Remove dependency of linkerd-config for control plane components #4915
Conversation
This PR removes the dependency of mounting `linkerd-config` into control plane components by making all that information passed through CLI flags.` Signed-off-by: Tarun Pothulapati <[email protected]>
Pothulapati
force-pushed
the
tarun/cp-no-configmap
branch
from
9811745
to
4a2acaa
Compare
controller/cmd/identity/main.go
Outdated
| @@ -42,6 +40,13 @@ func Main(args []string) { | |||
| addr := cmd.String("addr", ":8080", "address to serve on") | |||
| adminAddr := cmd.String("admin-addr", ":9990", "address of HTTP admin server") | |||
| kubeConfigPath := cmd.String("kubeconfig", "", "path to kube config") | |||
| controllerNS := cmd.String("controller-namespace", "", "namespace of the linkerd control plane") | |||
There was a problem hiding this comment.
I think this is just specifies which namespace to emit kubernetes events to, right? We could just call the flag --namespace. or maybe even get the current namespace from the downward api.
There was a problem hiding this comment.
Hmm, I went with --controller-namespace as every other component also has it, and helps with consistency?
|
It looks like the golden files need to be updated. Additionally there are some unit test failures related to the way that clock skew allowance is rendered during upgrade. It looks like this has revealed an existing bug where when the clock skew allowance is read from the configmap during upgrade, it is rendered as a protobuf duration instead of as a go duration: I think we need to first convert it to a go duration in order to render it correctly. |
Protobuf's Duration is different from goland Duration, and hence this conversion has to be done manually during retrieval. This worked previously because we were not using that value directly, and were storing the same value in protobuf format once again (i.e in the configMap) but now with these duration values being used as flags outside the configmap, this was discovered. Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Pothulapati
force-pushed
the
tarun/cp-no-configmap
branch
from
db78e6b
to
2db3d7a
Compare
| @@ -587,15 +588,25 @@ func (options *upgradeOptions) fetchIdentityValues(k kubernetes.Interface, idctx | |||
| } | |||
| } | |||
|
|
|||
| clockSkewDuration, err := ptypes.Duration(idctx.GetClockSkewAllowance()) | |||
There was a problem hiding this comment.
This was causing the upgrade tests to fail, as protobuf's duration is different from Duration in golang, we have to manually convert that using this func, if we are using the value directly. I think this wasn't a problem previously because we were again converting it back into protobuf and using it only there.
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
cli/cmd/upgrade_test.go
Outdated
| @@ -186,6 +189,11 @@ func TestUpgradeOverwriteIssuer(t *testing.T) { | |||
| if id == "ConfigMap/linkerd-config" { | |||
| continue | |||
| } | |||
|
|
|||
| if id == "Deployment/linkerd-identity" { | |||
| // skip checking identity as `identity-trust-anchor-pem` is overridden, which is passed as a CLI flag | |||
There was a problem hiding this comment.
if we wanted to take this a step further, we could verify that that the path is {spec, containers, *, spec, args, *} or whatever and that the diff.b is issuerCerts.caCrt.
There was a problem hiding this comment.
Great suggestion! Done 👍
This commit removes linkerd-config dependency in the proxy-injector and passes all the values through flags Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
|
Updated this PR to remove the |
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Pothulapati
force-pushed
the
tarun/cp-no-configmap
branch
from
6bc818e
to
37b5ec6
Compare
|
Nit: can you use |
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
|
I think this will be simpler if we do #5008 first. Then we can use that in inject instead of loading the protobuf config. |
|
@adleong 👍 waiting for the new configMap PR's to merge first! :) |
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
|
As we discussed, I think it would be helpful to narrow this PR to just focus on inject or to split the inject portions of this PR into a separate PR. |
Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
cli/cmd/upgrade_test.go
Outdated
| @@ -202,6 +204,13 @@ func TestUpgradeOverwriteIssuer(t *testing.T) { | |||
| // Trust root has changed. | |||
| continue | |||
| } | |||
|
|
|||
| if id == "Deployment/linkerd-identity" || id == "Deployment/linkerd-proxy-injector" { | |||
| if !pathMatch(diff.path, []string{"spec", "template", "spec", "containers", "*", "args", "*"}) || strings.TrimPrefix(diff.b.(string), "-identity-trust-anchors-pem=") != issuerCerts.ca { | |||
There was a problem hiding this comment.
- If there's a diff outside the container args then fail
- If there's a diff in some of the containers arg, check if that arg's value differs from
issuerCerts.ca. What if the diff is not for that particular arg?
Signed-off-by: Tarun Pothulapati <[email protected]>
…omorrow. Signed-off-by: Tarun Pothulapati <[email protected]>
There was a problem hiding this comment.
This looks pretty good.
I notice that we're using partials.FlagIfNotEmpty in most places to skip rendering the flag if it's empty. But, will these values ever be empty? I believe they all should have default values from the chart or are required values (such as the trust anchors PEM). I think it probably makes more sense to assume that all defaulting logic has already been applied by the time rendering happens and that all of these values have been populated. This way we're not spreading the defaulting logic between the values generation and the control plane component flags.
here, most args have some values by default. This was not the case with proxy-injector and hence we went down this route but now that its a separate thing (and probably uses a ConfigMap), these checks are removed. Signed-off-by: Tarun Pothulapati <[email protected]>
Signed-off-by: Tarun Pothulapati <[email protected]>
|
@adleong That makes sense, and most fields used here are not empty. Also, The reason for adding that helper check function was for proxy-injector, as it had fields that could be |
| @@ -259,6 +259,7 @@ github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:x | |||
| github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= | |||
| github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= | |||
| github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= | |||
| github.com/golang/protobuf v1.4.1 h1:ZFgWrT+bLgsYPirOnRfKLYJLvssAegOj/hgyMFdJZe0= | |||
There was a problem hiding this comment.
any reason why this needs to be added?
There was a problem hiding this comment.
This is go.sum which is edited/used by only the go compiler, and this was done automatically. probably because some code paths do not depend on the protobuf pkg anymore. Also, Running go mod tidy on this branch removed some stuff.
Signed-off-by: Tarun Pothulapati <[email protected]>
Part of #4914
This PR removes the dependency of mounting
linkerd-configinto controlplane components by making all that information passed through CLI
flags.`
Signed-off-by: Tarun Pothulapati [email protected]