Merge pull request #19 from netfoundry/pod-level-label

Pod level label

.github/workflows/pr.yaml

@@ -515,7 +515,7 @@ jobs:
               admissionReviewVersions: ["v1"]
               namespaceSelector:
                 matchLabels:
-                  openziti/ziti-tunnel: enabled
+                  openziti/ziti-tunnel: namespace
               rules:
                 - operations: ["CREATE","UPDATE","DELETE"]
                   apiGroups: [""]
@@ -583,6 +583,8 @@ jobs:
           kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml --context $GKE_CLUSTER
           sleep 30
           kubectl apply -f ziti-k8s-agent-webhook-spec.yaml --context $AWS_CLUSTER
+          sed -i -e 's/namespaceSelector/objectSelector/g' ziti-k8s-agent-webhook-spec.yaml
+          sed -i -e 's/ziti-tunnel: namespace/ziti-tunnel: pod/g' ziti-k8s-agent-webhook-spec.yaml
           kubectl apply -f ziti-k8s-agent-webhook-spec.yaml --context $GKE_CLUSTER
           sleep 30
       -
@@ -596,12 +598,18 @@ jobs:
         if: success() || failure()
         run: |
           kubectl create namespace test1 --context $AWS_CLUSTER
-          kubectl label namespace test1 openziti/ziti-tunnel=enabled --context $AWS_CLUSTER
+          kubectl label namespace test1 openziti/ziti-tunnel=namespace --context $AWS_CLUSTER
           kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/platform/kube/bookinfo.yaml --context $AWS_CLUSTER -n test1 
           kubectl create namespace test2 --context $GKE_CLUSTER
-          kubectl label namespace test2 openziti/ziti-tunnel=enabled --context $GKE_CLUSTER
           kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/platform/kube/bookinfo.yaml --context $GKE_CLUSTER -n test2
-          sleep 150
+          sleep 30
+          kubectl patch deployment/ratings-v1 -p '{"spec":{"template":{"metadata":{"labels":{"openziti/ziti-tunnel":"pod"}}}}}' --context $GKE_CLUSTER -n test2
+          kubectl patch deployment/productpage-v1 -p '{"spec":{"template":{"metadata":{"labels":{"openziti/ziti-tunnel":"pod"}}}}}' --context $GKE_CLUSTER -n test2
+          kubectl patch deployment/details-v1 -p '{"spec":{"template":{"metadata":{"labels":{"openziti/ziti-tunnel":"pod"}}}}}' --context $GKE_CLUSTER -n test2
+          kubectl patch deployment/reviews-v1 -p '{"spec":{"template":{"metadata":{"labels":{"openziti/ziti-tunnel":"pod"}}}}}' --context $GKE_CLUSTER -n test2
+          kubectl patch deployment/reviews-v2 -p '{"spec":{"template":{"metadata":{"labels":{"openziti/ziti-tunnel":"pod"}}}}}' --context $GKE_CLUSTER -n test2
+          kubectl patch deployment/reviews-v3 -p '{"spec":{"template":{"metadata":{"labels":{"openziti/ziti-tunnel":"pod"}}}}}' --context $GKE_CLUSTER -n test2
+          sleep 120
       - 
         name: run-testcase-01
         run: |

CHANGELOG.md

@@ -3,6 +3,16 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [0.1.2] - 2024-11-22
+
+- Added per pod injection to webhook
+
+  ```shell
+  objectSelector:
+    matchLabels:
+      openziti/ziti-tunnel: pod
+  ```
+
 ## [0.1.1] - 2024-09-27
 
 - Updated the security context of the sidecar container

README.md

@@ -21,28 +21,54 @@ data:
   podSecurityContextOverride: "false"
   SearchDomainList: "$WHITESPACE_SEPERATED_STRING" #Default cluster.local $POD_NAMESPACE.svc
 ```
+There are two options to enable ziti tunnel proxy injection. Snippets of mutating webhook configs in [the spec](./deployment/ziti-webhook-spec.yaml) 
+
+  1. Per Namespace
+
+      ```shell
+      namespaceSelector:
+        matchLabels:
+          openziti/ziti-tunnel: namespace
+      ```
+
+  1. Per Pod
+
+      ```shell
+      objectSelector:
+        matchLabels:
+          openziti/ziti-tunnel: pod
+      ```
 
 ## Update Webhook Namespace
 
 Replace $WEBHOOK_NAMESPACE with the new namespace you wish to dedicate to the webhook. This will not be the same namespace as the pods that will have sidecars injected, and the webook's dedicated amespace will be deleted if you uninstall the webook like `kubectl delete -f ziti-webhook-spec.yaml --context $CLUSTER`.
 
-Run the spec
+Run the spec.  
 
