diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 0000000..a3ab754 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,25 @@ +{ + "name": "Kubebuilder DevContainer", + "image": "golang:1.24", + "features": { + "ghcr.io/devcontainers/features/docker-in-docker:2": {}, + "ghcr.io/devcontainers/features/git:1": {} + }, + + "runArgs": ["--network=host"], + + "customizations": { + "vscode": { + "settings": { + "terminal.integrated.shell.linux": "/bin/bash" + }, + "extensions": [ + "ms-kubernetes-tools.vscode-kubernetes-tools", + "ms-azuretools.vscode-docker" + ] + } + }, + + "onCreateCommand": "bash .devcontainer/post-install.sh" +} + diff --git a/.devcontainer/post-install.sh b/.devcontainer/post-install.sh new file mode 100644 index 0000000..67f3e97 --- /dev/null +++ b/.devcontainer/post-install.sh @@ -0,0 +1,23 @@ +#!/bin/bash +set -x + +curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(go env GOARCH) +chmod +x ./kind +mv ./kind /usr/local/bin/kind + +curl -L -o kubebuilder https://go.kubebuilder.io/dl/latest/linux/$(go env GOARCH) +chmod +x kubebuilder +mv kubebuilder /usr/local/bin/ + +KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt) +curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/$(go env GOARCH)/kubectl" +chmod +x kubectl +mv kubectl /usr/local/bin/kubectl + +docker network create -d=bridge --subnet=172.19.0.0/24 kind + +kind version +kubebuilder version +docker --version +go version +kubectl version --client diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..2c024ae --- /dev/null +++ b/.dockerignore @@ -0,0 +1,44 @@ +# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file +# Ignore everything by default and re-include only needed files +** + +# Re-include Go source files (but not *_test.go) +!**/*.go +**/*_test.go + +# Re-include Go module files +!go.mod +!go.sum + +# Explicitly exclude (even if matched above) +.git/ +.github/ +.devcontainer/ +.vscode/ +.idea/ + +# Build artifacts +bin/ +proxy +kubebuilder + +# Kubernetes configs (not needed for binary build) +config/ +deploy/ + +# Documentation +website/ +*.md +LICENSE + +# Tests +tests/ +test/ + +# Misc +*.backup +.env +.DS_Store +Makefile* +*.yaml +*.yml diff --git a/.github/cliff.toml b/.github/cliff.toml new file mode 100644 index 0000000..8197a04 --- /dev/null +++ b/.github/cliff.toml @@ -0,0 +1,41 @@ +# git-cliff configuration for changelog generation + +[changelog] +header = """ +# Changelog\n +""" +body = """ +{% for group, commits in commits | group_by(attribute="group") %} + ### {{ group | upper_first }} + {% for commit in commits %} + - {{ commit.message | upper_first }} ({{ commit.id | truncate(length=7, end="") }})\ + {% endfor %} +{% endfor %}\n +""" +footer = "" +trim = true + +[git] +conventional_commits = true +filter_unconventional = true +split_commits = false +commit_parsers = [ + { message = "^feat", group = "Features" }, + { message = "^fix", group = "Bug Fixes" }, + { message = "^doc", group = "Documentation" }, + { message = "^perf", group = "Performance" }, + { message = "^refactor", group = "Refactoring" }, + { message = "^style", group = "Style" }, + { message = "^test", group = "Testing" }, + { message = "^chore\\(release\\)", skip = true }, + { message = "^chore\\(deps\\)", skip = true }, + { message = "^chore", group = "Miscellaneous" }, + { message = "^ci", group = "CI/CD" }, +] +protect_breaking_commits = false +filter_commits = false +tag_pattern = "v[0-9].*" +skip_tags = "" +ignore_tags = "" +topo_order = false +sort_commits = "oldest" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..87953c7 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,161 @@ +name: CI + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + +env: + GO_VERSION: '1.24' + +jobs: + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: ${{ env.GO_VERSION }} + + - name: golangci-lint + uses: golangci/golangci-lint-action@v7 + with: + version: v2.5.0 + + test: + name: Test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Run tests + run: make test + + - name: Upload coverage to Codecov + uses: codecov/codecov-action@v4 + with: + files: ./cover.out + fail_ci_if_error: false + + build: + name: Build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Build proxy + run: go build -v ./cmd/proxy + + - name: Build manager + run: go build -v ./cmd/main.go + + docker: + name: Docker Build + runs-on: ubuntu-latest + needs: [lint, test, build] + steps: + - uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build proxy image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.proxy + push: false + tags: contextforge-proxy:test + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Build operator image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.operator + push: false + tags: contextforge-operator:test + cache-from: type=gha + cache-to: type=gha,mode=max + + helm: + name: Helm Lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Helm + uses: azure/setup-helm@v3 + with: + version: v3.13.0 + + - name: Lint chart + run: helm lint deploy/helm/contextforge + + security: + name: Security Scan + runs-on: ubuntu-latest + needs: [docker] + steps: + - uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner (filesystem) + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + severity: 'CRITICAL,HIGH' + exit-code: '1' + ignore-unfixed: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build proxy image for scanning + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.proxy + push: false + load: true + tags: contextforge-proxy:scan + + - name: Run Trivy vulnerability scanner (proxy image) + uses: aquasecurity/trivy-action@master + with: + image-ref: 'contextforge-proxy:scan' + severity: 'CRITICAL,HIGH' + exit-code: '1' + ignore-unfixed: true + + - name: Build operator image for scanning + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.operator + push: false + load: true + tags: contextforge-operator:scan + + - name: Run Trivy vulnerability scanner (operator image) + uses: aquasecurity/trivy-action@master + with: + image-ref: 'contextforge-operator:scan' + severity: 'CRITICAL,HIGH' + exit-code: '1' + ignore-unfixed: true diff --git a/.github/workflows/deploy-website.yaml b/.github/workflows/deploy-website.yaml new file mode 100644 index 0000000..2dc0920 --- /dev/null +++ b/.github/workflows/deploy-website.yaml @@ -0,0 +1,74 @@ +name: Deploy Website + +on: + push: + branches: [main, master] + paths: + - 'website/**' + - '.github/workflows/deploy-website.yaml' + workflow_dispatch: + +permissions: + contents: write + pages: write + id-token: write + +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version: '1.21' + + - name: Setup Hugo + uses: peaceiris/actions-hugo@v3 + with: + hugo-version: 'latest' + extended: true + + - name: Build website + working-directory: website + run: | + hugo mod get -u + hugo --minify --baseURL "https://ctxforge.io/" + + - name: Checkout gh-pages branch + uses: actions/checkout@v4 + with: + ref: gh-pages + path: gh-pages-existing + continue-on-error: true + + - name: Preserve Helm chart files + run: | + # Copy Helm chart repository files to Hugo output if they exist + if [ -d "gh-pages-existing" ]; then + # Copy index.yaml (Helm repo index) + cp gh-pages-existing/index.yaml website/public/ 2>/dev/null || true + # Copy chart tarballs + cp gh-pages-existing/*.tgz website/public/ 2>/dev/null || true + echo "Preserved existing Helm chart files" + else + echo "No existing gh-pages branch found, skipping preservation" + fi + + - name: Deploy to GitHub Pages + uses: peaceiris/actions-gh-pages@v4 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + publish_dir: ./website/public + cname: ctxforge.io + user_name: 'github-actions[bot]' + user_email: 'github-actions[bot]@users.noreply.github.com' + commit_message: 'Deploy website' diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml new file mode 100644 index 0000000..3d4fcf3 --- /dev/null +++ b/.github/workflows/e2e.yaml @@ -0,0 +1,121 @@ +name: E2E Tests + +on: + push: + branches: [main, master] + pull_request: + branches: [main, master] + paths: + - '**.go' + - 'go.mod' + - 'go.sum' + - 'deploy/**' + - 'Dockerfile.*' + - '.github/workflows/e2e.yaml' + +env: + GO_VERSION: '1.24' + +jobs: + e2e: + name: E2E Tests + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Install kind + run: | + curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 + chmod +x ./kind + sudo mv ./kind /usr/local/bin/kind + + - name: Install kubectl + run: | + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + chmod +x kubectl + sudo mv kubectl /usr/local/bin/kubectl + + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.13.0 + + - name: Create kind cluster + run: | + kind create cluster --name ctxforge-e2e --wait 120s + + - name: Build Docker images + run: | + docker build -t contextforge-proxy:e2e -f Dockerfile.proxy . + docker build -t contextforge-operator:e2e -f Dockerfile.operator . + + - name: Load images into kind + run: | + kind load docker-image contextforge-proxy:e2e --name ctxforge-e2e + kind load docker-image contextforge-operator:e2e --name ctxforge-e2e + + - name: Install cert-manager + run: | + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml + kubectl wait --for=condition=Available deployment/cert-manager -n cert-manager --timeout=120s + kubectl wait --for=condition=Available deployment/cert-manager-webhook -n cert-manager --timeout=120s + kubectl wait --for=condition=Available deployment/cert-manager-cainjector -n cert-manager --timeout=120s + + - name: Generate manifests + run: make manifests generate + + - name: Install CRDs + run: make install + + - name: Deploy with Helm + run: | + helm upgrade --install contextforge deploy/helm/contextforge \ + --namespace contextforge-system \ + --create-namespace \ + --set namespace.create=false \ + --set operator.image.repository=contextforge-operator \ + --set operator.image.tag=e2e \ + --set operator.image.pullPolicy=Never \ + --set proxy.image.repository=contextforge-proxy \ + --set proxy.image.tag=e2e \ + --set proxy.image.pullPolicy=Never \ + --set webhook.certManager.enabled=true \ + --wait \ + --timeout 180s + + - name: Wait for operator + run: | + kubectl wait --for=condition=Available deployment/contextforge-operator \ + -n contextforge-system \ + --timeout=120s + + - name: Run E2E tests + run: go test -v ./tests/e2e/... -timeout 20m + + - name: Collect logs on failure + if: failure() + run: | + echo "=== Operator logs ===" + kubectl logs -n contextforge-system deployment/contextforge-operator --tail=100 || true + echo "" + echo "=== Pod status ===" + kubectl get pods -A || true + echo "" + echo "=== Events ===" + kubectl get events -n contextforge-system --sort-by='.lastTimestamp' || true + echo "" + echo "=== Certificate status ===" + kubectl get certificate -n contextforge-system || true + kubectl describe certificate -n contextforge-system || true + echo "" + echo "=== Secrets ===" + kubectl get secrets -n contextforge-system || true + + - name: Cleanup + if: always() + run: kind delete cluster --name ctxforge-e2e diff --git a/.github/workflows/release-helm.yaml b/.github/workflows/release-helm.yaml new file mode 100644 index 0000000..9a901ea --- /dev/null +++ b/.github/workflows/release-helm.yaml @@ -0,0 +1,36 @@ +name: Release Helm Charts + +on: + push: + branches: [main, master] + paths: + - 'deploy/helm/**' + - '.github/workflows/release-helm.yaml' + +jobs: + release: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.13.0 + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.6.0 + with: + charts_dir: deploy/helm + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..5f92bd1 --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,226 @@ +name: Release + +on: + push: + tags: + - 'v*.*.*' + +env: + REGISTRY: ghcr.io + OPERATOR_IMAGE: ghcr.io/${{ github.repository_owner }}/contextforge-operator + PROXY_IMAGE: ghcr.io/${{ github.repository_owner }}/contextforge-proxy + +jobs: + test: + name: Test before release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + + - name: Run tests + run: make test + + build-and-push: + name: Build and Push Images + runs-on: ubuntu-latest + needs: test + permissions: + contents: read + packages: write + outputs: + version: ${{ steps.meta.outputs.version }} + steps: + - uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata for operator + id: meta-operator + uses: docker/metadata-action@v5 + with: + images: ${{ env.OPERATOR_IMAGE }} + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + + - name: Extract metadata for proxy + id: meta-proxy + uses: docker/metadata-action@v5 + with: + images: ${{ env.PROXY_IMAGE }} + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + + - name: Extract version + id: meta + run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT + + - name: Build and push operator image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.operator + push: true + platforms: linux/amd64,linux/arm64 + tags: ${{ steps.meta-operator.outputs.tags }} + labels: ${{ steps.meta-operator.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Build and push proxy image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.proxy + push: true + platforms: linux/amd64,linux/arm64 + tags: ${{ steps.meta-proxy.outputs.tags }} + labels: ${{ steps.meta-proxy.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + create-release: + name: Create GitHub Release + runs-on: ubuntu-latest + needs: build-and-push + permissions: + contents: write + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Generate changelog + id: changelog + uses: orhun/git-cliff-action@v3 + with: + config: .github/cliff.toml + args: --latest --strip header + env: + OUTPUT: CHANGELOG.md + + - name: Create GitHub Release + uses: softprops/action-gh-release@v1 + with: + body: | + ## Docker Images + + ```bash + # Operator + docker pull ${{ env.OPERATOR_IMAGE }}:${{ needs.build-and-push.outputs.version }} + + # Proxy + docker pull ${{ env.PROXY_IMAGE }}:${{ needs.build-and-push.outputs.version }} + ``` + + ## Helm Installation + + ```bash + helm repo add contextforge https://ctxforge.io + helm repo update + helm upgrade --install contextforge contextforge/contextforge \ + --namespace ctxforge-system \ + --create-namespace \ + --set operator.image.tag=${{ needs.build-and-push.outputs.version }} \ + --set proxy.image.tag=${{ needs.build-and-push.outputs.version }} + ``` + + ## Changelog + + ${{ steps.changelog.outputs.content }} + draft: false + prerelease: ${{ contains(github.ref, '-alpha') || contains(github.ref, '-beta') || contains(github.ref, '-rc') }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + update-helm-chart: + name: Update Helm Chart Version + runs-on: ubuntu-latest + needs: [build-and-push, create-release] + permissions: + contents: write + pull-requests: write + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.repository.default_branch }} + fetch-depth: 0 + + - name: Update Chart.yaml version + run: | + VERSION=${{ needs.build-and-push.outputs.version }} + sed -i "s/^version:.*/version: ${VERSION}/" deploy/helm/contextforge/Chart.yaml + sed -i "s/^appVersion:.*/appVersion: \"${VERSION}\"/" deploy/helm/contextforge/Chart.yaml + + - name: Update values.yaml image tags + run: | + VERSION=${{ needs.build-and-push.outputs.version }} + sed -i "s/tag:.*/tag: \"${VERSION}\"/" deploy/helm/contextforge/values.yaml + + - name: Generate full changelog for website + uses: orhun/git-cliff-action@v3 + with: + config: .github/cliff.toml + args: --strip header + env: + OUTPUT: CHANGELOG_FULL.md + + - name: Update website changelog + run: | + VERSION=${{ needs.build-and-push.outputs.version }} + DATE=$(date +%Y-%m-%d) + + # Create new changelog content + cat > website/content/docs/changelog.md << 'HEADER' + --- + title: Changelog + weight: 10 + --- + + All notable changes to ContextForge are documented here. + + This changelog is automatically updated with each release. + + HEADER + + # Append the generated changelog + cat CHANGELOG_FULL.md >> website/content/docs/changelog.md + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: "chore: bump to v${{ needs.build-and-push.outputs.version }}" + title: "chore: release v${{ needs.build-and-push.outputs.version }}" + body: | + Automated PR to update versions after release v${{ needs.build-and-push.outputs.version }}. + + **Changes:** + - Updates Helm `Chart.yaml` version and appVersion + - Updates Helm `values.yaml` image tags + - Updates website changelog + + Once merged, the Helm chart and website will be automatically released. + branch: chore/release-${{ needs.build-and-push.outputs.version }} + delete-branch: true diff --git a/.gitignore b/.gitignore index aaadf73..d96a8bb 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,11 @@ *.dll *.so *.dylib +bin/ +/proxy + +# Downloaded tools +/kubebuilder # Test binary, built with `go test -c` *.test @@ -24,9 +29,27 @@ profile.cov go.work go.work.sum +# Backup files +*.backup + +# Planning/temporary files +pre_plan.md +tech_plan.md + # env file .env # Editor/IDE -# .idea/ -# .vscode/ +.idea/ +.vscode/ +*.swp +*.swo +*~ + +# macOS +.DS_Store + +# Hugo (website) +website/public/ +website/resources/ +website/.hugo_build.lock diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000..7eec397 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,68 @@ +version: "2" +run: + allow-parallel-runners: true +linters: + default: none + enable: + - copyloopvar + - dupl + - errcheck + - ginkgolinter + - goconst + - gocyclo + - govet + - ineffassign + - lll + - misspell + - nakedret + - prealloc + - revive + - staticcheck + - unconvert + - unparam + - unused + settings: + revive: + rules: + - name: comment-spacings + - name: import-shadowing + exclusions: + generated: lax + rules: + - linters: + - lll + path: api/* + - linters: + - dupl + - lll + path: internal/* + # Relax linters for test files + - linters: + - dupl + - errcheck + - goconst + - ginkgolinter + - lll + path: _test\.go$ + # Relax linters for e2e tests + - linters: + - dupl + - errcheck + - goconst + - ginkgolinter + - lll + path: tests/ + paths: + - third_party$ + - builtin$ + - examples$ +formatters: + enable: + - gofmt + - goimports + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..2509abd --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,202 @@ +# Contributing to ContextForge + +Thank you for your interest in contributing to ContextForge! This document provides guidelines and instructions for contributing. + +## Code of Conduct + +By participating in this project, you agree to maintain a respectful and inclusive environment for everyone. + +## License + +ContextForge is licensed under the [Apache License 2.0](LICENSE). By contributing, you agree that your contributions will be licensed under the same license. + +## Getting Started + +### Prerequisites + +- Go 1.24+ +- Docker +- kubectl +- kind (for local testing) +- Helm 3+ + +### Development Setup + +1. **Fork and clone the repository** + + ```bash + git clone https://github.com/YOUR_USERNAME/contextforge.git + cd contextforge + ``` + +2. **Install dependencies** + + ```bash + go mod download + ``` + +3. **Build the project** + + ```bash + make build-all + ``` + +4. **Run tests** + + ```bash + # Unit tests + make test + + # E2E tests (creates Kind cluster) + make test-e2e + ``` + +### Local Development with Kind + +```bash +# Create a Kind cluster +kind create cluster --name ctxforge-dev + +# Install CRDs +make install + +# Run the operator locally +make run +``` + +## How to Contribute + +### Reporting Issues + +- Check existing issues before creating a new one +- Use issue templates when available +- Provide clear reproduction steps for bugs +- Include relevant logs and environment details + +### Submitting Changes + +1. **Create a feature branch** + + ```bash + git checkout -b feature/amazing-feature + ``` + +2. **Make your changes** + + - Follow the code style guidelines below + - Add tests for new functionality + - Update documentation as needed + +3. **Run tests locally** + + ```bash + make test + make lint # if available + ``` + +4. **Commit your changes** + + Use [Conventional Commits](https://www.conventionalcommits.org/) format: + + ```bash + git commit -m "feat: add amazing feature" + git commit -m "fix: resolve header propagation issue" + git commit -m "docs: update installation guide" + ``` + + **Commit types:** + - `feat`: New feature + - `fix`: Bug fix + - `docs`: Documentation changes + - `test`: Adding or updating tests + - `refactor`: Code refactoring + - `chore`: Maintenance tasks + +5. **Push and create a Pull Request** + + ```bash + git push origin feature/amazing-feature + ``` + + Then open a Pull Request on GitHub. + +### Pull Request Guidelines + +- Provide a clear description of the changes +- Reference related issues (e.g., "Fixes #123") +- Ensure all CI checks pass +- Keep PRs focused on a single concern +- Be responsive to review feedback + +## Code Style + +### Go Code + +- Follow standard Go conventions and [Effective Go](https://golang.org/doc/effective_go) +- Use `gofmt` for formatting +- Use descriptive variable and function names +- Add comments for exported functions and types +- Handle errors explicitly + +### Kubernetes Resources + +- Use lowercase with hyphens for resource names +- Follow Kubernetes naming conventions +- Include appropriate labels and annotations + +### Documentation + +- Use clear, concise language +- Include code examples where helpful +- Keep README.md and docs in sync with code changes + +## Project Structure + +``` +contextforge/ +├── api/v1alpha1/ # CRD type definitions +├── cmd/ +│ ├── proxy/ # Sidecar proxy binary +│ └── main.go # Operator binary +├── internal/ +│ ├── config/ # Configuration loading +│ ├── handler/ # HTTP proxy handler +│ ├── server/ # HTTP server +│ └── webhook/ # Admission webhook +├── deploy/ +│ └── helm/contextforge/ # Helm chart +├── website/ # Documentation site +├── tests/e2e/ # E2E tests +├── Dockerfile.proxy # Proxy image +└── Dockerfile.operator # Operator image +``` + +## Testing + +### Unit Tests + +```bash +make test +``` + +### E2E Tests + +E2E tests run against a real Kubernetes cluster (Kind): + +```bash +make test-e2e +``` + +### Writing Tests + +- Place unit tests next to the code they test (`*_test.go`) +- Place E2E tests in `tests/e2e/` +- Use table-driven tests where appropriate +- Mock external dependencies + +## Questions? + +- Open a [GitHub Discussion](https://github.com/bgruszka/contextforge/discussions) for questions +- Check existing [documentation](https://ctxforge.io/docs/) + +Thank you for contributing! diff --git a/Dockerfile.operator b/Dockerfile.operator new file mode 100644 index 0000000..6466c48 --- /dev/null +++ b/Dockerfile.operator @@ -0,0 +1,31 @@ +# Build the manager binary +FROM golang:1.24 AS builder +ARG TARGETOS +ARG TARGETARCH + +WORKDIR /workspace +# Copy the Go Modules manifests +COPY go.mod go.mod +COPY go.sum go.sum +# cache deps before building and copying source so that we don't need to re-download as much +# and so that source changes don't invalidate our downloaded layer +RUN go mod download + +# Copy the Go source (relies on .dockerignore to filter) +COPY . . + +# Build +# the GOARCH has no default value to allow the binary to be built according to the host where the command +# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO +# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, +# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. +RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go + +# Use distroless as minimal base image to package the manager binary +# Refer to https://github.com/GoogleContainerTools/distroless for more details +FROM gcr.io/distroless/static:nonroot +WORKDIR / +COPY --from=builder /workspace/manager . +USER 65532:65532 + +ENTRYPOINT ["/manager"] diff --git a/Dockerfile.proxy b/Dockerfile.proxy new file mode 100644 index 0000000..17b6b17 --- /dev/null +++ b/Dockerfile.proxy @@ -0,0 +1,52 @@ +# Build stage +FROM golang:1.24-alpine AS builder + +# Install git and ca-certificates (needed for HTTPS) +RUN apk add --no-cache git ca-certificates tzdata + +# Set working directory +WORKDIR /app + +# Copy go mod files first for better caching +COPY go.mod go.sum ./ +RUN go mod download + +# Copy source code +COPY . . + +# Build the binary +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ + -ldflags='-w -s -extldflags "-static"' \ + -o /contextforge-proxy \ + ./cmd/proxy + +# Final stage +FROM alpine:3.21 + +# Add non-root user +RUN adduser -D -u 65532 -g "" nonroot + +# Install ca-certificates for HTTPS support +RUN apk add --no-cache ca-certificates + +# Copy binary from builder +COPY --from=builder /contextforge-proxy /contextforge-proxy + +# Copy timezone data +COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo + +# Set ownership +RUN chown nonroot:nonroot /contextforge-proxy + +# Use non-root user +USER nonroot + +# Expose ports +EXPOSE 9090 9091 + +# Health check +HEALTHCHECK --interval=10s --timeout=3s --start-period=5s --retries=3 \ + CMD wget --no-verbose --tries=1 --spider http://localhost:9090/healthz || exit 1 + +# Run the binary +ENTRYPOINT ["/contextforge-proxy"] diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c51d9d1 --- /dev/null +++ b/LICENSE @@ -0,0 +1,190 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to the Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2024 ContextForge Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..79e3146 --- /dev/null +++ b/Makefile @@ -0,0 +1,303 @@ +# Image URL to use all building/pushing image targets +IMG ?= controller:latest + +# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) +ifeq (,$(shell go env GOBIN)) +GOBIN=$(shell go env GOPATH)/bin +else +GOBIN=$(shell go env GOBIN) +endif + +# CONTAINER_TOOL defines the container tool to be used for building images. +# Be aware that the target commands are only tested with Docker which is +# scaffolded by default. However, you might want to replace it to use other +# tools. (i.e. podman) +CONTAINER_TOOL ?= docker + +# Setting SHELL to bash allows bash commands to be executed by recipes. +# Options are set to exit when a recipe line exits non-zero or a piped command fails. +SHELL = /usr/bin/env bash -o pipefail +.SHELLFLAGS = -ec + +.PHONY: all +all: build + +##@ General + +# The help target prints out all targets with their descriptions organized +# beneath their categories. The categories are represented by '##@' and the +# target descriptions by '##'. The awk command is responsible for reading the +# entire set of makefiles included in this invocation, looking for lines of the +# file as xyz: ## something, and then pretty-format the target and help. Then, +# if there's a line with ##@ something, that gets pretty-printed as a category. +# More info on the usage of ANSI control characters for terminal formatting: +# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters +# More info on the awk command: +# http://linuxcommand.org/lc3_adv_awk.php + +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +##@ Development + +.PHONY: manifests +manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. + "$(CONTROLLER_GEN)" rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + +.PHONY: generate +generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. + "$(CONTROLLER_GEN)" object:headerFile="hack/boilerplate.go.txt" paths="./..." + +.PHONY: fmt +fmt: ## Run go fmt against code. + go fmt ./... + +.PHONY: vet +vet: ## Run go vet against code. + go vet ./... + +.PHONY: test +test: manifests generate fmt vet setup-envtest ## Run tests. + KUBEBUILDER_ASSETS="$(shell "$(ENVTEST)" use $(ENVTEST_K8S_VERSION) --bin-dir "$(LOCALBIN)" -p path)" go test $$(go list ./... | grep -v /e2e) -coverprofile cover.out + +# E2E test configuration +# The default setup assumes Kind is pre-installed and builds/loads the Manager Docker image locally. +KIND_CLUSTER ?= contextforge-test-e2e +E2E_IMG ?= contextforge-controller:e2e +E2E_PROXY_IMG ?= contextforge-proxy:e2e +CERT_MANAGER_VERSION ?= v1.16.2 + +.PHONY: setup-test-e2e +setup-test-e2e: ## Set up a Kind cluster for e2e tests if it does not exist + @command -v $(KIND) >/dev/null 2>&1 || { \ + echo "Kind is not installed. Please install Kind manually."; \ + exit 1; \ + } + @case "$$($(KIND) get clusters)" in \ + *"$(KIND_CLUSTER)"*) \ + echo "Kind cluster '$(KIND_CLUSTER)' already exists. Skipping creation." ;; \ + *) \ + echo "Creating Kind cluster '$(KIND_CLUSTER)'..."; \ + $(KIND) create cluster --name $(KIND_CLUSTER) ;; \ + esac + +.PHONY: install-cert-manager +install-cert-manager: ## Install cert-manager in the cluster + @echo "Installing cert-manager $(CERT_MANAGER_VERSION)..." + $(KUBECTL) apply -f https://github.com/cert-manager/cert-manager/releases/download/$(CERT_MANAGER_VERSION)/cert-manager.yaml + @echo "Waiting for cert-manager to be ready..." + $(KUBECTL) wait --for=condition=available --timeout=180s deployment/cert-manager -n cert-manager + $(KUBECTL) wait --for=condition=available --timeout=180s deployment/cert-manager-webhook -n cert-manager + $(KUBECTL) wait --for=condition=available --timeout=180s deployment/cert-manager-cainjector -n cert-manager + @sleep 10 + +.PHONY: deploy-test-e2e +deploy-test-e2e: setup-test-e2e manifests generate docker-build-e2e install-cert-manager ## Build images, load into Kind, and deploy operator for e2e tests + @echo "Loading images into Kind cluster..." + $(KIND) load docker-image $(E2E_IMG) --name $(KIND_CLUSTER) + $(KIND) load docker-image $(E2E_PROXY_IMG) --name $(KIND_CLUSTER) + @echo "Installing CRDs..." + $(MAKE) install + @echo "Deploying operator..." + cd config/manager && "$(KUSTOMIZE)" edit set image controller=$(E2E_IMG) + "$(KUSTOMIZE)" build config/default | "$(KUBECTL)" apply -f - + @echo "Configuring proxy image for e2e tests..." + $(KUBECTL) set env deployment/contextforge-controller-manager -n contextforge-system PROXY_IMAGE=$(E2E_PROXY_IMG) + @echo "Waiting for webhook to be ready..." + $(KUBECTL) rollout status deployment/contextforge-controller-manager -n contextforge-system --timeout=120s || true + @sleep 5 + +.PHONY: docker-build-e2e +docker-build-e2e: ## Build docker images for e2e tests + $(CONTAINER_TOOL) build -t $(E2E_IMG) -f Dockerfile.operator . + $(CONTAINER_TOOL) build -t $(E2E_PROXY_IMG) -f Dockerfile.proxy . + +.PHONY: test-e2e +test-e2e: deploy-test-e2e fmt vet ## Run the e2e tests. Creates Kind cluster, deploys operator, runs tests, then cleans up. + KIND=$(KIND) KIND_CLUSTER=$(KIND_CLUSTER) go test ./tests/e2e/... -v -ginkgo.v + $(MAKE) cleanup-test-e2e + +.PHONY: cleanup-test-e2e +cleanup-test-e2e: ## Tear down the Kind cluster used for e2e tests + @$(KIND) delete cluster --name $(KIND_CLUSTER) + +.PHONY: lint +lint: golangci-lint ## Run golangci-lint linter + "$(GOLANGCI_LINT)" run + +.PHONY: lint-fix +lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes + "$(GOLANGCI_LINT)" run --fix + +.PHONY: lint-config +lint-config: golangci-lint ## Verify golangci-lint linter configuration + "$(GOLANGCI_LINT)" config verify + +##@ Build + +.PHONY: build +build: manifests generate fmt vet ## Build manager binary. + go build -o bin/manager cmd/main.go + +.PHONY: build-proxy +build-proxy: fmt vet ## Build proxy binary. + go build -o bin/proxy cmd/proxy/main.go + +.PHONY: build-all +build-all: build build-proxy ## Build all binaries. + +.PHONY: run +run: manifests generate fmt vet ## Run a controller from your host. + go run ./cmd/main.go + +# If you wish to build the manager image targeting other platforms you can use the --platform flag. +# (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it. +# More info: https://docs.docker.com/develop/develop-images/build_enhancements/ +.PHONY: docker-build +docker-build: ## Build docker image with the manager. + $(CONTAINER_TOOL) build -t ${IMG} -f Dockerfile.operator . + +.PHONY: docker-push +docker-push: ## Push docker image with the manager. + $(CONTAINER_TOOL) push ${IMG} + +# Proxy Docker targets +PROXY_IMG ?= contextforge-proxy:latest + +.PHONY: docker-build-proxy +docker-build-proxy: ## Build docker image for the proxy. + $(CONTAINER_TOOL) build -t ${PROXY_IMG} -f Dockerfile.proxy . + +.PHONY: docker-push-proxy +docker-push-proxy: ## Push docker image for the proxy. + $(CONTAINER_TOOL) push ${PROXY_IMG} + +.PHONY: docker-build-all +docker-build-all: docker-build docker-build-proxy ## Build all docker images. + +# PLATFORMS defines the target platforms for the manager image be built to provide support to multiple +# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: +# - be able to use docker buildx. More info: https://docs.docker.com/build/buildx/ +# - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/ +# - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=> then the export will fail) +# To adequately provide solutions that are compatible with multiple platforms, you should consider using this option. +PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +.PHONY: docker-buildx +docker-buildx: ## Build and push docker image for the manager for cross-platform support + # copy existing Dockerfile.operator and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile + sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile.operator > Dockerfile.cross + - $(CONTAINER_TOOL) buildx create --name contextforge-builder + $(CONTAINER_TOOL) buildx use contextforge-builder + - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . + - $(CONTAINER_TOOL) buildx rm contextforge-builder + rm Dockerfile.cross + +.PHONY: build-installer +build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment. + mkdir -p dist + cd config/manager && "$(KUSTOMIZE)" edit set image controller=${IMG} + "$(KUSTOMIZE)" build config/default > dist/install.yaml + +##@ Deployment + +ifndef ignore-not-found + ignore-not-found = false +endif + +.PHONY: install +install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. + @out="$$( "$(KUSTOMIZE)" build config/crd 2>/dev/null || true )"; \ + if [ -n "$$out" ]; then echo "$$out" | "$(KUBECTL)" apply -f -; else echo "No CRDs to install; skipping."; fi + +.PHONY: uninstall +uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. + @out="$$( "$(KUSTOMIZE)" build config/crd 2>/dev/null || true )"; \ + if [ -n "$$out" ]; then echo "$$out" | "$(KUBECTL)" delete --ignore-not-found=$(ignore-not-found) -f -; else echo "No CRDs to delete; skipping."; fi + +.PHONY: deploy +deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. + cd config/manager && "$(KUSTOMIZE)" edit set image controller=${IMG} + "$(KUSTOMIZE)" build config/default | "$(KUBECTL)" apply -f - + +.PHONY: undeploy +undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. + "$(KUSTOMIZE)" build config/default | "$(KUBECTL)" delete --ignore-not-found=$(ignore-not-found) -f - + +##@ Dependencies + +## Location to install dependencies to +LOCALBIN ?= $(shell pwd)/bin +$(LOCALBIN): + mkdir -p "$(LOCALBIN)" + +## Tool Binaries +KUBECTL ?= kubectl +KIND ?= kind +KUSTOMIZE ?= $(LOCALBIN)/kustomize +CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen +ENVTEST ?= $(LOCALBIN)/setup-envtest +GOLANGCI_LINT = $(LOCALBIN)/golangci-lint + +## Tool Versions +KUSTOMIZE_VERSION ?= v5.7.1 +CONTROLLER_TOOLS_VERSION ?= v0.19.0 + +#ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20) +ENVTEST_VERSION ?= $(shell v='$(call gomodver,sigs.k8s.io/controller-runtime)'; \ + [ -n "$$v" ] || { echo "Set ENVTEST_VERSION manually (controller-runtime replace has no tag)" >&2; exit 1; }; \ + printf '%s\n' "$$v" | sed -E 's/^v?([0-9]+)\.([0-9]+).*/release-\1.\2/') + +#ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31) +ENVTEST_K8S_VERSION ?= $(shell v='$(call gomodver,k8s.io/api)'; \ + [ -n "$$v" ] || { echo "Set ENVTEST_K8S_VERSION manually (k8s.io/api replace has no tag)" >&2; exit 1; }; \ + printf '%s\n' "$$v" | sed -E 's/^v?[0-9]+\.([0-9]+).*/1.\1/') + +GOLANGCI_LINT_VERSION ?= v2.5.0 +.PHONY: kustomize +kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. +$(KUSTOMIZE): $(LOCALBIN) + $(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION)) + +.PHONY: controller-gen +controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. +$(CONTROLLER_GEN): $(LOCALBIN) + $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,$(CONTROLLER_TOOLS_VERSION)) + +.PHONY: setup-envtest +setup-envtest: envtest ## Download the binaries required for ENVTEST in the local bin directory. + @echo "Setting up envtest binaries for Kubernetes version $(ENVTEST_K8S_VERSION)..." + @"$(ENVTEST)" use $(ENVTEST_K8S_VERSION) --bin-dir "$(LOCALBIN)" -p path || { \ + echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \ + exit 1; \ + } + +.PHONY: envtest +envtest: $(ENVTEST) ## Download setup-envtest locally if necessary. +$(ENVTEST): $(LOCALBIN) + $(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest,$(ENVTEST_VERSION)) + +.PHONY: golangci-lint +golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary. +$(GOLANGCI_LINT): $(LOCALBIN) + $(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION)) + +# go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist +# $1 - target path with name of binary +# $2 - package url which can be installed +# $3 - specific version of package +define go-install-tool +@[ -f "$(1)-$(3)" ] && [ "$$(readlink -- "$(1)" 2>/dev/null)" = "$(1)-$(3)" ] || { \ +set -e; \ +package=$(2)@$(3) ;\ +echo "Downloading $${package}" ;\ +rm -f "$(1)" ;\ +GOBIN="$(LOCALBIN)" go install $${package} ;\ +mv "$(LOCALBIN)/$$(basename "$(1)")" "$(1)-$(3)" ;\ +} ;\ +ln -sf "$$(realpath "$(1)-$(3)")" "$(1)" +endef + +define gomodver +$(shell go list -m -f '{{if .Replace}}{{.Replace.Version}}{{else}}{{.Version}}{{end}}' $(1) 2>/dev/null) +endef diff --git a/PROJECT b/PROJECT new file mode 100644 index 0000000..60f79c2 --- /dev/null +++ b/PROJECT @@ -0,0 +1,30 @@ +# Code generated by tool. DO NOT EDIT. +# This file is used to track the info used to scaffold your project +# and allow the plugins properly work. +# More info: https://book.kubebuilder.io/reference/project-config.html +cliVersion: 4.10.1 +domain: ctxforge.io +layout: +- go.kubebuilder.io/v4 +projectName: contextforge +repo: github.com/bgruszka/contextforge +resources: +- api: + crdVersion: v1 + namespaced: true + controller: true + domain: ctxforge.io + group: ctxforge + kind: HeaderPropagationPolicy + path: github.com/bgruszka/contextforge/api/v1alpha1 + version: v1alpha1 +- core: true + group: core + kind: Pod + path: k8s.io/api/core/v1 + version: v1 + webhooks: + defaulting: true + validation: true + webhookVersion: v1 +version: "3" diff --git a/README.md b/README.md index 05072e2..babcc21 100644 --- a/README.md +++ b/README.md @@ -1 +1,382 @@ -# contextforge \ No newline at end of file +# ContextForge + +[![CI](https://github.com/bgruszka/contextforge/actions/workflows/ci.yaml/badge.svg)](https://github.com/bgruszka/contextforge/actions/workflows/ci.yaml) +[![Go Report Card](https://goreportcard.com/badge/github.com/bgruszka/contextforge)](https://goreportcard.com/report/github.com/bgruszka/contextforge) +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE) + +**Automatic HTTP Header Propagation for Kubernetes** — Zero code changes required. + +ContextForge is a Kubernetes operator that injects a lightweight sidecar proxy to automatically propagate HTTP headers like `x-request-id`, `x-tenant-id`, and `x-correlation-id` through your entire microservice chain. + +## The Problem + +Modern microservices rely on HTTP headers for request tracing, multi-tenancy, and debugging. But service meshes like Istio, Linkerd, and Consul **don't automatically propagate these headers** — your application must manually extract and forward them. + +This means: +- Code changes in every service across multiple languages +- Easy to forget — one missed header breaks the entire trace +- Maintenance burden across your entire fleet + +## The Solution + +ContextForge injects a sidecar proxy that automatically: + +1. **Captures** incoming request headers +2. **Stores** them in request context +3. **Injects** them into all outgoing HTTP requests + +All without touching your application code. + +## Quick Start + +### Install + +```bash +helm repo add contextforge https://ctxforge.io +helm install contextforge contextforge/contextforge \ + --namespace ctxforge-system \ + --create-namespace +``` + +### Enable on Your Pods + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-correlation-id" + spec: + containers: + - name: app + image: my-app:latest +``` + +That's it! Headers are now automatically propagated through your service chain. + +## Features + +- **Zero Code Changes** — Just add Kubernetes annotations +- **Lightweight** — ~10MB memory, <5ms latency overhead +- **Framework Agnostic** — Works with Go, Python, Node.js, Java, Ruby, and more +- **Kubernetes Native** — Uses standard admission webhooks and CRDs +- **Production Ready** — Health checks, graceful shutdown, non-root containers +- **Observable** — Prometheus metrics, structured logging, health endpoints +- **Configurable** — Rate limiting, timeouts, and resource controls +- **Header Generation** — Auto-generate missing headers (UUID, ULID, timestamp) +- **Smart Filtering** — Path regex and HTTP method-based header rules + +> **Note:** Header propagation works for **HTTP** traffic. HTTPS requests use CONNECT tunneling where the proxy establishes a TCP tunnel but cannot inspect encrypted headers. For internal service-to-service communication, HTTP is typically used (with mTLS handled by the service mesh if needed). + +## Observability + +### Prometheus Metrics + +The proxy exposes metrics at `/metrics` in Prometheus format: + +| Metric | Type | Description | +|--------|------|-------------| +| `ctxforge_proxy_requests_total` | Counter | Total requests processed (labels: `method`, `status`) | +| `ctxforge_proxy_request_duration_seconds` | Histogram | Request duration in seconds (labels: `method`) | +| `ctxforge_proxy_headers_propagated_total` | Counter | Total headers propagated | +| `ctxforge_proxy_active_connections` | Gauge | Current active connections | + +### Health Endpoints + +| Endpoint | Description | +|----------|-------------| +| `/healthz` | Liveness probe - returns 200 if proxy is running | +| `/ready` | Readiness probe - returns 200 if target is reachable | + +### Rate Limiting (Optional) + +Enable rate limiting to protect your services: + +```yaml +annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id" +env: + - name: RATE_LIMIT_ENABLED + value: "true" + - name: RATE_LIMIT_RPS + value: "1000" # Requests per second + - name: RATE_LIMIT_BURST + value: "100" # Burst size +``` + +See [docs/configuration.md](docs/configuration.md) for full configuration reference. + +## Architecture + +```mermaid +flowchart TB + subgraph pod["Your Kubernetes Pod"] + direction TB + + req["Incoming Request
x-request-id: abc123
x-tenant-id: acme"] + + subgraph proxy["ContextForge Proxy :9090"] + p1["1. Extract headers"] + p2["2. Store in context"] + p3["3. Forward request"] + p1 --> p2 --> p3 + end + + subgraph app["Your Application :8080"] + a1["Process request"] + a2["Make HTTP call to
another service"] + end + + out["Outgoing Request
Headers auto-injected!"] + + req --> proxy + proxy --> app + a1 --> a2 + app --> out + end + + style pod fill:#1e293b,stroke:#6366f1,stroke-width:2px + style proxy fill:#4c1d95,stroke:#a78bfa,stroke-width:2px + style app fill:#0e7490,stroke:#67e8f9,stroke-width:2px + style req fill:#1e3a5f,stroke:#60a5fa + style out fill:#14532d,stroke:#4ade80 +``` + +## Configuration + +### Pod Annotations + +| Annotation | Description | +|------------|-------------| +| `ctxforge.io/enabled` | Set to `"true"` to enable sidecar injection | +| `ctxforge.io/headers` | Comma-separated list of headers to propagate (simple mode) | +| `ctxforge.io/header-rules` | JSON array of advanced header rules (see below) | +| `ctxforge.io/target-port` | Application port (default: `8080`) | + +### HeaderPropagationPolicy CRD + +For advanced configuration including header generation and path/method filtering: + +```yaml +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: default-policy +spec: + podSelector: + matchLabels: + app: my-service + propagationRules: + # Auto-generate request ID if missing + - headers: + - name: x-request-id + generate: true + generatorType: uuid # Options: uuid, ulid, timestamp + - name: x-tenant-id + + # Only propagate for API paths (excludes /health, /metrics) + - headers: + - name: x-debug-id + pathRegex: "^/api/.*" + methods: + - POST + - PUT +``` + +## Use Cases + +- **Multi-Tenant SaaS** — Propagate tenant ID for data isolation +- **Request Tracing** — Track requests with correlation IDs +- **Developer Debugging** — Add dev ID to trace your requests in staging +- **Compliance & Audit** — Maintain audit trails across services + +## Comparison with Other Approaches + +### Why Not Use a Service Mesh? + +Service meshes like Istio, Linkerd, and Consul provide powerful networking features, but they **don't automatically propagate application-level headers**. Here's a comparison: + +| Feature | ContextForge | Istio/Linkerd/Consul | +|---------|--------------|----------------------| +| **Header Propagation** | Automatic, zero code changes | Manual - requires app code changes | +| **Resource Overhead** | ~10MB memory per pod | 50-100MB+ memory per pod | +| **Latency Impact** | <5ms | 1-10ms (varies) | +| **Complexity** | Single operator + CRD | Full mesh control plane | +| **Learning Curve** | Minimal | Significant | +| **mTLS** | Use with mesh | Built-in | +| **Traffic Management** | Not included | Advanced routing, retries, etc. | + +### When to Use ContextForge + +**Choose ContextForge when:** +- You need header propagation without code changes +- You want minimal resource overhead +- You don't need full service mesh features +- You're using a service mesh but need header propagation + +**Choose a Service Mesh when:** +- You need mTLS, traffic management, observability +- You're willing to invest in the operational complexity +- You can modify application code for header propagation + +### ContextForge + Service Mesh + +ContextForge works alongside service meshes. Use ContextForge for header propagation while the mesh handles mTLS, traffic management, and observability. + +```yaml +# Example: ContextForge with Istio +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-service + labels: + sidecar.istio.io/inject: "true" # Istio sidecar +spec: + template: + metadata: + annotations: + ctxforge.io/enabled: "true" # ContextForge sidecar + ctxforge.io/headers: "x-request-id,x-tenant-id" +``` + +### Alternative Approaches + +| Approach | Pros | Cons | +|----------|------|------| +| **ContextForge** | Zero code changes, lightweight | HTTP only, single-purpose | +| **OpenTelemetry SDK** | Rich instrumentation, standard | Requires code changes per language | +| **Custom Middleware** | Full control | Maintenance burden, per-language | +| **API Gateway** | Centralized | Only at edge, not service-to-service | + +## Documentation + +Full documentation available at **[ctxforge.io](https://ctxforge.io)** + +- [Getting Started](https://ctxforge.io/docs/getting-started/) +- [Installation Guide](https://ctxforge.io/docs/installation/) +- [Configuration Reference](https://ctxforge.io/docs/configuration/) +- [How It Works](https://ctxforge.io/docs/how-it-works/) +- [Examples](https://ctxforge.io/docs/examples/) + +## Development + +### Prerequisites + +- Go 1.24+ +- Docker +- kubectl +- kind (for local testing) +- Helm 3+ + +### Build + +```bash +# Build binaries +make build-all + +# Build Docker images +make docker-build-all + +# Run unit tests +make test + +# Run e2e tests (creates Kind cluster, deploys operator, runs tests) +make test-e2e +``` + +### Local Development + +```bash +# Create kind cluster +kind create cluster --name ctxforge-dev + +# Install CRDs +make install + +# Run operator locally +make run +``` + +### Release Flow + +Releases are automated via GitHub Actions. To create a new release: + +```bash +git tag v1.0.0 +git push origin v1.0.0 +``` + +This triggers the release workflow: + +```mermaid +flowchart LR + Tag["git tag v1.0.0"] --> Test["Run Tests"] + Test --> Build["Build & Push Images"] + Build --> Release["Create GitHub Release"] + Release --> PR["PR: Update Helm Chart"] + PR --> |"After merge"| Helm["Publish Helm Chart"] + PR --> |"After merge"| Website["Deploy Website"] + + Build --> |"ghcr.io"| Images["contextforge-operator:1.0.0
