diff --git a/bin/test-run b/bin/test-run index e12df2643..d3db03dad 100755 --- a/bin/test-run +++ b/bin/test-run @@ -63,7 +63,7 @@ function run_upgrade_test() { install_edge $edge_namespace printf "Upgrading release [%s] to [%s]\n" "$edge_version" "$linkerd_version" - run_test "$test_directory/install_test.go" --upgrade-from-version=$edge_version --linkerd-namespace=$edge_namespace --proxy-auto-inject || exit_code=$? + run_test "$test_directory/install_test.go" --upgrade-from-version=$edge_version --linkerd-namespace=$edge_namespace || exit_code=$? } linkerd_path=$1 diff --git a/chart/templates/namespace.yaml b/chart/templates/namespace.yaml index 7686ec7a9..689bdcd58 100644 --- a/chart/templates/namespace.yaml +++ b/chart/templates/namespace.yaml @@ -8,8 +8,6 @@ kind: Namespace apiVersion: v1 metadata: name: {{.Namespace}} - {{- if .ProxyAutoInjectEnabled }} annotations: {{.ProxyInjectAnnotation}}: {{.ProxyInjectDisabled}} - {{- end }} {{end -}} diff --git a/chart/templates/proxy_injector-rbac.yaml b/chart/templates/proxy_injector-rbac.yaml index 201f1d886..799fca38d 100644 --- a/chart/templates/proxy_injector-rbac.yaml +++ b/chart/templates/proxy_injector-rbac.yaml @@ -1,5 +1,4 @@ {{with .Values -}} -{{if .ProxyAutoInjectEnabled -}} --- ### ### Proxy Injector RBAC @@ -43,4 +42,3 @@ roleRef: name: linkerd-{{.Namespace}}-proxy-injector apiGroup: rbac.authorization.k8s.io {{end -}} -{{end -}} diff --git a/chart/templates/proxy_injector.yaml b/chart/templates/proxy_injector.yaml index b80eca94f..351a871c3 100644 --- a/chart/templates/proxy_injector.yaml +++ b/chart/templates/proxy_injector.yaml @@ -1,5 +1,4 @@ {{with .Values -}} -{{if .ProxyAutoInjectEnabled -}} --- ### ### Proxy Injector @@ -78,6 +77,4 @@ spec: - name: proxy-injector port: 443 targetPort: proxy-injector ---- -{{end -}} {{end -}} diff --git a/cli/cmd/install.go b/cli/cmd/install.go index d52460a62..fb5a8bc05 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -9,6 +9,7 @@ import ( "io/ioutil" "os" "path" + "strings" "time" "github.com/golang/protobuf/ptypes" @@ -52,7 +53,6 @@ type ( ControllerComponentLabel string CreatedByAnnotation string ProxyContainerName string - ProxyAutoInjectEnabled bool ProxyInjectAnnotation string ProxyInjectDisabled string ControllerUID int64 @@ -108,7 +108,6 @@ type ( controlPlaneVersion string controllerReplicas uint controllerLogLevel string - proxyAutoInject bool highAvailability bool controllerUID int64 disableH2Upgrade bool @@ -158,7 +157,6 @@ func newInstallOptionsWithDefaults() *installOptions { controlPlaneVersion: version.Version, controllerReplicas: defaultControllerReplicas, controllerLogLevel: "info", - proxyAutoInject: false, highAvailability: false, controllerUID: 2103, disableH2Upgrade: false, @@ -308,10 +306,6 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet { &options.controllerLogLevel, "controller-log-level", options.controllerLogLevel, "Log level for the controller and web components", ) - flags.BoolVar( - &options.proxyAutoInject, "proxy-auto-inject", options.proxyAutoInject, - "Enable proxy sidecar auto-injection via a webhook (default false)", - ) flags.BoolVar( &options.highAvailability, "ha", options.highAvailability, "Experimental: Enable HA deployment config for the control plane (default false)", @@ -456,15 +450,14 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins ProxyInjectDisabled: k8s.ProxyInjectDisabled, // Controller configuration: - Namespace: controlPlaneNamespace, - UUID: configs.GetInstall().GetUuid(), - ControllerReplicas: options.controllerReplicas, - ControllerLogLevel: options.controllerLogLevel, - ControllerUID: options.controllerUID, - EnableH2Upgrade: !options.disableH2Upgrade, - NoInitContainer: options.noInitContainer, - ProxyAutoInjectEnabled: options.proxyAutoInject, - PrometheusLogLevel: toPromLogLevel(options.controllerLogLevel), + Namespace: controlPlaneNamespace, + UUID: configs.GetInstall().GetUuid(), + ControllerReplicas: options.controllerReplicas, + ControllerLogLevel: options.controllerLogLevel, + ControllerUID: options.controllerUID, + EnableH2Upgrade: !options.disableH2Upgrade, + NoInitContainer: options.noInitContainer, + PrometheusLogLevel: toPromLogLevel(options.controllerLogLevel), Configs: configJSONs{ Global: globalJSON, @@ -635,17 +628,11 @@ func (options *installOptions) configs(identity *pb.IdentityContext) *pb.All { } func (options *installOptions) globalConfig(identity *pb.IdentityContext) *pb.Global { - var autoInjectContext *pb.AutoInjectContext - if options.proxyAutoInject { - autoInjectContext = &pb.AutoInjectContext{} - } - return &pb.Global{ - LinkerdNamespace: controlPlaneNamespace, - AutoInjectContext: autoInjectContext, - CniEnabled: options.noInitContainer, - Version: options.controlPlaneVersion, - IdentityContext: identity, + LinkerdNamespace: controlPlaneNamespace, + CniEnabled: options.noInitContainer, + Version: options.controlPlaneVersion, + IdentityContext: identity, } } @@ -933,18 +920,14 @@ func validateArgs(args []string, flags *pflag.FlagSet, installOnlyFlags *pflag.F combinedFlags.AddFlagSet(flags) combinedFlags.AddFlagSet(installOnlyFlags) - var err error + invalidFlags := make([]string, 0) combinedFlags.VisitAll(func(f *pflag.Flag) { if f.Changed { - switch f.Name { - // TODO: remove "proxy-auto-inject" when it becomes default - case "proxy-auto-inject": - default: - err = fmt.Errorf("flag not available for config stage: --%s", f.Name) - } + invalidFlags = append(invalidFlags, f.Name) } }) - if err != nil { + if len(invalidFlags) > 0 { + err := fmt.Errorf("flags not available for config stage: --%s", strings.Join(invalidFlags, ", --")) return "", err } } diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 0ee08fc1f..7f52a384b 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -45,7 +45,6 @@ func TestRender(t *testing.T) { ControllerComponentLabel: "ControllerComponentLabel", CreatedByAnnotation: "CreatedByAnnotation", ProxyContainerName: "ProxyContainerName", - ProxyAutoInjectEnabled: true, ProxyInjectAnnotation: "ProxyInjectAnnotation", ProxyInjectDisabled: "ProxyInjectDisabled", ControllerUID: 2103, @@ -83,15 +82,6 @@ func TestRender(t *testing.T) { noInitContainerOptions.noInitContainer = true noInitContainerValues, noInitContainerConfig, _ := noInitContainerOptions.validateAndBuild("", nil) - noInitContainerWithProxyAutoInjectOptions := testInstallOptions() - noInitContainerWithProxyAutoInjectOptions.recordedFlags = []*config.Install_Flag{ - {Name: "linkerd-cni-enabled", Value: "true"}, - {Name: "proxy-auto-inject", Value: "true"}, - } - noInitContainerWithProxyAutoInjectOptions.noInitContainer = true - noInitContainerWithProxyAutoInjectOptions.proxyAutoInject = true - noInitContainerWithProxyAutoInjectValues, noInitContainerWithProxyAutoInjectConfig, _ := noInitContainerWithProxyAutoInjectOptions.validateAndBuild("", nil) - testCases := []struct { values *installValues configs *config.All @@ -104,7 +94,6 @@ func TestRender(t *testing.T) { {haValues, haConfig, "install_ha_output.golden"}, {haWithOverridesValues, haWithOverridesConfig, "install_ha_with_overrides_output.golden"}, {noInitContainerValues, noInitContainerConfig, "install_no_init_container.golden"}, - {noInitContainerWithProxyAutoInjectValues, noInitContainerWithProxyAutoInjectConfig, "install_no_init_container_auto_inject.golden"}, } for i, tc := range testCases { diff --git a/cli/cmd/testdata/install_config.golden b/cli/cmd/testdata/install_config.golden index 39f31fb07..213112f02 100644 --- a/cli/cmd/testdata/install_config.golden +++ b/cli/cmd/testdata/install_config.golden @@ -7,6 +7,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd + annotations: + linkerd.io/inject: disabled --- ### ### Identity Controller Service RBAC @@ -135,6 +137,48 @@ subjects: namespace: linkerd --- ### +### Proxy Injector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["create", "get", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +### ### Service Profile Validator RBAC ### --- diff --git a/cli/cmd/testdata/install_control-plane.golden b/cli/cmd/testdata/install_control-plane.golden index 29eac239f..04d079932 100644 --- a/cli/cmd/testdata/install_control-plane.golden +++ b/cli/cmd/testdata/install_control-plane.golden @@ -1245,6 +1245,199 @@ spec: status: {} --- ### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + containers: + - args: + - proxy-injector + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:install-control-plane-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +status: {} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### ### Service Profile Validator ### --- diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index ed7fee010..c049a2fdf 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -7,6 +7,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd + annotations: + linkerd.io/inject: disabled --- ### ### Identity Controller Service RBAC @@ -135,6 +137,48 @@ subjects: namespace: linkerd --- ### +### Proxy Injector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["create", "get", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +### ### Service Profile Validator RBAC ### --- @@ -1416,6 +1460,199 @@ spec: status: {} --- ### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + containers: + - args: + - proxy-injector + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:install-control-plane-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +status: {} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### ### Service Profile Validator ### --- diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index f4b21104f..50306d4b6 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -7,6 +7,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd + annotations: + linkerd.io/inject: disabled --- ### ### Identity Controller Service RBAC @@ -135,6 +137,48 @@ subjects: namespace: linkerd --- ### +### Proxy Injector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["create", "get", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +### ### Service Profile Validator RBAC ### --- @@ -1452,6 +1496,205 @@ spec: status: {} --- ### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + containers: + - args: + - proxy-injector + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: + requests: + cpu: 100m + memory: 50Mi + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + requests: + cpu: 100m + memory: 20Mi + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:install-control-plane-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +status: {} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### ### Service Profile Validator ### --- diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 7965e2016..c415b90f5 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -7,6 +7,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd + annotations: + linkerd.io/inject: disabled --- ### ### Identity Controller Service RBAC @@ -135,6 +137,48 @@ subjects: namespace: linkerd --- ### +### Proxy Injector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["create", "get", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +### ### Service Profile Validator RBAC ### --- @@ -1452,6 +1496,205 @@ spec: status: {} --- ### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + containers: + - args: + - proxy-injector + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: + requests: + cpu: 100m + memory: 50Mi + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + requests: + cpu: 400m + memory: 300Mi + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:install-control-plane-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +status: {} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### ### Service Profile Validator ### --- diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index cc91be02d..b9f969976 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -7,6 +7,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd + annotations: + linkerd.io/inject: disabled --- ### ### Identity Controller Service RBAC @@ -135,6 +137,48 @@ subjects: namespace: linkerd --- ### +### Proxy Injector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["create", "get", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +### ### Service Profile Validator RBAC ### --- @@ -1296,6 +1340,175 @@ spec: status: {} --- ### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + containers: + - args: + - proxy-injector + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +status: {} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### ### Service Profile Validator ### --- diff --git a/cli/cmd/testdata/install_no_init_container_auto_inject.golden b/cli/cmd/testdata/install_no_init_container_auto_inject.golden deleted file mode 100644 index 9e41274ef..000000000 --- a/cli/cmd/testdata/install_no_init_container_auto_inject.golden +++ /dev/null @@ -1,1677 +0,0 @@ ---- -### -### Linkerd Namespace -### ---- -kind: Namespace -apiVersion: v1 -metadata: - name: linkerd - annotations: - linkerd.io/inject: disabled ---- -### -### Identity Controller Service RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: linkerd-linkerd-identity -rules: -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: linkerd-linkerd-identity -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-identity -subjects: -- kind: ServiceAccount - name: linkerd-identity - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd ---- -### -### Controller RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: linkerd-linkerd-controller -rules: -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["jobs"] - verbs: ["list" , "get", "watch"] -- apiGroups: [""] - resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] - verbs: ["list", "get", "watch"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: linkerd-linkerd-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-controller -subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-controller - namespace: linkerd ---- -### -### Service Profile CRD -### ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceprofiles.linkerd.io - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - group: linkerd.io - version: v1alpha1 - scope: Namespaced - names: - plural: serviceprofiles - singular: serviceprofile - kind: ServiceProfile - shortNames: - - sp ---- -### -### Prometheus RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: linkerd-linkerd-prometheus -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: linkerd-linkerd-prometheus -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -### -### Proxy Injector RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector -rules: -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["create", "get", "delete"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["list", "get", "watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector -subjects: -- kind: ServiceAccount - name: linkerd-proxy-injector - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-proxy-injector - apiGroup: rbac.authorization.k8s.io ---- -### -### Service Profile Validator RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["create", "get", "delete"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator -subjects: -- kind: ServiceAccount - name: linkerd-sp-validator - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-sp-validator - apiGroup: rbac.authorization.k8s.io ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - global: | - {"linkerdNamespace":"linkerd","cniEnabled":true,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":{}} - proxy: | - {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"} - install: | - {"uuid":"deaab91a-f4ab-448a-b7d1-c832a2fa0a60","cliVersion":"dev-undefined","flags":[{"name":"linkerd-cni-enabled","value":"true"},{"name":"proxy-auto-inject","value":"true"}]} ---- -### -### Identity Controller Service -### ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-identity-issuer - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-issuer-expiry: 2029-02-28T02:03:52Z -data: - crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: identity - ports: - - name: grpc - port: 8080 - targetPort: 8080 ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - creationTimestamp: null - labels: - linkerd.io/control-plane-component: identity - name: linkerd-identity - namespace: linkerd -spec: - replicas: 1 - strategy: {} - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - creationTimestamp: null - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-identity - spec: - containers: - - args: - - identity - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9990 - initialDelaySeconds: 10 - name: identity - ports: - - containerPort: 8080 - name: grpc - - containerPort: 9990 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9990 - resources: {} - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - mountPath: /var/run/linkerd/identity/issuer - name: identity-issuer - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd2_proxy=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-destination.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: localhost.:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: {} - securityContext: - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-identity - volumes: - - configMap: - name: linkerd-config - name: config - - name: identity-issuer - secret: - secretName: linkerd-identity-issuer - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity -status: {} ---- -### -### Controller -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-controller-api - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: controller - ports: - - name: http - port: 8085 - targetPort: 8085 ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-destination - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: controller - ports: - - name: grpc - port: 8086 - targetPort: 8086 ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - creationTimestamp: null - labels: - linkerd.io/control-plane-component: controller - name: linkerd-controller - namespace: linkerd -spec: - replicas: 1 - strategy: {} - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - creationTimestamp: null - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - spec: - containers: - - args: - - public-api - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - - -controller-namespace=linkerd - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: public-api - ports: - - containerPort: 8085 - name: http - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - resources: {} - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - args: - - destination - - -addr=:8086 - - -controller-namespace=linkerd - - -enable-h2-upgrade=true - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9996 - initialDelaySeconds: 10 - name: destination - ports: - - containerPort: 8086 - name: grpc - - containerPort: 9996 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9996 - resources: {} - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - resources: {} - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd2_proxy=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: localhost.:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: {} - securityContext: - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-controller - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity -status: {} ---- -### -### Web -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - creationTimestamp: null - labels: - linkerd.io/control-plane-component: web - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - strategy: {} - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - creationTimestamp: null - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - image: gcr.io/linkerd-io/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - resources: {} - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd2_proxy=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-destination.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: {} - securityContext: - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-web - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity -status: {} ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - scrape_interval: 10s - scrape_timeout: 10s - evaluation_interval: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - creationTimestamp: null - labels: - linkerd.io/control-plane-component: prometheus - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - strategy: {} - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - creationTimestamp: null - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - containers: - - args: - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - image: prom/prometheus:v2.7.1 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: {} - securityContext: - runAsUser: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus - name: prometheus-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd2_proxy=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-destination.