Add Helm chart value agentInjector.mutationAware.

Introduce a new configuration option `agentInjector.mutationAware` to
exclude or include changes made by other injectors when injecting the
traffic agent. Defaults to `true`.

Signed-off-by: Thomas Hallgren <thomas@tada.se>

Author: thallgren

CHANGELOG.yml

@@ -27,6 +27,12 @@ items:
   - version: 2.26.0
     date: (TBD)
     notes:
+      - type: feature
+        title: Add ability to exclude or include modifications made by other injectors when injecting the traffic agent.
+        body: >-
+          The Traffic Agent now has a new configuration option `agentInjector.mutationAware` that can be set to `false` to exclude
+          modifications made by other injectors when injecting the traffic agent. Setting `agentInjector.mutationAware=true` requires
+          `agentInjector.webhook.reinvocationPolicy=IfNeeded`. The default setting is `true`.
       - type: feature
         title: Add ability to disable the Traffic Agent's HTTP2/Clear-Text probing.
         body: >-

charts/telepresence-oss/templates/agentInjectorWebhook.yaml

@@ -70,6 +70,10 @@ already managed by some other traffic-manager.
 {{- $genCA := genCA "agent-injector-ca" 365 -}}
 {{- $genCert := genSignedCert "agent-injector" nil $altNames 365 $genCA -}}
 {{- $secretData := (lookup "v1" "Secret" (include "traffic-manager.namespace" $) .Values.agentInjector.secret.name).data -}}
+{{- $reinvocationPolicy := .Values.agentInjector.webhook.reinvocationPolicy }}
+{{- if (and .Values.agentInjector.mutationAware (not (eq $reinvocationPolicy "IfNeeded"))) }}
+   {{- fail (printf "agentInjector.mutationAware=true cannot be combined with reinvocationPolicy=%s" $reinvocationPolicy) }}
+{{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -111,7 +115,7 @@ webhooks:
     - pods
     scope: '*'
   failurePolicy: {{ .Values.agentInjector.webhook.failurePolicy }}
-  reinvocationPolicy: {{ .Values.agentInjector.webhook.reinvocationPolicy }}
+  reinvocationPolicy: {{ $reinvocationPolicy }}
   name: agent-injector-{{ include "traffic-manager.namespace" $ }}.telepresence.io
   sideEffects: {{ .Values.agentInjector.webhook.sideEffects }}
   timeoutSeconds: {{ .Values.agentInjector.webhook.timeoutSeconds }}

charts/telepresence-oss/templates/deployment.yaml

@@ -119,6 +119,8 @@ spec:
             value: {{ .injectPolicy }}
           - name: AGENT_INJECTOR_NAME
             value:  {{ .name | quote }}
+          - name: AGENT_INJECTOR_MUTATION_AWARE
+            value: {{ (default false .mutationAware) | quote }}
           {{- end }}
         {{- /*
         Traffic agent configuration

charts/telepresence-oss/values.schema.yaml

@@ -136,6 +136,9 @@ properties:
         enum:
           - OnDemand
           - WhenEnabled
+      mutationAware:
+        description: Include changes to the pod template that are contributed by other injectors. Implies reinvocationPolicy=IfNeeded
+        type: boolean
       name:
         description: Name to use with objects associated with the agent-injector
         type: string

charts/telepresence-oss/values.yaml

@@ -114,6 +114,7 @@ agentInjector:
         kind: Issuer
 
   injectPolicy: OnDemand
+  mutationAware: true
   webhook:
     name: agent-injector-webhook
     admissionReviewVersions: ["v1"]

cmd/traffic/cmd/manager/managerutil/envconfig.go

@@ -50,24 +50,25 @@ type Env struct {
 	PodCIDRs        []netip.Prefix `env:"POD_CIDRS,         parser=split-ipnet, default="`
 	PodIP           netip.Addr     `env:"POD_IP,            parser=ip"`
 