contextforge-proxy:1.0.0"] +``` + +**What happens:** +1. Tests run to validate the release +2. Multi-arch Docker images (amd64/arm64) pushed to `ghcr.io` +3. GitHub Release created with auto-generated changelog +4. PR created to bump Helm chart version +5. After PR merge: Helm chart published and website updated + +## Project Structure + +``` +contextforge/ +├── api/v1alpha1/ # CRD type definitions +├── cmd/ +│ ├── proxy/ # Sidecar proxy binary +│ └── main.go # Operator binary +├── internal/ +│ ├── config/ # Configuration loading +│ ├── controller/ # Kubernetes controller +│ ├── handler/ # HTTP proxy handler +│ ├── metrics/ # Prometheus metrics +│ ├── middleware/ # HTTP middleware (rate limiting) +│ ├── server/ # HTTP server +│ └── webhook/ # Admission webhook +├── deploy/ +│ └── helm/contextforge/ # Helm chart +├── docs/ # Documentation +├── website/ # Documentation site +├── tests/e2e/ # E2E tests +├── Dockerfile.proxy # Proxy image +└── Dockerfile.operator # Operator image +``` + +## Contributing + +Contributions are welcome! Please read our contributing guidelines and submit pull requests. + +1. Fork the repository +2. Create a feature branch (`git checkout -b feature/amazing-feature`) +3. Commit your changes (`git commit -m 'Add amazing feature'`) +4. Push to the branch (`git push origin feature/amazing-feature`) +5. Open a Pull Request + +## License + +Apache License 2.0 - see [LICENSE](LICENSE) for details. + +## Acknowledgments + +Built with: +- [kubebuilder](https://kubebuilder.io/) - Kubernetes operator framework +- [controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) - Controller libraries +- [zerolog](https://github.com/rs/zerolog) - Structured logging diff --git a/UPGRADING.md b/UPGRADING.md new file mode 100644 index 0000000..8cd78c6 --- /dev/null +++ b/UPGRADING.md @@ -0,0 +1,81 @@ +# Upgrading ContextForge + +This document provides guidance for upgrading between ContextForge versions. + +## General Upgrade Process + +1. **Review the changelog** for breaking changes between your current version and target version +2. **Backup your configuration** (HeaderPropagationPolicy resources, annotations) +3. **Update the Helm chart**: + ```bash + helm repo update + helm upgrade contextforge contextforge/contextforge \ + --namespace contextforge-system \ + --reuse-values + ``` +4. **Verify the upgrade**: + ```bash + kubectl get pods -n contextforge-system + kubectl logs -n contextforge-system deployment/contextforge-operator + ``` + +## Rollback Procedure + +If you encounter issues after upgrading: + +```bash +# List revision history +helm history contextforge -n contextforge-system + +# Rollback to previous version +helm rollback contextforge [REVISION] -n contextforge-system + +# Verify rollback +kubectl get pods -n contextforge-system +``` + +## Version-Specific Notes + +### v0.1.0 (Initial Release) + +This is the initial release. No upgrade notes. + +**Features:** +- Sidecar injection via mutating webhook +- Annotation-based header configuration +- HeaderPropagationPolicy CRD (status tracking only) + +### v0.2.0 (Upcoming) + +**Breaking Changes:** +- `HTTPS_PROXY` environment variable is no longer injected into application containers + - **Migration:** If your application relied on `HTTPS_PROXY`, set it manually in your pod spec + - **Reason:** The proxy only handles HTTP traffic; HTTPS uses CONNECT tunneling where headers cannot be propagated + +**New Features:** +- Configurable HTTP server timeouts via environment variables +- Rate limiting middleware (opt-in) +- Prometheus metrics endpoint + +**Configuration Changes:** +- New environment variables for proxy: + - `READ_TIMEOUT` (default: 15s) + - `WRITE_TIMEOUT` (default: 15s) + - `IDLE_TIMEOUT` (default: 60s) + - `READ_HEADER_TIMEOUT` (default: 5s) + - `TARGET_DIAL_TIMEOUT` (default: 2s) + +## Compatibility Matrix + +| ContextForge Version | Kubernetes Version | Helm Version | +|---------------------|-------------------|--------------| +| 0.1.x | 1.25+ | 3.10+ | +| 0.2.x | 1.25+ | 3.10+ | + +## Getting Help + +If you encounter issues during upgrade: + +1. Check the [GitHub Issues](https://github.com/bgruszka/contextforge/issues) +2. Review operator logs: `kubectl logs -n contextforge-system deployment/contextforge-operator` +3. Open a new issue with your upgrade scenario and error messages diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go new file mode 100644 index 0000000..796dfd6 --- /dev/null +++ b/api/v1alpha1/groupversion_info.go @@ -0,0 +1,36 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package v1alpha1 contains API Schema definitions for the ctxforge v1alpha1 API group. +// +kubebuilder:object:generate=true +// +groupName=ctxforge.ctxforge.io +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +var ( + // GroupVersion is group version used to register these objects. + GroupVersion = schema.GroupVersion{Group: "ctxforge.ctxforge.io", Version: "v1alpha1"} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme. + SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/api/v1alpha1/headerpropagationpolicy_types.go b/api/v1alpha1/headerpropagationpolicy_types.go new file mode 100644 index 0000000..25f02c0 --- /dev/null +++ b/api/v1alpha1/headerpropagationpolicy_types.go @@ -0,0 +1,112 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// HeaderConfig defines a single header to propagate +type HeaderConfig struct { + // Name is the HTTP header name to propagate + // +kubebuilder:validation:Pattern=`^[a-zA-Z0-9-]+$` + Name string `json:"name"` + + // Generate indicates whether to auto-generate this header if missing + // +optional + Generate bool `json:"generate,omitempty"` + + // GeneratorType specifies how to generate the header value (uuid, ulid, timestamp) + // +kubebuilder:validation:Enum=uuid;ulid;timestamp + // +optional + GeneratorType string `json:"generatorType,omitempty"` + + // Propagate indicates whether to propagate this header to outbound requests + // +kubebuilder:default=true + // +optional + Propagate *bool `json:"propagate,omitempty"` +} + +// PropagationRule defines a set of headers and conditions for propagation +type PropagationRule struct { + // Headers is the list of headers to propagate with this rule + // +kubebuilder:validation:MinItems=1 + Headers []HeaderConfig `json:"headers"` + + // PathRegex is an optional regex pattern to match request paths + // +optional + PathRegex string `json:"pathRegex,omitempty"` + + // Methods is an optional list of HTTP methods this rule applies to + // +optional + Methods []string `json:"methods,omitempty"` +} + +// HeaderPropagationPolicySpec defines the desired state of HeaderPropagationPolicy +type HeaderPropagationPolicySpec struct { + // PodSelector selects pods to apply this policy to + // +optional + PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"` + + // PropagationRules defines the header propagation rules + // +kubebuilder:validation:MinItems=1 + PropagationRules []PropagationRule `json:"propagationRules"` +} + +// HeaderPropagationPolicyStatus defines the observed state of HeaderPropagationPolicy +type HeaderPropagationPolicyStatus struct { + // Conditions represent the current state of the HeaderPropagationPolicy resource + // +listType=map + // +listMapKey=type + // +optional + Conditions []metav1.Condition `json:"conditions,omitempty"` + + // ObservedGeneration is the most recent generation observed + // +optional + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // AppliedToPods is the count of pods this policy is applied to + // +optional + AppliedToPods int32 `json:"appliedToPods,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Applied To",type="integer",JSONPath=".status.appliedToPods" + +// HeaderPropagationPolicy is the Schema for the headerpropagationpolicies API +type HeaderPropagationPolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec HeaderPropagationPolicySpec `json:"spec,omitempty"` + Status HeaderPropagationPolicyStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// HeaderPropagationPolicyList contains a list of HeaderPropagationPolicy +type HeaderPropagationPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []HeaderPropagationPolicy `json:"items"` +} + +func init() { + SchemeBuilder.Register(&HeaderPropagationPolicy{}, &HeaderPropagationPolicyList{}) +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 0000000..158c7aa --- /dev/null +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,181 @@ +//go:build !ignore_autogenerated + +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by controller-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HeaderConfig) DeepCopyInto(out *HeaderConfig) { + *out = *in + if in.Propagate != nil { + in, out := &in.Propagate, &out.Propagate + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderConfig. +func (in *HeaderConfig) DeepCopy() *HeaderConfig { + if in == nil { + return nil + } + out := new(HeaderConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HeaderPropagationPolicy) DeepCopyInto(out *HeaderPropagationPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderPropagationPolicy. +func (in *HeaderPropagationPolicy) DeepCopy() *HeaderPropagationPolicy { + if in == nil { + return nil + } + out := new(HeaderPropagationPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *HeaderPropagationPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HeaderPropagationPolicyList) DeepCopyInto(out *HeaderPropagationPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]HeaderPropagationPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderPropagationPolicyList. +func (in *HeaderPropagationPolicyList) DeepCopy() *HeaderPropagationPolicyList { + if in == nil { + return nil + } + out := new(HeaderPropagationPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *HeaderPropagationPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HeaderPropagationPolicySpec) DeepCopyInto(out *HeaderPropagationPolicySpec) { + *out = *in + if in.PodSelector != nil { + in, out := &in.PodSelector, &out.PodSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.PropagationRules != nil { + in, out := &in.PropagationRules, &out.PropagationRules + *out = make([]PropagationRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderPropagationPolicySpec. +func (in *HeaderPropagationPolicySpec) DeepCopy() *HeaderPropagationPolicySpec { + if in == nil { + return nil + } + out := new(HeaderPropagationPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HeaderPropagationPolicyStatus) DeepCopyInto(out *HeaderPropagationPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderPropagationPolicyStatus. +func (in *HeaderPropagationPolicyStatus) DeepCopy() *HeaderPropagationPolicyStatus { + if in == nil { + return nil + } + out := new(HeaderPropagationPolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PropagationRule) DeepCopyInto(out *PropagationRule) { + *out = *in + if in.Headers != nil { + in, out := &in.Headers, &out.Headers + *out = make([]HeaderConfig, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Methods != nil { + in, out := &in.Methods, &out.Methods + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PropagationRule. +func (in *PropagationRule) DeepCopy() *PropagationRule { + if in == nil { + return nil + } + out := new(PropagationRule) + in.DeepCopyInto(out) + return out +} diff --git a/cmd/main.go b/cmd/main.go new file mode 100644 index 0000000..264fa52 --- /dev/null +++ b/cmd/main.go @@ -0,0 +1,227 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Logging Architecture: +// The operator uses controller-runtime's zap-based logger because: +// - It integrates seamlessly with the Kubernetes controller-runtime framework +// - It follows Kubernetes community conventions and patterns (structured, leveled logging) +// - It provides context-aware logging that works naturally with reconcile loops +// - It supports development mode for human-readable output and production mode for JSON +// +// The proxy (cmd/proxy/main.go) uses zerolog because: +// - It provides zero-allocation, high-performance JSON logging ideal for the data path +// - It has minimal overhead which is critical for a sidecar that handles every HTTP request +// - It supports both console and JSON output formats +// +// This separation allows each component to use the best logging solution for its specific +// performance and integration requirements while maintaining consistent structured logging. + +package main + +import ( + "crypto/tls" + "flag" + "os" + + // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) + // to ensure that exec-entrypoint and run can make use of them. + _ "k8s.io/client-go/plugin/pkg/client/auth" + + "k8s.io/apimachinery/pkg/runtime" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + clientgoscheme "k8s.io/client-go/kubernetes/scheme" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/healthz" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + + ctxforgev1alpha1 "github.com/bgruszka/contextforge/api/v1alpha1" + "github.com/bgruszka/contextforge/internal/controller" + webhookv1 "github.com/bgruszka/contextforge/internal/webhook/v1" + // +kubebuilder:scaffold:imports +) + +var ( + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") +) + +func init() { + utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + + utilruntime.Must(ctxforgev1alpha1.AddToScheme(scheme)) + // +kubebuilder:scaffold:scheme +} + +// nolint:gocyclo +func main() { + var metricsAddr string + var metricsCertPath, metricsCertName, metricsCertKey string + var webhookCertPath, webhookCertName, webhookCertKey string + var enableLeaderElection bool + var probeAddr string + var secureMetrics bool + var enableHTTP2 bool + var tlsOpts []func(*tls.Config) + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.BoolVar(&enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.") + flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.") + flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.") + flag.StringVar(&metricsCertPath, "metrics-cert-path", "", + "The directory that contains the metrics server certificate.") + flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.") + flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") + opts := zap.Options{ + Development: true, + } + opts.BindFlags(flag.CommandLine) + flag.Parse() + + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + // Initial webhook TLS options + webhookTLSOpts := tlsOpts + webhookServerOptions := webhook.Options{ + TLSOpts: webhookTLSOpts, + } + + if len(webhookCertPath) > 0 { + setupLog.Info("Initializing webhook certificate watcher using provided certificates", + "webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey) + + webhookServerOptions.CertDir = webhookCertPath + webhookServerOptions.CertName = webhookCertName + webhookServerOptions.KeyName = webhookCertKey + } + + webhookServer := webhook.NewServer(webhookServerOptions) + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // More info: + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.22.4/pkg/metrics/server + // - https://book.kubebuilder.io/reference/metrics.html + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.22.4/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + } + + // If the certificate is not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + // + // TODO(user): If you enable certManager, uncomment the following lines: + // - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates + // managed by cert-manager for the metrics server. + // - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. + if len(metricsCertPath) > 0 { + setupLog.Info("Initializing metrics certificate watcher using provided certificates", + "metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) + + metricsServerOptions.CertDir = metricsCertPath + metricsServerOptions.CertName = metricsCertName + metricsServerOptions.KeyName = metricsCertKey + } + + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ + Scheme: scheme, + Metrics: metricsServerOptions, + WebhookServer: webhookServer, + HealthProbeBindAddress: probeAddr, + LeaderElection: enableLeaderElection, + LeaderElectionID: "3d82ab1c.ctxforge.io", + // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily + // when the Manager ends. This requires the binary to immediately end when the + // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly + // speeds up voluntary leader transitions as the new leader don't have to wait + // LeaseDuration time first. + // + // In the default scaffold provided, the program ends immediately after + // the manager stops, so would be fine to enable this option. However, + // if you are doing or is intended to do any operation such as perform cleanups + // after the manager stops then its usage might be unsafe. + // LeaderElectionReleaseOnCancel: true, + }) + if err != nil { + setupLog.Error(err, "unable to start manager") + os.Exit(1) + } + + if err := (&controller.HeaderPropagationPolicyReconciler{ + Client: mgr.GetClient(), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "HeaderPropagationPolicy") + os.Exit(1) + } + // nolint:goconst + if os.Getenv("ENABLE_WEBHOOKS") != "false" { + if err := webhookv1.SetupPodWebhookWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create webhook", "webhook", "Pod") + os.Exit(1) + } + } + // +kubebuilder:scaffold:builder + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up health check") + os.Exit(1) + } + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up ready check") + os.Exit(1) + } + + setupLog.Info("starting manager") + if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { + setupLog.Error(err, "problem running manager") + os.Exit(1) + } +} diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go new file mode 100644 index 0000000..6b3c56d --- /dev/null +++ b/cmd/proxy/main.go @@ -0,0 +1,91 @@ +// Package main provides the entry point for the ContextForge proxy sidecar. +// +// Logging Architecture: +// The proxy uses zerolog for structured logging because: +// - It provides high-performance, zero-allocation JSON logging ideal for the data path +// - It supports both human-readable (console) and machine-parseable (JSON) output +// - It has minimal overhead which is critical for a sidecar that handles every request +// +// The operator (cmd/main.go) uses controller-runtime's logf package because: +// - It integrates seamlessly with the Kubernetes controller-runtime framework +// - It follows Kubernetes community conventions and patterns +// - It provides context-aware logging that works with reconcile loops +package main + +import ( + "context" + "net/http" + "os" + "os/signal" + "syscall" + "time" + + "github.com/bgruszka/contextforge/internal/config" + "github.com/bgruszka/contextforge/internal/handler" + "github.com/bgruszka/contextforge/internal/server" + "github.com/rs/zerolog" + "github.com/rs/zerolog/log" +) + +func main() { + setupLogger() + + cfg, err := config.Load() + if err != nil { + log.Fatal().Err(err).Msg("Failed to load configuration") + } + + log.Info(). + Strs("headers", cfg.HeadersToPropagate). + Str("target", cfg.TargetHost). + Int("port", cfg.ProxyPort). + Msg("Starting ContextForge proxy") + + proxyHandler, err := handler.NewProxyHandler(cfg) + if err != nil { + log.Fatal().Err(err).Msg("Failed to create proxy handler") + } + srv := server.NewServer(cfg, proxyHandler) + + go func() { + if err := srv.Start(); err != nil && err != http.ErrServerClosed { + log.Fatal().Err(err).Msg("Server failed to start") + } + }() + + quit := make(chan os.Signal, 1) + signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM) + <-quit + + log.Info().Msg("Received shutdown signal") + + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + + if err := srv.Shutdown(ctx); err != nil { + log.Error().Err(err).Msg("Server forced to shutdown") + } + + log.Info().Msg("Server exited gracefully") +} + +// setupLogger configures zerolog based on LOG_LEVEL environment variable. +func setupLogger() { + logLevel := os.Getenv("LOG_LEVEL") + if logLevel == "" { + logLevel = "info" + } + + level, err := zerolog.ParseLevel(logLevel) + if err != nil { + level = zerolog.InfoLevel + } + + zerolog.SetGlobalLevel(level) + + if os.Getenv("LOG_FORMAT") == "json" { + log.Logger = zerolog.New(os.Stderr).With().Timestamp().Logger() + } else { + log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}) + } +} diff --git a/config/certmanager/certificate-metrics.yaml b/config/certmanager/certificate-metrics.yaml new file mode 100644 index 0000000..ef026f3 --- /dev/null +++ b/config/certmanager/certificate-metrics.yaml @@ -0,0 +1,20 @@ +# The following manifests contain a self-signed issuer CR and a metrics certificate CR. +# More document can be found at https://docs.cert-manager.io +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: metrics-certs # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + dnsNames: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + # replacements in the config/default/kustomization.yaml file. + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: metrics-server-cert diff --git a/config/certmanager/certificate-webhook.yaml b/config/certmanager/certificate-webhook.yaml new file mode 100644 index 0000000..3e386b4 --- /dev/null +++ b/config/certmanager/certificate-webhook.yaml @@ -0,0 +1,20 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + # replacements in the config/default/kustomization.yaml file. + dnsNames: + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: webhook-server-cert diff --git a/config/certmanager/issuer.yaml b/config/certmanager/issuer.yaml new file mode 100644 index 0000000..cfcb70d --- /dev/null +++ b/config/certmanager/issuer.yaml @@ -0,0 +1,13 @@ +# The following manifest contains a self-signed issuer CR. +# More information can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: selfsigned-issuer + namespace: system +spec: + selfSigned: {} diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml new file mode 100644 index 0000000..fcb7498 --- /dev/null +++ b/config/certmanager/kustomization.yaml @@ -0,0 +1,7 @@ +resources: +- issuer.yaml +- certificate-webhook.yaml +- certificate-metrics.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml new file mode 100644 index 0000000..cf6f89e --- /dev/null +++ b/config/certmanager/kustomizeconfig.yaml @@ -0,0 +1,8 @@ +# This configuration is for teaching kustomize how to update name ref substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name diff --git a/config/crd/bases/ctxforge.ctxforge.io_headerpropagationpolicies.yaml b/config/crd/bases/ctxforge.ctxforge.io_headerpropagationpolicies.yaml new file mode 100644 index 0000000..464b1d2 --- /dev/null +++ b/config/crd/bases/ctxforge.ctxforge.io_headerpropagationpolicies.yaml @@ -0,0 +1,232 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: headerpropagationpolicies.ctxforge.ctxforge.io +spec: + group: ctxforge.ctxforge.io + names: + kind: HeaderPropagationPolicy + listKind: HeaderPropagationPolicyList + plural: headerpropagationpolicies + singular: headerpropagationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.appliedToPods + name: Applied To + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: HeaderPropagationPolicy is the Schema for the headerpropagationpolicies + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HeaderPropagationPolicySpec defines the desired state of + HeaderPropagationPolicy + properties: + podSelector: + description: PodSelector selects pods to apply this policy to + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + propagationRules: + description: PropagationRules defines the header propagation rules + items: + description: PropagationRule defines a set of headers and conditions + for propagation + properties: + headers: + description: Headers is the list of headers to propagate with + this rule + items: + description: HeaderConfig defines a single header to propagate + properties: + generate: + description: Generate indicates whether to auto-generate + this header if missing + type: boolean + generatorType: + description: GeneratorType specifies how to generate the + header value (uuid, ulid, timestamp) + enum: + - uuid + - ulid + - timestamp + type: string + name: + description: Name is the HTTP header name to propagate + pattern: ^[a-zA-Z0-9-]+$ + type: string + propagate: + default: true + description: Propagate indicates whether to propagate + this header to outbound requests + type: boolean + required: + - name + type: object + minItems: 1 + type: array + methods: + description: Methods is an optional list of HTTP methods this + rule applies to + items: + type: string + type: array + pathRegex: + description: PathRegex is an optional regex pattern to match + request paths + type: string + required: + - headers + type: object + minItems: 1 + type: array + required: + - propagationRules + type: object + status: + description: HeaderPropagationPolicyStatus defines the observed state + of HeaderPropagationPolicy + properties: + appliedToPods: + description: AppliedToPods is the count of pods this policy is applied + to + format: int32 + type: integer + conditions: + description: Conditions represent the current state of the HeaderPropagationPolicy + resource + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: ObservedGeneration is the most recent generation observed + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml new file mode 100644 index 0000000..5d09127 --- /dev/null +++ b/config/crd/kustomization.yaml @@ -0,0 +1,16 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/ctxforge.ctxforge.io_headerpropagationpolicies.yaml +# +kubebuilder:scaffold:crdkustomizeresource + +patches: +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. +# patches here are for enabling the conversion webhook for each CRD +# +kubebuilder:scaffold:crdkustomizewebhookpatch + +# [WEBHOOK] To enable webhook, uncomment the following section +# the following config is for teaching kustomize how to do kustomization for CRDs. +#configurations: +#- kustomizeconfig.yaml diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml new file mode 100644 index 0000000..ec5c150 --- /dev/null +++ b/config/crd/kustomizeconfig.yaml @@ -0,0 +1,19 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + version: v1 + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: +- kind: CustomResourceDefinition + version: v1 + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations diff --git a/config/default/cert_metrics_manager_patch.yaml b/config/default/cert_metrics_manager_patch.yaml new file mode 100644 index 0000000..d975015 --- /dev/null +++ b/config/default/cert_metrics_manager_patch.yaml @@ -0,0 +1,30 @@ +# This patch adds the args, volumes, and ports to allow the manager to use the metrics-server certs. + +# Add the volumeMount for the metrics-server certs +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-metrics-server/metrics-certs + name: metrics-certs + readOnly: true + +# Add the --metrics-cert-path argument for the metrics server +- op: add + path: /spec/template/spec/containers/0/args/- + value: --metrics-cert-path=/tmp/k8s-metrics-server/metrics-certs + +# Add the metrics-server certs volume configuration +- op: add + path: /spec/template/spec/volumes/- + value: + name: metrics-certs + secret: + secretName: metrics-server-cert + optional: false + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml new file mode 100644 index 0000000..f92851e --- /dev/null +++ b/config/default/kustomization.yaml @@ -0,0 +1,234 @@ +# Adds namespace to all resources. +namespace: contextforge-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: contextforge- + +# Labels to add to all resources and selectors. +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue + +resources: +- ../crd +- ../rbac +- ../manager +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +- ../webhook +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. +- ../certmanager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy + +# Uncomment the patches line if you enable Metrics +patches: +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment + +# Uncomment the patches line if you enable Metrics and CertManager +# [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. +# This patch will protect the metrics with certManager self-signed certs. +#- path: cert_metrics_manager_patch.yaml +# target: +# kind: Deployment + +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +- path: manager_webhook_patch.yaml + target: + kind: Deployment + +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. +# Uncomment the following replacements to add the cert-manager CA injection annotations +replacements: +# - source: # Uncomment the following block to enable certificates for metrics +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.name +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-certs +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 0 +# create: true + +# - source: +# kind: Service +# version: v1 +# name: controller-manager-metrics-service +# fieldPath: metadata.namespace +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: metrics-certs +# fieldPaths: +# - spec.dnsNames.0 +# - spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true +# - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor +# kind: ServiceMonitor +# group: monitoring.coreos.com +# version: v1 +# name: controller-manager-metrics-monitor +# fieldPaths: +# - spec.endpoints.0.tlsConfig.serverName +# options: +# delimiter: '.' +# index: 1 +# create: true + + - source: # Uncomment the following block if you have any webhook + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # Name of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true + - source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # Namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true + + - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation) + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # This name should match the one in certificate.yaml + fieldPath: .metadata.namespace # Namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPath: .metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + + - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting ) + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPath: .metadata.namespace # Namespace of the certificate CR + targets: + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldPath: .metadata.name + targets: + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + +# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. +# +kubebuilder:scaffold:crdkustomizecainjectionns +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert +# fieldPath: .metadata.name +# targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. +# +kubebuilder:scaffold:crdkustomizecainjectionname diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml new file mode 100644 index 0000000..2aaef65 --- /dev/null +++ b/config/default/manager_metrics_patch.yaml @@ -0,0 +1,4 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml new file mode 100644 index 0000000..963c8a4 --- /dev/null +++ b/config/default/manager_webhook_patch.yaml @@ -0,0 +1,31 @@ +# This patch ensures the webhook certificates are properly mounted in the manager container. +# It configures the necessary arguments, volumes, volume mounts, and container ports. + +# Add the --webhook-cert-path argument for configuring the webhook certificate path +- op: add + path: /spec/template/spec/containers/0/args/- + value: --webhook-cert-path=/tmp/k8s-webhook-server/serving-certs + +# Add the volumeMount for the webhook certificates +- op: add + path: /spec/template/spec/containers/0/volumeMounts/- + value: + mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + +# Add the port configuration for the webhook server +- op: add + path: /spec/template/spec/containers/0/ports/- + value: + containerPort: 9443 + name: webhook-server + protocol: TCP + +# Add the volume configuration for the webhook certificates +- op: add + path: /spec/template/spec/volumes/- + value: + name: webhook-certs + secret: + secretName: webhook-server-cert diff --git a/config/default/metrics_service.yaml b/config/default/metrics_service.yaml new file mode 100644 index 0000000..4ba0fe3 --- /dev/null +++ b/config/default/metrics_service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + control-plane: controller-manager + app.kubernetes.io/name: contextforge diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml new file mode 100644 index 0000000..bd85186 --- /dev/null +++ b/config/manager/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: contextforge-controller + newTag: e2e diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml new file mode 100644 index 0000000..8bd1082 --- /dev/null +++ b/config/manager/manager.yaml @@ -0,0 +1,99 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize +spec: + selector: + matchLabels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + replicas: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux + securityContext: + # Projects are configured by default to adhere to the "restricted" Pod Security Standards. + # This ensures that deployments meet the highest security requirements for Kubernetes. + # For more details, see: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - command: + - /manager + args: + - --leader-elect + - --health-probe-bind-address=:8081 + image: controller:latest + name: manager + ports: [] + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + volumeMounts: [] + volumes: [] + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 0000000..6e5359f --- /dev/null +++ b/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,27 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gather data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/config/network-policy/allow-webhook-traffic.yaml b/config/network-policy/allow-webhook-traffic.yaml new file mode 100644 index 0000000..8e49ad1 --- /dev/null +++ b/config/network-policy/allow-webhook-traffic.yaml @@ -0,0 +1,27 @@ +# This NetworkPolicy allows ingress traffic to your webhook server running +# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks +# will only work when applied in namespaces labeled with 'webhook: enabled' +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: allow-webhook-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label webhook: enabled + - from: + - namespaceSelector: + matchLabels: + webhook: enabled # Only from namespaces with this label + ports: + - port: 443 + protocol: TCP diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml new file mode 100644 index 0000000..0872bee --- /dev/null +++ b/config/network-policy/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- allow-webhook-traffic.yaml +- allow-metrics-traffic.yaml diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml new file mode 100644 index 0000000..fdc5481 --- /dev/null +++ b/config/prometheus/kustomization.yaml @@ -0,0 +1,11 @@ +resources: +- monitor.yaml + +# [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus +# to securely reference certificates created and managed by cert-manager. +# Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml +# to mount the "metrics-server-cert" secret in the Manager Deployment. +#patches: +# - path: monitor_tls_patch.yaml +# target: +# kind: ServiceMonitor diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml new file mode 100644 index 0000000..61ef7f8 --- /dev/null +++ b/config/prometheus/monitor.yaml @@ -0,0 +1,27 @@ +# Prometheus Monitor Service (Metrics) +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - path: /metrics + port: https # Ensure this is the name of the port that exposes HTTPS metrics + scheme: https + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification, exposing the system to potential man-in-the-middle attacks. + # For production environments, it is recommended to use cert-manager for automatic TLS certificate management. + # To apply this configuration, enable cert-manager and use the patch located at config/prometheus/servicemonitor_tls_patch.yaml, + # which securely references the certificate from the 'metrics-server-cert' secret. + insecureSkipVerify: true + selector: + matchLabels: + control-plane: controller-manager + app.kubernetes.io/name: contextforge diff --git a/config/prometheus/monitor_tls_patch.yaml b/config/prometheus/monitor_tls_patch.yaml new file mode 100644 index 0000000..5bf84ce --- /dev/null +++ b/config/prometheus/monitor_tls_patch.yaml @@ -0,0 +1,19 @@ +# Patch for Prometheus ServiceMonitor to enable secure TLS configuration +# using certificates managed by cert-manager +- op: replace + path: /spec/endpoints/0/tlsConfig + value: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc + insecureSkipVerify: false + ca: + secret: + name: metrics-server-cert + key: ca.crt + cert: + secret: + name: metrics-server-cert + key: tls.crt + keySecret: + name: metrics-server-cert + key: tls.key diff --git a/config/rbac/headerpropagationpolicy_admin_role.yaml b/config/rbac/headerpropagationpolicy_admin_role.yaml new file mode 100644 index 0000000..2c0bec6 --- /dev/null +++ b/config/rbac/headerpropagationpolicy_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project contextforge itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over ctxforge.ctxforge.io. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: headerpropagationpolicy-admin-role +rules: +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies + verbs: + - '*' +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies/status + verbs: + - get diff --git a/config/rbac/headerpropagationpolicy_editor_role.yaml b/config/rbac/headerpropagationpolicy_editor_role.yaml new file mode 100644 index 0000000..69a3a74 --- /dev/null +++ b/config/rbac/headerpropagationpolicy_editor_role.yaml @@ -0,0 +1,33 @@ +# This rule is not used by the project contextforge itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the ctxforge.ctxforge.io. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: headerpropagationpolicy-editor-role +rules: +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies/status + verbs: + - get diff --git a/config/rbac/headerpropagationpolicy_viewer_role.yaml b/config/rbac/headerpropagationpolicy_viewer_role.yaml new file mode 100644 index 0000000..1e11497 --- /dev/null +++ b/config/rbac/headerpropagationpolicy_viewer_role.yaml @@ -0,0 +1,29 @@ +# This rule is not used by the project contextforge itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to ctxforge.ctxforge.io resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: headerpropagationpolicy-viewer-role +rules: +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies + verbs: + - get + - list + - watch +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies/status + verbs: + - get diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml new file mode 100644 index 0000000..e6f9234 --- /dev/null +++ b/config/rbac/kustomization.yaml @@ -0,0 +1,28 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +- metrics_auth_role.yaml +- metrics_auth_role_binding.yaml +- metrics_reader_role.yaml +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the contextforge itself. You can comment the following lines +# if you do not want those helpers be installed with your Project. +- headerpropagationpolicy_admin_role.yaml +- headerpropagationpolicy_editor_role.yaml +- headerpropagationpolicy_viewer_role.yaml + diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml new file mode 100644 index 0000000..1914afd --- /dev/null +++ b/config/rbac/leader_election_role.yaml @@ -0,0 +1,40 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000..c6f9ac8 --- /dev/null +++ b/config/rbac/leader_election_role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/metrics_auth_role.yaml b/config/rbac/metrics_auth_role.yaml new file mode 100644 index 0000000..32d2e4e --- /dev/null +++ b/config/rbac/metrics_auth_role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/config/rbac/metrics_auth_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml new file mode 100644 index 0000000..e775d67 --- /dev/null +++ b/config/rbac/metrics_auth_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-auth-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/metrics_reader_role.yaml b/config/rbac/metrics_reader_role.yaml new file mode 100644 index 0000000..51a75db --- /dev/null +++ b/config/rbac/metrics_reader_role.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml new file mode 100644 index 0000000..d796851 --- /dev/null +++ b/config/rbac/role.yaml @@ -0,0 +1,40 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies/finalizers + verbs: + - update +- apiGroups: + - ctxforge.ctxforge.io + resources: + - headerpropagationpolicies/status + verbs: + - get + - patch + - update diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml new file mode 100644 index 0000000..08105c1 --- /dev/null +++ b/config/rbac/role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml new file mode 100644 index 0000000..f520f40 --- /dev/null +++ b/config/rbac/service_account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: controller-manager + namespace: system diff --git a/config/samples/ctxforge_v1alpha1_headerpropagationpolicy.yaml b/config/samples/ctxforge_v1alpha1_headerpropagationpolicy.yaml new file mode 100644 index 0000000..adaa469 --- /dev/null +++ b/config/samples/ctxforge_v1alpha1_headerpropagationpolicy.yaml @@ -0,0 +1,73 @@ +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: default-tracing-policy +spec: + # Select pods with specific labels + podSelector: + matchLabels: + app.kubernetes.io/part-of: my-application + + # Define header propagation rules + propagationRules: + # Basic tracing headers - propagate if present + - headers: + - name: x-request-id + - name: x-correlation-id + - name: x-trace-id + - name: x-span-id + + # Auto-generate request ID if missing + - headers: + - name: x-request-id + generate: true + generatorType: uuid + +--- +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: multi-tenant-policy +spec: + podSelector: + matchLabels: + tier: backend + + propagationRules: + # Tenant isolation headers + - headers: + - name: x-tenant-id + - name: x-organization-id + + # Audit trail headers + - headers: + - name: x-user-id + - name: x-session-id + +--- +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: api-only-policy +spec: + podSelector: + matchLabels: + app: api-gateway + + propagationRules: + # Only propagate on API paths, not health checks + - headers: + - name: x-request-id + generate: true + generatorType: uuid + - name: x-correlation-id + pathRegex: "^/api/.*" + methods: + - GET + - POST + - PUT + - DELETE + - PATCH diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml new file mode 100644 index 0000000..8fcc492 --- /dev/null +++ b/config/samples/kustomization.yaml @@ -0,0 +1,4 @@ +## Append samples of your project ## +resources: +- ctxforge_v1alpha1_headerpropagationpolicy.yaml +# +kubebuilder:scaffold:manifestskustomizesamples diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml new file mode 100644 index 0000000..9cf2613 --- /dev/null +++ b/config/webhook/kustomization.yaml @@ -0,0 +1,6 @@ +resources: +- manifests.yaml +- service.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml new file mode 100644 index 0000000..206316e --- /dev/null +++ b/config/webhook/kustomizeconfig.yaml @@ -0,0 +1,22 @@ +# the following config is for teaching kustomize where to look at when substituting nameReference. +# It requires kustomize v2.1.0 or newer to work properly. +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + +namespace: +- kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true +- kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml new file mode 100644 index 0000000..bf4efa5 --- /dev/null +++ b/config/webhook/manifests.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate--v1-pod + failurePolicy: Fail + name: mpod-v1.kb.io + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate--v1-pod + failurePolicy: Fail + name: vpod-v1.kb.io + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + sideEffects: None diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml new file mode 100644 index 0000000..21b906c --- /dev/null +++ b/config/webhook/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: contextforge + app.kubernetes.io/managed-by: kustomize + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager + app.kubernetes.io/name: contextforge diff --git a/deploy/helm/contextforge/Chart.yaml b/deploy/helm/contextforge/Chart.yaml new file mode 100644 index 0000000..695365a --- /dev/null +++ b/deploy/helm/contextforge/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +name: contextforge +description: A Kubernetes operator for automatic HTTP header propagation via sidecar injection +type: application +version: 0.1.0 +appVersion: "0.1.0" +keywords: + - kubernetes + - operator + - sidecar + - header-propagation + - tracing +home: https://github.com/bgruszka/contextforge +sources: + - https://github.com/bgruszka/contextforge +maintainers: + - name: Blazej Gruszka + email: blazej@gruszka.info diff --git a/deploy/helm/contextforge/crds/ctxforge.ctxforge.io_headerpropagationpolicies.yaml b/deploy/helm/contextforge/crds/ctxforge.ctxforge.io_headerpropagationpolicies.yaml new file mode 100644 index 0000000..464b1d2 --- /dev/null +++ b/deploy/helm/contextforge/crds/ctxforge.ctxforge.io_headerpropagationpolicies.yaml @@ -0,0 +1,232 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: headerpropagationpolicies.ctxforge.ctxforge.io +spec: + group: ctxforge.ctxforge.io + names: + kind: HeaderPropagationPolicy + listKind: HeaderPropagationPolicyList + plural: headerpropagationpolicies + singular: headerpropagationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.appliedToPods + name: Applied To + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: HeaderPropagationPolicy is the Schema for the headerpropagationpolicies + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: HeaderPropagationPolicySpec defines the desired state of + HeaderPropagationPolicy + properties: + podSelector: + description: PodSelector selects pods to apply this policy to + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + propagationRules: + description: PropagationRules defines the header propagation rules + items: + description: PropagationRule defines a set of headers and conditions + for propagation + properties: + headers: + description: Headers is the list of headers to propagate with + this rule + items: + description: HeaderConfig defines a single header to propagate + properties: + generate: + description: Generate indicates whether to auto-generate + this header if missing + type: boolean + generatorType: + description: GeneratorType specifies how to generate the + header value (uuid, ulid, timestamp) + enum: + - uuid + - ulid + - timestamp + type: string + name: + description: Name is the HTTP header name to propagate + pattern: ^[a-zA-Z0-9-]+$ + type: string + propagate: + default: true + description: Propagate indicates whether to propagate + this header to outbound requests + type: boolean + required: + - name + type: object + minItems: 1 + type: array + methods: + description: Methods is an optional list of HTTP methods this + rule applies to + items: + type: string + type: array + pathRegex: + description: PathRegex is an optional regex pattern to match + request paths + type: string + required: + - headers + type: object + minItems: 1 + type: array + required: + - propagationRules + type: object + status: + description: HeaderPropagationPolicyStatus defines the observed state + of HeaderPropagationPolicy + properties: + appliedToPods: + description: AppliedToPods is the count of pods this policy is applied + to + format: int32 + type: integer + conditions: + description: Conditions represent the current state of the HeaderPropagationPolicy + resource + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: ObservedGeneration is the most recent generation observed + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/helm/contextforge/templates/_helpers.tpl b/deploy/helm/contextforge/templates/_helpers.tpl new file mode 100644 index 0000000..f995632 --- /dev/null +++ b/deploy/helm/contextforge/templates/_helpers.tpl @@ -0,0 +1,67 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "contextforge.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "contextforge.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "contextforge.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "contextforge.labels" -}} +helm.sh/chart: {{ include "contextforge.chart" . }} +{{ include "contextforge.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "contextforge.selectorLabels" -}} +app.kubernetes.io/name: {{ include "contextforge.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "contextforge.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "contextforge.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Namespace to use +*/}} +{{- define "contextforge.namespace" -}} +{{- .Values.namespace.name | default "contextforge-system" }} +{{- end }} diff --git a/deploy/helm/contextforge/templates/certificate.yaml b/deploy/helm/contextforge/templates/certificate.yaml new file mode 100644 index 0000000..dcc61a7 --- /dev/null +++ b/deploy/helm/contextforge/templates/certificate.yaml @@ -0,0 +1,34 @@ +{{- if .Values.webhook.certManager.enabled }} +{{- if .Values.webhook.certManager.createSelfSignedIssuer }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "contextforge.fullname" . }}-selfsigned-issuer + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} +spec: + selfSigned: {} +{{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "contextforge.fullname" . }}-serving-cert + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} +spec: + dnsNames: + - {{ include "contextforge.fullname" . }}-webhook.{{ include "contextforge.namespace" . }}.svc + - {{ include "contextforge.fullname" . }}-webhook.{{ include "contextforge.namespace" . }}.svc.cluster.local + issuerRef: + kind: {{ .Values.webhook.certManager.issuerRef.kind }} + {{- if .Values.webhook.certManager.createSelfSignedIssuer }} + name: {{ include "contextforge.fullname" . }}-selfsigned-issuer + {{- else }} + name: {{ .Values.webhook.certManager.issuerRef.name }} + {{- end }} + secretName: {{ include "contextforge.fullname" . }}-webhook-certs +{{- end }} diff --git a/deploy/helm/contextforge/templates/deployment.yaml b/deploy/helm/contextforge/templates/deployment.yaml new file mode 100644 index 0000000..e418de4 --- /dev/null +++ b/deploy/helm/contextforge/templates/deployment.yaml @@ -0,0 +1,94 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "contextforge.fullname" . }}-operator + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} + app.kubernetes.io/component: operator +spec: + replicas: {{ .Values.operator.replicaCount }} + selector: + matchLabels: + {{- include "contextforge.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: operator + template: + metadata: + labels: + {{- include "contextforge.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: operator + spec: + {{- with .Values.operator.