linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

policy: use json encoded string to represent policy token (#11910) 

Currently, the value that is put in the `LINKERD2_PROXY_POLICY_WORKLOAD` env var has the format of `pod_ns:pod_name`. This PR changes the format of the policy token into a json struct, so it can encode the type of workload and not only its location. For now, we add an additional `external_workload` type.


 Zahari Dichev <zaharidichev@gmail.com>
This commit is contained in:
Zahari Dichev 2024-01-11 22:15:29 +02:00 committed by GitHub
parent 3f4925bfdb
commit abb9d819a0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
56 changed files with 323 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.lock
View File

@ -1219,6 +1219,8 @@ dependencies = [
"linkerd2-proxy-api",
"maplit",
"prost-types",
"serde",
"serde_json",
"tokio",
"tonic",
"tracing",

3
charts/partials/templates/_proxy.tpl
View File

@ -39,7 +39,8 @@ env:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}}
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: {{.Values.proxy.defaultInboundPolicy}}
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml vendored
View File

@ -43,7 +43,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

6
cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml vendored
View File

@ -43,7 +43,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -263,7 +264,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml vendored
View File

@ -43,7 +43,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_contour.golden.yml generated vendored
View File

@ -51,7 +51,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

12
cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -276,7 +277,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -507,7 +509,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -738,7 +741,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_access_log.golden.yml generated vendored
View File

@ -46,7 +46,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_automountServiceAccountToken_false.golden.yml generated vendored
View File

@ -46,7 +46,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_capabilities.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_config_overrides.golden.yml generated vendored
View File

@ -55,7 +55,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

6
cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -276,7 +277,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml generated vendored
View File

@ -46,7 +46,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml generated vendored
View File

@ -98,7 +98,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_opaque_ports.golden.yml generated vendored
View File

@ -46,7 +46,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml generated vendored
View File

@ -46,7 +46,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_proxyignores.golden.yml generated vendored
View File

@ -47,7 +47,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml generated vendored
View File

@ -45,7 +45,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

6
cli/cmd/testdata/inject_emojivoto_list.golden.yml generated vendored
View File

@ -47,7 +47,8 @@ items:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -277,7 +278,8 @@ items:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

6
cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml generated vendored
View File

@ -47,7 +47,8 @@ items:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -277,7 +278,8 @@ items:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_pod.golden.yml generated vendored
View File

@ -37,7 +37,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_pod_ingress.golden.yml generated vendored
View File

@ -38,7 +38,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_pod_proxyignores.golden.yml generated vendored
View File

@ -39,7 +39,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml generated vendored
View File

@ -41,7 +41,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml generated vendored
View File

@ -46,7 +46,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

6
cli/cmd/testdata/inject_gettest_deployment.good.golden.yml generated vendored
View File

@ -41,7 +41,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -274,7 +275,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

3
cli/cmd/testdata/inject_tap_deployment_debug.golden.yml generated vendored
View File

@ -62,7 +62,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_controlplane_tracing_output.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -938,7 +938,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1245,7 +1246,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1271,7 +1272,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1678,7 +1680,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1704,7 +1706,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_custom_domain.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1244,7 +1245,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1270,7 +1271,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1676,7 +1678,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1702,7 +1704,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_custom_registry.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1244,7 +1245,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1270,7 +1271,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1676,7 +1678,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1702,7 +1704,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_default.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1244,7 +1245,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1270,7 +1271,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1676,7 +1678,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1702,7 +1704,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_default_override_dst_get_nets.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1244,7 +1245,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1270,7 +1271,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1676,7 +1678,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1702,7 +1704,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_default_token.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1235,7 +1236,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1261,7 +1262,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1658,7 +1660,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1684,7 +1686,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

9
cli/cmd/testdata/install_ha_output.golden generated vendored
View File

@ -1014,7 +1014,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1387,7 +1388,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1855,7 +1857,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

9
cli/cmd/testdata/install_ha_with_overrides_output.golden generated vendored
View File

@ -1014,7 +1014,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1387,7 +1388,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1855,7 +1857,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_heartbeat_disabled_output.golden generated vendored
View File

@ -792,7 +792,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -868,7 +868,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1175,7 +1176,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1201,7 +1202,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1547,7 +1549,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1573,7 +1575,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_helm_control_plane_output.golden generated vendored
View File

