GitHub Actions has been running unit and integration tests, in parallel
with Travis running those same tests, and also handling master merges
and tags.
This change completes the transtion to GitHub Actions, removing all
references to Travis. Similar to Travis, GitHub Actions now acts on
master merges and tag pushes by pushing Docker images to gcr.io, and
running integration tests against a GKE cluster.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
This PR updates dashboard dependencies and the babel config file to resolve a
Prototype Pollution vulnerability in an older version of `set-package` which is
used by babel, jest and webpack.
This edge release adds traffic splits into the Linkerd dashboard as well as a
variety of other improvements.
* CLI
* Improved the error message when the CLI cannot connect to Kubernetes (thanks
@alenkacz!)
* Added `--address` flag to `linkerd dashboard` (thanks @bmcstdio!)
* Controller
* Fixed an issue where the proxy-injector had insufficient RBAC permissions
* Added support for disabling the heartbeat cronjob (thanks @kevtaylor!)
* Proxy
* Decreased proxy Docker image size by removing bundled debug tools
* Fixed an issue where the incorrect content-length could be set for GET
requests with bodies
* Web UI
* Added trafficsplits as a resource to the dashboard, including a trafficsplit
detail page
* Internal
* Added support for Kubernetes 1.16
Signed-off-by: Alex Leong <alex@buoyant.io>
The controller Docker image included 7 Go binaries (destination,
heartbeat, identity, proxy-injector, public-api, sp-validator, tap),
each roughly 35MB, with similar dependencies.
Change each controller binary into subcommands of a single `controller`
binary, decreasing the controller Docker image size from 315MB to 38MB.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
The `proxy` and `web` Docker images were 161MB and 186MB, respectively.
Most of the space was tools installed into the `linkerd.io/base` image.
Decrease `proxy` and `web` Docker images to 73MB and 90MB, respectively.
Switch these images to be based off of `debian:stretch-20190812-slim`.
Also set `-ldflags "-s -w"` for `proxy-identity` and `web`. Modify
`linkerd.io/base` to also be based off of
`debian:stretch-20190812-slim`, update tag to `2019-09-04.01`.
Fixes#3383
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
* Disable heartbeat by default
Signed-off-by: Kevin Taylor <kevtaylor@expedia.com>
* Address review
Signed-off-by: Kevin Taylor <kevtaylor@expedia.com>
* Remove tabs in values
Signed-off-by: Kevin Taylor <kevtaylor@expedia.com>
GitHub Action secrets are intentionally not available to forked PRs.
This causes the integration tests that require those secrets to fail.
Modify GitHub Actions such that they only run for non-forked PRs.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
* Couple of injection events fixes
When generating events in quick succession against the same target, client-go issues a PATCH request instead of a POST, so we need the extra RBAC permission.
Also we have an informer on pods, so we also need the "watch" permission
for them, whose omission was causing an error entry in the logs.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Fixes#3356
1.16 removes some api groups that were already deprecated. From k8s blog
post (https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/):
```
- PodSecurityPolicy: will no longer be served from extensions/v1beta1 in
v1.16.
Migrate to the policy/v1beta1 API, available since v1.10. Existing
persisted data can be retrieved/updated via the policy/v1beta1 API.
- DaemonSet, Deployment, StatefulSet, and ReplicaSet: will no longer be
served from extensions/v1beta1, apps/v1beta1, or apps/v1beta2 in v1.16.
Migrate to the apps/v1 API, available since v1.9. Existing persisted
data can be retrieved/updated via the apps/v1 API.
```
Previous PRs had already made this change at the Helm templates level,
but we still needed to do it at the API calls and tests.
The integration tests ran fine for k8s 1.12 and 1.15. They fail on 1.16
because the upgrade integration test tries to install linkerd 2.5 which is not
compatible with 1.16.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
The existing Travis CI setup requires additional integrations and
permissions with Github, and also lacks some flexibility around job
dependency management.
