Depends on https://github.com/linkerd/linkerd2/pull/13801
Adds support for excluding certain labels and annotations from being copied onto mirror and federated services. This makes use of the `excludedLabels` and `excludedAnnotations` fields in the Link resource. These fields take a list of strings which may be literal label/annotation names or they may be group globs of the form `<group>/*` which will match all labels/annotations beginning with `<group>/`. Any matching labels or annotations will not be copied.
We also add corresponding flags to the `mc link` command: `--excluded-labels` and `--excluded-annotations` for setting these fields on the Link resource.
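The matching rule described above (literal names plus `<group>/*` group globs), as an added illustrative example rather than linkerd's own implementation; `isExcluded` and `filterMetadata` are hypothetical helper names:

```go
package main

import (
	"fmt"
	"strings"
)

// isExcluded reports whether key is excluded by any entry in excluded.
// An entry is either a literal label/annotation name or a group glob of the
// form "<group>/*", which matches every key that begins with "<group>/".
// Hypothetical helper, not linkerd's code.
func isExcluded(key string, excluded []string) bool {
	for _, pattern := range excluded {
		if strings.HasSuffix(pattern, "/*") {
			group := strings.TrimSuffix(pattern, "/*")
			// Match on the full "<group>/" prefix so that a bare key equal
			// to the group name itself is not swallowed by the glob.
			if strings.HasPrefix(key, group+"/") {
				return true
			}
			continue
		}
		if key == pattern {
			return true
		}
	}
	return false
}

// filterMetadata returns a copy of src (labels or annotations) with every
// excluded key dropped, i.e. the set that would be copied onto a mirror service.
func filterMetadata(src map[string]string, excluded []string) map[string]string {
	out := make(map[string]string, len(src))
	for k, v := range src {
		if !isExcluded(k, excluded) {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample labels for a service in the target cluster.
	labels := map[string]string{
		"app":                        "web",
		"environment":                "prod",
		"internal.example.com/owner": "team-a",
		"internal.example.com/cost":  "123",
	}
	for k, v := range filterMetadata(labels, []string{"environment", "internal.example.com/*"}) {
		fmt.Printf("%s=%s\n", k, v) // only app=web survives
	}
}
```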
Followup to #13770, #13781 and #13782, based off of branch alpeb/multicluster-chart-manage-smc-cli-install
Addresses test task in #13768
This introduces a new boolean flag `multicluster-target-context` to the multicluster tests, that when set to true:
- the multicluster extension is installed in both clusters passing a config for a `controllers` entry.
- the `linkerd mc link` command is run with `--service-mirror=false` so it only outputs the Link CR and the credentials secrets.
This is used in a new test triggered in parallel in the test-multicluster integration test job.
We keep track of our proxy-init and CNI plugin versions in two exported
variables in `pkg/version/version.go`. As part of our release process,
we require these versions to be bumped when the iptables dependencies
are bumped.
In our multicluster test, we provide a proxy-init version that's
hardcoded. Instead of relying on the release coordinator to bump the
image in the test (which can be easily missed), use the already exported
version.
Signed-off-by: Matei David <matei@buoyant.io>
The multicluster extension has always allowed the extension to be
installed without a gateway; the idea being that users would provide
their own. With p2p, we extended this to allow links that do not specify
a gateway at all, but in the process we missed changing a key check
-- `multicluster-gateways-endpoints` -- that asserts all links have a
probe service.
Without a gateway on the other end, a link will not have a probe spec
(or a gateway address) so it makes no sense to run this check, there
will never be a probe service created in the source cluster. To fix this
issue, we skip the check when the link misses either a gateway address
or a probe spec.
Fixes #11428
Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
* Bump CNI plugin to v1.2.1
* Bump proxy-init to v2.2.2
Both dependencies include a fix for CVE-2023-2603. Since alpine is used
as the runtime image, there is a security vulnerability detected in the
produced images (due to an issue with libcap). The alpine images have
been bumped to address the CVE.
Signed-off-by: Matei David <matei@buoyant.io>
Add an integration test that exercises the direct pod-to-pod multicluster mode.
Signed-off-by: Alex Leong <alex@buoyant.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
proxy-init v2.2.1:
* Sanitize `subnets-to-ignore` flag
* Dep bumps
cni-plugin v1.1.0:
* Add support for the `config.linkerd.io/skip-subnets` annotation
* Dep bumps
validator v0.1.2:
* Dep bumps
Also, `linkerd-network-validator` is now released wrapped in a tar file, so this PR also amends `Dockerfile-proxy` to account for that.
Our multicluster integration tests used to depend on viz. Viz was used
to check the state of the gateways (`linkerd multicluster gateways`
required it). Since this is no longer the case, we can remove this
dependency to get back a few seconds of execution time (multicluster
tests are famously slow).
---------
Signed-off-by: Matei David <matei@buoyant.io>
* Refactor `linkerd check` calls in the integration tests
Extracted logic into the new file `testutil/test_helper_check.go` which exposes the functions `TestCheckPre`, `TestCheck` and `TestCheckProxy`.
`linkerd check --output json` is called so its output is properly captured without the need of golden files.
Besides checking that there are no errors (although warnings are allowed), we check that the expected check categories are returned.
The plan is to leverage this in #9856 when re-enabling the helm-upgrade test.
Fixes: #8173
In order to support having custom resources in the default Linkerd installation, it is necessary to add a separate install step to install CRDs before the core install. The Linkerd Helm charts already accomplish this by having CRDs in a separate chart.
We add this functionality to the CLI by adding a `--crds` flag to `linkerd install` and `linkerd upgrade` which outputs manifests for the CRDs only and remove the CRD manifests when the `--crds` flag is not set. To avoid a compounding of complexity, we remove the `config` and `control-plane` stages from install/upgrade. The effect of this is that we drop support for splitting up an install by privilege level (cluster admin vs Linkerd admin).
The Linkerd install flow is now always a 2-step process where `linkerd install --crds` must be run first to install CRDs only and then `linkerd install` is run to install everything else. This more closely aligns the CLI install flow with the Helm install flow where the CRDs are a separate chart. Attempting to run `linkerd install` before the CRDs are installed will result in a helpful error message.
Similarly, upgrade is also a 2-step process of `linkerd upgrade --crds` followed by `linkerd upgrade`.
Signed-off-by: Alex Leong <alex@buoyant.io>
This change continues the work from #7403 by refactoring the
multicluster tests in order to install components programmatically.
As part of this change, we now generate certificates (a CA and a shared
issuer) in code, and add a few utilities to manage different Kubernetes
contexts; a few examples are `KubectlApplyWithContext` and a function to
re-initialise the clientset with an arbitrary context.
A few bits and pieces have also been changed as I went through this, such
as applying entire files as opposed to reading manifests in memory
before piping them to kubectl.
Some other changes:
* remove logic from test runner script that set up multicluster
* add a more rigorous check test after linking source to target cluster
* remove `target1`, `source` and `target_statefulset` tests
* consolidate previous tests in one file
Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
Co-authored-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
Fixes mirrored headless services being disabled after the `repairEndpoints` function kicks in, by just ignoring in this function the auxiliary services created to support mirrored headless services (given the `Endpoints` for these auxiliary services aren't really mirroring any `Endpoints` in the target cluster).
Supersedes #7733
## Tests
- Removed the `multicluster/target-statefulset` suite, and instead created the nginx SS as part of the `target1` suite. Then moved the tests for checking the nginx connections into the `target2` suite.
- Added two `linkerd mc check` tests in the `source` suite, the second triggered a minute after the first, in order to test things out after the `repairEndpoints` function has been triggered.
- Also `TestMulticlusterCheck()` in `install_test.go` got a condition removed that is no longer necessary.
Co-authored-by: Aaron Friel
Since Go 1.13, errors may "wrap" other errors. [`errorlint`][el] checks
that error formatting and inspection is wrapping-aware.
This change enables `errorlint` in golangci-lint and updates all error
handling code to pass the lint. Some comparisons in tests have been left
unchanged (using `//nolint:errorlint` comments).
[el]: https://github.com/polyfloyd/go-errorlint
Signed-off-by: Oliver Gould <ver@buoyant.io>
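The wrapping-aware inspection that `errorlint` enforces, shown as an added example (not code from the linkerd2 change): a `==` comparison misses a sentinel wrapped with `%w`, while `errors.Is` and `errors.As` walk the `Unwrap` chain. `ErrNotFound`, `lookup` and `TimeoutError` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is a constructed sentinel error for this example.
var ErrNotFound = errors.New("not found")

// lookup wraps the sentinel with context using %w (Go 1.13+).
func lookup(name string) error {
	return fmt.Errorf("lookup %q: %w", name, ErrNotFound)
}

// isNotFoundNaive is the form errorlint flags: the wrapped error is a
// different value, so == never matches once the error has been wrapped.
func isNotFoundNaive(err error) bool {
	return err == ErrNotFound
}

// isNotFound is the lint-clean form: errors.Is unwraps until it finds a match.
func isNotFound(err error) bool {
	return errors.Is(err, ErrNotFound)
}

// TimeoutError is a constructed typed error; errorlint likewise requires
// errors.As instead of a direct type assertion on a possibly wrapped error.
type TimeoutError struct{ Op string }

func (e *TimeoutError) Error() string { return e.Op + ": timeout" }

// timeoutOp extracts the operation from a TimeoutError anywhere in the chain.
func timeoutOp(err error) (string, bool) {
	var te *TimeoutError
	if errors.As(err, &te) {
		return te.Op, true
	}
	return "", false
}

func main() {
	err := lookup("svc")
	fmt.Println(isNotFoundNaive(err), isNotFound(err)) // false true
	wrapped := fmt.Errorf("dial: %w", &TimeoutError{Op: "connect"})
	fmt.Println(timeoutOp(wrapped)) // connect true
}
```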
Go's test runner (`go test`) can be non-deterministic with the order in
which it runs the tests. Tests in Go seem to be always
run in parallel, but the specifics here differ depending on the
available CPU.
We can take advantage of parallelism here to get better timing on our
tests, however, we need to block the start of each test until the
control plane (or extension) pods are ready. In each `TestMain`, we
block until the pods are ready.
Signed-off-by: Matei David <matei@buoyant.io>