Change proxy and proxy-init templates to use global scope

Some of the nested variables are removed from values.yaml to ensure changes
made to root-level variables are propagated directly into the partial
templates. The previous approach of using YAML anchors in the
values.yaml to share common values can get out-of-sync when values are
changed via the Helm's `--set` option.

Signed-off-by: Ivan Sim <ivan@buoyant.io>

charts/linkerd/templates/_config.tpl

@@ -0,0 +1,64 @@
+{{- define "linkerd.configs.global" -}}
+{
+  "autoInjectContext": null,
+  "clusterDomain": "{{.ClusterDomain}}",
+  "cniEnabled": {{.CNIEnabled}},
+  "identityContext":{
+    "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}",
+    "issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}",
+    "trustAnchorsPem": "{{.Identity.Issuer.CrtPEM}}",
+    "trustDomain": "{{.TrustDomain}}"
+  },
+  "linkerdNamespace": "{{.Namespace}}",
+  "omitWebhookSideEffects": {{.OmitWebhookSideEffects}},
+  "version": "{{.LinkerdVersion}}"
+}
+{{- end -}}
+
+{{- define "linkerd.configs.proxy" -}}
+{
+  "adminPort":{
+    "port": {{.Proxy.Port.Admin}}
+  },
+  "controlPort":{
+    "port": {{.Proxy.Port.Control}}
+  },
+  "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}},
+  "ignoreInboundPorts": {{splitList "," .ProxyInit.IgnoreInboundPorts}},
+  "ignoreOutboundPorts": {{splitList "," .ProxyInit.IgnoreOutboundPorts}},
+  "inboundPort":{
+    "port": {{.Proxy.Port.Inbound}}
+  },
+  "logLevel":{
+    "level": "{{.Proxy.LogLevel}}"
+  },
+  "outboundPort":{
+    "port": {{.Proxy.Port.Outbound}}
+  },
+  "proxyImage":{
+    "imageName":"{{.Proxy.Image.Name}}",
+    "pullPolicy":"{{.Proxy.Image.PullPolicy}}"
+  },
+  "proxyInitImage":{
+    "imageName":"{{.ProxyInit.Image.Name}}",
+    "pullPolicy":"{{.ProxyInit.Image.PullPolicy}}"
+  },
+  "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}",
+  "proxyUid": {{.Proxy.UID}},
+  "proxyVersion": "{{.Proxy.Image.Version}}",
+  "resource":{
+    "limitCpu": "{{.Proxy.ResourceRequirements.CPU.Limit}}",
+    "limitMemory": "{{.Proxy.ResourceRequirements.Memory.Limit}}",
+    "requestCpu": "{{.Proxy.ResourceRequirements.CPU.Request}}",
+    "requestMemory": "{{.Proxy.ResourceRequirements.Memory.Request}}"
+  }
+}
+{{- end -}}
+
+{{- define "linkerd.configs.install" -}}
+{
+  "uuid":"{{ uuidv4 }}",
+  "cliVersion":"{{ .LinkerdVersion }}",
+  "flags":[]
+}
+{{- end -}}

charts/linkerd/templates/config.yaml

@@ -1,7 +1,4 @@
 {{with .Values -}}
-{{- if empty .Configs -}}
-{{- fail ".Configs must be defined and non-empty" -}}
-{{- end -}}
 ---
 kind: ConfigMap
 apiVersion: v1
@@ -15,13 +12,27 @@ metadata:
     {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
 data:
   global: |
-    {{- toJson (required ".Configs.Global must be non-empty" .Configs.Global) | nindent 4 }}
+  {{- if .Configs -}}
+  {{- if .Configs.Global -}}
+  {{.Configs.Global}}
+  {{- end }}
+  {{- else -}}
+  {{- include "linkerd.configs.global" . | nindent 4}}
+  {{- end }}
   proxy: |
-    {{- toJson (required ".Configs.Proxy must be non-empty" .Configs.Proxy) | nindent 4 }}
+  {{- if .Configs -}}
+  {{- if .Configs.Proxy -}}
+  {{.Configs.Proxy}}
+  {{- end }}
+  {{- else -}}
+  {{- include "linkerd.configs.proxy" . | nindent 4}}
+  {{- end }}
   install: |
+  {{- if .Configs -}}
   {{- if .Configs.Install -}}
-    {{- toJson .Configs.Install | nindent 4 }}
-  {{ else }}
-    {"uuid":"{{ uuidv4  }}","cliVersion":"{{.LinkerdVersion}}", "flags":[]}
-  {{- end -}}
+  {{.Configs.Instal}}
+  {{- end }}
+  {{- else -}}
+  {{- include "linkerd.configs.install" . | nindent 4}}
+  {{- end }}
 {{- end -}}

charts/linkerd/templates/controller.yaml

@@ -144,9 +144,9 @@ spec:
         volumeMounts:
         - mountPath: /var/run/linkerd/config
           name: config
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-controller
       volumes:
       - configMap:

charts/linkerd/templates/grafana.yaml

@@ -146,9 +146,9 @@ spec:
         - mountPath: /etc/grafana
           name: grafana-config
           readOnly: true
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-grafana
       volumes:
       - emptyDir: {}

charts/linkerd/templates/identity.yaml

@@ -112,9 +112,9 @@ spec:
           name: config
         - mountPath: /var/run/linkerd/identity/issuer
           name: identity-issuer
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-identity
       volumes:
       - configMap:

charts/linkerd/templates/prometheus.yaml

@@ -180,9 +180,9 @@ spec:
         - mountPath: /etc/prometheus
           name: prometheus-config
           readOnly: true
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-prometheus
       volumes:
       - emptyDir: {}

charts/linkerd/templates/proxy-injector.yaml

@@ -74,9 +74,9 @@ spec:
         - mountPath: /var/run/linkerd/tls
           name: tls
           readOnly: true
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-proxy-injector
       volumes:
       - configMap:

charts/linkerd/templates/sp-validator.yaml

@@ -91,9 +91,9 @@ spec:
         - mountPath: /var/run/linkerd/tls
           name: tls
           readOnly: true
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-sp-validator
       volumes:
       - name: tls

charts/linkerd/templates/tap.yaml

@@ -88,9 +88,9 @@ spec:
         {{- end }}
         securityContext:
           runAsUser: {{.ControllerUID}}
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-tap
       volumes:
       {{- include "partials.proxy.volumes.identity" . | nindent 6 -}}

charts/linkerd/templates/web.yaml

@@ -91,9 +91,9 @@ spec:
         volumeMounts:
         - mountPath: /var/run/linkerd/config
           name: config
-      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      {{- include "partials.proxy" . | nindent 6 -}}
       initContainers:
-      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      {{- include "partials.proxy-init" . | nindent 6 }}
       serviceAccountName: linkerd-web
       volumes:
       - configMap:

charts/linkerd/values.yaml

@@ -3,13 +3,13 @@
 # Declare variables to be passed into your templates.
 
 ClusterDomain: &cluster_domain cluster.local
-CNIEnabled: &cni_enabled false # not supported in Linkerd 2.5
+CNIEnabled: false # not supported in Linkerd 2.5
 EnableH2Upgrade: true
-HighAvailability: &high_availability false
+HighAvailability: false
 ImagePullPolicy: &image_pull_policy IfNotPresent
 LinkerdVersion: &linkerd_version stable-2.4.0
-Namespace: &namespace linkerd
-OmitWebhookSideEffects: &omit_webhook_side_effects false
+Namespace: linkerd
+OmitWebhookSideEffects: false
 
 # controller configuration
 ControllerImage: gcr.io/linkerd-io/controller
@@ -31,8 +31,10 @@ PublicAPIResources:
 # identity configuration
 Identity:
   Issuer:
+    ClockSkewAllowance: 20s
+
     # PEM encoded certificate
-    CrtPEM: &identity_issuer_crt |
+    CrtPEM: |
       -----BEGIN CERTIFICATE-----
       MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0
       eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1
@@ -49,6 +51,8 @@ Identity:
     CrtExpiry: 2020-07-25T03:17:08Z
     CrtExpiryAnnotation: linkerd.io/identity-issuer-expiry
 
