linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

install: Introduce the Identity controller (#2526) 

https://github.com/linkerd/linkerd2/pull/2521 introduces an "Identity"
controller, but there is no way to include it in linkerd installation.

This change alters the `install` flow as follows:
- An Identity service is _always_ installed;
- Issuer credentials may be specified via the CLI;
- If no Issuer credentials are provided, they are generated each time `install` is called.
- Proxies are NOT configured to use the identity service.
- It's possible to override the credential generation logic---especially
  for tests---via install options that can be configured via the CLI.
This commit is contained in:
Oliver Gould 2019-03-19 17:04:11 -07:00 committed by GitHub
parent 91c5f07650
commit 0626fa374a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 1644 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
chart/templates/controller.yaml
View File

@ -104,7 +104,7 @@ spec:
containerPort: 9995
volumeMounts:
- name: config
mountPath: /var/linkerd-io/config
mountPath: /var/run/linkerd/config
image: {{.Values.ControllerImage}}
imagePullPolicy: {{.Values.ImagePullPolicy}}
args:

134
chart/templates/identity.yaml Normal file
View File

@ -0,0 +1,134 @@
{{with .Values -}}
{{if .Identity -}}
---
###
### Identity Controller Service
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: {{.Namespace}}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-{{.Namespace}}-identity
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-{{.Namespace}}-identity
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-{{.Namespace}}-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: {{.Namespace}}
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: {{.Namespace}}
labels:
{{.ControllerComponentLabel}}: identity
annotations:
{{.CreatedByAnnotation}}: {{.CliVersion}}
spec:
type: ClusterIP
selector:
{{.ControllerComponentLabel}}: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
{{- if .Identity.Issuer}}
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: {{.Namespace}}
labels:
{{.ControllerComponentLabel}}: identity
annotations:
{{.CreatedByAnnotation}}: {{.CliVersion}}
{{- if .Identity.Issuer.CrtExpiryAnnotation}}
{{.Identity.Issuer.CrtExpiryAnnotation}}: {{.Identity.Issuer.CrtExpiry}}
{{- end}}
data:
crt.pem: {{b64enc .Identity.Issuer.CrtPEM}}
key.pem: {{b64enc .Identity.Issuer.KeyPEM}}
{{- end}}
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: linkerd-identity
namespace: {{.Namespace}}
labels:
{{.ControllerComponentLabel}}: identity
annotations:
{{.CreatedByAnnotation}}: {{.CliVersion}}
spec:
replicas: {{.Identity.Replicas}}
template:
metadata:
labels:
{{.ControllerComponentLabel}}: identity
annotations:
{{.CreatedByAnnotation}}: {{.CliVersion}}
spec:
serviceAccountName: linkerd-identity
containers:
- name: identity
ports:
- name: grpc
containerPort: 8080
- name: admin-http
containerPort: 9990
image: {{.ControllerImage}}
imagePullPolicy: {{.ImagePullPolicy}}
args:
- "identity"
- "-log-level={{.ControllerLogLevel}}"
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 9990
failureThreshold: 7
{{- if .EnableHA }}
resources:
requests:
cpu: 10m
memory: 50Mi
{{- end }}
securityContext:
runAsUser: {{.ControllerUID}}
volumes:
- name: config
configMap:
name: linkerd-config
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
{{end -}}
{{end -}}

2
chart/templates/proxy_injector.yaml
View File

@ -40,7 +40,7 @@ spec:
containerPort: 8443
volumeMounts:
- name: config
mountPath: /var/linkerd-io/config
mountPath: /var/run/linkerd/config
livenessProbe:
httpGet:
path: /ping

