From 5f7867546f0878150e0b41bc029fd35943ad34c6 Mon Sep 17 00:00:00 2001
From: Daniel Eisenberg <danielei@checkpoint.com>
Date: Tue, 8 Apr 2025 20:10:40 +0300
Subject: [PATCH] update istio

---
 .../openappsec-waf-webhook/webhook_server.py  | 68 ++++++++++++++++---
 1 file changed, 59 insertions(+), 9 deletions(-)

diff --git a/docker/openappsec-waf-webhook/webhook_server.py b/docker/openappsec-waf-webhook/webhook_server.py
index 0794a6d..07eda7e 100755
--- a/docker/openappsec-waf-webhook/webhook_server.py
+++ b/docker/openappsec-waf-webhook/webhook_server.py
@@ -4,6 +4,8 @@ import logging
 import base64
 import secretgen
 import sys
+import re
+import requests
 from kubernetes import client, config
 from flask import Flask, request, jsonify, Response
 
@@ -12,7 +14,12 @@ app = Flask(__name__)
 # Read agent image and tag from environment variables
 AGENT_IMAGE = os.getenv('AGENT_IMAGE', 'ghcr.io/openappsec/agent')
 AGENT_TAG = os.getenv('AGENT_TAG', 'latest')
+AGENT_CPU = os.getenv('AGENT_CPU', '200m')
+INIT_CONTAINER_IMAGE = os.getenv('INIT_CONTAINER_IMAGE', 'ghcr.io/openappsec/openappsec-envoy-filters')
+INIT_CONTAINER_TAG = os.getenv('INIT_CONTAINER_TAG', 'latest')
+ISTIOD_PORT = os.getenv('ISTIOD_PORT', '15014')
 FULL_AGENT_IMAGE = f"{AGENT_IMAGE}:{AGENT_TAG}"
+FULL_INIT_CONTAINER_IMAGE = f"{INIT_CONTAINER_IMAGE}:{INIT_CONTAINER_TAG}"
 
 config.load_incluster_config()
 
@@ -67,19 +74,19 @@ def get_sidecar_container():
             {"name": "appsec-conf", "mountPath": "/etc/cp/conf"},
             {"name": "appsec-data", "mountPath": "/etc/cp/data"}
         ])
-    
+
     args = []
     if token:
         args.extend(["--token", token])
     else:
         args.append("--hybrid-mode")
-    
+
     if custom_fog_enabled and fog_address:
         args.extend(["--fog", fog_address])
-    
+
     if appsec_proxy:
         args.extend(["--proxy", appsec_proxy])
-    
+
     optional_env_vars = {
         "AGENT_TOKEN": os.getenv("AGENT_TOKEN"),
         "user_email": os.getenv("user_email"),
@@ -91,12 +98,12 @@ def get_sidecar_container():
         "PLAYGROUND": os.getenv("PLAYGROUND"),
         "CRDS_SCOPE": os.getenv("CRDS_SCOPE"),
     }
-    
+
     # Base environment variables
     env = [
         {"name": "registered_server", "value": "ISTIO Server"}
     ]
-    
+
     # Add optional environment variables if they are set
     for var_name, var_value in optional_env_vars.items():
         if var_value is not None:  # Only add if the variable is set
@@ -112,7 +119,7 @@ def get_sidecar_container():
         "volumeMounts": volume_mounts,
         "resources": {
             "requests": {
-                "cpu": "200m"
+                "cpu": AGENT_CPU
             }
         },
         "envFrom": [
@@ -138,15 +145,58 @@ def get_sidecar_container():
     app.logger.debug("Exiting get_sidecar_container()")
     return sidecar
 
+def get_istio_version():
+    url = f"http://istiod.istio-system:{ISTIOD_PORT}/version"
+    response = requests.get(url)
+    if response.status_code == 200:
+        return response.text.strip().split('-')[0]  # Extracting version
+    else:
+        raise Exception(f"Failed to get Istio version: {response.status_code}")
+
+def get_envoy_sha(istio_version):
+    url = f"https://raw.githubusercontent.com/istio/proxy/{istio_version}/WORKSPACE"
+    response = requests.get(url)
+    if response.status_code == 200:
+        match = re.search(r'ENVOY_SHA = \"([a-f0-9]+)\"', response.text)
+        if match:
+            return match.group(1)
+        else:
+            raise Exception("Envoy SHA not found in WORKSPACE file")
+    else:
+        raise Exception(f"Failed to get WORKSPACE file: {response.status_code}")
+
+def get_envoy_version(envoy_sha):
+    url = f"https://raw.githubusercontent.com/envoyproxy/envoy/{envoy_sha}/VERSION.txt"
+    response = requests.get(url)
+    if response.status_code == 200:
+        version = response.text.strip()
+        match = re.search(r'(\d+\.\d+)', version)
+        if match:
+            return match.group(1)
+        else:
+            raise Exception("Failed to extract major.minor version")
+    else:
+        raise Exception(f"Failed to get Envoy version: {response.status_code}")
+
+
 def get_init_container():
     # Define the initContainer you want to inject
+    istio_version = get_istio_version()
+    app.logger.debug(f"Istio Version: {istio_version}")
+
+    envoy_sha = get_envoy_sha(istio_version)
+    app.logger.debug(f"Envoy SHA: {envoy_sha}")
+
+    envoy_version = get_envoy_version(envoy_sha)
+    app.logger.info(f"Envoy Version: {envoy_version}")
+
     init_container = {
         "name": "prepare-attachment",
-        "image": FULL_AGENT_IMAGE,
+        "image": FULL_INIT_CONTAINER_IMAGE,
         "imagePullPolicy": "Always",
         "command": [
             "sh", "-c",
-            "mkdir -p /envoy/attachment/shared && cp -r /envoy/attachment/lib* /envoy/attachment/shared"
+            f"mkdir -p /envoy/attachment/shared && cp -r /envoy/attachment/lib* /envoy/attachment/shared && cp /envoy/attachment/versions/{envoy_version}/lib* /envoy/attachment/shared"
         ],
         "volumeMounts": [
             {