Remove namespace from charts and split them into linkerd-crds and linkerd-control-plane
#6635
Conversation
First part of #6584 With this change, the `namespace.yaml` template is rendered only for CLI installs and not Helm, and likewise the `namespace:` entry in the namespace-level objects (using a new `partials.namespace` helper). The `installNamespace` and `namespace` entries in `values.yaml` have been removed. There in the templates where the namespace is required, we moved from `.Values.namespace` to `.Release.Namespace` which is filled-in automatically by Helm. For the CLI, `install.go` now explicitly defines the contents of the `Release` map alongside `Values`. The proxy-injector has a new `linkerd-namespace` argument given the namespace is no longer persisted in the `linkerd-config` ConfigMap, so it has to be passed in. To pass it further down to `injector.Inject()` without modifying the `Handler` signature, a closure was used. To land later in a followup: same deal for the other charts. Extensions will require usage of the post-install hook for adding metadata though.
Second part of #6584, followup of #6635 (and based off of alpeb/no-ns-helm-core) Stop rendering `namespace.yaml` in the `linkerd-viz` chart, same as we did in #6635. The additional change here is the addition of the `namespace-metadata.yaml` template (and its RBAC), _not_ rendered in CLI installs, which is a Helm `post-install` hook, consisting on a Job that executes a script adding the required annotations and labels to the viz namespace using a PATCH request against kube-api. The script first checks if the namespace doesn't already have an annotations/labels entries, in which case it has to add extra ops in that patch. The Job uses a multiarch `curlimages/curl` image, which is built by curl.haxx.se. I couldn't find a simple multiarch "kubectl" image that would have allowed us issuing simple kubectl commands. The `curlimages/curl` image is based on Alpine; it won't have as much as CVE-related reports noise as a Debian image, but it'd be better to have something slimmer still. Eventually we could build our own scratch-based binary if deemed worthy. I'll post in followup PRs the same changes for the other extensions and the CNI chart.
alpeb
changed the title
Third part of #6584, followup of #6635 (and based off of alpeb/no-ns-helm-core) Stop rendering the namespace in the `linkerd2-cni` chart, same as we did in #6635. This also removes the `install-namespace` option from `linkerd install-cni`, which isn't found in `linkerd install` nor `linkerd viz install` anyways, and it would add some complexity to support.
alpeb
force-pushed
the
alpeb/no-ns-helm-core
branch
from
13ab43b to
9f6ee44
Compare
Third part of #6584, followup of #6635 (and based off of alpeb/no-ns-helm-core) Stop rendering the namespace in the `linkerd2-cni` chart, same as we did in #6635. This also removes the `install-namespace` option from `linkerd install-cni`, which isn't found in `linkerd install` nor `linkerd viz install` anyways, and it would add some complexity to support.
There was a problem hiding this comment.
Nice. What will the upgrade procedure be for Helm users? I take it they have to do a uninstall and then reinstall of the helm chart? Assuming they use the same issuer certificates, can they keep the data plane running the entire time? Will there be any interruption to data plane traffic?
|
Just to make sure I understand: when installing with Helm, is the expectation is that namespace will already exist because either a) the user created the linkerd namespace ahead of time or is that right? |
There was a problem hiding this comment.
Changes LGTM but I would love to know more about the upgrade procedure. Especially if we can figure out a no down-time way of upgrading existing linkerd Helm installs.
From what I understand, The real pain-point with Helm is its secret which is being stored into the default namespace. (irrespective of which namespace the control-plane is being installed). Can we define some manual steps through which we can move that secret into the namespace in which linkerd is installed into, and from there on a normal upgrade would be sufficient? I guess we would be left with some stale namespace values when we are moving the secret but this should still work because we would be passing the right --linkerd-namespace flag with the upgrade which should correctly set all the values as expected🤔
| if err != nil { | ||
| return nil, err | ||
| } | ||
| namespace, err := valuesTree.GetString("namespace") |
There was a problem hiding this comment.