-	AgentRegistry             string                      `env:"AGENT_REGISTRY,                parser=string,         default="`
-	AgentImageName            string                      `env:"AGENT_IMAGE_NAME,              parser=string,         default="`
-	AgentImageTag             string                      `env:"AGENT_IMAGE_TAG,               parser=string,         default="`
-	AgentImagePullPolicy      string                      `env:"AGENT_IMAGE_PULL_POLICY,       parser=string,         default="`
-	AgentImagePullSecrets     []core.LocalObjectReference `env:"AGENT_IMAGE_PULL_SECRETS,      parser=json-local-refs,default="`
-	AgentInjectPolicy         agentconfig.InjectPolicy    `env:"AGENT_INJECT_POLICY,           parser=enable-policy,  default=Never"`
-	AgentLogLevel             string                      `env:"AGENT_LOG_LEVEL,               parser=logLevel,       defaultFrom=LogLevel"`
-	AgentPort                 uint16                      `env:"AGENT_PORT,                    parser=port-number,    default=0"`
-	AgentEnableH2cProbing     bool                        `env:"AGENT_ENABLE_H2C_PROBING,      parser=bool,           default=false"`
-	AgentResources            *core.ResourceRequirements  `env:"AGENT_RESOURCES,               parser=json-resources, default="`
-	AgentMountPolicies        types.MountPolicies         `env:"AGENT_MOUNT_POLICIES,          parser=json-mount-policies, default="`
-	AgentInitResources        *core.ResourceRequirements  `env:"AGENT_INIT_RESOURCES,          parser=json-resources, default="`
-	AgentInjectorName         string                      `env:"AGENT_INJECTOR_NAME,           parser=string,         default="`
-	AgentInjectorSecret       string                      `env:"AGENT_INJECTOR_SECRET,         parser=string,         default="`
-	AgentSecurityContext      *core.SecurityContext       `env:"AGENT_SECURITY_CONTEXT,        parser=json-security-context, default="`
-	AgentInitSecurityContext  *core.SecurityContext       `env:"AGENT_INIT_SECURITY_CONTEXT,   parser=json-security-context, default="`
-	AgentInitContainerEnabled bool                        `env:"AGENT_INIT_CONTAINER_ENABLED,  parser=bool, default=true"`
-	AgentMaxIdleTime          time.Duration               `env:"AGENT_MAX_IDLE_TIME,              		parser=time.ParseDuration, default=0"`
+	AgentRegistry              string                      `env:"AGENT_REGISTRY,                parser=string,         default="`
+	AgentImageName             string                      `env:"AGENT_IMAGE_NAME,              parser=string,         default="`
+	AgentImageTag              string                      `env:"AGENT_IMAGE_TAG,               parser=string,         default="`
+	AgentImagePullPolicy       string                      `env:"AGENT_IMAGE_PULL_POLICY,       parser=string,         default="`
+	AgentImagePullSecrets      []core.LocalObjectReference `env:"AGENT_IMAGE_PULL_SECRETS,      parser=json-local-refs,default="`
+	AgentInjectPolicy          agentconfig.InjectPolicy    `env:"AGENT_INJECT_POLICY,           parser=enable-policy,  default=Never"`
+	AgentLogLevel              string                      `env:"AGENT_LOG_LEVEL,               parser=logLevel,       defaultFrom=LogLevel"`
+	AgentPort                  uint16                      `env:"AGENT_PORT,                    parser=port-number,    default=0"`
+	AgentEnableH2cProbing      bool                        `env:"AGENT_ENABLE_H2C_PROBING,      parser=bool,           default=false"`
+	AgentResources             *core.ResourceRequirements  `env:"AGENT_RESOURCES,               parser=json-resources, default="`
+	AgentMountPolicies         types.MountPolicies         `env:"AGENT_MOUNT_POLICIES,          parser=json-mount-policies, default="`
+	AgentInitResources         *core.ResourceRequirements  `env:"AGENT_INIT_RESOURCES,          parser=json-resources, default="`
+	AgentInjectorName          string                      `env:"AGENT_INJECTOR_NAME,           parser=string,         default="`
+	AgentInjectorSecret        string                      `env:"AGENT_INJECTOR_SECRET,         parser=string,         default="`
+	AgentInjectorMutationAware bool                        `env:"AGENT_INJECTOR_MUTATION_AWARE, parser=bool,           default=false"`
+	AgentSecurityContext       *core.SecurityContext       `env:"AGENT_SECURITY_CONTEXT,        parser=json-security-context, default="`
+	AgentInitSecurityContext   *core.SecurityContext       `env:"AGENT_INIT_SECURITY_CONTEXT,   parser=json-security-context, default="`
+	AgentInitContainerEnabled  bool                        `env:"AGENT_INIT_CONTAINER_ENABLED,  parser=bool, default=true"`
+	AgentMaxIdleTime           time.Duration               `env:"AGENT_MAX_IDLE_TIME,           parser=time.ParseDuration, default=0"`
 
