Auto-detect Istio and don't attempt to create AuthorizationPolicy if …

…Istio is not found (#167)

.github/workflows/netpol-e2e-test.yaml

@@ -27,7 +27,7 @@ env:
 
 jobs:
   e2e-test:
-    timeout-minutes: 5
+    timeout-minutes: 10
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -80,8 +80,9 @@ jobs:
 
       - name: Wait for Otterize
         run: |-
-          kubectl wait pods -n otterize-system -l app=intents-operator --for condition=Ready --timeout=180s
-          kubectl wait pods -n otterize-system -l app=otterize-watcher --for condition=Ready --timeout=180s
+          kubectl wait pods -n otterize-system -l app=intents-operator --for condition=Ready --timeout=360s
+          kubectl wait pods -n otterize-system -l app=otterize-watcher --for condition=Ready --timeout=360s
+
 
       - name: Wait for Tutorial services
         run: |-

src/operator/controllers/intents_reconcilers/istio_policy.go

@@ -3,7 +3,7 @@ package intents_reconcilers
 import (
 	"context"
 	otterizev1alpha2 "github.com/otterize/intents-operator/src/operator/api/v1alpha2"
-	istiopolicy2 "github.com/otterize/intents-operator/src/operator/controllers/istiopolicy"
+	istiopolicy "github.com/otterize/intents-operator/src/operator/controllers/istiopolicy"
 	"github.com/otterize/intents-operator/src/shared/injectablerecorder"
 	"github.com/otterize/intents-operator/src/shared/serviceidresolver"
 	"github.com/sirupsen/logrus"
@@ -29,7 +29,7 @@ type IstioPolicyReconciler struct {
 	enforcementEnabledGlobally bool
 	injectablerecorder.InjectableRecorder
 	serviceIdResolver *serviceidresolver.Resolver
-	policyCreator     *istiopolicy2.Creator
+	policyCreator     *istiopolicy.Creator
 }
 
 func NewIstioPolicyReconciler(
@@ -47,14 +47,23 @@ func NewIstioPolicyReconciler(
 		serviceIdResolver:          serviceidresolver.NewResolver(c),
 	}
 
-	reconciler.policyCreator = istiopolicy2.NewCreator(c, &reconciler.InjectableRecorder, restrictToNamespaces)
+	reconciler.policyCreator = istiopolicy.NewCreator(c, &reconciler.InjectableRecorder, restrictToNamespaces)
 
 	return reconciler
 }
 
 func (r *IstioPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	isIstioInstalled, err := istiopolicy.IsIstioInstalled(ctx, r.Client)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	if !isIstioInstalled {
+		return ctrl.Result{}, nil
+	}
+
 	intents := &otterizev1alpha2.ClientIntents{}
-	err := r.Get(ctx, req.NamespacedName, intents)
+	err = r.Get(ctx, req.NamespacedName, intents)
 	if err != nil {
 		if k8serrors.IsNotFound(err) {
 			return ctrl.Result{}, nil
@@ -115,7 +124,7 @@ func (r *IstioPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 
 	clientServiceAccountName := pod.Spec.ServiceAccountName
-	missingSideCar := !istiopolicy2.IsPodPartOfIstioMesh(pod)
+	missingSideCar := !istiopolicy.IsPodPartOfIstioMesh(pod)
 
 	err = r.policyCreator.UpdateIntentsStatus(ctx, intents, clientServiceAccountName, missingSideCar)
 	if err != nil {
@@ -128,7 +137,7 @@ func (r *IstioPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 
 	if missingSideCar {
-		r.RecordWarningEvent(intents, istiopolicy2.ReasonMissingSidecar, "Client pod missing sidecar, will not create policies")
+		r.RecordWarningEvent(intents, istiopolicy.ReasonMissingSidecar, "Client pod missing sidecar, will not create policies")
 		logrus.Infof("Pod %s/%s does not have a sidecar, skipping Istio policy creation", pod.Namespace, pod.Name)
 		return ctrl.Result{}, nil
 	}
@@ -155,7 +164,7 @@ func (r *IstioPolicyReconciler) updateServerSidecarStatus(ctx context.Context, i
 			return err
 		}
 
