stefanprodan
diff --git a/‎.github/workflows/analyze.yaml
Lines changed: 4 additions & 8 deletions b/‎.github/workflows/analyze.yaml
Lines changed: 4 additions & 8 deletions
diff --git a/‎.github/workflows/inject-sidecar.yaml
Lines changed: 97 additions & 0 deletions b/‎.github/workflows/inject-sidecar.yaml
Lines changed: 97 additions & 0 deletions
diff --git a/‎.github/workflows/jsondiff.py
Lines changed: 39 additions & 0 deletions b/‎.github/workflows/jsondiff.py
Lines changed: 39 additions & 0 deletions
diff --git a/‎apps/backend/deployment.patch.yaml
Lines changed: 216 additions & 0 deletions b/‎apps/backend/deployment.patch.yaml
Lines changed: 216 additions & 0 deletions
diff --git a/‎apps/backend/kustomization.yaml
Lines changed: 7 additions & 0 deletions b/‎apps/backend/kustomization.yaml
Lines changed: 7 additions & 0 deletions
@@ -23,16 +23,12 @@ jobs:
           echo "ISTIO_VERSION=$ISTIO_VERSION" >> $GITHUB_ENV
       - name: Get Istio CTL URL
         id: get-istioctl
-        uses: istio/get-istioctl@e9b2b82bc1cecf150ec6aee77ceee8c256f4faf4
+        uses: istio/get-istioctl@v0.3
         with:
           version: ${{ env.ISTIO_VERSION }}
-      - name: Download Istio CTL
-        run: |
-          curl -o istioctl.tar.gz -fsLO ${{ steps.get-istioctl.outputs.istioctl-url }}
-          tar -xzf istioctl.tar.gz
-          ./istioctl version --remote=false
       - name: Analyze manifests
         run: |
-          ./istioctl analyze -A --use-kube=false \
+          istioctl analyze -A --use-kube=false \
             --failure-threshold ERROR \
-            $(find . -not -path "*/.git*/*" -not -path "*/clusters/*" -name "*.yaml" -type f)
+            $(find . -not -path "*/.git*/*" -not -path "*/clusters/*" \
+              -not -name "*.patch.yaml" -not -name "kustomization.yaml" -name "*.yaml" -type f)
@@ -0,0 +1,97 @@
+name: inject-sidecar
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+
+jobs:
+  inject-istio:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - uses: chrisdickinson/setup-yq@latest
+        with:
+          yq-version: v4.25.1
+      - name: get istio controlplane version
+        id: get-istio-version
+        run: |
+          ISTIO_VERSION=$(yq eval '.data.version' ./clusters/my-cluster/istio-version.yaml)
+          echo "ISTIO_VERSION=$ISTIO_VERSION" >> $GITHUB_ENV
+      - name: get istioctl uri
+        id: get-istioctl
+        uses: istio/[email protected]
+        with:
+          version: ${{ env.ISTIO_VERSION }}
+      - uses: azure/setup-helm@v1
+        id: install
+      - name: Get Istioctl
+        run: |
+          istioctl version --remote=false
+
+      - uses: "actions/setup-python@v2"
+        with:
+          python-version: "3.8"
+      - name: Inject Sidecar
+        id: inject
+        run: |
+          # hydrate isto manifest into configmap files
+
+          URI=$(cat istio/system/istio.yaml | yq e '. | select(.kind == "HelmRepository" and .metadata.name =="istio") | .spec.url' -)
+          cat istio/system/istio.yaml | yq e '. | select(.kind == "HelmRelease" and .metadata.name =="istiod") | .spec.values' - > values.yaml
+          VERSION=$(cat clusters/my-cluster/istio-version.yaml | yq e '.data.version' -)
+          helm repo add istio $URI
+          helm template -f values.yaml --version $VERSION istiod istio/istiod | yq e '.| select(.kind == "ConfigMap" and .metadata.name == "istio-sidecar-injector") | .data.config' - > injector.yaml
+          helm template -f values.yaml --version $VERSION istiod istio/istiod | yq e '.| select(.kind == "ConfigMap" and .metadata.name == "istio") | .data.mesh' - > mesh.yaml
+          helm template -f values.yaml --version $VERSION istiod istio/istiod | yq e '.| select(.kind == "ConfigMap" and .metadata.name == "istio-sidecar-injector") | .data.values' - > inj-values.yaml
+
+          python -m pip install jsonpatch
+
+          inject() {
+            NAME="${1%.*}"
+            echo "name =$NAME"
+            EXTENSION="${1##*.}"
+            echo "ext =$EXTENSION"
+            istioctl kube-inject \
+                               --injectConfigFile injector.yaml \
+                                --meshConfigFile mesh.yaml \
+                                --valuesFile inj-values.yaml \
+                               -f $1 -o $NAME.gen.$EXTENSION
+
+            # injected yaml ends with '---', so remove before converting to json
+            yq -N eval '.' $NAME.gen.$EXTENSION | yq -N -o json eval > $NAME.gen.json
+            yq eval -o=json $NAME.$EXTENSION > $NAME.json
+
+            python ./.github/workflows/jsondiff.py "$(pwd)""${NAME#.}".json "$(pwd)"/$NAME.gen.json > $NAME.patch.json
+            yq eval -P $NAME.patch.json > $NAME.patch.$EXTENSION
+            rm $NAME.gen.$EXTENSION
+            rm $NAME.json
+            rm $NAME.gen.json
+            rm $NAME.patch.json
+          }
+
+          export -f inject
+
+          find . -not -path "*/istio-$ISTIO_VERSION/*" \
+                 -not -path "*/.git*/*" -not -path "*/clusters/*" -name "*.yaml" \
+                 -not -path "*/istio/operator/manifests.yaml" -name "*deployment.yaml" \
+                 -print0 | xargs -0 -I{} bash -c "inject {}"
+
+          rm manifests.yaml injector.yaml values.yaml mesh.yaml
+          if [[ $(git diff --stat) != '' ]]; then
+            echo ::set-output name=version::${ISTIO_VERSION}
+          fi
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        if: steps.inject.outputs.version
+        with:
+          token: ${{ secrets.GH_ADMIN_TOKEN }}
+          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          author: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          commit-message: Update Sidecars to ${{ env.ISTIO_VERSION }}
+          title: Update Istio sidecar ${{ env.ISTIO_VERSION }}
+          body: |
+            Istio sidecar v${{ env.ISTIO_VERSION }}
+          branch: update-sidecar-${{ env.ISTIO_VERSION }}
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from __future__ import print_function
+
+import sys
+import json
+import jsonpatch
+import argparse
+
+
+parser = argparse.ArgumentParser(description='Diff two JSON files')
+parser.add_argument('FILE1', type=argparse.FileType('r'))
+parser.add_argument('FILE2', type=argparse.FileType('r'))
+parser.add_argument('--indent', type=int, default=None,
+                    help='Indent output by n spaces')
+parser.add_argument('-v', '--version', action='version',
+                    version='%(prog)s ' + jsonpatch.__version__)
+
+
+def main():
+  try:
+    diff_files()
+  except KeyboardInterrupt:
+    sys.exit(1)
+
+
+def diff_files():
+  """ Diffs two JSON files and prints a patch """
+  args = parser.parse_args()
+  doc1 = json.load(args.FILE1)
+  doc2 = json.load(args.FILE2)
+  patch = jsonpatch.make_patch(doc1, doc2)
+  if patch.patch:
+    print(json.dumps(patch.patch, indent=args.indent))
+    sys.exit(1)
+
+if __name__ == "__main__":
+  main()
@@ -0,0 +1,216 @@
+- op: add
+  path: /status
+  value: {}
+- op: add
+  path: /spec/template/spec/volumes
+  value:
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - emptyDir: {}
+    name: istio-data
+  - downwardAPI:
+      items:
+      - fieldRef:
+          fieldPath: metadata.labels
+        path: labels
+      - fieldRef:
+          fieldPath: metadata.annotations
+        path: annotations
+    name: istio-podinfo
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          audience: istio-ca
+          expirationSeconds: 43200
+          path: istio-token
+  - configMap:
+      name: istio-ca-root-cert
+    name: istiod-ca-cert
+- op: add
+  path: /spec/template/spec/securityContext
+  value:
+    fsGroup: 1337
+- op: add
