w

Author: programmer04

.config/telepresence/config.yml

@@ -632,7 +632,6 @@ test.api: gotestsum
 _test.integration: gotestsum download.telepresence
 	KUBECONFIG=$(KUBECONFIG) \
 	TELEPRESENCE_BIN=$(TELEPRESENCE) \
-	XDG_CONFIG_HOME=$(PROJECT_DIR)/.config/telepresence \
 	GOFLAGS=$(GOFLAGS) \
 	GOTESTSUM_FORMAT=$(GOTESTSUM_FORMAT) \
 	$(GOTESTSUM) -- $(GOTESTFLAGS) \
@@ -676,7 +675,6 @@ PARALLEL := $(if $(PARALLEL),$(PARALLEL),$(NCPU))
 _test.conformance: gotestsum download.telepresence
 		KUBECONFIG=$(KUBECONFIG) \
 		TELEPRESENCE_BIN=$(TELEPRESENCE) \
-		XDG_CONFIG_HOME=$(PROJECT_DIR)/.config/telepresence \
 		GOTESTSUM_FORMAT=$(GOTESTSUM_FORMAT) \
 		$(GOTESTSUM) -- $(GOTESTFLAGS) \
 		-timeout $(CONFORMANCE_TEST_TIMEOUT) \
@@ -833,9 +831,9 @@ KUBECONFIG ?= $(HOME)/.kube/config
 # etc didn't change in between the runs.
 .PHONY: _run
 _run:
-	@XDG_CONFIG_HOME=$(PROJECT_DIR)/.config/telepresence $(TELEPRESENCE) helm install
-	@XDG_CONFIG_HOME=$(PROJECT_DIR)/.config/telepresence $(TELEPRESENCE) connect
-	bash -c "export XDG_CONFIG_HOME=$(PROJECT_DIR)/.config/telepresence; trap \
+	@$(TELEPRESENCE) helm install
+	@$(TELEPRESENCE) connect
+	bash -c "trap \
 		'$(TELEPRESENCE) quit -s; $(TELEPRESENCE) helm uninstall; rm -rf $(TMP_KUBECONFIG) || 1' EXIT; \
 		KONG_OPERATOR_KUBECONFIG=$(or $(TMP_KUBECONFIG),$(KUBECONFIG)) \
 		KONG_OPERATOR_ANONYMOUS_REPORTS=false \
@@ -852,7 +850,7 @@ _run:
 		-zap-time-encoding iso8601 \
 		-zap-log-level 2 \
 		-zap-devel true \
-		"
+	"
 
 # Run the operator locally with impersonation of controller-manager service account from kong-system namespace.
 # The operator will use a temporary kubeconfig file and impersonate the real RBACs.
@@ -974,15 +972,15 @@ undeploy:
 # as if it were running inside the cluster itself.
 .PHONY: install.telepresence
 install.telepresence: download.telepresence
-	@XDG_CONFIG_HOME=$(PROJECT_DIR)/.config/telepresence $(PROJECT_DIR)/scripts/telepresence-manager.sh install "$(TELEPRESENCE)"
+	@$(PROJECT_DIR)/scripts/telepresence-manager.sh install "$(TELEPRESENCE)"
 
 # Disconnect and uninstall telepresence from the cluster.
 # This target cleans up the telepresence resources created by the install.telepresence target.
 # It should be used when you're done debugging the operator locally to ensure proper
 # cleanup of network connections and cluster resources.
 .PHONY: uninstall.telepresence
 uninstall.telepresence: download.telepresence
-	@XDG_CONFIG_HOME=$(PROJECT_DIR)/.config/telepresence $(PROJECT_DIR)/scripts/telepresence-manager.sh uninstall "$(TELEPRESENCE)"
+	@$(PROJECT_DIR)/scripts/telepresence-manager.sh uninstall "$(TELEPRESENCE)"
 
 .PHONY: lint.api
 lint.api: download.kube-api-linter

Makefile

@@ -3,7 +3,6 @@ package kubernetes
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 	"strconv"
 	"strings"
 )
@@ -32,87 +31,27 @@ func GetSelfNamespace() (string, error) {
 