345
cli/cmd/install.go
View File

@ -2,16 +2,21 @@ package cmd
import (
"bytes"
"errors"
"fmt"
"io"
"io/ioutil"
"os"
"path"
"time"
"github.com/golang/protobuf/jsonpb"
"github.com/golang/protobuf/ptypes"
"github.com/linkerd/linkerd2/cli/static"
"github.com/linkerd/linkerd2/controller/gen/config"
pb "github.com/linkerd/linkerd2/controller/gen/config"
"github.com/linkerd/linkerd2/pkg/k8s"
"github.com/linkerd/linkerd2/pkg/tls"
uuid "github.com/satori/go.uuid"
log "github.com/sirupsen/logrus"
"github.com/spf13/cobra"
@ -22,55 +27,93 @@ import (
"sigs.k8s.io/yaml"
)
type installConfig struct {
Namespace string
ControllerImage string
WebImage string
PrometheusImage string
PrometheusVolumeName string
GrafanaImage string
GrafanaVolumeName string
ControllerReplicas uint
ImagePullPolicy string
UUID string
CliVersion string
ControllerLogLevel string
PrometheusLogLevel string
ControllerComponentLabel string
CreatedByAnnotation string
ProxyContainerName string
ProxyAutoInjectEnabled bool
ProxyInjectAnnotation string
ProxyInjectDisabled string
EnableHA bool
ControllerUID int64
EnableH2Upgrade bool
NoInitContainer bool
GlobalConfig string
ProxyConfig string
}
type (
installConfig struct {
Namespace string
ControllerImage string
WebImage string
PrometheusImage string
PrometheusVolumeName string
GrafanaImage string
GrafanaVolumeName string
ControllerReplicas uint
ImagePullPolicy string
UUID string
CliVersion string
ControllerLogLevel string
PrometheusLogLevel string
ControllerComponentLabel string
CreatedByAnnotation string
ProxyContainerName string
ProxyAutoInjectEnabled bool
ProxyInjectAnnotation string
ProxyInjectDisabled string
EnableHA bool
ControllerUID int64
EnableH2Upgrade bool
NoInitContainer bool
GlobalConfig string
ProxyConfig string
// installOptions holds values for command line flags that apply to the install
// command. All fields in this struct should have corresponding flags added in
// the newCmdInstall func later in this file. It also embeds proxyConfigOptions
// in order to hold values for command line flags that apply to both inject and
// install.
type installOptions struct {
controllerReplicas uint
controllerLogLevel string
proxyAutoInject bool
highAvailability bool
controllerUID int64
disableH2Upgrade bool
*proxyConfigOptions
}
Identity *installIdentityConfig
}
installIdentityConfig struct {
Replicas uint
TrustDomain string
TrustAnchorsPEM string
Issuer *issuerConfig
}
issuerConfig struct {
ClockSkewAllowance string
IssuanceLifetime string
KeyPEM, CrtPEM string
CrtExpiry time.Time
CrtExpiryAnnotation string
}
// installOptions holds values for command line flags that apply to the install
// command. All fields in this struct should have corresponding flags added in
// the newCmdInstall func later in this file. It also embeds proxyConfigOptions
// in order to hold values for command line flags that apply to both inject and
// install.
installOptions struct {
controllerReplicas uint
controllerLogLevel string
proxyAutoInject bool
highAvailability bool
controllerUID int64
disableH2Upgrade bool
identityOptions *installIdentityOptions
*proxyConfigOptions
}
installIdentityOptions struct {
trustDomain string
issuanceLifetime time.Duration
clockSkewAllowance time.Duration
trustPEMFile, crtPEMFile, keyPEMFile string
}
)
const (
prometheusProxyOutboundCapacity = 10000
defaultControllerReplicas = 1
defaultHAControllerReplicas = 3
prometheusProxyOutboundCapacity = 10000
defaultControllerReplicas = 1
defaultHAControllerReplicas = 3
defaultIdentityTrustDomain = "cluster.local"
defaultIdentityIssuanceLifetime = 24 * time.Hour
defaultIdentityClockSkewAllowance = 20 * time.Second
nsTemplateName = "templates/namespace.yaml"
identityTemplateName = "templates/identity.yaml"
