From 29dc3b3364d91b35ed8b716c05ecc13a5eb7ce9d Mon Sep 17 00:00:00 2001
From: anjal
Date: Mon, 18 Aug 2025 20:13:27 +0530
Subject: [PATCH] Update annotations for application pods to bypass mTLS while communicating with NSM manager in Strict mode
Signed-off-by: anjal
---
controllers/slice/app_pod.go | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/controllers/slice/app_pod.go b/controllers/slice/app_pod.go
index 1b142406a..7deff6abf 100644
--- a/controllers/slice/app_pod.go
+++ b/controllers/slice/app_pod.go
@@ -207,6 +207,12 @@ func (r *SliceReconciler) labelAppPodWithNsmIp(ctx context.Context, slice *kubes
 if labels == nil {
 labels = make(map[string]string)
 }
+
+ annotations := pod.GetAnnotations()
+ if annotations == nil {
+ annotations = make(map[string]string)
+ }
+
 _, ok := labels[controllers.NSMIPLabelSelectorKey]
 if !ok {
 updateNeeded = true
@@ -218,14 +224,22 @@ func (r *SliceReconciler) labelAppPodWithNsmIp(ctx context.Context, slice *kubes
 }
 }
+ // Add Istio exclusion for NSM communication
+ expectedExcludePort := "5000"
+ if annotations["traffic.sidecar.istio.io/excludeOutboundPorts"] != expectedExcludePort {
+ updateNeeded = true
+ annotations["traffic.sidecar.istio.io/excludeOutboundPorts"] = expectedExcludePort
+ }
+
 if updateNeeded {
 pod.SetLabels(labels)
+ pod.SetAnnotations(annotations)
 err := r.Update(ctx, &pod)
 if err != nil {
- log.Error(err, "Failed to update NSM IP label for app pod", "pod", pod.Name)
+ log.Error(err, "Failed to update NSM IP label and Istio annotations for app pod", "pod", pod.Name)
 return err
 }
- debugLog.Info("App pod label added/updated", "pod", pod.Name, "nsmIP", podInSlice.NsmIP)
+ debugLog.Info("App pod label and Istio exclusion added/updated", "pod", pod.Name, "nsmIP", podInSlice.NsmIP)
 }
 }
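Review bot: The assignment `annotations["traffic.sidecar.istio.io/excludeOutboundPorts"] = expectedExcludePort` in the second hunk replaces whatever port list the pod owner had already set, and because the guard is a plain `!=`, a pod carrying a longer list (for example a constructed value such as `5000,9090`) is rewritten back to `5000` on every reconcile; merging 5000 into the existing comma-separated value, as sketched below, avoids both. The exclusion is by port only, so every outbound connection from the app pod to port 5000, not just the one to the NSM manager, skips the sidecar and with it mTLS, Istio authorization and telemetry. If the manager's address is available at this point, `traffic.sidecar.istio.io/excludeOutboundIPRanges` would be the narrower control, and the port deserves a named constant with a comment saying why it is 5000. Istio's traffic annotations are normally consumed when the sidecar is injected, so it is worth confirming that setting them on an already-running pod through `r.Update` changes its redirect rules at all, rather than only taking effect on pods created from an annotated template. The sketch uses the `strings` package, which needs importing if the file does not already have it; the function body starts and ends outside the hunk.

```go
// Add Istio exclusion for NSM communication, keeping any ports the pod
// owner has already excluded instead of overwriting the whole list.
const excludeKey = "traffic.sidecar.istio.io/excludeOutboundPorts"
expectedExcludePort := "5000"
present := false
for _, p := range strings.Split(annotations[excludeKey], ",") {
	if strings.TrimSpace(p) == expectedExcludePort {
		present = true
		break
	}
}
if !present {
	updateNeeded = true
	if cur := annotations[excludeKey]; cur != "" {
		annotations[excludeKey] = cur + "," + expectedExcludePort
	} else {
		annotations[excludeKey] = expectedExcludePort
	}
}
// … unchanged: if updateNeeded { SetLabels / SetAnnotations / r.Update } …
```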