 // GetSelfPodLabels gets all the labels of the KO pod.
 func GetSelfPodLabels() (map[string]string, error) {
-	var (
-		lastErr   error
-		locations []string
-	)
-
-	// Prefer explicit override first
-	if override := os.Getenv("KONG_OPERATOR_POD_LABELS_FILE"); override != "" {
-		locations = append(locations, override)
-	}
-
-	// Then try TELEPRESENCE_ROOT mounted path
-	if root := os.Getenv("TELEPRESENCE_ROOT"); root != "" {
-		relPath := strings.TrimPrefix(podLabelsFile, "/")
-		locations = append(locations, filepath.Join(root, relPath))
-	}
-
-	// Finally fall back to standard pod labels file
-	locations = append(locations, podLabelsFile)
-
-	for _, path := range locations {
-		buf, err := os.ReadFile(path)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-
-		ret := parsePodLabels(string(buf))
-		if len(ret) > 0 {
-			return ret, nil
-		}
-		lastErr = fmt.Errorf("no valid labels found in %s", path)
-	}
-
-	if lastErr != nil {
-		return nil, fmt.Errorf("cannot find pod labels from %v: %w", locations, lastErr)
+	buf, err := os.ReadFile(podLabelsFile)
+	if err != nil {
+		return nil, fmt.Errorf("cannot find pod labels from file %s: %w", podLabelsFile, err)
 	}
-	return nil, fmt.Errorf("cannot determine pod labels")
-}
 
-// parsePodLabels parses pod labels from DownwardAPI format.
-// Supports both newline-separated and comma-separated formats.
-func parsePodLabels(content string) map[string]string {
+	labels := strings.SplitSeq(string(buf), "\n")
 	ret := make(map[string]string)
-	content = strings.TrimSpace(content)
-	if content == "" {
-		return ret
-	}
-
-	// Try newline-separated first
-	lines := strings.Split(content, "\n")
-	// If we only have one line and it contains commas, try comma-separated
-	if len(lines) == 1 && strings.Contains(content, ",") {
-		lines = strings.Split(content, ",")
-	}
-
-	for _, label := range lines {
-		label = strings.TrimSpace(label)
-		if label == "" {
-			continue
-		}
-
+	for label := range labels {
 		labelKV := strings.SplitN(label, "=", 2)
 		if len(labelKV) != 2 {
-			continue
+			return nil, fmt.Errorf("invalid label format, should be key=value")
 		}
-
-		key := strings.TrimSpace(labelKV[0])
-		value := strings.TrimSpace(labelKV[1])
-		if key == "" {
+		key := labelKV[0]
+		// The value in labels are escaped, e.g: "ko" => "\"ko\"". So we need to unquote it.
+		value, err := strconv.Unquote(labelKV[1])
+		if err != nil {
 			continue
 		}
-
-		// Try to unquote the value (DownwardAPI escapes values)
-		if unquoted, err := strconv.Unquote(value); err == nil {
-			value = unquoted
-		}
-
 		ret[key] = value
 	}
-
-	return ret
+	return ret, nil
 }
 
 // RunningOnKubernetes returns true if it is running in the kubernetes environment.

pkg/utils/kubernetes/self_metadata.go

@@ -5,12 +5,6 @@
 set -e
 set -o pipefail
 
-# Default XDG_CONFIG_HOME to the project .config/telepresence directory so Telepresence reads config.yml inside it
-PROJECT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-if [ -z "${XDG_CONFIG_HOME:-}" ]; then
-  export XDG_CONFIG_HOME="$PROJECT_DIR/.config/telepresence"
-fi
-
 # Function to log messages with different levels.
 log() {
   local level="$1"

scripts/telepresence-manager.sh

@@ -2,7 +2,6 @@ package helpers
 
 import (
 	"bufio"
-	"bytes"
 	"context"
 	"fmt"
 	"os"
@@ -74,77 +73,46 @@ func SetupNetworkIntercepts(ctx context.Context, clients testutils.K8sClients) (
 		return nil, fmt.Errorf("telepresence intercept deployment not ready: %w", err)
 	}
 
-	envFile, err := os.CreateTemp("", "telepresence-env-*.sh")
+	fmt.Println("INFO: connecting to the cluster with telepresence!!!")
+	// NOTE: We need to specify --manager-namespace to connect to the traffic-manager
+	// installed in kong-system namespace above.
+	connectArgs := []string{"connect", "--manager-namespace", "kong-system", "--namespace", "kong-system"}
+	out, err := exec.CommandContext(ctx, telepresenceExec, connectArgs...).CombinedOutput()
 	if err != nil {
-		return nil, fmt.Errorf("failed creating temporary env file for telepresence: %w", err)
+		return nil, fmt.Errorf("failed to connect to the cluster with telepresence: %w, %s", err, string(out))
 	}
-	envFilePath := envFile.Name()
-	_ = envFile.Close()
+
+	// envFile, err := os.CreateTemp("", "telepresence-env-*.sh")
+	// if err != nil {
+	// 	return nil, fmt.Errorf("failed creating temporary env file for telepresence: %w", err)
+	// }
+	// envFilePath := envFile.Name()
+	// _ = envFile.Close()
 
