CHAOS-188: Consolidate to a single "Chaos namespace" for both injecto…

…r and controller (#452)

* consolidate namespaces

* change docs

api/disruption_kind.go

@@ -21,21 +21,21 @@ type DisruptionKind interface {
 }
 
 type DisruptionArgs struct {
-	AllowedHosts                    []string
-	TargetContainerIDs              []string
-	Level                           chaostypes.DisruptionLevel
-	Kind                            chaostypes.DisruptionKindName
-	TargetPodIP                     string
-	MetricsSink                     string
-	DisruptionName                  string
-	DisruptionNamespace             string
-	TargetName                      string
-	TargetNodeName                  string
-	DNSServer                       string
-	KubeDNS                         string
-	InjectorServiceAccountNamespace string
-	DryRun                          bool
-	OnInit                          bool
+	AllowedHosts        []string
+	TargetContainerIDs  []string
+	Level               chaostypes.DisruptionLevel
+	Kind                chaostypes.DisruptionKindName
+	TargetPodIP         string
+	MetricsSink         string
+	DisruptionName      string
+	DisruptionNamespace string
+	TargetName          string
+	TargetNodeName      string
+	DNSServer           string
+	KubeDNS             string
+	ChaosNamespace      string
+	DryRun              bool
+	OnInit              bool
 }
 
 // AppendArgs is a helper function generating common and global args and appending them to the given args array
@@ -46,7 +46,7 @@ func AppendArgs(args []string, xargs DisruptionArgs) []string {
 		"--level", string(xargs.Level),
 		"--target-container-ids", strings.Join(xargs.TargetContainerIDs, ","),
 		"--target-pod-ip", xargs.TargetPodIP,
-		"--chaos-namespace", xargs.InjectorServiceAccountNamespace,
+		"--chaos-namespace", xargs.ChaosNamespace,
 
 		// log context args
 		"--log-context-disruption-name", xargs.DisruptionName,

chart/templates/configmap.yaml

@@ -43,9 +43,8 @@ data:
         {{ $key }}: {{ $val | quote }}
         {{- end }}
       {{- end }}
-      serviceAccount:
-        name: {{ .Values.injector.serviceAccount | quote }}
-        namespace: {{ .Values.injector.serviceAccountNamespace | quote }}
+      serviceAccount: {{ .Values.injector.serviceAccount | quote }}
+      chaosNamespace: {{ .Values.injector.chaosNamespace | quote }}
       dnsDisruption:
         dnsServer: {{ .Values.injector.dnsDisruption.dnsServer | quote }}
         kubeDns: {{ .Values.injector.dnsDisruption.kubeDns | quote }}

chart/templates/sa.yaml

@@ -12,4 +12,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.injector.serviceAccount }}
-  namespace: {{ .Values.injector.serviceAccountNamespace }}
+  namespace: {{ .Values.injector.chaosNamespace }}

chart/values.yaml

@@ -33,7 +33,7 @@ controller:
 injector:
   annotations: {} # extra annotations passed to the chaos injector pods
   serviceAccount: chaos-injector # service account to use for the chaos injector pods
-  serviceAccountNamespace: chaos-engineering # namespace where the service account can be found (NOTE: changing this will change the namespace in which the chaos pods are created)
+  chaosNamespace: chaos-engineering # namespace where the service account can be found (NOTE: changing this will change the namespace in which the chaos pods are created)
   dnsDisruption: # dns disruption configuration
     dnsServer: "8.8.8.8" # IP address of the upstream dns server
     kubeDns: "off" # whether to use kube-dns for DNS resolution (off, internal, all)

controllers/disruption_controller.go

@@ -53,7 +53,7 @@ type DisruptionReconciler struct {
 	InjectorImage                         string
 	ImagePullSecrets                      string
 	log                                   *zap.SugaredLogger
-	InjectorServiceAccountNamespace       string
+	ChaosNamespace                        string
 	InjectorDNSDisruptionDNSServer        string
 	InjectorDNSDisruptionKubeDNS          string
 	InjectorNetworkDisruptionAllowedHosts []string
@@ -725,7 +725,7 @@ func (r *DisruptionReconciler) getChaosPods(instance *chaosv1beta1.Disruption, l
 
