Add a wait to ensure networking is up. this assumes ztunnel blocks everything, including k8s

ddl-r-abdulaziz · ddl-r-abdulaziz · commit 33651d40be9b · 2025-09-16T12:22:30.000-04:00
diff --git a/deployments/helm/hephaestus/templates/controller/deployment.yaml b/deployments/helm/hephaestus/templates/controller/deployment.yaml
@@ -43,6 +43,38 @@ spec:
       serviceAccountName: {{ include "hephaestus.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+      {{- if .Values.waitForNetworking }}
+      initContainers:
+        - name: wait-for-networking
+          securityContext:
+            {{- toYaml .Values.controller.manager.containerSecurityContext | nindent 12 }}
+          image: {{ .Values.curl_image }}
+          imagePullPolicy: {{ .Values.controller.manager.image.pullPolicy }}
+          command: [ 'sh', '-c' ]
+          args:
+            - |
+              echo "Testing Connections"
+              while true; do
+                echo "AWS Metadata attempt:"
+                if curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" > /dev/null; then
+                  echo "AWS Metadata successful"
+                  exit 0
+                else
+                  echo "error: AWS Metadata failed"
+                fi
+              done
+          {{- with .Values.controller.manager }}
+          {{- if or .extraEnvVars $.Values.podEnv }}
+          env:
+            {{- with .extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 12 }}
+            {{- end }}
+            {{- with $.Values.podEnv }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- end }}
+      {{- end }}
       containers:
         - name: manager
           securityContext:
diff --git a/deployments/helm/hephaestus/values.yaml b/deployments/helm/hephaestus/values.yaml
@@ -402,3 +402,9 @@ buildkit:
                   values:
                     - {{ .Chart.Name }}
             topologyKey: "kubernetes.io/hostname"
+
+# waitForNetworking starts an initContainer that requires a curl_image
+# Set this to true in istio ambient mode to cause Hephaestus Mangaer to start up
+# with networking. We're not sure why this works. See: https://dominodatalab.atlassian.net/browse/DOM-70981
+waitForNetworking: false
+curl_image: curlimages/curl:latest