controllerTemplateName = "templates/controller.yaml"
webTemplateName = "templates/web.yaml"
prometheusTemplateName = "templates/prometheus.yaml"
@ -88,6 +131,11 @@ func newInstallOptions() *installOptions {
controllerUID: 2103,
disableH2Upgrade: false,
proxyConfigOptions: newProxyConfigOptions(),
identityOptions: &installIdentityOptions{
trustDomain: defaultIdentityTrustDomain,
issuanceLifetime: defaultIdentityIssuanceLifetime,
clockSkewAllowance: defaultIdentityClockSkewAllowance,
},
}
}
@ -99,6 +147,8 @@ func newCmdInstall() *cobra.Command {
Short: "Output Kubernetes configs to install Linkerd",
Long: "Output Kubernetes configs to install Linkerd.",
RunE: func(cmd *cobra.Command, args []string) error {
// TODO check with a config already exists in the API and fail if it does.
config, err := validateAndBuildConfig(options)
if err != nil {
return err
@ -109,12 +159,56 @@ func newCmdInstall() *cobra.Command {
}
addProxyConfigFlags(cmd, options.proxyConfigOptions)
cmd.PersistentFlags().UintVar(&options.controllerReplicas, "controller-replicas", options.controllerReplicas, "Replicas of the controller to deploy")
cmd.PersistentFlags().StringVar(&options.controllerLogLevel, "controller-log-level", options.controllerLogLevel, "Log level for the controller and web components")
cmd.PersistentFlags().BoolVar(&options.proxyAutoInject, "proxy-auto-inject", options.proxyAutoInject, "Enable proxy sidecar auto-injection via a webhook (default false)")
cmd.PersistentFlags().BoolVar(&options.highAvailability, "ha", options.highAvailability, "Experimental: Enable HA deployment config for the control plane (default false)")
cmd.PersistentFlags().Int64Var(&options.controllerUID, "controller-uid", options.controllerUID, "Run the control plane components under this user ID")
cmd.PersistentFlags().BoolVar(&options.disableH2Upgrade, "disable-h2-upgrade", options.disableH2Upgrade, "Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)")
cmd.PersistentFlags().UintVar(
&options.controllerReplicas, "controller-replicas", options.controllerReplicas,
"Replicas of the controller to deploy",
)
cmd.PersistentFlags().StringVar(
&options.controllerLogLevel, "controller-log-level", options.controllerLogLevel,
"Log level for the controller and web components",
)
cmd.PersistentFlags().BoolVar(
&options.proxyAutoInject, "proxy-auto-inject", options.proxyAutoInject,
"Enable proxy sidecar auto-injection via a webhook (default false)",
)
cmd.PersistentFlags().BoolVar(
&options.highAvailability, "ha", options.highAvailability,
"Experimental: Enable HA deployment config for the control plane (default false)",
)
cmd.PersistentFlags().Int64Var(
&options.controllerUID, "controller-uid", options.controllerUID,
"Run the control plane components under this user ID",
)
cmd.PersistentFlags().BoolVar(
&options.disableH2Upgrade, "disable-h2-upgrade", options.disableH2Upgrade,
"Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)",
)
cmd.PersistentFlags().StringVar(
&options.identityOptions.trustDomain, "identity-trust-domain", options.identityOptions.trustDomain,
"Configures the name suffix used for identities.",
)
cmd.PersistentFlags().StringVar(
&options.identityOptions.trustPEMFile, "identity-trust-anchors-file", options.identityOptions.trustPEMFile,
"A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)",
)
cmd.PersistentFlags().StringVar(
&options.identityOptions.crtPEMFile, "identity-issuer-certificate-file", options.identityOptions.crtPEMFile,
"A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default)",
)
cmd.PersistentFlags().StringVar(
&options.identityOptions.keyPEMFile, "identity-issuer-key-file", options.identityOptions.keyPEMFile,
"A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default)",
)
cmd.PersistentFlags().DurationVar(
&options.identityOptions.clockSkewAllowance, "identity-clock-skew-allowance", options.identityOptions.clockSkewAllowance,
"The amount of time to allow for clock skew within a Linkerd cluster",
)
cmd.PersistentFlags().DurationVar(
&options.identityOptions.issuanceLifetime, "identity-issuance-lifetime", options.identityOptions.issuanceLifetime,
"The amount of time for which the Identity issuer should certify identity",
)
return cmd
}
@ -135,8 +229,93 @@ func validateAndBuildConfig(options *installOptions) (*installConfig, error) {
options.proxyMemoryRequest = "20Mi"
}
var identity *installIdentityConfig
if idopts := options.identityOptions; idopts != nil {
trustDomain := idopts.trustDomain
if trustDomain == "" {
return nil, errors.New("Trust domain must be specified")
}
issuerName := fmt.Sprintf("identity.%s.%s", controlPlaneNamespace, trustDomain)
identityReplicas := uint(1)
if options.highAvailability {
identityReplicas = 3
}
// Load signing material from options...
if idopts.trustPEMFile != "" || idopts.crtPEMFile != "" || idopts.keyPEMFile != "" {
if idopts.trustPEMFile == "" {
return nil, errors.New("a trust anchors file must be specified if other credentials are provided")
}
if idopts.crtPEMFile == "" {
return nil, errors.New("a certificate file must be specified if other credentials are provided")
}
if idopts.keyPEMFile == "" {
return nil, errors.New("a private key file must be specified if other credentials are provided")
}
// Validate credentials...
creds, err := tls.ReadPEMCreds(idopts.keyPEMFile, idopts.crtPEMFile)
if err != nil {
return nil, err
}
trustb, err := ioutil.ReadFile(idopts.trustPEMFile)
if err != nil {
return nil, err
}
trustAnchorsPEM := string(trustb)
roots, err := tls.DecodePEMCertPool(trustAnchorsPEM)
if err != nil {
return nil, err
}
issuerName := "" // TODO restrict issuer name?
if err := creds.Verify(roots, issuerName); err != nil {
return nil, fmt.Errorf("Credentials cannot be validated: %s", err)
}
identity = &installIdentityConfig{
Replicas: identityReplicas,
TrustDomain: idopts.trustDomain,
TrustAnchorsPEM: trustAnchorsPEM,
Issuer: &issuerConfig{
ClockSkewAllowance: idopts.clockSkewAllowance.String(),
IssuanceLifetime: idopts.issuanceLifetime.String(),
CrtExpiryAnnotation: k8s.IdentityIssuerExpiryAnnotation,
KeyPEM: creds.EncodePrivateKeyPEM(),
CrtPEM: creds.EncodeCertificatePEM(),
CrtExpiry: creds.Crt.Certificate.NotAfter,
},
}
} else {
// Generate new signing material...
root, err := tls.GenerateRootCAWithDefaults(issuerName)
if err != nil {
return nil, fmt.Errorf("Failed to create root certificate for identity: %s", err)
}
identity = &installIdentityConfig{
Replicas: identityReplicas,
TrustDomain: trustDomain,
TrustAnchorsPEM: root.Cred.Crt.EncodeCertificatePEM(),
Issuer: &issuerConfig{
ClockSkewAllowance: idopts.clockSkewAllowance.String(),
IssuanceLifetime: idopts.issuanceLifetime.String(),
CrtExpiryAnnotation: k8s.IdentityIssuerExpiryAnnotation,
KeyPEM: root.Cred.EncodePrivateKeyPEM(),
CrtPEM: root.Cred.Crt.EncodeCertificatePEM(),
CrtExpiry: root.Cred.Crt.Certificate.NotAfter,
},
}
}
}
jsonMarshaler := jsonpb.Marshaler{EmitDefaults: true}
globalConfig, err := jsonMarshaler.MarshalToString(globalConfig(options))
globalConfig, err := jsonMarshaler.MarshalToString(globalConfig(options, identity))
if err != nil {
return nil, err
}
@ -177,6 +356,7 @@ func validateAndBuildConfig(options *installOptions) (*installConfig, error) {
NoInitContainer: options.noInitContainer,
GlobalConfig: globalConfig,
ProxyConfig: proxyConfig,
Identity: identity,
}, nil
}
@ -191,6 +371,7 @@ func render(config installConfig, w io.Writer, options *installOptions) error {
