Add Control Plane Helm Templates And Proxy Partials #3146

ihcsim · 2019-07-25T20:56:36Z

This PR introduces the new Linkerd control plane Helm chart, named linkerd2. The goal is to enable Helm users to install and remove the Linkerd control plane by using the helm install and helm delete commands.

No changes are made to the existing linkerd install behaviour. Other Helm commands like upgrade and rollback will be evaluated in upcoming issues.

The mTLS assets must be provided for the Helm chart to work. You can use any ECDSA PEM-encoded keys and certs. See the example usage of the --set-file option below.

Installation steps:

# clone the linkerd repo
git clone git@github.com:linkerd/linkerd2.git

# install control plane
helm install --name=linkerd2 --dep-up \
   --set LinkerdVersion=edge-19.8.2 \             # default to edge-19.8.1
   --set Proxy.Image.Version=edge-19.8.2 \
   --set Identity.Issuer.CrtExpiry="<crt.pem.expiry.data>" \
   --set-file Identity.TrustAnchorsPEM=crt.pem \  # save your pem-encoded key and cert to these files
   --set-file Identity.Issuer.CrtPEM=crt.pem \
   --set-file Identity.Issuer.KeyPEM=key.pem \
   charts/linkerd2

# install control plane ha mode
helm install --name=linkerd2 --dep-up \
    --set LinkerdVersion=edge-19.8.2  \
    --set Proxy.Image.Version=edge-19.8.2 \
    --set Identity.Issuer.CrtExpiry="<crt.pem.expiry.date>" \
    --set-file Identity.TrustAnchorsPEM=crt.pem \
    --set-file Identity.Issuer.CrtPEM=crt.pem \
    --set-file Identity.Issuer.KeyPEM=key.pem \ 
    -f charts/linkerd2/values.yaml \
    -f charts/linkerd2/values-ha.yaml \
    charts/linkerd2

# delete the release
helm delete --purge linkerd2

For GKE development, additional RBAC is needed for tiller:

kubectl -n kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account=tiller

Fixes #3126.

.gitignore

l5d-bot · 2019-07-25T21:43:29Z

Integration test results for 07f1930: success 🎉
Log output: https://gist.github.com/c83368d1d73e7a2a1a8805bff2349ba8

charts/linkerd/Chart.yaml

l5d-bot · 2019-07-25T22:22:53Z

Integration test results for 20bca76: success 🎉
Log output: https://gist.github.com/0c79454111f2f603d445dac129b43128

l5d-bot · 2019-07-26T04:14:42Z

Integration test results for 1006ea9: success 🎉
Log output: https://gist.github.com/42cbdc1cf633a673db7037cf100f4517

l5d-bot · 2019-07-26T04:26:37Z

Integration test results for 59a3eef: fail 😕
Log output: https://gist.github.com/a760eb6baee7ea2da60ceeaab48ff982

l5d-bot · 2019-07-26T07:00:23Z

Integration test results for 430a5d5: success 🎉
Log output: https://gist.github.com/d5c75ef9419ae81c2f459cd7e55c349c

charts/partials/templates/_proxy.tpl

ihcsim · 2019-07-26T16:04:42Z

@alpeb Appreciate the review 👍. Per slack convo, I will update the partial templates as I continue to add more control plane templates to the linkerd chart. So far, I've gotten to heartbeat, with identity and proxy-injector next on the list. I'll keep you posted.

charts/partials/templates/_proxy-init.tpl

charts/partials/templates/_proxy.tpl

l5d-bot · 2019-07-29T03:11:21Z

Integration test results for 11fd5db: success 🎉
Log output: https://gist.github.com/055e3dfa87cb1e2952b258f937f812c8

charts/linkerd/values.yaml

l5d-bot · 2019-07-30T04:56:44Z

Integration test results for d2878d8: success 🎉
Log output: https://gist.github.com/a6274921735bf1df0f8dab4d5d03612a

l5d-bot · 2019-07-30T06:53:04Z

Integration test results for 1c824a2: success 🎉
Log output: https://gist.github.com/ae9babedd26d141f27bbc2086b744004

l5d-bot · 2019-07-30T16:38:10Z

Integration test results for 1d22f4d: fail 😕
Log output: https://gist.github.com/10ae2acaf9dbe08aa6d69b783313b925

l5d-bot · 2019-07-30T22:22:40Z

Integration test results for 70c1a61: success 🎉
Log output: https://gist.github.com/2df56ac4ed9d60120f64935c9dc51b59

ihcsim · 2019-07-30T22:55:49Z

charts/linkerd/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}


~~Can't~~ Can ignore; auto-generated by Helm.