+  path: /spec/template/spec/initContainers
+  value:
+  - args:
+    - istio-iptables
+    - -p
+    - "15001"
+    - -z
+    - "15006"
+    - -u
+    - "1337"
+    - -m
+    - REDIRECT
+    - -i
+    - '*'
+    - -x
+    - ""
+    - -b
+    - '*'
+    - -d
+    - 15090,15021,15020
+    image: docker.io/istio/proxyv2:1.13.2
+    name: istio-init
+    resources:
+      limits:
+        cpu: "2"
+        memory: 1Gi
+      requests:
+        cpu: 10m
+        memory: 40Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_ADMIN
+        - NET_RAW
+        drop:
+        - ALL
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+- op: replace
+  path: /spec/template/spec/containers/0/resources/limits/cpu
+  value: "2"
+- op: add
+  path: /spec/template/spec/containers/1
+  value:
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.cluster.local
+    - --proxyLogLevel=warning
+    - --proxyComponentLogLevel=misc:error
+    - --log_output_level=default:info
+    - --concurrency
+    - "2"
+    env:
+    - name: JWT_POLICY
+      value: third-party-jwt
+    - name: PILOT_CERT_PROVIDER
+      value: istiod
+    - name: CA_ADDR
+      value: istiod.istio-system.svc:15012
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+        {}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+            {"name":"http","containerPort":9898,"protocol":"TCP"}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: backend
+    - name: ISTIO_META_CLUSTER_ID
+      value: Kubernetes
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: REDIRECT
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: backend
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/apps/v1/namespaces/prod/deployments/backend
+    - name: ISTIO_META_MESH_ID
+      value: cluster.local
+    - name: TRUST_DOMAIN
+      value: cluster.local
+    - name: ISTIO_PROMETHEUS_ANNOTATIONS
+      value: '{"scrape":"true","path":"","port":""}'
+    image: docker.io/istio/proxyv2:1.13.2
+    name: istio-proxy
+    ports:
+    - containerPort: 15090
+      name: http-envoy-prom
+      protocol: TCP
+    readinessProbe:
+      failureThreshold: 30
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 1
+      periodSeconds: 2
+      timeoutSeconds: 3
+    resources:
+      limits:
+        cpu: "2"
+        memory: 1Gi
+      requests:
+        cpu: 10m
+        memory: 40Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1337
+      runAsNonRoot: true
+      runAsUser: 1337
+    volumeMounts:
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    - mountPath: /etc/istio/pod
+      name: istio-podinfo
+- op: add
+  path: /spec/template/metadata/creationTimestamp
+  value: null
+- op: add
+  path: /spec/template/metadata/labels/security.istio.io~1tlsMode
+  value: istio
+- op: add
+  path: /spec/template/metadata/labels/service.istio.io~1canonical-revision
+  value: latest
+- op: add
+  path: /spec/template/metadata/labels/service.istio.io~1canonical-name
+  value: backend
+- op: add
+  path: /spec/template/metadata/annotations/sidecar.istio.io~1status
+  value: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
+- op: add
+  path: /spec/template/metadata/annotations/kubectl.kubernetes.io~1default-logs-container
+  value: backend
+- op: add
+  path: /spec/template/metadata/annotations/kubectl.kubernetes.io~1default-container
+  value: backend
+- op: add
+  path: /spec/template/metadata/annotations/prometheus.io~1path
+  value: /stats/prometheus
+- op: add
+  path: /spec/template/metadata/annotations/prometheus.io~1port
+  value: "15020"
+- op: add
+  path: /metadata/creationTimestamp
+  value: null
@@ -8,3 +8,10 @@ images:
   - name: ghcr.io/stefanprodan/podinfo
     newName: ghcr.io/stefanprodan/podinfo
     newTag: 6.1.0
+patchesJson6902:
+- path: deployment.patch.yaml
+  target:
+      group: apps
+      kind: Deployment
+      name: backend
+      version: v1