Introduce a new CI workflow based on Github Actions. This initial
workflow performs the same CI work that Travis does, and will iniitially
run in parallel:
- Go unit tests
- JS unit tests
- Go lint
- Validate Go deps
- Integration tests (deep, upgrade, helm)
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
The repo depended on a (recently broken) thrift package:
```
github.com/linkerd/linkerd2
-> contrib.go.opencensus.io/exporter/ocagent@v0.2.0
-> go.opencensus.io@v0.17.0
-> git.apache.org/thrift.git@v0.0.0-20180902110319-2566ecd5d999
```
... via this line in `controller/k8s`:
```go
_ "k8s.io/client-go/plugin/pkg/client/auth"
```
...which created a dependency on go.opencensus.io:
```bash
$ go mod why go.opencensus.io
...
github.com/linkerd/linkerd2/controller/k8s
k8s.io/client-go/plugin/pkg/client/auth
k8s.io/client-go/plugin/pkg/client/auth/azure
github.com/Azure/go-autorest/autorest
github.com/Azure/go-autorest/tracing
contrib.go.opencensus.io/exporter/ocagent
go.opencensus.io
```
Bump contrib.go.opencensus.io/exporter/ocagent from `v0.2.0` to
`v0.6.0`, creating this new dependency chain:
```
github.com/linkerd/linkerd2
-> contrib.go.opencensus.io/exporter/ocagent@v0.6.0
-> google.golang.org/api@v0.7.0
-> go.opencensus.io@v0.21.0
```
Bumping our go.opencensus.io dependency from `v0.17.0` to `v0.21.0`
pulls in this commit:
ed3a3f0bf0 (diff-37aff102a57d3d7b797f152915a6dc16)
...which removes our dependency on github.com/apache/thrift
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
## edge-19.8.7
* CLI
* Added a global `--cluster-domain` flag to `linkerd install` to allow
installing Linkerd into a Kubernetes cluster that uses a base domain other
than `cluster.local.` (thanks @arminbuerkle!)
* Web UI
* Fixed an issue that caused unnecessary Prometheus queries, reducing load on
Prometheus
* Control Plane
* Added Kubernetes events (and log lines) when the proxt injector injects a
deployment, and when injection is skipped
* Proxy
* Changed the proxy to require the `LINKERD2_PROXY_DESTINATION_SVC_ADDR`
environment variable when starting up
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
* Avoid the dashboard requesting stats when not needed
Create an alternative to `urlsForResource` called
`urlsForResourceNoStats` that makes use of the `skip_stats` parameter in
the stats API (created in #1871) that doesn't query Prometheus when not needed.
When testing using the dashboard looking at the linkerd namespace,
queries per second went down from 2874 to 2756, a 4% decrease.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
* Fix auto-injecting pods and integration tests reporting
When creating an Event when auto-injection occurs (#3316) we try to
fetch the parent object to associate the event to it. If the parent
doesn't exist (like in the case of stand-alone pods) the event isn't
created. I had missed dealing with one part where that parent was
expected.
This also adds a new integration test that I verified fails before this
fix.
Finally, I removed from `_test-run.sh` some `|| exit_code=$?` that was
preventing the whole suite to report failure whenever one of the tests
in `/tests` failed.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
The `linkerd upgrade` integration test compares the output from two
commands:
- `linkerd upgrade control-plane`
- `linkerd upgrade control-plane --from-manifests`
The output of these commands include the heartbeat cronjob schedule,
which is generated based on the current time.
Modify the upgrade integration test to retry the manifest comparison one
time, assuming that `linkerd upgrade control-plane` should not take more
than one minute to execute.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
* Set custom cluster domain in GetServiceProfileFor
* Set custom cluster domain in tap server
Move fetching cluster domain for tap server to cmd main
* Handle fetchting cluster domain errors separately
* Use custom cluster domain for traffic split adaptor
Signed-off-by: Armin Buerkle <armin.buerkle@alfatraining.de>
The Linkerd Community Code of Conduct lives in the wiki:
https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct
Per Github's Community Profile checklist
(https://github.com/linkerd/linkerd2/community), it should live at the
root of the repo.
Copy the contents of the wiki to a markdown file in the root of the
repo. Once merged, we will modify the wiki to point to the repo.
