Add build rules and instructions for enabling Istio sidecar injection

BUILD.ca_bundle

@@ -0,0 +1,7 @@
+genrule(
+    name = "gen-ca-bundle",
+    srcs = ["client-ca-file"],
+    outs = ["ca-bundle"],
+    cmd = "base64 <$< | tr -d '\n' >$@",
+    visibility = ["//visibility:public"],
+)

BUILD.istio

@@ -1,7 +1,8 @@
 load("@k8s_object//:defaults.bzl", "k8s_object")
 load("@io_bazel_rules_k8s//k8s:objects.bzl", "k8s_objects")
+load("@//:istio.bzl", "disable_policy")
 
-package(default_visibility=["//visibility:public"])
+package(default_visibility = ["//visibility:public"])
 
 # Generate a istioclusterrolebinding.yaml based on the
 # K8S_USER_OVERRIDE env variable.
@@ -38,10 +39,47 @@ k8s_object(
     visibility = ["//visibility:public"],
 )
 
+disable_policy(
+    name = "istio-sidecar-injector-configmap-disabled",
+    template = "istio-sidecar-injector-configmap-release.yaml",
+)
+
+k8s_object(
+    name = "istio-sidecar-injector-configmap",
+    template = ":istio-sidecar-injector-configmap-disabled",
+)
+
+sh_binary(
+    name = "webhook-create-signed-cert",
+    srcs = ["webhook-create-signed-cert.sh"],
+    args = [
+        "--service istio-sidecar-injector",
+        "--namespace istio-system",
+        "--secret sidecar-injector-certs",
+    ],
+)
+
+genrule(
+    name = "gen-istio-sidecar-injector-with-ca-bundle",
+    srcs = [
+        "@cluster_ca_bundle//:ca-bundle",
+        "istio-sidecar-injector.yaml",
+    ],
+    outs = ["istio-sidecar-injector-with-ca-bundle.yaml"],
+    cmd = "CA_BUNDLE=$$(< $(location @cluster_ca_bundle//:ca-bundle)) envsubst <$(location istio-sidecar-injector.yaml) >$@",
+)
+
+k8s_object(
+    name = "istio-sidecar-injector-with-ca-bundle",
+    template = "istio-sidecar-injector-with-ca-bundle.yaml",
+)
+
 k8s_objects(
     name = "istio",
     objects = [
         ":istioclusterrolebinding",
         ":istio-core",
+        ":istio-sidecar-injector-configmap",
+        ":istio-sidecar-injector-with-ca-bundle",
     ],
 )

