From f6599fa4c458e2244be5b33cdbc06d8ba5ba4743 Mon Sep 17 00:00:00 2001 From: Manuel Hutter Date: Fri, 25 Oct 2024 16:45:32 +0200 Subject: [PATCH] feat: Disable Service Links by default In the default configuration, Kubernetes will inject a bunch of environment variables for each service in the Namespace. The idea is to aid with service discovery, but while they are rarely used in practice, the injected environment variables might interfere with applications that try to determine their configuration from environment variables. This commit disables this behaviour by default by setting `enableServiceLinks: false` in the pod specs, but allows users to reenable the links using a label. 
Signed-off-by: Manuel Hutter --- README.md | 1 + docs/conversion.md | 4 ++++ pkg/converter/converter.go | 3 +++ tests/golden/101/manifests/nginx-oasp-deployment.yaml | 1 + .../manifests/nginx-oasp-deployment.yaml | 1 + .../golden/defaults/manifests/nginx-oasp-deployment.yaml | 1 + tests/golden/demo/docker-compose.yml | 8 +++++--- tests/golden/demo/manifests/mongo-statefulset.yaml | 1 + tests/golden/demo/manifests/portal-oasp-deployment.yaml | 1 + .../manifests/pinger-oasp-deployment.yaml | 1 + .../manifests/pinger-oasp-deployment.yaml | 1 + .../golden/env-vars/manifests/fooBar-oasp-deployment.yaml | 1 + .../manifests/nginx-oasp-deployment.yaml | 1 + .../expose-plain/manifests/nginx-oasp-deployment.yaml | 1 + .../golden/noports/manifests/pinger-oasp-deployment.yaml | 1 + .../manifests/nginx-frontend-oasp-deployment.yaml | 1 + tests/golden/parts/manifests/mongo-statefulset.yaml | 1 + .../parts/manifests/nginx-frontend-oasp-deployment.yaml | 1 + .../manifests/nginx-oasp-deployment.yaml | 1 + .../manifests/default-oasp-statefulset.yaml | 1 + .../manifests/default-shared-oasp-deployment.yaml | 1 + .../manifests/share-0-oasp-deployment.yaml | 1 + .../manifests/share-1-oasp-deployment.yaml | 1 + .../manifests/singleton-db-statefulset.yaml | 1 + .../storage/manifests/default-oasp-statefulset.yaml | 1 + .../storage/manifests/default-shared-oasp-deployment.yaml | 1 + .../golden/storage/manifests/share-0-oasp-deployment.yaml | 1 + .../golden/storage/manifests/share-1-oasp-deployment.yaml | 1 + .../storage/manifests/singleton-db-statefulset.yaml | 1 + 29 files changed, 38 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e267d13..f54106a 100644 --- a/README.md +++ b/README.md 
@@ -110,6 +110,7 @@ Service Labels | `k8ify.exposePlain.$port.type: ClusterIP\|LoadBalancer\|ExternalName\|NodePort` | Set the k8s Service type (default `LoadBalancer`) | | `k8ify.exposePlain.$port.externalTrafficPolicy: Cluster\|Local` | Set the k8s Service traffic policy (default `Local`). `Local` makes the client IP visible to the application but may provide worse load balancing than `Cluster`. | | `k8ify.exposePlain.$port.healthCheckNodePort: $port` | Set the k8s Service health check port number. | +| `k8ify.enableServiceLinks: $value` | Inject ENV variables for each K8s service in the namespace. | Volume Labels diff --git a/docs/conversion.md b/docs/conversion.md index 2aa5ea3..50b85a7 100644 --- a/docs/conversion.md +++ b/docs/conversion.md @@ -116,6 +116,8 @@ spec: # `services.$name.labels["k8ify.annotations"]` merged with `services.$name.labels["k8ify.Pod.annotations"]` (latter take priority) foo: bar spec: + # `services.$name.labels."k8ify.enableServiceLinks`, defaults to `false` + enableServiceLinks: false # Anti-affinity is always configured to avoid running multiple replicas (instances) of the same deployment on the same node affinity: podAntiAffinity: @@ -237,6 +239,8 @@ spec: # timestamp to ensure restarts of all pods k8ify.restart-trigger: "1675680748" spec: + # `services.$name.labels."k8ify.enableServiceLinks`, defaults to `false` + enableServiceLinks: false # Anti-affinity is always configured to avoid running multiple replicas (instances) of the same deployment on the same node affinity: podAntiAffinity: diff --git a/pkg/converter/converter.go b/pkg/converter/converter.go index 0671e33..3d3dccc 100644 --- a/pkg/converter/converter.go +++ b/pkg/converter/converter.go 
@@ -255,7 +255,10 @@ func composeServiceToPodTemplate( volumesArray = append(volumesArray, volumes[key]) } + enableServiceLinks := util.GetBoolean(workload.Labels(), "k8ify.enableServiceLinks") + podSpec := core.PodSpec{ + EnableServiceLinks: &enableServiceLinks, Containers: containers, RestartPolicy: core.RestartPolicyAlways, Volumes: volumesArray, diff --git a/tests/golden/101/manifests/nginx-oasp-deployment.yaml b/tests/golden/101/manifests/nginx-oasp-deployment.yaml index 82aa995..abc0081 100644 --- a/tests/golden/101/manifests/nginx-oasp-deployment.yaml +++ b/tests/golden/101/manifests/nginx-oasp-deployment.yaml @@ -52,5 +52,6 @@ spec: tcpSocket: port: 80 timeoutSeconds: 60 + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/cluster-apps-domain/manifests/nginx-oasp-deployment.yaml b/tests/golden/cluster-apps-domain/manifests/nginx-oasp-deployment.yaml index e648d9c..189ae4b 100644 --- a/tests/golden/cluster-apps-domain/manifests/nginx-oasp-deployment.yaml +++ b/tests/golden/cluster-apps-domain/manifests/nginx-oasp-deployment.yaml @@ -51,5 +51,6 @@ spec: tcpSocket: port: 80 timeoutSeconds: 60 + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/defaults/manifests/nginx-oasp-deployment.yaml b/tests/golden/defaults/manifests/nginx-oasp-deployment.yaml index e648d9c..189ae4b 100644 --- a/tests/golden/defaults/manifests/nginx-oasp-deployment.yaml +++ b/tests/golden/defaults/manifests/nginx-oasp-deployment.yaml @@ -51,5 +51,6 @@ spec: tcpSocket: port: 80 timeoutSeconds: 60 + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/demo/docker-compose.yml b/tests/golden/demo/docker-compose.yml index c5a7743..1df38af 100644 --- a/tests/golden/demo/docker-compose.yml +++ b/tests/golden/demo/docker-compose.yml 
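Review bot: Nothing at the new `enableServiceLinks := util.GetBoolean(workload.Labels(), "k8ify.enableServiceLinks")` line in `composeServiceToPodTemplate` records that an absent label now yields `false`, which inverts the Kubernetes default of `true` for every workload the next time it is converted. I would add `// Service links are opt-in: without the k8ify.enableServiceLinks label the pod gets no per-Service *_SERVICE_HOST / *_SERVICE_PORT variables.` above the assignment, so the reduced environment exposure reads as deliberate. How `util.GetBoolean` treats a value it cannot parse is not visible in this hunk; if it falls back to `false`, a mistyped label silently drops the variables, so the accepted values and the default belong in the README row, which currently only says `$value`. The function body starts and ends outside this hunk.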
@@ -1,13 +1,15 @@ -version: '3.4' +version: "3.4" services: mongo: image: mongo:4.0 restart: always ports: - - '127.0.0.1:27017:27017' + - "127.0.0.1:27017:27017" volumes: - mongodb_data:/data/db portal: + labels: + k8ify.enableServiceLinks: "true" image: vshn/portal:dev build: target: base @@ -20,7 +22,7 @@ services: - "8001:8000" volumes: - ./:/src - entrypoint: + entrypoint: - echo command: - "Hello World" diff --git a/tests/golden/demo/manifests/mongo-statefulset.yaml b/tests/golden/demo/manifests/mongo-statefulset.yaml index bdcc049..39b4179 100644 --- a/tests/golden/demo/manifests/mongo-statefulset.yaml +++ b/tests/golden/demo/manifests/mongo-statefulset.yaml @@ -63,6 +63,7 @@ spec: volumeMounts: - mountPath: /data/db name: mongodb-data + enableServiceLinks: false restartPolicy: Always updateStrategy: {} volumeClaimTemplates: diff --git a/tests/golden/demo/manifests/portal-oasp-deployment.yaml b/tests/golden/demo/manifests/portal-oasp-deployment.yaml index c518516..6bd797d 100644 --- a/tests/golden/demo/manifests/portal-oasp-deployment.yaml +++ b/tests/golden/demo/manifests/portal-oasp-deployment.yaml @@ -81,6 +81,7 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 60 + enableServiceLinks: true restartPolicy: Always serviceAccountName: portalk8saccess status: {} diff --git a/tests/golden/empty-env-vars-list/manifests/pinger-oasp-deployment.yaml b/tests/golden/empty-env-vars-list/manifests/pinger-oasp-deployment.yaml index 6b57fac..49fe3e0 100644 --- a/tests/golden/empty-env-vars-list/manifests/pinger-oasp-deployment.yaml +++ b/tests/golden/empty-env-vars-list/manifests/pinger-oasp-deployment.yaml @@ -38,5 +38,6 @@ spec: imagePullPolicy: Always name: pinger-oasp resources: {} + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/empty-env-vars-map/manifests/pinger-oasp-deployment.yaml b/tests/golden/empty-env-vars-map/manifests/pinger-oasp-deployment.yaml index 6b57fac..49fe3e0 100644 
--- a/tests/golden/empty-env-vars-map/manifests/pinger-oasp-deployment.yaml +++ b/tests/golden/empty-env-vars-map/manifests/pinger-oasp-deployment.yaml @@ -38,5 +38,6 @@ spec: imagePullPolicy: Always name: pinger-oasp resources: {} + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/env-vars/manifests/fooBar-oasp-deployment.yaml b/tests/golden/env-vars/manifests/fooBar-oasp-deployment.yaml index f82c613..51ceb89 100644 --- a/tests/golden/env-vars/manifests/fooBar-oasp-deployment.yaml +++ b/tests/golden/env-vars/manifests/fooBar-oasp-deployment.yaml @@ -54,5 +54,6 @@ spec: imagePullPolicy: Always name: fooBar-oasp resources: {} + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/expose-http-and-plain/manifests/nginx-oasp-deployment.yaml b/tests/golden/expose-http-and-plain/manifests/nginx-oasp-deployment.yaml index cd8df82..17b54af 100644 --- a/tests/golden/expose-http-and-plain/manifests/nginx-oasp-deployment.yaml +++ b/tests/golden/expose-http-and-plain/manifests/nginx-oasp-deployment.yaml @@ -55,5 +55,6 @@ spec: tcpSocket: port: 8888 timeoutSeconds: 60 + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/expose-plain/manifests/nginx-oasp-deployment.yaml b/tests/golden/expose-plain/manifests/nginx-oasp-deployment.yaml index cd8df82..17b54af 100644 --- a/tests/golden/expose-plain/manifests/nginx-oasp-deployment.yaml +++ b/tests/golden/expose-plain/manifests/nginx-oasp-deployment.yaml @@ -55,5 +55,6 @@ spec: tcpSocket: port: 8888 timeoutSeconds: 60 + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/noports/manifests/pinger-oasp-deployment.yaml b/tests/golden/noports/manifests/pinger-oasp-deployment.yaml index 2053498..521a807 100644 --- a/tests/golden/noports/manifests/pinger-oasp-deployment.yaml +++ b/tests/golden/noports/manifests/pinger-oasp-deployment.yaml 
@@ -35,5 +35,6 @@ spec: imagePullPolicy: Always name: pinger-oasp resources: {} + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/parts-ingress/manifests/nginx-frontend-oasp-deployment.yaml b/tests/golden/parts-ingress/manifests/nginx-frontend-oasp-deployment.yaml index f970d7b..329a2a5 100644 --- a/tests/golden/parts-ingress/manifests/nginx-frontend-oasp-deployment.yaml +++ b/tests/golden/parts-ingress/manifests/nginx-frontend-oasp-deployment.yaml @@ -71,5 +71,6 @@ spec: tcpSocket: port: 4480 timeoutSeconds: 60 + enableServiceLinks: false restartPolicy: Always status: {} diff --git a/tests/golden/parts/manifests/mongo-statefulset.yaml b/tests/golden/parts/manifests/mongo-statefulset.yaml index fece827..2c925fb 100644 --- a/tests/golden/parts/manifests/mongo-statefulset.yaml +++ b/tests/golden/parts/manifests/mongo-statefulset.yaml @@ -84,6 +84,7 @@ spec: volumeMounts: - mountPath: /data/db name: mongodb-data + enableServiceLinks: false restartPolicy: Always updateStrategy: {} volumeClaimTemplates: diff --git a/tests/golden/parts/manifests/nginx-frontend-oasp-deployment.yaml b/tests/golden/parts/manifests/nginx-frontend-oasp-deployment.yaml index 858d74a..75c5efd 100644 --- a/tests/golden/parts/manifests/nginx-frontend-oasp-deployment.yaml +++ b/tests/golden/parts/manifests/nginx-frontend-oasp-deployment.yaml @@ -98,6 +98,7 @@ spec: name: sessions - mountPath: /data/web name: webdata + enableServiceLinks: false restartPolicy: Always volumes: - name: sessions diff --git a/tests/golden/poddisruptionbudget/manifests/nginx-oasp-deployment.yaml b/tests/golden/poddisruptionbudget/manifests/nginx-oasp-deployment.yaml index 2caf595..840a32d 100644 --- a/tests/golden/poddisruptionbudget/manifests/nginx-oasp-deployment.yaml +++ b/tests/golden/poddisruptionbudget/manifests/nginx-oasp-deployment.yaml @@ -52,5 +52,6 @@ spec: tcpSocket: port: 80 timeoutSeconds: 60 + enableServiceLinks: false restartPolicy: Always status: {} 
diff --git a/tests/golden/storage-encrypted/manifests/default-oasp-statefulset.yaml b/tests/golden/storage-encrypted/manifests/default-oasp-statefulset.yaml index 2846fd2..6c68827 100644 --- a/tests/golden/storage-encrypted/manifests/default-oasp-statefulset.yaml +++ b/tests/golden/storage-encrypted/manifests/default-oasp-statefulset.yaml @@ -37,6 +37,7 @@ spec: volumeMounts: - mountPath: /data name: default-data + enableServiceLinks: false restartPolicy: Always updateStrategy: {} volumeClaimTemplates: diff --git a/tests/golden/storage-encrypted/manifests/default-shared-oasp-deployment.yaml b/tests/golden/storage-encrypted/manifests/default-shared-oasp-deployment.yaml index d3a9993..535bc8f 100644 --- a/tests/golden/storage-encrypted/manifests/default-shared-oasp-deployment.yaml +++ b/tests/golden/storage-encrypted/manifests/default-shared-oasp-deployment.yaml @@ -38,6 +38,7 @@ spec: volumeMounts: - mountPath: /data name: default-shared-data + enableServiceLinks: false restartPolicy: Always volumes: - name: default-shared-data diff --git a/tests/golden/storage-encrypted/manifests/share-0-oasp-deployment.yaml b/tests/golden/storage-encrypted/manifests/share-0-oasp-deployment.yaml index 1da7479..b2fc67d 100644 --- a/tests/golden/storage-encrypted/manifests/share-0-oasp-deployment.yaml +++ b/tests/golden/storage-encrypted/manifests/share-0-oasp-deployment.yaml @@ -38,6 +38,7 @@ spec: volumeMounts: - mountPath: /data name: shared-data + enableServiceLinks: false restartPolicy: Always volumes: - name: shared-data diff --git a/tests/golden/storage-encrypted/manifests/share-1-oasp-deployment.yaml b/tests/golden/storage-encrypted/manifests/share-1-oasp-deployment.yaml index a8a6d95..61021cc 100644 --- a/tests/golden/storage-encrypted/manifests/share-1-oasp-deployment.yaml +++ b/tests/golden/storage-encrypted/manifests/share-1-oasp-deployment.yaml 
@@ -38,6 +38,7 @@ spec: volumeMounts: - mountPath: /data name: shared-data + enableServiceLinks: false restartPolicy: Always volumes: - name: shared-data diff --git a/tests/golden/storage-encrypted/manifests/singleton-db-statefulset.yaml b/tests/golden/storage-encrypted/manifests/singleton-db-statefulset.yaml index 83cdd7f..ab427b2 100644 --- a/tests/golden/storage-encrypted/manifests/singleton-db-statefulset.yaml +++ b/tests/golden/storage-encrypted/manifests/singleton-db-statefulset.yaml @@ -34,6 +34,7 @@ spec: volumeMounts: - mountPath: /data name: singleton-db-storage + enableServiceLinks: false restartPolicy: Always updateStrategy: {} volumeClaimTemplates: diff --git a/tests/golden/storage/manifests/default-oasp-statefulset.yaml b/tests/golden/storage/manifests/default-oasp-statefulset.yaml index 80a7f9d..3644020 100644 --- a/tests/golden/storage/manifests/default-oasp-statefulset.yaml +++ b/tests/golden/storage/manifests/default-oasp-statefulset.yaml @@ -37,6 +37,7 @@ spec: volumeMounts: - mountPath: /data name: default-data + enableServiceLinks: false restartPolicy: Always updateStrategy: {} volumeClaimTemplates: diff --git a/tests/golden/storage/manifests/default-shared-oasp-deployment.yaml b/tests/golden/storage/manifests/default-shared-oasp-deployment.yaml index d3a9993..535bc8f 100644 --- a/tests/golden/storage/manifests/default-shared-oasp-deployment.yaml +++ b/tests/golden/storage/manifests/default-shared-oasp-deployment.yaml @@ -38,6 +38,7 @@ spec: volumeMounts: - mountPath: /data name: default-shared-data + enableServiceLinks: false restartPolicy: Always volumes: - name: default-shared-data diff --git a/tests/golden/storage/manifests/share-0-oasp-deployment.yaml b/tests/golden/storage/manifests/share-0-oasp-deployment.yaml index 1da7479..b2fc67d 100644 --- a/tests/golden/storage/manifests/share-0-oasp-deployment.yaml +++ b/tests/golden/storage/manifests/share-0-oasp-deployment.yaml 
@@ -38,6 +38,7 @@ spec: volumeMounts: - mountPath: /data name: shared-data + enableServiceLinks: false restartPolicy: Always volumes: - name: shared-data diff --git a/tests/golden/storage/manifests/share-1-oasp-deployment.yaml b/tests/golden/storage/manifests/share-1-oasp-deployment.yaml index a8a6d95..61021cc 100644 --- a/tests/golden/storage/manifests/share-1-oasp-deployment.yaml +++ b/tests/golden/storage/manifests/share-1-oasp-deployment.yaml @@ -38,6 +38,7 @@ spec: volumeMounts: - mountPath: /data name: shared-data + enableServiceLinks: false restartPolicy: Always volumes: - name: shared-data diff --git a/tests/golden/storage/manifests/singleton-db-statefulset.yaml b/tests/golden/storage/manifests/singleton-db-statefulset.yaml index 5e8cef1..ac1a668 100644 --- a/tests/golden/storage/manifests/singleton-db-statefulset.yaml +++ b/tests/golden/storage/manifests/singleton-db-statefulset.yaml @@ -34,6 +34,7 @@ spec: volumeMounts: - mountPath: /data name: singleton-db-storage + enableServiceLinks: false restartPolicy: Always updateStrategy: {} volumeClaimTemplates: