-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use same code path for CLI injection and admission controller injection #1748
Comments
@klingerf which of the two options for we want to lean to? Any preferences? |
I think the proxy and proxy-init container specs generated in |
That's right -- when linkerd is installed with Taking this one step further, however, I think an additional improvement could be to stop storing auto-inject YAML in the ConfigMap altogether, and instead store an object containing inject options, which we could then use to produce the YAML at auto-inject time. That would allow us to further standardize with the standard inject code path, by sharing this struct: Lines 133 to 153 in 38dfc53
This would be a pretty sizable change, however. |
What do folks think about putting the entire inject logic into the public-api service? such that the |
@olix0r 👍 That sounds like a great idea to me. As part of this, I'd like for all of the auto-inject defaults to be passed as flags to the public-api service at install time, so that we don't need to store them in a separate configmap that's read by the proxy-injector service. It's also the case the the proxy-injector has to supply its modifications in JSON Patch format. So it might make sense for the public-api endpoint to accept a format param, which dictates whether to return the injected object or the patch. Otherwise the proxy-injector will need to compare the injected YAML to the original YAML to create the patch. |
This means the CLI |
@ihcsim i haven't thought deeply about implications around authorization; but in the short-term, this API is read-only and doesn't betray any private information. this may change depending on how TLS evolves. |
- Created the pkg/inject package to hold the new injection shared lib. - Moved patch.go there. - Added the ability to add pod labels and annotations without having to specify the already existing ones. For that purpose, added `patch.addPodLabelsRoot()` and `addPodAnnotationsRoot()`, and repurposed `addPodLabels()` into `addPodLabel()`, and `addPodAnnotations()` into `addPodAnnotation()` - Removed `addDeploymentLabels()` because I couldn't find the need for it. At least `linkerd inject` wasn't setting those labels. Please confirm in case I'm wrong. Still to-do: have `patch_test.go` depend on fixtures separate from the ones under `controller/proxy-injector` Ref #1748 Signed-off-by: Alejandro Pedraza <[email protected]>
- Created the pkg/inject package to hold the new injection shared lib. - Moved patch.go there. - Added the ability to add pod labels and annotations without having to specify the already existing ones. For that purpose, added `patch.addPodLabelsRoot()` and `addPodAnnotationsRoot()`, and repurposed `addPodLabels()` into `addPodLabel()`, and `addPodAnnotations()` into `addPodAnnotation()` - Removed `addDeploymentLabels()` because I couldn't find the need for it. At least `linkerd inject` wasn't setting those labels. Please confirm in case I'm wrong. Still to-do: have `patch_test.go` depend on fixtures separate from the ones under `controller/proxy-injector` Ref #1748 Signed-off-by: Alejandro Pedraza <[email protected]>
- Extracted from `/cli/cmd/inject.go` and `/cli/cmd/inject_util.go` the core methods doing the workload parsing and injection, and moved them into `/pkg/inject/inject.go`. The CLI files should now deal only with strictly CLI concerns, and applying the json patch returned by the new lib. - Proceeded analogously with `/cli/cmd/uninject.go` and `/pkg/inject/uninject.go`. - The `InjectReport` struct and helping methods were moved into `/pkg/inject/report.go` The only network call `/pkg/inject/inject.go` does is inside `shouldInject()` where it retrieves the namespace annotations from kubernetes. I think we need to review how that client is created in there. Caveats: - Currently passing aroung GlobalConfig and ProxyConfig and using their GRPC methods directly, until we come up with an abstraction for all that. - I removed support for parsing yamls with List containing multiple workloads because it was not an easy refactor given the recursion. I'll re-add that later on. - Todo: fix all the tests. - I've made a note to remove later on the bad v1 import alias that VSCode is adding. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
For testing purposes the GlobalConfig and ProxyConfig are currently hard-coded. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
- Created the pkg/inject package to hold the new injection shared lib. - Moved patch.go there. - Added the ability to add pod labels and annotations without having to specify the already existing ones. For that purpose, added `patch.addPodLabelsRoot()` and `addPodAnnotationsRoot()`, and repurposed `addPodLabels()` into `addPodLabel()`, and `addPodAnnotations()` into `addPodAnnotation()` - Removed `addDeploymentLabels()` because I couldn't find the need for it. At least `linkerd inject` wasn't setting those labels. Please confirm in case I'm wrong. Still to-do: have `patch_test.go` depend on fixtures separate from the ones under `controller/proxy-injector` Ref #1748 Signed-off-by: Alejandro Pedraza <[email protected]>