Hmm, This is removed because. Now we don't need to find if namespace has been overriden through helm values, etc, and there's now only a single way to override namespace which is through --namespace flag propogated into controlPlaneNamespace, right?
| @@ -509,7 +508,6 @@ func helmOverridesEdge(root *tls.CA) ([]string, []string) { | |||
| } | |||
| vizArgs := []string{ | |||
| "--set", "linkerdVersion=" + TestHelper.GetVersion(), | |||
| "--set", "namespace=" + TestHelper.GetVizNamespace(), | |||
There was a problem hiding this comment.
These are vizArgs right? and we aren't removing that in this PR right? 🤔
There was a problem hiding this comment.
Correct, that's addressed in #6638
|
Thanks gentlemen for the reviews 👍
Yeah, they'll have to uninstall the chart and install the new chart again. The proxies in the data plane will log errors while the control plane gets reinstalled, but from my testing, traffic continues to flow between data plane pods. And after the control plane is available again, the proxies stop logging errors.
That's correct.
Sounds tricky, not sure if a simple move will suffice. Also note there's also an upcoming PR that will split the core Helm chart into two (#6620), so we'll end up with totally different charts, which means we'll have to uninstall the old one anyways. |
|
Note: please don't merge this just yet, as I want to have all the Helm charts changes (including #6620) to be included in the same edge 😉 |
Hmm, Makes sense! |
There was a problem hiding this comment.
Tested this out and it works really well. Confirmed the changes by installing with helm (helm install --create-namespace --namespace linkerd) and also with (helm install --generate-namespace --namespace dev). Both worked well to install the control plane.
Also looked in the configmap to see if we are missing the namespace field (since that's no longer persisted in the cm), and also had a look at the injector manifest to double check the flag is in. Can confirm everything worked well and control plane was up and running.
The only thing here is that when we create a namespace that doesn't have the default name (e.g dev), checks and injections fail unless we explicitly pass in --linkerd-namespace. I guess this is by design though since we have historically supported installing in a separate namespace for a while -- I've never personally done it in tests until now so thought I'd mention it.
I'll hold off on approval until the rest of the changes are merged in, will want to re-test it everything then but so far everything seems to be 👌🏻 👌🏻 .
|
Thanks @mateiidavid ,
Yep, no change in functionality there, check and inject have required expliciting the namespace for a while, when not using the default one. |
Another part of #6584, branched off of #6635 (alpeb/no-ns-helm-core). Stop rendering the namespace in the `linkerd-multicluster` chart as we did in #6635. Also: - Got rid of the `namespace` values.yaml entry in the `linkerd-multicluster` and `linkerd-multicluster-link` charts, and also the `installNamespace` entry in the former. - Added a dependency on the `partials` chart to the `linkerd-multicluster-link` chart, so that we can tap on the `partials.namespace` helper. - Added the post-install hook resources to the `linkerd-multicluster` chart. - We don't have any more the restriction on having the muticluster objects live in a separate namespace than linkerd. It's still good practice, and that's the default for the CLI install, but I removed that validation. Finally, as a side-effect, the `allow` subcommand was fixed; it has been broken for a while apparently: ```console $ linkerd mc allow --service-account-name foobar Error: template: linkerd-multicluster/templates/remote-access-service-mirror-rbac.yaml:16:7: executing "linkerd-multicluster/templates/remote-access-service-mirror-rbac.yaml" at <include "partials.annotations.created-by" $>: error calling include: template: no template "partials.annotations.created-by" associated with template "gotpl" ```
Another part of #6584 based off of #6635 (alpeb/no-ns-helm-core) Stop rendering `namespace.yaml` in the `linkerd-jaeger` chart, same as we did in #6635. This makes use of a Helm `post-install` hook to add the `linkerd.io/extension: jaeger` label to the namespace created by Helm. The `linkerd.io/inject: enabled` and `config.linkerd.io/proxy-await: enabled` annotations have been moved down from the namespace and into each workload.
