Updated NGINX Service Mesh references in Helm templates #3602
Conversation
Codecov Report
@@ Coverage Diff @@
## main #3602 +/- ##
==========================================
- Coverage 52.35% 52.24% -0.11%
==========================================
Files 59 59
Lines 16880 16873 -7
==========================================
- Hits 8838 8816 -22
- Misses 7747 7762 +15
Partials 295 295 see 7 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
@jbyers19 does this mean that we can remove |
|
@lucacome, no. The internal functionality is still the same. The webhook just adds all these values to the pod spec when it is deployed. So if a user is deploying the ingress from a plain manifest instead of helm they do not have to manually add all these fields. They just need to add the |
|
so we're still giving users the option to use those flags as well? |
|
Yes, a user can manually add those if they want. However, the webhook will detect the incoming ingress deployment/daemonset and automatically add those to the spec if the Here's a snippet from that webhook (NSM code) that adds those specific flags you are asking about: args = append(args, "-spire-agent-address=/run/spire/sockets/agent.sock")
if pod.HasEgressLabelEnabled(objForMutation) {
args = append(args, "-enable-internal-routes")
}The webhook will add all those fields I removed from the template if the NSM label is present and set to |
|
I was hoping that we could remove them for good and have fewer moving pieces 😅 |
|
@jbyers19 I was actually thinking that IMO it would make more sense for KIC to enable the internal routes, etc. based on the labels, rather than having NSM add CLI arguments to KIC based on KIC's labels. What do you think? |
|
@lucacome, maybe. We already did the work and added the webhook to do this in the last NSM release though. I think it would only work for args though. We would still need the labels, volumes, etc. in the pod spec. |
github-actions
bot
added
dependencies
|
@jbyers19 looks like pr has fair bit of merge commits, can you please rebase with main and only keep the relevant bits |
github-actions
bot
removed
tests
Signed-off-by: Jared Byers <[email protected]>
Update NGINX Service Mesh Helm templates refs Signed-off-by: Jared Byers <[email protected]> (cherry picked from commit 97da5d3)
Updated NGINX Service Mesh references in Helm templates (#3602) Update NGINX Service Mesh Helm templates refs Signed-off-by: Jared Byers <[email protected]> (cherry picked from commit 97da5d3) Co-authored-by: Jared Byers <[email protected]>
Proposed changes
This change updates the
deployments/helm-chart/templates/controller-daemonset.yamlanddeployments/helm-chart/templates/controller-deployment.yamltemplates. In the latest NSM release, thensm.nginx.com/enable-ingressandnsm.nginx.com/enable-egressannotations were moved to labels. This change updates the templates accordingly. It also removes mostif .Values.nginxServiceMesh.enable/enableEgressreferences as these values are now handled by a mutating webhook run by NSM.Update: reverted this change.
One thing to note is that I removed theiffor thePOD_SERVICEACCOUNTenv variable so it is now added regardless of whether NSM is enabled or not. Since this is an environment variable used by the KIC controller, I thought it would be better to always include it in the pod spec.Testing:
helm lintpassed on the updated templates:helm lint . -f values-nsm.yaml --set controller.kind=daemonsethelm lint . -f values-nsm.yaml --set controller.kind=deploymenthelm install kic -f values-nsm.yaml --set controller.kind=daemonset . --dry-runhelm install kic -f values-nsm.yaml --set controller.kind=deployment . --dry-runChecklist
Before creating a PR, run through this checklist and mark each as complete.