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY - value: "10000" - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: {} - securityContext: - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-prometheus - volumes: - - emptyDir: {} - name: data - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity -status: {} ---- -### -### Grafana -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - creationTimestamp: null - labels: - linkerd.io/control-plane-component: grafana - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - strategy: {} - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - creationTimestamp: null - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - containers: - - env: - - name: GF_PATHS_DATA - value: /data - image: gcr.io/linkerd-io/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: {} - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd2_proxy=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-destination.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: {} - securityContext: - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity -status: {} ---- -### -### Proxy Injector -### ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - creationTimestamp: null - labels: - linkerd.io/control-plane-component: proxy-injector - name: linkerd-proxy-injector - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: proxy-injector - strategy: {} - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - creationTimestamp: null - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-proxy-injector - spec: - containers: - - args: - - proxy-injector - - -controller-namespace=linkerd - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: proxy-injector - ports: - - containerPort: 8443 - name: proxy-injector - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - resources: {} - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd2_proxy=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-destination.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: {} - securityContext: - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-proxy-injector - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity -status: {} ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: proxy-injector - ports: - - name: proxy-injector - port: 443 - targetPort: proxy-injector ---- ---- -### -### Service Profile Validator -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: sp-validator - ports: - - name: sp-validator - port: 443 - targetPort: sp-validator ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - creationTimestamp: null - labels: - linkerd.io/control-plane-component: sp-validator - name: linkerd-sp-validator - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: sp-validator - strategy: {} - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - creationTimestamp: null - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-sp-validator - spec: - containers: - - args: - - sp-validator - - -controller-namespace=linkerd - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9997 - initialDelaySeconds: 10 - name: sp-validator - ports: - - containerPort: 8443 - name: sp-validator - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9997 - resources: {} - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd2_proxy=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-destination.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: {} - securityContext: - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-sp-validator - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity -status: {} ---- diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 3797dcdf2..79ff2c07b 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -1442,7 +1442,6 @@ spec: port: 443 targetPort: proxy-injector --- ---- ### ### Service Profile Validator ### diff --git a/cli/cmd/testdata/upgrade_default.golden b/cli/cmd/testdata/upgrade_default.golden index 4ec140440..c330c0650 100644 --- a/cli/cmd/testdata/upgrade_default.golden +++ b/cli/cmd/testdata/upgrade_default.golden @@ -7,6 +7,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd + annotations: + linkerd.io/inject: disabled --- ### ### Identity Controller Service RBAC @@ -135,6 +137,48 @@ subjects: namespace: linkerd --- ### +### Proxy Injector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["create", "get", "delete"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +### ### Service Profile Validator RBAC ### --- @@ -1421,6 +1465,200 @@ spec: status: {} --- ### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + strategy: {} + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: UPGRADE-PROXY-VERSION + creationTimestamp: null + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + containers: + - args: + - proxy-injector + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:UPGRADE-CONTROL-PLANE-VERSION + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: {} + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 + eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDA0MjM1MzM3WhcNMjAwNDAz + MjM1MzU3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j + YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+Sb5X4wi4XP0X3rJwMp23VBdg + EMMU8EU+KG8UI2LmC5Vjg5RWLOW6BJjBmjXViKM+b+1/oKAeOg6FrJk8qyFlo0Iw + QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC + MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKUFG3sYOS++bakW + YmJZU45iCdTLtaelMDSFiHoC9eBKAiBDWzzo+/CYLLmn33bAEn8pQnogP4Fx06aj + +U9K4WlbzA== + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:UPGRADE-PROXY-VERSION + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: {} + securityContext: + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: false + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +status: {} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### ### Service Profile Validator ### --- diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go index 4c7ad033a..13606d359 100644 --- a/cli/cmd/upgrade.go +++ b/cli/cmd/upgrade.go @@ -138,9 +138,6 @@ func (options *upgradeOptions) validateAndBuild(k kubernetes.Interface, flags *p // Update the configs from the synthesized options. options.overrideConfigs(configs, map[string]string{}) - if options.proxyAutoInject { - configs.GetGlobal().AutoInjectContext = &pb.AutoInjectContext{} - } if options.controlPlaneVersion != "" { configs.GetGlobal().Version = options.controlPlaneVersion } diff --git a/cli/cmd/upgrade_test.go b/cli/cmd/upgrade_test.go index 3b86559cb..6045c0457 100644 --- a/cli/cmd/upgrade_test.go +++ b/cli/cmd/upgrade_test.go @@ -46,7 +46,7 @@ metadata: linkerd.io/created-by: linkerd/cli edge-19.4.1 