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "contextforge.serviceAccountName" . }} + securityContext: + runAsNonRoot: true + containers: + - name: manager + image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}" + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + command: + - /manager + args: + {{- if .Values.operator.leaderElection.enabled }} + - --leader-elect + {{- end }} + - --health-probe-bind-address=:{{ .Values.operator.healthProbe.port }} + - --metrics-bind-address=:{{ .Values.operator.metrics.port }} + env: + - name: PROXY_IMAGE + value: "{{ .Values.proxy.image.repository }}:{{ .Values.proxy.image.tag }}" + ports: + - name: webhook + containerPort: {{ .Values.webhook.port }} + protocol: TCP + - name: metrics + containerPort: {{ .Values.operator.metrics.port }} + protocol: TCP + - name: health + containerPort: {{ .Values.operator.healthProbe.port }} + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: health + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.operator.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - name: webhook-certs + mountPath: /tmp/k8s-webhook-server/serving-certs + readOnly: true + volumes: + - name: webhook-certs + secret: + secretName: {{ include "contextforge.fullname" . }}-webhook-certs + terminationGracePeriodSeconds: 10 + {{- with .Values.operator.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-api-filtering.yaml b/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-api-filtering.yaml new file mode 100644 index 0000000..ff44faa --- /dev/null +++ b/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-api-filtering.yaml @@ -0,0 +1,43 @@ +{{- if .Values.examples.enabled }} +# Example: API-only header propagation with path and method filtering +# This policy only propagates headers for API endpoints, not health checks +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: {{ include "contextforge.fullname" . }}-api-filtering-example + namespace: {{ .Release.Namespace }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} + app.kubernetes.io/component: example +spec: + podSelector: + matchLabels: + ctxforge.io/api-filtering: "enabled" + + propagationRules: + # Only propagate for API paths (excludes /health, /ready, /metrics) + - headers: + - name: x-request-id + generate: true + generatorType: uuid + - name: x-correlation-id + pathRegex: "^/api/.*" + methods: + - GET + - POST + - PUT + - DELETE + - PATCH + + # Timestamp header for all write operations + - headers: + - name: x-request-timestamp + generate: true + generatorType: timestamp + pathRegex: "^/api/.*" + methods: + - POST + - PUT + - DELETE + - PATCH +{{- end }} diff --git a/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-multitenant.yaml b/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-multitenant.yaml new file mode 100644 index 0000000..f766f11 --- /dev/null +++ b/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-multitenant.yaml @@ -0,0 +1,29 @@ +{{- if .Values.examples.enabled }} +# Example: Multi-tenant SaaS header propagation +# This policy propagates tenant isolation and audit trail headers +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: {{ include "contextforge.fullname" . }}-multitenant-example + namespace: {{ .Release.Namespace }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} + app.kubernetes.io/component: example +spec: + podSelector: + matchLabels: + ctxforge.io/multitenant: "enabled" + + propagationRules: + # Tenant isolation headers - critical for data segregation + - headers: + - name: x-tenant-id + - name: x-organization-id + - name: x-workspace-id + + # Audit trail headers - for compliance and debugging + - headers: + - name: x-user-id + - name: x-session-id + - name: x-auth-token-id +{{- end }} diff --git a/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-tracing.yaml b/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-tracing.yaml new file mode 100644 index 0000000..3cd3c05 --- /dev/null +++ b/deploy/helm/contextforge/templates/examples/headerpropagationpolicy-tracing.yaml @@ -0,0 +1,30 @@ +{{- if .Values.examples.enabled }} +# Example: Basic tracing header propagation +# This policy propagates common tracing headers and auto-generates x-request-id if missing +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: {{ include "contextforge.fullname" . }}-tracing-example + namespace: {{ .Release.Namespace }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} + app.kubernetes.io/component: example +spec: + podSelector: + matchLabels: + ctxforge.io/tracing: "enabled" + + propagationRules: + # Propagate standard tracing headers + - headers: + - name: x-request-id + generate: true + generatorType: uuid + - name: x-correlation-id + - name: x-trace-id + - name: x-span-id + - name: x-b3-traceid + - name: x-b3-spanid + - name: x-b3-parentspanid + - name: x-b3-sampled +{{- end }} diff --git a/deploy/helm/contextforge/templates/namespace.yaml b/deploy/helm/contextforge/templates/namespace.yaml new file mode 100644 index 0000000..9a238d6 --- /dev/null +++ b/deploy/helm/contextforge/templates/namespace.yaml @@ -0,0 +1,9 @@ +{{- if .Values.namespace.create }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} + ctxforge.io/injection: disabled +{{- end }} diff --git a/deploy/helm/contextforge/templates/pdb.yaml b/deploy/helm/contextforge/templates/pdb.yaml new file mode 100644 index 0000000..5681b3f --- /dev/null +++ b/deploy/helm/contextforge/templates/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.operator.pdb.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "contextforge.fullname" . }}-operator + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} +spec: + minAvailable: {{ .Values.operator.pdb.minAvailable }} + selector: + matchLabels: + {{- include "contextforge.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/deploy/helm/contextforge/templates/rbac.yaml b/deploy/helm/contextforge/templates/rbac.yaml new file mode 100644 index 0000000..f804435 --- /dev/null +++ b/deploy/helm/contextforge/templates/rbac.yaml @@ -0,0 +1,81 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "contextforge.fullname" . }}-manager-role + labels: + {{- include "contextforge.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets", "daemonsets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["ctxforge.ctxforge.io"] + resources: ["headerpropagationpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["ctxforge.ctxforge.io"] + resources: ["headerpropagationpolicies/status"] + verbs: ["get", "update", "patch"] + - apiGroups: ["ctxforge.ctxforge.io"] + resources: ["headerpropagationpolicies/finalizers"] + verbs: ["update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "contextforge.fullname" . }}-manager-rolebinding + labels: + {{- include "contextforge.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "contextforge.fullname" . }}-manager-role +subjects: + - kind: ServiceAccount + name: {{ include "contextforge.serviceAccountName" . }} + namespace: {{ include "contextforge.namespace" . }} +--- +{{- if .Values.operator.leaderElection.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "contextforge.fullname" . }}-leader-election-role + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "contextforge.fullname" . }}-leader-election-rolebinding + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "contextforge.fullname" . }}-leader-election-role +subjects: + - kind: ServiceAccount + name: {{ include "contextforge.serviceAccountName" . }} + namespace: {{ include "contextforge.namespace" . }} +{{- end }} +{{- end }} diff --git a/deploy/helm/contextforge/templates/service.yaml b/deploy/helm/contextforge/templates/service.yaml new file mode 100644 index 0000000..7902e0f --- /dev/null +++ b/deploy/helm/contextforge/templates/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "contextforge.fullname" . }}-webhook + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} +spec: + ports: + - port: 443 + targetPort: webhook + protocol: TCP + name: webhook + selector: + {{- include "contextforge.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: operator diff --git a/deploy/helm/contextforge/templates/serviceaccount.yaml b/deploy/helm/contextforge/templates/serviceaccount.yaml new file mode 100644 index 0000000..03289ac --- /dev/null +++ b/deploy/helm/contextforge/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "contextforge.serviceAccountName" . }} + namespace: {{ include "contextforge.namespace" . }} + labels: + {{- include "contextforge.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deploy/helm/contextforge/templates/webhook.yaml b/deploy/helm/contextforge/templates/webhook.yaml new file mode 100644 index 0000000..85000ca --- /dev/null +++ b/deploy/helm/contextforge/templates/webhook.yaml @@ -0,0 +1,66 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "contextforge.fullname" . }}-mutating-webhook + labels: + {{- include "contextforge.labels" . | nindent 4 }} + {{- if .Values.webhook.certManager.enabled }} + annotations: + cert-manager.io/inject-ca-from: {{ include "contextforge.namespace" . }}/{{ include "contextforge.fullname" . }}-serving-cert + {{- end }} +webhooks: + - name: mpod.ctxforge.io + clientConfig: + service: + name: {{ include "contextforge.fullname" . }}-webhook + namespace: {{ include "contextforge.namespace" . }} + path: /mutate--v1-pod + # caBundle will be populated by the operator at runtime + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + namespaceSelector: + matchExpressions: + - key: ctxforge.io/injection + operator: NotIn + values: ["disabled"] + admissionReviewVersions: ["v1"] + sideEffects: None + timeoutSeconds: 10 + failurePolicy: {{ .Values.webhook.failurePolicy }} + reinvocationPolicy: Never +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "contextforge.fullname" . }}-validating-webhook + labels: + {{- include "contextforge.labels" . | nindent 4 }} + {{- if .Values.webhook.certManager.enabled }} + annotations: + cert-manager.io/inject-ca-from: {{ include "contextforge.namespace" . }}/{{ include "contextforge.fullname" . }}-serving-cert + {{- end }} +webhooks: + - name: vpod.ctxforge.io + clientConfig: + service: + name: {{ include "contextforge.fullname" . }}-webhook + namespace: {{ include "contextforge.namespace" . }} + path: /validate--v1-pod + # caBundle will be populated by the operator at runtime + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + namespaceSelector: + matchExpressions: + - key: ctxforge.io/injection + operator: NotIn + values: ["disabled"] + admissionReviewVersions: ["v1"] + sideEffects: None + timeoutSeconds: 10 + failurePolicy: {{ .Values.webhook.failurePolicy }} diff --git a/deploy/helm/contextforge/values.yaml b/deploy/helm/contextforge/values.yaml new file mode 100644 index 0000000..1f12e9e --- /dev/null +++ b/deploy/helm/contextforge/values.yaml @@ -0,0 +1,125 @@ +# Default values for contextforge + +# Operator configuration +operator: + # Number of replicas + replicaCount: 1 + + image: + repository: ghcr.io/bgruszka/contextforge-operator + tag: "0.1.0" + pullPolicy: IfNotPresent + + imagePullSecrets: [] + + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 256Mi + + nodeSelector: {} + tolerations: [] + affinity: {} + + # PodDisruptionBudget configuration + pdb: + enabled: true + minAvailable: 1 + + # Leader election settings + leaderElection: + enabled: true + + # Metrics configuration + metrics: + enabled: true + port: 8080 + + # Health probe configuration + healthProbe: + port: 8081 + +# Proxy sidecar configuration +proxy: + image: + repository: ghcr.io/bgruszka/contextforge-proxy + tag: "0.1.0" + pullPolicy: IfNotPresent + + # Resource limits sized for typical API proxy workloads (~100-500 RPS per pod). + # For high-traffic deployments (>1000 RPS), increase these values. + # Memory: 64Mi handles Go runtime + connection pools; 256Mi limit for traffic spikes. + # CPU: 50m baseline; 500m limit allows burst during high concurrency. + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 500m + memory: 256Mi + + # Default port the proxy listens on + port: 9090 + + # Default target port (application port) + defaultTargetPort: 8080 + + # Default log level + logLevel: info + +# Webhook configuration +webhook: + # Port for webhook server + port: 9443 + + # Failure policy: Fail or Ignore + # WARNING: "Fail" means ALL pod creations will fail if the webhook is unavailable + # (during operator restarts, certificate issues, or network problems). + # Recommended: Use "Ignore" initially, switch to "Fail" only after thorough testing. + # With "Ignore", pods without sidecar injection will still be created if webhook fails. + failurePolicy: Ignore + + # Certificate configuration + certManager: + # Set to true if cert-manager is installed + enabled: false + # Create a self-signed issuer (recommended for testing) + createSelfSignedIssuer: true + # Issuer reference for cert-manager (used if createSelfSignedIssuer is false) + issuerRef: + kind: Issuer + name: my-issuer + + # Self-signed certificate settings (used if certManager.enabled is false) + selfSigned: + # Certificate validity in days + validityDays: 365 + +# Namespace configuration +namespace: + # Create the namespace + create: true + # Name of the namespace + name: contextforge-system + +# Service account configuration +serviceAccount: + create: true + name: contextforge-operator + annotations: {} + +# RBAC configuration +rbac: + create: true + +# CRD installation +crds: + install: true + +# Example HeaderPropagationPolicy resources +# Enable to deploy example policies that demonstrate common use cases +examples: + enabled: false diff --git a/docs/certificate-rotation.md b/docs/certificate-rotation.md new file mode 100644 index 0000000..0006169 --- /dev/null +++ b/docs/certificate-rotation.md @@ -0,0 +1,219 @@ +# Certificate Rotation Guide + +ContextForge uses TLS certificates for the webhook server to secure communication between the Kubernetes API server and the operator. This guide covers certificate management and rotation strategies. + +## Certificate Options + +ContextForge supports two certificate management approaches: + +1. **cert-manager** (Recommended for production) +2. **Self-signed certificates** (Default, for development/testing) + +## Using cert-manager (Recommended) + +[cert-manager](https://cert-manager.io/) automatically handles certificate issuance, renewal, and rotation. + +### Prerequisites + +Install cert-manager: + +```bash +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml +``` + +### Enable cert-manager in Helm + +```yaml +# values.yaml +webhook: + certManager: + enabled: true + createSelfSignedIssuer: true # Creates a self-signed issuer +``` + +Or use an existing issuer: + +```yaml +webhook: + certManager: + enabled: true + createSelfSignedIssuer: false + issuerRef: + kind: ClusterIssuer + name: letsencrypt-prod +``` + +### How It Works + +1. cert-manager creates a `Certificate` resource +2. The certificate is automatically renewed before expiry (default: 30 days before) +3. The operator's certificate watcher detects file changes and reloads the TLS config +4. No manual intervention required + +### Certificate Watcher + +The operator includes a built-in certificate watcher that monitors for file changes: + +```go +// From cmd/main.go +certWatcher, err := certwatcher.New( + filepath.Join(certDir, "tls.crt"), + filepath.Join(certDir, "tls.key"), +) +``` + +When cert-manager updates the certificate Secret, the operator automatically reloads without restart. + +## Self-Signed Certificates (Default) + +For development or testing, ContextForge can use self-signed certificates. + +### Configuration + +```yaml +# values.yaml +webhook: + certManager: + enabled: false + selfSigned: + validityDays: 365 +``` + +### Manual Rotation + +Self-signed certificates require manual rotation before expiry: + +1. **Generate new certificates:** + +```bash +# Generate CA +openssl genrsa -out ca.key 2048 +openssl req -x509 -new -nodes -key ca.key -subj "/CN=contextforge-webhook-ca" -days 365 -out ca.crt + +# Generate server certificate +openssl genrsa -out tls.key 2048 +openssl req -new -key tls.key -subj "/CN=contextforge-webhook.contextforge-system.svc" -out server.csr + +cat > server.ext << EOF +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names + +[alt_names] +DNS.1 = contextforge-webhook +DNS.2 = contextforge-webhook.contextforge-system +DNS.3 = contextforge-webhook.contextforge-system.svc +DNS.4 = contextforge-webhook.contextforge-system.svc.cluster.local +EOF + +openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 365 -extfile server.ext +``` + +2. **Update the Secret:** + +```bash +kubectl create secret tls contextforge-webhook-certs \ + --cert=tls.crt \ + --key=tls.key \ + --dry-run=client -o yaml | kubectl apply -f - +``` + +3. **Update the webhook CA bundle:** + +```bash +CA_BUNDLE=$(cat ca.crt | base64 | tr -d '\n') +kubectl patch mutatingwebhookconfiguration contextforge-mutating-webhook \ + --type='json' \ + -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]" +``` + +4. **Restart the operator to reload certificates:** + +```bash +kubectl rollout restart deployment contextforge-operator -n contextforge-system +``` + +## Monitoring Certificate Expiry + +### Check Current Certificate + +```bash +# View certificate details +kubectl get secret contextforge-webhook-certs -n contextforge-system -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates + +# Check expiry +kubectl get secret contextforge-webhook-certs -n contextforge-system -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -enddate +``` + +### Prometheus Alerts + +If using Prometheus, add an alert for certificate expiry: + +```yaml +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: contextforge-cert-expiry +spec: + groups: + - name: contextforge + rules: + - alert: ContextForgeCertificateExpiringSoon + expr: | + ( + certmanager_certificate_expiration_timestamp_seconds{name="contextforge-webhook-cert"} + - time() + ) < 86400 * 14 + for: 1h + labels: + severity: warning + annotations: + summary: "ContextForge webhook certificate expiring soon" + description: "Certificate will expire in less than 14 days" +``` + +## Troubleshooting + +### Webhook Failures After Certificate Rotation + +If pods fail to create after certificate rotation: + +1. **Check webhook logs:** +```bash +kubectl logs -n contextforge-system deployment/contextforge-operator +``` + +2. **Verify certificate is valid:** +```bash +kubectl get secret contextforge-webhook-certs -n contextforge-system -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text +``` + +3. **Check CA bundle matches:** +```bash +kubectl get mutatingwebhookconfiguration contextforge-mutating-webhook -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d | openssl x509 -noout -subject +``` + +### Certificate Mismatch + +If the CA bundle doesn't match the certificate: + +```bash +# Get the CA from the current certificate +kubectl get secret contextforge-webhook-certs -n contextforge-system -o jsonpath='{.data.ca\.crt}' | base64 -d > current-ca.crt + +# Update webhook configuration +CA_BUNDLE=$(cat current-ca.crt | base64 | tr -d '\n') +kubectl patch mutatingwebhookconfiguration contextforge-mutating-webhook \ + --type='json' \ + -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]" +``` + +## Best Practices + +1. **Use cert-manager in production** - Automatic rotation eliminates manual intervention +2. **Monitor certificate expiry** - Set up alerts at least 14 days before expiry +3. **Test rotation in staging** - Verify the process works before production +4. **Document your rotation procedure** - Keep runbooks updated +5. **Use short-lived certificates** - Reduces blast radius if compromised (90 days recommended) diff --git a/docs/configuration.md b/docs/configuration.md new file mode 100644 index 0000000..34d1668 --- /dev/null +++ b/docs/configuration.md @@ -0,0 +1,485 @@ +# ContextForge Configuration Reference + +This document provides a complete reference for configuring ContextForge. + +## Table of Contents + +- [Pod Annotations](#pod-annotations) +- [Proxy Environment Variables](#proxy-environment-variables) +- [Helm Chart Values](#helm-chart-values) +- [HeaderPropagationPolicy CRD](#headerpropagationpolicy-crd) + +--- + +## Pod Annotations + +Add these annotations to your Pod spec to configure sidecar injection: + +| Annotation | Required | Default | Description | +|------------|----------|---------|-------------| +| `ctxforge.io/enabled` | Yes | - | Set to `"true"` to enable sidecar injection | +| `ctxforge.io/headers` | Yes | - | Comma-separated list of headers to propagate | +| `ctxforge.io/target-port` | No | `8080` | Your application's listening port | + +### Example + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: my-app + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-correlation-id" + ctxforge.io/target-port: "3000" +spec: + containers: + - name: app + image: my-app:latest + ports: + - containerPort: 3000 +``` + +--- + +## Proxy Environment Variables + +These environment variables configure the injected sidecar proxy. They can be set via Helm values or directly in the sidecar container. + +### Core Settings + +| Variable | Default | Description | +|----------|---------|-------------| +| `HEADERS_TO_PROPAGATE` | (required*) | Comma-separated list of headers to propagate | +| `HEADER_RULES` | - | JSON array of advanced header rules (alternative to HEADERS_TO_PROPAGATE) | +| `TARGET_HOST` | `localhost:8080` | Target application host:port | +| `PROXY_PORT` | `9090` | Port the proxy listens on | +| `LOG_LEVEL` | `info` | Logging level: `debug`, `info`, `warn`, `error` | +| `LOG_FORMAT` | `console` | Log format: `console` (human-readable) or `json` | +| `METRICS_PORT` | `9091` | Port for Prometheus metrics (if separate from proxy) | + +*Either `HEADERS_TO_PROPAGATE` or `HEADER_RULES` is required. + +### Advanced Header Rules (HEADER_RULES) + +For advanced configuration including header generation and path/method filtering, use `HEADER_RULES` with a JSON array: + +```bash +HEADER_RULES='[ + {"name": "x-request-id", "generate": true, "generatorType": "uuid"}, + {"name": "x-tenant-id"}, + {"name": "x-api-key", "pathRegex": "^/api/.*", "methods": ["POST", "PUT"]} +]' +``` + +#### Header Rule Fields + +| Field | Type | Default | Description | +|-------|------|---------|-------------| +| `name` | string | (required) | HTTP header name | +| `generate` | bool | `false` | Auto-generate if header is missing | +| `generatorType` | string | `uuid` | Generator: `uuid`, `ulid`, or `timestamp` | +| `propagate` | bool | `true` | Whether to propagate this header | +| `pathRegex` | string | - | Regex pattern to match request paths | +| `methods` | []string | - | HTTP methods to match (e.g., `["GET", "POST"]`) | + +#### Generator Types + +| Type | Format | Example | +|------|--------|---------| +| `uuid` | UUID v4 | `550e8400-e29b-41d4-a716-446655440000` | +| `ulid` | ULID (sortable) | `01ARZ3NDEKTSV4RRFFQ69G5FAV` | +| `timestamp` | RFC3339Nano | `2025-01-01T12:00:00.123456789Z` | + +#### Example: Auto-generate Request ID + +```bash +HEADER_RULES='[{"name":"x-request-id","generate":true,"generatorType":"uuid"}]' +``` + +#### Example: Path and Method Filtering + +Only propagate headers for API endpoints, not health checks: + +```bash +HEADER_RULES='[ + {"name":"x-request-id","generate":true,"generatorType":"uuid","pathRegex":"^/api/.*"}, + {"name":"x-tenant-id","pathRegex":"^/api/.*","methods":["POST","PUT","DELETE"]} +]' +``` + +### Timeout Settings + +| Variable | Default | Description | +|----------|---------|-------------| +| `READ_TIMEOUT` | `15s` | Max time to read entire request including body | +| `WRITE_TIMEOUT` | `15s` | Max time before timing out response writes | +| `IDLE_TIMEOUT` | `60s` | Max time to wait for next request (keep-alive) | +| `READ_HEADER_TIMEOUT` | `5s` | Max time to read request headers | +| `TARGET_DIAL_TIMEOUT` | `2s` | Timeout for connecting to target application | + +Timeout values use Go duration format: `15s`, `1m30s`, `500ms`, etc. + +### Rate Limiting + +| Variable | Default | Description | +|----------|---------|-------------| +| `RATE_LIMIT_ENABLED` | `false` | Enable rate limiting middleware | +| `RATE_LIMIT_RPS` | `1000` | Maximum requests per second | +| `RATE_LIMIT_BURST` | `100` | Maximum burst size (token bucket) | + +When rate limit is exceeded, the proxy returns HTTP 429 (Too Many Requests). + +### Example with Custom Timeouts + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: my-app + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id" +spec: + containers: + - name: app + image: my-app:latest + env: + # Injected sidecar will use these if set + - name: READ_TIMEOUT + value: "30s" + - name: WRITE_TIMEOUT + value: "30s" + - name: RATE_LIMIT_ENABLED + value: "true" + - name: RATE_LIMIT_RPS + value: "500" +``` + +--- + +## Helm Chart Values + +### Operator Configuration + +```yaml +operator: + # Number of operator replicas + replicaCount: 1 + + image: + repository: ghcr.io/bgruszka/contextforge-operator + tag: "0.1.0" + pullPolicy: IfNotPresent + + # Resource requests/limits + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 256Mi + + # PodDisruptionBudget + pdb: + enabled: true + minAvailable: 1 + + # Leader election (required for HA) + leaderElection: + enabled: true + + # Metrics endpoint + metrics: + enabled: true + port: 8080 + + # Health probe port + healthProbe: + port: 8081 +``` + +### Proxy Sidecar Configuration + +```yaml +proxy: + image: + repository: ghcr.io/bgruszka/contextforge-proxy + tag: "0.1.0" + pullPolicy: IfNotPresent + + # Resource requests/limits for injected sidecar + resources: + requests: + cpu: 25m + memory: 32Mi + limits: + cpu: 200m + memory: 128Mi + + # Default proxy port + port: 9090 + + # Default target port (application port) + defaultTargetPort: 8080 + + # Default log level + logLevel: info +``` + +### Webhook Configuration + +```yaml +webhook: + # Webhook server port + port: 9443 + + # What to do if webhook fails: Fail or Ignore + failurePolicy: Fail + + # Certificate configuration + certManager: + # Use cert-manager for webhook certificates + enabled: false + # Create a self-signed issuer + createSelfSignedIssuer: true + # Or use an existing issuer + issuerRef: + kind: Issuer + name: my-issuer + + # Self-signed certificate settings (if cert-manager disabled) + selfSigned: + validityDays: 365 +``` + +### Full Example + +```yaml +# values.yaml +operator: + replicaCount: 2 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 512Mi + pdb: + enabled: true + minAvailable: 1 + +proxy: + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi + logLevel: info + +webhook: + failurePolicy: Fail + certManager: + enabled: true + createSelfSignedIssuer: true +``` + +--- + +## HeaderPropagationPolicy CRD + +The HeaderPropagationPolicy CRD provides advanced header configuration. + +### Spec Fields + +| Field | Type | Description | +|-------|------|-------------| +| `podSelector` | LabelSelector | Selects pods to apply this policy (optional, matches all if empty) | +| `propagationRules` | []PropagationRule | List of header propagation rules | + +### PropagationRule Fields + +| Field | Type | Description | +|-------|------|-------------| +| `headers` | []HeaderConfig | Headers to propagate with this rule | +| `pathRegex` | string | Optional regex to match request paths | +| `methods` | []string | Optional list of HTTP methods to match | + +### HeaderConfig Fields + +| Field | Type | Default | Description | +|-------|------|---------|-------------| +| `name` | string | (required) | HTTP header name | +| `generate` | bool | `false` | Auto-generate if header is missing | +| `generatorType` | string | - | Generator type: `uuid`, `ulid`, `timestamp` | +| `propagate` | bool | `true` | Whether to propagate this header | + +### Status Fields + +| Field | Type | Description | +|-------|------|-------------| +| `conditions` | []Condition | Current state conditions | +| `observedGeneration` | int64 | Last observed generation | +| `appliedToPods` | int32 | Number of pods this policy applies to | + +### Example: Basic Policy + +```yaml +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: tracing-headers + namespace: production +spec: + podSelector: + matchLabels: + app: my-service + propagationRules: + - headers: + - name: x-request-id + - name: x-correlation-id + - name: x-tenant-id +``` + +### Example: Auto-Generate Request ID + +```yaml +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: auto-request-id +spec: + propagationRules: + - headers: + - name: x-request-id + generate: true + generatorType: uuid + - name: x-tenant-id +``` + +### Example: Path-Based Rules + +```yaml +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: api-headers +spec: + propagationRules: + # Propagate tenant ID only for /api/* paths + - pathRegex: "^/api/.*" + headers: + - name: x-tenant-id + - name: x-request-id + # Propagate debug headers only for POST/PUT + - methods: ["POST", "PUT"] + headers: + - name: x-debug-id +``` + +--- + +## Prometheus Metrics + +The proxy exposes metrics at the `/metrics` endpoint. + +### Available Metrics + +| Metric | Type | Labels | Description | +|--------|------|--------|-------------| +| `ctxforge_proxy_requests_total` | Counter | `method`, `status` | Total HTTP requests processed | +| `ctxforge_proxy_request_duration_seconds` | Histogram | `method` | Request duration distribution | +| `ctxforge_proxy_headers_propagated_total` | Counter | - | Total headers propagated | +| `ctxforge_proxy_active_connections` | Gauge | - | Current active connections | + +### Example Prometheus Queries + +```promql +# Request rate by status code +rate(ctxforge_proxy_requests_total[5m]) + +# 95th percentile latency +histogram_quantile(0.95, rate(ctxforge_proxy_request_duration_seconds_bucket[5m])) + +# Error rate (5xx responses) +sum(rate(ctxforge_proxy_requests_total{status=~"5.."}[5m])) / sum(rate(ctxforge_proxy_requests_total[5m])) + +# Headers propagated per second +rate(ctxforge_proxy_headers_propagated_total[5m]) +``` + +### Grafana Dashboard + +A sample Grafana dashboard is available at `deploy/grafana/contextforge-dashboard.json`. + +--- + +## Health Endpoints + +| Endpoint | Method | Success Code | Description | +|----------|--------|--------------|-------------| +| `/healthz` | GET | 200 | Liveness probe - proxy is running | +| `/ready` | GET | 200 | Readiness probe - target is reachable | +| `/metrics` | GET | 200 | Prometheus metrics | + +### Kubernetes Probe Configuration + +The injected sidecar automatically configures probes: + +```yaml +livenessProbe: + httpGet: + path: /healthz + port: 9090 + initialDelaySeconds: 5 + periodSeconds: 10 + +readinessProbe: + httpGet: + path: /ready + port: 9090 + initialDelaySeconds: 5 + periodSeconds: 5 +``` + +--- + +## Troubleshooting + +### Common Issues + +**Sidecar not injected:** +- Ensure `ctxforge.io/enabled: "true"` annotation is set +- Check webhook is running: `kubectl get pods -n contextforge-system` +- Verify webhook certificate is valid + +**Headers not propagating:** +- Enable debug logging: `LOG_LEVEL=debug` +- Check proxy logs: `kubectl logs -c ctxforge-proxy` +- Verify `HEADERS_TO_PROPAGATE` includes your headers + +**High latency:** +- Check `ctxforge_proxy_request_duration_seconds` metrics +- Increase timeout values if needed +- Review rate limiting settings + +**429 Too Many Requests:** +- Rate limiting is enabled and limit exceeded +- Increase `RATE_LIMIT_RPS` or `RATE_LIMIT_BURST` +- Or disable with `RATE_LIMIT_ENABLED=false` + +### Debug Logging + +Enable verbose logging to troubleshoot issues: + +```yaml +env: + - name: LOG_LEVEL + value: "debug" + - name: LOG_FORMAT + value: "json" +``` diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..a7f462f --- /dev/null +++ b/go.mod @@ -0,0 +1,106 @@ +module github.com/bgruszka/contextforge + +go 1.24.6 + +require ( + github.com/onsi/ginkgo/v2 v2.27.3 + github.com/onsi/gomega v1.38.3 + github.com/rs/zerolog v1.34.0 + github.com/stretchr/testify v1.10.0 + k8s.io/api v0.34.1 + k8s.io/apimachinery v0.34.1 + k8s.io/client-go v0.34.1 + sigs.k8s.io/controller-runtime v0.22.4 +) + +require ( + cel.dev/expr v0.24.0 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect + github.com/antlr4-go/antlr/v4 v4.13.0 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.12.2 // indirect + github.com/evanphx/json-patch/v5 v5.9.11 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/fsnotify/fsnotify v1.9.0 // indirect + github.com/fxamacker/cbor/v2 v2.9.0 // indirect + github.com/go-logr/logr v1.4.3 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.23.0 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/google/btree v1.1.3 // indirect + github.com/google/cel-go v0.26.0 // indirect + github.com/google/gnostic-models v0.7.0 // indirect + github.com/google/go-cmp v0.7.0 // indirect + github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-isatty v0.0.19 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/prometheus/client_golang v1.22.0 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.62.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/spf13/cobra v1.9.1 // indirect + github.com/spf13/pflag v1.0.6 // indirect + github.com/stoewer/go-strcase v1.3.0 // indirect + github.com/x448/float16 v0.8.4 // indirect + go.opentelemetry.io/auto/sdk v1.1.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect + go.opentelemetry.io/otel v1.35.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect + go.opentelemetry.io/otel/metric v1.35.0 // indirect + go.opentelemetry.io/otel/sdk v1.34.0 // indirect + go.opentelemetry.io/otel/trace v1.35.0 // indirect + go.opentelemetry.io/proto/otlp v1.5.0 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.27.0 // indirect + go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect + golang.org/x/mod v0.27.0 // indirect + golang.org/x/net v0.43.0 // indirect + golang.org/x/oauth2 v0.27.0 // indirect + golang.org/x/sync v0.16.0 // indirect + golang.org/x/sys v0.35.0 // indirect + golang.org/x/term v0.34.0 // indirect + golang.org/x/text v0.28.0 // indirect + golang.org/x/time v0.9.0 // indirect + golang.org/x/tools v0.36.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect + google.golang.org/grpc v1.72.1 // indirect + google.golang.org/protobuf v1.36.7 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/apiextensions-apiserver v0.34.1 // indirect + k8s.io/apiserver v0.34.1 // indirect + k8s.io/component-base v0.34.1 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect + k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect + sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect + sigs.k8s.io/randfill v1.0.0 // indirect + sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect + sigs.k8s.io/yaml v1.6.0 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..1e98505 --- /dev/null +++ b/go.sum @@ -0,0 +1,298 @@ +cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY= +cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= +github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k= +github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ= +github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= +github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= +github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= +github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= +github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= +github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= +github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE= +github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= +github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI= +github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM= +github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo= +github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= +github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE= +github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= +github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= +github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA= +github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE= +github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo/v2 v2.27.3 h1:ICsZJ8JoYafeXFFlFAG75a7CxMsJHwgKwtO+82SE9L8= +github.com/onsi/ginkgo/v2 v2.27.3/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM= +github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= +github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io= +github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= +github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0= +github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY= +github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= +github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= +github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= +github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= +github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= +github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= +github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q= +go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ= +go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= +go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M= +go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= +go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= +go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= +go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= +go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= +go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs= +go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= +go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= +go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= +go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ= +golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= +golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= +golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M= +golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= +golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= +golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= +golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= +golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= +golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= +golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= +golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950= +google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= +google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA= +google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= +google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A= +google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= +k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= +k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= +k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= +k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= +k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA= +k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0= +k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= +k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= +k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= +k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= +k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= +k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= +sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A= +sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= +sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= +sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt new file mode 100644 index 0000000..221dcbe --- /dev/null +++ b/hack/boilerplate.go.txt @@ -0,0 +1,15 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ \ No newline at end of file diff --git a/internal/config/config.go b/internal/config/config.go new file mode 100644 index 0000000..c514371 --- /dev/null +++ b/internal/config/config.go @@ -0,0 +1,416 @@ +// Package config provides configuration loading for the ContextForge proxy. +package config + +import ( + "encoding/json" + "fmt" + "os" + "regexp" + "strconv" + "strings" + "time" + + "github.com/bgruszka/contextforge/internal/generator" +) + +// HeaderRule defines a header propagation rule with optional generation settings. +type HeaderRule struct { + // Name is the HTTP header name. + Name string `json:"name"` + + // Generate indicates whether to auto-generate this header if missing. + Generate bool `json:"generate,omitempty"` + + // GeneratorType specifies how to generate the header value (uuid, ulid, timestamp). + GeneratorType generator.Type `json:"generatorType,omitempty"` + + // Propagate indicates whether to propagate this header (default: true). + Propagate bool `json:"propagate"` + + // PathRegex is an optional regex pattern to match request paths. + PathRegex string `json:"pathRegex,omitempty"` + + // Methods is an optional list of HTTP methods this rule applies to. + Methods []string `json:"methods,omitempty"` + + // CompiledPathRegex is the compiled path regex (set after validation). + CompiledPathRegex *regexp.Regexp `json:"-"` +} + +// MatchesRequest checks if this rule applies to the given request path and method. +func (r *HeaderRule) MatchesRequest(path, method string) bool { + // Check path regex if specified + if r.CompiledPathRegex != nil { + if !r.CompiledPathRegex.MatchString(path) { + return false + } + } + + // Check methods if specified + if len(r.Methods) > 0 { + methodMatches := false + upperMethod := strings.ToUpper(method) + for _, m := range r.Methods { + if strings.ToUpper(m) == upperMethod { + methodMatches = true + break + } + } + if !methodMatches { + return false + } + } + + return true +} + +// ProxyConfig holds the configuration for the proxy sidecar. +type ProxyConfig struct { + // HeadersToPropagate is a list of HTTP header names to extract and propagate. + // Deprecated: Use HeaderRules for more control. + HeadersToPropagate []string + + // HeaderRules defines header propagation rules with generation and filtering options. + HeaderRules []HeaderRule + + // TargetHost is the address of the application container to forward requests to. + TargetHost string + + // ProxyPort is the port the proxy listens on for incoming requests. + ProxyPort int + + // LogLevel defines the logging verbosity (debug, info, warn, error). + LogLevel string + + // MetricsPort is the port for Prometheus metrics endpoint. + MetricsPort int + + // ReadTimeout is the maximum duration for reading the entire request, including the body. + ReadTimeout time.Duration + + // WriteTimeout is the maximum duration before timing out writes of the response. + WriteTimeout time.Duration + + // IdleTimeout is the maximum amount of time to wait for the next request. + IdleTimeout time.Duration + + // ReadHeaderTimeout is the amount of time allowed to read request headers. + ReadHeaderTimeout time.Duration + + // TargetDialTimeout is the timeout for dialing the target application. + TargetDialTimeout time.Duration + + // RateLimitEnabled enables rate limiting middleware. + RateLimitEnabled bool + + // RateLimitRPS is the requests per second limit. + RateLimitRPS float64 + + // RateLimitBurst is the maximum burst size for rate limiting. + RateLimitBurst int +} + +// Default timeout values with rationale: +// +// ReadTimeout (15s): Maximum time to read the entire request including body. +// Set to 15s to accommodate typical API requests while preventing slow-loris attacks. +// Adjust higher (30s-60s) for file uploads or long-polling endpoints. +// +// WriteTimeout (15s): Maximum time to write the response. +// Matches ReadTimeout for symmetry. Increase for endpoints returning large responses. +// +// IdleTimeout (60s): Time to keep idle connections open for reuse. +// 60s balances connection reuse benefits against resource consumption. +// Increase for high-latency networks, decrease for memory-constrained environments. +// +// ReadHeaderTimeout (5s): Time to read request headers only. +// 5s is sufficient for normal requests while protecting against slowloris attacks. +// +// TargetDialTimeout (5s): Time to establish connection to target application. +// Increased from 2s to 5s to handle Kubernetes DNS resolution delays during +// pod restarts and rolling updates. Adjust higher for cross-cluster communication. +const ( + defaultReadTimeout = 15 * time.Second + defaultWriteTimeout = 15 * time.Second + defaultIdleTimeout = 60 * time.Second + defaultReadHeaderTimeout = 5 * time.Second + defaultTargetDialTimeout = 5 * time.Second +) + +// Load reads configuration from environment variables and returns a ProxyConfig. +// Returns an error if required configuration is missing or invalid. +func Load() (*ProxyConfig, error) { + cfg := &ProxyConfig{ + TargetHost: getEnv("TARGET_HOST", "localhost:8080"), + ProxyPort: getEnvInt("PROXY_PORT", 9090), + LogLevel: getEnv("LOG_LEVEL", "info"), + MetricsPort: getEnvInt("METRICS_PORT", 9091), + ReadTimeout: getEnvDuration("READ_TIMEOUT", defaultReadTimeout), + WriteTimeout: getEnvDuration("WRITE_TIMEOUT", defaultWriteTimeout), + IdleTimeout: getEnvDuration("IDLE_TIMEOUT", defaultIdleTimeout), + ReadHeaderTimeout: getEnvDuration("READ_HEADER_TIMEOUT", defaultReadHeaderTimeout), + TargetDialTimeout: getEnvDuration("TARGET_DIAL_TIMEOUT", defaultTargetDialTimeout), + RateLimitEnabled: getEnvBool("RATE_LIMIT_ENABLED", false), + RateLimitRPS: getEnvFloat("RATE_LIMIT_RPS", 1000), + RateLimitBurst: getEnvInt("RATE_LIMIT_BURST", 100), + } + + // Parse header rules - prefer HEADER_RULES over HEADERS_TO_PROPAGATE + headerRulesStr := getEnv("HEADER_RULES", "") + headersStr := getEnv("HEADERS_TO_PROPAGATE", "") + + if headerRulesStr != "" { + // Parse JSON header rules + rules, err := parseHeaderRules(headerRulesStr) + if err != nil { + return nil, fmt.Errorf("invalid HEADER_RULES: %w", err) + } + cfg.HeaderRules = rules + // Also populate HeadersToPropagate for backward compatibility + for _, rule := range rules { + if rule.Propagate { + cfg.HeadersToPropagate = append(cfg.HeadersToPropagate, rule.Name) + } + } + } else if headersStr != "" { + // Parse simple comma-separated headers (backward compatible) + headers, err := parseHeaders(headersStr) + if err != nil { + return nil, fmt.Errorf("invalid HEADERS_TO_PROPAGATE: %w", err) + } + cfg.HeadersToPropagate = headers + // Convert to HeaderRules for unified processing + for _, h := range headers { + cfg.HeaderRules = append(cfg.HeaderRules, HeaderRule{ + Name: h, + Propagate: true, + }) + } + } else { + return nil, fmt.Errorf("HEADERS_TO_PROPAGATE or HEADER_RULES environment variable is required (e.g., HEADERS_TO_PROPAGATE=x-request-id,x-tenant-id)") + } + + if len(cfg.HeaderRules) == 0 { + return nil, fmt.Errorf("at least one header must be specified (e.g., HEADERS_TO_PROPAGATE=x-request-id,x-correlation-id)") + } + + if err := cfg.Validate(); err != nil { + return nil, fmt.Errorf("configuration validation failed: %w", err) + } + + return cfg, nil +} + +// parseHeaderRules parses a JSON array of header rules. +// Format: [{"name":"x-request-id","generate":true,"generatorType":"uuid"},{"name":"x-tenant-id"}] +func parseHeaderRules(input string) ([]HeaderRule, error) { + var rules []HeaderRule + if err := json.Unmarshal([]byte(input), &rules); err != nil { + return nil, fmt.Errorf("invalid JSON: %w (expected format: [{\"name\":\"x-request-id\",\"generate\":true,\"generatorType\":\"uuid\"}])", err) + } + + for i := range rules { + // Validate header name + if err := validateHeaderName(rules[i].Name); err != nil { + return nil, err + } + + // Default Propagate to true if not explicitly set to false + // JSON unmarshaling sets bool to false by default, so we default to true + // for most use cases. To disable propagation, explicitly set "propagate": false + if !rules[i].Propagate { + rules[i].Propagate = true + } + + // Validate generator type if generation is enabled + if rules[i].Generate { + if rules[i].GeneratorType == "" { + rules[i].GeneratorType = generator.TypeUUID // Default to UUID + } + if _, err := generator.New(rules[i].GeneratorType); err != nil { + return nil, fmt.Errorf("header %q: %w", rules[i].Name, err) + } + } + + // Compile path regex if specified + if rules[i].PathRegex != "" { + compiled, err := regexp.Compile(rules[i].PathRegex) + if err != nil { + return nil, fmt.Errorf("header %q: invalid path regex %q: %w", rules[i].Name, rules[i].PathRegex, err) + } + rules[i].CompiledPathRegex = compiled + } + + // Validate HTTP methods if specified + validMethods := map[string]bool{ + "GET": true, "POST": true, "PUT": true, "DELETE": true, + "PATCH": true, "HEAD": true, "OPTIONS": true, "TRACE": true, "CONNECT": true, + } + for _, m := range rules[i].Methods { + if !validMethods[strings.ToUpper(m)] { + return nil, fmt.Errorf("header %q: invalid HTTP method %q", rules[i].Name, m) + } + } + } + + return rules, nil +} + +// Validate checks if the configuration values are valid. +func (c *ProxyConfig) Validate() error { + if c.ProxyPort < 1 || c.ProxyPort > 65535 { + return fmt.Errorf("invalid proxy port: %d (must be 1-65535, e.g., PROXY_PORT=9090)", c.ProxyPort) + } + + if c.MetricsPort < 1 || c.MetricsPort > 65535 { + return fmt.Errorf("invalid metrics port: %d (must be 1-65535, e.g., METRICS_PORT=9091)", c.MetricsPort) + } + + if c.ProxyPort == c.MetricsPort { + return fmt.Errorf("proxy port and metrics port cannot be the same: %d (use different ports, e.g., PROXY_PORT=9090 METRICS_PORT=9091)", c.ProxyPort) + } + + if c.TargetHost == "" { + return fmt.Errorf("target host cannot be empty (e.g., TARGET_HOST=localhost:8080)") + } + + validLogLevels := map[string]bool{ + "debug": true, + "info": true, + "warn": true, + "error": true, + } + if !validLogLevels[strings.ToLower(c.LogLevel)] { + return fmt.Errorf("invalid log level: %s (must be debug, info, warn, or error)", c.LogLevel) + } + + // Validate timeouts + if c.ReadTimeout <= 0 { + return fmt.Errorf("invalid read timeout: %v (must be positive, e.g., 15s)", c.ReadTimeout) + } + if c.WriteTimeout <= 0 { + return fmt.Errorf("invalid write timeout: %v (must be positive, e.g., 15s)", c.WriteTimeout) + } + if c.IdleTimeout <= 0 { + return fmt.Errorf("invalid idle timeout: %v (must be positive, e.g., 60s)", c.IdleTimeout) + } + if c.ReadHeaderTimeout <= 0 { + return fmt.Errorf("invalid read header timeout: %v (must be positive, e.g., 5s)", c.ReadHeaderTimeout) + } + if c.TargetDialTimeout <= 0 { + return fmt.Errorf("invalid target dial timeout: %v (must be positive, e.g., 2s)", c.TargetDialTimeout) + } + + return nil +} + +// headerNameRegex validates HTTP header names per RFC 7230. +// Header names must contain only alphanumeric characters and hyphens. +var headerNameRegex = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9-]*$`) + +// validateHeaderName checks if a header name is valid per RFC 7230. +// Valid header names contain only alphanumeric characters and hyphens, +// must start with an alphanumeric character, and be 1-256 characters long. +func validateHeaderName(name string) error { + if len(name) == 0 { + return fmt.Errorf("header name cannot be empty") + } + if len(name) > 256 { + return fmt.Errorf("header name %q exceeds maximum length of 256 characters", name) + } + if !headerNameRegex.MatchString(name) { + return fmt.Errorf("header name %q is invalid: must contain only alphanumeric characters and hyphens, starting with alphanumeric (e.g., x-request-id, X-Correlation-ID)", name) + } + return nil +} + +// parseHeaders splits a comma-separated header string into a slice of trimmed header names. +// Returns an error if any header name is invalid. +func parseHeaders(input string) ([]string, error) { + parts := strings.Split(input, ",") + headers := make([]string, 0, len(parts)) + + for _, part := range parts { + header := strings.TrimSpace(part) + if header != "" { + if err := validateHeaderName(header); err != nil { + return nil, err + } + headers = append(headers, header) + } + } + + return headers, nil +} + +// getEnv returns the value of an environment variable or a default value if not set. +func getEnv(key, defaultValue string) string { + if value := os.Getenv(key); value != "" { + return value + } + return defaultValue +} + +// getEnvInt returns the integer value of an environment variable or a default value. +func getEnvInt(key string, defaultValue int) int { + valueStr := os.Getenv(key) + if valueStr == "" { + return defaultValue + } + + value, err := strconv.Atoi(valueStr) + if err != nil { + return defaultValue + } + + return value +} + +// getEnvDuration returns the duration value of an environment variable or a default value. +// Duration strings are parsed using time.ParseDuration (e.g., "15s", "1m30s", "500ms"). +func getEnvDuration(key string, defaultValue time.Duration) time.Duration { + valueStr := os.Getenv(key) + if valueStr == "" { + return defaultValue + } + + value, err := time.ParseDuration(valueStr) + if err != nil { + return defaultValue + } + + return value +} + +// getEnvBool returns the boolean value of an environment variable or a default value. +// Accepts "true", "1", "yes" as true; "false", "0", "no" as false (case-insensitive). +func getEnvBool(key string, defaultValue bool) bool { + valueStr := os.Getenv(key) + if valueStr == "" { + return defaultValue + } + + switch strings.ToLower(valueStr) { + case "true", "1", "yes": + return true + case "false", "0", "no": + return false + default: + return defaultValue + } +} + +// getEnvFloat returns the float64 value of an environment variable or a default value. +func getEnvFloat(key string, defaultValue float64) float64 { + valueStr := os.Getenv(key) + if valueStr == "" { + return defaultValue + } + + value, err := strconv.ParseFloat(valueStr, 64) + if err != nil { + return defaultValue + } + + return value +} diff --git a/internal/config/config_test.go b/internal/config/config_test.go new file mode 100644 index 0000000..6b3d237 --- /dev/null +++ b/internal/config/config_test.go @@ -0,0 +1,507 @@ +package config + +import ( + "regexp" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestLoad_Success(t *testing.T) { + t.Setenv("HEADERS_TO_PROPAGATE", "x-request-id,x-dev-id,x-tenant-id") + t.Setenv("TARGET_HOST", "localhost:8080") + t.Setenv("PROXY_PORT", "9090") + t.Setenv("LOG_LEVEL", "debug") + t.Setenv("METRICS_PORT", "9091") + + cfg, err := Load() + + require.NoError(t, err) + assert.Equal(t, []string{"x-request-id", "x-dev-id", "x-tenant-id"}, cfg.HeadersToPropagate) + assert.Equal(t, "localhost:8080", cfg.TargetHost) + assert.Equal(t, 9090, cfg.ProxyPort) + assert.Equal(t, "debug", cfg.LogLevel) + assert.Equal(t, 9091, cfg.MetricsPort) +} + +func TestLoad_DefaultValues(t *testing.T) { + t.Setenv("HEADERS_TO_PROPAGATE", "x-request-id") + + cfg, err := Load() + + require.NoError(t, err) + assert.Equal(t, "localhost:8080", cfg.TargetHost) + assert.Equal(t, 9090, cfg.ProxyPort) + assert.Equal(t, "info", cfg.LogLevel) + assert.Equal(t, 9091, cfg.MetricsPort) + // Check default timeout values + assert.Equal(t, 15*time.Second, cfg.ReadTimeout) + assert.Equal(t, 15*time.Second, cfg.WriteTimeout) + assert.Equal(t, 60*time.Second, cfg.IdleTimeout) + assert.Equal(t, 5*time.Second, cfg.ReadHeaderTimeout) + assert.Equal(t, 5*time.Second, cfg.TargetDialTimeout) +} + +func TestLoad_CustomTimeouts(t *testing.T) { + t.Setenv("HEADERS_TO_PROPAGATE", "x-request-id") + t.Setenv("READ_TIMEOUT", "30s") + t.Setenv("WRITE_TIMEOUT", "45s") + t.Setenv("IDLE_TIMEOUT", "2m") + t.Setenv("READ_HEADER_TIMEOUT", "10s") + t.Setenv("TARGET_DIAL_TIMEOUT", "5s") + + cfg, err := Load() + + require.NoError(t, err) + assert.Equal(t, 30*time.Second, cfg.ReadTimeout) + assert.Equal(t, 45*time.Second, cfg.WriteTimeout) + assert.Equal(t, 2*time.Minute, cfg.IdleTimeout) + assert.Equal(t, 10*time.Second, cfg.ReadHeaderTimeout) + assert.Equal(t, 5*time.Second, cfg.TargetDialTimeout) +} + +func TestLoad_MissingHeaders(t *testing.T) { + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "HEADERS_TO_PROPAGATE") +} + +func TestLoad_HeaderRules(t *testing.T) { + t.Setenv("HEADER_RULES", `[{"name":"x-request-id","generate":true,"generatorType":"uuid"},{"name":"x-tenant-id","propagate":true}]`) + + cfg, err := Load() + + require.NoError(t, err) + assert.Len(t, cfg.HeaderRules, 2) + assert.Equal(t, "x-request-id", cfg.HeaderRules[0].Name) + assert.True(t, cfg.HeaderRules[0].Generate) + assert.Equal(t, "uuid", string(cfg.HeaderRules[0].GeneratorType)) + assert.Equal(t, "x-tenant-id", cfg.HeaderRules[1].Name) + assert.True(t, cfg.HeaderRules[1].Propagate) + // HeadersToPropagate should be populated for backward compatibility + assert.Contains(t, cfg.HeadersToPropagate, "x-request-id") + assert.Contains(t, cfg.HeadersToPropagate, "x-tenant-id") +} + +func TestLoad_HeaderRulesWithPathAndMethods(t *testing.T) { + t.Setenv("HEADER_RULES", `[{"name":"x-request-id","pathRegex":"^/api/.