linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Split proxy-init into separate repo (#2824) 

Split proxy-init into separate repo

Fixes #2563

The new repo is https://github.com/linkerd/linkerd2-proxy-init, and I
tagged the latest there `v1.0.0`.

Here, I've removed the `/proxy-init` dir and pinned the injected
proxy-init version to `v1.0.0` in the injector code and tests.

`/cni-plugin` depends on proxy-init, so I updated the import paths
there, and could verify CNI is still working (there is some flakiness
but unrelated to this PR).

For consistency, I added a `--init-image-version` flag to `linkerd
inject` along with its corresponding override config annotation.

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
This commit is contained in:
Alejandro Pedraza 2019-06-03 16:24:05 -05:00 committed by GitHub
parent 590249c66b
commit 74ca92ea25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
66 changed files with 233 additions and 1291 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
BUILD.md
View File

@ -39,8 +39,6 @@ written in Go. The dashboard UI is a React application.
clients such as `cli` and `web`, provides access to and control of the
Linkerd2 service mesh.
- [`tap`](controller/tap): Provides a live pipeline of requests.
- [`proxy-init`](proxy-init): Adds a Kubernetes pod to join the Linkerd2
Service Mesh.
- [`web`](web): Provides a UI dashboard to view and drive the control plane.
This component is written in Go and React.
@ -345,12 +343,8 @@ build_architecture
"controller/Dockerfile" [color=lightblue, style=filled, shape=rect];
"cli/Dockerfile-bin" [color=lightblue, style=filled, shape=rect];
"grafana/Dockerfile" [color=lightblue, style=filled, shape=rect];
"proxy-init/Dockerfile" [color=lightblue, style=filled, shape=rect];
"proxy-init/integration_test/iptables/Dockerfile-tester" [color=lightblue, style=filled, shape=rect];
"web/Dockerfile" [color=lightblue, style=filled, shape=rect];
"proxy-init/integration_test/run_tests.sh" -> "proxy-init/integration_test/iptables/Dockerfile-tester";
"_docker.sh" -> "_log.sh";
"_gcp.sh";
"_log.sh";
@ -367,7 +361,6 @@ build_architecture
"docker-build" -> "docker-build-controller";
"docker-build" -> "docker-build-grafana";
"docker-build" -> "docker-build-proxy";
"docker-build" -> "docker-build-proxy-init";
"docker-build" -> "docker-build-web";
"docker-build-base" -> "_docker.sh";
@ -397,12 +390,6 @@ build_architecture
"docker-build-proxy" -> "_tag.sh";
"docker-build-proxy" -> "Dockerfile-proxy";
"docker-build-proxy-init" -> "_docker.sh";
"docker-build-proxy-init" -> "_tag.sh";
"docker-build-proxy-init" -> "docker-build-base";
"docker-build-proxy-init" -> "docker-build-go-deps";
"docker-build-proxy-init" -> "proxy-init/Dockerfile";
"docker-build-web" -> "_docker.sh";
"docker-build-web" -> "_tag.sh";
"docker-build-web" -> "docker-build-base";
@ -461,7 +448,6 @@ build_architecture
"update-go-deps-shas" -> "cli/Dockerfile-bin";
"update-go-deps-shas" -> "controller/Dockerfile";
"update-go-deps-shas" -> "grafana/Dockerfile";
"update-go-deps-shas" -> "proxy-init/Dockerfile";
"update-go-deps-shas" -> "web/Dockerfile";
"web" -> "go-run";

2
Dockerfile-proxy
View File

@ -11,7 +11,7 @@ RUN (proxy=$(bin/fetch-proxy $PROXY_VERSION) && \
echo "$version" >version.txt)
## compile proxy-identity agent
FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang
FROM gcr.io/linkerd-io/go-deps:22013b76 as golang
WORKDIR /go/src/github.com/linkerd/linkerd2
ENV CGO_ENABLED=0 GOOS=linux
COPY pkg/flags pkg/flags

13
Gopkg.lock
View File

@ -429,6 +429,17 @@
revision = "be7667cfd0cca15b55724949f4e625ddf49f740f"
version = "v0.1.7"
[[projects]]
digest = "1:ee5461d303279aa5cab1f39aa1fd977bcd6072418e343563aa338ec83d5b1491"
name = "github.com/linkerd/linkerd2-proxy-init"
packages = [
"cmd",
"iptables",
]
pruneopts = ""
revision = "458ed04ebd1d23db106200b49afb65fc7f6db47b"
version = "v1.0.0"
[[projects]]
branch = "master"
digest = "1:212bebc561f4f654a653225868b2a97353cd5e160dc0b0bbc7232b06608474ec"
@ -1277,6 +1288,8 @@
"github.com/linkerd/linkerd2-proxy-api/go/identity",
"github.com/linkerd/linkerd2-proxy-api/go/net",
"github.com/linkerd/linkerd2-proxy-api/go/tap",
"github.com/linkerd/linkerd2-proxy-init/cmd",
"github.com/linkerd/linkerd2-proxy-init/iptables",
"github.com/mattn/go-isatty",
"github.com/mattn/go-runewidth",
"github.com/nsf/termbox-go",

5
Gopkg.toml
View File

@ -11,6 +11,11 @@ required = [
name = "github.com/linkerd/linkerd2-proxy-api"
version = "v0.1.7"
[[constraint]]
name = "github.com/linkerd/linkerd2-proxy-init"
# This has to be kept in sync with ProxyInitVersion in pkg/version/version.go
version = "v1.0.0"
[[constraint]]
name = "google.golang.org/grpc"
version = "1.7.0"

