Fix invalid fields copied to NGINX init container (#4627)

* Create nginx instrumentation container from scratch instead of cloning

Build container spec from scratch (as in other instrumentations).
Prevents passing through config that is disallowed
in `initContainers` such as `resizePolicy`

* Amend unit test ensuring incomptatible fields are not copied to init container

* Add changelog entry

* Create apachehttpd instrumentation container from scratch instead of cloning

* Update changelog to mention apache changes

Author: ozzywalsh

.chloggen/fix_nginx-init-container-from-scratch.yaml

@@ -0,0 +1,17 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern
+component: auto-instrumentation
+
+# A brief description of the change.
+note: "Fix NGINX and Apache instrumentation init container creation to avoid copying init-container-incompatible fields."
+
+# One or more tracking issues related to the change
+issues: [3729]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+subtext: |
+  The NGINX and Apache instrumentation init containers are now created from scratch instead of 
+  cloning the main container, preventing probes, lifecycle hooks, and resize policies from being 
+  applied to init containers.

internal/instrumentation/apachehttpd.go

@@ -68,25 +68,23 @@ func injectApacheHttpdagent(_ logr.Logger, apacheSpec v1alpha1.ApacheHttpd, pod
 
 		apacheConfDir := getApacheConfDir(apacheSpec.ConfigPath)
 
-		cloneContainer := container.DeepCopy()
-		cloneContainer.Name = apacheAgentCloneContainerName
-		cloneContainer.Command = []string{"/bin/sh", "-c"}
-		cloneContainer.Args = []string{"cp -r " + apacheConfDir + "/* " + apacheAgentConfDirFull}
-		cloneContainer.VolumeMounts = append(cloneContainer.VolumeMounts, corev1.VolumeMount{
-			Name:      apacheAgentConfigVolume,
-			MountPath: apacheAgentConfDirFull,
-		})
-		// remove resource requirements since those are then reserved for the lifetime of a pod
-		// and we definitely do not need them for the init container for cp command
-		cloneContainer.Resources = apacheSpec.Resources
-		// remove livenessProbe, readinessProbe, and startupProbe, since not supported on init containers
-		cloneContainer.LivenessProbe = nil
-		cloneContainer.ReadinessProbe = nil
-		cloneContainer.StartupProbe = nil
-		// remove lifecycle, since not supported on init containers
-		cloneContainer.Lifecycle = nil
+		cloneContainer := corev1.Container{
+			Name:    apacheAgentCloneContainerName,
+			Image:   container.Image,
+			Command: []string{"/bin/sh", "-c"},
+			Args:    []string{"cp -r " + apacheConfDir + "/* " + apacheAgentConfDirFull},
+			Env:     container.Env,
+			EnvFrom: container.EnvFrom,
+			VolumeMounts: append(container.VolumeMounts, corev1.VolumeMount{
+				Name:      apacheAgentConfigVolume,
+				MountPath: apacheAgentConfDirFull,
+			}),
+			Resources:       apacheSpec.Resources,
+			SecurityContext: container.SecurityContext,
+			ImagePullPolicy: container.ImagePullPolicy,
+		}
 
-		pod.Spec.InitContainers = append(pod.Spec.InitContainers, *cloneContainer)
+		pod.Spec.InitContainers = append(pod.Spec.InitContainers, cloneContainer)
 
 		// drop volume mount with volume-provided Apache config from original container
 		// since it could over-write configuration provided by the injection

internal/instrumentation/apachehttpd_test.go

@@ -206,7 +206,7 @@ func TestInjectApacheHttpdagent(t *testing.T) {
 		},
 		// === Test Removal of probes and lifecycle =============================
 		{
-			name:        "Probes removed on clone init container",
+			name:        "Init-container-incompatible fields not copied",
 			ApacheHttpd: v1alpha1.ApacheHttpd{Image: "foo/bar:1"},
 			pod: corev1.Pod{
 				Spec: corev1.PodSpec{
@@ -216,6 +216,10 @@ func TestInjectApacheHttpdagent(t *testing.T) {
 							StartupProbe:   &corev1.Probe{},
 							LivenessProbe:  &corev1.Probe{},
 							Lifecycle:      &corev1.Lifecycle{},
+							ResizePolicy: []corev1.ContainerResizePolicy{
+								{ResourceName: corev1.ResourceCPU, RestartPolicy: corev1.NotRequired},
+								{ResourceName: corev1.ResourceMemory, RestartPolicy: corev1.NotRequired},
+							},
 						},
 					},
 				},
@@ -298,6 +302,10 @@ func TestInjectApacheHttpdagent(t *testing.T) {
 							StartupProbe:   &corev1.Probe{},
 							LivenessProbe:  &corev1.Probe{},
 							Lifecycle:      &corev1.Lifecycle{},
+							ResizePolicy: []corev1.ContainerResizePolicy{
+								{ResourceName: corev1.ResourceCPU, RestartPolicy: corev1.NotRequired},
+								{ResourceName: corev1.ResourceMemory, RestartPolicy: corev1.NotRequired},
+							},
 						},
 					},
 				},