data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0\neS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDA0MjM1MzM3WhcNMjAwNDAz\nMjM1MzU3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j\nYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+Sb5X4wi4XP0X3rJwMp23VBdg\nEMMU8EU+KG8UI2LmC5Vjg5RWLOW6BJjBmjXViKM+b+1/oKAeOg6FrJk8qyFlo0Iw\nQDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKUFG3sYOS++bakW\nYmJZU45iCdTLtaelMDSFiHoC9eBKAiBDWzzo+/CYLLmn33bAEn8pQnogP4Fx06aj\n+U9K4WlbzA==\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0\neS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDA0MjM1MzM3WhcNMjAwNDAz\nMjM1MzU3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j\nYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+Sb5X4wi4XP0X3rJwMp23VBdg\nEMMU8EU+KG8UI2LmC5Vjg5RWLOW6BJjBmjXViKM+b+1/oKAeOg6FrJk8qyFlo0Iw\nQDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKUFG3sYOS++bakW\nYmJZU45iCdTLtaelMDSFiHoC9eBKAiBDWzzo+/CYLLmn33bAEn8pQnogP4Fx06aj\n+U9K4WlbzA==\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true} install: | @@ -118,7 +118,7 @@ metadata: linkerd.io/created-by: linkerd/cli edge-19.4.1 data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":null,"autoInjectContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":null} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true} install: | @@ -127,7 +127,6 @@ data: } options := testUpgradeOptions() - options.proxyAutoInject = true flags := options.recordableFlagSet() clientset, _, err := k8s.NewFakeClientSets(k8sConfigs...) @@ -151,9 +150,6 @@ data: if configs.GetGlobal().GetIdentityContext().GetTrustAnchorsPem() == "" { t.Errorf("identity config not generated") } - if configs.GetGlobal().GetAutoInjectContext() == nil { - t.Errorf("autoinject config not generated") - } global := pb.Global{} if err := json.Unmarshal([]byte(values.Configs.Global), &global); err != nil { @@ -162,9 +158,6 @@ data: if configs.GetGlobal().GetIdentityContext().GetTrustAnchorsPem() == "" { t.Errorf("identity config not serialized") } - if configs.GetGlobal().GetAutoInjectContext() == nil { - t.Errorf("autoinject config not serialized") - } } func TestFetchConfigs(t *testing.T) { @@ -188,7 +181,7 @@ metadata: namespace: linkerd data: global: | - {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null} + {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}} proxy: | {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"} install: | diff --git a/controller/gen/config/config.pb.go b/controller/gen/config/config.pb.go index 798ff0b1e..4ae2b1204 100644 --- a/controller/gen/config/config.pb.go +++ b/controller/gen/config/config.pb.go @@ -32,7 +32,7 @@ func (m *All) Reset() { *m = All{} } func (m *All) String() string { return proto.CompactTextString(m) } func (*All) ProtoMessage() {} func (*All) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{0} + return fileDescriptor_config_42b83b762b43f0a0, []int{0} } func (m *All) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_All.Unmarshal(m, b) @@ -79,10 +79,8 @@ type Global struct { // Control plane and proxy-init version Version string `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"` // If present, configures identity. - IdentityContext *IdentityContext `protobuf:"bytes,4,opt,name=identity_context,json=identityContext,proto3" json:"identity_context,omitempty"` - // If present, indicates that the Mutating Webhook Admission Controller should - // be configured to automatically inject proxies. - AutoInjectContext *AutoInjectContext `protobuf:"bytes,6,opt,name=auto_inject_context,json=autoInjectContext,proto3" json:"auto_inject_context,omitempty"` + IdentityContext *IdentityContext `protobuf:"bytes,4,opt,name=identity_context,json=identityContext,proto3" json:"identity_context,omitempty"` + AutoInjectContext *AutoInjectContext `protobuf:"bytes,6,opt,name=auto_inject_context,json=autoInjectContext,proto3" json:"auto_inject_context,omitempty"` // Deprecated: Do not use. XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -92,7 +90,7 @@ func (m *Global) Reset() { *m = Global{} } func (m *Global) String() string { return proto.CompactTextString(m) } func (*Global) ProtoMessage() {} func (*Global) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{1} + return fileDescriptor_config_42b83b762b43f0a0, []int{1} } func (m *Global) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Global.Unmarshal(m, b) @@ -140,6 +138,7 @@ func (m *Global) GetIdentityContext() *IdentityContext { return nil } +// Deprecated: Do not use. func (m *Global) GetAutoInjectContext() *AutoInjectContext { if m != nil { return m.AutoInjectContext @@ -170,7 +169,7 @@ func (m *Proxy) Reset() { *m = Proxy{} } func (m *Proxy) String() string { return proto.CompactTextString(m) } func (*Proxy) ProtoMessage() {} func (*Proxy) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{2} + return fileDescriptor_config_42b83b762b43f0a0, []int{2} } func (m *Proxy) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Proxy.Unmarshal(m, b) @@ -293,7 +292,7 @@ func (m *Image) Reset() { *m = Image{} } func (m *Image) String() string { return proto.CompactTextString(m) } func (*Image) ProtoMessage() {} func (*Image) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{3} + return fileDescriptor_config_42b83b762b43f0a0, []int{3} } func (m *Image) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Image.Unmarshal(m, b) @@ -338,7 +337,7 @@ func (m *Port) Reset() { *m = Port{} } func (m *Port) String() string { return proto.CompactTextString(m) } func (*Port) ProtoMessage() {} func (*Port) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{4} + return fileDescriptor_config_42b83b762b43f0a0, []int{4} } func (m *Port) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Port.Unmarshal(m, b) @@ -379,7 +378,7 @@ func (m *ResourceRequirements) Reset() { *m = ResourceRequirements{} } func (m *ResourceRequirements) String() string { return proto.CompactTextString(m) } func (*ResourceRequirements) ProtoMessage() {} func (*ResourceRequirements) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{5} + return fileDescriptor_config_42b83b762b43f0a0, []int{5} } func (m *ResourceRequirements) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_ResourceRequirements.Unmarshal(m, b) @@ -427,7 +426,7 @@ func (m *ResourceRequirements) GetLimitMemory() string { return "" } -// Currently, this is basically a boolean. +// Deprecated: Do not use. type AutoInjectContext struct { XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -438,7 +437,7 @@ func (m *AutoInjectContext) Reset() { *m = AutoInjectContext{} } func (m *AutoInjectContext) String() string { return proto.CompactTextString(m) } func (*AutoInjectContext) ProtoMessage() {} func (*AutoInjectContext) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{6} + return fileDescriptor_config_42b83b762b43f0a0, []int{6} } func (m *AutoInjectContext) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_AutoInjectContext.Unmarshal(m, b) @@ -472,7 +471,7 @@ func (m *IdentityContext) Reset() { *m = IdentityContext{} } func (m *IdentityContext) String() string { return proto.CompactTextString(m) } func (*IdentityContext) ProtoMessage() {} func (*IdentityContext) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{7} + return fileDescriptor_config_42b83b762b43f0a0, []int{7} } func (m *IdentityContext) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_IdentityContext.Unmarshal(m, b) @@ -531,7 +530,7 @@ func (m *LogLevel) Reset() { *m = LogLevel{} } func (m *LogLevel) String() string { return proto.CompactTextString(m) } func (*LogLevel) ProtoMessage() {} func (*LogLevel) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{8} + return fileDescriptor_config_42b83b762b43f0a0, []int{8} } func (m *LogLevel) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_LogLevel.Unmarshal(m, b) @@ -578,7 +577,7 @@ func (m *Install) Reset() { *m = Install{} } func (m *Install) String() string { return proto.CompactTextString(m) } func (*Install) ProtoMessage() {} func (*Install) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{9} + return fileDescriptor_config_42b83b762b43f0a0, []int{9} } func (m *Install) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Install.Unmarshal(m, b) @@ -631,7 +630,7 @@ func (m *Install_Flag) Reset() { *m = Install_Flag{} } func (m *Install_Flag) String() string { return proto.CompactTextString(m) } func (*Install_Flag) ProtoMessage() {} func (*Install_Flag) Descriptor() ([]byte, []int) { - return fileDescriptor_config_1dc3723f04bb94b9, []int{9, 0} + return fileDescriptor_config_42b83b762b43f0a0, []int{9, 0} } func (m *Install_Flag) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_Install_Flag.Unmarshal(m, b) @@ -679,67 +678,67 @@ func init() { proto.RegisterType((*Install_Flag)(nil), "linkerd2.config.Install.Flag") } -func init() { proto.RegisterFile("config/config.proto", fileDescriptor_config_1dc3723f04bb94b9) } +func init() { proto.RegisterFile("config/config.proto", fileDescriptor_config_42b83b762b43f0a0) } -var fileDescriptor_config_1dc3723f04bb94b9 = []byte{ - // 929 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x55, 0xcf, 0x73, 0x1b, 0x35, - 0x14, 0x1e, 0xd7, 0x76, 0x62, 0x3f, 0xdb, 0x4d, 0xac, 0xa4, 0x74, 0x13, 0xa6, 0x60, 0x96, 0xe9, - 0x4c, 0x07, 0x18, 0x1b, 0x12, 0x06, 0x3a, 0x3d, 0x61, 0xfa, 0x23, 0xe3, 0x69, 0x80, 0x8c, 0x18, - 0x38, 0x70, 0xd9, 0x59, 0xef, 0xca, 0x5b, 0x11, 0xad, 0xe4, 0x6a, 0xa5, 0x24, 0xfd, 0x33, 0xb8, - 0x71, 0xe2, 0xc6, 0x9f, 0xc8, 0x9d, 0xd1, 0x93, 0x36, 0xa4, 0x59, 0xe2, 0xd3, 0x4a, 0xdf, 0xfb, - 0xbe, 0x4f, 0x6f, 0xa5, 0xa7, 0x27, 0xd8, 0xcb, 0x94, 0x5c, 0xf1, 0x62, 0xe6, 0x3f, 0xd3, 0xb5, - 0x56, 0x46, 0x91, 0x1d, 0xc1, 0xe5, 0x39, 0xd3, 0xf9, 0xd1, 0xd4, 0xc3, 0x87, 0x1f, 0x15, 0x4a, - 0x15, 0x82, 0xcd, 0x30, 0xbc, 0xb4, 0xab, 0x59, 0x6e, 0x75, 0x6a, 0xb8, 0x92, 0x5e, 0x10, 0xff, - 0xd9, 0x82, 0xf6, 0x5c, 0x08, 0x32, 0x83, 0xad, 0x42, 0xa8, 0x65, 0x2a, 0xa2, 0xd6, 0xa4, 0xf5, - 0x64, 0x70, 0xf4, 0x70, 0x7a, 0xcb, 0x69, 0x7a, 0x82, 0x61, 0x1a, 0x68, 0xe4, 0x0b, 0xe8, 0xae, - 0xb5, 0xba, 0x7a, 0x17, 0xdd, 0x43, 0xfe, 0x07, 0x0d, 0xfe, 0x99, 0x8b, 0x52, 0x4f, 0x22, 0x47, - 0xb0, 0xcd, 0x65, 0x65, 0x52, 0x21, 0xa2, 0x36, 0xf2, 0xa3, 0x06, 0x7f, 0xe1, 0xe3, 0xb4, 0x26, - 0xc6, 0x7f, 0xdc, 0x83, 0x2d, 0xbf, 0x28, 0xf9, 0x1c, 0xc6, 0x81, 0x9e, 0xc8, 0xb4, 0x64, 0xd5, - 0x3a, 0xcd, 0x18, 0x26, 0xda, 0xa7, 0xbb, 0x21, 0xf0, 0x63, 0x8d, 0x93, 0x8f, 0x61, 0x90, 0x49, - 0x9e, 0x30, 0x99, 0x2e, 0x05, 0xcb, 0x31, 0xbf, 0x1e, 0x85, 0x4c, 0xf2, 0x97, 0x1e, 0x21, 0x11, - 0x6c, 0x5f, 0x30, 0x5d, 0x71, 0x25, 0x31, 0x99, 0x3e, 0xad, 0xa7, 0xe4, 0x35, 0xec, 0xf2, 0x9c, - 0x49, 0xc3, 0xcd, 0xbb, 0x24, 0x53, 0xd2, 0xb0, 0x2b, 0x13, 0x75, 0x30, 0xdf, 0x49, 0x33, 0xdf, - 0x40, 0x7c, 0xee, 0x79, 0x74, 0x87, 0xbf, 0x0f, 0x10, 0x0a, 0x7b, 0xa9, 0x35, 0x2a, 0xe1, 0xf2, - 0x77, 0x96, 0x99, 0x6b, 0xbf, 0x2d, 0xf4, 0x8b, 0x1b, 0x7e, 0x73, 0x6b, 0xd4, 0x02, 0xa9, 0xb5, - 0xe3, 0x38, 0xbd, 0x0d, 0xc5, 0xff, 0x74, 0xa1, 0x8b, 0x1b, 0x4b, 0xbe, 0x85, 0x01, 0x6e, 0x6d, - 0xc2, 0xcb, 0xb4, 0x60, 0xe1, 0xd4, 0x9a, 0xa7, 0xb0, 0x70, 0x51, 0x0a, 0x48, 0xc5, 0x31, 0xf9, - 0x0e, 0x76, 0x83, 0x50, 0x72, 0x13, 0xd4, 0xf7, 0x36, 0xaa, 0xef, 0x7b, 0xb5, 0xe4, 0xc6, 0x3b, - 0x3c, 0x85, 0xa1, 0xfb, 0x19, 0xad, 0x44, 0xb2, 0x56, 0xda, 0x84, 0x13, 0x7d, 0xd0, 0xac, 0x00, - 0xa5, 0x0d, 0x1d, 0x04, 0xaa, 0x9b, 0x90, 0x13, 0xd8, 0xe7, 0x85, 0x54, 0x9a, 0x25, 0x5c, 0x2e, - 0x95, 0x95, 0x39, 0x1a, 0x54, 0x51, 0x67, 0xd2, 0xbe, 0xdb, 0x81, 0x78, 0xc9, 0xc2, 0x2b, 0x1c, - 0x54, 0x91, 0x05, 0x3c, 0x08, 0x46, 0xca, 0x9a, 0x9b, 0x4e, 0xdd, 0x4d, 0x4e, 0x7b, 0x5e, 0xf3, - 0x53, 0x90, 0x78, 0xab, 0xa7, 0x30, 0xbc, 0x99, 0x4c, 0x38, 0x9f, 0xbb, 0xfe, 0x86, 0xff, 0x97, - 0x05, 0xf9, 0x1a, 0x20, 0xcd, 0x4b, 0x2e, 0xbd, 0x6e, 0x7b, 0x93, 0xae, 0x8f, 0x44, 0x54, 0x3d, - 0x83, 0xd1, 0x7b, 0x39, 0x47, 0xbd, 0x4d, 0xc2, 0xa1, 0xba, 0x91, 0x2c, 0x99, 0x43, 0x4f, 0xb3, - 0x4a, 0x59, 0x9d, 0xb1, 0xa8, 0x8f, 0xb2, 0xc7, 0x0d, 0x19, 0x0d, 0x04, 0xca, 0xde, 0x5a, 0xae, - 0x59, 0xc9, 0xa4, 0xa9, 0xe8, 0xb5, 0x8c, 0x7c, 0x08, 0x7d, 0x7f, 0xfc, 0x96, 0xe7, 0x11, 0x4c, - 0x5a, 0x4f, 0xda, 0xb4, 0x87, 0xc0, 0x2f, 0x3c, 0x27, 0xdf, 0x40, 0x5f, 0xa8, 0x22, 0x11, 0xec, - 0x82, 0x89, 0x68, 0x80, 0x0b, 0x1c, 0x34, 0x16, 0x38, 0x55, 0xc5, 0xa9, 0x23, 0xd0, 0x9e, 0x08, - 0x23, 0xf2, 0x0c, 0x0e, 0x72, 0x5e, 0xb9, 0xdb, 0x95, 0xb0, 0x2b, 0xc3, 0xb4, 0x4c, 0x45, 0xb2, - 0xd6, 0x6a, 0xc5, 0x05, 0xab, 0xa2, 0x21, 0x5e, 0xc0, 0x87, 0x81, 0xf0, 0x32, 0xc4, 0xcf, 0x42, - 0x98, 0x7c, 0x0a, 0x23, 0x9f, 0x50, 0x7d, 0x27, 0x47, 0x78, 0x27, 0x87, 0x08, 0xfe, 0xea, 0xb1, - 0xf8, 0x04, 0xba, 0xbe, 0xf6, 0x1e, 0x01, 0x60, 0xc9, 0x62, 0x1f, 0x08, 0x2d, 0xa0, 0x8f, 0x88, - 0x6b, 0x00, 0xee, 0xee, 0xaf, 0xad, 0x70, 0x75, 0x29, 0x78, 0xe6, 0x7b, 0x53, 0x9f, 0x82, 0x83, - 0xce, 0x10, 0x89, 0x0f, 0xa1, 0x83, 0x3b, 0x49, 0xa0, 0x83, 0x9b, 0xef, 0x1c, 0x46, 0x14, 0xc7, - 0xf1, 0x5f, 0x2d, 0xd8, 0xff, 0xbf, 0xdd, 0x73, 0xae, 0x9a, 0xbd, 0xb5, 0xac, 0x32, 0x49, 0xb6, - 0xb6, 0x61, 0x55, 0x08, 0xd0, 0xf3, 0xb5, 0x25, 0x8f, 0xe1, 0x7e, 0x4d, 0x28, 0x59, 0xa9, 0x74, - 0xbd, 0xf2, 0x28, 0xa0, 0x3f, 0x20, 0xe8, 0xf6, 0x5e, 0xf0, 0x92, 0x7b, 0x17, 0xdf, 0x7a, 0x7a, - 0x08, 0x38, 0x8f, 0x4f, 0x60, 0xe8, 0x83, 0xc1, 0xa1, 0x83, 0xf1, 0x01, 0x62, 0x5e, 0x1f, 0xef, - 0xc1, 0x78, 0xde, 0x6c, 0x09, 0x2d, 0xd8, 0xb9, 0xd5, 0x8b, 0x9c, 0x97, 0xd1, 0xb6, 0x32, 0x49, - 0xae, 0xca, 0x94, 0xcb, 0x90, 0xf1, 0x00, 0xb1, 0x17, 0x08, 0x91, 0xcf, 0x60, 0xec, 0x29, 0xa9, - 0xcc, 0xde, 0x28, 0x5d, 0x25, 0x6b, 0x56, 0x86, 0xac, 0x77, 0x30, 0x30, 0xf7, 0xf8, 0x19, 0x2b, - 0xc9, 0x2b, 0x18, 0xf3, 0xaa, 0xb2, 0xa9, 0xcc, 0x58, 0x22, 0xf8, 0x8a, 0x19, 0x5e, 0xb2, 0x70, - 0xeb, 0x0f, 0xa6, 0xfe, 0x81, 0x99, 0xd6, 0x0f, 0xcc, 0xf4, 0x45, 0x78, 0x60, 0xe8, 0x6e, 0xad, - 0x39, 0x0d, 0x12, 0xf2, 0x1a, 0xf6, 0x33, 0xa1, 0xb2, 0xf3, 0xa4, 0x3a, 0x67, 0x97, 0x49, 0x2a, - 0x84, 0xba, 0x74, 0xf1, 0xd0, 0x62, 0x37, 0x58, 0x11, 0x94, 0xfd, 0x7c, 0xce, 0x2e, 0xe7, 0xb5, - 0x28, 0x9e, 0x40, 0xaf, 0xae, 0x44, 0xb2, 0x0f, 0x5d, 0x5f, 0xb3, 0xfe, 0x47, 0xfd, 0x24, 0xfe, - 0xbb, 0x05, 0xdb, 0xe1, 0x55, 0x71, 0xe7, 0x6d, 0x5d, 0xc5, 0x7b, 0x02, 0x8e, 0xf1, 0xa1, 0x10, - 0xfc, 0xba, 0xee, 