mirror of https://github.com/linkerd/linkerd2.git
2 Commits
Author | SHA1 | Message | Date |
---|---|---|---|
|
906c3cbfc5 |
WIP: CNI Plugin (#2071)
* Export RootOptions and BuildFirewallConfiguration so that the cni-plugin can use them.
* Created the cni-plugin based on istio-cni implementation
* Create skeleton files that need to be filled out.
* Create the install scripts and finish up plugin to write iptables
* Added in an integration test around the install_cni.sh and updated the script to handle the case where it isn't the only plugin. Removed the istio kubernetes.go file in favor of pkg/k8s; initial usage of this package; found and fixed the typo in the ClusterRole and ClusterRoleBinding; found the docker-build-cni-plugin script
* Corrected an incorrect name in the docker build file for cni-plugin
* Rename linkerd2-cni to linkerd-cni
* Fixup Dockerfile and clean up code a bit as well as logging statements.
* Update Gopkg.lock after master merge.
* Update test file to remove temporary tag.
* Fixed the command to run during the test while building up the docker run.
* Added attributions to applicable files; in the test file, use a different container for each test scenario and also print the docker logs to stdout when there is an error;
* Add the --no-init-container flag to install and inject. This flag will not output the initContainer and will add an annotation assuming that the cni will be used in this case.
* Update .travis.yml to build the cni-plugin docker image before running the tests.
* Workaround golint warnings.
* Create a new command to install the linkerd-cni plugin.
* Add the --no-init-container option to linkerd inject
* Use the setup ip tables annotation during the proxy auto inject webhook prevent/allow addition of an init container; move cni-plugin tests to the integration-test section of travis
* gate the cni-plugin tests with the -integration-tests flag; remove unnecessary deployment .yaml file.
* Incorporate PR Cleanup suggestions.
* Remove the SetupIPTablesLabel annotation and use config flags and the presence of the init container to determine whether the cni-plugin writes ip tables.
* Fix a logic bug in the cni-plugin code that prevented the iptables from being written; Address PR comments; make tests pass.
* Update go deps shas
* Changed the single file install-cni plugin filename to be .conf vs .conflist; Incorporated latest PR comments around spacing with the new renderer among others.
* Fix an issue with renaming .conf to .conflist when needed.
* Renamed some of the variables to try to make it more clear what is going on.
* Address final PR comments.
* Hide cni flags for the time being.

Signed-off-by: Cody Vandermyn <cody.vandermyn@nordstrom.com> |
|
|
4fba6aca0a |
Proxy init and sidecar containers auto-injection (#1714)
* Support auto sidecar-injection
  1. Add proxy-injector deployment spec to cli/install/template.go
  2. Inject the Linkerd CA bundle into the MutatingWebhookConfiguration during the webhook's start-up process.
  3. Add a new handler to the CA controller to create a new secret for the webhook when a new MutatingWebhookConfiguration is created.
  4. Declare a config map to store the proxy and proxy-init container specs used during the auto-inject process.
  5. Ignore namespace and pods that are labeled with linkerd.io/auto-inject: disabled or linkerd.io/auto-inject: completed
  6. Add new flag to `linkerd install` to enable/disable proxy auto-injection

  Proposed implementation for #561.
* Resolve missing packages errors
* Move the auto-inject label to the pod level
* PR review items
* Move proxy-injector to its own deployment
* Ignore pods that already have proxy injected
  This ensures the webhook doesn't error out due to proxy that are injected using the command
* PR review items on creating/updating the MWC on-start
* Replace API calls to ConfigMap with file reads
* Fixed post-rebase broken tests
* Don't mutate the auto-inject label
  Since we started using healhcheck.HasExistingSidecars() to ensure pods with existing proxies aren't mutated, we don't need to use the auto-inject label as an indicator. This resolves a bug which happens with the kubectl run command where the deployment is also assigned the auto-inject label. The mutation causes the pod auto-inject label to not match the deployment label, causing kubectl run to fail.
* Tidy up unit tests
* Include proxy resource requests in sidecar config map
* Fixes to broken YAML in CLI install config
  The ignore inbound and outbound ports are changed to string type to avoid broken YAML caused by the string conversion in the uint slice. Also, parameterized the proxy bind timeout option in template.go. Renamed the sidecar config map to 'linkerd-proxy-injector-webhook-config'.

Signed-off-by: ihcsim <ihcsim@gmail.com> |