@ -834,7 +834,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -910,7 +910,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1219,7 +1220,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1245,7 +1246,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1655,7 +1657,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1681,7 +1683,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

9
cli/cmd/testdata/install_helm_control_plane_output_ha.golden generated vendored
View File

@ -987,7 +987,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1362,7 +1363,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1834,7 +1836,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

9
cli/cmd/testdata/install_helm_output_ha_labels.golden generated vendored
View File

@ -995,7 +995,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1374,7 +1375,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1854,7 +1856,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

9
cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden generated vendored
View File

@ -977,7 +977,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1352,7 +1353,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1824,7 +1826,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_no_init_container.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1238,7 +1239,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1264,7 +1265,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1664,7 +1666,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1690,7 +1692,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_output.golden generated vendored
View File

@ -830,7 +830,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -906,7 +906,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1210,7 +1211,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1236,7 +1237,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1646,7 +1648,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1672,7 +1674,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_proxy_ignores.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1244,7 +1245,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1270,7 +1271,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1676,7 +1678,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1702,7 +1704,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

15
cli/cmd/testdata/install_values_file.golden generated vendored
View File

@ -861,7 +861,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
@ -937,7 +937,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.example.com.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1244,7 +1245,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1270,7 +1271,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
@ -1676,7 +1678,7 @@ spec:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
@ -1702,7 +1704,8 @@ spec:
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.example.com.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
value: |
{"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS

2
controller/proxy-injector/fake/data/pod-with-debug.patch.json generated
View File

@ -199,7 +199,7 @@
},
{
"name": "LINKERD2_PROXY_POLICY_WORKLOAD",
"value": "$(_pod_ns):$(_pod_name)"
"value": "{\"ns\":\"$(_pod_ns)\", \"pod\":\"$(_pod_name)\"}\n"
},
{
"name": "LINKERD2_PROXY_INBOUND_DEFAULT_POLICY",

2
controller/proxy-injector/fake/data/pod-with-ns-annotations.patch.json generated
View File

@ -185,7 +185,7 @@
},
{
"name": "LINKERD2_PROXY_POLICY_WORKLOAD",
"value": "$(_pod_ns):$(_pod_name)"
"value": "{\"ns\":\"$(_pod_ns)\", \"pod\":\"$(_pod_name)\"}\n"
},
{
"name": "LINKERD2_PROXY_INBOUND_DEFAULT_POLICY",

2
controller/proxy-injector/fake/data/pod.patch.json generated
View File

@ -175,7 +175,7 @@
},
{
"name": "LINKERD2_PROXY_POLICY_WORKLOAD",
"value": "$(_pod_ns):$(_pod_name)"
"value": "{\"ns\":\"$(_pod_ns)\", \"pod\":\"$(_pod_name)\"}\n"
},
{
"name": "LINKERD2_PROXY_INBOUND_DEFAULT_POLICY",

2
policy-controller/grpc/Cargo.toml
View File

@ -18,6 +18,8 @@ prost-types = "0.11.9"
tokio = { version = "1", features = ["macros"] }
tonic = { version = "0.8", default-features = false }
tracing = "0.1"
serde = { version = "1", features = ["derive"] }
serde_json = "1"
[dependencies.linkerd2-proxy-api]
version = "0.11"

28
policy-controller/grpc/src/inbound.rs
View File

@ -1,4 +1,4 @@
use crate::http_route;
use crate::{http_route, workload::Kind, workload::Workload};
use futures::prelude::*;
use linkerd2_proxy_api::{
self as api,
@ -17,7 +17,7 @@ use linkerd_policy_controller_core::{
IdentityMatch, IpNet, NetworkMatch,
};
use maplit::*;
use std::{num::NonZeroU16, sync::Arc};
use std::{num::NonZeroU16, str::FromStr, sync::Arc};
use tracing::trace;
#[derive(Clone, Debug)]
@ -49,21 +49,17 @@ where
&self,
proto::PortSpec { workload, port }: proto::PortSpec,
) -> Result<(String, String, NonZeroU16), tonic::Status> {
// Parse a workload name in the form namespace:name.
let (ns, name) = match workload.split_once(':') {
None => {
return Err(tonic::Status::invalid_argument(format!(
"Invalid workload: {}",
workload
)));
let (ns, name) = match Workload::from_str(&workload)? {
Workload {
namespace,
kind: Kind::Pod(pod),
} => (namespace, pod),
_ => {
// TODO: handle external workloads
return Err(tonic::Status::invalid_argument(
"only pod workload supported at the moment",
));
}
Some((ns, pod)) if ns.is_empty() || pod.is_empty() => {
return Err(tonic::Status::invalid_argument(format!(
"Invalid workload: {}",
workload
)));
}
Some((ns, pod)) => (ns, pod),
};
// Ensure that the port is in the valid range.

