From c6ee1e33d54b7226de7babf33c2ea83db525dbac Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 6 Oct 2023 11:26:20 -0700 Subject: [PATCH] Add native sidecar support Kubernetes has introduced native sidecar support in version 1.28. This feature improves network proxy sidecar compatibility for jobs and initContainers. Introduce a new annotation config.alpha.linkerd.io/proxy-enable-native-sidecar and configuration option Proxy.NativeSidecar that causes the proxy container to run as an init-container. Fixes: #11461
Signed-off-by: TJ Miller
---
charts/partials/templates/_proxy.tpl | 3 + charts/patch/templates/patch.json | 4 +- cli/cmd/inject.go | 4 + cli/cmd/inject_test.go | 13 + cli/cmd/options.go | 6 + ...ivoto_deployment_native_sidecar.golden.yml | 227 ++++++++++++++++++ ...jivoto_deployment_native_sidecar.input.yml | 31 +++ ...emojivoto_deployment_native_sidecar.report | 3 + ...o_deployment_native_sidecar.report.verbose | 10 + ...install_controlplane_tracing_output.golden | 1 + cli/cmd/testdata/install_custom_domain.golden | 1 + .../testdata/install_custom_registry.golden | 1 + cli/cmd/testdata/install_default.golden | 1 + ...stall_default_override_dst_get_nets.golden | 1 + cli/cmd/testdata/install_default_token.golden | 1 + cli/cmd/testdata/install_ha_output.golden | 1 + .../install_ha_with_overrides_output.golden | 1 + .../install_heartbeat_disabled_output.golden | 1 + .../install_helm_control_plane_output.golden | 1 + ...nstall_helm_control_plane_output_ha.golden | 1 + .../install_helm_output_ha_labels.golden | 1 + ...l_helm_output_ha_namespace_selector.golden | 1 + .../testdata/install_no_init_container.golden | 1 + cli/cmd/testdata/install_output.golden | 1 + cli/cmd/testdata/install_proxy_ignores.golden | 1 + cli/cmd/testdata/install_values_file.golden | 1 + pkg/charts/linkerd2/values.go | 1 + pkg/inject/inject.go | 8 + pkg/inject/inject_test.go | 4 + pkg/k8s/labels.go | 3 + 30 files changed, 333 insertions(+), 1 deletion(-) create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
index 1f644894b9308..4a95a5c3fbefd 100644
--- a/charts/partials/templates/_proxy.tpl
+++ b/charts/partials/templates/_proxy.tpl
@@ -204,4 +204,7 @@ volumeMounts:
 name: {{.Values.proxy.saMountPath.name}}
 readOnly: {{.Values.proxy.saMountPath.readOnly}}
 {{- end -}}
+{{- if .Values.proxy.nativeSidecar }}
+restartPolicy: Always
+{{- end -}}
 {{- end }}
diff --git a/charts/patch/templates/patch.json b/charts/patch/templates/patch.json
index ea652aad7eda3..2f1b12b5af405 100644
--- a/charts/patch/templates/patch.json
+++ b/charts/patch/templates/patch.json
@@ -103,7 +103,9 @@
 {{- end }}
 {
 "op": "add",
- {{- if .Values.proxy.await }}
+ {{- if .Values.proxy.nativeSidecar }}
+ "path": "{{$prefix}}/spec/initContainers/-",
+ {{- else if .Values.proxy.await }}
 "path": "{{$prefix}}/spec/containers/0",
 {{- else }}
 "path": "{{$prefix}}/spec/containers/-",
diff --git a/cli/cmd/inject.go b/cli/cmd/inject.go
index bb92cbdee0049..117f65f9fb8b6 100644
--- a/cli/cmd/inject.go
+++ b/cli/cmd/inject.go
@@ -491,6 +491,10 @@ func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[
 overrideAnnotations[k8s.ProxyShutdownGracePeriodAnnotation] = proxy.ShutdownGracePeriod
 }
+ if proxy.NativeSidecar != baseProxy.NativeSidecar {
+ overrideAnnotations[k8s.ProxyEnableNativeSidecarAnnotation] = strconv.FormatBool(proxy.NativeSidecar)
+ }
+
 return overrideAnnotations
 }
diff --git a/cli/cmd/inject_test.go b/cli/cmd/inject_test.go
index a0bbfccb9c641..3586fc2da97fd 100644
--- a/cli/cmd/inject_test.go
+++ b/cli/cmd/inject_test.go
@@ -344,6 +344,17 @@ func TestUninjectAndInject(t *testing.T) {
 return values
 }(),
 },
+ {
+ inputFileName: "inject_emojivoto_deployment_native_sidecar.input.yml",
+ goldenFileName: "inject_emojivoto_deployment_native_sidecar.golden.yml",
+ reportFileName: "inject_emojivoto_deployment_native_sidecar.report",
+ injectProxy: true,
+ testInjectConfig: func() *linkerd2.Values {
+ values := defaultConfig()
+ values.Proxy.NativeSidecar = true
+ return values
+ }(),
+ },
 }
 for i, tc := range testCases {
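Review bot: `restartPolicy: Always` is emitted for the proxy container whenever `.Values.proxy.nativeSidecar` is true, but nothing in this template or elsewhere in the patch checks that the target cluster supports native sidecars (Kubernetes 1.28 with the SidecarContainers gate, per the commit message). On an older API server a container-level `restartPolicy` is an unknown field: depending on the server's field validation the pod is either rejected or the field is silently dropped, and in the latter case the proxy runs as an ordinary init container that never exits, so the pod never starts. A template comment would at least make the precondition visible, e.g. `{{- /* restartPolicy on an init container is only honoured by Kubernetes >= 1.28 (native sidecars) */ -}}` above the `if`, and the injector could warn or refuse when the annotation is set against a server below that version. The enclosing partial starts outside the hunk.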
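Review bot: With `nativeSidecar` the proxy is appended at `{{$prefix}}/spec/initContainers/-`, i.e. after every init container the workload already declares, so those user init containers still start before the proxy is up while, presumably, proxy-init has already redirected their traffic to a listener that does not exist yet; the golden output shows proxy-init followed directly by the proxy only because the test input declares no init containers of its own. If the initContainer compatibility stated in the commit is the goal, the proxy should be inserted at the index right after proxy-init rather than at the end, or this template should carry a comment stating that pre-existing init containers remain unmeshed. The enclosing patch-operation list starts outside the hunk.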
@@ -678,6 +689,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) {
 values.Proxy.Await = false
 values.Proxy.AccessLog = "apache"
 values.Proxy.ShutdownGracePeriod = "60s"
+ values.Proxy.NativeSidecar = true
 expectedOverrides := map[string]string{
 k8s.ProxyIgnoreInboundPortsAnnotation: "8500-8505",
@@ -699,6 +711,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) {
 k8s.ProxyAwait: "disabled",
 k8s.ProxyAccessLogAnnotation: "apache",
 k8s.ProxyShutdownGracePeriodAnnotation: "60s",
+ k8s.ProxyEnableNativeSidecarAnnotation: "true",
 }
 overrides := getOverrideAnnotations(values, baseValues)
diff --git a/cli/cmd/options.go b/cli/cmd/options.go
index 60539f2ac383d..0805b5cb8b525 100644
--- a/cli/cmd/options.go
+++ b/cli/cmd/options.go
@@ -441,6 +441,12 @@ func makeInjectFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
 injectFlags := pflag.NewFlagSet("inject", pflag.ExitOnError)
 flags := []flag.Flag{
+ flag.NewBoolFlag(injectFlags, "native-sidecar", false, "Enable native sidecar",
+ func(values *l5dcharts.Values, value bool) error {
+ values.Proxy.NativeSidecar = value
+ return nil
+ }),
+
 flag.NewInt64Flag(injectFlags, "wait-before-exit-seconds", int64(defaults.Proxy.WaitBeforeExitSeconds),
 "The period during which the proxy sidecar must stay alive while its pod is terminating. "+
 "Must be smaller than terminationGracePeriodSeconds for the pod (default 0)",
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml
new file mode 100644
index 0000000000000..63520a28400ac
--- /dev/null
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml
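Review bot: The `native-sidecar` flag hard-codes its default to `false` instead of reading `defaults.Proxy.NativeSidecar`, unlike `wait-before-exit-seconds` directly below it which seeds from `defaults`, so a cluster-wide `proxy.nativeSidecar` setting is not reflected in the flag's default or help output. The help string also says nothing about the cluster requirement that the commit message spells out. `flag.NewBoolFlag(injectFlags, "native-sidecar", defaults.Proxy.NativeSidecar, "Run the proxy as a native sidecar init container (requires Kubernetes 1.28 or later)",` would address both. makeInjectFlags continues outside the hunk.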
@@ -0,0 +1,227 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: web + namespace: emojivoto +spec: + replicas: 1 + selector: + matchLabels: + app: web-svc + template: + metadata: + annotations: + config.alpha.linkerd.io/proxy-enable-native-sidecar: "true" + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/proxy-version: test-inject-proxy-version + linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4 + labels: + app: web-svc + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: web + linkerd.io/workload-ns: emojivoto + spec: + containers: + - env: + - name: WEB_PORT + value: "80" + - name: EMOJISVC_HOST + value: emoji-svc.emojivoto:8080 + - name: VOTINGSVC_HOST + value: voting-svc.emojivoto:8080 + - name: INDEX_BUNDLE + value: dist/index_bundle.js + image: buoyantio/emojivoto-web:v10 + name: web-svc + ports: + - containerPort: 80 + name: http + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,4567,4568 + - --outbound-ports-to-ignore + - 4567,4568 + image: cr.l5d.io/linkerd/proxy-init:v2.2.3 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: 100m + memory: 20Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + - env: + - name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_LOG + value: 
warn,linkerd=info,trust_dns=error + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 + - name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: linkerd-policy.linkerd.svc.cluster.local.:8090 + - name: LINKERD2_PROXY_POLICY_WORKLOAD + value: $(_pod_ns):$(_pod_name) + - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: all-unauthenticated + - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: 100ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: 1000ms + - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: 5s + - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: 90s + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: LINKERD2_PROXY_INBOUND_PORTS + value: "80" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: 25,587,3306,4444,5432,6379,9300,11211 + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw + JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 + MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r + ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z + l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 + uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB + /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe + aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC + IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 + vgUC0d2/9FMueIVMb+46WTCOjsqr + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/tokens/linkerd-identity-token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local + - name: LINKERD2_PROXY_POLICY_SVC_NAME + value: 
linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local + image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port=4191 + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + restartPolicy: Always + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 2102 + seccompProfile: + type: RuntimeDefault + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + - mountPath: /var/run/secrets/tokens + name: linkerd-identity-token + volumes: + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: linkerd-identity-token + projected: + sources: + - serviceAccountToken: + audience: identity.l5d.io + expirationSeconds: 86400 + path: linkerd-identity-token +--- diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml new file mode 100644 index 0000000000000..cf20c6963de06 --- /dev/null +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml 
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: web
+ namespace: emojivoto
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: web-svc
+ template:
+ metadata:
+ labels:
+ app: web-svc
+ spec:
+ containers:
+ - env:
+ - name: WEB_PORT
+ value: "80"
+ - name: EMOJISVC_HOST
+ value: emoji-svc.emojivoto:8080
+ - name: VOTINGSVC_HOST
+ value: voting-svc.emojivoto:8080
+ - name: INDEX_BUNDLE
+ value: dist/index_bundle.js
+ image: buoyantio/emojivoto-web:v10
+ name: web-svc
+ ports:
+ - containerPort: 80
+ name: http
+---
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report
new file mode 100644
index 0000000000000..99851e468c904
--- /dev/null
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report
@@ -0,0 +1,3 @@
+
+deployment "web" injected
+
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose
new file mode 100644
index 0000000000000..87f93a664175d
--- /dev/null
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose
@@ -0,0 +1,10 @@
+
+√ pods do not use host networking
+√ pods do not have a 3rd party proxy or initContainer already injected
+√ pods are not annotated to disable injection
+√ at least one resource can be injected or annotated
+√ pod specs do not include UDP ports
+√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
+
+deployment "web" injected
+
diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden
index e904bf56fd485..12e39ad50905b 100644
--- a/cli/cmd/testdata/install_controlplane_tracing_output.golden
+++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden
index 114085c313b91..51e103282b05c 100644
--- a/cli/cmd/testdata/install_custom_domain.golden
+++ b/cli/cmd/testdata/install_custom_domain.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden
index ae1fbef6d9b21..71b71558ee2f2 100644
--- a/cli/cmd/testdata/install_custom_registry.golden
+++ b/cli/cmd/testdata/install_custom_registry.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden
index 114085c313b91..51e103282b05c 100644
--- a/cli/cmd/testdata/install_default.golden
+++ b/cli/cmd/testdata/install_default.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden
index 4f7d34d33dc05..ab298e6d2b275 100644
--- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden
+++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden
index 956d3a7b0d243..ecdc8b037b859 100644
--- a/cli/cmd/testdata/install_default_token.golden
+++ b/cli/cmd/testdata/install_default_token.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden
index 05d5afe2b6848..c582e575d22ae 100644
--- a/cli/cmd/testdata/install_ha_output.golden
+++ b/cli/cmd/testdata/install_ha_output.golden
@@ -659,6 +659,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden
index c77874625ff67..575ee0121de8f 100644
--- a/cli/cmd/testdata/install_ha_with_overrides_output.golden
+++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden
@@ -659,6 +659,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden
index 2869e266883c5..21bd737c7a629 100644
--- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden
+++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden
@@ -563,6 +563,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden
index e3c7893fbc4cf..5089bb7f7f03d 100644
--- a/cli/cmd/testdata/install_helm_control_plane_output.golden
+++ b/cli/cmd/testdata/install_helm_control_plane_output.golden
@@ -609,6 +609,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden
index e1c64ec0dc5f9..cf07939ce26f4 100644
--- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden
+++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden
@@ -636,6 +636,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden
index 6a4a23d20638c..549134a838b6e 100644
--- a/cli/cmd/testdata/install_helm_output_ha_labels.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden
@@ -640,6 +640,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
index 7ee60963c2a08..268509c3d6010 100644
--- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
@@ -631,6 +631,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden
index e05c098d7f5dc..94cfef078b2f2 100644
--- a/cli/cmd/testdata/install_no_init_container.golden
+++ b/cli/cmd/testdata/install_no_init_container.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden
index 9b3d4a0428acf..400d4cdafe1e2 100644
--- a/cli/cmd/testdata/install_output.golden
+++ b/cli/cmd/testdata/install_output.golden
@@ -612,6 +612,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info
+ nativeSidecar: false
 opaquePorts: 25,443,587,3306,5432,11211
 outboundConnectTimeout: ""
 outboundDiscoveryCacheUnusedTimeout: ""
diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden
index 1f26400ad54e2..da1fccf786784 100644
--- a/cli/cmd/testdata/install_proxy_ignores.golden
+++ b/cli/cmd/testdata/install_proxy_ignores.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden
index 4a3598760c734..5ae52a21c8b1f 100644
--- a/cli/cmd/testdata/install_values_file.golden
+++ b/cli/cmd/testdata/install_values_file.golden
@@ -632,6 +632,7 @@ data:
 isIngress: false
 logFormat: plain
 logLevel: warn,linkerd=info,trust_dns=error
+ nativeSidecar: false
 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
 outboundConnectTimeout: 1000ms
 outboundDiscoveryCacheUnusedTimeout: 5s
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go
index a219ce29e88f0..36640b80d8500 100644
--- a/pkg/charts/linkerd2/values.go
+++ b/pkg/charts/linkerd2/values.go
@@ -117,6 +117,7 @@ type (
 DefaultInboundPolicy string `json:"defaultInboundPolicy"`
 AccessLog string `json:"accessLog"`
 ShutdownGracePeriod string `json:"shutdownGracePeriod"`
+ NativeSidecar bool `json:"nativeSidecar"`
 }
 // ProxyInit contains the fields to set the proxy-init container
diff --git a/pkg/inject/inject.go b/pkg/inject/inject.go
index edf7f54616904..d8c5f8d8f51e0 100644
--- a/pkg/inject/inject.go
+++ b/pkg/inject/inject.go
@@ -80,6 +80,7 @@ var (
 // (config.alpha prefix) that can be applied to a pod or namespace.
 ProxyAlphaConfigAnnotations = []string{
 k8s.ProxyWaitBeforeExitSecondsAnnotation,
+ k8s.ProxyEnableNativeSidecarAnnotation,
 }
 )
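Review bot: `NativeSidecar` is the Go side of `.Values.proxy.nativeSidecar`, which `_proxy.tpl` and `patch.json` in this patch now read, yet the diffstat lists no chart values.yaml change, so Helm users get no documented default or helm-docs entry for the key and only this struct produces the `nativeSidecar: false` seen in the install goldens. Add the key to the chart values (default `false`) with a note that it requires Kubernetes 1.28 or later, and give the field a doc comment here, e.g. `// NativeSidecar runs the proxy as a native sidecar init container (Kubernetes >= 1.28).` The enclosing type block starts outside the hunk.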
@@ -980,6 +981,13 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) {
 }
 }
+ if override, ok := annotations[k8s.ProxyEnableNativeSidecarAnnotation]; ok {
+ value, err := strconv.ParseBool(override)
+ if err == nil {
+ values.Proxy.NativeSidecar = value
+ }
+ }
+
 if override, ok := annotations[k8s.ProxyCPURequestAnnotation]; ok {
 _, err := k8sResource.ParseQuantity(override)
 if err != nil {
diff --git a/pkg/inject/inject_test.go b/pkg/inject/inject_test.go
index 3f8599c07ff79..73e9b24d08c38 100644
--- a/pkg/inject/inject_test.go
+++ b/pkg/inject/inject_test.go
@@ -72,6 +72,7 @@ func TestGetOverriddenValues(t *testing.T) {
 k8s.ProxyShutdownGracePeriodAnnotation: "30s",
 k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50000ms",
 k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "900s",
+ k8s.ProxyEnableNativeSidecarAnnotation: "true",
 },
 },
 Spec: corev1.PodSpec{},
@@ -122,6 +123,7 @@ func TestGetOverriddenValues(t *testing.T) {
 values.Proxy.ShutdownGracePeriod = "30000ms"
 values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "50s"
 values.Proxy.InboundDiscoveryCacheUnusedTimeout = "900s"
+ values.Proxy.NativeSidecar = true
 return values
 },
 },
@@ -168,6 +170,7 @@ func TestGetOverriddenValues(t *testing.T) {
 k8s.ProxyInjectAnnotation: "ingress",
 k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50s",
 k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6000ms",
+ k8s.ProxyEnableNativeSidecarAnnotation: "true",
 },
 spec: appsv1.DeploymentSpec{
 Template: corev1.PodTemplateSpec{
@@ -213,6 +216,7 @@ func TestGetOverriddenValues(t *testing.T) {
 values.Proxy.IsIngress = true
 values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "50s"
 values.Proxy.InboundDiscoveryCacheUnusedTimeout = "6s"
+ values.Proxy.NativeSidecar = true
 return values
 },
 },
diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go
index 64c62b0132460..2e1265dbb71dd 100644
--- a/pkg/k8s/labels.go
+++ b/pkg/k8s/labels.go
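Review bot: A malformed `proxy-enable-native-sidecar` annotation is silently ignored: the `strconv.ParseBool` error is discarded by the `if err == nil` branch, whereas the `ProxyCPURequestAnnotation` branch just below takes the `err != nil` path and, as far as the hunk shows, reports the bad value. A value such as `"yes"` therefore leaves the workload in the classic sidecar layout with no signal to the operator, which is easy to miss during a rollout. Mirror the sibling branch: `if err != nil { /* report the unparsable value the way the CPU-request branch does */ } else { values.Proxy.NativeSidecar = value }`. applyAnnotationOverrides continues outside the hunk on both sides.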
@@ -254,6 +254,9 @@ const (
 // configured for the Pod
 ProxyWaitBeforeExitSecondsAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-wait-before-exit-seconds"
+ // ProxyEnableNativeSidecarAnnotation enables the new native initContainer sidecar
+ ProxyEnableNativeSidecarAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-enable-native-sidecar"
+
 // ProxyAwait can be used to force the application to wait for the proxy
 // to be ready.
 ProxyAwait = ProxyConfigAnnotationsPrefix + "/proxy-await"
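Review bot: The doc comment on `ProxyEnableNativeSidecarAnnotation` names the feature but not the accepted value or the cluster requirement, both of which someone setting the annotation needs to know. Suggest `// ProxyEnableNativeSidecarAnnotation, when set to "true", runs the proxy as a native sidecar init container (restartPolicy: Always); this requires Kubernetes 1.28 or later.` The enclosing const block starts and ends outside the hunk.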