22
TEST.md
View File

@ -17,7 +17,6 @@ of this repo, unless otherwise indicated by a `cd` command.
- [Prerequisites](#prerequisites)
- [Running tests](#running-tests)
- [Writing tests](#writing-tests)
- [Integration tests: proxy-init](#integration-tests-proxy-init)
# Unit tests
@ -297,27 +296,6 @@ your own tests, view the `testutil` package's godoc, with:
$ godoc github.com/linkerd/linkerd2/testutil | less
```
# Integration tests: proxy-init
The `proxy-init/` directory contains a separate set of integration tests, which
can be run in your Kubernetes cluster. The instructions below assume that you
are using [minikube](https://github.com/kubernetes/minikube).
Start by building and tagging the `proxy-init` image required for the test:
```bash
DOCKER_TRACE=1 bin/mkube bin/docker-build-proxy-init
bin/mkube docker tag gcr.io/linkerd-io/proxy-init:`bin/root-tag` gcr.io/linkerd-io/proxy-init:latest
```
The run the tests with:
```bash
cd proxy-init/integration_test
eval $(minikube docker-env)
./run_tests.sh
```
# Scale tests
The scale tests deploy a single Linkerd control-plane, and then scale up

1
bin/docker-build
View File

@ -12,7 +12,6 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
$bindir/docker-build-proxy
$bindir/docker-build-controller
$bindir/docker-build-web
$bindir/docker-build-proxy-init
$bindir/docker-build-cni-plugin
$bindir/docker-build-debug
if [ -z "${LINKERD_LOCAL_BUILD_CLI:-}" ]; then

25
bin/docker-build-proxy-init
View File

@ -1,25 +0,0 @@
#!/bin/bash
set -eu
if [ $# -ne 0 ]; then
echo "no arguments allowed for $(basename $0), given: $@" >&2
exit 64
fi
bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
rootdir="$( cd $bindir/.. && pwd )"
. $bindir/_docker.sh
. $bindir/_tag.sh
dockerfile=$rootdir/proxy-init/Dockerfile
validate_go_deps_tag $dockerfile
(
$bindir/docker-build-base
$bindir/docker-build-go-deps
) >/dev/null
docker_build proxy-init "$(head_root_tag)" $dockerfile

2
bin/docker-images
View File

@ -16,7 +16,7 @@ docker_image() {
tag=$(head_root_tag)
for img in cli-bin cni-plugin controller debug grafana proxy proxy-init web ; do
for img in cli-bin cni-plugin controller debug grafana proxy web ; do
docker_image "$img" "$tag"
done

2
bin/docker-pull
View File

@ -13,6 +13,6 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $bindir/_docker.sh
for img in cli-bin cni-plugin controller debug grafana proxy proxy-init web ; do
for img in cli-bin cni-plugin controller debug grafana proxy web ; do
docker_pull "$img" "$tag"
done

2
bin/docker-push
View File

@ -13,6 +13,6 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $bindir/_docker.sh
for img in cli-bin cni-plugin controller debug grafana proxy proxy-init web ; do
for img in cli-bin cni-plugin controller debug grafana proxy web ; do
docker_push "$img" "$tag"
done

2
bin/docker-retag-all
View File

@ -13,6 +13,6 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $bindir/_docker.sh
for img in cli-bin cni-plugin controller debug grafana proxy proxy-init web ; do
for img in cli-bin cni-plugin controller debug grafana proxy web ; do
docker_retag "$img" "$from" "$to"
done

2
cli/Dockerfile-bin
View File

@ -1,5 +1,5 @@
## compile binaries
FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang
FROM gcr.io/linkerd-io/go-deps:22013b76 as golang
WORKDIR /go/src/github.com/linkerd/linkerd2
COPY cli cli
COPY chart chart

5
cli/cmd/inject.go
View File

@ -366,6 +366,11 @@ func (options *proxyConfigOptions) overrideConfigs(configs *cfg.All, overrideAnn
overrideAnnotations[k8s.ProxyInitImageAnnotation] = configs.Proxy.ProxyInitImage.ImageName
}
if options.initImageVersion != "" {
configs.Proxy.ProxyInitImageVersion = options.initImageVersion
overrideAnnotations[k8s.ProxyInitImageVersionAnnotation] = configs.Proxy.ProxyInitImageVersion
}
if options.imagePullPolicy != "" {
configs.Proxy.ProxyImage.PullPolicy = options.imagePullPolicy
configs.Proxy.ProxyInitImage.PullPolicy = options.imagePullPolicy

2
cli/cmd/install.go
View File

@ -178,6 +178,7 @@ func newInstallOptionsWithDefaults() *installOptions {
ignoreCluster: false,
proxyImage: defaultDockerRegistry + "/proxy",
initImage: defaultDockerRegistry + "/proxy-init",
initImageVersion: version.ProxyInitVersion,
dockerRegistry: defaultDockerRegistry,
imagePullPolicy: "IfNotPresent",
ignoreInboundPorts: nil,
@ -801,6 +802,7 @@ func (options *installOptions) proxyConfig() *pb.Proxy {
},
DisableExternalProfiles: !options.enableExternalProfiles,
ProxyVersion: options.proxyVersion,
ProxyInitImageVersion: options.initImageVersion,
}
}

6
cli/cmd/root.go
View File

@ -178,6 +178,7 @@ type proxyConfigOptions struct {
proxyVersion string
proxyImage string
initImage string
initImageVersion string
dockerRegistry string
imagePullPolicy string
ignoreInboundPorts []uint
@ -204,6 +205,10 @@ func (options *proxyConfigOptions) validate() error {
return fmt.Errorf("%s is not a valid version", options.proxyVersion)
}
if options.initImageVersion != "" && !alphaNumDashDot.MatchString(options.initImageVersion) {
return fmt.Errorf("%s is not a valid version", options.initImageVersion)
}
if options.dockerRegistry != "" && !alphaNumDashDotSlashColon.MatchString(options.dockerRegistry) {
return fmt.Errorf("%s is not a valid Docker registry. The url can contain only letters, numbers, dash, dot, slash and colon", options.dockerRegistry)
}
@ -269,6 +274,7 @@ func (options *proxyConfigOptions) flagSet(e pflag.ErrorHandling) *pflag.FlagSet
flags.StringVarP(&options.proxyVersion, "proxy-version", "v", options.proxyVersion, "Tag to be used for the Linkerd proxy images")
flags.StringVar(&options.proxyImage, "proxy-image", options.proxyImage, "Linkerd proxy container image name")
flags.StringVar(&options.initImage, "init-image", options.initImage, "Linkerd init container image name")
flags.StringVar(&options.initImageVersion, "init-image-version", options.initImageVersion, "Linkerd init container image version")
flags.StringVar(&options.dockerRegistry, "registry", options.dockerRegistry, "Docker registry to pull images from")
flags.StringVar(&options.imagePullPolicy, "image-pull-policy", options.imagePullPolicy, "Docker image pull policy")
flags.UintVar(&options.proxyInboundPort, "inbound-port", options.proxyInboundPort, "Proxy port to use for inbound traffic")

2
cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml vendored
View File

@ -119,7 +119,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

4
cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml vendored
View File

@ -119,7 +119,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -264,7 +264,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml vendored
View File

@ -119,7 +119,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

8
cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml vendored
View File

@ -130,7 +130,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -286,7 +286,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -442,7 +442,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -598,7 +598,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment.golden.yml vendored
View File

@ -130,7 +130,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_config_overrides.golden.yml vendored
View File

@ -149,7 +149,7 @@ spec:
- 7777,8888,4190,9998
- --outbound-ports-to-ignore
- "9999"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

4
cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml vendored
View File

@ -130,7 +130,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -286,7 +286,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml vendored
View File

@ -136,7 +136,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_empty_proxy_version_config.golden.yml vendored
View File

@ -130,7 +130,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml vendored
View File

@ -130,7 +130,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_empty_version_config.golden.yml vendored
View File

@ -130,7 +130,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:dev-undefined
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml vendored
View File

@ -131,7 +131,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml vendored
View File

@ -131,7 +131,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,1234
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml vendored
View File

@ -132,7 +132,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

4
cli/cmd/testdata/inject_emojivoto_list.golden.yml vendored
View File

@ -132,7 +132,7 @@ items:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -282,7 +282,7 @@ items:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

4
cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml vendored
View File

@ -132,7 +132,7 @@ items:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -282,7 +282,7 @@ items:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_pod.golden.yml vendored
View File

@ -113,7 +113,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml vendored
View File

@ -119,7 +119,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml vendored
View File

@ -130,7 +130,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:test-inject-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

4
cli/cmd/testdata/inject_gettest_deployment.good.golden.yml vendored
View File

@ -132,7 +132,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -290,7 +290,7 @@ spec:
- "2102"
- --inbound-ports-to-ignore
- 4190,4191
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

18
cli/cmd/testdata/install_control-plane.golden vendored
View File

@ -12,7 +12,7 @@ data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"}
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.0.0"}
install: |
{"uuid":"deaab91a-f4ab-448a-b7d1-c832a2fa0a60","cliVersion":"dev-undefined","flags":[]}
---
@ -201,7 +201,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -452,7 +452,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -654,7 +654,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -946,7 +946,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1201,7 +1201,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1393,7 +1393,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1613,7 +1613,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1808,7 +1808,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