files := []*chartutil.BufferedFile{
{Name: chartutil.ChartfileName},
{Name: nsTemplateName},
{Name: identityTemplateName},
{Name: controllerTemplateName},
{Name: serviceprofileTemplateName},
{Name: webTemplateName},
@ -251,6 +432,11 @@ func render(config installConfig, w io.Writer, options *installOptions) error {
// TODO: Fetch GlobalConfig and ProxyConfig from the ConfigMap/API
pbConfig := injectOptionsToConfigs(injectOptions)
// injectOptionsToConfigs does NOT set an identity context if none exists,
// since it can't be enabled at inject-time if it's not enabled at
// install-time.
pbConfig.global.IdentityContext = config.Identity.toIdentityContext()
return processYAML(&buf, w, ioutil.Discard, resourceTransformerInject{
configs: pbConfig,
proxyOutboundCapacity: map[string]uint{
@ -280,61 +466,82 @@ func readIntoBytes(filename string) ([]byte, error) {
return buf.Bytes(), nil
}
func globalConfig(options *installOptions) *config.Global {
var identityContext *config.IdentityContext
return &config.Global{
func globalConfig(options *installOptions, id *installIdentityConfig) *pb.Global {
return &pb.Global{
LinkerdNamespace: controlPlaneNamespace,
CniEnabled: options.noInitContainer,
Version: options.linkerdVersion,
IdentityContext: identityContext,
IdentityContext: id.toIdentityContext(),
}
}
func proxyConfig(options *installOptions) *config.Proxy {
ignoreInboundPorts := []*config.Port{}
func proxyConfig(options *installOptions) *pb.Proxy {
ignoreInboundPorts := []*pb.Port{}
for _, port := range options.ignoreInboundPorts {
ignoreInboundPorts = append(ignoreInboundPorts, &config.Port{Port: uint32(port)})
ignoreInboundPorts = append(ignoreInboundPorts, &pb.Port{Port: uint32(port)})
}
ignoreOutboundPorts := []*config.Port{}
ignoreOutboundPorts := []*pb.Port{}
for _, port := range options.ignoreOutboundPorts {
ignoreOutboundPorts = append(ignoreOutboundPorts, &config.Port{Port: uint32(port)})
ignoreOutboundPorts = append(ignoreOutboundPorts, &pb.Port{Port: uint32(port)})
}
return &config.Proxy{
ProxyImage: &config.Image{
return &pb.Proxy{
ProxyImage: &pb.Image{
ImageName: registryOverride(options.proxyImage, options.dockerRegistry),
PullPolicy: options.imagePullPolicy,
},
ProxyInitImage: &config.Image{
ProxyInitImage: &pb.Image{
ImageName: registryOverride(options.initImage, options.dockerRegistry),
PullPolicy: options.imagePullPolicy,
},
ControlPort: &config.Port{
ControlPort: &pb.Port{
Port: uint32(options.proxyControlPort),
},
IgnoreInboundPorts: ignoreInboundPorts,
IgnoreOutboundPorts: ignoreOutboundPorts,
InboundPort: &config.Port{
InboundPort: &pb.Port{
Port: uint32(options.inboundPort),
},
AdminPort: &config.Port{
Port: uint32(options.proxyAdminPort),
},
OutboundPort: &config.Port{
OutboundPort: &pb.Port{
Port: uint32(options.outboundPort),
},
Resource: &config.ResourceRequirements{
Resource: &pb.ResourceRequirements{
RequestCpu: options.proxyCPURequest,
RequestMemory: options.proxyMemoryRequest,
LimitCpu: options.proxyCPULimit,
LimitMemory: options.proxyMemoryLimit,
},
ProxyUid: options.proxyUID,
LogLevel: &config.LogLevel{
LogLevel: &pb.LogLevel{
Level: options.proxyLogLevel,
},
DisableExternalProfiles: options.disableExternalProfiles,
}
}
func (id *installIdentityConfig) toIdentityContext() *pb.IdentityContext {
if id == nil {
return nil
}
il, err := time.ParseDuration(id.Issuer.IssuanceLifetime)
if err != nil {
il = defaultIdentityIssuanceLifetime
}
csa, err := time.ParseDuration(id.Issuer.ClockSkewAllowance)
if err != nil {
csa = defaultIdentityClockSkewAllowance
}
return &pb.IdentityContext{
TrustDomain: id.TrustDomain,
TrustAnchorsPem: id.TrustAnchorsPEM,
IssuanceLifetime: ptypes.DurationProto(il),
ClockSkewAllowance: ptypes.DurationProto(csa),
}
}