 	fmt.Println("INFO: establishing telepresence intercept for controller identity")
-	var (
-		labelOverridePath string
-	)
+	// var (
+	// 	labelOverridePath string
+	// )
 	intercept := func(portPair int, svcName string) []string {
 		return []string{
 			"replace",
 			svcName,
 			"--port", fmt.Sprintf("%d:%d", portPair, portPair),
-			"--env-file", envFilePath,
 		}
 	}
 
 	cmd := exec.CommandContext(ctx, telepresenceExec, intercept(telepresenceInterceptPort, telepresenceInterceptName)...)
 	cmd.Env = os.Environ()
 	output, err := cmd.CombinedOutput()
 	if err != nil {
-		if !bytes.Contains(output, []byte("already exists")) {
-			_ = os.Remove(envFilePath)
-			return nil, fmt.Errorf("failed to create telepresence intercept: %w, %s", err, string(output))
-		}
+		// if !bytes.Contains(output, []byte("already exists")) {
+		// 	_ = os.Remove(envFilePath)
+		// 	return nil, fmt.Errorf("failed to create telepresence intercept: %w, %s", err, string(output))
+		// }
 		fmt.Println("WARN: telepresence intercept already exists, reusing the existing session")
 	}
 	fmt.Println(">>>\n", string(output), "\n<<<")
 
-	// const svc = "gateway-operator-webhook-service"
-	// cmd = exec.CommandContext(ctx, telepresenceExec, intercept(433, svc)...)
-	// cmd.Env = os.Environ()
-	// output, err = cmd.CombinedOutput()
-	// if err != nil {
-	// 	if !bytes.Contains(output, []byte("already exists")) {
-	// 		_ = os.Remove(envFilePath)
-	// 		return nil, fmt.Errorf("failed to create telepresence intercept: %w, %s", err, string(output))
-	// 	}
-	// 	fmt.Println("WARN: telepresence intercept already exists, reusing the existing session")
-	// }
-
-	// cmd = exec.CommandContext(ctx, telepresenceExec, intercept(5433, svc)...)
-	// cmd.Env = os.Environ()
-	// output, err = cmd.CombinedOutput()
-	// if err != nil {
-	// 	if !bytes.Contains(output, []byte("already exists")) {
-	// 		_ = os.Remove(envFilePath)
-	// 		return nil, fmt.Errorf("failed to create telepresence intercept: %w, %s", err, string(output))
-	// 	}
-	// 	fmt.Println("WARN: telepresence intercept already exists, reusing the existing session")
-	// }
-
-	if err := applyTelepresenceEnvFile(envFilePath); err != nil {
-		leaveCmd := exec.CommandContext(ctx, telepresenceExec, "leave", telepresenceInterceptName)
-		_ = leaveCmd.Run()
-		_ = os.Remove(envFilePath)
-		return nil, fmt.Errorf("failed to apply telepresence environment: %w", err)
-	}
-
-	overridePath, err := writePodLabelsOverride(interceptPodLabels())
-	if err != nil {
-		return nil, fmt.Errorf("failed to prepare pod labels override: %w", err)
-	}
-	labelOverridePath = overridePath
-	if err := os.Setenv("KONG_OPERATOR_POD_LABELS_FILE", overridePath); err != nil {
-		return nil, fmt.Errorf("failed to set pod labels override env: %w", err)
-	}
-
 	if err := ensureAdmissionRegistration(ctx, clients.K8sClient, k8stypes.NamespacedName{
 		Namespace: controllerNamespace,
 		Name:      "gateway-operator-webhook-service",
@@ -166,14 +134,14 @@ func SetupNetworkIntercepts(ctx context.Context, clients testutils.K8sClients) (
 			fmt.Printf("WARN: failed to delete intercept service %s/%s: %v\n", controllerNamespace, telepresenceInterceptDeploymentName, err)
 		}
 
-		if err := os.Remove(envFilePath); err != nil && !os.IsNotExist(err) {
-			fmt.Printf("WARN: failed to remove telepresence env file %q: %v\n", envFilePath, err)
-		}
-		if labelOverridePath != "" {
-			if err := os.Remove(labelOverridePath); err != nil && !os.IsNotExist(err) {
-				fmt.Printf("WARN: failed to remove pod labels override file %q: %v\n", labelOverridePath, err)
-			}
-		}
+		// if err := os.Remove(envFilePath); err != nil && !os.IsNotExist(err) {
+		// 	fmt.Printf("WARN: failed to remove telepresence env file %q: %v\n", envFilePath, err)
+		// }
+		// if labelOverridePath != "" {
+		// 	if err := os.Remove(labelOverridePath); err != nil && !os.IsNotExist(err) {
+		// 		fmt.Printf("WARN: failed to remove pod labels override file %q: %v\n", labelOverridePath, err)
+		// 	}
+		// }
 	}
 