 	// list pods in the defined namespace and for the given target
 	listOptions := &client.ListOptions{
-		Namespace:     r.InjectorServiceAccountNamespace,
+		Namespace:     r.ChaosNamespace,
 		LabelSelector: labels.SelectorFromValidatedSet(ls),
 	}
 
@@ -937,7 +937,7 @@ func (r *DisruptionReconciler) generatePod(instance *chaosv1beta1.Disruption, ta
 	pod := corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: fmt.Sprintf("chaos-%s-", instance.Name), // generate the pod name automatically with a prefix
-			Namespace:    r.InjectorServiceAccountNamespace,       // chaos pods need to be in the same namespace as their service account to run
+			Namespace:    r.ChaosNamespace,                        // chaos pods need to be in the same namespace as their service account to run
 			Annotations:  r.InjectorAnnotations,                   // add extra annotations passed to the controller
 			Labels: map[string]string{
 				chaostypes.TargetLabel:              targetName,         // target name label
@@ -994,21 +994,21 @@ func (r *DisruptionReconciler) generateChaosPods(instance *chaosv1beta1.Disrupti
 		}
 
 		xargs := chaosapi.DisruptionArgs{
-			Level:                           level,
-			Kind:                            kind,
-			TargetContainerIDs:              targetContainerIDs,
-			TargetName:                      targetName,
-			TargetNodeName:                  targetNodeName,
-			TargetPodIP:                     targetPodIP,
-			DryRun:                          instance.Spec.DryRun,
-			DisruptionName:                  instance.Name,
-			DisruptionNamespace:             instance.Namespace,
-			OnInit:                          instance.Spec.OnInit,
-			MetricsSink:                     r.MetricsSink.GetSinkName(),
-			AllowedHosts:                    r.InjectorNetworkDisruptionAllowedHosts,
-			DNSServer:                       r.InjectorDNSDisruptionDNSServer,
-			KubeDNS:                         r.InjectorDNSDisruptionKubeDNS,
-			InjectorServiceAccountNamespace: r.InjectorServiceAccountNamespace,
+			Level:               level,
+			Kind:                kind,
+			TargetContainerIDs:  targetContainerIDs,
+			TargetName:          targetName,
+			TargetNodeName:      targetNodeName,
+			TargetPodIP:         targetPodIP,
+			DryRun:              instance.Spec.DryRun,
+			DisruptionName:      instance.Name,
+			DisruptionNamespace: instance.Namespace,
+			OnInit:              instance.Spec.OnInit,
+			MetricsSink:         r.MetricsSink.GetSinkName(),
+			AllowedHosts:        r.InjectorNetworkDisruptionAllowedHosts,
+			DNSServer:           r.InjectorDNSDisruptionDNSServer,
+			KubeDNS:             r.InjectorDNSDisruptionKubeDNS,
+			ChaosNamespace:      r.ChaosNamespace,
 		}
 
 		// generate args for pod

docs/faq.md

@@ -3,7 +3,7 @@
 ## Where can I find the chaos pods for my disruption?
 
 In order to ensure that chaos pods have access to the ClusterRole they need, all chaos pods are created in the same namespace as the `chaos-injector`
- service account. This is configured with a flag when starting the chaos-controller. By default, this is the "chaos-engineering" namespace.
+ service account. This is configured with the `--chaos-namespace` flag when starting the chaos-controller, or by setting `injector.chaosNamespace` in the controller's config map. By default, this is the "chaos-engineering" namespace.
 
 ## Is there any specific tooling that can help me create/understand my disruptions?
 
@@ -23,7 +23,7 @@ A disruption has an `Injection Status` field in its status that you can see by d
 