 ```bash
 kubectl create -f ziti-webhook-spec.yaml --context $CLUSTER
 ```
 
-Once the webhook has been deployed successfully, one can enable injection per namespace by adding label `openziti/ziti-tunnel=enabled`
+Once the webhook has been deployed successfully, label the namespace or pods
 
-```bash
-kubectl label namespace {ns name} openziti/ziti-tunnel=enabled --context $CLUSTER
-```
+1. Per namespace by adding label `openziti/ziti-tunnel=namespace`
+
+    ```bash
+    kubectl label namespace {ns name} openziti/ziti-tunnel=namespace --context $CLUSTER
+    ```
+    if resources are already deployed for the namespace injection, one can run this to restart all pods per deployment.
+
+    ```bash
+    kubectl rollout restart deployment/{appname} -n {ns name} --context $CLUSTER 
+    ```
+
+1. Per Pod by adding label `openziti/ziti-tunnel=pod`
+
+    ```bash
+    kubectl patch deployment/example-app -p '{"spec":{"template":{"metadata":{"labels":{"openziti/ziti-tunnel":"pod"}}}}}' -n $NAMESPACE --context $CLUSTER
+    ```
 
-if resources are already deployed in this namespace, one can run this to restart all pods per deployment.
 
-```bash
-kubectl rollout restart deployment/{appname} -n {ns name} --context $CLUSTER 
-```
 
 **Note: The identity role attribute is set to the pod's app name if it lacks a Ziti identity role annotation. Add a Ziti identity role annotation at any time to update identity role attributes without restarting pods. If more than one replica is present in the deployment, then the deployment needs to be updated and pods will be restarted. You can avoid the rolling restart by annotating the dedployment's replicas individually.**
 

demo/README.md

@@ -120,7 +120,7 @@ export GKE_REGION="The region where the above subnet is configured"
     metadata:
       name: ${CLUSTER_NAME}
       region: ${AWS_REGION}
-      version: "1.28"
+      version: "1.30"
     managedNodeGroups:
     - name: ng-1
       instanceType: t3.medium
@@ -3545,7 +3545,7 @@ webhooks:
     admissionReviewVersions: ["v1"]
     namespaceSelector:
       matchLabels:
-        openziti/ziti-tunnel: enabled
+        openziti/ziti-tunnel: namespace
     rules:
       - operations: ["CREATE","UPDATE","DELETE"]
         apiGroups: [""]
@@ -3632,7 +3632,7 @@ kubectl logs `kubectl get pods -n ziti --context  $AWS_CLUSTER -o name | grep zi
 ### Deploy Bookinfo to EKS
 ```shell 
 kubectl create namespace test1 --context $AWS_CLUSTER
-kubectl label namespace test1 openziti/ziti-tunnel=enabled --context $AWS_CLUSTER
+kubectl label namespace test1 openziti/ziti-tunnel=namespace --context $AWS_CLUSTER
 kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/platform/kube/bookinfo.yaml --context $AWS_CLUSTER -n test1
 ```
 
@@ -3652,7 +3652,7 @@ kubectl logs `kubectl get pods -n ziti --context  $GKE_CLUSTER -o name | grep zi
 ### Deploy Bookinfo to GKE
 ```shell
 kubectl create namespace test2 --context $GKE_CLUSTER
-kubectl label namespace test2 openziti/ziti-tunnel=enabled --context $GKE_CLUSTER
+kubectl label namespace test2 openziti/ziti-tunnel=namespace --context $GKE_CLUSTER
 kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/platform/kube/bookinfo.yaml --context $GKE_CLUSTER -n test2
 ```
 

deployment/ziti-webhook-spec.yaml

@@ -137,7 +137,10 @@ webhooks:
     admissionReviewVersions: ["v1"]
     namespaceSelector:
       matchLabels:
-        openziti/ziti-tunnel: enabled
+        openziti/ziti-tunnel: namespace
+    # objectSelector:
+    #   matchLabels:
+    #     openziti/ziti-tunnel: pod
     rules:
       - operations: ["CREATE","UPDATE","DELETE"]
         apiGroups: [""]

ziti-agent/cmd/common/version.go

@@ -6,7 +6,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var Version = "0.1.1"
+var Version = "0.1.2"
 
 func NewVersionCmd() *cobra.Command {
 	return &cobra.Command{