jaeger and viz helm charts install resources in default namespace #10043
Labels
Comments
joebowbeer
changed the title
joebowbeer
referenced
this issue
Dec 22, 2022
…inkerd-control-plane` (#6635) Fixes #6584 #6620 #7405 # Namespace Removal With this change, the `namespace.yaml` template is rendered only for CLI installs and not Helm, and likewise the `namespace:` entry in the namespace-level objects (using a new `partials.namespace` helper). The `installNamespace` and `namespace` entries in `values.yaml` have been removed. There in the templates where the namespace is required, we moved from `.Values.namespace` to `.Release.Namespace` which is filled-in automatically by Helm. For the CLI, `install.go` now explicitly defines the contents of the `Release` map alongside `Values`. The proxy-injector has a new `linkerd-namespace` argument given the namespace is no longer persisted in the `linkerd-config` ConfigMap, so it has to be passed in. To pass it further down to `injector.Inject()` without modifying the `Handler` signature, a closure was used. ------------ Update: Merged-in #6638: Similar changes for the `linkerd-viz` chart: Stop rendering `namespace.yaml` in the `linkerd-viz` chart. The additional change here is the addition of the `namespace-metadata.yaml` template (and its RBAC), _not_ rendered in CLI installs, which is a Helm `post-install` hook, consisting on a Job that executes a script adding the required annotations and labels to the viz namespace using a PATCH request against kube-api. The script first checks if the namespace doesn't already have an annotations/labels entries, in which case it has to add extra ops in that patch. --------- Update: Merged-in the approved #6643, #6665 and #6669 which address the `linkerd2-cni`, `linkerd-multicluster` and `linkerd-jaeger` charts. Additional changes from what's already mentioned above: - Removes the install-namespace option from `linkerd install-cni`, which isn't found in `linkerd install` nor `linkerd viz install` anyways, and it would add some complexity to support. - Added a dependency on the `partials` chart to the `linkerd-multicluster-link` chart, so that we can tap on the `partials.namespace` helper. - We don't have any more the restriction on having the muticluster objects live in a separate namespace than linkerd. It's still good practice, and that's the default for the CLI install, but I removed that validation. Finally, as a side-effect, the `linkerd mc allow` subcommand was fixed; it has been broken for a while apparently: ```console $ linkerd mc allow --service-account-name foobar Error: template: linkerd-multicluster/templates/remote-access-service-mirror-rbac.yaml:16:7: executing "linkerd-multicluster/templates/remote-access-service-mirror-rbac.yaml" at <include "partials.annotations.created-by" $>: error calling include: template: no template "partials.annotations.created-by" associated with template "gotpl" ``` --------- Update: see helm/helm#5465 describing the current best-practice # Core Helm Charts Split This removes the `linkerd2` chart, and replaces it with the `linkerd-crds` and `linkerd-control-plane` charts. Note that the viz and other extension charts are not concerned by this change. Also note the original `values.yaml` file has been split into both charts accordingly. ### UX ```console $ helm install linkerd-crds --namespace linkerd --create-namespace linkerd/linkerd-crds ... # certs.yaml should contain identityTrustAnchorsPEM and the identity issuer values $ helm install linkerd-control-plane --namespace linkerd -f certs.yaml linkerd/linkerd-control-plane ``` ### Upgrade As explained in #6635, this is a breaking change. Users will have to uninstall the `linkerd2` chart and install these two, and eventually rollout the proxies (they should continue to work during the transition anyway). ### CLI The CLI install/upgrade code was updated to be able to pick the templates from these new charts, but the CLI UX remains identical as before. ### Other changes - The `linkerd-crds` and `linkerd-control-plane` charts now carry a version scheme independent of linkerd's own versioning, as explained in #7405. - These charts are Helm v3, which is reflected in the `Chart.yaml` entries and in the removal of the `requirements.yaml` files. - In the integration tests, replaced the `helm-chart` arg with `helm-charts` containing the path `./charts`, used to build the paths for both charts. ### Followups - Now it's possible to add a `ServiceProfile` instance for Destination in the `linkerd-control-plane` chart.
joebowbeer
added a commit
to joebowbeer/linkerd2
that referenced
this issue
Dec 22, 2022
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
joebowbeer
changed the title
joebowbeer
added a commit
to joebowbeer/linkerd2
that referenced
this issue
Dec 22, 2022
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
|
It's ok to add the namespace like you did in #10044 via |
|
@alpeb I am templating the chart (v30.4.5) so that it can be kustomized and installed by ArgoCD: helm template linkerd ./v30.4.5 -n linkerd-jaegerWhat I see in the jaeger and viz charts source, is that every resource is namespaced except these four, and I didn't realize there might be a difference between |
|
Good point 💯 , I had forgotten about that |
joebowbeer
added a commit
to joebowbeer/linkerd2
that referenced
this issue
Dec 23, 2022
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
kleimkuhler
pushed a commit
that referenced
this issue
Jan 3, 2023
hawkw
pushed a commit
that referenced
this issue
Feb 3, 2023
hawkw
pushed a commit
that referenced
this issue
Feb 6, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What is the issue?
1️⃣ The jaeger helm chart creates four resources without a namespace:
https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/templates/namespace-metadata-rbac.yaml
Resources:
https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/templates/namespace-metadata.yaml
Resource:
2️⃣ The viz helm chart creates four resources without a namespace:
https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-jaeger/templates/namespace-metadata-rbac.yaml
Resources:
https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-jaeger/templates/namespace-metadata.yaml
Resource:
3️⃣ ditto for multicluster charts
How can it be reproduced?
It's obvious from looking at the template source.
I discovered this by trying to install linkerd-jaeger and having my no-default-namespace admission policy deny my request.
Logs, error output, etc
policy disallow-default-namespace -> resource default/ServiceAccount/namespace-metadata failed:
policy disallow-default-namespace -> resource default/Job/namespace-metadata failed:
Note: The Role and RoleBinding are also missing a namespace
output of
linkerd check -o shortEnvironment
N/A
Possible solution
Add
namespace: {{ .Release.Namespace }}to the four resources where it is missing.Additional context
I think this was a regression that happened in #6635
Would you like to work on fixing this bug?
yes
The text was updated successfully, but these errors were encountered: