update istio

docker/openappsec-waf-webhook/webhook_server.py

@@ -4,6 +4,8 @@ import logging
 import base64
 import secretgen
 import sys
+import re
+import requests
 from kubernetes import client, config
 from flask import Flask, request, jsonify, Response
 
@@ -12,7 +14,12 @@ app = Flask(__name__)
 # Read agent image and tag from environment variables
 AGENT_IMAGE = os.getenv('AGENT_IMAGE', 'ghcr.io/openappsec/agent')
 AGENT_TAG = os.getenv('AGENT_TAG', 'latest')
+AGENT_CPU = os.getenv('AGENT_CPU', '200m')
+INIT_CONTAINER_IMAGE = os.getenv('INIT_CONTAINER_IMAGE', 'ghcr.io/openappsec/openappsec-envoy-filters')
+INIT_CONTAINER_TAG = os.getenv('INIT_CONTAINER_TAG', 'latest')
+ISTIOD_PORT = os.getenv('ISTIOD_PORT', '15014')
 FULL_AGENT_IMAGE = f"{AGENT_IMAGE}:{AGENT_TAG}"
+FULL_INIT_CONTAINER_IMAGE = f"{INIT_CONTAINER_IMAGE}:{INIT_CONTAINER_TAG}"
 
 config.load_incluster_config()
 
@@ -112,7 +119,7 @@ def get_sidecar_container():
         "volumeMounts": volume_mounts,
         "resources": {
             "requests": {
-                "cpu": "200m"
+                "cpu": AGENT_CPU
             }
         },
         "envFrom": [
@@ -138,15 +145,58 @@ def get_sidecar_container():
     app.logger.debug("Exiting get_sidecar_container()")
     return sidecar
 
+def get_istio_version():
+    url = f"http://istiod.istio-system:{ISTIOD_PORT}/version"
+    response = requests.get(url)
+    if response.status_code == 200:
+        return response.text.strip().split('-')[0]  # Extracting version
+    else:
+        raise Exception(f"Failed to get Istio version: {response.status_code}")
+
+def get_envoy_sha(istio_version):
+    url = f"https://raw.githubusercontent.com/istio/proxy/{istio_version}/WORKSPACE"
+    response = requests.get(url)
+    if response.status_code == 200:
+        match = re.search(r'ENVOY_SHA = \"([a-f0-9]+)\"', response.text)
+        if match:
+            return match.group(1)
+        else:
+            raise Exception("Envoy SHA not found in WORKSPACE file")
+    else:
+        raise Exception(f"Failed to get WORKSPACE file: {response.status_code}")
+
+def get_envoy_version(envoy_sha):
+    url = f"https://raw.githubusercontent.com/envoyproxy/envoy/{envoy_sha}/VERSION.txt"
+    response = requests.get(url)
+    if response.status_code == 200:
+        version = response.text.strip()
+        match = re.search(r'(\d+\.\d+)', version)
+        if match:
+            return match.group(1)
+        else:
+            raise Exception("Failed to extract major.minor version")
+    else:
+        raise Exception(f"Failed to get Envoy version: {response.status_code}")
+
+
 def get_init_container():
     # Define the initContainer you want to inject
+    istio_version = get_istio_version()
+    app.logger.debug(f"Istio Version: {istio_version}")
+
+    envoy_sha = get_envoy_sha(istio_version)
+    app.logger.debug(f"Envoy SHA: {envoy_sha}")
+
+    envoy_version = get_envoy_version(envoy_sha)
+    app.logger.info(f"Envoy Version: {envoy_version}")
+
     init_container = {
         "name": "prepare-attachment",
-        "image": FULL_AGENT_IMAGE,
+        "image": FULL_INIT_CONTAINER_IMAGE,
         "imagePullPolicy": "Always",
         "command": [
             "sh", "-c",
-            "mkdir -p /envoy/attachment/shared && cp -r /envoy/attachment/lib* /envoy/attachment/shared"
+            f"mkdir -p /envoy/attachment/shared && cp -r /envoy/attachment/lib* /envoy/attachment/shared && cp /envoy/attachment/versions/{envoy_version}/lib* /envoy/attachment/shared"
         ],
         "volumeMounts": [
             {