account for terminating sidecar

defenseunicorns · Nov 6, 2024 · fdb9303 · fdb9303
1 parent f399681
commit fdb9303
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 67 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -29,7 +29,7 @@
     "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'"
   },
   "dependencies": {
-    "pepr": "0.38.3"
+    "pepr": "0.37.2"
   },
   "devDependencies": {
     "@jest/globals": "29.7.0",

diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts
@@ -50,16 +50,22 @@ When(a.Pod)
         log.error(pod, `Invalid container status in Pod`);
         return;
       }
-      const shouldTerminate = pod.status.containerStatuses
-        // Ignore the istio-proxy container
-        .filter(c => c.name != "istio-proxy")
-        // and if ALL are terminated AND restartPolicy is Never or is OnFailure with a 0 exit code then shouldTerminate is true
-        .every(
-          c =>
-            c.state?.terminated &&
-            (pod.spec?.restartPolicy == "Never" ||
-              (pod.spec?.restartPolicy == "OnFailure" && c.state.terminated.exitCode == 0)),
+
+      // if ALL (non istio-proxy) are terminated AND restartPolicy is Never
+      // or is OnFailure with a 0 exit code
+      // and istio-proxy is not already terminated then shouldTerminate is true
+      const shouldTerminate = pod.status.containerStatuses.every(c => {
+        // handle scenario where proxy was already terminated
+        if (c.name == "istio-proxy") {
+          return c.state?.terminated == undefined;
+        }
+
+        return (
+          c.state?.terminated &&
+          (pod.spec?.restartPolicy == "Never" ||
+            (pod.spec?.restartPolicy == "OnFailure" && c.state.terminated.exitCode == 0))
         );
+      });
 
       if (shouldTerminate) {
         // Mark the pod as seen

diff --git a/src/pepr/policies/index.ts b/src/pepr/policies/index.ts
@@ -40,7 +40,6 @@ export async function startExemptionWatch() {
       relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS
         ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10)
         : 1800,
-      useHTTP2: process.env.PEPR_HTTP2_WATCH === "true",
     };
     const watcher = K8s(UDSExemption).Watch(async (exemption, phase) => {
       log.debug(`Processing exemption ${exemption.metadata?.name}, watch phase: ${phase}`);