replace replacable env variables

edgelesssys · Jun 14, 2024 · a142df0 · a142df0
1 parent fdf3062
commit a142df0
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 28 deletions.
diff --git a/docs/docs/components/service-mesh.md b/docs/docs/components/service-mesh.md
@@ -23,8 +23,8 @@ The service mesh container can be configured using the following object annotati
   admin interface. If not specified, no admin interface will be started.
 
 If you aren't using the automatic service mesh injection and want to configure the
-service mesh manually, set the environment variables `EDG_INGRESS_PROXY_CONFIG`,
-`EDG_EGRESS_PROXY_CONFIG` and `EDG_ADMIN_PORT` in the service mesh sidecar directly.
+service mesh manually, set the environment variables `CONTRAST_INGRESS_PROXY_CONFIG`,
+`CONTRAST_EGRESS_PROXY_CONFIG` and `CONTRAST_ADMIN_PORT` in the service mesh sidecar directly.
 
 ### Ingress
 
@@ -83,7 +83,7 @@ Contrast service mesh as an init container.
 # ...
       initContainers:
         - env:
-            - name: EDG_INGRESS_PROXY_CONFIG
+            - name: CONTRAST_INGRESS_PROXY_CONFIG
               value: "web#8080#false##metrics#7890#true"
           image: "ghcr.io/edgelesssys/contrast/service-mesh-proxy@sha256:..."
           name: contrast-service-mesh

diff --git a/internal/kuberesource/mutators.go b/internal/kuberesource/mutators.go
@@ -126,7 +126,7 @@ func AddServiceMesh(
 			}
 
 			serviceMeshProxy.
-				WithEnv(NewEnvVar("EDG_ADMIN_PORT", portAnnotation)).
+				WithEnv(NewEnvVar("CONTRAST_ADMIN_PORT", portAnnotation)).
 				WithPorts(
 					ContainerPort().
 						WithName("contrast-admin").
@@ -135,10 +135,10 @@ func AddServiceMesh(
 		}
 
 		if ingressConfig != "" {
-			serviceMeshProxy.WithEnv(NewEnvVar("EDG_INGRESS_PROXY_CONFIG", ingressConfig))
+			serviceMeshProxy.WithEnv(NewEnvVar("CONTRAST_INGRESS_PROXY_CONFIG", ingressConfig))
 		}
 		if egressConfig != "" {
-			serviceMeshProxy.WithEnv(NewEnvVar("EDG_EGRESS_PROXY_CONFIG", egressConfig))
+			serviceMeshProxy.WithEnv(NewEnvVar("CONTRAST_EGRESS_PROXY_CONFIG", egressConfig))
 		}
 
 		return meta, spec.WithInitContainers(serviceMeshProxy)

diff --git a/service-mesh/iptables.go b/service-mesh/iptables.go
@@ -38,17 +38,17 @@ func IngressIPTableRules(ingressEntries []ingressConfigEntry) error {
 
 	// Reconcile to clean iptables chains.
 	// Similar to `ClearChain`, all errors are treated as "chain already exists"
-	_ = iptablesExec.NewChain("mangle", "EDG_INBOUND")
-	_ = iptablesExec.NewChain("mangle", "EDG_IN_REDIRECT")
+	_ = iptablesExec.NewChain("mangle", "CONTRAST_INBOUND")
+	_ = iptablesExec.NewChain("mangle", "CONTRAST_IN_REDIRECT")
 
-	// Route all TCP traffic to the EDG_INBOUND chain.
-	if err := iptablesExec.AppendUnique("mangle", "PREROUTING", "-p", "tcp", "-j", "EDG_INBOUND"); err != nil {
-		return fmt.Errorf("failed to append EDG_INBOUND chain to PREROUTING chain: %w", err)
+	// Route all TCP traffic to the CONTRAST_INBOUND chain.
+	if err := iptablesExec.AppendUnique("mangle", "PREROUTING", "-p", "tcp", "-j", "CONTRAST_INBOUND"); err != nil {
+		return fmt.Errorf("failed to append CONTRAST_INBOUND chain to PREROUTING chain: %w", err)
 	}
 
