feat: introduce initContainers field on EnvoyProxy API (#1972)

* feat: introduce initContainers field on EnvoyProxy API

Signed-off-by: Ardika Bagus <me@ardikabs.com>

* chore: re-generate crd

Signed-off-by: Ardika Bagus <me@ardikabs.com>

---------

Signed-off-by: Ardika Bagus <me@ardikabs.com>

api/v1alpha1/shared_types.go

@@ -56,16 +56,22 @@ type KubernetesDeploymentSpec struct {
 	// +optional
 	Strategy *appv1.DeploymentStrategy `json:"strategy,omitempty"`
 
-	// Pod defines the desired annotations and securityContext of container.
+	// Pod defines the desired specification of pod.
 	//
 	// +optional
 	Pod *KubernetesPodSpec `json:"pod,omitempty"`
 
-	// Container defines the resources and securityContext of container.
+	// Container defines the desired specification of main container.
 	//
 	// +optional
 	Container *KubernetesContainerSpec `json:"container,omitempty"`
 
+	// List of initialization containers belonging to the pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+	//
+	// +optional
+	InitContainers []corev1.Container `json:"initContainers,omitempty"`
+
 	// TODO: Expose config as use cases are better understood, e.g. labels.
 }
 

internal/infrastructure/kubernetes/proxy/resource_provider.go

@@ -212,6 +212,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 				},
 				Spec: corev1.PodSpec{
 					Containers:                    containers,
+					InitContainers:                deploymentConfig.InitContainers,
 					ServiceAccountName:            ExpectedResourceHashedName(r.infra.Name),
 					AutomountServiceAccountToken:  pointer.Bool(false),
 					TerminationGracePeriodSeconds: pointer.Int64(int64(300)),

internal/infrastructure/kubernetes/proxy/resource_provider_test.go

@@ -270,6 +270,69 @@ func TestDeployment(t *testing.T) {
 			concurrency: pointer.Int32(4),
 			bootstrap:   `test bootstrap config`,
 		},
+		{
+			caseName: "custom_with_initcontainers",
+			infra:    newTestInfra(),
+			deploy: &egv1a1.KubernetesDeploymentSpec{
+				Replicas: pointer.Int32(3),
+				Strategy: egv1a1.DefaultKubernetesDeploymentStrategy(),
+				Pod: &egv1a1.KubernetesPodSpec{
+					Annotations: map[string]string{
+						"prometheus.io/scrape": "true",
+					},
+					Labels: map[string]string{
+						"foo.bar": "custom-label",
+					},
+					SecurityContext: &corev1.PodSecurityContext{
+						RunAsUser: pointer.Int64(1000),
+					},
+					Volumes: []corev1.Volume{
+						{
+							Name: "custom-libs",
+							VolumeSource: corev1.VolumeSource{
+								EmptyDir: &corev1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+				Container: &egv1a1.KubernetesContainerSpec{
+					Image: pointer.String("envoyproxy/envoy:v1.2.3"),
+					Resources: &corev1.ResourceRequirements{
+						Limits: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("400m"),
+							corev1.ResourceMemory: resource.MustParse("2Gi"),
+						},
+						Requests: corev1.ResourceList{
+							corev1.ResourceCPU:    resource.MustParse("200m"),
+							corev1.ResourceMemory: resource.MustParse("1Gi"),
+						},
+					},
+					SecurityContext: &corev1.SecurityContext{
+						Privileged: pointer.Bool(true),
+					},
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "custom-libs",
+							MountPath: "/lib/filter_foo.so",
+						},
+					},
+				},
+				InitContainers: []corev1.Container{
+					{
+						Name:    "install-filter-foo",
+						Image:   "alpine:3.11.3",
+						Command: []string{"/bin/sh", "-c"},
+						Args:    []string{"echo \"Installing filter-foo\"; wget -q https://example.com/download/filter_foo_v1.0.0.tgz -O - | tar -xz --directory=/lib filter_foo.so; echo \"Done\";"},
+						VolumeMounts: []corev1.VolumeMount{
+							{
+								Name:      "custom-libs",
+								MountPath: "/lib",
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.caseName, func(t *testing.T) {

internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml

@@ -0,0 +1,236 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: envoy
+    app.kubernetes.io/component: proxy
+    app.kubernetes.io/managed-by: envoy-gateway
+    gateway.envoyproxy.io/owning-gateway-name: default
+    gateway.envoyproxy.io/owning-gateway-namespace: default
+  name: envoy-default-37a8eec1
+  namespace: envoy-gateway-system
+spec:
+  replicas: 3
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: envoy
+      app.kubernetes.io/component: proxy
+      app.kubernetes.io/managed-by: envoy-gateway
+      gateway.envoyproxy.io/owning-gateway-name: default
+      gateway.envoyproxy.io/owning-gateway-namespace: default
+      foo.bar: custom-label
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: envoy
+        app.kubernetes.io/component: proxy
+        app.kubernetes.io/managed-by: envoy-gateway
+        gateway.envoyproxy.io/owning-gateway-name: default
+        gateway.envoyproxy.io/owning-gateway-namespace: default
+        foo.bar: custom-label
+      annotations:
+        prometheus.io/scrape: "true"
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - args:
+            - --service-cluster default
+            - --service-node $(ENVOY_POD_NAME)
+            - |
+              --config-yaml admin:
+                access_log:
+                - name: envoy.access_loggers.file
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+                    path: /dev/null
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 19000
+              dynamic_resources:
+                ads_config:
+                  api_type: DELTA_GRPC
+                  transport_api_version: V3
+                  grpc_services:
+                  - envoy_grpc:
+                      cluster_name: xds_cluster
+                  set_node_on_first_message_only: true
+                lds_config:
+                  ads: {}
+                  resource_api_version: V3
+                cds_config:
+                  ads: {}
+                  resource_api_version: V3
+              static_resources:
+                listeners:
+                - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+                  address:
+                    socket_address:
+                      address: 0.0.0.0
+                      port_value: 19001
+                      protocol: TCP
+                  filter_chains:
+                  - filters:
+                    - name: envoy.filters.network.http_connection_manager
+                      typed_config:
+                        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                        stat_prefix: eg-ready-http
+                        route_config:
+                          name: local_route
+                        http_filters:
+                        - name: envoy.filters.http.health_check
+                          typed_config:
+                            "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+                            pass_through_mode: false
+                            headers:
+                            - name: ":path"
+                              string_match:
+                                exact: /ready
+                        - name: envoy.filters.http.router
+                          typed_config:
+                            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+                clusters:
+                - connect_timeout: 10s
+                  load_assignment:
+                    cluster_name: xds_cluster
+                    endpoints:
+                    - load_balancing_weight: 1
+                      lb_endpoints:
+                      - load_balancing_weight: 1
+                        endpoint:
+                          address:
+                            socket_address:
+                              address: envoy-gateway
+                              port_value: 18000
+                  typed_extension_protocol_options:
+                    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+                      "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+                      explicit_http_config:
+                        http2_protocol_options: {}
+                  name: xds_cluster
+                  type: STRICT_DNS
+                  http2_protocol_options:
+                    connection_keepalive:
+                      interval: 30s
+                      timeout: 5s
+                  transport_socket:
+                    name: envoy.transport_sockets.tls
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+                      common_tls_context:
+                        tls_params:
+                          tls_maximum_protocol_version: TLSv1_3
+                        tls_certificate_sds_secret_configs:
+                        - name: xds_certificate
+                          sds_config:
+                            path_config_source:
+                              path: "/sds/xds-certificate.json"
+                            resource_api_version: V3
+                        validation_context_sds_secret_config:
+                          name: xds_trusted_ca
+                          sds_config:
+                            path_config_source:
+                              path: "/sds/xds-trusted-ca.json"
+                            resource_api_version: V3
+              layered_runtime:
+                layers:
+                - name: runtime-0
+                  rtds_layer:
+                    rtds_config:
+                      ads: {}
+                      resource_api_version: V3
+                    name: runtime-0
+            - --log-level warn
+            - --cpuset-threads
+          command:
+            - envoy
+          env:
+            - name: ENVOY_GATEWAY_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: ENVOY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+          image: envoyproxy/envoy:v1.2.3
+          imagePullPolicy: IfNotPresent
+          name: envoy
+          ports:
+            - containerPort: 8080
+              name: EnvoyHTTPPort
+              protocol: TCP
+            - containerPort: 8443
+              name: EnvoyHTTPSPort
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 400m
+              memory: 2Gi
+            requests:
+              cpu: 200m
+              memory: 1Gi
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 19001
+              scheme: HTTP
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /certs
+              name: certs
+              readOnly: true
+            - mountPath: /sds
+              name: sds
+            - mountPath: /lib/filter_foo.so
+              name: custom-libs
+      initContainers:
+        - name: install-filter-foo
+          image: alpine:3.11.3
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - echo "Installing filter-foo";
+              wget -q https://example.com/download/filter_foo_v1.0.0.tgz -O - | tar -xz --directory=/lib filter_foo.so;
+              echo "Done";
+          volumeMounts:
+            - mountPath: /lib
+              name: custom-libs
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccountName: envoy-default-37a8eec1
+      terminationGracePeriodSeconds: 300
+      securityContext:
+        runAsUser: 1000
+      volumes:
+        - name: certs
+          secret:
+            secretName: envoy
+            defaultMode: 420
+        - configMap:
+            defaultMode: 420
+            items:
+              - key: xds-trusted-ca.json
+                path: xds-trusted-ca.json
+              - key: xds-certificate.json
+                path: xds-certificate.json
+            name: envoy-default-37a8eec1
+            optional: false
+          name: sds
+        - name: custom-libs
+          emptyDir: {}
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600

site/content/en/latest/api/extension_types.md

@@ -840,8 +840,9 @@ _Appears in:_
 | --- | --- |
 | `replicas` _integer_ | Replicas is the number of desired pods. Defaults to 1. |
 | `strategy` _[DeploymentStrategy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#deploymentstrategy-v1-apps)_ | The deployment strategy to use to replace existing pods with new ones. |
-| `pod` _[KubernetesPodSpec](#kubernetespodspec)_ | Pod defines the desired annotations and securityContext of container. |
-| `container` _[KubernetesContainerSpec](#kubernetescontainerspec)_ | Container defines the resources and securityContext of container. |
+| `pod` _[KubernetesPodSpec](#kubernetespodspec)_ | Pod defines the desired specification of pod. |
+| `container` _[KubernetesContainerSpec](#kubernetescontainerspec)_ | Container defines the desired specification of main container. |
+| `initContainers` _[Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#container-v1-core) array_ | List of initialization containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
 
 
 #### KubernetesPodSpec