From 1b37e1989f4dc511844a2bc1b74ec3c67efa41fd Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Wed, 22 Nov 2023 09:23:24 -0800 Subject: [PATCH] Add native sidecar support (#11465) * Add native sidecar support Kubernetes will be providing beta support for native sidecar containers in version 1.29. This feature improves network proxy sidecar compatibility for jobs and initContainers. Introduce a new annotation config.alpha.linkerd.io/proxy-enable-native-sidecar and configuration option Proxy.NativeSidecar that causes the proxy container to run as an init-container. Fixes: #11461 
Signed-off-by: TJ Miller --- charts/linkerd-control-plane/README.md | 2 + .../templates/destination.yaml | 8 + .../templates/identity.yaml | 1 + .../templates/proxy-injector.yaml | 8 + charts/linkerd-control-plane/values.yaml | 9 + charts/partials/templates/_proxy.tpl | 17 +- charts/patch/templates/patch.json | 18 +- cli/cmd/doc.go | 4 + cli/cmd/inject.go | 4 + cli/cmd/inject_test.go | 13 + cli/cmd/options.go | 6 + ...ivoto_deployment_native_sidecar.golden.yml | 226 ++++++++++++++++++ ...install_controlplane_tracing_output.golden | 5 + cli/cmd/testdata/install_custom_domain.golden | 5 + .../testdata/install_custom_registry.golden | 5 + cli/cmd/testdata/install_default.golden | 5 + ...stall_default_override_dst_get_nets.golden | 5 + cli/cmd/testdata/install_default_token.golden | 5 + cli/cmd/testdata/install_ha_output.golden | 5 + .../install_ha_with_overrides_output.golden | 5 + .../install_heartbeat_disabled_output.golden | 5 + .../install_helm_control_plane_output.golden | 5 + ...nstall_helm_control_plane_output_ha.golden | 5 + .../install_helm_output_ha_labels.golden | 5 + ...l_helm_output_ha_namespace_selector.golden | 5 + .../testdata/install_no_init_container.golden | 5 + cli/cmd/testdata/install_output.golden | 4 +- cli/cmd/testdata/install_proxy_ignores.golden | 5 + cli/cmd/testdata/install_values_file.golden | 5 + controller/webhook/util.go | 19 +- jaeger/injector/mutator/patch.go | 16 +- jaeger/injector/mutator/webhook.go | 6 +- pkg/charts/linkerd2/values.go | 9 + pkg/charts/linkerd2/values_test.go | 5 + pkg/inject/inject.go | 8 + pkg/inject/inject_test.go | 4 + pkg/k8s/labels.go | 3 + .../k8s/index/src/inbound/pod.rs | 7 +- viz/tap/injector/patch.go | 2 +- viz/tap/injector/webhook.go | 6 +- 40 files changed, 458 insertions(+), 27 deletions(-) create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml 
diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index 811941f095a08..940a4f646f956 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md @@ -239,6 +239,7 @@ Kubernetes: `>=1.21.0-0` | proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache | | proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy | | proxy.logLevel | string | `"warn,linkerd=info,trust_dns=error"` | Log level for the proxy | +| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used. | | proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | | proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection | | proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache | 
@@ -254,6 +255,7 @@ Kubernetes: `>=1.21.0-0` | proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use | | proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests | | proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. | +| proxy.startupProbe | object | `{"failureThreshold":120,"initialDelaySeconds":0,"periodSeconds":1}` | Native sidecar proxy startup probe parameters. | | proxy.uid | int | `2102` | User id under which the proxy runs | | proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. | | proxyInit.closeWaitTimeoutSecs | int | `0` | | diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml index d9992747f8710..a4081b69101ea 100644 --- a/charts/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd-control-plane/templates/destination.yaml @@ -190,7 +190,9 @@ spec: */}} {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- if not $tree.Values.proxy.nativeSidecar }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} - args: - destination - -addr=:8086 
@@ -341,6 +343,12 @@ spec: {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} {{- if .Values.priorityClassName -}} priorityClassName: {{ .Values.priorityClassName }} {{ end -}} diff --git a/charts/linkerd-control-plane/templates/identity.yaml b/charts/linkerd-control-plane/templates/identity.yaml index b22357f019592..d2003a8d471b0 100644 --- a/charts/linkerd-control-plane/templates/identity.yaml +++ b/charts/linkerd-control-plane/templates/identity.yaml @@ -206,6 +206,7 @@ spec: {{- $_ := set $tree.Values.proxy "await" false }} {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }} + {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} {{- /* The identity controller cannot discover policies, so we configure it with defaults that enforce TLS on the identity service. diff --git a/charts/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd-control-plane/templates/proxy-injector.yaml index 89798c06aee9f..4fd044d65ccea 100644 --- a/charts/linkerd-control-plane/templates/proxy-injector.yaml +++ b/charts/linkerd-control-plane/templates/proxy-injector.yaml 
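Review bot: The three `set $tree.Values.proxy "startupProbe…Seconds"` lines in the new nativeSidecar branch write flat keys that nothing reads: the startup probe in `partials.proxy` is rendered from the nested map (`.Values.proxy.startupProbe.initialDelaySeconds`, `.periodSeconds`, `.failureThreshold`), so the destination proxy will get the chart defaults (0s delay, 1s period, 120 failures) instead of the intended 35s/5s/20. Replace the three lines with one `{{- $_ := set $tree.Values.proxy "startupProbe" (dict "initialDelaySeconds" 35 "periodSeconds" 5 "failureThreshold" 20) }}`. A rendered-template assertion on `startupProbe.initialDelaySeconds: 35` for the destination deployment would have caught this; the same three lines are repeated in proxy-injector.yaml.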
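Review bot: The forced `set $tree.Values.proxy "nativeSidecar" false` on the identity proxy carries no comment explaining why this workload is exempt, unlike the policy override directly below it. Add `{{- /* The identity proxy is never a native sidecar: it is injected with await=false and obtains its certificate from the identity service in this same pod, so it must not gate pod startup on its own readiness */ -}}`. The bootstrap-ordering reason is my inference from the `await false` line above, so confirm the actual motivation before committing the wording.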
@@ -70,7 +70,9 @@ spec: {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- if not $tree.Values.proxy.nativeSidecar }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} - args: - proxy-injector - -log-level={{.Values.controllerLogLevel}} @@ -127,6 +129,12 @@ spec: {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} {{- if .Values.priorityClassName -}} priorityClassName: {{ .Values.priorityClassName }} {{ end -}} diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 0fb82cc2f3819..5ae19b7e1820d 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml @@ -191,6 +191,15 @@ proxy: # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" # @default -- "all-unauthenticated" defaultInboundPolicy: "all-unauthenticated" + # -- Enable KEP-753 native sidecars + # This is an experimental feature. It requires Kubernetes >= 1.29. + # If enabled, .proxy.waitBeforeExitSeconds should not be used. + nativeSidecar: false + # -- Native sidecar proxy startup probe parameters. + startupProbe: + initialDelaySeconds: 0 + periodSeconds: 1 + failureThreshold: 120 # proxy-init configuration proxyInit: 
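Review bot: As in destination.yaml, the `startupProbeInitialDelaySeconds` / `startupProbePeriodSeconds` / `startupProbeFailureThreshold` keys set here are never consumed: `partials.proxy` reads the nested `.Values.proxy.startupProbe` map, so the injector's own proxy silently falls back to the chart defaults. Use `{{- $_ := set $tree.Values.proxy "startupProbe" (dict "initialDelaySeconds" 35 "periodSeconds" 5 "failureThreshold" 20) }}` instead of the three lines. Since this is the webhook that injects everyone else, a 120-failure/1s probe here also means a slow control-plane rollout fails faster than the authors apparently intended.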
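Review bot: The `startupProbe` values comment does not say that the probe is only rendered when both `nativeSidecar` and `await` are true (that condition lives in `partials.proxy`), so users who disable await will find these three settings silently ignored. Extend the comment to `# -- Native sidecar proxy startup probe parameters. Only rendered when both .proxy.nativeSidecar and .proxy.await are enabled; with the defaults the pod waits up to 120s for the proxy to become ready.` The `nativeSidecar` comment should also warn about the failure mode when the cluster lacks native-sidecar support: as far as I know `restartPolicy: Always` on an init container is then ignored and the proxy becomes an ordinary init container that never exits, leaving the pod stuck in Init rather than failing loudly.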
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index f5dd4c2cd3338..da0d10b6c73e8 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -1,4 +1,7 @@ {{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} {{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} env: - name: _pod_name @@ -168,6 +171,15 @@ readinessProbe: path: /ready port: {{.Values.proxy.ports.admin}} initialDelaySeconds: 2 +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} {{- if .Values.proxy.resources }} {{ include "partials.resources" .Values.proxy.resources }} {{- end }} @@ -182,7 +194,7 @@ securityContext: seccompProfile: type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError -{{- if or (.Values.proxy.await) (.Values.proxy.waitBeforeExitSeconds) }} +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} lifecycle: {{- if .Values.proxy.await }} postStart: @@ -212,4 +224,7 @@ volumeMounts: name: {{.Values.proxy.saMountPath.name}} readOnly: {{.Values.proxy.saMountPath.readOnly}} {{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} {{- end }} diff --git a/charts/patch/templates/patch.json b/charts/patch/templates/patch.json index ea652aad7eda3..8f83f59c0c8ed 100644 --- a/charts/patch/templates/patch.json +++ b/charts/patch/templates/patch.json 
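Review bot: The new `startupProbe` block dereferences `.Values.proxy.startupProbe.initialDelaySeconds` (and the two sibling keys) without guarding for a nil `startupProbe`; the `install_output.golden` change further down in this patch shows `startupProbe: null` being written into linkerd-config when a values file omits it, so an injector fed such a config (e.g. after an upgrade that did not re-render values) would fail the template with a nil-map error the moment a pod opts in via the annotation. Default the map and each key so the render degrades to the chart defaults instead. The `fail` guard at the top of the partial and the `restartPolicy: Always` tail look right; the hunks below the startup probe are unchanged by this suggestion.
```yaml
{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }}
{{- /* Older linkerd-config values may carry startupProbe: null; fall back to the chart defaults instead of failing the render */ -}}
{{- $probe := .Values.proxy.startupProbe | default (dict) }}
startupProbe:
  httpGet:
    path: /ready
    port: {{.Values.proxy.ports.admin}}
  initialDelaySeconds: {{ $probe.initialDelaySeconds | default 0 }}
  periodSeconds: {{ $probe.periodSeconds | default 1 }}
  failureThreshold: {{ $probe.failureThreshold | default 120 }}
{{- end }}
# … unchanged: resources, securityContext, lifecycle, volumeMounts, restartPolicy …
```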
@@ -1,4 +1,14 @@ {{ $prefix := .Values.pathPrefix -}} +{{/* +$initIndex represents the patch insertion index of the next initContainer when +proxy.nativeSidecar is true. If enabled, the proxy-init or network-validator +should run first, immediately followed by the proxy. This ordering allows us +to proxy traffic in subsequent initContainers. + +Note: dig is not used directly on .Values because it rejects chartutil.Values +structs. +*/}} +{{- $initIndex := ternary "0" "-" (.Values.proxy | default (dict) | dig "nativeSidecar" false) -}} [ {{- if .Values.addRootMetadata }} { @@ -62,14 +72,14 @@ }, { "op": "add", - "path": "{{$prefix}}/spec/initContainers/-", + "path": "{{$prefix}}/spec/initContainers/{{$initIndex}}{{$initIndex = add1 $initIndex}}", "value": {{- include "partials.proxy-init" . | fromYaml | toPrettyJson | nindent 6 }} }, {{- else if and .Values.proxy .Values.cniEnabled }} { "op": "add", - "path": "{{$prefix}}/spec/initContainers/-", + "path": "{{$prefix}}/spec/initContainers/{{$initIndex}}{{$initIndex = add1 $initIndex}}", "value": {{- include "partials.network-validator" . | fromYaml | toPrettyJson | nindent 6 }} }, @@ -103,7 +113,9 @@ {{- end }} { "op": "add", - {{- if .Values.proxy.await }} + {{- if .Values.proxy.nativeSidecar }} + "path": "{{$prefix}}/spec/initContainers/{{$initIndex}}", + {{- else if .Values.proxy.await }} "path": "{{$prefix}}/spec/containers/0", {{- else }} "path": "{{$prefix}}/spec/containers/-", diff --git a/cli/cmd/doc.go b/cli/cmd/doc.go index 20867238085ea..f60ab24908a6f 100644 --- a/cli/cmd/doc.go +++ b/cli/cmd/doc.go 
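Review bot: `{{$initIndex = add1 $initIndex}}` also runs on the non-native path where `$initIndex` is the string `"-"`; sprig's `add1` coerces an unparsable string to 0 (lenient cast, to the best of my recollection), so the variable silently becomes the integer `1` after the proxy-init or network-validator op. Nothing reads it again on that path because the proxy's `initContainers/{{$initIndex}}` target is only used under `nativeSidecar`, but the string/int dual typing is easy to trip over in a later edit, so document it in the header comment: `When nativeSidecar is false, $initIndex is the literal "-" (append); add1 still runs and yields 1, which is harmless because the value is only read again under nativeSidecar.` Inserting at index `0` also assumes `spec/initContainers` already exists on the pod; if that is guaranteed by an earlier op in this file it is outside this hunk, and a short sentence in the same comment naming that op would make the dependency explicit.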
@@ -280,5 +280,9 @@ func generateAnnotationsDocs() []annotationDoc { Name: k8s.ProxyShutdownGracePeriodAnnotation, Description: "Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.", }, + { + Name: k8s.ProxyEnableNativeSidecarAnnotation, + Description: "Enable KEP-753 native sidecars. This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used.", + }, } } diff --git a/cli/cmd/inject.go b/cli/cmd/inject.go index bb92cbdee0049..117f65f9fb8b6 100644 --- a/cli/cmd/inject.go +++ b/cli/cmd/inject.go @@ -491,6 +491,10 @@ func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[ overrideAnnotations[k8s.ProxyShutdownGracePeriodAnnotation] = proxy.ShutdownGracePeriod } + if proxy.NativeSidecar != baseProxy.NativeSidecar { + overrideAnnotations[k8s.ProxyEnableNativeSidecarAnnotation] = strconv.FormatBool(proxy.NativeSidecar) + } + return overrideAnnotations } diff --git a/cli/cmd/inject_test.go b/cli/cmd/inject_test.go index a0bbfccb9c641..709526f466d25 100644 --- a/cli/cmd/inject_test.go +++ b/cli/cmd/inject_test.go @@ -344,6 +344,17 @@ func TestUninjectAndInject(t *testing.T) { return values }(), }, + { + inputFileName: "inject_emojivoto_deployment.input.yml", + goldenFileName: "inject_emojivoto_deployment_native_sidecar.golden.yml", + reportFileName: "inject_emojivoto_deployment.report", + injectProxy: true, + testInjectConfig: func() *linkerd2.Values { + values := defaultConfig() + values.Proxy.NativeSidecar = true + return values + }(), + }, } for i, tc := range testCases { 
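Review bot: The annotation description says `.proxy.waitBeforeExitSeconds should not be used`, but `partials.proxy` in this same patch calls `fail` when both are set, so the combination is rejected rather than merely discouraged. Tighten the text to `"… It requires Kubernetes >= 1.29. Cannot be combined with proxy.waitBeforeExitSeconds; injection fails if both are set."` so the generated docs match the enforced behaviour. The same wording appears in the chart README and values.yaml and should be aligned at the same time.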
@@ -678,6 +689,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) { values.Proxy.Await = false values.Proxy.AccessLog = "apache" values.Proxy.ShutdownGracePeriod = "60s" + values.Proxy.NativeSidecar = true expectedOverrides := map[string]string{ k8s.ProxyIgnoreInboundPortsAnnotation: "8500-8505", @@ -699,6 +711,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) { k8s.ProxyAwait: "disabled", k8s.ProxyAccessLogAnnotation: "apache", k8s.ProxyShutdownGracePeriodAnnotation: "60s", + k8s.ProxyEnableNativeSidecarAnnotation: "true", } overrides := getOverrideAnnotations(values, baseValues) diff --git a/cli/cmd/options.go b/cli/cmd/options.go index 60539f2ac383d..0805b5cb8b525 100644 --- a/cli/cmd/options.go +++ b/cli/cmd/options.go @@ -441,6 +441,12 @@ func makeInjectFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) { injectFlags := pflag.NewFlagSet("inject", pflag.ExitOnError) flags := []flag.Flag{ + flag.NewBoolFlag(injectFlags, "native-sidecar", false, "Enable native sidecar", + func(values *l5dcharts.Values, value bool) error { + values.Proxy.NativeSidecar = value + return nil + }), + flag.NewInt64Flag(injectFlags, "wait-before-exit-seconds", int64(defaults.Proxy.WaitBeforeExitSeconds), "The period during which the proxy sidecar must stay alive while its pod is terminating. "+ "Must be smaller than terminationGracePeriodSeconds for the pod (default 0)", diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml new file mode 100644 index 0000000000000..9ba6815059764 --- /dev/null +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml 
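Review bot: The new `native-sidecar` flag hard-codes its default as `false` while the neighbouring `wait-before-exit-seconds` flag derives its default from `defaults.Proxy.WaitBeforeExitSeconds`; if the control-plane config ever enables `nativeSidecar`, the CLI help will misreport the effective default. Use `flag.NewBoolFlag(injectFlags, "native-sidecar", defaults.Proxy.NativeSidecar, "Enable native sidecar (requires Kubernetes >= 1.29; cannot be combined with --wait-before-exit-seconds)",` so both flags follow the same pattern and the help text carries the version requirement. The conflict with `--wait-before-exit-seconds` is currently only caught by `fail` at template render time; surfacing it in the flag callback or inject validation would give a clearer CLI error, though whether the callback has access to the other flag's value is not visible from this hunk.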
@@ -0,0 +1,226 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: web + namespace: emojivoto +spec: + replicas: 1 + selector: + matchLabels: + app: web-svc + template: + metadata: + annotations: + config.alpha.linkerd.io/proxy-enable-native-sidecar: "true" + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/proxy-version: test-inject-proxy-version + linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4 + labels: + app: web-svc + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: web + linkerd.io/workload-ns: emojivoto + spec: + containers: + - env: + - name: WEB_PORT + value: "80" + - name: EMOJISVC_HOST + value: emoji-svc.emojivoto:8080 + - name: VOTINGSVC_HOST + value: voting-svc.emojivoto:8080 + - name: INDEX_BUNDLE + value: dist/index_bundle.js + image: buoyantio/emojivoto-web:v10 + name: web-svc + ports: + - containerPort: 80 + name: http + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,4567,4568 + - --outbound-ports-to-ignore + - 4567,4568 + image: cr.l5d.io/linkerd/proxy-init:v2.2.3 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: 100m + memory: 20Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + - env: + - name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_LOG + value: 
warn,linkerd=info,trust_dns=error + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 + - name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: linkerd-policy.linkerd.svc.cluster.local.:8090 + - name: LINKERD2_PROXY_POLICY_WORKLOAD + value: $(_pod_ns):$(_pod_name) + - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: all-unauthenticated + - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: 100ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: 1000ms + - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: 5s + - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: 90s + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: LINKERD2_PROXY_INBOUND_PORTS + value: "80" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: 25,587,3306,4444,5432,6379,9300,11211 + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw + JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 + MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r + ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z + l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 + uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB + /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe + aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC + IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 + vgUC0d2/9FMueIVMb+46WTCOjsqr + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/tokens/linkerd-identity-token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local + - name: 
LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local + image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + restartPolicy: Always + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 2102 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 120 + httpGet: + path: /ready + port: 4191 + periodSeconds: 1 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + - mountPath: /var/run/secrets/tokens + name: linkerd-identity-token + volumes: + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: linkerd-identity-token + projected: + sources: + - serviceAccountToken: + audience: identity.l5d.io + expirationSeconds: 86400 + path: linkerd-identity-token +--- diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index ebcd0b21dac44..8e42b874146ca 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s 
@@ -656,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index 0306f1a465e7a..e41d54dc7b06e 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -656,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index cb07eb109bfa0..99a3e54c89061 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -656,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 0306f1a465e7a..e41d54dc7b06e 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden 
@@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -656,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index a355cf87ffa1c..6905aee1501ac 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -656,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index 332d1a68874f5..2180f4ae1554c 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s 
@@ -656,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 21162d710c681..deefa97e9b4e3 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -661,6 +661,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -683,6 +684,10 @@ data: request: 20Mi saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index f1dcae1f530f1..b030cbd633d90 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -661,6 +661,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -683,6 +684,10 @@ data: request: 300Mi saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index d0ced48d3849f..f106ceaf35e46 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden 
+++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -565,6 +565,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -587,6 +588,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index 9ac6c65276378..cce8440af8e67 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -611,6 +611,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -633,6 +634,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index 66f3ef2a3962a..375fc60f39e36 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -638,6 +638,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s 
@@ -660,6 +661,10 @@ data:
 request: 20Mi
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden
index f976a0a4e19b6..4455b0267340d 100644
--- a/cli/cmd/testdata/install_helm_output_ha_labels.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden
@@ -642,6 +642,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
@@ -664,6 +665,10 @@ data:
 request: 20Mi
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
index f6d39a2a3d938..3345be7a2c9a3 100644
--- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
@@ -633,6 +633,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
@@ -655,6 +656,10 @@ data:
 request: 20Mi
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden
index fcea6e8714f69..85fc97557f304 100644
--- a/cli/cmd/testdata/install_no_init_container.golden
+++ b/cli/cmd/testdata/install_no_init_container.golden
@@ -634,6 +634,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
@@ -656,6 +657,10 @@ data:
 request: ""
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden
index 9d14e1d1a4174..ad8c40b99dcdc 100644
--- a/cli/cmd/testdata/install_output.golden
+++ b/cli/cmd/testdata/install_output.golden
@@ -614,6 +614,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info
+ nativeSidecar: false
 opaquePorts: 25,443,587,3306,5432,11211
 outboundConnectTimeout: ""
 outboundDiscoveryCacheUnusedTimeout: ""
@@ -636,6 +637,7 @@ data:
 request: memory-request
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe: null
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: ProxyContainerName
@@ -1888,7 +1890,7 @@ spec: --- apiVersion: v1 data: - linkerd-config-overrides: Y2xpVmVyc2lvbjogQ2xpVmVyc2lvbgpjbHVzdGVyTmV0d29ya3M6IENsdXN0ZXJOZXR3b3Jrcwpjb250cm9sUGxhbmVUcmFjaW5nTmFtZXNwYWNlOiAiIgpjb250cm9sbGVySW1hZ2U6IENvbnRyb2xsZXJJbWFnZQpjb250cm9sbGVyTG9nRm9ybWF0OiBDb250cm9sbGVyTG9nRm9ybWF0CmNvbnRyb2xsZXJMb2dMZXZlbDogQ29udHJvbGxlckxvZ0xldmVsCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgbmFtZTogRGVidWdJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IERlYnVnSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBEZWJ1Z1ZlcnNpb24KZW5hYmxlRW5kcG9pbnRTbGljZXM6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0
tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQppbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQppbWFnZVB1bGxTZWNyZXRzOiBudWxsCmxpbmtlcmRWZXJzaW9uOiBMaW5rZXJkVmVyc2lvbgpuZXR3b3JrVmFsaWRhdG9yOgogIGVuYWJsZVNlY3VyaXR5Q29udGV4dDogZmFsc2UKcG9kTW9uaXRvcjogbnVsbApwb2xpY3lDb250cm9sbGVyOgogIGltYWdlOgogICAgbmFtZTogUG9saWN5Q29udHJvbGxlckltYWdlTmFtZQogICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBQb2xpY3lDb250cm9sbGVyVmVyc2lvbgogIGxvZ0xldmVsOiBsb2ctbGV2ZWwKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdApwb2xpY3lWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHBvbGljeSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJpb3JpdHlDbGFzc05hbWU6IFByaW9yaXR5Q2xhc3NOYW1lCnByb2ZpbGVWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHByb2ZpbGUgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCnByb3h5OgogIGRlZmF1bHRJbmJvdW5kUG9saWN5OiBkZWZhdWx0LWFsbG93LXBvbGljeQogIGltYWdlOgogICAgbmFtZTogUHJveHlJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFB
vbGljeQogICAgdmVyc2lvbjogUHJveHlWZXJzaW9uCiAgaW5ib3VuZENvbm5lY3RUaW1lb3V0OiAiIgogIGluYm91bmREaXNjb3ZlcnlDYWNoZVVudXNlZFRpbWVvdXQ6ICIiCiAgbG9nTGV2ZWw6IHdhcm4sbGlua2VyZD1pbmZvCiAgb3BhcXVlUG9ydHM6IDI1LDQ0Myw1ODcsMzMwNiw1NDMyLDExMjExCiAgb3V0Ym91bmRDb25uZWN0VGltZW91dDogIiIKICBvdXRib3VuZERpc2NvdmVyeUNhY2hlVW51c2VkVGltZW91dDogIiIKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdApwcm94eUNvbnRhaW5lck5hbWU6IFByb3h5Q29udGFpbmVyTmFtZQpwcm94eUluaXQ6CiAgaWdub3JlSW5ib3VuZFBvcnRzOiAiIgogIGlnbm9yZU91dGJvdW5kUG9ydHM6ICI0NDMiCiAgaW1hZ2U6CiAgICBuYW1lOiBQcm94eUluaXRJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUHJveHlJbml0VmVyc2lvbgogIGt1YmVBUElTZXJ2ZXJQb3J0czogIiIKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIHJlcXVlc3Q6IDEwbQogICAgbWVtb3J5OgogICAgICBsaW1pdDogNTBNaQogICAgICByZXF1ZXN0OiAxME1pCnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCndlYmhvb2tGYWlsdXJlUG9saWN5OiBXZWJob29rRmFpbHVyZVBvbGljeQo= + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index 81dee954ee422..25bc19143b88f 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s @@ -656,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy 
diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden
index 6451a20bfd251..9c3923511a752 100644
--- a/cli/cmd/testdata/install_values_file.golden
+++ b/cli/cmd/testdata/install_values_file.golden
@@ -634,6 +634,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
@@ -656,6 +657,10 @@ data:
 request: ""
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/controller/webhook/util.go b/controller/webhook/util.go
index c456072ef9582..320b533df5c8f 100644
--- a/controller/webhook/util.go
+++ b/controller/webhook/util.go
@@ -1,17 +1,24 @@
 package webhook
 import (
+ "fmt"
+
 labels "github.com/linkerd/linkerd2/pkg/k8s"
 corev1 "k8s.io/api/core/v1"
 )
-// GetProxyContainerIndex gets the proxy container index of a pod; the index
-// is required in webhooks because of how patches are created.
-func GetProxyContainerIndex(containers []corev1.Container) int {
- for i, c := range containers {
+// GetProxyContainerPath gets the proxy container jsonpath of a pod relative to spec;
+// this path is required in webhooks because of how patches are created.
+func GetProxyContainerPath(spec corev1.PodSpec) string {
+ for i, c := range spec.Containers {
+ if c.Name == labels.ProxyContainerName {
+ return fmt.Sprintf("containers/%d", i)
+ }
+ }
+ for i, c := range spec.InitContainers {
 if c.Name == labels.ProxyContainerName {
- return i
+ return fmt.Sprintf("initContainers/%d", i)
 }
 }
- return -1
+ return ""
 }
diff --git a/jaeger/injector/mutator/patch.go b/jaeger/injector/mutator/patch.go
index c21c73374c5b7..7af89466bde15 100644
--- a/jaeger/injector/mutator/patch.go
+++ b/jaeger/injector/mutator/patch.go
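Review bot: `GetProxyContainerPath` reports "not found" with an empty string, and both callers in this patch (`Mutate` in jaeger/injector/mutator/webhook.go and in viz/tap/injector/webhook.go) compare against `""`; a `(path string, ok bool)` return would make that contract explicit and is the idiomatic Go replacement for the old `-1` sentinel. Failing that, the doc comment should state it: `// It returns "" when no container named labels.ProxyContainerName exists in either list.` Matching is by name only and `spec.Containers` is searched before `spec.InitContainers`, so a pod carrying the proxy name in both lists is patched at the regular container; that precedence deserves a sentence in the comment now that two lists are consulted.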
@@ -8,7 +8,7 @@ const tpl = `[
 },
 {
 "op": "add",
- "path": "/spec/containers/{{.ProxyIndex}}/env/-",
+ "path": "/spec/{{.ProxyPath}}/env/-",
 "value": {
 "name": "LINKERD2_PROXY_TRACE_ATTRIBUTES_PATH",
 "value": "/var/run/linkerd/podinfo/labels"
@@ -16,7 +16,7 @@ const tpl = `[
 },
 {
 "op": "add",
- "path": "/spec/containers/{{.ProxyIndex}}/env/-",
+ "path": "/spec/{{.ProxyPath}}/env/-",
 "value": {
 "name": "LINKERD2_PROXY_TRACE_COLLECTOR_SVC_ADDR",
 "value": "{{.CollectorSvcAddr}}"
@@ -24,7 +24,7 @@ const tpl = `[
 },
 {
 "op": "add",
- "path": "/spec/containers/{{.ProxyIndex}}/env/-",
+ "path": "/spec/{{.ProxyPath}}/env/-",
 "value": {
 "name": "LINKERD2_PROXY_TRACE_COLLECTOR_SVC_NAME",
 "value": "{{.CollectorSvcAccount}}.serviceaccount.identity.{{.LinkerdNamespace}}.{{.ClusterDomain}}"
@@ -32,7 +32,7 @@ const tpl = `[
 },
 {
 "op": "add",
- "path": "/spec/containers/{{.ProxyIndex}}/volumeMounts/-",
+ "path": "/spec/{{.ProxyPath}}/volumeMounts/-",
 "value": {
 "mountPath": "var/run/linkerd/podinfo",
 "name": "podinfo"
@@ -44,13 +44,13 @@ const tpl = `[
 "value": {
 "downwardAPI": {
 "items": [
- {
+ {
 "fieldRef": {
 "fieldPath": "metadata.labels"
- },
+ },
 "path": "labels"
- }
- ]
+ }
+ ]
 },
 "name": "podinfo"
 }
diff --git a/jaeger/injector/mutator/webhook.go b/jaeger/injector/mutator/webhook.go
index fff2cd50ddbd8..de51848732329 100644
--- a/jaeger/injector/mutator/webhook.go
+++ b/jaeger/injector/mutator/webhook.go
@@ -27,7 +27,7 @@ const (
 // Params holds the values used in the patch template
 type Params struct {
- ProxyIndex int
+ ProxyPath string
 CollectorSvcAddr string
 CollectorSvcAccount string
 ClusterDomain string
@@ -59,13 +59,13 @@ func Mutate(collectorSvcAddr, collectorSvcAccount, clusterDomain, linkerdNamespa
 return nil, err
 }
 params := Params{
- ProxyIndex: webhook.GetProxyContainerIndex(pod.Spec.Containers),
+ ProxyPath: webhook.GetProxyContainerPath(pod.Spec),
 CollectorSvcAddr: collectorSvcAddr,
 CollectorSvcAccount: collectorSvcAccount,
 ClusterDomain: clusterDomain,
 LinkerdNamespace: linkerdNamespace,
 }
- if params.ProxyIndex < 0 || labels.IsTracingEnabled(pod) {
+ if params.ProxyPath == "" || labels.IsTracingEnabled(pod) {
 return admissionResponse, nil
 }
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go
index 791318a45a61b..a4f107304dc75 100644
--- a/pkg/charts/linkerd2/values.go
+++ b/pkg/charts/linkerd2/values.go
@@ -119,6 +119,8 @@ type (
 DefaultInboundPolicy string `json:"defaultInboundPolicy"`
 AccessLog string `json:"accessLog"`
 ShutdownGracePeriod string `json:"shutdownGracePeriod"`
+ NativeSidecar bool `json:"nativeSidecar"`
+ StartupProbe *StartupProbe `json:"startupProbe"`
 }
 // ProxyInit contains the fields to set the proxy-init container
@@ -226,6 +228,13 @@ type (
 EphemeralStorage Constraints `json:"ephemeral-storage"`
 }
+ // StartupProbe represents the initContainer startup probe parameters for the proxy
+ StartupProbe struct {
+ InitialDelaySeconds uint `json:"initialDelaySeconds"`
+ PeriodSeconds uint `json:"periodSeconds"`
+ FailureThreshold uint `json:"failureThreshold"`
+ }
+
 // Identity contains the fields to set the identity variables in the proxy
 // sidecar container
 Identity struct {
diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go
index 91c6b3c6fb020..2cba9d1c66dee 100644
--- a/pkg/charts/linkerd2/values_test.go
+++ b/pkg/charts/linkerd2/values_test.go
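Review bot: `NativeSidecar` is added to the `Proxy` values without a doc comment, while the neighbouring value types each carry one; a line such as `// NativeSidecar runs the proxy as an init container (Kubernetes native sidecar) instead of a regular sidecar container` would tell chart and CLI consumers what the flag changes. `StartupProbe` is documented as "initContainer startup probe parameters", which suggests it is only consulted in native-sidecar mode; if that is the case, say so on `NativeSidecar` as well, since the two fields are only meaningful together (the template that renders them is outside this chunk).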
@@ -134,6 +134,11 @@ func TestNewValues(t *testing.T) {
 InboundDiscoveryCacheUnusedTimeout: "90s",
 DisableOutboundProtocolDetectTimeout: false,
 DisableInboundProtocolDetectTimeout: false,
+ StartupProbe: &StartupProbe{
+ FailureThreshold: 120,
+ InitialDelaySeconds: 0,
+ PeriodSeconds: 1,
+ },
 },
 ProxyInit: &ProxyInit{
 IptablesMode: "legacy",
diff --git a/pkg/inject/inject.go b/pkg/inject/inject.go
index 31bc0ef2dd12c..a642b6526dcf2 100644
--- a/pkg/inject/inject.go
+++ b/pkg/inject/inject.go
@@ -82,6 +82,7 @@ var (
 // (config.alpha prefix) that can be applied to a pod or namespace.
 ProxyAlphaConfigAnnotations = []string{
 k8s.ProxyWaitBeforeExitSecondsAnnotation,
+ k8s.ProxyEnableNativeSidecarAnnotation,
 }
 )
@@ -1000,6 +1001,13 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) {
 }
 }
+ if override, ok := annotations[k8s.ProxyEnableNativeSidecarAnnotation]; ok {
+ value, err := strconv.ParseBool(override)
+ if err == nil {
+ values.Proxy.NativeSidecar = value
+ }
+ }
+
 if override, ok := annotations[k8s.ProxyCPURequestAnnotation]; ok {
 _, err := k8sResource.ParseQuantity(override)
 if err != nil {
diff --git a/pkg/inject/inject_test.go b/pkg/inject/inject_test.go
index 41177b8f53b98..b0ddccccaeb93 100644
--- a/pkg/inject/inject_test.go
+++ b/pkg/inject/inject_test.go
@@ -74,6 +74,7 @@ func TestGetOverriddenValues(t *testing.T) {
 k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "900s",
 k8s.ProxyDisableOutboundProtocolDetectTimeout: "true",
 k8s.ProxyDisableInboundProtocolDetectTimeout: "true",
+ k8s.ProxyEnableNativeSidecarAnnotation: "true",
 },
 },
 Spec: corev1.PodSpec{},
@@ -126,6 +127,7 @@ func TestGetOverriddenValues(t *testing.T) {
 values.Proxy.InboundDiscoveryCacheUnusedTimeout = "900s"
 values.Proxy.DisableOutboundProtocolDetectTimeout = true
 values.Proxy.DisableInboundProtocolDetectTimeout = true
+ values.Proxy.NativeSidecar = true
 return values
 },
 },
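Review bot: A `strconv.ParseBool` failure on the `ProxyEnableNativeSidecarAnnotation` override is silently ignored — `if err == nil` merely skips the assignment, so a value such as `"yes"` leaves `values.Proxy.NativeSidecar` at its default and the workload is injected as a regular sidecar with no diagnostic telling the operator why. The `ProxyCPURequestAnnotation` block immediately below takes a dedicated `if err != nil` branch on an unparsable value (its body is outside the hunk); the new override should mirror that branch, report the bad value the same way, and assign only on success. `applyAnnotationOverrides` begins and ends outside this hunk.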
@@ -174,6 +176,7 @@ func TestGetOverriddenValues(t *testing.T) {
 k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6000ms",
 k8s.ProxyDisableOutboundProtocolDetectTimeout: "true",
 k8s.ProxyDisableInboundProtocolDetectTimeout: "false",
+ k8s.ProxyEnableNativeSidecarAnnotation: "true",
 },
 spec: appsv1.DeploymentSpec{
 Template: corev1.PodTemplateSpec{
@@ -221,6 +224,7 @@ func TestGetOverriddenValues(t *testing.T) {
 values.Proxy.InboundDiscoveryCacheUnusedTimeout = "6s"
 values.Proxy.DisableOutboundProtocolDetectTimeout = true
 values.Proxy.DisableInboundProtocolDetectTimeout = false
+ values.Proxy.NativeSidecar = true
 return values
 },
 },
diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go
index 00dbfd1709764..d255ef058b3e5 100644
--- a/pkg/k8s/labels.go
+++ b/pkg/k8s/labels.go
@@ -264,6 +264,9 @@ const (
 // configured for the Pod
 ProxyWaitBeforeExitSecondsAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-wait-before-exit-seconds"
+ // ProxyEnableNativeSidecarAnnotation enables the new native initContainer sidecar
+ ProxyEnableNativeSidecarAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-enable-native-sidecar"
+
 // ProxyAwait can be used to force the application to wait for the proxy
 // to be ready.
 ProxyAwait = ProxyConfigAnnotationsPrefix + "/proxy-await"
diff --git a/policy-controller/k8s/index/src/inbound/pod.rs b/policy-controller/k8s/index/src/inbound/pod.rs
index 61130c7f8e480..0aa5f37ee0c7d 100644
--- a/policy-controller/k8s/index/src/inbound/pod.rs
+++ b/policy-controller/k8s/index/src/inbound/pod.rs
@@ -43,7 +43,12 @@ pub(crate) fn tcp_ports_by_name(spec: &k8s::PodSpec) -> HashMap
 /// Pod and the paths for which probes are expected.
 pub(crate) fn pod_http_probes(pod: &k8s::PodSpec) -> PortMap> {
 let mut probes = PortMap::>::default();
- for (port, path) in pod.containers.iter().flat_map(container_http_probe_paths) {
+ for (port, path) in pod
+ .containers
+ .iter()
+ .chain(pod.init_containers.iter().flatten())
+ .flat_map(container_http_probe_paths)
+ {
 probes.entry(port).or_default().insert(path);
 }
 probes
diff --git a/viz/tap/injector/patch.go b/viz/tap/injector/patch.go
index 5205d3b93e650..5a9d65b6e4e5b 100644
--- a/viz/tap/injector/patch.go
+++ b/viz/tap/injector/patch.go
@@ -8,7 +8,7 @@ var tpl = `[
 },
 {
 "op": "add",
- "path": "/spec/containers/{{.ProxyIndex}}/env/-",
+ "path": "/spec/{{.ProxyPath}}/env/-",
 "value": {
 "name": "LINKERD2_PROXY_TAP_SVC_NAME",
 "value": "{{.ProxyTapSvcName}}"
diff --git a/viz/tap/injector/webhook.go b/viz/tap/injector/webhook.go
index 5d6a0419af8ad..bd65406b59c82 100644
--- a/viz/tap/injector/webhook.go
+++ b/viz/tap/injector/webhook.go
@@ -17,7 +17,7 @@ import (
 // Params holds the values used in the patch template.
 type Params struct {
- ProxyIndex int
+ ProxyPath string
 ProxyTapSvcName string
 }
@@ -41,10 +41,10 @@ func Mutate(tapSvcName string) webhook.Handler {
 return nil, err
 }
 params := Params{
- ProxyIndex: webhook.GetProxyContainerIndex(pod.Spec.Containers),
+ ProxyPath: webhook.GetProxyContainerPath(pod.Spec),
 ProxyTapSvcName: tapSvcName,
 }
- if params.ProxyIndex < 0 || vizLabels.IsTapEnabled(pod) {
+ if params.ProxyPath == "" || vizLabels.IsTapEnabled(pod) {
 return admissionResponse, nil
 }
 namespace, err := k8sAPI.Get(k8s.NS, request.Namespace)
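Review bot: `pod_http_probes` now gathers probe ports and paths from every init container as well as the regular containers, but the doc comment above it (its first line is outside the hunk) still speaks only of the Pod's containers; add `/// Init containers are included so that probes on a proxy running as a native sidecar are recognised.` This set presumably drives which probe requests the policy controller lets through without authentication, so widening its source is security-relevant even though the API server only admits probes on restartable init containers. If the `Container` type in use exposes the `restartPolicy` field, filtering the chained init containers on it would make that assumption explicit in the index instead of relying on server-side validation.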