10
cli/cmd/install_test.go
View File

@ -3,6 +3,7 @@ package cmd
import (
"bytes"
"fmt"
"path/filepath"
"testing"
)
@ -11,6 +12,10 @@ func TestRender(t *testing.T) {
// value to facilitate testing.
defaultControlPlaneNamespace := controlPlaneNamespace
defaultOptions := newInstallOptions()
defaultOptions.identityOptions.crtPEMFile = filepath.Join("testdata", "crt.pem")
defaultOptions.identityOptions.keyPEMFile = filepath.Join("testdata", "key.pem")
defaultOptions.identityOptions.trustPEMFile = filepath.Join("testdata", "trust-anchors.pem")
defaultConfig, err := validateAndBuildConfig(defaultOptions)
if err != nil {
t.Fatalf("Unexpected error from validateAndBuildConfig(): %v", err)
@ -45,14 +50,17 @@ func TestRender(t *testing.T) {
NoInitContainer: false,
GlobalConfig: "GlobalConfig",
ProxyConfig: "ProxyConfig",
Identity: defaultConfig.Identity,
}
haOptions := newInstallOptions()
haOptions.highAvailability = true
*haOptions.identityOptions = *defaultOptions.identityOptions
haConfig, _ := validateAndBuildConfig(haOptions)
haConfig.UUID = defaultConfig.UUID
haWithOverridesOptions := newInstallOptions()
*haWithOverridesOptions.identityOptions = *defaultOptions.identityOptions
haWithOverridesOptions.highAvailability = true
haWithOverridesOptions.controllerReplicas = 2
haWithOverridesOptions.proxyCPURequest = "400m"
@ -61,11 +69,13 @@ func TestRender(t *testing.T) {
haWithOverridesConfig.UUID = defaultConfig.UUID
noInitContainerOptions := newInstallOptions()
*noInitContainerOptions.identityOptions = *defaultOptions.identityOptions
noInitContainerOptions.noInitContainer = true
noInitContainerConfig, _ := validateAndBuildConfig(noInitContainerOptions)
noInitContainerConfig.UUID = defaultConfig.UUID
noInitContainerWithProxyAutoInjectOptions := newInstallOptions()
*noInitContainerWithProxyAutoInjectOptions.identityOptions = *defaultOptions.identityOptions
noInitContainerWithProxyAutoInjectOptions.noInitContainer = true
noInitContainerWithProxyAutoInjectOptions.proxyAutoInject = true
noInitContainerWithProxyAutoInjectConfig, _ := validateAndBuildConfig(noInitContainerWithProxyAutoInjectOptions)

10
cli/cmd/testdata/crt.pem vendored Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN CERTIFICATE-----
MIIBcjCCARigAwIBAgIBAjAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy
LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowKTEnMCUGA1UE
AxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEISg0CmJNBWLxJTsKt7+bz8As1YfqZFuTq2FnYo016NKVv70e
QC3T6tOpaj9xuKsXflU6ZkuiVRiihw+tV2isq6NCMEAwDgYDVR0PAQH/BAQDAgEG
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/
MAoGCCqGSM49BAMCA0gAMEUCIF+aM0Bw2PdMFDq/KtaBQvHdAYaUPVx8vf3jn+M4
AaD4AiEA9HBdjyWyiKeKxlA8CoOvUAwI95xc6XUMoDxRSXjnpXg=
-----END CERTIFICATE-----

206
cli/cmd/testdata/install_default.golden vendored
View File

@ -5,6 +5,208 @@ metadata:
name: linkerd
---
###
### Identity Controller Service
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
name: linkerd-identity
namespace: linkerd
spec:
replicas: 1
strategy: {}
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: disabled
linkerd.io/proxy-version: dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
containers:
- args:
- identity
- -log-level=info
image: gcr.io/linkerd-io/controller:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
resources: {}
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: warn,linkerd2_proxy=info
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-destination.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: .
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: ns:$(_pod_ns)
- name: LINKERD2_PROXY_IDENTITY_DISABLED
value: Identity is not yet available
image: gcr.io/linkerd-io/proxy:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /metrics
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources: {}
securityContext:
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:dev-undefined
imagePullPolicy: IfNotPresent
name: linkerd-init
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
serviceAccountName: linkerd-identity
volumes:
- configMap:
name: linkerd-config
name: config
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
status: {}
---
###
### Controller
###
---
@ -134,7 +336,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- args:
- destination
@ -279,7 +481,7 @@ metadata:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":null}
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false}
---

212
cli/cmd/testdata/install_ha_output.golden vendored
View File

@ -5,6 +5,214 @@ metadata:
name: linkerd
---
###
### Identity Controller Service
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
name: linkerd-identity
namespace: linkerd
spec:
replicas: 3
strategy: {}
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: disabled
linkerd.io/proxy-version: dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
containers:
- args:
- identity
- -log-level=info
image: gcr.io/linkerd-io/controller:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
resources:
requests:
cpu: 10m
memory: 50Mi
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: warn,linkerd2_proxy=info
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-destination.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: .
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: ns:$(_pod_ns)
- name: LINKERD2_PROXY_IDENTITY_DISABLED
value: Identity is not yet available
image: gcr.io/linkerd-io/proxy:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /metrics
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
requests:
cpu: 10m
memory: 20Mi
securityContext:
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:dev-undefined
imagePullPolicy: IfNotPresent
name: linkerd-init
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
serviceAccountName: linkerd-identity
volumes:
- configMap:
name: linkerd-config
name: config
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
status: {}
---
###
### Controller
###
---
@ -137,7 +345,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- args:
- destination
@ -291,7 +499,7 @@ metadata:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":null}
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"10m","requestMemory":"20Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false}
---

