jaegertracing / jaeger-operator

Jaeger Operator for Kubernetes simplifies deploying and running Jaeger on Kubernetes.
https://www.jaegertracing.io/docs/latest/operator/
Apache License 2.0
1.03k stars 345 forks source link

Setting istio annotation on invalid resource #1330

Open xM8WVqaG opened 4 years ago

xM8WVqaG commented 4 years ago

According to the istio annotation docs, the sidecar.istio.io/inject annotation should only be applied to pods - see: https://istio.io/latest/docs/reference/config/annotations/.

$ istioctl analyze -A
Warn [IST0107] (Deployment jaeger-collector.observability) Misplaced annotation: sidecar.istio.io/inject can only be applied to Pod
Warn [IST0107] (Deployment jaeger-query.observability) Misplaced annotation: sidecar.istio.io/inject can only be applied to Pod

Reference error: https://preliminary.istio.io/latest/docs/reference/config/analysis/IST0107/

sidecar.istio.io/inject: false appears on the deployment resources of both jaeger-collector and jaeger-query:

$ kubectl get deployment/jaeger-query -n observability -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "5"
    linkerd.io/inject: disabled
    prometheus.io/port: "16687"
    prometheus.io/scrape: "true"
    sidecar.istio.io/inject: "false"  # invalid
    sidecar.jaegertracing.io/inject: jaeger
  creationTimestamp: "2020-08-14T10:33:11Z"
  generation: 7
  labels:
    app: jaeger
    app.kubernetes.io/component: query
    app.kubernetes.io/instance: jaeger
    app.kubernetes.io/managed-by: jaeger-operator
    app.kubernetes.io/name: jaeger-query
    app.kubernetes.io/part-of: jaeger
    sidecar.jaegertracing.io/injected: jaeger
  name: jaeger-query
  namespace: observability
  ownerReferences:
  - apiVersion: jaegertracing.io/v1
    controller: true
    kind: Jaeger
    name: jaeger
    uid: 805cea96-0541-4207-b47f-f629860b79e8
  resourceVersion: "51586237"
  selfLink: /apis/apps/v1/namespaces/observability/deployments/jaeger-query
  uid: 50677ba3-a156-42eb-9fbf-45ce42919787
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: jaeger
      app.kubernetes.io/component: query
      app.kubernetes.io/instance: jaeger
      app.kubernetes.io/managed-by: jaeger-operator
      app.kubernetes.io/name: jaeger-query
      app.kubernetes.io/part-of: jaeger
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        linkerd.io/inject: disabled
        prometheus.io/port: "16687"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"  # valid
        sidecar.jaegertracing.io/inject: jaeger
...
jpkrohling commented 4 years ago

Nice catch. Would you like to contribute a fix?

xM8WVqaG commented 4 years ago

I am not particularly confident with Golang but having looked through the codebase it looks quite straightforward to change if you'd rather take a PR for this. I expect the hardest part of this change is the most appropriate place to add this logic without being disgusting or complicated.

For example, if I just remove the sidecar.istio.io/inject annotation from the deployment on the baseCommonSpec; should I just deepcopy them after they have been merged with commonSpec and then append it there?

Like this:

podAnnotations := make(map[string]string)

for k, v := range commonSpec.Annotations {
  podAnnotations[k] = v
}

podAnnotations["sidecar.istio.io/inject"] = "false"
jpkrohling commented 4 years ago

Yes, something like that would certainly work. Send in a PR and we can check together if it needs to be done before or after the merge of the base common spec with the common spec.

primeroz commented 3 years ago

Hitting this as well, i was wondering if there would be situations where we might want the sidecar to be enabled ?

jpkrohling commented 3 years ago

Is this causing an actual problem? I thought this was mostly a linting issue?

primeroz commented 3 years ago

linting only ... just cleaning up my istioctl analyze and keep having to add exclusion for things ( not just this ;) )

jpkrohling commented 3 years ago

Thanks for the clarification! Would you be able to send us a PR?

xM8WVqaG commented 3 years ago

Apologies for never submitting the PR last year. tl;dr I was struggling to get the development environment installed locally and didn't want to submit a PR without running tests on it first.