Also fixed some indentation issues. Signed-off-by: Ivan Sim <ivan@buoyant.io>

Signed-off-by: Ivan Sim <ivan@buoyant.io>

l5d-bot · 2019-08-02T20:49:15Z

Integration test results for a55fa00: success 🎉
Log output: https://gist.github.com/0e13270bc9734062787abb094d82ee8a

Signed-off-by: Ivan Sim <ivan@buoyant.io>

l5d-bot · 2019-08-02T21:25:44Z

Integration test results for 681a921: success 🎉
Log output: https://gist.github.com/7c0cb035c77cb43f59d561230f908167

charts/partials/templates/_proxy.tpl

ihcsim · 2019-08-06T16:14:32Z

Received @grampelberg's approval to merge.

* Updated controller template with proxy partials * Declare dependency in requirements.yaml * Add partial template for proxy's metadata * Add proxy-init partial template * Script to lint Helm charts and update their dependencies * Update partials chart Chart.yaml * Add proxy-init and resource partial templates * Replace hard coded namespace variable in proxy env var * Ignore chart dependencies .tgz files * Add missing fields and re-order YAML elements to match CLI output * Reuse control plane's resource partial template in 'partials' chart * Set the proxy's destination service address env var * Add Grafana's template * Update api version of controller RBAC * Add Heartbeat template * Remove duplicated resources partial template * Add remainder control plane components templates * Add template for the 'linkerd-config' config map * Add debug container template * Update proxy partial with 'disable-identity' and 'disable-tap' variables Note that these are inject-only variables. Also added the LINKERD2_PROXY_TAP_SVC_NAME env var. * Add validation conditions to ensure identity and tap aren't disabled for control plane components * Add partials for service account token mount path and security context capabilities * Change proxy and proxy-init templates to use global scope Some of the nested variables are removed from values.yaml to ensure changes made to root-level variables are propagated directly into the partial templates. The previous approach of using YAML anchors in the values.yaml to share common values can get out-of-sync when values are changed via the Helm's `--set` option. * Update templates and values file to match #3161 * Perform a dry run installation if there is a local Tiller * Reorder JSON elements in linkerd-config * Re-adjust nested partials indentation to work with inject 'patch' chart Previously, the partials will render their content as an element in the list. While it works for installation, the toJson function in the 'inject' patch code ends up converting it into a JSON list, instead of the expected JSON object. * Trap the last fail command in the Helm shell script * Add the identity trust anchor * Address Thomas' feedback on handling HA All the HA-related variables are moved to values-ha.yaml * Convert ignore ports string to JSON list in linkerd-config Also fixed some indentation issues. * Add values-ha.yaml * Include the service account token mount path only if identity is enabled * Fixed malformed JSON in linkerd-config config map * Rename chart to 'linkerd2' * Add NOTES.txt * Fix incorrect variable path in proxy template * Remove fake TLS assets * Add 'required' constraint to identity trust anchors variable * Update tap templates per #3167 * Bump default version to edge-19.8.1 due to dependency on RSA support Signed-off-by: Ivan Sim <ivan@buoyant.io>

ihcsim added the area/install label Jul 25, 2019

ihcsim self-assigned this Jul 25, 2019

alpeb reviewed Jul 25, 2019

View reviewed changes

.gitignore Show resolved Hide resolved

alpeb reviewed Jul 25, 2019

View reviewed changes

charts/linkerd/Chart.yaml Outdated Show resolved Hide resolved

ihcsim force-pushed the isim/helm-charts branch from 07f1930 to 20bca76 Compare July 25, 2019 21:54