD

classDiagram
    class ServiceIntercept {
        +ServiceInterceptSpec spec
        +ServiceInterceptStatus status
        +EnsureGVK()
        +GetStatus() *Status
        +GetEnsuredLabels() map[string]string
        +GetEnsuredAnnotations() map[string]string
    }
    class ServiceInterceptSpec {
        +string toAddr
        +SvcInterceptPortMappings[] portMappings
    }
    class ServiceInterceptStatus {
        +Status status
        +map[string]string selector
    }
    class SvcInterceptPortMappings {
        +uint16 containerPort
        +uint16 servicePort
    }
    ServiceIntercept *-- ServiceInterceptSpec
    ServiceIntercept *-- ServiceInterceptStatus
    ServiceInterceptSpec *-- SvcInterceptPortMappings

File-Level Changes

Change | Details | Files
Added GatewayResource message type.
  • Defined the GatewayResource message with a gateway field of type []byte.
  • Added methods for GatewayResource such as Reset, String, ProtoMessage, ProtoReflect, and Descriptor.
  • Implemented the GetGateway method to retrieve the gateway data.
  • Updated the file descriptor and message types to include GatewayResource.
grpc-interfaces/grpc/messages/messages.pb.go
Added SendClusterGatewayResource RPC method.
  • Added the SendClusterGatewayResource method to the MessageDispatchServiceClient and MessageDispatchServiceServer interfaces.
  • Implemented the client-side and server-side logic for the SendClusterGatewayResource RPC method.
  • Updated the service descriptor to include the new RPC method.
grpc-interfaces/grpc/messages/messages_grpc.pb.go
Updated deployment process to use a service account.
  • Added a function to retrieve the service account name from the App object or use a default value.
  • Modified the deployment template to use the retrieved service account name.
  • Updated the deployment reconciliation logic to ensure the correct service account is used.
operators/app-n-lambda/internal/controllers/app/controller.go
operators/app-n-lambda/internal/templates/app-deployment-svc-hpa.yml.tpl
Updated WireGuard configuration to allow ping.
  • Added a security context to the gateway deployment with a sysctl to configure the ping group range.
  • Added commands to update resolv.conf in the WireGuard setup script.
operators/networking/internal/gateway/templates/gateway-deployment.yml.tpl
operators/networking/internal/cmd/webhook/main.go
Added ServiceIntercept CRD and controller.
  • Added the ServiceIntercept CRD definition.
  • Created the controller for the ServiceIntercept CRD.
  • Added RBAC rules for the ServiceIntercept CRD.
  • Created sample YAML for the ServiceIntercept CRD.
  • Added necessary dependencies and configurations for the ServiceIntercept CRD and controller.
  • Added webhook for intercepting pod creation.
  • Updated agent and platform operators to register the service intercept controller.
apis/crds/v1/zz_generated.deepcopy.go
apis/crds/v1/serviceintercept_types.go
config/crd/kustomization.yaml
config/samples/kustomization.yaml
config/samples/crds_v1_serviceintercept.yaml
config/crd/bases/crds.kloudlite.io_serviceintercepts.yaml
config/rbac/crds_serviceintercept_editor_role.yaml
config/rbac/crds_serviceintercept_viewer_role.yaml
operators/service-intercept/internal/controllers/svci/controller.go
operators/service-intercept/internal/templates/svc-intercept.yml.tpl
operators/service-intercept/internal/templates/webhook.yml.tpl
operators/service-intercept/Dockerfile
operators/service-intercept/internal/env/env.go
operators/service-intercept/internal/templates/embed.go
operators/service-intercept/internal/templates/types.go
config/crd/patches/webhook_in_crds_serviceintercepts.yaml
operators/service-intercept/controller/register.go
operators/service-intercept/main.go
config/crd/patches/cainjection_in_crds_serviceintercepts.yaml
operators/service-intercept/internal/cmd/webhook/main.go
operators/service-intercept/internal/cmd/webhook/Taskfile.yml
operators/service-intercept/internal/cmd/webhook/Dockerfile
operators/service-intercept/.dockerignore
operators/service-intercept/Containerfile.local
cmd/agent-operator/main.go
cmd/platform-operator/main.go
Updated pod pinger to use pro-bing library.
  • Replaced the use of exec.Command with the pro-bing library for pinging pods.
  • Set timeouts for resolving and pinging the IP address.
operators/networking/internal/cmd/ip-binding-controller/pod-pinger/controller.go
Removed unused code and updated logging.
  • Removed unused code related to node affinity in the deployment template.
  • Removed unused code and updated logging in the kubectl apply function.
  • Removed unused code related to intercept and HPA configuration.
  • Updated logging to use slog.
pkg/kubectl/without-kubectl.go
operators/app-n-lambda/internal/controllers/app/controller.go
Removed main.go
  • Deleted the main.go file.
main.go

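An added example (not code from the kloudlite operators) of the admission flow the guide's sequence diagram describes, written in Go against the standard library only: match a pod against the intercept selector and build the JSON patch that adds the intercept labels and node selector, handling the two details that commonly break mutating webhooks (escaping `/` in label keys, and adding a whole map when the pod has no labels or nodeSelector yet). The label keys and selector values are constructed.

```go
package main

import (
	"sort"
	"strings"
)

// PatchOp is one RFC 6902 JSON Patch operation, the shape a mutating
// webhook returns in AdmissionResponse.patch (patchType JSONPatch).
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// escapePointer escapes a key for a JSON Pointer (RFC 6901): "/" in label keys must become "~1".
func escapePointer(s string) string {
	return strings.ReplaceAll(strings.ReplaceAll(s, "~", "~0"), "/", "~1")
}

// addMapEntries emits ops adding entries under basePath. When the map is absent on the
// object (nil), the whole map is added in one op: "add" to a child of a missing object fails.
func addMapEntries(basePath string, existing, add map[string]string) []PatchOp {
	if existing == nil {
		return []PatchOp{{Op: "add", Path: basePath, Value: add}}
	}
	keys := make([]string, 0, len(add))
	for k := range add {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map order is random; keep the patch deterministic
	ops := make([]PatchOp, 0, len(keys))
	for _, k := range keys {
		ops = append(ops, PatchOp{Op: "add", Path: basePath + "/" + escapePointer(k), Value: add[k]})
	}
	return ops
}

// MutatePod follows the webhook flow in the reviewer's guide. podLabels and podNodeSelector
// are the incoming pod's metadata.labels and spec.nodeSelector (nil when unset). A pod carrying
// every key/value of the intercept selector gets the patch; any other pod is admitted unchanged.
func MutatePod(podLabels, podNodeSelector, selector, interceptLabels, nodeSelector map[string]string) []PatchOp {
	for k, v := range selector {
		if podLabels[k] != v {
			return nil
		}
	}
	ops := addMapEntries("/metadata/labels", podLabels, interceptLabels)
	return append(ops, addMapEntries("/spec/nodeSelector", podNodeSelector, nodeSelector)...)
}
```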
@sourcery-ai sourcery-ai bot left a comment


Hey @nxtcoder17 - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Please add documentation explaining the purpose and usage of the service intercept feature. The code looks good but some context would help users understand how to use it effectively.
Here's what I looked at during the review
  • 🟡 General issues: 1 issue found
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good


name: {{ .ServiceName | squote }}
namespace: {{.ServiceNamespace | squote}}
path: /mutate/pod
port: 443

suggestion: Make webhook port configuration consistent

The webhook port is hardcoded to 443 here but uses 9443 elsewhere in the code. Consider making this configurable and consistent.

Suggested implementation:

        port: {{ .WebhookPort | default "9443" }}

This change will require:

  1. Ensuring the WebhookPort variable is passed in the template data structure where this template is rendered
  2. Verifying that other parts of the code using port 9443 are using the same configuration variable
  3. If there isn't already a central configuration for this port, consider creating one to maintain consistency

@nxtcoder17 nxtcoder17 merged commit fa29d54 into main Jan 2, 2025
6 of 8 checks passed
@nxtcoder17 nxtcoder17 deleted the release-v1.1.3 branch January 2, 2025 12:15