Do not inject sidecars if only job and secrets modes are enabled and secrets type is "static" (#45)

Author: asaintsever

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog for Vault Sidecar Injector
 
+## Release v7.1.1 - 2021-04-02
+
+**Fixed**
+
+- [VSI #45](https://github.com/Talend/vault-sidecar-injector/pull/45) - Do not inject sidecars if only job and secrets modes are enabled and secrets type is "static"
+
 ## Release v7.1.0 - 2021-02-09
 
 A new `sidecar.vault.talend.org/vault-image` annotation has been added to override the default injected image. Refer to the [samples](samples) for a [working example](samples/app-dep-10-secrets_custom_image_notify.yaml).

VERSION_CHART

@@ -1 +1 @@
-4.2.0
+4.2.1

VERSION_RELEASE

@@ -1 +1 @@
-7.1.0
+7.1.1

VERSION_VSI

@@ -1 +1 @@
-7.1.0
+7.1.1

doc/Usage.md

@@ -113,7 +113,7 @@ Depending on the modes you decide to enable and whether you opt for static or dy
     <td align="center">X</td><td/><td/><td/><td align="center" bgcolor="grey">X</td><td bgcolor="grey"/>
   </tr>
   <tr>
-    <td align="center">X</td><td/><td/><td align="center">X<b><i>¹</i></b></td><td align="center" bgcolor="grey">X (secrets)</td><td align="center" bgcolor="grey">X (job)</td>
+    <td align="center">X</td><td/><td/><td align="center">X<b><i>¹</i></b></td><td align="center" bgcolor="grey">X (secrets)</td><td align="center" bgcolor="grey"/>
   </tr>
   <tr>
     <td/><td align="center">X</td><td/><td/><td bgcolor="grey"/><td align="center" bgcolor="grey">X</td>
@@ -141,6 +141,6 @@ Depending on the modes you decide to enable and whether you opt for static or dy
   </tr>
 </table>
 
-> **[1]** *on job mode:* if you only set mode annotation's value to "job", `secrets` mode will be enabled automatically and configured to handle dynamic secrets (unless you set `sidecar.vault.talend.org/secrets-type` to "static" but note that in this situation, there is no need, although we do not prevent it, to enable job mode as no Vault Agent will be injected as sidecar).
+> **[1]** *on job mode:* if you only set mode annotation's value to "job", `secrets` mode will be enabled automatically and configured to handle dynamic secrets (unless you set `sidecar.vault.talend.org/secrets-type` to "static" but note that in this situation, there is no need, although we do not prevent it, to enable job mode explicitly as no sidecar will be injected).
 
-> **[2]** *on number of injected sidecars:* for Kubernetes **Deployment** workloads, **only one sidecar container** is added to your pod to handle dynamic secrets and/or proxy. For Kubernetes **Job** workloads, **two sidecars** are injected to achieve the same tasks.
+> **[2]** *on number of injected sidecars:* for Kubernetes **Deployment** workloads, **only one sidecar container** is added to your pod to handle dynamic secrets and/or proxy. For Kubernetes **Job** workloads, **two sidecars** are injected to achieve the same tasks (or 0 in case you only enable job mode with static secrets).

doc/announcements/Static-vs-Dynamic-Secrets.md

@@ -6,7 +6,7 @@ Available with `Vault Sidecar Injector` version **`6.0.0`**, *static secrets* su
 
 A new annotation, `sidecar.vault.talend.org/secrets-type`, is supported to explicitly define what kind of secrets you intend to fetch, default being *dynamic secrets*.
 
-When *static secrets* are set, `Vault Sidecar Injector` will only inject an init container in your workload's pod. Fetched secrets will be stored in a file in a shared memory volume, the same way it is already done for *dynamic secrets*. As a result, if you do not enable other modes (e.g. *proxy*, *job*) no sidecar will be added. It also means that you don't have to leverage hooks or wait for the injected Vault Agent to fetch your secrets: your workload can access the values right after its container is started. The drawback of course is that your secrets **will not be automatically refreshed upon changes**, opt for *dynamic secrets* if this behavior is required.
+When *static secrets* are set, `Vault Sidecar Injector` will only inject an init container in your workload's pod. Fetched secrets will be stored in a file in a shared memory volume, the same way it is already done for *dynamic secrets*. As a result, if you do not enable other modes (e.g. *proxy*) no sidecar will be added (Note that enabling *job* mode with static secrets will not incur any sidecar injection either). It also means that you don't have to leverage hooks or wait for the injected Vault Agent to fetch your secrets: your workload can access the values right after its container is started. The drawback of course is that your secrets **will not be automatically refreshed upon changes**, opt for *dynamic secrets* if this behavior is required.
 
