[SCB-1584] Implement the sidecar injector of kubernetes

cmd/injector/injector.go

@@ -0,0 +1,43 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package main
+
+import (
+	"os"
+
+	"github.com/apache/servicecomb-mesher/injection/cmd"
+	"github.com/go-mesh/openlogging"
+	"github.com/urfave/cli"
+)
+
+func main() {
+	app := cli.NewApp()
+	app.HideVersion = true
+	app.Name = "injector"
+	app.Usage = "Kubernetes webhook for automatic ServiceComb mesher injection."
+	app.Commands = []cli.Command{
+		cmd.GetCmdStart(),
+		cmd.GetCmdVersion(),
+	}
+
+	err := app.Run(os.Args)
+	if err != nil {
+		openlogging.Error("run app command line failed: " + err.Error())
+	}
+	return
+}

deployments/kubernetes/injector/mesher-injector.yaml

@@ -0,0 +1,153 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# svccomb-mesher-injector configmap
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: svccomb-system
+  name: svccomb-mesher-injector-configmap
+data:
+  injectorconfig.yaml: |
+    mesher:
+      image: servicecomb/mesher-sidecar
+      tag: 1.6.3
+    serviceCenter:
+      name: servicecenter
+      namespace: servicecomb
+  injectortemplate.yaml: |
+    apiVersion: v1
+    kind: Pod
+    spec:
+      containers:
+      - env:
+        - name: http_proxy
+          value: http://127.0.0.1:{{.Mesher.HTTPPort}}
+        name: {{.App.Name}}
+      - env:
+        - name: SPECIFIC_ADDR
+          value: 127.0.0.1:{{.App.Port}}
+        - name: SERVICE_NAME
+          value: {{.App.Name}}
+        - name: VERSION
+          value: {{.App.Version}}
+        - name: CSE_REGISTRY_ADDR
+          value: {{.ServiceCenter.Address}}
+        image: {{.Mesher.Image}}:{{.Mesher.Tag}}
+        imagePullPolicy: IfNotPresent
+        name: {{.Mesher.Name}}
+        ports:
+        - containerport: {{.Mesher.GRPCPort}}
+          name: grpc
+          protocol: TCP
+        - containerport: {{.Mesher.HTTPPort}}
+          name: http
+          protocol: TCP
+        - containerport: {{.Mesher.AdminPort}}
+          name: rest-admin
+          protocol: TCP
+---
+# svccomb-mesher-injector webhook
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: svccomb-mesher-injector
+  labels:
+    app: mesherInjectorWebhook
+    chart: mesherInjectorWebhook
+webhooks:
+  - name: servicecomb.apache.org
+    clientConfig:
+      service:
+        name: svccomb-mesher-injector
+        namespace: svccomb-system
+        path: "/v1/mesher/inject"
+      caBundle: ${CA_BUNDLE}
+    rules:
+      - operations: [ "CREATE" ]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+    failurePolicy: Fail
+    namespaceSelector:
+      matchLabels:
+        svccomb-injection: enabled
+---
+# svccomb-mesher-injector service
+apiVersion: v1
+kind: Service
+metadata:
+  name: svccomb-mesher-injector
+  namespace: svccomb-system
+  labels:
+    app: mesherInjectorWebhook
+    chart: mesherInjectorWebhook
+    svccomb: mesher-injector
+spec:
+  ports:
+    - port: 443
+      name: https
+  selector:
+    svccomb: mesher-injector
+---
+# svccomb-mesher-injector deployment
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: svccomb-mesher-injector
+  namespace: svccomb-system
+  labels:
+    app: mesherInjectorWebhook
+    chart: mesherInjectorWebhook
+    svccomb: mesher-injector
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      svccomb: mesher-injector
+  template:
+    metadata:
+      labels:
+        app: mesherInjectorWebhook
+        chart: mesherInjectorWebhook
+        svccomb: mesher-injector
+    spec:
+      containers:
+        - name: mesher-injector-webhook
+          image: servicecomb/mesher-injector
+          args:
+            - --tlsCertPath=/etc/certs/cert.pem
+            - --tlsKeyPath=/etc/certs/key.pem
+            - --configPath=/etc/configs/injectorconfig.yaml
+            - --templatePath=/etc/configs/injectortemplate.yaml
+          imagePullPolicy: IfNotPresent #Always
+          ports:
+            - containerPort: 443
+          volumeMounts:
+            - name: certs
+              mountPath: /etc/certs
+              readOnly: true
+            - name: configs
+              mountPath: /etc/configs
+              readOnly: true
+      volumes:
+        - name: certs
+          secret:
+            secretName: svccomb-mesher-injector-service-account
+        - name: configs
+          configMap:
+            name: svccomb-mesher-injector-configmap
+