18
cli/cmd/testdata/install_default.golden vendored
View File

@ -437,7 +437,7 @@ data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"}
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.0.0"}
install: |
{"uuid":"deaab91a-f4ab-448a-b7d1-c832a2fa0a60","cliVersion":"dev-undefined","flags":[]}
---
@ -626,7 +626,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -877,7 +877,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1079,7 +1079,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1371,7 +1371,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1626,7 +1626,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1818,7 +1818,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2038,7 +2038,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2233,7 +2233,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

18
cli/cmd/testdata/install_ha_output.golden vendored
View File

@ -437,7 +437,7 @@ data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"100m","requestMemory":"20Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"}
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"100m","requestMemory":"20Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.0.0"}
install: |
{"uuid":"deaab91a-f4ab-448a-b7d1-c832a2fa0a60","cliVersion":"dev-undefined","flags":[{"name":"ha","value":"true"}]}
---
@ -632,7 +632,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -892,7 +892,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1100,7 +1100,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1398,7 +1398,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1659,7 +1659,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1857,7 +1857,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2083,7 +2083,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2284,7 +2284,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

18
cli/cmd/testdata/install_ha_with_overrides_output.golden vendored
View File

@ -437,7 +437,7 @@ data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"400m","requestMemory":"300Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"}
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"400m","requestMemory":"300Mi","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.0.0"}
install: |
{"uuid":"deaab91a-f4ab-448a-b7d1-c832a2fa0a60","cliVersion":"dev-undefined","flags":[{"name":"ha","value":"true"},{"name":"controller-replicas","value":"2"},{"name":"proxy-cpu-request","value":"400m"},{"name":"proxy-memory-request","value":"300Mi"}]}
---
@ -632,7 +632,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -892,7 +892,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1100,7 +1100,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1398,7 +1398,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1659,7 +1659,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1857,7 +1857,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2083,7 +2083,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2284,7 +2284,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/testdata/install_no_init_container.golden vendored
View File

@ -437,7 +437,7 @@ data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":true,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"}
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.0.0"}
install: |
{"uuid":"deaab91a-f4ab-448a-b7d1-c832a2fa0a60","cliVersion":"dev-undefined","flags":[{"name":"linkerd-cni-enabled","value":"true"}]}
---

16
cli/cmd/testdata/install_output.golden vendored
View File

@ -594,7 +594,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -810,7 +810,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -977,7 +977,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1234,7 +1234,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1454,7 +1454,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1611,7 +1611,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1796,7 +1796,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1956,7 +1956,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

18
cli/cmd/testdata/upgrade_default.golden vendored
View File

@ -437,7 +437,7 @@ data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"UPGRADE-CONTROL-PLANE-VERSION","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0\neS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDA0MjM1MzM3WhcNMjAwNDAz\nMjM1MzU3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j\nYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+Sb5X4wi4XP0X3rJwMp23VBdg\nEMMU8EU+KG8UI2LmC5Vjg5RWLOW6BJjBmjXViKM+b+1/oKAeOg6FrJk8qyFlo0Iw\nQDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKUFG3sYOS++bakW\nYmJZU45iCdTLtaelMDSFiHoC9eBKAiBDWzzo+/CYLLmn33bAEn8pQnogP4Fx06aj\n+U9K4WlbzA==\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"UPGRADE-PROXY-VERSION"}
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"UPGRADE-PROXY-VERSION","proxyInitImageVersion":"v1.0.0"}
install: |
{"uuid":"57af298c-58b0-43fc-8d88-3c338789bfbc","cliVersion":"dev-undefined","flags":[]}
---
@ -627,7 +627,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -879,7 +879,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1082,7 +1082,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1375,7 +1375,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1631,7 +1631,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -1824,7 +1824,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2045,7 +2045,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
@ -2241,7 +2241,7 @@ spec:
- 4190,4191
- --outbound-ports-to-ignore
- "443"
image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
image: gcr.io/linkerd-io/proxy-init:v1.0.0
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:

2
cli/cmd/upgrade_test.go
View File

@ -187,7 +187,7 @@ data:
global: |
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
proxy: |
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"}
{"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version", "proxy_init_image_version":"v1.0.0"}
install: |
{"uuid":"deaab91a-f4ab-448a-b7d1-c832a2fa0a60","cliVersion":"dev-undefined","flags":[]}`,
},

3
cni-plugin/Dockerfile
View File

@ -1,7 +1,6 @@
## compile cni-plugin utility
FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang
FROM gcr.io/linkerd-io/go-deps:22013b76 as golang
WORKDIR /go/src/github.com/linkerd/linkerd2
COPY proxy-init proxy-init
COPY pkg pkg
COPY controller controller
COPY cni-plugin cni-plugin

4
cni-plugin/main.go
View File

@ -28,9 +28,9 @@ import (
"github.com/containernetworking/cni/pkg/types"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/cni/pkg/version"
"github.com/linkerd/linkerd2-proxy-init/cmd"
"github.com/linkerd/linkerd2-proxy-init/iptables"
"github.com/linkerd/linkerd2/pkg/k8s"
"github.com/linkerd/linkerd2/proxy-init/cmd"
"github.com/linkerd/linkerd2/proxy-init/iptables"
"github.com/projectcalico/libcalico-go/lib/logutils"
"github.com/sirupsen/logrus"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

2
controller/Dockerfile
View File

@ -1,5 +1,5 @@
## compile controller services
FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang
FROM gcr.io/linkerd-io/go-deps:22013b76 as golang
WORKDIR /go/src/github.com/linkerd/linkerd2
COPY controller/gen controller/gen
COPY pkg pkg

157
controller/gen/config/config.pb.go generated
View File

@ -32,7 +32,7 @@ func (m *All) Reset() { *m = All{} }
func (m *All) String() string { return proto.CompactTextString(m) }
func (*All) ProtoMessage() {}
func (*All) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{0}
return fileDescriptor_config_aebc9ed7060f39b6, []int{0}
}
func (m *All) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_All.Unmarshal(m, b)
@ -76,7 +76,7 @@ func (m *All) GetInstall() *Install {
type Global struct {
LinkerdNamespace string `protobuf:"bytes,1,opt,name=linkerd_namespace,json=linkerdNamespace,proto3" json:"linkerd_namespace,omitempty"`
CniEnabled bool `protobuf:"varint,2,opt,name=cni_enabled,json=cniEnabled,proto3" json:"cni_enabled,omitempty"`
// Control plane and proxy-init version
// Control plane version
Version string `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"`
// If present, configures identity.
IdentityContext *IdentityContext `protobuf:"bytes,4,opt,name=identity_context,json=identityContext,proto3" json:"identity_context,omitempty"`
@ -90,7 +90,7 @@ func (m *Global) Reset() { *m = Global{} }
func (m *Global) String() string { return proto.CompactTextString(m) }
func (*Global) ProtoMessage() {}
func (*Global) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{1}
return fileDescriptor_config_aebc9ed7060f39b6, []int{1}
}
func (m *Global) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_Global.Unmarshal(m, b)
@ -160,6 +160,7 @@ type Proxy struct {
LogLevel *LogLevel `protobuf:"bytes,11,opt,name=log_level,json=logLevel,proto3" json:"log_level,omitempty"`
DisableExternalProfiles bool `protobuf:"varint,12,opt,name=disable_external_profiles,json=disableExternalProfiles,proto3" json:"disable_external_profiles,omitempty"`
ProxyVersion string `protobuf:"bytes,13,opt,name=proxy_version,json=proxyVersion,proto3" json:"proxy_version,omitempty"`
ProxyInitImageVersion string `protobuf:"bytes,14,opt,name=proxy_init_image_version,json=proxyInitImageVersion,proto3" json:"proxy_init_image_version,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
@ -169,7 +170,7 @@ func (m *Proxy) Reset() { *m = Proxy{} }
func (m *Proxy) String() string { return proto.CompactTextString(m) }
func (*Proxy) ProtoMessage() {}
func (*Proxy) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{2}
return fileDescriptor_config_aebc9ed7060f39b6, []int{2}
}
func (m *Proxy) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_Proxy.Unmarshal(m, b)
@ -280,6 +281,13 @@ func (m *Proxy) GetProxyVersion() string {
return ""
}
func (m *Proxy) GetProxyInitImageVersion() string {
if m != nil {
return m.ProxyInitImageVersion
}
return ""
}
type Image struct {
ImageName string `protobuf:"bytes,1,opt,name=image_name,json=imageName,proto3" json:"image_name,omitempty"`
PullPolicy string `protobuf:"bytes,2,opt,name=pull_policy,json=pullPolicy,proto3" json:"pull_policy,omitempty"`
@ -292,7 +300,7 @@ func (m *Image) Reset() { *m = Image{} }
