Commit

Add Control Plane Helm Templates And Proxy Partials (#3146)
* Updated controller template with proxy partials
* Declare dependency in requirements.yaml
* Add partial template for proxy's metadata
* Add proxy-init partial template
* Script to lint Helm charts and update their dependencies
* Update partials chart Chart.yaml
* Add proxy-init and resource partial templates
* Replace hard coded namespace variable in proxy env var
* Ignore chart dependencies .tgz files
* Add missing fields and re-order YAML elements to match CLI output
* Reuse control plane's resource partial template in 'partials' chart
* Set the proxy's destination service address env var
* Add Grafana's template
* Update api version of controller RBAC
* Add Heartbeat template
* Remove duplicated resources partial template
* Add remainder control plane components templates
* Add template for the 'linkerd-config' config map
* Add debug container template
* Update proxy partial with 'disable-identity' and 'disable-tap' variables

Note that these are inject-only variables.
Also added the LINKERD2_PROXY_TAP_SVC_NAME env var.

* Add validation conditions to ensure identity and tap aren't disabled for
control plane components
* Add partials for service account token mount path and security context capabilities
* Change proxy and proxy-init templates to use global scope

Some of the nested variables are removed from values.yaml to ensure changes
made to root-level variables are propagated directly into the partial
templates. The previous approach of using YAML anchors in the
values.yaml to share common values can get out-of-sync when values are
changed via Helm's `--set` option.

* Update templates and values file to match #3161
* Perform a dry run installation if there is a local Tiller
* Reorder JSON elements in linkerd-config
* Re-adjust nested partials indentation to work with inject 'patch' chart

Previously, the partials would render their content as an element in the list.
While it works for installation, the toJson function in the 'inject' patch code
ends up converting it into a JSON list, instead of the expected JSON
object.

* Trap the last fail command in the Helm shell script
* Add the identity trust anchor
* Address Thomas' feedback on handling HA

All the HA-related variables are moved to values-ha.yaml

* Convert ignore ports string to JSON list in linkerd-config

Also fixed some indentation issues.

* Add values-ha.yaml
* Include the service account token mount path only if identity is enabled
* Fixed malformed JSON in linkerd-config config map
* Rename chart to 'linkerd2'
* Add NOTES.txt
* Fix incorrect variable path in proxy template
* Remove fake TLS assets
* Add 'required' constraint to identity trust anchors variable
* Update tap templates per #3167
* Bump default version to edge-19.8.1 due to dependency on RSA support

Signed-off-by: Ivan Sim <ivan@buoyant.io>
ihcsim authored and cpretzer committed Aug 6, 2019
1 parent 0cd38ee commit 1e469f3
Showing 48 changed files with 2,492 additions and 0 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -14,3 +14,4 @@ web/app/yarn-error.log
.golangci-lint*
**/*.gogen*
**/*.swp
charts/*/charts/
23 changes: 23 additions & 0 deletions bin/helm.sh
@@ -0,0 +1,23 @@
#!/bin/bash

set -e

# trap the last failed command
trap 'printf "Error on exit:\n Exit code: $?\n Failed command: \"$BASH_COMMAND\"\n"' ERR

bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
rootdir="$( cd $bindir/.. && pwd )"

helm lint $rootdir/charts/partials

helm dep up $rootdir/charts/linkerd2
helm lint --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2

# if tiller is deployed, perform a dry run installation to check for errors
if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then
echo "Performing dry run installation"
helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2 2> /dev/null

echo "Performing dry run installation (HA mode)"
helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" -f $rootdir/charts/linkerd2/values.yaml -f $rootdir/charts/linkerd2/values-ha.yaml charts/linkerd2 2> /dev/null
fi
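Review bot: The Tiller check in ``if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then`` tests only kubectl's exit status, which is 0 even when no pod matches the selector, so the dry run is attempted whenever a cluster is reachable and would abort the script under `set -e` if Tiller is absent; the `tiller` variable is never read. Test for non-empty output instead (for example with `-o name`). In the same block, `2> /dev/null` on both `helm install --dry-run` calls discards the error text the dry run is meant to surface, leaving only the ERR trap's exit code and command. The HA invocation passes `charts/linkerd2` rather than `$rootdir/charts/linkerd2`, so it depends on the caller's working directory, and `$bindir` and `$rootdir` are unquoted throughout, which breaks on paths containing spaces.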
21 changes: 21 additions & 0 deletions charts/linkerd2/.helmignore
@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
11 changes: 11 additions & 0 deletions charts/linkerd2/Chart.yaml
@@ -0,0 +1,11 @@
apiVersion: "v1"
appVersion: edge-19.8.1
description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required.
home: https://linkerd.io
keywords:
- service-mesh
kubeVersion: ">=1.12.0-0"
name: "linkerd2"
sources:
- /~https://github.com/linkerd/linkerd2/
version: 0.1.0
6 changes: 6 additions & 0 deletions charts/linkerd2/requirements.lock
@@ -0,0 +1,6 @@
dependencies:
- name: partials
repository: file://../partials
version: 0.1.0
digest: sha256:3a86b96a2966f03ba04518723838b49719a3277dfb9bea0b3f067e83d370e0b3
generated: 2019-07-24T19:51:15.04322926-07:00
4 changes: 4 additions & 0 deletions charts/linkerd2/requirements.yaml
@@ -0,0 +1,4 @@
dependencies:
- name: partials
version: 0.1.0
repository: file://../partials
14 changes: 14 additions & 0 deletions charts/linkerd2/templates/NOTES.txt
@@ -0,0 +1,14 @@
Linkerd was successfully installed 🎉

Add the linkerd CLI to your path with:

export PATH=\$PATH:\$HOME/.linkerd2/bin

Now run:

linkerd check --pre # validate that Linkerd can be installed
linkerd install | kubectl apply -f - # install the control plane into the 'linkerd' namespace
linkerd check # validate everything worked!
linkerd dashboard # launch the dashboard

Looking for more? Visit https://linkerd.io/2/next-steps
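Review bot: The "Now run:" block is printed after `helm install` has already deployed the chart, yet it tells the user to run `linkerd check --pre` and `linkerd install | kubectl apply -f -`, which would apply a second, CLI-generated control plane over the Helm release. Drop those two lines and keep `linkerd check` and `linkerd dashboard`. Also, `export PATH=\$PATH:\$HOME/.linkerd2/bin` keeps its backslashes when Helm renders the notes, so the printed command sets PATH to a literal string when pasted; use plain `$PATH` and `$HOME`.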
22 changes: 22 additions & 0 deletions charts/linkerd2/templates/_affinity.tpl
@@ -0,0 +1,22 @@
{{ define "linkerd.pod-affinity" -}}
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ .Label }}
operator: In
values:
- {{ .Component }}
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: {{ .Label }}
operator: In
values:
- {{ .Component }}
topologyKey: kubernetes.io/hostname
{{- end }}
80 changes: 80 additions & 0 deletions charts/linkerd2/templates/_config.tpl
@@ -0,0 +1,80 @@
{{- define "linkerd.configs.global" -}}
{
"linkerdNamespace": "{{.Namespace}}",
"cniEnabled": false,
"version": "{{.LinkerdVersion}}",
"identityContext":{
"trustDomain": "{{.Identity.TrustDomain}}",
"trustAnchorsPem": "{{required "Please provide the identity trust anchors" .Identity.TrustAnchorsPEM | replace "\n" "\\n"}}",
"issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}",
"clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}"
},
"autoInjectContext": null,
"omitWebhookSideEffects": {{.OmitWebhookSideEffects}},
"clusterDomain": "{{.ClusterDomain}}"
}
{{- end -}}

{{- define "linkerd.configs.proxy" -}}
{
"proxyImage":{
"imageName":"{{.Proxy.Image.Name}}",
"pullPolicy":"{{.Proxy.Image.PullPolicy}}"
},
"proxyInitImage":{
"imageName":"{{.ProxyInit.Image.Name}}",
"pullPolicy":"{{.ProxyInit.Image.PullPolicy}}"
},
"controlPort":{
"port": {{.Proxy.Ports.Control}}
},
"ignoreInboundPorts":[
{{- $ports := splitList "," .ProxyInit.IgnoreInboundPorts -}}
{{- if gt (len $ports) 1}}
{{- $last := sub (len $ports) 1 -}}
{{- range $i,$port := $ports -}}
{"port":{{$port}}}{{ternary "," "" (ne $i $last)}}
{{- end -}}
{{- end -}}
],
"ignoreOutboundPorts":[
{{- $ports := splitList "," .ProxyInit.IgnoreOutboundPorts -}}
{{- if gt (len $ports) 1}}
{{- $last := sub (len $ports) 1 -}}
{{- range $i,$port := $ports -}}
{"port":{{$port}}}{{ternary "," "" (ne $i $last)}}
{{- end -}}
{{- end -}}
],
"inboundPort":{
"port": {{.Proxy.Ports.Inbound}}
},
"adminPort":{
"port": {{.Proxy.Ports.Admin}}
},
"outboundPort":{
"port": {{.Proxy.Ports.Outbound}}
},
"resource":{
"requestCpu": "{{.Proxy.Resources.CPU.Request}}",
"limitCpu": "{{.Proxy.Resources.CPU.Limit}}",
"requestMemory": "{{.Proxy.Resources.Memory.Request}}",
"limitMemory": "{{.Proxy.Resources.Memory.Limit}}"
},
"proxyUid": {{.Proxy.UID}},
"logLevel":{
"level": "{{.Proxy.LogLevel}}"
},
"disableExternalProfiles": {{not .Proxy.EnableExternalProfile}},
"proxyVersion": "{{.Proxy.Image.Version}}",
"proxyInitImageVersion": "{{.ProxyInit.Image.Version}}"
}
{{- end -}}

{{- define "linkerd.configs.install" -}}
{
"uuid":"{{ uuidv4 }}",
"cliVersion":"{{ .LinkerdVersion }}",
"flags":[]
}
{{- end -}}
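Review bot: In both `ignoreInboundPorts` and `ignoreOutboundPorts`, the guard `if gt (len $ports) 1` skips the `range` when exactly one port is configured, so a single value such as `4190` renders as an empty list and `linkerd-config` no longer reflects which ports bypass the proxy. `splitList` on an empty string also yields one element, so guard on the raw string being non-empty rather than on the list length. Separately, the string fields (`trustDomain`, `clusterDomain`, the image names and so on) are interpolated between literal quotes with no escaping beyond the `replace "\n" "\\n"` applied to the trust anchors; rendering them through `toJson` would keep a value containing a quote or backslash from producing malformed JSON.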
32 changes: 32 additions & 0 deletions charts/linkerd2/templates/_helpers.tpl
@@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "linkerd.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "linkerd.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "linkerd.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
9 changes: 9 additions & 0 deletions charts/linkerd2/templates/_validate.tpl
@@ -0,0 +1,9 @@
{{- define "linkerd.proxy.validation" -}}
{{- if .DisableIdentity -}}
{{- fail (printf "Can't disable identity mTLS for %s. Set '.Values.Proxy.DisableIdentity' to 'false'" .Component) -}}
{{- end -}}

{{- if .DisableTap -}}
{{- fail (printf "Can't disable tap for %s. Set '.Values.Proxy.DisableTap' to 'false'" .Component) -}}
{{- end -}}
{{- end -}}
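Review bot: `linkerd.proxy.validation` reads `.DisableIdentity`, `.DisableTap` and `.Component` from the top of whatever context it is given, while the failure messages point the user at `.Values.Proxy.DisableIdentity` and `.Values.Proxy.DisableTap`. Add a comment above the `define` stating the expected context shape, so that a caller passing `.Values` (where these keys sit under `Proxy`) does not silently skip both checks and leave a control plane component without identity mTLS.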
38 changes: 38 additions & 0 deletions charts/linkerd2/templates/config.yaml
@@ -0,0 +1,38 @@
{{with .Values -}}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-config
namespace: {{.Namespace}}
labels:
{{.ControllerComponentLabel}}: controller
{{.ControllerNamespaceLabel}}: {{.Namespace}}
annotations:
{{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
data:
global: |
{{- if .Configs -}}
{{- if .Configs.Global -}}
{{.Configs.Global}}
{{- end }}
{{- else -}}
{{- include "linkerd.configs.global" . | nindent 4}}
{{- end }}
proxy: |
{{- if .Configs -}}
{{- if .Configs.Proxy -}}
{{.Configs.Proxy}}
{{- end }}
{{- else -}}
{{- include "linkerd.configs.proxy" . | nindent 4}}
{{- end }}
install: |
{{- if .Configs -}}
{{- if .Configs.Install -}}
{{.Configs.Instal}}
{{- end }}
{{- else -}}
{{- include "linkerd.configs.install" . | nindent 4}}
{{- end }}
{{- end -}}
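Review bot: In the `install: |` branch, `{{.Configs.Instal}}` is a typo for `.Configs.Install`, so a user-supplied install config passes the `if .Configs.Install` guard but is never written into the ConfigMap. Separately, in all three keys the `else` that includes the default template belongs to the outer `if .Configs`, so supplying only one of `Configs.Global`, `Configs.Proxy` or `Configs.Install` leaves the other two keys empty instead of falling back to the `linkerd.configs.*` templates; make the fallback per key.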
55 changes: 55 additions & 0 deletions charts/linkerd2/templates/controller-rbac.yaml
@@ -0,0 +1,55 @@
{{with .Values -}}
---
###
### Controller RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-{{.Namespace}}-controller
labels:
{{.ControllerComponentLabel}}: controller
{{.ControllerNamespaceLabel}}: {{.Namespace}}
rules:
- apiGroups: ["extensions", "apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["jobs"]
verbs: ["list" , "get", "watch"]
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
resources: ["trafficsplits"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-{{.Namespace}}-controller
labels:
{{.ControllerComponentLabel}}: controller
{{.ControllerNamespaceLabel}}: {{.Namespace}}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-{{.Namespace}}-controller
subjects:
- kind: ServiceAccount
name: linkerd-controller
namespace: {{.Namespace}}
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-controller
namespace: {{.Namespace}}
labels:
{{.ControllerComponentLabel}}: controller
{{.ControllerNamespaceLabel}}: {{.Namespace}}
{{- end -}}
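Review bot: The file opens with `---`, a comment banner and a second `---`, which yields an empty leading YAML document; drop the first separator. In the `jobs` rule, `verbs: ["list" , "get", "watch"]` has a stray space before the comma that the other rules do not. Could you also confirm that the `extensions` API group is still needed for `jobs`, given the `kubeVersion: ">=1.12.0-0"` constraint in Chart.yaml? If it is not, removing it keeps the ClusterRole to the minimum the controller needs.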