A Mutating Admission Webhook adding an environment variable containing the Node IP to Knative Pods using the Downward API:
spec:
containers:
- env:
- name: DD_AGENT_HOST
valueFrom:
fieldRef:
fieldPath: status.hostIP
Datadog instrumentation library needs to communicate with the Datadog Agent located on the same node, see documentation. Unfortunately, Knative doesn't support the Downward API (yet). Dynamically injecting the environment variable is a workaround.
[Update] Datadog now provides a Webhook doing exactly this: https://docs.datadoghq.com/agent/cluster_agent/admission_controller/
The Webhook intercepts Pod CREATE calls to the Kubernetes API Server and inserts the environment variable in the Pod Spec. This is the easy part and is defined in cmd/webhook/main.go.
Webhooks must expose an HTTPS endpoint, therefore a TLS certificate must be used. Manual provisionning is possible but not recommended. This projects contains different components automating the process:
- pkg/controller/secret/controller.go: a controller ensuring that there is a Kubernetes Secret containing a valid self-signed TLS certficate at all time: creates it if it doesn't exist, refreshes it when it is about to expire, etc...
- pkg/controller/webhook/controller.go: a controller ensuring that there is a
mutatingwebhookconfigurations.admissionregistration.k8s.ioconfigured such that itswebhooks.admissionReviewVersions.clientConfig.caBundlematches the Kubernetes Secret described above. - cmd/webhook/main.go: exposes an HTTPS endpoints with a TLS certificate matching the Kubernetes Secret described above.
Using ko:
ko apply -f config
Everything (except the MutatingWebhookConfiguration which is cluster scoped) is installed under the node-ip-webhook namespace and can be uninstalled via:
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io node-ip-webhook
kubectl delete namespace node-ip-webhook