212
cli/cmd/testdata/install_ha_with_overrides_output.golden vendored
View File

@ -5,6 +5,214 @@ metadata:
name: linkerd
---
###
### Identity Controller Service
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
name: linkerd-identity
namespace: linkerd
spec:
replicas: 3
strategy: {}
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: disabled
linkerd.io/proxy-version: dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
containers:
- args:
- identity
- -log-level=info
image: gcr.io/linkerd-io/controller:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
resources:
requests:
cpu: 10m
memory: 50Mi
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: warn,linkerd2_proxy=info
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-destination.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: .
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: ns:$(_pod_ns)
- name: LINKERD2_PROXY_IDENTITY_DISABLED
value: Identity is not yet available
image: gcr.io/linkerd-io/proxy:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /metrics
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
requests:
cpu: 400m
memory: 300Mi
securityContext:
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:dev-undefined
imagePullPolicy: IfNotPresent
name: linkerd-init
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
serviceAccountName: linkerd-identity
volumes:
- configMap:
name: linkerd-config
name: config
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
status: {}
---
###
### Controller
###
---
@ -137,7 +345,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- args:
- destination
@ -291,7 +499,7 @@ metadata:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":null}
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"400m","requestMemory":"300Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false}
---

182
cli/cmd/testdata/install_no_init_container.golden vendored
View File

@ -5,6 +5,184 @@ metadata:
name: linkerd
---
###
### Identity Controller Service
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
name: linkerd-identity
namespace: linkerd
spec:
replicas: 1
strategy: {}
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: disabled
linkerd.io/proxy-version: dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
containers:
- args:
- identity
- -log-level=info
image: gcr.io/linkerd-io/controller:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
resources: {}
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: warn,linkerd2_proxy=info
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-destination.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: .
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: ns:$(_pod_ns)
- name: LINKERD2_PROXY_IDENTITY_DISABLED
value: Identity is not yet available
image: gcr.io/linkerd-io/proxy:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /metrics
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources: {}
securityContext:
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
serviceAccountName: linkerd-identity
volumes:
- configMap:
name: linkerd-config
name: config
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
status: {}
---
###
### Controller
###
---
@ -134,7 +312,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- args:
- destination
@ -255,7 +433,7 @@ metadata:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":null}
{"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false}
---

184
cli/cmd/testdata/install_no_init_container_auto_inject.golden vendored
View File

@ -7,6 +7,184 @@ metadata:
linkerd.io/inject: disabled
---
###
### Identity Controller Service
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-linkerd-identity
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
name: linkerd-identity
namespace: linkerd
spec:
replicas: 1
strategy: {}
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: disabled
linkerd.io/proxy-version: dev-undefined
creationTimestamp: null
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
containers:
- args:
- identity
- -log-level=info
image: gcr.io/linkerd-io/controller:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
resources: {}
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: warn,linkerd2_proxy=info
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-destination.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: .
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: ns:$(_pod_ns)
- name: LINKERD2_PROXY_IDENTITY_DISABLED
value: Identity is not yet available
image: gcr.io/linkerd-io/proxy:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /metrics
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources: {}
securityContext:
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
serviceAccountName: linkerd-identity
volumes:
- configMap:
name: linkerd-config
name: config
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
status: {}
---
###
### Controller
###
---
@ -136,7 +314,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- args:
- destination
@ -257,7 +435,7 @@ metadata:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":null}
{"linkerdNamespace":"linkerd","cniEnabled":true,"version":"dev-undefined","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":false}
---
@ -1019,7 +1197,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- env:
- name: LINKERD2_PROXY_LOG

