feat: add default-inbound-policy to inject flags (#7428)

PR #6750 adds the config.linkerd.io/default-inbound-policy annotation for setting the default inbound policy for an injected proxy.

This commit adds support for a default-inbound-policy flag in makeProxyFlags so that it can be set with the linkerd inject command.

Closes #6754

Signed-off-by: ahmedalhulaibi <ahmed.alhulaibi41@gmail.com>

cli/cmd/inject.go

@@ -486,6 +486,10 @@ func getOverrideAnnotations(values *charts.Values, base *charts.Values) map[stri
 		}
 	}
 
+	if proxy.DefaultInboundPolicy != baseProxy.DefaultInboundPolicy {
+		overrideAnnotations[k8s.ProxyDefaultInboundPolicyAnnotation] = proxy.DefaultInboundPolicy
+	}
+
 	// Set fields that can't be converted into annotations
 	values.Namespace = controlPlaneNamespace
 

cli/cmd/inject_test.go

@@ -310,6 +310,28 @@ func TestUninjectAndInject(t *testing.T) {
 			injectProxy:      true,
 			testInjectConfig: ingressConfig,
 		},
+		{
+			inputFileName:  "inject_emojivoto_deployment.input.yml",
+			goldenFileName: "inject_emojivoto_deployment_default_inbound_policy.golden.yml",
+			reportFileName: "inject_emojivoto_deployment_default_inbound_policy.golden.report",
+			injectProxy:    false,
+			testInjectConfig: func() *linkerd2.Values {
+				values := defaultConfig()
+				values.Proxy.DefaultInboundPolicy = k8s.AllAuthenticated
+				return values
+			}(),
+		},
+		{
+			inputFileName:  "inject_emojivoto_pod.input.yml",
+			goldenFileName: "inject_emojivoto_pod_default_inbound_policy.golden.yml",
+			reportFileName: "inject_emojivoto_pod_default_inbound_policy.golden.report",
+			injectProxy:    false,
+			testInjectConfig: func() *linkerd2.Values {
+				values := defaultConfig()
+				values.Proxy.DefaultInboundPolicy = k8s.AllAuthenticated
+				return values
+			}(),
+		},
 	}
 
 	for i, tc := range testCases {

cli/cmd/options.go

@@ -397,6 +397,12 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
 				return nil
 			}),
 
+		flag.NewStringFlag(proxyFlags, "default-inbound-policy", defaults.Proxy.DefaultInboundPolicy, "Inbound policy to use to control inbound access to the proxy",
+			func(values *l5dcharts.Values, value string) error {
+				values.Proxy.DefaultInboundPolicy = value
+				return nil
+			}),
+
 		// Deprecated flags
 
 		flag.NewStringFlag(proxyFlags, "proxy-memory", defaults.Proxy.Resources.Memory.Request, "Amount of Memory that the proxy sidecar requests",

cli/cmd/testdata/inject_emojivoto_deployment_default_inbound_policy.golden.report

@@ -0,0 +1,3 @@
+
+deployment "web" injected
+

cli/cmd/testdata/inject_emojivoto_deployment_default_inbound_policy.golden.report.verbose

@@ -0,0 +1,10 @@
+
+√ pods do not use host networking
+√ pods do not have a 3rd party proxy or initContainer already injected
+√ pods are not annotated to disable injection
+√ at least one resource can be injected or annotated
+√ pod specs do not include UDP ports
+√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
+
+deployment "web" injected
+

cli/cmd/testdata/inject_emojivoto_pod_default_inbound_policy.golden.report

@@ -0,0 +1,3 @@
+
+pod "vote-bot" injected
+

cli/cmd/testdata/inject_emojivoto_pod_default_inbound_policy.golden.report.verbose

@@ -0,0 +1,10 @@
+
+√ pods do not use host networking
+√ pods do not have a 3rd party proxy or initContainer already injected
+√ pods are not annotated to disable injection
+√ at least one resource can be injected or annotated
+√ pod specs do not include UDP ports
+√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
+
+pod "vote-bot" injected
+