linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

proxy-injector: always add the `opaque-ports` annotation (#6719) 

In order to discover how a workload is configured without knowing the global defaults, the `opaque-ports` annotation is now added by the proxy injector to workloads, regardless of the list being the default or user-specified.

Closes #6689

#### core
Because core control plane components do not go through the proxy injector the annotation is added to the `destination`, `identity`, and `proxy-injector` templates.

The `linkerd-destination` and `linkerd-proxy-injector` deployments both now just have the `opaque-ports: "8443"` annotation. The `linkerd-identity` deployment and service doesn't need this annotation since it doesn't expose anything in the default list.

#### non-core
All other resources go through the proxy injector; it decides whether or not services or pods (the two resources that it can add annotations to) should get the default list.

Workloads get the default list of opaque ports added if they and their namespace do not have the annotation already. So this boils down to:
1. If the workload already has the annotation, no patch is created
2. If the namespace has the annotation but the workload does not, a patch is generated
3. If the workload and namespace do not have the annotation, a patch is generated

#### tests
A unit test has been added and I performed the following manual tests:
1. Injected a pod with the annotation: a patch is generated but there is no change to opaque ports
2. Injected a pod with the namespace annotation: a patch is genereted and opaque ports are copied down to the pod
3. Injected a pod with no annotation on it or the namespace: a patch is generated and the default opaque ports are added
4. Created a pod (not injected): a patch is generated (without the proxy) that adds the annotation (this holds true for if the pod having the annotation or the namespace having the annotation)

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
This commit is contained in:
Kevin Leimkuhler 2021-08-26 11:38:40 -06:00 committed by GitHub
parent f8af17c444
commit c7d54bb826
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 170 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/linkerd2/templates/destination.yaml
View File

@ -50,6 +50,7 @@ metadata:
linkerd.io/control-plane-ns: {{.Values.namespace}}
annotations:
{{ include "partials.annotations.created-by" . }}
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -131,6 +132,7 @@ spec:
{{ include "partials.annotations.created-by" . }}
{{- include "partials.proxy.annotations" . | nindent 8}}
{{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: {{.Values.namespace}}

2
charts/linkerd2/templates/proxy-injector.yaml
View File

@ -38,6 +38,7 @@ spec:
{{ include "partials.annotations.created-by" . }}
{{- include "partials.proxy.annotations" . | nindent 8}}
{{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: {{.Values.namespace}}
@ -130,6 +131,7 @@ metadata:
linkerd.io/control-plane-ns: {{.Values.namespace}}
annotations:
{{ include "partials.annotations.created-by" . }}
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_controlplane_tracing_output.golden generated vendored
View File

@ -1504,6 +1504,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1558,6 +1559,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1895,6 +1897,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2112,6 +2115,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_custom_domain.golden generated vendored
View File

@ -1503,6 +1503,7 @@ metadata:
linkerd.io/control-plane-ns: l5d
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1557,6 +1558,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: l5d
@ -1893,6 +1895,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: l5d
@ -2110,6 +2113,7 @@ metadata:
linkerd.io/control-plane-ns: l5d
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_custom_registry.golden generated vendored
View File

@ -1503,6 +1503,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1557,6 +1558,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1893,6 +1895,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2110,6 +2113,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_default.golden generated vendored
View File

@ -1503,6 +1503,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1557,6 +1558,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1893,6 +1895,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2110,6 +2113,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_default_override_dst_get_nets.golden generated vendored
View File

@ -1503,6 +1503,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1557,6 +1558,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1893,6 +1895,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2110,6 +2113,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_ha_output.golden generated vendored
View File

@ -1577,6 +1577,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1650,6 +1651,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -2026,6 +2028,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2274,6 +2277,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_ha_with_overrides_output.golden generated vendored
View File

@ -1577,6 +1577,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1650,6 +1651,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -2026,6 +2028,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2274,6 +2277,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_heartbeat_disabled_output.golden generated vendored
View File

@ -1434,6 +1434,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1488,6 +1489,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1775,6 +1777,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -1992,6 +1995,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_helm_output.golden generated vendored
View File

@ -1496,6 +1496,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1550,6 +1551,7 @@ spec:
linkerd.io/created-by: linkerd/helm linkerd-version
linkerd.io/identity-mode: default
linkerd.io/proxy-version: test-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1890,6 +1892,7 @@ spec:
linkerd.io/created-by: linkerd/helm linkerd-version
linkerd.io/identity-mode: default
linkerd.io/proxy-version: test-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2107,6 +2110,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_helm_output_ha.golden generated vendored
View File