- Extracted from `/cli/cmd/inject.go` and `/cli/cmd/inject_util.go` the core methods doing the workload parsing and injection, and moved them into `/pkg/inject/inject.go`. The CLI files should now deal only with strictly CLI concerns, and applying the json patch returned by the new lib. - Proceeded analogously with `/cli/cmd/uninject.go` and `/pkg/inject/uninject.go`. - The `InjectReport` struct and helping methods were moved into `/pkg/inject/report.go` The only network call `/pkg/inject/inject.go` does is inside `shouldInject()` where it retrieves the namespace annotations from kubernetes. I think we need to review how that client is created in there. Caveats: - Currently passing aroung GlobalConfig and ProxyConfig and using their GRPC methods directly, until we come up with an abstraction for all that. - I removed support for parsing yamls with List containing multiple workloads because it was not an easy refactor given the recursion. I'll re-add that later on. - Todo: fix all the tests. - I've made a note to remove later on the bad v1 import alias that VSCode is adding. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
For testing purposes the GlobalConfig and ProxyConfig are currently hard-coded. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
- Created the pkg/inject package to hold the new injection shared lib. - Moved patch.go there. - Added the ability to add pod labels and annotations without having to specify the already existing ones. For that purpose, added `patch.addPodLabelsRoot()` and `addPodAnnotationsRoot()`, and repurposed `addPodLabels()` into `addPodLabel()`, and `addPodAnnotations()` into `addPodAnnotation()` - Removed `addDeploymentLabels()` because I couldn't find the need for it. At least `linkerd inject` wasn't setting those labels. Please confirm in case I'm wrong. Still to-do: have `patch_test.go` depend on fixtures separate from the ones under `controller/proxy-injector` Ref #1748 Signed-off-by: Alejandro Pedraza <[email protected]>
- Extracted from `/cli/cmd/inject.go` and `/cli/cmd/inject_util.go` the core methods doing the workload parsing and injection, and moved them into `/pkg/inject/inject.go`. The CLI files should now deal only with strictly CLI concerns, and applying the json patch returned by the new lib. - Proceeded analogously with `/cli/cmd/uninject.go` and `/pkg/inject/uninject.go`. - The `InjectReport` struct and helping methods were moved into `/pkg/inject/report.go` The only network call `/pkg/inject/inject.go` does is inside `shouldInject()` where it retrieves the namespace annotations from kubernetes. I think we need to review how that client is created in there. Caveats: - Currently passing aroung GlobalConfig and ProxyConfig and using their GRPC methods directly, until we come up with an abstraction for all that. - I removed support for parsing yamls with List containing multiple workloads because it was not an easy refactor given the recursion. I'll re-add that later on. - Todo: fix all the tests. - I've made a note to remove later on the bad v1 import alias that VSCode is adding. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
For testing purposes the GlobalConfig and ProxyConfig are currently hard-coded. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
- Created the pkg/inject package to hold the new injection shared lib. - Moved patch.go there. - Added the ability to add pod labels and annotations without having to specify the already existing ones. For that purpose, added `patch.addPodLabelsRoot()` and `addPodAnnotationsRoot()`, and repurposed `addPodLabels()` into `addPodLabel()`, and `addPodAnnotations()` into `addPodAnnotation()` - Removed `addDeploymentLabels()` because I couldn't find the need for it. At least `linkerd inject` wasn't setting those labels. Please confirm in case I'm wrong. Still to-do: have `patch_test.go` depend on fixtures separate from the ones under `controller/proxy-injector` Ref #1748 Signed-off-by: Alejandro Pedraza <[email protected]>
- Extracted from `/cli/cmd/inject.go` and `/cli/cmd/inject_util.go` the core methods doing the workload parsing and injection, and moved them into `/pkg/inject/inject.go`. The CLI files should now deal only with strictly CLI concerns, and applying the json patch returned by the new lib. - Proceeded analogously with `/cli/cmd/uninject.go` and `/pkg/inject/uninject.go`. - The `InjectReport` struct and helping methods were moved into `/pkg/inject/report.go` The only network call `/pkg/inject/inject.go` does is inside `shouldInject()` where it retrieves the namespace annotations from kubernetes. I think we need to review how that client is created in there. Caveats: - Currently passing aroung GlobalConfig and ProxyConfig and using their GRPC methods directly, until we come up with an abstraction for all that. - I removed support for parsing yamls with List containing multiple workloads because it was not an easy refactor given the recursion. I'll re-add that later on. - Todo: fix all the tests. - I've made a note to remove later on the bad v1 import alias that VSCode is adding. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
