hashicorp · narendrapatel · Sep 6, 2022 · Sep 9, 2022 · Sep 9, 2022 · Dec 5, 2022
@@ -92,6 +92,12 @@ const (
 	AnnotationSidecarProxyMemoryLimit   = "consul.hashicorp.com/sidecar-proxy-memory-limit"
 	AnnotationSidecarProxyMemoryRequest = "consul.hashicorp.com/sidecar-proxy-memory-request"
 
+	// annotation makes sidecar shutdown gracefully.
+	AnnotationSidecarProxyGracefulShutdown = "consul.hashicorp.com/sidecar-proxy-graceful-shutdown"
+
+	// annotation to hold starting of app containers till sidecar proxy is started.
+	AnnotationSidecarProxyHoldApplicationUntilProxyStarts = "consul.hashicorp.com/sidecar-hold-app-until-proxy-starts"
+
 	// annotations for sidecar volumes.
 	AnnotationConsulSidecarUserVolume      = "consul.hashicorp.com/consul-sidecar-user-volume"
 	AnnotationConsulSidecarUserVolumeMount = "consul.hashicorp.com/consul-sidecar-user-volume-mount"

@@ -105,6 +105,20 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 		container.VolumeMounts = append(container.VolumeMounts, volumeMounts...)
 	}
 
+	var lifecycle corev1.Lifecycle
+
+	preStop, err := w.envoySidecarGracefulShutdown(pod)
+	if err == nil && preStop != nil {
+		lifecycle.PreStop = preStop
+	}
+
+	postStart, err := w.envoySidecarHoldApplicationUntilProxyStarts(pod)
+	if err == nil && postStart != nil {
+		lifecycle.PostStart = postStart
+	}
+
+	container.Lifecycle = &lifecycle
+
 	tproxyEnabled, err := common.TransparentProxyEnabled(namespace, pod, w.EnableTransparentProxy)
 	if err != nil {
 		return corev1.Container{}, err
@@ -140,6 +154,54 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 	return container, nil
 }
 
+// Configures graceful shut down for the sidecar.
+func (w *MeshWebhook) envoySidecarGracefulShutdown(pod corev1.Pod) (*corev1.Handler, error) {
+
+	grace, err := strconv.ParseBool(pod.Annotations[constants.AnnotationSidecarProxyGracefulShutdown])
+
+	if err != nil || !grace {
+		return nil, err
+	}
+
+	preStop := &corev1.Handler{
+		Exec: &corev1.ExecAction{
+			Command: []string{
+				"/bin/sh",
+				"-c",
+				"while [ $(netstat -plunt | grep tcp | grep -v envoy | grep -v consul-dataplane | wc -l) -ne 0 ]; do sleep 1; done",
+			},
+		},
+	}
+
+	return preStop, nil
+}
+
+// Ensures that the sidecar is the first container to start up.
+func (w *MeshWebhook) envoySidecarHoldApplicationUntilProxyStarts(pod corev1.Pod) (*corev1.Handler, error) {
+
+	hold, err := strconv.ParseBool(pod.Annotations[constants.AnnotationSidecarProxyHoldApplicationUntilProxyStarts])
+
+	if err != nil || !hold {
+		return nil, err
+	}
+	postStart := &corev1.Handler{
+		Exec: &corev1.ExecAction{
+			Command: []string{
+				"/bin/sh",
+				"-c",
+				`total_time=0; until wget --spider localhost:19000;` +
+					`do echo Waiting for Sidecar;` +
+					`sleep 3; total_time=$(($total_time + 3)); echo $total_time;` +
+					`if [ $total_time -gt 120 ]; then echo Sidecar not running, timeout reached. Exiting....; exit 1; fi; done;` +
+					`echo Sidecar available`,
+			},
+		},
+	}
+
+	return postStart, err
+
+}
+
 func (w *MeshWebhook) getContainerSidecarArgs(namespace corev1.Namespace, mpi multiPortInfo, bearerTokenFile string, pod corev1.Pod) ([]string, error) {
 	proxyIDFileName := "/consul/connect-inject/proxyid"
 	if mpi.serviceName != "" {

@@ -303,7 +303,7 @@ func (w *MeshWebhook) Handle(ctx context.Context, req admission.Request) admissi
 			w.Log.Error(err, "error configuring injection sidecar container", "request name", req.Name)
 			return admission.Errored(http.StatusInternalServerError, fmt.Errorf("error configuring injection sidecar container: %s", err))
 		}
-		pod.Spec.Containers = append(pod.Spec.Containers, envoySidecar)
+		pod.Spec.Containers = injectSidecar(pod, pod.Spec.Containers, envoySidecar)
 	} else {
 		// For multi port pods, check for unsupported cases, mount all relevant service account tokens, and mount an init
 		// container and envoy sidecar per port. Tproxy, metrics, and metrics merging are not supported for multi port pods.
@@ -373,7 +373,7 @@ func (w *MeshWebhook) Handle(ctx context.Context, req admission.Request) admissi
 				w.Log.Error(err, "error configuring injection sidecar container", "request name", req.Name)
 				return admission.Errored(http.StatusInternalServerError, fmt.Errorf("error configuring injection sidecar container: %s", err))
 			}
-			pod.Spec.Containers = append(pod.Spec.Containers, envoySidecar)
+			pod.Spec.Containers = injectSidecar(pod, pod.Spec.Containers, envoySidecar)
 		}
 	}
 
@@ -480,6 +480,14 @@ func (w *MeshWebhook) Handle(ctx context.Context, req admission.Request) admissi
 	return admission.Patched(fmt.Sprintf("valid %s request", pod.Kind), patches...)
 }
 
+func injectSidecar(pod corev1.Pod, containers []corev1.Container, sidecar corev1.Container) []corev1.Container {
+	hold, err := strconv.ParseBool(pod.Annotations[constants.AnnotationSidecarProxyHoldApplicationUntilProxyStarts])
+	if err != nil || !hold {
+		return append(containers, sidecar)
+	}
+	return append([]corev1.Container{sidecar}, containers...)
+}
+
 // overwriteProbes overwrites readiness/liveness probes of this pod when
 // both transparent proxy is enabled and overwrite probes is true for the pod.
 func (w *MeshWebhook) overwriteProbes(ns corev1.Namespace, pod *corev1.Pod) error {