@ -1570,6 +1570,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1643,6 +1644,7 @@ spec:
linkerd.io/created-by: linkerd/helm linkerd-version
linkerd.io/identity-mode: default
linkerd.io/proxy-version: test-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -2023,6 +2025,7 @@ spec:
linkerd.io/created-by: linkerd/helm linkerd-version
linkerd.io/identity-mode: default
linkerd.io/proxy-version: test-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2271,6 +2274,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_helm_output_ha_labels.golden generated vendored
View File

@ -1578,6 +1578,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1653,6 +1654,7 @@ spec:
linkerd.io/proxy-version: test-proxy-version
asda: fasda
bingo: bongo
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -2041,6 +2043,7 @@ spec:
linkerd.io/proxy-version: test-proxy-version
asda: fasda
bingo: bongo
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2291,6 +2294,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden generated vendored
View File

@ -1570,6 +1570,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1643,6 +1644,7 @@ spec:
linkerd.io/created-by: linkerd/helm linkerd-version
linkerd.io/identity-mode: default
linkerd.io/proxy-version: test-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -2023,6 +2025,7 @@ spec:
linkerd.io/created-by: linkerd/helm linkerd-version
linkerd.io/identity-mode: default
linkerd.io/proxy-version: test-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2271,6 +2274,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/helm linkerd-version
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_no_init_container.golden generated vendored
View File

@ -1465,6 +1465,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1519,6 +1520,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1817,6 +1819,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -1996,6 +1999,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_output.golden generated vendored
View File

@ -1505,6 +1505,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1559,6 +1560,7 @@ spec:
linkerd.io/created-by: CliVersion
linkerd.io/identity-mode: default
linkerd.io/proxy-version: ProxyVersion
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1903,6 +1905,7 @@ spec:
linkerd.io/created-by: CliVersion
linkerd.io/identity-mode: default
linkerd.io/proxy-version: ProxyVersion
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2122,6 +2125,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_proxy_ignores.golden generated vendored
View File

@ -1503,6 +1503,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1557,6 +1558,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
@ -1893,6 +1895,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
@ -2110,6 +2113,7 @@ metadata:
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

4
cli/cmd/testdata/install_values_file.golden generated vendored
View File

@ -1489,6 +1489,7 @@ metadata:
linkerd.io/control-plane-ns: l5d
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
@ -1543,6 +1544,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: l5d
@ -1879,6 +1881,7 @@ spec:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
config.linkerd.io/opaque-ports: "8443"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: l5d
@ -2096,6 +2099,7 @@ metadata:
linkerd.io/control-plane-ns: l5d
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:

12
controller/proxy-injector/fake/data/default-op-annotation.patch.json Normal file
View File

@ -0,0 +1,12 @@
[
{
"op": "add",
"path": "/metadata/annotations",
"value": {}
},
{
"op": "add",
"path": "/metadata/annotations/config.linkerd.io~1opaque-ports",
"value": "25,443,587,3306,4444,5432,6379,9300,11211"
}
]

22
controller/proxy-injector/webhook.go
View File

@ -93,6 +93,16 @@ func Inject(
// If namespace has annotations that do not exist on pod then copy them
// over to pod's template.
resourceConfig.AppendNamespaceAnnotations()
// If the pod did not inherit the opaque ports annotation from the
// namespace, then add the default value from the config values. This
// ensures that the generated patch always sets the opaue ports
// annotation.
if !resourceConfig.HasWorkloadAnnotation(pkgK8s.ProxyOpaquePortsAnnotation) {
opaquePorts := resourceConfig.GetValues().Proxy.OpaquePorts
resourceConfig.AppendPodAnnotation(pkgK8s.ProxyOpaquePortsAnnotation, opaquePorts)
}
patchJSON, err := resourceConfig.GetPodPatch(true)
if err != nil {
return nil, err
@ -112,14 +122,16 @@ func Inject(
}, nil
}
// If the resource is not injectable but does need the opaque ports
// annotation added, then admit it after creating a patch that adds the
// annotation.
if opaquePorts, opaquePortsOk := resourceConfig.GetConfigAnnotation(pkgK8s.ProxyOpaquePortsAnnotation); opaquePortsOk {
patchJSON, err := resourceConfig.CreateAnnotationPatch(opaquePorts)
// Create an annotation patch that would set the list of default opaque
// ports if is needed.
patchJSON, err := resourceConfig.CreateDefaultOpaquePortsPatch()
if err != nil {
return nil, err
}
// If patchJSON holds a patch after checking the workload annotations,
// then we admit the request.
if len(patchJSON) != 0 {
log.Infof("annotation patch generated for: %s", report.ResName())
log.Debugf("annotation patch: %s", patchJSON)
proxyInjectionAdmissionResponses.With(admissionResponseLabels(ownerKind, request.Namespace, "false", "", report.InjectAnnotationAt, configLabels)).Inc()