1
policy-controller/grpc/src/lib.rs
View File

@ -2,6 +2,7 @@
#![forbid(unsafe_code)]
mod http_route;
mod workload;
pub mod inbound;
pub mod outbound;

16
policy-controller/grpc/src/outbound.rs
View File

@ -1,4 +1,4 @@
use crate::http_route;
use crate::{http_route, workload};
use futures::prelude::*;
use linkerd2_proxy_api::{
self as api, destination,
@ -15,7 +15,7 @@ use linkerd_policy_controller_core::{
OutboundPolicy, OutboundPolicyStream,
},
};
use std::{net::SocketAddr, num::NonZeroU16, sync::Arc, time};
use std::{net::SocketAddr, num::NonZeroU16, str::FromStr, sync::Arc, time};
#[derive(Clone, Debug)]
pub struct OutboundPolicyServer<T> {
@ -45,17 +45,7 @@ where
let target = spec
.target
.ok_or_else(|| tonic::Status::invalid_argument("target is required"))?;
let source_namespace = spec
.source_workload
.split_once(':')
.ok_or_else(|| {
tonic::Status::invalid_argument(format!(
"failed to parse source workload: {}",
spec.source_workload
))
})?
.0
.to_string();
let source_namespace = workload::Workload::from_str(&spec.source_workload)?.namespace;
let target = match target {
outbound::traffic_spec::Target::Addr(target) => target,
outbound::traffic_spec::Target::Authority(auth) => {

86
policy-controller/grpc/src/workload.rs Normal file
View File

@ -0,0 +1,86 @@
use serde::{Deserialize, Serialize};
use std::str::FromStr;
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
pub enum Kind {
#[serde(rename = "external_workload")]
External(String),
#[serde(rename = "pod")]
Pod(String),
}
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
pub struct Workload {
#[serde(flatten)]
pub kind: Kind,
#[serde(rename = "ns")]
pub namespace: String,
}
impl FromStr for Workload {
type Err = tonic::Status;
fn from_str(s: &str) -> Result<Self, tonic::Status> {
if s.starts_with('{') {
return serde_json::from_str(s).map_err(|error| {
tracing::error!(%error, "Invalid {s} workload string");
tonic::Status::invalid_argument(format!("Invalid workload: {}", s))
});
}
match s.split_once(':') {
None => Err(tonic::Status::invalid_argument(format!(
"Invalid workload: {}",
s
))),
Some((ns, pod)) if ns.is_empty() || pod.is_empty() => Err(
tonic::Status::invalid_argument(format!("Invalid workload: {}", s)),
),
Some((ns, pod)) => Ok(Workload {
namespace: ns.to_string(),
kind: Kind::Pod(pod.to_string()),
}),
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn parse_old_format() {
let input = "my-namespace:my-pod";
let expected: Workload = Workload {
namespace: "my-namespace".to_string(),
kind: Kind::Pod("my-pod".to_string()),
};
assert_eq!(expected, Workload::from_str(input).expect("should parse"));
}
#[test]
fn parse_new_format_pod() {
let input = r#"{"ns":"my-namespace", "pod":"my-pod"}"#;
let expected: Workload = Workload {
namespace: "my-namespace".to_string(),
kind: Kind::Pod("my-pod".to_string()),
};
assert_eq!(expected, Workload::from_str(input).expect("should parse"));
}
#[test]
fn parse_new_format_external() {
let input = r#"{"ns":"my-namespace", "external_workload":"my-external"}"#;
let expected: Workload = Workload {
namespace: "my-namespace".to_string(),
kind: Kind::External("my-external".to_string()),
};
assert_eq!(expected, Workload::from_str(input).expect("should parse"));
}
#[test]
fn errors_invalid_new_format() {
let input = r#"{"ns":"my-namespace", "nonsense":"my-external"}"#;
assert!(Workload::from_str(input).is_err());
}
}