-		missingSideCar := !istiopolicy2.IsPodPartOfIstioMesh(pod)
+		missingSideCar := !istiopolicy.IsPodPartOfIstioMesh(pod)
 		formattedTargetServer := otterizev1alpha2.GetFormattedOtterizeIdentity(intent.GetServerName(), serverNamespace)
 		err = r.policyCreator.UpdateServerSidecar(ctx, intents, formattedTargetServer, missingSideCar)
 		if err != nil {

src/operator/controllers/istiopolicy/tools.go

@@ -1,6 +1,16 @@
 package istiopolicy
 
-import corev1 "k8s.io/api/core/v1"
+import (
+	"context"
+	"fmt"
+	"istio.io/client-go/pkg/apis/security/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"strings"
+)
 
 const (
 	IstioProxyContainerName = "istio-proxy"
@@ -14,3 +24,22 @@ func IsPodPartOfIstioMesh(pod corev1.Pod) bool {
 	}
 	return false
 }
+
+func IsIstioInstalled(ctx context.Context, client client.Client) (bool, error) {
+	gvks, _, err := client.Scheme().ObjectKinds(&v1beta1.AuthorizationPolicy{})
+	if err != nil {
+		return false, err
+	}
+	istioCRDName := fmt.Sprintf("%s.%s", strings.ToLower(gvks[0].Kind), gvks[0].Group)
+	crd := apiextensionsv1.CustomResourceDefinition{}
+	err = client.Get(ctx, types.NamespacedName{Name: istioCRDName}, &crd)
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return false, err
+	}
+
+	if k8serrors.IsNotFound(err) {
+		return false, nil
+	}
+
+	return true, nil
+}

src/operator/main.go

@@ -30,6 +30,7 @@ import (
 	"github.com/otterize/intents-operator/src/shared/otterizecloud/otterizecloudclient"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/viper"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -49,6 +50,7 @@ var (
 )
 
 func init() {
+	utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(istiosecurityscheme.AddToScheme(scheme))
 	utilruntime.Must(otterizev1alpha2.AddToScheme(scheme))

src/shared/operatorconfig/config.go

@@ -10,9 +10,9 @@ import (
 
 const (
 	MetricsAddrKey                                     = "metrics-bind-address" // The address the metric endpoint binds to
-	MetricsAddrDefault                                 = ":8080"
+	MetricsAddrDefault                                 = ":8180"
 	ProbeAddrKey                                       = "health-probe-bind-address" // The address the probe endpoint binds to
-	ProbeAddrDefault                                   = ":8081"
+	ProbeAddrDefault                                   = ":8181"
 	EnableLeaderElectionKey                            = "leader-elect" // Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager
 	EnableLeaderElectionDefault                        = false
 	WatchedNamespacesKey                               = "watched-namespaces"    // Namespaces that will be watched by the operator. Specify multiple values by specifying multiple times or separate with commas

src/watcher/reconcilers/pods.go

@@ -80,7 +80,16 @@ func (p *PodWatcher) handleIstioPolicy(ctx context.Context, pod v1.Pod, serviceI
 		return nil
 	}
 
-	err := p.updateServerSideCar(ctx, pod, serviceID)
+	isIstioInstalled, err := istiopolicy.IsIstioInstalled(ctx, p.Client)
+	if err != nil {
+		return err
+	}
+
+	if !isIstioInstalled {
+		return nil
+	}
+
+	err = p.updateServerSideCar(ctx, pod, serviceID)
 	if err != nil {
 		return err
 	}
@@ -248,7 +257,7 @@ func (p *PodWatcher) InitIntentsClientIndices(mgr manager.Manager) error {
 	return nil
 }
 
-func (r *PodWatcher) InitIntentsServerIndices(mgr ctrl.Manager) error {
+func (p *PodWatcher) InitIntentsServerIndices(mgr ctrl.Manager) error {
 	err := mgr.GetCache().IndexField(
 		context.Background(),
 		&otterizev1alpha2.ClientIntents{},