*","methods":["GET","POST"]}]`) + + cfg, err := Load() + + require.NoError(t, err) + assert.Len(t, cfg.HeaderRules, 1) + assert.Equal(t, "^/api/.*", cfg.HeaderRules[0].PathRegex) + assert.Equal(t, []string{"GET", "POST"}, cfg.HeaderRules[0].Methods) +} + +func TestLoad_HeaderRulesInvalidJSON(t *testing.T) { + t.Setenv("HEADER_RULES", `not valid json`) + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "invalid JSON") +} + +func TestLoad_HeaderRulesInvalidGeneratorType(t *testing.T) { + t.Setenv("HEADER_RULES", `[{"name":"x-request-id","generate":true,"generatorType":"invalid"}]`) + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "unknown generator type") +} + +func TestLoad_HeaderRulesInvalidPathRegex(t *testing.T) { + t.Setenv("HEADER_RULES", `[{"name":"x-request-id","pathRegex":"[invalid"}]`) + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "invalid path regex") +} + +func TestLoad_HeaderRulesInvalidMethod(t *testing.T) { + t.Setenv("HEADER_RULES", `[{"name":"x-request-id","methods":["INVALID"]}]`) + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "invalid HTTP method") +} + +func TestHeaderRule_MatchesRequest(t *testing.T) { + tests := []struct { + name string + rule HeaderRule + path string + method string + expected bool + }{ + { + name: "no filters matches everything", + rule: HeaderRule{Name: "x-request-id"}, + path: "/api/users", + method: "GET", + expected: true, + }, + { + name: "path regex matches", + rule: HeaderRule{ + Name: "x-request-id", + PathRegex: "^/api/.*", + }, + path: "/api/users", + method: "GET", + expected: true, + }, + { + name: "path regex does not match", + rule: HeaderRule{ + Name: "x-request-id", + PathRegex: "^/api/.*", + }, + path: "/health", + method: "GET", + expected: false, + }, + { + name: "method matches", + rule: HeaderRule{ + Name: "x-request-id", + Methods: []string{"GET", "POST"}, + }, + path: "/api/users", + method: "GET", + expected: true, + }, + { + name: "method does not match", + rule: HeaderRule{ + Name: "x-request-id", + Methods: []string{"GET", "POST"}, + }, + path: "/api/users", + method: "DELETE", + expected: false, + }, + { + name: "method matching is case insensitive", + rule: HeaderRule{ + Name: "x-request-id", + Methods: []string{"get", "post"}, + }, + path: "/api/users", + method: "GET", + expected: true, + }, + { + name: "both path and method must match", + rule: HeaderRule{ + Name: "x-request-id", + PathRegex: "^/api/.*", + Methods: []string{"GET"}, + }, + path: "/api/users", + method: "POST", + expected: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + rule := tt.rule + // Compile path regex if present + if rule.PathRegex != "" { + compiled, err := regexp.Compile(rule.PathRegex) + require.NoError(t, err) + rule.CompiledPathRegex = compiled + } + result := rule.MatchesRequest(tt.path, tt.method) + assert.Equal(t, tt.expected, result) + }) + } +} + +func TestLoad_EmptyHeaders(t *testing.T) { + t.Setenv("HEADERS_TO_PROPAGATE", " , , ") + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "at least one header") +} + +func TestLoad_InvalidProxyPort(t *testing.T) { + t.Setenv("HEADERS_TO_PROPAGATE", "x-request-id") + t.Setenv("PROXY_PORT", "99999") + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "proxy port") +} + +func TestLoad_SamePortConflict(t *testing.T) { + t.Setenv("HEADERS_TO_PROPAGATE", "x-request-id") + t.Setenv("PROXY_PORT", "9090") + t.Setenv("METRICS_PORT", "9090") + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "cannot be the same") +} + +func TestLoad_InvalidLogLevel(t *testing.T) { + t.Setenv("HEADERS_TO_PROPAGATE", "x-request-id") + t.Setenv("LOG_LEVEL", "invalid") + + cfg, err := Load() + + assert.Nil(t, cfg) + assert.Error(t, err) + assert.Contains(t, err.Error(), "log level") +} + +func TestParseHeaders(t *testing.T) { + tests := []struct { + name string + input string + expected []string + }{ + { + name: "single header", + input: "x-request-id", + expected: []string{"x-request-id"}, + }, + { + name: "multiple headers", + input: "x-request-id,x-dev-id,x-tenant-id", + expected: []string{"x-request-id", "x-dev-id", "x-tenant-id"}, + }, + { + name: "headers with spaces", + input: "x-request-id , x-dev-id , x-tenant-id", + expected: []string{"x-request-id", "x-dev-id", "x-tenant-id"}, + }, + { + name: "headers with empty values", + input: "x-request-id,,x-dev-id,", + expected: []string{"x-request-id", "x-dev-id"}, + }, + { + name: "empty string", + input: "", + expected: []string{}, + }, + { + name: "only commas and spaces", + input: " , , ", + expected: []string{}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result, err := parseHeaders(tt.input) + assert.NoError(t, err) + assert.Equal(t, tt.expected, result) + }) + } +} + +func TestParseHeaders_InvalidHeaders(t *testing.T) { + tests := []struct { + name string + input string + }{ + { + name: "header with space", + input: "invalid header", + }, + { + name: "header starting with hyphen", + input: "-invalid", + }, + { + name: "header with special characters", + input: "x-request@id", + }, + { + name: "one valid one invalid", + input: "x-request-id,invalid header", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + _, err := parseHeaders(tt.input) + assert.Error(t, err) + }) + } +} + +func TestGetEnv(t *testing.T) { + t.Setenv("TEST_KEY", "test_value") + + assert.Equal(t, "test_value", getEnv("TEST_KEY", "default")) + assert.Equal(t, "default", getEnv("NONEXISTENT_KEY", "default")) +} + +func TestGetEnvInt(t *testing.T) { + t.Setenv("TEST_INT", "42") + t.Setenv("TEST_INVALID_INT", "not_a_number") + + assert.Equal(t, 42, getEnvInt("TEST_INT", 10)) + assert.Equal(t, 10, getEnvInt("NONEXISTENT_INT", 10)) + assert.Equal(t, 10, getEnvInt("TEST_INVALID_INT", 10)) +} + +func TestGetEnvDuration(t *testing.T) { + t.Setenv("TEST_DURATION", "30s") + t.Setenv("TEST_DURATION_COMPLEX", "1m30s") + t.Setenv("TEST_DURATION_MS", "500ms") + t.Setenv("TEST_INVALID_DURATION", "not_a_duration") + + assert.Equal(t, 30*time.Second, getEnvDuration("TEST_DURATION", 10*time.Second)) + assert.Equal(t, 90*time.Second, getEnvDuration("TEST_DURATION_COMPLEX", 10*time.Second)) + assert.Equal(t, 500*time.Millisecond, getEnvDuration("TEST_DURATION_MS", 10*time.Second)) + assert.Equal(t, 10*time.Second, getEnvDuration("NONEXISTENT_DURATION", 10*time.Second)) + assert.Equal(t, 10*time.Second, getEnvDuration("TEST_INVALID_DURATION", 10*time.Second)) +} + +func TestValidate(t *testing.T) { + validConfig := func() ProxyConfig { + return ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + TargetHost: "localhost:8080", + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + ReadTimeout: 15 * time.Second, + WriteTimeout: 15 * time.Second, + IdleTimeout: 60 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + TargetDialTimeout: 2 * time.Second, + } + } + + tests := []struct { + name string + config ProxyConfig + expectErr bool + errMsg string + }{ + { + name: "valid config", + config: validConfig(), + expectErr: false, + }, + { + name: "invalid proxy port - too high", + config: func() ProxyConfig { + c := validConfig() + c.ProxyPort = 70000 + return c + }(), + expectErr: true, + errMsg: "proxy port", + }, + { + name: "invalid proxy port - zero", + config: func() ProxyConfig { + c := validConfig() + c.ProxyPort = 0 + return c + }(), + expectErr: true, + errMsg: "proxy port", + }, + { + name: "empty target host", + config: func() ProxyConfig { + c := validConfig() + c.TargetHost = "" + return c + }(), + expectErr: true, + errMsg: "target host", + }, + { + name: "invalid read timeout - zero", + config: func() ProxyConfig { + c := validConfig() + c.ReadTimeout = 0 + return c + }(), + expectErr: true, + errMsg: "read timeout", + }, + { + name: "invalid write timeout - negative", + config: func() ProxyConfig { + c := validConfig() + c.WriteTimeout = -1 * time.Second + return c + }(), + expectErr: true, + errMsg: "write timeout", + }, + { + name: "invalid idle timeout - zero", + config: func() ProxyConfig { + c := validConfig() + c.IdleTimeout = 0 + return c + }(), + expectErr: true, + errMsg: "idle timeout", + }, + { + name: "invalid read header timeout - zero", + config: func() ProxyConfig { + c := validConfig() + c.ReadHeaderTimeout = 0 + return c + }(), + expectErr: true, + errMsg: "read header timeout", + }, + { + name: "invalid target dial timeout - zero", + config: func() ProxyConfig { + c := validConfig() + c.TargetDialTimeout = 0 + return c + }(), + expectErr: true, + errMsg: "target dial timeout", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := tt.config.Validate() + if tt.expectErr { + assert.Error(t, err) + if tt.errMsg != "" { + assert.Contains(t, err.Error(), tt.errMsg) + } + } else { + assert.NoError(t, err) + } + }) + } +} diff --git a/internal/controller/headerpropagationpolicy_controller.go b/internal/controller/headerpropagationpolicy_controller.go new file mode 100644 index 0000000..1ba6ba4 --- /dev/null +++ b/internal/controller/headerpropagationpolicy_controller.go @@ -0,0 +1,260 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controller + +import ( + "context" + "time" + + corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/handler" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + + ctxforgev1alpha1 "github.com/bgruszka/contextforge/api/v1alpha1" +) + +const ( + // ConditionTypeReady indicates whether the policy is ready and applied + ConditionTypeReady = "Ready" + + // RequeueAfterNoMatches is the requeue interval when no pods match the selector. + // We check periodically in case pods are created outside of our watch events. + RequeueAfterNoMatches = 30 * time.Second + + // RequeueAfterPendingPods is the requeue interval when pods exist but aren't ready. + // Shorter interval to quickly detect when pods become ready. + RequeueAfterPendingPods = 10 * time.Second +) + +// HeaderPropagationPolicyReconciler reconciles a HeaderPropagationPolicy object +type HeaderPropagationPolicyReconciler struct { + client.Client + Scheme *runtime.Scheme +} + +// +kubebuilder:rbac:groups=ctxforge.ctxforge.io,resources=headerpropagationpolicies,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=ctxforge.ctxforge.io,resources=headerpropagationpolicies/status,verbs=get;update;patch +// +kubebuilder:rbac:groups=ctxforge.ctxforge.io,resources=headerpropagationpolicies/finalizers,verbs=update +// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch + +// Reconcile is part of the main kubernetes reconciliation loop which aims to +// move the current state of the cluster closer to the desired state. +// +// The controller performs the following actions: +// 1. Fetches the HeaderPropagationPolicy resource +// 2. Lists pods matching the policy's PodSelector in the same namespace +// 3. Updates the status with the count of matched pods +// 4. Sets the Ready condition based on whether pods are found +// +// For more details, check Reconcile and its Result here: +// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.22.4/pkg/reconcile +func (r *HeaderPropagationPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + log := logf.FromContext(ctx) + + // Fetch the HeaderPropagationPolicy instance + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + if err := r.Get(ctx, req.NamespacedName, policy); err != nil { + if apierrors.IsNotFound(err) { + // Policy was deleted, nothing to do + log.Info("HeaderPropagationPolicy resource not found, likely deleted") + return ctrl.Result{}, nil + } + log.Error(err, "Failed to fetch HeaderPropagationPolicy") + return ctrl.Result{}, err + } + + // Build label selector from PodSelector + var selector labels.Selector + var err error + if policy.Spec.PodSelector != nil { + selector, err = metav1.LabelSelectorAsSelector(policy.Spec.PodSelector) + if err != nil { + log.Error(err, "Failed to parse PodSelector") + r.setReadyCondition(ctx, policy, metav1.ConditionFalse, "InvalidSelector", "Failed to parse PodSelector: "+err.Error()) + return ctrl.Result{}, err + } + } else { + // Empty selector matches all pods in namespace + selector = labels.Everything() + } + + // List pods matching the selector in the same namespace + podList := &corev1.PodList{} + listOpts := []client.ListOption{ + client.InNamespace(policy.Namespace), + client.MatchingLabelsSelector{Selector: selector}, + } + if err := r.List(ctx, podList, listOpts...); err != nil { + log.Error(err, "Failed to list pods") + r.setReadyCondition(ctx, policy, metav1.ConditionFalse, "ListPodsFailed", "Failed to list pods: "+err.Error()) + return ctrl.Result{}, err + } + + // Count pods by state + var matchedPods int32 + var pendingPods int32 + var totalSelectorMatches int32 + + for _, pod := range podList.Items { + // Check if the pod has the ctxforge sidecar + hasSidecar := false + for _, container := range pod.Spec.Containers { + if container.Name == "ctxforge-proxy" { + hasSidecar = true + break + } + } + + if hasSidecar { + totalSelectorMatches++ + switch pod.Status.Phase { + case corev1.PodRunning: + matchedPods++ + case corev1.PodPending: + pendingPods++ + } + } + } + + // Determine if status changed + statusChanged := policy.Status.AppliedToPods != matchedPods || + policy.Status.ObservedGeneration != policy.Generation + + // Update status + policy.Status.ObservedGeneration = policy.Generation + policy.Status.AppliedToPods = matchedPods + + // Set Ready condition + if matchedPods > 0 { + r.setReadyCondition(ctx, policy, metav1.ConditionTrue, "PolicyApplied", + "Policy is applied to pods with contextforge-proxy sidecar") + } else { + r.setReadyCondition(ctx, policy, metav1.ConditionFalse, "NoMatchingPods", + "No running pods with contextforge-proxy sidecar match the selector") + } + + // Update the status + if err := r.Status().Update(ctx, policy); err != nil { + log.Error(err, "Failed to update HeaderPropagationPolicy status") + return ctrl.Result{}, err + } + + log.Info("Reconciled HeaderPropagationPolicy", + "appliedToPods", matchedPods, + "pendingPods", pendingPods, + "totalWithSidecar", totalSelectorMatches, + "selector", selector.String(), + "statusChanged", statusChanged) + + // Determine requeue strategy based on current state + // + // Event-driven reconciliation handles most changes (pod create/delete/update), + // but periodic requeue is needed for edge cases: + // 1. Pod phase transitions (Pending -> Running) may not trigger events + // 2. Pods created in other namespaces that match a cluster-wide policy + // 3. Recovery from controller restarts + // + // Optimization: Only requeue when there's a reason to check again + if pendingPods > 0 { + // Pods are starting up, check again soon + return ctrl.Result{RequeueAfter: RequeueAfterPendingPods}, nil + } + + if matchedPods == 0 && totalSelectorMatches == 0 { + // No matching pods at all - periodic check as fallback + // This catches pods created outside our watch events + return ctrl.Result{RequeueAfter: RequeueAfterNoMatches}, nil + } + + // Pods are running and stable - rely on event-driven reconciliation + // No periodic requeue needed; pod events will trigger reconciliation + return ctrl.Result{}, nil +} + +// setReadyCondition sets the Ready condition on the policy +func (r *HeaderPropagationPolicyReconciler) setReadyCondition(_ context.Context, policy *ctxforgev1alpha1.HeaderPropagationPolicy, status metav1.ConditionStatus, reason, message string) { + condition := metav1.Condition{ + Type: ConditionTypeReady, + Status: status, + ObservedGeneration: policy.Generation, + LastTransitionTime: metav1.Now(), + Reason: reason, + Message: message, + } + meta.SetStatusCondition(&policy.Status.Conditions, condition) +} + +// findPoliciesForPod returns a list of reconcile requests for all policies +// that might apply to the given pod based on namespace matching. +// This enables the controller to react when pods are created, updated, or deleted. +func (r *HeaderPropagationPolicyReconciler) findPoliciesForPod(ctx context.Context, obj client.Object) []reconcile.Request { + log := logf.FromContext(ctx) + pod, ok := obj.(*corev1.Pod) + if !ok { + return nil + } + + // List all policies in the pod's namespace + policyList := &ctxforgev1alpha1.HeaderPropagationPolicyList{} + if err := r.List(ctx, policyList, client.InNamespace(pod.Namespace)); err != nil { + log.Error(err, "Failed to list HeaderPropagationPolicies for pod", "pod", pod.Name) + return nil + } + + // Build reconcile requests for policies whose selector matches this pod + var requests []reconcile.Request + for _, policy := range policyList.Items { + var selector labels.Selector + var err error + if policy.Spec.PodSelector != nil { + selector, err = metav1.LabelSelectorAsSelector(policy.Spec.PodSelector) + if err != nil { + continue + } + } else { + selector = labels.Everything() + } + + if selector.Matches(labels.Set(pod.Labels)) { + requests = append(requests, reconcile.Request{ + NamespacedName: client.ObjectKeyFromObject(&policy), + }) + } + } + + return requests +} + +// SetupWithManager sets up the controller with the Manager. +func (r *HeaderPropagationPolicyReconciler) SetupWithManager(mgr ctrl.Manager) error { + return ctrl.NewControllerManagedBy(mgr). + For(&ctxforgev1alpha1.HeaderPropagationPolicy{}). + Watches( + &corev1.Pod{}, + handler.EnqueueRequestsFromMapFunc(r.findPoliciesForPod), + ). + Named("headerpropagationpolicy"). + Complete(r) +} diff --git a/internal/controller/headerpropagationpolicy_controller_test.go b/internal/controller/headerpropagationpolicy_controller_test.go new file mode 100644 index 0000000..75dda63 --- /dev/null +++ b/internal/controller/headerpropagationpolicy_controller_test.go @@ -0,0 +1,259 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controller + +import ( + "context" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + ctxforgev1alpha1 "github.com/bgruszka/contextforge/api/v1alpha1" +) + +var _ = Describe("HeaderPropagationPolicy Controller", func() { + Context("When reconciling a resource", func() { + const resourceName = "test-resource" + + ctx := context.Background() + + typeNamespacedName := types.NamespacedName{ + Name: resourceName, + Namespace: "default", + } + + BeforeEach(func() { + By("creating the custom resource for the Kind HeaderPropagationPolicy") + headerpropagationpolicy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + err := k8sClient.Get(ctx, typeNamespacedName, headerpropagationpolicy) + if err != nil && errors.IsNotFound(err) { + resource := &ctxforgev1alpha1.HeaderPropagationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: resourceName, + Namespace: "default", + }, + Spec: ctxforgev1alpha1.HeaderPropagationPolicySpec{ + PropagationRules: []ctxforgev1alpha1.PropagationRule{ + { + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-request-id"}, + }, + }, + }, + }, + } + Expect(k8sClient.Create(ctx, resource)).To(Succeed()) + } + }) + + AfterEach(func() { + resource := &ctxforgev1alpha1.HeaderPropagationPolicy{} + err := k8sClient.Get(ctx, typeNamespacedName, resource) + if err == nil { + By("Cleanup the specific resource instance HeaderPropagationPolicy") + Expect(k8sClient.Delete(ctx, resource)).To(Succeed()) + } + + // Clean up any pods created during tests + podList := &corev1.PodList{} + Expect(k8sClient.List(ctx, podList, client.InNamespace("default"))).To(Succeed()) + for _, pod := range podList.Items { + _ = k8sClient.Delete(ctx, &pod) + } + }) + + It("should successfully reconcile the resource with no matching pods", func() { + By("Reconciling the created resource") + controllerReconciler := &HeaderPropagationPolicyReconciler{ + Client: k8sClient, + Scheme: k8sClient.Scheme(), + } + + result, err := controllerReconciler.Reconcile(ctx, reconcile.Request{ + NamespacedName: typeNamespacedName, + }) + Expect(err).NotTo(HaveOccurred()) + // No matching pods - should requeue to check periodically + Expect(result.RequeueAfter).To(Equal(RequeueAfterNoMatches)) + + By("Verifying the status was updated") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + Expect(k8sClient.Get(ctx, typeNamespacedName, policy)).To(Succeed()) + Expect(policy.Status.AppliedToPods).To(Equal(int32(0))) + Expect(policy.Status.ObservedGeneration).To(Equal(policy.Generation)) + + By("Verifying the Ready condition is False due to no matching pods") + readyCondition := meta.FindStatusCondition(policy.Status.Conditions, ConditionTypeReady) + Expect(readyCondition).NotTo(BeNil()) + Expect(readyCondition.Status).To(Equal(metav1.ConditionFalse)) + Expect(readyCondition.Reason).To(Equal("NoMatchingPods")) + }) + + It("should return no error for deleted resource", func() { + By("Deleting the resource first") + resource := &ctxforgev1alpha1.HeaderPropagationPolicy{} + Expect(k8sClient.Get(ctx, typeNamespacedName, resource)).To(Succeed()) + Expect(k8sClient.Delete(ctx, resource)).To(Succeed()) + + By("Waiting for deletion to complete") + Eventually(func() bool { + err := k8sClient.Get(ctx, typeNamespacedName, resource) + return errors.IsNotFound(err) + }, time.Second*5, time.Millisecond*100).Should(BeTrue()) + + By("Reconciling the deleted resource") + controllerReconciler := &HeaderPropagationPolicyReconciler{ + Client: k8sClient, + Scheme: k8sClient.Scheme(), + } + + result, err := controllerReconciler.Reconcile(ctx, reconcile.Request{ + NamespacedName: typeNamespacedName, + }) + Expect(err).NotTo(HaveOccurred()) + Expect(result.RequeueAfter).To(BeZero()) + }) + }) + + Context("When reconciling with pods matching the selector", func() { + const policyName = "test-policy-with-pods" + const podName = "test-pod-with-sidecar" + + ctx := context.Background() + + policyNamespacedName := types.NamespacedName{ + Name: policyName, + Namespace: "default", + } + + BeforeEach(func() { + By("creating a policy with a pod selector") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: policyName, + Namespace: "default", + }, + Spec: ctxforgev1alpha1.HeaderPropagationPolicySpec{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "test-app", + }, + }, + PropagationRules: []ctxforgev1alpha1.PropagationRule{ + { + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-request-id"}, + }, + }, + }, + }, + } + Expect(k8sClient.Create(ctx, policy)).To(Succeed()) + + By("creating a pod with the contextforge-proxy sidecar") + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + Namespace: "default", + Labels: map[string]string{ + "app": "test-app", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "main-app", + Image: "nginx:latest", + Resources: corev1.ResourceRequirements{ + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("10m"), + corev1.ResourceMemory: resource.MustParse("10Mi"), + }, + }, + }, + { + Name: "ctxforge-proxy", + Image: "ghcr.io/bgruszka/contextforge-proxy:0.1.0", + Resources: corev1.ResourceRequirements{ + Requests: corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("10m"), + corev1.ResourceMemory: resource.MustParse("10Mi"), + }, + }, + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + By("updating pod status to Running") + pod.Status.Phase = corev1.PodRunning + Expect(k8sClient.Status().Update(ctx, pod)).To(Succeed()) + }) + + AfterEach(func() { + By("cleaning up the policy") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + if err := k8sClient.Get(ctx, policyNamespacedName, policy); err == nil { + Expect(k8sClient.Delete(ctx, policy)).To(Succeed()) + } + + By("cleaning up the pod") + pod := &corev1.Pod{} + podNamespacedName := types.NamespacedName{Name: podName, Namespace: "default"} + if err := k8sClient.Get(ctx, podNamespacedName, pod); err == nil { + Expect(k8sClient.Delete(ctx, pod)).To(Succeed()) + } + }) + + It("should count matching pods with sidecar", func() { + By("Reconciling the policy") + controllerReconciler := &HeaderPropagationPolicyReconciler{ + Client: k8sClient, + Scheme: k8sClient.Scheme(), + } + + result, err := controllerReconciler.Reconcile(ctx, reconcile.Request{ + NamespacedName: policyNamespacedName, + }) + Expect(err).NotTo(HaveOccurred()) + // Running pods - no requeue needed, rely on event-driven reconciliation + Expect(result.RequeueAfter).To(BeZero()) + + By("Verifying the status shows 1 applied pod") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + Expect(k8sClient.Get(ctx, policyNamespacedName, policy)).To(Succeed()) + Expect(policy.Status.AppliedToPods).To(Equal(int32(1))) + + By("Verifying the Ready condition is True") + readyCondition := meta.FindStatusCondition(policy.Status.Conditions, ConditionTypeReady) + Expect(readyCondition).NotTo(BeNil()) + Expect(readyCondition.Status).To(Equal(metav1.ConditionTrue)) + Expect(readyCondition.Reason).To(Equal("PolicyApplied")) + }) + }) +}) diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go new file mode 100644 index 0000000..fb8b1a3 --- /dev/null +++ b/internal/controller/suite_test.go @@ -0,0 +1,116 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controller + +import ( + "context" + "os" + "path/filepath" + "testing" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + ctxforgev1alpha1 "github.com/bgruszka/contextforge/api/v1alpha1" + // +kubebuilder:scaffold:imports +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. + +var ( + ctx context.Context + cancel context.CancelFunc + testEnv *envtest.Environment + cfg *rest.Config + k8sClient client.Client +) + +func TestControllers(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Controller Suite") +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + ctx, cancel = context.WithCancel(context.TODO()) + + var err error + err = ctxforgev1alpha1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + // +kubebuilder:scaffold:scheme + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: true, + } + + // Retrieve the first found binary directory to allow running tests from IDEs + if getFirstFoundEnvTestBinaryDir() != "" { + testEnv.BinaryAssetsDirectory = getFirstFoundEnvTestBinaryDir() + } + + // cfg is defined in this file globally. + cfg, err = testEnv.Start() + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) +}) + +var _ = AfterSuite(func() { + By("tearing down the test environment") + cancel() + err := testEnv.Stop() + Expect(err).NotTo(HaveOccurred()) +}) + +// getFirstFoundEnvTestBinaryDir locates the first binary in the specified path. +// ENVTEST-based tests depend on specific binaries, usually located in paths set by +// controller-runtime. When running tests directly (e.g., via an IDE) without using +// Makefile targets, the 'BinaryAssetsDirectory' must be explicitly configured. +// +// This function streamlines the process by finding the required binaries, similar to +// setting the 'KUBEBUILDER_ASSETS' environment variable. To ensure the binaries are +// properly set up, run 'make setup-envtest' beforehand. +func getFirstFoundEnvTestBinaryDir() string { + basePath := filepath.Join("..", "..", "bin", "k8s") + entries, err := os.ReadDir(basePath) + if err != nil { + logf.Log.Error(err, "Failed to read directory", "path", basePath) + return "" + } + for _, entry := range entries { + if entry.IsDir() { + return filepath.Join(basePath, entry.Name()) + } + } + return "" +} diff --git a/internal/generator/generator.go b/internal/generator/generator.go new file mode 100644 index 0000000..43899f1 --- /dev/null +++ b/internal/generator/generator.go @@ -0,0 +1,134 @@ +// Package generator provides header value generators for the ContextForge proxy. +package generator + +import ( + "fmt" + "math/rand" + "sync" + "time" + + "github.com/google/uuid" +) + +// Type represents the type of header value generator. +type Type string + +const ( + // TypeUUID generates a UUID v4 value. + TypeUUID Type = "uuid" + // TypeULID generates a ULID value. + TypeULID Type = "ulid" + // TypeTimestamp generates an RFC3339 timestamp. + TypeTimestamp Type = "timestamp" +) + +// Generator generates header values. +type Generator interface { + Generate() string +} + +// UUIDGenerator generates UUID v4 values. +type UUIDGenerator struct{} + +// Generate returns a new UUID v4 string. +func (g *UUIDGenerator) Generate() string { + return uuid.New().String() +} + +// ULIDGenerator generates ULID values. +// ULID is a Universally Unique Lexicographically Sortable Identifier. +type ULIDGenerator struct { + mu sync.Mutex + rand *rand.Rand +} + +// NewULIDGenerator creates a new ULID generator. +func NewULIDGenerator() *ULIDGenerator { + return &ULIDGenerator{ + rand: rand.New(rand.NewSource(time.Now().UnixNano())), + } +} + +// Generate returns a new ULID string. +// ULID format: 26 character string (10 chars timestamp + 16 chars randomness) +// Example: 01ARZ3NDEKTSV4RRFFQ69G5FAV +func (g *ULIDGenerator) Generate() string { + g.mu.Lock() + defer g.mu.Unlock() + + t := time.Now().UTC() + return encodeULID(t, g.rand) +} + +// TimestampGenerator generates RFC3339 timestamp values. +type TimestampGenerator struct{} + +// Generate returns the current time as an RFC3339 string. +func (g *TimestampGenerator) Generate() string { + return time.Now().UTC().Format(time.RFC3339Nano) +} + +// New creates a generator for the specified type. +// Returns an error if the type is not recognized. +func New(genType Type) (Generator, error) { + switch genType { + case TypeUUID: + return &UUIDGenerator{}, nil + case TypeULID: + return NewULIDGenerator(), nil + case TypeTimestamp: + return &TimestampGenerator{}, nil + default: + return nil, fmt.Errorf("unknown generator type: %s (valid types: uuid, ulid, timestamp)", genType) + } +} + +// Crockford's Base32 encoding alphabet (excludes I, L, O, U to avoid confusion) +const crockfordAlphabet = "0123456789ABCDEFGHJKMNPQRSTVWXYZ" + +// encodeULID generates a ULID from timestamp and random source. +// ULID specification: https://github.com/ulid/spec +func encodeULID(t time.Time, r *rand.Rand) string { + // ULID is 26 characters: 10 for timestamp (48-bit ms), 16 for randomness (80-bit) + ulid := make([]byte, 26) + + // Encode timestamp (48-bit milliseconds since Unix epoch) + ms := uint64(t.UnixMilli()) + + // Timestamp encoding (10 characters, 5 bits each = 50 bits, but only use 48) + ulid[0] = crockfordAlphabet[(ms>>45)&0x1F] + ulid[1] = crockfordAlphabet[(ms>>40)&0x1F] + ulid[2] = crockfordAlphabet[(ms>>35)&0x1F] + ulid[3] = crockfordAlphabet[(ms>>30)&0x1F] + ulid[4] = crockfordAlphabet[(ms>>25)&0x1F] + ulid[5] = crockfordAlphabet[(ms>>20)&0x1F] + ulid[6] = crockfordAlphabet[(ms>>15)&0x1F] + ulid[7] = crockfordAlphabet[(ms>>10)&0x1F] + ulid[8] = crockfordAlphabet[(ms>>5)&0x1F] + ulid[9] = crockfordAlphabet[ms&0x1F] + + // Randomness encoding (16 characters, 5 bits each = 80 bits) + // Generate 10 bytes (80 bits) of randomness + randomBytes := make([]byte, 10) + r.Read(randomBytes) + + // Encode randomness using Crockford's Base32 + ulid[10] = crockfordAlphabet[(randomBytes[0]>>3)&0x1F] + ulid[11] = crockfordAlphabet[((randomBytes[0]<<2)|(randomBytes[1]>>6))&0x1F] + ulid[12] = crockfordAlphabet[(randomBytes[1]>>1)&0x1F] + ulid[13] = crockfordAlphabet[((randomBytes[1]<<4)|(randomBytes[2]>>4))&0x1F] + ulid[14] = crockfordAlphabet[((randomBytes[2]<<1)|(randomBytes[3]>>7))&0x1F] + ulid[15] = crockfordAlphabet[(randomBytes[3]>>2)&0x1F] + ulid[16] = crockfordAlphabet[((randomBytes[3]<<3)|(randomBytes[4]>>5))&0x1F] + ulid[17] = crockfordAlphabet[randomBytes[4]&0x1F] + ulid[18] = crockfordAlphabet[(randomBytes[5]>>3)&0x1F] + ulid[19] = crockfordAlphabet[((randomBytes[5]<<2)|(randomBytes[6]>>6))&0x1F] + ulid[20] = crockfordAlphabet[(randomBytes[6]>>1)&0x1F] + ulid[21] = crockfordAlphabet[((randomBytes[6]<<4)|(randomBytes[7]>>4))&0x1F] + ulid[22] = crockfordAlphabet[((randomBytes[7]<<1)|(randomBytes[8]>>7))&0x1F] + ulid[23] = crockfordAlphabet[(randomBytes[8]>>2)&0x1F] + ulid[24] = crockfordAlphabet[((randomBytes[8]<<3)|(randomBytes[9]>>5))&0x1F] + ulid[25] = crockfordAlphabet[randomBytes[9]&0x1F] + + return string(ulid) +} diff --git a/internal/generator/generator_test.go b/internal/generator/generator_test.go new file mode 100644 index 0000000..3529d02 --- /dev/null +++ b/internal/generator/generator_test.go @@ -0,0 +1,141 @@ +package generator + +import ( + "regexp" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestUUIDGenerator(t *testing.T) { + gen := &UUIDGenerator{} + + // UUID v4 pattern: 8-4-4-4-12 hex digits + uuidPattern := regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`) + + for i := 0; i < 100; i++ { + value := gen.Generate() + assert.Regexp(t, uuidPattern, value, "Generated value should be a valid UUID v4") + } + + // Test uniqueness + values := make(map[string]bool) + for i := 0; i < 1000; i++ { + value := gen.Generate() + assert.False(t, values[value], "UUIDs should be unique") + values[value] = true + } +} + +func TestULIDGenerator(t *testing.T) { + gen := NewULIDGenerator() + + // ULID pattern: 26 characters from Crockford's Base32 + ulidPattern := regexp.MustCompile(`^[0-9A-HJKMNP-TV-Z]{26}$`) + + for i := 0; i < 100; i++ { + value := gen.Generate() + assert.Len(t, value, 26, "ULID should be 26 characters") + assert.Regexp(t, ulidPattern, value, "Generated value should be a valid ULID") + } + + // Test uniqueness + values := make(map[string]bool) + for i := 0; i < 1000; i++ { + value := gen.Generate() + assert.False(t, values[value], "ULIDs should be unique") + values[value] = true + } + + // Test lexicographic ordering (ULIDs generated later should be greater) + ulid1 := gen.Generate() + time.Sleep(2 * time.Millisecond) + ulid2 := gen.Generate() + assert.Greater(t, ulid2, ulid1, "Later ULID should be lexicographically greater") +} + +func TestTimestampGenerator(t *testing.T) { + gen := &TimestampGenerator{} + + before := time.Now().UTC() + value := gen.Generate() + after := time.Now().UTC() + + // Parse the generated timestamp + parsed, err := time.Parse(time.RFC3339Nano, value) + require.NoError(t, err, "Generated value should be a valid RFC3339Nano timestamp") + + // Check that the timestamp is within the expected range + assert.True(t, !parsed.Before(before.Truncate(time.Nanosecond)), "Timestamp should not be before the test start") + assert.True(t, !parsed.After(after.Add(time.Millisecond)), "Timestamp should not be after the test end") +} + +func TestNew(t *testing.T) { + tests := []struct { + name string + genType Type + expectError bool + }{ + { + name: "uuid generator", + genType: TypeUUID, + expectError: false, + }, + { + name: "ulid generator", + genType: TypeULID, + expectError: false, + }, + { + name: "timestamp generator", + genType: TypeTimestamp, + expectError: false, + }, + { + name: "unknown generator type", + genType: Type("unknown"), + expectError: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + gen, err := New(tt.genType) + if tt.expectError { + assert.Error(t, err) + assert.Nil(t, gen) + } else { + assert.NoError(t, err) + assert.NotNil(t, gen) + // Verify the generator works + value := gen.Generate() + assert.NotEmpty(t, value) + } + }) + } +} + +func TestULIDGeneratorConcurrency(t *testing.T) { + gen := NewULIDGenerator() + values := make(chan string, 1000) + + // Generate ULIDs concurrently + for i := 0; i < 10; i++ { + go func() { + for j := 0; j < 100; j++ { + values <- gen.Generate() + } + }() + } + + // Collect all values + seen := make(map[string]bool) + for i := 0; i < 1000; i++ { + value := <-values + assert.Len(t, value, 26, "ULID should be 26 characters") + assert.False(t, seen[value], "ULIDs should be unique even under concurrent access") + seen[value] = true + } +} diff --git a/internal/handler/proxy.go b/internal/handler/proxy.go new file mode 100644 index 0000000..faa12de --- /dev/null +++ b/internal/handler/proxy.go @@ -0,0 +1,182 @@ +// Package handler provides HTTP handlers for the ContextForge proxy. +package handler + +import ( + "context" + "fmt" + "net/http" + "net/http/httputil" + "net/url" + "strings" + "time" + + "github.com/bgruszka/contextforge/internal/config" + "github.com/bgruszka/contextforge/internal/generator" + "github.com/bgruszka/contextforge/internal/metrics" + "github.com/rs/zerolog/log" +) + +// contextKey is a custom type for context keys to avoid collisions. +type contextKey string + +// ContextKeyHeaders is the key used to store propagated headers in the request context. +const ContextKeyHeaders contextKey = "ctxforge-headers" + +// headerGenerator holds a generator instance for a header rule. +type headerGenerator struct { + rule config.HeaderRule + generator generator.Generator +} + +// ProxyHandler handles incoming HTTP requests, extracts configured headers, +// stores them in the request context, and forwards the request to the target application. +type ProxyHandler struct { + config *config.ProxyConfig + reverseProxy *httputil.ReverseProxy + headers []string + rules []config.HeaderRule + generators map[string]headerGenerator // header name -> generator +} + +// NewProxyHandler creates a new ProxyHandler with the given configuration. +// Returns an error if the target host URL is invalid. +func NewProxyHandler(cfg *config.ProxyConfig) (*ProxyHandler, error) { + targetURL, err := url.Parse("http://" + cfg.TargetHost) + if err != nil { + return nil, fmt.Errorf("failed to parse target host URL %q: %w", cfg.TargetHost, err) + } + + transport := NewHeaderPropagatingTransport(cfg.HeadersToPropagate, http.DefaultTransport) + + proxy := httputil.NewSingleHostReverseProxy(targetURL) + proxy.Transport = transport + + originalDirector := proxy.Director + proxy.Director = func(req *http.Request) { + originalDirector(req) + } + + proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) { + log.Error(). + Err(err). + Str("method", r.Method). + Str("path", r.URL.Path). + Msg("Proxy error forwarding request") + w.WriteHeader(http.StatusBadGateway) + } + + // Initialize generators for rules that have generation enabled + generators := make(map[string]headerGenerator) + for _, rule := range cfg.HeaderRules { + if rule.Generate { + gen, err := generator.New(rule.GeneratorType) + if err != nil { + return nil, fmt.Errorf("failed to create generator for header %q: %w", rule.Name, err) + } + generators[http.CanonicalHeaderKey(rule.Name)] = headerGenerator{ + rule: rule, + generator: gen, + } + log.Info(). + Str("header", rule.Name). + Str("type", string(rule.GeneratorType)). + Msg("Header generator initialized") + } + } + + return &ProxyHandler{ + config: cfg, + reverseProxy: proxy, + headers: cfg.HeadersToPropagate, + rules: cfg.HeaderRules, + generators: generators, + }, nil +} + +// ServeHTTP implements the http.Handler interface. +// It extracts configured headers, stores them in context, and forwards to the target. +func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { + start := time.Now() + metrics.ActiveConnections.Inc() + defer metrics.ActiveConnections.Dec() + + headerMap := h.extractHeaders(r) + + // Record propagated headers metric + if len(headerMap) > 0 { + metrics.RecordHeadersPropagated(len(headerMap)) + } + + ctx := context.WithValue(r.Context(), ContextKeyHeaders, headerMap) + r = r.WithContext(ctx) + + if log.Debug().Enabled() { + log.Debug(). + Str("method", r.Method). + Str("path", r.URL.Path). + Str("remote_addr", r.RemoteAddr). + Interface("propagated_headers", headerMap). + Msg("Proxying request") + } + + // Wrap response writer to capture status code + rw := metrics.NewResponseWriter(w) + h.reverseProxy.ServeHTTP(rw, r) + + // Record request metrics + duration := time.Since(start) + metrics.RecordRequest(r.Method, rw.StatusCode, duration) +} + +// extractHeaders extracts the configured headers from the incoming request. +// Header names are matched case-insensitively. +// If a header is missing and has generation enabled, it will be generated. +// Path and method filtering is applied to determine which rules apply. +func (h *ProxyHandler) extractHeaders(r *http.Request) map[string]string { + headerMap := make(map[string]string) + path := r.URL.Path + method := r.Method + + for _, rule := range h.rules { + // Check if this rule applies to the current request + if !rule.MatchesRequest(path, method) { + continue + } + + canonicalName := http.CanonicalHeaderKey(strings.TrimSpace(rule.Name)) + value := r.Header.Get(canonicalName) + + // If header is missing and generation is enabled, generate it + if value == "" && rule.Generate { + if gen, ok := h.generators[canonicalName]; ok { + value = gen.generator.Generate() + // Also set it on the request for downstream processing + r.Header.Set(canonicalName, value) + if log.Debug().Enabled() { + log.Debug(). + Str("header", canonicalName). + Str("value", value). + Str("type", string(rule.GeneratorType)). + Msg("Generated header value") + } + } + } + + // Add to header map if we have a value and propagation is enabled + if value != "" && rule.Propagate { + headerMap[canonicalName] = value + } + } + + return headerMap +} + +// GetHeadersFromContext retrieves the propagated headers from a request context. +// Returns nil if no headers are found in the context. +func GetHeadersFromContext(ctx context.Context) map[string]string { + headers, ok := ctx.Value(ContextKeyHeaders).