 If you enable several modes, you may end up with both init container and sidecar(s) in your workload. A comprehensive table is provided in the main documention in section [Modes and Injection Config Overview](../Usage.md#modes-and-injection-config-overview).
 

pkg/mode/constants.go

@@ -0,0 +1,22 @@
+// Copyright © 2019-2021 Talend - www.talend.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mode
+
+const (
+	//--- Vault Sidecar Injector supported modes
+	VaultInjectorModeSecrets = "secrets" // Enable fetching of secrets from Vault store
+	VaultInjectorModeProxy   = "proxy"   // Enable local Vault proxy
+	VaultInjectorModeJob     = "job"     // Enable handling of Kubernetes Job
+)

pkg/mode/job/constants.go

@@ -25,8 +25,3 @@ const (
 	jobContainerNameEnv = "VSI_JOB_CNT_NAME" // Env var for name of the app job's container
 	jobWorkloadEnv      = "VSI_JOB_WORKLOAD" // Env var set to "true" if submitted workload is a k8s job
 )
-
-const (
-	//--- Vault Sidecar Injector supported modes
-	VaultInjectorModeJob = "job" // Enable handling of Kubernetes Job
-)

pkg/mode/job/job-func-inject.go

@@ -1,4 +1,4 @@
-// Copyright © 2019-2020 Talend - www.talend.com
+// Copyright © 2019-2021 Talend - www.talend.com
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@ package job
 import (
 	"errors"
 	ctx "talend/vault-sidecar-injector/pkg/context"
+	m "talend/vault-sidecar-injector/pkg/mode"
+	"talend/vault-sidecar-injector/pkg/mode/secrets"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/klog"
@@ -25,13 +27,21 @@ import (
 func jobModeInject(containerBasePath string, podContainers []corev1.Container, containerName string, env []corev1.EnvVar, context *ctx.InjectionContext) (bool, error) {
 	if (containerBasePath == ctx.JsonPathContainers) && (len(podContainers) != 1) {
 		err := errors.New("Submitted pod should contain only one container")
-		klog.Errorf("[%s] %s", VaultInjectorModeJob, err.Error())
+		klog.Errorf("[%s] %s", m.VaultInjectorModeJob, err.Error())
 		return false, err
 	}
 
+	// If static secrets and job (+ secrets as it'll be enabled also) are the only enabled modes then do not inject job containers as sidecars (no need for job babysitter nor Vault Agent)
+	if (containerBasePath == ctx.JsonPathContainers) &&
+		m.IsEnabledModes(context.ModesStatus, []string{m.VaultInjectorModeSecrets, m.VaultInjectorModeJob}) &&
+		secrets.IsSecretsStatic(context) {
+		klog.Infof("[%s] Static secrets in use and only enabled modes are '%s' and '%s': skip injecting job container %s (path: %s)", m.VaultInjectorModeJob, m.VaultInjectorModeJob, m.VaultInjectorModeSecrets, containerName, containerBasePath)
+		return false, nil
+	}
+
 	for _, cntName := range jobContainerNames[containerBasePath] {
 		if cntName == containerName {
-			klog.Infof("[%s] Injecting container %s (path: %s)", VaultInjectorModeJob, containerName, containerBasePath)
+			klog.Infof("[%s] Injecting container %s (path: %s)", m.VaultInjectorModeJob, containerName, containerBasePath)
 
 			// Resolve job env vars
 			for envIdx := range env {

pkg/mode/job/job.go

@@ -1,4 +1,4 @@
-// Copyright © 2019-2020 Talend - www.talend.com
+// Copyright © 2019-2021 Talend - www.talend.com
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@ func init() {
 	// Register mode
 	m.RegisterMode(
 		m.VaultInjectorModeInfo{
-			Key:                 VaultInjectorModeJob,
+			Key:                 m.VaultInjectorModeJob,
 			DefaultMode:         false,
 			EnableDefaultMode:   true, // Default mode will also be enabled if job is **the only mode on** (as it does not make sense to have only this mode)
 			InjectContainerFunc: jobModeInject,