func (m *Image) String() string { return proto.CompactTextString(m) }
func (*Image) ProtoMessage() {}
func (*Image) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{3}
return fileDescriptor_config_aebc9ed7060f39b6, []int{3}
}
func (m *Image) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_Image.Unmarshal(m, b)
@ -337,7 +345,7 @@ func (m *Port) Reset() { *m = Port{} }
func (m *Port) String() string { return proto.CompactTextString(m) }
func (*Port) ProtoMessage() {}
func (*Port) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{4}
return fileDescriptor_config_aebc9ed7060f39b6, []int{4}
}
func (m *Port) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_Port.Unmarshal(m, b)
@ -378,7 +386,7 @@ func (m *ResourceRequirements) Reset() { *m = ResourceRequirements{} }
func (m *ResourceRequirements) String() string { return proto.CompactTextString(m) }
func (*ResourceRequirements) ProtoMessage() {}
func (*ResourceRequirements) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{5}
return fileDescriptor_config_aebc9ed7060f39b6, []int{5}
}
func (m *ResourceRequirements) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_ResourceRequirements.Unmarshal(m, b)
@ -437,7 +445,7 @@ func (m *AutoInjectContext) Reset() { *m = AutoInjectContext{} }
func (m *AutoInjectContext) String() string { return proto.CompactTextString(m) }
func (*AutoInjectContext) ProtoMessage() {}
func (*AutoInjectContext) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{6}
return fileDescriptor_config_aebc9ed7060f39b6, []int{6}
}
func (m *AutoInjectContext) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_AutoInjectContext.Unmarshal(m, b)
@ -471,7 +479,7 @@ func (m *IdentityContext) Reset() { *m = IdentityContext{} }
func (m *IdentityContext) String() string { return proto.CompactTextString(m) }
func (*IdentityContext) ProtoMessage() {}
func (*IdentityContext) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{7}
return fileDescriptor_config_aebc9ed7060f39b6, []int{7}
}
func (m *IdentityContext) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_IdentityContext.Unmarshal(m, b)
@ -530,7 +538,7 @@ func (m *LogLevel) Reset() { *m = LogLevel{} }
func (m *LogLevel) String() string { return proto.CompactTextString(m) }
func (*LogLevel) ProtoMessage() {}
func (*LogLevel) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{8}
return fileDescriptor_config_aebc9ed7060f39b6, []int{8}
}
func (m *LogLevel) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_LogLevel.Unmarshal(m, b)
@ -577,7 +585,7 @@ func (m *Install) Reset() { *m = Install{} }
func (m *Install) String() string { return proto.CompactTextString(m) }
func (*Install) ProtoMessage() {}
func (*Install) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{9}
return fileDescriptor_config_aebc9ed7060f39b6, []int{9}
}
func (m *Install) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_Install.Unmarshal(m, b)
@ -630,7 +638,7 @@ func (m *Install_Flag) Reset() { *m = Install_Flag{} }
func (m *Install_Flag) String() string { return proto.CompactTextString(m) }
func (*Install_Flag) ProtoMessage() {}
func (*Install_Flag) Descriptor() ([]byte, []int) {
return fileDescriptor_config_42b83b762b43f0a0, []int{9, 0}
return fileDescriptor_config_aebc9ed7060f39b6, []int{9, 0}
}
func (m *Install_Flag) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_Install_Flag.Unmarshal(m, b)
@ -678,67 +686,68 @@ func init() {
proto.RegisterType((*Install_Flag)(nil), "linkerd2.config.Install.Flag")
}
func init() { proto.RegisterFile("config/config.proto", fileDescriptor_config_42b83b762b43f0a0) }
func init() { proto.RegisterFile("config/config.proto", fileDescriptor_config_aebc9ed7060f39b6) }
var fileDescriptor_config_42b83b762b43f0a0 = []byte{
// 938 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x55, 0x5d, 0x6f, 0x23, 0x35,
0x14, 0x55, 0xbe, 0xda, 0xe4, 0x26, 0xd9, 0x36, 0x6e, 0x97, 0x4e, 0x8b, 0x16, 0xc2, 0xa0, 0x95,
0x56, 0x80, 0x12, 0x68, 0x11, 0xac, 0xfa, 0x44, 0xf6, 0xab, 0x8a, 0xb6, 0x40, 0x65, 0xc4, 0x3e,
0xf0, 0x32, 0x9a, 0xcc, 0x38, 0xb3, 0xa6, 0x1e, 0x3b, 0xeb, 0xf1, 0xb4, 0xdd, 0x1f, 0x82, 0xc4,
0x13, 0x6f, 0xfc, 0xc4, 0x7d, 0x47, 0xbe, 0xf6, 0x94, 0xb6, 0xb3, 0xcd, 0xd3, 0xd8, 0xe7, 0x9e,
0x73, 0x7c, 0xc7, 0xbe, 0xbe, 0x86, 0x9d, 0x44, 0xc9, 0x25, 0xcf, 0xa6, 0xee, 0x33, 0x59, 0x69,
0x65, 0x14, 0xd9, 0x12, 0x5c, 0x9e, 0x33, 0x9d, 0x1e, 0x4e, 0x1c, 0x7c, 0xf0, 0x59, 0xa6, 0x54,
0x26, 0xd8, 0x14, 0xc3, 0x8b, 0x72, 0x39, 0x4d, 0x4b, 0x1d, 0x1b, 0xae, 0xa4, 0x13, 0x84, 0x7f,
0x37, 0xa0, 0x35, 0x13, 0x82, 0x4c, 0x61, 0x23, 0x13, 0x6a, 0x11, 0x8b, 0xa0, 0x31, 0x6e, 0x3c,
0xe9, 0x1f, 0xee, 0x4d, 0xee, 0x38, 0x4d, 0x4e, 0x30, 0x4c, 0x3d, 0x8d, 0x7c, 0x03, 0x9d, 0x95,
0x56, 0x57, 0xef, 0x83, 0x26, 0xf2, 0x3f, 0xa9, 0xf1, 0xcf, 0x6c, 0x94, 0x3a, 0x12, 0x39, 0x84,
0x4d, 0x2e, 0x0b, 0x13, 0x0b, 0x11, 0xb4, 0x90, 0x1f, 0xd4, 0xf8, 0x73, 0x17, 0xa7, 0x15, 0x31,
0xfc, 0xab, 0x09, 0x1b, 0x6e, 0x51, 0xf2, 0x35, 0x8c, 0x3c, 0x3d, 0x92, 0x71, 0xce, 0x8a, 0x55,
0x9c, 0x30, 0x4c, 0xb4, 0x47, 0xb7, 0x7d, 0xe0, 0x97, 0x0a, 0x27, 0x9f, 0x43, 0x3f, 0x91, 0x3c,
0x62, 0x32, 0x5e, 0x08, 0x96, 0x62, 0x7e, 0x5d, 0x0a, 0x89, 0xe4, 0x2f, 0x1d, 0x42, 0x02, 0xd8,
0xbc, 0x60, 0xba, 0xe0, 0x4a, 0x62, 0x32, 0x3d, 0x5a, 0x4d, 0xc9, 0x6b, 0xd8, 0xe6, 0x29, 0x93,
0x86, 0x9b, 0xf7, 0x51, 0xa2, 0xa4, 0x61, 0x57, 0x26, 0x68, 0x63, 0xbe, 0xe3, 0x7a, 0xbe, 0x9e,
0xf8, 0xdc, 0xf1, 0xe8, 0x16, 0xbf, 0x0d, 0x90, 0x37, 0xb0, 0x13, 0x97, 0x46, 0x45, 0x5c, 0xfe,
0xc9, 0x12, 0x73, 0xed, 0xb7, 0x81, 0x7e, 0x61, 0xcd, 0x6f, 0x56, 0x1a, 0x35, 0x47, 0xaa, 0x37,
0x78, 0xd6, 0x0c, 0x1a, 0x74, 0x14, 0xdf, 0x85, 0xc3, 0x0f, 0x1d, 0xe8, 0xe0, 0xe6, 0x92, 0x1f,
0xa1, 0x8f, 0xdb, 0x1b, 0xf1, 0x3c, 0xce, 0x98, 0x3f, 0xb9, 0xfa, 0x49, 0xcc, 0x6d, 0x94, 0x02,
0x52, 0x71, 0x4c, 0x7e, 0x82, 0x6d, 0x2f, 0x94, 0xdc, 0x78, 0x75, 0x73, 0xad, 0xfa, 0x81, 0x53,
0x4b, 0x6e, 0x9c, 0xc3, 0x53, 0x18, 0xd8, 0x1f, 0xd2, 0x4a, 0x44, 0x2b, 0xa5, 0x8d, 0x3f, 0xd5,
0x87, 0xf5, 0x2a, 0x50, 0xda, 0xd0, 0xbe, 0xa7, 0xda, 0x09, 0x39, 0x81, 0x5d, 0x9e, 0x49, 0xa5,
0x59, 0xc4, 0xe5, 0x42, 0x95, 0x32, 0x45, 0x83, 0x22, 0x68, 0x8f, 0x5b, 0xf7, 0x3b, 0x10, 0x27,
0x99, 0x3b, 0x85, 0x85, 0x0a, 0x32, 0x87, 0x87, 0xde, 0x48, 0x95, 0xe6, 0xa6, 0x53, 0x67, 0x9d,
0xd3, 0x8e, 0xd3, 0xfc, 0xea, 0x25, 0xce, 0xea, 0x29, 0x0c, 0x6e, 0x26, 0xe3, 0xcf, 0xe8, 0xbe,
0xbf, 0xe1, 0xff, 0x67, 0x41, 0xbe, 0x07, 0x88, 0xd3, 0x9c, 0x4b, 0xa7, 0xdb, 0x5c, 0xa7, 0xeb,
0x21, 0x11, 0x55, 0xc7, 0x30, 0xbc, 0x95, 0x73, 0xd0, 0x5d, 0x27, 0x1c, 0xa8, 0x1b, 0xc9, 0x92,
0x19, 0x74, 0x35, 0x2b, 0x54, 0xa9, 0x13, 0x16, 0xf4, 0x50, 0xf6, 0xb8, 0x26, 0xa3, 0x9e, 0x40,
0xd9, 0xbb, 0x92, 0x6b, 0x96, 0x33, 0x69, 0x0a, 0x7a, 0x2d, 0x23, 0x9f, 0x42, 0xcf, 0x1d, 0x7f,
0xc9, 0xd3, 0x00, 0xc6, 0x8d, 0x27, 0x2d, 0xda, 0x45, 0xe0, 0x77, 0x9e, 0x92, 0x1f, 0xa0, 0x27,
0x54, 0x16, 0x09, 0x76, 0xc1, 0x44, 0xd0, 0xc7, 0x05, 0xf6, 0x6b, 0x0b, 0x9c, 0xaa, 0xec, 0xd4,
0x12, 0x68, 0x57, 0xf8, 0x11, 0x39, 0x86, 0xfd, 0x94, 0x17, 0xf6, 0x86, 0x45, 0xec, 0xca, 0x30,
0x2d, 0x63, 0x11, 0xad, 0xb4, 0x5a, 0x72, 0xc1, 0x8a, 0x60, 0x80, 0x97, 0x70, 0xcf, 0x13, 0x5e,
0xfa, 0xf8, 0x99, 0x0f, 0x93, 0x2f, 0x61, 0xe8, 0x12, 0xaa, 0xee, 0xe5, 0x10, 0xef, 0xe5, 0x00,
0xc1, 0x37, 0x0e, 0x0b, 0x4f, 0xa0, 0xe3, 0x6a, 0xef, 0x11, 0x00, 0x96, 0x2c, 0xf6, 0x02, 0xdf,
0x06, 0x7a, 0x88, 0xd8, 0x26, 0x60, 0xef, 0xff, 0xaa, 0x14, 0xb6, 0x2e, 0x05, 0x4f, 0x5c, 0x7f,
0xea, 0x51, 0xb0, 0xd0, 0x19, 0x22, 0xe1, 0x01, 0xb4, 0x71, 0x27, 0x09, 0xb4, 0x71, 0xf3, 0xad,
0xc3, 0x90, 0xe2, 0x38, 0xfc, 0xa7, 0x01, 0xbb, 0x1f, 0xdb, 0x3d, 0xeb, 0xaa, 0xd9, 0xbb, 0x92,
0x15, 0x26, 0x4a, 0x56, 0xa5, 0x5f, 0x15, 0x3c, 0xf4, 0x7c, 0x55, 0x92, 0xc7, 0xf0, 0xa0, 0x22,
0xe4, 0x2c, 0x57, 0xba, 0x5a, 0x79, 0xe8, 0xd1, 0x9f, 0x11, 0xb4, 0x7b, 0x2f, 0x78, 0xce, 0x9d,
0x8b, 0x6b, 0x3f, 0x5d, 0x04, 0xac, 0xc7, 0x17, 0x30, 0x70, 0x41, 0xef, 0xd0, 0xc6, 0x78, 0x1f,
0x31, 0xa7, 0x0f, 0xf7, 0x60, 0x54, 0xeb, 0x14, 0xc7, 0xcd, 0xa0, 0x11, 0x7e, 0x68, 0xc0, 0xd6,
0x9d, 0x9e, 0x64, 0xfd, 0x8c, 0x2e, 0x0b, 0x13, 0xa5, 0x2a, 0x8f, 0xb9, 0xf4, 0x59, 0xf7, 0x11,
0x7b, 0x81, 0x10, 0xf9, 0x0a, 0x46, 0x8e, 0x12, 0xcb, 0xe4, 0xad, 0xd2, 0x45, 0xb4, 0x62, 0xb9,
0xcf, 0x7c, 0x0b, 0x03, 0x33, 0x87, 0x9f, 0xb1, 0x9c, 0xbc, 0x82, 0x11, 0x2f, 0x8a, 0x32, 0x96,
0x09, 0x8b, 0x04, 0x5f, 0x32, 0xc3, 0x73, 0xe6, 0x6f, 0xfe, 0xfe, 0xc4, 0x3d, 0x34, 0x93, 0xea,
0xa1, 0x99, 0xbc, 0xf0, 0x0f, 0x0d, 0xdd, 0xae, 0x34, 0xa7, 0x5e, 0x42, 0x5e, 0xc3, 0x6e, 0x22,
0x54, 0x72, 0x1e, 0x15, 0xe7, 0xec, 0x32, 0x8a, 0x85, 0x50, 0x97, 0x36, 0xee, 0x5b, 0xed, 0x1a,
0x2b, 0x82, 0xb2, 0xdf, 0xce, 0xd9, 0xe5, 0xac, 0x12, 0x85, 0x63, 0xe8, 0x56, 0xd5, 0x48, 0x76,
0xa1, 0xe3, 0xea, 0xd6, 0xfd, 0xa8, 0x9b, 0x84, 0xff, 0x36, 0x60, 0xd3, 0xbf, 0x2e, 0xf6, 0xcc,
0x4b, 0x5b, 0xf5, 0x8e, 0x80, 0x63, 0x7c, 0x30, 0x04, 0xbf, 0xae, 0x3d, 0x5f, 0x30, 0x89, 0xe0,
0xbe, 0xf2, 0xc8, 0x11, 0x74, 0x96, 0x22, 0xce, 0x8a, 0xa0, 0x85, 0x9d, 0xe5, 0xd1, 0x7d, 0x6f,
0xd7, 0xe4, 0x95, 0x88, 0x33, 0xea, 0xb8, 0x07, 0xdf, 0x42, 0xdb, 0x4e, 0xed, 0x8a, 0x37, 0xea,
0x14, 0xc7, 0x36, 0xcf, 0x8b, 0x58, 0x94, 0xcc, 0xaf, 0xe5, 0x26, 0xcf, 0x8e, 0xfe, 0xf8, 0x2e,
0xe3, 0xe6, 0x6d, 0xb9, 0x98, 0x24, 0x2a, 0x9f, 0xfa, 0x35, 0xaa, 0xef, 0xe1, 0xd4, 0x37, 0x51,
0xc1, 0xf4, 0x34, 0x63, 0xd2, 0xbf, 0xfb, 0x8b, 0x0d, 0xdc, 0xa5, 0xa3, 0xff, 0x02, 0x00, 0x00,
0xff, 0xff, 0xd2, 0x4a, 0xdf, 0x3e, 0x0f, 0x08, 0x00, 0x00,
var fileDescriptor_config_aebc9ed7060f39b6 = []byte{
// 954 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x56, 0xcf, 0x6f, 0x23, 0x35,
0x14, 0x56, 0x7e, 0x36, 0x79, 0x49, 0xda, 0xc6, 0x6d, 0xe9, 0xb4, 0x68, 0x21, 0x0c, 0x5a, 0x69,
0x05, 0x28, 0x81, 0x16, 0xb1, 0xab, 0x9e, 0xc8, 0xfe, 0xaa, 0xa2, 0x2d, 0x50, 0x19, 0xb1, 0x07,
0x2e, 0xa3, 0xc9, 0x8c, 0x33, 0x6b, 0xea, 0xb1, 0xb3, 0x1e, 0x4f, 0xdb, 0xfd, 0x43, 0x90, 0x38,
0x71, 0xe3, 0xca, 0x7f, 0xc7, 0x1d, 0xf9, 0xd9, 0x53, 0xda, 0x86, 0xe6, 0x94, 0xf1, 0xf7, 0xbe,
0xef, 0xf3, 0x9b, 0x79, 0xcf, 0xcf, 0x81, 0x9d, 0x44, 0xc9, 0x05, 0xcf, 0x26, 0xee, 0x67, 0xbc,
0xd4, 0xca, 0x28, 0xb2, 0x25, 0xb8, 0xbc, 0x60, 0x3a, 0x3d, 0x1a, 0x3b, 0xf8, 0xf0, 0x93, 0x4c,
0xa9, 0x4c, 0xb0, 0x09, 0x86, 0xe7, 0xe5, 0x62, 0x92, 0x96, 0x3a, 0x36, 0x5c, 0x49, 0x27, 0x08,
0xff, 0xa8, 0x41, 0x63, 0x2a, 0x04, 0x99, 0x40, 0x3b, 0x13, 0x6a, 0x1e, 0x8b, 0xa0, 0x36, 0xaa,