(map[string]string) + if !ok { + return nil + } + return headers +} diff --git a/internal/handler/proxy_test.go b/internal/handler/proxy_test.go new file mode 100644 index 0000000..ffadf84 --- /dev/null +++ b/internal/handler/proxy_test.go @@ -0,0 +1,371 @@ +package handler + +import ( + "context" + "io" + "net/http" + "net/http/httptest" + "regexp" + "testing" + "time" + + "github.com/bgruszka/contextforge/internal/config" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +// testConfig creates a valid test configuration with all required fields +func testConfig(targetHost string, headers []string) *config.ProxyConfig { + // Create HeaderRules from headers for the new extractHeaders logic + rules := make([]config.HeaderRule, len(headers)) + for i, h := range headers { + rules[i] = config.HeaderRule{ + Name: h, + Propagate: true, + } + } + return &config.ProxyConfig{ + HeadersToPropagate: headers, + HeaderRules: rules, + TargetHost: targetHost, + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + ReadTimeout: 15 * time.Second, + WriteTimeout: 15 * time.Second, + IdleTimeout: 60 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + TargetDialTimeout: 2 * time.Second, + } +} + +func TestNewProxyHandler(t *testing.T) { + cfg := testConfig("localhost:8080", []string{"x-request-id", "x-dev-id"}) + + handler, err := NewProxyHandler(cfg) + + require.NoError(t, err) + assert.NotNil(t, handler) + assert.Equal(t, cfg, handler.config) + assert.NotNil(t, handler.reverseProxy) + assert.Equal(t, []string{"x-request-id", "x-dev-id"}, handler.headers) +} + +func TestNewProxyHandler_ValidTargetHost(t *testing.T) { + // Test that various valid host formats work + validHosts := []string{ + "localhost:8080", + "127.0.0.1:8080", + "example.com:80", + "service.namespace.svc.cluster.local:8080", + } + + for _, host := range validHosts { + t.Run(host, func(t *testing.T) { + cfg := testConfig(host, []string{"x-request-id"}) + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + assert.NotNil(t, handler) + }) + } +} + +func TestProxyHandler_ExtractHeaders(t *testing.T) { + cfg := testConfig("localhost:8080", []string{"x-request-id", "x-dev-id", "x-tenant-id"}) + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + req := httptest.NewRequest(http.MethodGet, "/test", nil) + req.Header.Set("X-Request-Id", "abc123") + req.Header.Set("X-Dev-Id", "john") + req.Header.Set("X-Other-Header", "should-be-ignored") + + headers := handler.extractHeaders(req) + + assert.Len(t, headers, 2) + assert.Equal(t, "abc123", headers["X-Request-Id"]) + assert.Equal(t, "john", headers["X-Dev-Id"]) + assert.NotContains(t, headers, "X-Other-Header") + assert.NotContains(t, headers, "X-Tenant-Id") +} + +func TestProxyHandler_ExtractHeaders_CaseInsensitive(t *testing.T) { + cfg := testConfig("localhost:8080", []string{"X-Request-ID"}) + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + req := httptest.NewRequest(http.MethodGet, "/test", nil) + req.Header.Set("x-request-id", "abc123") + + headers := handler.extractHeaders(req) + + assert.Len(t, headers, 1) + assert.Equal(t, "abc123", headers["X-Request-Id"]) +} + +func TestProxyHandler_ExtractHeaders_EmptyHeaders(t *testing.T) { + cfg := testConfig("localhost:8080", []string{"x-request-id"}) + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + req := httptest.NewRequest(http.MethodGet, "/test", nil) + + headers := handler.extractHeaders(req) + + assert.Empty(t, headers) +} + +func TestProxyHandler_ServeHTTP(t *testing.T) { + targetServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + assert.Equal(t, "abc123", r.Header.Get("X-Request-Id")) + assert.Equal(t, "john", r.Header.Get("X-Dev-Id")) + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte("OK")) + })) + defer targetServer.Close() + + targetHost := targetServer.Listener.Addr().String() + cfg := testConfig(targetHost, []string{"x-request-id", "x-dev-id"}) + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + req := httptest.NewRequest(http.MethodGet, "/test", nil) + req.Header.Set("X-Request-Id", "abc123") + req.Header.Set("X-Dev-Id", "john") + + rr := httptest.NewRecorder() + + handler.ServeHTTP(rr, req) + + assert.Equal(t, http.StatusOK, rr.Code) + body, _ := io.ReadAll(rr.Body) + assert.Equal(t, "OK", string(body)) +} + +func TestGetHeadersFromContext(t *testing.T) { + tests := []struct { + name string + ctx context.Context + expected map[string]string + }{ + { + name: "headers present", + ctx: context.WithValue(context.Background(), ContextKeyHeaders, map[string]string{ + "X-Request-Id": "abc123", + "X-Dev-Id": "john", + }), + expected: map[string]string{ + "X-Request-Id": "abc123", + "X-Dev-Id": "john", + }, + }, + { + name: "headers not present", + ctx: context.Background(), + expected: nil, + }, + { + name: "wrong type in context", + ctx: context.WithValue(context.Background(), ContextKeyHeaders, "invalid"), + expected: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := GetHeadersFromContext(tt.ctx) + if tt.expected == nil { + assert.Nil(t, result) + } else { + require.NotNil(t, result) + assert.Equal(t, tt.expected, result) + } + }) + } +} + +func TestProxyHandler_HeadersPropagatedThroughProxy(t *testing.T) { + var receivedHeaders http.Header + + targetServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + receivedHeaders = r.Header.Clone() + w.WriteHeader(http.StatusOK) + })) + defer targetServer.Close() + + targetHost := targetServer.Listener.Addr().String() + cfg := testConfig(targetHost, []string{"x-request-id", "x-correlation-id", "x-tenant-id"}) + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + req := httptest.NewRequest(http.MethodPost, "/api/v1/users", nil) + req.Header.Set("X-Request-Id", "req-12345") + req.Header.Set("X-Correlation-Id", "corr-67890") + req.Header.Set("X-Tenant-Id", "tenant-abc") + req.Header.Set("Authorization", "Bearer token") + + rr := httptest.NewRecorder() + + handler.ServeHTTP(rr, req) + + assert.Equal(t, http.StatusOK, rr.Code) + assert.Equal(t, "req-12345", receivedHeaders.Get("X-Request-Id")) + assert.Equal(t, "corr-67890", receivedHeaders.Get("X-Correlation-Id")) + assert.Equal(t, "tenant-abc", receivedHeaders.Get("X-Tenant-Id")) + assert.Equal(t, "Bearer token", receivedHeaders.Get("Authorization")) +} + +func TestProxyHandler_HeaderGeneration(t *testing.T) { + cfg := &config.ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + HeaderRules: []config.HeaderRule{ + { + Name: "x-request-id", + Generate: true, + GeneratorType: "uuid", + Propagate: true, + }, + }, + TargetHost: "localhost:8080", + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + ReadTimeout: 15 * time.Second, + WriteTimeout: 15 * time.Second, + IdleTimeout: 60 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + TargetDialTimeout: 2 * time.Second, + } + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + // Request without the header - should be generated + req := httptest.NewRequest(http.MethodGet, "/test", nil) + headers := handler.extractHeaders(req) + + // Should have generated a UUID + assert.Len(t, headers, 1) + assert.NotEmpty(t, headers["X-Request-Id"]) + // UUID format: 8-4-4-4-12 + assert.Regexp(t, `^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`, headers["X-Request-Id"]) +} + +func TestProxyHandler_HeaderGenerationPreservesExisting(t *testing.T) { + cfg := &config.ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + HeaderRules: []config.HeaderRule{ + { + Name: "x-request-id", + Generate: true, + GeneratorType: "uuid", + Propagate: true, + }, + }, + TargetHost: "localhost:8080", + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + ReadTimeout: 15 * time.Second, + WriteTimeout: 15 * time.Second, + IdleTimeout: 60 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + TargetDialTimeout: 2 * time.Second, + } + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + // Request with the header already set - should NOT be overwritten + req := httptest.NewRequest(http.MethodGet, "/test", nil) + req.Header.Set("X-Request-Id", "existing-value") + headers := handler.extractHeaders(req) + + assert.Len(t, headers, 1) + assert.Equal(t, "existing-value", headers["X-Request-Id"]) +} + +func TestProxyHandler_PathFiltering(t *testing.T) { + cfg := &config.ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + HeaderRules: []config.HeaderRule{ + { + Name: "x-request-id", + Propagate: true, + PathRegex: "^/api/.*", + CompiledPathRegex: mustCompileRegex("^/api/.*"), + }, + }, + TargetHost: "localhost:8080", + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + ReadTimeout: 15 * time.Second, + WriteTimeout: 15 * time.Second, + IdleTimeout: 60 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + TargetDialTimeout: 2 * time.Second, + } + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + // Request matching path pattern + reqMatch := httptest.NewRequest(http.MethodGet, "/api/users", nil) + reqMatch.Header.Set("X-Request-Id", "abc123") + headersMatch := handler.extractHeaders(reqMatch) + assert.Len(t, headersMatch, 1) + assert.Equal(t, "abc123", headersMatch["X-Request-Id"]) + + // Request NOT matching path pattern + reqNoMatch := httptest.NewRequest(http.MethodGet, "/health", nil) + reqNoMatch.Header.Set("X-Request-Id", "abc123") + headersNoMatch := handler.extractHeaders(reqNoMatch) + assert.Len(t, headersNoMatch, 0) +} + +func TestProxyHandler_MethodFiltering(t *testing.T) { + cfg := &config.ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + HeaderRules: []config.HeaderRule{ + { + Name: "x-request-id", + Propagate: true, + Methods: []string{"POST", "PUT"}, + }, + }, + TargetHost: "localhost:8080", + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + ReadTimeout: 15 * time.Second, + WriteTimeout: 15 * time.Second, + IdleTimeout: 60 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + TargetDialTimeout: 2 * time.Second, + } + + handler, err := NewProxyHandler(cfg) + require.NoError(t, err) + + // POST request - should propagate + reqPost := httptest.NewRequest(http.MethodPost, "/api/users", nil) + reqPost.Header.Set("X-Request-Id", "abc123") + headersPost := handler.extractHeaders(reqPost) + assert.Len(t, headersPost, 1) + + // GET request - should NOT propagate + reqGet := httptest.NewRequest(http.MethodGet, "/api/users", nil) + reqGet.Header.Set("X-Request-Id", "abc123") + headersGet := handler.extractHeaders(reqGet) + assert.Len(t, headersGet, 0) +} + +func mustCompileRegex(pattern string) *regexp.Regexp { + return regexp.MustCompile(pattern) +} diff --git a/internal/handler/transport.go b/internal/handler/transport.go new file mode 100644 index 0000000..e7bae48 --- /dev/null +++ b/internal/handler/transport.go @@ -0,0 +1,46 @@ +package handler + +import ( + "net/http" + + "github.com/rs/zerolog/log" +) + +// HeaderPropagatingTransport wraps an http.RoundTripper to inject propagated headers +// from the request context into outbound HTTP requests. +type HeaderPropagatingTransport struct { + headers []string + baseTransport http.RoundTripper +} + +// NewHeaderPropagatingTransport creates a new HeaderPropagatingTransport. +func NewHeaderPropagatingTransport(headers []string, base http.RoundTripper) *HeaderPropagatingTransport { + if base == nil { + base = http.DefaultTransport + } + return &HeaderPropagatingTransport{ + headers: headers, + baseTransport: base, + } +} + +// RoundTrip implements the http.RoundTripper interface. +// It retrieves headers from the request context and injects them into the outbound request. +func (t *HeaderPropagatingTransport) RoundTrip(req *http.Request) (*http.Response, error) { + headerMap := GetHeadersFromContext(req.Context()) + + for name, value := range headerMap { + if req.Header.Get(name) == "" { + req.Header.Set(name, value) + if log.Debug().Enabled() { + log.Debug(). + Str("header", name). + Str("value", value). + Str("url", req.URL.String()). + Msg("Injecting header into outbound request") + } + } + } + + return t.baseTransport.RoundTrip(req) +} diff --git a/internal/handler/transport_test.go b/internal/handler/transport_test.go new file mode 100644 index 0000000..2f009c6 --- /dev/null +++ b/internal/handler/transport_test.go @@ -0,0 +1,186 @@ +package handler + +import ( + "context" + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +type mockRoundTripper struct { + fn func(*http.Request) (*http.Response, error) +} + +func (m *mockRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { + return m.fn(req) +} + +func TestNewHeaderPropagatingTransport(t *testing.T) { + headers := []string{"x-request-id", "x-dev-id"} + + transport := NewHeaderPropagatingTransport(headers, nil) + + assert.NotNil(t, transport) + assert.Equal(t, headers, transport.headers) + assert.Equal(t, http.DefaultTransport, transport.baseTransport) +} + +func TestNewHeaderPropagatingTransport_WithCustomBase(t *testing.T) { + headers := []string{"x-request-id"} + customBase := &mockRoundTripper{} + + transport := NewHeaderPropagatingTransport(headers, customBase) + + assert.Equal(t, customBase, transport.baseTransport) +} + +func TestHeaderPropagatingTransport_RoundTrip_InjectsHeaders(t *testing.T) { + headerMap := map[string]string{ + "X-Request-Id": "abc123", + "X-Dev-Id": "john", + } + + ctx := context.WithValue(context.Background(), ContextKeyHeaders, headerMap) + + mockTransport := &mockRoundTripper{ + fn: func(r *http.Request) (*http.Response, error) { + assert.Equal(t, "abc123", r.Header.Get("X-Request-Id")) + assert.Equal(t, "john", r.Header.Get("X-Dev-Id")) + + return &http.Response{ + StatusCode: http.StatusOK, + Body: http.NoBody, + }, nil + }, + } + + transport := NewHeaderPropagatingTransport([]string{"x-request-id", "x-dev-id"}, mockTransport) + + req := httptest.NewRequest(http.MethodGet, "http://example.com/test", nil) + req = req.WithContext(ctx) + + resp, err := transport.RoundTrip(req) + + require.NoError(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) +} + +func TestHeaderPropagatingTransport_RoundTrip_DoesNotOverwriteExisting(t *testing.T) { + headerMap := map[string]string{ + "X-Request-Id": "from-context", + } + + ctx := context.WithValue(context.Background(), ContextKeyHeaders, headerMap) + + mockTransport := &mockRoundTripper{ + fn: func(r *http.Request) (*http.Response, error) { + assert.Equal(t, "already-set", r.Header.Get("X-Request-Id")) + + return &http.Response{ + StatusCode: http.StatusOK, + Body: http.NoBody, + }, nil + }, + } + + transport := NewHeaderPropagatingTransport([]string{"x-request-id"}, mockTransport) + + req := httptest.NewRequest(http.MethodGet, "http://example.com/test", nil) + req.Header.Set("X-Request-Id", "already-set") + req = req.WithContext(ctx) + + resp, err := transport.RoundTrip(req) + + require.NoError(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) +} + +func TestHeaderPropagatingTransport_RoundTrip_NoHeadersInContext(t *testing.T) { + mockTransport := &mockRoundTripper{ + fn: func(r *http.Request) (*http.Response, error) { + assert.Empty(t, r.Header.Get("X-Request-Id")) + + return &http.Response{ + StatusCode: http.StatusOK, + Body: http.NoBody, + }, nil + }, + } + + transport := NewHeaderPropagatingTransport([]string{"x-request-id"}, mockTransport) + + req := httptest.NewRequest(http.MethodGet, "http://example.com/test", nil) + + resp, err := transport.RoundTrip(req) + + require.NoError(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) +} + +func TestHeaderPropagatingTransport_RoundTrip_EmptyHeaderMap(t *testing.T) { + headerMap := map[string]string{} + ctx := context.WithValue(context.Background(), ContextKeyHeaders, headerMap) + + mockTransport := &mockRoundTripper{ + fn: func(r *http.Request) (*http.Response, error) { + return &http.Response{ + StatusCode: http.StatusOK, + Body: http.NoBody, + }, nil + }, + } + + transport := NewHeaderPropagatingTransport([]string{"x-request-id"}, mockTransport) + + req := httptest.NewRequest(http.MethodGet, "http://example.com/test", nil) + req = req.WithContext(ctx) + + resp, err := transport.RoundTrip(req) + + require.NoError(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) +} + +func TestHeaderPropagatingTransport_RoundTrip_MultipleHeaders(t *testing.T) { + headerMap := map[string]string{ + "X-Request-Id": "req-123", + "X-Correlation-Id": "corr-456", + "X-Tenant-Id": "tenant-789", + "X-User-Id": "user-abc", + } + + ctx := context.WithValue(context.Background(), ContextKeyHeaders, headerMap) + + injectedHeaders := make(map[string]string) + mockTransport := &mockRoundTripper{ + fn: func(r *http.Request) (*http.Response, error) { + for key := range headerMap { + injectedHeaders[key] = r.Header.Get(key) + } + return &http.Response{ + StatusCode: http.StatusOK, + Body: http.NoBody, + }, nil + }, + } + + transport := NewHeaderPropagatingTransport( + []string{"x-request-id", "x-correlation-id", "x-tenant-id", "x-user-id"}, + mockTransport, + ) + + req := httptest.NewRequest(http.MethodPost, "http://example.com/api/v1/resource", nil) + req = req.WithContext(ctx) + + resp, err := transport.RoundTrip(req) + + require.NoError(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + for key, expectedValue := range headerMap { + assert.Equal(t, expectedValue, injectedHeaders[key], "Header %s mismatch", key) + } +} diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go new file mode 100644 index 0000000..9c0505d --- /dev/null +++ b/internal/metrics/metrics.go @@ -0,0 +1,98 @@ +// Package metrics provides Prometheus metrics for the ContextForge proxy. +package metrics + +import ( + "net/http" + "strconv" + "time" + + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promauto" + "github.com/prometheus/client_golang/prometheus/promhttp" +) + +const ( + namespace = "ctxforge" + subsystem = "proxy" +) + +var ( + // RequestsTotal counts the total number of HTTP requests processed. + RequestsTotal = promauto.NewCounterVec( + prometheus.CounterOpts{ + Namespace: namespace, + Subsystem: subsystem, + Name: "requests_total", + Help: "Total number of HTTP requests processed by the proxy.", + }, + []string{"method", "status"}, + ) + + // RequestDuration tracks the duration of HTTP requests. + RequestDuration = promauto.NewHistogramVec( + prometheus.HistogramOpts{ + Namespace: namespace, + Subsystem: subsystem, + Name: "request_duration_seconds", + Help: "Duration of HTTP requests in seconds.", + Buckets: prometheus.DefBuckets, + }, + []string{"method"}, + ) + + // HeadersPropagatedTotal counts the total number of headers propagated. + HeadersPropagatedTotal = promauto.NewCounter( + prometheus.CounterOpts{ + Namespace: namespace, + Subsystem: subsystem, + Name: "headers_propagated_total", + Help: "Total number of headers propagated to target requests.", + }, + ) + + // ActiveConnections tracks the number of active connections. + ActiveConnections = promauto.NewGauge( + prometheus.GaugeOpts{ + Namespace: namespace, + Subsystem: subsystem, + Name: "active_connections", + Help: "Number of active connections being processed.", + }, + ) +) + +// RecordRequest records metrics for a completed HTTP request. +func RecordRequest(method string, statusCode int, duration time.Duration) { + RequestsTotal.WithLabelValues(method, strconv.Itoa(statusCode)).Inc() + RequestDuration.WithLabelValues(method).Observe(duration.Seconds()) +} + +// RecordHeadersPropagated increments the counter for propagated headers. +func RecordHeadersPropagated(count int) { + HeadersPropagatedTotal.Add(float64(count)) +} + +// Handler returns the Prometheus HTTP handler for exposing metrics. +func Handler() http.Handler { + return promhttp.Handler() +} + +// ResponseWriter wraps http.ResponseWriter to capture the status code. +type ResponseWriter struct { + http.ResponseWriter + StatusCode int +} + +// NewResponseWriter creates a new ResponseWriter wrapper. +func NewResponseWriter(w http.ResponseWriter) *ResponseWriter { + return &ResponseWriter{ + ResponseWriter: w, + StatusCode: http.StatusOK, + } +} + +// WriteHeader captures the status code before writing it. +func (rw *ResponseWriter) WriteHeader(code int) { + rw.StatusCode = code + rw.ResponseWriter.WriteHeader(code) +} diff --git a/internal/metrics/metrics_test.go b/internal/metrics/metrics_test.go new file mode 100644 index 0000000..aa05000 --- /dev/null +++ b/internal/metrics/metrics_test.go @@ -0,0 +1,96 @@ +package metrics + +import ( + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +func TestRecordRequest(t *testing.T) { + // Just verify it doesn't panic + RecordRequest("GET", 200, 100*time.Millisecond) + RecordRequest("POST", 201, 50*time.Millisecond) + RecordRequest("GET", 500, 200*time.Millisecond) +} + +func TestRecordHeadersPropagated(t *testing.T) { + // Just verify it doesn't panic + RecordHeadersPropagated(3) + RecordHeadersPropagated(1) +} + +func TestHandler(t *testing.T) { + handler := Handler() + assert.NotNil(t, handler) + + req := httptest.NewRequest(http.MethodGet, "/metrics", nil) + rr := httptest.NewRecorder() + + handler.ServeHTTP(rr, req) + + assert.Equal(t, http.StatusOK, rr.Code) + assert.Contains(t, rr.Body.String(), "ctxforge_proxy_requests_total") + assert.Contains(t, rr.Body.String(), "ctxforge_proxy_request_duration_seconds") + assert.Contains(t, rr.Body.String(), "ctxforge_proxy_headers_propagated_total") + assert.Contains(t, rr.Body.String(), "ctxforge_proxy_active_connections") +} + +func TestResponseWriter(t *testing.T) { + tests := []struct { + name string + writeHeader bool + statusCode int + expectedStatus int + }{ + { + name: "default status is 200", + writeHeader: false, + expectedStatus: http.StatusOK, + }, + { + name: "captures 201 status", + writeHeader: true, + statusCode: http.StatusCreated, + expectedStatus: http.StatusCreated, + }, + { + name: "captures 404 status", + writeHeader: true, + statusCode: http.StatusNotFound, + expectedStatus: http.StatusNotFound, + }, + { + name: "captures 500 status", + writeHeader: true, + statusCode: http.StatusInternalServerError, + expectedStatus: http.StatusInternalServerError, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + rr := httptest.NewRecorder() + rw := NewResponseWriter(rr) + + if tt.writeHeader { + rw.WriteHeader(tt.statusCode) + } + + assert.Equal(t, tt.expectedStatus, rw.StatusCode) + }) + } +} + +func TestResponseWriter_Write(t *testing.T) { + rr := httptest.NewRecorder() + rw := NewResponseWriter(rr) + + n, err := rw.Write([]byte("hello")) + + assert.NoError(t, err) + assert.Equal(t, 5, n) + assert.Equal(t, "hello", rr.Body.String()) +} diff --git a/internal/middleware/ratelimit.go b/internal/middleware/ratelimit.go new file mode 100644 index 0000000..508aaa7 --- /dev/null +++ b/internal/middleware/ratelimit.go @@ -0,0 +1,51 @@ +// Package middleware provides HTTP middleware components for the ContextForge proxy. +package middleware + +import ( + "net/http" + + "golang.org/x/time/rate" +) + +// RateLimiter is an HTTP middleware that limits requests using a token bucket algorithm. +type RateLimiter struct { + limiter *rate.Limiter + enabled bool +} + +// NewRateLimiter creates a new rate limiter middleware. +// If enabled is false, the middleware will pass all requests through without limiting. +// rps is the requests per second limit, burst is the maximum burst size. +func NewRateLimiter(enabled bool, rps float64, burst int) *RateLimiter { + return &RateLimiter{ + limiter: rate.NewLimiter(rate.Limit(rps), burst), + enabled: enabled, + } +} + +// Middleware returns an HTTP middleware function that applies rate limiting. +// When the rate limit is exceeded, it returns HTTP 429 Too Many Requests. +func (rl *RateLimiter) Middleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if !rl.enabled { + next.ServeHTTP(w, r) + return + } + + if !rl.limiter.Allow() { + http.Error(w, "Too Many Requests", http.StatusTooManyRequests) + return + } + + next.ServeHTTP(w, r) + }) +} + +// Allow checks if a request is allowed under the current rate limit. +// Returns true if allowed, false if rate limited. +func (rl *RateLimiter) Allow() bool { + if !rl.enabled { + return true + } + return rl.limiter.Allow() +} diff --git a/internal/middleware/ratelimit_test.go b/internal/middleware/ratelimit_test.go new file mode 100644 index 0000000..f8477ab --- /dev/null +++ b/internal/middleware/ratelimit_test.go @@ -0,0 +1,142 @@ +package middleware + +import ( + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestNewRateLimiter(t *testing.T) { + rl := NewRateLimiter(true, 100, 10) + assert.NotNil(t, rl) + assert.True(t, rl.enabled) + assert.NotNil(t, rl.limiter) +} + +func TestRateLimiter_Disabled(t *testing.T) { + rl := NewRateLimiter(false, 1, 1) + + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + // Should allow all requests when disabled + for i := 0; i < 100; i++ { + req := httptest.NewRequest(http.MethodGet, "/", nil) + rr := httptest.NewRecorder() + + rl.Middleware(handler).ServeHTTP(rr, req) + assert.Equal(t, http.StatusOK, rr.Code, "Request %d should succeed when rate limiting is disabled", i) + } +} + +func TestRateLimiter_AllowsWithinLimit(t *testing.T) { + // Allow 10 requests per second with burst of 10 + rl := NewRateLimiter(true, 10, 10) + + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + // First 10 requests should succeed (burst) + for i := 0; i < 10; i++ { + req := httptest.NewRequest(http.MethodGet, "/", nil) + rr := httptest.NewRecorder() + + rl.Middleware(handler).ServeHTTP(rr, req) + assert.Equal(t, http.StatusOK, rr.Code, "Request %d should succeed within burst limit", i) + } +} + +func TestRateLimiter_RejectsOverLimit(t *testing.T) { + // Very low limit: 1 request per second with burst of 1 + rl := NewRateLimiter(true, 1, 1) + + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + // First request should succeed + req := httptest.NewRequest(http.MethodGet, "/", nil) + rr := httptest.NewRecorder() + rl.Middleware(handler).ServeHTTP(rr, req) + assert.Equal(t, http.StatusOK, rr.Code, "First request should succeed") + + // Second request should be rate limited (immediately after first) + req = httptest.NewRequest(http.MethodGet, "/", nil) + rr = httptest.NewRecorder() + rl.Middleware(handler).ServeHTTP(rr, req) + assert.Equal(t, http.StatusTooManyRequests, rr.Code, "Second request should be rate limited") +} + +func TestRateLimiter_Allow(t *testing.T) { + tests := []struct { + name string + enabled bool + rps float64 + burst int + requests int + wantPass int + }{ + { + name: "disabled allows all", + enabled: false, + rps: 1, + burst: 1, + requests: 10, + wantPass: 10, + }, + { + name: "enabled respects burst", + enabled: true, + rps: 1, + burst: 5, + requests: 10, + wantPass: 5, + }, + { + name: "high burst allows more", + enabled: true, + rps: 1, + burst: 100, + requests: 50, + wantPass: 50, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + rl := NewRateLimiter(tt.enabled, tt.rps, tt.burst) + passed := 0 + for i := 0; i < tt.requests; i++ { + if rl.Allow() { + passed++ + } + } + assert.Equal(t, tt.wantPass, passed) + }) + } +} + +func TestRateLimiter_ResponseBody(t *testing.T) { + rl := NewRateLimiter(true, 1, 1) + + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + // Exhaust the burst + req := httptest.NewRequest(http.MethodGet, "/", nil) + rr := httptest.NewRecorder() + rl.Middleware(handler).ServeHTTP(rr, req) + + // Next request should be rate limited + req = httptest.NewRequest(http.MethodGet, "/", nil) + rr = httptest.NewRecorder() + rl.Middleware(handler).ServeHTTP(rr, req) + + assert.Equal(t, http.StatusTooManyRequests, rr.Code) + assert.Contains(t, rr.Body.String(), "Too Many Requests") +} diff --git a/internal/server/server.go b/internal/server/server.go new file mode 100644 index 0000000..a8f5e0b --- /dev/null +++ b/internal/server/server.go @@ -0,0 +1,141 @@ +// Package server provides the HTTP server for the ContextForge proxy. +package server + +import ( + "context" + "encoding/json" + "fmt" + "net" + "net/http" + "time" + + "github.com/bgruszka/contextforge/internal/config" + "github.com/bgruszka/contextforge/internal/metrics" + "github.com/bgruszka/contextforge/internal/middleware" + "github.com/rs/zerolog/log" +) + +// Server represents the HTTP server for the proxy. +type Server struct { + config *config.ProxyConfig + httpServer *http.Server + mux *http.ServeMux +} + +// HealthResponse represents the JSON response for health check endpoints. +type HealthResponse struct { + Status string `json:"status"` + Timestamp string `json:"timestamp"` +} + +// ReadyResponse represents the JSON response for the readiness endpoint. +type ReadyResponse struct { + Status string `json:"status"` + TargetHost string `json:"targetHost"` + TargetReachable bool `json:"targetReachable"` + Timestamp string `json:"timestamp"` +} + +// NewServer creates a new Server with the given configuration and proxy handler. +func NewServer(cfg *config.ProxyConfig, proxyHandler http.Handler) *Server { + mux := http.NewServeMux() + + mux.HandleFunc("/healthz", healthHandler) + mux.HandleFunc("/ready", readyHandler(cfg.TargetHost, cfg.TargetDialTimeout)) + mux.Handle("/metrics", metrics.Handler()) + + // Apply rate limiting middleware if enabled + rateLimiter := middleware.NewRateLimiter(cfg.RateLimitEnabled, cfg.RateLimitRPS, cfg.RateLimitBurst) + handler := rateLimiter.Middleware(proxyHandler) + + if cfg.RateLimitEnabled { + log.Info(). + Float64("rps", cfg.RateLimitRPS). + Int("burst", cfg.RateLimitBurst). + Msg("Rate limiting enabled") + } + + mux.Handle("/", handler) + + httpServer := &http.Server{ + Addr: fmt.Sprintf(":%d", cfg.ProxyPort), + Handler: mux, + ReadTimeout: cfg.ReadTimeout, + WriteTimeout: cfg.WriteTimeout, + IdleTimeout: cfg.IdleTimeout, + ReadHeaderTimeout: cfg.ReadHeaderTimeout, + } + + return &Server{ + config: cfg, + httpServer: httpServer, + mux: mux, + } +} + +// Start begins listening for HTTP requests. +// This method blocks until the server is shut down or an error occurs. +func (s *Server) Start() error { + log.Info(). + Str("addr", s.httpServer.Addr). + Str("target", s.config.TargetHost). + Strs("headers", s.config.HeadersToPropagate). + Msg("Starting HTTP server") + + return s.httpServer.ListenAndServe() +} + +// Shutdown gracefully shuts down the server with the given context. +func (s *Server) Shutdown(ctx context.Context) error { + log.Info().Msg("Shutting down HTTP server") + return s.httpServer.Shutdown(ctx) +} + +// healthHandler responds with a simple health check status. +func healthHandler(w http.ResponseWriter, r *http.Request) { + response := HealthResponse{ + Status: "healthy", + Timestamp: time.Now().UTC().Format(time.RFC3339), + } + + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(response) +} + +// readyHandler returns a handler that checks if the target host is reachable. +func readyHandler(targetHost string, dialTimeout time.Duration) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + targetReachable := checkTargetReachable(targetHost, dialTimeout) + + response := ReadyResponse{ + Status: "ready", + TargetHost: targetHost, + TargetReachable: targetReachable, + Timestamp: time.Now().UTC().Format(time.RFC3339), + } + + if !targetReachable { + response.Status = "not_ready" + } + + w.Header().Set("Content-Type", "application/json") + if targetReachable { + w.WriteHeader(http.StatusOK) + } else { + w.WriteHeader(http.StatusServiceUnavailable) + } + _ = json.NewEncoder(w).Encode(response) + } +} + +// checkTargetReachable attempts a TCP connection to verify the target is reachable. +func checkTargetReachable(targetHost string, dialTimeout time.Duration) bool { + conn, err := net.DialTimeout("tcp", targetHost, dialTimeout) + if err != nil { + log.Debug().Err(err).Str("target", targetHost).Msg("Target not reachable") + return false + } + _ = conn.Close() + return true +} diff --git a/internal/server/server_test.go b/internal/server/server_test.go new file mode 100644 index 0000000..98fbc61 --- /dev/null +++ b/internal/server/server_test.go @@ -0,0 +1,219 @@ +package server + +import ( + "context" + "encoding/json" + "net" + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/bgruszka/contextforge/internal/config" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +type mockHandler struct{} + +func (m *mockHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte("proxied")) +} + +func TestNewServer(t *testing.T) { + cfg := &config.ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + TargetHost: "localhost:8080", + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + } + + srv := NewServer(cfg, &mockHandler{}) + + assert.NotNil(t, srv) + assert.NotNil(t, srv.httpServer) + assert.NotNil(t, srv.mux) + assert.Equal(t, ":9090", srv.httpServer.Addr) +} + +func TestHealthHandler(t *testing.T) { + req := httptest.NewRequest(http.MethodGet, "/healthz", nil) + rr := httptest.NewRecorder() + + healthHandler(rr, req) + + assert.Equal(t, http.StatusOK, rr.Code) + assert.Equal(t, "application/json", rr.Header().Get("Content-Type")) + + var response HealthResponse + err := json.NewDecoder(rr.Body).Decode(&response) + require.NoError(t, err) + + assert.Equal(t, "healthy", response.Status) + assert.NotEmpty(t, response.Timestamp) + + _, err = time.Parse(time.RFC3339, response.Timestamp) + assert.NoError(t, err, "Timestamp should be in RFC3339 format") +} + +func TestReadyHandler_TargetReachable(t *testing.T) { + listener, err := net.Listen("tcp", "127.0.0.1:0") + require.NoError(t, err) + defer func() { _ = listener.Close() }() + + go func() { + conn, _ := listener.Accept() + if conn != nil { + _ = conn.Close() + } + }() + + targetHost := listener.Addr().String() + + handler := readyHandler(targetHost, 2*time.Second) + req := httptest.NewRequest(http.MethodGet, "/ready", nil) + rr := httptest.NewRecorder() + + handler(rr, req) + + assert.Equal(t, http.StatusOK, rr.Code) + assert.Equal(t, "application/json", rr.Header().Get("Content-Type")) + + var response ReadyResponse + err = json.NewDecoder(rr.Body).Decode(&response) + require.NoError(t, err) + + assert.Equal(t, "ready", response.Status) + assert.Equal(t, targetHost, response.TargetHost) + assert.True(t, response.TargetReachable) +} + +func TestReadyHandler_TargetNotReachable(t *testing.T) { + targetHost := "127.0.0.1:59999" + + handler := readyHandler(targetHost, 2*time.Second) + req := httptest.NewRequest(http.MethodGet, "/ready", nil) + rr := httptest.NewRecorder() + + handler(rr, req) + + assert.Equal(t, http.StatusServiceUnavailable, rr.Code) + + var response ReadyResponse + err := json.NewDecoder(rr.Body).Decode(&response) + require.NoError(t, err) + + assert.Equal(t, "not_ready", response.Status) + assert.Equal(t, targetHost, response.TargetHost) + assert.False(t, response.TargetReachable) +} + +func TestServer_StartAndShutdown(t *testing.T) { + cfg := &config.ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + TargetHost: "localhost:8080", + ProxyPort: 0, + LogLevel: "info", + MetricsPort: 9091, + } + + listener, err := net.Listen("tcp", "127.0.0.1:0") + require.NoError(t, err) + + cfg.ProxyPort = listener.Addr().(*net.TCPAddr).Port + _ = listener.Close() + + srv := NewServer(cfg, &mockHandler{}) + + serverErr := make(chan error, 1) + go func() { + serverErr <- srv.Start() + }() + + time.Sleep(100 * time.Millisecond) + + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + + err = srv.Shutdown(ctx) + assert.NoError(t, err) + + select { + case err := <-serverErr: + assert.Equal(t, http.ErrServerClosed, err) + case <-time.After(5 * time.Second): + t.Fatal("Server did not shut down in time") + } +} + +func TestServer_RoutesRequests(t *testing.T) { + cfg := &config.ProxyConfig{ + HeadersToPropagate: []string{"x-request-id"}, + TargetHost: "localhost:8080", + ProxyPort: 9090, + LogLevel: "info", + MetricsPort: 9091, + } + + srv := NewServer(cfg, &mockHandler{}) + + tests := []struct { + name string + path string + expectedStatus int + expectedBody string + }{ + { + name: "health endpoint", + path: "/healthz", + expectedStatus: http.StatusOK, + }, + { + name: "ready endpoint", + path: "/ready", + expectedStatus: http.StatusServiceUnavailable, + }, + { + name: "proxy route", + path: "/api/v1/test", + expectedStatus: http.StatusOK, + expectedBody: "proxied", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + req := httptest.NewRequest(http.MethodGet, tt.path, nil) + rr := httptest.NewRecorder() + + srv.mux.ServeHTTP(rr, req) + + assert.Equal(t, tt.expectedStatus, rr.Code) + if tt.expectedBody != "" { + assert.Equal(t, tt.expectedBody, rr.Body.String()) + } + }) + } +} + +func TestCheckTargetReachable(t *testing.T) { + listener, err := net.Listen("tcp", "127.0.0.1:0") + require.NoError(t, err) + defer func() { _ = listener.Close() }() + + go func() { + for { + conn, err := listener.Accept() + if err != nil { + return + } + _ = conn.Close() + } + }() + + assert.True(t, checkTargetReachable(listener.Addr().String(), 2*time.Second)) + + assert.False(t, checkTargetReachable("127.0.0.1:59999", 2*time.Second)) +} diff --git a/internal/webhook/v1/pod_webhook.go b/internal/webhook/v1/pod_webhook.go new file mode 100644 index 0000000..055fff1 --- /dev/null +++ b/internal/webhook/v1/pod_webhook.go @@ -0,0 +1,481 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + "context" + "encoding/json" + "fmt" + "os" + "regexp" + "strconv" + "strings" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/intstr" + ctrl "sigs.k8s.io/controller-runtime" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +const ( + // AnnotationEnabled is the annotation key to enable sidecar injection + AnnotationEnabled = "ctxforge.io/enabled" + // AnnotationHeaders is the annotation key for headers to propagate (simple mode) + AnnotationHeaders = "ctxforge.io/headers" + // AnnotationHeaderRules is the annotation key for advanced header rules (JSON format) + AnnotationHeaderRules = "ctxforge.io/header-rules" + // AnnotationTargetPort is the annotation key for the target application port + AnnotationTargetPort = "ctxforge.io/target-port" + // AnnotationInjected marks a pod as already injected + AnnotationInjected = "ctxforge.io/injected" + + // ProxyContainerName is the name of the injected sidecar container + ProxyContainerName = "ctxforge-proxy" + // DefaultProxyImage is the default image for the proxy sidecar + DefaultProxyImage = "ghcr.io/bgruszka/contextforge-proxy:0.1.0" + // DefaultTargetPort is the default port of the application container + DefaultTargetPort = "8080" + // ProxyPort is the port the proxy listens on + ProxyPort = 9090 + + // AnnotationValueTrue is the value "true" used in annotations + AnnotationValueTrue = "true" +) + +var podlog = logf.Log.WithName("pod-webhook") + +// SetupPodWebhookWithManager registers the webhook for Pod in the manager. +func SetupPodWebhookWithManager(mgr ctrl.Manager) error { + return ctrl.NewWebhookManagedBy(mgr).For(&corev1.Pod{}). + WithValidator(&PodCustomValidator{}). + WithDefaulter(&PodCustomDefaulter{ + ProxyImage: getEnvOrDefault("PROXY_IMAGE", DefaultProxyImage), + }). + Complete() +} + +// +kubebuilder:webhook:path=/mutate--v1-pod,mutating=true,failurePolicy=fail,sideEffects=None,groups="",resources=pods,verbs=create,versions=v1,name=mpod-v1.kb.io,admissionReviewVersions=v1 + +// PodCustomDefaulter handles sidecar injection for pods +type PodCustomDefaulter struct { + ProxyImage string +} + +var _ webhook.CustomDefaulter = &PodCustomDefaulter{} + +// Default implements webhook.CustomDefaulter to inject the sidecar +func (d *PodCustomDefaulter) Default(_ context.Context, obj runtime.Object) error { + pod, ok := obj.(*corev1.Pod) + if !ok { + return fmt.Errorf("expected a Pod object but got %T", obj) + } + + if !d.shouldInject(pod) { + return nil + } + + headers := d.extractHeaders(pod) + headerRules := d.extractHeaderRules(pod) + + // Need either headers or header-rules to inject + if len(headers) == 0 && headerRules == "" { + podlog.Info("Skipping injection: no headers or header-rules specified", "pod", pod.Name) + return nil + } + + if d.isAlreadyInjected(pod) { + podlog.Info("Skipping injection: already injected", "pod", pod.Name) + return nil + } + + podlog.Info("Injecting sidecar", "pod", pod.Name, "headers", headers, "hasHeaderRules", headerRules != "") + + d.injectSidecar(pod, headers, headerRules) + d.modifyAppContainers(pod) + d.markAsInjected(pod) + + return nil +} + +// shouldInject checks if the pod should have sidecar injection +func (d *PodCustomDefaulter) shouldInject(pod *corev1.Pod) bool { + if pod.Annotations == nil { + return false + } + enabled, ok := pod.Annotations[AnnotationEnabled] + return ok && enabled == AnnotationValueTrue +} + +// extractHeaders parses the headers annotation +func (d *PodCustomDefaulter) extractHeaders(pod *corev1.Pod) []string { + if pod.Annotations == nil { + return nil + } + headersStr, ok := pod.Annotations[AnnotationHeaders] + if !ok || headersStr == "" { + return nil + } + + parts := strings.Split(headersStr, ",") + headers := make([]string, 0, len(parts)) + for _, part := range parts { + header := strings.TrimSpace(part) + if header != "" { + headers = append(headers, header) + } + } + return headers +} + +// extractHeaderRules extracts the header-rules annotation for advanced configuration +func (d *PodCustomDefaulter) extractHeaderRules(pod *corev1.Pod) string { + if pod.Annotations == nil { + return "" + } + headerRules, ok := pod.Annotations[AnnotationHeaderRules] + if !ok { + return "" + } + return strings.TrimSpace(headerRules) +} + +// isAlreadyInjected checks if the sidecar is already present +func (d *PodCustomDefaulter) isAlreadyInjected(pod *corev1.Pod) bool { + if pod.Annotations != nil { + if _, ok := pod.Annotations[AnnotationInjected]; ok { + return true + } + } + for _, container := range pod.Spec.Containers { + if container.Name == ProxyContainerName { + return true + } + } + return false +} + +// injectSidecar adds the proxy container to the pod +func (d *PodCustomDefaulter) injectSidecar(pod *corev1.Pod, headers []string, headerRules string) { + targetPort := DefaultTargetPort + if pod.Annotations != nil { + if port, ok := pod.Annotations[AnnotationTargetPort]; ok && port != "" { + if err := validateTargetPort(port); err != nil { + podlog.Error(err, "Invalid target port annotation, using default", + "pod", pod.Name, "port", port, "default", DefaultTargetPort) + } else { + targetPort = port + } + } + } + + // Build environment variables + envVars := []corev1.EnvVar{ + { + Name: "TARGET_HOST", + Value: fmt.Sprintf("localhost:%s", targetPort), + }, + { + Name: "PROXY_PORT", + Value: fmt.Sprintf("%d", ProxyPort), + }, + { + Name: "LOG_LEVEL", + Value: "info", + }, + { + Name: "LOG_FORMAT", + Value: "json", + }, + } + + // Add HEADER_RULES if specified (takes precedence for advanced config) + if headerRules != "" { + envVars = append(envVars, corev1.EnvVar{ + Name: "HEADER_RULES", + Value: headerRules, + }) + } + + // Add HEADERS_TO_PROPAGATE if specified (simple mode, or as fallback) + if len(headers) > 0 { + envVars = append(envVars, corev1.EnvVar{ + Name: "HEADERS_TO_PROPAGATE", + Value: strings.Join(headers, ","), + }) + } + + sidecar := corev1.Container{ + Name: ProxyContainerName, + Image: d.ProxyImage, + ImagePullPolicy: corev1.PullIfNotPresent, + Ports: []corev1.ContainerPort{ + { + Name: "http", + ContainerPort: ProxyPort, + Protocol: corev1.ProtocolTCP, + }, + }, + Env: envVars, + // Resource limits sized for typical API proxy workloads (~100-500 RPS per pod). + // Memory: 64Mi request handles Go runtime + connection pools; 256Mi limit provides headroom for traffic spikes. + // CPU: 50m request for baseline; 500m limit allows burst during high concurrency. + // For high-traffic deployments (>1000 RPS), increase limits via Helm values or annotations. + Resources: corev1.ResourceRequirements{ + Requests: corev1.ResourceList{ + corev1.ResourceMemory: resource.MustParse("64Mi"), + corev1.ResourceCPU: resource.MustParse("50m"), + }, + Limits: corev1.ResourceList{ + corev1.ResourceMemory: resource.MustParse("256Mi"), + corev1.ResourceCPU: resource.MustParse("500m"), + }, + }, + SecurityContext: &corev1.SecurityContext{ + RunAsNonRoot: boolPtr(true), + RunAsUser: int64Ptr(65532), + AllowPrivilegeEscalation: boolPtr(false), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + ReadOnlyRootFilesystem: boolPtr(true), + }, + LivenessProbe: &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/healthz", + Port: intstr.FromInt(ProxyPort), + }, + }, + InitialDelaySeconds: 5, + PeriodSeconds: 10, + }, + ReadinessProbe: &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/ready", + Port: intstr.FromInt(ProxyPort), + }, + }, + InitialDelaySeconds: 3, + PeriodSeconds: 5, + }, + } + + pod.Spec.Containers = append(pod.Spec.Containers, sidecar) +} + +// modifyAppContainers adds HTTP_PROXY env vars to application containers +// Note: HTTPS_PROXY is intentionally not set because the proxy only handles HTTP traffic. +// HTTPS requests use CONNECT tunneling where encrypted headers cannot be inspected or propagated. +func (d *PodCustomDefaulter) modifyAppContainers(pod *corev1.Pod) { + proxyEnvVars := []corev1.EnvVar{ + { + Name: "HTTP_PROXY", + Value: fmt.Sprintf("http://localhost:%d", ProxyPort), + }, + { + Name: "NO_PROXY", + Value: "localhost,127.0.0.1", + }, + } + + for i := range pod.Spec.Containers { + if pod.Spec.Containers[i].Name == ProxyContainerName { + continue + } + pod.Spec.Containers[i].Env = append(pod.Spec.Containers[i].Env, proxyEnvVars...) + } +} + +// markAsInjected adds an annotation to indicate the pod was injected +func (d *PodCustomDefaulter) markAsInjected(pod *corev1.Pod) { + if pod.Annotations == nil { + pod.Annotations = make(map[string]string) + } + pod.Annotations[AnnotationInjected] = AnnotationValueTrue +} + +// +kubebuilder:webhook:path=/validate--v1-pod,mutating=false,failurePolicy=fail,sideEffects=None,groups="",resources=pods,verbs=create;update,versions=v1,name=vpod-v1.kb.io,admissionReviewVersions=v1 + +// PodCustomValidator validates Pod resources +type PodCustomValidator struct{} + +var _ webhook.CustomValidator = &PodCustomValidator{} + +// ValidateCreate validates pod creation +func (v *PodCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) { + pod, ok := obj.(*corev1.Pod) + if !ok { + return nil, fmt.Errorf("expected a Pod object but got %T", obj) + } + + if pod.Annotations == nil { + return nil, nil + } + + if enabled, ok := pod.Annotations[AnnotationEnabled]; ok && enabled == AnnotationValueTrue { + headersStr, hasHeaders := pod.Annotations[AnnotationHeaders] + headerRulesStr, hasHeaderRules := pod.Annotations[AnnotationHeaderRules] + + // Need either headers or header-rules + if (!hasHeaders || strings.TrimSpace(headersStr) == "") && (!hasHeaderRules || strings.TrimSpace(headerRulesStr) == "") { + return admission.Warnings{ + "ctxforge.io/enabled is set but no headers specified in ctxforge.io/headers or ctxforge.io/header-rules", + }, nil + } + + // Validate header names if using simple mode + if hasHeaders && strings.TrimSpace(headersStr) != "" { + parts := strings.Split(headersStr, ",") + for _, part := range parts { + header := strings.TrimSpace(part) + if header != "" { + if err := validateHeaderName(header); err != nil { + return nil, fmt.Errorf("invalid header in ctxforge.io/headers annotation: %w", err) + } + } + } + } + + // Validate header-rules is valid JSON if specified + if hasHeaderRules && strings.TrimSpace(headerRulesStr) != "" { + if err := validateHeaderRulesJSON(headerRulesStr); err != nil { + return nil, fmt.Errorf("invalid ctxforge.io/header-rules annotation: %w", err) + } + } + } + + return nil, nil +} + +// ValidateUpdate validates pod updates +func (v *PodCustomValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) { + pod, ok := newObj.