 	ClientRoutingAlsoProxySubnets        []netip.Prefix `env:"CLIENT_ROUTING_ALSO_PROXY_SUBNETS,  		parser=split-ipnet, default="`
 	ClientRoutingNeverProxySubnets       []netip.Prefix `env:"CLIENT_ROUTING_NEVER_PROXY_SUBNETS, 		parser=split-ipnet, default="`

cmd/traffic/cmd/manager/mutator/agent_injector.go

@@ -111,6 +111,7 @@ func (a *agentInjector) Inject(ctx context.Context, req *admission.AdmissionRequ
 
 	ia := annotation.GetAnnotation(ctx, pod.Annotations, annotation.InjectTrafficAgent, annotation.LegacyInjectTrafficAgent)
 
+	var wl k8sapi.Workload
 	var sc *agentconfig.Sidecar
 	switch ia {
 	case "false", "disabled":
@@ -130,7 +131,7 @@ func (a *agentInjector) Inject(ctx context.Context, req *admission.AdmissionRequ
 			return nil, nil
 		}
 
-		wl, err := agentmap.FindOwnerWorkload(ctx, k8sapi.Pod(pod), env.EnabledWorkloadKinds)
+		wl, err = agentmap.FindOwnerWorkload(ctx, k8sapi.Pod(pod), env.EnabledWorkloadKinds)
 		if err != nil {
 			uwkError := k8sapi.UnsupportedWorkloadKindError("")
 			switch {
@@ -156,13 +157,20 @@ func (a *agentInjector) Inject(ctx context.Context, req *admission.AdmissionRequ
 	default:
 		return nil, fmt.Errorf("invalid value %q for annotation %s", ia, annotation.InjectTrafficAgent)
 	}
-	return createPatch(ctx, sc, pod)
+
+	podTpl := &core.PodTemplateSpec{ObjectMeta: pod.ObjectMeta}
+	if env.AgentInjectorMutationAware {
+		podTpl.Spec = pod.Spec
+	} else {
+		podTpl.Spec = wl.GetPodTemplate().Spec
+	}
+	return createPatch(ctx, sc, pod, podTpl)
 }
 
-func createPatch(ctx context.Context, config *agentconfig.Sidecar, pod *core.Pod) (patches PatchOps, err error) {
+func createPatch(ctx context.Context, config *agentconfig.Sidecar, pod *core.Pod, wlTpl *core.PodTemplateSpec) (patches PatchOps, err error) {
 	var anns map[string]string
 	patches = addInitContainer(ctx, pod, config, patches)
-	patches, anns, err = addAgentContainer(ctx, pod, config, patches)
+	patches, anns, err = addAgentContainer(ctx, pod, wlTpl, config, patches)
 	if err != nil {
 		return nil, err
 	}
@@ -399,12 +407,13 @@ func containerEqual(ctx context.Context, a, b *core.Container) bool {
 func addAgentContainer(
 	ctx context.Context,
 	pod *core.Pod,
+	wlTpl *core.PodTemplateSpec,
 	config *agentconfig.Sidecar,
 	patches PatchOps,
 ) (PatchOps, map[string]string, error) {
 	ab := agentconfig.ContainerBuilder{
 		MountPolicies: managerutil.GetEnv(ctx).AgentMountPolicies,
-		Pod:           pod,
+		Pod:           wlTpl,
 		Config:        config,
 	}
 	acn, replaceAnnotations, err := ab.AgentContainer(ctx)