Also update README.md to indicate k8s 1.12+ is required.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
* Stop ignoring client-go log entries
Pipe klog output into logrus. Not doing this avoids us from seeing
client-go log entries, for some reason I don't understand.
To enable, `--controller-log-level` must be `debug`.
This was discovered while trying to debug sending events for #3253.
I added an integration test that fails when this piping is not in place.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
The integration tests under `/test` were run separately via l5d-bot,
lacking the feedback and job management provided by ci.
Enable integration tests in ci, via a docker build and kind clusters
executed on a remote DOCKER_HOST.
CI runs are now broken into two stages, run serially. Each stage is
composed of jobs run in parallel:
- Setup stage
- Validate go deps
- Remote docker build
- Kind cluster setup (deep)
- Kind cluster setup (upgrade)
- Kind cluster setup (helm)
- Test stage
- Go unit tests
- Node.js unit tests
- Kind integration tests (deep)
- Kind integration tests (upgrade)
- Kind integration tests (helm)
This PR also modifies `bin/test-run.sh` to always set `--failfast` for
Go tests.
Also introduce `bin/docker` and `bin/kubectl` scripts, to ensure
cacheable, pinned executables in ci.
The existing integration tests for master merges and docker pushes,
running against GKE, remain in place.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
* Have the proxy-injector emit events upon injection/skipping injection
Fixes#3253
Have the proxy-injector emit an event whenever a injection happens, or
when injection is skipped for some reason (also added that reason into
the proxy-injector logs). The level is associated to the parent workload
(it can't be associated to the pod because at this point the pod hasn't
been persisted).
The event recorder was setup at the `webhook/server.go` level and passed
to the proxy-injector's `Inject` function. The sp-validator thus also
has access to the event recorder, but for now it's not using it.
Related changes:
- Refactored `api.GetOwnerKindAndName()` to have it return a more
generic object.
- Refactored `report.Injectable()` to also have it return the reason why
a workload is not injectable.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
GitHub's community guidelines recommend a pull request template, the repo was
lacking one.
Introduce a `PULL_REQUEST_TEMPLATE.md` file.
Once merged, the
[Community profile checklist](https://github.com/linkerd/linkerd2/community)
should indicate the repo now provides a pull request template.
Fixes#3321
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Fixes#3052.
Adds a unit test for the edges API endpoint. To maintain a consistent order for
testing, the returned rows in api/public/edges.go are now sorted.
The `bin/test-run` script executed upgrade, helm, and deep integration
test in series, but was structured in a way that did not permit running
these tests individually.
Move most of the logic from `bin/test-run` to a supporting library,
`bin/test-run.sh`, which will provide the ability to execute integration
tests individually. `bin/test-run`'s behavior is unchanged, it continues
to run upgrade, helm, and deep integration tests in series.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
`bin/helm` and `bin/protoc` were downloading their binaries into
`./target`, while `bin/lint` was downloading to the root of the repo.
Also travis was caching `./target`, which could become problematic if
that part of the test script relied on `target/cli/linux/linkerd`.
Standardize helm, kind, lint, and protoc to all download into
`./target/bin`, and modify travis to strictly cache that subdirectory.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
In preparation for #3242, the destination controller will need to
support a broader set of valid authorities including IP addresses.
This change modifies the destination controller's authority-parsing code
so that the is-this-a-kubernete-service-name decision is decoupled from
parsing of authorities into their consituent parts.
The `Get` API now explicitly handles IP address names, though it
currently fails all such resolutions.
* Rename template-values.go
* Define new constructor of charts.Values type
* Move all Helm values related code to the pkg/charts package
* Bump dependency
* Use '/' in filepath to remain compatible with VFS requirement
* Add unit test to verify Helm YAML output
* Alejandro's feedback
* Add unit test for Helm YAML validation (HA)
Signed-off-by: Ivan Sim <ivan@buoyant.io>
Andrew Seigner
Carol A. Scott
Alex Leong
Oliver Gould
Andrew Seigner
Kevin Taylor
Bruno M. Custódio
陈谭军
Alena Varkockova
Alejandro Pedraza
dependabot[bot]
Eliza Weisman
arminbuerkle
cpretzer
Ivan Sim
Pascal Bourque
Guangming Wang