0x3d, 0xe9, 0x1d, 0xed, 0x8f, 0xef, 0x39, 0x8d, 0x4f, 0x31, 0x4c, 0x3d, 0x8d, 0x7c, 0x05, 0xad,
0xa5, 0x56, 0xd7, 0x1f, 0x82, 0x3a, 0xf2, 0x3f, 0x5a, 0xe1, 0x9f, 0xdb, 0x28, 0x75, 0x24, 0x72,
0x04, 0x1b, 0x5c, 0x16, 0x26, 0x16, 0x22, 0x68, 0x20, 0x3f, 0x58, 0xe1, 0xcf, 0x5c, 0x9c, 0x56,
0xc4, 0xf0, 0xf7, 0x3a, 0xb4, 0xdd, 0xa6, 0xe4, 0x4b, 0x18, 0x7a, 0x7a, 0x24, 0xe3, 0x9c, 0x15,
0xcb, 0x38, 0x61, 0x98, 0x68, 0x97, 0x6e, 0xfb, 0xc0, 0x8f, 0x15, 0x4e, 0x3e, 0x85, 0x5e, 0x22,
0x79, 0xc4, 0x64, 0x3c, 0x17, 0x2c, 0xc5, 0xfc, 0x3a, 0x14, 0x12, 0xc9, 0x5f, 0x39, 0x84, 0x04,
0xb0, 0x71, 0xc9, 0x74, 0xc1, 0x95, 0xc4, 0x64, 0xba, 0xb4, 0x5a, 0x92, 0x37, 0xb0, 0xcd, 0x53,
0x26, 0x0d, 0x37, 0x1f, 0xa2, 0x44, 0x49, 0xc3, 0xae, 0x4d, 0xd0, 0xc4, 0x7c, 0x47, 0xab, 0xf9,
0x7a, 0xe2, 0x0b, 0xc7, 0xa3, 0x5b, 0xfc, 0x2e, 0x40, 0xde, 0xc2, 0x4e, 0x5c, 0x1a, 0x15, 0x71,
0xf9, 0x1b, 0x4b, 0xcc, 0x8d, 0x5f, 0x1b, 0xfd, 0xc2, 0x15, 0xbf, 0x69, 0x69, 0xd4, 0x0c, 0xa9,
0xde, 0xe0, 0x79, 0x3d, 0xa8, 0xd1, 0x61, 0x7c, 0x1f, 0x0e, 0xff, 0x6e, 0x43, 0x0b, 0x3f, 0x2e,
0x79, 0x0a, 0x3d, 0xfc, 0xbc, 0x11, 0xcf, 0xe3, 0x8c, 0xf9, 0xca, 0xad, 0x56, 0x62, 0x66, 0xa3,
0x14, 0x90, 0x8a, 0xcf, 0xe4, 0x7b, 0xd8, 0xf6, 0x42, 0xc9, 0x8d, 0x57, 0xd7, 0xd7, 0xaa, 0x37,
0x9d, 0x5a, 0x72, 0xe3, 0x1c, 0x9e, 0x41, 0xdf, 0xbe, 0x90, 0x56, 0x22, 0x5a, 0x2a, 0x6d, 0x7c,
0x55, 0xf7, 0x56, 0xbb, 0x40, 0x69, 0x43, 0x7b, 0x9e, 0x6a, 0x17, 0xe4, 0x14, 0x76, 0x79, 0x26,
0x95, 0x66, 0x11, 0x97, 0x73, 0x55, 0xca, 0x14, 0x0d, 0x8a, 0xa0, 0x39, 0x6a, 0x3c, 0xec, 0x40,
0x9c, 0x64, 0xe6, 0x14, 0x16, 0x2a, 0xc8, 0x0c, 0xf6, 0xbc, 0x91, 0x2a, 0xcd, 0x6d, 0xa7, 0xd6,
0x3a, 0xa7, 0x1d, 0xa7, 0xf9, 0xc9, 0x4b, 0x9c, 0xd5, 0x33, 0xe8, 0xdf, 0x4e, 0xc6, 0xd7, 0xe8,
0xa1, 0xb7, 0xe1, 0xff, 0x65, 0x41, 0xbe, 0x05, 0x88, 0xd3, 0x9c, 0x4b, 0xa7, 0xdb, 0x58, 0xa7,
0xeb, 0x22, 0x11, 0x55, 0x27, 0x30, 0xb8, 0x93, 0x73, 0xd0, 0x59, 0x27, 0xec, 0xab, 0x5b, 0xc9,
0x92, 0x29, 0x74, 0x34, 0x2b, 0x54, 0xa9, 0x13, 0x16, 0x74, 0x51, 0xf6, 0x78, 0x45, 0x46, 0x3d,
0x81, 0xb2, 0xf7, 0x25, 0xd7, 0x2c, 0x67, 0xd2, 0x14, 0xf4, 0x46, 0x46, 0x3e, 0x86, 0xae, 0x2b,
0x7f, 0xc9, 0xd3, 0x00, 0x46, 0xb5, 0x27, 0x0d, 0xda, 0x41, 0xe0, 0x17, 0x9e, 0x92, 0xef, 0xa0,
0x2b, 0x54, 0x16, 0x09, 0x76, 0xc9, 0x44, 0xd0, 0xc3, 0x0d, 0x0e, 0x56, 0x36, 0x38, 0x53, 0xd9,
0x99, 0x25, 0xd0, 0x8e, 0xf0, 0x4f, 0xe4, 0x04, 0x0e, 0x52, 0x5e, 0xd8, 0x13, 0x16, 0xb1, 0x6b,
0xc3, 0xb4, 0x8c, 0x45, 0xb4, 0xd4, 0x6a, 0xc1, 0x05, 0x2b, 0x82, 0x3e, 0x1e, 0xc2, 0x7d, 0x4f,
0x78, 0xe5, 0xe3, 0xe7, 0x3e, 0x4c, 0x3e, 0x87, 0x81, 0x4b, 0xa8, 0x3a, 0x97, 0x03, 0x3c, 0x97,
0x7d, 0x04, 0xdf, 0xfa, 0xc3, 0xf9, 0x14, 0x82, 0xfb, 0x4d, 0x7b, 0xc3, 0xdf, 0x44, 0xfe, 0xde,
0xdd, 0x26, 0xf5, 0xc2, 0xf0, 0x14, 0x5a, 0xae, 0x69, 0x1f, 0x01, 0x38, 0x99, 0x1d, 0x22, 0x7e,
0x7e, 0x74, 0x11, 0xb1, 0xd3, 0xc3, 0x0e, 0x8e, 0x65, 0x29, 0x6c, 0x43, 0x0b, 0x9e, 0xb8, 0xc1,
0xd6, 0xa5, 0x60, 0xa1, 0x73, 0x44, 0xc2, 0x43, 0x68, 0x62, 0x09, 0x08, 0x34, 0xb1, 0x6a, 0xd6,
0x61, 0x40, 0xf1, 0x39, 0xfc, 0xb3, 0x06, 0xbb, 0xff, 0xf7, 0xd9, 0xad, 0xab, 0x66, 0xef, 0x4b,
0x56, 0x98, 0x28, 0x59, 0x96, 0x7e, 0x57, 0xf0, 0xd0, 0x8b, 0x65, 0x49, 0x1e, 0xc3, 0x66, 0x45,
0xc8, 0x59, 0xae, 0x74, 0xb5, 0xf3, 0xc0, 0xa3, 0x3f, 0x20, 0x68, 0x8b, 0x26, 0x78, 0xce, 0x9d,
0x8b, 0x9b, 0x5b, 0x1d, 0x04, 0xac, 0xc7, 0x67, 0xd0, 0x77, 0x41, 0xef, 0xd0, 0xc4, 0x78, 0x0f,
0x31, 0xa7, 0x0f, 0xf7, 0x61, 0xb8, 0x32, 0x62, 0x4e, 0xea, 0x41, 0x2d, 0xfc, 0xa7, 0x06, 0x5b,
0xf7, 0x86, 0x99, 0xf5, 0x33, 0xba, 0x2c, 0x4c, 0x94, 0xaa, 0x3c, 0xe6, 0xd2, 0x67, 0xdd, 0x43,
0xec, 0x25, 0x42, 0xe4, 0x0b, 0x18, 0x3a, 0x4a, 0x2c, 0x93, 0x77, 0x4a, 0x17, 0xd1, 0x92, 0xe5,
0x3e, 0xf3, 0x2d, 0x0c, 0x4c, 0x1d, 0x7e, 0xce, 0x72, 0xf2, 0x1a, 0x86, 0xbc, 0x28, 0xca, 0x58,
0x26, 0x2c, 0x12, 0x7c, 0xc1, 0x0c, 0xcf, 0x99, 0x1f, 0x19, 0x07, 0x63, 0x77, 0x43, 0x8d, 0xab,
0x1b, 0x6a, 0xfc, 0xd2, 0xdf, 0x50, 0x74, 0xbb, 0xd2, 0x9c, 0x79, 0x09, 0x79, 0x03, 0xbb, 0x89,
0x50, 0xc9, 0x45, 0x54, 0x5c, 0xb0, 0xab, 0x28, 0x16, 0x42, 0x5d, 0xd9, 0xb8, 0x9f, 0xd1, 0x6b,
0xac, 0x08, 0xca, 0x7e, 0xbe, 0x60, 0x57, 0xd3, 0x4a, 0x14, 0x8e, 0xa0, 0x53, 0xb5, 0x31, 0xd9,
0x85, 0x96, 0x6b, 0x78, 0xf7, 0xa2, 0x6e, 0x11, 0xfe, 0x55, 0x83, 0x0d, 0x7f, 0x2d, 0xd9, 0x9a,
0x97, 0xf6, 0xb8, 0x38, 0x02, 0x3e, 0xe3, 0x4d, 0x23, 0xf8, 0x4d, 0x13, 0xfa, 0x86, 0x49, 0x04,
0xaf, 0x5a, 0xf6, 0x18, 0x5a, 0x0b, 0x11, 0x67, 0x45, 0xd0, 0xc0, 0x91, 0xf4, 0xe8, 0xa1, 0x4b,
0x6f, 0xfc, 0x5a, 0xc4, 0x19, 0x75, 0xdc, 0xc3, 0xaf, 0xa1, 0x69, 0x97, 0x76, 0xc7, 0x5b, 0x7d,
0x8a, 0xcf, 0x36, 0xcf, 0xcb, 0x58, 0x94, 0xcc, 0xef, 0xe5, 0x16, 0xcf, 0x8f, 0x7f, 0xfd, 0x26,
0xe3, 0xe6, 0x5d, 0x39, 0x1f, 0x27, 0x2a, 0x9f, 0xf8, 0x3d, 0xaa, 0xdf, 0xa3, 0x89, 0x9f, 0xbe,
0x82, 0xe9, 0x49, 0xc6, 0xa4, 0xff, 0xc3, 0x30, 0x6f, 0xe3, 0x57, 0x3a, 0xfe, 0x37, 0x00, 0x00,
0xff, 0xff, 0xba, 0x3f, 0xcd, 0xf2, 0x48, 0x08, 0x00, 0x00,
}

2
controller/proxy-injector/fake/data/pod.patch.json
View File

@ -29,7 +29,7 @@
"path": "/spec/initContainers/-",
"value": {
"name": "linkerd-init",
"image": "gcr.io/linkerd-io/proxy-init:dev-undefined",
"image": "gcr.io/linkerd-io/proxy-init:v1.0.0",
"args": [
"--incoming-proxy-port",
"4143",

9
pkg/inject/inject.go
View File

@ -723,10 +723,13 @@ func (conf *ResourceConfig) proxyVersion() string {
}
func (conf *ResourceConfig) proxyInitVersion() string {
if version := conf.configs.GetGlobal().GetVersion(); version != "" {
return version
if override := conf.getOverride(k8s.ProxyInitImageVersionAnnotation); override != "" {
return override
}
return version.Version
if v := conf.configs.GetProxy().GetProxyInitImageVersion(); v != "" {
return v
}
return version.ProxyInitVersion
}
func (conf *ResourceConfig) proxyControlPort() int32 {

5
pkg/inject/inject_test.go
View File

@ -6,6 +6,7 @@ import (
"github.com/linkerd/linkerd2/controller/gen/config"
"github.com/linkerd/linkerd2/pkg/k8s"
"github.com/linkerd/linkerd2/pkg/version"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
k8sResource "k8s.io/apimachinery/pkg/api/resource"
@ -161,7 +162,7 @@ func TestConfigAccessors(t *testing.T) {
destinationProfileSuffixes: "svc.cluster.local.",
initImage: "gcr.io/linkerd-io/proxy-init",
initImagePullPolicy: corev1.PullPolicy("Always"),
initVersion: controlPlaneVersion,
initVersion: version.ProxyInitVersion,
initArgs: []string{
"--incoming-proxy-port", "5000",
"--outgoing-proxy-port", "5002",
@ -227,7 +228,7 @@ func TestConfigAccessors(t *testing.T) {
destinationProfileSuffixes: ".",
initImage: "gcr.io/linkerd-io/proxy-init",
initImagePullPolicy: corev1.PullPolicy("IfNotPresent"),
initVersion: controlPlaneVersion,
initVersion: version.ProxyInitVersion,
initArgs: []string{
"--incoming-proxy-port", "6000",
"--outgoing-proxy-port", "6002",

3
pkg/k8s/labels.go
View File

@ -105,6 +105,9 @@ const (
// config.
ProxyInitImageAnnotation = ProxyConfigAnnotationsPrefix + "/init-image"
// ProxyInitImageVersionAnnotation can be used to overrided the proxy-init image version
ProxyInitImageVersionAnnotation = ProxyConfigAnnotationsPrefix + "/init-image-version"
// ProxyControlPortAnnotation can be used to override the controlPort config.
ProxyControlPortAnnotation = ProxyConfigAnnotationsPrefix + "/control-port"

6
pkg/version/version.go
View File

@ -12,6 +12,12 @@ import (
// DO NOT EDIT
var Version = undefinedVersion
// ProxyInitVersion is the pinned version of the proxy-init, from
// https://github.com/linkerd/linkerd2-proxy-init
// This has to be kept in sync with the constraint version for
// github.com/linkerd/linkerd2-proxy-init in /Gopkg.toml
var ProxyInitVersion = "v1.0.0"
const (
// undefinedVersion should take the form `channel-version` to conform to
// channelVersion functions.

4
proto/config/config.proto
View File

@ -16,7 +16,7 @@ message Global {
string linkerd_namespace = 1;
bool cni_enabled = 2;
// Control plane and proxy-init version
// Control plane version
string version = 3;
// If present, configures identity.
@ -43,6 +43,8 @@ message Proxy {
bool disable_external_profiles = 12;
string proxy_version = 13;
string proxy_init_image_version = 14;
}
message Image {

11
proxy-init/Dockerfile
View File

@ -1,11 +0,0 @@
## compile proxy-init utility
FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang
WORKDIR /go/src/github.com/linkerd/linkerd2
COPY ./proxy-init ./proxy-init
RUN CGO_ENABLED=0 GOOS=linux go install -v ./proxy-init/
## package runtime
FROM gcr.io/linkerd-io/base:2019-02-19.01
COPY LICENSE /linkerd/LICENSE
COPY --from=golang /go/bin/proxy-init /usr/local/bin/proxy-init
ENTRYPOINT ["/usr/local/bin/proxy-init"]

93
proxy-init/cmd/root.go
View File

@ -1,93 +0,0 @@
package cmd
import (
"fmt"
"github.com/linkerd/linkerd2/proxy-init/iptables"
"github.com/spf13/cobra"
)
// RootOptions provides the information that will be used to build a firewall configuration.
type RootOptions struct {
IncomingProxyPort int
OutgoingProxyPort int
ProxyUserID int
PortsToRedirect []int
InboundPortsToIgnore []int
OutboundPortsToIgnore []int
SimulateOnly bool
NetNs string
}
func newRootOptions() *RootOptions {
return &RootOptions{
IncomingProxyPort: -1,
OutgoingProxyPort: -1,
ProxyUserID: -1,
PortsToRedirect: make([]int, 0),
InboundPortsToIgnore: make([]int, 0),
OutboundPortsToIgnore: make([]int, 0),
SimulateOnly: false,
NetNs: "",
}
}
// NewRootCmd returns a configured cobra.Command for the `proxy-init` command.
// TODO: consider moving this to `/proxy-init/main.go`
func NewRootCmd() *cobra.Command {
options := newRootOptions()
cmd := &cobra.Command{
Use: "proxy-init",
Short: "proxy-init adds a Kubernetes pod to the Linkerd service mesh",
Long: "proxy-init adds a Kubernetes pod to the Linkerd service mesh.",
RunE: func(cmd *cobra.Command, args []string) error {
config, err := BuildFirewallConfiguration(options)
if err != nil {
return err
}
return iptables.ConfigureFirewall(*config)
},
}
cmd.PersistentFlags().IntVarP(&options.IncomingProxyPort, "incoming-proxy-port", "p", options.IncomingProxyPort, "Port to redirect incoming traffic")
cmd.PersistentFlags().IntVarP(&options.OutgoingProxyPort, "outgoing-proxy-port", "o", options.OutgoingProxyPort, "Port to redirect outgoing traffic")
cmd.PersistentFlags().IntVarP(&options.ProxyUserID, "proxy-uid", "u", options.ProxyUserID, "User ID that the proxy is running under. Any traffic coming from this user will be ignored to avoid infinite redirection loops.")
