dariuszski / ziti-agent-wh Goto Github PK

Role precedence idea:

if pod annotation (typically via a Deployment) with a "safe" separator, not space or comma;
else if explicit namespace annotation (can use the same annotation key, e.g., identity.openziti.io/roles;
else deterministic (predictable, conventional) role like { deployment metadata.name }.{ namespace metadata.name}.{cluster metadata.name, else random ID}

This change will help to avoid confusion about which version of ziti is installed.

ref: https://github.com/openziti/ziti/blob/release-next/dist/docker-images/ziti-controller/Dockerfile

If the image will use ziti CLI, even if it will not be based on the RedHat UBI, then we can add a build stage in our Dockerfile that sources a pinned ziti version.

example Dockerfile

ARG ZITI_CLI_TAG="latest"
ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli"

# this builds docker.io/openziti/ziti-k8s-agent
FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}

# set up image as root
USER root

# do stuff as root
RUN chmod 0755 /usr/local/bin/ziti-agent-wh

# drop privs to ziggy
USER ziggy
COPY ${DOCKER_BUILD_DIR}/deployment/bashrc /home/ziggy/.bashrc
ENTRYPOINT [ "ziti-agent-wh" ]

Need a retry behavior for Ziti CRUD ops that follows some kind of backoff policy to avoid hammering a limping controller

Each tproxy sidecar needs cluster DNS configuration to effect precedence:

1. Ziti DNS
2. Cluster DNS

For the MVP we can find and inject the coredns or kube-dns ClusterIP by the common label selector: k8s-app=kube-dns

e.g.,

kubectl --namespace kube-system \
get services --selector=k8s-app=kube-dns \
--output go-template='{{range .items}}{{ .spec.clusterIP }}{{"\n"}}{{end}}'