 ## How can I debug a disruption?
 
-Applying a disruption creates a bunch of pods to inject and clean it. Those are typically created in the same namespace as the chaos-controller. You can look at the logs of those pods to understand what happened.
+Applying a disruption creates a bunch of pods to inject and clean it. Those must be in the same namespace as the chaos-controller. You can look at the logs of those pods to understand what happened.
 
 ```sh
 kubectl -n <NAMESPACE> get pods -l chaos.datadoghq.com/disruption-name=<DISRUPTION_NAME> -l chaos.datadoghq.com/disruption-namespace=<DISRUPTION_NAMESPACE>

main.go

@@ -87,16 +87,12 @@ type controllerWebhookConfig struct {
 type injectorConfig struct {
 	Image             string                          `json:"image"`
 	Annotations       map[string]string               `json:"annotations"`
-	ServiceAccount    injectorServiceAccountConfig    `json:"serviceAccount"`
+	ChaosNamespace    string                          `json:"namespace"`
+	ServiceAccount    string                          `json:"serviceAccount"`
 	DNSDisruption     injectorDNSDisruptionConfig     `json:"dnsDisruption"`
 	NetworkDisruption injectorNetworkDisruptionConfig `json:"networkDisruption"`
 }
 
-type injectorServiceAccountConfig struct {
-	Name      string `json:"name"`
-	Namespace string `json:"namespace"`
-}
-
 type injectorDNSDisruptionConfig struct {
 	DNSServer string `json:"dnsServer"`
 	KubeDNS   string `json:"kubeDns"`
@@ -161,11 +157,11 @@ func main() {
 	pflag.StringToStringVar(&cfg.Injector.Annotations, "injector-annotations", map[string]string{}, "Annotations added to the generated injector pods")
 	handleFatalError(viper.BindPFlag("injector.annotations", pflag.Lookup("injector-annotations")))
 
-	pflag.StringVar(&cfg.Injector.ServiceAccount.Name, "injector-service-account", "chaos-injector", "Service account to use for the generated injector pods")
+	pflag.StringVar(&cfg.Injector.ServiceAccount, "injector-service-account", "chaos-injector", "Service account to use for the generated injector pods")
 	handleFatalError(viper.BindPFlag("injector.serviceAccount.name", pflag.Lookup("injector-service-account")))
 
-	pflag.StringVar(&cfg.Injector.ServiceAccount.Namespace, "injector-service-account-namespace", "chaos-engineering", "Namespace of the service account to use for the generated injector pods. Should also host the controller.")
-	handleFatalError(viper.BindPFlag("injector.serviceAccount.namespace", pflag.Lookup("injector-service-account-namespace")))
+	pflag.StringVar(&cfg.Injector.ChaosNamespace, "chaos-namespace", "chaos-engineering", "Namespace of the service account to use for the generated injector pods. Must also host the controller.")
+	handleFatalError(viper.BindPFlag("injector.chaosNamespace", pflag.Lookup("chaos-namespace")))
 
 	pflag.StringVar(&cfg.Injector.Image, "injector-image", "chaos-injector", "Image to pull for the injector pods")
 	handleFatalError(viper.BindPFlag("injector.image", pflag.Lookup("injector-image")))
@@ -286,9 +282,9 @@ func main() {
 		MetricsSink:                           ms,
 		TargetSelector:                        targetSelector,
 		InjectorAnnotations:                   cfg.Injector.Annotations,
-		InjectorServiceAccount:                cfg.Injector.ServiceAccount.Name,
+		InjectorServiceAccount:                cfg.Injector.ServiceAccount,
 		InjectorImage:                         cfg.Injector.Image,
-		InjectorServiceAccountNamespace:       cfg.Injector.ServiceAccount.Namespace,
+		ChaosNamespace:                        cfg.Injector.ChaosNamespace,
 		InjectorDNSDisruptionDNSServer:        cfg.Injector.DNSDisruption.DNSServer,
 		InjectorDNSDisruptionKubeDNS:          cfg.Injector.DNSDisruption.KubeDNS,
 		InjectorNetworkDisruptionAllowedHosts: cfg.Injector.NetworkDisruption.AllowedHosts,
@@ -297,7 +293,7 @@ func main() {
 	}
 
 	informerClient := kubernetes.NewForConfigOrDie(ctrl.GetConfigOrDie())
-	kubeInformerFactory := kubeinformers.NewSharedInformerFactoryWithOptions(informerClient, time.Minute*5, kubeinformers.WithNamespace(cfg.Injector.ServiceAccount.Namespace))
+	kubeInformerFactory := kubeinformers.NewSharedInformerFactoryWithOptions(informerClient, time.Minute*5, kubeinformers.WithNamespace(cfg.Injector.ChaosNamespace))
 
 	if err := r.SetupWithManager(mgr, kubeInformerFactory); err != nil {
 		logger.Errorw("unable to create controller", "controller", "Disruption", "error", err)