0x42, 0xb1, 0x64, 0x82, 0x87, 0xaa, 0x23, 0xc7, 0xd0, 0x5d, 0x89, 0xb4, 0xa8, - 0xa2, 0x36, 0x76, 0x95, 0x47, 0x77, 0xbd, 0x59, 0xd3, 0x57, 0x22, 0x2d, 0xa8, 0xe7, 0x1e, 0x7e, - 0x09, 0x1d, 0x37, 0x75, 0x2b, 0xde, 0xa8, 0x51, 0x1c, 0xbb, 0x3c, 0x2f, 0x52, 0x61, 0x59, 0x58, - 0xcb, 0x4f, 0xbe, 0x3f, 0xfe, 0xed, 0xab, 0x82, 0x9b, 0x37, 0x76, 0x39, 0xcd, 0x54, 0x39, 0x0b, - 0x6b, 0xd4, 0xdf, 0xa3, 0x59, 0x68, 0xa0, 0x82, 0xe9, 0x59, 0xc1, 0x64, 0x78, 0xef, 0x97, 0x5b, - 0xb8, 0x4b, 0xc7, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xa2, 0x59, 0xbd, 0x38, 0x07, 0x08, 0x00, - 0x00, +var fileDescriptor_config_42b83b762b43f0a0 = []byte{ + // 938 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x55, 0x5d, 0x6f, 0x23, 0x35, + 0x14, 0x55, 0xbe, 0xda, 0xe4, 0x26, 0xd9, 0x36, 0x6e, 0x97, 0x4e, 0x8b, 0x16, 0xc2, 0xa0, 0x95, + 0x56, 0x80, 0x12, 0x68, 0x11, 0xac, 0xfa, 0x44, 0xf6, 0xab, 0x8a, 0xb6, 0x40, 0x65, 0xc4, 0x3e, + 0xf0, 0x32, 0x9a, 0xcc, 0x38, 0xb3, 0xa6, 0x1e, 0x3b, 0xeb, 0xf1, 0xb4, 0xdd, 0x1f, 0x82, 0xc4, + 0x13, 0x6f, 0xfc, 0xc4, 0x7d, 0x47, 0xbe, 0xf6, 0x94, 0xb6, 0xb3, 0xcd, 0xd3, 0xd8, 0xe7, 0x9e, + 0x73, 0x7c, 0xc7, 0xbe, 0xbe, 0x86, 0x9d, 0x44, 0xc9, 0x25, 0xcf, 0xa6, 0xee, 0x33, 0x59, 0x69, + 0x65, 0x14, 0xd9, 0x12, 0x5c, 0x9e, 0x33, 0x9d, 0x1e, 0x4e, 0x1c, 0x7c, 0xf0, 0x59, 0xa6, 0x54, + 0x26, 0xd8, 0x14, 0xc3, 0x8b, 0x72, 0x39, 0x4d, 0x4b, 0x1d, 0x1b, 0xae, 0xa4, 0x13, 0x84, 0x7f, + 0x37, 0xa0, 0x35, 0x13, 0x82, 0x4c, 0x61, 0x23, 0x13, 0x6a, 0x11, 0x8b, 0xa0, 0x31, 0x6e, 0x3c, + 0xe9, 0x1f, 0xee, 0x4d, 0xee, 0x38, 0x4d, 0x4e, 0x30, 0x4c, 0x3d, 0x8d, 0x7c, 0x03, 0x9d, 0x95, + 0x56, 0x57, 0xef, 0x83, 0x26, 0xf2, 0x3f, 0xa9, 0xf1, 0xcf, 0x6c, 0x94, 0x3a, 0x12, 0x39, 0x84, + 0x4d, 0x2e, 0x0b, 0x13, 0x0b, 0x11, 0xb4, 0x90, 0x1f, 0xd4, 0xf8, 0x73, 0x17, 0xa7, 0x15, 0x31, + 0xfc, 0xab, 0x09, 0x1b, 0x6e, 0x51, 0xf2, 0x35, 0x8c, 0x3c, 0x3d, 0x92, 0x71, 0xce, 0x8a, 0x55, + 0x9c, 0x30, 0x4c, 0xb4, 0x47, 0xb7, 0x7d, 0xe0, 0x97, 0x0a, 0x27, 0x9f, 0x43, 0x3f, 0x91, 0x3c, + 0x62, 0x32, 0x5e, 0x08, 0x96, 0x62, 0x7e, 0x5d, 0x0a, 0x89, 0xe4, 0x2f, 0x1d, 0x42, 0x02, 0xd8, + 0xbc, 0x60, 0xba, 0xe0, 0x4a, 0x62, 0x32, 0x3d, 0x5a, 0x4d, 0xc9, 0x6b, 0xd8, 0xe6, 0x29, 0x93, + 0x86, 0x9b, 0xf7, 0x51, 0xa2, 0xa4, 0x61, 0x57, 0x26, 0x68, 0x63, 0xbe, 0xe3, 0x7a, 0xbe, 0x9e, + 0xf8, 0xdc, 0xf1, 0xe8, 0x16, 0xbf, 0x0d, 0x90, 0x37, 0xb0, 0x13, 0x97, 0x46, 0x45, 0x5c, 0xfe, + 0xc9, 0x12, 0x73, 0xed, 0xb7, 0x81, 0x7e, 0x61, 0xcd, 0x6f, 0x56, 0x1a, 0x35, 0x47, 0xaa, 0x37, + 0x78, 0xd6, 0x0c, 0x1a, 0x74, 0x14, 0xdf, 0x85, 0xc3, 0x0f, 0x1d, 0xe8, 0xe0, 0xe6, 0x92, 0x1f, + 0xa1, 0x8f, 0xdb, 0x1b, 0xf1, 0x3c, 0xce, 0x98, 0x3f, 0xb9, 0xfa, 0x49, 0xcc, 0x6d, 0x94, 0x02, + 0x52, 0x71, 0x4c, 0x7e, 0x82, 0x6d, 0x2f, 0x94, 0xdc, 0x78, 0x75, 0x73, 0xad, 0xfa, 0x81, 0x53, + 0x4b, 0x6e, 0x9c, 0xc3, 0x53, 0x18, 0xd8, 0x1f, 0xd2, 0x4a, 0x44, 0x2b, 0xa5, 0x8d, 0x3f, 0xd5, + 0x87, 0xf5, 0x2a, 0x50, 0xda, 0xd0, 0xbe, 0xa7, 0xda, 0x09, 0x39, 0x81, 0x5d, 0x9e, 0x49, 0xa5, + 0x59, 0xc4, 0xe5, 0x42, 0x95, 0x32, 0x45, 0x83, 0x22, 0x68, 0x8f, 0x5b, 0xf7, 0x3b, 0x10, 0x27, + 0x99, 0x3b, 0x85, 0x85, 0x0a, 0x32, 0x87, 0x87, 0xde, 0x48, 0x95, 0xe6, 0xa6, 0x53, 0x67, 0x9d, + 0xd3, 0x8e, 0xd3, 0xfc, 0xea, 0x25, 0xce, 0xea, 0x29, 0x0c, 0x6e, 0x26, 0xe3, 0xcf, 0xe8, 0xbe, + 0xbf, 0xe1, 0xff, 0x67, 0x41, 0xbe, 0x07, 0x88, 0xd3, 0x9c, 0x4b, 0xa7, 0xdb, 0x5c, 0xa7, 0xeb, + 0x21, 0x11, 0x55, 0xc7, 0x30, 0xbc, 0x95, 0x73, 0xd0, 0x5d, 0x27, 0x1c, 0xa8, 0x1b, 0xc9, 0x92, + 0x19, 0x74, 0x35, 0x2b, 0x54, 0xa9, 0x13, 0x16, 0xf4, 0x50, 0xf6, 0xb8, 0x26, 0xa3, 0x9e, 0x40, + 0xd9, 0xbb, 0x92, 0x6b, 0x96, 0x33, 0x69, 0x0a, 0x7a, 0x2d, 0x23, 0x9f, 0x42, 0xcf, 0x1d, 0x7f, + 0xc9, 0xd3, 0x00, 0xc6, 0x8d, 0x27, 0x2d, 0xda, 0x45, 0xe0, 0x77, 0x9e, 0x92, 0x1f, 0xa0, 0x27, + 0x54, 0x16, 0x09, 0x76, 0xc1, 0x44, 0xd0, 0xc7, 0x05, 0xf6, 0x6b, 0x0b, 0x9c, 0xaa, 0xec, 0xd4, + 0x12, 0x68, 0x57, 0xf8, 0x11, 0x39, 0x86, 0xfd, 0x94, 0x17, 0xf6, 0x86, 0x45, 0xec, 0xca, 0x30, + 0x2d, 0x63, 0x11, 0xad, 0xb4, 0x5a, 0x72, 0xc1, 0x8a, 0x60, 0x80, 0x97, 0x70, 0xcf, 0x13, 0x5e, + 0xfa, 0xf8, 0x99, 0x0f, 0x93, 0x2f, 0x61, 0xe8, 0x12, 0xaa, 0xee, 0xe5, 0x10, 0xef, 0xe5, 0x00, + 0xc1, 0x37, 0x0e, 0x0b, 0x4f, 0xa0, 0xe3, 0x6a, 0xef, 0x11, 0x00, 0x96, 0x2c, 0xf6, 0x02, 0xdf, + 0x06, 0x7a, 0x88, 0xd8, 0x26, 0x60, 0xef, 0xff, 0xaa, 0x14, 0xb6, 0x2e, 0x05, 0x4f, 0x5c, 0x7f, + 0xea, 0x51, 0xb0, 0xd0, 0x19, 0x22, 0xe1, 0x01, 0xb4, 0x71, 0x27, 0x09, 0xb4, 0x71, 0xf3, 0xad, + 0xc3, 0x90, 0xe2, 0x38, 0xfc, 0xa7, 0x01, 0xbb, 0x1f, 0xdb, 0x3d, 0xeb, 0xaa, 0xd9, 0xbb, 0x92, + 0x15, 0x26, 0x4a, 0x56, 0xa5, 0x5f, 0x15, 0x3c, 0xf4, 0x7c, 0x55, 0x92, 0xc7, 0xf0, 0xa0, 0x22, + 0xe4, 0x2c, 0x57, 0xba, 0x5a, 0x79, 0xe8, 0xd1, 0x9f, 0x11, 0xb4, 0x7b, 0x2f, 0x78, 0xce, 0x9d, + 0x8b, 0x6b, 0x3f, 0x5d, 0x04, 0xac, 0xc7, 0x17, 0x30, 0x70, 0x41, 0xef, 0xd0, 0xc6, 0x78, 0x1f, + 0x31, 0xa7, 0x0f, 0xf7, 0x60, 0x54, 0xeb, 0x14, 0xc7, 0xcd, 0xa0, 0x11, 0x7e, 0x68, 0xc0, 0xd6, + 0x9d, 0x9e, 0x64, 0xfd, 0x8c, 0x2e, 0x0b, 0x13, 0xa5, 0x2a, 0x8f, 0xb9, 0xf4, 0x59, 0xf7, 0x11, + 0x7b, 0x81, 0x10, 0xf9, 0x0a, 0x46, 0x8e, 0x12, 0xcb, 0xe4, 0xad, 0xd2, 0x45, 0xb4, 0x62, 0xb9, + 0xcf, 0x7c, 0x0b, 0x03, 0x33, 0x87, 0x9f, 0xb1, 0x9c, 0xbc, 0x82, 0x11, 0x2f, 0x8a, 0x32, 0x96, + 0x09, 0x8b, 0x04, 0x5f, 0x32, 0xc3, 0x73, 0xe6, 0x6f, 0xfe, 0xfe, 0xc4, 0x3d, 0x34, 0x93, 0xea, + 0xa1, 0x99, 0xbc, 0xf0, 0x0f, 0x0d, 0xdd, 0xae, 0x34, 0xa7, 0x5e, 0x42, 0x5e, 0xc3, 0x6e, 0x22, + 0x54, 0x72, 0x1e, 0x15, 0xe7, 0xec, 0x32, 0x8a, 0x85, 0x50, 0x97, 0x36, 0xee, 0x5b, 0xed, 0x1a, + 0x2b, 0x82, 0xb2, 0xdf, 0xce, 0xd9, 0xe5, 0xac, 0x12, 0x85, 0x63, 0xe8, 0x56, 0xd5, 0x48, 0x76, + 0xa1, 0xe3, 0xea, 0xd6, 0xfd, 0xa8, 0x9b, 0x84, 0xff, 0x36, 0x60, 0xd3, 0xbf, 0x2e, 0xf6, 0xcc, + 0x4b, 0x5b, 0xf5, 0x8e, 0x80, 0x63, 0x7c, 0x30, 0x04, 0xbf, 0xae, 0x3d, 0x5f, 0x30, 0x89, 0xe0, + 0xbe, 0xf2, 0xc8, 0x11, 0x74, 0x96, 0x22, 0xce, 0x8a, 0xa0, 0x85, 0x9d, 0xe5, 0xd1, 0x7d, 0x6f, + 0xd7, 0xe4, 0x95, 0x88, 0x33, 0xea, 0xb8, 0x07, 0xdf, 0x42, 0xdb, 0x4e, 0xed, 0x8a, 0x37, 0xea, + 0x14, 0xc7, 0x36, 0xcf, 0x8b, 0x58, 0x94, 0xcc, 0xaf, 0xe5, 0x26, 0xcf, 0x8e, 0xfe, 0xf8, 0x2e, + 0xe3, 0xe6, 0x6d, 0xb9, 0x98, 0x24, 0x2a, 0x9f, 0xfa, 0x35, 0xaa, 0xef, 0xe1, 0xd4, 0x37, 0x51, + 0xc1, 0xf4, 0x34, 0x63, 0xd2, 0xbf, 0xfb, 0x8b, 0x0d, 0xdc, 0xa5, 0xa3, 0xff, 0x02, 0x00, 0x00, + 0xff, 0xff, 0xd2, 0x4a, 0xdf, 0x3e, 0x0f, 0x08, 0x00, 0x00, } diff --git a/proto/config/config.proto b/proto/config/config.proto index 7424e8fe2..af5ab896d 100644 --- a/proto/config/config.proto +++ b/proto/config/config.proto @@ -22,9 +22,7 @@ message Global { // If present, configures identity. IdentityContext identity_context = 4; - // If present, indicates that the Mutating Webhook Admission Controller should - // be configured to automatically inject proxies. - AutoInjectContext auto_inject_context = 6; + AutoInjectContext auto_inject_context = 6 [deprecated=true]; } message Proxy { @@ -63,8 +61,7 @@ message ResourceRequirements { string