Parameterize PodDisruptionBudget config for Linkerd Control Plane components (#11687)

Parameterize PodDisruptionBudget config for Linkerd Control Plane components

The maxUnavailable setting for all Linkerd Control Plane components is hardcoded to 1

Parameterize PodDisruptionBudget config in templates, which is currently hardcoded (maxUnavailable), so that it can be configured from values.

Fixes #11321 

Signed-off-by: Cemal Y. Dalar <cemal@dalar.net>

charts/linkerd-control-plane/README.md

@@ -146,6 +146,8 @@ Kubernetes: `>=1.22.0-0`
 | commonLabels | object | `{}` | Labels to apply to all resources |
 | controlPlaneTracing | bool | `false` | enables control plane tracing |
 | controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to |
+| controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments |
+| controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption |
 | controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components |
 | controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. |
 | controllerLogFormat | string | `"plain"` | Log format for the control plane components |

charts/linkerd-control-plane/templates/destination.yaml

@@ -115,7 +115,7 @@ metadata:
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  maxUnavailable: 1
+  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
   selector:
     matchLabels:
       linkerd.io/control-plane-component: destination

charts/linkerd-control-plane/templates/identity.yaml

@@ -90,7 +90,7 @@ metadata:
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  maxUnavailable: 1
+  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
   selector:
     matchLabels:
       linkerd.io/control-plane-component: identity

charts/linkerd-control-plane/templates/proxy-injector.yaml

@@ -203,7 +203,7 @@ metadata:
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  maxUnavailable: 1
+  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
   selector:
     matchLabels:
       linkerd.io/control-plane-component: proxy-injector

charts/linkerd-control-plane/values-ha.yaml

@@ -5,6 +5,12 @@
 # -- Create PodDisruptionBudget resources for each control plane workload
 enablePodDisruptionBudget: true
 
+controller:
+  # -- sets pod disruption budget parameter for all deployments
+  podDisruptionBudget:
+    # -- Maximum number of pods that can be unavailable during disruption
+    maxUnavailable: 1
+
 # -- Specify a deployment strategy for each control plane workload
 deploymentStrategy:
   rollingUpdate:

charts/linkerd-control-plane/values.yaml

@@ -39,6 +39,12 @@ enablePodAntiAffinity: false
 enablePprof: false
 # -- enables the creation of pod disruption budgets for control plane components
 enablePodDisruptionBudget: false
+
+controller:
+  # -- sets pod disruption budget parameter for all deployments
+  podDisruptionBudget:
+    # -- Maximum number of pods that can be unavailable during disruption
+    maxUnavailable: 1
 # -- enabling this omits the NET_ADMIN capability in the PSP
 # and the proxy-init container when injecting the proxy;
 # requires the linkerd-cni plugin to already be installed

cli/cmd/testdata/install_controlplane_tracing_output.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: true
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_custom_domain.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_custom_registry.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: my.custom.registry/linkerd-io/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_default.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_default_override_dst_get_nets.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_default_token.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_ha_output.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_ha_with_overrides_output.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_heartbeat_disabled_output.golden

@@ -427,6 +427,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_helm_control_plane_output.golden

@@ -497,6 +497,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_helm_control_plane_output_ha.golden

@@ -497,6 +497,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_helm_output_ha_labels.golden

@@ -497,6 +497,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden

@@ -492,6 +492,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_no_init_container.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: true
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_proxy_ignores.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

cli/cmd/testdata/install_values_file.golden

@@ -496,6 +496,9 @@ data:
     cniEnabled: false
     controlPlaneTracing: false
     controlPlaneTracingNamespace: linkerd-jaeger
+    controller:
+      podDisruptionBudget:
+        maxUnavailable: 1
     controllerImage: cr.l5d.io/linkerd/controller
     controllerLogFormat: plain
     controllerLogLevel: info

pkg/charts/linkerd2/values.go

@@ -33,6 +33,7 @@ type (
 		EnablePodAntiAffinity        bool                   `json:"enablePodAntiAffinity"`
 		NodeAffinity                 map[string]interface{} `json:"nodeAffinity"`
 		EnablePodDisruptionBudget    bool                   `json:"enablePodDisruptionBudget"`
+		Controller                   *Controller            `json:"controller"`
 		WebhookFailurePolicy         string                 `json:"webhookFailurePolicy"`
 		DeploymentStrategy           map[string]interface{} `json:"deploymentStrategy,omitempty"`
 		DisableHeartBeat             bool                   `json:"disableHeartBeat"`
@@ -83,6 +84,16 @@ type (
 		ProxyInjectorProxyResources *Resources `json:"proxyInjectorProxyResources"`
 	}
 
+	// Controller contains the fields to set the controller container
+	Controller struct {
+		PodDisruptionBudget *PodDisruptionBudget `json:"podDisruptionBudget"`
+	}
+
+	// PodDisruptionBudget contains the fields to set the PDB
+	PodDisruptionBudget struct {
+		MaxUnavailable int `json:"maxUnavailable"`
+	}
+
 	// ConfigJSONs is the JSON encoding of the Linkerd configuration
 	ConfigJSONs struct {
 		Global  string `json:"global"`

pkg/charts/linkerd2/values_test.go

@@ -67,6 +67,11 @@ func TestNewValues(t *testing.T) {
 		PodLabels:                    map[string]string{},
 		EnableEndpointSlices:         true,
 		EnablePodDisruptionBudget:    false,
+		Controller: &Controller{
+			PodDisruptionBudget: &PodDisruptionBudget{
+				MaxUnavailable: 1,
+			},
+		},
 		PodMonitor: &PodMonitor{
 			Enabled:        false,
 			ScrapeInterval: "10s",
@@ -250,6 +255,9 @@ func TestNewValues(t *testing.T) {
 		expected.ControllerReplicas = 3
 		expected.EnablePodAntiAffinity = true
 		expected.EnablePodDisruptionBudget = true
+		expected.Controller.PodDisruptionBudget = &PodDisruptionBudget{
+			MaxUnavailable: 1,
+		}
 		expected.DeploymentStrategy = haDeploymentStrategy
 		expected.WebhookFailurePolicy = "Fail"
 
@@ -304,6 +312,8 @@ func TestNewValues(t *testing.T) {
 func TestHAValuesParsing(t *testing.T) {
 	yml := `
 enablePodDisruptionBudget: true
+PodDisruptionBudget:
+  maxUnavailable: 1
 deploymentStrategy:
   rollingUpdate:
     maxUnavailable: 1