Add link credentials secret to linkerd namespace (#11188)

We update the `multicluster link` command to write a credentials secret into the `linkerd` core control plane namespace in addition to writing one into the `linkerd-multicluster` namespace. This is a prerequisite for the destination controller to be able to connect to linked clusters to do remote service discovery. We also update the `multicluster unlink` command so that these credentials secrets are properly deleted when the cluster is unlinked. Signed-off-by: Alex Leong <alex@buoyant.io>
2023-08-04 11:20:39 -07:00 · 2023-08-04 11:20:39 -07:00 · aebc9a434c
parent 5fe0c0e122
commit aebc9a434c
2 changed files with 34 additions and 0 deletions
--- a/multicluster/cmd/link.go
+++ b/multicluster/cmd/link.go
@ -31,6 +31,8 @@ import (
 	"sigs.k8s.io/yaml"
 )

+const clusterNameLabel = "multicluster.linkerd.io/cluster-name"
+
 type (
 	linkOptions struct {
 		namespace               string
@ -178,6 +180,25 @@ A full list of configurable values can be found at https://github.com/linkerd/li
 				return err
 			}

+			destinationCreds := corev1.Secret{
+				Type:     k8s.MirrorSecretType,
+				TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      fmt.Sprintf("cluster-credentials-%s", opts.clusterName),
+					Namespace: controlPlaneNamespace,
+					Labels: map[string]string{
+						clusterNameLabel: opts.clusterName,
+					},
+				},
+				Data: map[string][]byte{
+					k8s.ConfigKeyName: kubeconfig,
+				},
+			}
+			destinationCredsOut, err := yaml.Marshal(destinationCreds)
+			if err != nil {
+				return err
+			}
+
 			gateway, err := k.CoreV1().Services(opts.gatewayNamespace).Get(cmd.Context(), opts.gatewayName, metav1.GetOptions{})
 			if err != nil {
 				return err
@ -280,6 +301,8 @@ A full list of configurable values can be found at https://github.com/linkerd/li

 			stdout.Write(credsOut)
 			stdout.Write([]byte("---\n"))
+			stdout.Write(destinationCredsOut)
+			stdout.Write([]byte("---\n"))
 			stdout.Write(linkOut)
 			stdout.Write([]byte("---\n"))
 			stdout.Write(serviceMirrorOut)
--- a/multicluster/cmd/unlink.go
+++ b/multicluster/cmd/unlink.go
@ -89,6 +89,17 @@ func newUnlinkCommand() *cobra.Command {
 				)
 			}

+			selector = fmt.Sprintf("%s=%s", clusterNameLabel, opts.clusterName)
+			destinationCredentials, err := k.CoreV1().Secrets(controlPlaneNamespace).List(cmd.Context(), metav1.ListOptions{LabelSelector: selector})
+			if err != nil {
+				return err
+			}
+			for _, secret := range destinationCredentials.Items {
+				resources = append(resources,
+					resource.NewNamespaced(corev1.SchemeGroupVersion.String(), "Secret", secret.Name, secret.Namespace),
+				)
+			}
+
 			for _, r := range resources {
 				if err := r.RenderResource(stdout); err != nil {
 					log.Errorf("failed to render resource %s: %s", r.Name, err)