diff --git a/chart/templates/controller.yaml b/chart/templates/controller.yaml
index f3e5290e1..5f5ba6c17 100644
--- a/chart/templates/controller.yaml
+++ b/chart/templates/controller.yaml
@@ -104,7 +104,7 @@ spec:
 containerPort: 9995
 volumeMounts:
 - name: config
- mountPath: /var/linkerd-io/config
+ mountPath: /var/run/linkerd/config
 image: {{.Values.ControllerImage}}
 imagePullPolicy: {{.Values.ImagePullPolicy}}
 args:
diff --git a/chart/templates/identity.yaml b/chart/templates/identity.yaml
new file mode 100644
index 000000000..420d53349
--- /dev/null
+++ b/chart/templates/identity.yaml
@@ -0,0 +1,134 @@
+{{with .Values -}}
+{{if .Identity -}}
+---
+###
+### Identity Controller Service
+###
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-identity
+ namespace: {{.Namespace}}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: linkerd-{{.Namespace}}-identity
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: linkerd-{{.Namespace}}-identity
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-identity
+subjects:
+- kind: ServiceAccount
+ name: linkerd-identity
+ namespace: {{.Namespace}}
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: linkerd-identity
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: identity
+ annotations:
+ {{.CreatedByAnnotation}}: {{.CliVersion}}
+spec:
+ type: ClusterIP
+ selector:
+ {{.ControllerComponentLabel}}: identity
+ ports:
+ - name: grpc
+ port: 8080
+ targetPort: 8080
+{{- if .Identity.Issuer}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: linkerd-identity-issuer
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: identity
+ annotations:
+ {{.CreatedByAnnotation}}: {{.CliVersion}}
+ {{- if .Identity.Issuer.CrtExpiryAnnotation}}
+ {{.Identity.Issuer.CrtExpiryAnnotation}}: {{.Identity.Issuer.CrtExpiry}}
+ {{- end}}
+data:
+ crt.pem: {{b64enc .Identity.Issuer.CrtPEM}}
+ key.pem: {{b64enc .Identity.Issuer.KeyPEM}}
+{{- end}}
+---
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+ name: linkerd-identity
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: identity
+ annotations:
+ {{.CreatedByAnnotation}}: {{.CliVersion}}
+spec:
+ replicas: {{.Identity.Replicas}}
+ template:
+ metadata:
+ labels:
+ {{.ControllerComponentLabel}}: identity
+ annotations:
+ {{.CreatedByAnnotation}}: {{.CliVersion}}
+ spec:
+ serviceAccountName: linkerd-identity
+ containers:
+ - name: identity
+ ports:
+ - name: grpc
+ containerPort: 8080
+ - name: admin-http
+ containerPort: 9990
+ image: {{.ControllerImage}}
+ imagePullPolicy: {{.ImagePullPolicy}}
+ args:
+ - "identity"
+ - "-log-level={{.ControllerLogLevel}}"
+ volumeMounts:
+ - mountPath: /var/run/linkerd/config
+ name: config
+ - mountPath: /var/run/linkerd/identity/issuer
+ name: identity-issuer
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9990
+ initialDelaySeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 9990
+ failureThreshold: 7
+ {{- if .EnableHA }}
+ resources:
+ requests:
+ cpu: 10m
+ memory: 50Mi
+ {{- end }}
+ securityContext:
+ runAsUser: {{.ControllerUID}}
+ volumes:
+ - name: config
+ configMap:
+ name: linkerd-config
+ - name: identity-issuer
+ secret:
+ secretName: linkerd-identity-issuer
+{{end -}}
+{{end -}}
diff --git a/chart/templates/proxy_injector.yaml b/chart/templates/proxy_injector.yaml
index 5c2627199..105c1c4b3 100644
--- a/chart/templates/proxy_injector.yaml
+++ b/chart/templates/proxy_injector.yaml
@@ -40,7 +40,7 @@ spec:
 containerPort: 8443
 volumeMounts:
 - name: config
- mountPath: /var/linkerd-io/config
+ mountPath: /var/run/linkerd/config
 livenessProbe:
 httpGet:
 path: /ping
diff --git a/cli/cmd/install.go b/cli/cmd/install.go
index 679e3f0d7..853028f33 100644
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -2,16 +2,21 @@ package cmd
 import (
 "bytes"
+ "errors"
 "fmt"
 "io"
 "io/ioutil"
 "os"
 "path"
+ "time"
 "github.com/golang/protobuf/jsonpb"
+ "github.com/golang/protobuf/ptypes"
 "github.com/linkerd/linkerd2/cli/static"
 "github.com/linkerd/linkerd2/controller/gen/config"
+ pb "github.com/linkerd/linkerd2/controller/gen/config"
 "github.com/linkerd/linkerd2/pkg/k8s"
+ "github.com/linkerd/linkerd2/pkg/tls"
 uuid "github.com/satori/go.uuid"
 log "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
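Review bot: The `identity-issuer` volume at the end of the Deployment references Secret `linkerd-identity-issuer` unconditionally, while the Secret itself is rendered only inside `{{- if .Identity.Issuer}}`; with `.Identity` set but `.Identity.Issuer` unset the chart would produce a pod whose volume points at a Secret it never creates. Either put the volume and its `volumeMounts` entry under the same condition, or drop the condition if the Go side is meant to always populate Issuer (validateAndBuildConfig in this diff appears to, but the template should not depend on that). Since `key.pem` is the issuer's private signing key and `linkerd install` output is routinely saved to files or piped around, a template comment above the Secret would help operators: `### The key.pem below is the identity issuer's private key; treat the rendered output as a secret.`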
@@ -22,55 +27,93 @@ import (
 "sigs.k8s.io/yaml"
 )
-type installConfig struct {
- Namespace string
- ControllerImage string
- WebImage string
- PrometheusImage string
- PrometheusVolumeName string
- GrafanaImage string
- GrafanaVolumeName string
- ControllerReplicas uint
- ImagePullPolicy string
- UUID string
- CliVersion string
- ControllerLogLevel string
- PrometheusLogLevel string
- ControllerComponentLabel string
- CreatedByAnnotation string
- ProxyContainerName string
- ProxyAutoInjectEnabled bool
- ProxyInjectAnnotation string
- ProxyInjectDisabled string
- EnableHA bool
- ControllerUID int64
- EnableH2Upgrade bool
- NoInitContainer bool
- GlobalConfig string
- ProxyConfig string
-}
+type (
+ installConfig struct {
+ Namespace string
+ ControllerImage string
+ WebImage string
+ PrometheusImage string
+ PrometheusVolumeName string
+ GrafanaImage string
+ GrafanaVolumeName string
+ ControllerReplicas uint
+ ImagePullPolicy string
+ UUID string
+ CliVersion string
+ ControllerLogLevel string
+ PrometheusLogLevel string
+ ControllerComponentLabel string
+ CreatedByAnnotation string
+ ProxyContainerName string
+ ProxyAutoInjectEnabled bool
+ ProxyInjectAnnotation string
+ ProxyInjectDisabled string
+ EnableHA bool
+ ControllerUID int64
+ EnableH2Upgrade bool
+ NoInitContainer bool
+ GlobalConfig string
+ ProxyConfig string
-// installOptions holds values for command line flags that apply to the install
-// command. All fields in this struct should have corresponding flags added in
-// the newCmdInstall func later in this file. It also embeds proxyConfigOptions
-// in order to hold values for command line flags that apply to both inject and
-type installOptions struct {
- controllerReplicas uint
- controllerLogLevel string
- proxyAutoInject bool
- highAvailability bool
- controllerUID int64
- disableH2Upgrade bool
- *proxyConfigOptions
-}
+ Identity *installIdentityConfig
+ }
+
+ installIdentityConfig struct {
+ Replicas uint
+
+ TrustDomain string
+ TrustAnchorsPEM string
+
+ Issuer *issuerConfig
+ }
+
+ issuerConfig struct {
+ ClockSkewAllowance string
+ IssuanceLifetime string
+
+ KeyPEM, CrtPEM string
+
+ CrtExpiry time.Time
+
+ CrtExpiryAnnotation string
+ }
+
+ // installOptions holds values for command line flags that apply to the install
+ // command. All fields in this struct should have corresponding flags added in
+ // the newCmdInstall func later in this file. It also embeds proxyConfigOptions
+ // in order to hold values for command line flags that apply to both inject and
+ // install.
+ installOptions struct {
+ controllerReplicas uint
+ controllerLogLevel string
+ proxyAutoInject bool
+ highAvailability bool
+ controllerUID int64
+ disableH2Upgrade bool
+ identityOptions *installIdentityOptions
+ *proxyConfigOptions
+ }
+
+ installIdentityOptions struct {
+ trustDomain string
+
+ issuanceLifetime time.Duration
+ clockSkewAllowance time.Duration
+
+ trustPEMFile, crtPEMFile, keyPEMFile string
+ }
+)
 const (
- prometheusProxyOutboundCapacity = 10000
- defaultControllerReplicas = 1
- defaultHAControllerReplicas = 3
+ prometheusProxyOutboundCapacity = 10000
+ defaultControllerReplicas = 1
+ defaultHAControllerReplicas = 3
+ defaultIdentityTrustDomain = "cluster.local"
+ defaultIdentityIssuanceLifetime = 24 * time.Hour
+ defaultIdentityClockSkewAllowance = 20 * time.Second
 nsTemplateName = "templates/namespace.yaml"
+ identityTemplateName = "templates/identity.yaml"
 controllerTemplateName = "templates/controller.yaml"
 webTemplateName = "templates/web.yaml"
 prometheusTemplateName = "templates/prometheus.yaml"
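Review bot: The new types `installIdentityConfig`, `issuerConfig` and `installIdentityOptions` carry no doc comments, and `issuerConfig` in particular holds private key material (`KeyPEM`) that the identity template renders into a Secret, which nothing at the declaration tells a reader. Suggest `// issuerConfig holds the identity issuer credentials rendered into the linkerd-identity-issuer Secret; KeyPEM is the issuer's private signing key.` above `issuerConfig`, and a one-line purpose comment on the other two. `ClockSkewAllowance` and `IssuanceLifetime` are stored as strings produced by `Duration.String()` in validateAndBuildConfig and then re-parsed in `toIdentityContext`; keeping them as `time.Duration` and formatting only where the template needs a string would remove that parse-and-fallback round trip.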
@@ -88,6 +131,11 @@ func newInstallOptions() *installOptions {
 controllerUID: 2103,
 disableH2Upgrade: false,
 proxyConfigOptions: newProxyConfigOptions(),
+ identityOptions: &installIdentityOptions{
+ trustDomain: defaultIdentityTrustDomain,
+ issuanceLifetime: defaultIdentityIssuanceLifetime,
+ clockSkewAllowance: defaultIdentityClockSkewAllowance,
+ },
 }
 }
@@ -99,6 +147,8 @@ func newCmdInstall() *cobra.Command {
 Short: "Output Kubernetes configs to install Linkerd",
 Long: "Output Kubernetes configs to install Linkerd.",
 RunE: func(cmd *cobra.Command, args []string) error {
+ // TODO check with a config already exists in the API and fail if it does.
+
 config, err := validateAndBuildConfig(options)
 if err != nil {
 return err
@@ -109,12 +159,56 @@ func newCmdInstall() *cobra.Command {
 }
 addProxyConfigFlags(cmd, options.proxyConfigOptions)
- cmd.PersistentFlags().UintVar(&options.controllerReplicas, "controller-replicas", options.controllerReplicas, "Replicas of the controller to deploy")
- cmd.PersistentFlags().StringVar(&options.controllerLogLevel, "controller-log-level", options.controllerLogLevel, "Log level for the controller and web components")
- cmd.PersistentFlags().BoolVar(&options.proxyAutoInject, "proxy-auto-inject", options.proxyAutoInject, "Enable proxy sidecar auto-injection via a webhook (default false)")
- cmd.PersistentFlags().BoolVar(&options.highAvailability, "ha", options.highAvailability, "Experimental: Enable HA deployment config for the control plane (default false)")
- cmd.PersistentFlags().Int64Var(&options.controllerUID, "controller-uid", options.controllerUID, "Run the control plane components under this user ID")
- cmd.PersistentFlags().BoolVar(&options.disableH2Upgrade, "disable-h2-upgrade", options.disableH2Upgrade, "Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)")
+ cmd.PersistentFlags().UintVar(
+ &options.controllerReplicas, "controller-replicas", options.controllerReplicas,
+ "Replicas of the controller to deploy",
+ )
+ cmd.PersistentFlags().StringVar(
+ &options.controllerLogLevel, "controller-log-level", options.controllerLogLevel,
+ "Log level for the controller and web components",
+ )
+ cmd.PersistentFlags().BoolVar(
+ &options.proxyAutoInject, "proxy-auto-inject", options.proxyAutoInject,
+ "Enable proxy sidecar auto-injection via a webhook (default false)",
+ )
+ cmd.PersistentFlags().BoolVar(
+ &options.highAvailability, "ha", options.highAvailability,
+ "Experimental: Enable HA deployment config for the control plane (default false)",
+ )
+ cmd.PersistentFlags().Int64Var(
+ &options.controllerUID, "controller-uid", options.controllerUID,
+ "Run the control plane components under this user ID",
+ )
+ cmd.PersistentFlags().BoolVar(
+ &options.disableH2Upgrade, "disable-h2-upgrade", options.disableH2Upgrade,
+ "Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)",
+ )
+
+ cmd.PersistentFlags().StringVar(
+ &options.identityOptions.trustDomain, "identity-trust-domain", options.identityOptions.trustDomain,
+ "Configures the name suffix used for identities.",
+ )
+ cmd.PersistentFlags().StringVar(
+ &options.identityOptions.trustPEMFile, "identity-trust-anchors-file", options.identityOptions.trustPEMFile,
+ "A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)",
+ )
+ cmd.PersistentFlags().StringVar(
+ &options.identityOptions.crtPEMFile, "identity-issuer-certificate-file", options.identityOptions.crtPEMFile,
+ "A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default)",
+ )
+ cmd.PersistentFlags().StringVar(
+ &options.identityOptions.keyPEMFile, "identity-issuer-key-file", options.identityOptions.keyPEMFile,
+ "A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default)",
+ )
+ cmd.PersistentFlags().DurationVar(
+ &options.identityOptions.clockSkewAllowance, "identity-clock-skew-allowance", options.identityOptions.clockSkewAllowance,
+ "The amount of time to allow for clock skew within a Linkerd cluster",
+ )
+ cmd.PersistentFlags().DurationVar(
+ &options.identityOptions.issuanceLifetime, "identity-issuance-lifetime", options.identityOptions.issuanceLifetime,
+ "The amount of time for which the Identity issuer should certify identity",
+ )
+
 return cmd
 }
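Review bot: `cmd.PersistentFlags()` is now called twelve times in a row in this block; hoisting it once, `flags := cmd.PersistentFlags()`, is the usual cobra idiom and shortens every registration. The help text for `identity-trust-domain` ends with a period while none of the neighbouring identity flags do, so pick one form. The three `identity-*-file` flags are only valid together (validateAndBuildConfig, later in this diff, rejects any subset), which the help text could state, e.g. `(generated by default; must be given together with the other identity-*-file flags)`.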
@@ -135,8 +229,93 @@ func validateAndBuildConfig(options *installOptions) (*installConfig, error) {
 options.proxyMemoryRequest = "20Mi"
 }
+ var identity *installIdentityConfig
+ if idopts := options.identityOptions; idopts != nil {
+ trustDomain := idopts.trustDomain
+ if trustDomain == "" {
+ return nil, errors.New("Trust domain must be specified")
+ }
+ issuerName := fmt.Sprintf("identity.%s.%s", controlPlaneNamespace, trustDomain)
+
+ identityReplicas := uint(1)
+ if options.highAvailability {
+ identityReplicas = 3
+ }
+
+ // Load signing material from options...
+ if idopts.trustPEMFile != "" || idopts.crtPEMFile != "" || idopts.keyPEMFile != "" {
+ if idopts.trustPEMFile == "" {
+ return nil, errors.New("a trust anchors file must be specified if other credentials are provided")
+ }
+ if idopts.crtPEMFile == "" {
+ return nil, errors.New("a certificate file must be specified if other credentials are provided")
+ }
+ if idopts.keyPEMFile == "" {
+ return nil, errors.New("a private key file must be specified if other credentials are provided")
+ }
+
+ // Validate credentials...
+ creds, err := tls.ReadPEMCreds(idopts.keyPEMFile, idopts.crtPEMFile)
+ if err != nil {
+ return nil, err
+ }
+
+ trustb, err := ioutil.ReadFile(idopts.trustPEMFile)
+ if err != nil {
+ return nil, err
+ }
+ trustAnchorsPEM := string(trustb)
+ roots, err := tls.DecodePEMCertPool(trustAnchorsPEM)
+ if err != nil {
+ return nil, err
+ }
+
+ issuerName := "" // TODO restrict issuer name?
+ if err := creds.Verify(roots, issuerName); err != nil {
+ return nil, fmt.Errorf("Credentials cannot be validated: %s", err)
+ }
+
+ identity = &installIdentityConfig{
+ Replicas: identityReplicas,
+ TrustDomain: idopts.trustDomain,
+ TrustAnchorsPEM: trustAnchorsPEM,
+ Issuer: &issuerConfig{
+ ClockSkewAllowance: idopts.clockSkewAllowance.String(),
+ IssuanceLifetime: idopts.issuanceLifetime.String(),
+ CrtExpiryAnnotation: k8s.IdentityIssuerExpiryAnnotation,
+
+ KeyPEM: creds.EncodePrivateKeyPEM(),
+ CrtPEM: creds.EncodeCertificatePEM(),
+ CrtExpiry: creds.Crt.Certificate.NotAfter,
+ },
+ }
+ } else {
+ // Generate new signing material...
+
+ root, err := tls.GenerateRootCAWithDefaults(issuerName)
+ if err != nil {
+ return nil, fmt.Errorf("Failed to create root certificate for identity: %s", err)
+ }
+
+ identity = &installIdentityConfig{
+ Replicas: identityReplicas,
+ TrustDomain: trustDomain,
+ TrustAnchorsPEM: root.Cred.Crt.EncodeCertificatePEM(),
+ Issuer: &issuerConfig{
+ ClockSkewAllowance: idopts.clockSkewAllowance.String(),
+ IssuanceLifetime: idopts.issuanceLifetime.String(),
+ CrtExpiryAnnotation: k8s.IdentityIssuerExpiryAnnotation,
+
+ KeyPEM: root.Cred.EncodePrivateKeyPEM(),
+ CrtPEM: root.Cred.Crt.EncodeCertificatePEM(),
+ CrtExpiry: root.Cred.Crt.Certificate.NotAfter,
+ },
+ }
+ }
+ }
+
 jsonMarshaler := jsonpb.Marshaler{EmitDefaults: true}
- globalConfig, err := jsonMarshaler.MarshalToString(globalConfig(options))
+ globalConfig, err := jsonMarshaler.MarshalToString(globalConfig(options, identity))
 if err != nil {
 return nil, err
 }
@@ -177,6 +356,7 @@ func validateAndBuildConfig(options *installOptions) (*installConfig, error) {
 NoInitContainer: options.noInitContainer,
 GlobalConfig: globalConfig,
 ProxyConfig: proxyConfig,
+ Identity: identity,
 }, nil
 }
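Review bot: `issuerName := "" // TODO restrict issuer name?` shadows the `issuerName` built from the namespace and trust domain a few lines earlier, so user-supplied issuer credentials are verified against the trust anchors with an empty expected name; if `creds.Verify` treats an empty name as "skip the name check" (its implementation is not in this diff), an issuer certificate issued for a different identity domain would pass install-time validation. Deleting the shadowing line so the call reads `if err := creds.Verify(roots, issuerName); err != nil {` applies the same name the generated path already hands to `tls.GenerateRootCAWithDefaults(issuerName)`. The error strings `"Trust domain must be specified"`, `"Credentials cannot be validated: %s"` and `"Failed to create root certificate for identity: %s"` should be lowercase per Go convention. In the generated branch the trust anchor and the issuer are the same root credential (`TrustAnchorsPEM` and `CrtPEM` both come from `root.Cred.Crt`), so the root's private key is what lands in the cluster Secret; a comment stating that, `// The generated root is also the issuer, so its private key is installed in the cluster.`, would help operators decide whether to bring their own issuer instead.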
@@ -191,6 +371,7 @@ func render(config installConfig, w io.Writer, options *installOptions) error {
 files := []*chartutil.BufferedFile{
 {Name: chartutil.ChartfileName},
 {Name: nsTemplateName},
+ {Name: identityTemplateName},
 {Name: controllerTemplateName},
 {Name: serviceprofileTemplateName},
 {Name: webTemplateName},
@@ -251,6 +432,11 @@ func render(config installConfig, w io.Writer, options *installOptions) error {
 // TODO: Fetch GlobalConfig and ProxyConfig from the ConfigMap/API
 pbConfig := injectOptionsToConfigs(injectOptions)
+ // injectOptionsToConfigs does NOT set an identity context if none exists,
+ // since it can't be enabled at inject-time if it's not enabled at
+ // install-time.
+ pbConfig.global.IdentityContext = config.Identity.toIdentityContext()
+
 return processYAML(&buf, w, ioutil.Discard, resourceTransformerInject{
 configs: pbConfig,
 proxyOutboundCapacity: map[string]uint{
@@ -280,61 +466,82 @@ func readIntoBytes(filename string) ([]byte, error) {
 return buf.Bytes(), nil
 }
-func globalConfig(options *installOptions) *config.Global {
- var identityContext *config.IdentityContext
-
- return &config.Global{
+func globalConfig(options *installOptions, id *installIdentityConfig) *pb.Global {
+ return &pb.Global{
 LinkerdNamespace: controlPlaneNamespace,
 CniEnabled: options.noInitContainer,
 Version: options.linkerdVersion,
- IdentityContext: identityContext,
+ IdentityContext: id.toIdentityContext(),
 }
 }
-func proxyConfig(options *installOptions) *config.Proxy {
- ignoreInboundPorts := []*config.Port{}
+func proxyConfig(options *installOptions) *pb.Proxy {
+ ignoreInboundPorts := []*pb.Port{}
 for _, port := range options.ignoreInboundPorts {
- ignoreInboundPorts = append(ignoreInboundPorts, &config.Port{Port: uint32(port)})
+ ignoreInboundPorts = append(ignoreInboundPorts, &pb.Port{Port: uint32(port)})
 }
- ignoreOutboundPorts := []*config.Port{}
+ ignoreOutboundPorts := []*pb.Port{}
 for _, port := range options.ignoreOutboundPorts {
- ignoreOutboundPorts = append(ignoreOutboundPorts, &config.Port{Port: uint32(port)})
+ ignoreOutboundPorts = append(ignoreOutboundPorts, &pb.Port{Port: uint32(port)})
 }
- return &config.Proxy{
- ProxyImage: &config.Image{
+ return &pb.Proxy{
+ ProxyImage: &pb.Image{
 ImageName: registryOverride(options.proxyImage, options.dockerRegistry),
 PullPolicy: options.imagePullPolicy,
 },
- ProxyInitImage: &config.Image{
+ ProxyInitImage: &pb.Image{
 ImageName: registryOverride(options.initImage, options.dockerRegistry),
 PullPolicy: options.imagePullPolicy,
 },
- ControlPort: &config.Port{
+ ControlPort: &pb.Port{
 Port: uint32(options.proxyControlPort),
 },
 IgnoreInboundPorts: ignoreInboundPorts,
 IgnoreOutboundPorts: ignoreOutboundPorts,
- InboundPort: &config.Port{
+ InboundPort: &pb.Port{
 Port: uint32(options.inboundPort),
 },
 AdminPort: &config.Port{
 Port: uint32(options.proxyAdminPort),
 },
- OutboundPort: &config.Port{
+ OutboundPort: &pb.Port{
 Port: uint32(options.outboundPort),
 },
- Resource: &config.ResourceRequirements{
+ Resource: &pb.ResourceRequirements{
 RequestCpu: options.proxyCPURequest,
 RequestMemory: options.proxyMemoryRequest,
 LimitCpu: options.proxyCPULimit,
 LimitMemory: options.proxyMemoryLimit,
 },
 ProxyUid: options.proxyUID,
- LogLevel: &config.LogLevel{
+ LogLevel: &pb.LogLevel{
 Level: options.proxyLogLevel,
 },
 DisableExternalProfiles: options.disableExternalProfiles,
 }
 }
+
+func (id *installIdentityConfig) toIdentityContext() *pb.IdentityContext {
+ if id == nil {
+ return nil
+ }
+
+ il, err := time.ParseDuration(id.Issuer.IssuanceLifetime)
+ if err != nil {
+ il = defaultIdentityIssuanceLifetime
+ }
+
+ csa, err := time.ParseDuration(id.Issuer.ClockSkewAllowance)
+ if err != nil {
+ csa = defaultIdentityClockSkewAllowance
+ }
+
+ return &pb.IdentityContext{
+ TrustDomain: id.TrustDomain,
+ TrustAnchorsPem: id.TrustAnchorsPEM,
+ IssuanceLifetime: ptypes.DurationProto(il),
+ ClockSkewAllowance: ptypes.DurationProto(csa),
+ }
+}
diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go
index 916e37524..cfeada969 100644
--- a/cli/cmd/install_test.go
+++ b/cli/cmd/install_test.go
@@ -3,6 +3,7 @@ package cmd
 import (
 "bytes"
 "fmt"
+ "path/filepath"
 "testing"
 )
@@ -11,6 +12,10 @@ func TestRender(t *testing.T) {
 // value to facilitate testing.
 defaultControlPlaneNamespace := controlPlaneNamespace
 defaultOptions := newInstallOptions()
+ defaultOptions.identityOptions.crtPEMFile = filepath.Join("testdata", "crt.pem")
+ defaultOptions.identityOptions.keyPEMFile = filepath.Join("testdata", "key.pem")
+ defaultOptions.identityOptions.trustPEMFile = filepath.Join("testdata", "trust-anchors.pem")
+
 defaultConfig, err := validateAndBuildConfig(defaultOptions)
 if err != nil {
 t.Fatalf("Unexpected error from validateAndBuildConfig(): %v", err)
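Review bot: `toIdentityContext` dereferences `id.Issuer` twice after the `id == nil` guard without checking it; `Issuer` is a pointer and the identity template guards on `{{- if .Identity.Issuer}}`, so a nil issuer is evidently a considered state and would panic here rather than degrade. The `ParseDuration` failures also fall back to the defaults silently, which would mask a malformed value; since the strings are produced by `Duration.String()` in validateAndBuildConfig, a failed parse indicates a programmer error and deserves at least a log line. Separately, `AdminPort: &config.Port{` in proxyConfig is the one remaining use of the unaliased `config` import after the switch to `pb`, which is why the import hunk now imports the same package twice; switching it to `&pb.Port{` lets the unaliased import go.
```go
func (id *installIdentityConfig) toIdentityContext() *pb.IdentityContext {
	// … unchanged: nil-receiver guard …

	// Issuer is optional (the identity template guards on it), so fall back to
	// the install defaults instead of dereferencing a nil pointer.
	il := defaultIdentityIssuanceLifetime
	csa := defaultIdentityClockSkewAllowance
	if id.Issuer != nil {
		if d, err := time.ParseDuration(id.Issuer.IssuanceLifetime); err == nil {
			il = d
		} else {
			// Produced by Duration.String() upstream; a parse failure is a bug worth surfacing.
			log.Warnf("invalid issuance lifetime %q; using default %s", id.Issuer.IssuanceLifetime, il)
		}
		if d, err := time.ParseDuration(id.Issuer.ClockSkewAllowance); err == nil {
			csa = d
		} else {
			log.Warnf("invalid clock skew allowance %q; using default %s", id.Issuer.ClockSkewAllowance, csa)
		}
	}

	// … unchanged: return &pb.IdentityContext{…} …
}
```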
@@ -45,14 +50,17 @@ func TestRender(t *testing.T) {
 NoInitContainer: false,
 GlobalConfig: "GlobalConfig",
 ProxyConfig: "ProxyConfig",
+ Identity: defaultConfig.Identity,
 }
 haOptions := newInstallOptions()
 haOptions.highAvailability = true
+ *haOptions.identityOptions = *defaultOptions.identityOptions
 haConfig, _ := validateAndBuildConfig(haOptions)
 haConfig.UUID = defaultConfig.UUID
 haWithOverridesOptions := newInstallOptions()
+ *haWithOverridesOptions.identityOptions = *defaultOptions.identityOptions
 haWithOverridesOptions.highAvailability = true
 haWithOverridesOptions.controllerReplicas = 2
 haWithOverridesOptions.proxyCPURequest = "400m"
@@ -61,11 +69,13 @@ func TestRender(t *testing.T) {
 haWithOverridesConfig.UUID = defaultConfig.UUID
 noInitContainerOptions := newInstallOptions()
+ *noInitContainerOptions.identityOptions = *defaultOptions.identityOptions
 noInitContainerOptions.noInitContainer = true
 noInitContainerConfig, _ := validateAndBuildConfig(noInitContainerOptions)
 noInitContainerConfig.UUID = defaultConfig.UUID
 noInitContainerWithProxyAutoInjectOptions := newInstallOptions()
+ *noInitContainerWithProxyAutoInjectOptions.identityOptions = *defaultOptions.identityOptions
 noInitContainerWithProxyAutoInjectOptions.noInitContainer = true
 noInitContainerWithProxyAutoInjectOptions.proxyAutoInject = true
 noInitContainerWithProxyAutoInjectConfig, _ := validateAndBuildConfig(noInitContainerWithProxyAutoInjectOptions)
diff --git a/cli/cmd/testdata/crt.pem b/cli/cmd/testdata/crt.pem
new file mode 100644
index 000000000..f98d3c780
--- /dev/null
+++ b/cli/cmd/testdata/crt.pem
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcjCCARigAwIBAgIBAjAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy +LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowKTEnMCUGA1UE +AxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEISg0CmJNBWLxJTsKt7+bz8As1YfqZFuTq2FnYo016NKVv70e +QC3T6tOpaj9xuKsXflU6ZkuiVRiihw+tV2isq6NCMEAwDgYDVR0PAQH/BAQDAgEG +MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/ +MAoGCCqGSM49BAMCA0gAMEUCIF+aM0Bw2PdMFDq/KtaBQvHdAYaUPVx8vf3jn+M4 +AaD4AiEA9HBdjyWyiKeKxlA8CoOvUAwI95xc6XUMoDxRSXjnpXg= +-----END CERTIFICATE----- diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index fe2a4f78b..865d8b846 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden 
@@ -5,6 +5,208 @@ metadata: name: linkerd --- ### +### Identity Controller Service +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z +data: + crt.pem: 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 + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + name: linkerd-identity + namespace: linkerd +spec: + 
replicas: 1 + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: disabled + linkerd.io/proxy-version: dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: . 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DISABLED + value: Identity is not yet available + image: gcr.io/linkerd-io/proxy:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:dev-undefined + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer +status: {} +--- +### ### Controller ### --- @@ -134,7 +336,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - args: - destination 
@@ -279,7 +481,7 @@ metadata: linkerd.io/created-by: linkerd/cli dev-undefined data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false} --- diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index d20d6edbd..f19b88548 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden 
@@ -5,6 +5,214 @@ metadata: name: linkerd --- ### +### Identity Controller Service +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z +data: + crt.pem: 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 + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + name: linkerd-identity + namespace: linkerd +spec: + 
replicas: 3 + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: disabled + linkerd.io/proxy-version: dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: + requests: + cpu: 10m + memory: 50Mi + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: . 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DISABLED + value: Identity is not yet available + image: gcr.io/linkerd-io/proxy:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + requests: + cpu: 10m + memory: 20Mi + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:dev-undefined + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer +status: {} +--- +### ### Controller ### --- @@ -137,7 +345,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - args: - destination 
@@ -291,7 +499,7 @@ metadata: linkerd.io/created-by: linkerd/cli dev-undefined data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"10m","requestMemory":"20Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false} --- diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 4c0121f9c..0019e90dc 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden 
@@ -5,6 +5,214 @@ metadata: name: linkerd --- ### +### Identity Controller Service +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z +data: + crt.pem: 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 + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + name: linkerd-identity + namespace: linkerd +spec: + 
replicas: 3 + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: disabled + linkerd.io/proxy-version: dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: + requests: + cpu: 10m + memory: 50Mi + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: . 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DISABLED + value: Identity is not yet available + image: gcr.io/linkerd-io/proxy:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + requests: + cpu: 400m + memory: 300Mi + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:dev-undefined + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer +status: {} +--- +### ### Controller ### --- @@ -137,7 +345,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - args: - destination 
@@ -291,7 +499,7 @@ metadata: linkerd.io/created-by: linkerd/cli dev-undefined data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"400m","requestMemory":"300Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false} --- diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 94d868bdc..261e07ea6 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden 
@@ -5,6 +5,184 @@ metadata: name: linkerd --- ### +### Identity Controller Service +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z +data: + crt.pem: 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 + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + name: linkerd-identity + namespace: linkerd +spec: + 
replicas: 1 + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: disabled + linkerd.io/proxy-version: dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: . 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DISABLED + value: Identity is not yet available + image: gcr.io/linkerd-io/proxy:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer +status: {} +--- +### ### Controller ### --- @@ -134,7 +312,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - args: - destination 
@@ -255,7 +433,7 @@ metadata: linkerd.io/created-by: linkerd/cli dev-undefined data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false} --- diff --git a/cli/cmd/testdata/install_no_init_container_auto_inject.golden b/cli/cmd/testdata/install_no_init_container_auto_inject.golden index 80d159942..bad6d7709 100644 --- a/cli/cmd/testdata/install_no_init_container_auto_inject.golden +++ b/cli/cmd/testdata/install_no_init_container_auto_inject.golden 
@@ -7,6 +7,184 @@ metadata: linkerd.io/inject: disabled --- ### +### Identity Controller Service +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-linkerd-identity +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z +data: + crt.pem: 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 + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + name: linkerd-identity + namespace: 
linkerd +spec: + replicas: 1 + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: disabled + linkerd.io/proxy-version: dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: . 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DISABLED + value: Identity is not yet available + image: gcr.io/linkerd-io/proxy:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer +status: {} +--- +### ### Controller ### --- @@ -136,7 +314,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - args: - destination 
@@ -257,7 +435,7 @@ metadata: linkerd.io/created-by: linkerd/cli dev-undefined data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false} --- @@ -1019,7 +1197,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - env: - name: LINKERD2_PROXY_LOG diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 1e2fe58c1..f8f5efdc6 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden 
@@ -7,6 +7,209 @@ metadata: ProxyInjectAnnotation: ProxyInjectDisabled --- ### +### Identity Controller Service +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: Namespace +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-Namespace-identity +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: linkerd-Namespace-identity +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-Namespace-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: Namespace +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: Namespace + labels: + ControllerComponentLabel: identity + annotations: + CreatedByAnnotation: CliVersion +spec: + type: ClusterIP + selector: + ControllerComponentLabel: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: Namespace + labels: + ControllerComponentLabel: identity + annotations: + CreatedByAnnotation: CliVersion + linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z +data: + crt.pem: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + annotations: + CreatedByAnnotation: CliVersion + creationTimestamp: null + labels: + ControllerComponentLabel: identity + name: linkerd-identity + namespace: Namespace +spec: + replicas: 1 + strategy: {} + template: + metadata: + annotations: + CreatedByAnnotation: CliVersion + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: disabled + linkerd.io/proxy-version: dev-undefined + creationTimestamp: null + labels: + ControllerComponentLabel: identity + linkerd.io/control-plane-ns: Namespace + linkerd.io/proxy-deployment: linkerd-identity + spec: + containers: + - args: + - identity + - -log-level=ControllerLogLevel + image: ControllerImage + imagePullPolicy: ImagePullPolicy + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - 
containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.Namespace.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: . + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DISABLED + value: Identity is not yet available + image: gcr.io/linkerd-io/proxy:dev-undefined + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:dev-undefined + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + 
securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer +status: {} +--- +### ### Controller ### --- @@ -137,7 +340,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - args: - destination @@ -1120,7 +1323,7 @@ spec: securityContext: runAsUser: 2103 volumeMounts: - - mountPath: /var/linkerd-io/config + - mountPath: /var/run/linkerd/config name: config - env: - name: LINKERD2_PROXY_LOG diff --git a/cli/cmd/testdata/key.pem b/cli/cmd/testdata/key.pem new file mode 100644 index 000000000..c25b6f129 --- /dev/null +++ b/cli/cmd/testdata/key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIMIJymekYz+kkCLPkFlrUyAu/cHJYRTywfmAURKKRXdzoAoGCCqGSM49 +AwEHoUQDQgAEISg0CmJNBWLxJTsKt7+bz8As1YfqZFuTq2FnYo016NKVv70eQC3T +6tOpaj9xuKsXflU6ZkuiVRiihw+tV2isqw== +-----END EC PRIVATE KEY----- diff --git a/cli/cmd/testdata/trust-anchors.pem b/cli/cmd/testdata/trust-anchors.pem new file mode 100644 index 000000000..8fe36ec22 --- /dev/null +++ b/cli/cmd/testdata/trust-anchors.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy +LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE +AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 +xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 +6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE +AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv +OLO4Zsk1XrGZHGsmyiEyvYF9lpY= +-----END CERTIFICATE----- 
diff --git a/controller/cmd/identity/main.go b/controller/cmd/identity/main.go index ef9ce176a..198f57fc4 100644 --- a/controller/cmd/identity/main.go +++ b/controller/cmd/identity/main.go @@ -26,8 +26,8 @@ import ( // TODO watch issuerPath for changes // TODO restrict servicetoken audiences (and lifetimes) func main() { - addr := flag.String("addr", ":8083", "address to serve on") - adminAddr := flag.String("admin-addr", ":9996", "address of HTTP admin server") + addr := flag.String("addr", ":8080", "address to serve on") + adminAddr := flag.String("admin-addr", ":9990", "address of HTTP admin server") kubeConfigPath := flag.String("kubeconfig", "", "path to kube config") issuerPath := flag.String("issuer", "/var/run/linkerd/identity/issuer", diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go index f1e253e73..1ce760423 100644 --- a/pkg/k8s/labels.go +++ b/pkg/k8s/labels.go @@ -61,6 +61,10 @@ const ( // (e.g. linkerd/cli v2.0.0). CreatedByAnnotation = Prefix + "/created-by" + // IdentityIssuerExpiryAnnotation indicates the time at which this set of identity + // issuer credentials will cease to be valid. + IdentityIssuerExpiryAnnotation = "linkerd.io/identity-issuer-expiry" + // ProxyVersionAnnotation indicates the version of the injected data plane // (e.g. v0.1.3). ProxyVersionAnnotation = Prefix + "/proxy-version" diff --git a/pkg/tls/codec.go b/pkg/tls/codec.go index bd046777d..91cac1138 100644 --- a/pkg/tls/codec.go +++ b/pkg/tls/codec.go @@ -99,7 +99,7 @@ func DecodePEMCertPool(txt string) (pool *x509.CertPool, err error) { func decodeCertificatePEM(crtb []byte) (*x509.Certificate, []byte, error) { block, crtb := pem.Decode(crtb) if block == nil { - return nil, crtb, nil + return nil, crtb, errors.New("not a PEM certificate") } if block.Type != "CERTIFICATE" { return nil, nil, nil
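Review bot: The new defaults `:8080` and `:9990` are the only place the identity controller's ports are set, since the generated manifests in this diff (e.g. install_output.golden) start the container with just `identity` and `-log-level=...`, so the flag defaults must stay in step with the Service's `targetPort: 8080` and the `admin-http` probe port 9990 in those manifests. A comment on the two flag lines would make that coupling explicit, e.g. `// Defaults must match the grpc (8080) and admin-http (9990) container ports in the identity Deployment manifest.` main's body continues outside the hunk, so how these addresses are bound is not visible here.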
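Review bot: `IdentityIssuerExpiryAnnotation` is spelled out as the literal `"linkerd.io/identity-issuer-expiry"` while the neighbouring constants in the same block (`CreatedByAnnotation`, `ProxyVersionAnnotation`) are built from `Prefix`, so a later change to `Prefix` would silently leave this one behind. Prefer `IdentityIssuerExpiryAnnotation = Prefix + "/identity-issuer-expiry"`. The doc comment could also state the value format, since the golden output in this diff shows an RFC 3339 timestamp (`2029-02-28T02:03:52Z`), e.g. `// ... will cease to be valid, as an RFC 3339 timestamp.`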
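Review bot: The nil-block case now returns an error, but the `block.Type != "CERTIFICATE"` branch two lines below still returns `nil, nil, nil`, so a bundle containing some other block type (a key or CSR, for instance) is silently truncated at that point with neither a certificate nor an error and the remaining input dropped; a caller building a trust-anchor pool cannot distinguish that from a clean end of input. Make that branch report as well, e.g. `return nil, nil, errors.New("PEM block is not a CERTIFICATE")`, or at least return `crtb` so the caller can skip the block. The `errors` import for codec.go is not shown in this diff, so confirm it is already in scope. The loop in DecodePEMCertPool that presumably drives this helper lies outside the hunk, so whether it now treats the new error as end-of-input on trailing bytes is not visible here.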