cmd.PersistentFlags().IntSliceVarP(&options.PortsToRedirect, "ports-to-redirect", "r", options.PortsToRedirect, "Port to redirect to proxy, if no port is specified then ALL ports are redirected")
cmd.PersistentFlags().IntSliceVar(&options.InboundPortsToIgnore, "inbound-ports-to-ignore", options.InboundPortsToIgnore, "Inbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
cmd.PersistentFlags().IntSliceVar(&options.OutboundPortsToIgnore, "outbound-ports-to-ignore", options.OutboundPortsToIgnore, "Outbound ports to ignore and not redirect to proxy. This has higher precedence than any other parameters.")
cmd.PersistentFlags().BoolVar(&options.SimulateOnly, "simulate", options.SimulateOnly, "Don't execute any command, just print what would be executed")
cmd.PersistentFlags().StringVar(&options.NetNs, "netns", options.NetNs, "Optional network namespace in which to run the iptables commands")
return cmd
}
// BuildFirewallConfiguration returns an iptables FirewallConfiguration suitable to use to configure iptables.
func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfiguration, error) {
if options.IncomingProxyPort < 0 || options.IncomingProxyPort > 65535 {
return nil, fmt.Errorf("--incoming-proxy-port must be a valid TCP port number")
}
if options.OutgoingProxyPort < 0 || options.OutgoingProxyPort > 65535 {
return nil, fmt.Errorf("--outgoing-proxy-port must be a valid TCP port number")
}
firewallConfiguration := &iptables.FirewallConfiguration{
ProxyInboundPort: options.IncomingProxyPort,
ProxyOutgoingPort: options.OutgoingProxyPort,
ProxyUID: options.ProxyUserID,
PortsToRedirectInbound: options.PortsToRedirect,
InboundPortsToIgnore: options.InboundPortsToIgnore,
OutboundPortsToIgnore: options.OutboundPortsToIgnore,
SimulateOnly: options.SimulateOnly,
NetNs: options.NetNs,
}
if len(options.PortsToRedirect) > 0 {
firewallConfiguration.Mode = iptables.RedirectListedMode
} else {
firewallConfiguration.Mode = iptables.RedirectAllMode
}
return firewallConfiguration, nil
}

85
proxy-init/cmd/root_test.go
View File

@ -1,85 +0,0 @@
package cmd
import (
"reflect"
"testing"
"github.com/linkerd/linkerd2/proxy-init/iptables"
)
func TestBuildFirewallConfiguration(t *testing.T) {
t.Run("It produces a FirewallConfiguration for the default config", func(t *testing.T) {
expectedIncomingProxyPort := 1234
expectedOutgoingProxyPort := 2345
expectedProxyUserID := 33
expectedConfig := &iptables.FirewallConfiguration{
Mode: iptables.RedirectAllMode,
PortsToRedirectInbound: make([]int, 0),
InboundPortsToIgnore: make([]int, 0),
OutboundPortsToIgnore: make([]int, 0),
ProxyInboundPort: expectedIncomingProxyPort,
ProxyOutgoingPort: expectedOutgoingProxyPort,
ProxyUID: expectedProxyUserID,
SimulateOnly: false,
}
options := newRootOptions()
options.IncomingProxyPort = expectedIncomingProxyPort
options.OutgoingProxyPort = expectedOutgoingProxyPort
options.ProxyUserID = expectedProxyUserID
config, err := BuildFirewallConfiguration(options)
if err != nil {
t.Fatalf("Unexpected error: %s", err)
}
if !reflect.DeepEqual(config, expectedConfig) {
t.Fatalf("Expected config [%v] but got [%v]", expectedConfig, config)
}
})
t.Run("It rejects invalid config options", func(t *testing.T) {
for _, tt := range []struct {
options *RootOptions
errorMessage string
}{
{
options: &RootOptions{
IncomingProxyPort: -1,
OutgoingProxyPort: 1234,
},
errorMessage: "--incoming-proxy-port must be a valid TCP port number",
},
{
options: &RootOptions{
IncomingProxyPort: 100000,
OutgoingProxyPort: 1234,
},
errorMessage: "--incoming-proxy-port must be a valid TCP port number",
},
{
options: &RootOptions{
IncomingProxyPort: 1234,
OutgoingProxyPort: -1,
},
errorMessage: "--outgoing-proxy-port must be a valid TCP port number",
},
{
options: &RootOptions{
IncomingProxyPort: 1234,
OutgoingProxyPort: 100000,
},
errorMessage: "--outgoing-proxy-port must be a valid TCP port number",
},
} {
_, err := BuildFirewallConfiguration(tt.options)
if err == nil {
t.Fatalf("Expected error for config [%v], got nil", tt.options)
}
if err.Error() != tt.errorMessage {
t.Fatalf("Expected error [%s] for config [%v], got [%s]",
tt.errorMessage, tt.options, err.Error())
}
}
})
}

7
proxy-init/integration_test/iptables/Dockerfile-tester
View File

@ -1,7 +0,0 @@
FROM golang:1.11.5
ADD iptables/ /go
# Kubernetes Jobs will be retried until they return status 0,
# so we need to output the status for processing but make sure
# that the container exits with 0
ENTRYPOINT cd /go && (go test -v -integration-tests; echo "status:$?")

216
proxy-init/integration_test/iptables/http_test.go
View File

@ -1,216 +0,0 @@
package iptablestest
import (
"flag"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
"testing"
)
const (
ignoredContainerPort = "7070"
proxyContainerPort = "8080"
notTheProxyContainerPort = "9090"
)
func TestMain(m *testing.M) {
runTests := flag.Bool("integration-tests", false, "must be provided to run the integration tests")
flag.Parse()
if !*runTests {
fmt.Fprintln(os.Stderr, "integration tests not enabled: enable with -integration-tests")
os.Exit(0)
}
os.Exit(m.Run())
}
func TestPodWithNoRules(t *testing.T) {
t.Parallel()
podWithNoRulesIP := os.Getenv("POD_WITH_NO_RULES_IP")
svcName := "svc-pod-with-no-rules"
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, podWithNoRulesIP, proxyContainerPort)
})
t.Run("fails to connect to pod directly through any port that isn't the container's exposed port", func(t *testing.T) {
expectCannotConnectGetRequestTo(t, podWithNoRulesIP, "8088")
expectCannotConnectGetRequestTo(t, podWithNoRulesIP, "8888")
expectCannotConnectGetRequestTo(t, podWithNoRulesIP, "8988")
})
t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort)
})
t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) {
expectCannotConnectGetRequestTo(t, svcName, "8088")
expectCannotConnectGetRequestTo(t, svcName, "8888")
expectCannotConnectGetRequestTo(t, svcName, "8988")
})
}
func TestPodRedirectsAllPorts(t *testing.T) {
t.Parallel()
podRedirectsAllPortsIP := os.Getenv("POD_REDIRECTS_ALL_PORTS_IP")
svcName := "svc-pod-redirects-all-ports"
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIP, proxyContainerPort)
})
t.Run("succeeds connecting to pod directly through any port that isn't the container's exposed port", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIP, "8088")
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIP, "8888")
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIP, "8988")
})
t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort)
})
t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) {
expectCannotConnectGetRequestTo(t, svcName, "8088")
expectCannotConnectGetRequestTo(t, svcName, "8888")
expectCannotConnectGetRequestTo(t, svcName, "8988")
})
}
func TestPodWithSomePortsRedirected(t *testing.T) {
t.Parallel()
podRedirectsSomePortsIP := os.Getenv("POD_REDIRECTS_WHITELISTED_IP")
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIP, proxyContainerPort)
})
t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIP, "9090")
expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIP, "9099")
})
t.Run("fails to connect to pod via through any port that isn't configured to redirect", func(t *testing.T) {
expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIP, "8088")
expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIP, "8888")
expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIP, "8988")
})
}
func TestPodWithSomePortsIgnored(t *testing.T) {
t.Parallel()
podIgnoredSomePortsIP := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP")
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIP, proxyContainerPort)
})
t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) {
expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIP, "9090")
expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIP, "9099")
})
t.Run("doesnt redirect when through port that is ignored", func(t *testing.T) {
response := expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIP, ignoredContainerPort)
if response == "proxy" {
t.Fatalf("Expected connection through ignored port to directly hit service, but hit [%s]", response)
}
if !strings.Contains(response, ignoredContainerPort) {
t.Fatalf("Expected to be able to connect to %s without redirects, but got back %s", ignoredContainerPort, response)
}
})
}
func TestPodMakesOutboundConnection(t *testing.T) {
t.Parallel()
podIgnoredSomePortsIP := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP")
podWithNoRulesIP := os.Getenv("POD_WITH_NO_RULES_IP")
podWithNoRulesName := "pod-with-no-rules"
proxyPodName := "pod-doesnt-redirect-blacklisted"
proxyPodIP := podIgnoredSomePortsIP
t.Run("connecting to another pod from non-proxy container gets redirected to proxy", func(t *testing.T) {
portOfContainerToMAkeTheRequest := ignoredContainerPort
targetPodIP := podWithNoRulesIP
targetPort := ignoredContainerPort
response := makeCallFromContainerToAnother(t, proxyPodIP, portOfContainerToMAkeTheRequest, targetPodIP, targetPort)
expectedDownstreamResponse := fmt.Sprintf("me:[%s:%s]downstream:[proxy]", proxyPodName, portOfContainerToMAkeTheRequest)
if !strings.Contains(response, expectedDownstreamResponse) {
t.Fatalf("Expected response to be redirected to the proxy, expected %s but it was %s", expectedDownstreamResponse, response)
}
})
t.Run("connecting to another pod from proxy container does not get redirected to proxy", func(t *testing.T) {
targetPodName := podWithNoRulesName
targetPodIP := podWithNoRulesIP
response := makeCallFromContainerToAnother(t, proxyPodIP, proxyContainerPort, targetPodIP, notTheProxyContainerPort)
expectedDownstreamResponse := fmt.Sprintf("me:[proxy]downstream:[%s:%s]", targetPodName, notTheProxyContainerPort)
if !strings.Contains(response, expectedDownstreamResponse) {
t.Fatalf("Expected response not to be redirected to the proxy, expected %s but it was %s", expectedDownstreamResponse, response)
}
})
t.Run("connecting to loopback from non-proxy container does not get redirected to proxy", func(t *testing.T) {
response := makeCallFromContainerToAnother(t, proxyPodIP, ignoredContainerPort, "127.0.0.1", notTheProxyContainerPort)
