From dcffd360e352c661e32c924de6d544921a27906a Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 6 Oct 2023 11:26:20 -0700 Subject: [PATCH 01/22] Add native sidecar support Kubernetes has introduced native sidecar support in version 1.28. This feature improves network proxy sidecar compatibility for jobs and initContainers. Introduce a new annotation config.alpha.linkerd.io/proxy-enable-native-sidecar and configuration option Proxy.NativeSidecar that causes the proxy container to run as an init-container. Fixes: #11461 
Signed-off-by: TJ Miller --- charts/partials/templates/_proxy.tpl | 3 + charts/patch/templates/patch.json | 4 +- cli/cmd/inject.go | 4 + cli/cmd/inject_test.go | 13 + cli/cmd/options.go | 6 + ...ivoto_deployment_native_sidecar.golden.yml | 227 ++++++++++++++++++ ...jivoto_deployment_native_sidecar.input.yml | 31 +++ ...emojivoto_deployment_native_sidecar.report | 3 + ...o_deployment_native_sidecar.report.verbose | 10 + ...install_controlplane_tracing_output.golden | 1 + cli/cmd/testdata/install_custom_domain.golden | 1 + .../testdata/install_custom_registry.golden | 1 + cli/cmd/testdata/install_default.golden | 1 + ...stall_default_override_dst_get_nets.golden | 1 + cli/cmd/testdata/install_default_token.golden | 1 + cli/cmd/testdata/install_ha_output.golden | 1 + .../install_ha_with_overrides_output.golden | 1 + .../install_heartbeat_disabled_output.golden | 1 + .../install_helm_control_plane_output.golden | 1 + ...nstall_helm_control_plane_output_ha.golden | 1 + .../install_helm_output_ha_labels.golden | 1 + ...l_helm_output_ha_namespace_selector.golden | 1 + .../testdata/install_no_init_container.golden | 1 + cli/cmd/testdata/install_output.golden | 1 + cli/cmd/testdata/install_proxy_ignores.golden | 1 + cli/cmd/testdata/install_values_file.golden | 1 + pkg/charts/linkerd2/values.go | 1 + pkg/inject/inject.go | 8 + pkg/inject/inject_test.go | 4 + pkg/k8s/labels.go | 3 + 30 files changed, 333 insertions(+), 1 deletion(-) create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report create mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index f5dd4c2cd3338..3ef88f425639a 100644 --- a/charts/partials/templates/_proxy.tpl 
+++ b/charts/partials/templates/_proxy.tpl @@ -212,4 +212,7 @@ volumeMounts: name: {{.Values.proxy.saMountPath.name}} readOnly: {{.Values.proxy.saMountPath.readOnly}} {{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} {{- end }} diff --git a/charts/patch/templates/patch.json b/charts/patch/templates/patch.json index ea652aad7eda3..2f1b12b5af405 100644 --- a/charts/patch/templates/patch.json +++ b/charts/patch/templates/patch.json @@ -103,7 +103,9 @@ {{- end }} { "op": "add", - {{- if .Values.proxy.await }} + {{- if .Values.proxy.nativeSidecar }} + "path": "{{$prefix}}/spec/initContainers/-", + {{- else if .Values.proxy.await }} "path": "{{$prefix}}/spec/containers/0", {{- else }} "path": "{{$prefix}}/spec/containers/-", diff --git a/cli/cmd/inject.go b/cli/cmd/inject.go index bb92cbdee0049..117f65f9fb8b6 100644 --- a/cli/cmd/inject.go +++ b/cli/cmd/inject.go @@ -491,6 +491,10 @@ func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[ overrideAnnotations[k8s.ProxyShutdownGracePeriodAnnotation] = proxy.ShutdownGracePeriod } + if proxy.NativeSidecar != baseProxy.NativeSidecar { + overrideAnnotations[k8s.ProxyEnableNativeSidecarAnnotation] = strconv.FormatBool(proxy.NativeSidecar) + } + return overrideAnnotations } diff --git a/cli/cmd/inject_test.go b/cli/cmd/inject_test.go index a0bbfccb9c641..3586fc2da97fd 100644 --- a/cli/cmd/inject_test.go +++ b/cli/cmd/inject_test.go @@ -344,6 +344,17 @@ func TestUninjectAndInject(t *testing.T) { return values }(), }, + { + inputFileName: "inject_emojivoto_deployment_native_sidecar.input.yml", + goldenFileName: "inject_emojivoto_deployment_native_sidecar.golden.yml", + reportFileName: "inject_emojivoto_deployment_native_sidecar.report", + injectProxy: true, + testInjectConfig: func() *linkerd2.Values { + values := defaultConfig() + values.Proxy.NativeSidecar = true + return values + }(), + }, } for i, tc := range testCases { 
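Review bot: `restartPolicy: Always` is emitted whenever `.Values.proxy.nativeSidecar` is set, and nothing on the inject path checks that the target API server understands that field on an initContainer; on a server older than the 1.28 named in the series description the field would presumably be pruned and the proxy admitted as an ordinary init container that never exits, so the pod would never reach its app containers. The inject report checks this commit extends are the natural place for a guard, or at minimum the chart values documentation for `proxy.nativeSidecar` and the annotation doc should state that the option requires Kubernetes 1.28 or later and that enabling it on an older cluster blocks pod startup. A template comment above the new block, `{{- /* native sidecar: requires Kubernetes >= 1.28 (initContainer restartPolicy) */ -}}`, would record the constraint where it is enforced.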
@@ -678,6 +689,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) { values.Proxy.Await = false values.Proxy.AccessLog = "apache" values.Proxy.ShutdownGracePeriod = "60s" + values.Proxy.NativeSidecar = true expectedOverrides := map[string]string{ k8s.ProxyIgnoreInboundPortsAnnotation: "8500-8505", @@ -699,6 +711,7 @@ func TestProxyConfigurationAnnotations(t *testing.T) { k8s.ProxyAwait: "disabled", k8s.ProxyAccessLogAnnotation: "apache", k8s.ProxyShutdownGracePeriodAnnotation: "60s", + k8s.ProxyEnableNativeSidecarAnnotation: "true", } overrides := getOverrideAnnotations(values, baseValues) diff --git a/cli/cmd/options.go b/cli/cmd/options.go index 60539f2ac383d..0805b5cb8b525 100644 --- a/cli/cmd/options.go +++ b/cli/cmd/options.go @@ -441,6 +441,12 @@ func makeInjectFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) { injectFlags := pflag.NewFlagSet("inject", pflag.ExitOnError) flags := []flag.Flag{ + flag.NewBoolFlag(injectFlags, "native-sidecar", false, "Enable native sidecar", + func(values *l5dcharts.Values, value bool) error { + values.Proxy.NativeSidecar = value + return nil + }), + flag.NewInt64Flag(injectFlags, "wait-before-exit-seconds", int64(defaults.Proxy.WaitBeforeExitSeconds), "The period during which the proxy sidecar must stay alive while its pod is terminating. "+ "Must be smaller than terminationGracePeriodSeconds for the pod (default 0)", diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml new file mode 100644 index 0000000000000..ed427015f0096 --- /dev/null +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml 
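Review bot: The new `native-sidecar` flag in `makeInjectFlags` hard-codes its default to `false`, while the neighbouring flags in the same hunk derive theirs from the installed configuration (e.g. `int64(defaults.Proxy.WaitBeforeExitSeconds)`), so a cluster installed with `nativeSidecar: true` would show the wrong default in `--help` and, if the flag framework applies unchanged defaults, could be overridden back to `false` on inject. Suggest `flag.NewBoolFlag(injectFlags, "native-sidecar", defaults.Proxy.NativeSidecar, "Enable native sidecar (requires Kubernetes 1.28 or later)",` so the default and the cluster requirement from the series description are both visible to the operator. The rest of `makeInjectFlags` is outside the hunk.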
@@ -0,0 +1,227 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: web + namespace: emojivoto +spec: + replicas: 1 + selector: + matchLabels: + app: web-svc + template: + metadata: + annotations: + config.alpha.linkerd.io/proxy-enable-native-sidecar: "true" + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/proxy-version: test-inject-proxy-version + linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4 + labels: + app: web-svc + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: web + linkerd.io/workload-ns: emojivoto + spec: + containers: + - env: + - name: WEB_PORT + value: "80" + - name: EMOJISVC_HOST + value: emoji-svc.emojivoto:8080 + - name: VOTINGSVC_HOST + value: voting-svc.emojivoto:8080 + - name: INDEX_BUNDLE + value: dist/index_bundle.js + image: buoyantio/emojivoto-web:v10 + name: web-svc + ports: + - containerPort: 80 + name: http + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,4567,4568 + - --outbound-ports-to-ignore + - 4567,4568 + image: cr.l5d.io/linkerd/proxy-init:v2.2.3 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: 100m + memory: 20Mi + requests: + cpu: 100m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + - env: + - name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_LOG + value: 
warn,linkerd=info,trust_dns=error + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 + - name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: linkerd-policy.linkerd.svc.cluster.local.:8090 + - name: LINKERD2_PROXY_POLICY_WORKLOAD + value: $(_pod_ns):$(_pod_name) + - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: all-unauthenticated + - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: 100ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: 1000ms + - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: 5s + - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: 90s + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs + - name: LINKERD2_PROXY_INBOUND_PORTS + value: "80" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: 25,587,3306,4444,5432,6379,9300,11211 + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw + JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 + MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r + ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z + l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 + uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB + /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe + aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC + IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 + vgUC0d2/9FMueIVMb+46WTCOjsqr + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/tokens/linkerd-identity-token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local + - name: 
LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local + image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port=4191 + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + restartPolicy: Always + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 2102 + seccompProfile: + type: RuntimeDefault + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + - mountPath: /var/run/secrets/tokens + name: linkerd-identity-token + volumes: + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: linkerd-identity-token + projected: + sources: + - serviceAccountToken: + audience: identity.l5d.io + expirationSeconds: 86400 + path: linkerd-identity-token +--- diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml new file mode 100644 index 0000000000000..cf20c6963de06 --- /dev/null +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml 
@@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: web + namespace: emojivoto +spec: + replicas: 1 + selector: + matchLabels: + app: web-svc + template: + metadata: + labels: + app: web-svc + spec: + containers: + - env: + - name: WEB_PORT + value: "80" + - name: EMOJISVC_HOST + value: emoji-svc.emojivoto:8080 + - name: VOTINGSVC_HOST + value: voting-svc.emojivoto:8080 + - name: INDEX_BUNDLE + value: dist/index_bundle.js + image: buoyantio/emojivoto-web:v10 + name: web-svc + ports: + - containerPort: 80 + name: http +--- diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report new file mode 100644 index 0000000000000..99851e468c904 --- /dev/null +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report @@ -0,0 +1,3 @@ + +deployment "web" injected + diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose new file mode 100644 index 0000000000000..87f93a664175d --- /dev/null +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose @@ -0,0 +1,10 @@ + +√ pods do not use host networking +√ pods do not have a 3rd party proxy or initContainer already injected +√ pods are not annotated to disable injection +√ at least one resource can be injected or annotated +√ pod specs do not include UDP ports +√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled + +deployment "web" injected + diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index ebcd0b21dac44..b22f23c117822 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden 
@@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index 0306f1a465e7a..e40079f407d4e 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index cb07eb109bfa0..7c1eb71c210bf 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 0306f1a465e7a..e40079f407d4e 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index a355cf87ffa1c..4a80f030c2299 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden 
+++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index 332d1a68874f5..8b756961234b6 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 21162d710c681..829e402987386 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -661,6 +661,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index f1dcae1f530f1..29f8b7d54026b 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -661,6 +661,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s 
diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index d0ced48d3849f..c86fae9216eeb 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -565,6 +565,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index 9ac6c65276378..fc690b7a2460f 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -611,6 +611,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index 66f3ef2a3962a..88f7de5ee285b 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -638,6 +638,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index f976a0a4e19b6..0e53d91766ef3 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden 
@@ -642,6 +642,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index f6d39a2a3d938..a24336c815be7 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -633,6 +633,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index fcea6e8714f69..3d4dcdc135c28 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 9d14e1d1a4174..89d0459f71544 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -614,6 +614,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info + nativeSidecar: false opaquePorts: 25,443,587,3306,5432,11211 outboundConnectTimeout: "" outboundDiscoveryCacheUnusedTimeout: "" diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index 81dee954ee422..6f46cd5874772 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden 
+++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index 6451a20bfd251..78ea5ceadc1de 100644 --- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden @@ -634,6 +634,7 @@ data: isIngress: false logFormat: plain logLevel: warn,linkerd=info,trust_dns=error + nativeSidecar: false opaquePorts: 25,587,3306,4444,5432,6379,9300,11211 outboundConnectTimeout: 1000ms outboundDiscoveryCacheUnusedTimeout: 5s diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index 791318a45a61b..b47d6143e975e 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go @@ -119,6 +119,7 @@ type ( DefaultInboundPolicy string `json:"defaultInboundPolicy"` AccessLog string `json:"accessLog"` ShutdownGracePeriod string `json:"shutdownGracePeriod"` + NativeSidecar bool `json:"nativeSidecar"` } // ProxyInit contains the fields to set the proxy-init container diff --git a/pkg/inject/inject.go b/pkg/inject/inject.go index 31bc0ef2dd12c..a642b6526dcf2 100644 --- a/pkg/inject/inject.go +++ b/pkg/inject/inject.go @@ -82,6 +82,7 @@ var ( // (config.alpha prefix) that can be applied to a pod or namespace. ProxyAlphaConfigAnnotations = []string{ k8s.ProxyWaitBeforeExitSecondsAnnotation, + k8s.ProxyEnableNativeSidecarAnnotation, } ) 
@@ -1000,6 +1001,13 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) { } } + if override, ok := annotations[k8s.ProxyEnableNativeSidecarAnnotation]; ok { + value, err := strconv.ParseBool(override) + if err == nil { + values.Proxy.NativeSidecar = value + } + } + if override, ok := annotations[k8s.ProxyCPURequestAnnotation]; ok { _, err := k8sResource.ParseQuantity(override) if err != nil { diff --git a/pkg/inject/inject_test.go b/pkg/inject/inject_test.go index 41177b8f53b98..b0ddccccaeb93 100644 --- a/pkg/inject/inject_test.go +++ b/pkg/inject/inject_test.go @@ -74,6 +74,7 @@ func TestGetOverriddenValues(t *testing.T) { k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "900s", k8s.ProxyDisableOutboundProtocolDetectTimeout: "true", k8s.ProxyDisableInboundProtocolDetectTimeout: "true", + k8s.ProxyEnableNativeSidecarAnnotation: "true", }, }, Spec: corev1.PodSpec{}, @@ -126,6 +127,7 @@ func TestGetOverriddenValues(t *testing.T) { values.Proxy.InboundDiscoveryCacheUnusedTimeout = "900s" values.Proxy.DisableOutboundProtocolDetectTimeout = true values.Proxy.DisableInboundProtocolDetectTimeout = true + values.Proxy.NativeSidecar = true return values }, }, @@ -174,6 +176,7 @@ func TestGetOverriddenValues(t *testing.T) { k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6000ms", k8s.ProxyDisableOutboundProtocolDetectTimeout: "true", k8s.ProxyDisableInboundProtocolDetectTimeout: "false", + k8s.ProxyEnableNativeSidecarAnnotation: "true", }, spec: appsv1.DeploymentSpec{ Template: corev1.PodTemplateSpec{ @@ -221,6 +224,7 @@ func TestGetOverriddenValues(t *testing.T) { values.Proxy.InboundDiscoveryCacheUnusedTimeout = "6s" values.Proxy.DisableOutboundProtocolDetectTimeout = true values.Proxy.DisableInboundProtocolDetectTimeout = false + values.Proxy.NativeSidecar = true return values }, }, diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go index 00dbfd1709764..d255ef058b3e5 100644 --- a/pkg/k8s/labels.go +++ b/pkg/k8s/labels.go 
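Review bot: A malformed value for the native-sidecar annotation is silently ignored in `applyAnnotationOverrides`: when `strconv.ParseBool(override)` fails the `err == nil` guard drops the override and the workload is injected in the default (non-native) mode with no signal to the operator. The neighbouring CPU-request override in the same hunk takes the `if err != nil {` branch and reports the problem (that branch's body is outside the hunk), so the new block should follow that pattern, `if err != nil { /* report as the CPU-request branch does */ } else { values.Proxy.NativeSidecar = value }`, rather than swallow the error. This setting decides whether the proxy runs as an init container or a regular sidecar, so a typo in the annotation should be visible instead of quietly changing the pod layout. The enclosing function continues outside the hunk.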
@@ -264,6 +264,9 @@ const ( // configured for the Pod ProxyWaitBeforeExitSecondsAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-wait-before-exit-seconds" + // ProxyEnableNativeSidecarAnnotation enables the new native initContainer sidecar + ProxyEnableNativeSidecarAnnotation = ProxyConfigAnnotationsPrefixAlpha + "/proxy-enable-native-sidecar" + // ProxyAwait can be used to force the application to wait for the proxy // to be ready. ProxyAwait = ProxyConfigAnnotationsPrefix + "/proxy-await" From 2c1d8a16e2d2e7bd29235b86f8e159a38ff46a27 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Tue, 10 Oct 2023 12:24:26 -0700 Subject: [PATCH 02/22] Update viz/jaeger injectors to support native sidecars Signed-off-by: TJ Miller --- controller/webhook/util.go | 19 +++++++++++++------ jaeger/injector/mutator/patch.go | 16 ++++++++-------- jaeger/injector/mutator/webhook.go | 6 +++--- viz/tap/injector/patch.go | 2 +- viz/tap/injector/webhook.go | 6 +++--- 5 files changed, 28 insertions(+), 21 deletions(-) diff --git a/controller/webhook/util.go b/controller/webhook/util.go index c456072ef9582..883e09d217fc3 100644 --- a/controller/webhook/util.go +++ b/controller/webhook/util.go 
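Review bot: The doc comment on `ProxyEnableNativeSidecarAnnotation` says only that it "enables the new native initContainer sidecar", without the accepted values or the cluster requirement that the neighbouring annotation comments give for their settings. Suggest: `// ProxyEnableNativeSidecarAnnotation can be used to run the proxy as a native sidecar (an initContainer with restartPolicy: Always) instead of a regular container; accepts "true" or "false" and requires Kubernetes 1.28 or later.` The values follow from the `strconv.ParseBool` override in pkg/inject and the version from the series description.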
@@ -1,17 +1,24 @@ package webhook import ( + "fmt" + labels "github.com/linkerd/linkerd2/pkg/k8s" corev1 "k8s.io/api/core/v1" ) -// GetProxyContainerIndex gets the proxy container index of a pod; the index -// is required in webhooks because of how patches are created. -func GetProxyContainerIndex(containers []corev1.Container) int { - for i, c := range containers { +// GetProxyContainerPath gets the proxy container jsonpath of a pod relative to spec; +// this path is required in webhooks because of how patches are created. +func GetProxyContainerPath(spec corev1.PodSpec) string { + for i, c := range spec.Containers { + if c.Name == labels.ProxyContainerName { + return fmt.Sprintf("containers/%d", i) + } + } + for i, c := range spec.InitContainers { if c.Name == labels.ProxyContainerName { - return i + return fmt.Sprintf("initContainers/%d", i) } } - return -1 + return "notfound" } diff --git a/jaeger/injector/mutator/patch.go b/jaeger/injector/mutator/patch.go index c21c73374c5b7..7af89466bde15 100644 --- a/jaeger/injector/mutator/patch.go +++ b/jaeger/injector/mutator/patch.go @@ -8,7 +8,7 @@ const tpl = `[ }, { "op": "add", - "path": "/spec/containers/{{.ProxyIndex}}/env/-", + "path": "/spec/{{.ProxyPath}}/env/-", "value": { "name": "LINKERD2_PROXY_TRACE_ATTRIBUTES_PATH", "value": "/var/run/linkerd/podinfo/labels" @@ -16,7 +16,7 @@ const tpl = `[ }, { "op": "add", - "path": "/spec/containers/{{.ProxyIndex}}/env/-", + "path": "/spec/{{.ProxyPath}}/env/-", "value": { "name": "LINKERD2_PROXY_TRACE_COLLECTOR_SVC_ADDR", "value": "{{.CollectorSvcAddr}}" @@ -24,7 +24,7 @@ const tpl = `[ }, { "op": "add", - "path": "/spec/containers/{{.ProxyIndex}}/env/-", + "path": "/spec/{{.ProxyPath}}/env/-", "value": { "name": "LINKERD2_PROXY_TRACE_COLLECTOR_SVC_NAME", "value": "{{.CollectorSvcAccount}}.serviceaccount.identity.{{.LinkerdNamespace}}.{{.ClusterDomain}}" 
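Review bot: `GetProxyContainerPath` signals "no proxy container" through the literal string `"notfound"`, and both callers (the jaeger mutator and the viz tap webhook in the following hunks) re-spell that literal in their `== "notfound"` comparisons, so a mismatch on either side would make a webhook emit a JSON patch against `/spec/notfound/env/-` instead of skipping the pod. Returning the absence out of band keeps the sentinel out of the patch path: change the signature to `func GetProxyContainerPath(spec corev1.PodSpec) (string, bool)`, add `, true` to the two found-returns, and end with `return "", false`; the callers then become `if path, ok := webhook.GetProxyContainerPath(pod.Spec); !ok || ...`. The doc comment also calls the result a "jsonpath"; it is a JSON Pointer segment relative to `/spec` (the callers prepend `/spec/` when building the JSON Patch), which is worth stating so nobody passes it to a JSONPath evaluator.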
@@ -32,7 +32,7 @@ const tpl = `[ }, { "op": "add", - "path": "/spec/containers/{{.ProxyIndex}}/volumeMounts/-", + "path": "/spec/{{.ProxyPath}}/volumeMounts/-", "value": { "mountPath": "var/run/linkerd/podinfo", "name": "podinfo" @@ -44,13 +44,13 @@ const tpl = `[ "value": { "downwardAPI": { "items": [ - { + { "fieldRef": { "fieldPath": "metadata.labels" - }, + }, "path": "labels" - } - ] + } + ] }, "name": "podinfo" } diff --git a/jaeger/injector/mutator/webhook.go b/jaeger/injector/mutator/webhook.go index fff2cd50ddbd8..c823609e354bc 100644 --- a/jaeger/injector/mutator/webhook.go +++ b/jaeger/injector/mutator/webhook.go @@ -27,7 +27,7 @@ const ( // Params holds the values used in the patch template type Params struct { - ProxyIndex int + ProxyPath string CollectorSvcAddr string CollectorSvcAccount string ClusterDomain string @@ -59,13 +59,13 @@ func Mutate(collectorSvcAddr, collectorSvcAccount, clusterDomain, linkerdNamespa return nil, err } params := Params{ - ProxyIndex: webhook.GetProxyContainerIndex(pod.Spec.Containers), + ProxyPath: webhook.GetProxyContainerPath(pod.Spec), CollectorSvcAddr: collectorSvcAddr, CollectorSvcAccount: collectorSvcAccount, ClusterDomain: clusterDomain, LinkerdNamespace: linkerdNamespace, } - if params.ProxyIndex < 0 || labels.IsTracingEnabled(pod) { + if params.ProxyPath == "notfound" || labels.IsTracingEnabled(pod) { return admissionResponse, nil } diff --git a/viz/tap/injector/patch.go b/viz/tap/injector/patch.go index 5205d3b93e650..5a9d65b6e4e5b 100644 --- a/viz/tap/injector/patch.go +++ b/viz/tap/injector/patch.go @@ -8,7 +8,7 @@ var tpl = `[ }, { "op": "add", - "path": "/spec/containers/{{.ProxyIndex}}/env/-", + "path": "/spec/{{.ProxyPath}}/env/-", "value": { "name": "LINKERD2_PROXY_TAP_SVC_NAME", "value": "{{.ProxyTapSvcName}}" diff --git a/viz/tap/injector/webhook.go b/viz/tap/injector/webhook.go index 5d6a0419af8ad..305a7a97b12fe 100644 --- a/viz/tap/injector/webhook.go +++ b/viz/tap/injector/webhook.go 
@@ -17,7 +17,7 @@ import ( // Params holds the values used in the patch template. type Params struct { - ProxyIndex int + ProxyPath string ProxyTapSvcName string } @@ -41,10 +41,10 @@ func Mutate(tapSvcName string) webhook.Handler { return nil, err } params := Params{ - ProxyIndex: webhook.GetProxyContainerIndex(pod.Spec.Containers), + ProxyPath: webhook.GetProxyContainerPath(pod.Spec), ProxyTapSvcName: tapSvcName, } - if params.ProxyIndex < 0 || vizLabels.IsTapEnabled(pod) { + if params.ProxyPath == "notfound" || vizLabels.IsTapEnabled(pod) { return admissionResponse, nil } namespace, err := k8sAPI.Get(k8s.NS, request.Namespace) From 945cd81712b56f89dae9a83cfe4b953fe89bd478 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Tue, 10 Oct 2023 13:00:57 -0700 Subject: [PATCH 03/22] Update initContainer ordering for native sidecars Signed-off-by: TJ Miller --- charts/patch/templates/patch.json | 10 ++++++---- cli/cmd/testdata/inject_contour.golden.yml | 22 +++++++++++----------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/charts/patch/templates/patch.json b/charts/patch/templates/patch.json index 2f1b12b5af405..4c6d0555ad977 100644 --- a/charts/patch/templates/patch.json +++ b/charts/patch/templates/patch.json @@ -62,14 +62,14 @@ }, { "op": "add", - "path": "{{$prefix}}/spec/initContainers/-", + "path": "{{$prefix}}/spec/initContainers/0", "value": {{- include "partials.proxy-init" . | fromYaml | toPrettyJson | nindent 6 }} }, {{- else if and .Values.proxy .Values.cniEnabled }} { "op": "add", - "path": "{{$prefix}}/spec/initContainers/-", + "path": "{{$prefix}}/spec/initContainers/0", "value": {{- include "partials.network-validator" . | fromYaml | toPrettyJson | nindent 6 }} }, 
@@ -103,8 +103,10 @@ {{- end }} { "op": "add", - {{- if .Values.proxy.nativeSidecar }} - "path": "{{$prefix}}/spec/initContainers/-", + {{- if and .Values.proxy.nativeSidecar (not .Values.proxyInit) }} + "path": "{{$prefix}}/spec/initContainers/0", + {{- else if and .Values.proxy.nativeSidecar .Values.proxyInit }} + "path": "{{$prefix}}/spec/initContainers/1", {{- else if .Values.proxy.await }} "path": "{{$prefix}}/spec/containers/0", {{- else }} diff --git a/cli/cmd/testdata/inject_contour.golden.yml b/cli/cmd/testdata/inject_contour.golden.yml index f8144419e3ee3..8c4ff21b09efc 100644 --- a/cli/cmd/testdata/inject_contour.golden.yml +++ b/cli/cmd/testdata/inject_contour.golden.yml @@ -190,17 +190,6 @@ spec: - mountPath: /config name: contour-config initContainers: - - args: - - bootstrap - - /config/contour.yaml - command: - - contour - image: gcr.io/heptio-images/contour:master - imagePullPolicy: Always - name: envoy-initconfig - volumeMounts: - - mountPath: /config - name: contour-config - args: - --incoming-proxy-port - "4143" @@ -238,6 +227,17 @@ spec: volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock + - args: + - bootstrap + - /config/contour.yaml + command: + - contour + image: gcr.io/heptio-images/contour:master + imagePullPolicy: Always + name: envoy-initconfig + volumeMounts: + - mountPath: /config + name: contour-config volumes: - emptyDir: {} name: linkerd-proxy-init-xtables-lock From ccf447dd365c82f048190ee5a75cbf899fff1be2 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Wed, 18 Oct 2023 15:54:12 -0700 Subject: [PATCH 04/22] Only control initContainer order when doing native sidecars Signed-off-by: TJ Miller --- charts/patch/templates/patch.json | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/charts/patch/templates/patch.json b/charts/patch/templates/patch.json index 4c6d0555ad977..29d676f72360a 100644 --- a/charts/patch/templates/patch.json +++ b/charts/patch/templates/patch.json 
@@ -1,4 +1,5 @@ {{ $prefix := .Values.pathPrefix -}} +{{ $initIndex := ternary "0" "-" (dig "proxy" "nativeSidecar" false (merge (dict) .Values)) -}} [ {{- if .Values.addRootMetadata }} { @@ -62,14 +63,14 @@ }, { "op": "add", - "path": "{{$prefix}}/spec/initContainers/0", + "path": "{{$prefix}}/spec/initContainers/{{$initIndex}}{{$initIndex = add1 $initIndex}}", "value": {{- include "partials.proxy-init" . | fromYaml | toPrettyJson | nindent 6 }} }, {{- else if and .Values.proxy .Values.cniEnabled }} { "op": "add", - "path": "{{$prefix}}/spec/initContainers/0", + "path": "{{$prefix}}/spec/initContainers/{{$initIndex}}{{$initIndex = add1 $initIndex}}", "value": {{- include "partials.network-validator" . | fromYaml | toPrettyJson | nindent 6 }} }, @@ -103,10 +104,8 @@ {{- end }} { "op": "add", - {{- if and .Values.proxy.nativeSidecar (not .Values.proxyInit) }} - "path": "{{$prefix}}/spec/initContainers/0", - {{- else if and .Values.proxy.nativeSidecar .Values.proxyInit }} - "path": "{{$prefix}}/spec/initContainers/1", + {{- if .Values.proxy.nativeSidecar }} + "path": "{{$prefix}}/spec/initContainers/{{$initIndex}}", {{- else if .Values.proxy.await }} "path": "{{$prefix}}/spec/containers/0", {{- else }} From 8dd3eea66cc363506ef442ca85f29035647573b1 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Wed, 18 Oct 2023 15:54:57 -0700 Subject: [PATCH 05/22] Add native sidecar startupProbe and preStop Signed-off-by: TJ Miller --- charts/partials/templates/_proxy.tpl | 22 +++++++++++++++---- cli/cmd/testdata/inject_contour.golden.yml | 22 +++++++++---------- ...ivoto_deployment_native_sidecar.golden.yml | 12 ++++++++-- 3 files changed, 39 insertions(+), 17 deletions(-) diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 3ef88f425639a..f0af4245a4c5c 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl 
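Review bot: In both `"path"` lines of the second hunk the init-container counter is advanced by an assignment embedded inside the JSON string value, `{{$initIndex}}{{$initIndex = add1 $initIndex}}`, so a side effect is hidden in a literal and also runs in the non-native case where `$initIndex` holds the string `"-"`; as far as I can tell that only works because sprig's `add1` coerces a non-numeric string to 0 before adding. Moving the increment to its own action after the op, `"path": "{{$prefix}}/spec/initContainers/{{$initIndex}}",` followed on the next template line by `{{- if .Values.proxy.nativeSidecar }}{{ $initIndex = add1 $initIndex }}{{ end }}`, makes the counting explicit and skips it when the value is not numeric. A short comment on the `$initIndex` declaration in the first hunk noting that `-` appends while `0` prepends for native sidecars would also help the next reader.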
@@ -168,6 +168,14 @@ readinessProbe: path: /ready port: {{.Values.proxy.ports.admin}} initialDelaySeconds: 2 +{{- if .Values.proxy.nativeSidecar }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: 0 + periodSeconds: 1 +{{- end }} {{- if .Values.proxy.resources }} {{ include "partials.resources" .Values.proxy.resources }} {{- end }} @@ -182,9 +190,9 @@ securityContext: seccompProfile: type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError -{{- if or (.Values.proxy.await) (.Values.proxy.waitBeforeExitSeconds) }} +{{- if or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds .Values.proxy.nativeSidecar }} lifecycle: -{{- if .Values.proxy.await }} +{{- if and .Values.proxy.await (not .Values.proxy.nativeSidecar) }} postStart: exec: command: @@ -192,12 +200,18 @@ lifecycle: - --timeout=2m - --port={{.Values.proxy.ports.admin}} {{- end }} -{{- if .Values.proxy.waitBeforeExitSeconds }} +{{- if or .Values.proxy.waitBeforeExitSeconds .Values.proxy.nativeSidecar }} preStop: exec: command: + {{- if .Values.proxy.nativeSidecar }} + - /usr/lib/linkerd/linkerd-await + - --timeout=1s + - --port={{.Values.proxy.ports.admin}} + - --shutdown + {{- end }} - /bin/sleep - - {{.Values.proxy.waitBeforeExitSeconds | quote}} + - {{.Values.proxy.waitBeforeExitSeconds | default 0 | quote}} {{- end }} {{- end }} volumeMounts: diff --git a/cli/cmd/testdata/inject_contour.golden.yml b/cli/cmd/testdata/inject_contour.golden.yml index 8c4ff21b09efc..f8144419e3ee3 100644 --- a/cli/cmd/testdata/inject_contour.golden.yml +++ b/cli/cmd/testdata/inject_contour.golden.yml @@ -190,6 +190,17 @@ spec: - mountPath: /config name: contour-config initContainers: + - args: + - bootstrap + - /config/contour.yaml + command: + - contour + image: gcr.io/heptio-images/contour:master + imagePullPolicy: Always + name: envoy-initconfig + volumeMounts: + - mountPath: /config + name: contour-config - args: - --incoming-proxy-port - "4143" 
@@ -227,17 +238,6 @@ spec: volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock - - args: - - bootstrap - - /config/contour.yaml - command: - - contour - image: gcr.io/heptio-images/contour:master - imagePullPolicy: Always - name: envoy-initconfig - volumeMounts: - - mountPath: /config - name: contour-config volumes: - emptyDir: {} name: linkerd-proxy-init-xtables-lock diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml index ed427015f0096..0e5dc181167b3 100644 --- a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml @@ -175,12 +175,15 @@ spec: image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version imagePullPolicy: IfNotPresent lifecycle: - postStart: + preStop: exec: command: - /usr/lib/linkerd/linkerd-await - - --timeout=2m + - --timeout=1s - --port=4191 + - --shutdown + - /bin/sleep + - "0" livenessProbe: httpGet: path: /live @@ -205,6 +208,11 @@ spec: runAsUser: 2102 seccompProfile: type: RuntimeDefault + startupProbe: + httpGet: + path: /ready + port: 4191 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity From 9bf8f862224affcb3a224aeda31da24ece709607 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Tue, 24 Oct 2023 12:04:59 -0700 Subject: [PATCH 06/22] Reuse input file for native sidecar test Signed-off-by: TJ Miller --- cli/cmd/inject_test.go | 2 +- ...jivoto_deployment_native_sidecar.input.yml | 31 ------------------- 2 files changed, 1 insertion(+), 32 deletions(-) delete mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml diff --git a/cli/cmd/inject_test.go b/cli/cmd/inject_test.go index 3586fc2da97fd..0210f299409ee 100644 --- a/cli/cmd/inject_test.go +++ b/cli/cmd/inject_test.go 
@@ -345,7 +345,7 @@ func TestUninjectAndInject(t *testing.T) { }(), }, { - inputFileName: "inject_emojivoto_deployment_native_sidecar.input.yml", + inputFileName: "inject_emojivoto_deployment.input.yml", goldenFileName: "inject_emojivoto_deployment_native_sidecar.golden.yml", reportFileName: "inject_emojivoto_deployment_native_sidecar.report", injectProxy: true, diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml deleted file mode 100644 index cf20c6963de06..0000000000000 --- a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.input.yml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: web - namespace: emojivoto -spec: - replicas: 1 - selector: - matchLabels: - app: web-svc - template: - metadata: - labels: - app: web-svc - spec: - containers: - - env: - - name: WEB_PORT - value: "80" - - name: EMOJISVC_HOST - value: emoji-svc.emojivoto:8080 - - name: VOTINGSVC_HOST - value: voting-svc.emojivoto:8080 - - name: INDEX_BUNDLE - value: dist/index_bundle.js - image: buoyantio/emojivoto-web:v10 - name: web-svc - ports: - - containerPort: 80 - name: http ---- From 50fb0eef50881ce14abe5ee1e0fc978e3140dddd Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Tue, 24 Oct 2023 12:05:18 -0700 Subject: [PATCH 07/22] Add cli doc for native sidecar Signed-off-by: TJ Miller --- cli/cmd/doc.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cli/cmd/doc.go b/cli/cmd/doc.go index 20867238085ea..e2cbb51be6b8e 100644 --- a/cli/cmd/doc.go +++ b/cli/cmd/doc.go 
@@ -280,5 +280,9 @@ func generateAnnotationsDocs() []annotationDoc { Name: k8s.ProxyShutdownGracePeriodAnnotation, Description: "Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.", }, + { + Name: k8s.ProxyEnableNativeSidecarAnnotation, + Description: "Enables native sidecars as init containers. Requires Kubernetes >=1.28, SidecarContainers feature gate, and disables waitBeforeExitSeconds.", + }, } } From 6cb451de7ff16d4af86312e7613f1a8d5a612794 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Tue, 24 Oct 2023 12:05:35 -0700 Subject: [PATCH 08/22] Fix control plane install with native sidecars Signed-off-by: TJ Miller --- charts/linkerd-control-plane/README.md | 1 + charts/linkerd-control-plane/templates/destination.yaml | 1 + charts/linkerd-control-plane/templates/identity.yaml | 1 + charts/linkerd-control-plane/templates/proxy-injector.yaml | 1 + charts/linkerd-control-plane/values.yaml | 7 +++++++ 5 files changed, 11 insertions(+) diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index b4ac14a7af28e..c242119171eb5 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md 
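Review bot: The new `Description` hard-codes `Requires Kubernetes >=1.28, SidecarContainers feature gate, and disables waitBeforeExitSeconds`, which later commits in this series contradict without touching this string: the "Update helm docs" commit changes the chart README and values.yaml to `>= 1.29`, and the last `_proxy.tpl` hunk turns `nativeSidecar` plus `waitBeforeExitSeconds` into a hard `fail` rather than a silent disable. Aligning the annotation text with the chart docs, e.g. `Description: "Runs the proxy as a native sidecar init container. Requires Kubernetes >= 1.29; cannot be combined with waitBeforeExitSeconds.",` keeps the two sources of documentation from drifting. `generateAnnotationsDocs` begins outside the hunk.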
@@ -239,6 +239,7 @@ Kubernetes: `>=1.21.0-0` | proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache | | proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy | | proxy.logLevel | string | `"warn,linkerd=info,trust_dns=error"` | Log level for the proxy | +| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.28 and the SidecarContainers feature gate to be enabled. Note the setting .proxy.waitBeforeExitSeconds is discarded in this mode because sidecar support for preStop hooks is not yet implemeted. It is expected in Kubernetes version 1.29. | | proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | | proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection | | proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache | diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml index d9992747f8710..53af7036aa467 100644 --- a/charts/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd-control-plane/templates/destination.yaml 
@@ -190,6 +190,7 @@ spec: */}} {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} - args: - destination diff --git a/charts/linkerd-control-plane/templates/identity.yaml b/charts/linkerd-control-plane/templates/identity.yaml index b22357f019592..50579d941c645 100644 --- a/charts/linkerd-control-plane/templates/identity.yaml +++ b/charts/linkerd-control-plane/templates/identity.yaml @@ -215,6 +215,7 @@ spec: {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} initContainers: {{ if .Values.cniEnabled -}} diff --git a/charts/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd-control-plane/templates/proxy-injector.yaml index 89798c06aee9f..f14d5bbfd60fd 100644 --- a/charts/linkerd-control-plane/templates/proxy-injector.yaml +++ b/charts/linkerd-control-plane/templates/proxy-injector.yaml @@ -70,6 +70,7 @@ spec: {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} - args: - proxy-injector diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 0fb82cc2f3819..7efa649bb9ba4 100644 --- a/charts/linkerd-control-plane/values.yaml 
+++ b/charts/linkerd-control-plane/values.yaml @@ -191,6 +191,13 @@ proxy: # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" # @default -- "all-unauthenticated" defaultInboundPolicy: "all-unauthenticated" + # -- Enable KEP-753 native sidecars + # This is an experimental feature. It requires Kubernetes >= 1.28 and the + # SidecarContainers feature gate to be enabled. Note the setting + # .proxy.waitBeforeExitSeconds is discarded in this mode because + # sidecar support for preStop hooks is not yet implemeted. It is expected + # in Kubernetes version 1.29. + nativeSidecar: false # proxy-init configuration proxyInit: From f082f512917d480ba8b492a8aa1ce7036009df63 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Tue, 24 Oct 2023 14:33:30 -0700 Subject: [PATCH 09/22] Allow default authorizations to work with native sidecars Signed-off-by: TJ Miller --- policy-controller/k8s/index/src/inbound/pod.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/policy-controller/k8s/index/src/inbound/pod.rs b/policy-controller/k8s/index/src/inbound/pod.rs index 61130c7f8e480..0aa5f37ee0c7d 100644 --- a/policy-controller/k8s/index/src/inbound/pod.rs +++ b/policy-controller/k8s/index/src/inbound/pod.rs @@ -43,7 +43,12 @@ pub(crate) fn tcp_ports_by_name(spec: &k8s::PodSpec) -> HashMap /// Pod and the paths for which probes are expected. pub(crate) fn pod_http_probes(pod: &k8s::PodSpec) -> PortMap> { let mut probes = PortMap::>::default(); - for (port, path) in pod.containers.iter().flat_map(container_http_probe_paths) { + for (port, path) in pod + .containers + .iter() + .chain(pod.init_containers.iter().flatten()) + .flat_map(container_http_probe_paths) + { probes.entry(port).or_default().insert(path); } probes From 28b0acad14b4b795ed04031e48181090acab40b0 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 3 Nov 2023 16:26:49 -0700 Subject: [PATCH 10/22] Allow native sidecars in controlplane without startupProbe 
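Review bot: The new `.chain(pod.init_containers.iter().flatten())` in `pod_http_probes` pulls probe paths from every init container, not only from the native-sidecar proxy, and nothing in the function records why that is acceptable. As far as I know Kubernetes validation rejects probes on init containers unless they have `restartPolicy: Always`, i.e. exactly the native-sidecar case, so the broader iteration is safe, but that assumption deserves a comment above the `.chain(...)` line such as `// Init containers may only carry probes when they are native sidecars (restartPolicy: Always), so all of them can be included here.` The closing brace of `pod_http_probes` lies outside the hunk.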
Signed-off-by: TJ Miller --- charts/linkerd-control-plane/templates/destination.yaml | 6 +++++- charts/linkerd-control-plane/templates/identity.yaml | 6 +++++- charts/linkerd-control-plane/templates/proxy-injector.yaml | 6 +++++- charts/partials/templates/_proxy.tpl | 2 +- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml index 53af7036aa467..b2b51ceff65bd 100644 --- a/charts/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd-control-plane/templates/destination.yaml @@ -190,8 +190,9 @@ spec: */}} {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} - {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} + {{- if not $tree.Values.proxy.nativeSidecar }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} - args: - destination - -addr=:8086 @@ -342,6 +343,9 @@ spec: {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} {{- if .Values.priorityClassName -}} priorityClassName: {{ .Values.priorityClassName }} {{ end -}} diff --git a/charts/linkerd-control-plane/templates/identity.yaml b/charts/linkerd-control-plane/templates/identity.yaml index 50579d941c645..3370bed7dd819 100644 --- a/charts/linkerd-control-plane/templates/identity.yaml +++ b/charts/linkerd-control-plane/templates/identity.yaml 
@@ -215,8 +215,9 @@ spec: {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} - {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} + {{- if not $tree.Values.proxy.nativeSidecar }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} initContainers: {{ if .Values.cniEnabled -}} - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} @@ -229,6 +230,9 @@ spec: {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} {{- if .Values.priorityClassName -}} priorityClassName: {{ .Values.priorityClassName }} {{ end -}} diff --git a/charts/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd-control-plane/templates/proxy-injector.yaml index f14d5bbfd60fd..5d59680eee6b9 100644 --- a/charts/linkerd-control-plane/templates/proxy-injector.yaml +++ b/charts/linkerd-control-plane/templates/proxy-injector.yaml @@ -70,8 +70,9 @@ spec: {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} - {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} + {{- if not $tree.Values.proxy.nativeSidecar }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} - args: - proxy-injector - -log-level={{.Values.controllerLogLevel}} 
@@ -128,6 +129,9 @@ spec: {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} {{- if .Values.priorityClassName -}} priorityClassName: {{ .Values.priorityClassName }} {{ end -}} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index f0af4245a4c5c..4218f6f919216 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -168,7 +168,7 @@ readinessProbe: path: /ready port: {{.Values.proxy.ports.admin}} initialDelaySeconds: 2 -{{- if .Values.proxy.nativeSidecar }} +{{- if and .Values.proxy.nativeSidecar (not .Values.proxy.component) }} startupProbe: httpGet: path: /ready From f6b2ddbc700264e1ce3a323f959a987249963dbf Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 3 Nov 2023 16:27:24 -0700 Subject: [PATCH 11/22] Cleanup additional unneeded testdata file Signed-off-by: TJ Miller --- cli/cmd/inject_test.go | 2 +- .../testdata/inject_emojivoto_deployment_native_sidecar.report | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report diff --git a/cli/cmd/inject_test.go b/cli/cmd/inject_test.go index 0210f299409ee..709526f466d25 100644 --- a/cli/cmd/inject_test.go +++ b/cli/cmd/inject_test.go @@ -347,7 +347,7 @@ func TestUninjectAndInject(t *testing.T) { { inputFileName: "inject_emojivoto_deployment.input.yml", goldenFileName: "inject_emojivoto_deployment_native_sidecar.golden.yml", - reportFileName: "inject_emojivoto_deployment_native_sidecar.report", + reportFileName: "inject_emojivoto_deployment.report", injectProxy: true, testInjectConfig: func() *linkerd2.Values { values := defaultConfig() 
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report deleted file mode 100644 index 99851e468c904..0000000000000 --- a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report +++ /dev/null @@ -1,3 +0,0 @@ - -deployment "web" injected - From 6e8f068548839946b5db21c99afe354b51d6ec0f Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 3 Nov 2023 16:28:15 -0700 Subject: [PATCH 12/22] Remove native sidecar proxy preStop shutdown hook Signed-off-by: TJ Miller --- charts/partials/templates/_proxy.tpl | 10 ++-------- ...ject_emojivoto_deployment_native_sidecar.golden.yml | 10 ---------- 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 4218f6f919216..3803576b755bf 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -200,18 +200,12 @@ lifecycle: - --timeout=2m - --port={{.Values.proxy.ports.admin}} {{- end }} -{{- if or .Values.proxy.waitBeforeExitSeconds .Values.proxy.nativeSidecar }} +{{- if .Values.proxy.waitBeforeExitSeconds }} preStop: exec: command: - {{- if .Values.proxy.nativeSidecar }} - - /usr/lib/linkerd/linkerd-await - - --timeout=1s - - --port={{.Values.proxy.ports.admin}} - - --shutdown - {{- end }} - /bin/sleep - - {{.Values.proxy.waitBeforeExitSeconds | default 0 | quote}} + - {{.Values.proxy.waitBeforeExitSeconds | quote}} {{- end }} {{- end }} volumeMounts: diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml index 0e5dc181167b3..4eb52dc31eb0b 100644 --- a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml 
@@ -174,16 +174,6 @@ spec: value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /usr/lib/linkerd/linkerd-await - - --timeout=1s - - --port=4191 - - --shutdown - - /bin/sleep - - "0" livenessProbe: httpGet: path: /live From 6303ff3807224c1b084dc39dee4d6ba122696e24 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Tue, 7 Nov 2023 12:35:52 -0800 Subject: [PATCH 13/22] Mimic await behavior with startupProbe Signed-off-by: TJ Miller --- charts/partials/templates/_proxy.tpl | 3 ++- .../inject_emojivoto_deployment_native_sidecar.golden.yml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 3803576b755bf..8cc4a50257e12 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -168,13 +168,14 @@ readinessProbe: path: /ready port: {{.Values.proxy.ports.admin}} initialDelaySeconds: 2 -{{- if and .Values.proxy.nativeSidecar (not .Values.proxy.component) }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} startupProbe: httpGet: path: /ready port: {{.Values.proxy.ports.admin}} initialDelaySeconds: 0 periodSeconds: 1 + failureThreshold: 120 {{- end }} {{- if .Values.proxy.resources }} {{ include "partials.resources" .Values.proxy.resources }} diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml index 4eb52dc31eb0b..9ba6815059764 100644 --- a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml +++ b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.golden.yml @@ -199,6 +199,7 @@ spec: seccompProfile: type: RuntimeDefault startupProbe: + failureThreshold: 120 httpGet: path: /ready port: 4191 
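Review bot: The new `failureThreshold: 120` together with `periodSeconds: 1` encodes the same two-minute budget as the `--timeout=2m` passed to linkerd-await in the `postStart` hook this probe replaces, but nothing in the template says so, and the two values will drift silently if either is tuned. A template comment above `startupProbe:` such as `{{- /* 1s period x 120 failures mirrors the 2m linkerd-await postStart timeout */ -}}` would keep them linked. The condition now also keys on `.Values.proxy.await`, so a native-sidecar pod with `await` disabled gets no startupProbe at all; the values documentation for `proxy.await` should mention that effect.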
From db2f92bc23d35be087e712875363b06f02352f1e Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Wed, 8 Nov 2023 15:24:23 -0800 Subject: [PATCH 14/22] Override startupProbe parameters for destination and injector components Signed-off-by: TJ Miller --- charts/linkerd-control-plane/templates/destination.yaml | 3 +++ charts/linkerd-control-plane/templates/proxy-injector.yaml | 3 +++ charts/partials/templates/_proxy.tpl | 6 +++--- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml index b2b51ceff65bd..8b3a28b22cb1a 100644 --- a/charts/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd-control-plane/templates/destination.yaml @@ -344,6 +344,9 @@ spec: - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 20 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} {{- if .Values.priorityClassName -}} diff --git a/charts/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd-control-plane/templates/proxy-injector.yaml index 5d59680eee6b9..c1d93b2ce465a 100644 --- a/charts/linkerd-control-plane/templates/proxy-injector.yaml +++ b/charts/linkerd-control-plane/templates/proxy-injector.yaml 
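Review bot: The three `set $tree.Values.proxy "startupProbe..."` calls in the destination.yaml hunk (repeated in the proxy-injector.yaml hunk) introduce `startupProbeInitialDelaySeconds`, `startupProbePeriodSeconds` and `startupProbeFailureThreshold` as ordinary `.Values.proxy.*` inputs of the partial, which the `_proxy.tpl` hunk reads with `| default`, yet none of them is declared or documented in values.yaml. A user could set them on injected workloads without any documentation advertising them, while for the control-plane components any user value is silently overwritten here. Either document the three keys in values.yaml with their defaults, or mark them internal with a comment next to the `set` calls, e.g. `{{- /* component-only overrides for the proxy startupProbe; not user-facing */ -}}`.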
@@ -130,6 +130,9 @@ spec: - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 20 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} {{ end -}} {{- if .Values.priorityClassName -}} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 8cc4a50257e12..21563e796f323 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -173,9 +173,9 @@ startupProbe: httpGet: path: /ready port: {{.Values.proxy.ports.admin}} - initialDelaySeconds: 0 - periodSeconds: 1 - failureThreshold: 120 + initialDelaySeconds: {{.Values.proxy.startupProbeInitialDelaySeconds | default 0}} + periodSeconds: {{.Values.proxy.startupProbePeriodSeconds | default 1}} + failureThreshold: {{.Values.proxy.startupProbeFailureThreshold | default 120}} {{- end }} {{- if .Values.proxy.resources }} {{ include "partials.resources" .Values.proxy.resources }} From 27b13286b593b9a1a55f356dfa505e7c94ed84c3 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 10 Nov 2023 12:52:07 -0800 Subject: [PATCH 15/22] Use empty string when proxypath is not found Signed-off-by: TJ Miller --- controller/webhook/util.go | 2 +- jaeger/injector/mutator/webhook.go | 2 +- viz/tap/injector/webhook.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/controller/webhook/util.go b/controller/webhook/util.go index 883e09d217fc3..320b533df5c8f 100644 --- a/controller/webhook/util.go +++ b/controller/webhook/util.go @@ -20,5 +20,5 @@ func GetProxyContainerPath(spec corev1.PodSpec) string { return fmt.Sprintf("initContainers/%d", i) } } - return "notfound" + return "" } 
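Review bot: `return ""` makes the empty string the not-found sentinel of `GetProxyContainerPath`, and the jaeger and viz/tap `Mutate` hunks that follow compare against a bare `""` literal, but the function's doc comment (outside the hunk, together with its signature and loop) does not state that contract, so a future caller could pass an empty path straight into a patch template. Suggest the doc comment read `// GetProxyContainerPath returns the PodSpec-relative JSON patch path of the proxy container (for example "initContainers/N") or "" when the pod has no proxy container.` A named constant for the sentinel would additionally remove the duplicated literal, but the documentation is the minimum.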
diff --git a/jaeger/injector/mutator/webhook.go b/jaeger/injector/mutator/webhook.go index c823609e354bc..de51848732329 100644 --- a/jaeger/injector/mutator/webhook.go +++ b/jaeger/injector/mutator/webhook.go @@ -65,7 +65,7 @@ func Mutate(collectorSvcAddr, collectorSvcAccount, clusterDomain, linkerdNamespa ClusterDomain: clusterDomain, LinkerdNamespace: linkerdNamespace, } - if params.ProxyPath == "notfound" || labels.IsTracingEnabled(pod) { + if params.ProxyPath == "" || labels.IsTracingEnabled(pod) { return admissionResponse, nil } diff --git a/viz/tap/injector/webhook.go b/viz/tap/injector/webhook.go index 305a7a97b12fe..bd65406b59c82 100644 --- a/viz/tap/injector/webhook.go +++ b/viz/tap/injector/webhook.go @@ -44,7 +44,7 @@ func Mutate(tapSvcName string) webhook.Handler { ProxyPath: webhook.GetProxyContainerPath(pod.Spec), ProxyTapSvcName: tapSvcName, } - if params.ProxyPath == "notfound" || vizLabels.IsTapEnabled(pod) { + if params.ProxyPath == "" || vizLabels.IsTapEnabled(pod) { return admissionResponse, nil } namespace, err := k8sAPI.Get(k8s.NS, request.Namespace) From 2cda12970c888791a99c95c8cf21a8d1d74387b3 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 10 Nov 2023 12:52:28 -0800 Subject: [PATCH 16/22] Remove unused file inject_emojivoto_deployment_native_sidecar.report.verbose Signed-off-by: TJ Miller --- ..._emojivoto_deployment_native_sidecar.report.verbose | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose b/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose deleted file mode 100644 index 87f93a664175d..0000000000000 --- a/cli/cmd/testdata/inject_emojivoto_deployment_native_sidecar.report.verbose +++ /dev/null 
@@ -1,10 +0,0 @@ - -√ pods do not use host networking -√ pods do not have a 3rd party proxy or initContainer already injected -√ pods are not annotated to disable injection -√ at least one resource can be injected or annotated -√ pod specs do not include UDP ports -√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled - -deployment "web" injected - From 8e91ba216f378e5d0b36de956264b068ae7f5271 Mon Sep 17 00:00:00 2001 From: TJ Miller Date: Fri, 10 Nov 2023 12:57:41 -0800 Subject: [PATCH 17/22] Update helm docs Signed-off-by: TJ Miller --- charts/linkerd-control-plane/README.md | 2 +- charts/linkerd-control-plane/values.yaml | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index c242119171eb5..b154475be79d1 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md 
@@ -239,7 +239,7 @@ Kubernetes: `>=1.21.0-0` | proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache | | proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy | | proxy.logLevel | string | `"warn,linkerd=info,trust_dns=error"` | Log level for the proxy | -| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.28 and the SidecarContainers feature gate to be enabled. Note the setting .proxy.waitBeforeExitSeconds is discarded in this mode because sidecar support for preStop hooks is not yet implemeted. It is expected in Kubernetes version 1.29. | +| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used. | | proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | | proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection | | proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache | diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 7efa649bb9ba4..7e7196f1fc8ad 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml 
@@ -192,11 +192,8 @@ proxy:
 # @default -- "all-unauthenticated"
 defaultInboundPolicy: "all-unauthenticated"
 # -- Enable KEP-753 native sidecars
- # This is an experimental feature. It requires Kubernetes >= 1.28 and the
- # SidecarContainers feature gate to be enabled. Note the setting
- # .proxy.waitBeforeExitSeconds is discarded in this mode because
- # sidecar support for preStop hooks is not yet implemeted. It is expected
- # in Kubernetes version 1.29.
+ # This is an experimental feature. It requires Kubernetes >= 1.29.
+ # If enabled, .proxy.waitBeforeExitSeconds should not be used.
 nativeSidecar: false
 # proxy-init configuration
From 6d68d6540e7228f2a0dee64a6ee8bf0743c58c64 Mon Sep 17 00:00:00 2001
From: TJ Miller
Date: Fri, 10 Nov 2023 13:00:29 -0800
Subject: [PATCH 18/22] Disallow nativeSidecar and waitBeforeExitSeconds together
Signed-off-by: TJ Miller
---
charts/partials/templates/_proxy.tpl | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
index 21563e796f323..1dea8567d8580 100644
--- a/charts/partials/templates/_proxy.tpl
+++ b/charts/partials/templates/_proxy.tpl
@@ -1,4 +1,7 @@
 {{ define "partials.proxy" -}}
+{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }}
+{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }}
+{{- end }}
 {{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}}
 env:
 - name: _pod_name
@@ -191,9 +194,9 @@ securityContext:
 seccompProfile:
 type: RuntimeDefault
 terminationMessagePolicy: FallbackToLogsOnError
-{{- if or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds .Values.proxy.nativeSidecar }}
+{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }}
 lifecycle:
-{{- if and .Values.proxy.await (not .Values.proxy.nativeSidecar) }}
+{{- if .Values.proxy.await }}
 postStart:
 exec:
 command:
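Review bot: The `fail` message in the first _proxy.tpl hunk names one value with its `proxy.` prefix and the other without; `{{ fail "proxy.nativeSidecar and proxy.waitBeforeExitSeconds cannot be used simultaneously" }}` reads consistently with the values.yaml comment changed on this same line. Because `partials.proxy` appears to be rendered by the proxy injector as well as by `helm install` (the pkg/inject files in this series suggest so), a workload that combines the native-sidecar annotation with a wait-before-exit setting would be rejected at pod admission rather than at install time; a one-line comment above the check, such as `{{/* reached from both helm rendering and proxy injection; a conflict here fails the admission request */}}`, would help whoever next debugs an injection failure. The second hunk's `lifecycle` block continues past the hunk end.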
From 7b36117e440b7964c3d01841b4b18071bbbd4d06 Mon Sep 17 00:00:00 2001
From: TJ Miller
Date: Fri, 10 Nov 2023 13:02:12 -0800
Subject: [PATCH 19/22] Disable nativeSidecar for identity and increase startupProbeInitialDelaySeconds for inject and destination
Signed-off-by: TJ Miller
---
charts/linkerd-control-plane/templates/destination.yaml | 2 +-
charts/linkerd-control-plane/templates/identity.yaml | 6 +-----
charts/linkerd-control-plane/templates/proxy-injector.yaml | 2 +-
3 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml
index 8b3a28b22cb1a..a4081b69101ea 100644
--- a/charts/linkerd-control-plane/templates/destination.yaml
+++ b/charts/linkerd-control-plane/templates/destination.yaml
@@ -344,7 +344,7 @@ spec:
 - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
 {{ end -}}
 {{- if $tree.Values.proxy.nativeSidecar }}
- {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 20 }}
+ {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
 {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
 {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
 - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
diff --git a/charts/linkerd-control-plane/templates/identity.yaml b/charts/linkerd-control-plane/templates/identity.yaml
index 3370bed7dd819..d2003a8d471b0 100644
--- a/charts/linkerd-control-plane/templates/identity.yaml
+++ b/charts/linkerd-control-plane/templates/identity.yaml
@@ -206,6 +206,7 @@ spec:
 {{- $_ := set $tree.Values.proxy "await" false }}
 {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
 {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
+ {{- $_ := set $tree.Values.proxy "nativeSidecar" false }}
 {{- /*
 The identity controller cannot discover policies, so we configure it with
 defaults that enforce TLS on the identity service.
@@ -215,9 +216,7 @@ spec:
 {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
 {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
 {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
- {{- if not $tree.Values.proxy.nativeSidecar }}
- - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
- {{- end }}
 initContainers:
 {{ if .Values.cniEnabled -}}
 - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
@@ -230,9 +229,6 @@ spec:
 {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
 - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
 {{ end -}}
- {{- if $tree.Values.proxy.nativeSidecar }}
- - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
- {{ end -}}
 {{- if .Values.priorityClassName -}}
 priorityClassName: {{ .Values.priorityClassName }}
 {{ end -}}
diff --git a/charts/linkerd-control-plane/templates/proxy-injector.yaml b/charts/linkerd-control-plane/templates/proxy-injector.yaml
index c1d93b2ce465a..4fd044d65ccea 100644
--- a/charts/linkerd-control-plane/templates/proxy-injector.yaml
+++ b/charts/linkerd-control-plane/templates/proxy-injector.yaml
@@ -130,7 +130,7 @@ spec:
 - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
 {{ end -}}
 {{- if $tree.Values.proxy.nativeSidecar }}
- {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 20 }}
+ {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
 {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
 {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
 - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
From fb3f58ca079a5e8b5dec24eb2ccedfede3131252 Mon Sep 17 00:00:00 2001
From: TJ Miller
Date: Mon, 20 Nov 2023 12:03:31 -0800
Subject: [PATCH 20/22] Add comment and rewrite, for readability, patch $initIndex
Signed-off-by: TJ Miller
---
charts/patch/templates/patch.json | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/charts/patch/templates/patch.json b/charts/patch/templates/patch.json
index 29d676f72360a..8f83f59c0c8ed 100644
--- a/charts/patch/templates/patch.json
+++ b/charts/patch/templates/patch.json
@@ -1,5 +1,14 @@
 {{ $prefix := .Values.pathPrefix -}}
-{{ $initIndex := ternary "0" "-" (dig "proxy" "nativeSidecar" false (merge (dict) .Values)) -}}
+{{/*
+$initIndex represents the patch insertion index of the next initContainer when
+proxy.nativeSidecar is true. If enabled, the proxy-init or network-validator
+should run first, immediately followed by the proxy. This ordering allows us
+to proxy traffic in subsequent initContainers.
+
+Note: dig is not used directly on .Values because it rejects chartutil.Values
+structs.
+*/}}
+{{- $initIndex := ternary "0" "-" (.Values.proxy | default (dict) | dig "nativeSidecar" false) -}}
 [
 {{- if .Values.addRootMetadata }}
 {
From 7cd36797d586097bfde7978e6aefe683785c4ae3 Mon Sep 17 00:00:00 2001
From: TJ Miller
Date: Mon, 20 Nov 2023 12:03:37 -0800
Subject: [PATCH 21/22] Add default proxy startupProbe parameters to values.yaml
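Review bot: The new comment in the patch.json hunk explains why `$initIndex` is `"0"` but not what repeated inserts at that index imply: a JSON Patch `add` at an array index inserts before the existing element, so if later entries in this file add both proxy-init (or network-validator) and the proxy at `$initIndex`, the entry emitted last ends up first and the emission order must be the reverse of the runtime order the comment describes. One more sentence in the comment, such as `Because every add at index 0 prepends, the proxy entry must be emitted before the proxy-init entry.`, would keep that invariant from being lost in a future reorder; the patch entries themselves lie outside this hunk, so this is inferred from the comment rather than verified. The proxy-injector.yaml hunk on this line repeats the destination.yaml change from L40.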
Signed-off-by: TJ Miller --- charts/linkerd-control-plane/README.md | 1 + charts/linkerd-control-plane/values.yaml | 5 +++++ charts/partials/templates/_proxy.tpl | 6 +++--- .../testdata/install_controlplane_tracing_output.golden | 4 ++++ cli/cmd/testdata/install_custom_domain.golden | 4 ++++ cli/cmd/testdata/install_custom_registry.golden | 4 ++++ cli/cmd/testdata/install_default.golden | 4 ++++ .../testdata/install_default_override_dst_get_nets.golden | 4 ++++ cli/cmd/testdata/install_default_token.golden | 4 ++++ cli/cmd/testdata/install_ha_output.golden | 4 ++++ cli/cmd/testdata/install_ha_with_overrides_output.golden | 4 ++++ cli/cmd/testdata/install_heartbeat_disabled_output.golden | 4 ++++ cli/cmd/testdata/install_helm_control_plane_output.golden | 4 ++++ .../testdata/install_helm_control_plane_output_ha.golden | 4 ++++ cli/cmd/testdata/install_helm_output_ha_labels.golden | 4 ++++ .../install_helm_output_ha_namespace_selector.golden | 4 ++++ cli/cmd/testdata/install_no_init_container.golden | 4 ++++ cli/cmd/testdata/install_output.golden | 3 ++- cli/cmd/testdata/install_proxy_ignores.golden | 4 ++++ cli/cmd/testdata/install_values_file.golden | 4 ++++ pkg/charts/linkerd2/values.go | 8 ++++++++ pkg/charts/linkerd2/values_test.go | 5 +++++ 22 files changed, 88 insertions(+), 4 deletions(-) diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index b154475be79d1..f3bfb399f4d4a 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md 
@@ -255,6 +255,7 @@ Kubernetes: `>=1.21.0-0` | proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use | | proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests | | proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. | +| proxy.startupProbe | object | `{"failureThreshold":120,"initialDelaySeconds":0,"periodSeconds":1}` | Native sidecar proxy startup probe parameters. | | proxy.uid | int | `2102` | User id under which the proxy runs | | proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. | | proxyInit.closeWaitTimeoutSecs | int | `0` | | diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 7e7196f1fc8ad..5ae19b7e1820d 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml @@ -195,6 +195,11 @@ proxy: # This is an experimental feature. It requires Kubernetes >= 1.29. # If enabled, .proxy.waitBeforeExitSeconds should not be used. nativeSidecar: false + # -- Native sidecar proxy startup probe parameters. + startupProbe: + initialDelaySeconds: 0 + periodSeconds: 1 + failureThreshold: 120 # proxy-init configuration proxyInit: diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 1dea8567d8580..da0d10b6c73e8 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl 
@@ -176,9 +176,9 @@ startupProbe:
 httpGet:
 path: /ready
 port: {{.Values.proxy.ports.admin}}
- initialDelaySeconds: {{.Values.proxy.startupProbeInitialDelaySeconds | default 0}}
- periodSeconds: {{.Values.proxy.startupProbePeriodSeconds | default 1}}
- failureThreshold: {{.Values.proxy.startupProbeFailureThreshold | default 120}}
+ initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}}
+ periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}}
+ failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}}
 {{- end }}
 {{- if .Values.proxy.resources }}
 {{ include "partials.resources" .Values.proxy.resources }}
diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden
index b22f23c117822..8e42b874146ca 100644
--- a/cli/cmd/testdata/install_controlplane_tracing_output.golden
+++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden
@@ -657,6 +657,10 @@ data:
 request: ""
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden
index e40079f407d4e..e41d54dc7b06e 100644
--- a/cli/cmd/testdata/install_custom_domain.golden
+++ b/cli/cmd/testdata/install_custom_domain.golden
@@ -657,6 +657,10 @@ data:
 request: ""
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden
index 7c1eb71c210bf..99a3e54c89061 100644
--- a/cli/cmd/testdata/install_custom_registry.golden
+++ b/cli/cmd/testdata/install_custom_registry.golden
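Review bot: The three startupProbe lines now dereference `.Values.proxy.startupProbe.*` without the `| default` fallbacks the removed lines carried, so a null `startupProbe` — which the Go side can emit, since `StartupProbe` in the values.go hunk on L53 is a pointer with no `omitempty` and install_output.golden on L49 already serialises `startupProbe: null` — fails rendering with a nil evaluation error instead of using the defaults. Binding the map once with a fallback (below) restores the earlier tolerance, and `json:"startupProbe,omitempty"` on the Go field would stop the null from being emitted at all. Separately, destination.yaml and proxy-injector.yaml (PATCH 19, L40 and L42) still `set` the flat keys `startupProbeInitialDelaySeconds`, `startupProbePeriodSeconds` and `startupProbeFailureThreshold`, which this template no longer reads, so their 35/5/20 overrides are silently dropped unless a later change migrates them to the `startupProbe` map. The `if` enclosing this startupProbe block begins before the hunk.
```yaml
# … unchanged: httpGet / path / port …
{{- $sp := .Values.proxy.startupProbe | default (dict) }}
  initialDelaySeconds: {{ $sp.initialDelaySeconds | default 0 }}
  periodSeconds: {{ $sp.periodSeconds | default 1 }}
  failureThreshold: {{ $sp.failureThreshold | default 120 }}
```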
@@ -657,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index e40079f407d4e..e41d54dc7b06e 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -657,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 4a80f030c2299..6905aee1501ac 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -657,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index 8b756961234b6..2180f4ae1554c 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -657,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 829e402987386..deefa97e9b4e3 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden 
@@ -684,6 +684,10 @@ data: request: 20Mi saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 29f8b7d54026b..b030cbd633d90 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -684,6 +684,10 @@ data: request: 300Mi saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index c86fae9216eeb..f106ceaf35e46 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -588,6 +588,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index fc690b7a2460f..cce8440af8e67 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -634,6 +634,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy 
diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index 88f7de5ee285b..375fc60f39e36 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -661,6 +661,10 @@ data: request: 20Mi saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 0e53d91766ef3..4455b0267340d 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -665,6 +665,10 @@ data: request: 20Mi saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index a24336c815be7..3345be7a2c9a3 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -656,6 +656,10 @@ data: request: 20Mi saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 3d4dcdc135c28..85fc97557f304 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden 
@@ -657,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 89d0459f71544..ad8c40b99dcdc 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -637,6 +637,7 @@ data: request: memory-request saMountPath: null shutdownGracePeriod: "" + startupProbe: null uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: ProxyContainerName 
@@ -1889,7 +1890,7 @@ spec: --- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: Y2xpVmVyc2lvbjogQ2xpVmVyc2lvbgpjbHVzdGVyTmV0d29ya3M6IENsdXN0ZXJOZXR3b3Jrcwpjb250cm9sUGxhbmVUcmFjaW5nTmFtZXNwYWNlOiAiIgpjb250cm9sbGVySW1hZ2U6IENvbnRyb2xsZXJJbWFnZQpjb250cm9sbGVyTG9nRm9ybWF0OiBDb250cm9sbGVyTG9nRm9ybWF0CmNvbnRyb2xsZXJMb2dMZXZlbDogQ29udHJvbGxlckxvZ0xldmVsCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgbmFtZTogRGVidWdJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IERlYnVnSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBEZWJ1Z1ZlcnNpb24KZW5hYmxlRW5kcG9pbnRTbGljZXM6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdad
E03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQppbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQppbWFnZVB1bGxTZWNyZXRzOiBudWxsCmxpbmtlcmRWZXJzaW9uOiBMaW5rZXJkVmVyc2lvbgpuZXR3b3JrVmFsaWRhdG9yOgogIGVuYWJsZVNlY3VyaXR5Q29udGV4dDogZmFsc2UKcG9kTW9uaXRvcjogbnVsbApwb2xpY3lDb250cm9sbGVyOgogIGltYWdlOgogICAgbmFtZTogUG9saWN5Q29udHJvbGxlckltYWdlTmFtZQogICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBQb2xpY3lDb250cm9sbGVyVmVyc2lvbgogIGxvZ0xldmVsOiBsb2ctbGV2ZWwKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdApwb2xpY3lWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHBvbGljeSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJpb3JpdHlDbGFzc05hbWU6IFByaW9yaXR5Q2xhc3NOYW1lCnByb2ZpbGVWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHByb2ZpbGUgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCnByb3h5OgogIGRlZmF1bHRJbmJvdW5kUG9saWN5OiBkZWZhdWx0LWFsbG93LXBvbGlje
QogIGltYWdlOgogICAgbmFtZTogUHJveHlJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUHJveHlWZXJzaW9uCiAgaW5ib3VuZENvbm5lY3RUaW1lb3V0OiAiIgogIGluYm91bmREaXNjb3ZlcnlDYWNoZVVudXNlZFRpbWVvdXQ6ICIiCiAgbG9nTGV2ZWw6IHdhcm4sbGlua2VyZD1pbmZvCiAgb3BhcXVlUG9ydHM6IDI1LDQ0Myw1ODcsMzMwNiw1NDMyLDExMjExCiAgb3V0Ym91bmRDb25uZWN0VGltZW91dDogIiIKICBvdXRib3VuZERpc2NvdmVyeUNhY2hlVW51c2VkVGltZW91dDogIiIKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdAogIHN0YXJ0dXBQcm9iZTogbnVsbApwcm94eUNvbnRhaW5lck5hbWU6IFByb3h5Q29udGFpbmVyTmFtZQpwcm94eUluaXQ6CiAgaWdub3JlSW5ib3VuZFBvcnRzOiAiIgogIGlnbm9yZU91dGJvdW5kUG9ydHM6ICI0NDMiCiAgaW1hZ2U6CiAgICBuYW1lOiBQcm94eUluaXRJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUHJveHlJbml0VmVyc2lvbgogIGt1YmVBUElTZXJ2ZXJQb3J0czogIiIKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIHJlcXVlc3Q6IDEwbQogICAgbWVtb3J5OgogICAgICBsaW1pdDogNTBNaQogICAgICByZXF1ZXN0OiAxME1pCnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCndlYmhvb2tGYWlsdXJlUG9saWN5OiBXZWJob29rRmFpbHVyZVBvbGljeQo= kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index 6f46cd5874772..25bc19143b88f 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -657,6 +657,10 @@ data: request: "" saMountPath: null shutdownGracePeriod: "" + startupProbe: + failureThreshold: 120 + initialDelaySeconds: 0 + periodSeconds: 1 uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index 78ea5ceadc1de..9c3923511a752 100644 --- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden 
@@ -657,6 +657,10 @@ data:
 request: ""
 saMountPath: null
 shutdownGracePeriod: ""
+ startupProbe:
+ failureThreshold: 120
+ initialDelaySeconds: 0
+ periodSeconds: 1
 uid: 2102
 waitBeforeExitSeconds: 0
 proxyContainerName: linkerd-proxy
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go
index b47d6143e975e..a4f107304dc75 100644
--- a/pkg/charts/linkerd2/values.go
+++ b/pkg/charts/linkerd2/values.go
@@ -120,6 +120,7 @@ type (
 AccessLog string `json:"accessLog"`
 ShutdownGracePeriod string `json:"shutdownGracePeriod"`
 NativeSidecar bool `json:"nativeSidecar"`
+ StartupProbe *StartupProbe `json:"startupProbe"`
 }
 // ProxyInit contains the fields to set the proxy-init container
@@ -227,6 +228,13 @@ type (
 EphemeralStorage Constraints `json:"ephemeral-storage"`
 }
+ // StartupProbe represents the initContainer startup probe parameters for the proxy
+ StartupProbe struct {
+ InitialDelaySeconds uint `json:"initialDelaySeconds"`
+ PeriodSeconds uint `json:"periodSeconds"`
+ FailureThreshold uint `json:"failureThreshold"`
+ }
+
 // Identity contains the fields to set the identity variables in the proxy
 // sidecar container
 Identity struct {
diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go
index 91c6b3c6fb020..2cba9d1c66dee 100644
--- a/pkg/charts/linkerd2/values_test.go
+++ b/pkg/charts/linkerd2/values_test.go
@@ -134,6 +134,11 @@ func TestNewValues(t *testing.T) {
 InboundDiscoveryCacheUnusedTimeout: "90s",
 DisableOutboundProtocolDetectTimeout: false,
 DisableInboundProtocolDetectTimeout: false,
+ StartupProbe: &StartupProbe{
+ FailureThreshold: 120,
+ InitialDelaySeconds: 0,
+ PeriodSeconds: 1,
+ },
 },
 ProxyInit: &ProxyInit{
 IptablesMode: "legacy",
From 62bcf87ab764dc02f37a78ea722dba89a41e35dc Mon Sep 17 00:00:00 2001
From: TJ Miller
Date: Mon, 20 Nov 2023 15:47:36 -0800
Subject: [PATCH 22/22] Update `cli/cmd/doc.go` ProxyEnableNativeSidecarAnnotation description
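Review bot: The three `StartupProbe` fields in the second values.go hunk are declared `uint`, while the Kubernetes container-probe fields they populate (`initialDelaySeconds`, `periodSeconds`, `failureThreshold`) are int32; `int32` would mirror the target type so that a value accepted here cannot be one the API server later rejects. The struct comment could also state when the probe is used — the values.yaml comment added on L44 reads "Native sidecar proxy startup probe parameters.", which suggests `// StartupProbe holds the startup probe parameters the proxy uses when it runs as a native sidecar init container`. The `type (` group enclosing both values.go hunks opens before the first and closes after the second.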
Signed-off-by: TJ Miller
---
cli/cmd/doc.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cli/cmd/doc.go b/cli/cmd/doc.go
index e2cbb51be6b8e..f60ab24908a6f 100644
--- a/cli/cmd/doc.go
+++ b/cli/cmd/doc.go
@@ -282,7 +282,7 @@ func generateAnnotationsDocs() []annotationDoc {
 },
 {
 Name: k8s.ProxyEnableNativeSidecarAnnotation,
- Description: "Enables native sidecars as init containers. Requires Kubernetes >=1.28, SidecarContainers feature gate, and disables waitBeforeExitSeconds.",
+ Description: "Enable KEP-753 native sidecars. This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used.",
 },
 }
 }
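Review bot: The new description refers to `.proxy.waitBeforeExitSeconds`, which is a Helm values path, but this entry documents the pod annotation `k8s.ProxyEnableNativeSidecarAnnotation`, where a reader would set the conflicting option through its own annotation rather than through chart values; naming that annotation, or wording it as "the proxy wait-before-exit setting", keeps the sentence meaningful in annotation-level help. The text otherwise duplicates the values.yaml comment from L39 verbatim, which is fine as long as the two are kept in step. `generateAnnotationsDocs` begins before the hunk.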