Refactor proxy injection to use Helm charts #3195
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes #3128 New `patch` chart ================== A new chart `/charts/patch` was created, that generates the JSON patch payload that is to be returned to the k8s API when doing the injection through the proxy injector, and it's also leveraged by the `linkerd inject --manual` CLI. Virtual File System changes =========================== The VFS was used by `linkerd install` to access the old chart under `/chart`. Now the proxy injection also uses the Helm charts to generate the JSON patch (see above) so we've moved the VFS from `cli/static` to a new common place under `/pkg/charts/static`, and the new root for the VFS is now `/charts`. `linkerd install` hasn't yet migrated to use the new charts (that'll happen in #3127), so the only change in that regard was the creation of `/charts/chart` which is a symlink pointing to `/chart` that `install.go` now uses, so that the VFS contains both the old and new charts, as a temporary measure. You can see that `/bin/Dockerfile-bin`, `/controller/Dockerfile` and `/bin/build-cli-bin` do now `go generate` pointing to the new location (and the `go generate` annotation was moved from `/cli/main.go` to `pkg/charts/static/templates.go`). The symlink trick doesn't work when building the binaries through Docker, so `/bin/Dockerfile-bin` replaces the symlink with an actual copy of `/chart`. Also note that in `/controller/Dockerfile` we now need to include the `prod` tag in `go install` like we do in `/bin/Dockerfile-bin` so that the proxy injector does use the VFS instead of the local file system. Other changes =============== - The common logic to parse a chart has been moved from `install.go` to `/pkg/charts/util.go`. - The special ENV var in the proxy for "outbound router capacity" that only applies to the Prometheus pod is now handled directly in the proxy partial and all the associated go code could be removed. - The `patch.go` lib for generating the JSON patch in go along with its tests `patch_test.go` are no longer needed. - Lots of functions in `/pkg/inject/inject.go` got removed/simplified with their logic being moved into the charts themselves. As a consequence lots of things in `inject_test.go` became irrelevant. - Moved `template-values.go` from `/pkg/inject` to `pkg/charts` as that contains the go structs representation of the chart variables that will be leveraged in #3127. Testing ========= Don't forget to run `/bin/helm.sh` whenever you make changes to charts ;-) Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
alpeb
commented
Aug 5, 2019
| // Skip outbound port 443 to enable Kubernetes API access without the proxy. | ||
| // Once Kubernetes supports sidecar containers, this may be removed, as that | ||
| // will guarantee the proxy is running prior to control-plane startup. | ||
| configs.Proxy.IgnoreOutboundPorts = append(configs.Proxy.IgnoreOutboundPorts, &pb.Port{Port: 443}) |
There was a problem hiding this comment.
This is now handled directly in the chart
alpeb
commented
Aug 5, 2019
| identityAPIPort = 8080 | ||
|
|
||
| envTapDisabled = "LINKERD2_PROXY_TAP_DISABLED" | ||
| envTapSvcName = "LINKERD2_PROXY_TAP_SVC_NAME" |
There was a problem hiding this comment.
All these consts are now in the charts
alpeb
commented
Aug 5, 2019
| }{ | ||
| { | ||
| filename: "pod-inject-empty.yaml", | ||
| ns: nsEnabled, | ||
| conf: confNsEnabled(), | ||
| expected: true, |
There was a problem hiding this comment.
expected is true in all the test cases, so I removed it.
|
Integration test results for 8cf5b42: fail 😕 |
siggy
reviewed
Aug 5, 2019
There was a problem hiding this comment.
i'm going to dig into a more full review, but leaving this here for now as it was the first thing i encountered.
my quick remote build and install yielded an error message followed by a partial installation:
$ bin/docker-build # on a remote machine
$ bin/linkerd install | kubectl apply -f - # bin/go-run cli install yields the same issue
Error: open /patch/charts/partials-0.1.0.tgz: file does not exist
Usage:
linkerd install [flags]
linkerd install [command]
...
Use "linkerd install [command] --help" for more information about a command.
namespace/linkerd created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-identity created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-identity created
serviceaccount/linkerd-identity created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-controller created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-controller created
serviceaccount/linkerd-controller created
role.rbac.authorization.k8s.io/linkerd-heartbeat created
rolebinding.rbac.authorization.k8s.io/linkerd-heartbeat created
serviceaccount/linkerd-heartbeat created
serviceaccount/linkerd-web created
customresourcedefinition.apiextensions.k8s.io/serviceprofiles.linkerd.io created
customresourcedefinition.apiextensions.k8s.io/trafficsplits.split.smi-spec.io created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-prometheus created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-prometheus created
serviceaccount/linkerd-prometheus created
serviceaccount/linkerd-grafana created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector created
serviceaccount/linkerd-proxy-injector created
secret/linkerd-proxy-injector-tls created
mutatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-proxy-injector-webhook-config created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-sp-validator created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-sp-validator created
serviceaccount/linkerd-sp-validator created
secret/linkerd-sp-validator-tls created
validatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-sp-validator-webhook-config created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-tap created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-tap created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-tap-auth-delegator created
serviceaccount/linkerd-tap created
rolebinding.rbac.authorization.k8s.io/linkerd-linkerd-tap-auth-reader created
secret/linkerd-tap-tls created
apiservice.apiregistration.k8s.io/v1alpha1.tap.linkerd.io created
podsecuritypolicy.policy/linkerd-linkerd-control-plane created
role.rbac.authorization.k8s.io/linkerd-psp created
rolebinding.rbac.authorization.k8s.io/linkerd-psp created
configmap/linkerd-config created
secret/linkerd-identity-issuer created
service/linkerd-identity createdit looks like the install command errors out after outputting service/linkerd-identity:
$ bin/go-run cli install
...
