Introduce ExternalWorkload CRD (#11805)

To support mesh expansion, the control plane needs to read configuration
associated with an external instance (i.e. a VM) for the purpose of
service and inbound authorization policy discovery.

This change introduces a new CRD that supports the required
configuration options. The resource supports:

* a list of workload IPs (with a generic format to support ipv4 now and ipv6
  in the future)
* a set of mesh TLS settings (SNI and identity)
* a set of ports exposed by the workload
* a set of status conditions

---------

Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
Matei David 2024-01-05 11:35:38 +00:00 committed by GitHub
parent cf2999df42
commit 31e1334f9e
5 changed files with 633 additions and 0 deletions


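--- a/linkerd-crds/templates/workload/external-workload.yaml
+++ b/linkerd-crds/templates/workload/external-workload.yaml
@@ -0,0 +1,157 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+name: externalworkloads.workload.linkerd.io
+annotations:
+{{ include "partials.annotations.created-by" . }}
+labels:
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+group: workload.linkerd.io
+names:
+categories:
+- external
+kind: ExternalWorkload
+listKind: ExternalWorkloadList
+plural: externalworkloads
+singular: externalworkload
+shortNames: []
+scope: Namespaced
+versions:
+- additionalPrinterColumns:
+- jsonPath: .spec.meshTls.identity
+name: Identity
+type: string
+- jsonPath: .metadata.creationTimestamp
+name: Age
+type: date
+name: v1alpha1
+served: true
+storage: true
+schema:
+openAPIV3Schema:
+description: >-
+An ExternalWorkload describes a single workload (i.e. a deployable unit) external
+to the cluster that should be enrolled in the mesh.
+type: object
+required: [spec]
+properties:
+apiVerson:
+type: string
+kind:
+type: string
+metadata:
+type: object
+spec:
+properties:
+meshTls:
+description: meshTls describes TLS settings associated with an
+external workload.
+properties:
+identity:
+type: string
+description: identity of the workload. Corresponds to the
+identity used in the workload's certificate. It is used
+by peers to perform verification in the mTLS handshake.
+minLength: 1
+maxLength: 253
+serverName:
+type: string
+description: serverName is the name of the workload in DNS
+format. It is used by the workload to terminate TLS using
+SNI.
+minLength: 1
+maxLength: 253
+type: object
+ports:
+type: array
+description: ports describes a list of ports exposed by the
+workload
+items:
+type: object
+properties:
+name:
+type: string
+description: name must be an IANA_SVC_NAME and unique
+within the ports set. Each named port can be referred
+to by services.
+port:
+format: int32
+maximum: 65535
+minimum: 1
+type: integer
+protocol:
+description: protocol exposed by the port. Must be UDP or
+TCP. Defaults to TCP.
+type: string
+default: "TCP"
+workloadIPs:
+type: array
+description: workloadIPs contains a list of IP addresses that
+can be used to send traffic to the workload.
+items:
+type: object
+properties:
+ip:
+type: string
+type: object
+required:
+- ports
+- workloadIPs
+status:
+type: object
+properties:
+conditions:
+type: array
+items:
+type: object
+properties:
+lastProbeTime:
+description: lastProbeTime is the last time the
+healthcheck endpoint was probed.
+format: date-time
+type: string
+lastTransitionTime:
+description: lastTransitionTime is the last time the
+condition transitioned from one status to another.
+format: date-time
+type: string
+status:
+description: status of the condition (one of True, False, Unknown)
+enum:
+- "True"
+- "False"
+- Unknown
+type: string
+type:
+description: type of the condition in CamelCase or in
+foo.example.com/CamelCase.
+maxLength: 316
+pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+type: string
+reason:
+description: reason contains a programmatic identifier
+indicating the reason for the condition's last
+transition. Producers of specific condition types may
+define expected values and meanings for this field, and
+whether the values are considered a guaranteed API. The
+value should be a CamelCase string. This field may not
+be empty.
+maxLength: 1024
+minLength: 1
+pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+type: string
+message:
+description: message is a human readable message
+indicating details about the transition. This may be an
+empty string.
+maxLength: 32768
+type: string
+required:
+- lastTransitionTime
+- status
+- type
+- reason
+- message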
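Review bot: The root property declared as `apiVerson:` is misspelled, so the schema advertises a stray `apiVerson` string field instead of `apiVersion`; change the key to `apiVersion:`. The same typo is carried into the three generated golden files in this commit, so regenerate them after fixing the template. Two constraints the descriptions state are not enforced by the schema: `ports[].protocol` says "Must be UDP or TCP" but has no enum, and the `workloadIPs` item neither requires `ip` nor gives it a minimum length, so an empty item is accepted; since these values drive service discovery and inbound authorization in the control plane, admission-time validation is the cheapest place to reject malformed input, so add `enum: ["TCP", "UDP"]` under `protocol` and `required: [ip]` plus `minLength: 1` on the `workloadIPs` item schema. Consider also `x-kubernetes-list-type: map` with `x-kubernetes-list-map-keys: [type]` on `status.conditions`, as the standard condition schema does, so that server-side apply merges conditions by type instead of replacing the whole list.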


@ -55,6 +55,7 @@ var (
"templates/policy/server.yaml",
"templates/serviceprofile.yaml",
"templates/gateway.networking.k8s.io_httproutes.yaml",
"templates/workload/external-workload.yaml",
}
templatesControlPlane = []string{

cli/cmd/testdata/install_crds.golden generated vendored

@ -10137,3 +10137,160 @@ status:
plural: ""
conditions: null
storedVersions: null
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalworkloads.workload.linkerd.io
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
helm.sh/chart: linkerd-crds-1.9.1-edge
linkerd.io/control-plane-ns: linkerd
spec:
group: workload.linkerd.io
names:
categories:
- external
kind: ExternalWorkload
listKind: ExternalWorkloadList
plural: externalworkloads
singular: externalworkload
shortNames: []
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.meshTls.identity
name: Identity
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
description: >-
An ExternalWorkload describes a single workload (i.e. a deployable unit) external
to the cluster that should be enrolled in the mesh.
type: object
required: [spec]
properties:
apiVerson:
type: string
kind:
type: string
metadata:
type: object
spec:
properties:
meshTls:
description: meshTls describes TLS settings associated with an
external workload.
properties:
identity:
type: string
description: identity of the workload. Corresponds to the
identity used in the workload's certificate. It is used
by peers to perform verification in the mTLS handshake.
minLength: 1
maxLength: 253
serverName:
type: string
description: serverName is the name of the workload in DNS
format. It is used by the workload to terminate TLS using
SNI.
minLength: 1
maxLength: 253
type: object
ports:
type: array
description: ports describes a list of ports exposed by the
workload
items:
type: object
properties:
name:
type: string
description: name must be an IANA_SVC_NAME and unique
within the ports set. Each named port can be referred
to by services.
port:
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: protocol exposed by the port. Must be UDP or
TCP. Defaults to TCP.
type: string
default: "TCP"
workloadIPs:
type: array
description: workloadIPs contains a list of IP addresses that
can be used to send traffic to the workload.
items:
type: object
properties:
ip:
type: string
type: object
required:
- ports
- workloadIPs
status:
type: object
properties:
conditions:
type: array
items:
type: object
properties:
lastProbeTime:
description: lastProbeTime is the last time the
healthcheck endpoint was probed.
format: date-time
type: string
lastTransitionTime:
description: lastTransitionTime is the last time the
condition transitioned from one status to another.
format: date-time
type: string
status:
description: status of the condition (one of True, False, Unknown)
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of the condition in CamelCase or in
foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last
transition. Producers of specific condition types may
define expected values and meanings for this field, and
whether the values are considered a guaranteed API. The
value should be a CamelCase string. This field may not
be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
message:
description: message is a human readable message
indicating details about the transition. This may be an
empty string.
maxLength: 32768
type: string
required:
- lastTransitionTime
- status
- type
- reason
- message


@ -10153,3 +10153,162 @@ status:
plural: ""
conditions: null
storedVersions: null
---
# Source: linkerd-crds/templates/workload/external-workload.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalworkloads.workload.linkerd.io
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
labels:
helm.sh/chart: linkerd-crds-
linkerd.io/control-plane-ns: linkerd-dev
spec:
group: workload.linkerd.io
names:
categories:
- external
kind: ExternalWorkload
listKind: ExternalWorkloadList
plural: externalworkloads
singular: externalworkload
shortNames: []
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.meshTls.identity
name: Identity
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
description: >-
An ExternalWorkload describes a single workload (i.e. a deployable unit) external
to the cluster that should be enrolled in the mesh.
type: object
required: [spec]
properties:
apiVerson:
type: string
kind:
type: string
metadata:
type: object
spec:
properties:
meshTls:
description: meshTls describes TLS settings associated with an
external workload.
properties:
identity:
type: string
description: identity of the workload. Corresponds to the
identity used in the workload's certificate. It is used
by peers to perform verification in the mTLS handshake.
minLength: 1
maxLength: 253
serverName:
type: string
description: serverName is the name of the workload in DNS
format. It is used by the workload to terminate TLS using
SNI.
minLength: 1
maxLength: 253
type: object
ports:
type: array
description: ports describes a list of ports exposed by the
workload
items:
type: object
properties:
name:
type: string
description: name must be an IANA_SVC_NAME and unique
within the ports set. Each named port can be referred
to by services.
port:
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: protocol exposed by the port. Must be UDP or
TCP. Defaults to TCP.
type: string
default: "TCP"
workloadIPs:
type: array
description: workloadIPs contains a list of IP addresses that
can be used to send traffic to the workload.
items:
type: object
properties:
ip:
type: string
type: object
required:
- ports
- workloadIPs
status:
type: object
properties:
conditions:
type: array
items:
type: object
properties:
lastProbeTime:
description: lastProbeTime is the last time the
healthcheck endpoint was probed.
format: date-time
type: string
lastTransitionTime:
description: lastTransitionTime is the last time the
condition transitioned from one status to another.
format: date-time
type: string
status:
description: status of the condition (one of True, False, Unknown)
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of the condition in CamelCase or in
foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last
transition. Producers of specific condition types may
define expected values and meanings for this field, and
whether the values are considered a guaranteed API. The
value should be a CamelCase string. This field may not
be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
message:
description: message is a human readable message
indicating details about the transition. This may be an
empty string.
maxLength: 32768
type: string
required:
- lastTransitionTime
- status
- type
- reason
- message


@ -10153,3 +10153,162 @@ status:
plural: ""
conditions: null
storedVersions: null
---
# Source: linkerd-crds/templates/workload/external-workload.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalworkloads.workload.linkerd.io
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
labels:
helm.sh/chart: linkerd-crds-
linkerd.io/control-plane-ns: linkerd-dev
spec:
group: workload.linkerd.io
names:
categories:
- external
kind: ExternalWorkload
listKind: ExternalWorkloadList
plural: externalworkloads
singular: externalworkload
shortNames: []
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.meshTls.identity
name: Identity
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
description: >-
An ExternalWorkload describes a single workload (i.e. a deployable unit) external
to the cluster that should be enrolled in the mesh.
type: object
required: [spec]
properties:
apiVerson:
type: string
kind:
type: string
metadata:
type: object
spec:
properties:
meshTls:
description: meshTls describes TLS settings associated with an
external workload.
properties:
identity:
type: string
description: identity of the workload. Corresponds to the
identity used in the workload's certificate. It is used
by peers to perform verification in the mTLS handshake.
minLength: 1
maxLength: 253
serverName:
type: string
description: serverName is the name of the workload in DNS
format. It is used by the workload to terminate TLS using
SNI.
minLength: 1
maxLength: 253
type: object
ports:
type: array
description: ports describes a list of ports exposed by the
workload
items:
type: object
properties:
name:
type: string
description: name must be an IANA_SVC_NAME and unique
within the ports set. Each named port can be referred
to by services.
port:
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
description: protocol exposed by the port. Must be UDP or
TCP. Defaults to TCP.
type: string
default: "TCP"
workloadIPs:
type: array
description: workloadIPs contains a list of IP addresses that
can be used to send traffic to the workload.
items:
type: object
properties:
ip:
type: string
type: object
required:
- ports
- workloadIPs
status:
type: object
properties:
conditions:
type: array
items:
type: object
properties:
lastProbeTime:
description: lastProbeTime is the last time the
healthcheck endpoint was probed.
format: date-time
type: string
lastTransitionTime:
description: lastTransitionTime is the last time the
condition transitioned from one status to another.
format: date-time
type: string
status:
description: status of the condition (one of True, False, Unknown)
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of the condition in CamelCase or in
foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
reason:
description: reason contains a programmatic identifier
indicating the reason for the condition's last
transition. Producers of specific condition types may
define expected values and meanings for this field, and
whether the values are considered a guaranteed API. The
value should be a CamelCase string. This field may not
be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
message:
description: message is a human readable message
indicating details about the transition. This may be an
empty string.
maxLength: 32768
type: string
required:
- lastTransitionTime
- status
- type
- reason
- message