 	return cleanup, nil
@@ -205,10 +173,11 @@ func ensureInterceptDeployment(ctx context.Context, clients testutils.K8sClients
 				ObjectMeta: metav1.ObjectMeta{
 					Labels: labels,
 					Annotations: map[string]string{
-						"telepresence.getambassador.io/inject-traffic-agent": "enabled",
+						"telepresence.io/inject-traffic-agent": "enabled",
 					},
 				},
 				Spec: corev1.PodSpec{
+					PriorityClassName: "system-cluster-critical",
 					Containers: []corev1.Container{
 						{
 							Name:  "identity",

test/integration/helpers/network_intercept.go

@@ -54,39 +54,46 @@ func SetupTelepresence(ctx context.Context) (func(), error) {
 	}
 
 	fmt.Println("INFO: installing telepresence traffic manager in the cluster")
-	telepresenceExec, err := resolveTelepresenceExecutable()
+	telepresenceExecutable, err := resolveTelepresenceExecutable()
 	if err != nil {
 		return nil, err
 	}
-	fmt.Printf("INFO: using telepresence binary at %s\n", telepresenceExec)
 
-	// Ensure any stale daemons are terminated so that binary and daemon versions match.
-	if out, err := exec.CommandContext(ctx, telepresenceExec, "quit", "-s").CombinedOutput(); err != nil && len(out) > 0 {
-		fmt.Printf("WARN: telepresence quit -s reported: %s\n", string(out))
-	}
+	// Set pod labels on traffic-manager to match the labels expected by NetworkPolicy.
+	// This allows traffic from the local test process (via telepresence) to be allowed
+	// by the DataPlane's NetworkPolicy which restricts admin API access.
+	// NOTE: We use "app.kubernetes.io/name" instead of "app" because "app" conflicts
+	// with telepresence's deployment selector.
+	// NOTE: We install traffic-manager in kong-system namespace to match the NetworkPolicy
+	// rules which only allow traffic from kong-system namespace.
+	fmt.Printf("INFO: path to telepresence is %s\n", telepresenceExecutable)
 
-	out, err := exec.CommandContext(ctx, telepresenceExec, "helm", "install").CombinedOutput()
+	// Set pod labels on traffic-manager to match the labels expected by NetworkPolicy.
+	// This allows traffic from the local test process (via telepresence) to be allowed
+	// by the DataPlane's NetworkPolicy which restricts admin API access.
+	// NOTE: We use "app.kubernetes.io/name" instead of "app" because "app" conflicts
+	// with telepresence's deployment selector.
+	// NOTE: We install traffic-manager in kong-system namespace to match the NetworkPolicy
+	// rules which only allow traffic from kong-system namespace.
+	// See: https://github.com/Kong/kong-operator/issues/2074
+	commonHelmFlags := []string{
+		"--manager-namespace", "kong-system",
+		"--set", "podLabels.app\\.kubernetes\\.io/name=kong-operator",
+	}
+	helmInstallArgs := append([]string{"helm", "install"}, commonHelmFlags...)
+	out, err := exec.CommandContext(ctx, telepresenceExecutable, helmInstallArgs...).CombinedOutput()
 	if err != nil && bytes.Contains(out, []byte("use 'telepresence helm upgrade' instead to replace it")) {
-		if out, err := exec.CommandContext(ctx, telepresenceExec, "helm", "upgrade").CombinedOutput(); err != nil {
+		helmUpgradeArgs := append([]string{"helm", "upgrade"}, commonHelmFlags...)
+		if out, err := exec.CommandContext(ctx, telepresenceExecutable, helmUpgradeArgs...).CombinedOutput(); err != nil {
 			return nil, fmt.Errorf("failed to upgrade telepresence traffic manager: %w, %s", err, string(out))
 		}
 	} else if err != nil {
 		return nil, fmt.Errorf("failed to install telepresence traffic manager: %w, %s", err, string(out))
 	}
 
-	fmt.Println("INFO: connecting to the cluster with telepresence")
-	connectArgs := []string{"connect"}
-	if ns := os.Getenv("POD_NAMESPACE"); ns != "" {
-		connectArgs = append(connectArgs, "--namespace", ns)
-	}
-	out, err = exec.CommandContext(ctx, telepresenceExec, connectArgs...).CombinedOutput()
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to the cluster with telepresence: %w, %s", err, string(out))
-	}
-
 	return func() {
 		fmt.Println("INFO: quitting telepresence daemons")
-		out, err := exec.CommandContext(ctx, telepresenceExec, "quit").CombinedOutput()
+		out, err := exec.CommandContext(ctx, telepresenceExecutable, "quit").CombinedOutput()
 		if err != nil {
 			fmt.Printf("ERROR: failed to quit telepresence daemons: %s\n", string(out))
 		}