expectedDownstreamResponse := fmt.Sprintf("me:[%s:%s]downstream:[%s:%s]", proxyPodName, ignoredContainerPort, proxyPodName, notTheProxyContainerPort)
if !strings.Contains(response, expectedDownstreamResponse) {
t.Fatalf("Expected response not to be redirected to the proxy, expected %s but it was %s", expectedDownstreamResponse, response)
}
})
}
func makeCallFromContainerToAnother(t *testing.T, fromPodNamed string, fromContainerAtPort string, podIWantToReachName string, containerPortIWantToReach string) string {
downstreamURL := fmt.Sprintf("http://%s:%s", podIWantToReachName, containerPortIWantToReach)
//Make request asking target to make a back-end request
targetURL := fmt.Sprintf("http://%s:%s/call?url=%s", fromPodNamed, fromContainerAtPort, url.QueryEscape(downstreamURL))
return expectSuccessfulGetRequestToURL(t, targetURL)
}
func expectCannotConnectGetRequestTo(t *testing.T, host string, port string) {
targetURL := fmt.Sprintf("http://%s:%s/", host, port)
fmt.Printf("Expecting failed GET to %s\n", targetURL)
resp, err := http.Get(targetURL)
if err == nil {
t.Fatalf("Expected error when connecting to %s, got:\n%+v", targetURL, resp)
}
}
func expectSuccessfulGetRequestTo(t *testing.T, host string, port string) string {
targetURL := fmt.Sprintf("http://%s:%s/", host, port)
return expectSuccessfulGetRequestToURL(t, targetURL)
}
func expectSuccessfulGetRequestToURL(t *testing.T, url string) string {
fmt.Printf("Expecting successful GET to %s\n", url)
resp, err := http.Get(url)
if err != nil {
t.Fatalf("failed to send HTTP GET to %s:\n%v", url, err)
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatalf("failed reading GET response from %s:\n%v", url, err)
}
response := string(body)
fmt.Printf("Response from %s: %s", url, response)
return response
}

181
proxy-init/integration_test/iptables/iptablestest-lab.yaml
View File

@ -1,181 +0,0 @@
---
apiVersion: v1
kind: Pod
metadata:
name: pod-with-no-rules
labels:
app: pod-with-no-rules
spec:
containers:
- name: webserver
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "8080"
command: ["go", "run", "/go/test_service/test_service.go"]
ports:
- name: http
containerPort: 8080
- name: other-container
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "9090"
command: ["go", "run", "/go/test_service/test_service.go"]
ports:
- name: http
containerPort: 9090
---
apiVersion: v1
kind: Service
metadata:
name: svc-pod-with-no-rules
spec:
selector:
app: pod-with-no-rules
ports:
- name: http
port: 8080
---
apiVersion: v1
kind: Pod
metadata:
name: pod-redirects-all-ports
labels:
app: pod-redirects-all-ports
spec:
containers:
- name: other-container
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "9090"
command: ["go", "run", "/go/test_service/test_service.go"]
ports:
- name: http
containerPort: 9090
- name: proxy-stub
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "8080"
- name: AM_I_THE_PROXY
value: "yes"
command: ["go", "run", "/go/test_service/test_service.go"]
securityContext:
privileged: false
runAsUser: 2102
ports:
- name: http
containerPort: 8080
initContainers:
- name: linkerd-init
image: gcr.io/linkerd-io/proxy-init:latest
imagePullPolicy: Never
args: ["-p", "8080", "-o", "8080", "-u", "2102"]
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0
---
apiVersion: v1
kind: Service
metadata:
name: svc-pod-redirects-all-ports
spec:
selector:
app: pod-redirects-all-ports
ports:
- name: http
port: 8080
---
apiVersion: v1
kind: Pod
metadata:
name: pod-redirects-whitelisted
labels:
app: pod-redirects-whitelisted
spec:
containers:
- name: proxy-stub
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "8080"
- name: AM_I_THE_PROXY
value: "yes"
command: ["go", "run", "/go/test_service/test_service.go"]
ports:
- name: http
containerPort: 8080
securityContext:
privileged: false
runAsUser: 2102
initContainers:
- name: linkerd-init
image: gcr.io/linkerd-io/proxy-init:latest
imagePullPolicy: Never
args: ["-p", "8080", "-o", "8080", "-u", "2102", "-r", "9090", "-r", "9099"]
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0
---
apiVersion: v1
kind: Pod
metadata:
name: pod-doesnt-redirect-blacklisted
labels:
app: pod-doesnt-redirect-blacklisted
spec:
containers:
- name: proxy-stub
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "8080"
- name: AM_I_THE_PROXY
value: "yes"
command: ["go", "run", "/go/test_service/test_service.go"]
ports:
- name: http
containerPort: 8080
securityContext:
privileged: false
runAsUser: 2102
- name: other-container
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "9090"
command: ["go", "run", "/go/test_service/test_service.go"]
ports:
- name: http
containerPort: 9090
- name: blacklisted-container
image: buoyantio/iptables-tester:v1
env:
- name: PORT
value: "7070"
command: ["go", "run", "/go/test_service/test_service.go"]
ports:
- name: http
containerPort: 7070
initContainers:
- name: linkerd-init
image: gcr.io/linkerd-io/proxy-init:latest
imagePullPolicy: Never
args: ["-p", "8080", "-o", "8080", "-u", "2102", "--inbound-ports-to-ignore", "7070"]
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0

58
proxy-init/integration_test/iptables/test_service/test_service.go
View File

@ -1,58 +0,0 @@
package main
import (
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"strings"
)
var (
port = os.Getenv("PORT")
_, amITheProxy = os.LookupEnv("AM_I_THE_PROXY")
hostname, _ = os.Hostname()
defaultResponse = fmt.Sprintf("%s:%s", hostname, port)
)
func returnHostAndPortHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("Got request [%v] returning [%s]", r, response())
fmt.Fprintln(w, response())
}
func callOtherServiceHandler(w http.ResponseWriter, r *http.Request) {
url := r.FormValue("url")
log.Printf("Got request [%v] making HTTP call to [%s]", r, url)
downstreamResp, err := http.Get(url)
if err != nil {
http.Error(w, err.Error(), 500)
} else {
body, err := ioutil.ReadAll(downstreamResp.Body)
if err != nil {
http.Error(w, err.Error(), 500)
} else {
response := fmt.Sprintf("me:[%s]downstream:[%s]", response(), strings.TrimSpace(string(body)))
fmt.Fprintln(w, response)
}
}
}
func response() string {
if amITheProxy {
return "proxy"
}
return defaultResponse
}
func main() {
fmt.Printf("Starting stub HTTP server on port [%s] will serve [%s] proxy [%t]", port, hostname, amITheProxy)
http.HandleFunc("/", returnHostAndPortHandler)
http.HandleFunc("/call", callOtherServiceHandler)
err := http.ListenAndServe(fmt.Sprintf(":%s", port), nil)
if err != nil {
panic(err)
}
}

102
proxy-init/integration_test/run_tests.sh
View File

@ -1,102 +0,0 @@
#!/bin/bash
# define some colors to use for output
BLACK=$(tput setaf 0)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
LIME_YELLOW=$(tput setaf 190)
POWDER_BLUE=$(tput setaf 153)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BRIGHT=$(tput bold)
NORMAL=$(tput sgr0)
BLINK=$(tput blink)
REVERSE=$(tput smso)
UNDERLINE=$(tput smul)
function get_ip_for_pod(){
local pod_name=$1
until kubectl get pod ${pod_name} -o jsonpath='{.status.phase}' | grep Running > /dev/null ; do sleep 1 ; done
local pod_ip=`kubectl get pod ${pod_name} --template={{.status.podIP}}`
echo "${pod_ip}"
}
function wait_for_k8s_job_completion(){
local job_name=$1
until kubectl get jobs ${job_name} -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep True ; do printf "." && sleep 1 ; done
}
function header(){
local msg=$1
printf "\n${REVERSE}${msg}${NORMAL}\n"
}
function log(){
local msg=$1
printf "${WHITE}${msg}${NORMAL}\n"
}
TESTER_JOB_NAME=iptables-tester
LAB_YAML_FILE=iptables/iptablestest-lab.yaml
header "Deleting any existing objects from previous test runs..."
kubectl delete -f ${LAB_YAML_FILE}
kubectl delete jobs/${TESTER_JOB_NAME}
header "Building the image used in tests..."
docker build . -f iptables/Dockerfile-tester --tag buoyantio/iptables-tester:v1
sleep 10
header "Creating the test lab..."
kubectl create -f ${LAB_YAML_FILE}
POD_WITH_NO_RULES_IP=$(get_ip_for_pod "pod-with-no-rules")
log "POD_WITH_NO_RULES_IP=${POD_WITH_NO_RULES_IP}"
POD_REDIRECTS_ALL_PORTS_IP=$(get_ip_for_pod "pod-redirects-all-ports")
log "POD_REDIRECTS_ALL_PORTS_IP=${POD_REDIRECTS_ALL_PORTS_IP}"
POD_REDIRECTS_WHITELISTED_IP=$(get_ip_for_pod "pod-redirects-whitelisted")
log "POD_REDIRECTS_WHITELISTED_IP=${POD_REDIRECTS_WHITELISTED_IP}"
POD_DOEST_REDIRECT_BLACKLISTED_IP=$(get_ip_for_pod "pod-doesnt-redirect-blacklisted")
log "POD_DOEST_REDIRECT_BLACKLISTED_IP=${POD_DOEST_REDIRECT_BLACKLISTED_IP}"
header "Running tester..."
cat <<EOF | kubectl create -f -
apiVersion: batch/v1
kind: Job
metadata:
name: ${TESTER_JOB_NAME}
spec:
template:
metadata:
name: ${TESTER_JOB_NAME}
spec:
containers:
- name: tester
image: buoyantio/iptables-tester:v1
env:
- name: POD_REDIRECTS_ALL_PORTS_IP
value: ${POD_REDIRECTS_ALL_PORTS_IP}
- name: POD_WITH_NO_RULES_IP
value: ${POD_WITH_NO_RULES_IP}
- name: POD_REDIRECTS_WHITELISTED_IP
value: ${POD_REDIRECTS_WHITELISTED_IP}
- name: POD_DOEST_REDIRECT_BLACKLISTED_IP
value: ${POD_DOEST_REDIRECT_BLACKLISTED_IP}
restartPolicy: Never
EOF
wait_for_k8s_job_completion $TESTER_JOB_NAME
header "Test output:"
kubectl logs jobs/${TESTER_JOB_NAME}
# Makes this script return status 0 if the test returned status 0
kubectl logs jobs/${TESTER_JOB_NAME} 2>&1 | grep "status:0" > /dev/null

285
proxy-init/iptables/iptables.go
View File

@ -1,285 +0,0 @@
package iptables
import (
"fmt"
"log"
"os/exec"
"strconv"
"strings"
"time"
)
const (
// RedirectAllMode indicates redirecting all ports.
RedirectAllMode = "redirect-all"
// RedirectListedMode indicates redirecting a given list of ports.
RedirectListedMode = "redirect-listed"
// IptablesPreroutingChainName specifies an iptables `PREROUTING` chain,
// responsible for packets that just arrived at the network interface.
IptablesPreroutingChainName = "PREROUTING"
// IptablesOutputChainName specifies an iptables `OUTPUT` chain.
IptablesOutputChainName = "OUTPUT"
)
var (
// ExecutionTraceID provides a unique identifier for this script's execution.
ExecutionTraceID = strconv.Itoa(int(time.Now().Unix()))
)
// FirewallConfiguration specifies how to configure a pod's iptables.
type FirewallConfiguration struct {
Mode string
PortsToRedirectInbound []int
InboundPortsToIgnore []int
OutboundPortsToIgnore []int
ProxyInboundPort int
ProxyOutgoingPort int
ProxyUID int
SimulateOnly bool
NetNs string
}