+    IssuanceLifeTime: 86400s
+
     # PEM encode ECDSA private key
     KeyPEM: |
       -----BEGIN EC PRIVATE KEY-----
@@ -83,34 +87,28 @@ Proxy:
   Capabilities:
     Add:
     Drop:
-  ClusterDomain: *cluster_domain
-  ControlPlaneNamespace: *namespace
   EnableExternalProfile: false
-  HighAvailability: *high_availability
-  Identity:
-    TrustDomain: *cluster_domain
-    TrustAnchors: *identity_issuer_crt
   Image:
-    Name: &proxy_image_name gcr.io/linkerd-io/proxy
+    Name: gcr.io/linkerd-io/proxy
     PullPolicy: *image_pull_policy
     Version: *linkerd_version
-  LogLevel: &proxy_log_level warn,linkerd2_proxy=info
+  LogLevel: warn,linkerd2_proxy=info
   MountPaths:
-  Port: &proxy_ports
-    Admin: &proxy_port_admin 4191
-    Control: &proxy_port_control 4190
-    Inbound: &proxy_port_inbound 4143
-    Outbound: &proxy_port_outbound 4140
-  UID: &proxy_uid 2102
+  Port:
+    Admin: 4191
+    Control: 4190
+    Inbound: 4143
+    Outbound: 4140
+  UID: 2102
 
   # use this to override the default resource requirements in HA mode
   ResourceRequirements:
     CPU:
-      Limit: &proxy_cpu_limit "1"
-      Request: &proxy_cpu_request 100m
+      Limit: "1"
+      Request: 100m
     Memory:
-      Limit: &proxy_memory_limit 250Mi
-      Request: &proxy_memory_request 20Mi
+      Limit: 250Mi
+      Request: 20Mi
 
   # inject-only options. Do not change this for control plane installation
   DisableIdentity: false
@@ -122,15 +120,12 @@ ProxyInit:
     Add:
     Drop:
   Image:
-    Name: &proxy_init_image_name gcr.io/linkerd-io/proxy-init
+    Name: gcr.io/linkerd-io/proxy-init
     PullPolicy: *image_pull_policy
-    Version: &proxy_init_image_version v1.0.0
-  Proxy:
-    Port:
-      <<: *proxy_ports
-      IgnoreInboundPorts: ""
-      IgnoreOutboundPorts: "443"
-    UID: *proxy_uid
+    Version: v1.0.0
+  IgnoreInboundPorts: ""
+  IgnoreOutboundPorts: "443"
+  MountPath:
 
   # use this to override the default resource requirements in HA mode
   ResourceRequirements:
@@ -158,46 +153,6 @@ WebImage: gcr.io/linkerd-io/web
 WebResources:
   <<: *controller_resources
 
-# linkerd-config config map data
-Configs:
-  Global:
-    clusterDomain: *cluster_domain
-    cniEnabled: *cni_enabled
-    identityContext:
-      trustAnchorsPem": *identity_issuer_crt
-      trustDomain: *cluster_domain
-    linkerdNamespace: *namespace
-    omitWebhookSideEffects: *omit_webhook_side_effects
-    version: *linkerd_version
-  Proxy:
-    adminPort:
-      port: *proxy_port_admin
-    controlPort:
-      port: *proxy_port_control
-    ignoreInboundPorts: []
-    ignoreOutboundPorts: []
-    inboundPort:
-      port: *proxy_port_inbound
-    logLevel:
-      level: *proxy_log_level
-    outboundPort:
-      port: *proxy_port_outbound
-    proxyImage:
-      imageName: *proxy_image_name
-      pullPolicy: *image_pull_policy
-    proxyInitImage:
-      imageName: *proxy_init_image_name
-      pullPolicy: *image_pull_policy
-    proxyInitImageVersion: *proxy_init_image_version
-    proxyUid: *proxy_uid
-    proxyVersion: *linkerd_version
-    resource:
-      limitCpu: *proxy_cpu_limit
-      limitMemory: *proxy_memory_limit
-      requestCpu: *proxy_cpu_request
-      requestMemory: *proxy_memory_request
-    disableExternalProfiles: true
-
 # annotations
 CreatedByAnnotation: linkerd.io/created-by
 ProxyInjectAnnotation: linkerd.io/inject