(args *PilotArgs)
// injectionEnabled is the process-wide switch for the sidecar-injection
// mutating webhook handler. It is registered under the INJECT_ENABLED
// environment variable with a default of true. initSidecarInjector reads it
// with Get() and returns (nil, nil) without building a webhook when it is
// false or when no injection directory is configured.
var injectionEnabled = env.Register(
	"INJECT_ENABLED",
	true,
	"Enable mutating webhook handler.",
)
| 42 | |
| 43 | func (s *Server) initSidecarInjector(args *PilotArgs) (*inject.Webhook, error) { |
| 44 | // currently the constant: "./var/lib/istio/inject" |
| 45 | injectPath := args.InjectionOptions.InjectionDirectory |
| 46 | if injectPath == "" || !injectionEnabled.Get() { |
| 47 | log.Infof("Skipping sidecar injector, injection path is missing or disabled.") |
| 48 | return nil, nil |
| 49 | } |
| 50 | |
| 51 | // If the injection config exists either locally or remotely, we will set up injection. |
| 52 | var watcher inject.Watcher |
| 53 | if _, err := os.Stat(filepath.Join(injectPath, "config")); !os.IsNotExist(err) { |
| 54 | configFile := filepath.Join(injectPath, "config") |
| 55 | valuesFile := filepath.Join(injectPath, "values") |
| 56 | watcher, err = inject.NewFileWatcher(configFile, valuesFile) |
| 57 | if err != nil { |
| 58 | return nil, err |
| 59 | } |
| 60 | } else if s.kubeClient != nil { |
| 61 | configMapName := getInjectorConfigMapName(args.Revision) |
| 62 | cms := s.kubeClient.Kube().CoreV1().ConfigMaps(args.Namespace) |
| 63 | if _, err := cms.Get(context.TODO(), configMapName, metav1.GetOptions{}); err != nil { |
| 64 | if errors.IsNotFound(err) { |
| 65 | log.Infof("Skipping sidecar injector, template not found") |
| 66 | return nil, nil |
| 67 | } |
| 68 | return nil, err |
| 69 | } |
| 70 | watcher = inject.NewConfigMapWatcher(s.kubeClient, args.Namespace, configMapName, "config", "values") |
| 71 | } else { |
| 72 | log.Infof("Skipping sidecar injector, template not found") |
| 73 | return nil, nil |
| 74 | } |
| 75 | |
| 76 | log.Info("initializing sidecar injector") |
| 77 | |
| 78 | parameters := inject.WebhookParameters{ |
| 79 | Watcher: watcher, |
| 80 | Env: s.environment, |
| 81 | Mux: s.httpsMux, |
| 82 | Revision: args.Revision, |
| 83 | MultiCluster: s.multiclusterController, |
| 84 | } |
| 85 | |
| 86 | wh, err := inject.NewWebhook(parameters) |
| 87 | if err != nil { |
| 88 | return nil, fmt.Errorf("failed to create injection webhook: %v", err) |
| 89 | } |
| 90 | // Patch cert if a webhook config name is provided. |
| 91 | // This requires RBAC permissions - a low-priv Istiod should not attempt to patch but rely on |
| 92 | // operator or CI/CD |
| 93 | if features.InjectionWebhookConfigName != "" { |
| 94 | s.addStartFunc("injection patcher", func(stop <-chan struct{}) error { |
| 95 | // No leader election - different istiod revisions will patch their own cert. |
| 96 | // update webhook configuration by watching the cabundle |
| 97 | patcher, err := webhooks.NewWebhookCertPatcher(s.kubeClient, args.Revision, webhookName, s.istiodCertBundleWatcher) |
| 98 | if err != nil { |
| 99 | log.Errorf("failed to create webhook cert patcher: %v", err) |
| 100 | return nil |
no test coverage detected