refactor: refactor code (#299)

2025-12-24 11:51:13 +08:00 · 2024-07-19 22:25:23 +08:00
parent bc7d205695
commit 1feaacaba9
5 changed files with 7 additions and 8 deletions
--- a/pkg/inject/controller.go
+++ b/pkg/inject/controller.go
@@ -0,0 +1,166 @@
+package inject
+
+import (
+	_ "embed"
+
+	log "github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/utils/pointer"
+
+	"github.com/wencaiwulue/kubevpn/v2/pkg/config"
+	"github.com/wencaiwulue/kubevpn/v2/pkg/util"
+)
+
+//go:embed envoy.yaml
+var envoyConfig []byte
+
+func RemoveContainers(spec *v1.PodTemplateSpec) {
+	for i := 0; i < len(spec.Spec.Containers); i++ {
+		if sets.New[string](config.ContainerSidecarEnvoyProxy, config.ContainerSidecarVPN).Has(spec.Spec.Containers[i].Name) {
+			spec.Spec.Containers = append(spec.Spec.Containers[:i], spec.Spec.Containers[i+1:]...)
+			i--
+		}
+	}
+}
+
+// AddMeshContainer todo envoy support ipv6
+func AddMeshContainer(spec *v1.PodTemplateSpec, nodeId string, c util.PodRouteConfig) {
+	// remove envoy proxy containers if already exist
+	RemoveContainers(spec)
+
+	envoyLogLevel := "error"
+	if config.Debug {
+		envoyLogLevel = "debug"
+	}
+	spec.Spec.Containers = append(spec.Spec.Containers, v1.Container{
+		Name:    config.ContainerSidecarVPN,
+		Image:   config.Image,
+		Command: []string{"/bin/sh", "-c"},
+		Args: []string{`
+sysctl -w net.ipv4.ip_forward=1
+sysctl -w net.ipv6.conf.all.disable_ipv6=0
+sysctl -w net.ipv6.conf.all.forwarding=1
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+iptables -F
+ip6tables -F
+iptables -P INPUT ACCEPT
+ip6tables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+ip6tables -P FORWARD ACCEPT
+iptables -t nat -A PREROUTING ! -p icmp ! -s 127.0.0.1 ! -d ${CIDR4} -j DNAT --to :15006
+ip6tables -t nat -A PREROUTING ! -p icmp ! -s 0:0:0:0:0:0:0:1 ! -d ${CIDR6} -j DNAT --to :15006
+iptables -t nat -A POSTROUTING ! -p icmp ! -s 127.0.0.1 ! -d ${CIDR4} -j MASQUERADE
+ip6tables -t nat -A POSTROUTING ! -p icmp ! -s 0:0:0:0:0:0:0:1 ! -d ${CIDR6} -j MASQUERADE
+kubevpn serve -L "tun:/localhost:8422?net=${TunIPv4}&route=${CIDR4}" -F "tcp://${TrafficManagerService}:10800"`,
+		},
+		EnvFrom: []v1.EnvFromSource{{
+			SecretRef: &v1.SecretEnvSource{
+				LocalObjectReference: v1.LocalObjectReference{
+					Name: config.ConfigMapPodTrafficManager,
+				},
+			},
+		}},
+		Env: []v1.EnvVar{
+			{
+				Name:  "CIDR4",
+				Value: config.CIDR.String(),
+			},
+			{
+				Name:  "CIDR6",
+				Value: config.CIDR6.String(),
+			},
+			{
+				Name:  config.EnvInboundPodTunIPv4,
+				Value: "",
+			},
+			{
+				Name:  config.EnvInboundPodTunIPv6,
+				Value: "",
+			},
+			{
+				Name:  "TrafficManagerService",
+				Value: config.ConfigMapPodTrafficManager,
+			},
+			{
+				Name: config.EnvPodNamespace,
+				ValueFrom: &v1.EnvVarSource{
+					FieldRef: &v1.ObjectFieldSelector{
+						FieldPath: "metadata.namespace",
+					},
+				},
+			},
+			{
+				Name: config.EnvPodName,
+				ValueFrom: &v1.EnvVarSource{
+					FieldRef: &v1.ObjectFieldSelector{
+						FieldPath: "metadata.name",
+					},
+				},
+			},
+		},
+		Resources: v1.ResourceRequirements{
+			Requests: map[v1.ResourceName]resource.Quantity{
+				v1.ResourceCPU:    resource.MustParse("128m"),
+				v1.ResourceMemory: resource.MustParse("128Mi"),
+			},
+			Limits: map[v1.ResourceName]resource.Quantity{
+				v1.ResourceCPU:    resource.MustParse("256m"),
+				v1.ResourceMemory: resource.MustParse("256Mi"),
+			},
+		},
+		ImagePullPolicy: v1.PullIfNotPresent,
+		SecurityContext: &v1.SecurityContext{
+			Capabilities: &v1.Capabilities{
+				Add: []v1.Capability{
+					"NET_ADMIN",
+					//"SYS_MODULE",
+				},
+			},
+			RunAsUser:  pointer.Int64(0),
+			RunAsGroup: pointer.Int64(0),
+			Privileged: pointer.Bool(true),
+		},
+	})
+	spec.Spec.Containers = append(spec.Spec.Containers, v1.Container{
+		Name:  config.ContainerSidecarEnvoyProxy,
+		Image: config.Image,
+		Command: []string{
+			"envoy",
+			"-l",
+			envoyLogLevel,
+			"--base-id",
+			"1",
+			"--service-node",
+			nodeId,
+			"--service-cluster",
+			nodeId,
+			"--config-yaml",
+		},
+		Args: []string{
+			string(envoyConfig),
+		},
+		Resources: v1.ResourceRequirements{
+			Requests: map[v1.ResourceName]resource.Quantity{
+				v1.ResourceCPU:    resource.MustParse("128m"),
+				v1.ResourceMemory: resource.MustParse("128Mi"),
+			},
+			Limits: map[v1.ResourceName]resource.Quantity{
+				v1.ResourceCPU:    resource.MustParse("256m"),
+				v1.ResourceMemory: resource.MustParse("256Mi"),
+			},
+		},
+		ImagePullPolicy: v1.PullIfNotPresent,
+	})
+}
+
+func init() {
+	json, err := yaml.ToJSON(envoyConfig)
+	if err != nil {
+		log.Errorf("Error converting json to bytes: %v", err)
+		return
+	}
+	envoyConfig = json
+}
--- a/pkg/inject/envoy.go
+++ b/pkg/inject/envoy.go
@@ -25,7 +25,6 @@ import (