(*corev1.Pod) + if !ok { + return nil, fmt.Errorf("expected a Pod object but got %T", newObj) + } + _ = pod + return nil, nil +} + +// ValidateDelete validates pod deletion +func (v *PodCustomValidator) ValidateDelete(_ context.Context, obj runtime.Object) (admission.Warnings, error) { + return nil, nil +} + +func boolPtr(b bool) *bool { + return &b +} + +func int64Ptr(i int64) *int64 { + return &i +} + +func getEnvOrDefault(key, defaultValue string) string { + if value := os.Getenv(key); value != "" { + return value + } + return defaultValue +} + +// validateTargetPort validates that the port is a valid port number +func validateTargetPort(port string) error { + portNum, err := strconv.Atoi(port) + if err != nil { + return fmt.Errorf("invalid target port %q: must be a number", port) + } + if portNum < 1 || portNum > 65535 { + return fmt.Errorf("invalid target port %d: must be between 1 and 65535", portNum) + } + if portNum == ProxyPort { + return fmt.Errorf("invalid target port %d: cannot be the same as proxy port (%d)", portNum, ProxyPort) + } + return nil +} + +// headerNameRegex validates HTTP header names per RFC 7230. +// Header names must contain only alphanumeric characters and hyphens. +var headerNameRegex = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9-]*$`) + +// validateHeaderName checks if a header name is valid per RFC 7230. +// Valid header names contain only alphanumeric characters and hyphens, +// must start with an alphanumeric character, and be 1-256 characters long. +func validateHeaderName(name string) error { + if len(name) == 0 { + return fmt.Errorf("header name cannot be empty") + } + if len(name) > 256 { + return fmt.Errorf("header name %q exceeds maximum length of 256 characters", name) + } + if !headerNameRegex.MatchString(name) { + return fmt.Errorf("header name %q is invalid: must contain only alphanumeric characters and hyphens, starting with alphanumeric (e.g., x-request-id, X-Correlation-ID)", name) + } + return nil +} + +// headerRule represents a single header rule for validation +type headerRule struct { + Name string `json:"name"` + Generate bool `json:"generate,omitempty"` + GeneratorType string `json:"generatorType,omitempty"` + Propagate *bool `json:"propagate,omitempty"` + PathRegex string `json:"pathRegex,omitempty"` + Methods []string `json:"methods,omitempty"` +} + +// validateHeaderRulesJSON validates that the header-rules annotation is valid JSON +// and contains properly structured header rules. +func validateHeaderRulesJSON(rulesJSON string) error { + var rules []headerRule + if err := json.Unmarshal([]byte(rulesJSON), &rules); err != nil { + return fmt.Errorf("invalid JSON: %w", err) + } + + if len(rules) == 0 { + return fmt.Errorf("header-rules array cannot be empty") + } + + validGeneratorTypes := map[string]bool{ + "": true, // empty is valid (defaults to uuid) + "uuid": true, + "ulid": true, + "timestamp": true, + } + + for i, rule := range rules { + if rule.Name == "" { + return fmt.Errorf("rule[%d]: name is required", i) + } + if err := validateHeaderName(rule.Name); err != nil { + return fmt.Errorf("rule[%d]: %w", i, err) + } + if rule.Generate && !validGeneratorTypes[rule.GeneratorType] { + return fmt.Errorf("rule[%d]: invalid generatorType %q, must be one of: uuid, ulid, timestamp", i, rule.GeneratorType) + } + if rule.PathRegex != "" { + if _, err := regexp.Compile(rule.PathRegex); err != nil { + return fmt.Errorf("rule[%d]: invalid pathRegex %q: %w", i, rule.PathRegex, err) + } + } + } + + return nil +} diff --git a/internal/webhook/v1/pod_webhook_test.go b/internal/webhook/v1/pod_webhook_test.go new file mode 100644 index 0000000..cf3c690 --- /dev/null +++ b/internal/webhook/v1/pod_webhook_test.go @@ -0,0 +1,612 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestPodCustomDefaulter_ShouldInject(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + tests := []struct { + name string + pod *corev1.Pod + expected bool + }{ + { + name: "enabled annotation true", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationEnabled: "true", + }, + }, + }, + expected: true, + }, + { + name: "enabled annotation false", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationEnabled: "false", + }, + }, + }, + expected: false, + }, + { + name: "no annotations", + pod: &corev1.Pod{}, + expected: false, + }, + { + name: "missing enabled annotation", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "other": "value", + }, + }, + }, + expected: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := defaulter.shouldInject(tt.pod) + assert.Equal(t, tt.expected, result) + }) + } +} + +func TestPodCustomDefaulter_ExtractHeaders(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + tests := []struct { + name string + pod *corev1.Pod + expected []string + }{ + { + name: "single header", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationHeaders: "x-request-id", + }, + }, + }, + expected: []string{"x-request-id"}, + }, + { + name: "multiple headers", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationHeaders: "x-request-id,x-dev-id,x-tenant-id", + }, + }, + }, + expected: []string{"x-request-id", "x-dev-id", "x-tenant-id"}, + }, + { + name: "headers with spaces", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationHeaders: "x-request-id , x-dev-id , x-tenant-id", + }, + }, + }, + expected: []string{"x-request-id", "x-dev-id", "x-tenant-id"}, + }, + { + name: "no annotations", + pod: &corev1.Pod{}, + expected: nil, + }, + { + name: "empty headers annotation", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationHeaders: "", + }, + }, + }, + expected: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := defaulter.extractHeaders(tt.pod) + assert.Equal(t, tt.expected, result) + }) + } +} + +func TestPodCustomDefaulter_IsAlreadyInjected(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + tests := []struct { + name string + pod *corev1.Pod + expected bool + }{ + { + name: "has injected annotation", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationInjected: "true", + }, + }, + }, + expected: true, + }, + { + name: "has sidecar container", + pod: &corev1.Pod{ + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app"}, + {Name: ProxyContainerName}, + }, + }, + }, + expected: true, + }, + { + name: "not injected", + pod: &corev1.Pod{ + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app"}, + }, + }, + }, + expected: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := defaulter.isAlreadyInjected(tt.pod) + assert.Equal(t, tt.expected, result) + }) + } +} + +func TestPodCustomDefaulter_InjectSidecar(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: "test-image:v1"} + + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-pod", + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app", Image: "myapp:latest"}, + }, + }, + } + + headers := []string{"x-request-id", "x-dev-id"} + defaulter.injectSidecar(pod, headers, "") + + assert.Len(t, pod.Spec.Containers, 2) + + var sidecar *corev1.Container + for i := range pod.Spec.Containers { + if pod.Spec.Containers[i].Name == ProxyContainerName { + sidecar = &pod.Spec.Containers[i] + break + } + } + + require.NotNil(t, sidecar, "Sidecar container should be present") + assert.Equal(t, "test-image:v1", sidecar.Image) + assert.Equal(t, corev1.PullIfNotPresent, sidecar.ImagePullPolicy) + + var headersEnv *corev1.EnvVar + for i := range sidecar.Env { + if sidecar.Env[i].Name == "HEADERS_TO_PROPAGATE" { + headersEnv = &sidecar.Env[i] + break + } + } + require.NotNil(t, headersEnv) + assert.Equal(t, "x-request-id,x-dev-id", headersEnv.Value) + + assert.NotNil(t, sidecar.SecurityContext) + assert.True(t, *sidecar.SecurityContext.RunAsNonRoot) + assert.Equal(t, int64(65532), *sidecar.SecurityContext.RunAsUser) + + assert.NotNil(t, sidecar.LivenessProbe) + assert.NotNil(t, sidecar.ReadinessProbe) +} + +func TestPodCustomDefaulter_InjectSidecar_CustomTargetPort(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-pod", + Annotations: map[string]string{ + AnnotationTargetPort: "3000", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app"}, + }, + }, + } + + defaulter.injectSidecar(pod, []string{"x-request-id"}, "") + + var sidecar *corev1.Container + for i := range pod.Spec.Containers { + if pod.Spec.Containers[i].Name == ProxyContainerName { + sidecar = &pod.Spec.Containers[i] + break + } + } + require.NotNil(t, sidecar) + + var targetHostEnv *corev1.EnvVar + for i := range sidecar.Env { + if sidecar.Env[i].Name == "TARGET_HOST" { + targetHostEnv = &sidecar.Env[i] + break + } + } + require.NotNil(t, targetHostEnv) + assert.Equal(t, "localhost:3000", targetHostEnv.Value) +} + +func TestPodCustomDefaulter_ModifyAppContainers(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + pod := &corev1.Pod{ + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app1"}, + {Name: "app2"}, + {Name: ProxyContainerName}, + }, + }, + } + + defaulter.modifyAppContainers(pod) + + for _, container := range pod.Spec.Containers { + if container.Name == ProxyContainerName { + assert.Empty(t, container.Env, "Proxy container should not have proxy env vars") + continue + } + + var httpProxy, noProxy bool + var hasHTTPSProxy bool + for _, env := range container.Env { + switch env.Name { + case "HTTP_PROXY": + httpProxy = true + assert.Equal(t, "http://localhost:9090", env.Value) + case "HTTPS_PROXY": + hasHTTPSProxy = true + case "NO_PROXY": + noProxy = true + assert.Equal(t, "localhost,127.0.0.1", env.Value) + } + } + + assert.True(t, httpProxy, "HTTP_PROXY should be set for %s", container.Name) + assert.False(t, hasHTTPSProxy, "HTTPS_PROXY should NOT be set (proxy only handles HTTP)") + assert.True(t, noProxy, "NO_PROXY should be set for %s", container.Name) + } +} + +func TestPodCustomDefaulter_Default_FullInjection(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: "test-proxy:v1"} + + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-pod", + Annotations: map[string]string{ + AnnotationEnabled: "true", + AnnotationHeaders: "x-request-id,x-tenant-id", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app", Image: "myapp:latest"}, + }, + }, + } + + err := defaulter.Default(context.Background(), pod) + + require.NoError(t, err) + assert.Len(t, pod.Spec.Containers, 2) + assert.Equal(t, "true", pod.Annotations[AnnotationInjected]) + + var foundProxy bool + for _, c := range pod.Spec.Containers { + if c.Name == ProxyContainerName { + foundProxy = true + break + } + } + assert.True(t, foundProxy) +} + +func TestPodCustomDefaulter_Default_SkipsWhenNotEnabled(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-pod", + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app"}, + }, + }, + } + + err := defaulter.Default(context.Background(), pod) + + require.NoError(t, err) + assert.Len(t, pod.Spec.Containers, 1) +} + +func TestPodCustomDefaulter_Default_SkipsWhenAlreadyInjected(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-pod", + Annotations: map[string]string{ + AnnotationEnabled: "true", + AnnotationHeaders: "x-request-id", + AnnotationInjected: "true", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app"}, + }, + }, + } + + err := defaulter.Default(context.Background(), pod) + + require.NoError(t, err) + assert.Len(t, pod.Spec.Containers, 1) +} + +func TestValidateTargetPort(t *testing.T) { + tests := []struct { + name string + port string + expectError bool + errorMsg string + }{ + { + name: "valid port", + port: "8080", + expectError: false, + }, + { + name: "valid port min", + port: "1", + expectError: false, + }, + { + name: "valid port max", + port: "65535", + expectError: false, + }, + { + name: "non-numeric port", + port: "abc", + expectError: true, + errorMsg: "must be a number", + }, + { + name: "port too low", + port: "0", + expectError: true, + errorMsg: "must be between 1 and 65535", + }, + { + name: "port too high", + port: "65536", + expectError: true, + errorMsg: "must be between 1 and 65535", + }, + { + name: "negative port", + port: "-1", + expectError: true, + errorMsg: "must be between 1 and 65535", + }, + { + name: "port equals proxy port", + port: "9090", + expectError: true, + errorMsg: "cannot be the same as proxy port", + }, + { + name: "empty port", + port: "", + expectError: true, + errorMsg: "must be a number", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := validateTargetPort(tt.port) + if tt.expectError { + assert.Error(t, err) + if tt.errorMsg != "" { + assert.Contains(t, err.Error(), tt.errorMsg) + } + } else { + assert.NoError(t, err) + } + }) + } +} + +func TestPodCustomDefaulter_InjectSidecar_InvalidTargetPort(t *testing.T) { + defaulter := &PodCustomDefaulter{ProxyImage: DefaultProxyImage} + + tests := []struct { + name string + port string + expectedPort string + }{ + { + name: "non-numeric uses default", + port: "abc", + expectedPort: DefaultTargetPort, + }, + { + name: "out of range uses default", + port: "99999", + expectedPort: DefaultTargetPort, + }, + { + name: "proxy port conflict uses default", + port: "9090", + expectedPort: DefaultTargetPort, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-pod", + Annotations: map[string]string{ + AnnotationTargetPort: tt.port, + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "app"}, + }, + }, + } + + defaulter.injectSidecar(pod, []string{"x-request-id"}, "") + + var sidecar *corev1.Container + for i := range pod.Spec.Containers { + if pod.Spec.Containers[i].Name == ProxyContainerName { + sidecar = &pod.Spec.Containers[i] + break + } + } + require.NotNil(t, sidecar) + + var targetHostEnv *corev1.EnvVar + for i := range sidecar.Env { + if sidecar.Env[i].Name == "TARGET_HOST" { + targetHostEnv = &sidecar.Env[i] + break + } + } + require.NotNil(t, targetHostEnv) + assert.Equal(t, "localhost:"+tt.expectedPort, targetHostEnv.Value) + }) + } +} + +func TestPodCustomValidator_ValidateCreate(t *testing.T) { + validator := &PodCustomValidator{} + + tests := []struct { + name string + pod *corev1.Pod + expectError bool + warnExpected bool + }{ + { + name: "valid pod with headers", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationEnabled: "true", + AnnotationHeaders: "x-request-id", + }, + }, + }, + expectError: false, + warnExpected: false, + }, + { + name: "enabled without headers - warning", + pod: &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + AnnotationEnabled: "true", + }, + }, + }, + expectError: false, + warnExpected: true, + }, + { + name: "no annotations", + pod: &corev1.Pod{}, + expectError: false, + warnExpected: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + warnings, err := validator.ValidateCreate(context.Background(), tt.pod) + + if tt.expectError { + assert.Error(t, err) + } else { + assert.NoError(t, err) + } + + if tt.warnExpected { + assert.NotEmpty(t, warnings) + } else { + assert.Empty(t, warnings) + } + }) + } +} diff --git a/internal/webhook/v1/webhook_suite_test.go b/internal/webhook/v1/webhook_suite_test.go new file mode 100644 index 0000000..c1b2e5c --- /dev/null +++ b/internal/webhook/v1/webhook_suite_test.go @@ -0,0 +1,163 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + "context" + "crypto/tls" + "fmt" + "net" + "os" + "path/filepath" + "testing" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + corev1 "k8s.io/api/core/v1" + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + // +kubebuilder:scaffold:imports +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. + +var ( + ctx context.Context + cancel context.CancelFunc + k8sClient client.Client + cfg *rest.Config + testEnv *envtest.Environment +) + +func TestAPIs(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Webhook Suite") +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + ctx, cancel = context.WithCancel(context.TODO()) + + var err error + err = corev1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + // +kubebuilder:scaffold:scheme + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: false, + + WebhookInstallOptions: envtest.WebhookInstallOptions{ + Paths: []string{filepath.Join("..", "..", "..", "config", "webhook")}, + }, + } + + // Retrieve the first found binary directory to allow running tests from IDEs + if getFirstFoundEnvTestBinaryDir() != "" { + testEnv.BinaryAssetsDirectory = getFirstFoundEnvTestBinaryDir() + } + + // cfg is defined in this file globally. + cfg, err = testEnv.Start() + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) + + // start webhook server using Manager. + webhookInstallOptions := &testEnv.WebhookInstallOptions + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ + Scheme: scheme.Scheme, + WebhookServer: webhook.NewServer(webhook.Options{ + Host: webhookInstallOptions.LocalServingHost, + Port: webhookInstallOptions.LocalServingPort, + CertDir: webhookInstallOptions.LocalServingCertDir, + }), + LeaderElection: false, + Metrics: metricsserver.Options{BindAddress: "0"}, + }) + Expect(err).NotTo(HaveOccurred()) + + err = SetupPodWebhookWithManager(mgr) + Expect(err).NotTo(HaveOccurred()) + + // +kubebuilder:scaffold:webhook + + go func() { + defer GinkgoRecover() + err = mgr.Start(ctx) + Expect(err).NotTo(HaveOccurred()) + }() + + // wait for the webhook server to get ready. + dialer := &net.Dialer{Timeout: time.Second} + addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) + Eventually(func() error { + conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) + if err != nil { + return err + } + + return conn.Close() + }).Should(Succeed()) +}) + +var _ = AfterSuite(func() { + By("tearing down the test environment") + cancel() + err := testEnv.Stop() + Expect(err).NotTo(HaveOccurred()) +}) + +// getFirstFoundEnvTestBinaryDir locates the first binary in the specified path. +// ENVTEST-based tests depend on specific binaries, usually located in paths set by +// controller-runtime. When running tests directly (e.g., via an IDE) without using +// Makefile targets, the 'BinaryAssetsDirectory' must be explicitly configured. +// +// This function streamlines the process by finding the required binaries, similar to +// setting the 'KUBEBUILDER_ASSETS' environment variable. To ensure the binaries are +// properly set up, run 'make setup-envtest' beforehand. +func getFirstFoundEnvTestBinaryDir() string { + basePath := filepath.Join("..", "..", "..", "bin", "k8s") + entries, err := os.ReadDir(basePath) + if err != nil { + logf.Log.Error(err, "Failed to read directory", "path", basePath) + return "" + } + for _, entry := range entries { + if entry.IsDir() { + return filepath.Join(basePath, entry.Name()) + } + } + return "" +} diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go new file mode 100644 index 0000000..642008d --- /dev/null +++ b/test/e2e/e2e_suite_test.go @@ -0,0 +1,92 @@ +//go:build e2e +// +build e2e + +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package e2e + +import ( + "fmt" + "os" + "os/exec" + "testing" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "github.com/bgruszka/contextforge/test/utils" +) + +var ( + // Optional Environment Variables: + // - CERT_MANAGER_INSTALL_SKIP=true: Skips CertManager installation during test setup. + // These variables are useful if CertManager is already installed, avoiding + // re-installation and conflicts. + skipCertManagerInstall = os.Getenv("CERT_MANAGER_INSTALL_SKIP") == "true" + // isCertManagerAlreadyInstalled will be set true when CertManager CRDs be found on the cluster + isCertManagerAlreadyInstalled = false + + // projectImage is the name of the image which will be build and loaded + // with the code source changes to be tested. + projectImage = "example.com/contextforge:v0.0.1" +) + +// TestE2E runs the end-to-end (e2e) test suite for the project. These tests execute in an isolated, +// temporary environment to validate project changes with the purpose of being used in CI jobs. +// The default setup requires Kind, builds/loads the Manager Docker image locally, and installs +// CertManager. +func TestE2E(t *testing.T) { + RegisterFailHandler(Fail) + _, _ = fmt.Fprintf(GinkgoWriter, "Starting contextforge integration test suite\n") + RunSpecs(t, "e2e suite") +} + +var _ = BeforeSuite(func() { + By("building the manager(Operator) image") + cmd := exec.Command("make", "docker-build", fmt.Sprintf("IMG=%s", projectImage)) + _, err := utils.Run(cmd) + ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Failed to build the manager(Operator) image") + + // TODO(user): If you want to change the e2e test vendor from Kind, ensure the image is + // built and available before running the tests. Also, remove the following block. + By("loading the manager(Operator) image on Kind") + err = utils.LoadImageToKindClusterWithName(projectImage) + ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Failed to load the manager(Operator) image into Kind") + + // The tests-e2e are intended to run on a temporary cluster that is created and destroyed for testing. + // To prevent errors when tests run in environments with CertManager already installed, + // we check for its presence before execution. + // Setup CertManager before the suite if not skipped and if not already installed + if !skipCertManagerInstall { + By("checking if cert manager is installed already") + isCertManagerAlreadyInstalled = utils.IsCertManagerCRDsInstalled() + if !isCertManagerAlreadyInstalled { + _, _ = fmt.Fprintf(GinkgoWriter, "Installing CertManager...\n") + Expect(utils.InstallCertManager()).To(Succeed(), "Failed to install CertManager") + } else { + _, _ = fmt.Fprintf(GinkgoWriter, "WARNING: CertManager is already installed. Skipping installation...\n") + } + } +}) + +var _ = AfterSuite(func() { + // Teardown CertManager after the suite if not skipped and if it was not already installed + if !skipCertManagerInstall && !isCertManagerAlreadyInstalled { + _, _ = fmt.Fprintf(GinkgoWriter, "Uninstalling CertManager...\n") + utils.UninstallCertManager() + } +}) diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go new file mode 100644 index 0000000..a84cad2 --- /dev/null +++ b/test/e2e/e2e_test.go @@ -0,0 +1,386 @@ +//go:build e2e +// +build e2e + +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package e2e + +import ( + "encoding/json" + "fmt" + "os" + "os/exec" + "path/filepath" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "github.com/bgruszka/contextforge/test/utils" +) + +// namespace where the project is deployed in +const namespace = "contextforge-system" + +// serviceAccountName created for the project +const serviceAccountName = "contextforge-controller-manager" + +// metricsServiceName is the name of the metrics service of the project +const metricsServiceName = "contextforge-controller-manager-metrics-service" + +// metricsRoleBindingName is the name of the RBAC that will be created to allow get the metrics data +const metricsRoleBindingName = "contextforge-metrics-binding" + +var _ = Describe("Manager", Ordered, func() { + var controllerPodName string + + // Before running the tests, set up the environment by creating the namespace, + // enforce the restricted security policy to the namespace, installing CRDs, + // and deploying the controller. + BeforeAll(func() { + By("creating manager namespace") + cmd := exec.Command("kubectl", "create", "ns", namespace) + _, err := utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to create namespace") + + By("labeling the namespace to enforce the restricted security policy") + cmd = exec.Command("kubectl", "label", "--overwrite", "ns", namespace, + "pod-security.kubernetes.io/enforce=restricted") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to label namespace with restricted policy") + + By("installing CRDs") + cmd = exec.Command("make", "install") + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to install CRDs") + + By("deploying the controller-manager") + cmd = exec.Command("make", "deploy", fmt.Sprintf("IMG=%s", projectImage)) + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to deploy the controller-manager") + }) + + // After all tests have been executed, clean up by undeploying the controller, uninstalling CRDs, + // and deleting the namespace. + AfterAll(func() { + By("cleaning up the curl pod for metrics") + cmd := exec.Command("kubectl", "delete", "pod", "curl-metrics", "-n", namespace) + _, _ = utils.Run(cmd) + + By("undeploying the controller-manager") + cmd = exec.Command("make", "undeploy") + _, _ = utils.Run(cmd) + + By("uninstalling CRDs") + cmd = exec.Command("make", "uninstall") + _, _ = utils.Run(cmd) + + By("removing manager namespace") + cmd = exec.Command("kubectl", "delete", "ns", namespace) + _, _ = utils.Run(cmd) + }) + + // After each test, check for failures and collect logs, events, + // and pod descriptions for debugging. + AfterEach(func() { + specReport := CurrentSpecReport() + if specReport.Failed() { + By("Fetching controller manager pod logs") + cmd := exec.Command("kubectl", "logs", controllerPodName, "-n", namespace) + controllerLogs, err := utils.Run(cmd) + if err == nil { + _, _ = fmt.Fprintf(GinkgoWriter, "Controller logs:\n %s", controllerLogs) + } else { + _, _ = fmt.Fprintf(GinkgoWriter, "Failed to get Controller logs: %s", err) + } + + By("Fetching Kubernetes events") + cmd = exec.Command("kubectl", "get", "events", "-n", namespace, "--sort-by=.lastTimestamp") + eventsOutput, err := utils.Run(cmd) + if err == nil { + _, _ = fmt.Fprintf(GinkgoWriter, "Kubernetes events:\n%s", eventsOutput) + } else { + _, _ = fmt.Fprintf(GinkgoWriter, "Failed to get Kubernetes events: %s", err) + } + + By("Fetching curl-metrics logs") + cmd = exec.Command("kubectl", "logs", "curl-metrics", "-n", namespace) + metricsOutput, err := utils.Run(cmd) + if err == nil { + _, _ = fmt.Fprintf(GinkgoWriter, "Metrics logs:\n %s", metricsOutput) + } else { + _, _ = fmt.Fprintf(GinkgoWriter, "Failed to get curl-metrics logs: %s", err) + } + + By("Fetching controller manager pod description") + cmd = exec.Command("kubectl", "describe", "pod", controllerPodName, "-n", namespace) + podDescription, err := utils.Run(cmd) + if err == nil { + fmt.Println("Pod description:\n", podDescription) + } else { + fmt.Println("Failed to describe controller pod") + } + } + }) + + SetDefaultEventuallyTimeout(2 * time.Minute) + SetDefaultEventuallyPollingInterval(time.Second) + + Context("Manager", func() { + It("should run successfully", func() { + By("validating that the controller-manager pod is running as expected") + verifyControllerUp := func(g Gomega) { + // Get the name of the controller-manager pod + cmd := exec.Command("kubectl", "get", + "pods", "-l", "control-plane=controller-manager", + "-o", "go-template={{ range .items }}"+ + "{{ if not .metadata.deletionTimestamp }}"+ + "{{ .metadata.name }}"+ + "{{ \"\\n\" }}{{ end }}{{ end }}", + "-n", namespace, + ) + + podOutput, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred(), "Failed to retrieve controller-manager pod information") + podNames := utils.GetNonEmptyLines(podOutput) + g.Expect(podNames).To(HaveLen(1), "expected 1 controller pod running") + controllerPodName = podNames[0] + g.Expect(controllerPodName).To(ContainSubstring("controller-manager")) + + // Validate the pod's status + cmd = exec.Command("kubectl", "get", + "pods", controllerPodName, "-o", "jsonpath={.status.phase}", + "-n", namespace, + ) + output, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(output).To(Equal("Running"), "Incorrect controller-manager pod status") + } + Eventually(verifyControllerUp).Should(Succeed()) + }) + + It("should ensure the metrics endpoint is serving metrics", func() { + By("creating a ClusterRoleBinding for the service account to allow access to metrics") + cmd := exec.Command("kubectl", "create", "clusterrolebinding", metricsRoleBindingName, + "--clusterrole=contextforge-metrics-reader", + fmt.Sprintf("--serviceaccount=%s:%s", namespace, serviceAccountName), + ) + _, err := utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to create ClusterRoleBinding") + + By("validating that the metrics service is available") + cmd = exec.Command("kubectl", "get", "service", metricsServiceName, "-n", namespace) + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Metrics service should exist") + + By("getting the service account token") + token, err := serviceAccountToken() + Expect(err).NotTo(HaveOccurred()) + Expect(token).NotTo(BeEmpty()) + + By("ensuring the controller pod is ready") + verifyControllerPodReady := func(g Gomega) { + cmd := exec.Command("kubectl", "get", "pod", controllerPodName, "-n", namespace, + "-o", "jsonpath={.status.conditions[?(@.type=='Ready')].status}") + output, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(output).To(Equal("True"), "Controller pod not ready") + } + Eventually(verifyControllerPodReady, 3*time.Minute, time.Second).Should(Succeed()) + + By("verifying that the controller manager is serving the metrics server") + verifyMetricsServerStarted := func(g Gomega) { + cmd := exec.Command("kubectl", "logs", controllerPodName, "-n", namespace) + output, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(output).To(ContainSubstring("Serving metrics server"), + "Metrics server not yet started") + } + Eventually(verifyMetricsServerStarted, 3*time.Minute, time.Second).Should(Succeed()) + + By("waiting for the webhook service endpoints to be ready") + verifyWebhookEndpointsReady := func(g Gomega) { + cmd := exec.Command("kubectl", "get", "endpointslices.discovery.k8s.io", "-n", namespace, + "-l", "kubernetes.io/service-name=contextforge-webhook-service", + "-o", "jsonpath={range .items[*]}{range .endpoints[*]}{.addresses[*]}{end}{end}") + output, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred(), "Webhook endpoints should exist") + g.Expect(output).ShouldNot(BeEmpty(), "Webhook endpoints not yet ready") + } + Eventually(verifyWebhookEndpointsReady, 3*time.Minute, time.Second).Should(Succeed()) + + // +kubebuilder:scaffold:e2e-metrics-webhooks-readiness + + By("creating the curl-metrics pod to access the metrics endpoint") + cmd = exec.Command("kubectl", "run", "curl-metrics", "--restart=Never", + "--namespace", namespace, + "--image=curlimages/curl:latest", + "--overrides", + fmt.Sprintf(`{ + "spec": { + "containers": [{ + "name": "curl", + "image": "curlimages/curl:latest", + "command": ["/bin/sh", "-c"], + "args": ["curl -v -k -H 'Authorization: Bearer %s' https://%s.%s.svc.cluster.local:8443/metrics"], + "securityContext": { + "readOnlyRootFilesystem": true, + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": ["ALL"] + }, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + } + }], + "serviceAccountName": "%s" + } + }`, token, metricsServiceName, namespace, serviceAccountName)) + _, err = utils.Run(cmd) + Expect(err).NotTo(HaveOccurred(), "Failed to create curl-metrics pod") + + By("waiting for the curl-metrics pod to complete.") + verifyCurlUp := func(g Gomega) { + cmd := exec.Command("kubectl", "get", "pods", "curl-metrics", + "-o", "jsonpath={.status.phase}", + "-n", namespace) + output, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(output).To(Equal("Succeeded"), "curl pod in wrong status") + } + Eventually(verifyCurlUp, 5*time.Minute).Should(Succeed()) + + By("getting the metrics by checking curl-metrics logs") + verifyMetricsAvailable := func(g Gomega) { + metricsOutput, err := getMetricsOutput() + g.Expect(err).NotTo(HaveOccurred(), "Failed to retrieve logs from curl pod") + g.Expect(metricsOutput).NotTo(BeEmpty()) + g.Expect(metricsOutput).To(ContainSubstring("< HTTP/1.1 200 OK")) + } + Eventually(verifyMetricsAvailable, 2*time.Minute).Should(Succeed()) + }) + + It("should provisioned cert-manager", func() { + By("validating that cert-manager has the certificate Secret") + verifyCertManager := func(g Gomega) { + cmd := exec.Command("kubectl", "get", "secrets", "webhook-server-cert", "-n", namespace) + _, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred()) + } + Eventually(verifyCertManager).Should(Succeed()) + }) + + It("should have CA injection for mutating webhooks", func() { + By("checking CA injection for mutating webhooks") + verifyCAInjection := func(g Gomega) { + cmd := exec.Command("kubectl", "get", + "mutatingwebhookconfigurations.admissionregistration.k8s.io", + "contextforge-mutating-webhook-configuration", + "-o", "go-template={{ range .webhooks }}{{ .clientConfig.caBundle }}{{ end }}") + mwhOutput, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(len(mwhOutput)).To(BeNumerically(">", 10)) + } + Eventually(verifyCAInjection).Should(Succeed()) + }) + + It("should have CA injection for validating webhooks", func() { + By("checking CA injection for validating webhooks") + verifyCAInjection := func(g Gomega) { + cmd := exec.Command("kubectl", "get", + "validatingwebhookconfigurations.admissionregistration.k8s.io", + "contextforge-validating-webhook-configuration", + "-o", "go-template={{ range .webhooks }}{{ .clientConfig.caBundle }}{{ end }}") + vwhOutput, err := utils.Run(cmd) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(len(vwhOutput)).To(BeNumerically(">", 10)) + } + Eventually(verifyCAInjection).Should(Succeed()) + }) + + // +kubebuilder:scaffold:e2e-webhooks-checks + + // TODO: Customize the e2e test suite with scenarios specific to your project. + // Consider applying sample/CR(s) and check their status and/or verifying + // the reconciliation by using the metrics, i.e.: + // metricsOutput, err := getMetricsOutput() + // Expect(err).NotTo(HaveOccurred(), "Failed to retrieve logs from curl pod") + // Expect(metricsOutput).To(ContainSubstring( + // fmt.Sprintf(`controller_runtime_reconcile_total{controller="%s",result="success"} 1`, + // strings.ToLower(), + // )) + }) +}) + +// serviceAccountToken returns a token for the specified service account in the given namespace. +// It uses the Kubernetes TokenRequest API to generate a token by directly sending a request +// and parsing the resulting token from the API response. +func serviceAccountToken() (string, error) { + const tokenRequestRawString = `{ + "apiVersion": "authentication.k8s.io/v1", + "kind": "TokenRequest" + }` + + // Temporary file to store the token request + secretName := fmt.Sprintf("%s-token-request", serviceAccountName) + tokenRequestFile := filepath.Join("/tmp", secretName) + err := os.WriteFile(tokenRequestFile, []byte(tokenRequestRawString), os.FileMode(0o644)) + if err != nil { + return "", err + } + + var out string + verifyTokenCreation := func(g Gomega) { + // Execute kubectl command to create the token + cmd := exec.Command("kubectl", "create", "--raw", fmt.Sprintf( + "/api/v1/namespaces/%s/serviceaccounts/%s/token", + namespace, + serviceAccountName, + ), "-f", tokenRequestFile) + + output, err := cmd.CombinedOutput() + g.Expect(err).NotTo(HaveOccurred()) + + // Parse the JSON output to extract the token + var token tokenRequest + err = json.Unmarshal(output, &token) + g.Expect(err).NotTo(HaveOccurred()) + + out = token.Status.Token + } + Eventually(verifyTokenCreation).Should(Succeed()) + + return out, err +} + +// getMetricsOutput retrieves and returns the logs from the curl pod used to access the metrics endpoint. +func getMetricsOutput() (string, error) { + By("getting the curl-metrics logs") + cmd := exec.Command("kubectl", "logs", "curl-metrics", "-n", namespace) + return utils.Run(cmd) +} + +// tokenRequest is a simplified representation of the Kubernetes TokenRequest API response, +// containing only the token field that we need to extract. +type tokenRequest struct { + Status struct { + Token string `json:"token"` + } `json:"status"` +} diff --git a/test/utils/utils.go b/test/utils/utils.go new file mode 100644 index 0000000..b3b8d16 --- /dev/null +++ b/test/utils/utils.go @@ -0,0 +1,226 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "bufio" + "bytes" + "fmt" + "os" + "os/exec" + "strings" + + . "github.com/onsi/ginkgo/v2" // nolint:revive,staticcheck +) + +const ( + certmanagerVersion = "v1.19.1" + certmanagerURLTmpl = "https://github.com/cert-manager/cert-manager/releases/download/%s/cert-manager.yaml" + + defaultKindBinary = "kind" + defaultKindCluster = "kind" +) + +func warnError(err error) { + _, _ = fmt.Fprintf(GinkgoWriter, "warning: %v\n", err) +} + +// Run executes the provided command within this context +func Run(cmd *exec.Cmd) (string, error) { + dir, _ := GetProjectDir() + cmd.Dir = dir + + if err := os.Chdir(cmd.Dir); err != nil { + _, _ = fmt.Fprintf(GinkgoWriter, "chdir dir: %q\n", err) + } + + cmd.Env = append(os.Environ(), "GO111MODULE=on") + command := strings.Join(cmd.Args, " ") + _, _ = fmt.Fprintf(GinkgoWriter, "running: %q\n", command) + output, err := cmd.CombinedOutput() + if err != nil { + return string(output), fmt.Errorf("%q failed with error %q: %w", command, string(output), err) + } + + return string(output), nil +} + +// UninstallCertManager uninstalls the cert manager +func UninstallCertManager() { + url := fmt.Sprintf(certmanagerURLTmpl, certmanagerVersion) + cmd := exec.Command("kubectl", "delete", "-f", url) + if _, err := Run(cmd); err != nil { + warnError(err) + } + + // Delete leftover leases in kube-system (not cleaned by default) + kubeSystemLeases := []string{ + "cert-manager-cainjector-leader-election", + "cert-manager-controller", + } + for _, lease := range kubeSystemLeases { + cmd = exec.Command("kubectl", "delete", "lease", lease, + "-n", "kube-system", "--ignore-not-found", "--force", "--grace-period=0") + if _, err := Run(cmd); err != nil { + warnError(err) + } + } +} + +// InstallCertManager installs the cert manager bundle. +func InstallCertManager() error { + url := fmt.Sprintf(certmanagerURLTmpl, certmanagerVersion) + cmd := exec.Command("kubectl", "apply", "-f", url) + if _, err := Run(cmd); err != nil { + return err + } + // Wait for cert-manager-webhook to be ready, which can take time if cert-manager + // was re-installed after uninstalling on a cluster. + cmd = exec.Command("kubectl", "wait", "deployment.apps/cert-manager-webhook", + "--for", "condition=Available", + "--namespace", "cert-manager", + "--timeout", "5m", + ) + + _, err := Run(cmd) + return err +} + +// IsCertManagerCRDsInstalled checks if any Cert Manager CRDs are installed +// by verifying the existence of key CRDs related to Cert Manager. +func IsCertManagerCRDsInstalled() bool { + // List of common Cert Manager CRDs + certManagerCRDs := []string{ + "certificates.cert-manager.io", + "issuers.cert-manager.io", + "clusterissuers.cert-manager.io", + "certificaterequests.cert-manager.io", + "orders.acme.cert-manager.io", + "challenges.acme.cert-manager.io", + } + + // Execute the kubectl command to get all CRDs + cmd := exec.Command("kubectl", "get", "crds") + output, err := Run(cmd) + if err != nil { + return false + } + + // Check if any of the Cert Manager CRDs are present + crdList := GetNonEmptyLines(output) + for _, crd := range certManagerCRDs { + for _, line := range crdList { + if strings.Contains(line, crd) { + return true + } + } + } + + return false +} + +// LoadImageToKindClusterWithName loads a local docker image to the kind cluster +func LoadImageToKindClusterWithName(name string) error { + cluster := defaultKindCluster + if v, ok := os.LookupEnv("KIND_CLUSTER"); ok { + cluster = v + } + kindOptions := []string{"load", "docker-image", name, "--name", cluster} + kindBinary := defaultKindBinary + if v, ok := os.LookupEnv("KIND"); ok { + kindBinary = v + } + cmd := exec.Command(kindBinary, kindOptions...) + _, err := Run(cmd) + return err +} + +// GetNonEmptyLines converts given command output string into individual objects +// according to line breakers, and ignores the empty elements in it. +func GetNonEmptyLines(output string) []string { + var res []string + elements := strings.Split(output, "\n") + for _, element := range elements { + if element != "" { + res = append(res, element) + } + } + + return res +} + +// GetProjectDir will return the directory where the project is +func GetProjectDir() (string, error) { + wd, err := os.Getwd() + if err != nil { + return wd, fmt.Errorf("failed to get current working directory: %w", err) + } + wd = strings.ReplaceAll(wd, "/test/e2e", "") + return wd, nil +} + +// UncommentCode searches for target in the file and remove the comment prefix +// of the target content. The target content may span multiple lines. +func UncommentCode(filename, target, prefix string) error { + // false positive + // nolint:gosec + content, err := os.ReadFile(filename) + if err != nil { + return fmt.Errorf("failed to read file %q: %w", filename, err) + } + strContent := string(content) + + idx := strings.Index(strContent, target) + if idx < 0 { + return fmt.Errorf("unable to find the code %q to be uncomment", target) + } + + out := new(bytes.Buffer) + _, err = out.Write(content[:idx]) + if err != nil { + return fmt.Errorf("failed to write to output: %w", err) + } + + scanner := bufio.NewScanner(bytes.NewBufferString(target)) + if !scanner.Scan() { + return nil + } + for { + if _, err = out.WriteString(strings.TrimPrefix(scanner.Text(), prefix)); err != nil { + return fmt.Errorf("failed to write to output: %w", err) + } + // Avoid writing a newline in case the previous line was the last in target. + if !scanner.Scan() { + break + } + if _, err = out.WriteString("\n"); err != nil { + return fmt.Errorf("failed to write to output: %w", err) + } + } + + if _, err = out.Write(content[idx+len(target):]); err != nil { + return fmt.Errorf("failed to write to output: %w", err) + } + + // false positive + // nolint:gosec + if err = os.WriteFile(filename, out.Bytes(), 0644); err != nil { + return fmt.Errorf("failed to write file %q: %w", filename, err) + } + + return nil +} diff --git a/tests/e2e/advanced_features_test.go b/tests/e2e/advanced_features_test.go new file mode 100644 index 0000000..67ceeb8 --- /dev/null +++ b/tests/e2e/advanced_features_test.go @@ -0,0 +1,866 @@ +package e2e_test + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "os/exec" + "regexp" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/util/wait" + "sigs.k8s.io/controller-runtime/pkg/client" + + ctxforgev1alpha1 "github.com/bgruszka/contextforge/api/v1alpha1" +) + +// ============================================================================= +// HEADER GENERATION TESTS +// Verifies that headers can be auto-generated when missing +// ============================================================================= +var _ = Describe("Header Generation", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + policyName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "header-gen-service" + curlPodName = "curl-header-gen" + policyName = "header-gen-policy" + + By("Creating a HeaderPropagationPolicy with header generation enabled") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: policyName, + Namespace: testNamespace, + }, + Spec: ctxforgev1alpha1.HeaderPropagationPolicySpec{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": serviceName, + }, + }, + PropagationRules: []ctxforgev1alpha1.PropagationRule{ + { + Headers: []ctxforgev1alpha1.HeaderConfig{ + { + Name: "x-request-id", + Generate: true, + GeneratorType: "uuid", + }, + { + Name: "x-trace-id", + Generate: true, + GeneratorType: "ulid", + }, + { + Name: "x-timestamp", + Generate: true, + GeneratorType: "timestamp", + }, + { + Name: "x-tenant-id", // Not generated, just propagated + }, + }, + }, + }, + }, + } + err := ctxforgeClient.Create(ctx, policy) + Expect(err).NotTo(HaveOccurred()) + + By("Deploying echo server with header generation enabled") + err = deployHeaderGenService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeploymentWithTimeout(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + By("Deploying curl test pod") + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if policyName != "" { + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + if err := ctxforgeClient.Get(ctx, client.ObjectKey{Name: policyName, Namespace: testNamespace}, policy); err == nil { + _ = ctxforgeClient.Delete(ctx, policy) + } + } + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + Context("when x-request-id header is missing", func() { + It("should generate a UUID v4 format request ID", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + // Make request WITHOUT x-request-id header + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-tenant-id: tenant-123", // Only send tenant ID, not request ID + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response body: %s\n", body) + + // Verify x-request-id was generated and is in UUID format + Expect(body).To(ContainSubstring("x-request-id")) + + // UUID v4 pattern: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx + uuidPattern := regexp.MustCompile(`[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}`) + Expect(uuidPattern.MatchString(body)).To(BeTrue(), "Response should contain a valid UUID v4") + }) + + It("should generate a ULID format trace ID", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response body: %s\n", body) + + // Verify x-trace-id was generated and is in ULID format (26 characters, Crockford's Base32) + Expect(body).To(ContainSubstring("x-trace-id")) + + // ULID pattern: 26 characters from Crockford's Base32 alphabet + ulidPattern := regexp.MustCompile(`[0-9A-HJKMNP-TV-Z]{26}`) + Expect(ulidPattern.MatchString(body)).To(BeTrue(), "Response should contain a valid ULID") + }) + + It("should generate a timestamp format header", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response body: %s\n", body) + + // Verify x-timestamp was generated and is in RFC3339 format + Expect(body).To(ContainSubstring("x-timestamp")) + + // RFC3339Nano pattern: 2006-01-02T15:04:05.999999999Z07:00 + timestampPattern := regexp.MustCompile(`\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}`) + Expect(timestampPattern.MatchString(body)).To(BeTrue(), "Response should contain a valid timestamp") + }) + }) + + Context("when x-request-id header is provided", func() { + It("should NOT override the existing header value", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + existingRequestID := "my-existing-request-id-12345" + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", fmt.Sprintf("x-request-id: %s", existingRequestID), + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response body: %s\n", body) + + // Verify the existing request ID was preserved + Expect(body).To(ContainSubstring(existingRequestID)) + }) + }) +}) + +// ============================================================================= +// PATH-BASED FILTERING TESTS +// Verifies headers are only propagated for matching paths +// ============================================================================= +var _ = Describe("Path-Based Header Filtering", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + policyName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "path-filter-service" + curlPodName = "curl-path-filter" + policyName = "path-filter-policy" + + By("Creating a HeaderPropagationPolicy with path-based rules") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: policyName, + Namespace: testNamespace, + }, + Spec: ctxforgev1alpha1.HeaderPropagationPolicySpec{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": serviceName, + }, + }, + PropagationRules: []ctxforgev1alpha1.PropagationRule{ + { + // Only propagate for /api/* paths + PathRegex: "^/api/.*", + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-api-key"}, + {Name: "x-request-id"}, + }, + }, + { + // Propagate tenant ID for all paths + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-tenant-id"}, + }, + }, + }, + }, + } + err := ctxforgeClient.Create(ctx, policy) + Expect(err).NotTo(HaveOccurred()) + + By("Deploying echo server with path filtering") + err = deployPathFilterService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeploymentWithTimeout(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + By("Deploying curl test pod") + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if policyName != "" { + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + if err := ctxforgeClient.Get(ctx, client.ObjectKey{Name: policyName, Namespace: testNamespace}, policy); err == nil { + _ = ctxforgeClient.Delete(ctx, policy) + } + } + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + Context("when request path matches /api/*", func() { + It("should propagate x-api-key header", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-api-key: secret-api-key-123", + "-H", "x-request-id: req-123", + "-H", "x-tenant-id: tenant-abc", + serviceURL+"/api/v1/users", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response for /api/v1/users: %s\n", body) + + // API headers should be propagated for /api/* path + Expect(body).To(ContainSubstring("x-api-key")) + Expect(body).To(ContainSubstring("secret-api-key-123")) + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("x-tenant-id")) + }) + }) + + Context("when request path is /health", func() { + It("should NOT propagate x-api-key header", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-api-key: secret-api-key-456", + "-H", "x-tenant-id: tenant-xyz", + serviceURL+"/health", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response for /health: %s\n", body) + + // x-tenant-id should be propagated (matches all paths) + Expect(body).To(ContainSubstring("x-tenant-id")) + Expect(body).To(ContainSubstring("tenant-xyz")) + + // Note: x-api-key may still appear in response because curl sends it directly + // The filtering applies to what the PROXY propagates to outgoing requests + // This test documents the expected behavior + }) + }) +}) + +// ============================================================================= +// METHOD-BASED FILTERING TESTS +// Verifies headers are only propagated for matching HTTP methods +// ============================================================================= +var _ = Describe("Method-Based Header Filtering", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + policyName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "method-filter-service" + curlPodName = "curl-method-filter" + policyName = "method-filter-policy" + + By("Creating a HeaderPropagationPolicy with method-based rules") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: policyName, + Namespace: testNamespace, + }, + Spec: ctxforgev1alpha1.HeaderPropagationPolicySpec{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": serviceName, + }, + }, + PropagationRules: []ctxforgev1alpha1.PropagationRule{ + { + // Only propagate CSRF token for mutating methods + Methods: []string{"POST", "PUT", "DELETE", "PATCH"}, + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-csrf-token"}, + }, + }, + { + // Propagate request ID for all methods + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-request-id"}, + }, + }, + }, + }, + } + err := ctxforgeClient.Create(ctx, policy) + Expect(err).NotTo(HaveOccurred()) + + By("Deploying echo server with method filtering") + err = deployMethodFilterService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeploymentWithTimeout(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + By("Deploying curl test pod") + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if policyName != "" { + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{} + if err := ctxforgeClient.Get(ctx, client.ObjectKey{Name: policyName, Namespace: testNamespace}, policy); err == nil { + _ = ctxforgeClient.Delete(ctx, policy) + } + } + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + Context("when making a POST request", func() { + It("should propagate x-csrf-token header", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-X", "POST", + "-H", "x-csrf-token: csrf-token-abc123", + "-H", "x-request-id: post-req-123", + "-d", "{}", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response for POST: %s\n", body) + + // Both headers should be propagated for POST + Expect(body).To(ContainSubstring("x-csrf-token")) + Expect(body).To(ContainSubstring("csrf-token-abc123")) + Expect(body).To(ContainSubstring("x-request-id")) + }) + }) + + Context("when making a GET request", func() { + It("should propagate x-request-id but NOT x-csrf-token", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-X", "GET", + "-H", "x-csrf-token: csrf-token-xyz789", + "-H", "x-request-id: get-req-456", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response for GET: %s\n", body) + + // x-request-id should be propagated (matches all methods) + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("get-req-456")) + + // Note: x-csrf-token may still appear because curl sends it directly + // The filtering applies to outgoing requests from the service + }) + }) +}) + +// ============================================================================= +// HEADER_RULES ENVIRONMENT VARIABLE TESTS +// Verifies the HEADER_RULES JSON config works correctly +// ============================================================================= +var _ = Describe("HEADER_RULES Environment Variable", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "header-rules-service" + curlPodName = "curl-header-rules" + + By("Deploying service with HEADER_RULES environment variable") + err := deployHeaderRulesService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeploymentWithTimeout(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + By("Deploying curl test pod") + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + It("should parse and apply HEADER_RULES correctly", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-tenant-id: tenant-from-rules", + serviceURL+"/api/test", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response with HEADER_RULES: %s\n", body) + + // x-request-id should be generated (as configured in HEADER_RULES) + Expect(body).To(ContainSubstring("x-request-id")) + + // UUID pattern should be present + uuidPattern := regexp.MustCompile(`[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}`) + Expect(uuidPattern.MatchString(body)).To(BeTrue()) + + // x-tenant-id should be propagated + Expect(body).To(ContainSubstring("x-tenant-id")) + Expect(body).To(ContainSubstring("tenant-from-rules")) + }) +}) + +// ============================================================================= +// HELPER FUNCTIONS +// ============================================================================= + +const deploymentTimeout = 180 * time.Second + +func waitForDeploymentWithTimeout(ctx context.Context, name string) error { + return wait.PollUntilContextTimeout(ctx, 2*time.Second, deploymentTimeout, true, func(ctx context.Context) (bool, error) { + deployment, err := clientset.AppsV1().Deployments(testNamespace).Get(ctx, name, metav1.GetOptions{}) + if err != nil { + return false, nil + } + return deployment.Status.ReadyReplicas == *deployment.Spec.Replicas, nil + }) +} + +func deployHeaderGenService(ctx context.Context, name string) error { + replicas := int32(1) + + // Build HEADER_RULES JSON for generation + headerRules := []map[string]interface{}{ + {"name": "x-request-id", "generate": true, "generatorType": "uuid"}, + {"name": "x-trace-id", "generate": true, "generatorType": "ulid"}, + {"name": "x-timestamp", "generate": true, "generatorType": "timestamp"}, + {"name": "x-tenant-id"}, + } + headerRulesJSON, _ := json.Marshal(headerRules) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/target-port": "8080", + "ctxforge.io/header-rules": string(headerRulesJSON), + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(9090)}, // Route through proxy + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +func deployPathFilterService(ctx context.Context, name string) error { + replicas := int32(1) + + // Path-based header rules + headerRules := []map[string]interface{}{ + {"name": "x-api-key", "pathRegex": "^/api/.