feat: proxy mode use traffic-manager pod image (#635)

naison
2025-06-10 19:02:04 +08:00
committed by GitHub
parent bfed866c04
commit 507da8a44c
21 changed files with 130 additions and 93 deletions


@@ -38,13 +38,13 @@ func RemoveContainers(spec *v1.PodTemplateSpec) {
}
// AddMeshContainer todo envoy support ipv6
func AddMeshContainer(spec *v1.PodTemplateSpec, ns, nodeID string, c util.PodRouteConfig, ipv6 bool, connectNamespace string, secret *v1.Secret) {
func AddMeshContainer(spec *v1.PodTemplateSpec, ns, nodeID string, ipv6 bool, connectNamespace string, secret *v1.Secret, image string) {
// remove envoy proxy containers if already exist
RemoveContainers(spec)
spec.Spec.Containers = append(spec.Spec.Containers, v1.Container{
Name: config.ContainerSidecarVPN,
Image: config.Image,
Image: image,
Command: []string{"/bin/sh", "-c"},
Args: []string{`
echo 1 > /proc/sys/net/ipv4/ip_forward
@@ -136,7 +136,7 @@ kubevpn server -l "tun:/localhost:8422?net=${TunIPv4}&net6=${TunIPv6}&route=${CI
})
spec.Spec.Containers = append(spec.Spec.Containers, v1.Container{
Name: config.ContainerSidecarEnvoyProxy,
Image: config.Image,
Image: image,
Command: []string{
"envoy",
"-l",
@@ -171,13 +171,13 @@ kubevpn server -l "tun:/localhost:8422?net=${TunIPv4}&net6=${TunIPv6}&route=${CI
})
}
func AddEnvoyContainer(spec *v1.PodTemplateSpec, ns, nodeID string, ipv6 bool, connectNamespace string, secret *v1.Secret) {
func AddEnvoyContainer(spec *v1.PodTemplateSpec, ns, nodeID string, ipv6 bool, connectNamespace string, image string) {
// remove envoy proxy containers if already exist
RemoveContainers(spec)
spec.Spec.Containers = append(spec.Spec.Containers, v1.Container{
Name: config.ContainerSidecarVPN,
Image: config.Image,
Image: image,
Command: []string{"/bin/sh", "-c"},
Args: []string{`
kubevpn server -l "ssh://:2222"`,
@@ -200,7 +200,7 @@ kubevpn server -l "ssh://:2222"`,
})
spec.Spec.Containers = append(spec.Spec.Containers, v1.Container{
Name: config.ContainerSidecarEnvoyProxy,
Image: config.Image,
Image: image,
Command: []string{
"envoy",
"-l",
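Review bot: `image` is written straight into `Image:` for both sidecar containers in AddMeshContainer and AddEnvoyContainer with no check that it is non-empty, and AddContainer in the VPN-sidecar file does the same. An empty or unexpected value would presumably only surface later, when the workload patch is rejected or the pod fails to pull. The first container's startup script enables IP forwarding, so the image it runs is a trust decision. A guard at the top of each function, such as `if image == "" { image = config.Image }`, keeps the previous default, and a doc comment saying where callers obtain `image` (the commit title suggests the traffic-manager pod) would make that provenance reviewable. Both function bodies continue outside the visible hunks.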


@@ -20,12 +20,12 @@ func RemoveContainer(spec *corev1.PodSpec) {
}
}
func AddContainer(spec *corev1.PodSpec, c util.PodRouteConfig, connectNamespace string, secret *corev1.Secret) {
func AddContainer(spec *corev1.PodSpec, c util.PodRouteConfig, connectNamespace string, secret *corev1.Secret, image string) {
// remove vpn container if already exist
RemoveContainer(spec)
spec.Containers = append(spec.Containers, corev1.Container{
Name: config.ContainerSidecarVPN,
Image: config.Image,
Image: image,
Env: []corev1.EnvVar{
{
Name: "LocalTunIPv4",


@@ -27,7 +27,12 @@ import (
// InjectEnvoySidecar patch a sidecar, using iptables to do port-forward let this pod decide should go to 233.254.254.100 or request to 127.0.0.1
// https://istio.io/latest/docs/ops/deployment/requirements/#ports-used-by-istio
func InjectEnvoySidecar(ctx context.Context, nodeID string, f cmdutil.Factory, clientset *kubernetes.Clientset, connectNamespace string, current, object *runtimeresource.Info, headers map[string]string, portMap []string, secret *v1.Secret) (err error) {
func InjectEnvoySidecar(ctx context.Context, nodeID string, f cmdutil.Factory, connectNamespace string, current, object *runtimeresource.Info, headers map[string]string, portMap []string, image string) (err error) {
var clientset *kubernetes.Clientset
clientset, err = f.KubernetesClientSet()
if err != nil {
return err
}
u := object.Object.(*unstructured.Unstructured)
var templateSpec *v1.PodTemplateSpec
var path []string
@@ -63,7 +68,7 @@ func InjectEnvoySidecar(ctx context.Context, nodeID string, f cmdutil.Factory, c
enableIPv6, _ := util.DetectPodSupportIPv6(ctx, f, connectNamespace)
// (1) add mesh container
AddEnvoyContainer(templateSpec, object.Namespace, nodeID, enableIPv6, connectNamespace, secret)
AddEnvoyContainer(templateSpec, object.Namespace, nodeID, enableIPv6, connectNamespace, image)
helper := pkgresource.NewHelper(object.Client, object.Mapping)
ps := []P{
{
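Review bot: The error from `f.KubernetesClientSet()` at the top of InjectEnvoySidecar is returned without context, so a caller cannot tell a client-construction failure from a later patch failure; InjectVPNAndEnvoySidecar adds the same lines. Because `err` is already a named result, the declaration can be shortened to `clientset, err := f.KubernetesClientSet()`. If `fmt` is imported in this file (not visible here), `return fmt.Errorf("get kubernetes clientset: %w", err)` would carry the context. The function body continues outside the hunk.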


@@ -18,6 +18,7 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
pkgresource "k8s.io/cli-runtime/pkg/resource"
runtimeresource "k8s.io/cli-runtime/pkg/resource"
"k8s.io/client-go/kubernetes"
v12 "k8s.io/client-go/kubernetes/typed/core/v1"
cmdutil "k8s.io/kubectl/pkg/cmd/util"
"sigs.k8s.io/yaml"
@@ -31,7 +32,13 @@ import (
// https://istio.io/latest/docs/ops/deployment/requirements/#ports-used-by-istio
// InjectVPNAndEnvoySidecar patch a sidecar, using iptables to do port-forward let this pod decide should go to 233.254.254.100 or request to 127.0.0.1
func InjectVPNAndEnvoySidecar(ctx context.Context, nodeID string, f cmdutil.Factory, mapInterface v12.ConfigMapInterface, connectNamespace string, object *runtimeresource.Info, c util.PodRouteConfig, headers map[string]string, portMaps []string, secret *v1.Secret) (err error) {
func InjectVPNAndEnvoySidecar(ctx context.Context, nodeID string, f cmdutil.Factory, connectNamespace string, object *runtimeresource.Info, c util.PodRouteConfig, headers map[string]string, portMaps []string, secret *v1.Secret, image string) (err error) {
var clientset *kubernetes.Clientset
clientset, err = f.KubernetesClientSet()
if err != nil {
return err
}
u := object.Object.(*unstructured.Unstructured)
var templateSpec *v1.PodTemplateSpec
var path []string
@@ -70,7 +77,7 @@ func InjectVPNAndEnvoySidecar(ctx context.Context, nodeID string, f cmdutil.Fact
}
}
err = addEnvoyConfig(mapInterface, object.Namespace, nodeID, c, headers, ports, portmap)
err = addEnvoyConfig(clientset.CoreV1().ConfigMaps(connectNamespace), object.Namespace, nodeID, c, headers, ports, portmap)
if err != nil {
plog.G(ctx).Errorf("Failed to add envoy config: %v", err)
return err
@@ -88,7 +95,7 @@ func InjectVPNAndEnvoySidecar(ctx context.Context, nodeID string, f cmdutil.Fact
enableIPv6, _ := util.DetectPodSupportIPv6(ctx, f, connectNamespace)
// (1) add mesh container
AddMeshContainer(templateSpec, object.Namespace, nodeID, c, enableIPv6, connectNamespace, secret)
AddMeshContainer(templateSpec, object.Namespace, nodeID, enableIPv6, connectNamespace, secret, image)
helper := pkgresource.NewHelper(object.Client, object.Mapping)
ps := []P{
{
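Review bot: The ConfigMap client passed to `addEnvoyConfig` is now always `clientset.CoreV1().ConfigMaps(connectNamespace)`, where the caller previously chose it through `mapInterface`, so the envoy routing config is written to `connectNamespace` unconditionally. Whether every former caller passed an interface for that same namespace is not visible in these hunks and is worth confirming. A comment on the call would record the intent, for example `// envoy config is stored in connectNamespace, not in object.Namespace`. The function body continues outside the visible hunks.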


@@ -24,7 +24,7 @@ import (
util2 "github.com/wencaiwulue/kubevpn/v2/pkg/util"
)
func InjectVPNSidecar(ctx context.Context, nodeID string, f util.Factory, connectNamespace string, object *resource.Info, c util2.PodRouteConfig, secret *v1.Secret) error {
func InjectVPNSidecar(ctx context.Context, nodeID string, f util.Factory, connectNamespace string, object *resource.Info, c util2.PodRouteConfig, secret *v1.Secret, image string) error {
u := object.Object.(*unstructured.Unstructured)
podTempSpec, path, err := util2.GetPodTemplateSpecPath(u)
@@ -50,7 +50,7 @@ func InjectVPNSidecar(ctx context.Context, nodeID string, f util.Factory, connec
return err
}
AddContainer(&podTempSpec.Spec, c, connectNamespace, secret)
AddContainer(&podTempSpec.Spec, c, connectNamespace, secret, image)
workload := fmt.Sprintf("%s/%s", object.Mapping.Resource.Resource, object.Name)
helper := resource.NewHelper(object.Client, object.Mapping)