27
controller/proxy-injector/webhook_test.go
View File

@ -267,6 +267,14 @@ func TestGetAnnotationPatch(t *testing.T) {
if err != nil {
t.Fatalf("Unexpected error: %s", err)
}
defaultOPBytes, err := factory.FileContents("default-op-annotation.patch.json")
if err != nil {
t.Fatalf("Unexpected error: %s", err)
}
defaultOPPatch, err := unmarshalPatch(defaultOPBytes)
if err != nil {
t.Fatalf("Unexpected error: %s", err)
}
var testCases = []struct {
name string
filename string
@ -300,6 +308,8 @@ func TestGetAnnotationPatch(t *testing.T) {
filename: "service-without-opaque-ports.yaml",
ns: nsWithoutOpaquePorts,
conf: confNsWithoutOpaquePorts(),
expectedPatchBytes: defaultOPBytes,
expectedPatch: defaultOPPatch,
},
{
name: "pod without opaque ports and namespace with",
@ -321,6 +331,14 @@ func TestGetAnnotationPatch(t *testing.T) {
ns: nsWithoutOpaquePorts,
conf: confNsWithoutOpaquePorts(),
},
{
name: "pod without opaque ports and namespace without",
filename: "pod-without-opaque-ports.yaml",
ns: nsWithoutOpaquePorts,
conf: confNsWithoutOpaquePorts(),
expectedPatchBytes: defaultOPBytes,
expectedPatch: defaultOPPatch,
},
}
for _, testCase := range testCases {
testCase := testCase // pin
@ -337,14 +355,9 @@ func TestGetAnnotationPatch(t *testing.T) {
if err != nil {
t.Fatal(err)
}
var patchJSON []byte
opaquePorts, ok := fullConf.GetConfigAnnotation(pkgK8s.ProxyOpaquePortsAnnotation)
if ok {
fullConf.AppendPodAnnotation(pkgK8s.ProxyOpaquePortsAnnotation, opaquePorts)
patchJSON, err = fullConf.CreateAnnotationPatch(opaquePorts)
patchJSON, err := fullConf.CreateDefaultOpaquePortsPatch()
if err != nil {
t.Fatalf("Unexpected PatchForAdmissionRequest error: %s", err)
}
t.Fatalf("Unexpected error creating default opaque ports patch: %s", err)
}
if len(testCase.expectedPatchBytes) != 0 && len(patchJSON) == 0 {
t.Fatalf("There was no patch, but one was expected: %s", testCase.expectedPatchBytes)

45
pkg/inject/inject.go
View File

@ -248,6 +248,11 @@ func (conf *ResourceConfig) ParseMetaAndYAML(bytes []byte) (*Report, error) {
return newReport(conf), nil
}
// GetValues returns the values used for rendering patches.
func (conf *ResourceConfig) GetValues() *linkerd2.Values {
return conf.values
}
// GetOverriddenValues returns the final Values struct which is created
// by overriding annotated configuration on top of default Values
func (conf *ResourceConfig) GetOverriddenValues() (*linkerd2.Values, error) {
@ -360,6 +365,46 @@ func (conf *ResourceConfig) GetConfigAnnotation(annotationKey string) (string, b
return "", false
}
// CreateDefaultOpaquePortsPatch creates a patch that will add the default
// list of opaque ports.
// 1. Check if the annotation should be copied down from the namespace.
// If ok is true, then we know the namespace has the annotation and the
// workload does not.
// 2. If ok is false, we know either the workload has the annotation or both
// the workload and the namespace does not have annotation. In the case of
// the latter, we must add a default value to the pod.
func (conf *ResourceConfig) CreateDefaultOpaquePortsPatch() ([]byte, error) {
var patch []byte
var err error
opaquePorts, ok := conf.GetConfigAnnotation(k8s.ProxyOpaquePortsAnnotation)
if ok {
patch, err = conf.CreateAnnotationPatch(opaquePorts)
if err != nil {
return nil, err
}
} else if !conf.HasWorkloadAnnotation(k8s.ProxyOpaquePortsAnnotation) {
opaquePorts := conf.GetValues().Proxy.OpaquePorts
patch, err = conf.CreateAnnotationPatch(opaquePorts)
if err != nil {
return nil, err
}
}
return patch, nil
}
// HasWorkloadAnnotation returns true if the workload has the annotation set
// by the resource config or its metadata.
func (conf *ResourceConfig) HasWorkloadAnnotation(annotation string) bool {
if _, ok := conf.pod.meta.Annotations[annotation]; ok {
return true
}
if _, ok := conf.workload.Meta.Annotations[annotation]; ok {
return true
}
_, ok := conf.pod.annotations[annotation]
return ok
}
// CreateAnnotationPatch returns a json patch which adds the opaque ports
// annotation with the `opaquePorts` value.
func (conf *ResourceConfig) CreateAnnotationPatch(opaquePorts string) ([]byte, error) {