* Remove namespace for linkerd2-viz chart Second part of #6584, followup of #6635 (and based off of alpeb/no-ns-helm-core) Stop rendering `namespace.yaml` in the `linkerd-viz` chart, same as we did in #6635. The additional change here is the addition of the `namespace-metadata.yaml` template (and its RBAC), _not_ rendered in CLI installs, which is a Helm `post-install` hook, consisting on a Job that executes a script adding the required annotations and labels to the viz namespace using a PATCH request against kube-api. The script first checks if the namespace doesn't already have an annotations/labels entries, in which case it has to add extra ops in that patch. The Job uses a multiarch `curlimages/curl` image, which is built by curl.haxx.se. I couldn't find a simple multiarch "kubectl" image that would have allowed us issuing simple kubectl commands. The `curlimages/curl` image is based on Alpine; it won't have as much as CVE-related reports noise as a Debian image, but it'd be better to have something slimmer still. Eventually we could build our own scratch-based binary if deemed worthy.
|
I've just merged #6638 here and updated this PR's description accordingly. |
* Remove namespace from linkerd2-cni chart Third part of #6584, followup of #6635 (and based off of alpeb/no-ns-helm-core) Stop rendering the namespace in the `linkerd2-cni` chart, same as we did in #6635. This also removes the `install-namespace` option from `linkerd install-cni`, which isn't found in `linkerd install` nor `linkerd viz install` anyways, and it would add some complexity to support.
|
@kleimkuhler ah thanks, yeah that makes a lot of sense. I failed to consider this might be turned off. Disregard what I said then this is definitely good to 🚢 from my side! |
Fixes #6620, branched off of #6635 (remove namespace from charts) This removes the `linkerd2` chart, and replaces it with the `linkerd-base` and `linkerd-control-plane` charts. Note that the viz and other extension charts are not concerned by this change. `linkerd-base` and `linkerd-control-plane` mimic what the CLI commands `linkerd install config` (cluster-level and RBAC resources) and `linkerd install control-plane` (everything else, namespace-scoped resources) do, respectively. Please see #6620 for more details. Also note the original `values.yaml` file has been split into both charts accordingly. ### UX ```console $ helm install linkerd-base --namespace linkerd --create-namespace linkerd/linkerd-base ... # certs.yaml should contain identityTrustAnchorsPEM and the identity issuer values $ helm install linkerd-control-plane --namespace linkerd -f certs.yaml linkerd/linkerd-control-plane ``` ### Upgrade As explained in #6635, this is a breaking change. Users will have to uninstall the `linkerd2` chart and install these two, and eventually rollout the proxies (they should continue to work during the transition anyway). ### CLI The CLI install/upgrade code was updated to be able to pick the templates from these new charts, but the CLI UX remains identical as before. ### Other changes - These charts are Helm v3, which is reflected in the `Chart.yaml` entries and in the removal of the `requirements.yaml` files. - In the integration tests, replaced the `helm-chart` arg with `helm-charts` containing the path `./charts`, used to build the paths for both charts. ### Followups - Update the `release.yaml` workflow to push these new charts. The old one probably needs a deprecation tag or something like that. - Now it's possible to add a `ServiceProfile` instance for Destination in the `linkerd-control-plane` chart.
alpeb
changed the title
linkerd-base and linkerd-control-plane
|
I merged #6691 here and updated the description accordingly. |
alpeb
changed the title
linkerd-base and linkerd-control-planelinkerd-crd and linkerd-control-plane
|
After some feedback we decided to rename |
kleimkuhler
dismissed
their stale review
Still looks good. Left some comments on #7448 which once merged, I can approve this again.
* Set up helm charts versioning Implements part of #7405 Separates `version` from `appVersion` in both `linkerd-crds` and `linkerd-control-plane` charts. In `linkerd-crds` embeds `version` as a label in the CRDs. In `linkerd-control-plane`, embeds `linkerd-crds`'s `version` as a new entry in the `linkerd-config` ConfigMap, to use in a new `linkerd check` that will be implemented in a separate PR.
alpeb
changed the title
linkerd-crd and linkerd-control-planelinkerd-crds and linkerd-control-plane
* Helm migration instructions for 2.12 This updates the helm install instructions to account for the new charts as per linkerd/linkerd2#6635 and linkerd/linkerd2#6691 Also this adds a new section for 2.12 in `upgrade.md`, detailing the migration steps needed for the new charts. Co-authored-by: Matei David <matei@buoyant.io>
Followup to #6635, where we missed removing the no longer used `namespace` entry.