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli git-8cf5b428
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
Error: open /Users/sig/code/linkerd2/charts/patch/charts/partials-0.1.0.tgz: no such file or directory
Usage:
linkerd install [flags]
linkerd install [command]avoid requiring the build environments to have `helm` installed. Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
|
@siggy my last push fixes things so that dependencies are taken care of automatically without forcing the build environments to have But in order to install linkerd through helm ( |
|
Integration test results for 41c64f1: fail 😕 |
siggy
approved these changes
Aug 5, 2019
There was a problem hiding this comment.
looks good! mostly nits and questions. 🚢 👍
mind adding a section to BUILD.md and/or TEST.md around when to use commands like bin/helm.sh and helm dep up charts/linkerd2? maybe documenting the typical dev flow of modifying templates and testing a helm install command?
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
|
Integration test results for 4250749: fail 😕 |
Thanks for the feedback! I've created #3199 in the Helm project to track Helm docs effort 👍 |
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
|
Integration test results for 921b2d9: fail 😕 |
alpeb
added a commit
that referenced
this pull request
Aug 6, 2019
(This replaces #3195 that had some branch issues) Fixes #3128 A new chart `/charts/patch` was created, that generates the JSON patch payload that is to be returned to the k8s API when doing the injection through the proxy injector, and it's also leveraged by the `linkerd inject --manual` CLI. The VFS was used by `linkerd install` to access the old chart under `/chart`. Now the proxy injection also uses the Helm charts to generate the JSON patch (see above) so we've moved the VFS from `cli/static` to a new common place under `/pkg/charts/static`, and the new root for the VFS is now `/charts`. `linkerd install` hasn't yet migrated to use the new charts (that'll happen in #3127), so the only change in that regard was the creation of `/charts/chart` which is a symlink pointing to `/chart` that `install.go` now uses, so that the VFS contains both the old and new charts, as a temporary measure. You can see that `/bin/Dockerfile-bin`, `/controller/Dockerfile` and `/bin/build-cli-bin` do now `go generate` pointing to the new location (and the `go generate` annotation was moved from `/cli/main.go` to `pkg/charts/static/templates.go`). The symlink trick doesn't work when building the binaries through Docker, so `/bin/Dockerfile-bin` replaces the symlink with an actual copy of `/chart`. Also note that in `/controller/Dockerfile` we now need to include the `prod` tag in `go install` like we do in `/bin/Dockerfile-bin` so that the proxy injector does use the VFS instead of the local file system. - The common logic to parse a chart has been moved from `install.go` to `/pkg/charts/util.go`. - The special ENV var in the proxy for "outbound router capacity" that only applies to the Prometheus pod is now handled directly in the proxy partial and all the associated go code could be removed. - The `patch.go` lib for generating the JSON patch in go along with its tests `patch_test.go` are no longer needed. - Lots of functions in `/pkg/inject/inject.go` got removed/simplified with their logic being moved into the charts themselves. As a consequence lots of things in `inject_test.go` became irrelevant. - Moved `template-values.go` from `/pkg/inject` to `pkg/charts` as that contains the go structs representation of the chart variables that will be leveraged in #3127. Don't forget to run `/bin/helm.sh` whenever you make changes to charts ;-) Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
|
This PR has been replaced with #3200 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #3128
New
patchchartA new chart
/charts/patchwas created, that generates the JSON patchpayload that is to be returned to the k8s API when doing the injection
through the proxy injector, and it's also leveraged by the
linkerd inject --manualCLI.Virtual File System changes
The VFS was used by
linkerd installto access the old chart under/chart. Now the proxy injection also uses the Helm charts to generatethe JSON patch (see above) so we've moved the VFS from
cli/staticto anew common place under
/pkg/charts/static, and the new root for the VFS isnow
/charts.linkerd installhasn't yet migrated to use the new charts (that'llhappen in #3127), so the only change in that regard was the creation of
/charts/chartwhich is a symlink pointing to/chartthatinstall.gonow uses, so that the VFS contains both the old and newcharts, as a temporary measure.
You can see that
/bin/Dockerfile-bin,/controller/Dockerfileand/bin/build-cli-bindo nowgo generatepointing to the new location(and the
go generateannotation was moved from/cli/main.gotopkg/charts/static/templates.go).The symlink trick doesn't work when building the binaries through
Docker, so
/bin/Dockerfile-binreplaces the symlink with an actualcopy of
/chart.Also note that in
/controller/Dockerfilewe now need to include theprodtag ingo installlike we do in/bin/Dockerfile-binso thatthe proxy injector does use the VFS instead of the local file system.
Other changes
install.goto/pkg/charts/util.go.only applies to the Prometheus pod is now handled directly in the proxy
partial and all the associated go code could be removed.
patch.golib for generating the JSON patch in go alongwith its tests
patch_test.goare no longer needed./pkg/inject/inject.gogot removed/simplifiedwith their logic being moved into the charts themselves. As a
consequence lots of things in
inject_test.gobecame irrelevant.template-values.gofrom/pkg/injecttopkg/chartsas thatcontains the go structs representation of the chart variables that
will be leveraged in Refactor CLI Install Command To Work With 2.5 Helm Chart #3127.
Testing
Don't forget to run
/bin/helm.shwhenever you make changes to charts;-)