Here is the diff if you want to take this over. I don't expect I will have the time to try and get this working again for a few weeks.

diff --git a/pkg/deployment/collector.go b/pkg/deployment/collector.go
index 672f07e8..fec1410d 100644
--- a/pkg/deployment/collector.go
+++ b/pkg/deployment/collector.go
@@ -46,16 +46,23 @@ func (c *Collector) Get() *appsv1.Deployment {

    baseCommonSpec := v1.JaegerCommonSpec{
        Annotations: map[string]string{
-           "prometheus.io/scrape":    "true",
-           "prometheus.io/port":      strconv.Itoa(int(adminPort)),
-           "sidecar.istio.io/inject": "false",
-           "linkerd.io/inject":       "disabled",
+           "prometheus.io/scrape": "true",
+           "prometheus.io/port":   strconv.Itoa(int(adminPort)),
+           "linkerd.io/inject":    "disabled",
        },
        Labels: labels,
    }

    commonSpec := util.Merge([]v1.JaegerCommonSpec{c.jaeger.Spec.Collector.JaegerCommonSpec, c.jaeger.Spec.JaegerCommonSpec, baseCommonSpec})

+   podAnnotations := make(map[string]string)
+
+   for k, v := range commonSpec.Annotations {
+       podAnnotations[k] = v
+   }
+
+   podAnnotations["sidecar.istio.io/inject"] = "false"
+
    var envFromSource []corev1.EnvFromSource
    if len(c.jaeger.Spec.Storage.SecretName) > 0 {
        envFromSource = append(envFromSource, corev1.EnvFromSource{
@@ -119,7 +126,7 @@ func (c *Collector) Get() *appsv1.Deployment {
            Template: corev1.PodTemplateSpec{
                ObjectMeta: metav1.ObjectMeta{
                    Labels:      commonSpec.Labels,
-                   Annotations: commonSpec.Annotations,
+                   Annotations: podAnnotations,
                },
                Spec: corev1.PodSpec{
                    Containers: []corev1.Container{{
diff --git a/pkg/deployment/query.go b/pkg/deployment/query.go
index fdb9ce51..0da6491b 100644
--- a/pkg/deployment/query.go
+++ b/pkg/deployment/query.go
@@ -41,10 +41,9 @@ func (q *Query) Get() *appsv1.Deployment {

    baseCommonSpec := v1.JaegerCommonSpec{
        Annotations: map[string]string{
-           "prometheus.io/scrape":    "true",
-           "prometheus.io/port":      strconv.Itoa(int(adminPort)),
-           "sidecar.istio.io/inject": "false",
-           "linkerd.io/inject":       "disabled",
+           "prometheus.io/scrape": "true",
+           "prometheus.io/port":   strconv.Itoa(int(adminPort)),
+           "linkerd.io/inject":    "disabled",
        },
        Labels: labels,
    }
@@ -63,6 +62,14 @@ func (q *Query) Get() *appsv1.Deployment {

    commonSpec := util.Merge([]v1.JaegerCommonSpec{q.jaeger.Spec.Query.JaegerCommonSpec, q.jaeger.Spec.JaegerCommonSpec, baseCommonSpec})

+   podAnnotations := make(map[string]string)
+
+   for k, v := range commonSpec.Annotations {
+       podAnnotations[k] = v
+   }
+
+   podAnnotations["sidecar.istio.io/inject"] = "false"
+
    options := allArgs(q.jaeger.Spec.Query.Options,
        q.jaeger.Spec.Storage.Options.Filter(q.jaeger.Spec.Storage.Type.OptionsPrefix()))

@@ -110,7 +117,7 @@ func (q *Query) Get() *appsv1.Deployment {
            Template: corev1.PodTemplateSpec{
                ObjectMeta: metav1.ObjectMeta{
                    Labels:      commonSpec.Labels,
-                   Annotations: commonSpec.Annotations,
+                   Annotations: podAnnotations,
                },
                Spec: corev1.PodSpec{
                    Containers: []corev1.Container{{
primeroz commented 3 years ago

I can have a look at it and send a pr

Thanks !

Kirial commented 3 years ago

This seems to still be an issue. What is the status of this PR @primeroz

primeroz commented 3 years ago

I am moved onto other things in the meantime so not really looking at doing 5his anytime soon