Add Control Plane Helm Templates And Proxy Partials (#3146)
* Updated controller template with proxy partials
* Declare dependency in requirements.yaml
* Add partial template for proxy's metadata
* Add proxy-init partial template
* Script to lint Helm charts and update their dependencies
* Update partials chart Chart.yaml
* Add proxy-init and resource partial templates
* Replace hard coded namespace variable in proxy env var
* Ignore chart dependencies .tgz files
* Add missing fields and re-order YAML elements to match CLI output
* Reuse control plane's resource partial template in 'partials' chart
* Set the proxy's destination service address env var
* Add Grafana's template
* Update api version of controller RBAC
* Add Heartbeat template
* Remove duplicated resources partial template
* Add remainder control plane components templates
* Add template for the 'linkerd-config' config map
* Add debug container template
* Update proxy partial with 'disable-identity' and 'disable-tap' variables
  Note that these are inject-only variables. Also added the LINKERD2_PROXY_TAP_SVC_NAME env var.
* Add validation conditions to ensure identity and tap aren't disabled for control plane components
* Add partials for service account token mount path and security context capabilities
* Change proxy and proxy-init templates to use global scope
  Some of the nested variables are removed from values.yaml to ensure changes made to root-level variables are propagated directly into the partial templates. The previous approach of using YAML anchors in the values.yaml to share common values can get out-of-sync when values are changed via the Helm's `--set` option.
* Update templates and values file to match #3161
* Perform a dry run installation if there is a local Tiller
* Reorder JSON elements in linkerd-config
* Re-adjust nested partials indentation to work with inject 'patch' chart
  Previously, the partials will render their content as an element in the list. While it works for installation, the toJson function in the 'inject' patch code ends up converting it into a JSON list, instead of the expected JSON object.
* Trap the last fail command in the Helm shell script
* Add the identity trust anchor
* Address Thomas' feedback on handling HA
  All the HA-related variables are moved to values-ha.yaml
* Convert ignore ports string to JSON list in linkerd-config
  Also fixed some indentation issues.
* Add values-ha.yaml
* Include the service account token mount path only if identity is enabled
* Fixed malformed JSON in linkerd-config config map
* Rename chart to 'linkerd2'
* Add NOTES.txt
* Fix incorrect variable path in proxy template
* Remove fake TLS assets
* Add 'required' constraint to identity trust anchors variable
* Update tap templates per #3167
* Bump default version to edge-19.8.1 due to dependency on RSA support

Signed-off-by: Ivan Sim <ivan@buoyant.io>
Showing 48 changed files with 2,492 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,3 +14,4 @@ web/app/yarn-error.log | |
.golangci-lint* | ||
**/*.gogen* | ||
**/*.swp | ||
charts/*/charts/ |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
#!/bin/bash | ||
|
||
set -e | ||
|
||
# trap the last failed command | ||
trap 'printf "Error on exit:\n Exit code: $?\n Failed command: \"$BASH_COMMAND\"\n"' ERR | ||
|
||
bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
rootdir="$( cd $bindir/.. && pwd )" | ||
|
||
helm lint $rootdir/charts/partials | ||
|
||
helm dep up $rootdir/charts/linkerd2 | ||
helm lint --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2 | ||
|
||
# if tiller is deployed, perform a dry run installation to check for errors | ||
if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then | ||
echo "Performing dry run installation" | ||
helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2 2> /dev/null | ||
|
||
echo "Performing dry run installation (HA mode)" | ||
helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" -f $rootdir/charts/linkerd2/values.yaml -f $rootdir/charts/linkerd2/values-ha.yaml charts/linkerd2 2> /dev/null | ||
fi |
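Review bot: The HA dry run on the last `helm install` line passes the chart as the relative path `charts/linkerd2`, while every other invocation uses `$rootdir/charts/linkerd2`, so that step only works when the script is started from the repository root; use `$rootdir/charts/linkerd2` there too. The Tiller check is also weaker than it reads: `kubectl get po -l app=helm,name=tiller --all-namespaces` exits 0 when the selector matches nothing, so the `if` branch is taken whenever the API server is reachable, and the `tiller` variable is assigned but never read. Both dry runs send stderr to `/dev/null`, which leaves only the ERR trap's exit code to go on when a render fails; consider dropping the redirect and quoting the `$rootdir` and `$bindir` expansions.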
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: "v1" | ||
appVersion: edge-19.8.1 | ||
description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required. | ||
home: https://linkerd.io | ||
keywords: | ||
- service-mesh | ||
kubeVersion: ">=1.12.0-0" | ||
name: "linkerd2" | ||
sources: | ||
- /~https://github.com/linkerd/linkerd2/ | ||
version: 0.1.0 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
dependencies: | ||
- name: partials | ||
repository: file://../partials | ||
version: 0.1.0 | ||
digest: sha256:3a86b96a2966f03ba04518723838b49719a3277dfb9bea0b3f067e83d370e0b3 | ||
generated: 2019-07-24T19:51:15.04322926-07:00 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
dependencies: | ||
- name: partials | ||
version: 0.1.0 | ||
repository: file://../partials |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
Linkerd was successfully installed 🎉 | ||
|
||
Add the linkerd CLI to your path with: | ||
|
||
export PATH=\$PATH:\$HOME/.linkerd2/bin | ||
|
||
Now run: | ||
|
||
linkerd check --pre # validate that Linkerd can be installed | ||
linkerd install | kubectl apply -f - # install the control plane into the 'linkerd' namespace | ||
linkerd check # validate everything worked! | ||
linkerd dashboard # launch the dashboard | ||
|
||
Looking for more? Visit https://linkerd.io/2/next-steps |
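Review bot: The "Now run" block tells someone who has just installed the chart to run `linkerd install | kubectl apply -f -`, which applies the CLI-generated control plane on top of the release Helm has just created; for a Helm release the notes should keep only `linkerd check` and `linkerd dashboard`, and `linkerd check --pre` belongs before the install rather than after it. The backslashes in `export PATH=\$PATH:\$HOME/.linkerd2/bin` are not needed either, since Helm only interprets `{{ }}` actions and will print the backslashes literally.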
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
{{ define "linkerd.pod-affinity" -}} | ||
affinity: | ||
podAntiAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- podAffinityTerm: | ||
labelSelector: | ||
matchExpressions: | ||
- key: {{ .Label }} | ||
operator: In | ||
values: | ||
- {{ .Component }} | ||
topologyKey: failure-domain.beta.kubernetes.io/zone | ||
weight: 100 | ||
requiredDuringSchedulingIgnoredDuringExecution: | ||
- labelSelector: | ||
matchExpressions: | ||
- key: {{ .Label }} | ||
operator: In | ||
values: | ||
- {{ .Component }} | ||
topologyKey: kubernetes.io/hostname | ||
{{- end }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
{{- define "linkerd.configs.global" -}} | ||
{ | ||
"linkerdNamespace": "{{.Namespace}}", | ||
"cniEnabled": false, | ||
"version": "{{.LinkerdVersion}}", | ||
"identityContext":{ | ||
"trustDomain": "{{.Identity.TrustDomain}}", | ||
"trustAnchorsPem": "{{required "Please provide the identity trust anchors" .Identity.TrustAnchorsPEM | replace "\n" "\\n"}}", | ||
"issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}", | ||
"clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}" | ||
}, | ||
"autoInjectContext": null, | ||
"omitWebhookSideEffects": {{.OmitWebhookSideEffects}}, | ||
"clusterDomain": "{{.ClusterDomain}}" | ||
} | ||
{{- end -}} | ||
|
||
{{- define "linkerd.configs.proxy" -}} | ||
{ | ||
"proxyImage":{ | ||
"imageName":"{{.Proxy.Image.Name}}", | ||
"pullPolicy":"{{.Proxy.Image.PullPolicy}}" | ||
}, | ||
"proxyInitImage":{ | ||
"imageName":"{{.ProxyInit.Image.Name}}", | ||
"pullPolicy":"{{.ProxyInit.Image.PullPolicy}}" | ||
}, | ||
"controlPort":{ | ||
"port": {{.Proxy.Ports.Control}} | ||
}, | ||
"ignoreInboundPorts":[ | ||
{{- $ports := splitList "," .ProxyInit.IgnoreInboundPorts -}} | ||
{{- if gt (len $ports) 1}} | ||
{{- $last := sub (len $ports) 1 -}} | ||
{{- range $i,$port := $ports -}} | ||
{"port":{{$port}}}{{ternary "," "" (ne $i $last)}} | ||
{{- end -}} | ||
{{- end -}} | ||
], | ||
"ignoreOutboundPorts":[ | ||
{{- $ports := splitList "," .ProxyInit.IgnoreOutboundPorts -}} | ||
{{- if gt (len $ports) 1}} | ||
{{- $last := sub (len $ports) 1 -}} | ||
{{- range $i,$port := $ports -}} | ||
{"port":{{$port}}}{{ternary "," "" (ne $i $last)}} | ||
{{- end -}} | ||
{{- end -}} | ||
], | ||
"inboundPort":{ | ||
"port": {{.Proxy.Ports.Inbound}} | ||
}, | ||
"adminPort":{ | ||
"port": {{.Proxy.Ports.Admin}} | ||
}, | ||
"outboundPort":{ | ||
"port": {{.Proxy.Ports.Outbound}} | ||
}, | ||
"resource":{ | ||
"requestCpu": "{{.Proxy.Resources.CPU.Request}}", | ||
"limitCpu": "{{.Proxy.Resources.CPU.Limit}}", | ||
"requestMemory": "{{.Proxy.Resources.Memory.Request}}", | ||
"limitMemory": "{{.Proxy.Resources.Memory.Limit}}" | ||
}, | ||
"proxyUid": {{.Proxy.UID}}, | ||
"logLevel":{ | ||
"level": "{{.Proxy.LogLevel}}" | ||
}, | ||
"disableExternalProfiles": {{not .Proxy.EnableExternalProfile}}, | ||
"proxyVersion": "{{.Proxy.Image.Version}}", | ||
"proxyInitImageVersion": "{{.ProxyInit.Image.Version}}" | ||
} | ||
{{- end -}} | ||
|
||
{{- define "linkerd.configs.install" -}} | ||
{ | ||
"uuid":"{{ uuidv4 }}", | ||
"cliVersion":"{{ .LinkerdVersion }}", | ||
"flags":[] | ||
} | ||
{{- end -}} |
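Review bot: In both `ignoreInboundPorts` and `ignoreOutboundPorts` the guard `{{- if gt (len $ports) 1}}` drops a single-port value: splitting a value with one port (for example `4190`) gives a list of length 1, so the array renders as `[]` and that port is silently not ignored. The guard appears to be there because splitting an empty string also yields one element; test the string itself instead, for example `{{- if .ProxyInit.IgnoreInboundPorts }}`, and then range over the split result. Separately, only `trustAnchorsPem` gets any escaping; the other string values are interpolated straight between quotes, so a value containing `"` or a backslash produces invalid JSON in `linkerd-config`. `{{ uuidv4 }}` in `linkerd.configs.install` also yields a new install UUID on every render, upgrades included, which is worth a comment if it is intended.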
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "linkerd.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "linkerd.fullname" -}} | ||
{{- if .Values.fullnameOverride -}} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- if contains $name .Release.Name -}} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "linkerd.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
{{- define "linkerd.proxy.validation" -}} | ||
{{- if .DisableIdentity -}} | ||
{{- fail (printf "Can't disable identity mTLS for %s. Set '.Values.Proxy.DisableIdentity' to 'false'" .Component) -}} | ||
{{- end -}} | ||
|
||
{{- if .DisableTap -}} | ||
{{- fail (printf "Can't disable tap for %s. Set '.Values.Proxy.DisableTap' to 'false'" .Component) -}} | ||
{{- end -}} | ||
{{- end -}} |
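Review bot: `linkerd.proxy.validation` reads `.DisableIdentity`, `.DisableTap` and `.Component` from whatever scope the caller passes in, while the failure messages point the user at `.Values.Proxy.DisableIdentity` and `.Values.Proxy.DisableTap`; nothing documents that mapping. Add a `{{/* ... */}}` comment above the `define` listing the keys the caller must supply, because a caller that passes a scope without those keys gets falsy values and skips both checks without any error.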
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
{{with .Values -}} | ||
--- | ||
kind: ConfigMap | ||
apiVersion: v1 | ||
metadata: | ||
name: linkerd-config | ||
namespace: {{.Namespace}} | ||
labels: | ||
{{.ControllerComponentLabel}}: controller | ||
{{.ControllerNamespaceLabel}}: {{.Namespace}} | ||
annotations: | ||
{{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} | ||
data: | ||
global: | | ||
{{- if .Configs -}} | ||
{{- if .Configs.Global -}} | ||
{{.Configs.Global}} | ||
{{- end }} | ||
{{- else -}} | ||
{{- include "linkerd.configs.global" . | nindent 4}} | ||
{{- end }} | ||
proxy: | | ||
{{- if .Configs -}} | ||
{{- if .Configs.Proxy -}} | ||
{{.Configs.Proxy}} | ||
{{- end }} | ||
{{- else -}} | ||
{{- include "linkerd.configs.proxy" . | nindent 4}} | ||
{{- end }} | ||
install: | | ||
{{- if .Configs -}} | ||
{{- if .Configs.Install -}} | ||
{{.Configs.Instal}} | ||
{{- end }} | ||
{{- else -}} | ||
{{- include "linkerd.configs.install" . | nindent 4}} | ||
{{- end }} | ||
{{- end -}} |
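Review bot: In the `install:` block the condition tests `.Configs.Install` but the body renders `{{.Configs.Instal}}`, a misspelled key, so a supplied install config is never emitted; change it to `{{.Configs.Install}}`. The three blocks also fall back to the `include` only when `.Configs` is unset altogether: if `.Configs` is provided with only `Global`, then `proxy` and `install` render empty instead of using `linkerd.configs.proxy` and `linkerd.configs.install`. Nesting the default under each key's own `else` would avoid that.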
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
{{with .Values -}} | ||
--- | ||
### | ||
### Controller RBAC | ||
### | ||
--- | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: linkerd-{{.Namespace}}-controller | ||
labels: | ||
{{.ControllerComponentLabel}}: controller | ||
{{.ControllerNamespaceLabel}}: {{.Namespace}} | ||
rules: | ||
- apiGroups: ["extensions", "apps"] | ||
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] | ||
verbs: ["list", "get", "watch"] | ||
- apiGroups: ["extensions", "batch"] | ||
resources: ["jobs"] | ||
verbs: ["list" , "get", "watch"] | ||
- apiGroups: [""] | ||
resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] | ||
verbs: ["list", "get", "watch"] | ||
- apiGroups: ["linkerd.io"] | ||
resources: ["serviceprofiles"] | ||
verbs: ["list", "get", "watch"] | ||
- apiGroups: ["split.smi-spec.io"] | ||
resources: ["trafficsplits"] | ||
verbs: ["list", "get", "watch"] | ||
--- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: linkerd-{{.Namespace}}-controller | ||
labels: | ||
{{.ControllerComponentLabel}}: controller | ||
{{.ControllerNamespaceLabel}}: {{.Namespace}} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: linkerd-{{.Namespace}}-controller | ||
subjects: | ||
- kind: ServiceAccount | ||
name: linkerd-controller | ||
namespace: {{.Namespace}} | ||
--- | ||
kind: ServiceAccount | ||
apiVersion: v1 | ||
metadata: | ||
name: linkerd-controller | ||
namespace: {{.Namespace}} | ||
labels: | ||
{{.ControllerComponentLabel}}: controller | ||
{{.ControllerNamespaceLabel}}: {{.Namespace}} | ||
{{- end -}} |