Merge pull request #1408 from pikasTech/fix/1400-webui-trigger-egress
fix(web-sentinel): allow dashboard trigger apiserver egress
@@ -34,6 +34,11 @@ baselines:
|
||||
tracesEndpoint: http://otel-collector.platform-infra.svc.cluster.local:4318/v1/traces
|
||||
sampler: parentbased_traceidratio
|
||||
samplerArg: "1"
|
||||
kubernetesApi:
|
||||
egress:
|
||||
enabled: true
|
||||
cidr: 10.43.0.1/32
|
||||
port: 443
|
||||
scheduler15m: &scheduler-15m
|
||||
intervalMs: 900000
|
||||
heartbeatStaleSeconds: 900
|
||||
|
||||
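Review bot: The new `cidr` and `port` entries under `kubernetesApi.egress` carry no comment saying what they point at, and `10.43.0.1/32` reads as one cluster's in-cluster API service address rather than a value that holds everywhere, so a reader reusing this baseline elsewhere has no cue that it must change. I would add `# ClusterIP of the in-cluster API server service (cluster-specific); rendered into the dashboard NetworkPolicy ipBlock` above `cidr:`. It would also help to note next to `enabled:` that `false` omits the API-server egress rule entirely rather than widening anything, which is what the rendering code in this commit appears to do.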
@@ -1075,6 +1075,7 @@ function renderSentinelManifests(
|
||||
const pvcStorage = stringAt(runtime, "pvcStorage");
|
||||
const stateRoot = stringAt(runtime, "stateRoot");
|
||||
const sentinelEnv = sentinelContainerEnv(sentinelId, runtime, cicd, secrets);
|
||||
const kubernetesApiEgress = sentinelKubernetesApiEgress(runtime);
|
||||
const cadenceJob = sentinelCadenceCronJobPlan(spec, sentinelId, runtime, cicd, scenarios, image.ref, sentinelEnv);
|
||||
if (cadenceJob !== null) {
|
||||
emitWebProbeSentinelSpan({
|
||||
@@ -1221,7 +1222,10 @@ function renderSentinelManifests(
|
||||
podSelector: { matchLabels: { "app.kubernetes.io/name": deploymentName } },
|
||||
policyTypes: ["Ingress", "Egress"],
|
||||
ingress: [{ from: [{ namespaceSelector: {} }], ports: [{ protocol: "TCP", port: servicePort }] }],
|
||||
egress: [{ to: [{ namespaceSelector: {} }] }],
|
||||
egress: [
|
||||
{ to: [{ namespaceSelector: {} }] },
|
||||
...kubernetesApiEgress,
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
@@ -1242,6 +1246,14 @@ function renderSentinelManifests(
|
||||
];
|
||||
}
|
||||
|
||||
function sentinelKubernetesApiEgress(runtime: Record<string, unknown>): readonly Record<string, unknown>[] {
|
||||
if (booleanAtNullable(runtime, "kubernetesApi.egress.enabled") !== true) return [];
|
||||
return [{
|
||||
to: [{ ipBlock: { cidr: stringAt(runtime, "kubernetesApi.egress.cidr") } }],
|
||||
ports: [{ protocol: "TCP", port: numberAt(runtime, "kubernetesApi.egress.port") }],
|
||||
}];
|
||||
}
|
||||
|
||||
function sentinelContainerEnv(sentinelId: string, runtime: Record<string, unknown>, cicd: Record<string, unknown>, secrets: Record<string, unknown>): readonly Record<string, unknown>[] {
|
||||
const env: Record<string, unknown>[] = [{ name: "UNIDESK_WEB_PROBE_SENTINEL_ID", value: sentinelId }];
|
||||
const otelEnabled = booleanAtNullable(runtime, "observability.otel.enabled") ?? booleanAtNullable(cicd, "observability.otel.enabled") ?? false;
|
||||
|
||||
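Review bot: `sentinelKubernetesApiEgress` emits an `ipBlock` rule for a single address but has no comment explaining why a separate rule is needed when the egress list already allows `{ namespaceSelector: {} }` to every namespace; the reason — the API server's ClusterIP is not a pod, so namespace/pod selectors never match it — belongs in a TSDoc block above the function, together with a note that `kubernetesApi.egress.cidr` and `.port` become required once `enabled` is true and a `@returns` stating the empty array when the feature is off. Whether an ipBlock on a service ClusterIP is honoured is CNI-dependent, since some plugins evaluate egress policy after the service DNAT to the endpoint address, so the comment should flag that the rule may need the API server endpoint addresses on such clusters. A cheap render-time check that the cidr parses as `a.b.c.d/n` would turn a typo in the baseline into a render failure instead of an apply failure. `renderSentinelManifests`, which consumes this via `...kubernetesApiEgress` in the earlier hunk, starts and ends outside this hunk.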