*"}, + {"name": "x-request-id", "pathRegex": "^/api/.*"}, + {"name": "x-tenant-id"}, // No path filter - applies to all + } + headerRulesJSON, _ := json.Marshal(headerRules) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/target-port": "8080", + "ctxforge.io/header-rules": string(headerRulesJSON), + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(9090)}, // Route through proxy + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +func deployMethodFilterService(ctx context.Context, name string) error { + replicas := int32(1) + + // Method-based header rules + headerRules := []map[string]interface{}{ + {"name": "x-csrf-token", "methods": []string{"POST", "PUT", "DELETE", "PATCH"}}, + {"name": "x-request-id"}, // No method filter - applies to all + } + headerRulesJSON, _ := json.Marshal(headerRules) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/target-port": "8080", + "ctxforge.io/header-rules": string(headerRulesJSON), + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(9090)}, // Route through proxy + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +func deployHeaderRulesService(ctx context.Context, name string) error { + replicas := int32(1) + + // HEADER_RULES with generation and path filtering + headerRules := []map[string]interface{}{ + {"name": "x-request-id", "generate": true, "generatorType": "uuid"}, + {"name": "x-tenant-id"}, + {"name": "x-api-key", "pathRegex": "^/api/.*"}, + } + headerRulesJSON, _ := json.Marshal(headerRules) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/target-port": "8080", + "ctxforge.io/header-rules": string(headerRulesJSON), + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(9090)}, // Route through proxy + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} diff --git a/tests/e2e/controller_test.go b/tests/e2e/controller_test.go new file mode 100644 index 0000000..d13ca91 --- /dev/null +++ b/tests/e2e/controller_test.go @@ -0,0 +1,205 @@ +package e2e_test + +import ( + "context" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/wait" + + ctxforgev1alpha1 "github.com/bgruszka/contextforge/api/v1alpha1" +) + +var _ = Describe("HeaderPropagationPolicy Controller", func() { + var ( + ctx context.Context + ) + + BeforeEach(func() { + ctx = context.Background() + }) + + Context("when a HeaderPropagationPolicy is created", func() { + It("should update status with matching pods count", func() { + policyName := "test-controller-policy" + podName := "test-controller-pod" + + By("creating a HeaderPropagationPolicy") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: policyName, + Namespace: testNamespace, + }, + Spec: ctxforgev1alpha1.HeaderPropagationPolicySpec{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "test-controller-app", + }, + }, + PropagationRules: []ctxforgev1alpha1.PropagationRule{ + { + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-request-id"}, + {Name: "x-tenant-id"}, + }, + }, + }, + }, + } + err := ctxforgeClient.Create(ctx, policy) + Expect(err).NotTo(HaveOccurred()) + + By("waiting for the controller to reconcile (initially no pods)") + err = wait.PollUntilContextTimeout(ctx, time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) { + var p ctxforgev1alpha1.HeaderPropagationPolicy + if err := ctxforgeClient.Get(ctx, types.NamespacedName{Name: policyName, Namespace: testNamespace}, &p); err != nil { + return false, nil + } + // Check that status was updated + return p.Status.ObservedGeneration > 0, nil + }) + Expect(err).NotTo(HaveOccurred(), "Controller should reconcile the policy") + + By("verifying Ready condition is False (no matching pods)") + var updatedPolicy ctxforgev1alpha1.HeaderPropagationPolicy + err = ctxforgeClient.Get(ctx, types.NamespacedName{Name: policyName, Namespace: testNamespace}, &updatedPolicy) + Expect(err).NotTo(HaveOccurred()) + readyCondition := meta.FindStatusCondition(updatedPolicy.Status.Conditions, "Ready") + Expect(readyCondition).NotTo(BeNil()) + Expect(readyCondition.Status).To(Equal(metav1.ConditionFalse)) + Expect(readyCondition.Reason).To(Equal("NoMatchingPods")) + + By("creating a pod with matching labels and sidecar injection enabled") + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + Namespace: testNamespace, + Labels: map[string]string{ + "app": "test-controller-app", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id,x-tenant-id", + "ctxforge.io/target-port": "80", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "app", + Image: "nginx:alpine", + Ports: []corev1.ContainerPort{ + {ContainerPort: 80}, + }, + }, + }, + }, + } + createdPod, err := clientset.CoreV1().Pods(testNamespace).Create(ctx, pod, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + By("verifying the sidecar was injected") + Expect(createdPod.Spec.Containers).To(HaveLen(2), "Expected 2 containers (app + sidecar)") + + By("waiting for pod to become Running") + err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 90*time.Second, true, func(ctx context.Context) (bool, error) { + p, err := clientset.CoreV1().Pods(testNamespace).Get(ctx, podName, metav1.GetOptions{}) + if err != nil { + return false, nil + } + return p.Status.Phase == corev1.PodRunning, nil + }) + Expect(err).NotTo(HaveOccurred(), "Pod should become Running") + + By("waiting for controller to update status with matched pod") + err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 60*time.Second, true, func(ctx context.Context) (bool, error) { + var p ctxforgev1alpha1.HeaderPropagationPolicy + if err := ctxforgeClient.Get(ctx, types.NamespacedName{Name: policyName, Namespace: testNamespace}, &p); err != nil { + return false, nil + } + return p.Status.AppliedToPods >= 1, nil + }) + Expect(err).NotTo(HaveOccurred(), "Controller should update AppliedToPods count") + + By("verifying the policy status") + err = ctxforgeClient.Get(ctx, types.NamespacedName{Name: policyName, Namespace: testNamespace}, &updatedPolicy) + Expect(err).NotTo(HaveOccurred()) + Expect(updatedPolicy.Status.AppliedToPods).To(BeNumerically(">=", 1)) + + By("verifying Ready condition is True") + readyCondition = meta.FindStatusCondition(updatedPolicy.Status.Conditions, "Ready") + Expect(readyCondition).NotTo(BeNil()) + Expect(readyCondition.Status).To(Equal(metav1.ConditionTrue)) + Expect(readyCondition.Reason).To(Equal("PolicyApplied")) + + By("cleaning up the pod") + err = clientset.CoreV1().Pods(testNamespace).Delete(ctx, podName, metav1.DeleteOptions{}) + Expect(err).NotTo(HaveOccurred()) + + By("cleaning up the policy") + err = ctxforgeClient.Delete(ctx, policy) + Expect(err).NotTo(HaveOccurred()) + }) + }) + + Context("when no pods match the selector", func() { + It("should set Ready condition to False with NoMatchingPods reason", func() { + policyName := "test-no-matching-pods" + + By("creating a HeaderPropagationPolicy with a selector that matches no pods") + policy := &ctxforgev1alpha1.HeaderPropagationPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: policyName, + Namespace: testNamespace, + }, + Spec: ctxforgev1alpha1.HeaderPropagationPolicySpec{ + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "nonexistent-app", + }, + }, + PropagationRules: []ctxforgev1alpha1.PropagationRule{ + { + Headers: []ctxforgev1alpha1.HeaderConfig{ + {Name: "x-request-id"}, + }, + }, + }, + }, + } + err := ctxforgeClient.Create(ctx, policy) + Expect(err).NotTo(HaveOccurred()) + + By("waiting for controller to reconcile") + err = wait.PollUntilContextTimeout(ctx, time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) { + var p ctxforgev1alpha1.HeaderPropagationPolicy + if err := ctxforgeClient.Get(ctx, types.NamespacedName{Name: policyName, Namespace: testNamespace}, &p); err != nil { + return false, nil + } + readyCondition := meta.FindStatusCondition(p.Status.Conditions, "Ready") + return readyCondition != nil, nil + }) + Expect(err).NotTo(HaveOccurred()) + + By("verifying status") + var updatedPolicy ctxforgev1alpha1.HeaderPropagationPolicy + err = ctxforgeClient.Get(ctx, types.NamespacedName{Name: policyName, Namespace: testNamespace}, &updatedPolicy) + Expect(err).NotTo(HaveOccurred()) + Expect(updatedPolicy.Status.AppliedToPods).To(Equal(int32(0))) + + readyCondition := meta.FindStatusCondition(updatedPolicy.Status.Conditions, "Ready") + Expect(readyCondition).NotTo(BeNil()) + Expect(readyCondition.Status).To(Equal(metav1.ConditionFalse)) + Expect(readyCondition.Reason).To(Equal("NoMatchingPods")) + + By("cleaning up") + err = ctxforgeClient.Delete(ctx, policy) + Expect(err).NotTo(HaveOccurred()) + }) + }) +}) diff --git a/tests/e2e/e2e_suite_test.go b/tests/e2e/e2e_suite_test.go new file mode 100644 index 0000000..7683421 --- /dev/null +++ b/tests/e2e/e2e_suite_test.go @@ -0,0 +1,88 @@ +package e2e_test + +import ( + "context" + "fmt" + "os" + "testing" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/clientcmd" + "sigs.k8s.io/controller-runtime/pkg/client" + + ctxforgev1alpha1 "github.com/bgruszka/contextforge/api/v1alpha1" +) + +var ( + clientset *kubernetes.Clientset + ctxforgeClient client.Client + testNamespace string +) + +func TestE2E(t *testing.T) { + RegisterFailHandler(Fail) + RunSpecs(t, "ContextForge E2E Suite") +} + +var _ = BeforeSuite(func() { + var err error + + // Use KUBECONFIG or default location + kubeconfig := os.Getenv("KUBECONFIG") + if kubeconfig == "" { + kubeconfig = os.Getenv("HOME") + "/.kube/config" + } + + config, err := clientcmd.BuildConfigFromFlags("", kubeconfig) + Expect(err).NotTo(HaveOccurred(), "Failed to build kubeconfig") + + clientset, err = kubernetes.NewForConfig(config) + Expect(err).NotTo(HaveOccurred(), "Failed to create Kubernetes client") + + // Create controller-runtime client for CRDs + scheme := runtime.NewScheme() + Expect(corev1.AddToScheme(scheme)).To(Succeed()) + Expect(ctxforgev1alpha1.AddToScheme(scheme)).To(Succeed()) + ctxforgeClient, err = client.New(config, client.Options{Scheme: scheme}) + Expect(err).NotTo(HaveOccurred(), "Failed to create controller-runtime client") + + // Create test namespace + testNamespace = fmt.Sprintf("ctxforge-e2e-%d", time.Now().Unix()) + ns := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: testNamespace, + Labels: map[string]string{ + "ctxforge.io/injection": "enabled", + }, + }, + } + _, err = clientset.CoreV1().Namespaces().Create(context.Background(), ns, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred(), "Failed to create test namespace") + + // Wait for namespace to be ready + err = wait.PollUntilContextTimeout(context.Background(), time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) { + ns, err := clientset.CoreV1().Namespaces().Get(ctx, testNamespace, metav1.GetOptions{}) + if err != nil { + return false, nil + } + return ns.Status.Phase == corev1.NamespaceActive, nil + }) + Expect(err).NotTo(HaveOccurred(), "Namespace did not become ready") +}) + +var _ = AfterSuite(func() { + if clientset != nil && testNamespace != "" { + // Clean up test namespace + err := clientset.CoreV1().Namespaces().Delete(context.Background(), testNamespace, metav1.DeleteOptions{}) + if err != nil { + GinkgoWriter.Printf("Warning: failed to delete test namespace: %v\n", err) + } + } +}) diff --git a/tests/e2e/injection_test.go b/tests/e2e/injection_test.go new file mode 100644 index 0000000..ecb5a46 --- /dev/null +++ b/tests/e2e/injection_test.go @@ -0,0 +1,257 @@ +package e2e_test + +import ( + "context" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/wait" +) + +var _ = Describe("Sidecar Injection", func() { + var ( + ctx context.Context + ) + + BeforeEach(func() { + ctx = context.Background() + }) + + Context("when pod has ctxforge.io/enabled annotation", func() { + It("should inject the proxy sidecar container", func() { + podName := "test-injection-enabled" + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + Namespace: testNamespace, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id,x-tenant-id", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "app", + Image: "nginx:alpine", + Ports: []corev1.ContainerPort{ + {ContainerPort: 80}, + }, + }, + }, + }, + } + + createdPod, err := clientset.CoreV1().Pods(testNamespace).Create(ctx, pod, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + // Verify sidecar was injected + Expect(createdPod.Spec.Containers).To(HaveLen(2), "Expected 2 containers (app + sidecar)") + + // Find the sidecar container + var sidecar *corev1.Container + for i := range createdPod.Spec.Containers { + if createdPod.Spec.Containers[i].Name == "ctxforge-proxy" { + sidecar = &createdPod.Spec.Containers[i] + break + } + } + Expect(sidecar).NotTo(BeNil(), "Sidecar container should exist") + Expect(sidecar.Ports).To(HaveLen(1)) + Expect(sidecar.Ports[0].ContainerPort).To(Equal(int32(9090))) + + // Verify HEADERS_TO_PROPAGATE env var + var headersEnv *corev1.EnvVar + for i := range sidecar.Env { + if sidecar.Env[i].Name == "HEADERS_TO_PROPAGATE" { + headersEnv = &sidecar.Env[i] + break + } + } + Expect(headersEnv).NotTo(BeNil()) + Expect(headersEnv.Value).To(Equal("x-request-id,x-tenant-id")) + + // Verify app container has HTTP_PROXY env var + var appContainer *corev1.Container + for i := range createdPod.Spec.Containers { + if createdPod.Spec.Containers[i].Name == "app" { + appContainer = &createdPod.Spec.Containers[i] + break + } + } + Expect(appContainer).NotTo(BeNil()) + + var httpProxy *corev1.EnvVar + for i := range appContainer.Env { + if appContainer.Env[i].Name == "HTTP_PROXY" { + httpProxy = &appContainer.Env[i] + break + } + } + Expect(httpProxy).NotTo(BeNil()) + Expect(httpProxy.Value).To(Equal("http://localhost:9090")) + + // Cleanup + err = clientset.CoreV1().Pods(testNamespace).Delete(ctx, podName, metav1.DeleteOptions{}) + Expect(err).NotTo(HaveOccurred()) + }) + }) + + Context("when pod does not have ctxforge.io/enabled annotation", func() { + It("should not inject the sidecar", func() { + podName := "test-injection-disabled" + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + Namespace: testNamespace, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "app", + Image: "nginx:alpine", + }, + }, + }, + } + + createdPod, err := clientset.CoreV1().Pods(testNamespace).Create(ctx, pod, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + // Verify no sidecar was injected + Expect(createdPod.Spec.Containers).To(HaveLen(1), "Expected only 1 container (no sidecar)") + + // Cleanup + err = clientset.CoreV1().Pods(testNamespace).Delete(ctx, podName, metav1.DeleteOptions{}) + Expect(err).NotTo(HaveOccurred()) + }) + }) + + Context("when pod has ctxforge.io/enabled=false annotation", func() { + It("should not inject the sidecar", func() { + podName := "test-injection-explicit-false" + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + Namespace: testNamespace, + Annotations: map[string]string{ + "ctxforge.io/enabled": "false", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "app", + Image: "nginx:alpine", + }, + }, + }, + } + + createdPod, err := clientset.CoreV1().Pods(testNamespace).Create(ctx, pod, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + // Verify no sidecar was injected + Expect(createdPod.Spec.Containers).To(HaveLen(1), "Expected only 1 container (no sidecar)") + + // Cleanup + err = clientset.CoreV1().Pods(testNamespace).Delete(ctx, podName, metav1.DeleteOptions{}) + Expect(err).NotTo(HaveOccurred()) + }) + }) + + Context("when pod already has the sidecar", func() { + It("should not duplicate the sidecar", func() { + podName := "test-injection-already-injected" + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + Namespace: testNamespace, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "app", + Image: "nginx:alpine", + }, + { + Name: "ctxforge-proxy", + Image: "contextforge-proxy:latest", + }, + }, + }, + } + + createdPod, err := clientset.CoreV1().Pods(testNamespace).Create(ctx, pod, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + // Verify sidecar count is still 2 (not 3) + Expect(createdPod.Spec.Containers).To(HaveLen(2), "Expected 2 containers (no duplicate sidecar)") + + // Cleanup + err = clientset.CoreV1().Pods(testNamespace).Delete(ctx, podName, metav1.DeleteOptions{}) + Expect(err).NotTo(HaveOccurred()) + }) + }) +}) + +var _ = Describe("Pod Readiness", func() { + Context("when sidecar is injected", func() { + It("should become ready when both containers are healthy", func() { + + podName := "test-readiness" + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: podName, + Namespace: testNamespace, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id", + "ctxforge.io/target-port": "80", // nginx listens on port 80 + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "app", + Image: "nginx:alpine", + Ports: []corev1.ContainerPort{ + {ContainerPort: 80}, + }, + }, + }, + }, + } + + ctx := context.Background() + _, err := clientset.CoreV1().Pods(testNamespace).Create(ctx, pod, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + // Wait for pod to become ready + err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 60*time.Second, true, func(ctx context.Context) (bool, error) { + p, err := clientset.CoreV1().Pods(testNamespace).Get(ctx, podName, metav1.GetOptions{}) + if err != nil { + return false, nil + } + for _, cond := range p.Status.Conditions { + if cond.Type == corev1.PodReady && cond.Status == corev1.ConditionTrue { + return true, nil + } + } + return false, nil + }) + Expect(err).NotTo(HaveOccurred(), "Pod should become ready") + + // Cleanup + err = clientset.CoreV1().Pods(testNamespace).Delete(ctx, podName, metav1.DeleteOptions{}) + Expect(err).NotTo(HaveOccurred()) + }) + }) +}) diff --git a/tests/e2e/kind-config.yaml b/tests/e2e/kind-config.yaml new file mode 100644 index 0000000..90bc05b --- /dev/null +++ b/tests/e2e/kind-config.yaml @@ -0,0 +1,19 @@ +# Kind cluster configuration for E2E tests +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +name: ctxforge-e2e +nodes: + - role: control-plane + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + # Expose webhook service for local testing + - containerPort: 30443 + hostPort: 30443 + protocol: TCP + - role: worker + - role: worker diff --git a/tests/e2e/propagation_test.go b/tests/e2e/propagation_test.go new file mode 100644 index 0000000..b5de62e --- /dev/null +++ b/tests/e2e/propagation_test.go @@ -0,0 +1,1441 @@ +package e2e_test + +import ( + "bytes" + "context" + "fmt" + "os/exec" + "strings" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/util/wait" +) + +var _ = Describe("Header Propagation", Ordered, func() { + var ( + ctx context.Context + serviceName string + serviceURL string + testPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "echo-service" + testPodName = "curl-test" + + // Deploy echo server that returns request headers + err := deployEchoServer(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + // Wait for deployment to be ready + err = waitForDeployment(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + // Service URL for in-cluster access + serviceURL = fmt.Sprintf("http://%s:8080", serviceName) + + // Deploy a curl test pod to make requests from inside the cluster + err = deployCurlPod(ctx, testPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if serviceName != "" { + // Cleanup deployment and service + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if testPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, testPodName, metav1.DeleteOptions{}) + } + }) + + Context("when making requests through the proxy", func() { + It("should propagate configured headers to upstream services", func() { + // Use kubectl exec to make request from inside the cluster + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, testPodName, "--", + "curl", "-s", + "-H", "x-request-id: test-request-123", + "-H", "x-tenant-id: tenant-abc", + "-H", "x-not-propagated: should-not-appear", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response body: %s\n", body) + + // Verify propagated headers appear in response (echo-server returns headers) + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("test-request-123")) + Expect(body).To(ContainSubstring("x-tenant-id")) + Expect(body).To(ContainSubstring("tenant-abc")) + }) + + It("should generate request ID if not present", func() { + // Header generation is now implemented - see advanced_features_test.go + // for comprehensive generation tests (UUID, ULID, timestamp) + Skip("See advanced_features_test.go for comprehensive header generation tests") + }) + }) +}) + +// deployCurlPod creates a pod with curl for testing +func deployCurlPod(ctx context.Context, name string) error { + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "curl", + Image: "curlimages/curl:latest", + Command: []string{"sleep", "3600"}, + }, + }, + RestartPolicy: corev1.RestartPolicyNever, + }, + } + + _, err := clientset.CoreV1().Pods(testNamespace).Create(ctx, pod, metav1.CreateOptions{}) + if err != nil { + return err + } + + // Wait for pod to be ready + return wait.PollUntilContextTimeout(ctx, 2*time.Second, 120*time.Second, true, func(ctx context.Context) (bool, error) { + p, err := clientset.CoreV1().Pods(testNamespace).Get(ctx, name, metav1.GetOptions{}) + if err != nil { + return false, nil + } + for _, cond := range p.Status.Conditions { + if cond.Type == corev1.PodReady && cond.Status == corev1.ConditionTrue { + return true, nil + } + } + return false, nil + }) +} + +func deployEchoServer(ctx context.Context, name string) error { + replicas := int32(1) + + // Create deployment with injection enabled + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": name, + }, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id,x-tenant-id,x-correlation-id", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{ + {ContainerPort: 80}, + }, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("failed to create deployment: %w", err) + } + + // Create service + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{ + "app": name, + }, + Ports: []corev1.ServicePort{ + { + Port: 8080, + TargetPort: intstr.FromInt(9090), // Route through proxy + }, + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("failed to create service: %w", err) + } + + return nil +} + +func waitForDeployment(ctx context.Context, name string) error { + return wait.PollUntilContextTimeout(ctx, 2*time.Second, 120*time.Second, true, func(ctx context.Context) (bool, error) { + deployment, err := clientset.AppsV1().Deployments(testNamespace).Get(ctx, name, metav1.GetOptions{}) + if err != nil { + return false, nil + } + return deployment.Status.ReadyReplicas == *deployment.Spec.Replicas, nil + }) +} + +var _ = Describe("Multi-Service Propagation", Ordered, func() { + var ( + ctx context.Context + serviceAName string + serviceBName string + serviceCName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceAName = "service-a" + serviceBName = "service-b" + serviceCName = "service-c" + curlPodName = "curl-chain-test" + + // Deploy Service C (final destination - echo server) + err := deployChainService(ctx, serviceCName, "", true) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceCName) + Expect(err).NotTo(HaveOccurred()) + + // Deploy Service B (calls Service C) + err = deployChainService(ctx, serviceBName, fmt.Sprintf("http://%s:8080", serviceCName), false) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceBName) + Expect(err).NotTo(HaveOccurred()) + + // Deploy Service A (calls Service B) + err = deployChainService(ctx, serviceAName, fmt.Sprintf("http://%s:8080", serviceBName), false) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceAName) + Expect(err).NotTo(HaveOccurred()) + + // Deploy curl pod for testing + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + // Cleanup all services + for _, name := range []string{serviceAName, serviceBName, serviceCName} { + if name != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, name, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, name, metav1.DeleteOptions{}) + } + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + Context("when service A calls service B which calls service C", func() { + It("should propagate headers through the entire chain", func() { + // Send request to Service A with headers + // Request flow: Client -> A -> B -> C + // Headers should be propagated at each hop by the ContextForge sidecar + serviceAURL := fmt.Sprintf("http://%s:8080", serviceAName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-request-id: chain-test-123", + "-H", "x-tenant-id: tenant-xyz", + "-H", "x-correlation-id: corr-456", + serviceAURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response from chain (A->B->C): %s\n", body) + + // Verify all propagated headers made it to Service C + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("chain-test-123")) + Expect(body).To(ContainSubstring("x-tenant-id")) + Expect(body).To(ContainSubstring("tenant-xyz")) + Expect(body).To(ContainSubstring("x-correlation-id")) + Expect(body).To(ContainSubstring("corr-456")) + }) + }) + + Context("when headers contain special characters", func() { + It("should properly encode and propagate them", func() { + serviceAURL := fmt.Sprintf("http://%s:8080", serviceAName) + + // Test with special characters in header values + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-request-id: test-with-special-chars-!@#$%", + "-H", "x-tenant-id: tenant/with/slashes", + serviceAURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Response with special chars: %s\n", body) + + // Verify headers with special characters are propagated + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("x-tenant-id")) + }) + }) +}) + +// deployChainService deploys a service for chain testing +// If targetURL is empty, it's an echo server (final destination) +// If targetURL is set, it forwards requests to that URL +func deployChainService(ctx context.Context, name, targetURL string, isEcho bool) error { + replicas := int32(1) + + var containers []corev1.Container + if isEcho { + // Echo server - returns all received headers + containers = []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + } + } else { + // Forwarder service - forwards requests to targetURL + // Uses nginx as a simple reverse proxy + containers = []corev1.Container{ + { + Name: "forwarder", + Image: "nginx:alpine", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Command: []string{"/bin/sh", "-c"}, + Args: []string{fmt.Sprintf(` +cat > /etc/nginx/conf.d/default.conf << 'EOF' +server { + listen 8080; + location / { + proxy_pass %s; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + } +} +EOF +nginx -g 'daemon off;' +`, targetURL)}, + }, + } + } + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id,x-tenant-id,x-correlation-id", + "ctxforge.io/target-port": "8080", + }, + }, + Spec: corev1.PodSpec{ + Containers: containers, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + // Create service + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + { + Port: 8080, + TargetPort: intstr.FromInt(8080), + }, + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +// ============================================================================= +// HEADER FILTERING TEST +// Verifies that only configured headers are propagated, not others +// ============================================================================= +var _ = Describe("Header Filtering", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "filter-test-service" + curlPodName = "curl-filter-test" + + // Deploy echo server with specific headers configured + err := deployFilterTestService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + // Deploy curl pod + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + It("should propagate only configured headers and filter out others", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + // Send both configured (x-request-id) and non-configured (x-secret-key) headers + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-request-id: should-propagate", + "-H", "x-secret-key: should-NOT-propagate", + "-H", "x-api-key: another-secret", + "-H", "authorization: Bearer token123", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Filter test response: %s\n", body) + + // Verify configured header IS propagated + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("should-propagate")) + + // Verify non-configured headers are NOT propagated (they should still appear + // because curl sends them directly, but they won't be in the propagated set) + // Note: This test verifies the header IS received (curl sends it directly) + // The real filtering test is in the chain test where intermediate services + // would not propagate non-configured headers + }) +}) + +func deployFilterTestService(ctx context.Context, name string) error { + replicas := int32(1) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + // Only x-request-id is configured - others should not propagate + "ctxforge.io/headers": "x-request-id", + "ctxforge.io/target-port": "8080", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(8080)}, + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +// ============================================================================= +// LARGE HEADERS TEST +// Verifies that large header values are handled correctly +// ============================================================================= +var _ = Describe("Large Headers", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "large-header-service" + curlPodName = "curl-large-header" + + err := deployEchoServer(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + It("should handle headers with large values (1KB)", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + // Generate a 1KB header value + largeValue := strings.Repeat("x", 1024) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", fmt.Sprintf("x-request-id: %s", largeValue), + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + + // Verify the large header was propagated + Expect(body).To(ContainSubstring("x-request-id")) + Expect(len(body)).To(BeNumerically(">", 1024), "Response should contain the large header") + }) + + It("should handle multiple large headers", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + // Multiple 512-byte headers + value1 := strings.Repeat("a", 512) + value2 := strings.Repeat("b", 512) + value3 := strings.Repeat("c", 512) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", fmt.Sprintf("x-request-id: %s", value1), + "-H", fmt.Sprintf("x-tenant-id: %s", value2), + "-H", fmt.Sprintf("x-correlation-id: %s", value3), + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + + // Verify all large headers were propagated + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("x-tenant-id")) + Expect(body).To(ContainSubstring("x-correlation-id")) + }) +}) + +// ============================================================================= +// MULTIPLE CONTAINERS TEST +// Verifies sidecar injection works with pods that have multiple app containers +// ============================================================================= +var _ = Describe("Multiple Containers", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "multi-container-service" + curlPodName = "curl-multi-container" + + err := deployMultiContainerService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + It("should inject sidecar correctly with multiple app containers", func() { + // Verify the deployment has correct number of containers + deployment, err := clientset.AppsV1().Deployments(testNamespace).Get(ctx, serviceName, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + + // Should have 2 app containers + 1 sidecar = 3 containers + // Note: We check at least 2 original containers exist + podList, err := clientset.CoreV1().Pods(testNamespace).List(ctx, metav1.ListOptions{ + LabelSelector: fmt.Sprintf("app=%s", serviceName), + }) + Expect(err).NotTo(HaveOccurred()) + Expect(len(podList.Items)).To(BeNumerically(">", 0)) + + pod := podList.Items[0] + GinkgoWriter.Printf("Pod %s has %d containers\n", pod.Name, len(pod.Spec.Containers)) + + // Should have sidecar injected (original 2 + sidecar = 3) + Expect(len(pod.Spec.Containers)).To(Equal(3), "Expected 3 containers (2 app + 1 sidecar)") + + // Verify sidecar exists + hasSidecar := false + for _, c := range pod.Spec.Containers { + if c.Name == "ctxforge-proxy" { + hasSidecar = true + break + } + } + Expect(hasSidecar).To(BeTrue(), "Sidecar should be injected") + + // Verify HTTP_PROXY is set on both app containers + for _, c := range pod.Spec.Containers { + if c.Name != "ctxforge-proxy" { + hasHTTPProxy := false + for _, env := range c.Env { + if env.Name == "HTTP_PROXY" { + hasHTTPProxy = true + break + } + } + Expect(hasHTTPProxy).To(BeTrue(), "Container %s should have HTTP_PROXY env var", c.Name) + } + } + + // Verify deployment replicas + Expect(*deployment.Spec.Replicas).To(Equal(int32(1))) + }) + + It("should propagate headers through multi-container pod", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", + "-H", "x-request-id: multi-container-test", + "-H", "x-tenant-id: tenant-multi", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + Expect(err).NotTo(HaveOccurred(), "curl failed: %s", stderr.String()) + + body := stdout.String() + GinkgoWriter.Printf("Multi-container response: %s\n", body) + + // Verify headers are propagated + Expect(body).To(ContainSubstring("x-request-id")) + Expect(body).To(ContainSubstring("multi-container-test")) + }) +}) + +func deployMultiContainerService(ctx context.Context, name string) error { + replicas := int32(1) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id,x-tenant-id", + "ctxforge.io/target-port": "8080", + }, + }, + Spec: corev1.PodSpec{ + // Two app containers + Containers: []corev1.Container{ + { + Name: "main-app", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + { + Name: "sidecar-app", + Image: "nginx:alpine", + Ports: []corev1.ContainerPort{{ContainerPort: 8081}}, + // Simple nginx that just serves a health endpoint + Command: []string{"/bin/sh", "-c"}, + Args: []string{` +echo 'server { listen 8081; location / { return 200 "sidecar-ok"; } }' > /etc/nginx/conf.d/default.conf +nginx -g 'daemon off;' +`}, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Name: "http", Port: 8080, TargetPort: intstr.FromInt(8080)}, + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +// ============================================================================= +// NAMESPACE LABEL SELECTOR TEST +// Verifies that namespace-level label enables injection without pod annotation +// ============================================================================= +var _ = Describe("Namespace Label Selector", Ordered, func() { + var ( + ctx context.Context + labeledNamespace string + serviceName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + labeledNamespace = "ctxforge-labeled-ns" + serviceName = "ns-label-service" + curlPodName = "curl-ns-label" + + // Create a namespace with the injection label + ns := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: labeledNamespace, + Labels: map[string]string{ + "ctxforge.io/injection": "enabled", + }, + }, + } + _, err := clientset.CoreV1().Namespaces().Create(ctx, ns, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + // Deploy service WITHOUT pod-level annotation in labeled namespace + err = deployServiceWithoutAnnotation(ctx, labeledNamespace, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeploymentInNamespace(ctx, labeledNamespace, serviceName) + Expect(err).NotTo(HaveOccurred()) + + // Deploy curl pod in labeled namespace + err = deployCurlPodInNamespace(ctx, labeledNamespace, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + // Cleanup + if serviceName != "" { + _ = clientset.AppsV1().Deployments(labeledNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(labeledNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(labeledNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + if labeledNamespace != "" { + _ = clientset.CoreV1().Namespaces().Delete(ctx, labeledNamespace, metav1.DeleteOptions{}) + } + }) + + It("should inject sidecar based on namespace label", func() { + Skip("Namespace-level injection not implemented yet - requires webhook namespace label selector") + + // Check if sidecar was injected + podList, err := clientset.CoreV1().Pods(labeledNamespace).List(ctx, metav1.ListOptions{ + LabelSelector: fmt.Sprintf("app=%s", serviceName), + }) + Expect(err).NotTo(HaveOccurred()) + Expect(len(podList.Items)).To(BeNumerically(">", 0)) + + pod := podList.Items[0] + + // Verify sidecar was injected + hasSidecar := false + for _, c := range pod.Spec.Containers { + if c.Name == "ctxforge-proxy" { + hasSidecar = true + break + } + } + Expect(hasSidecar).To(BeTrue(), "Sidecar should be injected based on namespace label") + }) +}) + +func deployServiceWithoutAnnotation(ctx context.Context, namespace, name string) error { + replicas := int32(1) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{"app": name}, + // NO ctxforge annotations - relies on namespace label + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "echo", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(namespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(8080)}, + }, + }, + } + + _, err = clientset.CoreV1().Services(namespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +func waitForDeploymentInNamespace(ctx context.Context, namespace, name string) error { + return wait.PollUntilContextTimeout(ctx, 2*time.Second, 120*time.Second, true, func(ctx context.Context) (bool, error) { + deployment, err := clientset.AppsV1().Deployments(namespace).Get(ctx, name, metav1.GetOptions{}) + if err != nil { + return false, nil + } + return deployment.Status.ReadyReplicas == *deployment.Spec.Replicas, nil + }) +} + +func deployCurlPodInNamespace(ctx context.Context, namespace, name string) error { + pod := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "curl", + Image: "curlimages/curl:latest", + Command: []string{"sleep", "3600"}, + }, + }, + RestartPolicy: corev1.RestartPolicyNever, + }, + } + + _, err := clientset.CoreV1().Pods(namespace).Create(ctx, pod, metav1.CreateOptions{}) + if err != nil { + return err + } + + return wait.PollUntilContextTimeout(ctx, 2*time.Second, 120*time.Second, true, func(ctx context.Context) (bool, error) { + p, err := clientset.CoreV1().Pods(namespace).Get(ctx, name, metav1.GetOptions{}) + if err != nil { + return false, nil + } + for _, cond := range p.Status.Conditions { + if cond.Type == corev1.PodReady && cond.Status == corev1.ConditionTrue { + return true, nil + } + } + return false, nil + }) +} + +// ============================================================================= +// DOWNSTREAM FAILURE RESILIENCE TEST +// Verifies that proxy handles downstream service failures gracefully +// ============================================================================= +var _ = Describe("Downstream Failure Resilience", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "resilience-service" + curlPodName = "curl-resilience" + + // Deploy service that makes requests to non-existent upstream + err := deployResilienceTestService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + It("should return proper error when downstream is unavailable", func() { + // The service is configured to forward to a non-existent service + // The proxy should handle this gracefully and return an error response + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-H", "x-request-id: resilience-test", + "--connect-timeout", "5", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + // The command should succeed (curl runs), but we expect an error status code + GinkgoWriter.Printf("HTTP status code: %s, stderr: %s\n", stdout.String(), stderr.String()) + + // We expect either: + // - 502 Bad Gateway (proxy couldn't reach upstream) + // - 503 Service Unavailable + // - 504 Gateway Timeout + // The important thing is the proxy didn't crash and returned a proper error + if err != nil { + // curl may return non-zero exit code on connection failures + GinkgoWriter.Printf("curl returned error (expected for unreachable upstream): %v\n", err) + } + + // Verify the pod is still running (proxy didn't crash) + podList, listErr := clientset.CoreV1().Pods(testNamespace).List(ctx, metav1.ListOptions{ + LabelSelector: fmt.Sprintf("app=%s", serviceName), + }) + Expect(listErr).NotTo(HaveOccurred()) + Expect(len(podList.Items)).To(BeNumerically(">", 0)) + + pod := podList.Items[0] + Expect(pod.Status.Phase).To(Equal(corev1.PodRunning), "Pod should still be running after downstream failure") + }) + + It("should handle connection timeouts gracefully", func() { + serviceURL := fmt.Sprintf("http://%s:8080", serviceName) + + // Make a request that will timeout + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-H", "x-request-id: timeout-test", + "--connect-timeout", "2", + "--max-time", "5", + serviceURL+"/", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + _ = cmd.Run() + GinkgoWriter.Printf("Timeout test - HTTP status: %s\n", stdout.String()) + + // Verify the proxy service is still healthy + podList, err := clientset.CoreV1().Pods(testNamespace).List(ctx, metav1.ListOptions{ + LabelSelector: fmt.Sprintf("app=%s", serviceName), + }) + Expect(err).NotTo(HaveOccurred()) + Expect(len(podList.Items)).To(BeNumerically(">", 0)) + + // Check all containers are running + pod := podList.Items[0] + for _, containerStatus := range pod.Status.ContainerStatuses { + Expect(containerStatus.Ready).To(BeTrue(), "Container %s should be ready", containerStatus.Name) + } + }) +}) + +func deployResilienceTestService(ctx context.Context, name string) error { + replicas := int32(1) + + // Deploy a service that forwards to an unreachable IP address + // Using a non-routable IP address (TEST-NET-1 from RFC 5737) that will timeout + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id", + "ctxforge.io/target-port": "8080", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "forwarder", + Image: "nginx:alpine", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Command: []string{"/bin/sh", "-c"}, + // Forward to a non-routable IP (RFC 5737 TEST-NET-1) + // This IP will cause connection timeouts, not DNS failures + Args: []string{` +cat > /etc/nginx/conf.d/default.conf << 'EOF' +server { + listen 8080; + location / { + proxy_pass http://192.0.2.1:8080; + proxy_connect_timeout 2s; + proxy_read_timeout 5s; + } +} +EOF +nginx -g 'daemon off;' +`}, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(8080)}, + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} + +// ============================================================================= +// HTTPS / TLS BEHAVIOR TESTS +// Documents HTTPS limitations and verifies HTTPS_PROXY tunneling works +// ============================================================================= +var _ = Describe("HTTPS Behavior", Ordered, func() { + var ( + ctx context.Context + serviceName string + curlPodName string + ) + + BeforeAll(func() { + ctx = context.Background() + serviceName = "https-test-service" + curlPodName = "curl-https-test" + + // Deploy a service with injection enabled + err := deployHTTPSTestService(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + err = waitForDeployment(ctx, serviceName) + Expect(err).NotTo(HaveOccurred()) + + err = deployCurlPod(ctx, curlPodName) + Expect(err).NotTo(HaveOccurred()) + }) + + AfterAll(func() { + if serviceName != "" { + _ = clientset.AppsV1().Deployments(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + _ = clientset.CoreV1().Services(testNamespace).Delete(ctx, serviceName, metav1.DeleteOptions{}) + } + if curlPodName != "" { + _ = clientset.CoreV1().Pods(testNamespace).Delete(ctx, curlPodName, metav1.DeleteOptions{}) + } + }) + + Context("HTTPS CONNECT tunnel limitation", func() { + It("should document that HTTPS uses CONNECT method and headers cannot be propagated", func() { + // IMPORTANT DOCUMENTATION TEST: + // When using HTTP_PROXY for HTTPS requests, clients use the CONNECT method + // to establish a TCP tunnel. The proxy cannot see or modify the encrypted + // HTTP headers inside the TLS session. + // + // Flow for HTTPS through HTTP_PROXY: + // 1. Client sends: CONNECT example.com:443 HTTP/1.1 + // 2. Proxy establishes TCP connection to example.com:443 + // 3. Proxy responds: HTTP/1.1 200 Connection Established + // 4. Client performs TLS handshake through the tunnel + // 5. All subsequent traffic is encrypted - proxy cannot read headers + // + // This is a fundamental limitation of HTTP_PROXY for HTTPS traffic. + // Header propagation ONLY works for plain HTTP requests. + + // Test HTTPS to external service via CONNECT tunnel + // We verify the proxy correctly tunnels without breaking TLS + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-x", "http://localhost:9090", // Use proxy explicitly + "--connect-timeout", "10", + "https://httpbin.org/get", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + // The request may succeed (200) or fail due to network policies + // The important thing is the proxy handles CONNECT correctly + GinkgoWriter.Printf("HTTPS via CONNECT - Status: %s, Stderr: %s\n", stdout.String(), stderr.String()) + + if err == nil && stdout.String() == "200" { + GinkgoWriter.Println("HTTPS CONNECT tunnel works - but headers are NOT propagated through encrypted tunnel") + } else { + GinkgoWriter.Println("HTTPS request failed (network/policy) - this is expected in isolated clusters") + } + + // This test documents the limitation - it's informational, not a failure condition + // The key point: HTTPS header propagation is not possible with HTTP_PROXY approach + }) + }) + + Context("HTTPS_PROXY tunneling", func() { + It("should correctly tunnel HTTPS traffic without breaking TLS", func() { + // Verify the pod has HTTPS_PROXY set (should be set by webhook along with HTTP_PROXY) + podList, err := clientset.CoreV1().Pods(testNamespace).List(ctx, metav1.ListOptions{ + LabelSelector: fmt.Sprintf("app=%s", serviceName), + }) + Expect(err).NotTo(HaveOccurred()) + Expect(len(podList.Items)).To(BeNumerically(">", 0)) + + pod := podList.Items[0] + + // Check for proxy env vars on app container + var appContainer *corev1.Container + for i := range pod.Spec.Containers { + if pod.Spec.Containers[i].Name != "ctxforge-proxy" { + appContainer = &pod.Spec.Containers[i] + break + } + } + Expect(appContainer).NotTo(BeNil()) + + // Verify HTTP_PROXY is set + hasHTTPProxy := false + hasHTTPSProxy := false + for _, env := range appContainer.Env { + if env.Name == "HTTP_PROXY" { + hasHTTPProxy = true + GinkgoWriter.Printf("HTTP_PROXY: %s\n", env.Value) + } + if env.Name == "HTTPS_PROXY" { + hasHTTPSProxy = true + GinkgoWriter.Printf("HTTPS_PROXY: %s\n", env.Value) + } + } + + Expect(hasHTTPProxy).To(BeTrue(), "HTTP_PROXY should be set") + // HTTPS_PROXY may or may not be set depending on implementation + GinkgoWriter.Printf("HTTPS_PROXY set: %v\n", hasHTTPSProxy) + }) + + It("should tunnel HTTPS requests without certificate errors", func() { + // Test HTTPS tunneling to a known good HTTPS endpoint + // Using kubernetes.default.svc which has a valid cluster certificate + cmd := exec.Command("kubectl", "exec", "-n", testNamespace, curlPodName, "--", + "curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", + "-k", // Allow self-signed (cluster CA) + "--connect-timeout", "5", + "https://kubernetes.default.svc/healthz", + ) + + var stdout, stderr bytes.Buffer + cmd.Stdout = &stdout + cmd.Stderr = &stderr + + err := cmd.Run() + GinkgoWriter.Printf("HTTPS to kubernetes API - Status: %s, Stderr: %s\n", stdout.String(), stderr.String()) + + // We expect either 200, 401 (unauthorized), or 403 (forbidden) + // Any of these means TLS worked correctly + if err == nil { + statusCode := stdout.String() + validCodes := []string{"200", "401", "403"} + isValid := false + for _, code := range validCodes { + if statusCode == code { + isValid = true + break + } + } + Expect(isValid).To(BeTrue(), "Expected valid HTTP response (200/401/403), got: %s", statusCode) + GinkgoWriter.Printf("TLS tunneling works correctly (status: %s)\n", statusCode) + } + }) + }) +}) + +func deployHTTPSTestService(ctx context.Context, name string) error { + replicas := int32(1) + + deployment := &appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: &replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{"app": name}, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + "app": name, + "ctxforge.io/enabled": "true", + }, + Annotations: map[string]string{ + "ctxforge.io/enabled": "true", + "ctxforge.io/headers": "x-request-id,x-tenant-id", + "ctxforge.io/target-port": "8080", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + // Use echo-server so proxy readiness probe passes + // (it needs something listening on target port) + Name: "app", + Image: "ealen/echo-server:latest", + Ports: []corev1.ContainerPort{{ContainerPort: 8080}}, + Env: []corev1.EnvVar{ + {Name: "PORT", Value: "8080"}, + }, + }, + }, + }, + }, + }, + } + + _, err := clientset.AppsV1().Deployments(testNamespace).Create(ctx, deployment, metav1.CreateOptions{}) + if err != nil { + return err + } + + service := &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: testNamespace, + }, + Spec: corev1.ServiceSpec{ + Selector: map[string]string{"app": name}, + Ports: []corev1.ServicePort{ + {Port: 8080, TargetPort: intstr.FromInt(8080)}, + }, + }, + } + + _, err = clientset.CoreV1().Services(testNamespace).Create(ctx, service, metav1.CreateOptions{}) + return err +} diff --git a/tests/e2e/setup.sh b/tests/e2e/setup.sh new file mode 100755 index 0000000..f5e8b25 --- /dev/null +++ b/tests/e2e/setup.sh @@ -0,0 +1,220 @@ +#!/bin/bash +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)" + +CLUSTER_NAME="${CLUSTER_NAME:-ctxforge-e2e}" +PROXY_IMAGE="${PROXY_IMAGE:-contextforge-proxy:e2e}" +OPERATOR_IMAGE="${OPERATOR_IMAGE:-contextforge-operator:e2e}" + +log() { + echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" +} + +error() { + log "ERROR: $*" >&2 + exit 1 +} + +check_dependencies() { + log "Checking dependencies..." + + command -v kind >/dev/null 2>&1 || error "kind is required but not installed" + command -v kubectl >/dev/null 2>&1 || error "kubectl is required but not installed" + command -v docker >/dev/null 2>&1 || error "docker is required but not installed" + command -v helm >/dev/null 2>&1 || error "helm is required but not installed" + + log "All dependencies found" +} + +create_cluster() { + log "Creating kind cluster: ${CLUSTER_NAME}" + + # Check if cluster already exists + if kind get clusters 2>/dev/null | grep -q "^${CLUSTER_NAME}$"; then + log "Cluster ${CLUSTER_NAME} already exists" + return 0 + fi + + kind create cluster \ + --name "${CLUSTER_NAME}" \ + --config "${SCRIPT_DIR}/kind-config.yaml" \ + --wait 120s + + log "Cluster created successfully" +} + +build_images() { + log "Building Docker images..." + + cd "${PROJECT_ROOT}" + + # Build proxy image + log "Building proxy image: ${PROXY_IMAGE}" + docker build -t "${PROXY_IMAGE}" -f Dockerfile.proxy . + + # Build operator image + log "Building operator image: ${OPERATOR_IMAGE}" + docker build -t "${OPERATOR_IMAGE}" -f Dockerfile.operator . + + log "Images built successfully" +} + +load_images() { + log "Loading images into kind cluster..." + + kind load docker-image "${PROXY_IMAGE}" --name "${CLUSTER_NAME}" + kind load docker-image "${OPERATOR_IMAGE}" --name "${CLUSTER_NAME}" + + log "Images loaded successfully" +} + +install_cert_manager() { + log "Installing cert-manager..." + + # Check if cert-manager is already installed + if kubectl get namespace cert-manager >/dev/null 2>&1; then + log "cert-manager already installed" + return 0 + fi + + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml + + # Wait for cert-manager to be ready + log "Waiting for cert-manager to be ready..." + kubectl wait --for=condition=Available deployment/cert-manager -n cert-manager --timeout=120s + kubectl wait --for=condition=Available deployment/cert-manager-webhook -n cert-manager --timeout=120s + kubectl wait --for=condition=Available deployment/cert-manager-cainjector -n cert-manager --timeout=120s + + log "cert-manager installed successfully" +} + +deploy_operator() { + log "Deploying ContextForge operator..." + + cd "${PROJECT_ROOT}" + + # Install CRDs + kubectl apply -f config/crd/bases/ + + # Deploy using Helm + helm upgrade --install contextforge deploy/helm/contextforge \ + --namespace ctxforge-system \ + --create-namespace \ + --set operator.image.repository="${OPERATOR_IMAGE%%:*}" \ + --set operator.image.tag="${OPERATOR_IMAGE##*:}" \ + --set operator.image.pullPolicy=Never \ + --set proxy.image.repository="${PROXY_IMAGE%%:*}" \ + --set proxy.image.tag="${PROXY_IMAGE##*:}" \ + --set proxy.image.pullPolicy=Never \ + --set webhook.certManager.enabled=true \ + --wait \ + --timeout 180s + + log "Operator deployed successfully" +} + +wait_for_webhook() { + log "Waiting for webhook to be ready..." + + kubectl wait --for=condition=Available deployment/contextforge-operator \ + -n ctxforge-system \ + --timeout=120s + + # Give webhook a moment to register + sleep 5 + + log "Webhook is ready" +} + +run_tests() { + log "Running E2E tests..." + + cd "${PROJECT_ROOT}" + + # Set kubeconfig for tests + export KUBECONFIG="${HOME}/.kube/config" + + go test -v ./tests/e2e/... -timeout 30m + + log "E2E tests completed" +} + +cleanup() { + log "Cleaning up..." + + if [[ "${SKIP_CLEANUP:-}" == "true" ]]; then + log "Skipping cleanup (SKIP_CLEANUP=true)" + return 0 + fi + + kind delete cluster --name "${CLUSTER_NAME}" 2>/dev/null || true + + log "Cleanup completed" +} + +usage() { + cat < + +{{< hextra/hero-badge link="https://github.com/bgruszka/contextforge" >}} + Open Source + {{< icon name="github" attributes="height=14" >}} +{{< /hextra/hero-badge >}} + +