 	"github.com/wencaiwulue/kubevpn/v2/pkg/config"
 	"github.com/wencaiwulue/kubevpn/v2/pkg/controlplane"
-	"github.com/wencaiwulue/kubevpn/v2/pkg/mesh"
 	"github.com/wencaiwulue/kubevpn/v2/pkg/util"
 )

@@ -112,7 +111,7 @@ func InjectVPNAndEnvoySidecar(ctx1 context.Context, factory cmdutil.Factory, cli
 		return err
 	}

-	mesh.AddMeshContainer(templateSpec, nodeID, c)
+	AddMeshContainer(templateSpec, nodeID, c)
 	helper := pkgresource.NewHelper(object.Client, object.Mapping)
 	ps := []P{
 		{
@@ -170,7 +169,7 @@ func UnPatchContainer(factory cmdutil.Factory, mapInterface v12.ConfigMapInterfa

 	log.Infof("leave workload %s", workload)

-	mesh.RemoveContainers(templateSpec)
+	RemoveContainers(templateSpec)
 	if u.GetAnnotations() != nil && u.GetAnnotations()[config.KubeVPNRestorePatchKey] != "" {
 		patchStr := u.GetAnnotations()[config.KubeVPNRestorePatchKey]
 		var ps []P
--- a/pkg/inject/envoy.yaml
+++ b/pkg/inject/envoy.yaml
@@ -0,0 +1,53 @@
+admin:
+  access_log_path: /dev/null
+  address:
+    socket_address:
+      address: "::"
+      port_value: 9003
+      ipv4_compat: true
+dynamic_resources:
+  ads_config:
+    api_type: GRPC
+    transport_api_version: V3
+    grpc_services:
+      - envoy_grpc:
+          cluster_name: xds_cluster
+    set_node_on_first_message_only: true
+  cds_config:
+    resource_api_version: V3
+    ads: { }
+  lds_config:
+    resource_api_version: V3
+    ads: { }
+static_resources:
+  listeners:
+    - name: default_listener
+      address:
+        socket_address:
+          address: "::"
+          port_value: 15006
+          ipv4_compat: true
+      use_original_dst: true
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.tcp_proxy
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                stat_prefix: tcp
+                cluster: origin_cluster
+  clusters:
+    - name: xds_cluster
+      connect_timeout: 2s
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: xds_cluster
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: kubevpn-traffic-manager
+                      port_value: 9002
+                      ipv4_compat: true
+      http2_protocol_options: { }