//ConfigureFirewall configures a pod's internal iptables to redirect all desired traffic through the proxy, allowing for
// the pod to join the service mesh. A lot of this logic was based on
// https://github.com/istio/istio/blob/e83411e/pilot/docker/prepare_proxy.sh
func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error {
log.Printf("Tracing this script execution as [%s]\n", ExecutionTraceID)
log.Println("State of iptables rules before run:")
err := executeCommand(firewallConfiguration, makeShowAllRules())
if err != nil {
log.Println("Aborting firewall configuration")
return err
}
commands := make([]*exec.Cmd, 0)
commands = addIncomingTrafficRules(commands, firewallConfiguration)
commands = addOutgoingTrafficRules(commands, firewallConfiguration)
commands = append(commands, makeShowAllRules())
log.Println("Executing commands:")
for _, cmd := range commands {
err := executeCommand(firewallConfiguration, cmd)
if err != nil {
log.Println("Aborting firewall configuration")
return err
}
}
return nil
}
//formatComment is used to format iptables comments in such way that it is possible to identify when the rules were added.
// This helps debug when iptables has some stale rules from previous runs, something that can happen frequently on minikube.
func formatComment(text string) string {
return fmt.Sprintf("proxy-init/%s/%s", text, ExecutionTraceID)
}
func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd {
outputChainName := "PROXY_INIT_OUTPUT"
redirectChainName := "PROXY_INIT_REDIRECT"
executeCommand(firewallConfiguration, makeFlushChain(outputChainName))
executeCommand(firewallConfiguration, makeDeleteChain(outputChainName))
commands = append(commands, makeCreateNewChain(outputChainName, "redirect-common-chain"))
// Ignore traffic from the proxy
if firewallConfiguration.ProxyUID > 0 {
log.Printf("Ignoring uid %d", firewallConfiguration.ProxyUID)
// Redirect calls originating from the proxy destined for an app container e.g. app -> proxy(outbound) -> proxy(inbound) -> app
commands = append(commands, makeRedirectChainForOutgoingTraffic(outputChainName, redirectChainName, firewallConfiguration.ProxyUID, "redirect-non-loopback-local-traffic"))
commands = append(commands, makeIgnoreUserID(outputChainName, firewallConfiguration.ProxyUID, "ignore-proxy-user-id"))
} else {
log.Println("Not ignoring any uid")
}
// Ignore loopback
commands = append(commands, makeIgnoreLoopback(outputChainName, "ignore-loopback"))
// Ignore ports
commands = addRulesForIgnoredPorts(firewallConfiguration.OutboundPortsToIgnore, outputChainName, commands)
log.Printf("Redirecting all OUTPUT to %d", firewallConfiguration.ProxyOutgoingPort)
commands = append(commands, makeRedirectChainToPort(outputChainName, firewallConfiguration.ProxyOutgoingPort, "redirect-all-outgoing-to-proxy-port"))
//Redirect all remaining outbound traffic to the proxy.
commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesOutputChainName, outputChainName, "install-proxy-init-output"))
return commands
}
func addIncomingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd {
redirectChainName := "PROXY_INIT_REDIRECT"
executeCommand(firewallConfiguration, makeFlushChain(redirectChainName))
executeCommand(firewallConfiguration, makeDeleteChain(redirectChainName))
commands = append(commands, makeCreateNewChain(redirectChainName, "redirect-common-chain"))
commands = addRulesForIgnoredPorts(firewallConfiguration.InboundPortsToIgnore, redirectChainName, commands)
commands = addRulesForInboundPortRedirect(firewallConfiguration, redirectChainName, commands)
//Redirect all remaining inbound traffic to the proxy.
commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesPreroutingChainName, redirectChainName, "install-proxy-init-prerouting"))
return commands
}
func addRulesForInboundPortRedirect(firewallConfiguration FirewallConfiguration, chainName string, commands []*exec.Cmd) []*exec.Cmd {
if firewallConfiguration.Mode == RedirectAllMode {
log.Print("Will redirect all INPUT ports to proxy")
//Create a new chain for redirecting inbound and outbound traffic to the proxy port.
commands = append(commands, makeRedirectChainToPort(chainName,
firewallConfiguration.ProxyInboundPort,
"redirect-all-incoming-to-proxy-port"))
} else if firewallConfiguration.Mode == RedirectListedMode {
log.Printf("Will redirect some INPUT ports to proxy: %v", firewallConfiguration.PortsToRedirectInbound)
for _, port := range firewallConfiguration.PortsToRedirectInbound {
commands = append(commands, makeRedirectChainToPortBasedOnDestinationPort(chainName,
port,
firewallConfiguration.ProxyInboundPort,
fmt.Sprintf("redirect-port-%d-to-proxy-port", port)))
}
}
return commands
}
func addRulesForIgnoredPorts(portsToIgnore []int, chainName string, commands []*exec.Cmd) []*exec.Cmd {
for _, ignoredPort := range portsToIgnore {
log.Printf("Will ignore port %d on chain %s", ignoredPort, chainName)
commands = append(commands, makeIgnorePort(chainName, ignoredPort, fmt.Sprintf("ignore-port-%d", ignoredPort)))
}
return commands
}
func executeCommand(firewallConfiguration FirewallConfiguration, cmd *exec.Cmd) error {
originalCmd := strings.Trim(fmt.Sprintf("%v", cmd.Args), "[]")
log.Printf("> %s", originalCmd)
if !firewallConfiguration.SimulateOnly {
// wrap up the cmd with nsenter if we were givin a netns
if len(firewallConfiguration.NetNs) > 0 {
netnsArg := fmt.Sprintf("--net=%s", firewallConfiguration.NetNs)
originalCmdAsArgs := strings.Split(originalCmd, " ")
nsenterArgs := []string{
netnsArg,
}
finalArgs := append(nsenterArgs, originalCmdAsArgs...)
log.Printf(">> nsenter %v", finalArgs)
cmd = exec.Command("nsenter", finalArgs...)
}
out, err := cmd.CombinedOutput()
log.Printf("< %s\n", string(out))
if err != nil {
return err
}
}
return nil
}
func makeIgnoreUserID(chainName string, uid int, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-A", chainName,
"-m", "owner",
"--uid-owner", strconv.Itoa(uid),
"-j", "RETURN",
"-m", "comment",
"--comment", formatComment(comment))
}
func makeCreateNewChain(name string, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-N", name,
"-m", "comment",
"--comment", formatComment(comment))
}
func makeFlushChain(name string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-F", name)
}
func makeDeleteChain(name string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-X", name)
}
func makeRedirectChainToPort(chainName string, portToRedirect int, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-A", chainName,
"-p", "tcp",
"-j", "REDIRECT",
"--to-port", strconv.Itoa(portToRedirect),
"-m", "comment",
"--comment", formatComment(comment))
}
func makeIgnorePort(chainName string, portToIgnore int, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-A", chainName,
"-p", "tcp",
"--destination-port", strconv.Itoa(portToIgnore),
"-j", "RETURN",
"-m", "comment",
"--comment", formatComment(comment))
}
func makeIgnoreLoopback(chainName string, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-A", chainName,
"-o", "lo",
"-j", "RETURN",
"-m", "comment",
"--comment", formatComment(comment))
}
func makeRedirectChainToPortBasedOnDestinationPort(chainName string, destinationPort int, portToRedirect int, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-A", chainName,
"-p", "tcp",
"--destination-port", strconv.Itoa(destinationPort),
"-j", "REDIRECT",
"--to-port", strconv.Itoa(portToRedirect),
"-m", "comment",
"--comment", formatComment(comment))
}
func makeJumpFromChainToAnotherForAllProtocols(chainName string, targetChain string, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-A", chainName,
"-j", targetChain,
"-m", "comment",
"--comment", formatComment(comment))
}
func makeRedirectChainForOutgoingTraffic(chainName string, redirectChainName string, uid int, comment string) *exec.Cmd {
return exec.Command("iptables",
"-t", "nat",
"-A", chainName,
"-m", "owner",
"--uid-owner", strconv.Itoa(uid),
"-o", "lo",
"!", "-d 127.0.0.1/32",
"-j", redirectChainName,
"-m", "comment",
"--comment", formatComment(comment))
}
func makeShowAllRules() *exec.Cmd {
return exec.Command("iptables", "-t", "nat", "-vnL")
}

13
proxy-init/main.go
View File

@ -1,13 +0,0 @@
package main
import (
"os"
"github.com/linkerd/linkerd2/proxy-init/cmd"
)
func main() {
if err := cmd.NewRootCmd().Execute(); err != nil {
os.Exit(1)
}
}

3
test/inject/inject_test.go
View File

@ -8,6 +8,7 @@ import (
jsonpatch "github.com/evanphx/json-patch"
"github.com/linkerd/linkerd2/pkg/k8s"
"github.com/linkerd/linkerd2/pkg/version"
"github.com/linkerd/linkerd2/testutil"
"sigs.k8s.io/yaml"
)
@ -254,7 +255,7 @@ func useTestImageTag(in string) (string, error) {
patchOps := []string{
fmt.Sprintf(`{"op": "replace", "path": "/spec/template/metadata/annotations/linkerd.io~1created-by", "value": "linkerd/cli %s"}`, TestHelper.GetVersion()),
fmt.Sprintf(`{"op": "replace", "path": "/spec/template/metadata/annotations/linkerd.io~1proxy-version", "value": "%s"}`, TestHelper.GetVersion()),
fmt.Sprintf(`{"op": "replace", "path": "/spec/template/spec/initContainers/0/image", "value": "init-image:%s"}`, TestHelper.GetVersion()),
fmt.Sprintf(`{"op": "replace", "path": "/spec/template/spec/initContainers/0/image", "value": "init-image:%s"}`, version.ProxyInitVersion),
}
patchJSON := fmt.Sprintf("[%s]", strings.Join(patchOps, ","))

2
test/install_test.go
View File

@ -81,7 +81,7 @@ var (
knownEventWarningsRegex = regexp.MustCompile(strings.Join([]string{
`MountVolume.SetUp failed for volume .* : couldn't propagate object cache: timed out waiting for the condition`,
`Readiness probe failed: HTTP probe failed with statuscode: 50(2|3)`,
`(Liveness|Readiness) probe failed: HTTP probe failed with statuscode: 50(2|3)`,
`(Liveness|Readiness) probe failed: Get http://.*: dial tcp .*: connect: connection refused`,
`(Liveness|Readiness) probe failed: Get http://.*: read tcp .*: read: connection reset by peer`,
`(Liveness|Readiness) probe failed: Get http://.*: net/http: request canceled \(Client\.Timeout exceeded while awaiting headers\)`,

2
web/Dockerfile
View File

@ -26,7 +26,7 @@ COPY web/app .
RUN $ROOT/bin/web build
## compile go server
FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang
FROM gcr.io/linkerd-io/go-deps:22013b76 as golang
WORKDIR /go/src/github.com/linkerd/linkerd2
RUN mkdir -p web
COPY web/main.go web