cmd/traffic/cmd/manager/mutator/agent_injector_test.go

@@ -1960,15 +1960,15 @@ matchExpressions:
 				ServerHost: "tel-example",
 				ServerPort: 8081,
 
-				ManagerNamespace:  "default",
-				AgentRegistry:     "ghcr.io/telepresenceio",
-				AgentImageName:    "tel2",
-				AgentImageTag:     "2.13.3",
-				AgentPort:         9900,
-				AgentInjectPolicy: agentconfig.WhenEnabled,
-
-				EnabledWorkloadKinds:      k8sapi.Kinds{k8sapi.DeploymentKind, k8sapi.StatefulSetKind, k8sapi.ReplicaSetKind},
-				AgentInitContainerEnabled: true,
+				ManagerNamespace:           "default",
+				AgentRegistry:              "ghcr.io/telepresenceio",
+				AgentImageName:             "tel2",
+				AgentImageTag:              "2.13.3",
+				AgentPort:                  9900,
+				AgentInjectPolicy:          agentconfig.WhenEnabled,
+				AgentInjectorMutationAware: true,
+				AgentInitContainerEnabled:  true,
+				EnabledWorkloadKinds:       k8sapi.Kinds{k8sapi.DeploymentKind, k8sapi.StatefulSetKind, k8sapi.ReplicaSetKind},
 			}
 			ctx = managerutil.WithEnv(ctx, env)
 			if test.envAdditions != nil {

docs/release-notes.md

@@ -2,6 +2,12 @@
 [comment]: # (Code generated by relnotesgen. DO NOT EDIT.)
 # <img src="images/logo.png" height="64px"/> Telepresence Release Notes
 ## Version 2.26.0
+## <div style="display:flex;"><img src="images/feature.png" alt="feature" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Add ability to exclude or include modifications made by other injectors when injecting the traffic agent.</div></div>
+<div style="margin-left: 15px">
+
+The Traffic Agent now has a new configuration option `agentInjector.mutationAware` that can be set to `false` to exclude modifications made by other injectors when injecting the traffic agent. Setting `agentInjector.mutationAware=true` requires `agentInjector.webhook.reinvocationPolicy=IfNeeded`. The default setting is `true`.
+</div>
+
 ## <div style="display:flex;"><img src="images/feature.png" alt="feature" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Add ability to disable the Traffic Agent's HTTP2/Clear-Text probing.</div></div>
 <div style="margin-left: 15px">
 

docs/release-notes.mdx

@@ -8,6 +8,12 @@ import { Note, Title, Body } from '@site/src/components/ReleaseNotes'
 
 # Telepresence Release Notes
 ## Version 2.26.0
+<Note>
+	<Title type="feature">Add ability to exclude or include modifications made by other injectors when injecting the traffic agent.</Title>
+	<Body>
+The Traffic Agent now has a new configuration option `agentInjector.mutationAware` that can be set to `false` to exclude modifications made by other injectors when injecting the traffic agent. Setting `agentInjector.mutationAware=true` requires `agentInjector.webhook.reinvocationPolicy=IfNeeded`. The default setting is `true`.
+  </Body>
+</Note>
 <Note>
 	<Title type="feature">Add ability to disable the Traffic Agent's HTTP2/Clear-Text probing.</Title>
 	<Body>