limit_memory = 4; } -// Currently, this is basically a boolean. -message AutoInjectContext {} +message AutoInjectContext { option deprecated = true; } message IdentityContext { string trust_domain = 1; diff --git a/test/get/get_test.go b/test/get/get_test.go index 1f7d08ae2..bfe543fcb 100644 --- a/test/get/get_test.go +++ b/test/get/get_test.go @@ -33,12 +33,13 @@ var ( } linkerdPods = map[string]int{ - "linkerd-controller": 1, - "linkerd-grafana": 1, - "linkerd-identity": 1, - "linkerd-prometheus": 1, - "linkerd-sp-validator": 1, - "linkerd-web": 1, + "linkerd-controller": 1, + "linkerd-grafana": 1, + "linkerd-identity": 1, + "linkerd-prometheus": 1, + "linkerd-proxy-injector": 1, + "linkerd-sp-validator": 1, + "linkerd-web": 1, } ) diff --git a/test/inject/inject_test.go b/test/inject/inject_test.go index 37b6a53d9..7865296c2 100644 --- a/test/inject/inject_test.go +++ b/test/inject/inject_test.go @@ -87,8 +87,6 @@ func TestInjectParams(t *testing.T) { } } -// TestAnnotationPermutations assumes a control-plane installed with -// `--proxy-auto-inject` was installed via `install_test.go`. func TestAnnotationPermutations(t *testing.T) { injectYAML, err := testutil.ReadFile("testdata/inject_test.yaml") if err != nil { diff --git a/test/install_test.go b/test/install_test.go index b0b0b6c58..43b9ac3d8 100644 --- a/test/install_test.go +++ b/test/install_test.go @@ -40,12 +40,13 @@ var ( } linkerdDeployReplicas = map[string]deploySpec{ - "linkerd-controller": {1, []string{"destination", "public-api", "tap"}}, - "linkerd-grafana": {1, []string{}}, - "linkerd-identity": {1, []string{"identity"}}, - "linkerd-prometheus": {1, []string{}}, - "linkerd-sp-validator": {1, []string{"sp-validator"}}, - "linkerd-web": {1, []string{"web"}}, + "linkerd-controller": {1, []string{"destination", "public-api", "tap"}}, + "linkerd-grafana": {1, []string{}}, + "linkerd-identity": {1, []string{"identity"}}, + "linkerd-prometheus": {1, []string{}}, + "linkerd-sp-validator": {1, []string{"sp-validator"}}, + "linkerd-web": {1, []string{"web"}}, + "linkerd-proxy-injector": {1, []string{"proxy-injector"}}, } // Linkerd commonly logs these errors during testing, remove these once @@ -125,11 +126,6 @@ func TestInstallOrUpgrade(t *testing.T) { cmd = "upgrade" } - if TestHelper.AutoInject() { - args = append(args, "--proxy-auto-inject") - linkerdDeployReplicas["linkerd-proxy-injector"] = deploySpec{1, []string{"proxy-injector"}} - } - exec := append([]string{cmd}, args...) out, _, err := TestHelper.LinkerdRun(exec...) if err != nil { @@ -268,30 +264,15 @@ func TestInject(t *testing.T) { prefixedNs := TestHelper.GetTestNamespace("smoke-test") - if TestHelper.AutoInject() { - out, err = testutil.ReadFile("testdata/smoke_test.yaml") - if err != nil { - t.Fatalf("failed to read smoke test file: %s", err) - } - err = TestHelper.CreateNamespaceIfNotExists(prefixedNs, map[string]string{ - k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled, - }) - if err != nil { - t.Fatalf("failed to create %s namespace with auto inject enabled: %s", prefixedNs, err) - } - } else { - cmd := []string{"inject", "--manual", "testdata/smoke_test.yaml"} - - var injectReport string - out, injectReport, err = TestHelper.LinkerdRun(cmd...) - if err != nil { - t.Fatalf("linkerd inject command failed: %s\n%s", err, out) - } - - err = TestHelper.ValidateOutput(injectReport, "inject.report.golden") - if err != nil { - t.Fatalf("Received unexpected output\n%s", err.Error()) - } + out, err = testutil.ReadFile("testdata/smoke_test.yaml") + if err != nil { + t.Fatalf("failed to read smoke test file: %s", err) + } + err = TestHelper.CreateNamespaceIfNotExists(prefixedNs, map[string]string{ + k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled, + }) + if err != nil { + t.Fatalf("failed to create %s namespace: %s", prefixedNs, err) } out, err = TestHelper.KubectlApply(out, prefixedNs) diff --git a/test/stat/stat_test.go b/test/stat/stat_test.go index df5c50971..f0edcf901 100644 --- a/test/stat/stat_test.go +++ b/test/stat/stat_test.go @@ -72,12 +72,13 @@ func TestCliStatForLinkerdNamespace(t *testing.T) { { args: []string{"stat", "deploy", "-n", TestHelper.GetLinkerdNamespace()}, expectedRows: map[string]string{ - "linkerd-controller": "1/1", - "linkerd-grafana": "1/1", - "linkerd-identity": "1/1", - "linkerd-prometheus": "1/1", - "linkerd-sp-validator": "1/1", - "linkerd-web": "1/1", + "linkerd-controller": "1/1", + "linkerd-grafana": "1/1", + "linkerd-identity": "1/1", + "linkerd-prometheus": "1/1", + "linkerd-proxy-injector": "1/1", + "linkerd-sp-validator": "1/1", + "linkerd-web": "1/1", }, }, { @@ -107,7 +108,7 @@ func TestCliStatForLinkerdNamespace(t *testing.T) { { args: []string{"stat", "ns", TestHelper.GetLinkerdNamespace()}, expectedRows: map[string]string{ - TestHelper.GetLinkerdNamespace(): "6/6", + TestHelper.GetLinkerdNamespace(): "7/7", }, }, { diff --git a/test/testdata/inject.report.golden b/test/testdata/inject.report.golden deleted file mode 100644 index c7c5928fd..000000000 --- a/test/testdata/inject.report.golden +++ /dev/null @@ -1,6 +0,0 @@ - -deployment "smoke-test-terminus" injected -service "smoke-test-terminus-svc" skipped -deployment "smoke-test-gateway" injected -service "smoke-test-gateway-svc" skipped - diff --git a/testutil/test_helper.go b/testutil/test_helper.go index db6fd28ab..a9927a1e1 100644 --- a/testutil/test_helper.go +++ b/testutil/test_helper.go @@ -20,7 +20,6 @@ type TestHelper struct { linkerd string version string namespace string - autoInject bool upgradeFromVersion string httpClient http.Client KubernetesHelper @@ -37,7 +36,6 @@ func NewTestHelper() *TestHelper { k8sContext := flag.String("k8s-context", "", "kubernetes context associated with the test cluster") linkerd := flag.String("linkerd", "", "path to the linkerd binary to test") namespace := flag.String("linkerd-namespace", "l5d-integration", "the namespace where linkerd is installed") - autoInject := flag.Bool("proxy-auto-inject", false, "enable proxy sidecar auto-injection in tests") upgradeFromVersion := flag.String("upgrade-from-version", "", "when specified, the upgrade test uses it as the base version of the upgrade") runTests := flag.Bool("integration-tests", false, "must be provided to run the integration tests") verbose := flag.Bool("verbose", false, "turn on debug logging") @@ -69,7 +67,6 @@ func NewTestHelper() *TestHelper { testHelper := &TestHelper{ linkerd: *linkerd, namespace: *namespace, - autoInject: *autoInject, upgradeFromVersion: *upgradeFromVersion, } @@ -111,12 +108,6 @@ func (h *TestHelper) GetTestNamespace(testName string) string { return h.namespace + "-" + testName } -// AutoInject returns whether or not Proxy Auto Inject is enabled for the given -// test. -func (h *TestHelper) AutoInject() bool { - return h.autoInject -} - // UpgradeFromVersion returns the base version of the upgrade test. func (h *TestHelper) UpgradeFromVersion() string { return h.upgradeFromVersion