Add reinitialize-pods controller to linkerd-cni DaemonSet

Followup to linkerd/linkerd2-proxy-init#306
Fixes #11073

This adds the `reinitialize-pods` container to the `linkerd-cni`
DaemonSet, along with its config in `values.yaml`.

Also the `linkerd-cni`'s version is bumped, to contain the new binary
for this controller.

## TO-DOs

- Integration test

charts/linkerd2-cni/templates/cni-plugin.yaml

@@ -112,6 +112,9 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "nodes", "namespaces", "services"]
   verbs: ["list", "get", "watch"]
+- apiGroups: [""]
+  resources: ["pods/eviction"]
+  verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -274,6 +277,54 @@ spec:
         {{- if .Values.resources }}
         {{- include "partials.resources" .Values.resources | nindent 8 }}
         {{- end }}
+      # This container watches over pods whose linkerd-network-validator
+      # container failed, probably because of a race condition while setting up
+      # the CNI plugin chain, and evicts those pods so they can try acquiring a
+      # proper network config again
+      - name: reinitialize-pods
+        image: {{ .Values.reinitializePods.image.name -}}:{{- .Values.reinitializePods.image.version }}
+        imagePullPolicy: {{ .Values.reinitializePods.image.pullPolicy }}
+        {{- if .Values.reinitializePods.enableSecurityContext }}
+        env:
+        - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        command:
+          - /usr/lib/linkerd/linkerd-reinitialize-pods
+        args:
+          - --admin-addr=0.0.0.0:9990
+          - --log-format
+          - {{ .Values.reinitializePods.logFormat }}
+          - --log-level
+          - {{ .Values.reinitializePods.logLevel }}
+        livenessProbe:
+          httpGet:
+            path: /live
+            port: admin-http
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: admin-http
+          initialDelaySeconds: 10
+        ports:
+        - containerPort: 9990
+          name: admin-http
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+        {{- end }}
+        {{- if .Values.resources }}
+        {{- include "partials.resources" .Values.resources | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-cluster-critical
       volumes:
       {{- if ne .Values.destCNIBinDir .Values.destCNINetDir }}
       - name: cni-bin-dir

charts/linkerd2-cni/values.yaml

@@ -53,7 +53,7 @@ image:
   # -- Docker image for the CNI plugin
   name: "cr.l5d.io/linkerd/cni-plugin"
   # -- Tag for the CNI container Docker image
-  version: "v1.2.2"
+  version: "v1.3.0"
   # -- Pull policy for the linkerd-cni container
   pullPolicy: IfNotPresent
 
@@ -86,7 +86,7 @@ extraInitContainers: []
 #     - mountPath: /host/etc/cni/net.d
 #       name: cni-net-dir
 
-# -- Resource requests and limits for linkerd-cni daemonset containers
+# -- Resource requests and limits for linkerd-cni daemonset container
 resources:
   cpu:
     # -- Maximum amount of CPU units that the cni container can use
@@ -103,3 +103,39 @@ resources:
     limit: ""
     # -- Amount of ephemeral storage that the cni container requests
     request: ""
+
+reinitializePods:
+  image:
+    # -- Docker image for the reinitialize-pods container
+    name: "cr.l5d.io/linkerd/cni-plugin"
+    # -- Tag for the reinitialize-pods container Docker image
+    version: "v1.3.0"
+    # -- Pull policy for the reinitialize-pods container
+    pullPolicy: IfNotPresent
+
+  # -- Log level for the reinitialize-pods container
+  # @default -- info
+  logLevel: info
+  # -- Log format (`plain` or `json`) for the reinitialize-pods container
+  # @default -- plain
+  logFormat: plain
+
+  # -- Include a securityContext in the reinitialize-pods container
+  enableSecurityContext: true
+
+  resources:
+    cpu:
+      # -- Maximum amount of CPU units that the reinitialize-pods container can use
+      limit: ""
+      # -- Amount of CPU units that the reinitialize-pods container requests
+      request: ""
+    memory:
+      # -- Maximum amount of memory that the reinitialize-pods container can use
+      limit: ""
+      # -- Amount of memory that the reinitialize-pods container requests
+      request: ""
+    ephemeral-storage:
+      # -- Maximum amount of ephemeral storage that the reinitialize-pods container can use
+      limit: ""
+      # -- Amount of ephemeral storage that the reinitialize-pods container requests
+      request: ""

pkg/charts/cni/values.go

@@ -35,6 +35,15 @@ type Resources struct {
 	EphemeralStorage Constraints `json:"ephemeral-storage"`
 }
 
+// ReinitializePods contains the config for the reinitialize-pods container
+type ReinitializePods struct {
+	Image                 Image     `json:"image"`
+	LogLevel              string    `json:"logLevel"`
+	LogFormat             string    `json:"logFormat"`
+	EnableSecurityContext bool      `json:"enableSecurityContext"`
+	Resources             Resources `json:"resources"`
+}
+
 // Values contains the top-level elements in the cni Helm chart
 type Values struct {
 	InboundProxyPort    uint                `json:"inboundProxyPort"`
@@ -60,6 +69,7 @@ type Values struct {
 	EnablePSP           bool                `json:"enablePSP"`
 	Privileged          bool                `json:"privileged"`
 	Resources           Resources           `json:"resources"`
+	ReinitializePods    ReinitializePods    `json:"reinitializePods"`
 }
 
 // NewValues returns a new instance of the Values type.