-	// RETURN all local traffic from the EDG_INBOUND chain back to the PREROUTING chain.
-	if err := iptablesExec.AppendUnique("mangle", "EDG_INBOUND", "-p", "tcp", "-i", "lo", "-j", "RETURN"); err != nil {
-		return fmt.Errorf("failed to append dport exception to EDG_INBOUND chain: %w", err)
+	// RETURN all local traffic from the CONTRAST_INBOUND chain back to the PREROUTING chain.
+	if err := iptablesExec.AppendUnique("mangle", "CONTRAST_INBOUND", "-p", "tcp", "-i", "lo", "-j", "RETURN"); err != nil {
+		return fmt.Errorf("failed to append dport exception to CONTRAST_INBOUND chain: %w", err)
 	}
 	// RETURN all related and established traffic.
 	// Since the mangle table executes on every packet and not just before the
@@ -61,30 +61,30 @@ func IngressIPTableRules(ingressEntries []ingressConfigEntry) error {
 	// module (see: https://github.com/istio/istio/pull/22527).
 	// In our own Contrast image the module is available, but we cannot
 	// guarantee that it is available in all environments.
-	if err := iptablesExec.AppendUnique("mangle", "EDG_INBOUND", "-p", "tcp", "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "RETURN"); err != nil {
-		return fmt.Errorf("failed to append dport exception to EDG_INBOUND chain: %w", err)
+	if err := iptablesExec.AppendUnique("mangle", "CONTRAST_INBOUND", "-p", "tcp", "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "RETURN"); err != nil {
+		return fmt.Errorf("failed to append dport exception to CONTRAST_INBOUND chain: %w", err)
 	}
-	// Route all other traffic to the EDG_IN_REDIRECT chain.
-	if err := iptablesExec.AppendUnique("mangle", "EDG_INBOUND", "-p", "tcp", "-j", "EDG_IN_REDIRECT"); err != nil {
-		return fmt.Errorf("failed to append EDG_IN_REDIRECT chain to EDG_INBOUND chain: %w", err)
+	// Route all other traffic to the CONTRAST_IN_REDIRECT chain.
+	if err := iptablesExec.AppendUnique("mangle", "CONTRAST_INBOUND", "-p", "tcp", "-j", "CONTRAST_IN_REDIRECT"); err != nil {
+		return fmt.Errorf("failed to append CONTRAST_IN_REDIRECT chain to CONTRAST_INBOUND chain: %w", err)
 	}
 
 	for _, entry := range ingressEntries {
 		if entry.disableTLS {
-			if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "RETURN"); err != nil {
-				return fmt.Errorf("failed to append dport exception to EDG_IN_REDIRECT chain to disable TLS: %w", err)
+			if err := iptablesExec.AppendUnique("mangle", "CONTRAST_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "RETURN"); err != nil {
+				return fmt.Errorf("failed to append dport exception to CONTRAST_IN_REDIRECT chain to disable TLS: %w", err)
 			}
 		} else {
-			if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPortNoClientCert)); err != nil {
-				return fmt.Errorf("failed to append dport exception to EDG_IN_REDIRECT chain to disable client auth: %w", err)
+			if err := iptablesExec.AppendUnique("mangle", "CONTRAST_IN_REDIRECT", "-p", "tcp", "--dport", fmt.Sprintf("%d", entry.listenPort), "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPortNoClientCert)); err != nil {
+				return fmt.Errorf("failed to append dport exception to CONTRAST_IN_REDIRECT chain to disable client auth: %w", err)
 			}
 		}
 	}
 
 	// Route all remaining traffic (TCP SYN packets that do not have a TLS exemption)
 	// to the Envoy proxy port that requires client authentication.
-	if err := iptablesExec.AppendUnique("mangle", "EDG_IN_REDIRECT", "-p", "tcp", "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPort)); err != nil {
-		return fmt.Errorf("failed to append default TPROXY rule to EDG_IN_REDIRECT chain: %w", err)
+	if err := iptablesExec.AppendUnique("mangle", "CONTRAST_IN_REDIRECT", "-p", "tcp", "-j", "TPROXY", "--on-port", fmt.Sprintf("%d", EnvoyIngressPort)); err != nil {
+		return fmt.Errorf("failed to append default TPROXY rule to CONTRAST_IN_REDIRECT chain: %w", err)
 	}
 
 	return nil

diff --git a/service-mesh/main.go b/service-mesh/main.go
@@ -12,9 +12,9 @@ import (
 )
 
 const (
-	egressProxyConfigEnvVar  = "EDG_EGRESS_PROXY_CONFIG"
-	ingressProxyConfigEnvVar = "EDG_INGRESS_PROXY_CONFIG"
-	adminPortEnvVar          = "EDG_ADMIN_PORT"
+	egressProxyConfigEnvVar  = "CONTRAST_EGRESS_PROXY_CONFIG"
+	ingressProxyConfigEnvVar = "CONTRAST_INGRESS_PROXY_CONFIG"
+	adminPortEnvVar          = "CONTRAST_ADMIN_PORT"
 	envoyConfigFile          = "/envoy-config.yml"
 )