Commit Graph

118 Commits

Author SHA1 Message Date
Kevin Leimkuhler 2442ca07bf
Parse Pod labels for owning Deployment instead of name (#8920)
Closes #8916

When a random Pod (meshed or not) is created in the `linkerd`, `linkerd-viz`, or
`linkerd-jaeger` namespaces, their respective `check` subcommands can fail.

We parse Pod names for their owning Deployment by assuming the Pod name has a
randomized suffix. For example, the `linkerd-destination` Deployment creates the
`linkerd-destination-58c57dd675-7tthr` Pod. We split the name on `-` and take
the first two parts (`["linkerd", "destination"]`); those first two parts make
up the Deployment name.

Now, if a random Pod is created in the namespace with the name `test`, we apply
that same logic but hit a runtime error when trying to get the first two parts
of the split. `test` did not split at all since it contains no `-` and therefore
we error with `slice bounds out of range`.

To fix this, we now use the fact that all Linkerd components have a
`linkerd.io/control-plane-component` or `component` label with a value that is
the owning Deployment. This allows us to avoid any extra parsing logic and just
look at a single label value.

Additionally, some of these checks get all the Pods in a namespace with the
`GetPodsByNamespace` method but we don't always need something so general. In
the places where we are checking specifically for Linkerd components, we can
narrow this further by using the expected LabelSelector such as
`linkerd.io/extension=viz`.

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2022-07-19 12:14:55 -06:00
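The two owner-lookup strategies this commit describes, side by side, as an added Go example that is not code from the linkerd2 repository: the `Pod` type, the label values and the sample namespace are constructed here, and the label selector is modelled as a plain map match.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Pod is a minimal stand-in for the Kubernetes Pod fields needed here
// (constructed for this example; not the client-go type).
type Pod struct {
	Name   string
	Labels map[string]string
}

// ErrNotComponent marks a Pod that carries no Linkerd component label.
var ErrNotComponent = errors.New("pod is not a Linkerd component")

// ownerFromName reproduces the pre-fix heuristic: split the Pod name on "-"
// and join the first two segments. The original indexed parts[:2] directly,
// which panics with "slice bounds out of range" for a name such as "test";
// here the same condition is surfaced as an error instead.
func ownerFromName(name string) (string, error) {
	parts := strings.Split(name, "-")
	if len(parts) < 2 {
		return "", fmt.Errorf("pod %q: name has fewer than two segments", name)
	}
	return strings.Join(parts[:2], "-"), nil
}

// ownerFromLabels is the post-fix approach: the owning component is read from
// linkerd.io/control-plane-component (core control plane) or component
// (extensions). No name parsing, so unrelated Pods cannot break the check.
func ownerFromLabels(p Pod) (string, error) {
	for _, key := range []string{"linkerd.io/control-plane-component", "component"} {
		if v := p.Labels[key]; v != "" {
			return v, nil
		}
	}
	return "", ErrNotComponent
}

// selectPods stands in for a LabelSelector such as linkerd.io/extension=viz:
// only Pods matching every key/value in selector are returned.
func selectPods(pods []Pod, selector map[string]string) []Pod {
	var out []Pod
	for _, p := range pods {
		match := true
		for k, v := range selector {
			if p.Labels[k] != v {
				match = false
				break
			}
		}
		if match {
			out = append(out, p)
		}
	}
	return out
}

// missingComponents lists expected components for which no Pod carries a
// matching label. Unlabelled Pods are skipped, not treated as failures.
func missingComponents(pods []Pod, expected []string) []string {
	seen := map[string]bool{}
	for _, p := range pods {
		if owner, err := ownerFromLabels(p); err == nil {
			seen[owner] = true
		}
	}
	var missing []string
	for _, name := range expected {
		if !seen[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample namespace: two control plane Pods (label values follow
	// the control plane's component naming) and an unrelated Pod named "test".
	pods := []Pod{
		{Name: "linkerd-destination-58c57dd675-7tthr",
			Labels: map[string]string{"linkerd.io/control-plane-component": "destination"}},
		{Name: "linkerd-identity-6f8b9c7d4-x2k9p",
			Labels: map[string]string{"linkerd.io/control-plane-component": "identity"}},
		{Name: "test", Labels: map[string]string{"app": "scratch"}},
	}
	for _, p := range pods {
		byName, errName := ownerFromName(p.Name)
		byLabel, errLabel := ownerFromLabels(p)
		fmt.Printf("%-40s byName=%q (%v)  byLabel=%q (%v)\n", p.Name, byName, errName, byLabel, errLabel)
	}
	fmt.Println("missing:", missingComponents(pods, []string{"destination", "identity", "proxy-injector"}))
}
```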
Alex Leong 80b2fdbe3f
Allow extension deployments to be evicted by autoscaler (#8828)
Fixes: #8308

We add the `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"` annotation to all Linkerd extension deployments.  This signals that none of these deployments use persistent storage and they are all eligible for eviction if necessary.

Signed-off-by: Alex Leong <alex@buoyant.io>
2022-07-12 10:46:31 -07:00
Kevin Leimkuhler 89c397349c
Add changes for edge-22.7.1 (#8833)
This release includes a security improvement. When a user manually specified the
`policyValidator.keyPEM` setting, the value was incorrectly included in the
`linkerd-config` configmap. This means that this private key was erroneously
exposed to service accounts with read access to this configmap. Practically,
this means that the Linkerd `proxy-injector`, `identity`, and `heartbeat` pods
could read this value. This should **not** have exposed this private key to
other unauthorized users unless additional role bindings were added outside of
Linkerd. Nevertheless, we recommend that users who manually set control plane
certificates update the credentials for the policy validator after upgrading
Linkerd.

Additionally, the linkerd-multicluster extension has several fixes related to
fail fast errors during link watch restarts, improper label matching for
mirrored services, and properly cleaning up mirrored endpoints in certain
situations.

Lastly, the proxy can now retry gRPC requests that have responses with a
TRAILERS frame. A fix to reduce redundant load balancer updates should also
result in less connection churn.

* Changed unit tests to use newly introduced `prommatch` package for asserting
  expected metrics (thanks @krzysztofdrys!)
* Fixed Docker container runtime check to only run during `linkerd install` rather
  than `linkerd check --pre`
* Changed linkerd-multicluster's remote cluster watcher to assume the gateway is
  alive when starting—fixing fail fast errors from occurring during restarts
  (thanks @chenaoxd!)
* Added `matchLabels` and `matchExpressions` to linkerd-multicluster's Link CRD
* Fixed linkerd-multicluster's label selector to properly select resources that
  match the expected label value, rather than just the presence of the label
* Fixed linkerd-multicluster's cluster watcher to properly clean up endpoints
  belonging to remote headless services that are no longer mirrored
* Added the HttpRoute CRD which will be used by future policy features
* Fixed CNI plugin event processing where file updates could sometimes be
  skipped leading to the update not being acknowledged
* Fixed redundant load balancer updates in the proxy that could cause
  unnecessary connection churn
* Fixed gRPC request retries for responses that contain a TRAILERS frame
* Fixed the dashboard's `linkerd check` due to missing RBAC for listing pods in
  the cluster
* Fixed API check that ensures access to the Server CRD (thanks @aatarasoff!)
* Changed `linkerd authz` to match the labels of pre-fetched Pods rather than
  the multiple API calls it was doing—resulting in significant speed-up (thanks
  @aatarasoff!)
* Unset `policyValidator.keyPEM` in `linkerd-config` ConfigMap

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2022-07-10 11:39:56 -06:00
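A defender's check for the exposure described in this release note, as an added Go example that is not Linkerd's code: it scans every `data` value of a ConfigMap for a PEM private-key header, which also catches a key nested inside the `values` YAML string of `linkerd-config`. The two sample ConfigMaps and the placeholder key body are constructed; the only assumed external input is the JSON that `kubectl get cm -o json` prints.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"regexp"
	"sort"
)

// configMap holds the only fields this check needs from a Kubernetes
// ConfigMap serialised with `kubectl get cm -o json`.
type configMap struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

// pemPrivateKey matches the header line of any PEM-encoded private key
// ("PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE
// KEY", ...). Matching the raw string means nesting inside YAML is irrelevant.
var pemPrivateKey = regexp.MustCompile(`-----BEGIN ([A-Z]+ )*PRIVATE KEY-----`)

// findPrivateKeys reports each data key whose value contains a PEM private
// key header, sorted. An empty result means no private-key material was found.
func findPrivateKeys(cmJSON []byte) ([]string, error) {
	var cm configMap
	if err := json.Unmarshal(cmJSON, &cm); err != nil {
		return nil, fmt.Errorf("decode configmap: %w", err)
	}
	var hits []string
	for key, value := range cm.Data {
		if m := pemPrivateKey.FindString(value); m != "" {
			hits = append(hits, fmt.Sprintf("%s/%s: %s", cm.Metadata.Name, key, m))
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// sampleLeakedConfigMap is a constructed linkerd-config whose values entry
// still carries policyValidator.keyPEM, the shape the affected releases
// rendered. The key body is a placeholder, not real key material.
const sampleLeakedConfigMap = `{
  "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
  "data": {
    "values": "policyValidator:\n  crtPEM: |\n    -----BEGIN CERTIFICATE-----\n    PLACEHOLDER\n    -----END CERTIFICATE-----\n  keyPEM: |\n    -----BEGIN EC PRIVATE KEY-----\n    PLACEHOLDER\n    -----END EC PRIVATE KEY-----\n"
  }
}`

// sampleCleanConfigMap is the same ConfigMap after keyPEM has been unset.
const sampleCleanConfigMap = `{
  "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
  "data": {
    "values": "policyValidator:\n  crtPEM: |\n    -----BEGIN CERTIFICATE-----\n    PLACEHOLDER\n    -----END CERTIFICATE-----\n  keyPEM: \"\"\n"
  }
}`

func main() {
	// With nothing piped in, scan the constructed samples; otherwise scan the
	// ConfigMap JSON supplied on stdin. Exit 1 when any key material is found.
	var inputs [][]byte
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		inputs = append(inputs, b)
	} else {
		inputs = append(inputs, []byte(sampleLeakedConfigMap), []byte(sampleCleanConfigMap))
	}
	exit := 0
	for _, in := range inputs {
		hits, err := findPrivateKeys(in)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		if len(hits) == 0 {
			fmt.Println("ok: no private key material found")
			continue
		}
		exit = 1
		for _, h := range hits {
			fmt.Println("FOUND:", h)
		}
	}
	os.Exit(exit)
}
```

Against a live cluster, assuming the file is saved as `scan.go`: `kubectl -n linkerd get cm linkerd-config -o json | go run scan.go`.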
Matei David a49cbb9fe1
edge-22.6.2 (#8706)
This edge release bumps the minimum supported Kubernetes version from `v1.20`
to `v1.21`, introduces some new changes, and includes a few bug fixes. Most
notably, a bug has been fixed in the proxy's outbound load balancer that could
cause panics, especially when the balancer would process many service discovery
updates in a short period of time. This release also fixes a panic in the
proxy-injector and introduces a change that will include HTTP probe ports in
the proxy's inbound ports configuration, to be used for policy discovery.

* Fixed a bug in the proxy's outbound load balancer that could cause panics
  when many discovery updates were processed in short time periods
* Added `runtimeClassName` options to Linkerd's Helm chart (thanks @jtcarnes!)
* Introduced a change in the proxy-injector that will configure the inbound
  ports proxy configuration with the pod's probe ports (HTTPGet)
* Added godoc links in the project README file (thanks @spacewander!)
* Increased minimum supported Kubernetes version to `v1.21` from `v1.20`
* Fixed an issue where the proxy-injector would not emit events for resources
  that receive annotation patches but are skipped for injection
* Refactored `PublicIPToString` to handle both IPv4 and IPv6 addresses in a
  similar behavior (thanks @zhlsunshine!)
* Replaced the usage of branch with tags, and pinned `cosign-installer` action
  to `v1` (thanks @saschagrunert!)
* Fixed an issue where the proxy-injector would panic if resources have an
  unsupported owner kind

Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Eliza Weisman <eliza@buoyant.io>
2022-06-20 19:25:40 +01:00
Alex Leong b7a0b8adb4
Bump minimum kubernetes version to 1.21 (#8647)
Fixes #8592

Increase the minimum supported kubernetes version from 1.20 to 1.21.  This allows us to drop support for batch/v1beta1/CronJob and discovery/v1beta1/EndpointSlices, instead using only v1 of those resources.  This fixes deprecation warnings about these warnings printed by the CLI.

Signed-off-by: Alex Leong <alex@buoyant.io>
2022-06-14 15:15:28 -07:00
Kevin Leimkuhler a24c32e5e7
Add changes for edge-22.6.1 (#8642)
This edge release fixes an issue where Linkerd injected pods could not be
evicted by Cluster Autoscaler. It also adds the `--crds` flag to `linkerd check`
which validates that the Linkerd CRDs have been installed with the proper
versions.

The previously noisy "cluster networks can be verified" check has been replaced
with one that now verifies each running Pod IP is contained within the current
`clusterNetworks` configuration value.

Additionally, linkerd-viz is no longer required for linkerd-multicluster's
`gateways` command — allowing the `Gateways` API to be marked as deprecated for
2.12.

Finally, several security issues have been patched in the Docker images now that
the builds are pinned only to minor — rather than patch — versions.

* Replaced manual IP address parsing with functions available in the Go standard
  library (thanks @zhlsunshine!)
* Removed linkerd-multicluster's `gateway` command dependency on the linkerd-viz
  extension
* Fixed issue where Linkerd injected pods were prevented from being evicted by
  Cluster Autoscaler
* Added the `dst_target_cluster` metric to linkerd-multicluster's service-mirror
  controller probe traffic
* Added the `--crds` flag to `linkerd check` which validates that the Linkerd
  CRDs have been installed
* Removed the Docker image's hardcoded patch versions so that builds pick up
  patch releases without manual intervention
* Replaced the "cluster networks can be verified" check with a "cluster
  networks contains all pods" check which ensures that all currently running Pod
  IPs are contained by the current `clusterNetworks` configuration
* Added IPv6 compatible IP address generation in certain control plane
  components that were only generating IPv4 (thanks @zhlsunshine!)
* Deprecated linkerd-viz's `Gateways` API which is no longer used by
  linkerd-multicluster
* Added the `promm` package for making programmatic Prometheus assertions in
  tests (thanks @krzysztofdrys!)

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2022-06-09 18:26:47 -06:00
Alejandro Pedraza 2c1b93bbd5
Set `runAsUser` in extensions (#8639)
Fixes #8606

This adds a configurable `SecurityContext.runAsUser` section to the multicluster
gateway, the tracing deployments, and the `namespace-metadata` jobs in
all the extensions.
2022-06-09 12:53:55 -07:00
Oliver Gould beea473206
Update Go to the latest 1.17 release (#8603)
Our docker images hardcode a patch version, 1.17.3, which does not
include a variety of important fixes that have been released:

> go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker,
> runtime, and the go/types, net/http, and time packages. See the Go
> 1.17.4 milestone on our issue tracker for details.

> go1.17.5 (released 2021-12-09) includes security fixes to the net/http
> and syscall packages. See the Go 1.17.5 milestone on our issue tracker
> for details.

> go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker,
> runtime, and the crypto/x509, net/http, and reflect packages. See the Go
> 1.17.6 milestone on our issue tracker for details.

> go1.17.7 (released 2022-02-10) includes security fixes to the go
> command, and the crypto/elliptic and math/big packages, as well as bug
> fixes to the compiler, linker, runtime, the go command, and the
> debug/macho, debug/pe, and net/http/httptest packages. See the Go 1.17.7
> milestone on our issue tracker for details.

> go1.17.8 (released 2022-03-03) includes a security fix to the
> regexp/syntax package, as well as bug fixes to the compiler, runtime,
> the go command, and the crypto/x509 and net packages. See the Go 1.17.8
> milestone on our issue tracker for details.

> go1.17.9 (released 2022-04-12) includes security fixes to the
> crypto/elliptic and encoding/pem packages, as well as bug fixes to the
> linker and runtime. See the Go 1.17.9 milestone on our issue tracker for
> details.

> go1.17.10 (released 2022-05-10) includes security fixes to the syscall
> package, as well as bug fixes to the compiler, runtime, and the
> crypto/x509 and net/http/httptest packages. See the Go 1.17.10 milestone
> on our issue tracker for details.

> go1.17.11 (released 2022-06-01) includes security fixes to the
> crypto/rand, crypto/tls, os/exec, and path/filepath packages, as well as
> bug fixes to the crypto/tls package. See the Go 1.17.11 milestone on our
> issue tracker for details.

This changes our container configs to use the latest 1.17 release on
each build so that these patch releases are picked up without manual
intervention.

Signed-off-by: Oliver Gould <ver@buoyant.io>
2022-06-03 08:33:21 -05:00
cpretzer e9bd0310a3
Changes for edge-22.5.3 release (#8573)
This edge release fixes a few proxy issues, improves the upgrade process, and
introduces proto retries to Service Profiles. Also included are updates to the
bash scripts to ensure that they follow best practices.

* Polished the shell scripts (thanks @joakimr-axis)
* Introduced retries to Service Profiles by adding an isRetryable function to
  the proto definition (thanks @mahlunar)
* Fixed proxy responses to CONNECT requests by removing the content-length
  and/or transfer-encoding headers from the response
* Fixed DNS lookups in the proxy to consistently use A records when SRV records
  cannot be resolved
* Added dynamic policy discovery to the proxy by evaluating traffic on ports
  not included in the LINKERD2_PROXY_INBOUND_PORTS environment variable
* Added logic to require that the linkerd CRDs are installed when running
  the `linkerd upgrade` command

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2022-05-27 11:14:38 -07:00
Matei David c47f35b273
edge-22.5.2 (#8482)
* edge-22.5.2

This edge release ships a few changes to the chart values, a fix for
multicluster headless services, and notable proxy features. HA functionality,
such as PDBs, deployment strategies, and pod anti-affinity, have been split
from the HA values and are now configurable for the control plane. On the proxy
side, non-HTTP traffic will now be forwarded on the outbound side within the
cluster when the proxy runs in ingress mode.

a multicluster fix for headless services,
This release updates "ingress-mode" proxies to be able to forward
non-HTTP traffic within the cluster. Protocol detection is always
attempted for outbound connections, however, when in ingress mode.

* Updated `ingress-mode` proxies to forward non-HTTP traffic within the cluster
  (protocol detection will always be attempted for outbound connections)
* Added a new proxy metric `process_uptime_seconds_total` to keep track of the
  number of seconds since the proxy started
* Fixed an issue with multicluster headless service mirroring, where exported
  endpoints would be mirrored with a delay, or when changes to the export label
  would be ignored
* Split HA functionality, such as PodDisruptionBudgets, into multiple
  configurable values (thanks @evan-hines-firebolt for the initial work)

Signed-off-by: Matei David <matei@buoyant.io>

* Clean up CHANGES.md

Signed-off-by: Matei David <matei@buoyant.io>

* Update Helm docs

Signed-off-by: Matei David <matei@buoyant.io>
2022-05-13 17:16:03 +01:00
Oliver Gould 33c1d610ad
test: Diff structured YAML when possible (#8432)
When we compare generated manifests against fixtures, we do a simple
string comparison to compare output. The diffed data can be pretty hard
to understand.

This change adds a new test helper, `DiffTestYAML` that parses strings
as arbitrary YAML data structures and uses `deep.Equal` to generate a
diff of the datastructures.

Now, when a test fails, we'll get output like:

```
install_test.go:244: YAML mismatches install_output.golden:
	slice[32].map[spec].map[template].map[spec].map[containers].slice[3].map[image]: PolicyControllerImageName:PolicyControllerVersion != SomeOtherImage:PolicyControllerVersion
```

While testing this, it became apparent that several of our generated
golden files were not actually valid YAML, due to the `LinkerdVersion`
value being unset. This has been fixed.

Signed-off-by: Oliver Gould <ver@buoyant.io>
2022-05-10 08:40:29 -07:00
Alex Leong fd82c5ee09
edge-22.5.1 (#8431)
This edge release adds more flexibility to the MeshTLSAuthentication and
AuthorizationPolicy policy resources by allowing them to target entire
namespaces. It also fixes a race condition when multiple CNI plugins are
installed together as well as a number of other bug fixes.

* Added support for MeshTLSAuthentication resources to target an entire
  namespace, authenticating all ServiceAccounts in that namespace
* Fixed a panic in `linkerd install` when the `--ignore-cluster` flag is passed
* Fixed issue where pods would fail to start when `enablePSP` and
  `proxyInit.runAsRoot` are set
* Added support for AuthorizationPolicy resources to target namespaces, applying
  to all Servers in that namespace
* Fixed a race condition where the Linkerd CNI configuration could be overwritten
  when multiple CNI plugins are installed
* Added test for opaque ports using Service and Pod IPs (thanks @krzysztofdrys!)
* Fixed an error in the linkerd-viz Helm chart in HA mode

Signed-off-by: Alex Leong <alex@buoyant.io>
2022-05-05 13:00:36 -07:00
Alejandro Pedraza 0238950868
edge-22.4.1 change notes (#8362)
## edge-22.4.1

In order to support having custom resources in the default Linkerd installation,
the CLI install flow is now always a 2-step process where `linkerd install
--crds` must be run first to install CRDs only and then `linkerd install` is run
to install everything else. This more closely aligns the CLI install flow with
the Helm install flow where the CRDs are a separate chart. This also applies to
`linkerd upgrade`. Also, the `config` and `control-plane` sub-commands have been
removed from both `linkerd install` and `linkerd upgrade`.

On the proxy side, this release fixes an issue where proxies would not honor the
cluster's opaqueness settings for non-pod/service addresses. This could cause
protocol detection to be performed, for instance, when using off-cluster
databases.

This release also disables the use of regexes in Linkerd log filters (i.e., as
set by `LINKERD2_PROXY_LOG`). Malformed log directives could, in theory, cause a
proxy to stop responding.

The `helm.sh/chart` label in some of the CRDs had its formatting fixed, which
avoids issues when installing/upgrading through external tools that make use of
it, such as recent versions of Flux.

* Added `--crds` flag to install/upgrade and remove config/control-plane stages
* Allowed the `AuthorizationPolicy` CRD to have an empty
  `requiredAuthenticationRefs` entry that allows all traffic
* Introduced `nodeAffinity` config in all the charts for enhanced control on the
  pods scheduling (thanks @michalrom089!)
* Introduced `resources`, `nodeSelector` and `tolerations` configs in the
  `linkerd-multicluster-link` chart for enhanced control on the service mirror
  deployment (thanks @utay!)
* Fixed formatting of the `helm.sh/chart` label in CRDs
* Updated container base images from buster to bullseye
* Added support for spaces in the `config.linkerd.io/opaque-ports` annotation
2022-04-28 13:43:11 -05:00
Kevin Leimkuhler bb8737b912
Add change notes for `edge-22.3.5` (#8182)
This edge release introduces new policy CRDs that allow for more generalized
authorization policies.

The `AuthorizationPolicy` CRD authorizes clients that satisfy all the required
authentications to communicate with the Linkerd `Server` that it targets.
Required authentications are specified through the new `MeshTLSAuthentication`
and `NetworkAuthentication` CRDs.

A `MeshTLSAuthentication` defines a list of authenticated client IDs—specified
directly by proxy identity strings or referencing resources such as
`ServiceAccount`s.

A `NetworkAuthentication` defines a list of client networks that will be
authenticated.

Additionally, to support the new CRDs, policy-related labels have been changed
to better categorize policy metrics. A `srv_kind` label has been introduced
which splits the current `srv_name` value—formatted as `kind:name`—into separate
labels. The `saz_name` label has been removed and is replaced by the new
`authz_kind` and `authz_name` labels.

* Introduced the `srv_kind` label which allowed splitting the value of the
  current `srv_name` label
* Removed the `saz_name` label and replaced it with the new `authz_kind` and
  `authz_name` labels
* Fixed an issue in the destination controller where an update would not be sent
  after an endpoint was discovered for a currently empty service
* Introduced the following custom resource types to support generalized
  authorization policies: `AuthorizationPolicy`, `MeshTLSAuthentication`,
  `NetworkAuthentication`
* Deprecated the `--proxy-version` flag (thanks @importhuman!)
* Updated linkerd-viz to use new policy CRDs

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2022-03-31 15:59:32 -06:00
Alex Leong 47105d5eb6
edge-22.3.4 (#8141)
* Disabled pprof endpoints on Linkerd control plane components by default
* Fixed an issue where mirror service endpoints of headless services were always
  ready regardless of gateway liveness
* Added server side validation for ServerAuthorization resources
* Fixed an "origin not allowed" issue when using the latest Grafana with the
  Linkerd Viz extension

Signed-off-by: Alex Leong <alex@buoyant.io>
2022-03-24 13:44:49 -07:00
Kevin Leimkuhler 388f14f48f
allow pprof to be configurable via helm flags (#8090)
Follow-up to #8087 that allows pprof to be enabled via the `--set
enablePprof=true` flag.

Each control plane component spawns its own admin server, so each of these
received its own `enable-pprof` flag. When `enablePprof=true`, it is passed
through to each component so that when it launches its admin server, its pprof
endpoints are enabled.

A note on the templating: `-enable-pprof={{.Values.enablePprof | default
false}}`. `false` values are not rendered by Helm so without the `... | default
false}}`, it tries to pass the flag as `-enable-pprof=""` which results in an
error. Inlining this felt better than conditionally passing the flag with

```yaml
{{ if .Values.enablePprof -}}
-enable-pprof={{.Values.enablePprof}}
{{ end -}}
```

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2022-03-22 14:31:04 -06:00
Kevin Leimkuhler d5e58f214d
add changes for edge-22.3.3 (#8072)
This edge release ensures that in multicluster installations, mirror service
endpoints have their readiness tied to gateway liveness. When the gateway for a
target cluster is not alive, the endpoints that point to it on a source cluster
will properly indicate that they are not ready.

* Fixed tap controller logging errors that were susceptible to log forgery by
  ensuring special characters are escaped
* Fixed issue where mirror service endpoints were always ready regardless of
  gateway liveness
* Removed unused `namespace` entry in `linkerd-control-plane` chart

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2022-03-15 12:44:30 -07:00
Matei David a7b8a5b66b
edge-22.3.2 (#8048)
* edge-22.3.2

This edge release includes a few fixes and quality of life improvements. An
issue has been fixed in the proxy allowing HTTP Upgrade requests to work
through multi-cluster gateways, and the init container's resource limits and
requests have been revised. Additionally, more Go linters have been enabled and
improvements have been made to the devcontainer.

* Changed `linkerd-init` resource (CPU/memory) limits and requests to ensure by
  default the init container does not break a pod's `Guaranteed` QOS class
* Added a new check condition to skip pods whose status is `NodeShutdown`
  during validation as they will not have a proxy container
* Fixed an issue that would prevent proxies from sending HTTP Upgrade requests
  (used in websockets) through multi-cluster gateways

Signed-off-by: Matei David <matei@buoyant.io>

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
2022-03-11 17:26:22 +00:00
cpretzer 2065e817fa
Changes for edge-22.3.1 (#8002)
## edge-22.3.1

This edge release includes updates to dependencies, CI, and rust 1.59.0. It also
includes changes to the `linkerd-jaeger` chart to ensure that namespace labels
are preserved and adds support for `imagePullSecrets`, along with improvements
to the multicluster and policy functionality.

* Added note to `multicluster link` command to clarify that the link is
  one-direction
* Introduced `imagePullSecrets` to Jaeger Helm chart
* Updated Rust to v1.59.0
* Fixed a bug where labels can be overwritten in the `linkerd-jaeger` chart
* Fixed broken mirrored headless services after `repairEndpoints` runs
* Updated `Server` CRD to handle an empty `PodSelector`

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2022-03-03 14:00:11 -07:00
Jacob Lorenzen 30a67f34ce
Introduce imagePullSecrets to Jaeger Helm chart (#7979)
Fetching docker images from private repositories requires an image pull secret to be present.

Add a new list to the values file called `imagePullSecrets`; it will default to an empty list.
The image pull secrets will be added to the respective service accounts.

The change is tested on a private AKS cluster and using `Helm lint` as well as `Helm template`.

Signed-off-by: Jacob Lorenzen <jacob@lorenzen.me>
2022-03-01 09:07:40 -07:00
Naveen Nalam be90c665af
Fix the if condition in namespace-metadata Job (#7951)
This fixes the if condition in the namespace-metadata Job which is part of the extension charts.

Currently, the Job will always reset a namespace's labels back to empty before adding the needed Linkerd label needed for the extension's `check` command. This means that if the namespace was created with any additional labels, they are removed as part of the job.

With this fix, we only add the `labels` field if it is not already present—therefore not overwriting any existing value.

Signed-off-by: Naveen Nalam <nnalam@gmail.com>
2022-02-25 09:50:18 -07:00
Kevin Leimkuhler af34bbd017
Add changes for edge-22.2.4 (#7962)
## edge-22.2.4

This edge release continues to address several security related lints and
ensures they are checked by CI.

* Add `linkerd check` warning for clusters that cannot verify their
  `clusterNetworks` due to Nodes missing the `podCIDR` field
* Changed `Server` CRD to allow having an empty `PodSelector`
* Modified `linkerd inject` to only support `https` URLs to mitigate security
  risks
* Fixed potential goroutine leak in the port forwarding used by several CLI
  commands and control plane components
* Fixed timeouts in the policy validator which could lead to failures if
  `failurePolicy` was set to `Fail`

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2022-02-24 18:48:22 -07:00
Alex Leong 2a4c84db3e
edge-22.2.3 (#7911)
This edge release fixes some `Instant`-related proxy panics that occur on Amazon
Linux. It also includes many behind the scenes improvements to the project's
CI and linting.

* Removed the `--controller-image-version` install flag to simplify the way that
  image versions are handled. The controller image version can be set using the
  `--set linkerdVersion` flag or Helm value
* Lowercased logs and removed redundant lines from the Linkerd2 proxy init
  container
* Prevented the proxy from logging spurious errors when its pod does not define
  any container ports
* Added workarounds to reduce the likelihood of `Instant`-related proxy panics
  that occur on Amazon Linux

Signed-off-by: Alex Leong <alex@buoyant.io>
2022-02-17 13:51:08 -08:00
Oliver Gould f5876c2a98
go: Enable `errorlint` checking (#7885)
Since Go 1.13, errors may "wrap" other errors. [`errorlint`][el] checks
that error formatting and inspection is wrapping-aware.

This change enables `errorlint` in golangci-lint and updates all error
handling code to pass the lint. Some comparisons in tests have been left
unchanged (using `//nolint:errorlint` comments).

[el]: https://github.com/polyfloyd/go-errorlint

Signed-off-by: Oliver Gould <ver@buoyant.io>
2022-02-16 18:32:19 -07:00
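The wrapping-aware checks this commit enforces, shown against the direct comparisons `errorlint` rejects, as an added Go example that is not the linkerd2 code base: `readHeader`, the sample inputs and the `/etc/example/tls.key` path are constructed here.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// readHeader reads a fixed 4-byte header and wraps any failure with %w, the
// Go 1.13+ convention errorlint assumes callers will respect. Constructed
// for this example.
func readHeader(r io.Reader) ([]byte, error) {
	buf := make([]byte, 4)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("read header: %w", err)
	}
	return buf, nil
}

// isEOFNaive is the pattern errorlint rejects: a direct == comparison matches
// only the bare sentinel, so io.EOF hidden behind fmt.Errorf is missed.
func isEOFNaive(err error) bool {
	return err == io.EOF || err == io.ErrUnexpectedEOF //nolint:errorlint
}

// isEOFAware walks the Unwrap chain with errors.Is and sees the sentinel
// inside the wrapper.
func isEOFAware(err error) bool {
	return errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)
}

// pathFromErrNaive uses a plain type assertion, which likewise fails on a
// wrapped *os.PathError.
func pathFromErrNaive(err error) (string, bool) {
	pe, ok := err.(*os.PathError) //nolint:errorlint
	if !ok {
		return "", false
	}
	return pe.Path, true
}

// pathFromErrAware uses errors.As, which unwraps until it finds the type.
func pathFromErrAware(err error) (string, bool) {
	var pe *os.PathError
	if errors.As(err, &pe) {
		return pe.Path, true
	}
	return "", false
}

// sampleShortRead yields io.ErrUnexpectedEOF wrapped by readHeader
// (constructed input: 2 bytes where the header needs 4).
func sampleShortRead() error {
	_, err := readHeader(strings.NewReader("ab"))
	return err
}

// sampleWrappedPathError yields a *os.PathError wrapped one level deep
// (constructed; the path is a placeholder).
func sampleWrappedPathError() error {
	pe := &os.PathError{Op: "open", Path: "/etc/example/tls.key", Err: os.ErrNotExist}
	return fmt.Errorf("load identity key: %w", pe)
}

func main() {
	err := sampleShortRead()
	fmt.Printf("%v\n  naive=%v aware=%v\n", err, isEOFNaive(err), isEOFAware(err))
	err = sampleWrappedPathError()
	_, naive := pathFromErrNaive(err)
	path, aware := pathFromErrAware(err)
	fmt.Printf("%v\n  naive=%v aware=%v path=%s\n", err, naive, aware, path)
}
```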
Alejandro Pedraza df311fd8ca
Edge-22.2.2 change notes (#7860)
* Edge-22.2.2 change notes

## edge-22.2.2

This edge release updates the jaeger extension to be available in ARM
architectures as well, and applies some security-oriented amendments.

* Upgraded jaeger and the opentelemetry-collector to their latest versions,
  which now support ARM architectures
* Fixed `linkerd multicluster check` which was reporting false warnings
* Started enforcing TLS v1.2 as a minimum in the webhook servers
* Had the identity controller emit SHA256 certificate fingerprints in its
  logs/events, instead of MD5
2022-02-10 18:06:23 -05:00
Alejandro Pedraza 86e85fc543
Upgrade jaeger and ot-collector (#7822)
* Upgrade jaeger and ot-collector

Fixes #7793

Their latest images are multi-arch, so now the jaeger extension supports
ARM as well.

The Collector config required a minimal change.

Also updated the tracing integration test golden file to account for
#7750.

* Update golden files and chart README
2022-02-07 19:18:13 -08:00
Oliver Gould b62dd7901a
Fix redundant error handling (#7823)
Various methods check if an error is `nil` before returning it, however
continuing down the code path returns a `nil`. This can be reduced to
just returning the error whether it is `nil` or not.

Signed-off-by: Oliver Gould <ver@buoyant.io>
2022-02-07 19:17:43 -08:00
Alex Leong a2046bee23
Remove jaeger existence check (#7750)
Fixes #7663

The `linkerd jaeger check` command checks that jaeger and the opencensus-collector are installed and that all of the associated resources such as configmaps and service accounts exist.  However, the linkerd-jaeger extension allows users to skip installing jaeger and the oc-collector by using the `jaeger.enabled=false` and `collector.enabled=false` values respectively.  This is to support the BYO jaeger or BYO collector use-cases.  However, if either jaeger or the collector is not installed, check will fail.

Since it is valid for these resources to not exist, we remove these checks.  There isn't an easy way to know at runtime which values the extension was installed with, so it is difficult to know if these resources should exist or not.  

Signed-off-by: Alex Leong <alex@buoyant.io>
2022-02-01 11:25:05 -08:00
Tarun Pothulapati 3fb30a2309
release notes for `edge-22.1.5` (#7722)
## edge-22.1.5

This edge release adds support for per-request Access Logging for HTTP inbound
requests in Linkerd. A new annotation i.e. `config.linkerd.io/access-log` is added,
which configures the proxies to emit access logs to stderr. `apache` and `json`
are the supported configuration options, emitting access logs in Apache Common
Log Format and JSON respectively.

Special thanks to @tustvold for all the initial work around this!

* Updated injector to support the new `config.linkerd.io/access-log` annotation
* Added a new `LINKERD2_PROXY_ACCESS_LOG` proxy environment variable to configure
  the access log format (thanks @tustvold)
* Updated service mirror controller to emit relevant events when
  mirroring is skipped for a service
* Updated various dependencies across the project (thanks @dependabot)

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2022-01-28 00:25:26 +05:30
Matei David b158c0b6ca
edge-22.1.4 (#7653)
## edge-22.1.4

This edge release features a new configuration annotation, support for
externally hosted Grafana instances, and other improvements in the CLI,
dashboard and Helm charts. To learn more about using an external Grafana
instance with Linkerd, you can refer to our
[docs](0c3c5cd5ae/linkerd.io/content/2.12/tasks/grafana.md).

* Added a new annotation to configure skipping subnets in the init container
  (`config.linkerd.io/skip-subnets`). This configuration option is ideal for
  Docker-in-Docker (dind) workloads (thanks @michaellzc!)
* Added support in the dashboard for externally hosted Grafana instances
  (thanks @jackgill!)
* Introduced resource block to `linkerd-jaeger` Helm chart (thanks
  @yuriydzobak!)
* Introduced parametrized datasource (`DS_PROMETHEUS`) in all Grafana
  dashboards. This allows pointing to the right Prometheus datasource when
  importing a dashboard
* Introduced a consistent `--ignore-cluster` flag in the CLI for the base
  installation and extensions; manifests will now be rendered even if there is
  an existing installation in the current Kubernetes context (thanks
  @krzysztofdrys!)
* Updated the service mirror controller to skip mirroring services whose
  namespaces do not yet exist in the source cluster; previously, the service
  mirror would create the namespace itself.

Signed-off-by: Matei David <matei@buoyant.io>
2022-01-20 19:48:01 +00:00
Krzysztof Dryś 45f0e87c2d
cli: consistent flag to ignore cluster on install (#7564)
Add a consistent option to ignore the cluster (and existing installation)
on install.

Signed-off-by: Krzysztof Dryś <krzysztofdrys@gmail.com>
2022-01-19 13:08:26 -08:00
Yurii Dzobak c6b98c3906
Helm add resource block linkerd-jaeger chart (#7627)
* added resource block to jaeger-injector helm chart

Signed-off-by: yuriydzobak <yurii.dzobak@lotusflare.com>
2022-01-18 09:41:04 -05:00
Tarun Pothulapati 1cc068c111
release notes for `edge-22.1.3` (#7607)
* release notes for `edge-22.1.3`

## edge-22.1.3

This release removes the Grafana component in the linkerd-viz extension.
Users can now import linkerd dashboards into Grafana from the [Linkerd org](https://grafana.com/orgs/linkerd)
in Grafana. Users can also follow the instructions in the [docs](https://github.com/linkerd/website/pull/1273)
to install a separate Grafana that can be integrated with the Linkerd Dashboard.

* Stopped shipping grafana-based image in the linkerd-viz extension
* Removed `repair` sub-command in the CLI
* Updated various dependencies across the project (thanks @dependabot)

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2022-01-14 01:07:33 +05:30
Alejandro Pedraza 052c8b4683
Reset extensions Helm chart versions at 30.0.0-edge (#7582)
#7568 divorced Helm chart versions (`version`) from `appVersion` in the
extension charts, following suit to what we did for the core
`linkerd-crds` and `linkerd-control-plane` charts. But since the charts
are still the same, their `version` has to be greater than previous
releases, in order to be able to upgrade to releases using the new
version scheme. Therefore, we're resetting version at `30.0.0-edge`.
2022-01-10 10:52:39 -08:00
Alejandro Pedraza d20d318c13
Properly version Helm charts for extensions (#7568)
This follows up on the versioning scheme used for `linkerd-crds` and
`linkerd-control-plane` but for extension charts. So no longer will
a chart's `version` just mimic `appVersion`'s value, but instead it'll
change depending on how the chart changes on each release.

Unfortunately this means a bit more manual work during releases, but
we should be able to automate some of it at some point.
2022-01-06 12:59:08 -08:00
Brian Dunnigan a8dbe4d1e0
Adding support for injecting Webhook CA bundles with cert-manager CA Injector (#7353) (#7354)
* Adding support for injecting Webhook CA bundles with cert-manager CA Injector (#7353)

Currently, users need to pass in the caBundle when doing a helm/CLI install. If the user is already using cert-manager to generate webhook certs, they can use the cert-manager CA injector to populate the caBundle for the Webhooks.

Adding injectCaFrom and injectCaFromSecret options to every webhook alongside every caBundle option gives users the ability to add the cert-manager.io/inject-ca-from or cert-manager.io/inject-ca-from-secret annotations to the Webhooks, specifying the Certificate or Secret to pull the CA from, to accomplish CA bundle injection.

Signed-off-by: Brian Dunnigan <bdun1013dev@gmail.com>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
2022-01-03 14:28:30 -05:00
Tarun Pothulapati aa9ee6b007
injector: remove unused proxy reference env variables (#7382)
Fixes #6740

#6711 removed the usage of unnecessary reference variables
in the proxy template, as they are not needed. Their definitions
were left as there were race conditions with extension installs.

As `2.11` was released with that change, now it's a good time to
remove the definitions too as no usages should be present from a
`2.11` upgrade.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2021-12-16 00:06:18 +05:30
Alejandro Pedraza f9f3ebefa9
Remove namespace from charts and split them into `linkerd-crd` and `linkerd-control-plane` (#6635)
Fixes #6584 #6620 #7405

# Namespace Removal

With this change, the `namespace.yaml` template is rendered only for CLI installs and not Helm, and likewise the `namespace:` entry in the namespace-level objects (using a new `partials.namespace` helper).

The `installNamespace` and `namespace` entries in `values.yaml` have been removed.

There in the templates where the namespace is required, we moved from `.Values.namespace` to `.Release.Namespace` which is filled-in automatically by Helm. For the CLI, `install.go` now explicitly defines the contents of the `Release` map alongside `Values`.

The proxy-injector has a new `linkerd-namespace` argument given the namespace is no longer persisted in the `linkerd-config` ConfigMap, so it has to be passed in. To pass it further down to `injector.Inject()` without modifying the `Handler` signature, a closure was used.

------------
Update: Merged-in #6638: Similar changes for the `linkerd-viz` chart:

Stop rendering `namespace.yaml` in the `linkerd-viz` chart.

The additional change here is the addition of the `namespace-metadata.yaml` template (and its RBAC), _not_ rendered in CLI installs, which is a Helm `post-install` hook, consisting of a Job that executes a script adding the required annotations and labels to the viz namespace using a PATCH request against kube-api. The script first checks if the namespace doesn't already have annotations/labels entries, in which case it has to add extra ops in that patch.

---------
Update: Merged-in the approved #6643, #6665 and #6669 which address the `linkerd2-cni`, `linkerd-multicluster` and `linkerd-jaeger` charts. 

Additional changes from what's already mentioned above:
- Removes the install-namespace option from `linkerd install-cni`, which isn't found in `linkerd install` nor `linkerd viz install` anyway, and it would add some complexity to support.
- Added a dependency on the `partials` chart to the `linkerd-multicluster-link` chart, so that we can tap into the `partials.namespace` helper.
- We no longer have the restriction that the multicluster objects must live in a separate namespace from linkerd. It's still good practice, and that's the default for the CLI install, but I removed that validation.


Finally, as a side-effect, the `linkerd mc allow` subcommand was fixed; it has been broken for a while apparently:

```console
$ linkerd mc allow --service-account-name foobar
Error: template: linkerd-multicluster/templates/remote-access-service-mirror-rbac.yaml:16:7: executing "linkerd-multicluster/templates/remote-access-service-mirror-rbac.yaml" at <include "partials.annotations.created-by" $>: error calling include: template: no template "partials.annotations.created-by" associated with template "gotpl"
```
---------
Update: see helm/helm#5465 describing the current best-practice

# Core Helm Charts Split

This removes the `linkerd2` chart, and replaces it with the `linkerd-crds` and `linkerd-control-plane` charts. Note that the viz and other extension charts are not concerned by this change.

Also note the original `values.yaml` file has been split into both charts accordingly.

### UX

```console
$ helm install linkerd-crds --namespace linkerd --create-namespace linkerd/linkerd-crds
...
# certs.yaml should contain identityTrustAnchorsPEM and the identity issuer values
$ helm install linkerd-control-plane --namespace linkerd -f certs.yaml linkerd/linkerd-control-plane
```

### Upgrade

As explained in #6635, this is a breaking change. Users will have to uninstall the `linkerd2` chart and install these two, and eventually rollout the proxies (they should continue to work during the transition anyway).

### CLI

The CLI install/upgrade code was updated to be able to pick the templates from these new charts, but the CLI UX remains identical as before.

### Other changes

- The `linkerd-crds` and `linkerd-control-plane` charts now carry a version scheme independent of linkerd's own versioning, as explained in #7405.
- These charts are Helm v3, which is reflected in the `Chart.yaml` entries and in the removal of the `requirements.yaml` files.
- In the integration tests, replaced the `helm-chart` arg with `helm-charts` containing the path `./charts`, used to build the paths for both charts.

### Followups

- Now it's possible to add a `ServiceProfile` instance for Destination in the `linkerd-control-plane` chart.
2021-12-10 15:53:08 -05:00
Kevin Leimkuhler dc7ed4dbb4
Use CheckPodsRunning in Linkerd healthcheck (#7452)
`validateDataPlanePods` and `CheckPodsRunning` both check that for a given list of Pods, each Pod is running and has a `linkerd-proxy` container that is ready.

Aside from the error message returned when there are no Pods given, these functions do the same thing. This change merges the two in favor of `CheckPodsRunning`, which is used by other packages.

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2021-12-10 09:23:55 -07:00
Alex Leong 5345021426
Relax extension checks (#7406)
Fixes #7385

If an extension pod is not running, this does not necessarily mean that the extension is unable to function since there may be other replicas which are healthy.  We want to be conservative about only blocking CLI functionality when we are absolutely sure that it won't work.  Thus, we relax these checks to the warning level so that they don't block access to CLI functionality.

Signed-off-by: Alex Leong <alex@buoyant.io>
2021-12-09 09:26:17 -08:00
Kevin Leimkuhler e54061b61f
Remove old build constraints (#7392)
#7371 upgraded the Go version which included using the new formats for [build constraints](https://pkg.go.dev/cmd/go#hdr-Build_constraints). This removes the old ones that are no longer used.

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2021-12-08 14:36:24 -07:00
Kevin Leimkuhler 18b4d22041
`linkerd check`: handle warnings and remove extra newlines (#7379)
When running `linkerd check -o short` there can still be formatting issues:
- When there are no core warnings but there are extension warnings, a newline is printed at the start of the output
- When there are warnings, there is no newline printed between the warnings and the result

Below you can see the extra newline (before `Linkerd extensions checks`) and the lack of a newline on the line before `Status check results ...`.

Old:

```shell
$ linkerd check -o short

Linkerd extensions checks
=========================

linkerd-viz
-----------
...
Status check results are √
```

New:

```shell
$ linkerd check -o short
Linkerd extensions checks
=========================

linkerd-viz
-----------
...

Status check results are √
```

---

This fixes the above issues by moving the newline printing to the end of a category—which right now is Core and Extension.

If there is no output for either, then no newline is printed. This results in no stray newlines when running in short output and there are no warnings.

```shell
$ linkerd check -o short
Status check results are √
```

If there is output for a category, then the category handles the newline printing itself meaning we don't need to track if a newline needs to be printed _before_ a category or _before_ the results.

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
2021-12-01 17:14:06 -07:00
Eng Zer Jun f2fb35aa46
build: upgrade to Go 1.17 (#7371)
* build: upgrade to Go 1.17

This commit introduces three changes:
	1. Update the `go` directive in `go.mod` to 1.17
	2. Update all Dockerfiles from `golang:1.16.2` to
	   `golang:1.17.3`
	3. Update all CI to use Go 1.17

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>

* chore: run `go fmt ./...`

This commit synchronizes `//go:build` lines with `// +build` lines.

Reference: https://go.googlesource.com/proposal/+/master/design/draft-gobuild.md
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-11-30 15:36:11 -05:00
Takumi Sue 545b972656
Remove newline from `linkerd check` header text (#7219)
Remove newline from header text

Closes #7031

Signed-off-by: Takumi Sue <u630868b@alumni.osaka-u.ac.jp>
2021-11-23 20:36:37 -07:00
Matei David 690bc09c35
Stop using deprecated `beta.kubernetes.io/node` label (#7310)
In our chart values and (some) integration tests, we're using a deprecated
label for node selection. According to the warning messages we get during
installation, the label has been deprecated since k8s `v1.14`:

```
Warning: spec.template.spec.nodeSelector[beta.kubernetes.io/os]: deprecated since v1.14; use "kubernetes.io/os" instead
Warning: spec.jobTemplate.spec.template.spec.nodeSelector[beta.kubernetes.io/os]: deprecated since v1.14; use "kubernetes.io/os" instead
```

This PR changes all occurrences of `beta.kubernetes.io/node` with
`kubernetes.io/node`.

Fixes #7225
2021-11-19 09:50:15 -08:00
Michael Lin 752d78bf79
Support ephemeral-storage resource config (#7159)
The resource configuration does not support `ephemeral-storage`.

The [partials.resources](main/charts/partials/templates/_resources.tpl) named template should be updated to support such configuration.

The change can be validated by running under `linkerd2/viz/charts/linkerd-viz` directory

```bash
helm template --set prometheus.resources.ephemeral-storage.limit=4Gi .
```

```bash
helm template --set prometheus.resources.ephemeral-storage.request=4Gi .
```

```bash
helm template \
  --set prometheus.resources.ephemeral-storage.limit=4Gi \
  --set prometheus.resources.ephemeral-storage.request=4Gi .
```

Make sure it doesn't affect existing resources configuration

```bash
helm template --set prometheus.resources.cpu.limit=4Gi .
```

Fixes #3307

Signed-off-by: Michael Lin <mlzc@hey.com>
2021-11-03 17:46:44 -06:00
Oliver Gould c88c0edd15
Update minimum-supported K8s version to v1.20 (#7172)
Kubernetes v1.19 is reaching its end-of-life date on 2021-10-28. In
anticipation of this, we should explicitly update our minimum supported
version to v1.20. This allows us to keep our dependencies up-to-date and
ensures that we can actually test against our minimum supported version.

Fixes #7171

Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
2021-10-28 13:19:10 -07:00
Sankalp Rangare 5647e10d62
Support `-oshort` flag with extension checks (#7076)
Fixes #7032

This PR adds the support for `-oshort` flag for the `viz`, `multicluster`
and `jaeger` extensions which used to fail previously with an invalid
error.

Signed-off-by: Sankalp Rangare <sankalprangare786@gmail.com>
2021-10-14 10:58:03 +05:30
Alex Leong 6d3f00357a
Update policy CRD version to v1beta1 (#6943)
Fixes #6827

We upgrade the Server and ServerAuthorization CRD versions from v1alpha1 to v1beta1.  This version update does not change the schema at all and the v1alpha1 versions will continue to be served for now.  We also update the CLI and control plane to use the v1beta1 versions.

Signed-off-by: Alex Leong <alex@buoyant.io>
2021-09-23 11:34:04 -07:00
Alejandro Pedraza b13e7a5d34
Default policies for extensions (#6846)
Ref #6813

This adds the necessary Server and ServerAuthorization resources to the
viz, multicluster and jaeger extensions, for them to properly work when
using a default-deny policy (installing linkerd with `--set
policyController.defaultAllowPolicy=deny`).

This includes adding the policy for the admin servers (for k8s liveness
and readiness probes) that require granting all unauthenticated access.
When a component shares its main service port with its admin server
port (e.g. Grafana and Prometheus), this means we can't properly lock
down the main service access, unfortunately.

Also note traffic coming from the kube-api (for the tap api-server and
the webhooks (tap-injector, jaeger-injector)) also requires leaving
those ports wide open.

The multicluster gateway has a policy to only allow traffic into the
`linkerd-proxy` port with a meshed identity. The source cluster also
hits the gateway in the probe port, but the proxy's `linkerd-admin` port
doesn't support policy at the moment.

Other changes:
- Added missing `containerPort` entry in jaeger's `tracing.yaml`
  template.
- Added policy for smoke-test-terminus in the install integration
  tests, that'll serve for the default-deny integration test that'll
  follow up.
2021-09-16 14:29:25 -07:00
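The shape of the policy the commit above describes, written here as an added illustration rather than a manifest from the linkerd2 repository: one `Server`/`ServerAuthorization` pair that leaves an admin port open to unauthenticated kubelet probes, and a second pair that restricts the component's main port to a meshed identity. The component name `example`, the port names `admin-http` and `http`, and the `web` service account in `linkerd-viz` are assumed values chosen for the illustration; the API group and `v1beta1` version are the ones named in the policy CRD commit above.

```yaml
# Added example, not part of the linkerd2 charts. All component, port and
# service-account names below are assumed for illustration.
#
# Admin port: kubelet liveness/readiness probes are not meshed, so this port
# must accept unauthenticated traffic even under defaultAllowPolicy=deny.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: linkerd-viz
  name: example-admin
spec:
  podSelector:
    matchLabels:
      component: example        # assumed pod label
  port: admin-http              # assumed container port name
  proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: linkerd-viz
  name: example-admin
spec:
  server:
    name: example-admin
  client:
    unauthenticated: true       # probes carry no mesh identity
---
# Main service port: only meshed clients running as a named service account.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: linkerd-viz
  name: example-api
spec:
  podSelector:
    matchLabels:
      component: example
  port: http                    # assumed container port name
  proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: linkerd-viz
  name: example-api
spec:
  server:
    name: example-api
  client:
    meshTLS:
      serviceAccounts:
        - name: web             # assumed caller
          namespace: linkerd-viz
```

The split only works when the admin port is a distinct container port: as the commit notes for Grafana and Prometheus, a component that serves probes on its main port cannot have that port locked down this way, and ports called by the kube-apiserver (tap api-server, webhook injectors) likewise need an unauthenticated authorization because the apiserver is not a meshed client.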