For testing purposes the GlobalConfig and ProxyConfig are currently hard-coded. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
- Created the pkg/inject package to hold the new injection shared lib. - Moved patch.go there. - Added the ability to add pod labels and annotations without having to specify the already existing ones. For that purpose, added `patch.addPodLabelsRoot()` and `addPodAnnotationsRoot()`, and repurposed `addPodLabels()` into `addPodLabel()`, and `addPodAnnotations()` into `addPodAnnotation()` - Removed `addDeploymentLabels()` because I couldn't find the need for it. At least `linkerd inject` wasn't setting those labels. Please confirm in case I'm wrong. Still to-do: have `patch_test.go` depend on fixtures separate from the ones under `controller/proxy-injector` Ref #1748 Signed-off-by: Alejandro Pedraza <[email protected]>
- Extracted from `/cli/cmd/inject.go` and `/cli/cmd/inject_util.go` the core methods doing the workload parsing and injection, and moved them into `/pkg/inject/inject.go`. The CLI files should now deal only with strictly CLI concerns, and applying the json patch returned by the new lib. - Proceeded analogously with `/cli/cmd/uninject.go` and `/pkg/inject/uninject.go`. - The `InjectReport` struct and helping methods were moved into `/pkg/inject/report.go` The only network call `/pkg/inject/inject.go` does is inside `shouldInject()` where it retrieves the namespace annotations from kubernetes. I think we need to review how that client is created in there. Caveats: - Currently passing aroung GlobalConfig and ProxyConfig and using their GRPC methods directly, until we come up with an abstraction for all that. - I removed support for parsing yamls with List containing multiple workloads because it was not an easy refactor given the recursion. I'll re-add that later on. - Todo: fix all the tests. - I've made a note to remove later on the bad v1 import alias that VSCode is adding. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
For testing purposes the GlobalConfig and ProxyConfig are currently hard-coded. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
- Created the pkg/inject package to hold the new injection shared lib. - Moved patch.go there. - Added the ability to add pod labels and annotations without having to specify the already existing ones. For that purpose, added `patch.addPodLabelsRoot()` and `addPodAnnotationsRoot()`, and repurposed `addPodLabels()` into `addPodLabel()`, and `addPodAnnotations()` into `addPodAnnotation()` - Removed `addDeploymentLabels()` because I couldn't find the need for it. At least `linkerd inject` wasn't setting those labels. Please confirm in case I'm wrong. Still to-do: have `patch_test.go` depend on fixtures separate from the ones under `controller/proxy-injector` Ref #1748 Signed-off-by: Alejandro Pedraza <[email protected]>
- Extracted from `/cli/cmd/inject.go` and `/cli/cmd/inject_util.go` the core methods doing the workload parsing and injection, and moved them into `/pkg/inject/inject.go`. The CLI files should now deal only with strictly CLI concerns, and applying the json patch returned by the new lib. - Proceeded analogously with `/cli/cmd/uninject.go` and `/pkg/inject/uninject.go`. - The `InjectReport` struct and helping methods were moved into `/pkg/inject/report.go` The only network call `/pkg/inject/inject.go` does is inside `shouldInject()` where it retrieves the namespace annotations from kubernetes. I think we need to review how that client is created in there. Caveats: - Currently passing aroung GlobalConfig and ProxyConfig and using their GRPC methods directly, until we come up with an abstraction for all that. - I removed support for parsing yamls with List containing multiple workloads because it was not an easy refactor given the recursion. I'll re-add that later on. - Todo: fix all the tests. - I've made a note to remove later on the bad v1 import alias that VSCode is adding. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
For testing purposes the GlobalConfig and ProxyConfig are currently hard-coded. Ref #1748 and #2289 Signed-off-by: Alejandro Pedraza <[email protected]>
Once #1714 merges, it will be possible to install linkerd with an admission controller that automatically injects new deployments. The admission controller uses a YAML template from template.go to produce the injected sidecar configuration, whereas the CLI inject subcommand builds its configuration using Kubernetes objects. The net result is the same, but these two implementations could drift over time. We should standardize injection to use a single code path. cc @ihcsim.
The text was updated successfully, but these errors were encountered: