diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index 0668f8b033a37..d7032113a3aa3 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md @@ -163,6 +163,7 @@ Kubernetes: `>=1.22.0-0` | destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds | int | `10` | | | destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds | int | `3` | | | destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle | bool | `true` | | +| destinationController.podAnnotations | object | `{}` | Additional annotations to add to destination pods | | destinationController.readinessProbe.timeoutSeconds | int | `1` | | | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | | disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) | @@ -183,6 +184,7 @@ Kubernetes: `>=1.22.0-0` | identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | | identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | | identity.livenessProbe.timeoutSeconds | int | `1` | | +| identity.podAnnotations | object | `{}` | Additional annotations to add to identity pods | | identity.readinessProbe.timeoutSeconds | int | `1` | | | identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token | | identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. | 
@@ -311,6 +313,7 @@ Kubernetes: `>=1.22.0-0` | proxyInjector.livenessProbe.timeoutSeconds | int | `1` | | | proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. | | proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. | +| proxyInjector.podAnnotations | object | `{}` | Additional annotations to add to proxy-injector pods | | proxyInjector.readinessProbe.timeoutSeconds | int | `1` | | | proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. | | revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. | diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml index 21132ce9de85e..45e7813530b6a 100644 --- a/charts/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd-control-plane/templates/destination.yaml @@ -163,7 +163,7 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }} {{ include "partials.annotations.created-by" . }} {{- include "partials.proxy.annotations" . | nindent 8}} - {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.destinationController.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }} config.linkerd.io/default-inbound-policy: "all-unauthenticated" labels: linkerd.io/control-plane-component: destination 
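Review bot: The precedence set by `mergeOverwrite (deepCopy .Values.podAnnotations) .Values.destinationController.podAnnotations` is not documented: on a key conflict the component-level value replaces the global `podAnnotations` entry, but the values.yaml comment only says "Additional annotations to add to destination pods". The identity.yaml hunk has the same gap. I would extend the values comment to `# -- Additional annotations to add to destination pods; on a key conflict these override the global podAnnotations`. The merged map is also emitted directly beside chart-owned keys such as `config.linkerd.io/default-inbound-policy`, so the comment should also say those keys must not be set through this value, since a collision would render a duplicate annotation key. The annotations block starts above the hunk.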
diff --git a/charts/linkerd-control-plane/templates/identity.yaml b/charts/linkerd-control-plane/templates/identity.yaml index 960cd93399bdf..42e08bc109d26 100644 --- a/charts/linkerd-control-plane/templates/identity.yaml +++ b/charts/linkerd-control-plane/templates/identity.yaml @@ -136,7 +136,7 @@ spec: annotations: {{ include "partials.annotations.created-by" . }} {{- include "partials.proxy.annotations" . | nindent 8}} - {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.identity.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }} config.linkerd.io/default-inbound-policy: "all-unauthenticated" labels: linkerd.io/control-plane-component: identity diff --git a/charts/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd-control-plane/templates/proxy-injector.yaml index 7d514dbf06cfd..9a947458fb012 100644 --- a/charts/linkerd-control-plane/templates/proxy-injector.yaml +++ b/charts/linkerd-control-plane/templates/proxy-injector.yaml @@ -42,7 +42,7 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }} {{ include "partials.annotations.created-by" . }} {{- include "partials.proxy.annotations" . | nindent 8}} - {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.identity.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }} config.linkerd.io/opaque-ports: "8443" config.linkerd.io/default-inbound-policy: "all-unauthenticated" labels: diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 543be4bdfe2a4..5914a963a97ae 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml 
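Review bot: The proxy-injector template merges `.Values.identity.podAnnotations` rather than `.Values.proxyInjector.podAnnotations`, so the `proxyInjector.podAnnotations` value this commit adds to values.yaml and the README is never read. Whatever is configured for the identity pods is applied to the admission-webhook pods instead. The line should read `{{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.proxyInjector.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }}`. Every golden file in the commit shows `podAnnotations: {}`, which is presumably why the slip is not caught; a fixture with distinct identity and proxy-injector annotations would pin it. The pod template's metadata block begins outside the hunk.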
@@ -384,6 +384,8 @@ destinationController: timeout: seconds: 3 while_idle: true + # -- Additional annotations to add to destination pods + podAnnotations: {} livenessProbe: timeoutSeconds: 1 readinessProbe: @@ -428,6 +430,9 @@ identity: kubeAPI: *kubeapi + # -- Additional annotations to add to identity pods + podAnnotations: {} + livenessProbe: timeoutSeconds: 1 readinessProbe: @@ -505,6 +510,9 @@ proxyInjector: # for more information. injectCaFromSecret: "" + # -- Additional annotations to add to proxy-injector pods + podAnnotations: {} + livenessProbe: timeoutSeconds: 1 readinessProbe: @@ -668,4 +676,3 @@ podMonitor: egress: # -- The namespace that is used to store egress configuration that affects all client workloads in the cluster globalEgressNetworkNamespace: linkerd-egress - \ No newline at end of file diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 717acd340d764..6209f7ad78545 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -60,7 +60,7 @@ func TestRender(t *testing.T) { CNIEnabled: false, IdentityTrustDomain: defaultValues.IdentityTrustDomain, IdentityTrustAnchorsPEM: defaultValues.IdentityTrustAnchorsPEM, - DestinationController: map[string]any{}, + DestinationController: defaultValues.DestinationController, PodAnnotations: map[string]string{}, PodLabels: map[string]string{}, PriorityClassName: "PriorityClassName", diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index 979a25c059055..db88a53d33800 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: 
@@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1542,7 +1541,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1554,7 +1552,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index 37b70e25b82f5..62f0e8be52673 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1540,7 +1539,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 
@@ -1552,7 +1550,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index 5ab51fe05a1d6..2ccb5ad94598e 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1540,7 +1539,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1552,7 +1550,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 37b70e25b82f5..62f0e8be52673 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false 
@@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1540,7 +1539,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1552,7 +1550,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 44bf8b012cc7e..7ef5b93fc31dd 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1540,7 +1539,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1552,7 +1550,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: 
diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index 8ead61c0efa0f..ff86cfdd5ee29 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: false identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1529,7 +1528,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1541,7 +1539,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_gid_output.golden b/cli/cmd/testdata/install_gid_output.golden index baa7e0ed5f31e..586beaba99ab1 100755 --- a/cli/cmd/testdata/install_gid_output.golden +++ b/cli/cmd/testdata/install_gid_output.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false 
@@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1545,7 +1544,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1557,7 +1555,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 25cf9963980a0..eb558f3495cb3 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 1 destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: cpu: @@ -599,6 +596,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: @@ -817,6 +815,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -1667,7 +1666,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1679,7 +1677,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 resources: limits: memory: "250Mi" diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 2ad9179a6cece..e3cbff07ef50e 100644 
--- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 1 destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: cpu: @@ -599,6 +596,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: @@ -817,6 +815,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -1667,7 +1666,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1679,7 +1677,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 resources: limits: memory: "250Mi" diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index bca4ca14549d7..ae09905c49a8f 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -462,8 +462,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -471,8 +469,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: true @@ -512,6 +509,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null 
@@ -721,6 +719,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1471,7 +1470,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1483,7 +1481,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index 75d874b89aad0..1aca19232608a 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -532,8 +532,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -541,8 +539,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -570,6 +567,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -767,6 +765,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1515,7 +1514,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1527,7 +1525,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index 467b1382acfde..af481987a9120 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden 
+++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -532,8 +532,6 @@ data: maxSurge: 25% maxUnavailable: 1 destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -541,8 +539,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: cpu: @@ -588,6 +585,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: @@ -794,6 +792,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -1642,7 +1641,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1654,7 +1652,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 resources: limits: memory: "250Mi" diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha_with_gid.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha_with_gid.golden index 8bce77649f584..9c131ee68f83a 100755 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha_with_gid.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha_with_gid.golden @@ -532,8 +532,6 @@ data: maxSurge: 25% maxUnavailable: 1 destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -541,8 +539,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: cpu: @@ -588,6 +585,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: 
@@ -794,6 +792,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -1647,7 +1646,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1659,7 +1657,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 resources: limits: memory: "250Mi" diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index e3b98933ca284..42674f4743a2c 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -532,8 +532,6 @@ data: maxSurge: 25% maxUnavailable: 1 destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -541,8 +539,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: cpu: @@ -588,6 +585,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: @@ -798,6 +796,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -1654,7 +1653,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1666,7 +1664,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 resources: limits: memory: "250Mi" diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index 718418ab03142..bd9bae20f90f1 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden 
@@ -527,8 +527,6 @@ data: maxSurge: 25% maxUnavailable: 1 destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -536,8 +534,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: cpu: @@ -583,6 +580,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: @@ -784,6 +782,7 @@ data: operator: In values: - enabled + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -1632,7 +1631,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1644,7 +1642,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 resources: limits: memory: "250Mi" diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index e7a85011fdc00..fa0b8594c10c6 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 
@@ -1533,7 +1532,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1545,7 +1543,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 8c04dc7281c72..c3a593272b9ea 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -521,7 +521,15 @@ data: name: DebugImageName pullPolicy: DebugImagePullPolicy version: DebugVersion - destinationController: {} + destinationController: + meshedHttp2ClientProtobuf: + keep_alive: + interval: + seconds: 10 + timeout: + seconds: 3 + while_idle: true + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -561,6 +569,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -739,6 +748,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1466,6 +1476,7 @@ spec: - -default-opaque-ports=25,443,587,3306,5432,11211 - -enable-ipv6=true - -enable-pprof=false + - --meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}} image: ControllerImage:LinkerdVersion imagePullPolicy: ImagePullPolicy livenessProbe: diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index c4ff08aa1e86e..df3ff2cd628f1 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: 
@@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1540,7 +1539,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 @@ -1552,7 +1550,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index d49da99e773d3..a551c7a300221 100644 --- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden @@ -531,8 +531,6 @@ data: maxSurge: 25% maxUnavailable: 25% destinationController: - livenessProbe: - timeoutSeconds: 1 meshedHttp2ClientProtobuf: keep_alive: interval: @@ -540,8 +538,7 @@ data: timeout: seconds: 3 while_idle: true - readinessProbe: - timeoutSeconds: 1 + podAnnotations: {} destinationProxyResources: null destinationResources: null disableHeartBeat: false @@ -581,6 +578,7 @@ data: kubeAPI: clientBurst: 200 clientQPS: 100 + podAnnotations: {} serviceAccountTokenProjection: true identityProxyResources: null identityResources: null @@ -790,6 +788,7 @@ data: values: - kube-system - cert-manager + podAnnotations: {} proxyInjectorProxyResources: null proxyInjectorResources: null revisionHistoryLimit: 10 @@ -1540,7 +1539,6 @@ spec: path: /ping port: 9996 initialDelaySeconds: 10 - timeoutSeconds: 1 name: destination ports: - containerPort: 8086 
@@ -1552,7 +1550,6 @@ spec: httpGet: path: /ready port: 9996 - timeoutSeconds: 1 securityContext: capabilities: drop: diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index 8f3533a3c3e42..83f49407efb25 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go @@ -60,7 +60,7 @@ type ( LinkerdVersion string `json:"linkerdVersion"` RevisionHistoryLimit uint `json:"revisionHistoryLimit"` - DestinationController map[string]interface{} `json:"destinationController"` + DestinationController *DestinationController `json:"destinationController"` Heartbeat map[string]interface{} `json:"heartbeat"` SPValidator map[string]interface{} `json:"spValidator"` @@ -102,6 +102,11 @@ type ( PodDisruptionBudget *PodDisruptionBudget `json:"podDisruptionBudget"` } + DestinationController struct { + MeshedHttp2ClientProtobuf map[string]interface{} `json:"meshedHttp2ClientProtobuf"` + PodAnnotations map[string]string `json:"podAnnotations"` + } + // PodDisruptionBudget contains the fields to set the PDB PodDisruptionBudget struct { MaxUnavailable int `json:"maxUnavailable"` @@ -295,10 +300,11 @@ type ( // Identity contains the fields to set the identity variables in the proxy // sidecar container Identity struct { - ExternalCA bool `json:"externalCA"` - ServiceAccountTokenProjection bool `json:"serviceAccountTokenProjection"` - Issuer *Issuer `json:"issuer"` - KubeAPI *KubeAPI `json:"kubeAPI"` + ExternalCA bool `json:"externalCA"` + ServiceAccountTokenProjection bool `json:"serviceAccountTokenProjection"` + Issuer *Issuer `json:"issuer"` + KubeAPI *KubeAPI `json:"kubeAPI"` + PodAnnotations map[string]string `json:"podAnnotations"` AdditionalEnv []corev1.EnvVar `json:"additionalEnv"` ExperimentalEnv []corev1.EnvVar `json:"experimentalEnv"` 
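Review bot: The new `DestinationController` struct declares only `meshedHttp2ClientProtobuf` and `podAnnotations`, so the `livenessProbe` and `readinessProbe` keys that values.yaml still defines under `destinationController` are dropped once values are decoded into this type. The golden files in this commit show the effect: `timeoutSeconds: 1` disappears from the destination container's probes, and a user override of those timeouts would presumably be lost in CLI rendering as well. I would keep the keys on the struct, e.g. `LivenessProbe map[string]interface{} `json:"livenessProbe"`` and `ReadinessProbe map[string]interface{} `json:"readinessProbe"``, and restore the probe lines in the fixtures. The type also lacks the doc comment its neighbours carry, for example `// DestinationController contains the fields to set for the destination controller`. The enclosing `type (` group opens above the hunk.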
@@ -321,8 +327,9 @@ type ( // ProxyInjector configures the proxy-injector webhook ProxyInjector struct { Webhook - AdditionalEnv []corev1.EnvVar `json:"additionalEnv"` - ExperimentalEnv []corev1.EnvVar `json:"experimentalEnv"` + PodAnnotations map[string]string `json:"podAnnotations"` + AdditionalEnv []corev1.EnvVar `json:"additionalEnv"` + ExperimentalEnv []corev1.EnvVar `json:"experimentalEnv"` } // Webhook Helm variables for a webhook diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go index c63f04c8026d4..c9de063264088 100644 --- a/pkg/charts/linkerd2/values_test.go +++ b/pkg/charts/linkerd2/values_test.go @@ -90,16 +90,15 @@ func TestNewValues(t *testing.T) { ServiceMirror: &PodMonitorComponent{Enabled: true}, Proxy: &PodMonitorComponent{Enabled: true}, }, - DestinationController: map[string]interface{}{ - "meshedHttp2ClientProtobuf": map[string]interface{}{ + DestinationController: &DestinationController{ + MeshedHttp2ClientProtobuf: map[string]interface{}{ "keep_alive": map[string]interface{}{ "interval": map[string]interface{}{"seconds": 10.0}, "timeout": map[string]interface{}{"seconds": 3.0}, "while_idle": true, }, }, - "livenessProbe": map[string]interface{}{"timeoutSeconds": 1.0}, - "readinessProbe": map[string]interface{}{"timeoutSeconds": 1.0}, + PodAnnotations: map[string]string{}, }, SPValidator: map[string]interface{}{ "livenessProbe": map[string]interface{}{"timeoutSeconds": 1.0}, @@ -235,6 +234,7 @@ func TestNewValues(t *testing.T) { ClientQPS: 100, ClientBurst: 200, }, + PodAnnotations: map[string]string{}, }, NodeSelector: map[string]string{ "kubernetes.io/os": "linux", 
@@ -246,7 +246,10 @@ func TestNewValues(t *testing.T) { }, }, - ProxyInjector: &ProxyInjector{Webhook: Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorInjector}}, + ProxyInjector: &ProxyInjector{ + Webhook: Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorInjector}, + PodAnnotations: map[string]string{}, + }, ProfileValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple}, PolicyValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple}, Egress: &Egress{GlobalEgressNetworkNamespace: "linkerd-egress"},