Add PDB for tap and tap-injector (#558)

To avoid disruption during cluster nodes rolling or scaling, it's
desired to complement the maxUnavailable from the rolling strategy with
a PodDisruptionBudget.

This commit adds the respective PDB objects following the core
components implementation to the `tap` and `tap-injector` deployments.
It can be enabled with the enablePodDisruptionBudget helm chart value.

Fixes linkerd#11248

Signed-off-by: Matias Charriere <matias@giantswarm.io>

viz/charts/linkerd-viz/README.md

@@ -98,6 +98,7 @@ Kubernetes: `>=1.21.0-0`
 | defaultUID | int | `2103` | UID for all the viz components |
 | enablePSP | bool | `false` | Create Roles and RoleBindings to associate this extension's ServiceAccounts to the control plane PSP resource. This requires that `enabledPSP` is set to true on the control plane install. Note PSP has been deprecated since k8s v1.21 |
 | enablePodAntiAffinity | bool | `false` | Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components. |
+| enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for tap and tap-injector components |
 | grafana.externalUrl | string | `nil` | url of a Grafana instance hosted off-cluster. Cannot be set if grafana.url is set. The reverse proxy will not be used for this URL. |
 | grafana.uidPrefix | string | `nil` | prefix for Grafana dashboard UID's, used when grafana.externalUrl is set. |
 | grafana.url | string | `nil` | url of an in-cluster Grafana instance with reverse proxy configured, used by the Linkerd viz web dashboard to provide direct links to specific Grafana dashboards. Cannot be set if grafana.externalUrl is set. See the [Linkerd documentation](https://linkerd.io/2/tasks/grafana) for more information |

viz/charts/linkerd-viz/templates/tap-injector.yaml

@@ -128,3 +128,24 @@ spec:
       - name: tls
         secret:
           secretName: tap-injector-k8s-tls
+{{- if .Values.enablePodDisruptionBudget }}
+---
+kind: PodDisruptionBudget
+apiVersion: policy/v1
+metadata:
+  name: tap-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/extension: viz
+    component: tap-injector
+    namespace: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      linkerd.io/extension: viz
+      component: tap-injector
+{{- end }}

viz/charts/linkerd-viz/templates/tap.yaml

@@ -143,3 +143,24 @@ spec:
       - name: tls
         secret:
           secretName: tap-k8s-tls
+{{- if .Values.enablePodDisruptionBudget }}
+---
+kind: PodDisruptionBudget
+apiVersion: policy/v1
+metadata:
+  name: tap
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/extension: viz
+    component: tap
+    namespace: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      linkerd.io/extension: viz
+      component: tap
+{{- end }}

viz/charts/linkerd-viz/values-ha.yaml

@@ -3,6 +3,7 @@
 #   helm install -f values.yaml -f values-ha.yaml
 
 enablePodAntiAffinity: true
+enablePodDisruptionBudget: true
 
 # nodeAffinity:
 

viz/charts/linkerd-viz/values.yaml

@@ -50,6 +50,9 @@ tolerations: &default_tolerations
 # Enable this only when you have multiple replicas of components.
 enablePodAntiAffinity: false
 
+# -- enables the creation of pod disruption budgets for tap and tap-injector components
+enablePodDisruptionBudget: false
+
 # -- NodeAffinity section, See the
 # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
 # for more information