Add noop init container when the cni plugin is enabled (#9504)

Add a "noop" init container which uses the proxy image and runs `/bin/sleep 0` to injected pods.  This init container is only added when the linkerd-cni-plugin is enabled.  The idea here is that by running an init container, we trigger kubernetes to update the pod status.  In particular, this ensures that the pod status IP is populated, which is necessary in certain cases where other CNIs such as Calico are involved.

Therefore, this may fix https://github.com/linkerd/linkerd2/issues/9310, but I don't have a reproduction and therefore am not able to verify.

Signed-off-by: Alex Leong <alex@buoyant.io>

charts/linkerd-control-plane/templates/destination.yaml

@@ -302,8 +302,10 @@ spec:
         - mountPath: /var/run/linkerd/tls
           name: policy-tls
           readOnly: true
-      {{ if not .Values.cniEnabled -}}
       initContainers:
+      {{ if .Values.cniEnabled -}}
+      - {{- include "partials.noop" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ else -}}
       {{- /*
         The destination controller needs to connect to the Kubernetes API before the proxy is able
         to proxy requests, so we always skip these connections.

charts/linkerd-control-plane/templates/identity.yaml

@@ -199,8 +199,10 @@ spec:
       {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
       {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
       - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
-      {{ if not .Values.cniEnabled -}}
       initContainers:
+      {{ if .Values.cniEnabled -}}
+      - {{- include "partials.noop" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ else -}}
       {{- /*
         The identity controller needs to connect to the Kubernetes API before the proxy is able to
         proxy requests, so we always skip these connections. The identity controller makes no other

charts/linkerd-control-plane/templates/proxy-injector.yaml

@@ -106,8 +106,10 @@ spec:
         - mountPath: /var/run/linkerd/tls
           name: tls
           readOnly: true
-      {{ if not .Values.cniEnabled -}}
       initContainers:
+      {{ if .Values.cniEnabled -}}
+      - {{- include "partials.noop" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ else -}}
       - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
       {{ end -}}
       {{- if .Values.priorityClassName -}}

charts/partials/templates/_noop.tpl

@@ -0,0 +1,6 @@
+{{- define "partials.noop" -}}
+args:
+- -v
+image: gcr.io/google_containers/pause:3.2
+name: noop
+{{- end -}}

charts/patch/templates/patch.json

@@ -44,14 +44,14 @@
   },
   {{- end }}
   {{- end}}
-  {{- if and .Values.proxyInit (not .Values.cniEnabled) }}
   {{- if .Values.addRootInitContainers }}
   {
     "op": "add",
     "path": "{{$prefix}}/spec/initContainers",
     "value": []
   },
-  {{- end }}
+  {{- end}}
+  {{- if and .Values.proxyInit (not .Values.cniEnabled) }}
   {
     "op": "add",
     "path": "{{$prefix}}/spec/volumes/-",
@@ -66,6 +66,13 @@
     "value":
       {{- include "partials.proxy-init" . | fromYaml | toPrettyJson | nindent 6 }}
   },
+  {{- else if and .Values.proxy .Values.cniEnabled }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/spec/initContainers/-",
+    "value":
+      {{- include "partials.noop" . | fromYaml | toPrettyJson | nindent 6 }}
+  },
   {{- end }}
   {{- if .Values.debugContainer }}
   {

cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml

@@ -163,6 +163,11 @@ spec:
         ports:
         - containerPort: 80
           name: http
+      initContainers:
+      - args:
+        - -v
+        image: gcr.io/google_containers/pause:3.2
+        name: noop
       volumes:
       - emptyDir:
           medium: Memory

cli/cmd/testdata/install_no_init_container.golden

@@ -900,6 +900,11 @@ spec:
           name: linkerd-identity-end-entity
         - mountPath: /var/run/secrets/tokens
           name: linkerd-identity-token
+      initContainers:
+      - args:
+          - -v
+        image: gcr.io/google_containers/pause:3.2
+        name: noop
       serviceAccountName: linkerd-identity
       volumes:
       - name: identity-issuer
@@ -1283,6 +1288,11 @@ spec:
         - mountPath: /var/run/linkerd/tls
           name: policy-tls
           readOnly: true
+      initContainers:
+      - args:
+          - -v
+        image: gcr.io/google_containers/pause:3.2
+        name: noop
       serviceAccountName: linkerd-destination
       volumes:
       - name: sp-tls
@@ -1552,6 +1562,11 @@ spec:
         - mountPath: /var/run/linkerd/tls
           name: tls
           readOnly: true
+      initContainers:
+      - args:
+          - -v
+        image: gcr.io/google_containers/pause:3.2
+        name: noop
       serviceAccountName: linkerd-proxy-injector
       volumes:
       - configMap:

pkg/charts/charts.go

@@ -21,21 +21,22 @@ var (
 	// Keep this slice synced with the contents of /charts/partials
 	L5dPartials = []string{
 		"charts/partials/" + chartutil.ChartfileName,
-		"charts/partials/templates/_proxy.tpl",
+		"charts/partials/templates/_affinity.tpl",
+		"charts/partials/templates/_capabilities.tpl",
+		"charts/partials/templates/_debug.tpl",
+		"charts/partials/templates/_helpers.tpl",
+		"charts/partials/templates/_metadata.tpl",
+		"charts/partials/templates/_nodeselector.tpl",
+		"charts/partials/templates/_noop.tpl",
 		"charts/partials/templates/_proxy-config-ann.tpl",
 		"charts/partials/templates/_proxy-init.tpl",
-		"charts/partials/templates/_volumes.tpl",
-		"charts/partials/templates/_resources.tpl",
-		"charts/partials/templates/_metadata.tpl",
-		"charts/partials/templates/_helpers.tpl",
-		"charts/partials/templates/_debug.tpl",
-		"charts/partials/templates/_capabilities.tpl",
-		"charts/partials/templates/_trace.tpl",
-		"charts/partials/templates/_nodeselector.tpl",
-		"charts/partials/templates/_tolerations.tpl",
-		"charts/partials/templates/_affinity.tpl",
-		"charts/partials/templates/_validate.tpl",
+		"charts/partials/templates/_proxy.tpl",
 		"charts/partials/templates/_pull-secrets.tpl",
+		"charts/partials/templates/_resources.tpl",
+		"charts/partials/templates/_tolerations.tpl",
+		"charts/partials/templates/_trace.tpl",
+		"charts/partials/templates/_validate.tpl",
+		"charts/partials/templates/_volumes.tpl",
 	}
 )