feat: mode-aware image selection and proxy-sidecar injection#295
feat: mode-aware image selection and proxy-sidecar injection#295
Conversation
Add authbridge deployment mode annotation (kagenti.io/authbridge-mode) with three modes: - envoy-sidecar (default): iptables + Envoy + ext_proc using authbridge-envoy image. Unchanged from current behavior. - proxy-sidecar: lightweight authbridge-light image (29 MB) with HTTP_PROXY/HTTPS_PROXY env vars injected into app containers. No iptables, no proxy-init, no Envoy. App routes outbound traffic through authbridge forward proxy on localhost:8081. - waypoint: standalone deployment (not a sidecar). Skips injection. Also updates default images from authbridge-unified to authbridge-envoy and adds authbridge-light image field to ImageConfig. Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Hai Huang <huang195@gmail.com>
pdettori
left a comment
pdettori
left a comment
There was a problem hiding this comment.
Well-structured PR that adds three authbridge deployment modes behind an opt-in annotation. The envoy-sidecar default path is unchanged, proxy-sidecar mode correctly injects the lightweight container + HTTP_PROXY env vars into all app containers, and waypoint mode cleanly short-circuits injection. All 16 CI checks pass including E2E and unit tests.
The main gap is the absence of new unit tests in the diff — the existing pod_mutator_test.go and container_builder_test.go should cover the new modes.
Areas reviewed: Go (injector, config), Security
Commits: 1 commit, signed-off ✓, Assisted-By trailer ✓
CI status: all 16 checks passing
Verdict: COMMENT — no must-fix issues, one suggestion for test coverage.
|
|
||
| // ======================================== | ||
| // Envoy-sidecar mode (default) | ||
| // ======================================== |
There was a problem hiding this comment.
suggestion: No unit tests in the diff for the new proxy-sidecar mode. pod_mutator_test.go and container_builder_test.go both exist — consider adding cases for:
- proxy-sidecar mode injects
authbridge-proxycontainer +HTTP_PROXYenv vars into app containers - waypoint mode returns early with no mutation (
false, nil) injectHTTPProxyEnvdoesn't duplicate existing env varsBuildProxySidecarContainerwith/without SPIRE enabled
The mode-aware branching logic is the core of this PR, so test coverage here would be high-value.
| RunAsNonRoot: ptr.To(true), | ||
| AllowPrivilegeEscalation: ptr.To(false), | ||
| }, | ||
| VolumeMounts: volumeMounts, |
There was a problem hiding this comment.
nit: Resources: b.cfg.Resources.EnvoyProxy — consistent with existing builders, but since authbridge-light is ~5× smaller (29 MB vs 140 MB), a follow-up could add an AuthBridgeLight resource config so operators can tune memory/CPU independently for the lightweight variant.
| // spiffe-helper and client-registration are still injected | ||
| if decision.SpiffeHelper.Inject && !containerExists(podSpec.Containers, SpiffeHelperContainerName) { | ||
| podSpec.Containers = append(podSpec.Containers, builder.BuildSpiffeHelperContainer()) | ||
| } |
There was a problem hiding this comment.
praise: Clean mode-aware branching — proxy-sidecar properly re-uses the shared volume/SPIRE/client-registration infrastructure while stripping iptables and Envoy. Good idempotency via containerExists and envExists checks. The injectHTTPProxyEnv helper correctly skips the authbridge container itself.
pdettori
left a comment
pdettori
left a comment
There was a problem hiding this comment.
/LGTM
Approving - up to you if you'd like to add the tests
- TestBuildProxySidecarContainer with/without SPIRE - TestInjectAuthBridge_WaypointMode_SkipsInjection - TestInjectAuthBridge_ProxySidecarMode_InjectsCorrectly - TestInjectHTTPProxyEnv_DoesNotDuplicate Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Hai Huang <huang195@gmail.com>
github-project-automation
Bot
moved this from Backlog
to Done
in Kagenti Issue Prioritization
|
test cases are added. Thanks @pdettori. |
- Chart.yaml: subchart 0.2.0-alpha.27 -> 0.2.0-alpha.28
- values.yaml: operator image 0.2.0-alpha.27 -> 0.2.0-alpha.28
- Rename authbridge-unified-config ConfigMap to authbridge-config
- Add listener section with env var placeholders for proxy-sidecar mode:
reverse_proxy_addr, reverse_proxy_backend, forward_proxy_addr
- These are expanded via ${...} when the operator injects env vars
for proxy-sidecar mode; ignored in envoy-sidecar mode
Depends on:
- kagenti/kagenti-operator#295 (mode-aware images)
- kagenti/kagenti-operator#296 (port-stealing)
Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Hai Huang <huang195@gmail.com>
- Chart.yaml: subchart 0.2.0-alpha.27 -> 0.2.0-alpha.28 - values.yaml: operator image 0.2.0-alpha.27 -> 0.2.0-alpha.28 - Rename authbridge-unified-config ConfigMap to authbridge-runtime-config (authbridge-config is already used by the flat key-value ConfigMap) - Add listener section with env var placeholders for proxy-sidecar mode Depends on: - kagenti/kagenti-operator#295 (mode-aware images) - kagenti/kagenti-operator#296 (port-stealing + rename) Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Hai Huang <huang195@gmail.com>
- Chart.yaml: subchart 0.2.0-alpha.27 -> 0.2.0-alpha.28 - values.yaml: operator image 0.2.0-alpha.27 -> 0.2.0-alpha.28 - Rename authbridge-unified-config ConfigMap to authbridge-runtime-config (authbridge-config is already used by the flat key-value ConfigMap) - Add listener section with env var placeholders for proxy-sidecar mode Depends on: - kagenti/kagenti-operator#295 (mode-aware images) - kagenti/kagenti-operator#296 (port-stealing + rename) Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Hai Huang <huang195@gmail.com>
- Chart.yaml: subchart 0.2.0-alpha.27 -> 0.2.0-alpha.28 - values.yaml: operator image 0.2.0-alpha.27 -> 0.2.0-alpha.28 - Rename authbridge-unified-config ConfigMap to authbridge-runtime-config (authbridge-config is already used by the flat key-value ConfigMap) - Add listener section with env var placeholders for proxy-sidecar mode Depends on: - kagenti/kagenti-operator#295 (mode-aware images) - kagenti/kagenti-operator#296 (port-stealing + rename) Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Hai Huang <huang195@gmail.com>
- Chart.yaml: subchart 0.2.0-alpha.27 -> 0.2.0-alpha.28 - values.yaml: operator image 0.2.0-alpha.27 -> 0.2.0-alpha.28 - Rename authbridge-unified-config ConfigMap to authbridge-runtime-config (authbridge-config is already used by the flat key-value ConfigMap) - Add listener section with env var placeholders for proxy-sidecar mode Depends on: - kagenti/kagenti-operator#295 (mode-aware images) - kagenti/kagenti-operator#296 (port-stealing + rename) Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Hai Huang <huang195@gmail.com>
3 participants
Summary
Add authbridge deployment mode support with three modes controlled by the
kagenti.io/authbridge-modeannotation:envoy-sidecar(default)proxy-sidecarwaypointChanges
AuthBridgeLightimage field toImageConfigEnvoyProxyimage fromauthbridge-unifiedtoauthbridge-envoyAnnotationAuthBridgeModeannotation and mode constantsBuildProxySidecarContainerto container builderpod_mutator.go:injectHTTPProxyEnvandenvExistshelpersProxy-sidecar mode (from Klaviger pattern)
Based on the Klaviger sidecar proxy pattern. The app container gets
HTTP_PROXY=http://127.0.0.1:8081injected, so standard HTTP clients automatically route outbound traffic through authbridge. No iptables or proxy-init needed.Test plan
go build ./...passesgo test ./internal/webhook/injector/...passesgo test ./internal/webhook/config/...passeskagenti.io/authbridge-mode: proxy-sidecar, verify authbridge-light injected with HTTP_PROXY env varsDepends on kagenti/kagenti-extensions v0.5.0-alpha.4 (authbridge-envoy + authbridge-light images).
Assisted-By: Claude (Anthropic AI) noreply@anthropic.com