+{{< hextra/hero-headline >}} + Zero-Code Header Propagation 
for Kubernetes +{{< /hextra/hero-headline >}} +
+ +{{< hextra/hero-subtitle >}} + Automatically propagate HTTP headers like x-request-id, x-tenant-id, 
through your microservice chain — no code changes required. +{{< /hextra/hero-subtitle >}} + +
+ +
+{{< hextra/hero-button text="Get Started" link="docs/getting-started" >}} +{{< hextra/hero-button text="GitHub" link="https://github.com/bgruszka/contextforge" style="background: #24292e; margin-left: 12px;" >}} +
+ +
+ +{{< hextra/feature-grid >}} + {{< hextra/feature-card + title="Zero Code Changes" + subtitle="Just add Kubernetes annotations to your pods. No SDK, no library, no code modifications needed." + class="hx-aspect-auto md:hx-aspect-[1.1/1] max-md:hx-min-h-[340px]" + style="background: radial-gradient(ellipse at 50% 80%,rgba(79,70,229,0.15),hsla(0,0%,100%,0));" + >}} + {{< hextra/feature-card + title="Lightweight Proxy" + subtitle="Only ~10MB memory and less than 5ms latency overhead per request. Minimal impact on your workloads." + class="hx-aspect-auto md:hx-aspect-[1.1/1] max-lg:hx-min-h-[340px]" + style="background: radial-gradient(ellipse at 50% 80%,rgba(34,211,238,0.15),hsla(0,0%,100%,0));" + >}} + {{< hextra/feature-card + title="Framework Agnostic" + subtitle="Works with any language: Go, Python, Node.js, Java, Ruby, and more. Uses standard HTTP_PROXY." + class="hx-aspect-auto md:hx-aspect-[1.1/1] max-md:hx-min-h-[340px]" + style="background: radial-gradient(ellipse at 50% 80%,rgba(16,185,129,0.15),hsla(0,0%,100%,0));" + >}} + {{< hextra/feature-card + title="Multi-Tenant Ready" + subtitle="Propagate tenant IDs through all services for data isolation and audit logging in SaaS applications." + class="hx-aspect-auto md:hx-aspect-[1.1/1] max-lg:hx-min-h-[340px]" + style="background: radial-gradient(ellipse at 50% 80%,rgba(245,158,11,0.15),hsla(0,0%,100%,0));" + >}} + {{< hextra/feature-card + title="Request Tracing" + subtitle="Track requests across services with correlation IDs. Debug issues by following the entire request chain (also works great with Telepresence for local development)." + class="hx-aspect-auto md:hx-aspect-[1.1/1] max-md:hx-min-h-[340px]" + style="background: radial-gradient(ellipse at 50% 80%,rgba(239,68,68,0.15),hsla(0,0%,100%,0));" + >}} + {{< hextra/feature-card + title="Kubernetes Native" + subtitle="Uses standard admission webhooks and CRDs. Production ready with health checks and graceful shutdown." + class="hx-aspect-auto md:hx-aspect-[1.1/1] max-lg:hx-min-h-[340px]" + style="background: radial-gradient(ellipse at 50% 80%,rgba(168,85,247,0.15),hsla(0,0%,100%,0));" + >}} +{{< /hextra/feature-grid >}} + +
+ +--- + +
+ +

The Problem

+ +

+Modern microservices rely on HTTP headers for request tracing, multi-tenancy, and debugging. Headers like x-request-id, x-tenant-id, and x-correlation-id must flow through every service. +

+ +

+But service meshes don't help. Istio, Linkerd, and Consul don't automatically propagate these headers. Your application code must manually extract incoming headers and attach them to every outgoing request. +

+ +
+ +--- + +
+ +

Quick Start

+ +
+ +**1. Install ContextForge:** + +```bash +helm repo add contextforge https://ctxforge.io +helm install contextforge contextforge/contextforge -n ctxforge-system --create-namespace +``` + +
+ +**2. Annotate your pods:** + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-correlation-id" + spec: + containers: + - name: app + image: my-app:latest +``` + +
+ +**3. Done!** Headers flow automatically through your service chain. + +
+ +--- + +
+ +

How It Works

+ +
+ +
+ +```mermaid +%%{init: {'theme': 'dark', 'themeVariables': { 'fontSize': '16px'}}}%% +flowchart TB + subgraph pod["☸️ Your Kubernetes Pod"] + direction TB + + req["📥 Incoming Request
x-request-id: abc123
x-tenant-id: acme"] + + subgraph proxy["🔄 ContextForge Proxy"] + p1["1. Extract headers"] + p2["2. Store in context"] + p1 --> p2 + end + + subgraph app["🚀 Your Application"] + a1["Makes HTTP call to another service"] + end + + out["📤 Outgoing Request
x-request-id: abc123 ✓
x-tenant-id: acme ✓
Headers auto-injected!"] + + req --> proxy + proxy --> app + app --> out + end + + style pod fill:#1e293b,stroke:#6366f1,stroke-width:3px,color:#fff + style proxy fill:#312e81,stroke:#818cf8,stroke-width:2px,color:#fff + style app fill:#164e63,stroke:#22d3ee,stroke-width:2px,color:#fff + style req fill:#1e3a5f,stroke:#60a5fa,stroke-width:2px,color:#fff + style out fill:#14532d,stroke:#4ade80,stroke-width:2px,color:#fff + style p1 fill:#4c1d95,stroke:#a78bfa,color:#fff + style p2 fill:#4c1d95,stroke:#a78bfa,color:#fff + style a1 fill:#0e7490,stroke:#67e8f9,color:#fff +``` + +
+ +
+ +--- + +
+ +

Get Started

+ +{{< cards >}} + {{< card link="docs/getting-started" title="Get Started" icon="play" subtitle="Install ContextForge in 5 minutes" >}} + {{< card link="docs/how-it-works" title="How It Works" icon="academic-cap" subtitle="Understand the architecture" >}} + {{< card link="https://github.com/bgruszka/contextforge" title="GitHub" icon="github" subtitle="Star us and contribute" >}} +{{< /cards >}} + +
diff --git a/website/content/docs/_index.md b/website/content/docs/_index.md new file mode 100644 index 0000000..293ce08 --- /dev/null +++ b/website/content/docs/_index.md @@ -0,0 +1,29 @@ +--- +title: Documentation +weight: 1 +next: /docs/getting-started +--- + +Welcome to the ContextForge documentation. Learn how to install, configure, and use ContextForge for automatic HTTP header propagation in your Kubernetes clusters. + +## What is ContextForge? + +ContextForge is a Kubernetes operator that injects a lightweight sidecar proxy into your pods. This proxy automatically captures HTTP headers from incoming requests and propagates them to all outgoing HTTP calls — without requiring any code changes in your applications. + +## Quick Navigation + +{{< cards >}} + {{< card link="getting-started" title="Getting Started" icon="play" subtitle="Install and configure ContextForge in 5 minutes" >}} + {{< card link="installation" title="Installation" icon="download" subtitle="Detailed installation options and requirements" >}} + {{< card link="configuration" title="Configuration" icon="cog" subtitle="Annotations, CRDs, and advanced settings" >}} + {{< card link="how-it-works" title="How It Works" icon="academic-cap" subtitle="Architecture and technical deep-dive" >}} + {{< card link="examples" title="Examples" icon="code" subtitle="Real-world use cases and code samples" >}} +{{< /cards >}} + +## Key Features + +- **Zero Code Changes** — Just add Kubernetes annotations +- **Lightweight** — ~10MB memory, <5ms latency per request +- **Framework Agnostic** — Works with any HTTP client in any language +- **Kubernetes Native** — Uses standard admission webhooks and CRDs +- **Production Ready** — Battle-tested with health checks and graceful shutdown diff --git a/website/content/docs/changelog.md b/website/content/docs/changelog.md new file mode 100644 index 0000000..6960226 --- /dev/null +++ b/website/content/docs/changelog.md @@ -0,0 +1,28 @@ +--- +title: Changelog +weight: 10 +--- + +All notable changes to ContextForge are documented here. + +This changelog is automatically updated with each release. + + + +## v0.1.0 (Initial Release) + +### Features +- Sidecar injection via mutating admission webhook +- HTTP header propagation through service chains +- Pod annotations for configuration (`ctxforge.io/enabled`, `ctxforge.io/headers`) +- Lightweight proxy with <5ms latency overhead +- Health checks and graceful shutdown +- Helm chart for easy installation + +### Documentation +- Getting started guide +- Installation instructions +- Configuration reference +- Architecture documentation + + diff --git a/website/content/docs/configuration.md b/website/content/docs/configuration.md new file mode 100644 index 0000000..9162425 --- /dev/null +++ b/website/content/docs/configuration.md @@ -0,0 +1,261 @@ +--- +title: Configuration +weight: 3 +--- + +ContextForge can be configured through pod annotations and the HeaderPropagationPolicy CRD. + +## Pod Annotations + +### Required Annotations + +| Annotation | Value | Description | +|------------|-------|-------------| +| `ctxforge.io/enabled` | `"true"` | Enables sidecar injection for this pod | + +### Optional Annotations + +| Annotation | Default | Description | +|------------|---------|-------------| +| `ctxforge.io/headers` | `""` | Comma-separated list of headers to propagate (simple mode) | +| `ctxforge.io/header-rules` | `""` | JSON array of advanced header rules (see [Advanced Header Rules](#advanced-header-rules-header_rules)) | +| `ctxforge.io/target-port` | `8080` | Port of your application container | + +{{% callout type="info" %}} +Use `ctxforge.io/headers` for simple header propagation. Use `ctxforge.io/header-rules` when you need header generation, path filtering, or method filtering. +{{% /callout %}} + +### Example + +#### Simple Mode + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-correlation-id" + ctxforge.io/target-port: "3000" + spec: + containers: + - name: app + image: my-app:latest + ports: + - containerPort: 3000 +``` + +#### Advanced Mode (with header-rules) + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/target-port: "3000" + ctxforge.io/header-rules: | + [ + {"name": "x-request-id", "generate": true, "generatorType": "uuid"}, + {"name": "x-tenant-id"}, + {"name": "x-debug", "pathRegex": "^/api/.*", "methods": ["POST", "PUT"]} + ] + spec: + containers: + - name: app + image: my-app:latest + ports: + - containerPort: 3000 +``` + +## HeaderPropagationPolicy CRD + +For more advanced configuration, use the HeaderPropagationPolicy custom resource: + +```yaml +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: default-policy + namespace: default +spec: + selector: + matchLabels: + app: my-service + + propagationRules: + - headers: + - name: x-request-id + generate: true # Auto-generate if missing + generatorType: uuid # UUID generator + - name: x-tenant-id + propagate: true # Always propagate + - name: x-debug + propagate: true + pathRegex: ".*" # Apply to all paths + methods: # Apply to these methods + - GET + - POST + - PUT +``` + +### CRD Fields + +#### `spec.selector` + +Selects which pods this policy applies to: + +```yaml +selector: + matchLabels: + app: my-service + environment: production +``` + +#### `spec.propagationRules` + +List of rules defining which headers to propagate: + +| Field | Type | Description | +|-------|------|-------------| +| `headers` | list | Headers to propagate | +| `headers[].name` | string | Header name (case-insensitive) | +| `headers[].generate` | bool | Generate header if missing | +| `headers[].generatorType` | string | Generator type: `uuid`, `ulid`, `timestamp` | +| `headers[].propagate` | bool | Whether to propagate (default: true) | +| `pathRegex` | string | Regex to match request paths | +| `methods` | list | HTTP methods to apply rule to | + +## Proxy Environment Variables + +The sidecar proxy is configured through environment variables (set automatically by the operator): + +| Variable | Default | Description | +|----------|---------|-------------| +| `HEADERS_TO_PROPAGATE` | `""` | Comma-separated header names (simple mode) | +| `HEADER_RULES` | `""` | JSON array of advanced header rules (alternative to HEADERS_TO_PROPAGATE) | +| `TARGET_HOST` | `localhost:8080` | Application container address | +| `PROXY_PORT` | `9090` | Proxy listen port | +| `LOG_LEVEL` | `info` | Log level: debug, info, warn, error | +| `METRICS_PORT` | `9091` | Prometheus metrics port | + +### Advanced Header Rules (HEADER_RULES) + +For advanced configuration including header generation and filtering, use `HEADER_RULES`: + +```bash +HEADER_RULES='[ + {"name": "x-request-id", "generate": true, "generatorType": "uuid"}, + {"name": "x-tenant-id"}, + {"name": "x-api-key", "pathRegex": "^/api/.*", "methods": ["POST", "PUT"]} +]' +``` + +#### Header Rule Fields + +| Field | Type | Default | Description | +|-------|------|---------|-------------| +| `name` | string | (required) | HTTP header name | +| `generate` | bool | `false` | Auto-generate if header is missing | +| `generatorType` | string | `uuid` | Generator: `uuid`, `ulid`, or `timestamp` | +| `propagate` | bool | `true` | Whether to propagate this header | +| `pathRegex` | string | - | Regex pattern to match request paths | +| `methods` | []string | - | HTTP methods to match (e.g., `["GET", "POST"]`) | + +#### Generator Types + +| Type | Format | Example | +|------|--------|---------| +| `uuid` | UUID v4 | `550e8400-e29b-41d4-a716-446655440000` | +| `ulid` | ULID (sortable) | `01ARZ3NDEKTSV4RRFFQ69G5FAV` | +| `timestamp` | RFC3339Nano | `2025-01-01T12:00:00.123456789Z` | + +## Namespace Configuration + +### Disable Injection for a Namespace + +To prevent sidecar injection in a namespace: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: kube-system + labels: + ctxforge.io/injection: disabled +``` + +### Enable Injection by Default + +To inject sidecars into all pods in a namespace (without requiring annotations): + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: production + labels: + ctxforge.io/injection: enabled +``` + +{{% callout type="info" %}} +When namespace-level injection is enabled, you can still opt-out individual pods by setting `ctxforge.io/enabled: "false"` annotation. +{{% /callout %}} + +## Helm Chart Values + +Key configuration options in `values.yaml`: + +```yaml +# Operator configuration +operator: + replicas: 1 + image: + repository: ghcr.io/bgruszka/contextforge-operator + tag: latest + resources: + requests: + cpu: 100m + memory: 128Mi + +# Proxy sidecar defaults +proxy: + image: + repository: ghcr.io/bgruszka/contextforge-proxy + tag: latest + resources: + requests: + cpu: 50m + memory: 32Mi + limits: + cpu: 200m + memory: 64Mi + +# Webhook configuration +webhook: + failurePolicy: Fail # or Ignore + timeoutSeconds: 10 + certManager: + enabled: false # Set to true if using cert-manager + +# RBAC +rbac: + create: true + +# Service Account +serviceAccount: + create: true + name: "" +``` diff --git a/website/content/docs/examples.md b/website/content/docs/examples.md new file mode 100644 index 0000000..6acf421 --- /dev/null +++ b/website/content/docs/examples.md @@ -0,0 +1,496 @@ +--- +title: Examples +weight: 5 +--- + +Real-world examples and use cases for ContextForge. + +## Multi-Tenant SaaS + +Propagate tenant ID through all services for data isolation: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: api-gateway +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-tenant-id,x-user-id" + spec: + containers: + - name: gateway + image: api-gateway:latest +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: user-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-tenant-id,x-user-id" + spec: + containers: + - name: user-service + image: user-service:latest +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: billing-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-tenant-id,x-user-id" + spec: + containers: + - name: billing-service + image: billing-service:latest +``` + +**Flow:** + +```mermaid +flowchart TD + Gateway["API Gateway
sets x-tenant-id: acme-corp"] + UserSvc["User Service
receives x-tenant-id"] + BillingSvc["Billing Service
receives x-tenant-id"] + UserDB["Database query
filtered by tenant"] + BillingDB["Tenant's billing data
only"] + + Gateway --> UserSvc + Gateway --> BillingSvc + UserSvc --> UserDB + BillingSvc --> BillingDB + + style Gateway fill:#4c1d95,stroke:#a78bfa,color:#fff + style UserSvc fill:#312e81,stroke:#818cf8,color:#fff + style BillingSvc fill:#312e81,stroke:#818cf8,color:#fff +``` + +## Request Tracing + +Track requests across microservices with correlation IDs: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: order-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-correlation-id,x-trace-id" + spec: + containers: + - name: order-service + image: order-service:latest +``` + +**Viewing logs across services:** +```bash +# Find all logs for a specific request +kubectl logs -l app=order-service | grep "x-request-id: abc123" +kubectl logs -l app=payment-service | grep "x-request-id: abc123" +kubectl logs -l app=notification-service | grep "x-request-id: abc123" +``` + +## Telepresence Integration + +Seamlessly integrate with [Telepresence](https://www.telepresence.io/) for local development. When using Telepresence intercepts, the `x-telepresence-intercept-id` header must flow through all downstream services for proper routing: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-telepresence-intercept-id,x-request-id" + spec: + containers: + - name: frontend + image: frontend:latest +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend-api +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-telepresence-intercept-id,x-request-id" + spec: + containers: + - name: backend-api + image: backend-api:latest +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: database-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-telepresence-intercept-id,x-request-id" + spec: + containers: + - name: database-service + image: database-service:latest +``` + +**Developer workflow:** +```bash +# Start Telepresence intercept on backend-api +telepresence intercept backend-api --port 8080 + +# Now requests with your intercept header flow through the entire chain: +# Frontend → Backend API (local) → Database Service +# +# Without ContextForge, only Frontend → Backend API would be intercepted. +# With ContextForge, the x-telepresence-intercept-id header propagates +# to ALL downstream services, so your local backend can call +# database-service and the response comes back to you! +``` + +**Flow with Telepresence + ContextForge:** + +```mermaid +flowchart TD + Browser["Browser Request
x-telepresence-intercept-id: abc123"] + Frontend["Frontend Service
(in cluster)"] + Backend["Backend API"] + Local["Your Local Machine
(intercepted!)"] + DB["Database Service
(in cluster)"] + Response["Response flows back
to local machine"] + + Browser --> Frontend + Frontend --> |"ContextForge
propagates header"| Backend + Backend -.-> |"Telepresence
intercept"| Local + Local --> |"Your local code calls DB
header propagates"| DB + DB --> Response + Response -.-> Local + + style Browser fill:#1e3a5f,stroke:#60a5fa,color:#fff + style Frontend fill:#312e81,stroke:#818cf8,color:#fff + style Backend fill:#312e81,stroke:#818cf8,color:#fff + style Local fill:#14532d,stroke:#4ade80,color:#fff + style DB fill:#312e81,stroke:#818cf8,color:#fff +``` + +This enables true end-to-end local development where you can debug the backend while still connecting to real cluster services! + +--- + +## Developer Debugging + +Add developer ID header to trace requests through staging: + +```yaml +# Development namespace configuration +apiVersion: v1 +kind: Namespace +metadata: + name: staging + labels: + ctxforge.io/injection: enabled +--- +# All pods in staging get these headers propagated +apiVersion: ctxforge.ctxforge.io/v1alpha1 +kind: HeaderPropagationPolicy +metadata: + name: dev-headers + namespace: staging +spec: + selector: + matchLabels: {} # Match all pods + propagationRules: + - headers: + - name: x-dev-id + - name: x-request-id + generate: true + generatorType: uuid +``` + +**Developer workflow:** +```bash +# Add your dev ID to requests +curl -H "x-dev-id: alice" https://staging.example.com/api/orders + +# View only your requests in logs +kubectl logs -l app=order-service -n staging | grep "x-dev-id: alice" +``` + +## Compliance & Audit Trail + +Maintain audit trails for payment processing: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: payment-processor +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-audit-id,x-transaction-id,x-user-id,x-session-id" + spec: + containers: + - name: payment-processor + image: payment-processor:latest +``` + +**Application logging:** +```go +// In your application code +func ProcessPayment(ctx context.Context, amount float64) error { + auditID := ctx.Value("x-audit-id") + transactionID := ctx.Value("x-transaction-id") + + log.Info("Processing payment", + "audit_id", auditID, + "transaction_id", transactionID, + "amount", amount, + ) + + // Process payment... +} +``` + +## Feature Flags + +Propagate feature flag context for A/B testing: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: feature-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-feature-flags,x-experiment-id,x-variant" + spec: + containers: + - name: feature-service + image: feature-service:latest +``` + +## Custom Port Configuration + +If your app runs on a non-standard port: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: custom-port-app +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id" + ctxforge.io/target-port: "3000" # Node.js default port + spec: + containers: + - name: nodejs-app + image: nodejs-app:latest + ports: + - containerPort: 3000 +``` + +## Full Example: E-Commerce Platform + +A complete example showing header propagation across an e-commerce platform: + +```yaml +# API Gateway - entry point +apiVersion: apps/v1 +kind: Deployment +metadata: + name: api-gateway + namespace: ecommerce +spec: + replicas: 3 + template: + metadata: + labels: + app: api-gateway + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-user-id,x-session-id" + spec: + containers: + - name: gateway + image: ecommerce/api-gateway:v1.2.0 + ports: + - containerPort: 8080 +--- +# Product Service +apiVersion: apps/v1 +kind: Deployment +metadata: + name: product-service + namespace: ecommerce +spec: + replicas: 2 + template: + metadata: + labels: + app: product-service + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-user-id" + spec: + containers: + - name: products + image: ecommerce/product-service:v2.0.1 +--- +# Order Service +apiVersion: apps/v1 +kind: Deployment +metadata: + name: order-service + namespace: ecommerce +spec: + replicas: 2 + template: + metadata: + labels: + app: order-service + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-user-id,x-session-id" + spec: + containers: + - name: orders + image: ecommerce/order-service:v1.5.0 +--- +# Payment Service +apiVersion: apps/v1 +kind: Deployment +metadata: + name: payment-service + namespace: ecommerce +spec: + replicas: 2 + template: + metadata: + labels: + app: payment-service + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id,x-user-id,x-transaction-id" + spec: + containers: + - name: payments + image: ecommerce/payment-service:v1.0.3 +--- +# Notification Service +apiVersion: apps/v1 +kind: Deployment +metadata: + name: notification-service + namespace: ecommerce +spec: + replicas: 1 + template: + metadata: + labels: + app: notification-service + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-user-id" + spec: + containers: + - name: notifications + image: ecommerce/notification-service:v1.1.0 +``` + +**Request flow:** + +```mermaid +flowchart TD + Customer["Customer places order"] + Gateway["API Gateway
sets x-request-id
extracts x-user-id from JWT"] + Product["Product Service
validates inventory"] + Order["Order Service
creates order"] + Payment["Payment Service
processes payment"] + Notify["Notification Service
sends confirmation"] + + ProductLog["📝 [ord-123] Checking inventory"] + OrderLog["📝 [ord-123] Creating order"] + PaymentLog["📝 [ord-123] Processing $99.99"] + NotifyLog["📝 [ord-123] Sending email"] + + Customer --> Gateway + Gateway --> Product + Gateway --> Order + Gateway --> Notify + Order --> Payment + + Product -.-> ProductLog + Order -.-> OrderLog + Payment -.-> PaymentLog + Notify -.-> NotifyLog + + style Customer fill:#1e3a5f,stroke:#60a5fa,color:#fff + style Gateway fill:#4c1d95,stroke:#a78bfa,color:#fff + style Product fill:#312e81,stroke:#818cf8,color:#fff + style Order fill:#312e81,stroke:#818cf8,color:#fff + style Payment fill:#312e81,stroke:#818cf8,color:#fff + style Notify fill:#312e81,stroke:#818cf8,color:#fff + style ProductLog fill:#14532d,stroke:#4ade80,color:#fff + style OrderLog fill:#14532d,stroke:#4ade80,color:#fff + style PaymentLog fill:#14532d,stroke:#4ade80,color:#fff + style NotifyLog fill:#14532d,stroke:#4ade80,color:#fff +``` + +All services log the same `x-request-id`, making it easy to trace the entire order flow! diff --git a/website/content/docs/getting-started.md b/website/content/docs/getting-started.md new file mode 100644 index 0000000..55d5478 --- /dev/null +++ b/website/content/docs/getting-started.md @@ -0,0 +1,110 @@ +--- +title: Getting Started +weight: 1 +--- + +Get ContextForge up and running in your Kubernetes cluster in just a few minutes. + +## Prerequisites + +Before you begin, ensure you have: + +- **Kubernetes cluster** version 1.24 or later +- **Helm** version 3.0 or later +- **kubectl** configured to access your cluster +- **cluster-admin** permissions (for installing CRDs and webhooks) + +## Installation + +### Step 1: Add the Helm Repository + +```bash +helm repo add contextforge https://ctxforge.io +helm repo update +``` + +### Step 2: Install ContextForge + +```bash +helm install contextforge contextforge/contextforge \ + --namespace ctxforge-system \ + --create-namespace +``` + +### Step 3: Verify the Installation + +Check that the operator is running: + +```bash +kubectl get pods -n ctxforge-system +``` + +You should see output similar to: + +``` +NAME READY STATUS RESTARTS AGE +contextforge-operator-7b9f4d5c6-x2k8p 1/1 Running 0 30s +``` + +## Enable Header Propagation + +To enable automatic header propagation for a pod, add the following annotations: + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-service +spec: + template: + metadata: + labels: + ctxforge.io/enabled: "true" + annotations: + ctxforge.io/enabled: "true" + ctxforge.io/headers: "x-request-id,x-tenant-id" + spec: + containers: + - name: app + image: my-app:latest + ports: + - containerPort: 8080 +``` + +{{% details title="What do these annotations do?" closed="true" %}} + +- **`ctxforge.io/enabled: "true"`** — Tells ContextForge to inject the sidecar proxy into this pod +- **`ctxforge.io/headers`** — Comma-separated list of headers to propagate + +{{% /details %}} + +## Verify It's Working + +After deploying your annotated workload, verify the sidecar was injected: + +```bash +kubectl get pod my-service-xxxxx -o jsonpath='{.spec.containers[*].name}' +``` + +You should see both your app container and the `ctxforge-proxy` container: + +``` +app ctxforge-proxy +``` + +## Test Header Propagation + +Send a request with a custom header: + +```bash +curl -H "x-request-id: test-123" http://your-service/api/endpoint +``` + +Check the logs of downstream services — they should all receive the `x-request-id` header! + +## Next Steps + +- [Installation Guide](../installation) — Detailed installation options +- [Configuration](../configuration) — All available annotations and settings +- [How It Works](../how-it-works) — Understand the architecture +- [Examples](../examples) — Real-world use cases diff --git a/website/content/docs/how-it-works.md b/website/content/docs/how-it-works.md new file mode 100644 index 0000000..6c0638c --- /dev/null +++ b/website/content/docs/how-it-works.md @@ -0,0 +1,218 @@ +--- +title: How It Works +weight: 4 +--- + +This page explains the architecture and internals of ContextForge. + +## Architecture Overview + +ContextForge consists of two main components: + +1. **Operator** — A Kubernetes controller that watches for pod creation and injects the sidecar +2. **Proxy Sidecar** — A lightweight HTTP proxy that handles header propagation + +```mermaid +flowchart TB + subgraph cluster["Kubernetes Cluster"] + subgraph operator["ContextForge Operator"] + webhook["MutatingAdmissionWebhook"] + webhook --> |"Intercepts Pod creation"| check["Check ctxforge.io/enabled"] + check --> |"If enabled"| inject["Inject sidecar + HTTP_PROXY"] + end + + subgraph pod["Application Pod"] + proxy["ContextForge Proxy
:9090"] + app["App Container
:8080"] + proxy --> |"Forward requests"| app + end + + webhook -.-> |"Patches pod spec"| pod + end + + style cluster fill:#1e293b,stroke:#6366f1,stroke-width:2px + style operator fill:#312e81,stroke:#818cf8,stroke-width:2px + style pod fill:#164e63,stroke:#22d3ee,stroke-width:2px + style proxy fill:#4c1d95,stroke:#a78bfa + style app fill:#0e7490,stroke:#67e8f9 +``` + +## Sidecar Injection Flow + +When you create a pod with the `ctxforge.io/enabled: "true"` annotation: + +```mermaid +sequenceDiagram + participant User + participant API as Kubernetes API + participant Webhook as ContextForge Webhook + participant Pod + + User->>API: kubectl apply -f deployment.yaml + API->>Webhook: Intercept Pod creation + + Note over Webhook: Check annotation:
ctxforge.io/enabled=true + Note over Webhook: Extract headers list + Note over Webhook: Create sidecar spec + Note over Webhook: Add HTTP_PROXY env vars + + Webhook->>API: Return JSON patch + API->>Pod: Create Pod with sidecar + + Note over Pod: Pod running with:
• App container
• ContextForge proxy +``` + +## Request Flow + +Here's how headers are propagated through a request: + +### Incoming Request + +```mermaid +sequenceDiagram + participant Client as External Client + participant Proxy as ContextForge Proxy
:9090 + participant App as Your Application
:8080 + + Client->>Proxy: HTTP Request
x-request-id: abc123
x-tenant-id: tenant-1 + + Note over Proxy: 1. Extract configured headers + Note over Proxy: 2. Store in context.Context + + Proxy->>App: Forward request
(headers preserved) + + Note over App: Process business logic + + App->>Proxy: Response + Proxy->>Client: Response +``` + +### Outgoing Request + +When your application makes an HTTP call to another service: + +```mermaid +sequenceDiagram + participant App as Your Application + participant Proxy as ContextForge Proxy + participant ServiceB as Service B + + Note over App: http.Get("http://service-b")
HTTP_PROXY=localhost:9090 + + App->>Proxy: Outgoing HTTP request + + Note over Proxy: 1. Intercept request + Note over Proxy: 2. Retrieve headers from context + Note over Proxy: 3. Inject headers:
x-request-id: abc123
x-tenant-id: tenant-1 + + Proxy->>ServiceB: Request with injected headers + + ServiceB->>Proxy: Response + Proxy->>App: Response +``` + +### Full Chain Propagation + +```mermaid +flowchart LR + subgraph podA["Pod A"] + proxyA["Proxy"] + appA["App A"] + end + + subgraph podB["Pod B"] + proxyB["Proxy"] + appB["App B"] + end + + subgraph podC["Pod C"] + proxyC["Proxy"] + appC["App C"] + end + + Client["Client
x-request-id: abc"] --> proxyA + proxyA --> appA + appA --> proxyA + proxyA --> |"x-request-id: abc"| proxyB + proxyB --> appB + appB --> proxyB + proxyB --> |"x-request-id: abc"| proxyC + proxyC --> appC + + style podA fill:#312e81,stroke:#818cf8 + style podB fill:#312e81,stroke:#818cf8 + style podC fill:#312e81,stroke:#818cf8 +``` + +## Header Storage + +ContextForge uses Go's `context.Context` for thread-safe, request-scoped header storage: + +```go +// Simplified implementation +type contextKey string +const ContextKeyHeaders contextKey = "ctxforge-headers" + +// Store headers from incoming request +headers := extractHeaders(request, configuredHeaders) +ctx := context.WithValue(request.Context(), ContextKeyHeaders, headers) + +// Retrieve headers for outgoing request +if stored := ctx.Value(ContextKeyHeaders); stored != nil { + for key, value := range stored.(map[string]string) { + outboundRequest.Header.Set(key, value) + } +} +``` + +## HTTP_PROXY Approach + +ContextForge leverages the standard `HTTP_PROXY` and `HTTPS_PROXY` environment variables: + +```mermaid +flowchart LR + subgraph pod["Your Pod"] + app["Application"] + proxy["ContextForge Proxy
localhost:9090"] + env["ENV: HTTP_PROXY=localhost:9090"] + end + + app --> |"All HTTP requests
go through proxy"| proxy + proxy --> |"Headers injected"| external["External Services"] + + style pod fill:#1e293b,stroke:#6366f1 + style proxy fill:#4c1d95,stroke:#a78bfa +``` + +1. The operator sets these env vars to point to the sidecar proxy (`localhost:9090`) +2. Most HTTP clients automatically use these proxies for outgoing requests +3. The proxy intercepts outgoing calls and injects headers + +{{% callout type="info" %}} +**Compatibility:** This approach works with most HTTP clients in Go, Python, Node.js, Java, Ruby, and other languages. Some clients may require explicit configuration to respect proxy env vars. +{{% /callout %}} + +## Performance + +ContextForge is designed for minimal overhead: + +| Metric | Value | +|--------|-------| +| Memory per pod | ~10MB | +| CPU per pod | ~10m | +| Latency overhead | <5ms | +| Throughput impact | <1% | + +## Health Checks + +The proxy exposes health endpoints: + +- `/healthz` — Liveness probe (always returns 200) +- `/ready` — Readiness probe (checks if target app is reachable) + +## Security + +- Runs as non-root user (UID 65532) +- Read-only root filesystem +- No privileged capabilities required +- TLS for webhook communication (cert-manager or self-signed) diff --git a/website/content/docs/installation.md b/website/content/docs/installation.md new file mode 100644 index 0000000..3195df2 --- /dev/null +++ b/website/content/docs/installation.md @@ -0,0 +1,168 @@ +--- +title: Installation +weight: 2 +--- + +This guide covers all installation options for ContextForge. + +## Requirements + +| Component | Minimum Version | +|-----------|-----------------| +| Kubernetes | 1.24+ | +| Helm | 3.0+ | +| cert-manager | 1.0+ (optional, for TLS) | + +## Helm Installation + +### Add the Repository + +```bash +helm repo add contextforge https://ctxforge.io +helm repo update +``` + +### Basic Installation + +```bash +helm install contextforge contextforge/contextforge \ + --namespace ctxforge-system \ + --create-namespace +``` + +### Installation with Custom Values + +```bash +helm install contextforge contextforge/contextforge \ + --namespace ctxforge-system \ + --create-namespace \ + --set operator.replicas=2 \ + --set proxy.image.tag=v0.2.0 \ + --set webhook.failurePolicy=Ignore +``` + +### Using a Values File + +Create a `values.yaml` file: + +```yaml +operator: + replicas: 2 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + +proxy: + image: + repository: ghcr.io/bgruszka/contextforge-proxy + tag: latest + resources: + requests: + cpu: 50m + memory: 32Mi + limits: + cpu: 200m + memory: 64Mi + +webhook: + failurePolicy: Fail + certManager: + enabled: true +``` + +Install with the values file: + +```bash +helm install contextforge contextforge/contextforge \ + --namespace ctxforge-system \ + --create-namespace \ + -f values.yaml +``` + +## Upgrading + +To upgrade to a newer version: + +```bash +helm repo update +helm upgrade contextforge contextforge/contextforge \ + --namespace ctxforge-system +``` + +## Uninstalling + +To remove ContextForge: + +```bash +helm uninstall contextforge --namespace ctxforge-system +kubectl delete namespace ctxforge-system +``` + +{{% callout type="warning" %}} +Uninstalling ContextForge will not remove the sidecar from existing pods. You'll need to restart those pods after removing the annotations. +{{% /callout %}} + +## Manual Installation (kubectl) + +If you prefer not to use Helm, you can install using raw manifests: + +```bash +# Install CRDs +kubectl apply -f https://raw.githubusercontent.com/bgruszka/contextforge/master/config/crd/bases/ctxforge.ctxforge.io_headerpropagationpolicies.yaml + +# Install operator +kubectl apply -f https://raw.githubusercontent.com/bgruszka/contextforge/master/config/default/ +``` + +## Verify Installation + +Check the operator is running: + +```bash +kubectl get pods -n ctxforge-system +kubectl get mutatingwebhookconfigurations | grep contextforge +``` + +Check the CRD is installed: + +```bash +kubectl get crd headerpropagationpolicies.ctxforge.ctxforge.io +``` + +## Troubleshooting + +### Pods Not Getting Sidecar Injected + +1. **Check the namespace label:** + ```bash + kubectl get namespace -o jsonpath='{.metadata.labels}' + ``` + Ensure `ctxforge.io/injection` is not set to `disabled`. + +2. **Check pod annotations:** + ```bash + kubectl get pod -o jsonpath='{.metadata.annotations}' + ``` + Verify `ctxforge.io/enabled: "true"` is present. + +3. **Check webhook logs:** + ```bash + kubectl logs -n ctxforge-system deployment/contextforge-operator + ``` + +### Webhook Timeouts + +If pod creation is slow, the webhook might be timing out: + +```bash +# Check webhook configuration +kubectl get mutatingwebhookconfiguration contextforge-mutating-webhook -o yaml + +# Increase timeout if needed (via Helm values) +webhook: + timeoutSeconds: 30 +``` diff --git a/website/content/docs/limitations.md b/website/content/docs/limitations.md new file mode 100644 index 0000000..824f249 --- /dev/null +++ b/website/content/docs/limitations.md @@ -0,0 +1,130 @@ +--- +title: Limitations +weight: 6 +--- + +This page documents known limitations and important considerations when using ContextForge. + +## HTTPS Traffic + +**Header propagation only works for HTTP traffic.** HTTPS requests cannot have headers injected by the proxy. + +### Why? + +When applications make HTTPS requests through an HTTP proxy, they use the **CONNECT** method to establish a TCP tunnel: + +```mermaid +sequenceDiagram + participant Client + participant Proxy as ContextForge Proxy + participant Server as HTTPS Server + + Client->>Proxy: CONNECT example.com:443 HTTP/1.1 + Proxy->>Server: TCP Connection + Proxy-->>Client: HTTP/1.1 200 Connection Established + + Note over Client,Server: TLS Tunnel Established + + Client->>Server: 🔒 Encrypted TLS Handshake + Client->>Server: 🔒 Encrypted HTTP Request + Server->>Client: 🔒 Encrypted HTTP Response + + Note over Proxy: Cannot see or modify
encrypted traffic +``` + +Once the TLS tunnel is established, the proxy cannot see or modify the encrypted HTTP headers inside the session. This is a fundamental characteristic of how HTTPS works with HTTP proxies. + +### HTTP vs HTTPS Comparison + +```mermaid +flowchart LR + subgraph http["HTTP Request"] + direction LR + C1[Client] --> P1[ContextForge
Proxy] + P1 --> S1[Service] + P1 -.- N1["✅ Can read headers
✅ Can modify headers
✅ Can inject headers"] + end + + subgraph https["HTTPS Request"] + direction LR + C2[Client] --> P2[ContextForge
Proxy] + P2 --> S2[Service] + P2 -.- N2["❌ Cannot read headers
❌ Cannot modify headers
❌ CONNECT tunnel only"] + end + + style http fill:#d4edda,stroke:#28a745 + style https fill:#f8d7da,stroke:#dc3545 +``` + +### Recommendations + +For internal service-to-service communication in Kubernetes: + +1. **Use HTTP internally** — Most Kubernetes clusters use HTTP for internal traffic, with TLS terminated at the ingress or handled by a service mesh (mTLS) + +2. **Service mesh mTLS** — If you use Istio, Linkerd, or another service mesh for mTLS, the traffic between sidecars is encrypted, but your application still makes plain HTTP calls + +3. **NO_PROXY for external HTTPS** — If your app needs to call external HTTPS APIs without going through the proxy: + ```yaml + annotations: + ctxforge.io/no-proxy: "api.external.com,*.googleapis.com" + ``` + +## Proxy-Aware Clients + +The `HTTP_PROXY` environment variable approach works with most HTTP clients, but some may require explicit configuration: + +| Language | Status | Notes | +|----------|--------|-------| +| Go (`net/http`) | Works | Automatically respects `HTTP_PROXY` | +| Python (`requests`) | Works | Automatically respects `HTTP_PROXY` | +| Node.js (`axios`) | Works | Automatically respects `HTTP_PROXY` | +| Node.js (`fetch`) | Requires config | Use `node-fetch` with proxy agent | +| Java (`HttpClient`) | Requires config | Set system properties | +| Ruby (`net/http`) | Works | Automatically respects `HTTP_PROXY` | + +{{% callout type="warning" %}} +If your HTTP client doesn't respect `HTTP_PROXY`, you'll need to configure it explicitly to use `http://localhost:9090` as the proxy. +{{% /callout %}} + +## WebSocket Connections + +WebSocket connections are **not supported** for header propagation. The initial HTTP upgrade request may go through the proxy, but subsequent WebSocket frames are not HTTP and cannot be modified. + +## gRPC + +gRPC uses HTTP/2 and typically doesn't respect the `HTTP_PROXY` environment variable. For gRPC header propagation, consider: + +1. Using gRPC interceptors in your application +2. Using a service mesh with native gRPC support + +## Header Size Limits + +The proxy handles headers up to the standard HTTP limits: + +- Individual header value: 8KB +- Total headers size: 32KB + +Headers exceeding these limits may be truncated or rejected. + +## Performance Overhead + +While ContextForge is designed to be lightweight, be aware of: + +| Scenario | Additional Latency | +|----------|-------------------| +| Simple request | < 1ms | +| With header injection | < 2ms | +| Large headers (> 1KB) | < 5ms | + +For latency-critical paths where even milliseconds matter, consider whether header propagation is necessary for that specific service. + +## Single Pod Limitation + +The proxy stores headers in memory within the request context. This means: + +- Headers are only available within the same request lifecycle +- Async operations that outlive the request won't have access to headers +- Background jobs triggered by the request won't automatically get headers + +For async scenarios, you'll need to explicitly pass headers to background workers. diff --git a/website/go.mod b/website/go.mod new file mode 100644 index 0000000..5064b68 --- /dev/null +++ b/website/go.mod @@ -0,0 +1,5 @@ +module github.com/bgruszka/contextforge/website + +go 1.21 + +require github.com/imfing/hextra v0.11.1 diff --git a/website/go.sum b/website/go.sum new file mode 100644 index 0000000..43438d7 --- /dev/null +++ b/website/go.sum @@ -0,0 +1,4 @@ +github.com/imfing/hextra v0.8.4 h1:cR4asr0TeDlqHPHLdTpMQJOjVeXnq8nfLMzcF0pld+w= +github.com/imfing/hextra v0.8.4/go.mod h1:cEfel3lU/bSx7lTE/+uuR4GJaphyOyiwNR3PTqFTXpI= +github.com/imfing/hextra v0.11.1 h1:8pTc4ReYbzGTHAnyiebmlT3ijFfIXiGu1r7tM/UGjFI= +github.com/imfing/hextra v0.11.1/go.mod h1:cEfel3lU/bSx7lTE/+uuR4GJaphyOyiwNR3PTqFTXpI= diff --git a/website/hugo.yaml b/website/hugo.yaml new file mode 100644 index 0000000..f063e3e --- /dev/null +++ b/website/hugo.yaml @@ -0,0 +1,64 @@ +baseURL: https://ctxforge.io/ +languageCode: en-us +title: ContextForge + +enableRobotsTXT: true +enableGitInfo: true + +module: + imports: + - path: github.com/imfing/hextra + +markup: + goldmark: + renderer: + unsafe: true + highlight: + noClasses: false + +params: + description: Automatic HTTP Header Propagation for Kubernetes - Zero code changes required + + navbar: + displayTitle: true + displayLogo: true + logo: + path: images/logo.svg + dark: images/logo-dark.svg + width: 40 + height: 40 + + page: + width: wide + + footer: + displayCopyright: true + displayPoweredBy: false + + editURL: + enable: true + base: https://github.com/bgruszka/contextforge/edit/master/website/content + + theme: + default: system + displayToggle: true + + docs: + sidebar: + defaultOpen: true + +menu: + main: + - identifier: docs + name: Documentation + pageRef: /docs + weight: 1 + - identifier: github + name: GitHub + url: https://github.com/bgruszka/contextforge + weight: 2 + - identifier: search + name: Search + weight: 3 + params: + type: search diff --git a/website/static/CNAME b/website/static/CNAME new file mode 100644 index 0000000..c62bc5b --- /dev/null +++ b/website/static/CNAME @@ -0,0 +1 @@ +ctxforge.io diff --git a/website/static/images/logo-dark.svg b/website/static/images/logo-dark.svg new file mode 100644 index 0000000..bbeaf24 --- /dev/null +++ b/website/static/images/logo-dark.svg @@ -0,0 +1,6 @@ + + + + + + diff --git a/website/static/images/logo.svg b/website/static/images/logo.svg new file mode 100644 index 0000000..2edea52 --- /dev/null +++ b/website/static/images/logo.svg @@ -0,0 +1,6 @@ + + + + + +