Restart destination, proxy-injector controllers on config change. (#11440)

Fixes #6940

Added a `checksum/config` annotation into the destination, proxy-injector and tap-injector workloads, whose value is calculated as the SHA256 of the template file containing the TLS cert they depend on. This is necessary so that every time those other files change (they get re-generated on every upgrade or config update via `linkerd upgrade`), the workloads change as well. 
We had this in place before, but with the 2.12 helm charts migrations we dropped it by mistake.

Signed-off-by: Cameron Boulton <cameron.boulton@calm.com>

charts/linkerd-control-plane/templates/destination.yaml

@@ -153,6 +153,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }}
         {{ include "partials.annotations.created-by" . }}
         {{- include "partials.proxy.annotations" . | nindent 8}}
         {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}

charts/linkerd-control-plane/templates/proxy-injector.yaml

@@ -32,6 +32,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }}
         {{ include "partials.annotations.created-by" . }}
         {{- include "partials.proxy.annotations" . | nindent 8}}
         {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}

cli/cmd/testdata/install_controlplane_tracing_output.golden

@@ -1207,6 +1207,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1632,6 +1633,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_custom_domain.golden

@@ -1206,6 +1206,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1630,6 +1631,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_custom_registry.golden

@@ -1206,6 +1206,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1630,6 +1631,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_default.golden

@@ -1206,6 +1206,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1630,6 +1631,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_default_override_dst_get_nets.golden

@@ -1206,6 +1206,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1630,6 +1631,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_default_token.golden

@@ -1197,6 +1197,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1612,6 +1613,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_ha_output.golden

@@ -1304,6 +1304,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d678d93a3ae6be52fc98976b988d287fb3f8bc41d1eb9cc5f06d63fc3a3b9ee7
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1764,6 +1765,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 50d2a15c6f1cfe62df76480d599b55b3ffe8c134b92f527f74e9c80640114dca
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_ha_with_overrides_output.golden

@@ -1304,6 +1304,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d678d93a3ae6be52fc98976b988d287fb3f8bc41d1eb9cc5f06d63fc3a3b9ee7
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1764,6 +1765,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 50d2a15c6f1cfe62df76480d599b55b3ffe8c134b92f527f74e9c80640114dca
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_heartbeat_disabled_output.golden

@@ -1137,6 +1137,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1501,6 +1502,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_helm_control_plane_output.golden

@@ -1181,6 +1181,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 387ff1ed65e66e400e556c47490d20187adcb885526d44d9f0aa75dc97f23223
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1609,6 +1610,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 27486d27c2df3e0123d3ae33c32dd419e9dedb66f03495501f4e8127961b299e
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_helm_control_plane_output_ha.golden

@@ -1279,6 +1279,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: ff01f9fed5a80929d1215ebec514a25888ac7fed762a5a753bd896928e26b951
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1743,6 +1744,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 9a5539dd6fc3fb72bf39d6be47b21a2c0ff97c286c4ee144548d7268c17d3fd4
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_helm_output_ha_labels.golden

@@ -1287,6 +1287,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: ff01f9fed5a80929d1215ebec514a25888ac7fed762a5a753bd896928e26b951
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1759,6 +1760,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 9a5539dd6fc3fb72bf39d6be47b21a2c0ff97c286c4ee144548d7268c17d3fd4
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden

@@ -1269,6 +1269,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: cf05a64f720a18752cb8e0e759cb4cd6e22602eb0129a2144a2093ac6ea87659
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1733,6 +1734,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 4c9f5797be5821da5f47cf2a5f30d44656c3cfcd7e30cff8c1f67f9a71b705fe
         linkerd.io/created-by: linkerd/helm linkerd-version
         linkerd.io/proxy-version: test-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_no_init_container.golden

@@ -1200,6 +1200,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1618,6 +1619,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_output.golden

@@ -1179,6 +1179,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d3eac3abc6cf5f1943e0f005fd15ad0107229283fa6f8db72f9ccb4766bb2228
         linkerd.io/created-by: CliVersion
         linkerd.io/proxy-version: ProxyVersion
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1607,6 +1608,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 543c65ff6faff4112a64971371380e01188b1bbc583fef84c7b50844cb1a896d
         linkerd.io/created-by: CliVersion
         linkerd.io/proxy-version: ProxyVersion
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_proxy_ignores.golden

@@ -1206,6 +1206,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1630,6 +1631,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

cli/cmd/testdata/install_values_file.golden

@@ -1206,6 +1206,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: 6c6be36634a1edea1ebcad1c3981959c48eb6b78684e7093058a50eca6ba2f97
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
@@ -1630,6 +1631,7 @@ spec:
   template:
     metadata:
       annotations:
+        checksum/config: d0a59489b5026951c56c51a6307d7dbab88c3b2fae24a84d2a115fbf5ac75db4
         linkerd.io/created-by: linkerd/cli dev-undefined
         linkerd.io/proxy-version: install-proxy-version
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"