207
cli/cmd/testdata/install_output.golden vendored
View File

@ -7,6 +7,209 @@ metadata:
ProxyInjectAnnotation: ProxyInjectDisabled
---
###
### Identity Controller Service
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: Namespace
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-Namespace-identity
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: linkerd-Namespace-identity
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-Namespace-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: Namespace
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: Namespace
labels:
ControllerComponentLabel: identity
annotations:
CreatedByAnnotation: CliVersion
spec:
type: ClusterIP
selector:
ControllerComponentLabel: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: Namespace
labels:
ControllerComponentLabel: identity
annotations:
CreatedByAnnotation: CliVersion
linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
CreatedByAnnotation: CliVersion
creationTimestamp: null
labels:
ControllerComponentLabel: identity
name: linkerd-identity
namespace: Namespace
spec:
replicas: 1
strategy: {}
template:
metadata:
annotations:
CreatedByAnnotation: CliVersion
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: disabled
linkerd.io/proxy-version: dev-undefined
creationTimestamp: null
labels:
ControllerComponentLabel: identity
linkerd.io/control-plane-ns: Namespace
linkerd.io/proxy-deployment: linkerd-identity
spec:
containers:
- args:
- identity
- -log-level=ControllerLogLevel
image: ControllerImage
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
resources: {}
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: warn,linkerd2_proxy=info
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-destination.Namespace.svc.cluster.local:8086
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: .
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: ns:$(_pod_ns)
- name: LINKERD2_PROXY_IDENTITY_DISABLED
value: Identity is not yet available
image: gcr.io/linkerd-io/proxy:dev-undefined
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /metrics
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources: {}
securityContext:
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:dev-undefined
imagePullPolicy: IfNotPresent
name: linkerd-init
resources: {}
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
serviceAccountName: linkerd-identity
volumes:
- configMap:
name: linkerd-config
name: config
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
status: {}
---
###
### Controller
###
---
@ -137,7 +340,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- args:
- destination
@ -1120,7 +1323,7 @@ spec:
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/linkerd-io/config
- mountPath: /var/run/linkerd/config
name: config
- env:
- name: LINKERD2_PROXY_LOG

5
cli/cmd/testdata/key.pem vendored Normal file
View File

@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMIJymekYz+kkCLPkFlrUyAu/cHJYRTywfmAURKKRXdzoAoGCCqGSM49
AwEHoUQDQgAEISg0CmJNBWLxJTsKt7+bz8As1YfqZFuTq2FnYo016NKVv70eQC3T
6tOpaj9xuKsXflU6ZkuiVRiihw+tV2isqw==
-----END EC PRIVATE KEY-----

10
cli/cmd/testdata/trust-anchors.pem vendored Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN CERTIFICATE-----
MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy
LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE
AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0
xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364
6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE
AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv
OLO4Zsk1XrGZHGsmyiEyvYF9lpY=
-----END CERTIFICATE-----

4
controller/cmd/identity/main.go
View File

@ -26,8 +26,8 @@ import (
// TODO watch issuerPath for changes
// TODO restrict servicetoken audiences (and lifetimes)
func main() {
addr := flag.String("addr", ":8083", "address to serve on")
adminAddr := flag.String("admin-addr", ":9996", "address of HTTP admin server")
addr := flag.String("addr", ":8080", "address to serve on")
adminAddr := flag.String("admin-addr", ":9990", "address of HTTP admin server")
kubeConfigPath := flag.String("kubeconfig", "", "path to kube config")
issuerPath := flag.String("issuer",
"/var/run/linkerd/identity/issuer",

4
pkg/k8s/labels.go
View File

@ -61,6 +61,10 @@ const (
// (e.g. linkerd/cli v2.0.0).
CreatedByAnnotation = Prefix + "/created-by"
// IdentityIssuerExpiryAnnotation indicates the time at which this set of identity
// issuer credentials will cease to be valid.
IdentityIssuerExpiryAnnotation = "linkerd.io/identity-issuer-expiry"
// ProxyVersionAnnotation indicates the version of the injected data plane
// (e.g. v0.1.3).
ProxyVersionAnnotation = Prefix + "/proxy-version"

2
pkg/tls/codec.go
View File

@ -99,7 +99,7 @@ func DecodePEMCertPool(txt string) (pool *x509.CertPool, err error) {
func decodeCertificatePEM(crtb []byte) (*x509.Certificate, []byte, error) {
block, crtb := pem.Decode(crtb)
if block == nil {
return nil, crtb, nil
return nil, crtb, errors.New("not a PEM certificate")
}
if block.Type != "CERTIFICATE" {
return nil, nil, nil