
Conversation

@sjberman
Collaborator

@sjberman sjberman commented Dec 16, 2025

Problem: In some cases, a Pod's IP address may not actually be the IP of the Pod. It could be the IP of the node it's running on. This makes verification and tracking difficult to impossible.

Solution: Use the UUID of the container instead of the IP address, and loosen the validation to not care about the address that connects to the control plane.

Also needed to fix the agent's ability to identify us as a container, because otherwise the UUID was of the node, not the container. This involved reverting a previous fix that was added after removing the default service account directory, which agent looked for.

Testing: Verified that everything still works when not using the IP address as the key.

Partially addresses #4426

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Fix issue where agent's Pod IP cannot be used to track the connecting data plane Pod

Problem: In some cases, a Pod's IP address may not actually be the IP of the Pod. It could be the IP of the node it's running on. This makes verification and tracking difficult to impossible.

Solution: Use the UUID of the Pod instead of the IP address, and loosen the validation to not care about the address that connects to the control plane.

Also needed to fix the agent's ability to identify us as a container, because otherwise the UUID was of the node, not the container. This involved reverting a previous fix that was added after removing the default service account directory, which agent looked for.
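The tracking change described above, as an added example that is not NGINX Gateway Fabric code: a connection tracker keyed on a UUID carried in gRPC metadata rather than on the peer address. The `Metadata` type stands in for gRPC's `metadata.MD` (header name to values), the header name `uuid`, the `GrpcInfo`/tracker shapes and the sample pod names and UUIDs are assumptions of this example, and the format check is a plain 8-4-4-4-12 hex pattern rather than any particular UUID version.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Metadata mirrors the shape of gRPC's metadata.MD: header name -> values.
// Added example only; the project's real interceptor is not on this page.
type Metadata map[string][]string

// Header carrying the agent's identifier. The name is an assumption.
const uuidHeader = "uuid"

// Accept canonical 8-4-4-4-12 hex form (after lower-casing), any version.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

type ctxKey struct{}

// GrpcInfo is what the interceptor leaves in the request context: the
// container UUID, and deliberately nothing about the peer address.
type GrpcInfo struct{ UUID string }

var ErrMissingUUID = errors.New("missing or malformed uuid in metadata")

// UUIDFromMetadata normalises and format-checks the client-supplied value.
// It identifies the caller; it does not authenticate it.
func UUIDFromMetadata(md Metadata) (string, error) {
	vals := md[uuidHeader]
	if len(vals) != 1 {
		return "", ErrMissingUUID
	}
	id := strings.ToLower(strings.TrimSpace(vals[0]))
	if !uuidRe.MatchString(id) {
		return "", ErrMissingUUID
	}
	return id, nil
}

// Intercept plays the role of a unary/stream interceptor: attach GrpcInfo to
// the context or reject the call. The peer IP is never consulted, which is the
// point of the fix (on some CNIs it is the node's IP, not the pod's).
func Intercept(ctx context.Context, md Metadata) (context.Context, error) {
	id, err := UUIDFromMetadata(md)
	if err != nil {
		return ctx, err
	}
	return context.WithValue(ctx, ctxKey{}, GrpcInfo{UUID: id}), nil
}

// InfoFromContext recovers what Intercept stored.
func InfoFromContext(ctx context.Context) (GrpcInfo, bool) {
	info, ok := ctx.Value(ctxKey{}).(GrpcInfo)
	return info, ok
}

// ConnectionTracker keys data-plane connections on UUID, so two agents that
// share a source IP (same node, hostNetwork, NAT) remain distinguishable.
type ConnectionTracker struct{ conns map[string]string }

func NewTracker() *ConnectionTracker {
	return &ConnectionTracker{conns: map[string]string{}}
}

// Track records podName under the UUID found in ctx.
func (t *ConnectionTracker) Track(ctx context.Context, podName string) error {
	info, ok := InfoFromContext(ctx)
	if !ok {
		return ErrMissingUUID
	}
	t.conns[info.UUID] = podName
	return nil
}

// Lookup returns the pod recorded for a UUID.
func (t *ConnectionTracker) Lookup(uuid string) (string, bool) {
	name, ok := t.conns[uuid]
	return name, ok
}

// Len is the number of tracked connections.
func (t *ConnectionTracker) Len() int { return len(t.conns) }

func main() {
	tr := NewTracker()
	// Constructed sample: two agents on one node, same peer IP, distinct UUIDs.
	for name, id := range map[string]string{
		"nginx-gateway-a": "2f1e0c54-7b2a-4b9e-9c3d-0a1b2c3d4e5f",
		"nginx-gateway-b": "9d8c7b6a-5f4e-4d3c-8b2a-1f0e9d8c7b6a",
	} {
		ctx, err := Intercept(context.Background(), Metadata{uuidHeader: {id}})
		if err != nil {
			fmt.Println("rejected:", name, err)
			continue
		}
		_ = tr.Track(ctx, name)
	}
	fmt.Println("tracked connections:", tr.Len())
}
```

The caveat that goes with this design: a UUID the client presents is a lookup key, not a credential, so whatever still authenticates the gRPC session (the `Token` field that the updated `context_test.go` exercises, plus transport-level authentication) is what establishes trust; loosening the address check is safe only because the address was never the thing being trusted.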
@sjberman sjberman requested a review from a team as a code owner December 16, 2025 17:25
@github-actions github-actions bot added the bug Something isn't working label Dec 16, 2025
@sjberman sjberman requested a review from Copilot December 16, 2025 17:26

Copilot AI left a comment


Pull request overview

This PR changes the agent tracking mechanism from using Pod IP addresses to using Pod UUIDs to address scenarios where a Pod's IP address may not accurately represent the Pod (e.g., when it's actually the node's IP). The change relaxes validation requirements and fixes the agent's container identification by creating an empty /run/.containerenv file in Docker images.

  • Replaced IP-based tracking with UUID-based tracking across the gRPC interceptor and command/file services
  • Removed IP address validation logic in favor of UUID validation
  • Added /run/.containerenv file creation in Dockerfiles to ensure proper container identification

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
internal/controller/nginx/agent/grpc/interceptor/interceptor.go Replaced IP address extraction from peer data with UUID from metadata; removed IP-based pod filtering
internal/controller/nginx/agent/grpc/interceptor/interceptor_test.go Updated tests to remove peer/IP validation and use UUID-based tracking
internal/controller/nginx/agent/grpc/context/context.go Changed GrpcInfo struct to use UUID field instead of IPAddress
internal/controller/nginx/agent/grpc/context/context_test.go Updated test to use Token field instead of IPAddress
internal/controller/nginx/agent/command.go Replaced all IPAddress references with UUID for connection tracking
internal/controller/nginx/agent/command_test.go Updated tests to use UUID-based tracking and removed hostname fallback test
internal/controller/nginx/agent/file.go Changed file service methods to use UUID instead of IPAddress
internal/controller/nginx/agent/file_test.go Updated all test contexts to use UUID instead of IPAddress
build/Dockerfile.nginx Added creation of /run/.containerenv file for container identification
build/Dockerfile.nginxplus Added creation of /run/.containerenv file for container identification
build/ubi/Dockerfile.nginx Added creation of /run/.containerenv file for container identification
build/ubi/Dockerfile.nginxplus Added creation of /run/.containerenv file for container identification

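The container-identification part of the fix, as an added example that is not the agent's or the project's code: the Dockerfile change creates an empty `/run/.containerenv`, and this shows why that is enough for marker-file based detection to succeed once the default service account directory is gone. The marker list, the `root` parameter (so the check can run against a temp directory), and the fallback wording are assumptions of this example; the page does not show the agent's real detection logic.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Marker paths commonly consulted to answer "am I inside a container".
// Assumed for this example: the PR only tells us the agent stopped finding
// the default service account directory and now finds /run/.containerenv.
var containerMarkers = []string{
	"/run/.containerenv",
	"/.dockerenv",
	"/var/run/secrets/kubernetes.io/serviceaccount",
}

// DetectContainer checks each marker beneath root ("/" in production, a temp
// dir in tests). It returns the first marker present; when none is, identity
// generation would fall back to treating the process as the host/node, which
// is the failure the PR describes (UUID of the node, not the container).
func DetectContainer(root string) (marker string, ok bool) {
	for _, m := range containerMarkers {
		if _, err := os.Stat(filepath.Join(root, m)); err == nil {
			return m, true
		}
	}
	return "", false
}

// CreateMarker reproduces the Dockerfile change: an empty /run/.containerenv.
// Its presence, not its contents, is what the detection keys on.
func CreateMarker(root string) error {
	p := filepath.Join(root, "run", ".containerenv")
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(p, os.O_CREATE|os.O_WRONLY, 0o644)
	if err != nil {
		return err
	}
	return f.Close()
}

func main() {
	// Constructed scratch root standing in for an image filesystem with the
	// service account directory removed.
	root, err := os.MkdirTemp("", "containerenv-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(root)

	if m, ok := DetectContainer(root); !ok {
		fmt.Println("before fix: no marker found, identity would be the node's")
	} else {
		fmt.Println("before fix: marker", m)
	}
	if err := CreateMarker(root); err != nil {
		fmt.Println(err)
		return
	}
	m, ok := DetectContainer(root)
	fmt.Printf("after fix: marker=%q found=%v\n", m, ok)
}
```

Because the check is existence only, the file can stay empty and owned by root with no special permissions; what matters is that it is baked into the image rather than depending on a volume mount that a deployment setting can remove.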

@codecov

codecov bot commented Dec 16, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.23%. Comparing base (c2f7394) to head (ebf34be).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4470      +/-   ##
==========================================
- Coverage   86.24%   86.23%   -0.01%     
==========================================
  Files         132      132              
  Lines       14566    14557       -9     
  Branches       35       35              
==========================================
- Hits        12562    12553       -9     
  Misses       1791     1791              
  Partials      213      213              


@sjberman sjberman changed the title Use UUID instead of IP address for tracking agent Use agent UUID instead of IP address for tracking agent Dec 16, 2025
@sjberman sjberman changed the title Use agent UUID instead of IP address for tracking agent Use container UUID instead of IP address for tracking agent Dec 16, 2025
@sjberman sjberman enabled auto-merge (squash) December 16, 2025 19:35
@sjberman sjberman merged commit 3424d94 into main Dec 16, 2025
98 of 101 checks passed
@sjberman sjberman deleted the fix/wrong-ip branch December 16, 2025 20:23
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Dec 16, 2025
sjberman added a commit that referenced this pull request Dec 16, 2025
Problem: In some cases, a Pod's IP address may not actually be the IP of the Pod. It could be the IP of the node it's running on. This makes verification and tracking difficult to impossible.

Solution: Use the UUID of the container instead of the IP address, and loosen the validation to not care about the address that connects to the control plane.

Also needed to fix the agent's ability to identify us as a container, because otherwise the UUID was of the node, not the container. This involved reverting a previous fix that was added after removing the default service account directory, which agent looked for.
sjberman added a commit that referenced this pull request Dec 16, 2025
Problem: In some cases, a Pod's IP address may not actually be the IP of the Pod. It could be the IP of the node it's running on. This makes verification and tracking difficult to impossible.

Solution: Use the UUID of the container instead of the IP address, and loosen the validation to not care about the address that connects to the control plane.

Also needed to fix the agent's ability to identify us as a container, because otherwise the UUID was of the node, not the container. This involved reverting a previous fix that was added after removing the default service account directory, which agent looked for.

Labels

bug Something isn't working release-notes

Projects

Status: Done

Development


4 participants