Add Namespace Source instrumentation

[damemi]

This adds instrumentation+uninstrumentation for Namespace-wide resources with Source objects. A namespace Source looks like so:

apiVersion: odigos.io/v1alpha1
kind: Source
metadata:
  name: default
  namespace: default
  labels:
    odigos.io/e2e: source
spec:
  workload:
    name: default
    namespace: default
    kind: Namespace

With name and namespace matching the name of the Namespace, and kind set to Namespace. These 3 fields are required because we're have the entire PodWorkload field marked required, so this can probably be simplified.

What this does:

• When calling GetSourceListForWorkload, check for inherited instrumentation from Namespace.
• In startlangdetection, if the Source is for a Namespace, loop through all potential workloads in that Namespace (similar to how we do label based namespace instrumentation today)
  • Exclude any workloads that are explicitly excluded (by setting odigos.io/excluded on a Source for that workload -- TODO add a test for this)
• In deleteinstrumentedapplication, do something similar to what we do today by looping through the workloads again, re-using most of the check functions.
  • TODO some of these functions still rely on the label, like isInheritingInstrumentationFromNs in syncGenericWorkloadListToNs
• Add e2e for Namespace instrumentation and test steps for uninstrumentation

[damemi]

@tamirdavid1 looks like the tests are failing the 2nd time I instrument the apps (by namespace) with this diff:

    | 18:42:17 | source | Assert Runtime Detected                          | ASSERT    | ERROR | odigos.io/v1alpha1/InstrumentationConfig @ default/deployment-inventory
        === ERROR
        ---------------------------------------------------------------------
        odigos.io/v1alpha1/InstrumentationConfig/default/deployment-inventory
        ---------------------------------------------------------------------
        * status.runtimeDetailsByContainer[0].envVars[0].value: Invalid value: "/bar:/var/odigos/python:/var/odigos/python/opentelemetry/instrumentation/auto_instrumentation": Expected value: "/bar"
        
        --- expected
        +++ actual
        @@ -9,12 +9,14 @@
             controller: true
             kind: Deployment
             name: inventory
        +    uid: df8406f5-5dd0-4d7d-bf09-44516da27ed3
         status:
           runtimeDetailsByContainer:
           - containerName: inventory
             envVars:
             - name: PYTHONPATH
        -      value: /bar
        +      value: /bar:/var/odigos/python:/var/odigos/python/opentelemetry/instrumentation/auto_instrumentation
             language: python
        +    runtimeUpdateState: Skipped
             runtimeVersion: 3.11.9

I'm just curious if you think this could be related to #2082? If so is there anything I should update to react to that?

For reference, this test is trying to:

• Instrument individual deployments
  • Assert the instrumentationconfigs/instrumentedapplications match this file
• Un-instrument the deployments
  • Verify that the instrumentationconfigs and instrumentedapplications are deleted
• Instrument the namespace
  • Assert the same IC/IA check from earlier <--- fails here with the above diff

[damemi]

@tamirdavid1 doing more trials it looks like this doesn't happen the first time the workload is instrumented, only on subsequent attempts

[notion-workspace]

Bug: workloads uninstrumented when namespace Source CRD deleted, but deployment Source CRDs still exist

[blumamir]

s in this case can also be a source of kind Namespace, this gives a specific semantic to this check (excluded namespaces will also trigger the workload to be considered as not instrumented. Not sure I covered all cases in my head, but if the Namespace is excluded, and the workload source is not, I think it might not get instrumented when it should.

[damemi]

I wasn't aware that we could have an excluded namespace with an included workload inside of it. I thought it was only the other way around (ie, you can instrument a namespace and specify certain workloads to exclude). If both are the case I'll update

[blumamir]

I think it's not officially something that we suggest people to do, but no one will stop users from populating the label on a namespace. In this case it might be worth making sure we still instrument correctly :)

[damemi]

note: blocked on #2107 for tests to pass

[damemi]

@blumamir @RonFed I think I got to all the feedback, ptal.

One thing I realized this was missing was the case where someone creates or deletes and excluded Source in a namespace that's already instrumented. That's added along with tests in 7295ac9.

There are basically 4 cases:

• If a normal Source is created, the startlangdetection should instrument
• If a normal Source is deleted, the deleteinstrumentationconfig should uninstrument
• If an excluded Source is created, the deleteinstrumentationconfig should check if it needs to be uninstrumented (ie, if it's in an instrumented namespace)
• If an excluded Source is deleted, the startlangdetection should check if it needs to be instrumented (ie, if it's in an instrumented namespace)

This requires 2 finalizers. I'm planning to move the finalizer creation to the same mutating webhook we'll use for label defaulting. But for now, this will work.

If it's helpful, I had to draw it out to understand:

[damemi]

Also, I'm pulling the commits from #2122 into this branch to get the tests to pass. Will resolve with #2107 when we merge into main

[blumamir]

if the workload has a source CR, then it's not inheriting it's instrumentation from the ns, but this function can return true here instead of false

[damemi]

like we talked about offline, this function and its use will be refactored in the backend label clean-up. Keeping this open as a reminder to do that

[blumamir]

Do we want to also write the kind here? so it's not ambiguous

[damemi]

This log line just refers to the Source object itself, so the kind is always Source. A Source can be named differently from the workload, for example:

apiVersion: odigos.io/v1alpha1
kind: Source
metadata:
  name: my-source # <--- source name
  namespace: default
spec:
  workload:
    name: coupone # <--- workload name
    namespace: default
    kind: Deployment

[blumamir]

this check only says if a workload instrumentation is inherited from ns. not if it's effectively instrumented or not.

It used to be ok because of this which guaranteed that this function is called after we already know the namespace is not labeled.

I think that the changes in this PR renders this assumption invalid, and we can now deleteWorkloadInstrumentationConfig and removeReportedNameAnnotation below even for instrumented workloads.

[damemi]

Same as #2105 (comment)