Followup to #6635, where we missed removing the no longer used `namespace` entry.
In #6635 (f9f3ebe), we removed the `Namespace` resources from the linkerd Helm charts. But this change also removed the `namespace` field from all generated metadata, adding conditional logic to only include it when being installed via the CLI. This conditional logic currently causes spurious whitespace in output YAML. This doesn't cause problems but is aesthetically inconsistent/distracting. This change removes the `partials.namespace` helper and instead inlines the value in our templates. This makes our CLI- and Helm-generated manifests slightly more consistent and removes needless indirection. Signed-off-by: Oliver Gould <ver@buoyant.io>
In #6635 (f9f3ebe), we removed the `Namespace` resources from the linkerd Helm charts. But this change also removed the `namespace` field from all generated metadata, adding conditional logic to only include it when being installed via the CLI. This conditional logic currently causes spurious whitespace in output YAML. This doesn't cause problems but is aesthetically inconsistent/distracting. This change removes the `partials.namespace` helper and instead inlines the value in our templates. This makes our CLI- and Helm-generated manifests slightly more consistent and removes needless indirection. Signed-off-by: Oliver Gould <ver@buoyant.io>
Fixes #6584 #6620 #7405
Namespace Removal
With this change, the
namespace.yamltemplate is rendered only for CLI installs and not Helm, and likewise thenamespace:entry in the namespace-level objects (using a newpartials.namespacehelper).The
installNamespaceandnamespaceentries invalues.yamlhave been removed.There in the templates where the namespace is required, we moved from
.Values.namespaceto.Release.Namespacewhich is filled-in automatically by Helm. For the CLI,install.gonow explicitly defines the contents of theReleasemap alongsideValues.The proxy-injector has a new
linkerd-namespaceargument given the namespace is no longer persisted in thelinkerd-configConfigMap, so it has to be passed in. To pass it further down toinjector.Inject()without modifying theHandlersignature, a closure was used.Update: Merged-in #6638: Similar changes for the
linkerd-vizchart:Stop rendering
namespace.yamlin thelinkerd-vizchart.The additional change here is the addition of the
namespace-metadata.yamltemplate (and its RBAC), not rendered in CLI installs, which is a Helmpost-installhook, consisting on a Job that executes a script adding the required annotations and labels to the viz namespace using a PATCH request against kube-api. The script first checks if the namespace doesn't already have an annotations/labels entries, in which case it has to add extra ops in that patch.Update: Merged-in the approved #6643, #6665 and #6669 which address the
linkerd2-cni,linkerd-multiclusterandlinkerd-jaegercharts.Additional changes from what's already mentioned above:
linkerd install-cni, which isn't found inlinkerd installnorlinkerd viz installanyways, and it would add some complexity to support.partialschart to thelinkerd-multicluster-linkchart, so that we can tap on thepartials.namespacehelper.Finally, as a side-effect, the
linkerd mc allowsubcommand was fixed; it has been broken for a while apparently:Update: see helm/helm#5465 describing the current best-practice
Core Helm Charts Split
This removes the
linkerd2chart, and replaces it with thelinkerd-crdsandlinkerd-control-planecharts. Note that the viz and other extension charts are not concerned by this change.Also note the original
values.yamlfile has been split into both charts accordingly.UX
Upgrade
As explained in #6635, this is a breaking change. Users will have to uninstall the
linkerd2chart and install these two, and eventually rollout the proxies (they should continue to work during the transition anyway).CLI
The CLI install/upgrade code was updated to be able to pick the templates from these new charts, but the CLI UX remains identical as before.
Other changes
linkerd-crdsandlinkerd-control-planecharts now carry a version scheme independent of linkerd's own versioning, as explained in Helm charts versioning scheme #7405.Chart.yamlentries and in the removal of therequirements.yamlfiles.helm-chartarg withhelm-chartscontaining the path./charts, used to build the paths for both charts.Followups
ServiceProfileinstance for Destination in thelinkerd-control-planechart.