internal/instrumentation/nginx.go

@@ -85,25 +85,23 @@ export %[4]s="$( { nginx -v ; } 2>&1 )" && echo ${%[4]s##*/} > %[3]s/version.txt
 			nginxVersionEnvVar,
 		)
 
-		cloneContainer := container.DeepCopy()
-		cloneContainer.Name = nginxAgentCloneContainerName
-		cloneContainer.Command = []string{"/bin/sh", "-c"}
-		cloneContainer.Args = []string{nginxAgentCommands}
-		cloneContainer.VolumeMounts = append(cloneContainer.VolumeMounts, corev1.VolumeMount{
-			Name:      nginxAgentConfigVolume,
-			MountPath: nginxAgentConfDirFull,
-		})
-		// remove resource requirements since those are then reserved for the lifetime of a pod
-		// and we definitely do not need them for the init container for cp command
-		cloneContainer.Resources = nginxSpec.Resources
-		// remove livenessProbe, readinessProbe, and startupProbe, since not supported on init containers
-		cloneContainer.LivenessProbe = nil
-		cloneContainer.ReadinessProbe = nil
-		cloneContainer.StartupProbe = nil
-		// remove lifecycle, since not supported on init containers
-		cloneContainer.Lifecycle = nil
-
-		pod.Spec.InitContainers = append(pod.Spec.InitContainers, *cloneContainer)
+		cloneContainer := corev1.Container{
+			Name:    nginxAgentCloneContainerName,
+			Image:   container.Image,
+			Command: []string{"/bin/sh", "-c"},
+			Args:    []string{nginxAgentCommands},
+			Env:     container.Env,
+			EnvFrom: container.EnvFrom,
+			VolumeMounts: append(container.VolumeMounts, corev1.VolumeMount{
+				Name:      nginxAgentConfigVolume,
+				MountPath: nginxAgentConfDirFull,
+			}),
+			Resources:       nginxSpec.Resources,
+			SecurityContext: container.SecurityContext,
+			ImagePullPolicy: container.ImagePullPolicy,
+		}
+
+		pod.Spec.InitContainers = append(pod.Spec.InitContainers, cloneContainer)
 
 		// drop volume mount with volume-provided Nginx config from original container
 		// since it could over-write configuration provided by the injection

internal/instrumentation/nginx_test.go

@@ -240,9 +240,9 @@ func TestInjectNginxSDK(t *testing.T) {
 					},
 				},
 			}},
-		// === Test Removal of probes and lifecycle =============================
+		// === Test init-container-incompatible fields not copied =============================
 		{
-			name: "Probes removed on clone init container",
+			name: "Init-container-incompatible fields not copied",
 			Nginx: v1alpha1.Nginx{
 				Image: "foo/bar:1",
 			},
@@ -257,6 +257,10 @@ func TestInjectNginxSDK(t *testing.T) {
 							StartupProbe:   &corev1.Probe{},
 							LivenessProbe:  &corev1.Probe{},
 							Lifecycle:      &corev1.Lifecycle{},
+							ResizePolicy: []corev1.ContainerResizePolicy{
+								{ResourceName: corev1.ResourceCPU, RestartPolicy: corev1.NotRequired},
+								{ResourceName: corev1.ResourceMemory, RestartPolicy: corev1.NotRequired},
+							},
 						},
 					},
 				},
@@ -342,6 +346,10 @@ func TestInjectNginxSDK(t *testing.T) {
 							StartupProbe:   &corev1.Probe{},
 							LivenessProbe:  &corev1.Probe{},
 							Lifecycle:      &corev1.Lifecycle{},
+							ResizePolicy: []corev1.ContainerResizePolicy{
+								{ResourceName: corev1.ResourceCPU, RestartPolicy: corev1.NotRequired},
+								{ResourceName: corev1.ResourceMemory, RestartPolicy: corev1.NotRequired},
+							},
 							Env: []corev1.EnvVar{
 								{
 									Name:  "LD_LIBRARY_PATH",