Remove namespace from multicluster charts

bin/helm-build

@@ -30,6 +30,7 @@ rm -f viz/charts/linkerd-viz/charts/*
 
 "$bindir"/helm dep up "$rootdir"/multicluster/charts/linkerd-multicluster
 "$bindir"/helm lint "$rootdir"/multicluster/charts/linkerd-multicluster
+"$bindir"/helm dep up "$rootdir"/multicluster/charts/linkerd-multicluster-link
 "$bindir"/helm lint "$rootdir"/multicluster/charts/linkerd-multicluster-link
 "$bindir"/helm lint "$rootdir"/charts/partials
 "$bindir"/helm dep up "$rootdir"/charts/linkerd2-cni

bin/test-cleanup

@@ -37,6 +37,7 @@ if [[ "${releases[*]}" =~ 'helm-test' ]]; then
   "$bindir/helm" --kube-context="$k8s_context" --namespace linkerd delete helm-test
 fi
 if [[ "${releases[*]}" =~ 'multicluster-test' ]]; then
-  "$bindir/helm" --kube-context="$k8s_context" delete multicluster-test
+  "$bindir/helm" --kube-context="$k8s_context" --namespace linkerd-multicluster delete multicluster-test
+  kubectl delete ns linkerd-multicluster
 fi
 

multicluster/charts/linkerd-multicluster-link/README.md

@@ -17,6 +17,10 @@ shouldn't be used as-is unless you really know what you're doing ;-)
 
 Kubernetes: `>=1.16.0-0`
 
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../../../charts/partials | partials | 0.1.0 |
+
 ## Values
 
 | Key | Type | Default | Description |
@@ -25,7 +29,6 @@ Kubernetes: `>=1.16.0-0`
 | controllerImageVersion | string | `"linkerdVersionValue"` | Tag for the Service Mirror container Docker image |
 | gateway.probe.port | int | `4191` | The port used for liveliness probing |
 | logLevel | string | `"info"` | Log level for the Multicluster components |
-| namespace | string | `"linkerd-multicluster"` | Service Mirror component namespace |
 | serviceMirrorRetryLimit | int | `3` | Number of times update from the remote cluster is allowed to be requeued (retried) |
 | serviceMirrorUID | int | `2103` | User id under which the Service Mirror shall be ran |
 

multicluster/charts/linkerd-multicluster-link/requirements.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: partials
+  repository: file://../../../charts/partials
+  version: 0.1.0
+digest: sha256:e2c1d0d581afb33df46411df7a89fca2628328fc7bd0975167e7812bf128e27f
+generated: "2021-08-11T14:34:45.712339546-05:00"

multicluster/charts/linkerd-multicluster-link/requirements.yaml

@@ -0,0 +1,4 @@
+dependencies:
+  - name: partials
+    version: 0.1.0
+    repository: file://../../../charts/partials

multicluster/charts/linkerd-multicluster-link/templates/gateway-mirror.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: probe-gateway-{{.Values.targetClusterName}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
     mirror.linkerd.io/mirrored-gateway: "true"
     mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}

multicluster/charts/linkerd-multicluster-link/templates/psp.yaml

@@ -3,15 +3,15 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: multicluster-link-psp
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
     linkerd.io/extension: multicluster
-    namespace: {{.Values.namespace}}
+    namespace: {{.Release.Namespace}}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: psp
 subjects:
 - kind: ServiceAccount
   name: linkerd-service-mirror-{{.Values.targetClusterName}}
-  namespace: {{.Values.namespace}}
+  namespace: {{.Release.Namespace}}

multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml

@@ -28,13 +28,13 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: linkerd-service-mirror-{{.Values.targetClusterName}}
-  namespace: {{.Values.namespace}}
+  namespace: {{.Release.Namespace}}
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: linkerd-service-mirror-read-remote-creds-{{.Values.targetClusterName}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
       linkerd.io/control-plane-component: service-mirror
       mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
@@ -51,7 +51,7 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: linkerd-service-mirror-read-remote-creds-{{.Values.targetClusterName}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
       linkerd.io/control-plane-component: service-mirror
       mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
@@ -62,13 +62,13 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: linkerd-service-mirror-{{.Values.targetClusterName}}
-    namespace: {{.Values.namespace}}
+    namespace: {{.Release.Namespace}}
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
   name: linkerd-service-mirror-{{.Values.targetClusterName}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
     linkerd.io/control-plane-component: service-mirror
     mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
@@ -80,7 +80,7 @@ metadata:
     linkerd.io/control-plane-component: service-mirror
     mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
   name: linkerd-service-mirror-{{.Values.targetClusterName}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
 spec:
   replicas: 1
   selector:
@@ -100,7 +100,7 @@ spec:
         - service-mirror
         - -log-level={{.Values.logLevel}}
         - -event-requeue-limit={{.Values.serviceMirrorRetryLimit}}
-        - -namespace={{.Values.namespace}}
+        - -namespace={{.Release.Namespace}}
         - {{.Values.targetClusterName}}
         image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion}}
         name: service-mirror

multicluster/charts/linkerd-multicluster-link/values.yaml

@@ -7,8 +7,6 @@ gateway:
   probe:
     # -- The port used for liveliness probing
     port: 4191
-# -- Service Mirror component namespace
-namespace: linkerd-multicluster
 # -- Log level for the Multicluster components
 logLevel: info
 # -- Number of times update from the remote cluster is allowed to be requeued

multicluster/charts/linkerd-multicluster/README.md

@@ -90,10 +90,8 @@ Kubernetes: `>=1.16.0-0`
 | gateway.serviceAnnotations | object | `{}` | Annotations to add to the gateway service |
 | gateway.serviceType | string | `"LoadBalancer"` | Service Type of gateway Service |
 | identityTrustDomain | string | `"cluster.local"` | Identity Trust Domain of the certificate authority |
-| installNamespace | bool | `true` | If the namespace should be installed |
 | linkerdNamespace | string | `"linkerd"` | Namespace of linkerd installation |
 | linkerdVersion | string | `"linkerdVersionValue"` | Control plane version |
-| namespace | string | `"linkerd-multicluster"` | Service Mirror component namespace |
 | proxyOutboundPort | int | `4140` | The port on which the proxy accepts outbound traffic |
 | remoteMirrorServiceAccount | bool | `true` | If the remote mirror service account should be installed |
 | remoteMirrorServiceAccountName | string | `"linkerd-service-mirror-remote-access-default"` | The name of the service account used to allow remote clusters to mirror local services |

multicluster/charts/linkerd-multicluster/templates/gateway.yaml

@@ -13,7 +13,7 @@ metadata:
     app: {{.Values.gateway.name}}
     linkerd.io/extension: multicluster
   name: {{.Values.gateway.name}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
 spec:
   replicas: 1
   selector:
@@ -38,11 +38,11 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{.Values.gateway.name}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
     linkerd.io/extension: multicluster
   annotations:
-    mirror.linkerd.io/gateway-identity: {{.Values.gateway.name}}.{{.Values.namespace}}.serviceaccount.identity.{{.Values.linkerdNamespace}}.{{.Values.identityTrustDomain}}
+    mirror.linkerd.io/gateway-identity: {{.Values.gateway.name}}.{{.Release.Namespace}}.serviceaccount.identity.{{.Values.linkerdNamespace}}.{{.Values.identityTrustDomain}}
     mirror.linkerd.io/probe-period: "{{.Values.gateway.probe.seconds}}"
     mirror.linkerd.io/probe-path: {{.Values.gateway.probe.path}}
     mirror.linkerd.io/multicluster-gateway: "true"
@@ -75,7 +75,7 @@ kind: ServiceAccount
 apiVersion: v1
 metadata:
   name: {{.Values.gateway.name}}
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
     linkerd.io/extension: multicluster
 {{end -}}

multicluster/charts/linkerd-multicluster/templates/namespace-metadata-rbac.yaml

@@ -0,0 +1,42 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  name: namespace-metadata
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  name: namespace-metadata
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "patch"]
+  resourceNames: ["{{.Release.Namespace}}"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  name: namespace-metadata
+roleRef:
+  kind: Role
+  name: namespace-metadata
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: namespace-metadata
+  namespace: {{.Release.Namespace}}

