
Update Sidecar Injector and Pod Reconciler to support new transparent proxy config flow #13341

bartsmykla opened this issue Apr 7, 2025 · 0 comments · May be fixed by #13491
Labels: kind/improvement (Improvement on an existing feature), triage/accepted (The issue was reviewed and is complete enough to start working on it)
Comments

bartsmykla (Contributor) commented Apr 7, 2025

Description

Summary

Update the Sidecar Injector and Pod Reconciler components in the control plane to implement the new way of configuring the transparent proxy as described in the MADR Transparent Proxy ConfigMap Handling Outside the Control Plane. This includes generating the config from merged sources, applying annotations, setting up Downward API and ConfigMap mounts, and removing the need for the control plane to access ConfigMaps in all namespaces.

Background

Previously, the control plane was responsible for assembling the full transparent proxy configuration and required access to ConfigMaps across all namespaces. With the new approach, each data plane component (kuma-init, kuma-sidecar) will build its own configuration from mounted sources. The control plane will now only handle setting the correct annotations and mounts during sidecar injection.

Tasks

  • In the Sidecar Injector:
    • Merge default config from control plane settings and the kuma-system ConfigMap
    • Apply any Pod-level transparent proxy annotations
    • Compute only the delta from defaults
    • Inject the traffic.kuma.io/transparent-proxy-config annotation
    • Add a downward API volume for the annotation mounted as /tmp/transparent-proxy/default/config.yaml
    • If traffic.kuma.io/transparent-proxy-configmap-name is present, mount the specified ConfigMap at /tmp/transparent-proxy/custom/config.yaml
    • Add CLI args for --transparent-proxy-config to kuma-sidecar and --config to kuma-init
  • In the Pod Reconciler:
    • Stop setting transparent proxy fields in the Dataplane resource
  • Remove ClusterRole permissions that allow the control plane to access ConfigMaps in all namespaces
  • Add tests for expected Pod spec output based on merged configuration

Acceptance Criteria

  • Sidecar injection produces a Pod spec like the example shown in the MADR:
    • Includes the traffic.kuma.io/transparent-proxy-config annotation with computed values
    • Mounts the annotation and any referenced ConfigMap as files in /tmp/transparent-proxy
    • CLI flags --transparent-proxy-config=/tmp/transparent-proxy/default/config.yaml and --transparent-proxy-config=/tmp/transparent-proxy/custom/config.yaml are present
  • Pod Reconciler no longer uses or sets redirectPortInbound, redirectPortOutbound, or ipFamilyMode in the Dataplane resource
  • ClusterRole used by the control plane no longer includes access to ConfigMaps in * namespaces
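A sketch of the injector flow the tasks above describe, as an added Go example rather than Kuma's own code: merge defaults, compute the delta, emit the annotation and the two mounts. The annotation keys and mount paths are the ones named in the issue; the merge precedence, the config key names used in tests, and JSON as the serialised form of the delta are assumptions.

```go
package main

import "encoding/json"

// Annotation keys and mount paths are those named in the issue; the rest is an added illustration.
const (
	ConfigAnnotation    = "traffic.kuma.io/transparent-proxy-config"
	ConfigMapAnnotation = "traffic.kuma.io/transparent-proxy-configmap-name"
	DefaultConfigPath   = "/tmp/transparent-proxy/default/config.yaml"
	CustomConfigPath    = "/tmp/transparent-proxy/custom/config.yaml"
)

// Mount stands in for a Pod volume mount; Source is "downwardAPI:<annotation>" or "configMap:<name>".
type Mount struct{ Path, Source string }

// MergeDefaults layers the kuma-system ConfigMap over control plane settings (assumed: ConfigMap wins).
func MergeDefaults(cpSettings, systemCM map[string]string) map[string]string {
	merged := map[string]string{}
	for _, src := range []map[string]string{cpSettings, systemCM} {
		for k, v := range src {
			merged[k] = v
		}
	}
	return merged
}

// ComputeDelta keeps only pod-level values that differ from the merged defaults.
func ComputeDelta(defaults, podLevel map[string]string) map[string]string {
	delta := map[string]string{}
	for k, v := range podLevel {
		if cur, ok := defaults[k]; !ok || cur != v {
			delta[k] = v
		}
	}
	return delta
}

// Inject returns the annotation and mounts the injector adds; the delta is JSON, which is valid YAML.
func Inject(defaults, podLevel, podAnnotations map[string]string) (map[string]string, []Mount, error) {
	raw, err := json.Marshal(ComputeDelta(defaults, podLevel))
	if err != nil {
		return nil, nil, err
	}
	mounts := []Mount{{DefaultConfigPath, "downwardAPI:" + ConfigAnnotation}}
	if name := podAnnotations[ConfigMapAnnotation]; name != "" {
		mounts = append(mounts, Mount{CustomConfigPath, "configMap:" + name})
	}
	return map[string]string{ConfigAnnotation: string(raw)}, mounts, nil
}
```

The custom mount is only added when the ConfigMap-name annotation is present, and the annotation value never repeats a default, which is what makes the resulting Pod spec small and namespace-local.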
@bartsmykla bartsmykla added kind/improvement Improvement on an existing feature triage/accepted The issue was reviewed and is complete enough to start working on it labels Apr 7, 2025
@bartsmykla bartsmykla added this to the 2.11.x milestone Apr 7, 2025
@bartsmykla bartsmykla self-assigned this Apr 7, 2025