don't patch deployments anymore

[krancour]

This is a pre-requisite for #38.

This PR simplifies the function of the proxy injector. Instead of looking for an annotation on the deployment and copying that annotation down to the deployment's pod spec template, only to later act on it, users are now required to annotate their deployment's pod spec templates directly.

While this is a breaking change (although it should be noted that Osiris has not had even a single release yet, nevermind a GA one) and a minor inconvenience, this produces much, much more reliable behavior (because there is a likely circumstances in which the proxy injector will not intercept changes to a deployment; see detailed explanation here).

Since #38 is set to expand the configuration options for pods and would be affected by this same issue, it is advisable to get this straightened out first, as #38 will emulate whatever approach we utilize here.

cc @vbehar I would love your 👀 on this if you don't mind.

[codecov-io]

Codecov Report

Merging #47 into master will decrease coverage by 0.31%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master      #47      +/-   ##
==========================================
- Coverage   59.09%   58.77%   -0.32%     
==========================================
  Files          11       11              
  Lines         638      638              
==========================================
- Hits          377      375       -2     
- Misses        232      234       +2     
  Partials       29       29

Impacted Files	Coverage Δ
pkg/kubernetes/osiris.go	100% <100%> (ø)	⬆️
pkg/net/http/httputil/reverseproxy.go	72.22% <0%> (-0.8%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f4df375...7eeb667. Read the comment docs.

[vbehar]

👍

[vbehar]

shouldn't this new sentence be written in the description column, instead of the default one?

[krancour]

It sure should. Nice catch.

[vbehar]

@krancour I'm wondering if we shouldn't give this annotation a different name, to avoid confusion with the one on the deployment. This one is only used to inject the proxy, so maybe osiris.deislabs.io/injectProxy: "true" ?

I'm saying that because I have something else I'd like to add to osiris: a proxy-less mode. The proxy is only used to collect metrics, but we could imagine different implementations of the metrics collector, with one collecting metrics from a prometheus endpoint. For people already using prometheus, this would have the following benefits:

• complete control over how a request is counted, ie no need to use the ignoredPaths, and if needed requests can be ignored based on different input: user-agent, source IP, ...
• allow the use of another tool that inject a transparent proxy as a sidecar container, like a service mesh.

I imagine using a different metrics collector could be done by:

• not adding the osiris.deislabs.io/injectProxy annotation on the pods
• adding a new annotation on the deployment to enable the prometheus metrics collector, and specify the port, endpoint, metrics names, ...
  I'll create a ticket to detail this proposal. so all that just to say that maybe we could use a more-specific name for this annotation ;-)

[krancour]

New feature aside, I am on board with renaming this annotation (and for that matter, renaming osiris.deislabs.io/enabled in the other places it is used as well) with names that are more unambiguously indicative of the specific behaviors that are being added.

I do, however, think that should happen in a follow-up PR. In the even that renaming some annotations proves controversial, it will be easier to undo.