multicluster/charts/linkerd-multicluster/templates/namespace-metadata.yaml

@@ -0,0 +1,46 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app.kubernetes.io/name: namespace-metadata
+    app.kubernetes.io/part-of: Linkerd
+    app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.cliVersion}}
+  name: namespace-metadata
+spec:
+  template:
+    metadata:
+      annotations:
+        {{ include "partials.annotations.created-by" . }}
+      labels:
+        app.kubernetes.io/name: namespace-metadata
+        app.kubernetes.io/part-of: Linkerd
+        app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.cliVersion}}
+    spec:
+      restartPolicy: Never
+      serviceAccountName: namespace-metadata
+      containers:
+      - name: namespace-metadata
+        image: curlimages/curl:7.78.0
+        command: ["/bin/sh"]
+        args:
+        - -c
+        - |
+          ops=''
+          token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+          ns=$(curl -kfv -H "Authorization: Bearer $token" \
+            "https://kubernetes.default.svc/api/v1/namespaces/{{.Release.Namespace}}")
+
+          if echo "$ns" | grep -vq 'labels'; then
+            ops="$ops{\"op\": \"add\",\"path\": \"/metadata/labels\",\"value\": {}},"
+          fi
+
+          ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"multicluster\"}"
+
+          curl -kfv -XPATCH -H "Content-Type: application/json-patch+json" -H "Authorization: Bearer $token" \
+            -d "[$ops]" \
+            "https://kubernetes.default.svc/api/v1/namespaces/{{.Release.Namespace}}?fieldManager=kubectl-label"

multicluster/charts/linkerd-multicluster/templates/namespace.yaml

@@ -1,8 +1,8 @@
-{{if .Values.installNamespace -}}
+{{- if eq .Release.Service "CLI" -}}
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: {{ .Values.namespace }}
+  name: {{ .Release.Namespace }}
   labels:
     linkerd.io/extension: multicluster
 {{end -}}

multicluster/charts/linkerd-multicluster/templates/psp.yaml

@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: psp
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
     linkerd.io/extension: multicluster
 rules:
@@ -18,16 +18,16 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: multicluster-psp
-  namespace: {{.Values.namespace}}
+  {{ include "partials.namespace" . }}
   labels:
     linkerd.io/extension: multicluster
-    namespace: {{.Values.namespace}}
+    namespace: {{.Release.Namespace}}
 roleRef:
   kind: Role
   name: psp
   apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
   name: {{.Values.gateway.name}}
-  namespace: {{.Values.namespace}}
+  namespace: {{.Release.Namespace}}
 {{ end -}}

multicluster/charts/linkerd-multicluster/templates/remote-access-service-mirror-rbac.yaml

@@ -9,7 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{.}}
-  namespace: {{$.Values.namespace}}
+  {{ include "partials.namespace" $ }}
   labels:
     linkerd.io/extension: multicluster
   annotations:
@@ -30,7 +30,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{.}}
-  namespace: {{$.Values.namespace}}
+  {{ include "partials.namespace" $ }}
   labels:
     linkerd.io/extension: multicluster
   annotations:
@@ -40,7 +40,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{.}}
-  namespace: {{$.Values.namespace}}
+  {{ include "partials.namespace" $ }}
   labels:
     linkerd.io/extension: multicluster
   annotations:
@@ -52,6 +52,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{.}}
-  namespace: {{$.Values.namespace}}
+  namespace: {{$.Release.Namespace}}
 {{end -}}
 {{end -}}

multicluster/charts/linkerd-multicluster/values.yaml

@@ -24,12 +24,8 @@ gateway:
   # -- Set loadBalancerIP on gateway service
   loadBalancerIP: ""
 
-# -- If the namespace should be installed
-installNamespace: true
 # -- Control plane version
 linkerdVersion: linkerdVersionValue
-# -- Service Mirror component namespace
-namespace: linkerd-multicluster
 # -- The port on which the proxy accepts outbound traffic
 proxyOutboundPort: 4140
 # -- If the remote mirror service account should be installed