deployments/kubernetes/injector/svccomb-system.yaml

@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: svccomb-system
+  labels:
+    svccomb-injection: disabled

docker/injector/Dockerfile

@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.12.10 as builder
+
+COPY . /go/src/github.com/apache/servicecomb-mesher/ 
+WORKDIR /go/src/github.com/apache/servicecomb-mesher/
+ENV GOPROXY=https://goproxy.io \
+    GO111MODULE=on
+RUN go build -a github.com/apache/servicecomb-mesher/cmd/injector
+
+FROM frolvlad/alpine-glibc:latest
+WORKDIR /home
+COPY --from=builder /go/src/github.com/apache/servicecomb-mesher/injector /home
+ENTRYPOINT ["./injector", "start"]

docs/injection/injection.md

@@ -0,0 +1,70 @@
+# Masher injection
+
+Mesher can be used with any application language on any infrastructure. On Kubernetes, we inject Mesher into Pods, and applications can take advantage of all its features. Below we introduce the use of Mesher injector by example. 
+
+## Before
+1. Install Servcicecomb [service-center](http://servicecomb.apache.org/docs/service-center/install/#deployment-with-kubernetes)  
+
+
+2. Download the example of quick_start
+```bash
+$ git clone https://github.com/apache/servicecomb-mesher.git
+$ cd ./servicecomb-mesher/examples/quick_start
+```
+
+3. Build docker images
+```bash
+$ cd ./mesher_injection
+$ bash build_images.sh
+```
+
+## Automatic Mesher injection  
+Meshers can be automatically added to applicable Kubernetes pods using a mutating webhook admission controller provided by Mesher Injector.  
+
+1. Create namespace "svccomb-system"
+   ```bash
+   cp ../../../deployments/kubernetes/injector/*.yaml .
+   $ kubectl apply -f svccomb-system.yaml
+   namespace/svccomb-system created
+   ```
+2. Generate Injector's certificatesigningrequest and secret
+   ```bash
+   $ wget https://raw.githubusercontent.com/morvencao/kube-mutating-webhook-tutorial/master/deployment/webhook-create-signed-cert.sh
+
+   $ bash webhook-create-signed-cert.sh --service svccomb-mesher-injector --namespace svccomb-system --secret svccomb-mesher-injector-service-account
+   ```
+3. Query caBundle and fill it into "mesher-injector.yaml"
+   ```bash
+   $ CA_BUNDLE=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')
+
+   $ sed -i "s|\${CA_BUNDLE}|${CA_BUNDLE}|g" mesher-injector.yaml
+   ```
+4. Deploy mesher injecter
+   ```bash
+   $ kubectl apply -f mesher-injector.yaml
+   mutatingwebhookconfiguration.admissionregistration.k8s.io/svccomb-mesher-injector configured
+   service/svccomb-mesher-injector created
+   deployment.extensions/svccomb-mesher-injector created
+   ```
+5. Deploy examples to Kubernetes  
+   ```bash
+   $ kubectl apply -f svccomb-test.yaml
+   namespace/svccomb-test created
+
+   $ kubectl -n svccomb-test apply -f calculator.yaml
+   service/calculator created
+   deployment.extensions/calculator-python created
+
+   $ kubectl -n svccomb-test apply -f webapp.yaml
+   service/webapp created
+   deployment.extensions/webapp-node created
+   ```
+6. Validated results
+   ```bash
+   $ kubectl get svc 
+   NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
+   calculator   ClusterIP   10.104.2.143     <none>        5000/TCP         3m43s
+   kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP          42d
+   webapp       NodePort    10.104.134.148   <none>        5001:30062/TCP   3m35s
+   ```
+   Open the page "http://127.0.0.1:30062" in your browser, enter your height and weight in the input boxes, and click the submit button, you can see the BMI results about you. 

examples/quick_start/mesher_injection/Dockerfile_calculator

@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM python:2
+
+WORKDIR /usr/src/app
+
+COPY httpserver_calculator/ ./
+
+CMD [ "python", "httpserver_calculator.py" ]

examples/quick_start/mesher_injection/Dockerfile_webapp

@@ -0,0 +1,24 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM node:10.16.2
+
+WORKDIR /home
+
+COPY httpserver_webapp/ ./
+
+RUN npm install
+
+CMD [ "node", "httpserver_webapp.js" ]