DEVELOPMENT.md

@@ -117,6 +117,22 @@ You can access the Elafros Controller's logs with:
 $ kubectl -n ela-system logs $(kubectl -n ela-system get pods -l app=ela-controller -o name)
 ```
 
+## Enabling Istio Sidecar Injection
+After standing up elafros, perform the following steps to enable automatic
+sidecar injection.
+
+First, create a signed cert for the Istio webhook:
+
+```shell
+bazel run @istio_release//:webhook-create-signed-cert
+```
+
+Second, label namespaces with `istio-injection=enabled`:
+
+```shell
+kubectl label namespace default istio-injection=enabled
+```
+
 ## Iterating
 
 As you make changes to the code-base, there are two special cases to be aware of:

README.md

@@ -7,7 +7,7 @@ If you are interested in contributing to `Elafros`, see
 
 ## Getting Started
 
-* [Setup Istio](https://istio.io/docs/setup/kubernetes/quick-start.html)
+* [Setup Istio](https://istio.io/docs/setup/kubernetes/quick-start.html): Make sure to enable automatic sidecar injection for the default namespace (or any other namespace containing Elafros services).
 * [Setup Elafros](#latest-release)
 * [Run samples](./sample/README.md)
 

WORKSPACE

@@ -85,12 +85,12 @@ go_repository(
 )
 
 # Istio
-ISTIO_RELEASE = "0.5.1"
+ISTIO_RELEASE = "0.6.0"
 
 new_http_archive(
     name = "istio_release",
     build_file = "BUILD.istio",
-    sha256 = "f811d29df1b14f71f9e4c14622c949f8b7a1a049ca970e62811933e37a128727",
+    sha256 = "fa9bc2c6a197096812b6f4a5a284d13b38bbdba4ee1fc6586a60c9a63337b4d8",
     strip_prefix = "istio-" + ISTIO_RELEASE + "/install/kubernetes",
     type = "tar.gz",
     url = "https://github.com/istio/istio/releases/download/" + ISTIO_RELEASE + "/istio-" + ISTIO_RELEASE + "-linux.tar.gz",
@@ -119,3 +119,7 @@ private_git_repository(
 load("@buildcrd//:deps.bzl", "repositories")
 
 repositories()
+
+load(":ca_bundle.bzl", "cluster_ca_bundle")
+
+cluster_ca_bundle(name = "cluster_ca_bundle")

ca_bundle.bzl

@@ -0,0 +1,21 @@
+def _cluster_ca_bundle_impl(ctx):
+  ctx.symlink(Label("//:BUILD.ca_bundle"), "BUILD")
+  cluster = ctx.execute([
+      "sh", "-c",
+      "grep STABLE_K8S_CLUSTER bazel-out/stable-status.txt | cut -d' ' -f 2"]).stdout
+
+  result = ctx.execute([
+      "kubectl", "get", "configmap",
+      "--namespace=kube-system",
+      "extension-apiserver-authentication",
+      "-o=jsonpath={.data.client-ca-file}",
+      "--cluster=" + cluster])
+
+  if result.return_code != 0:
+    fail("Failed to get ca bundle: %s" % result.stderr)
+
+  ctx.file("client-ca-file", content=result.stdout)
+
+cluster_ca_bundle = repository_rule(
+    implementation = _cluster_ca_bundle_impl,
+)

istio.bzl

@@ -0,0 +1,15 @@
+def _disable_policy_impl(ctx):
+  ctx.actions.expand_template(
+      template=ctx.file.template,
+      output=ctx.outputs.out,
+      substitutions={
+          "policy: enabled": "policy: disabled",
+      })
+
+disable_policy = rule(
+    implementation=_disable_policy_impl,
+    attrs={
+        "template": attr.label(allow_files=True, single_file=True),
+    },
+    outputs={"out": "%{name}.yaml"}
+)

pkg/controller/revision/ela_autoscaler.go

@@ -59,6 +59,9 @@ func MakeElaAutoscalerDeployment(u *v1alpha1.Revision, namespace string) *v1beta
 					Labels: map[string]string{
 						"autoscaler": controller.GetRevisionAutoscalerName(u),
 					},
+					Annotations: map[string]string{
+						"sidecar.istio.io/inject": "false",
+					},
 				},
 				Spec: corev1.PodSpec{
 					Containers: []corev1.Container{

pkg/controller/revision/ela_pod.go

@@ -167,31 +167,9 @@ func MakeElaPodSpec(u *v1alpha1.Revision) *corev1.PodSpec {
 		},
 	}
 
-	fluentdContainer := corev1.Container{
-		Name:  fluentdContainerName,
-		Image: fluentdSidecarImage,
-		Resources: corev1.ResourceRequirements{
-			Requests: corev1.ResourceList{
-				corev1.ResourceName("cpu"): resource.MustParse(fluentdContainerCpu),
-			},
-		},
-		VolumeMounts: []corev1.VolumeMount{
-			{
-				MountPath: nginxLogVolumeMountPath,
-				Name:      nginxLogVolumeName,
-				//ReadOnly:  true,
-			},
-			{
-				MountPath: elaContainerLogVolumeMountPath,
-				Name:      elaContainerLogVolumeName,
-				//ReadOnly:  true,
-			},
-		},
-	}
-
 	return &corev1.PodSpec{
 		Volumes:    []corev1.Volume{elaContainerLogVolume, nginxConfigVolume, nginxLogVolume},
-		Containers: []corev1.Container{*elaContainer, queueContainer, nginxContainer, fluentdContainer},
+		Containers: []corev1.Container{*elaContainer, queueContainer, nginxContainer},
 	}
 }
 
@@ -217,6 +195,9 @@ func MakeElaDeployment(u *v1alpha1.Revision, namespace string) *v1beta1.Deployme
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: meta_v1.ObjectMeta{
 					Labels: MakeElaResourceLabels(u),
+					Annotations: map[string]string{
+						"sidecar.istio.io/inject": "true",
+					},
 				},
 			},
 		},