From 521cd5328768e0856162c4b780f4eac4c82c84ee Mon Sep 17 00:00:00 2001 
From: Cody Vandermyn Date: Wed, 30 Jan 2019 11:51:34 -0800 Subject: [PATCH 001/112] WIP: CNI Plugin (#2071) * Export RootOptions and BuildFirewallConfiguration so that the cni-plugin can use them. * Created the cni-plugin based on istio-cni implementation * Create skeleton files that need to be filled out. * Create the install scripts and finish up plugin to write iptables * Added in an integration test around the install_cni.sh and updated the script to handle the case where it isn't the only plugin. Removed the istio kubernetes.go file in favor of pkg/k8s; initial usage of this package; found and fixed the typo in the ClusterRole and ClusterRoleBinding; found the docker-build-cni-plugin script * Corrected an incorrect name in the docker build file for cni-plugin * Rename linkerd2-cni to linkerd-cni * Fixup Dockerfile and clean up code a bit as well as logging statements. * Update Gopkg.lock after master merge. * Update test file to remove temporary tag. * Fixed the command to run during the test while building up the docker run. * Added attributions to applicable files; in the test file, use a different container for each test scenario and also print the docker logs to stdout when there is an error; * Add the --no-init-container flag to install and inject. This flag will not output the initContainer and will add an annotation assuming that the cni will be used in this case. * Update .travis.yml to build the cni-plugin docker image before running the tests. * Workaround golint warnings. * Create a new command to install the linkerd-cni plugin. * Add the --no-init-container option to linkerd inject * Use the setup ip tables annotation during the proxy auto inject webhook prevent/allow addition of an init container; move cni-plugin tests to the integration-test section of travis * gate the cni-plugin tests with the -integration-tests flag; remove unnecessary deployment .yaml file. * Incorporate PR Cleanup suggestions. 
* Remove the SetupIPTablesLabel annotation and use config flags and the presence of the init container to determine whether the cni-plugin writes ip tables. * Fix a logic bug in the cni-plugin code that prevented the iptables from being written; Address PR comments; make tests pass. * Update go deps shas * Changed the single file install-cni plugin filename to be .conf vs .conflist; Incorporated latest PR comments around spacing with the new renderer among others. * Fix an issue with renaming .conf to .conflist when needed. * Renamed some of the variables to try to make it more clear what is going on. * Address final PR comments. * Hide cni flags for the time being. 
Signed-off-by: Cody Vandermyn --- cni-plugin/Dockerfile | 19 + .../deployment/linkerd-cni.conf.default | 22 ++ cni-plugin/deployment/scripts/filter.jq | 13 + cni-plugin/deployment/scripts/install-cni.sh | 227 +++++++++++ cni-plugin/main.go | 242 ++++++++++++ cni-plugin/test/data/env_vars.sh | 21 + .../test/data/expected/01-linkerd-cni.conf-1 | 22 ++ .../test/data/expected/10-calico.conflist-1 | 50 +++ .../data/expected/10-calico.conflist-1.clean | 28 ++ .../data/expected/10-host-local.conf-1.clean | 21 + .../data/expected/10-host-local.conflist-1 | 43 +++ cni-plugin/test/data/k8s_svcacct/ca.crt | 4 + cni-plugin/test/data/k8s_svcacct/namespace | 1 + cni-plugin/test/data/k8s_svcacct/token | 1 + cni-plugin/test/data/pre/10-calico.conflist | 28 ++ cni-plugin/test/data/pre/10-host-local.conf | 14 + cni-plugin/test/install-cni_test.go | 360 ++++++++++++++++++ 17 files changed, 1116 insertions(+) create mode 100644 cni-plugin/Dockerfile create mode 100644 cni-plugin/deployment/linkerd-cni.conf.default create mode 100644 cni-plugin/deployment/scripts/filter.jq create mode 100755 cni-plugin/deployment/scripts/install-cni.sh create mode 100644 cni-plugin/main.go create mode 100644 cni-plugin/test/data/env_vars.sh create mode 100644 cni-plugin/test/data/expected/01-linkerd-cni.conf-1 create mode 100644 cni-plugin/test/data/expected/10-calico.conflist-1 create mode 100644 cni-plugin/test/data/expected/10-calico.conflist-1.clean create mode 100644 cni-plugin/test/data/expected/10-host-local.conf-1.clean create mode 100644 cni-plugin/test/data/expected/10-host-local.conflist-1 create mode 100644 cni-plugin/test/data/k8s_svcacct/ca.crt create mode 100644 cni-plugin/test/data/k8s_svcacct/namespace create mode 100644 cni-plugin/test/data/k8s_svcacct/token create mode 100644 cni-plugin/test/data/pre/10-calico.conflist create mode 100644 cni-plugin/test/data/pre/10-host-local.conf create mode 100644 cni-plugin/test/install-cni_test.go 
diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile
new file mode 100644
index 00000000..3cd4a865
--- /dev/null
+++ b/cni-plugin/Dockerfile
@@ -0,0 +1,19 @@
+## compile cni-plugin utility
+FROM gcr.io/linkerd-io/go-deps:a2d3bf8c as golang
+WORKDIR /go/src/github.com/linkerd/linkerd2
+COPY proxy-init proxy-init
+COPY pkg pkg
+COPY controller controller
+COPY cni-plugin cni-plugin
+RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v ./cni-plugin/
+
+FROM gcr.io/linkerd-io/base:2017-10-30.01
+WORKDIR /linkerd
+RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
+COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/
+COPY LICENSE .
+COPY cni-plugin/deployment/scripts/install-cni.sh .
+COPY cni-plugin/deployment/linkerd-cni.conf.default .
+COPY cni-plugin/deployment/scripts/filter.jq .
+ENV PATH=/linkerd:/opt/cni/bin:$PATH
+CMD ["install-cni.sh"]
diff --git a/cni-plugin/deployment/linkerd-cni.conf.default b/cni-plugin/deployment/linkerd-cni.conf.default
new file mode 100644
index 00000000..114fbfa5
--- /dev/null
+++ b/cni-plugin/deployment/linkerd-cni.conf.default
@@ -0,0 +1,22 @@
+{
+ "name": "linkerd-cni",
+ "type": "linkerd-cni",
+ "log_level": "__LOG_LEVEL__",
+ "policy": {
+ "type": "k8s",
+ "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
+ "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
+ },
+ "kubernetes": {
+ "kubeconfig": "__KUBECONFIG_FILEPATH__"
+ },
+ "linkerd": {
+ "incoming-proxy-port": __INCOMING_PROXY_PORT__,
+ "outgoing-proxy-port": __OUTGOING_PROXY_PORT__,
+ "proxy-uid": __PROXY_UID__,
+ "ports-to-redirect": [__PORTS_TO_REDIRECT__],
+ "inbound-ports-to-ignore": [__INBOUND_PORTS_TO_IGNORE__],
+ "outbound-ports-to-ignore": [__OUTBOUND_PORTS_TO_IGNORE__],
+ "simulate": __SIMULATE__
+ }
+}
\ No newline at end of file
diff --git a/cni-plugin/deployment/scripts/filter.jq b/cni-plugin/deployment/scripts/filter.jq
new file mode 100644
index 00000000..3737cbf9
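Review bot: The `RUN curl -kL -o $(which jq) …` line in the runtime stage turns off TLS certificate verification with `-k` and installs the downloaded file without any integrity check, so whatever the network returns at build time becomes the `jq` binary in an image that rewrites host CNI configuration. Drop `-k` and verify a pinned digest before installing, for example `RUN curl -fsSL -o /tmp/jq <same URL> && echo "<JQ_SHA256_PLACEHOLDER>  /tmp/jq" | sha256sum -c - && install -m 0755 /tmp/jq "$(which jq)"`. The digest shown is a placeholder and has to be taken from the upstream release. The base image tags in both `FROM` lines are mutable as well; pinning them by digest would make the build reproducible.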
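Review bot: The template writes the service-account token into the CNI config as `"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"`, yet the `PluginConf` struct added in cni-plugin/main.go declares no `policy` field and reaches the API server through `kubernetes.kubeconfig`, so as far as this patch shows the token is stored on the host without being read by the plugin. The rendered file lands in the host's CNI config directory (the expected fixtures show it merged into `10-calico.conflist`), where it is readable by anything that can read that directory. Consider dropping the `policy` block from the template and keeping the credential only in the kubeconfig, with that file created at mode 0600.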
--- /dev/null
+++ b/cni-plugin/deployment/scripts/filter.jq
@@ -0,0 +1,13 @@
+if has("type") then
+ .plugins = [.]
+ | del(.plugins[0].cniVersion)
+ | to_entries
+ | map(select(.key=="plugins"))
+ | from_entries
+ | .plugins += [$CNI_TMP_CONF_DATA]
+ | .name = "k8s-pod-network"
+ | .cniVersion = "0.3.0"
+else
+ del(.plugins[]? | select(.type == "linkerd-cni"))
+ | .plugins += [$CNI_TMP_CONF_DATA]
+end
\ No newline at end of file
diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh
new file mode 100755
index 00000000..1d2fc4fb
--- /dev/null
+++ b/cni-plugin/deployment/scripts/install-cni.sh
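Review bot: The `has("type")` branch hard-codes `.name = "k8s-pod-network"` and `.cniVersion = "0.3.0"` on the generated list and deletes the original `cniVersion`, so a host config that declared a different network name or CNI version is silently rewritten (the `10-host-local` fixture goes from network name "dbnet" to "k8s-pod-network"). Plugins that key state on the network name may treat this as a new network; that effect is inferred, not shown in the patch. Consider capturing the originals first, e.g. `(.cniVersion // "0.3.0") as $v | (.name // "k8s-pod-network") as $n`, and assigning `$n`/`$v` at the end. A leading `#` comment explaining that this branch converts a single-plugin .conf into a .conflist and the `else` branch replaces an existing linkerd-cni entry would also help.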
@@ -0,0 +1,227 @@ +#!/bin/sh +# Copyright (c) 2018 Tigera, Inc. All rights reserved. +# Copyright 2018 Istio Authors +# Modifications copyright (c) Linkerd authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file was inspired by: +# 1) https://github.com/projectcalico/cni-plugin/blob/c1175467c227c1656577c80bfc0ee7795da2e2bc/k8s-install/scripts/install-cni.sh +# 2) https://github.com/istio/cni/blob/c63a509539b5ed165a6617548c31b686f13c2133/deployments/kubernetes/install/scripts/install-cni.sh + +# Script to install Linkerd CNI on a Kubernetes host. +# - Expects the host CNI binary path to be mounted at /host/opt/cni/bin. +# - Expects the host CNI network config path to be mounted at /host/etc/cni/net.d. +# - Expects the desired CNI config in the CNI_NETWORK_CONFIG env variable. + +# Ensure all variables are defined, and that the script fails when an error is hit. +set -u -e + +# Helper function for raising errors +# Usage: +# some_command || exit_with_error "some_command_failed: maybe try..." +exit_with_error() { + echo "${1}" + exit 1 +} + +# The directory on the host where existing CNI plugin configs are installed +# and where this script will write out its configuration through the container +# mount point. Defaults to /etc/cni/net.d, but can be overridden by setting +# DEST_CNI_NET_DIR. +DEST_CNI_NET_DIR=${DEST_CNI_NET_DIR:-/etc/cni/net.d} +# The directory on the host where existing CNI binaries are installed. 
Defaults to +# /opt/cni/bin, but can be overridden by setting DEST_CNI_BIN_DIR. The linkerd-cni +# binary will end up in this directory from the host's point of view. +DEST_CNI_BIN_DIR=${DEST_CNI_BIN_DIR:-/opt/cni/bin} +# The mount prefix of the host machine from the container's point of view. +# Defaults to /host, but can be overridden by setting CONTAINER_MOUNT_PREFIX. +CONTAINER_MOUNT_PREFIX=${CONTAINER_MOUNT_PREFIX:-/host} +# The location in the container where the linkerd-cni binary resides. Can be +# overridden by setting CONTAINER_CNI_BIN_DIR. The binary in this directory +# will be copied over to the host DEST_CNI_BIN_DIR through the mount point. +CONTAINER_CNI_BIN_DIR=${CONTAINER_CNI_BIN_DIR:-/opt/cni/bin} + +# Default to the first file following a find | sort since the Kubernetes CNI runtime is going +# to look for the lexicographically first file. If the directory is empty, then use a name +# of our choosing. +CNI_CONF_PATH=${CNI_CONF_PATH:-$(find "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}" -maxdepth 1 -type f \( -iname '*conflist' -o -iname '*conf' \) | sort | head -n 1)} +CNI_CONF_PATH=${CNI_CONF_PATH:-"${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/01-linkerd-cni.conf"} + +KUBECONFIG_FILE_NAME=${KUBECONFIG_FILE_NAME:-ZZZ-linkerd-cni-kubeconfig} + +cleanup() { + echo 'Removing linkerd-cni artifacts.' + + if [ -e "${CNI_CONF_PATH}" ]; then + echo "Removing linkerd-cni config: ${CNI_CONF_PATH}" + CNI_CONF_DATA=$(cat "${CNI_CONF_PATH}" | jq 'del( .plugins[]? 
| select( .type == "linkerd-cni" ))') + echo "${CNI_CONF_DATA}" > "${CNI_CONF_PATH}" + + if [ "${CNI_CONF_PATH}" = "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/01-linkerd-cni.conf" ]; then + rm -f "${CNI_CONF_PATH}" + fi + fi + if [ -e "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" ]; then + echo "Removing linkerd-cni kubeconfig: ${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" + rm -f "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" + fi + if [ -e "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}"/linkerd-cni ]; then + echo "Removing linkerd-cni binary: ${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}/linkerd-cni" + rm -f "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}/linkerd-cni" + fi + echo 'Exiting.' +} + +# Capture the usual signals and exit from the script +trap cleanup EXIT +trap 'echo "SIGINT received, simply exiting..."; cleanup' INT +trap 'echo "SIGTERM received, simply exiting..."; cleanup' TERM +trap 'echo "SIGHUP received, simply exiting..."; cleanup' HUP + +# Place the new binaries if the mounted directory is writeable. +dir="${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}" +if [ ! -w "${dir}" ]; then + exit_with_error "${dir} is non-writeable, failure" +fi +for path in "${CONTAINER_CNI_BIN_DIR}"/*; do + cp "${path}" "${dir}"/ || exit_with_error "Failed to copy ${path} to ${dir}." +done + +echo "Wrote linkerd CNI binaries to ${dir}" + +TMP_CONF='/linkerd/linkerd-cni.conf.default' +# If specified, overwrite the network configuration file. +: "${CNI_NETWORK_CONFIG_FILE:=}" +: "${CNI_NETWORK_CONFIG:=}" +if [ -e "${CNI_NETWORK_CONFIG_FILE}" ]; then + echo "Using CNI config template from ${CNI_NETWORK_CONFIG_FILE}." + cp "${CNI_NETWORK_CONFIG_FILE}" "${TMP_CONF}" +elif [ "${CNI_NETWORK_CONFIG}" != "" ]; then + echo 'Using CNI config template from CNI_NETWORK_CONFIG environment variable.' 
+ cat >"${TMP_CONF}" < "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" < ${TMP_CONF} +fi + +# If the old config filename ends with .conf, rename it to .conflist, because it has changed to be a list +filename=$(basename -- "${CNI_CONF_PATH}") +extension="${filename##*.}" +if [ "${filename}" != "01-linkerd-cni.conf" ] && [ "${extension}" = "conf" ]; then + echo "Renaming ${CNI_CONF_PATH} extension to .conflist" + CNI_CONF_PATH="${CNI_CONF_PATH}list" +fi + +# Delete old CNI config files for upgrades. +if [ "${CNI_CONF_PATH}" != "${CNI_OLD_CONF_PATH}" ]; then + echo "Removing CNI_OLD_CONF_PATH: ${CNI_OLD_CONF_PATH}" + rm -f "${CNI_OLD_CONF_PATH}" +fi + +# Move the temporary CNI config into place. +mv "${TMP_CONF}" "${CNI_CONF_PATH}" || exit_with_error 'Failed to mv files.' + +echo "Created CNI config ${CNI_CONF_PATH}" + +# Unless told otherwise, sleep forever. +# This prevents Kubernetes from restarting the pod repeatedly. +should_sleep=${SLEEP:-"true"} +echo "Done configuring CNI. Sleep=$should_sleep" +while [ "${should_sleep}" = "true" ]; do + sleep 10 +done diff --git a/cni-plugin/main.go b/cni-plugin/main.go new file mode 100644 index 00000000..bb570666 --- /dev/null +++ b/cni-plugin/main.go 
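Review bot: The INT, TERM and HUP traps print "simply exiting..." and call `cleanup` but never call `exit`, so once the handler returns the script resumes the `while … sleep 10` loop with the plugin binary, kubeconfig and config entry already removed from the host, and the container only stops when it is killed. Because `trap cleanup EXIT` already handles teardown, the signal traps can simply exit, e.g. `trap 'echo "SIGTERM received, exiting..."; exit 0' TERM` and the same for INT and HUP. Separately, `cleanup` rewrites the live host config in place with `echo "${CNI_CONF_DATA}" > "${CNI_CONF_PATH}"`; writing to a temporary file in the same directory and `mv`-ing it over the target avoids the runtime reading a truncated file. The heredoc sections that render the template and the kubeconfig are not legible on this page, so file permissions on those outputs could not be checked here.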
@@ -0,0 +1,242 @@
+// Copyright 2017 CNI authors
+// Modifications copyright (c) Linkerd authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file was inspired by:
+// 1) https://github.com/istio/cni/blob/c63a509539b5ed165a6617548c31b686f13c2133/cmd/istio-cni/main.go
+
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/containernetworking/cni/pkg/skel"
+ "github.com/containernetworking/cni/pkg/types"
+ "github.com/containernetworking/cni/pkg/types/current"
+ "github.com/containernetworking/cni/pkg/version"
+ "github.com/linkerd/linkerd2/pkg/k8s"
+ "github.com/linkerd/linkerd2/proxy-init/cmd"
+ "github.com/linkerd/linkerd2/proxy-init/iptables"
+ "github.com/projectcalico/libcalico-go/lib/logutils"
+ "github.com/sirupsen/logrus"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+)
+
+// ProxyInit is the configuration for the proxy-init binary
+type ProxyInit struct {
+ IncomingProxyPort int `json:"incoming-proxy-port"`
+ OutgoingProxyPort int `json:"outgoing-proxy-port"`
+ ProxyUID int `json:"proxy-uid"`
+ PortsToRedirect []int `json:"ports-to-redirect"`
+ InboundPortsToIgnore []int `json:"inbound-ports-to-ignore"`
+ OutboundPortsToIgnore []int `json:"outbound-ports-to-ignore"`
+ Simulate bool `json:"simulate"`
+}
+
+// Kubernetes a K8s specific struct to hold config
+type Kubernetes struct {
+ K8sAPIRoot string `json:"k8s_api_root"`
+ Kubeconfig string `json:"kubeconfig"`
+}
+
+// K8sArgs is the valid CNI_ARGS used for Kubernetes
+// The field names need to match exact keys in kubelet args for unmarshalling
+type K8sArgs struct {
+ types.CommonArgs
+ K8sPodName types.UnmarshallableString
+ K8sPodNamespace types.UnmarshallableString
+}
+
+// PluginConf is whatever JSON is passed via stdin.
+type PluginConf struct {
+ types.NetConf
+
+ // This is the previous result, when called in the context of a chained
+ // plugin. We will just pass any prevResult through.
+ RawPrevResult *map[string]interface{} `json:"prevResult"`
+ PrevResult *current.Result `json:"-"`
+
+ LogLevel string `json:"log_level"`
+ ProxyInit ProxyInit `json:"linkerd"`
+ Kubernetes Kubernetes `json:"kubernetes"`
+}
+
+func main() {
+ // Set up logging formatting.
+ logrus.SetFormatter(&logutils.Formatter{})
+ // Install a hook that adds file/line no information.
+ logrus.AddHook(&logutils.ContextHook{})
+ skel.PluginMain(cmdAdd, cmdDel, version.All)
+}
+
+func configureLogging(logLevel string) {
+ if strings.EqualFold(logLevel, "debug") {
+ logrus.SetLevel(logrus.DebugLevel)
+ } else if strings.EqualFold(logLevel, "info") {
+ logrus.SetLevel(logrus.InfoLevel)
+ } else {
+ // Default level
+ logrus.SetLevel(logrus.WarnLevel)
+ }
+
+ // Must log to Stderr because the CNI runtime uses Stdout as its state
+ logrus.SetOutput(os.Stderr)
+}
+
+// parseConfig parses the supplied configuration (and prevResult) from stdin.
+func parseConfig(stdin []byte) (*PluginConf, error) { + conf := PluginConf{} + + logrus.Debugf("linkerd-cni: stdin to plugin: %v", string(stdin)) + if err := json.Unmarshal(stdin, &conf); err != nil { + return nil, fmt.Errorf("linkerd-cni: failed to parse network configuration: %v", err) + } + + if conf.RawPrevResult != nil { + resultBytes, err := json.Marshal(conf.RawPrevResult) + if err != nil { + return nil, fmt.Errorf("linkerd-cni: could not serialize prevResult: %v", err) + } + + res, err := version.NewResult(conf.CNIVersion, resultBytes) + if err != nil { + return nil, fmt.Errorf("linkerd-cni: could not parse prevResult: %v", err) + } + conf.RawPrevResult = nil + conf.PrevResult, err = current.NewResultFromResult(res) + if err != nil { + return nil, fmt.Errorf("linkerd-cni: could not convert result to current version: %v", err) + } + logrus.Debugf("linkerd-cni: prevResult: %v", conf.PrevResult) + } + + return &conf, nil +} + +// cmdAdd is called by the CNI runtime for ADD requests +func cmdAdd(args *skel.CmdArgs) error { + logrus.Debug("linkerd-cni: cmdAdd, parsing config") + conf, err := parseConfig(args.StdinData) + if err != nil { + return err + } + configureLogging(conf.LogLevel) + + if conf.PrevResult != nil { + logrus.WithFields(logrus.Fields{ + "version": conf.CNIVersion, + "prevResult": conf.PrevResult, + }).Debug("linkerd-cni: cmdAdd, config parsed") + } else { + logrus.WithFields(logrus.Fields{ + "version": conf.CNIVersion, + }).Debug("linkerd-cni: cmdAdd, config parsed") + } + + // Determine if running under k8s by checking the CNI args + k8sArgs := K8sArgs{} + args.Args = strings.Replace(args.Args, "K8S_POD_NAMESPACE", "K8sPodNamespace", 1) + args.Args = strings.Replace(args.Args, "K8S_POD_NAME", "K8sPodName", 1) + if err := types.LoadArgs(args.Args, &k8sArgs); err != nil { + return err + } + + namespace := string(k8sArgs.K8sPodNamespace) + podName := string(k8sArgs.K8sPodName) + logEntry := logrus.WithFields(logrus.Fields{ + "ContainerID": 
args.ContainerID, + "Pod": podName, + "Namespace": namespace, + }) + + if namespace != "" && podName != "" { + config, err := k8s.GetConfig(conf.Kubernetes.Kubeconfig, "linkerd-cni-context") + if err != nil { + return err + } + + client, err := kubernetes.NewForConfig(config) + if err != nil { + return err + } + + pod, err := client.CoreV1().Pods(namespace).Get(podName, metav1.GetOptions{}) + if err != nil { + return err + } + + containsLinkerdProxy := false + for _, container := range pod.Spec.Containers { + if container.Name == k8s.ProxyContainerName { + containsLinkerdProxy = true + break + } + } + + containsInitContainer := false + for _, container := range pod.Spec.InitContainers { + if container.Name == k8s.InitContainerName { + containsInitContainer = true + break + } + } + + if containsLinkerdProxy && !containsInitContainer { + logEntry.Infof("linkerd-cni: setting up iptables firewall") + options := cmd.RootOptions{ + IncomingProxyPort: conf.ProxyInit.IncomingProxyPort, + OutgoingProxyPort: conf.ProxyInit.OutgoingProxyPort, + ProxyUserID: conf.ProxyInit.ProxyUID, + PortsToRedirect: conf.ProxyInit.PortsToRedirect, + InboundPortsToIgnore: conf.ProxyInit.InboundPortsToIgnore, + OutboundPortsToIgnore: conf.ProxyInit.OutboundPortsToIgnore, + SimulateOnly: conf.ProxyInit.Simulate, + NetNs: args.Netns, + } + firewallConfiguration, err := cmd.BuildFirewallConfiguration(&options) + if err != nil { + logEntry.Errorf("linkerd-cni: could not create a Firewall Configuration from the options: %v", options) + return err + } + iptables.ConfigureFirewall(*firewallConfiguration) + } else { + logEntry.Infof("linkerd-cni: linkerd-init initConainer is present, skipping.") + } + } else { + logEntry.Infof("linkerd-cni: no Kubernetes namespace or pod name found, skipping.") + } + + logrus.Infof("linkerd-cni: plugin is finished") + if conf.PrevResult != nil { + // Pass through the prevResult for the next plugin + return types.PrintResult(conf.PrevResult, conf.CNIVersion) + } + + 
logrus.Infof("linkerd-cni: no previous result to pass through, emptying stdout") + return nil +} + +// cmdDel is called for DELETE requests +func cmdDel(args *skel.CmdArgs) error { + logrus.Info("linkerd-cni: cmdDel not implemented") + return nil +} + +func cmdGet(args *skel.CmdArgs) error { + return fmt.Errorf("linkerd-cni: cmdGet not implemented") +} diff --git a/cni-plugin/test/data/env_vars.sh b/cni-plugin/test/data/env_vars.sh new file mode 100644 index 00000000..e86afd5a --- /dev/null +++ b/cni-plugin/test/data/env_vars.sh @@ -0,0 +1,21 @@ +KUBE_DNS_SERVICE_PORT=53 +KUBE_DNS_PORT_53_TCP_PROTO=tcp +KUBE_DNS_PORT_53_UDP=udp://10.110.0.10:53 +KUBE_DNS_PORT_53_UDP_PROTO=udp +KUBERNETES_PORT_443_TCP_PROTO=tcp +KUBERNETES_PORT_443_TCP_ADDR=10.110.0.1 +KUBE_DNS_PORT_53_UDP_ADDR=10.110.0.10 +KUBERNETES_PORT=tcp://10.110.0.1:443 +KUBE_DNS_PORT_53_TCP_ADDR=10.110.0.10 +KUBE_DNS_PORT=udp://10.110.0.10:53 +KUBERNETES_SERVICE_PORT_HTTPS=443 +KUBERNETES_PORT_443_TCP_PORT=443 +KUBERNETES_PORT_443_TCP=tcp://10.110.0.1:443 +KUBE_DNS_PORT_53_TCP_PORT=53 +KUBE_DNS_PORT_53_TCP=tcp://10.110.0.10:53 +KUBERNETES_SERVICE_PORT=443 +KUBE_DNS_SERVICE_PORT_DNS=53 +KUBE_DNS_SERVICE_PORT_DNS_TCP=53 +KUBERNETES_SERVICE_HOST=10.110.0.1 +KUBE_DNS_PORT_53_UDP_PORT=53 +KUBE_DNS_SERVICE_HOST=10.110.0.10 \ No newline at end of file diff --git a/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 b/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 new file mode 100644 index 00000000..8e9b8b4e --- /dev/null +++ b/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 
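Review bot: In `cmdAdd` the call `iptables.ConfigureFirewall(*firewallConfiguration)` discards whatever it returns, after which the function logs "plugin is finished" and reports success; if ConfigureFirewall signals failure through an error return (its signature is not visible in this patch), a pod whose redirect rules were never installed would start with its traffic bypassing the proxy. Propagate the result so the ADD fails closed, e.g. `if err := iptables.ConfigureFirewall(*firewallConfiguration); err != nil { return err }`. The adjacent `else` branch logs "linkerd-init initConainer is present, skipping." for pods that have no proxy container too, so the message should distinguish the two cases. `parseConfig` also passes the raw stdin to `logrus.Debugf`, and per the config template that payload carries `k8s_auth_token`; it should be redacted before logging. Finally, `cmdGet` is defined but not passed to `skel.PluginMain`, so it is dead code in this version.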
@@ -0,0 +1,22 @@ +{ + "name": "linkerd-cni", + "type": "linkerd-cni", + "log_level": "warn", + "policy": { + "type": "k8s", + "k8s_api_root": "https://10.110.0.1:443", + "k8s_auth_token": "MyAwesomeToken" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/ZZZ-linkerd-cni-kubeconfig" + }, + "linkerd": { + "incoming-proxy-port": -1, + "outgoing-proxy-port": -1, + "proxy-uid": -1, + "ports-to-redirect": [], + "inbound-ports-to-ignore": [], + "outbound-ports-to-ignore": [], + "simulate": false + } +} diff --git a/cni-plugin/test/data/expected/10-calico.conflist-1 b/cni-plugin/test/data/expected/10-calico.conflist-1 new file mode 100644 index 00000000..4caec8a6 --- /dev/null +++ b/cni-plugin/test/data/expected/10-calico.conflist-1 @@ -0,0 +1,50 @@ +{ + "name": "k8s-pod-network", + "cniVersion": "0.3.0", + "plugins": [ + { + "type": "calico", + "etcd_endpoints": "http://10.110.0.136:6666", + "log_level": "info", + "mtu": 1500, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/calico-kubeconfig" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": { + "portMappings": true + } + }, + { + "name": "linkerd-cni", + "type": "linkerd-cni", + "log_level": "warn", + "policy": { + "type": "k8s", + "k8s_api_root": "https://10.110.0.1:443", + "k8s_auth_token": "MyAwesomeToken" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/ZZZ-linkerd-cni-kubeconfig" + }, + "linkerd": { + "incoming-proxy-port": -1, + "outgoing-proxy-port": -1, + "proxy-uid": -1, + "ports-to-redirect": [], + "inbound-ports-to-ignore": [], + "outbound-ports-to-ignore": [], + "simulate": false + } + } + ] +} diff --git a/cni-plugin/test/data/expected/10-calico.conflist-1.clean b/cni-plugin/test/data/expected/10-calico.conflist-1.clean new file mode 100644 index 00000000..61d0b452 --- /dev/null +++ b/cni-plugin/test/data/expected/10-calico.conflist-1.clean 
@@ -0,0 +1,28 @@ +{ + "name": "k8s-pod-network", + "cniVersion": "0.3.0", + "plugins": [ + { + "type": "calico", + "etcd_endpoints": "http://10.110.0.136:6666", + "log_level": "info", + "mtu": 1500, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/calico-kubeconfig" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": { + "portMappings": true + } + } + ] +} diff --git a/cni-plugin/test/data/expected/10-host-local.conf-1.clean b/cni-plugin/test/data/expected/10-host-local.conf-1.clean new file mode 100644 index 00000000..b8193ff5 --- /dev/null +++ b/cni-plugin/test/data/expected/10-host-local.conf-1.clean @@ -0,0 +1,21 @@ +{ + "plugins": [ + { + "name": "dbnet", + "type": "bridge", + "bridge": "cni0", + "ipam": { + "type": "host-local", + "subnet": "10.1.0.0/16", + "gateway": "10.1.0.1" + }, + "dns": { + "nameservers": [ + "10.1.0.1" + ] + } + } + ], + "name": "k8s-pod-network", + "cniVersion": "0.3.0" +} diff --git a/cni-plugin/test/data/expected/10-host-local.conflist-1 b/cni-plugin/test/data/expected/10-host-local.conflist-1 new file mode 100644 index 00000000..acda2a28 --- /dev/null +++ b/cni-plugin/test/data/expected/10-host-local.conflist-1 
@@ -0,0 +1,43 @@ +{ + "plugins": [ + { + "name": "dbnet", + "type": "bridge", + "bridge": "cni0", + "ipam": { + "type": "host-local", + "subnet": "10.1.0.0/16", + "gateway": "10.1.0.1" + }, + "dns": { + "nameservers": [ + "10.1.0.1" + ] + } + }, + { + "name": "linkerd-cni", + "type": "linkerd-cni", + "log_level": "warn", + "policy": { + "type": "k8s", + "k8s_api_root": "https://10.110.0.1:443", + "k8s_auth_token": "MyAwesomeToken" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/ZZZ-linkerd-cni-kubeconfig" + }, + "linkerd": { + "incoming-proxy-port": -1, + "outgoing-proxy-port": -1, + "proxy-uid": -1, + "ports-to-redirect": [], + "inbound-ports-to-ignore": [], + "outbound-ports-to-ignore": [], + "simulate": false + } + } + ], + "name": "k8s-pod-network", + "cniVersion": "0.3.0" +} diff --git a/cni-plugin/test/data/k8s_svcacct/ca.crt b/cni-plugin/test/data/k8s_svcacct/ca.crt new file mode 100644 index 00000000..efd11277 --- /dev/null +++ b/cni-plugin/test/data/k8s_svcacct/ca.crt @@ -0,0 +1,4 @@ + +-----BEGIN CERTIFICATE----- +MyBestCertificate +-----END CERTIFICATE----- \ No newline at end of file diff --git a/cni-plugin/test/data/k8s_svcacct/namespace b/cni-plugin/test/data/k8s_svcacct/namespace new file mode 100644 index 00000000..d2826d00 --- /dev/null +++ b/cni-plugin/test/data/k8s_svcacct/namespace @@ -0,0 +1 @@ +test-namespace \ No newline at end of file diff --git a/cni-plugin/test/data/k8s_svcacct/token b/cni-plugin/test/data/k8s_svcacct/token new file mode 100644 index 00000000..0c6f7ca5 --- /dev/null +++ b/cni-plugin/test/data/k8s_svcacct/token @@ -0,0 +1 @@ +MyAwesomeToken \ No newline at end of file diff --git a/cni-plugin/test/data/pre/10-calico.conflist b/cni-plugin/test/data/pre/10-calico.conflist new file mode 100644 index 00000000..eccb89b9 --- /dev/null +++ b/cni-plugin/test/data/pre/10-calico.conflist 
@@ -0,0 +1,28 @@ +{ + "name": "k8s-pod-network", + "cniVersion": "0.3.0", + "plugins": [ + { + "type": "calico", + "etcd_endpoints": "http://10.110.0.136:6666", + "log_level": "info", + "mtu": 1500, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/calico-kubeconfig" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": { + "portMappings": true + } + } + ] +} \ No newline at end of file diff --git a/cni-plugin/test/data/pre/10-host-local.conf b/cni-plugin/test/data/pre/10-host-local.conf new file mode 100644 index 00000000..19d5365a --- /dev/null +++ b/cni-plugin/test/data/pre/10-host-local.conf @@ -0,0 +1,14 @@ +{ + "cniVersion": "0.3.0", + "name": "dbnet", + "type": "bridge", + "bridge": "cni0", + "ipam": { + "type": "host-local", + "subnet": "10.1.0.0/16", + "gateway": "10.1.0.1" + }, + "dns": { + "nameservers": [ "10.1.0.1" ] + } +} \ No newline at end of file diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go new file mode 100644 index 00000000..9791ba68 --- /dev/null +++ b/cni-plugin/test/install-cni_test.go 
@@ -0,0 +1,360 @@ +// Copyright 2018 Istio Authors +// Modifications copyright (c) Linkerd authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package test + +import ( + "bytes" + "flag" + "fmt" + "io/ioutil" + "os" + "os/exec" + "os/user" + "strconv" + "strings" + "testing" + "time" +) + +const ( + hostCniNetDir = "/host/etc/cni/net.d" + cniNetSubDir = "/data/pre/" + k8sSvcAcctSubDir = "/data/k8s_svcacct/" + + cniConfName = "CNI_CONF_NAME" + cniNetworkConfigName = "CNI_NETWORK_CONFIG" +) + +func env(key, fallback string) string { + if value, ok := os.LookupEnv(key); ok { + return value + } + return fallback +} + +func setEnv(key, value string, t *testing.T) { + err := os.Setenv(key, value) + if err != nil { + t.Fatalf("Couldn't set environment variable, err: %v", err) + } +} + +func mktemp(dir, prefix string, t *testing.T) string { + tempDir, err := ioutil.TempDir(dir, prefix) + if err != nil { + t.Fatalf("Couldn't get current working directory, err: %v", err) + } + t.Logf("Created temporary dir: %v", tempDir) + return tempDir +} + +func pwd(t *testing.T) string { + wd, err := os.Getwd() + if err != nil { + t.Fatalf("Couldn't get current working directory, err: %v", err) + } + return wd + "/" +} + +func ls(dir string, t *testing.T) []string { + files, err := ioutil.ReadDir(dir) + if err != nil { + t.Fatalf("Failed to list files, err: %v", err) + } + fileNames := make([]string, len(files)) + for i, f := range files { + fileNames[i] = f.Name() + } + 
return fileNames +} + +func cp(src, dest string, t *testing.T) { + data, err := ioutil.ReadFile(src) + if err != nil { + t.Fatalf("Failed to read file %v, err: %v", src, err) + } + if err = ioutil.WriteFile(dest, data, 0644); err != nil { + t.Fatalf("Failed to write file %v, err: %v", dest, err) + } +} + +func rm(dir string, t *testing.T) { + err := os.RemoveAll(dir) + if err != nil { + t.Fatalf("Failed to remove dir %v, err: %v", dir, err) + } +} + +// populateTempDirs populates temporary test directories with golden files +func populateTempDirs(wd string, tempCNINetDir string, preConfFile string, t *testing.T) { + t.Logf("Pre-populating working dirs") + t.Logf("Copying %v into temp config dir %v", preConfFile, tempCNINetDir) + cp(wd+cniNetSubDir+preConfFile, tempCNINetDir+"/"+preConfFile, t) +} + +// populateK8sCreds populates temporary k8s directories with k8s credentials like service account token +func populateK8sCreds(wd string, tempK8sSvcAcctDir string, t *testing.T) { + for _, f := range ls(wd+k8sSvcAcctSubDir, t) { + t.Logf("Copying %v into temp k8s serviceaccount dir %v", f, tempK8sSvcAcctDir) + cp(wd+k8sSvcAcctSubDir+f, tempK8sSvcAcctDir+"/"+f, t) + } + t.Logf("Finished pre-populating working dirs") +} + +// startDocker starts a test Docker container and runs the install-cni.sh script. +func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir string, tempCNIBinDir string, tempK8sSvcAcctDir string, t *testing.T) string { + // The following is in place to default to a sane development environment that mirrors how bin/fast-build + // does it. To change to a different docker image, set the HUB and TAG environment variables before running the tests. 
+ gitShaHead, _ := exec.Command("git", "rev-parse", "--short=8", "HEAD").Output() + user, _ := user.Current() + tag := "dev-" + strings.Trim(string(gitShaHead), "\n") + "-" + user.Username + dockerImage := env("HUB", "gcr.io/linkerd-io") + "/cni-plugin:" + env("TAG", tag) + errFileName := testWorkRootDir + "/docker_run_stderr" + + // Build arguments list by picking whatever is necessary from the environment. + args := []string{"run", "-d", + "--name", "test-linkerd-cni-install-" + strconv.Itoa(testNum), + "-v", tempCNINetDir + ":" + hostCniNetDir, + "-v", tempCNIBinDir + ":/host/opt/cni/bin", + "-v", tempK8sSvcAcctDir + ":/var/run/secrets/kubernetes.io/serviceaccount", + "--env-file", wd + "/data/env_vars.sh", + "-e", cniNetworkConfigName, + "-e", "SLEEP=true", + } + if _, ok := os.LookupEnv(cniConfName); ok { + args = append(args, "-e", cniConfName) + } + args = append(args, dockerImage) + args = append(args, "install-cni.sh") + + // Create a temporary log file to write docker command error log. + errFile, err := os.Create(errFileName) + if err != nil { + t.Fatalf("Couldn't create docker stderr file, err: %v", err) + } + defer func() { + errClose := errFile.Close() + if errClose != nil { + t.Fatalf("Couldn't close docker stderr file, err: %v", errClose) + } + }() + + // Run the docker command and write errors to a temporary file. + cmd := exec.Command("docker", args...) + cmd.Stderr = errFile + + containerID, err := cmd.Output() + if err != nil { + errFileContents, _ := ioutil.ReadFile(errFileName) + t.Logf("%v contents:\n\n%v\n\n", errFileName, string(errFileContents)) + t.Fatalf("Test %v ERROR: failed to start docker container '%v', see %v", testNum, dockerImage, errFileName) + } + t.Logf("Container ID: %s", containerID) + return strings.Trim(string(containerID), "\n") +} + +// docker runs the given docker command on the given container ID. 
+func docker(cmd, containerID string, t *testing.T) { + out, err := exec.Command("docker", cmd, containerID).CombinedOutput() + if err != nil { + t.Fatalf("Failed to execute 'docker %s %s', err: %v", cmd, containerID, err) + } + t.Logf("docker %s %s - out: %s", cmd, containerID, out) +} + +// compareConfResult does a string compare of 2 test files. +func compareConfResult(testWorkRootDir string, tempCNINetDir string, result string, expected string, t *testing.T) { + tempResult := tempCNINetDir + "/" + result + resultFile, err := ioutil.ReadFile(tempResult) + if err != nil { + t.Fatalf("Failed to read file %v, err: %v", tempResult, err) + } + + expectedFile, err := ioutil.ReadFile(expected) + if err != nil { + t.Fatalf("Failed to read file %v, err: %v", expected, err) + } + + if bytes.Equal(resultFile, expectedFile) { + t.Logf("PASS: result matches expected: %v v. %v", tempResult, expected) + } else { + tempFail := mktemp(testWorkRootDir, result+".fail.XXXX", t) + t.Errorf("FAIL: result doesn't match expected: %v v. %v", tempResult, expected) + cp(tempResult, tempFail+"/"+result, t) + t.Fatalf("Check %v for diff contents", tempFail) + } +} + +// checkBinDir verifies the presence/absence of test files. +func checkBinDir(t *testing.T, tempCNIBinDir string, op string, files ...string) { + for _, f := range files { + if _, err := os.Stat(tempCNIBinDir + "/" + f); !os.IsNotExist(err) { + if op == "add" { + t.Logf("PASS: File %v was added to %v", f, tempCNIBinDir) + } else if op == "del" { + t.Fatalf("FAIL: File %v was not removed from %v", f, tempCNIBinDir) + } + } else { + if op == "add" { + t.Fatalf("FAIL: File %v was not added to %v", f, tempCNIBinDir) + } else if op == "del" { + t.Logf("PASS: File %v was removed from %v", f, tempCNIBinDir) + } + } + } +} + +// doTest sets up necessary environment variables, runs the Docker installation +// container and verifies output file correctness. 
+func doTest(testNum int, wd string, initialNetConfFile string, finalNetConfFile string, expectNetConfFile string, expectedPostCleanNetConfFile string, tempCNINetDir string, tempCNIBinDir string, tempK8sSvcAcctDir string, testWorkRootDir string, t *testing.T) { + t.Logf("Test %v: prior cni-conf='%v', expected result='%v'", testNum, initialNetConfFile, finalNetConfFile) + + if initialNetConfFile != "NONE" { + setEnv(cniConfName, initialNetConfFile, t) + } + defaultData, err := ioutil.ReadFile(wd + "../deployment/linkerd-cni.conf.default") + if err != nil { + t.Fatalf("Failed to read file %v, err: %v", wd+"../deployment/linkerd-cni.conf.default", err) + } + setEnv(cniNetworkConfigName, string(defaultData), t) + + containerID := startDocker(testNum, wd, testWorkRootDir, tempCNINetDir, tempCNIBinDir, tempK8sSvcAcctDir, t) + time.Sleep(5 * time.Second) + + compareConfResult(testWorkRootDir, tempCNINetDir, finalNetConfFile, expectNetConfFile, t) + checkBinDir(t, tempCNIBinDir, "add", "linkerd-cni") + + docker("stop", containerID, t) + time.Sleep(5 * time.Second) + + t.Logf("Test %v: Check the cleanup worked", testNum) + checkBinDir(t, tempCNIBinDir, "del", "linkerd-cni") + if len(expectedPostCleanNetConfFile) > 0 { + compareConfResult(testWorkRootDir, tempCNINetDir, finalNetConfFile, expectedPostCleanNetConfFile, t) + } else { + files := ls(tempCNINetDir, t) + if len(files) > 0 { + t.Fatalf("FAIL: CNI_CONF_DIR is not empty: %v", files) + } else { + t.Log("PASS: CNI_CONF_DIR is empty") + } + } + + docker("logs", containerID, t) + docker("rm", containerID, t) +} + +func TestMain(m *testing.M) { + runTests := flag.Bool("integration-tests", false, "must be provided to run the integration tests") + flag.Parse() + + if !*runTests { + fmt.Fprintln(os.Stderr, "integration tests not enabled: enable with -integration-tests") + os.Exit(0) + } + + os.Exit(m.Run()) +} + +func TestInstallCNI_Scenario1(t *testing.T) { + t.Log("If the test fails, you will want to check the docker logs 
of the container and then be sure to stop && remove it before running the tests again.") + + t.Log("Scenario 1: There isn't an existing plugin configuration in the CNI_NET_DIR.") + t.Log("GIVEN the CNI_NET_DIR=/etc/cni/net.d/ is empty") + t.Log("WHEN the install-cni.sh script is executed") + t.Log("THEN it should write the 01-linkerd-cni.conf file appropriately") + t.Log("AND WHEN the container is stopped") + t.Log("THEN it should delete the linkerd-cni artifacts") + + wd := pwd(t) + t.Logf("..setting the working directory: %v", wd) + testWd := "/tmp" + t.Logf("..setting the test working directory: %v", testWd) + testCNINetDir := mktemp(testWd, "linkerd-cni-confXXXXX", t) + t.Logf("..creating the test CNI_NET_DIR: %v", testCNINetDir) + defer rm(testCNINetDir, t) + testCNIBinDir := mktemp(testWd, "linkerd-cni-binXXXXX", t) + t.Logf("..creating the test CNI_BIN_DIR: %v", testCNIBinDir) + defer rm(testCNIBinDir, t) + testK8sSvcAcctDir := mktemp(testWd, "kube-svcacctXXXXX", t) + t.Logf("..creating the k8s service account directory: %v", testK8sSvcAcctDir) + defer rm(testK8sSvcAcctDir, t) + + populateK8sCreds(wd, testK8sSvcAcctDir, t) + doTest(1, wd, "NONE", "01-linkerd-cni.conf", wd+"data/expected/01-linkerd-cni.conf-1", "", testCNINetDir, testCNIBinDir, testK8sSvcAcctDir, testWd, t) +} + +func TestInstallCNI_Scenario2(t *testing.T) { + t.Log("If the test fails, you will want to check the docker logs of the container and then be sure to stop && remove it before running the tests again.") + + t.Log("Scenario 2: There is an existing plugin configuration (.conf) in the CNI_NET_DIR.") + t.Log("GIVEN the CNI_NET_DIR=/etc/cni/net.d/ is NOT empty") + t.Log("WHEN the install-cni.sh script is executed") + t.Log("THEN it should update the existing file contents appropriately") + t.Log("THEN it should rename the existing file appropriately") + t.Log("AND WHEN the container is stopped") + t.Log("THEN it should delete the linkerd-cni artifacts") + t.Log("THEN it should revert back 
to the previous plugin configuration and filename") + + wd := pwd(t) + t.Logf("..setting the working directory: %v", wd) + testWd := "/tmp" + t.Logf("..setting the test working directory: %v", testWd) + testCNINetDir := mktemp(testWd, "linkerd-cni-confXXXXX", t) + t.Logf("..creating the test CNI_NET_DIR: %v", testCNINetDir) + defer rm(testCNINetDir, t) + testCNIBinDir := mktemp(testWd, "linkerd-cni-binXXXXX", t) + t.Logf("..creating the test CNI_BIN_DIR: %v", testCNIBinDir) + defer rm(testCNIBinDir, t) + testK8sSvcAcctDir := mktemp(testWd, "kube-svcacctXXXXX", t) + t.Logf("..creating the k8s service account directory: %v", testK8sSvcAcctDir) + defer rm(testK8sSvcAcctDir, t) + + populateTempDirs(wd, testCNINetDir, "10-host-local.conf", t) + populateK8sCreds(wd, testK8sSvcAcctDir, t) + doTest(2, wd, hostCniNetDir+"/10-host-local.conf", "10-host-local.conflist", wd+"data/expected/10-host-local.conflist-1", wd+"data/expected/10-host-local.conf-1.clean", testCNINetDir, testCNIBinDir, testK8sSvcAcctDir, testWd, t) +} + +func TestInstallCNI_Scenario3(t *testing.T) { + t.Log("If the test fails, you will want to check the docker logs of the container and then be sure to stop && remove it before running the tests again.") + + t.Log("Scenario 3: There is an existing plugin configuration (.conflist) in the CNI_NET_DIR.") + t.Log("GIVEN the CNI_NET_DIR=/etc/cni/net.d/ is NOT empty") + t.Log("WHEN the install-cni.sh script is executed") + t.Log("THEN it should update the existing file contents appropriately") + t.Log("THEN it should rename the existing file appropriately") + t.Log("AND WHEN the container is stopped") + t.Log("THEN it should delete the linkerd-cni artifacts") + t.Log("THEN it should revert back to the previous plugin configuration and filename") + + wd := pwd(t) + t.Logf("..setting the working directory: %v", wd) + testWd := "/tmp" + t.Logf("..setting the test working directory: %v", testWd) + testCNINetDir := mktemp(testWd, "linkerd-cni-confXXXXX", t) + 
t.Logf("..creating the test CNI_NET_DIR: %v", testCNINetDir) + defer rm(testCNINetDir, t) + testCNIBinDir := mktemp(testWd, "linkerd-cni-binXXXXX", t) + t.Logf("..creating the test CNI_BIN_DIR: %v", testCNIBinDir) + defer rm(testCNIBinDir, t) + testK8sSvcAcctDir := mktemp(testWd, "kube-svcacctXXXXX", t) + t.Logf("..creating the k8s service account directory: %v", testK8sSvcAcctDir) + defer rm(testK8sSvcAcctDir, t) + + populateTempDirs(wd, testCNINetDir, "10-calico.conflist", t) + populateK8sCreds(wd, testK8sSvcAcctDir, t) + doTest(3, wd, hostCniNetDir+"/10-calico.conflist", "10-calico.conflist", wd+"data/expected/10-calico.conflist-1", wd+"data/expected/10-calico.conflist-1.clean", testCNINetDir, testCNIBinDir, testK8sSvcAcctDir, testWd, t) +} From 4989fe686b0170ef34ecde2d64c5f35d594a6a3e Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Wed, 30 Jan 2019 16:48:55 -0800 Subject: [PATCH 002/112] Add support for timeouts in service profiles (#2149) Fixes #2042 Adds a new field to service profile routes called `timeout`. Any requests to that route which take longer than the given timeout will be aborted and a 504 response will be returned instead. If the timeout field is not specified, a default timeout of 10 seconds is used. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 3cd4a865..402381f1 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:a2d3bf8c as golang +FROM gcr.io/linkerd-io/go-deps:2c00d213 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 83311c59e5c38aa5b7d5eccd793bcd9dbde45cea Mon Sep 17 00:00:00 2001 
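Review bot: `startDocker` opens its stderr log with `os.Create` at the fixed path `testWorkRootDir + "/docker_run_stderr"`, and every scenario passes `/tmp` as that root, so the file has a predictable name in a shared, world-writable directory. `os.Create` follows and truncates whatever already sits at that path, including a symlink, and all three scenarios reuse the same file. `errFile, err := ioutil.TempFile(testWorkRootDir, "docker_run_stderr")` with `errFile.Name()` in the log messages avoids both problems. In the same function the errors from `git rev-parse` and `user.Current()` are discarded and `user.Username` is read on the next line, which panics if the lookup failed; check the error and name the local `u` so it does not shadow the `user` package. `mktemp` also reports "Couldn't get current working directory" when `ioutil.TempDir` fails; it should read `t.Fatalf("Couldn't create temporary dir, err: %v", err)`.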
From: Cody Vandermyn Date: Thu, 31 Jan 2019 13:52:39 -0800 Subject: [PATCH 003/112] Added flags to allow further configuration of destination cni bin and cni conf directories; fixed up spacing in template. (#2181) Signed-off-by: Cody Vandermyn
---
cni-plugin/main.go | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cni-plugin/main.go b/cni-plugin/main.go
index bb570666..f80e44d7 100644
--- a/cni-plugin/main.go
+++ b/cni-plugin/main.go
@@ -215,7 +215,11 @@ func cmdAdd(args *skel.CmdArgs) error {
 }
 iptables.ConfigureFirewall(*firewallConfiguration)
 } else {
- logEntry.Infof("linkerd-cni: linkerd-init initConainer is present, skipping.")
+ if containsInitContainer {
+ logEntry.Infof("linkerd-cni: linkerd-init initContainer is present, skipping.")
+ } else {
+ logEntry.Infof("linkerd-cni: linkerd-proxy is not present, skipping.")
+ }
 }
 } else {
 logEntry.Infof("linkerd-cni: no Kubernetes namespace or pod name found, skipping.")
From e22fb79bbdab2f9e1bb84accf6784eb9c1614eea Mon Sep 17 00:00:00 2001
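Review bot: The added block in the cni-plugin/main.go hunk nests a lone `if` inside an `else`; `} else if containsInitContainer {` followed by a plain `} else {` reads the same with one level less. Both new calls use `logEntry.Infof` with a constant string and no arguments, where `logEntry.Info(...)` is the matching call. The second message is chosen only because `containsInitContainer` is false, which presumably relies on the outer condition (outside this hunk) having exactly two ways to fail; a one-line comment saying so would help the next reader. `cmdAdd` starts and ends outside the hunk.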
From: Kevin Leimkuhler Date: Mon, 4 Feb 2019 18:09:47 -0800 Subject: [PATCH 004/112] Introduce go generate to embed static templates (#2189) # Problem In order to switch Linkerd template rendering to use `.yaml` files, static assets must be bundled in the Go binary for use by `linkerd install`. # Solution The solution should not affect the local development process of building and testing. [vfsgen](https://github.com/shurcooL/vfsgen) generates Go code that statically implements the provided `http.FileSystem`. Paired with `go generate` and Go [build tags](https://golang.org/pkg/go/build/), we can continue to use the template files on disk when developing with no change required. In `!prod` Go builds, the `cli/static/templates.go` file provides a `http.FileSystem` to the local templates. In `prod` Go builds, `go generate ./cli` generates `cli/static/generated_templates.gogen.go` that statically provides the template files. When built with `-tags prod`, the executable will be built with the staticlly generated file instead of the local files. # Validation The binaries were compiled locally with `bin/docker-build`. The binaries were then tested with `bin/test-run (pwd)/target/cli/darwin/linkerd`. All tests passed. No change was required to successfully run `bin/go-run cli install`. No change was required to run `bin/linkerd install`. Fixes #2153 Signed-off-by: Kevin Leimkuhler --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 402381f1..2b0a1ea2 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:2c00d213 as golang +FROM gcr.io/linkerd-io/go-deps:79da6554 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 1e5add4ba9cd71c86719da8c8944e08637e0cddf Mon Sep 17 00:00:00 2001 
From: Andrew Seigner Date: Thu, 7 Feb 2019 14:02:21 -0800 Subject: [PATCH 005/112] Introduce Discovery API and endpoints command (#2195) The Proxy API service lacked introspection of its internal state. Introduce a new gRPC Discovery API, implemented by two servers: 1) Proxy API Server: returns a snapshot of discovery state 2) Public API Server: pass-through to the Proxy API Server Also wire up a new `linkerd endpoints` command. Fixes #2165 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 2b0a1ea2..517488fd 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:79da6554 as golang +FROM gcr.io/linkerd-io/go-deps:4abae893 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 2bd583a12ec1ba9cc28d0b1ccf92d213e9a444d4 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Thu, 7 Feb 2019 14:35:47 -0800 Subject: [PATCH 006/112] Improve ServiceProfile validation in linkerd check (#2218) The `linkerd check` command was doing limited validation on ServiceProfiles. Make ServiceProfile validation more complete, specifically validate: - types of all fields - presence of required fields - presence of unknown fields - recursive fields Also move all validation code into a new `Validate` function in the profiles package. Validation of field types and required fields is handled via `yaml.UnmarshalStrict` in the `Validate` function. This motivated migrating from github.com/ghodss/yaml to a fork, sigs.k8s.io/yaml. Fixes #2190 --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 517488fd..3329854b 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:4abae893 as golang +FROM gcr.io/linkerd-io/go-deps:b457d5cb as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From f1b878830743d0219ef8a3fd55d8f5b1b2387111 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Thu, 7 Feb 2019 14:51:43 -0800 Subject: [PATCH 007/112] Read service profiles from client or server namespace instead of control namespace (#2200) Fixes #2077 When looking up service profiles, Linkerd always looks for the service profile objects in the Linkerd control namespace. This is limiting because service owners who wish to create service profiles may not have write access to the Linkerd control namespace. Instead, we have the control plane look for the service profile in both the client namespace (as read from the proxy's `proxy_id` field from the GetProfiles request and from the service's namespace. If a service profile exists in both namespaces, the client namespace takes priority. In this way, clients may override the behavior dictated by the service. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 3329854b..2faf9ff4 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:b457d5cb as golang +FROM gcr.io/linkerd-io/go-deps:fb05ef23 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From e3257d8b91d7c58d38d75dc5fe2eaa172444836f Mon Sep 17 00:00:00 2001 
From: Andrew Seigner Date: Wed, 13 Feb 2019 11:16:28 -0800 Subject: [PATCH 008/112] Introduce golangci-lint tooling, fixes (#2239) `golangci-lint` performs numerous checks on Go code, including golint, ineffassign, govet, and gofmt. This change modifies `bin/lint` to use `golangci-lint`, and replaces usage of golint and govet. Also perform a one-time gofmt cleanup: - `gofmt -s -w controller/` - `gofmt -s -w pkg/` Part of #217 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 2faf9ff4..716240eb 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:fb05ef23 as golang +FROM gcr.io/linkerd-io/go-deps:9c6adbc7 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 06768763e552c036b5c3b06acbd82041b2abb454 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Thu, 14 Feb 2019 09:51:25 -0500 Subject: [PATCH 009/112] Upgrade Spinner to fix race condition (#2265) Fixes #2264 Signed-off-by: Alejandro Pedraza --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 716240eb..399f5658 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:9c6adbc7 as golang +FROM gcr.io/linkerd-io/go-deps:c20f2b2a as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 842c817d72a5daedd39b7617c820065fff7e6c5c Mon Sep 17 00:00:00 2001 
From: Thomas Rampelberg Date: Fri, 15 Feb 2019 13:28:31 -0800 Subject: [PATCH 010/112] Generate CLI docs for usage by the website (#2296) * Generate CLI docs for usage by the website * Update description to match existing commands * Remove global --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 399f5658..1dfa14c7 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:c20f2b2a as golang +FROM gcr.io/linkerd-io/go-deps:ddae80d2 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From f94c4f4f10f587fc782cd628338e94e19acace22 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Fri, 22 Feb 2019 15:59:18 -0800 Subject: [PATCH 011/112] Bump base Docker images (#2241) - `debian:jessie-slim` -> `stretch-20190204-slim` - `golang:1.10.3` -> `1.11.5` - `gcr.io/linkerd-io/base:2017-10-30.01` -> `2019-02-19.01` - bump `golangci-lint` to 1.15.0 - use `GOCACHE` in travis Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 1dfa14c7..c133d7ce 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:ddae80d2 as golang +FROM gcr.io/linkerd-io/go-deps:d7f5ab37 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg @@ -7,7 +7,7 @@ COPY controller controller COPY cni-plugin cni-plugin RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v ./cni-plugin/ -FROM gcr.io/linkerd-io/base:2017-10-30.01 +FROM gcr.io/linkerd-io/base:2019-02-19.01 WORKDIR /linkerd RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/ 
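Review bot: In the second cni-plugin/Dockerfile hunk of PATCH 011, the context line `RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64` still fetches an executable with TLS certificate verification switched off (`-k`) and no integrity check. The refreshed base image therefore keeps an unauthenticated binary in the final stage. Drop `-k` (if it was there because the base image lacks CA certificates, which is not visible here, install them instead) and verify the download, e.g. append `&& echo "<EXPECTED_SHA256>  $(which jq)" | sha256sum -c -` with the published checksum in place of the placeholder. Both `FROM` lines pin by tag; pinning by digest would also protect the build against a moved tag.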
From f4c3710e5bb3bb803d3e1b6d7d8b63b569846858 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Sat, 23 Feb 2019 11:05:39 -0800 Subject: [PATCH 012/112] Enable `unused` linter (#2357) `unused` checks Go code for unused constants, variables, functions, and types. Part of #217 Signed-off-by: Andrew Seigner --- cni-plugin/main.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index f80e44d7..ee42d240 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -240,7 +240,3 @@ func cmdDel(args *skel.CmdArgs) error { logrus.Info("linkerd-cni: cmdDel not implemented") return nil } - -func cmdGet(args *skel.CmdArgs) error { - return fmt.Errorf("linkerd-cni: cmdGet not implemented") -} From 6a517eef74cd13d9965faa835b34d95a01d9fded Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Mon, 25 Feb 2019 12:00:03 -0800 Subject: [PATCH 013/112] lint: Enable goconst (#2365) goconst finds repeated strings that could be replaced by a constant: https://github.com/jgautheron/goconst Part of #217 Signed-off-by: Andrew Seigner --- cni-plugin/test/install-cni_test.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index 9791ba68..f0c5d5fd 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -36,6 +36,8 @@ const ( cniConfName = "CNI_CONF_NAME" cniNetworkConfigName = "CNI_NETWORK_CONFIG" + + testWd = "/tmp" ) func env(key, fallback string) string { @@ -281,7 +283,6 @@ func TestInstallCNI_Scenario1(t *testing.T) { wd := pwd(t) t.Logf("..setting the working directory: %v", wd) - testWd := "/tmp" t.Logf("..setting the test working directory: %v", testWd) testCNINetDir := mktemp(testWd, "linkerd-cni-confXXXXX", t) t.Logf("..creating the test CNI_NET_DIR: %v", testCNINetDir) 
@@ -311,7 +312,6 @@ func TestInstallCNI_Scenario2(t *testing.T) { wd := pwd(t) t.Logf("..setting the working directory: %v", wd) - testWd := "/tmp" t.Logf("..setting the test working directory: %v", testWd) testCNINetDir := mktemp(testWd, "linkerd-cni-confXXXXX", t) t.Logf("..creating the test CNI_NET_DIR: %v", testCNINetDir) @@ -342,7 +342,6 @@ func TestInstallCNI_Scenario3(t *testing.T) { wd := pwd(t) t.Logf("..setting the working directory: %v", wd) - testWd := "/tmp" t.Logf("..setting the test working directory: %v", testWd) testCNINetDir := mktemp(testWd, "linkerd-cni-confXXXXX", t) t.Logf("..creating the test CNI_NET_DIR: %v", testCNINetDir) From 34e8d80211c912459391eb8ab5854b6058147869 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Tue, 26 Feb 2019 11:54:52 -0800 Subject: [PATCH 014/112] Authorization-aware control-plane components (#2349) The control-plane components relied on a `--single-namespace` param, passed from `linkerd install` into each individual component, to determine which namespaces they were authorized to access, and whether to support ServiceProfiles. This command-line flag was redundant given the authorization rules encoded in the parent `linkerd install` output, via [Cluster]Role[Binding]s. Modify the control-plane components to query Kubernetes at startup to determine which namespaces they are authorized to access, and whether ServiceProfile support is available. This allows removal of the `--single-namespace` flag on the components. Also update `bin/test-cleanup` to cleanup the ServiceProfile CRD. TODO: - Remove `--single-namespace` flag on `linkerd install`, part of #2164 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index c133d7ce..ca58f811 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:d7f5ab37 as golang +FROM gcr.io/linkerd-io/go-deps:c9486134 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From b7e4075edaf0652cb894a2e1e1eefc0eddbd3bd0 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Sat, 2 Mar 2019 06:46:54 +0530 Subject: [PATCH 015/112] Wire up stats for Jobs (#2416) Support for Jobs in stat/tap/top cli commands Part of #2007 Signed-off-by: Tarun Pothulapati --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index ca58f811..ba164a86 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:c9486134 as golang +FROM gcr.io/linkerd-io/go-deps:cba6331f as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 6147d1cbfdace464d56703baacfae86b180057f6 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Tue, 5 Mar 2019 08:38:56 -0500 Subject: [PATCH 016/112] Injection consolidation (#2334) - Created the pkg/inject package to hold the new injection shared lib. - Extracted from `/cli/cmd/inject.go` and `/cli/cmd/inject_util.go` the core methods doing the workload parsing and injection, and moved them into `/pkg/inject/inject.go`. The CLI files should now deal only with strictly CLI concerns, and applying the json patch returned by the new lib. - Proceeded analogously with `/cli/cmd/uninject.go` and `/pkg/inject/uninject.go`. - The `InjectReport` struct and helping methods were moved into `/pkg/inject/report.go` - Refactored webhook to use the new injection lib - Removed linkerd-proxy-injector-sidecar-config ConfigMap - Added the ability to add pod labels and annotations without having to specify the already existing ones Fixes #1748, #2289 
Signed-off-by: Alejandro Pedraza --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index ba164a86..aa13b3fa 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:cba6331f as golang +FROM gcr.io/linkerd-io/go-deps:ee275c25 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 6bd867cd5f536b506c1cb546635f0c30dd8865d8 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Tue, 5 Mar 2019 10:31:16 -0800 Subject: [PATCH 017/112] Bump Prometheus client to v0.9.2 (#2388) We were depending on an untagged version of prometheus/client_golang from Feb 2018. This bumps our dependency to v0.9.2, from Dec 2018. Also, this is a prerequisite to #1488. Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index aa13b3fa..4a4bfcd6 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:ee275c25 as golang +FROM gcr.io/linkerd-io/go-deps:0074c10b as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 3790eca1e36c2bc211822c43ba32b5c0c748dc03 Mon Sep 17 00:00:00 2001 From: Cody Vandermyn Date: Wed, 6 Mar 2019 10:57:04 -0800 Subject: [PATCH 018/112] add preStop and change sleep command; update yaml spacing (#2441) Signed-off-by: Cody Vandermyn --- cni-plugin/deployment/scripts/install-cni.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index 1d2fc4fb..7c3b7e0f 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh 
@@ -223,5 +223,6 @@ echo "Created CNI config ${CNI_CONF_PATH}" should_sleep=${SLEEP:-"true"} echo "Done configuring CNI. Sleep=$should_sleep" while [ "${should_sleep}" = "true" ]; do - sleep 10 + sleep infinity & + wait $! done From 457073b5d2e9f5ab1d6dc53afedc46a7bb4a214a Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Mon, 18 Mar 2019 17:40:31 -0700 Subject: [PATCH 019/112] Remove `--tls=optional` and `linkerd-ca` (#2515) The proxy's TLS implementation has changed to use a new _Identity_ controller. In preparation for this, the `--tls=optional` CLI flag has been removed from install and inject; and the `ca` controller has been deleted. Metrics and UI treatments for TLS have **not** been removed, as they will continue to be valuable for the new Identity system. With the removal of the old identity scheme, the Destination service's proxy ID field is now set with an opaque string (e.g. `ns:emojivoto`) to enable locality awareness. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 4a4bfcd6..abf84ed9 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:0074c10b as golang +FROM gcr.io/linkerd-io/go-deps:332e5f70 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 4c488349c5eca996aaeb6b3dea0f5d5e89aa5492 Mon Sep 17 00:00:00 2001 
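Review bot: In the `@@ -223,5 +223,6 @@` hunk of install-cni.sh, the new loop body `sleep infinity &` / `wait $!` re-enters the `while` immediately whenever `wait` returns, so if the image's `sleep` rejects `infinity` and exits at once, the container spins at full CPU instead of idling. Returning from `wait` on a signal is presumably the intent, so that a trap can run, but no trap is visible in this hunk, and every extra pass through the loop leaves the previous background `sleep` behind. I would add a comment stating why the sleep is backgrounded and bound the failure case, e.g. `sleep infinity & pid=$!` followed by `wait "$pid" || { kill "$pid" 2>/dev/null; sleep 1; }`. The script's signal handling lies outside this hunk, so confirm this against the full file.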
From: Oliver Gould Date: Tue, 19 Mar 2019 13:58:45 -0700 Subject: [PATCH 020/112] Introduce the Identity controller implementation (#2521) This change introduces a new Identity service implementation for the `io.linkerd.proxy.identity.Identity` gRPC service. The `pkg/identity` contains a core, abstract implementation of the service (generic over both the CA and (Kubernetes) Validator interfaces). `controller/identity` includes a concrete implementation that uses the Kubernetes TokenReview API to validate serviceaccount tokens when issuing certificates. This change does **NOT** alter installation or runtime to include the identity service. This will be included in a follow-up. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index abf84ed9..9ea66b04 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:332e5f70 as golang +FROM gcr.io/linkerd-io/go-deps:cdba5b70 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 5731ae7652c92461072041588632a0f43eac4813 Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Fri, 29 Mar 2019 10:04:20 -0700 Subject: [PATCH 021/112] config: Store install parameters with global config (#2577) When installing Linkerd, a user may override default settings, or may explicitly configure defaults. Consider install options like `--ha --controller-replicas=4` -- the `--ha` flag sets a new default value for the controller-replicas, and then we override it. When we later upgrade this cluster, how can we know how to configure the cluster? We could store EnableHA and ControllerReplicas configurations in the config, but what if, in a later upgrade, the default value changes? How can we know whether the user specified an override or just used the default? To solve this, we add an `Install` message into a new config. This message includes (at least) the CLI flags used to invoke install. upgrade does not specify defaults for install/proxy-options fields and, instead, uses the persisted install flags to populate default values, before applying overrides from the upgrade invocation. This change breaks the protobuf compatibility by altering the `installation_uuid` field introduced in https://github.com/linkerd/linkerd2/commit/9c442f688575c3ee0261facc7542aa490b89c6cf. Because this change was not yet released (even in an edge release), we feel that it is safe to break. Fixes https://github.com/linkerd/linkerd2/issues/2574 --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 9ea66b04..be26b849 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:cdba5b70 as golang +FROM gcr.io/linkerd-io/go-deps:f39dc9a4 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 9e8e8a25299f670bfe3bcfa6c41b4115cf409bc7 Mon Sep 17 00:00:00 2001 
From: Alejandro Pedraza Date: Fri, 5 Apr 2019 16:10:47 -0500 Subject: [PATCH 022/112] Add validation webhook for service profiles (#2623) Add validation webhook for service profiles Fixes #2075 Todo in a follow-up PRs: remove the SP check from the CLI check. Signed-off-by: Alejandro Pedraza --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index be26b849..4d0d770d 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:f39dc9a4 as golang +FROM gcr.io/linkerd-io/go-deps:3f016933 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 0b571e58d48aed7ec908c08ead56d40300310e37 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Mon, 8 Apr 2019 10:58:02 -0700 Subject: [PATCH 023/112] Switch UUID implementation (#2667) The UUID implementation we use to generate install IDs is technically not random enough for secure uses, which ours is not. To prevent security scanners like SNYK from flagging this false-positive, let's just switch to the other UUID implementation (Already in our dependencies). --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 4d0d770d..87b1c1c7 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:3f016933 as golang +FROM gcr.io/linkerd-io/go-deps:44063d94 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 8530bfd1bcf7301aeea011c1b737949fba8d9e49 Mon Sep 17 00:00:00 2001 
From: Andrew Seigner Date: Thu, 18 Apr 2019 09:31:56 -0700 Subject: [PATCH 024/112] Don't use spinner in cli when run without a tty (#2716) In some non-tty environments, the `linkerd check` spinner can render unexpected control characters. Disable the spinner when run without a tty. Fixes #2700 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 87b1c1c7..38da306a 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:44063d94 as golang +FROM gcr.io/linkerd-io/go-deps:4120b3aa as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 2d3d2ced391d79bae7c5316b4a1a2db6d513d4c4 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Thu, 25 Apr 2019 11:31:38 -0700 Subject: [PATCH 025/112] Consolidate k8s APIs (#2747) Numerous codepaths have emerged that create k8s configs, k8s clients, and make k8s api requests. This branch consolidates k8s client creation and APIs. The primary change migrates most codepaths to call `k8s.NewAPI` to instantiate a `KubernetesAPI` struct from `pkg`. `KubernetesAPI` implements the `kubernetes.Interface` (clientset) interface, and also persists a `client-go` `rest.Config`. Specific list of changes: - removes manual GET requests from `k8s.KubernetesAPI`, in favor of clientsets - replaces most calls to `k8s.GetConfig`+`kubernetes.NewForConfig` with a single `k8s.NewAPI` - introduces a `timeout` param to `k8s.NewAPI`, currently only used by healthchecks - removes `NewClientSet` in `controller/k8s/clientset.go` in favor of `k8s.NewAPI` - removes `httpClient` and `clientset` from `HealthChecker`, use `KubernetesAPI` instead Signed-off-by: Andrew Seigner --- cni-plugin/main.go | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) 
diff --git a/cni-plugin/main.go b/cni-plugin/main.go index ee42d240..9d0c7555 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -34,7 +34,6 @@ import ( "github.com/projectcalico/libcalico-go/lib/logutils" "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/kubernetes" ) // ProxyInit is the configuration for the proxy-init binary @@ -165,12 +164,7 @@ func cmdAdd(args *skel.CmdArgs) error { }) if namespace != "" && podName != "" { - config, err := k8s.GetConfig(conf.Kubernetes.Kubeconfig, "linkerd-cni-context") - if err != nil { - return err - } - - client, err := kubernetes.NewForConfig(config) + client, err := k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", 0) if err != nil { return err } From 43199971eae919b5e51a90477d986a0839149112 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Sun, 28 Apr 2019 18:55:22 -0700 Subject: [PATCH 026/112] Introduce k8s apiextensions support (#2759) CustomResourceDefinition parsing and retrieval is not available via client-go's `kubernetes.Interface`, but rather via a separate `k8s.io/apiextensions-apiserver` package. Introduce support for CustomResourceDefintion object parsing and retrieval. This change facilitates retrieval of CRDs from the k8s API server, and also provides CRD resources as mock objects. Also introduce a `NewFakeAPI` constructor, deprecating `NewFakeClientSets`. Callers need no longer be concerned with discreet clientsets (for k8s resources vs. CRDs vs. (eventually) ServiceProfiles), and can instead use the unified `KubernetesAPI`. Part of #2337, in service to multi-stage check. Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 38da306a..0f5ba55e 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
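Review bot: In the `@@ -165,12 +164,7 @@` hunk, `k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", 0)` passes 0 for the new timeout argument, which presumably means the client has no timeout. cmdAdd runs synchronously in the container runtime's pod-setup path, so a slow or unreachable API server could stall pod creation on the node rather than failing the ADD with an error. I would pass an explicit bound, e.g. `k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", 10*time.Second)`, assuming the parameter is a `time.Duration`; the value itself is only a suggestion. The same applies to the later `@@ -164,7 +164,7 @@` hunk, which adds the impersonation argument and keeps the 0. cmdAdd begins and ends outside both hunks.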
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:4120b3aa as golang +FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY proxy-init proxy-init COPY pkg pkg From 12188e67722ff5e608267ee4759898e76905651e Mon Sep 17 00:00:00 2001 From: Cody Vandermyn Date: Tue, 7 May 2019 10:22:20 -0700 Subject: [PATCH 027/112] lower the log level of the linkerd-cni output (#2787) Signed-off-by: Cody Vandermyn --- cni-plugin/main.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index 9d0c7555..b8a1498c 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -191,7 +191,7 @@ func cmdAdd(args *skel.CmdArgs) error { } if containsLinkerdProxy && !containsInitContainer { - logEntry.Infof("linkerd-cni: setting up iptables firewall") + logEntry.Debug("linkerd-cni: setting up iptables firewall") options := cmd.RootOptions{ IncomingProxyPort: conf.ProxyInit.IncomingProxyPort, OutgoingProxyPort: conf.ProxyInit.OutgoingProxyPort, 
@@ -210,27 +210,27 @@ func cmdAdd(args *skel.CmdArgs) error { iptables.ConfigureFirewall(*firewallConfiguration) } else { if containsInitContainer { - logEntry.Infof("linkerd-cni: linkerd-init initContainer is present, skipping.") + logEntry.Debug("linkerd-cni: linkerd-init initContainer is present, skipping.") } else { - logEntry.Infof("linkerd-cni: linkerd-proxy is not present, skipping.") + logEntry.Debug("linkerd-cni: linkerd-proxy is not present, skipping.") } } } else { - logEntry.Infof("linkerd-cni: no Kubernetes namespace or pod name found, skipping.") + logEntry.Debug("linkerd-cni: no Kubernetes namespace or pod name found, skipping.") } - logrus.Infof("linkerd-cni: plugin is finished") + logrus.Debug("linkerd-cni: plugin is finished") if conf.PrevResult != nil { // Pass through the prevResult for the next plugin return types.PrintResult(conf.PrevResult, conf.CNIVersion) } - logrus.Infof("linkerd-cni: no previous result to pass through, emptying stdout") + logrus.Debug("linkerd-cni: no previous result to pass through, emptying stdout") return nil } // cmdDel is called for DELETE requests func cmdDel(args *skel.CmdArgs) error { - logrus.Info("linkerd-cni: cmdDel not implemented") + logrus.Debug("linkerd-cni: cmdDel not implemented") return nil } From 3783c2eb7d8afbb57483684d64495c20220ce0f6 Mon Sep 17 00:00:00 2001 
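Review bot: The context line `iptables.ConfigureFirewall(*firewallConfiguration)` at the top of the `@@ -210,27 +210,27 @@` hunk discards the call's result, and after this change every surrounding message, including `setting up iptables firewall` in the `@@ -191,7 +191,7 @@` hunk, is emitted only at debug level. If ConfigureFirewall returns an error (not visible here, so confirm), a failed rule installation would let the pod start without its traffic being redirected to linkerd-proxy and leave no trace at the default log level. I would check it, `if err := iptables.ConfigureFirewall(*firewallConfiguration); err != nil { logEntry.Errorf("linkerd-cni: could not configure firewall: %v", err); return err }`, and keep the one message that records a change to the pod's network namespace at Info. cmdAdd starts before this hunk.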
From: Alejandro Pedraza Date: Mon, 3 Jun 2019 16:24:05 -0500 Subject: [PATCH 028/112] Split proxy-init into separate repo (#2824) Split proxy-init into separate repo Fixes #2563 The new repo is https://github.com/linkerd/linkerd2-proxy-init, and I tagged the latest there `v1.0.0`. Here, I've removed the `/proxy-init` dir and pinned the injected proxy-init version to `v1.0.0` in the injector code and tests. `/cni-plugin` depends on proxy-init, so I updated the import paths there, and could verify CNI is still working (there is some flakiness but unrelated to this PR). For consistency, I added a `--init-image-version` flag to `linkerd inject` along with its corresponding override config annotation. Signed-off-by: Alejandro Pedraza --- cni-plugin/Dockerfile | 3 +-- cni-plugin/main.go | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 0f5ba55e..9bff89e7 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,7 +1,6 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:f364cab7 as golang +FROM gcr.io/linkerd-io/go-deps:22013b76 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 -COPY proxy-init proxy-init COPY pkg pkg COPY controller controller COPY cni-plugin cni-plugin diff --git a/cni-plugin/main.go b/cni-plugin/main.go index b8a1498c..a5372d97 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -28,9 +28,9 @@ import ( "github.com/containernetworking/cni/pkg/types" "github.com/containernetworking/cni/pkg/types/current" "github.com/containernetworking/cni/pkg/version" + "github.com/linkerd/linkerd2-proxy-init/cmd" + "github.com/linkerd/linkerd2-proxy-init/iptables" "github.com/linkerd/linkerd2/pkg/k8s" - "github.com/linkerd/linkerd2/proxy-init/cmd" - "github.com/linkerd/linkerd2/proxy-init/iptables" "github.com/projectcalico/libcalico-go/lib/logutils" "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
From c12353f28ecc5cf3cf5405f21aab7469c7a4e1e0 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Tue, 4 Jun 2019 15:01:16 -0700 Subject: [PATCH 029/112] Refactor destination service (#2786) This is a major refactor of the destination service. The goals of this refactor are to simplify the code for improved maintainability. In particular: * Remove the "resolver" interfaces. These were a holdover from when our decision tree was more complex about how to handle different kinds of authorities. The current implementation only accepts fully qualified kubernetes service names and thus this was an unnecessary level of indirection. * Moved the endpoints and profile watchers into their own package for a more clear separation of concerns. These watchers deal only in Kubernetes primitives and are agnostic to how they are used. This allows a cleaner layering when we use them from our gRPC service. * Renamed the "listener" types to "translator" to make it more clear that the function of these structs is to translate kubernetes updates from the watcher to gRPC messages. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 9bff89e7..a49cd788 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:22013b76 as golang +FROM gcr.io/linkerd-io/go-deps:84e77435 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY pkg pkg COPY controller controller From 257a7c9b17fe6397e75d65840d17c00a7bfab410 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Tue, 11 Jun 2019 10:04:42 -0700 Subject: [PATCH 030/112] Add support for TrafficSplits (#2897) Add support for querying TrafficSplit resources through the common API layer. This is done by depending on the TrafficSplit client bindings from smi-sdk-go. 
Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index a49cd788..8dd99f65 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:84e77435 as golang +FROM gcr.io/linkerd-io/go-deps:b3c7654e as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY pkg pkg COPY controller controller From ff0e79a82ec3c6728a7cc9e313cc38d17d7406d1 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Fri, 28 Jun 2019 13:19:47 -0700 Subject: [PATCH 031/112] Add traffic splitting to destination profiles (#2931) This change implements the DstOverrides feature of the destination profile API (aka traffic splitting). We add a TrafficSplitWatcher to the destination service which watches for TrafficSplit resources and notifies subscribers about TrafficSplits for services that they are subscribed to. A new TrafficSplitAdaptor then merges the TrafficSplit logic into the DstOverrides field of the destination profile. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 8dd99f65..f2d51d26 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:b3c7654e as golang +FROM gcr.io/linkerd-io/go-deps:7ac58ac0 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY pkg pkg COPY controller controller From 68cc5d12f4b067a5fc8d5ddf50465a1db0adb1fe Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Mon, 8 Jul 2019 11:50:26 -0700 Subject: [PATCH 032/112] Add prometheus metrics for watchers (#3022) To give better visibility into the inner workings of the kubernetes watchers in the destination service, we add some prometheus metrics. 
Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index f2d51d26..7b9c6d09 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:7ac58ac0 as golang +FROM gcr.io/linkerd-io/go-deps:4c8f4294 as golang WORKDIR /go/src/github.com/linkerd/linkerd2 COPY pkg pkg COPY controller controller From 39d5d651e2ddebcb0cbe9442f676562131d5b795 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Thu, 25 Jul 2019 14:41:38 -0700 Subject: [PATCH 033/112] Introduce Go modules support (#2481) The repo relied on `dep` for managing Go dependencies. Go 1.11 shipped with Go modules support. Go 1.13 will be released in August 2019 with module support enabled by default, deprecating GOPATH. This change replaces `dep` with Go modules for dependency management. All scripts, including Docker builds and ci, should work without any dev environment changes. To execute `go` commands directly during development, do one of the following: 1. clone this repo outside of `GOPATH`; or 2. run `export GO111MODULE=on` Summary of changes: - Docker build scripts and ci set `-mod=readonly`, to ensure dependencies defined in `go.mod` are exactly what is used for the builds. - Dependency updates to `go.mod` are accomplished by running `go build` and `go test` directly. - `bin/go-run`, `bin/build-cli-bin`, and `bin/test-run` set `GO111MODULE=on`, permitting usage inside and outside of GOPATH. - `gcr.io/linkerd-io/go-deps` tags hashed from `go.mod`. - `bin/update-codegen.sh` still requires running from GOPATH, instructions added to BUILD.md. Fixes #1488 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 7b9c6d09..3b79148a 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -1,10 +1,10 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:4c8f4294 as golang -WORKDIR /go/src/github.com/linkerd/linkerd2 +FROM gcr.io/linkerd-io/go-deps:b62fe1ae as golang +WORKDIR /linkerd-build COPY pkg pkg COPY controller controller COPY cni-plugin cni-plugin -RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v ./cni-plugin/ +RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ FROM gcr.io/linkerd-io/base:2019-02-19.01 WORKDIR /linkerd From 539993b3def0412061d2f01ae2df6023f0e746dc Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Wed, 31 Jul 2019 16:05:33 -0700 Subject: [PATCH 034/112] Introduce `linkerd --as` flag for impersonation (#3173) Similar to `kubectl --as`, global flag across all linkerd subcommands which sets a `ImpersonationConfig` in the Kubernetes API config. Signed-off-by: Andrew Seigner --- cni-plugin/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index a5372d97..b4522f0f 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -164,7 +164,7 @@ func cmdAdd(args *skel.CmdArgs) error { }) if namespace != "" && podName != "" { - client, err := k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", 0) + client, err := k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", "", 0) if err != nil { return err } From 995328005cd7145321e66add9df579e5aab47017 Mon Sep 17 00:00:00 2001 
From: Alex Leong Date: Tue, 13 Aug 2019 17:02:52 -0700 Subject: [PATCH 035/112] Check in gen deps (#3245) Go dependencies which are only used by generated code had not previously been checked into the repo. Because `go generate` does not respect the `-mod=readonly` flag, running `bin/linkerd` will add these dependencies and dirty the local repo. This can interfere with the way version tags are generated. To avoid this, we simply check these deps in. Note that running `go mod tidy` will remove these again. Thus, it is not recommended to run `go mod tidy`. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 3b79148a..d7235d97 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:b62fe1ae as golang +FROM gcr.io/linkerd-io/go-deps:813c9be3 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 25159369f437472010729993dccb597dced596b0 Mon Sep 17 00:00:00 2001 From: cpretzer Date: Thu, 15 Aug 2019 12:58:18 -0700 Subject: [PATCH 036/112] Add a flag to install-cni command to configure iptables wait flag (#3066) Signed-off-by: Charles Pretzer --- cni-plugin/Dockerfile | 2 +- cni-plugin/deployment/linkerd-cni.conf.default | 5 +++-- cni-plugin/deployment/scripts/install-cni.sh | 1 + cni-plugin/main.go | 2 ++ 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index d7235d97..22a93dda 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:813c9be3 as golang +FROM gcr.io/linkerd-io/go-deps:c7fb42bd as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller diff --git a/cni-plugin/deployment/linkerd-cni.conf.default b/cni-plugin/deployment/linkerd-cni.conf.default index 114fbfa5..5820c86c 100644 
--- a/cni-plugin/deployment/linkerd-cni.conf.default +++ b/cni-plugin/deployment/linkerd-cni.conf.default @@ -17,6 +17,7 @@ "ports-to-redirect": [__PORTS_TO_REDIRECT__], "inbound-ports-to-ignore": [__INBOUND_PORTS_TO_IGNORE__], "outbound-ports-to-ignore": [__OUTBOUND_PORTS_TO_IGNORE__], - "simulate": __SIMULATE__ + "simulate": __SIMULATE__, + "use-wait-flag": __USE_WAIT_FLAG__ } -} \ No newline at end of file +} diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index 7c3b7e0f..3cf42496 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh @@ -182,6 +182,7 @@ sed -i s~__PORTS_TO_REDIRECT__~"${PORTS_TO_REDIRECT:=}"~g ${TMP_CONF} sed -i s~__INBOUND_PORTS_TO_IGNORE__~"${INBOUND_PORTS_TO_IGNORE:=}"~g ${TMP_CONF} sed -i s~__OUTBOUND_PORTS_TO_IGNORE__~"${OUTBOUND_PORTS_TO_IGNORE:=}"~g ${TMP_CONF} sed -i s~__SIMULATE__~"${SIMULATE:=false}"~g ${TMP_CONF} +sed -i s~__USE_WAIT_FLAG__~"${USE_WAIT_FLAG:=false}"~g ${TMP_CONF} CNI_OLD_CONF_PATH="${CNI_OLD_CONF_PATH:-${CNI_CONF_PATH}}" diff --git a/cni-plugin/main.go b/cni-plugin/main.go index b4522f0f..ffe7d822 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -45,6 +45,7 @@ type ProxyInit struct { InboundPortsToIgnore []int `json:"inbound-ports-to-ignore"` OutboundPortsToIgnore []int `json:"outbound-ports-to-ignore"` Simulate bool `json:"simulate"` + UseWaitFlag bool `json:"use-wait-flag"` } // Kubernetes a K8s specific struct to hold config @@ -201,6 +202,7 @@ func cmdAdd(args *skel.CmdArgs) error { OutboundPortsToIgnore: conf.ProxyInit.OutboundPortsToIgnore, SimulateOnly: conf.ProxyInit.Simulate, NetNs: args.Netns, + UseWaitFlag: conf.ProxyInit.UseWaitFlag, } firewallConfiguration, err := cmd.BuildFirewallConfiguration(&options) if err != nil { From 584521e2f0e4929bf1980bffa022414276079663 Mon Sep 17 00:00:00 2001 
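Review bot: The added line `sed -i s~__USE_WAIT_FLAG__~"${USE_WAIT_FLAG:=false}"~g ${TMP_CONF}` in the `@@ -182,6 +182,7 @@` hunk writes the environment value unvalidated into a JSON boolean position of the CNI config. Any value other than `true` or `false`, or one containing `~` or `&` (which sed interprets), produces a file the runtime cannot parse or that differs from what the operator intended, and that file governs pod networking for the whole node. I would validate before substituting, e.g. `case "${USE_WAIT_FLAG:=false}" in true|false) ;; *) echo "USE_WAIT_FLAG must be true or false" >&2; exit 1 ;; esac`. The existing `__SIMULATE__` line has the same gap, and `${TMP_CONF}` is unquoted on all of these lines.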
From: Alejandro Pedraza Date: Thu, 15 Aug 2019 20:19:29 -0500 Subject: [PATCH 037/112] Update CNI integration tests (#3273) Followup to #3066 Signed-off-by: Alejandro Pedraza --- cni-plugin/test/data/expected/01-linkerd-cni.conf-1 | 4 +++- cni-plugin/test/data/expected/10-calico.conflist-1 | 3 ++- cni-plugin/test/data/expected/10-host-local.conflist-1 | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 b/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 index 8e9b8b4e..2bc0a39a 100644 --- a/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 +++ b/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 @@ -17,6 +17,8 @@ "ports-to-redirect": [], "inbound-ports-to-ignore": [], "outbound-ports-to-ignore": [], - "simulate": false + "simulate": false, + "use-wait-flag": false } } + diff --git a/cni-plugin/test/data/expected/10-calico.conflist-1 b/cni-plugin/test/data/expected/10-calico.conflist-1 index 4caec8a6..197c69f4 100644 --- a/cni-plugin/test/data/expected/10-calico.conflist-1 +++ b/cni-plugin/test/data/expected/10-calico.conflist-1 @@ -43,7 +43,8 @@ "ports-to-redirect": [], "inbound-ports-to-ignore": [], "outbound-ports-to-ignore": [], - "simulate": false + "simulate": false, + "use-wait-flag": false } } ] diff --git a/cni-plugin/test/data/expected/10-host-local.conflist-1 b/cni-plugin/test/data/expected/10-host-local.conflist-1 index acda2a28..6493bbb7 100644 --- a/cni-plugin/test/data/expected/10-host-local.conflist-1 +++ b/cni-plugin/test/data/expected/10-host-local.conflist-1 @@ -34,7 +34,8 @@ "ports-to-redirect": [], "inbound-ports-to-ignore": [], "outbound-ports-to-ignore": [], - "simulate": false + "simulate": false, + "use-wait-flag": false } } ], From c569b5e9fb351771070184f066d99a299994c7cb Mon Sep 17 00:00:00 2001 
From: Ivan Sim <1330522+ihcsim@users.noreply.github.com> Date: Tue, 20 Aug 2019 19:26:38 -0700 Subject: [PATCH 038/112] Merge the CLI 'installValues' type with Helm 'Values' type (#3291) * Rename template-values.go * Define new constructor of charts.Values type * Move all Helm values related code to the pkg/charts package * Bump dependency * Use '/' in filepath to remain compatible with VFS requirement * Add unit test to verify Helm YAML output * Alejandro's feedback * Add unit test for Helm YAML validation (HA) Signed-off-by: Ivan Sim --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 22a93dda..07a12bab 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:c7fb42bd as golang +FROM gcr.io/linkerd-io/go-deps:773dfbc7 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From bf45fa82a8e104594b2445e015815a7688f31544 Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Wed, 21 Aug 2019 10:03:29 -0700 Subject: [PATCH 039/112] Require go 1.12.9 for controller builds (#3297) Netflix recently announced a security advisory that identified several Denial of Service attack vectors that can affect server implementations of the HTTP/2 protocol, and has issued eight CVEs. [1] Go is affected by two of the vulnerabilities (CVE-2019-9512 and CVE-2019-9514) and so Linkerd components that serve HTTP/2 traffic are also affected. [2] These vulnerabilities allow untrusted clients to allocate an unlimited amount of memory, until the server crashes. The Kubernetes Product Security Committee has assigned this set of vulnerabilities with a CVSS score of 7.5. [3] [1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md [2] https://golang.org/doc/devel/release.html#go1.12 [3] https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 07a12bab..f3fbd2ca 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:773dfbc7 as golang +FROM gcr.io/linkerd-io/go-deps:df2264ad as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 8208771a745bfcdc6fed78ce11e5a21dec500d3d Mon Sep 17 00:00:00 2001 
From: Andrew Seigner Date: Tue, 3 Sep 2019 16:22:43 -0700 Subject: [PATCH 040/112] Remove broken thrift dependency (#3370) The repo depended on a (recently broken) thrift package: ``` github.com/linkerd/linkerd2 -> contrib.go.opencensus.io/exporter/ocagent@v0.2.0 -> go.opencensus.io@v0.17.0 -> git.apache.org/thrift.git@v0.0.0-20180902110319-2566ecd5d999 ``` ... via this line in `controller/k8s`: ```go _ "k8s.io/client-go/plugin/pkg/client/auth" ``` ...which created a dependency on go.opencensus.io: ```bash $ go mod why go.opencensus.io ... github.com/linkerd/linkerd2/controller/k8s k8s.io/client-go/plugin/pkg/client/auth k8s.io/client-go/plugin/pkg/client/auth/azure github.com/Azure/go-autorest/autorest github.com/Azure/go-autorest/tracing contrib.go.opencensus.io/exporter/ocagent go.opencensus.io ``` Bump contrib.go.opencensus.io/exporter/ocagent from `v0.2.0` to `v0.6.0`, creating this new dependency chain: ``` github.com/linkerd/linkerd2 -> contrib.go.opencensus.io/exporter/ocagent@v0.6.0 -> google.golang.org/api@v0.7.0 -> go.opencensus.io@v0.21.0 ``` Bumping our go.opencensus.io dependency from `v0.17.0` to `v0.21.0` pulls in this commit: https://github.com/census-instrumentation/opencensus-go/commit/ed3a3f0bf00d34af1ca7056123dae29672ca3b1a#diff-37aff102a57d3d7b797f152915a6dc16 ...which removes our dependency on github.com/apache/thrift Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index f3fbd2ca..d40ed87f 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:df2264ad as golang +FROM gcr.io/linkerd-io/go-deps:c921a98b as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 203adadee68e36e1b27912032592e7662ae8d606 Mon Sep 17 00:00:00 2001 
From: Andrew Seigner Date: Thu, 5 Sep 2019 11:28:33 -0700 Subject: [PATCH 041/112] Decrease proxy and web Docker image sizes (#3384) The `proxy` and `web` Docker images were 161MB and 186MB, respectively. Most of the space was tools installed into the `linkerd.io/base` image. Decrease `proxy` and `web` Docker images to 73MB and 90MB, respectively. Switch these images to be based off of `debian:stretch-20190812-slim`. Also set `-ldflags "-s -w"` for `proxy-identity` and `web`. Modify `linkerd.io/base` to also be based off of `debian:stretch-20190812-slim`, update tag to `2019-09-04.01`. Fixes #3383 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index d40ed87f..23e36ce5 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -6,7 +6,7 @@ COPY controller controller COPY cni-plugin cni-plugin RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM gcr.io/linkerd-io/base:2019-02-19.01 +FROM gcr.io/linkerd-io/base:2019-09-04.01 WORKDIR /linkerd RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/ From 26b523e97b6a5c74acf76a6a6665f0e397ff5f38 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Mon, 9 Sep 2019 09:06:14 -0700 Subject: [PATCH 042/112] Bump proxy-init to 1.2.0 (#3397) Pulls in latest proxy-init: https://github.com/linkerd/linkerd2-proxy-init/releases/tag/v1.2.0 This also bumps a dependency on cobra, which provides more complete zsh completion. Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 23e36ce5..358948d5 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
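Review bot: The context line `RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64` in the `@@ -6,7 +6,7 @@` hunk fetches an executable with certificate verification disabled (`-k`) and no integrity check, in the image that installs the CNI plugin on every node. It also relies on the base image already shipping `jq` so that `$(which jq)` expands to a path, which is worth re-checking now that the base tag moves to the slimmed `2019-09-04.01` image. I would drop `-k`, add `-f` so HTTP errors fail the build, and pin the artifact: `RUN curl -fL -o /usr/local/bin/jq <same URL> && echo "<JQ_SHA256_PLACEHOLDER>  /usr/local/bin/jq" | sha256sum -c - && chmod +x /usr/local/bin/jq`. The target path is a suggestion, and the checksum has to be taken from a trusted copy of the release.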
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:c921a98b as golang +FROM gcr.io/linkerd-io/go-deps:28511e41 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 4e69218edd5236396f0b3e2d617bae474f9f62d3 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Tue, 10 Sep 2019 11:04:29 -0700 Subject: [PATCH 043/112] Update to client-go v12.0.0, forked stern (#3387) The repo depended on an old version of client-go. It also depended on stern, which itself depended on an old version of client-go, making client-go upgrade non-trivial. Update the repo to client-go v12.0.0, and also replace stern with a fork. This fork of stern includes the following changes: - updated to use Go Modules - updated to use client-go v12.0.0 - fixed log line interleaving: - https://github.com/wercker/stern/issues/96 - based on: - https://github.com/oandrew/stern/commit/8723308e46b408e239ce369ced12706d01479532 Fixes #3382 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 358948d5..049cb957 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:28511e41 as golang +FROM gcr.io/linkerd-io/go-deps:1c1e51a3 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From eaf7460448e33e229d5b5996aafcafe1dbf225e2 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 26 Sep 2019 20:41:48 +0530 Subject: [PATCH 044/112] Trace Control Plane components using OC (#3461) * add exporter config for all components Signed-off-by: Tarun Pothulapati * add cmd flags wrt tracing Signed-off-by: Tarun Pothulapati * add ochttp tracing to web server Signed-off-by: Tarun Pothulapati * add flags to the tap deployment Signed-off-by: Tarun Pothulapati * add trace flags to install and upgrade command 
Signed-off-by: Tarun Pothulapati * add linkerd prefix to svc names Signed-off-by: Tarun Pothulapati * add ochttp trasport to API Internal Client Signed-off-by: Tarun Pothulapati * fix goimport linting errors Signed-off-by: Tarun Pothulapati * add ochttp handler to tap http server Signed-off-by: Tarun Pothulapati * review and fix tests Signed-off-by: Tarun Pothulapati * update test values Signed-off-by: Tarun Pothulapati * use common template Signed-off-by: Tarun Pothulapati * update tests Signed-off-by: Tarun Pothulapati * use Initialize Signed-off-by: Tarun Pothulapati * fix sample flag Signed-off-by: Tarun Pothulapati * add verbose info reg flags Signed-off-by: Tarun Pothulapati --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 049cb957..a8142528 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:1c1e51a3 as golang +FROM gcr.io/linkerd-io/go-deps:a3fe37ac as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From d99102f3dcca92f5a78824905292d01c62d4779f Mon Sep 17 00:00:00 2001 From: cpretzer Date: Thu, 26 Sep 2019 09:02:12 -0700 Subject: [PATCH 045/112] Update base docker image to debian latest stable: buster (#3438) * Update base docker image to debian latest stable: buster Signed-off-by: Charles Pretzer * Update all files to use buster image --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index a8142528..a9ec9f22 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -6,7 +6,7 @@ COPY controller controller COPY cni-plugin cni-plugin RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM gcr.io/linkerd-io/base:2019-09-04.01 +FROM gcr.io/linkerd-io/base:2019-09-17.01 WORKDIR /linkerd RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/ From ce20854416c39631bf4cf6ce5a0ddc37d71274ec Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Thu, 26 Sep 2019 11:56:44 -0700 Subject: [PATCH 046/112] Revert "Trace Control Plane components using OC (#3461)" (#3484) This reverts commit eaf7460448e33e229d5b5996aafcafe1dbf225e2. This is a temporary revert of #3461 while we sort out some details of how this should configured and how it should interact with configuring a trace collector on the Linkerd proxy. We will reintroduce this change once the config plan is straightened out. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index a9ec9f22..304a1068 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:a3fe37ac as golang +FROM gcr.io/linkerd-io/go-deps:1c1e51a3 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 1cda0820d8fb04aa2c74bd2ccc477587e6c4ed50 Mon Sep 17 00:00:00 2001 From: cpretzer Date: Thu, 26 Sep 2019 13:40:43 -0700 Subject: [PATCH 047/112] Revert upgrade to buster based on CNI test failure after merge (#3486) --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 304a1068..049cb957 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -6,7 +6,7 @@ COPY controller controller COPY cni-plugin cni-plugin RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM gcr.io/linkerd-io/base:2019-09-17.01 +FROM gcr.io/linkerd-io/base:2019-09-04.01 WORKDIR /linkerd RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/ From a3b846af7d36e4d22045bb5901af033949c450ec Mon Sep 17 00:00:00 2001 From: Kevin Leimkuhler Date: Sun, 29 Sep 2019 09:54:37 -0700 Subject: [PATCH 048/112] Add TapEvent headers and trailers to the tap protobuf (#3410) ### Motivation In order to expose arbitrary headers through tap, headers and trailers should be read from the linkerd2-proxy-api `TapEvent`s and set in the public `TapEvent`s. This change should have no user facing changes as it just prepares the events for JSON output in linkerd/linkerd2#3390 ### Solution The public API has been updated with a headers field for `TapEvent_Http_RequestInit_` and `TapEvent_Http_ResponseInit_`, and trailers field for `TapEvent_Http_ResponseEnd_`. These values are set by reading the corresponding fields off of the proxy's tap events. The proto changes are equivalent to the proto changes proposed in linkerd/linkerd2-proxy-api#33 Closes #3262 Signed-off-by: Kevin Leimkuhler --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 049cb957..ed503d99 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:1c1e51a3 as golang +FROM gcr.io/linkerd-io/go-deps:7777de65 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 6079f11189f9cc88664ba566df533ea80d5bbe75 Mon Sep 17 00:00:00 2001 
From: Alex Leong Date: Wed, 16 Oct 2019 13:56:11 -0700 Subject: [PATCH 049/112] Switch from using golangci fmt to using goimports (#3555) CI currently enforcing formatting rules by using the fmt linter of golang-ci-lint which is invoked from the bin/lint script. However it doesn't seem possible to use golang-ci-lint as a formatter, only as a linter which checks formatting. This means any formatter used by your IDE or invoked manually may or may not use the same formatting rules as golang-ci-lint depending on which formatter you use and which specific revision of that formatter you use. In this change we stop using golang-ci-lint for format checking. We introduce `tools.go` and add goimports to the `go.mod` and `go.sum` files. This allows everyone to easily get the same revision of goimports by running `go install -mod=readonly golang.org/x/tools/cmd/goimports` from inside of the project. We add a step in the CI workflow that uses goimports via the `bin/fmt` script to check formatting. Some shell gymnastics were required in the `bin/fmt` script to work around some limitations of `goimports`: * goimports does not have a built-in mechanism for excluding directories, and we need to exclude the vendor director as well as the generated Go sources * goimports returns a 0 exit code, even when formatting errors are detected Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index ed503d99..391ffaad 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:7777de65 as golang +FROM gcr.io/linkerd-io/go-deps:e9a301f6 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From ede337d2c1a27b2f941b298f55fb329916eb73ac Mon Sep 17 00:00:00 2001 
From: Tarun Pothulapati Date: Sat, 19 Oct 2019 00:49:13 +0530 Subject: [PATCH 050/112] Trace Control plane Components with OC (#3495) * add trace flags and initialisation * add ocgrpc handler to newgrpc * add ochttp handler to linkerd web * add flags to linkerd web * add ochttp handler to prometheus handler initialisation * add ochttp clients for components * add span for prometheus query * update godep sha * fix reviews * better commenting * add err checking * remove sampling * add check in main * move to pkg/trace Signed-off-by: Tarun Pothulapati --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 391ffaad..d2180f59 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:e9a301f6 as golang +FROM gcr.io/linkerd-io/go-deps:14d57ed4 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 32fa6b505ac9cded381ef70aa181f542a43607a0 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Mon, 21 Oct 2019 12:12:19 -0700 Subject: [PATCH 051/112] Add APIService fake clientset support (#3569) The `linkerd upgrade --from-manifests` command supports reading the manifest output via `linkerd install`. PR #3167 introduced a tap APIService object into `linkerd install`, but the manifest-reading code in fake.go was never updated to support this new object kind. Update the fake clientset code to support APIService objects. Fixes #3559 Signed-off-by: Andrew Seigner --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index d2180f59..9e18814b 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:14d57ed4 as golang +FROM gcr.io/linkerd-io/go-deps:98181d11 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 7ea870e93271d4d1be7f5dfa22fb9deb9a0651c9 Mon Sep 17 00:00:00 2001 From: Zahari Dichev Date: Thu, 24 Oct 2019 23:15:14 +0300 Subject: [PATCH 052/112] Cert manager support (#3600) * Add support for --identity-issuer-mode flag to install cmd * Change flag to be a bool * Read correct data form identity when external issuer is used * Add ability for identity service to dynamically reload certs * Fix failing tests * Minor refactor * Load trust anchors from identity issuer secret * Make identity service actually watch for issuer certs updates * Add some testing around cmd line identity options validation * Add tests ensuring that identity service loads issuer * Take into account external-issuer flag during upgrade + tests * Fix failing upgrade test * Address initial review feedback * Address further review feedback on cli and helm * Do not persist --identity-external-issuer * Some improvements to identitiy service * Bring back persistane of external issuer flag * Address more feedback * Update dockerfiles shas * Publishing k8s events on issuer certs rotation * Ensure --ignore-cluster+external issuer is not supported * Update go-deps shas * Transition to identity issuer scheme based configuration * Use k8s consts for secret file names Signed-off-by: zaharidichev --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 9e18814b..5d2b0c9b 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:98181d11 as golang +FROM gcr.io/linkerd-io/go-deps:f4c3ddf4 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From a1684d3e7e25f6c28bda126a63450f89eb215ffb Mon Sep 17 00:00:00 2001 
From: Alejandro Pedraza Date: Wed, 13 Nov 2019 12:54:36 -0500 Subject: [PATCH 053/112] Upgrade go to 1.13.4 (#3702) Fixes #3566 As explained in #3566, as of go 1.13 there's a strict check that ensures a dependency's timestamp matches it's sha (as declared in go.mod). Our smi-sdk dependency has a problem with that that got resolved later on, but more work would be required to upgrade that dependency. In the meantime a quick pair of replace statements at the bottom of go.mod fix the issue. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 5d2b0c9b..4cf37989 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:f4c3ddf4 as golang +FROM gcr.io/linkerd-io/go-deps:1c6a29b8 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From ba855234157b2ebade99e3f434410fe52be1bb0f Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Fri, 29 Nov 2019 09:19:11 -0500 Subject: [PATCH 054/112] Removed calico logutils dependency, incompatible with go 1.13 (#3763) * Removed calico logutils dependency, incompatible with go 1.13 Fixes #1153 Removed dependency on `github.com/projectcalico/libcalico-go/lib/logutils` because it has problems with go modules, as described in projectcalico/libcalico-go#1153 Not a big deal since it was only used for modifying the plugin's log format. --- cni-plugin/Dockerfile | 2 +- cni-plugin/main.go | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 4cf37989..e32cccbe 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:1c6a29b8 as golang +FROM gcr.io/linkerd-io/go-deps:7ea16e73 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller 
diff --git a/cni-plugin/main.go b/cni-plugin/main.go index ffe7d822..1d827fbd 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -31,7 +31,6 @@ import ( "github.com/linkerd/linkerd2-proxy-init/cmd" "github.com/linkerd/linkerd2-proxy-init/iptables" "github.com/linkerd/linkerd2/pkg/k8s" - "github.com/projectcalico/libcalico-go/lib/logutils" "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -77,10 +76,6 @@ type PluginConf struct { } func main() { - // Set up logging formatting. - logrus.SetFormatter(&logutils.Formatter{}) - // Install a hook that adds file/line no information. - logrus.AddHook(&logutils.ContextHook{}) skel.PluginMain(cmdAdd, cmdDel, version.All) } From 36cd54154997c459c676bfa90bc5b6b5766206f0 Mon Sep 17 00:00:00 2001 From: Zahari Dichev Date: Tue, 10 Dec 2019 13:21:28 +0200 Subject: [PATCH 055/112] Move CNI template to helm (#3581) * Create helm chart for the CNI plugin Signed-off-by: zaharidichev * Add helm install tests for the CNI plugin Signed-off-by: zaharidichev * Add readme for the CNI helm chart Signed-off-by: zaharidichev * Fix integration tests Signed-off-by: zaharidichev * Remove old cni-plugin.yaml Signed-off-by: zaharidichev * Add trace partial template Signed-off-by: zaharidichev * Address more comments Signed-off-by: Zahari Dichev --- cni-plugin/deployment/linkerd-cni.conf.default | 18 +++++++++--------- cni-plugin/deployment/scripts/install-cni.sh | 9 --------- .../test/data/expected/01-linkerd-cni.conf-1 | 8 ++++---- .../test/data/expected/10-calico.conflist-1 | 8 ++++---- .../data/expected/10-host-local.conflist-1 | 8 ++++---- 5 files changed, 21 insertions(+), 30 deletions(-) diff --git a/cni-plugin/deployment/linkerd-cni.conf.default b/cni-plugin/deployment/linkerd-cni.conf.default index 5820c86c..a7e699fe 100644 --- a/cni-plugin/deployment/linkerd-cni.conf.default +++ b/cni-plugin/deployment/linkerd-cni.conf.default 
@@ -1,7 +1,7 @@ { "name": "linkerd-cni", "type": "linkerd-cni", - "log_level": "__LOG_LEVEL__", + "log_level": "info", "policy": { "type": "k8s", "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", @@ -11,13 +11,13 @@ "kubeconfig": "__KUBECONFIG_FILEPATH__" }, "linkerd": { - "incoming-proxy-port": __INCOMING_PROXY_PORT__, - "outgoing-proxy-port": __OUTGOING_PROXY_PORT__, - "proxy-uid": __PROXY_UID__, - "ports-to-redirect": [__PORTS_TO_REDIRECT__], - "inbound-ports-to-ignore": [__INBOUND_PORTS_TO_IGNORE__], - "outbound-ports-to-ignore": [__OUTBOUND_PORTS_TO_IGNORE__], - "simulate": __SIMULATE__, - "use-wait-flag": __USE_WAIT_FLAG__ + "incoming-proxy-port": 4143, + "outgoing-proxy-port": 4140, + "proxy-uid": 2102, + "ports-to-redirect": [], + "inbound-ports-to-ignore": [], + "outbound-ports-to-ignore": [], + "simulate": false, + "use-wait-flag": false } } diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index 3cf42496..9083ac51 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh 
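Review bot: The placeholders here become literals (`"proxy-uid": 2102`, ports 4143 and 4140, `"log_level": "info"`) while the same patch deletes the matching `sed` substitutions from install-cni.sh, so environment variables such as `LOG_LEVEL`, `PROXY_UID` or `INBOUND_PORTS_TO_IGNORE` presumably stop having any effect whenever the installer uses this file. The proxy UID and the ignore lists decide which traffic the firewall rules exempt, so a silently ignored override is worth making visible. If the Helm chart is now expected to supply the whole config, a header comment in install-cni.sh would say so, for example `# linkerd settings are rendered by the Helm chart; the bundled default is used only when no config is supplied`. How the script selects its config is not visible in this patch, so this should be confirmed against the script.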
@@ -174,15 +174,6 @@ sed -i s/__CNI_MTU__/"${CNI_MTU:-1500}"/g ${TMP_CONF} # Use alternative command character "~", since these include a "/". sed -i s~__KUBECONFIG_FILEPATH__~"${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}"~g ${TMP_CONF} -sed -i s~__LOG_LEVEL__~"${LOG_LEVEL:-warn}"~g ${TMP_CONF} -sed -i s~__INCOMING_PROXY_PORT__~"${INCOMING_PROXY_PORT:=-1}"~g ${TMP_CONF} -sed -i s~__OUTGOING_PROXY_PORT__~"${OUTGOING_PROXY_PORT:=-1}"~g ${TMP_CONF} -sed -i s~__PROXY_UID__~"${PROXY_UID:=-1}"~g ${TMP_CONF} -sed -i s~__PORTS_TO_REDIRECT__~"${PORTS_TO_REDIRECT:=}"~g ${TMP_CONF} -sed -i s~__INBOUND_PORTS_TO_IGNORE__~"${INBOUND_PORTS_TO_IGNORE:=}"~g ${TMP_CONF} -sed -i s~__OUTBOUND_PORTS_TO_IGNORE__~"${OUTBOUND_PORTS_TO_IGNORE:=}"~g ${TMP_CONF} -sed -i s~__SIMULATE__~"${SIMULATE:=false}"~g ${TMP_CONF} -sed -i s~__USE_WAIT_FLAG__~"${USE_WAIT_FLAG:=false}"~g ${TMP_CONF} CNI_OLD_CONF_PATH="${CNI_OLD_CONF_PATH:-${CNI_CONF_PATH}}" diff --git a/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 b/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 index 2bc0a39a..a527424e 100644 --- a/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 +++ b/cni-plugin/test/data/expected/01-linkerd-cni.conf-1 @@ -1,7 +1,7 @@ { "name": "linkerd-cni", "type": "linkerd-cni", - "log_level": "warn", + "log_level": "info", "policy": { "type": "k8s", "k8s_api_root": "https://10.110.0.1:443", @@ -11,9 +11,9 @@ "kubeconfig": "/etc/cni/net.d/ZZZ-linkerd-cni-kubeconfig" }, "linkerd": { - "incoming-proxy-port": -1, - "outgoing-proxy-port": -1, - "proxy-uid": -1, + "incoming-proxy-port": 4143, + "outgoing-proxy-port": 4140, + "proxy-uid": 2102, "ports-to-redirect": [], "inbound-ports-to-ignore": [], "outbound-ports-to-ignore": [], diff --git a/cni-plugin/test/data/expected/10-calico.conflist-1 b/cni-plugin/test/data/expected/10-calico.conflist-1 index 197c69f4..d38901d2 100644 --- a/cni-plugin/test/data/expected/10-calico.conflist-1 +++ b/cni-plugin/test/data/expected/10-calico.conflist-1 
@@ -27,7 +27,7 @@ { "name": "linkerd-cni", "type": "linkerd-cni", - "log_level": "warn", + "log_level": "info", "policy": { "type": "k8s", "k8s_api_root": "https://10.110.0.1:443", @@ -37,9 +37,9 @@ "kubeconfig": "/etc/cni/net.d/ZZZ-linkerd-cni-kubeconfig" }, "linkerd": { - "incoming-proxy-port": -1, - "outgoing-proxy-port": -1, - "proxy-uid": -1, + "incoming-proxy-port": 4143, + "outgoing-proxy-port": 4140, + "proxy-uid": 2102, "ports-to-redirect": [], "inbound-ports-to-ignore": [], "outbound-ports-to-ignore": [], diff --git a/cni-plugin/test/data/expected/10-host-local.conflist-1 b/cni-plugin/test/data/expected/10-host-local.conflist-1 index 6493bbb7..e271484b 100644 --- a/cni-plugin/test/data/expected/10-host-local.conflist-1 +++ b/cni-plugin/test/data/expected/10-host-local.conflist-1 @@ -18,7 +18,7 @@ { "name": "linkerd-cni", "type": "linkerd-cni", - "log_level": "warn", + "log_level": "info", "policy": { "type": "k8s", "k8s_api_root": "https://10.110.0.1:443", @@ -28,9 +28,9 @@ "kubeconfig": "/etc/cni/net.d/ZZZ-linkerd-cni-kubeconfig" }, "linkerd": { - "incoming-proxy-port": -1, - "outgoing-proxy-port": -1, - "proxy-uid": -1, + "incoming-proxy-port": 4143, + "outgoing-proxy-port": 4140, + "proxy-uid": 2102, "ports-to-redirect": [], "inbound-ports-to-ignore": [], "outbound-ports-to-ignore": [], From 47e7684a53b96f3394d23b7107cd5d4d92e84d33 Mon Sep 17 00:00:00 2001 From: Dax McDonald Date: Wed, 11 Dec 2019 16:26:16 -0700 Subject: [PATCH 056/112] Upgrade prometheus to v1.2.1 (#3541) Signed-off-by: Dax McDonald --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index e32cccbe..e8f17751 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:7ea16e73 as golang +FROM gcr.io/linkerd-io/go-deps:0279da99 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller 
From 1c455a63c1724155435dbef896bd9f5de9a15167 Mon Sep 17 00:00:00 2001 From: "Sergio C. Arteaga" Date: Tue, 17 Dec 2019 15:15:00 +0100 Subject: [PATCH 057/112] Cache StatSummary responses in dashboard web server (#3769) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Sergio Castaño Arteaga --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index e8f17751..a7bfaaec 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:0279da99 as golang +FROM gcr.io/linkerd-io/go-deps:2273074d as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 9c70a34a7e496f5b508eff0c3b7dd4d5d91691a1 Mon Sep 17 00:00:00 2001 From: Paul Balogh Date: Fri, 20 Dec 2019 08:32:13 -0600 Subject: [PATCH 058/112] Enable mixed configuration of skip-[inbound|outbound]-ports (#3766) * Enable mixed configuration of skip-[inbound|outbound]-ports using port numbers and ranges (#3752) * included tests for generated output given proxy-ignore configuration options * renamed "validate" method to "parseAndValidate" given mutation * updated documentation to denote inclusiveness of ranges * Updates for expansion of ignored inbound and outbound port ranges to be handled by the proxy-init rather than CLI (#3766) This change maintains the configured ports and ranges as strings rather than unsigned integers, while still providing validation at the command layer. * Bump versions for proxy-init to v1.3.0 Signed-off-by: Paul Balogh --- cni-plugin/Dockerfile | 2 +- cni-plugin/main.go | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index a7bfaaec..2af622dc 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:2273074d as golang +FROM gcr.io/linkerd-io/go-deps:f6fda337 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller diff --git a/cni-plugin/main.go b/cni-plugin/main.go index 1d827fbd..98d0a422 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -37,14 +37,14 @@ import ( // ProxyInit is the configuration for the proxy-init binary type ProxyInit struct { - IncomingProxyPort int `json:"incoming-proxy-port"` - OutgoingProxyPort int `json:"outgoing-proxy-port"` - ProxyUID int `json:"proxy-uid"` - PortsToRedirect []int `json:"ports-to-redirect"` - InboundPortsToIgnore []int `json:"inbound-ports-to-ignore"` - OutboundPortsToIgnore []int `json:"outbound-ports-to-ignore"` - Simulate bool `json:"simulate"` - UseWaitFlag bool `json:"use-wait-flag"` + IncomingProxyPort int `json:"incoming-proxy-port"` + OutgoingProxyPort int `json:"outgoing-proxy-port"` + ProxyUID int `json:"proxy-uid"` + PortsToRedirect []int `json:"ports-to-redirect"` + InboundPortsToIgnore []string `json:"inbound-ports-to-ignore"` + OutboundPortsToIgnore []string `json:"outbound-ports-to-ignore"` + Simulate bool `json:"simulate"` + UseWaitFlag bool `json:"use-wait-flag"` } // Kubernetes a K8s specific struct to hold config From c44fd501345901222c2f12a78625cfdf3ebdab40 Mon Sep 17 00:00:00 2001 
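Review bot: Switching `InboundPortsToIgnore` and `OutboundPortsToIgnore` to `[]string` means a CNI config that still carries bare JSON numbers in those arrays will no longer decode with encoding/json, so whatever renders the config must quote every entry from now on. The plugin reads these values from a file on the node rather than from the CLI layer where the commit message says validation happens, so each entry should also be checked as a port or port range in the plugin before it is turned into firewall rules. The hunk gives no hint of the new format; a field comment such as `// InboundPortsToIgnore lists ports or inclusive port ranges, encoded as JSON strings` would record it.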
From: Mayank Shah Date: Mon, 13 Jan 2020 23:32:24 +0530 Subject: [PATCH 059/112] Remove empty fields from generated configs (#3886) Fixes - https://github.com/linkerd/linkerd2/issues/2962 - https://github.com/linkerd/linkerd2/issues/2545 ### Problem Field omissions for workload objects are not respected while marshaling to JSON. ### Solution After digging a bit into the code, I came to realize that while marshaling, workload objects have empty structs as values for various fields which would rather be omitted. As of now, the standard library`encoding/json` does not support zero values of structs with the `omitemty` tag. The relevant issue can be found [here](https://github.com/golang/go/issues/11939). To tackle this problem, the object declaration should have _pointer-to-struct_ as a field type instead of _struct_ itself. However, this approach would be out of scope as the workload object declaration is handled by the k8s library. I was able to find a drop-in replacement for the `encoding/json` library which supports zero value of structs with the `omitempty` tag. It can be found [here](https://github.com/clarketm/json). I have made use of this library to implement a simple filter like functionality to remove empty tags once a YAML with empty tags is generated, hence leaving the previously existing methods unaffected Signed-off-by: Mayank Shah --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 2af622dc..8c24e598 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:f6fda337 as golang +FROM gcr.io/linkerd-io/go-deps:462bbba0 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 267c6166a70d84812537d1504da85739a5c3af68 Mon Sep 17 00:00:00 2001 
From: Mayank Shah Date: Wed, 22 Jan 2020 20:08:31 +0530 Subject: [PATCH 060/112] Add `as-group` CLI flag (#3952) Add CLI flag --as-group that can impersonate group for k8s operations Signed-off-by: Mayank Shah mayankshah1614@gmail.com --- cni-plugin/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index 98d0a422..600003d9 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -160,7 +160,7 @@ func cmdAdd(args *skel.CmdArgs) error { }) if namespace != "" && podName != "" { - client, err := k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", "", 0) + client, err := k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", "", []string{}, 0) if err != nil { return err } From 4406d026f18237fe12895e1dd38cdcba9edca660 Mon Sep 17 00:00:00 2001 From: Zahari Dichev Date: Thu, 23 Jan 2020 19:55:04 +0200 Subject: [PATCH 061/112] Fix CNI config parsing (#3953) This PR addreses the problem introduced after #3766. Fixes #3941 Signed-off-by: Zahari Dichev --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 8c24e598..b229039b 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:462bbba0 as golang +FROM gcr.io/linkerd-io/go-deps:8d2ce4bf as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 1ced02548e223fb2144cdc6bffd66a6b5b0ddc38 Mon Sep 17 00:00:00 2001 From: Dax McDonald Date: Fri, 7 Feb 2020 08:58:54 -0700 Subject: [PATCH 062/112] Use correct go module file syntax (#4021) The correct syntax for the go module file is go MAJOR.MINOR Signed-off-by: Dax McDonald --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index b229039b..9ae99bcb 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
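Review bot: The new impersonation-group argument is passed as `[]string{}`, where `nil` is the idiomatic empty slice and reads more plainly as "no groups": `k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", "", nil, 0)`. The trailing `0` looks like the client timeout; if so, a CNI ADD that cannot reach the API server could stall pod setup, so it is worth confirming that value is intended. cmdAdd starts and ends outside this hunk.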
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:8d2ce4bf as golang +FROM gcr.io/linkerd-io/go-deps:93ea34a8 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 9799bc789e344a98417198e85c91693c225fd460 Mon Sep 17 00:00:00 2001 From: Kevin Leimkuhler Date: Tue, 17 Mar 2020 11:16:18 -0700 Subject: [PATCH 063/112] Update linkerd/stern to fix go.mod parsing (#4173) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Motivation I noticed the Go language server stopped working in VS Code and narrowed it down to `go build ./...` failing with the following: ``` ❯ go build ./... go: github.com/linkerd/stern@v0.0.0-20190907020106-201e8ccdff9c: parsing go.mod: go.mod:3: usage: go 1.23 ``` This change updates `linkerd/stern` version with changes made in linkerd/stern#3 to fix this issue. This does not depend on #4170, but it is also needed in order to completely fix `go build ./...` --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 9ae99bcb..789ccba2 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:93ea34a8 as golang +FROM gcr.io/linkerd-io/go-deps:d0918050 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From dd8c7b30ff35c3ba58d0d4154d9e31b2c8e92845 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Tue, 17 Mar 2020 14:49:25 -0500 Subject: [PATCH 064/112] Bump proxy-init to v1.3.2 (#4170) * Bump proxy-init to v1.3.2 Bumped `proxy-init` version to v1.3.2, fixing an issue with `go.mod` (linkerd/linkerd2-proxy-init#9). This is a non-user-facing fix. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 789ccba2..69e39fbf 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:d0918050 as golang +FROM gcr.io/linkerd-io/go-deps:6b9a8ea4 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From b44156aa43348f009f2f97ebdd9331eddfa020ea Mon Sep 17 00:00:00 2001 From: Zahari Dichev Date: Wed, 25 Mar 2020 10:56:36 +0200 Subject: [PATCH 065/112] Set auth override (#4160) Set AuthOverride when present on endpoints annotation Signed-off-by: Zahari Dichev --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 69e39fbf..c812258e 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:6b9a8ea4 as golang +FROM gcr.io/linkerd-io/go-deps:1b3f62c3 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 27f5cd4209780d2f41a1b489fb5a71f70f646f9c Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Wed, 1 Apr 2020 10:07:23 -0700 Subject: [PATCH 066/112] Upgrade to client-go 0.17.4 and smi-sdk-go 0.3.0 (#4221) Here we upgrade our dependencies on client-go to 0.17.4 and smi-sdk-go to 0.3.0. Since smi-sdk-go uses client-go 0.17.4, these upgrades must be performed simultaneously. This also requires simultaneously upgrading our dependency on linkerd/stern to a SHA which also uses client-go 0.17.4. This keeps all of our transitive dependencies synchronized on one version of client-go. This ALSO requires updating our codegen scripts to use the 0.17.4 version of code-generator and running it to generate 0.17.4 compatible generated code. I took this opportunity to update our code generation script to properly use the version of code-generater from `go.mod` rather than a hardcoded SHA. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index c812258e..0f7ae38f 100644 
--- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:1b3f62c3 as golang +FROM gcr.io/linkerd-io/go-deps:e387f3b8 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 6055f1cceb7ccf0c32c75f8d6f1ff67c9861c5a7 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Mon, 20 Apr 2020 17:14:51 -0700 Subject: [PATCH 067/112] Upgrade to go 1.14.2 (#4278) Upgrade Linkerd's base docker image to use go 1.14.2 in order to stay modern. The only code change required was to update a test which was checking the error message of a `crypto/x509.CertificateInvalidError`. The error message of this error changed between go versions. We update the test to not check for the specific error string so that this test passes regardless of go version. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 0f7ae38f..76167da1 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:e387f3b8 as golang +FROM gcr.io/linkerd-io/go-deps:8c47576d as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From f2a6c15b9902698cfb22b2eab8d52e3517a430e3 Mon Sep 17 00:00:00 2001 
From: Alejandro Pedraza Date: Thu, 14 May 2020 12:13:07 -0500 Subject: [PATCH 068/112] Refactor CNI integration tests to use annotations functions (#4363) Followup to #4341 Replaced all the `t.Error`/`t.Fatal` calls in the integration tests with the new functions defined in `testutil/annotations.go` as described in #4292, in order for the errors to produce Github annotations. This piece takes care of the CNI integration test suite. This also enables the annotations for these and the general integration tests, by setting the `GH_ANNOTATIONS` environment variable in the workflows whose flakiness we're interested on catching: Kind integration, Cloud integration and Release. Re #4176 --- cni-plugin/test/install-cni_test.go | 57 +++++++++++++++++++---------- 1 file changed, 38 insertions(+), 19 deletions(-) diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index f0c5d5fd..4030ac6b 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -27,6 +27,8 @@ import ( "strings" "testing" "time" + + "github.com/linkerd/linkerd2/testutil" ) const ( @@ -50,14 +52,16 @@ func env(key, fallback string) string { func setEnv(key, value string, t *testing.T) { err := os.Setenv(key, value) if err != nil { - t.Fatalf("Couldn't set environment variable, err: %v", err) + testutil.AnnotatedFatalf(t, "couldn't set environment variable", + "couldn't set environment variable: %v", err) } } func mktemp(dir, prefix string, t *testing.T) string { tempDir, err := ioutil.TempDir(dir, prefix) if err != nil { - t.Fatalf("Couldn't get current working directory, err: %v", err) + testutil.AnnotatedFatalf(t, "couldn't get current working directory", + "couldn't get current working directory: %v", err) } t.Logf("Created temporary dir: %v", tempDir) return tempDir 
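Review bot: In `mktemp` the rewritten failure path still reports "couldn't get current working directory", although the call that failed is `ioutil.TempDir(dir, prefix)`. The misleading text now appears twice, as the annotation title and as the message. Something like `testutil.AnnotatedFatalf(t, "couldn't create temporary directory", "couldn't create temporary directory in %v: %v", dir, err)` would name the real failure. The same wording is correct where it is used in the `pwd` hunk that follows.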
@@ -66,7 +70,8 @@ func mktemp(dir, prefix string, t *testing.T) string { func pwd(t *testing.T) string { wd, err := os.Getwd() if err != nil { - t.Fatalf("Couldn't get current working directory, err: %v", err) + testutil.AnnotatedFatalf(t, "couldn't get current working directory", + "couldn't get current working directory: %v", err) } return wd + "/" } @@ -74,7 +79,8 @@ func pwd(t *testing.T) string { func ls(dir string, t *testing.T) []string { files, err := ioutil.ReadDir(dir) if err != nil { - t.Fatalf("Failed to list files, err: %v", err) + testutil.AnnotatedFatalf(t, "failed to list files", + "failed to list files: %v", err) } fileNames := make([]string, len(files)) for i, f := range files { @@ -86,17 +92,20 @@ func ls(dir string, t *testing.T) []string { func cp(src, dest string, t *testing.T) { data, err := ioutil.ReadFile(src) if err != nil { - t.Fatalf("Failed to read file %v, err: %v", src, err) + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to read file %v", src), + "failed to read file %v: %v", src, err) } if err = ioutil.WriteFile(dest, data, 0644); err != nil { - t.Fatalf("Failed to write file %v, err: %v", dest, err) + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to write file %v", dest), + "failed to write file %v: %v", dest, err) } } func rm(dir string, t *testing.T) { err := os.RemoveAll(dir) if err != nil { - t.Fatalf("Failed to remove dir %v, err: %v", dir, err) + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to remove dir %v", dir), + "failed to remove dir %v: %v", dir, err) } } 
@@ -145,12 +154,14 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s // Create a temporary log file to write docker command error log. errFile, err := os.Create(errFileName) if err != nil { - t.Fatalf("Couldn't create docker stderr file, err: %v", err) + testutil.AnnotatedFatalf(t, "couldn't create docker stderr file", + "couldn't create docker stderr file: %v", err) } defer func() { errClose := errFile.Close() if errClose != nil { - t.Fatalf("Couldn't close docker stderr file, err: %v", errClose) + testutil.AnnotatedFatalf(t, "couldn't close docker stderr file", + "couldn't close docker stderr file: %v", errClose) } }() @@ -162,7 +173,8 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s if err != nil { errFileContents, _ := ioutil.ReadFile(errFileName) t.Logf("%v contents:\n\n%v\n\n", errFileName, string(errFileContents)) - t.Fatalf("Test %v ERROR: failed to start docker container '%v', see %v", testNum, dockerImage, errFileName) + testutil.Fatalf(t, + "test %v ERROR: failed to start docker container '%v', see %v", testNum, dockerImage, errFileName) } t.Logf("Container ID: %s", containerID) return strings.Trim(string(containerID), "\n") @@ -172,7 +184,8 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s func docker(cmd, containerID string, t *testing.T) { out, err := exec.Command("docker", cmd, containerID).CombinedOutput() if err != nil { - t.Fatalf("Failed to execute 'docker %s %s', err: %v", cmd, containerID, err) + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to execute 'docker %s %s'", cmd, containerID), + "failed to execute 'docker %s %s': %v", cmd, containerID, err) } t.Logf("docker %s %s - out: %s", cmd, containerID, out) } 
@@ -182,21 +195,23 @@ func compareConfResult(testWorkRootDir string, tempCNINetDir string, result stri tempResult := tempCNINetDir + "/" + result resultFile, err := ioutil.ReadFile(tempResult) if err != nil { - t.Fatalf("Failed to read file %v, err: %v", tempResult, err) + testutil.AnnotatedFatalf(t, "failed to read file", + "failed to read file %v: %v", tempResult, err) } expectedFile, err := ioutil.ReadFile(expected) if err != nil { - t.Fatalf("Failed to read file %v, err: %v", expected, err) + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to read file %v", expected), + "failed to read file %v, err: %v", expected, err) } if bytes.Equal(resultFile, expectedFile) { t.Logf("PASS: result matches expected: %v v. %v", tempResult, expected) } else { tempFail := mktemp(testWorkRootDir, result+".fail.XXXX", t) - t.Errorf("FAIL: result doesn't match expected: %v v. %v", tempResult, expected) cp(tempResult, tempFail+"/"+result, t) - t.Fatalf("Check %v for diff contents", tempFail) + testutil.AnnotatedErrorf(t, "FAIL: result doesn't match expected", + "FAIL: result doesn't match expected: %v v. %v\nCheck %v for diff contents", tempResult, expected, tempFail) } } @@ -207,11 +222,13 @@ func checkBinDir(t *testing.T, tempCNIBinDir string, op string, files ...string) if op == "add" { t.Logf("PASS: File %v was added to %v", f, tempCNIBinDir) } else if op == "del" { - t.Fatalf("FAIL: File %v was not removed from %v", f, tempCNIBinDir) + testutil.AnnotatedFatalf(t, fmt.Sprintf("FAIL: File %v was not removed", f), + "FAIL: File %v was not removed from %v", f, tempCNIBinDir) } } else { if op == "add" { - t.Fatalf("FAIL: File %v was not added to %v", f, tempCNIBinDir) + testutil.AnnotatedFatalf(t, fmt.Sprintf("FAIL: File %v was not added", f), + "FAIL: File %v was not added to %v", f, tempCNIBinDir) } else if op == "del" { t.Logf("PASS: File %v was removed from %v", f, tempCNIBinDir) } 
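Review bot: In `compareConfResult` the mismatch branch used to end in `t.Fatalf`, which stopped the test, and now ends in `testutil.AnnotatedErrorf`, which (judging by its name; its body is not shown) only records the failure, so the caller would go on to the remaining checks after a config mismatch. If stopping is still wanted, call `testutil.AnnotatedFatalf` with the same arguments; if continuing is intended, a one-line comment saying so would help. The two read-error paths in the same hunk also differ from each other: the result file uses a static title and `%v: %v`, the expected file a `fmt.Sprintf` title and `%v, err: %v`. They could share one form.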
@@ -229,7 +246,8 @@ func doTest(testNum int, wd string, initialNetConfFile string, finalNetConfFile } defaultData, err := ioutil.ReadFile(wd + "../deployment/linkerd-cni.conf.default") if err != nil { - t.Fatalf("Failed to read file %v, err: %v", wd+"../deployment/linkerd-cni.conf.default", err) + testutil.AnnotatedFatalf(t, "failed to read file linkerd-cni.conf.default", + "failed to read file %v, err: %v", wd+"../deployment/linkerd-cni.conf.default", err) } setEnv(cniNetworkConfigName, string(defaultData), t) @@ -249,7 +267,8 @@ func doTest(testNum int, wd string, initialNetConfFile string, finalNetConfFile } else { files := ls(tempCNINetDir, t) if len(files) > 0 { - t.Fatalf("FAIL: CNI_CONF_DIR is not empty: %v", files) + testutil.AnnotatedFatalf(t, "FAIL: CNI_CONF_DIR is not empty", + "FAIL: CNI_CONF_DIR is not empty: %v", files) } else { t.Log("PASS: CNI_CONF_DIR is empty") } From 10ec3b5e30abb756844851473e43dad9ddeff26d Mon Sep 17 00:00:00 2001 From: Joakim Roubert Date: Wed, 20 May 2020 18:29:14 +0200 Subject: [PATCH 069/112] install-cni.sh: Fix shellcheck issues (#4405) Where cat and echo are actually not needed, they have been removed. Signed-off-by: Joakim Roubert --- cni-plugin/deployment/scripts/install-cni.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index 9083ac51..a31e608f 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh 
@@ -65,7 +65,7 @@ cleanup() { if [ -e "${CNI_CONF_PATH}" ]; then echo "Removing linkerd-cni config: ${CNI_CONF_PATH}" - CNI_CONF_DATA=$(cat "${CNI_CONF_PATH}" | jq 'del( .plugins[]? | select( .type == "linkerd-cni" ))') + CNI_CONF_DATA=$(jq 'del( .plugins[]? | select( .type == "linkerd-cni" ))' "${CNI_CONF_PATH}") echo "${CNI_CONF_DATA}" > "${CNI_CONF_PATH}" if [ "${CNI_CONF_PATH}" = "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/01-linkerd-cni.conf" ]; then @@ -133,7 +133,7 @@ if [ -f "${SERVICE_ACCOUNT_PATH}/token" ]; then if [ "${SKIP_TLS_VERIFY}" = "true" ]; then TLS_CFG='insecure-skip-tls-verify: true' elif [ -f "${KUBE_CA_FILE}" ]; then - TLS_CFG="certificate-authority-data: $(cat "${KUBE_CA_FILE}" | base64 | tr -d '\n')" + TLS_CFG="certificate-authority-data: $(base64 "${KUBE_CA_FILE}" | tr -d '\n')" fi # Write a kubeconfig file for the CNI plugin. Do this @@ -187,7 +187,7 @@ CNI_CONF_FILE="${CNI_CONF_PATH}" if [ -e "${CNI_CONF_FILE}" ]; then # Add the linkerd-cni plugin to the existing list CNI_TMP_CONF_DATA=$(cat "${TMP_CONF}") - CNI_CONF_DATA=$(cat "${CNI_CONF_FILE}" | jq --argjson CNI_TMP_CONF_DATA "$CNI_TMP_CONF_DATA" -f /linkerd/filter.jq) + CNI_CONF_DATA=$(jq --argjson CNI_TMP_CONF_DATA "$CNI_TMP_CONF_DATA" -f /linkerd/filter.jq "${CNI_CONF_FILE}") echo "${CNI_CONF_DATA}" > ${TMP_CONF} fi From beb45fb31912de2b40e0e9c3c2551b28c6e8408c Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Thu, 21 May 2020 14:14:14 -0700 Subject: [PATCH 070/112] Add --close-wait-timeout inject flag (#4409) Depends on https://github.com/linkerd/linkerd2-proxy-init/pull/10 Fixes #4276 We add a `--close-wait-timeout` inject flag which configures the proxy-init container to run with `privileged: true` and to set `nf_conntrack_tcp_timeout_close_wait`. Signed-off-by: Alex Leong --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 76167da1..1fd771d7 100644 --- a/cni-plugin/Dockerfile 
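Review bot: In the `cleanup()` hunk the output of `jq` is captured into `CNI_CONF_DATA` and then written over `${CNI_CONF_PATH}` without checking that `jq` succeeded, so a parse error would leave the node's CNI config effectively empty. The rewrite keeps that behaviour, and the `@@ -187,7 +187,7 @@` hunk has the same pattern with `${TMP_CONF}`, which is also left unquoted in the redirect. Guarding the write on the exit status avoids the truncation, e.g. `CNI_CONF_DATA=$(jq '…' "${CNI_CONF_PATH}") && echo "${CNI_CONF_DATA}" > "${CNI_CONF_PATH}"`. Whether the script runs under `set -e` is not visible in these hunks, and that would change how a failing substitution is handled. `cleanup()` and the surrounding `if` blocks continue outside the hunks.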
+++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:8c47576d as golang +FROM gcr.io/linkerd-io/go-deps:4f0eebd9 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 963d4aa893d3e0e240648498e6b79b1299fddef7 Mon Sep 17 00:00:00 2001 From: Joakim Roubert Date: Tue, 2 Jun 2020 22:44:38 +0200 Subject: [PATCH 071/112] Fix quotes in shellscripts (#4406) - Add quotes where missing, to handle whitespace & c:o. - Use single quotes for non-expansion strings. - Fix quotes were the current would cause errors. Signed-off-by: Joakim Roubert --- cni-plugin/deployment/scripts/install-cni.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index a31e608f..c1ecf220 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh @@ -130,7 +130,7 @@ if [ -f "${SERVICE_ACCOUNT_PATH}/token" ]; then echo 'KUBERNETES_SERVICE_PORT not set'; exit 1; fi - if [ "${SKIP_TLS_VERIFY}" = "true" ]; then + if [ "${SKIP_TLS_VERIFY}" = 'true' ]; then TLS_CFG='insecure-skip-tls-verify: true' elif [ -f "${KUBE_CA_FILE}" ]; then TLS_CFG="certificate-authority-data: $(base64 "${KUBE_CA_FILE}" | tr -d '\n')" 
@@ -166,8 +166,8 @@ EOF fi # Insert any of the supported "auto" parameters. -grep "__KUBERNETES_SERVICE_HOST__" ${TMP_CONF} && sed -i s/__KUBERNETES_SERVICE_HOST__/"${KUBERNETES_SERVICE_HOST}"/g ${TMP_CONF} -grep "__KUBERNETES_SERVICE_PORT__" ${TMP_CONF} && sed -i s/__KUBERNETES_SERVICE_PORT__/"${KUBERNETES_SERVICE_PORT}"/g ${TMP_CONF} +grep '__KUBERNETES_SERVICE_HOST__' ${TMP_CONF} && sed -i s/__KUBERNETES_SERVICE_HOST__/"${KUBERNETES_SERVICE_HOST}"/g ${TMP_CONF} +grep '__KUBERNETES_SERVICE_PORT__' ${TMP_CONF} && sed -i s/__KUBERNETES_SERVICE_PORT__/"${KUBERNETES_SERVICE_PORT}"/g ${TMP_CONF} sed -i s/__KUBERNETES_NODE_NAME__/"${KUBERNETES_NODE_NAME:-$(hostname)}"/g ${TMP_CONF} sed -i s/__KUBECONFIG_FILENAME__/"${KUBECONFIG_FILE_NAME}"/g ${TMP_CONF} sed -i s/__CNI_MTU__/"${CNI_MTU:-1500}"/g ${TMP_CONF} @@ -192,9 +192,9 @@ if [ -e "${CNI_CONF_FILE}" ]; then fi # If the old config filename ends with .conf, rename it to .conflist, because it has changed to be a list -filename=$(basename -- "${CNI_CONF_PATH}") +filename=${CNI_CONF_PATH##*/} extension="${filename##*.}" -if [ "${filename}" != "01-linkerd-cni.conf" ] && [ "${extension}" = "conf" ]; then +if [ "${filename}" != '01-linkerd-cni.conf' ] && [ "${extension}" = 'conf' ]; then echo "Renaming ${CNI_CONF_PATH} extension to .conflist" CNI_CONF_PATH="${CNI_CONF_PATH}list" fi @@ -214,7 +214,7 @@ echo "Created CNI config ${CNI_CONF_PATH}" # This prevents Kubernetes from restarting the pod repeatedly. should_sleep=${SLEEP:-"true"} echo "Done configuring CNI. Sleep=$should_sleep" -while [ "${should_sleep}" = "true" ]; do +while [ "${should_sleep}" = 'true' ]; do sleep infinity & wait $! done From 49eb94cd4b9094be82cf58fbec03684f024029e4 Mon Sep 17 00:00:00 2001 From: Joakim Roubert Date: Mon, 15 Jun 2020 19:49:26 +0200 Subject: [PATCH 072/112] Use buster for base and web images too (#4567) Requires setting iptables-legacy as the iptables provider. 
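Review bot: The `grep`/`sed` lines rewritten in the `@@ -166,8 +166,8 @@` hunk still pass `${TMP_CONF}` unquoted, which is the word-splitting case this commit sets out to remove. Using `grep '__KUBERNETES_SERVICE_HOST__' "${TMP_CONF}" && sed -i … "${TMP_CONF}"` would match the rest of the change. The substituted values are also spliced into the `sed` expression as-is, so a value containing `/` or `&` would change or break the replacement. A comment above the block, such as `# values are expected to be plain host names, ports and file names (no '/' or '&')`, would document that assumption.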
Signed-off-by: Joakim Roubert --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 1fd771d7..e1b270a2 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -6,7 +6,7 @@ COPY controller controller COPY cni-plugin cni-plugin RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM gcr.io/linkerd-io/base:2019-09-04.01 +FROM gcr.io/linkerd-io/base:2020-06-08.01 WORKDIR /linkerd RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/ From a94a124571768759ce19668e8f706117e860f871 Mon Sep 17 00:00:00 2001 From: Joakim Roubert Date: Fri, 19 Jun 2020 21:49:29 +0200 Subject: [PATCH 073/112] Improve shellscript portability by using /bin/env (#4628) Using `/bin/env` increases portability for the shell scripts (and often using `/bin/env` is requested by e.g. Mac users). This would also facilitate testing scripts with different Bash versions via the Bash containers, as they have bash in `/usr/local` and not `/bin`. Using `/bin/env`, there is no need to change the script when testing. (I assume the latter was behind https://github.com/linkerd/linkerd2/pull/4593/files/c301ea214b7ccf8d74d7c41cbf8c4cc05fea7d4a#diff-ecec5e3a811f60bc2739019004fa35b0, which would not happen using `/bin/env`.) Signed-off-by: Joakim Roubert --- cni-plugin/deployment/scripts/install-cni.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index c1ecf220..f59c6ebf 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env sh # Copyright (c) 2018 Tigera, Inc. All rights reserved. # Copyright 2018 Istio Authors # Modifications copyright (c) Linkerd authors 
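Review bot: The `@@ -6,7 +6,7 @@` Dockerfile hunk keeps `RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64` directly under the bumped base image. `-k` turns off TLS certificate verification and nothing checks the downloaded file, so the build would install whatever the connection returns as `jq`. Dropping `-k` and verifying a pinned checksum after the download closes that gap, e.g. `echo "<expected-sha256>  $(which jq)" | sha256sum -c -`, with the expected value taken from the jq release. The line is unchanged context, but it ships in the image this commit rebuilds.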
From 8f0edf1ec82840a40d9503c5a5b09b410f57a646 Mon Sep 17 00:00:00 2001 From: Lutz Behnke Date: Wed, 24 Jun 2020 19:54:27 +0200 Subject: [PATCH 074/112] Add support for Helm configuration of per-component proxy resources requests and limits (#4226) Signed-off-by: Lutz Behnke --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index e1b270a2..5ea6fd86 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:4f0eebd9 as golang +FROM gcr.io/linkerd-io/go-deps:1a8bf322 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From bc82be451f9e220c65b9b8109c578cef57093248 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Wed, 24 Jun 2020 12:52:59 -0700 Subject: [PATCH 075/112] Update proxy-api version to v0.1.13 (#4614) This update includes no API changes, but updates grpc-go to the latest release. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 5ea6fd86..47d05466 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:1a8bf322 as golang +FROM gcr.io/linkerd-io/go-deps:30d997a8 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From db514bd55849ee3a895b8d1c253af7be17c689ad Mon Sep 17 00:00:00 2001 
From: Alejandro Pedraza Date: Fri, 26 Jun 2020 09:36:48 -0500 Subject: [PATCH 076/112] Upgrade generated protobuf files to v1.4.2 (#4673) Regenerated protobuf files, using version 1.4.2 that was upgraded from 1.3.2 with the proxy-api update in #4614. As of v1.4 protobuf messages are disallowed to be copied (because they hold a mutex), so whenever a message is passed to or returned from a function we need to use a pointer. This affects _mostly_ test files. This is required to unblock #4620 which is adding a field to the config protobuf. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 47d05466..5f585bd3 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:30d997a8 as golang +FROM gcr.io/linkerd-io/go-deps:a525d867 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From ee2846fd2a656cca1e1cfece7e02978e38f817f1 Mon Sep 17 00:00:00 2001 From: Wei Lun Date: Tue, 21 Jul 2020 06:46:30 +0800 Subject: [PATCH 077/112] add fish shell completion (#4751) fixes #4208 Signed-off-by: Wei Lun --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 5f585bd3..37e39faf 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:a525d867 as golang +FROM gcr.io/linkerd-io/go-deps:61149d15 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller From 31893fe79d79012dadfbfa26b475c8666054ced8 Mon Sep 17 00:00:00 2001 
From: Alejandro Pedraza Date: Wed, 22 Jul 2020 14:27:45 -0500 Subject: [PATCH 078/112] Migrate CI to docker buildx and other improvements (#4765) * Migrate CI to docker buildx and other improvements ## Motivation - Improve build times in forks. Specially when rerunning builds because of some flaky test. - Start using `docker buildx` to pave the way for multiplatform builds. ## Performance improvements These timings were taken for the `kind_integration.yml` workflow when we merged and rerun the lodash bump PR (#4762) Before these improvements: - when merging: `24:18` - when rerunning after merge (docker cache warm): `19:00` - when running the same changes in a fork (no docker cache): `32:15` After these improvements: - when merging: `25:38` - when rerunning after merge (docker cache warm): `19:25` - when running the same changes in a fork (docker cache warm): `19:25` As explained below, non-forks and forks now use the same cache, so the important take is that forks will always start with a warm cache and we'll no longer see long build times like the `32:15` above. The downside is a slight increase in the build times for non-forks (up to a little more than a minute, depending on the case). ## Build containers in parallel The `docker_build` job in the `kind_integration.yml`, `cloud_integration.yml` and `release.yml` workflows relied on running `bin/docker-build` which builds all the containers in sequence. Now each container is built in parallel using a matrix strategy. ## New caching strategy CI now uses `docker buildx` for building the container images, which allows using an external cache source for builds, a location in the filesystem in this case. That location gets cached using actions/cache, using the key `{{ runner.os }}-buildx-${{ matrix.target }}-${{ env.TAG }}` and the restore key `${{ runner.os }}-buildx-${{ matrix.target }}-`. 
For example when building the `web` container, its image and all the intermediary layers get cached under the key `Linux-buildx-web-git-abc0123`. When that has been cached in the `main` branch, that cache will be available to all the child branches, including forks. If a new branch in a fork asks for a key like `Linux-buildx-web-git-def456`, the key won't be found during the first CI run, but the system falls back to the key `Linux-buildx-web-git-abc0123` from `main` and so the build will start with a warm cache (more info about how keys are matched in the [actions/cache docs](https://docs.github.com/en/actions/configuring-and-managing-workflows/caching-dependencies-to-speed-up-workflows#matching-a-cache-key)). ## Packet host no longer needed To benefit from the warm caches both in non-forks and forks like just explained, we're required to ditch doing the builds in Packet and now everything runs in the github runners VMs. As a result there's no longer separate logic for non-forks and forks in the workflow files; `kind_integration.yml` was greatly simplified but `cloud_integration.yml` and `release.yml` got a little bigger in order to use the actions artifacts as a repository for the images built. This bloat will be fixed when support for [composite actions](https://github.com/actions/runner/blob/users/ethanchewy/compositeADR/docs/adrs/0549-composite-run-steps.md) lands in github. ## Local builds You still are able to run `bin/docker-build` or any of the `docker-build.*` scripts. And to make use of buildx, run those same scripts after having set the env var `DOCKER_BUILDKIT=1`. Using buildx supposes you have installed it, as instructed [here](https://github.com/docker/buildx). ## Other - A new script `bin/docker-cache-prune` is used to remove unused images from the cache. Without that the cache grows constantly and we can rapidly hit the 5GB limit (when the limit is attained the oldest entries get evicted). 
- The `go-deps` dockerfile base image was changed from `golang:1.14.2` (ubuntu based) to `golang-1:14.2-alpine` also to conserve cache space. # Addressed separately in #4875: Got rid of the `go-deps` image and instead added something similar on top of all the Dockerfiles dealing with `go`, as a first stage for those Dockerfiles. That continues to serve as a way to pre-populate go's build cache, which speeds up the builds in the subsequent stages. That build should in theory be rebuilt automatically only when `go.mod` or `go.sum` change, and now we don't require running `bin/update-go-deps-shas`. That script was removed along with all the logic elsewhere that used it, including the `go_dependencies` job in the `static_checks.yml` github workflow. The list of modules preinstalled was moved from `Dockerfile-go-deps` to a new script `bin/install-deps`. I couldn't find a way to generate that list dynamically, so whenever a slow-to-compile dependency is found, we have to make sure it's included in that list. Although this simplifies the dev workflow, note that the real motivation behind this was a limitation in buildx's `docker-container` driver that forbids us from depending on images that haven't been pushed to a registry, so we have to resort to building the dependencies as a first stage in the Dockerfiles. --- cni-plugin/Dockerfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 37e39faf..6d0e9043 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,13 @@ +# Precompile key slow-to-build dependencies +FROM golang:1.14.2-alpine as go-deps +WORKDIR /linkerd-build +COPY go.mod go.sum ./ +COPY bin/install-deps bin/ +RUN go mod download +RUN ./bin/install-deps + ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:61149d15 as golang +FROM go-deps as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller 
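Review bot: The new first stage uses `FROM golang:1.14.2-alpine as go-deps`, a tag that can be re-pointed upstream, where the build previously started from the project's own `gcr.io/linkerd-io/go-deps:61149d15` image. Pinning by digest, `FROM golang:1.14.2-alpine@sha256:<digest> as go-deps`, keeps the toolchain layer reproducible. The same applies to the `debian:buster-20200514-slim` base introduced in the following patch. A comment above `RUN ./bin/install-deps` saying what the script pre-builds would also help, since its content is not part of this hunk.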
From cf35a3d6a1b959c7df9e3c4ca5b8f6b2a18a260c Mon Sep 17 00:00:00 2001 From: Ali Ariff Date: Fri, 24 Jul 2020 00:00:12 +0200 Subject: [PATCH 079/112] CI: Remove Base image (#4782) Removed the dependency on the base image, and instead install the needed packages in the Dockerfiles for debug and CNI. Also removed some obsolete info from BUILD.md Signed-off-by: Ali Ariff --- cni-plugin/Dockerfile | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 6d0e9043..a2d76b2d 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -14,9 +14,17 @@ COPY controller controller COPY cni-plugin cni-plugin RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM gcr.io/linkerd-io/base:2020-06-08.01 +FROM debian:buster-20200514-slim WORKDIR /linkerd -RUN curl -kL -o $(which jq) https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 +RUN apt-get update && apt-get install -y --no-install-recommends \ + iptables \ + jq && \ + rm -rf /var/lib/apt/lists/* + +# We still rely on old iptables-legacy syntax. +RUN update-alternatives --set iptables /usr/sbin/iptables-legacy \ + && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy + COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/ COPY LICENSE . COPY cni-plugin/deployment/scripts/install-cni.sh . From 7154b7ef6bb39003dcc07da5c0bfd4753499e9a4 Mon Sep 17 00:00:00 2001 
From: Ali Ariff Date: Wed, 5 Aug 2020 20:14:01 +0200 Subject: [PATCH 080/112] Build ARM docker images (#4794) Build ARM docker images in the release workflow. # Changes: - Add a new env key `DOCKER_MULTIARCH` and `DOCKER_PUSH`. When set, it will build multi-arch images and push them to the registry. See https://github.com/docker/buildx/issues/59 for why it must be pushed to the registry. - Usage of `crazy-max/ghaction-docker-buildx ` is necessary as it already configured with the ability to perform cross-compilation (using QEMU) so we can just use it, instead of manually set up it. - Usage of `buildx` now make default global arguments. (See: https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope) # Follow-up: - Releasing the CLI binary file in ARM architecture. The docker images resulting from these changes already build in the ARM arch. Still, we need to make another adjustment like how to retrieve those binaries and to name it correctly as part of Github Release artifacts. Signed-off-by: Ali Ariff --- cni-plugin/Dockerfile | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index a2d76b2d..f7922bb8 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,10 +1,13 @@ +ARG BUILDPLATFORM=linux/amd64 + # Precompile key slow-to-build dependencies -FROM golang:1.14.2-alpine as go-deps +FROM --platform=$BUILDPLATFORM golang:1.14.2-alpine as go-deps WORKDIR /linkerd-build COPY go.mod go.sum ./ COPY bin/install-deps bin/ RUN go mod download -RUN ./bin/install-deps +ARG TARGETARCH +RUN ./bin/install-deps $TARGETARCH ## compile cni-plugin utility FROM go-deps as golang 
@@ -12,7 +15,8 @@ WORKDIR /linkerd-build COPY pkg pkg COPY controller controller COPY cni-plugin cni-plugin -RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ +ARG TARGETARCH +RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ FROM debian:buster-20200514-slim WORKDIR /linkerd From 11180698ba9433604fa01db30ab8c53e7815fea2 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Thu, 10 Sep 2020 15:16:24 -0500 Subject: [PATCH 081/112] Push docker images to ghcr.io instead of gcr.io (#4953) * Push docker images to ghcr.io instead of gcr.io The `cloud_integration.yml` and `release.yml` workflows were modified to log into ghcr.io, and remove the `Configure gcloud` step which is no longer necessary. Note that besides the changes to cloud_integration.yml and release.yml, there was a change to the upgrade-stable integration test so that we do linkerd upgrade --addon-overwrite to reset the addons settings because in stable-2.8.1 the Grafana image was pegged to gcr.io/linkerd-io/grafana in linkerd-config-addons. This will need to be mentioned in the 2.9 upgrade notes. Also the egress integration test has a debug container that now is pegged to the edge-20.9.2 tag. Besides that, the other changes are just a global search and replace (s/gcr.io\/linkerd-io/ghcr.io\/linkerd/). --- cni-plugin/test/install-cni_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index 4030ac6b..f2bcf560 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go 
@@ -132,7 +132,7 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s gitShaHead, _ := exec.Command("git", "rev-parse", "--short=8", "HEAD").Output() user, _ := user.Current() tag := "dev-" + strings.Trim(string(gitShaHead), "\n") + "-" + user.Username - dockerImage := env("HUB", "gcr.io/linkerd-io") + "/cni-plugin:" + env("TAG", tag) + dockerImage := env("HUB", "ghcr.io/linkerd") + "/cni-plugin:" + env("TAG", tag) errFileName := testWorkRootDir + "/docker_run_stderr" // Build arguments list by picking whatever is necessary from the environment. From 37c11c42e1b72e879cacbad40a5626d34247414b Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Wed, 23 Sep 2020 13:00:22 +0530 Subject: [PATCH 082/112] CNI: Use skip ports configuration in CNI (#4974) * CNI: Use skip ports configuration in CNI This PR updates the install and `cmdAdd` workflow (which is called for each new Pod creation) to retrieve and set the configured Skip Ports. This also updates the `cmdAdd` workflow to check if the new pod is a control plane Pod, and adds `443` to OutBoundSkipPort so that 443 (used with k8s API) is skipped as it was causing errors because a resolve lookup was happening for them which is not intended. --- cni-plugin/main.go | 50 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index 600003d9..643d8578 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -32,6 +32,7 @@ import ( "github.com/linkerd/linkerd2-proxy-init/iptables" "github.com/linkerd/linkerd2/pkg/k8s" "github.com/sirupsen/logrus" + v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
@@ -199,6 +200,36 @@ func cmdAdd(args *skel.CmdArgs) error { NetNs: args.Netns, UseWaitFlag: conf.ProxyInit.UseWaitFlag, } + + // Check if there are any overridden ports to be skipped + outboundSkipOverride, err := getAnnotationOverride(client, pod, k8s.ProxyIgnoreOutboundPortsAnnotation) + if err != nil { + logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %v", err) + return err + } + + if outboundSkipOverride != "" { + logEntry.Debugf("linkerd-cni: overriding OutboundPortsToIgnore to %s", outboundSkipOverride) + options.OutboundPortsToIgnore = strings.Split(outboundSkipOverride, ",") + } + + inboundSkipOverride, err := getAnnotationOverride(client, pod, k8s.ProxyIgnoreInboundPortsAnnotation) + if err != nil { + logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %v", err) + return err + } + + if inboundSkipOverride != "" { + logEntry.Debugf("linkerd-cni: overriding InboundPortsToIgnore to %s", inboundSkipOverride) + options.InboundPortsToIgnore = strings.Split(inboundSkipOverride, ",") + } + + if pod.GetLabels()[k8s.ControllerComponentLabel] != "" { + // Skip 443 outbound port if its a control plane component + logEntry.Debug("linkerd-cni: adding 443 to OutboundPortsToIgnore as its a control plane component") + options.OutboundPortsToIgnore = append(options.OutboundPortsToIgnore, "443") + } + firewallConfiguration, err := cmd.BuildFirewallConfiguration(&options) if err != nil { logEntry.Errorf("linkerd-cni: could not create a Firewall Configuration from the options: %v", options) 
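Review bot: The override values assigned in cmdAdd come from pod or namespace annotations and are split with `strings.Split(..., ",")` without trimming or validation before they become `OutboundPortsToIgnore` and `InboundPortsToIgnore`. Whoever authors the pod spec controls these strings, and a value written as `"80, 443"` already yields an entry with a leading space; whether `cmd.BuildFirewallConfiguration` rejects malformed entries is not visible in this hunk. I would trim each entry with `strings.TrimSpace` and state the contract at the first assignment: `// annotation values are untrusted; BuildFirewallConfiguration must reject anything that is not a port or port range`. The control-plane branch has the same trust question, since it keys off `k8s.ControllerComponentLabel` being non-empty and that label is also set by the pod author. cmdAdd starts and ends outside the hunk.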
@@ -231,3 +262,22 @@ func cmdDel(args *skel.CmdArgs) error { logrus.Debug("linkerd-cni: cmdDel not implemented") return nil } + +func getAnnotationOverride(api *k8s.KubernetesAPI, pod *v1.Pod, key string) (string, error) { + // Check if the annotation is present on the pod + if override := pod.GetObjectMeta().GetAnnotations()[key]; override != "" { + return override, nil + } + + // Check if the annotation is present on the namespace + ns, err := api.CoreV1().Namespaces().Get(pod.GetObjectMeta().GetNamespace(), metav1.GetOptions{}) + if err != nil { + return "", err + } + + if override := ns.GetObjectMeta().GetAnnotations()[key]; override != "" { + return override, nil + } + + return "", nil +} From ffff5c398eda7c4d43aac27064f7796b34165e25 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 28 Sep 2020 23:15:18 +0530 Subject: [PATCH 083/112] Bump k8s client-go to v0.19.2 (#5002) Fixes #4191 #4993 This bumps Kubernetes client-go to the latest v0.19.2 (We had to switch directly to 1.19 because of this issue). Bumping to v0.19.2 required upgrading to smi-sdk-go v0.4.1. This also depends on linkerd/stern#5 This consists of the following changes: - Fix ./bin/update-codegen.sh by adding the template path to the gen commands, as it is needed after we moved to GOMOD. - Bump all k8s related dependencies to v0.19.2 - Generate CRD types, client code using the latest k8s.io/code-generator - Use context.Context as the first argument, in all code paths that touch the k8s client-go interface Signed-off-by: Tarun Pothulapati --- cni-plugin/main.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index 643d8578..c4ee6c59 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -19,6 +19,7 @@ package main import ( + "context" "encoding/json" "fmt" "os" 
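Review bot: getAnnotationOverride (the `@@ -231,3 +262,22 @@` hunk of cni-plugin/main.go) has no doc comment, although its precedence rules decide which ports bypass the proxy. The pod annotation wins, the namespace annotation is the fallback, and an empty value is treated as unset, so a pod cannot clear a namespace-level skip list by setting an empty annotation. I would say so above the function: `// getAnnotationOverride returns the value of key from the pod's annotations, falling back to the pod's namespace; an empty value counts as unset.` cmdAdd calls it once per direction, so a pod without either annotation costs two GETs of the same namespace and a failed GET aborts the ADD; fetching the namespace once in cmdAdd would halve that.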
@@ -161,12 +162,13 @@ func cmdAdd(args *skel.CmdArgs) error { }) if namespace != "" && podName != "" { + ctx := context.Background() client, err := k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", "", []string{}, 0) if err != nil { return err } - pod, err := client.CoreV1().Pods(namespace).Get(podName, metav1.GetOptions{}) + pod, err := client.CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{}) if err != nil { return err } @@ -202,7 +204,7 @@ func cmdAdd(args *skel.CmdArgs) error { } // Check if there are any overridden ports to be skipped - outboundSkipOverride, err := getAnnotationOverride(client, pod, k8s.ProxyIgnoreOutboundPortsAnnotation) + outboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyIgnoreOutboundPortsAnnotation) if err != nil { logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %v", err) return err @@ -213,7 +215,7 @@ func cmdAdd(args *skel.CmdArgs) error { options.OutboundPortsToIgnore = strings.Split(outboundSkipOverride, ",") } - inboundSkipOverride, err := getAnnotationOverride(client, pod, k8s.ProxyIgnoreInboundPortsAnnotation) + inboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyIgnoreInboundPortsAnnotation) if err != nil { logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %v", err) return err 
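Review bot: `ctx := context.Background()` in cmdAdd gives the pod lookup and the two getAnnotationOverride calls no deadline, so a slow or unreachable API server can hold the CNI ADD open for as long as the container runtime is willing to wait. The final `0` passed to `k8s.NewAPI` looks like a client timeout left at zero, though its meaning is not visible in this hunk. A bounded context would be `ctx, cancel := context.WithTimeout(context.Background(), lookupTimeout)` followed by `defer cancel()`, where `lookupTimeout` is a placeholder for a constant the project chooses. cmdAdd starts and ends outside these hunks.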
@@ -263,14 +265,14 @@ func cmdDel(args *skel.CmdArgs) error { return nil } -func getAnnotationOverride(api *k8s.KubernetesAPI, pod *v1.Pod, key string) (string, error) { +func getAnnotationOverride(ctx context.Context, api *k8s.KubernetesAPI, pod *v1.Pod, key string) (string, error) { // Check if the annotation is present on the pod if override := pod.GetObjectMeta().GetAnnotations()[key]; override != "" { return override, nil } // Check if the annotation is present on the namespace - ns, err := api.CoreV1().Namespaces().Get(pod.GetObjectMeta().GetNamespace(), metav1.GetOptions{}) + ns, err := api.CoreV1().Namespaces().Get(ctx, pod.GetObjectMeta().GetNamespace(), metav1.GetOptions{}) if err != nil { return "", err } From 55fce6ad1f9d4f5dbc99ba1b941673fa2cc5d5a5 Mon Sep 17 00:00:00 2001 From: Agnivesh Adhikari Date: Wed, 18 Nov 2020 21:21:15 +0530 Subject: [PATCH 084/112] Updated debian image tags (#5249) Signed-off-by: Agnivesh Adhikari --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index f7922bb8..89dbe02e 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -18,7 +18,7 @@ COPY cni-plugin cni-plugin ARG TARGETARCH RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM debian:buster-20200514-slim +FROM debian:buster-20201117-slim WORKDIR /linkerd RUN apt-get update && apt-get install -y --no-install-recommends \ iptables \ From 92e3604e049b265de01a3be1d072c4e13796cf8f Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Tue, 16 Feb 2021 08:39:53 -0800 Subject: [PATCH 085/112] Update debian base images to buster-20210208-slim (#5750) Before the upcoming stable release, we should update our base images to use the most recent Debian images to pick up any security fixes that may have been addressed. This change updates all o four debian images to use the `buster-20210208-slim` tag. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 89dbe02e..408b2a61 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -18,7 +18,7 @@ COPY cni-plugin cni-plugin ARG TARGETARCH RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM debian:buster-20201117-slim +FROM debian:buster-20210208-slim WORKDIR /linkerd RUN apt-get update && apt-get install -y --no-install-recommends \ iptables \ From de8b988ea761e8ceba254606770bf68f0b050956 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Tue, 16 Feb 2021 08:40:06 -0800 Subject: [PATCH 086/112] Update Go to 1.14.15 (#5751) The Go-1.14 release branch includes a number of important updates. This change updates our containers' base image to the latest release, 1.14.15 See linkerd/linkerd2-proxy-init#32 Fixes #5655 --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 408b2a61..19e18e62 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 # Precompile key slow-to-build dependencies -FROM --platform=$BUILDPLATFORM golang:1.14.2-alpine as go-deps +FROM --platform=$BUILDPLATFORM golang:1.14.15-alpine as go-deps WORKDIR /linkerd-build COPY go.mod go.sum ./ COPY bin/install-deps bin/ From e95e896022e58b7cd276e1df82b0f40bba934b67 Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Wed, 17 Feb 2021 14:31:54 -0800 Subject: [PATCH 087/112] docker: Access container images via cr.l5d.io (#5756) We've created a custom domain, `cr.l5d.io`, that redirects to `ghcr.io` (using `scarf.sh`). This custom domain allows us to swap the underlying container registry without impacting users. It also provides us with important metrics about container usage, without collecting PII like IP addresses. This change updates our Helm charts and CLIs to reference this custom domain. The integration test workflow now refers to the new domain, while the release workflow continues to use the `ghcr.io/linkerd` registry for the purpose of publishing images. --- cni-plugin/test/install-cni_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index f2bcf560..08d0edd1 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -132,7 +132,7 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s gitShaHead, _ := exec.Command("git", "rev-parse", "--short=8", "HEAD").Output() user, _ := user.Current() tag := "dev-" + strings.Trim(string(gitShaHead), "\n") + "-" + user.Username - dockerImage := env("HUB", "ghcr.io/linkerd") + "/cni-plugin:" + env("TAG", tag) + dockerImage := env("HUB", "cr.l5d.io/linkerd") + "/cni-plugin:" + env("TAG", tag) errFileName := testWorkRootDir + "/docker_run_stderr" // Build arguments list by picking whatever is necessary from the environment. From cd8f6170be54e6f5bd783383d84b06332aef2f93 Mon Sep 17 00:00:00 2001 From: "(Frank) Yu Cheng Gu" Date: Wed, 24 Feb 2021 15:23:03 -0500 Subject: [PATCH 088/112] cni: add ConfigureFirewall error propagation (#5811) This change adds error propagation for the CNI's ADD command so that any failures in the `ConfigureFirewall` function to configure the Pod's iptables can be bubbled up to be logged and handled. Fixes #5809 
Signed-off-by: Frank Gu --- cni-plugin/main.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index c4ee6c59..6741abaa 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -237,7 +237,12 @@ func cmdAdd(args *skel.CmdArgs) error { logEntry.Errorf("linkerd-cni: could not create a Firewall Configuration from the options: %v", options) return err } - iptables.ConfigureFirewall(*firewallConfiguration) + + err = iptables.ConfigureFirewall(*firewallConfiguration) + if err != nil { + logEntry.Errorf("linkerd-cni: could not configure firewall: %v", err) + return err + } } else { if containsInitContainer { logEntry.Debug("linkerd-cni: linkerd-init initContainer is present, skipping.") From 69b749814cff110a79fcc967ce904e38ddb3b785 Mon Sep 17 00:00:00 2001 From: Dennis Adjei-Baah Date: Mon, 15 Mar 2021 11:20:16 -0500 Subject: [PATCH 089/112] update go.mod and docker images to go 1.16.2 (#5890) * update go.mod and docker images to go 1.16.1 Signed-off-by: Dennis Adjei-Baah * update test error messages for ParseDuration * update go version to 1.16.2 --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 19e18e62..7e974d31 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 # Precompile key slow-to-build dependencies -FROM --platform=$BUILDPLATFORM golang:1.14.15-alpine as go-deps +FROM --platform=$BUILDPLATFORM golang:1.16.2-alpine as go-deps WORKDIR /linkerd-build COPY go.mod go.sum ./ COPY bin/install-deps bin/ From 5070d4ad68a03d70777b651cb6ff813aa91335b4 Mon Sep 17 00:00:00 2001 
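Review bot: The BuildFirewallConfiguration failure branch shown as context just above the new ConfigureFirewall check logs `options` but never `err`, so the reason the configuration was rejected is missing from the plugin log. Since this commit is about surfacing firewall errors, I would log both there: `logEntry.Errorf("linkerd-cni: could not create a Firewall Configuration from the options %v: %v", options, err)`. The new branch could also scope its error with `if err := iptables.ConfigureFirewall(*firewallConfiguration); err != nil {`. cmdAdd starts and ends outside the hunk.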
From: Shubhendra Singh Chauhan Date: Tue, 16 Mar 2021 03:05:40 +0530 Subject: [PATCH 090/112] fix: issues affecting code quality (#5827) Fix various lint issues: - Remove unnecessary calls to fmt.Sprint - Fix check for empty string - Fix unnecessary calls to Printf - Combine multiple `append`s into a single call Signed-off-by: shubhendra --- cni-plugin/test/install-cni_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index 08d0edd1..c4c06061 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -148,8 +148,7 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s if _, ok := os.LookupEnv(cniConfName); ok { args = append(args, "-e", cniConfName) } - args = append(args, dockerImage) - args = append(args, "install-cni.sh") + args = append(args, dockerImage, "install-cni.sh") // Create a temporary log file to write docker command error log. errFile, err := os.Create(errFileName) From ef4587ca0482c5921473db16d072106c9f4787e3 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Mon, 24 May 2021 11:57:46 -0700 Subject: [PATCH 091/112] Update Go to 1.16.4 (#6170) Go 1.16.4 includes a fix for a denial-of-service in net/http: golang/go#45710 Go's error file-line formatting changed in 1.16.3, so this change updates tests to only do suffix matching on these error strings. --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 7e974d31..b8455e63 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 # Precompile key slow-to-build dependencies -FROM --platform=$BUILDPLATFORM golang:1.16.2-alpine as go-deps +FROM --platform=$BUILDPLATFORM golang:1.16.4-alpine as go-deps WORKDIR /linkerd-build COPY go.mod go.sum ./ COPY bin/install-deps bin/ 
From 791c37adbb287bd64c5f18917f58bb8a186d4da5 Mon Sep 17 00:00:00 2001 From: Gerald Pape Date: Wed, 21 Jul 2021 21:45:58 +0200 Subject: [PATCH 092/112] Enable readOnlyFileSystem for cni plugin chart (#6469) Increase container security by making the root file system of the cni install plugin read-only. Change the temporary directory used in the cni install script, add a writable EmptyDir volume and enable readOnlyFileSystem securityContext in cni plugin helm chart. Tested this by building the container image of the cni plugin and installed the chart onto a cluster. Logs looked the same as before this change. Fixes #6468 Signed-off-by: Gerald Pape --- cni-plugin/deployment/scripts/install-cni.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index f59c6ebf..d89f9fd6 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh @@ -100,7 +100,7 @@ done echo "Wrote linkerd CNI binaries to ${dir}" -TMP_CONF='/linkerd/linkerd-cni.conf.default' +TMP_CONF='/tmp/linkerd-cni.conf.default' # If specified, overwrite the network configuration file. : "${CNI_NETWORK_CONFIG_FILE:=}" : "${CNI_NETWORK_CONFIG:=}" From d3b9e1ac383ab1cb1f975b1cc62e281457814683 Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Fri, 12 Nov 2021 09:10:03 -0500 Subject: [PATCH 093/112] Upgrade CNI to v0.8.1 (#7270) Addresses #7247 and unblocks #7094 Bumped the cni lib version in `go.mod`, which required implementing the new CHECK command through `cmdCHeck`, which for now is no-op. --- cni-plugin/main.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index 6741abaa..e9943bf7 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go 
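Review bot: `TMP_CONF='/tmp/linkerd-cni.conf.default'` in install-cni.sh is a fixed, predictable name in a directory that is normally world-writable, and the rest of the script (outside this hunk) presumably writes the rendered CNI network configuration to it. The read-only root filesystem and dedicated emptyDir described in the commit message contain this, but the script does not enforce that mount itself, so a run where /tmp is shared would write through whatever file or symlink already exists at that path. Creating the file with mktemp removes the dependency on how the container is mounted: `TMP_CONF="$(mktemp /tmp/linkerd-cni.conf.XXXXXX)"`.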
@@ -78,7 +78,7 @@ type PluginConf struct { } func main() { - skel.PluginMain(cmdAdd, cmdDel, version.All) + skel.PluginMain(cmdAdd, cmdCheck, cmdDel, version.All, "") } func configureLogging(logLevel string) { @@ -264,6 +264,11 @@ func cmdAdd(args *skel.CmdArgs) error { return nil } +func cmdCheck(args *skel.CmdArgs) error { + logrus.Debug("linkerd-cni: cmdCheck not implemented") + return nil +} + // cmdDel is called for DELETE requests func cmdDel(args *skel.CmdArgs) error { logrus.Debug("linkerd-cni: cmdDel not implemented") From 24d5798d957e75f4686177c693803bf3542e77b4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Nov 2021 09:19:43 -0500 Subject: [PATCH 094/112] build(deps): bump github.com/containernetworking/cni from 0.8.1 to 1.0.1 (#7346) * build(deps): bump github.com/containernetworking/cni from 0.8.1 to 1.0.1 Bumps [github.com/containernetworking/cni](https://github.com/containernetworking/cni) from 0.8.1 to 1.0.1. - [Release notes](https://github.com/containernetworking/cni/releases) - [Commits](https://github.com/containernetworking/cni/compare/v0.8.1...v1.0.1) --- updated-dependencies: - dependency-name: github.com/containernetworking/cni dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: Alejandro Pedraza --- cni-plugin/main.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index e9943bf7..bcc23c35 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -27,7 +27,7 @@ import ( "github.com/containernetworking/cni/pkg/skel" "github.com/containernetworking/cni/pkg/types" - "github.com/containernetworking/cni/pkg/types/current" + cniv1 "github.com/containernetworking/cni/pkg/types/100" "github.com/containernetworking/cni/pkg/version" "github.com/linkerd/linkerd2-proxy-init/cmd" "github.com/linkerd/linkerd2-proxy-init/iptables" 
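Review bot: cmdCheck returns nil unconditionally, so a CNI CHECK reports the container's network as healthy without checking whether the rules written by cmdAdd are still present. That is reasonable as a first step for the library upgrade, but the function has no doc comment (cmdDel next to it has one) and the limitation should be stated where maintainers will read it: `// cmdCheck is called for CHECK requests; it is a no-op and does not verify that the pod's iptables rules are in place.`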
@@ -70,7 +70,7 @@ type PluginConf struct { // This is the previous result, when called in the context of a chained // plugin. We will just pass any prevResult through. RawPrevResult *map[string]interface{} `json:"prevResult"` - PrevResult *current.Result `json:"-"` + PrevResult *cniv1.Result `json:"-"` LogLevel string `json:"log_level"` ProxyInit ProxyInit `json:"linkerd"` @@ -115,9 +115,9 @@ func parseConfig(stdin []byte) (*PluginConf, error) { return nil, fmt.Errorf("linkerd-cni: could not parse prevResult: %v", err) } conf.RawPrevResult = nil - conf.PrevResult, err = current.NewResultFromResult(res) + conf.PrevResult, err = cniv1.NewResultFromResult(res) if err != nil { - return nil, fmt.Errorf("linkerd-cni: could not convert result to current version: %v", err) + return nil, fmt.Errorf("linkerd-cni: could not convert result to version 1.0: %v", err) } logrus.Debugf("linkerd-cni: prevResult: %v", conf.PrevResult) } From 33d03508689adac9b319e99697c0e0b102b84854 Mon Sep 17 00:00:00 2001 From: Eng Zer Jun Date: Wed, 1 Dec 2021 04:36:11 +0800 Subject: [PATCH 095/112] build: upgrade to Go 1.17 (#7371) * build: upgrade to Go 1.17 This commit introduces three changes: 1. Update the `go` directive in `go.mod` to 1.17 2. Update all Dockerfiles from `golang:1.16.2` to `golang:1.17.3` 3. Update all CI to use Go 1.17 Signed-off-by: Eng Zer Jun * chore: run `go fmt ./...` This commit synchronizes `//go:build` lines with `// +build` lines. Reference: https://go.googlesource.com/proposal/+/master/design/draft-gobuild.md Signed-off-by: Eng Zer Jun --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index b8455e63..7508d27c 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile 
@@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 # Precompile key slow-to-build dependencies -FROM --platform=$BUILDPLATFORM golang:1.16.4-alpine as go-deps +FROM --platform=$BUILDPLATFORM golang:1.17.3-alpine as go-deps WORKDIR /linkerd-build COPY go.mod go.sum ./ COPY bin/install-deps bin/ From 8da296760b487a5b47338978b97a463f3c36ddc5 Mon Sep 17 00:00:00 2001 From: Joakim Roubert Date: Wed, 12 Jan 2022 19:26:27 +0100 Subject: [PATCH 096/112] bin/shellcheck-all: Add filename/shebang check (#7541) We only run shellcheck for files that contain a #!/usr/bin/env shebang with either bash or sh. If a new shellscript file is added that has the .sh extension but either lacks shebang or has something other than that, shellcheck will not be run for that file. Then there is a risk that by mistake such a file slips into the repo under the radar. This patch adds a check for all .sh files to make sure they have a corresponding shebang in order for them to be passed to shellcheck. Change-Id: I24235e672dd82c7c73df6fe6c8beda2a579bd187 Signed-off-by: Joakim Roubert --- cni-plugin/test/data/env_vars.sh | 43 ++++++++++++++++---------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/cni-plugin/test/data/env_vars.sh b/cni-plugin/test/data/env_vars.sh index e86afd5a..ac71f6ce 100644 --- a/cni-plugin/test/data/env_vars.sh +++ b/cni-plugin/test/data/env_vars.sh 
@@ -1,21 +1,22 @@ -KUBE_DNS_SERVICE_PORT=53 -KUBE_DNS_PORT_53_TCP_PROTO=tcp -KUBE_DNS_PORT_53_UDP=udp://10.110.0.10:53 -KUBE_DNS_PORT_53_UDP_PROTO=udp -KUBERNETES_PORT_443_TCP_PROTO=tcp -KUBERNETES_PORT_443_TCP_ADDR=10.110.0.1 -KUBE_DNS_PORT_53_UDP_ADDR=10.110.0.10 -KUBERNETES_PORT=tcp://10.110.0.1:443 -KUBE_DNS_PORT_53_TCP_ADDR=10.110.0.10 -KUBE_DNS_PORT=udp://10.110.0.10:53 -KUBERNETES_SERVICE_PORT_HTTPS=443 -KUBERNETES_PORT_443_TCP_PORT=443 -KUBERNETES_PORT_443_TCP=tcp://10.110.0.1:443 -KUBE_DNS_PORT_53_TCP_PORT=53 -KUBE_DNS_PORT_53_TCP=tcp://10.110.0.10:53 -KUBERNETES_SERVICE_PORT=443 -KUBE_DNS_SERVICE_PORT_DNS=53 -KUBE_DNS_SERVICE_PORT_DNS_TCP=53 -KUBERNETES_SERVICE_HOST=10.110.0.1 -KUBE_DNS_PORT_53_UDP_PORT=53 -KUBE_DNS_SERVICE_HOST=10.110.0.10 \ No newline at end of file +#!/usr/bin/env sh +export KUBE_DNS_SERVICE_PORT=53 +export KUBE_DNS_PORT_53_TCP_PROTO=tcp +export KUBE_DNS_PORT_53_UDP=udp://10.110.0.10:53 +export KUBE_DNS_PORT_53_UDP_PROTO=udp +export KUBERNETES_PORT_443_TCP_PROTO=tcp +export KUBERNETES_PORT_443_TCP_ADDR=10.110.0.1 +export KUBE_DNS_PORT_53_UDP_ADDR=10.110.0.10 +export KUBERNETES_PORT=tcp://10.110.0.1:443 +export KUBE_DNS_PORT_53_TCP_ADDR=10.110.0.10 +export KUBE_DNS_PORT=udp://10.110.0.10:53 +export KUBERNETES_SERVICE_PORT_HTTPS=443 +export KUBERNETES_PORT_443_TCP_PORT=443 +export KUBERNETES_PORT_443_TCP=tcp://10.110.0.1:443 +export KUBE_DNS_PORT_53_TCP_PORT=53 +export KUBE_DNS_PORT_53_TCP=tcp://10.110.0.10:53 +export KUBERNETES_SERVICE_PORT=443 +export KUBE_DNS_SERVICE_PORT_DNS=53 +export KUBE_DNS_SERVICE_PORT_DNS_TCP=53 +export KUBERNETES_SERVICE_HOST=10.110.0.1 +export KUBE_DNS_PORT_53_UDP_PORT=53 +export KUBE_DNS_SERVICE_HOST=10.110.0.10 From 1b3090f651619a3d73a85993126e445ba47c11a6 Mon Sep 17 00:00:00 2001 
From: Alejandro Pedraza Date: Fri, 21 Jan 2022 14:31:32 -0500 Subject: [PATCH 097/112] Fix CNI integration test (#7660) Reverts the change made to `env_vars.sh` in #7541 That file is consumed by `docker run --env-file` which requires the old format, as documented [here](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file). Also renamed it to `env_vars.list` to have it not mistaken to be a shell target. This broke the `ARM64 integration test` as seen here: https://github.com/linkerd/linkerd2/runs/4887813913?check_suite_focus=true#step:7:34 --- cni-plugin/test/data/env_vars.list | 21 +++++++++++++++++++++ cni-plugin/test/data/env_vars.sh | 22 ---------------------- cni-plugin/test/install-cni_test.go | 2 +- 3 files changed, 22 insertions(+), 23 deletions(-) create mode 100644 cni-plugin/test/data/env_vars.list delete mode 100644 cni-plugin/test/data/env_vars.sh diff --git a/cni-plugin/test/data/env_vars.list b/cni-plugin/test/data/env_vars.list new file mode 100644 index 00000000..8578bc7a --- /dev/null +++ b/cni-plugin/test/data/env_vars.list @@ -0,0 +1,21 @@ +KUBE_DNS_SERVICE_PORT=53 +KUBE_DNS_PORT_53_TCP_PROTO=tcp +KUBE_DNS_PORT_53_UDP=udp://10.110.0.10:53 +KUBE_DNS_PORT_53_UDP_PROTO=udp +KUBERNETES_PORT_443_TCP_PROTO=tcp +KUBERNETES_PORT_443_TCP_ADDR=10.110.0.1 +KUBE_DNS_PORT_53_UDP_ADDR=10.110.0.10 +KUBERNETES_PORT=tcp://10.110.0.1:443 +KUBE_DNS_PORT_53_TCP_ADDR=10.110.0.10 +KUBE_DNS_PORT=udp://10.110.0.10:53 +KUBERNETES_SERVICE_PORT_HTTPS=443 +KUBERNETES_PORT_443_TCP_PORT=443 +KUBERNETES_PORT_443_TCP=tcp://10.110.0.1:443 +KUBE_DNS_PORT_53_TCP_PORT=53 +KUBE_DNS_PORT_53_TCP=tcp://10.110.0.10:53 +KUBERNETES_SERVICE_PORT=443 +KUBE_DNS_SERVICE_PORT_DNS=53 +KUBE_DNS_SERVICE_PORT_DNS_TCP=53 +KUBERNETES_SERVICE_HOST=10.110.0.1 +KUBE_DNS_PORT_53_UDP_PORT=53 +KUBE_DNS_SERVICE_HOST=10.110.0.10 
diff --git a/cni-plugin/test/data/env_vars.sh b/cni-plugin/test/data/env_vars.sh deleted file mode 100644 index ac71f6ce..00000000 --- a/cni-plugin/test/data/env_vars.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env sh -export KUBE_DNS_SERVICE_PORT=53 -export KUBE_DNS_PORT_53_TCP_PROTO=tcp -export KUBE_DNS_PORT_53_UDP=udp://10.110.0.10:53 -export KUBE_DNS_PORT_53_UDP_PROTO=udp -export KUBERNETES_PORT_443_TCP_PROTO=tcp -export KUBERNETES_PORT_443_TCP_ADDR=10.110.0.1 -export KUBE_DNS_PORT_53_UDP_ADDR=10.110.0.10 -export KUBERNETES_PORT=tcp://10.110.0.1:443 -export KUBE_DNS_PORT_53_TCP_ADDR=10.110.0.10 -export KUBE_DNS_PORT=udp://10.110.0.10:53 -export KUBERNETES_SERVICE_PORT_HTTPS=443 -export KUBERNETES_PORT_443_TCP_PORT=443 -export KUBERNETES_PORT_443_TCP=tcp://10.110.0.1:443 -export KUBE_DNS_PORT_53_TCP_PORT=53 -export KUBE_DNS_PORT_53_TCP=tcp://10.110.0.10:53 -export KUBERNETES_SERVICE_PORT=443 -export KUBE_DNS_SERVICE_PORT_DNS=53 -export KUBE_DNS_SERVICE_PORT_DNS_TCP=53 -export KUBERNETES_SERVICE_HOST=10.110.0.1 -export KUBE_DNS_PORT_53_UDP_PORT=53 -export KUBE_DNS_SERVICE_HOST=10.110.0.10 diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index c4c06061..94fb6826 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -141,7 +141,7 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s "-v", tempCNINetDir + ":" + hostCniNetDir, "-v", tempCNIBinDir + ":/host/opt/cni/bin", "-v", tempK8sSvcAcctDir + ":/var/run/secrets/kubernetes.io/serviceaccount", - "--env-file", wd + "/data/env_vars.sh", + "--env-file", wd + "/data/env_vars.list", "-e", cniNetworkConfigName, "-e", "SLEEP=true", } From e0f6604549b19c6cb76e3d4270ac94aca8509881 Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Wed, 16 Feb 2022 17:32:19 -0800 Subject: [PATCH 098/112] go: Enable `errorlint` checking (#7885) Since Go 1.13, errors may "wrap" other errors. [`errorlint`][el] checks that error formatting and inspection is wrapping-aware. This change enables `errorlint` in golangci-lint and updates all error handling code to pass the lint. Some comparisons in tests have been left unchanged (using `//nolint:errorlint` comments). [el]: https://github.com/polyfloyd/go-errorlint Signed-off-by: Oliver Gould --- cni-plugin/main.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index bcc23c35..bc8bcfb6 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -101,23 +101,23 @@ func parseConfig(stdin []byte) (*PluginConf, error) { logrus.Debugf("linkerd-cni: stdin to plugin: %v", string(stdin)) if err := json.Unmarshal(stdin, &conf); err != nil { - return nil, fmt.Errorf("linkerd-cni: failed to parse network configuration: %v", err) + return nil, fmt.Errorf("linkerd-cni: failed to parse network configuration: %w", err) } if conf.RawPrevResult != nil { resultBytes, err := json.Marshal(conf.RawPrevResult) if err != nil { - return nil, fmt.Errorf("linkerd-cni: could not serialize prevResult: %v", err) + return nil, fmt.Errorf("linkerd-cni: could not serialize prevResult: %w", err) } res, err := version.NewResult(conf.CNIVersion, resultBytes) if err != nil { - return nil, fmt.Errorf("linkerd-cni: could not parse prevResult: %v", err) + return nil, fmt.Errorf("linkerd-cni: could not parse prevResult: %w", err) } conf.RawPrevResult = nil conf.PrevResult, err = cniv1.NewResultFromResult(res) if err != nil { - return nil, fmt.Errorf("linkerd-cni: could not convert result to version 1.0: %v", err) + return nil, fmt.Errorf("linkerd-cni: could not convert result to version 1.0: %w", err) } logrus.Debugf("linkerd-cni: prevResult: %v", conf.PrevResult) } 
@@ -206,7 +206,7 @@ func cmdAdd(args *skel.CmdArgs) error { // Check if there are any overridden ports to be skipped outboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyIgnoreOutboundPortsAnnotation) if err != nil { - logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %v", err) + logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %s", err) return err } @@ -217,7 +217,7 @@ func cmdAdd(args *skel.CmdArgs) error { inboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyIgnoreInboundPortsAnnotation) if err != nil { - logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %v", err) + logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %s", err) return err } @@ -240,7 +240,7 @@ func cmdAdd(args *skel.CmdArgs) error { err = iptables.ConfigureFirewall(*firewallConfiguration) if err != nil { - logEntry.Errorf("linkerd-cni: could not configure firewall: %v", err) + logEntry.Errorf("linkerd-cni: could not configure firewall: %s", err) return err } } else { From 10993a40a1522da48a00a30d188871cc0f881538 Mon Sep 17 00:00:00 2001 
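Review bot: The three error paths in cmdAdd touched here (the two `getAnnotationOverride` failures and the `iptables.ConfigureFirewall` failure) still log the error and then `return err` unwrapped, so the caller gets it without the context that parseConfig now attaches with `%w`. Since this commit is about wrapping-aware error handling, the same convention would fit here: `return fmt.Errorf("linkerd-cni: could not configure firewall: %w", err)` in place of the log-then-return pair, and likewise for the annotation lookups. Both annotation failures also share one message, so the outbound and inbound lookups cannot be told apart in the logs; naming the annotation in each message would help. cmdAdd starts and ends outside these hunks.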
From: Kevin Leimkuhler Date: Thu, 3 Mar 2022 10:09:51 -0700 Subject: [PATCH 099/112] Add `gosec` and `errcheck` lints (#7954) Closes #7826 This adds the `gosec` and `errcheck` lints to the `golangci` configuration. Most significant lints have been fixed by individual changes, but this enables them by default so that all future changes are caught ahead of time. A significant number of these lints have been excluded by the various `exclude-rules` rules added to `.golangci.yml`. These include operations on files that generally do not fail such as `Copy`, `Flush`, or `Write`. We also choose to ignore most errors when cleaning up functions via the `defer` keyword. Aside from those, there are several other rules added that all have comments explaining why it's okay to ignore the errors that they cover. Finally, several smaller fixes in the code have been made where it seems necessary to catch errors or at least log them. Signed-off-by: Kevin Leimkuhler --- cni-plugin/test/install-cni_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index 94fb6826..fe4ec00c 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -95,7 +95,7 @@ func cp(src, dest string, t *testing.T) { testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to read file %v", src), "failed to read file %v: %v", src, err) } - if err = ioutil.WriteFile(dest, data, 0644); err != nil { + if err = ioutil.WriteFile(dest, data, 0600); err != nil { testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to write file %v", dest), "failed to write file %v: %v", dest, err) } From cba6d52e873ccab8b50fc81fcc411340bf276fa1 Mon Sep 17 00:00:00 2001
From: Oliver Gould Date: Tue, 19 Apr 2022 14:25:30 -0700 Subject: [PATCH 100/112] Update debian to bullseye (#8287) Several container images use `debian:buster-20210208-slim`. `bullseye` is now the default version (i.e., referenced by the `latest` tag). This change updates container images that use debian to reference `bullseye` instead of `buster`. The date tags have been dropped so that we pick up the latest patch version on each Linkerd release. Signed-off-by: Oliver Gould --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 7508d27c..8bb048ef 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -18,7 +18,7 @@ COPY cni-plugin cni-plugin ARG TARGETARCH RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ -FROM debian:buster-20210208-slim +FROM debian:bullseye-slim WORKDIR /linkerd RUN apt-get update && apt-get install -y --no-install-recommends \ iptables \ From 9f2f05b6d8c89aba061e654dd58287faa8e25848 Mon Sep 17 00:00:00 2001 
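Review bot: `FROM debian:bullseye-slim` is a floating tag, so the runtime image for a given Linkerd commit is no longer reproducible, and each build trusts whatever the registry serves under that tag at that moment. Picking up patch releases and pinning are compatible: `FROM debian:bullseye-slim@sha256:<digest-placeholder>` with an automated job that bumps the digest keeps updates flowing while leaving an auditable record of which base went into each release. The packages installed by the `apt-get install` that follows are unpinned as well, so the digest would be the only anchor for the contents of this stage. The same applies to the builder-stage tags `golang:1.17-alpine` and `golang:1.18-alpine` introduced by the later Dockerfile hunks on this page.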
From: Matei David Date: Wed, 4 May 2022 12:03:59 +0100 Subject: [PATCH 101/112] Introduce file watch to CNI installer (#8299) Introduce fs watch for cni installer Our CNI installer script is prone to race conditions, especially when a node is rebooted, or restarted. Order of configuration should not matter and our CNI plugin should attach to other plugins (i.e chain to them) or run standalone when applicable. In order to be more flexible, we introduce a filesystem watcher through inotifywait to react to changes in the cni config directory. We react to changes based on SHAs. Linkerd's CNI plugin should append configuration when at least one other file exists, but if multiple files exist, the CNI plugin should not have to make a decision on whether thats the current file to append itself to. As a result, most of the logic in this commit revolves around the assumption that whatever file we detect has been created should be injected with Linkerd's config -- the rest is up to the host. In addition, we also introduce a sleep in the cni preStop hook, changed to using bash and introduce procps to get access to ps and pgrep. Closes #8070 Signed-off-by: Matei David Co-authored-by: Oliver Gould Co-authored-by: Alejandro Pedraza --- cni-plugin/Dockerfile | 2 + cni-plugin/deployment/scripts/install-cni.sh | 355 +++++++++++++------ 2 files changed, 249 insertions(+), 108 deletions(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 8bb048ef..4f01531c 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -22,6 +22,8 @@ FROM debian:bullseye-slim WORKDIR /linkerd RUN apt-get update && apt-get install -y --no-install-recommends \ iptables \ + inotify-tools \ + procps \ jq && \ rm -rf /var/lib/apt/lists/* diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index d89f9fd6..a3a06a4a 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh 
@@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash # Copyright (c) 2018 Tigera, Inc. All rights reserved. # Copyright 2018 Istio Authors # Modifications copyright (c) Linkerd authors 
@@ -51,98 +51,132 @@ CONTAINER_MOUNT_PREFIX=${CONTAINER_MOUNT_PREFIX:-/host} # overridden by setting CONTAINER_CNI_BIN_DIR. The binary in this directory # will be copied over to the host DEST_CNI_BIN_DIR through the mount point. CONTAINER_CNI_BIN_DIR=${CONTAINER_CNI_BIN_DIR:-/opt/cni/bin} - -# Default to the first file following a find | sort since the Kubernetes CNI runtime is going -# to look for the lexicographically first file. If the directory is empty, then use a name -# of our choosing. -CNI_CONF_PATH=${CNI_CONF_PATH:-$(find "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}" -maxdepth 1 -type f \( -iname '*conflist' -o -iname '*conf' \) | sort | head -n 1)} -CNI_CONF_PATH=${CNI_CONF_PATH:-"${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/01-linkerd-cni.conf"} - +# Directory path where CNI configuration should live on the host +HOST_CNI_NET="${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}" +# Default path for when linkerd runs as a standalone CNI plugin +DEFAULT_CNI_CONF_PATH="${HOST_CNI_NET}/01-linkerd-cni.conf" KUBECONFIG_FILE_NAME=${KUBECONFIG_FILE_NAME:-ZZZ-linkerd-cni-kubeconfig} +############################ +### Function definitions ### +############################ + +# Cleanup will remove any installed configuration from the host If there are any +# *conflist files, then linkerd-cni configuration parameters will be removed +# from them; otherwise, if linkerd-cni is the only plugin, the configuration +# file will be removed. cleanup() { + # First, kill 'inotifywait' so we don't process any DELETE/CREATE events + if [ -n "$(pgrep inotifywait)" ]; then + echo "Sending SIGKILL to inotifywait" + kill -s KILL "$(pgrep inotifywait)" + fi + echo 'Removing linkerd-cni artifacts.' - if [ -e "${CNI_CONF_PATH}" ]; then - echo "Removing linkerd-cni config: ${CNI_CONF_PATH}" - CNI_CONF_DATA=$(jq 'del( .plugins[]? 
| select( .type == "linkerd-cni" ))' "${CNI_CONF_PATH}") - echo "${CNI_CONF_DATA}" > "${CNI_CONF_PATH}" + # Find all conflist files and print them out using a NULL separator instead of + # writing each file in a new line. We will subsequently read each string and + # attempt to rm linkerd config from it using jq helper. + local cni_data="" + find "${HOST_CNI_NET}" -maxdepth 1 -type f \( -iname '*conflist' \) -print0 | + while read -r -d $'\0' file; do + echo "Removing linkerd-cni config from $file" + cni_data=$(jq 'del( .plugins[]? | select( .type == "linkerd-cni" ))' "$file") + # TODO (matei): we should write this out to a temp file and then do a `mv` + # to be atomic. + echo "$cni_data" > "$file" + done - if [ "${CNI_CONF_PATH}" = "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/01-linkerd-cni.conf" ]; then - rm -f "${CNI_CONF_PATH}" - fi + # Check whether configuration file has been created by our own cni plugin + # and if so, rm it. + if [ -e "${DEFAULT_CNI_CONF_PATH}" ]; then + echo "Cleaning up ${DEFAULT_CNI_CONF_PATH}" + rm -f "${DEFAULT_CNI_CONF_PATH}" fi - if [ -e "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" ]; then - echo "Removing linkerd-cni kubeconfig: ${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" - rm -f "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" + + # Remove binary and kubeconfig file + if [ -e "${HOST_CNI_NET}/${KUBECONFIG_FILE_NAME}" ]; then + echo "Removing linkerd-cni kubeconfig: ${HOST_CNI_NET}/${KUBECONFIG_FILE_NAME}" + rm -f "${HOST_CNI_NET}/${KUBECONFIG_FILE_NAME}" fi if [ -e "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}"/linkerd-cni ]; then echo "Removing linkerd-cni binary: ${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}/linkerd-cni" rm -f "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}/linkerd-cni" fi + echo 'Exiting.' 
+ exit 0 } # Capture the usual signals and exit from the script -trap cleanup EXIT trap 'echo "SIGINT received, simply exiting..."; cleanup' INT trap 'echo "SIGTERM received, simply exiting..."; cleanup' TERM trap 'echo "SIGHUP received, simply exiting..."; cleanup' HUP -# Place the new binaries if the mounted directory is writeable. -dir="${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}" -if [ ! -w "${dir}" ]; then - exit_with_error "${dir} is non-writeable, failure" -fi -for path in "${CONTAINER_CNI_BIN_DIR}"/*; do - cp "${path}" "${dir}"/ || exit_with_error "Failed to copy ${path} to ${dir}." -done +# Install CNI bin will copy the linkerd-cni binary on the host's filesystem +install_cni_bin() { + # Place the new binaries if the mounted directory is writeable. + dir="${CONTAINER_MOUNT_PREFIX}${DEST_CNI_BIN_DIR}" + if [ ! -w "${dir}" ]; then + exit_with_error "${dir} is non-writeable, failure" + fi + for path in "${CONTAINER_CNI_BIN_DIR}"/*; do + cp "${path}" "${dir}"/ || exit_with_error "Failed to copy ${path} to ${dir}." + done + + echo "Wrote linkerd CNI binaries to ${dir}" +} + +create_cni_conf() { + # Create temp configuration and kubeconfig files + # + TMP_CONF='/tmp/linkerd-cni.conf.default' + # If specified, overwrite the network configuration file. + CNI_NETWORK_CONFIG_FILE="${CNI_NETWORK_CONFIG_FILE:-}" + CNI_NETWORK_CONFIG="${CNI_NETWORK_CONFIG:-}" -echo "Wrote linkerd CNI binaries to ${dir}" - -TMP_CONF='/tmp/linkerd-cni.conf.default' -# If specified, overwrite the network configuration file. -: "${CNI_NETWORK_CONFIG_FILE:=}" -: "${CNI_NETWORK_CONFIG:=}" -if [ -e "${CNI_NETWORK_CONFIG_FILE}" ]; then - echo "Using CNI config template from ${CNI_NETWORK_CONFIG_FILE}." - cp "${CNI_NETWORK_CONFIG_FILE}" "${TMP_CONF}" -elif [ "${CNI_NETWORK_CONFIG}" != "" ]; then - echo 'Using CNI config template from CNI_NETWORK_CONFIG environment variable.' 
- cat >"${TMP_CONF}" <"${TMP_CONF}" < "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" < "${CONTAINER_MOUNT_PREFIX}${DEST_CNI_NET_DIR}/${KUBECONFIG_FILE_NAME}" < ${TMP_CONF} -fi +install_cni_conf() { + local cni_conf_path="$1" + + create_cni_conf + local tmp_data="" + local conf_data="" + if [ -e "${cni_conf_path}" ]; then + # Add the linkerd-cni plugin to the existing list + tmp_data=$(cat "${TMP_CONF}") + conf_data=$(jq --argjson CNI_TMP_CONF_DATA "${tmp_data}" -f /linkerd/filter.jq "${cni_conf_path}") + echo "${conf_data}" > ${TMP_CONF} + fi -# If the old config filename ends with .conf, rename it to .conflist, because it has changed to be a list -filename=${CNI_CONF_PATH##*/} -extension="${filename##*.}" -if [ "${filename}" != '01-linkerd-cni.conf' ] && [ "${extension}" = 'conf' ]; then - echo "Renaming ${CNI_CONF_PATH} extension to .conflist" - CNI_CONF_PATH="${CNI_CONF_PATH}list" -fi + # If the old config filename ends with .conf, rename it to .conflist, because it has changed to be a list + filename=${cni_conf_path##*/} + extension="${filename##*.}" + if [ "${filename}" != '01-linkerd-cni.conf' ] && [ "${extension}" = 'conf' ]; then + echo "Renaming ${cni_conf_path} extension to .conflist" + cni_conf_path="${cni_conf_path}list" + fi -# Delete old CNI config files for upgrades. -if [ "${CNI_CONF_PATH}" != "${CNI_OLD_CONF_PATH}" ]; then - echo "Removing CNI_OLD_CONF_PATH: ${CNI_OLD_CONF_PATH}" - rm -f "${CNI_OLD_CONF_PATH}" -fi + if [ -e "${DEFAULT_CNI_CONF_PATH}" ] && [ "$cni_conf_path" != "${DEFAULT_CNI_CONF_PATH}" ]; then + echo "Removing Linkerd's configuration file: ${DEFAULT_CNI_CONF_PATH}" + rm -f "${DEFAULT_CNI_CONF_PATH}" + fi + + # Move the temporary CNI config into place. + mv "${TMP_CONF}" "${cni_conf_path}" || exit_with_error 'Failed to mv files.' + + echo "Created CNI config ${cni_conf_path}" +} + +# Sync() is responsible for reacting to file system changes. 
It is used in +# conjunction with inotify events; sync() is called with the name of the file that +# has changed, the event type (which can be either 'CREATE' or 'DELETE'), and +# the previously observed SHA of the configuration file. +# +# Based on the changed file and event type, sync() might re-install the CNI +# plugin's configuration file. +sync() { + local filename="$1" + local ev="$2" + local filepath="${HOST_CNI_NET}/$filename" + + local prev_sha="$3" + + local config_file_count + local new_sha + if [ "$ev" = "DELETE" ]; then + # When the event type is 'DELETE', we check to see if there are any `*conf` or `*conflist` + # files on the host's filesystem. If none are present, we install in + # 'interface' mode, using our own CNI config file. + config_file_count=$(find "${HOST_CNI_NET}" -maxdepth 1 -type f \( -iname '*conflist' -o -iname '*conf' \) | sort | wc -l) + if [ "$config_file_count" -eq 0 ]; then + echo "No active CNI configuration file found after $ev event; re-installing in \"interface\" mode" + install_cni_conf "${DEFAULT_CNI_CONF_PATH}" + fi + elif [ "$ev" = "CREATE" ]; then + # When the event type is 'CREATE', we check the previously observed SHA (updated + # with each file watch) and compare it against the new file's SHA. If they + # differ, it means something has changed. + new_sha=$(sha256sum "${filepath}" | awk '{print $1}') + if [ "$new_sha" != "$prev_sha" ]; then + # Create but don't rm old one since we don't know if this will be configured + # to run as _the_ cni plugin. + echo "New file [$filename] detected; re-installing in \"chained\" mode" + install_cni_conf "$filepath" + else + # If the SHA hasn't changed or we get an unrecognised event, ignore it. + # When the SHA is the same, we can get into infinite loops whereby a file has + # been created and after re-install the watch keeps triggering CREATE events + # that never end. 
+ echo "Ignoring event: $ev $filepath; no real changes detected" + fi + fi +} + +# Monitor will start a watch on host's CNI config directory. Although files are +# mostly `mv'd`, because they are moved from the container's filesystem, the +# events logged will typically be a DELETED followed by a CREATE. When we are on +# the same system partition, `mv` simply renames, however, that won't be the +# case so we don't watch any "moved_to" or "moved_from" events. +monitor() { + inotifywait -m "${HOST_CNI_NET}" -e create,delete | + while read -r directory action filename; do + if [[ "$filename" =~ .*.(conflist|conf)$ ]]; then + echo "Detected change in $directory: $action $filename" + sync "$filename" "$action" "$cni_conf_sha" + # When file exists (i.e we didn't deal with a DELETE ev) + # then calculate its sha to be used the next turn. + if [ -e "$directory/$filename" ]; then + cni_conf_sha="$(sha256sum "$directory/$filename" | awk '{print $1}')" + fi + fi + done +} -# Move the temporary CNI config into place. -mv "${TMP_CONF}" "${CNI_CONF_PATH}" || exit_with_error 'Failed to mv files.' +################################ +### CNI Plugin Install Logic ### +################################ + +install_cni_bin + +# Install CNI configuration. If we have an existing CNI configuration file (*.conflist or *.conf) that is not linkerd's, +# then append our configuration to that file. Otherwise, if no CNI config files +# are present, install our stand-alone config file. 
+config_file_count=$(find "${HOST_CNI_NET}" -maxdepth 1 -type f \( -iname '*conflist' -o -iname '*conf' \) | grep -v "linkerd" | sort | wc -l) +if [ "$config_file_count" -eq 0 ]; then + echo "No active CNI configuration files found; installing in \"interface\" mode in ${DEFAULT_CNI_CONF_PATH}" + install_cni_conf "${DEFAULT_CNI_CONF_PATH}" +else + find "${HOST_CNI_NET}" -maxdepth 1 -type f \( -iname '*conflist' -o -iname '*conf' \) -print0 | + while read -r -d $'\0' file; do + echo "Installing CNI configuration in \"chained\" mode for $file" + install_cni_conf "$file" + done +fi -echo "Created CNI config ${CNI_CONF_PATH}" +# Compute SHA for first config file found; this will be updated after every iteration. +# First config file is likely to be chosen as the de facto CNI config by the +# host. +cni_conf_sha="$(sha256sum "$(find "${HOST_CNI_NET}" -maxdepth 1 -type f \( -iname '*conflist' -o -iname '*conf' \) | sort | head -n 1)" | awk '{print $1}')" -# Unless told otherwise, sleep forever. -# This prevents Kubernetes from restarting the pod repeatedly. -should_sleep=${SLEEP:-"true"} -echo "Done configuring CNI. Sleep=$should_sleep" -while [ "${should_sleep}" = 'true' ]; do +# Watch in bg so we can receive interrupt signals through 'trap'. From 'man +# bash': +# "If bash is waiting for a command to complete and receives a signal +# for which a trap has been set, the trap will not be executed until the command +# completes. When bash is waiting for an asynchronous command via the wait +# builtin, the reception of a signal for which a trap has been set will cause +# the wait builtin to return immediately with an exit status greater than 128, +# immediately after which the trap is executed." +monitor & +while true; do + # sleep so script never finishes + # we start sleep in bg so we can trap signals sleep infinity & + # block wait $! done From 5ade1554d3cceedac5231219d3f14273d847d8c0 Mon Sep 17 00:00:00 2001 
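Review bot: In `install_cni_conf` the output of `jq` is written to `${TMP_CONF}` and then moved over the host's CNI config without checking that `jq` succeeded, and `cleanup` does the same with `echo "$cni_data" > "$file"`; if the file is not valid JSON the captured output is empty and the host's network configuration is replaced by an effectively empty file. The new watcher makes this more likely than before, because `monitor` reacts to `create` events, which inotify delivers when the file appears and possibly before its writer has finished. Checking the exit status and skipping the file on failure, as sketched below, keeps a partial or malformed file from being overwritten; also watching `close_write` would narrow the window further. Parts of this hunk (the heredocs) are not legible on the page, so this covers only the visible lines.

```shell
  if [ -e "${cni_conf_path}" ]; then
    # … unchanged: tmp_data is read from ${TMP_CONF} …
    if ! conf_data=$(jq --argjson CNI_TMP_CONF_DATA "${tmp_data}" -f /linkerd/filter.jq "${cni_conf_path}") || [ -z "${conf_data}" ]; then
      echo "Skipping ${cni_conf_path}: jq could not process it (file may be incomplete)"
      rm -f "${TMP_CONF}"
      return 0
    fi
    echo "${conf_data}" > "${TMP_CONF}"
  fi
```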
From: Joakim Roubert Date: Thu, 26 May 2022 17:19:35 +0200 Subject: [PATCH 102/112] Shellscript housekeeping (#8549) - Replace simple awk commands with shell built-ins - Single quotes instead of double quotes for static strings - No need for -n operator to check that variables are not empty - Use single echo calls instead of several consecutive ones - No quotes are needed for variable assignments - Use the more lightweight echo instead of printf where applicable - No need to use bash's == comparison when there is the POSIX = Signed-off-by: Joakim Roubert --- cni-plugin/deployment/scripts/install-cni.sh | 34 ++++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index a3a06a4a..abc568cb 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh +++ b/cni-plugin/deployment/scripts/install-cni.sh @@ -67,8 +67,8 @@ KUBECONFIG_FILE_NAME=${KUBECONFIG_FILE_NAME:-ZZZ-linkerd-cni-kubeconfig} # file will be removed. cleanup() { # First, kill 'inotifywait' so we don't process any DELETE/CREATE events - if [ -n "$(pgrep inotifywait)" ]; then - echo "Sending SIGKILL to inotifywait" + if [ "$(pgrep inotifywait)" ]; then + echo 'Sending SIGKILL to inotifywait' kill -s KILL "$(pgrep inotifywait)" fi @@ -77,7 +77,7 @@ cleanup() { # Find all conflist files and print them out using a NULL separator instead of # writing each file in a new line. We will subsequently read each string and # attempt to rm linkerd config from it using jq helper. - local cni_data="" + local cni_data='' find "${HOST_CNI_NET}" -maxdepth 1 -type f \( -iname '*conflist' \) -print0 | while read -r -d $'\0' file; do echo "Removing linkerd-cni config from $file" 
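Review bot: In `cleanup`, `kill -s KILL "$(pgrep inotifywait)"` passes the whole pgrep output as one quoted argument, so if more than one `inotifywait` process matches, kill receives a newline-separated string and fails, leaving the watchers running while the config files are being removed. pgrep is also run twice, so the set of processes can change between the test and the kill. `pkill -KILL -x inotifywait` does both steps in one call and handles several matches; procps, which provides it, is already installed in the image. `cleanup` continues past the end of these hunks.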
@@ -139,7 +139,7 @@ create_cni_conf() { if [ -e "${CNI_NETWORK_CONFIG_FILE}" ]; then echo "Using CNI config template from ${CNI_NETWORK_CONFIG_FILE}." cp "${CNI_NETWORK_CONFIG_FILE}" "${TMP_CONF}" - elif [ "${CNI_NETWORK_CONFIG}" != "" ]; then + elif [ "${CNI_NETWORK_CONFIG}" ]; then echo 'Using CNI config template from CNI_NETWORK_CONFIG environment variable.' cat >"${TMP_CONF}" < Date: Fri, 3 Jun 2022 06:33:21 -0700 Subject: [PATCH 103/112] Update Go to the latest 1.17 release (#8603) Our docker images hardcode a patch version, 1.17.3, which does not include a variety of important fixes that have been released: > go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, > runtime, and the go/types, net/http, and time packages. See the Go > 1.17.4 milestone on our issue tracker for details. > go1.17.5 (released 2021-12-09) includes security fixes to the net/http > and syscall packages. See the Go 1.17.5 milestone on our issue tracker > for details. > go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker, > runtime, and the crypto/x509, net/http, and reflect packages. See the Go > 1.17.6 milestone on our issue tracker for details. > go1.17.7 (released 2022-02-10) includes security fixes to the go > command, and the crypto/elliptic and math/big packages, as well as bug > fixes to the compiler, linker, runtime, the go command, and the > debug/macho, debug/pe, and net/http/httptest packages. See the Go 1.17.7 > milestone on our issue tracker for details. > go1.17.8 (released 2022-03-03) includes a security fix to the > regexp/syntax package, as well as bug fixes to the compiler, runtime, > the go command, and the crypto/x509 and net packages. See the Go 1.17.8 > milestone on our issue tracker for details. > go1.17.9 (released 2022-04-12) includes security fixes to the > crypto/elliptic and encoding/pem packages, as well as bug fixes to the > linker and runtime. See the Go 1.17.9 milestone on our issue tracker for > details. 
> go1.17.10 (released 2022-05-10) includes security fixes to the syscall > package, as well as bug fixes to the compiler, runtime, and the > crypto/x509 and net/http/httptest packages. See the Go 1.17.10 milestone > on our issue tracker for details. > go1.17.11 (released 2022-06-01) includes security fixes to the > crypto/rand, crypto/tls, os/exec, and path/filepath packages, as well as > bug fixes to the crypto/tls package. See the Go 1.17.11 milestone on our > issue tracker for details. This changes our container configs to use the latest 1.17 release on each build so that these patch releases are picked up without manual intervention. Signed-off-by: Oliver Gould --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 4f01531c..db25fa05 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 # Precompile key slow-to-build dependencies -FROM --platform=$BUILDPLATFORM golang:1.17.3-alpine as go-deps +FROM --platform=$BUILDPLATFORM golang:1.17-alpine as go-deps WORKDIR /linkerd-build COPY go.mod go.sum ./ COPY bin/install-deps bin/ From 2241002cd532f7c0c04208b3aa318c37792aa922 Mon Sep 17 00:00:00 2001 
From: Matei David Date: Thu, 30 Jun 2022 18:04:46 +0100 Subject: [PATCH 104/112] Fix CNI plugin event processing (#8778) The CNI plugin watches for file changes and reacts accordingly. To append our CNI plugin configuration to an existing configuration file, we keep a watch on the config file directory, and whenever a new file is created (or modified) we append to it. To avoid redundancy and infinite loops, after a file has been processed, we save its SHA in-memory. Whenever a new update is received, we calculate the file's SHA, and if it differs from the previous one, we update it (since the file hasn't been 'seen' by our script yet). The in-memory SHA is continously overridden as updates are received and processed. In our processing logic, we override the SHA only if the file exists (in short, we want to avoid processing the SHA on 'DELETE' events). However, when a different CNI plugin deletes the file, it typically re-creates it immediately after. Since we do not check for the event type and instead rely only on file existence, we end up calculating the SHA for a new file before the file has had a chance to be processed when its associated 'CREATE' event is picked up. This means that new files will essentially be skipped from being updated, since the script considers them to have been processed already (since their SHA was calculated when the previous file was deleted). This change fixes the bug by introducing a type check for the event in addition to checking the file's existence. This allows us to be sure that new files are only processed when the 'CREATE' event is picked up, ensuring we do not skip them. Signed-off-by: Matei David --- cni-plugin/deployment/scripts/install-cni.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh index abc568cb..c36ac902 100755 --- a/cni-plugin/deployment/scripts/install-cni.sh 
+++ b/cni-plugin/deployment/scripts/install-cni.sh @@ -308,7 +308,7 @@ monitor() { sync "$filename" "$action" "$cni_conf_sha" # When file exists (i.e we didn't deal with a DELETE ev) # then calculate its sha to be used the next turn. - if [ -e "$directory/$filename" ]; then + if [[ -e "$directory/$filename" && "$action" != 'DELETE' ]]; then cni_conf_sha="$(sha256sum "$directory/$filename" | while read -r s _; do echo "$s"; done)" fi fi From 314797d559132202820d6143a3a685cdbfb93133 Mon Sep 17 00:00:00 2001 From: Matei David Date: Mon, 18 Jul 2022 21:03:26 +0100 Subject: [PATCH 105/112] Bump proxy-init version to v1.6.1 (#8913) Release v1.6.1 of proxy-init adds support for iptables-nft. This change bumps up the proxy-init version used in code, chart values, and golden files. * Update go.mod dep * Update CNI plugin with new opts * Update proxy-init ref in golden files and chart values * Update policy controller CI workflow Signed-off-by: Matei David --- cni-plugin/main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index bc8bcfb6..c82815b0 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -201,6 +201,8 @@ func cmdAdd(args *skel.CmdArgs) error { SimulateOnly: conf.ProxyInit.Simulate, NetNs: args.Netns, UseWaitFlag: conf.ProxyInit.UseWaitFlag, + FirewallBinPath: "iptables", + FirewallSaveBinPath: "iptables-save", } // Check if there are any overridden ports to be skipped From f56322b884261e3cc1096dc26e75a83ea3daac21 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Wed, 27 Jul 2022 16:10:39 -0700 Subject: [PATCH 106/112] Update Go to 1.18 (#9019) Go 1.18 features a number of important chanages, notably removing client support for defunct TLS versions: https://tip.golang.org/doc/go1.18 This change updates our Go version in CI and development. Signed-off-by: Oliver Gould --- cni-plugin/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
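Review bot: `FirewallBinPath: "iptables"` and `FirewallSaveBinPath: "iptables-save"` are hard-coded bare command names, while the neighbouring fields come from `conf.ProxyInit` or `args`, and the hunk does not show how they are resolved. If the firewall package resolves them through `PATH` (an assumption to confirm), then which binary a plugin that typically runs with root privileges executes depends on the environment the container runtime hands it; an absolute path or a value taken from the plugin configuration would make that explicit. The literals also appear to rule out the nft variants the commit message mentions for the CNI path. At minimum a comment such as `// TODO: make the iptables binaries configurable (legacy vs nft)` above the two fields would record the intent. The struct literal and cmdAdd begin and end outside the hunk.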
diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index db25fa05..0dad4744 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,7 +1,7 @@ ARG BUILDPLATFORM=linux/amd64 # Precompile key slow-to-build dependencies -FROM --platform=$BUILDPLATFORM golang:1.17-alpine as go-deps +FROM --platform=$BUILDPLATFORM golang:1.18-alpine as go-deps WORKDIR /linkerd-build COPY go.mod go.sum ./ COPY bin/install-deps bin/ From 85af7ccfe673c141d207681d018cd9d49162564b Mon Sep 17 00:00:00 2001 
From: Dmitrii Ermakov Date: Thu, 4 Aug 2022 21:02:54 +0300 Subject: [PATCH 107/112] Allow running Linkerd CNI plugin stand-alone (#8864) This PR allows Linkerd-CNI to be called in non-chained (stand-alone) mode. Together with a separate controller https://github.com/ErmakovDmitriy/linkerd-multus-attach-operator this PR should allow to run Linkerd-CNI in Kubernetes clusters with Multus CNI. The main issue with Multus-CNI clusters is that Multus does not handle "*.conflist" CNI configuration files, so Linkerd-CNI is ignored. Please, take a look at some details in issue #8553. Short summary about the aforementioned controller: it adds Multus NetworkAttachmentDefinitions to namespaces which have special annotation `linkerd.io/multus=enabled` and patches Pod definitions with `k8s.cni.cncf.io/v1=linkerd-cni`. The result is that Linkerd-CNI binary is called by Multus with configuration from the NetworkAttachmentDefinition. For using with Openshift, one should manually annotate a namespace or a Pod with config.linkerd.io/proxy-uid annotation with some value in the allowed range, for instance: ```yaml apiVersion: v1 kind: Namespace metadata: annotations: # I used UID in the end of the range "openshift.io/sa.scc.uid-range" config.linkerd.io/proxy-uid: "1000739999" linkerd.io/inject: enabled linkerd.io/multus: enabled openshift.io/sa.scc.mcs: s0:c27,c14 openshift.io/sa.scc.supplemental-groups: 1000730000/10000 openshift.io/sa.scc.uid-range: 1000730000/10000 labels: config.linkerd.io/admission-webhooks: enabled kubernetes.io/metadata.name: emojivoto name: emojivoto ``` Signed-off-by: Dmitrii Ermakov --- cni-plugin/main.go | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/cni-plugin/main.go b/cni-plugin/main.go index c82815b0..dd3ede42 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go @@ -23,6 +23,7 @@ import ( "encoding/json" "fmt" "os" + "strconv" "strings" "github.com/containernetworking/cni/pkg/skel" 
@@ -228,6 +229,25 @@ func cmdAdd(args *skel.CmdArgs) error {
 options.InboundPortsToIgnore = strings.Split(inboundSkipOverride, ",")
 }
+ // Override ProxyUID from annotations.
+ proxyUIDOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyUIDAnnotation)
+ if err != nil {
+ logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %s", err)
+ return err
+ }
+
+ if proxyUIDOverride != "" {
+ logEntry.Debugf("linkerd-cni: overriding ProxyUID to %s", proxyUIDOverride)
+
+ parsed, err := strconv.Atoi(proxyUIDOverride)
+ if err != nil {
+ logEntry.Errorf("linkerd-cni: could not parse ProxyUID to integer: %s", err)
+ return err
+ }
+
+ options.ProxyUserID = parsed
+ }
+
 if pod.GetLabels()[k8s.ControllerComponentLabel] != "" {
 // Skip 443 outbound port if its a control plane component
 logEntry.Debug("linkerd-cni: adding 443 to OutboundPortsToIgnore as its a control plane component")
@@ -262,8 +282,9 @@ func cmdAdd(args *skel.CmdArgs) error {
 return types.PrintResult(conf.PrevResult, conf.CNIVersion)
 }
- logrus.Debug("linkerd-cni: no previous result to pass through, emptying stdout")
- return nil
+ logrus.Debug("linkerd-cni: no previous result to pass through, assume stand-alone run, send ok")
+
+ return types.PrintResult(&cniv1.Result{CNIVersion: cniv1.ImplementedSpecVersion}, conf.CNIVersion)
 }
 func cmdCheck(args *skel.CmdArgs) error {
From b45f787a28d1cc352f29ca12b643e348cae138dd Mon Sep 17 00:00:00 2001 From: Steve Jenson Date: Thu, 6 Oct 2022 13:06:23 -0700 Subject: [PATCH 108/112] Remove old .conf file from CNI directory when we convert .conf file to .conflist (#9555) * Change the integration test to check that the CNI configuration directory only has a single configuration file * Change the install script to remove the old .conf file when it's rewritten into a .conflist --- cni-plugin/deployment/scripts/install-cni.sh | 4 ++++ cni-plugin/test/install-cni_test.go | 23 ++++++++++++++++++++ 2 files changed, 27 insertions(+)
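Review bot: The ProxyUID override is parsed with `strconv.Atoi` and assigned to `options.ProxyUserID` with no range check, so a negative or otherwise out-of-range annotation value is accepted as long as it is an integer. The value comes from an annotation that, per the commit message, a namespace or pod author sets, and it presumably ends up as the UID the redirect rules treat as the proxy, so it is worth validating before use. Parsing as an unsigned 32-bit value rejects the bad cases in one step: `parsed, err := strconv.ParseUint(proxyUIDOverride, 10, 32)` followed by `options.ProxyUserID = int(parsed)`. If only some UIDs are acceptable in a given cluster, that policy has to be enforced elsewhere (for example at admission), since this code trusts the annotation. `cmdAdd` starts and ends outside the hunk.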
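Review bot: The new fall-through return has no comment saying why an empty result is correct, and it logs through `logrus.Debug` while the earlier part of `cmdAdd` logs through `logEntry`. A short comment above the return would document the contract, e.g. `// Stand-alone (non-chained) call: there is no PrevResult to forward, so report success with an empty result.` Using `logEntry.Debug` here would keep the per-pod fields on the message, assuming `logEntry` is still in scope at this point, which the hunk does not show.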
diff --git a/cni-plugin/deployment/scripts/install-cni.sh b/cni-plugin/deployment/scripts/install-cni.sh
index c36ac902..f029e763 100755
--- a/cni-plugin/deployment/scripts/install-cni.sh
+++ b/cni-plugin/deployment/scripts/install-cni.sh
@@ -234,7 +234,10 @@ install_cni_conf() {
 # If the old config filename ends with .conf, rename it to .conflist, because it has changed to be a list
 filename=${cni_conf_path##*/}
 extension=${filename##*.}
+ # When this variable has a file, we must delete it later.
+ old_file_path=
 if [ "${filename}" != '01-linkerd-cni.conf' ] && [ "${extension}" = 'conf' ]; then
+ old_file_path=${cni_conf_path}
 echo "Renaming ${cni_conf_path} extension to .conflist"
 cni_conf_path="${cni_conf_path}list"
 fi
@@ -246,6 +249,7 @@ install_cni_conf() {
 # Move the temporary CNI config into place.
 mv "${TMP_CONF}" "${cni_conf_path}" || exit_with_error 'Failed to mv files.'
+ [ -n "$old_file_path" ] && rm -f "${old_file_path}" && echo "Removing unwanted .conf file"
 echo "Created CNI config ${cni_conf_path}"
 }
diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go
index fe4ec00c..5ceefbf5 100644
--- a/cni-plugin/test/install-cni_test.go
+++ b/cni-plugin/test/install-cni_test.go
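Review bot: The added cleanup line treats a failed `rm` as success: if `rm -f "${old_file_path}"` fails (for example on a read-only or permission-restricted CNI directory) the `&&` chain only skips the echo, and the function still prints "Created CNI config" with both the old `.conf` and the new `.conflist` left in place, which is the conflict this commit sets out to remove. The `mv` line just above already uses `|| exit_with_error`, and the same handling fits here: `if [ -n "${old_file_path}" ]; then rm -f "${old_file_path}" || exit_with_error 'Failed to remove old .conf file.'; fi`. The message is also printed after the removal and does not name the file; `echo "Removed old CNI config ${old_file_path}"` would be more useful in the install log. `install_cni_conf` starts above the hunk.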
@@ -109,6 +109,28 @@ func rm(dir string, t *testing.T) {
 }
 }
+// Checks that only a single configuration file that CNI will look for exists. CNI will look
+// for any filename ending in `.conf` or `.conflist` and pick the first in lexicographic order.
+func checkOnlyOneConfFileExists(t *testing.T, directory string) {
+ filenames := ls(directory, t)
+ possibleConfigFiles := []string{}
+
+ for _, filename := range filenames {
+ if strings.HasSuffix(filename, ".conf") || strings.HasSuffix(filename, ".conflist") {
+ possibleConfigFiles = append(possibleConfigFiles, filename)
+ }
+ }
+
+ if len(possibleConfigFiles) == 0 {
+ t.Log("FAIL: no files found ending with .conf or .conflist in the CNI configuration directory")
+ // TODO(stevej): testutil.AnnotatedFatal does not result in a Failed test
+ t.Fail()
+ } else if len(possibleConfigFiles) > 1 {
+ t.Logf("FAIL: CNI configuration conflict: multiple files found ending with .conf or .conflist %v", possibleConfigFiles)
+ t.Fail()
+ }
+}
+
 // populateTempDirs populates temporary test directories with golden files
 func populateTempDirs(wd string, tempCNINetDir string, preConfFile string, t *testing.T) {
 t.Logf("Pre-populating working dirs")
@@ -255,6 +277,7 @@ func doTest(testNum int, wd string, initialNetConfFile string, finalNetConfFile
 compareConfResult(testWorkRootDir, tempCNINetDir, finalNetConfFile, expectNetConfFile, t)
 checkBinDir(t, tempCNIBinDir, "add", "linkerd-cni")
+ checkOnlyOneConfFileExists(t, tempCNINetDir)
 docker("stop", containerID, t)
 time.Sleep(5 * time.Second)
From 9aabbe13b0bce8be744e4042b2daa91b9b7502bd Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Thu, 13 Oct 2022 12:10:58 -0500 Subject: [PATCH 109/112] Replace usage of io/ioutil package (#9613) `io/ioutil` has been deprecated since go 1.16 and the linter started to complain about it. --- cni-plugin/test/install-cni_test.go | 17 ++++++++---------- 1 file changed, 8 insertions(+), 9 deletions(-)
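Review bot: `checkOnlyOneConfFileExists` reports each failure with a `t.Log`/`t.Logf` call followed by `t.Fail()` and never calls `t.Helper()`, so a failure is attributed to a line inside the helper rather than to the `doTest` call that triggered it. `t.Errorf` logs and marks the test failed in one call, e.g. `t.Errorf("CNI configuration conflict: multiple files found ending with .conf or .conflist %v", possibleConfigFiles)`, with `t.Helper()` as the first statement of the function. The doc comment would also read better in the usual Go form starting with the function name, `// checkOnlyOneConfFileExists checks that ...`, and `var possibleConfigFiles []string` is the idiomatic empty slice.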
diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index 5ceefbf5..cc6fbc11 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -19,7 +19,6 @@ import ( "bytes" "flag" "fmt" - "io/ioutil" "os" "os/exec" "os/user" @@ -58,7 +57,7 @@ func setEnv(key, value string, t *testing.T) { } func mktemp(dir, prefix string, t *testing.T) string { - tempDir, err := ioutil.TempDir(dir, prefix) + tempDir, err := os.MkdirTemp(dir, prefix) if err != nil { testutil.AnnotatedFatalf(t, "couldn't get current working directory", "couldn't get current working directory: %v", err) @@ -77,7 +76,7 @@ func pwd(t *testing.T) string { } func ls(dir string, t *testing.T) []string { - files, err := ioutil.ReadDir(dir) + files, err := os.ReadDir(dir) if err != nil { testutil.AnnotatedFatalf(t, "failed to list files", "failed to list files: %v", err) @@ -90,12 +89,12 @@ func ls(dir string, t *testing.T) []string { } func cp(src, dest string, t *testing.T) { - data, err := ioutil.ReadFile(src) + data, err := os.ReadFile(src) if err != nil { testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to read file %v", src), "failed to read file %v: %v", src, err) } - if err = ioutil.WriteFile(dest, data, 0600); err != nil { + if err = os.WriteFile(dest, data, 0600); err != nil { testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to write file %v", dest), "failed to write file %v: %v", dest, err) } @@ -192,7 +191,7 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s containerID, err := cmd.Output() if err != nil { - errFileContents, _ := ioutil.ReadFile(errFileName) + errFileContents, _ := os.ReadFile(errFileName) t.Logf("%v contents:\n\n%v\n\n", errFileName, string(errFileContents)) testutil.Fatalf(t, "test %v ERROR: failed to start docker container '%v', see %v", testNum, dockerImage, errFileName) 
@@ -214,13 +213,13 @@ func docker(cmd, containerID string, t *testing.T) { // compareConfResult does a string compare of 2 test files. func compareConfResult(testWorkRootDir string, tempCNINetDir string, result string, expected string, t *testing.T) { tempResult := tempCNINetDir + "/" + result - resultFile, err := ioutil.ReadFile(tempResult) + resultFile, err := os.ReadFile(tempResult) if err != nil { testutil.AnnotatedFatalf(t, "failed to read file", "failed to read file %v: %v", tempResult, err) } - expectedFile, err := ioutil.ReadFile(expected) + expectedFile, err := os.ReadFile(expected) if err != nil { testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to read file %v", expected), "failed to read file %v, err: %v", expected, err) @@ -265,7 +264,7 @@ func doTest(testNum int, wd string, initialNetConfFile string, finalNetConfFile if initialNetConfFile != "NONE" { setEnv(cniConfName, initialNetConfFile, t) } - defaultData, err := ioutil.ReadFile(wd + "../deployment/linkerd-cni.conf.default") + defaultData, err := os.ReadFile(wd + "../deployment/linkerd-cni.conf.default") if err != nil { testutil.AnnotatedFatalf(t, "failed to read file linkerd-cni.conf.default", "failed to read file %v, err: %v", wd+"../deployment/linkerd-cni.conf.default", err) From d2b109bfdc469e6d6fee6ee0ff1fbd2158f6a335 Mon Sep 17 00:00:00 2001 From: Steve Jenson Date: Tue, 22 Nov 2022 17:31:37 +0000 Subject: [PATCH 110/112] adds cni module to go.mod Signed-off-by: Steve Jenson --- go.mod | 1 + 1 file changed, 1 insertion(+) diff --git a/go.mod b/go.mod index 24abd864..0f766114 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,7 @@ go 1.18 require ( github.com/sirupsen/logrus v1.9.0 github.com/spf13/cobra v1.6.1 + github.com/containernetworking/cni v1.1.2 ) require ( From d80369f22f964ea852002b86866c29b890145797 Mon Sep 17 00:00:00 2001 From: Steve Jenson Date: Tue, 22 Nov 2022 17:31:37 +0000 Subject: [PATCH 111/112] adds cni module to go.mod 
Signed-off-by: Steve Jenson --- go.mod | 1 + 1 file changed, 1 insertion(+) diff --git a/go.mod b/go.mod index 24abd864..e1e497d0 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,7 @@ go 1.18 require ( github.com/sirupsen/logrus v1.9.0 github.com/spf13/cobra v1.6.1 + github.com/containernetworking/cni v1.1.2 ) require ( From 049e1c6121996da4e7f860a1a8aa7fb67b5d1f3f Mon Sep 17 00:00:00 2001 From: Steve Jenson Date: Thu, 29 Dec 2022 13:11:36 -0800 Subject: [PATCH 112/112] This branch is fixups for the cni-plugin branch (#140) * modifying import paths and making a temporary copy of testutil/annotations.go Signed-off-by: Steve Jenson * removed testutil, dockerized cni installer tests now pass Signed-off-by: Steve Jenson * moving internal to pkg/linkerd-, removing Dockerfile until fixed, changining imports, removing linkerd2 k8s client with client-go Signed-off-by: Steve Jenson * gofmt install-cni_test.go Signed-off-by: Steve Jenson * go mod updates Signed-off-by: Steve Jenson * adding pkg to Docker image Signed-off-by: Steve Jenson * updating dev from v32 to v35 for go Signed-off-by: Steve Jenson * moving back to old dev image Signed-off-by: Steve Jenson * use dev:v32-go for go lint workflow Signed-off-by: Steve Jenson * fixing linter complaints Signed-off-by: Steve Jenson * fixing linter complaints Signed-off-by: Steve Jenson * turning off noisy lint #1 Signed-off-by: Steve Jenson * turning off noisy lint #2 Signed-off-by: Steve Jenson * turning off noisy lint #3 Signed-off-by: Steve Jenson * turning off noisy lint #4 Signed-off-by: Steve Jenson * turning off noisy lint #5 Signed-off-by: Steve Jenson * turning off noisy lint #6 Signed-off-by: Steve Jenson * Replace pkg/ with internal/ (#148) * Replace pkg/ with internal/ There's no need for a public library export. We can share code within this repo via the `internal` directory. * simplify package names Signed-off-by: Oliver Gould * adding internal back. whoopsie Signed-off-by: Steve Jenson * bumping dev go version 
Signed-off-by: Steve Jenson * replace deprecated ioutil functions with io functions. Signed-off-by: Steve Jenson * increasing timeout to help with linter issues, adding verbose Signed-off-by: Steve Jenson * replace TODO with literals, wait for the linter to complain so we can give it the magic incantation to sleep now Signed-off-by: Steve Jenson * more linter Signed-off-by: Steve Jenson * gofmt Signed-off-by: Steve Jenson * swap position of comment and argument as the linter has an opinion here, too Signed-off-by: Steve Jenson * Update cni-plugin/main.go Co-authored-by: Alejandro Pedraza * Update cni-plugin/main.go Co-authored-by: Alejandro Pedraza * Update cni-plugin/main.go Co-authored-by: Alejandro Pedraza * Update cni-plugin/main.go Co-authored-by: Alejandro Pedraza * simplify lint call Signed-off-by: Steve Jenson * removed unneeded abstraction Signed-off-by: Steve Jenson * linter for cni-plugin and all go code Signed-off-by: Steve Jenson * giving flags to go linter Signed-off-by: Steve Jenson * run the test on the moved internal package Signed-off-by: Steve Jenson * adding keys back for annotation lookup Signed-off-by: Steve Jenson Signed-off-by: Steve Jenson 
Signed-off-by: Oliver Gould Co-authored-by: Oliver Gould Co-authored-by: Alejandro Pedraza --- .github/workflows/go.yml | 3 +- Dockerfile | 1 + cni-plugin/Dockerfile | 40 --- cni-plugin/main.go | 41 ++- cni-plugin/test/install-cni_test.go | 72 ++--- go.mod | 43 ++- go.sum | 279 +++++++++++++++++- .../iptables/iptables.go | 2 +- .../iptables/iptables_test.go | 0 .../internal => internal}/util/portrange.go | 0 .../util/portrange_test.go | 0 justfile | 16 +- proxy-init/cmd/root.go | 6 +- proxy-init/cmd/root_test.go | 2 +- proxy-init/integration/iptables/http_test.go | 4 +- .../iptables/test_service/test_service.go | 4 +- 16 files changed, 393 insertions(+), 120 deletions(-) delete mode 100644 cni-plugin/Dockerfile rename {proxy-init/internal => internal}/iptables/iptables.go (99%) rename {proxy-init/internal => internal}/iptables/iptables_test.go (100%) rename {proxy-init/internal => internal}/util/portrange.go (100%) rename {proxy-init/internal => internal}/util/portrange_test.go (100%) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index cfcb83af..9b7dc63a 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -11,9 +11,10 @@ on: jobs: lint: runs-on: ubuntu-20.04 + container: ghcr.io/linkerd/dev:v38-go steps: - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - - uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 + - run: just go-lint --verbose --timeout=10m fmt: runs-on: ubuntu-20.04 diff --git a/Dockerfile b/Dockerfile index 3e49bde2..c28a4cf0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,6 +9,7 @@ FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v38-go as go WORKDIR /build COPY --link go.mod go.sum . COPY --link ./proxy-init ./proxy-init +COPY --link ./internal ./internal RUN go mod download ARG TARGETARCH RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \ diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile deleted file mode 100644 index 0dad4744..00000000 
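Review bot: The lint job now runs inside `container: ghcr.io/linkerd/dev:v38-go`, an image referenced by a mutable tag, while the checkout step in the same job is pinned to a commit SHA, as was the golangci-lint action this hunk removes. Pinning the image by digest keeps the job reproducible and keeps the same supply-chain guarantee the pinned actions give: `container: ghcr.io/linkerd/dev:v38-go@sha256:<digest-of-the-reviewed-image>`. The top-level Dockerfile touched by this commit names the same tag in its `FROM` line, so the two could be pinned together.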
--- a/cni-plugin/Dockerfile +++ /dev/null @@ -1,40 +0,0 @@ -ARG BUILDPLATFORM=linux/amd64 - -# Precompile key slow-to-build dependencies -FROM --platform=$BUILDPLATFORM golang:1.18-alpine as go-deps -WORKDIR /linkerd-build -COPY go.mod go.sum ./ -COPY bin/install-deps bin/ -RUN go mod download -ARG TARGETARCH -RUN ./bin/install-deps $TARGETARCH - -## compile cni-plugin utility -FROM go-deps as golang -WORKDIR /linkerd-build -COPY pkg pkg -COPY controller controller -COPY cni-plugin cni-plugin -ARG TARGETARCH -RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH go build -o /go/bin/linkerd-cni -v -mod=readonly ./cni-plugin/ - -FROM debian:bullseye-slim -WORKDIR /linkerd -RUN apt-get update && apt-get install -y --no-install-recommends \ - iptables \ - inotify-tools \ - procps \ - jq && \ - rm -rf /var/lib/apt/lists/* - -# We still rely on old iptables-legacy syntax. -RUN update-alternatives --set iptables /usr/sbin/iptables-legacy \ - && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy - -COPY --from=golang /go/bin/linkerd-cni /opt/cni/bin/ -COPY LICENSE . -COPY cni-plugin/deployment/scripts/install-cni.sh . -COPY cni-plugin/deployment/linkerd-cni.conf.default . -COPY cni-plugin/deployment/scripts/filter.jq . -ENV PATH=/linkerd:/opt/cni/bin:$PATH -CMD ["install-cni.sh"] diff --git a/cni-plugin/main.go b/cni-plugin/main.go index dd3ede42..77d5d6c3 100644 --- a/cni-plugin/main.go +++ b/cni-plugin/main.go 
@@ -30,12 +30,14 @@ import ( "github.com/containernetworking/cni/pkg/types" cniv1 "github.com/containernetworking/cni/pkg/types/100" "github.com/containernetworking/cni/pkg/version" - "github.com/linkerd/linkerd2-proxy-init/cmd" - "github.com/linkerd/linkerd2-proxy-init/iptables" - "github.com/linkerd/linkerd2/pkg/k8s" + "github.com/linkerd/linkerd2-proxy-init/internal/iptables" + "github.com/linkerd/linkerd2-proxy-init/proxy-init/cmd" + "github.com/sirupsen/logrus" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/clientcmd" ) // ProxyInit is the configuration for the proxy-init binary @@ -83,12 +85,12 @@ func main() { } func configureLogging(logLevel string) { - if strings.EqualFold(logLevel, "debug") { + switch strings.ToLower(logLevel) { + case "debug": logrus.SetLevel(logrus.DebugLevel) - } else if strings.EqualFold(logLevel, "info") { + case "info": logrus.SetLevel(logrus.InfoLevel) - } else { - // Default level + default: logrus.SetLevel(logrus.WarnLevel) } @@ -164,7 +166,16 @@ func cmdAdd(args *skel.CmdArgs) error { if namespace != "" && podName != "" { ctx := context.Background() - client, err := k8s.NewAPI(conf.Kubernetes.Kubeconfig, "linkerd-cni-context", "", []string{}, 0) + + configLoadingRules := &clientcmd.ClientConfigLoadingRules{ExplicitPath: conf.Kubernetes.Kubeconfig} + configOverrides := &clientcmd.ConfigOverrides{CurrentContext: "linkerd-cni-context"} + + config, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(configLoadingRules, configOverrides).ClientConfig() + if err != nil { + return err + } + + client, err := kubernetes.NewForConfig(config) if err != nil { return err } @@ -176,7 +187,7 @@ func cmdAdd(args *skel.CmdArgs) error { containsLinkerdProxy := false for _, container := range pod.Spec.Containers { - if container.Name == k8s.ProxyContainerName { + if container.Name == "linkerd-proxy" { containsLinkerdProxy = true break } 
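Review bot: The new `ClientConfig()` error path returns the bare error, as does the existing check after `kubernetes.NewForConfig`, so a missing or unreadable kubeconfig reaches the container runtime with no indication of which step or path failed; the annotation lookups later in `cmdAdd` at least log through `logEntry.Errorf`. Wrapping gives the operator something to act on: `return fmt.Errorf("linkerd-cni: loading kubeconfig %q: %w", conf.Kubernetes.Kubeconfig, err)`. The hunk also sets no `Timeout` on the `rest.Config` and the calls use `context.Background()`, so as far as the hunk shows an unresponsive API server would block pod sandbox setup without bound; worth confirming a deadline is applied somewhere. `cmdAdd` starts and ends outside the hunk.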
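Review bot: The container names, annotation keys and label key that used to be `k8s.*` constants are now string literals repeated inline: `"linkerd-proxy"` here, and `"linkerd-init"`, `"config.linkerd.io/skip-outbound-ports"`, `"config.linkerd.io/skip-inbound-ports"`, `"config.linkerd.io/proxy-uid"` and `"controller-component"` in the hunks that follow. A typo in any of them compiles cleanly and silently disables the corresponding check or override. Declaring them once in a `const` block in this file, each with a comment naming the linkerd2 constant it mirrors, keeps the values reviewable in one place, for example `proxyContainerName = "linkerd-proxy"`.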
@@ -184,7 +195,7 @@ func cmdAdd(args *skel.CmdArgs) error { containsInitContainer := false for _, container := range pod.Spec.InitContainers { - if container.Name == k8s.InitContainerName { + if container.Name == "linkerd-init" { containsInitContainer = true break } @@ -207,7 +218,7 @@ func cmdAdd(args *skel.CmdArgs) error { } // Check if there are any overridden ports to be skipped - outboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyIgnoreOutboundPortsAnnotation) + outboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, "config.linkerd.io/skip-outbound-ports") if err != nil { logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %s", err) return err @@ -218,7 +229,7 @@ func cmdAdd(args *skel.CmdArgs) error { options.OutboundPortsToIgnore = strings.Split(outboundSkipOverride, ",") } - inboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyIgnoreInboundPortsAnnotation) + inboundSkipOverride, err := getAnnotationOverride(ctx, client, pod, "config.linkerd.io/skip-inbound-ports") if err != nil { logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %s", err) return err @@ -230,7 +241,7 @@ func cmdAdd(args *skel.CmdArgs) error { } // Override ProxyUID from annotations. - proxyUIDOverride, err := getAnnotationOverride(ctx, client, pod, k8s.ProxyUIDAnnotation) + proxyUIDOverride, err := getAnnotationOverride(ctx, client, pod, "config.linkerd.io/proxy-uid") if err != nil { logEntry.Errorf("linkerd-cni: could not retrieve overridden annotations: %s", err) return err 
@@ -248,7 +259,7 @@ func cmdAdd(args *skel.CmdArgs) error { options.ProxyUserID = parsed } - if pod.GetLabels()[k8s.ControllerComponentLabel] != "" { + if pod.GetLabels()["controller-component"] != "" { // Skip 443 outbound port if its a control plane component logEntry.Debug("linkerd-cni: adding 443 to OutboundPortsToIgnore as its a control plane component") options.OutboundPortsToIgnore = append(options.OutboundPortsToIgnore, "443") @@ -298,7 +309,7 @@ func cmdDel(args *skel.CmdArgs) error { return nil } -func getAnnotationOverride(ctx context.Context, api *k8s.KubernetesAPI, pod *v1.Pod, key string) (string, error) { +func getAnnotationOverride(ctx context.Context, api *kubernetes.Clientset, pod *v1.Pod, key string) (string, error) { // Check if the annotation is present on the pod if override := pod.GetObjectMeta().GetAnnotations()[key]; override != "" { return override, nil diff --git a/cni-plugin/test/install-cni_test.go b/cni-plugin/test/install-cni_test.go index cc6fbc11..92cd4297 100644 --- a/cni-plugin/test/install-cni_test.go +++ b/cni-plugin/test/install-cni_test.go @@ -26,8 +26,6 @@ import ( "strings" "testing" "time" - - "github.com/linkerd/linkerd2/testutil" ) const ( @@ -51,16 +49,14 @@ func env(key, fallback string) string { func setEnv(key, value string, t *testing.T) { err := os.Setenv(key, value) if err != nil { - testutil.AnnotatedFatalf(t, "couldn't set environment variable", - "couldn't set environment variable: %v", err) + t.Fatalf("couldn't set environment variable: %v", err) } } func mktemp(dir, prefix string, t *testing.T) string { tempDir, err := os.MkdirTemp(dir, prefix) if err != nil { - testutil.AnnotatedFatalf(t, "couldn't get current working directory", - "couldn't get current working directory: %v", err) + t.Fatalf("couldn't get current working directory: %v", err) } t.Logf("Created temporary dir: %v", tempDir) return tempDir 
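Review bot: The label key that replaces `k8s.ControllerComponentLabel` is the literal `"controller-component"`, which does not look like the value of the constant it replaces; in linkerd2 that constant is, as far as I recall, `linkerd.io/control-plane-component`, so please confirm against the linkerd2 source. If the literal is wrong, `pod.GetLabels()[...]` is always empty for control-plane pods and port 443 is never added to `OutboundPortsToIgnore`, with no error or log line to show it. Assuming the recalled value is right, the line would be `if pod.GetLabels()["linkerd.io/control-plane-component"] != "" {`. The enclosing `cmdAdd` starts outside the hunk.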
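Review bot: In `mktemp` the rewritten failure message still reads `couldn't get current working directory`, although the call that failed is `os.MkdirTemp(dir, prefix)`; the text appears to have been carried over from `pwd`. Since the line is being rewritten anyway, it can describe the real failure: `t.Fatalf("couldn't create temporary directory in %v: %v", dir, err)`. Adding `t.Helper()` to these small wrappers (`setEnv`, `mktemp`, and the ones in the following hunks) would also make a failure point at the calling line.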
@@ -69,8 +65,7 @@ func mktemp(dir, prefix string, t *testing.T) string { func pwd(t *testing.T) string { wd, err := os.Getwd() if err != nil { - testutil.AnnotatedFatalf(t, "couldn't get current working directory", - "couldn't get current working directory: %v", err) + t.Fatalf("couldn't get current working directory: %v", err) } return wd + "/" } @@ -78,8 +73,7 @@ func pwd(t *testing.T) string { func ls(dir string, t *testing.T) []string { files, err := os.ReadDir(dir) if err != nil { - testutil.AnnotatedFatalf(t, "failed to list files", - "failed to list files: %v", err) + t.Fatalf("failed to list files: %v", err) } fileNames := make([]string, len(files)) for i, f := range files { @@ -89,22 +83,19 @@ func ls(dir string, t *testing.T) []string { } func cp(src, dest string, t *testing.T) { - data, err := os.ReadFile(src) + data, err := os.ReadFile(src) //nolint:gosec if err != nil { - testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to read file %v", src), - "failed to read file %v: %v", src, err) + t.Fatalf("failed to read file %v: %v", src, err) } if err = os.WriteFile(dest, data, 0600); err != nil { - testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to write file %v", dest), - "failed to write file %v: %v", dest, err) + t.Fatalf("failed to write file %v: %v", dest, err) } } func rm(dir string, t *testing.T) { err := os.RemoveAll(dir) if err != nil { - testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to remove dir %v", dir), - "failed to remove dir %v: %v", dir, err) + t.Fatalf("failed to remove dir %v: %v", dir, err) } } 
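Review bot: The `//nolint:gosec` added to `os.ReadFile(src)` in `cp` suppresses every gosec rule on that line and records no reason, so a later reader cannot tell which finding was judged acceptable or why. Stating the rule and the justification keeps the suppression narrow, e.g. `data, err := os.ReadFile(src) //nolint:gosec // G304: src is a test fixture path` (presumably G304 is the finding; confirm against the linter output). The same bare directive is added in the `startDocker`, `compareConfResult` and `doTest` hunks below, including on the `mktemp(testWorkRootDir, result+".fail.XXXX", t)` call, which opens no file on that line and may not need it at all.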
@@ -122,7 +113,6 @@ func checkOnlyOneConfFileExists(t *testing.T, directory string) { if len(possibleConfigFiles) == 0 { t.Log("FAIL: no files found ending with .conf or .conflist in the CNI configuration directory") - // TODO(stevej): testutil.AnnotatedFatal does not result in a Failed test t.Fail() } else if len(possibleConfigFiles) > 1 { t.Logf("FAIL: CNI configuration conflict: multiple files found ending with .conf or .conflist %v", possibleConfigFiles) @@ -172,16 +162,14 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s args = append(args, dockerImage, "install-cni.sh") // Create a temporary log file to write docker command error log. - errFile, err := os.Create(errFileName) + errFile, err := os.Create(errFileName) //nolint:gosec if err != nil { - testutil.AnnotatedFatalf(t, "couldn't create docker stderr file", - "couldn't create docker stderr file: %v", err) + t.Fatalf("couldn't create docker stderr file: %v", err) } defer func() { errClose := errFile.Close() if errClose != nil { - testutil.AnnotatedFatalf(t, "couldn't close docker stderr file", - "couldn't close docker stderr file: %v", errClose) + t.Fatalf("couldn't close docker stderr file: %v", errClose) } }() @@ -191,10 +179,10 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s containerID, err := cmd.Output() if err != nil { - errFileContents, _ := os.ReadFile(errFileName) + errFileContents, _ := os.ReadFile(errFileName) //nolint:gosec t.Logf("%v contents:\n\n%v\n\n", errFileName, string(errFileContents)) - testutil.Fatalf(t, - "test %v ERROR: failed to start docker container '%v', see %v", testNum, dockerImage, errFileName) + t.Fatalf("test %v ERROR: failed to start docker container '%v', see %v", + testNum, dockerImage, errFileName) } t.Logf("Container ID: %s", containerID) return strings.Trim(string(containerID), "\n") 
@@ -204,8 +192,7 @@ func startDocker(testNum int, wd string, testWorkRootDir string, tempCNINetDir s func docker(cmd, containerID string, t *testing.T) { out, err := exec.Command("docker", cmd, containerID).CombinedOutput() if err != nil { - testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to execute 'docker %s %s'", cmd, containerID), - "failed to execute 'docker %s %s': %v", cmd, containerID, err) + t.Fatalf("failed to execute 'docker %s %s': %v", cmd, containerID, err) } t.Logf("docker %s %s - out: %s", cmd, containerID, out) } 
@@ -213,25 +200,22 @@ func docker(cmd, containerID string, t *testing.T) { // compareConfResult does a string compare of 2 test files. func compareConfResult(testWorkRootDir string, tempCNINetDir string, result string, expected string, t *testing.T) { tempResult := tempCNINetDir + "/" + result - resultFile, err := os.ReadFile(tempResult) + resultFile, err := os.ReadFile(tempResult) //nolint:gosec if err != nil { - testutil.AnnotatedFatalf(t, "failed to read file", - "failed to read file %v: %v", tempResult, err) + t.Fatalf("failed to read file %v: %v", tempResult, err) } - expectedFile, err := os.ReadFile(expected) + expectedFile, err := os.ReadFile(expected) //nolint:gosec if err != nil { - testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to read file %v", expected), - "failed to read file %v, err: %v", expected, err) + t.Fatalf("failed to read file %v, err: %v", expected, err) } if bytes.Equal(resultFile, expectedFile) { t.Logf("PASS: result matches expected: %v v. %v", tempResult, expected) } else { - tempFail := mktemp(testWorkRootDir, result+".fail.XXXX", t) + tempFail := mktemp(testWorkRootDir, result+".fail.XXXX", t) //nolint:gosec cp(tempResult, tempFail+"/"+result, t) - testutil.AnnotatedErrorf(t, "FAIL: result doesn't match expected", - "FAIL: result doesn't match expected: %v v. %v\nCheck %v for diff contents", tempResult, expected, tempFail) + t.Errorf("FAIL: result doesn't match expected: %v v. %v\nCheck %v for diff contents", tempResult, expected, tempFail) } } 
@@ -242,13 +226,11 @@ func checkBinDir(t *testing.T, tempCNIBinDir string, op string, files ...string) if op == "add" { t.Logf("PASS: File %v was added to %v", f, tempCNIBinDir) } else if op == "del" { - testutil.AnnotatedFatalf(t, fmt.Sprintf("FAIL: File %v was not removed", f), - "FAIL: File %v was not removed from %v", f, tempCNIBinDir) + t.Fatalf("FAIL: File %v was not removed from %v", f, tempCNIBinDir) } } else { if op == "add" { - testutil.AnnotatedFatalf(t, fmt.Sprintf("FAIL: File %v was not added", f), - "FAIL: File %v was not added to %v", f, tempCNIBinDir) + t.Fatalf("FAIL: File %v was not added to %v", f, tempCNIBinDir) } else if op == "del" { t.Logf("PASS: File %v was removed from %v", f, tempCNIBinDir) } @@ -264,10 +246,9 @@ func doTest(testNum int, wd string, initialNetConfFile string, finalNetConfFile if initialNetConfFile != "NONE" { setEnv(cniConfName, initialNetConfFile, t) } - defaultData, err := os.ReadFile(wd + "../deployment/linkerd-cni.conf.default") + defaultData, err := os.ReadFile(wd + "../deployment/linkerd-cni.conf.default") //nolint:gosec if err != nil { - testutil.AnnotatedFatalf(t, "failed to read file linkerd-cni.conf.default", - "failed to read file %v, err: %v", wd+"../deployment/linkerd-cni.conf.default", err) + t.Fatalf("failed to read file %v, err: %v", wd+"../deployment/linkerd-cni.conf.default", err) } setEnv(cniNetworkConfigName, string(defaultData), t) @@ -288,8 +269,7 @@ func doTest(testNum int, wd string, initialNetConfFile string, finalNetConfFile } else { files := ls(tempCNINetDir, t) if len(files) > 0 { - testutil.AnnotatedFatalf(t, "FAIL: CNI_CONF_DIR is not empty", - "FAIL: CNI_CONF_DIR is not empty: %v", files) + t.Fatalf("FAIL: CNI_CONF_DIR is not empty: %v", files) } else { t.Log("PASS: CNI_CONF_DIR is empty") } diff --git a/go.mod b/go.mod index 0f766114..3ac99e64 100644 --- a/go.mod +++ b/go.mod 
@@ -3,13 +3,50 @@ module github.com/linkerd/linkerd2-proxy-init go 1.18 require ( + github.com/containernetworking/cni v1.1.2 github.com/sirupsen/logrus v1.9.0 github.com/spf13/cobra v1.6.1 - github.com/containernetworking/cni v1.1.2 + k8s.io/api v0.25.4 + k8s.io/apimachinery v0.25.4 + k8s.io/client-go v0.25.4 ) require ( - github.com/inconshreveable/mousetrap v1.0.1 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.10.1 // indirect + github.com/go-logr/logr v1.2.3 // indirect + github.com/go-openapi/jsonpointer v0.19.5 // indirect + github.com/go-openapi/jsonreference v0.20.0 // indirect + github.com/go-openapi/swag v0.22.3 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/protobuf v1.5.2 // indirect + github.com/google/gnostic v0.6.9 // indirect + github.com/google/go-cmp v0.5.9 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/imdario/mergo v0.3.13 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/spf13/pflag v1.0.5 // indirect - golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect + golang.org/x/net v0.2.0 // indirect + golang.org/x/oauth2 v0.2.0 // indirect + golang.org/x/sys v0.2.0 // indirect + golang.org/x/term v0.2.0 // indirect + golang.org/x/text v0.4.0 // indirect + golang.org/x/time v0.2.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.28.1 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/klog/v2 v2.80.1 // indirect + 
k8s.io/kube-openapi v0.0.0-20221123214604-86e75ddd809a // indirect + k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/go.sum b/go.sum index 6f2b7c97..69dcdea9 100644 --- a/go.sum +++ b/go.sum 
@@ -1,24 +1,297 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl31EQbXALQ= +github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew 
v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= +github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= 
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= +github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod 
h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0= +github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/hpcloud/tail v1.0.0/go.mod 
h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= +github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson 
v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod 
h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= +github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0/go.mod 
h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.2.0 h1:GtQkldQ9m7yvzCL1V+LrYow3Khe0eJH0w7RbX/VbaIU= +golang.org/x/oauth2 v0.2.0/go.mod h1:Cwn6afJ8jrQwYMxQDTpISoXmXW9I6qF6vDeuuoX3Ibs= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0 
h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE= +golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.36.0/go.mod 
h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= +google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/fsnotify.v1 
v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= +k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= +k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= +k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= +k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= 
+k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20221123214604-86e75ddd809a h1:UR2YSPKAb8j3uL2yK8V+t2ElG4RoBxhJTxa5gg0ZtSo= +k8s.io/kube-openapi v0.0.0-20221123214604-86e75ddd809a/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= +k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/proxy-init/internal/iptables/iptables.go b/internal/iptables/iptables.go similarity index 99% rename from proxy-init/internal/iptables/iptables.go rename to internal/iptables/iptables.go index 09bcec99..21b6b6f4 100644 --- a/proxy-init/internal/iptables/iptables.go +++ b/internal/iptables/iptables.go @@ -12,7 +12,7 @@ import ( log "github.com/sirupsen/logrus" - "github.com/linkerd/linkerd2-proxy-init/proxy-init/internal/util" + util "github.com/linkerd/linkerd2-proxy-init/internal/util" ) const ( diff --git a/proxy-init/internal/iptables/iptables_test.go b/internal/iptables/iptables_test.go similarity index 100% rename from proxy-init/internal/iptables/iptables_test.go rename to internal/iptables/iptables_test.go 
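Review bot: The explicit `util` alias on the new import in `internal/iptables/iptables.go` is redundant if the package at `internal/util` is already named `util`. It is also inconsistent with `proxy-init/cmd/root.go` in this same commit, which imports the same path unaliased. I would write `"github.com/linkerd/linkerd2-proxy-init/internal/util"` here. The package clause is not visible in this diff, so the alias should stay only if the package name really differs from the directory name.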
diff --git a/proxy-init/internal/util/portrange.go b/internal/util/portrange.go similarity index 100% rename from proxy-init/internal/util/portrange.go rename to internal/util/portrange.go diff --git a/proxy-init/internal/util/portrange_test.go b/internal/util/portrange_test.go similarity index 100% rename from proxy-init/internal/util/portrange_test.go rename to internal/util/portrange_test.go diff --git a/justfile b/justfile index 3187a5b7..4d979e74 100644 --- a/justfile +++ b/justfile @@ -11,7 +11,9 @@ _test-image := "test.l5d.io/linkerd/iptables-tester:test" default: lint test -lint: sh-lint md-lint rs-clippy proxy-init-lint action-lint action-dev-check +lint: sh-lint md-lint rs-clippy action-lint action-dev-check + +go-lint *flags: (proxy-init-lint flags) (cni-plugin-lint flags) test: rs-test proxy-init-test-unit proxy-init-test-integration @@ -69,6 +71,13 @@ rs-check-dir dir *flags: validator *args: {{ just_executable() }} --justfile=validator/.justfile {{ args }} +## +## cni-plugin +## + +cni-plugin-lint *flags: + golangci-lint run ./cni-plugin/... {{ flags }} + ## ## proxy-init ## @@ -76,12 +85,13 @@ validator *args: proxy-init-build: go build -o target/linkerd2-proxy-init ./proxy-init -proxy-init-lint: - golangci-lint run ./proxy-init/... +proxy-init-lint *flags: + golangci-lint run ./proxy-init/... {{ flags }} # Run proxy-init unit tests proxy-init-test-unit: go test -v ./proxy-init/... + go test -v ./internal/... # Run proxy-init integration tests after preparing dependencies proxy-init-test-integration: proxy-init-test-integration-deps proxy-init-test-integration-run diff --git a/proxy-init/cmd/root.go b/proxy-init/cmd/root.go index a20d4020..56876972 100644 --- a/proxy-init/cmd/root.go +++ b/proxy-init/cmd/root.go 
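Review bot: `lint` loses `proxy-init-lint` in this hunk, and the new `go-lint` recipe is not a dependency of `lint` or `default`, so a plain `just lint` no longer runs golangci-lint on any Go code. If CI invokes `go-lint` as a separate job that is fine, but nothing in the visible hunks shows it and a comment above `go-lint` should say so. Otherwise keep the aggregate complete with `lint: sh-lint md-lint rs-clippy go-lint action-lint action-dev-check`.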
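Review bot: The packages this commit moves to `./internal/...` are covered by neither `proxy-init-lint` (`./proxy-init/...`) nor the new `cni-plugin-lint` (`./cni-plugin/...`), although this hunk does add `go test -v ./internal/...` for them. That leaves `internal/iptables`, which by its name and its use in `root.go` holds the firewall-rule logic, outside golangci-lint. I would extend one recipe, for example `golangci-lint run ./proxy-init/... ./internal/... {{ flags }}`, or add an `internal-lint` recipe and list it in `go-lint`.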
@@ -6,10 +6,10 @@ import ( "os/exec" log "github.com/sirupsen/logrus" - - "github.com/linkerd/linkerd2-proxy-init/proxy-init/internal/iptables" - "github.com/linkerd/linkerd2-proxy-init/proxy-init/internal/util" "github.com/spf13/cobra" + + "github.com/linkerd/linkerd2-proxy-init/internal/iptables" + "github.com/linkerd/linkerd2-proxy-init/internal/util" ) // RootOptions provides the information that will be used to build a firewall configuration. diff --git a/proxy-init/cmd/root_test.go b/proxy-init/cmd/root_test.go index 411ab413..222e9222 100644 --- a/proxy-init/cmd/root_test.go +++ b/proxy-init/cmd/root_test.go @@ -4,7 +4,7 @@ import ( "reflect" "testing" - "github.com/linkerd/linkerd2-proxy-init/proxy-init/internal/iptables" + "github.com/linkerd/linkerd2-proxy-init/internal/iptables" ) func TestBuildFirewallConfiguration(t *testing.T) { diff --git a/proxy-init/integration/iptables/http_test.go b/proxy-init/integration/iptables/http_test.go index aa7c0f2f..d955dc96 100644 --- a/proxy-init/integration/iptables/http_test.go +++ b/proxy-init/integration/iptables/http_test.go @@ -3,7 +3,7 @@ package iptablestest import ( "flag" "fmt" - "io/ioutil" + "io" "net" "net/http" "net/url" @@ -250,7 +250,7 @@ func expectSuccessfulGetRequest(t *testing.T, url string) string { if err != nil { t.Fatalf("failed to send HTTP GET to %s:\n%v", url, err) } - body, err := ioutil.ReadAll(resp.Body) + body, err := io.ReadAll(resp.Body) if err != nil { t.Fatalf("failed reading GET response from %s:\n%v", url, err) } diff --git a/proxy-init/integration/iptables/test_service/test_service.go b/proxy-init/integration/iptables/test_service/test_service.go index cd32c69d..f4abe6bc 100644 --- a/proxy-init/integration/iptables/test_service/test_service.go +++ b/proxy-init/integration/iptables/test_service/test_service.go @@ -2,7 +2,7 @@ package main import ( "fmt" - "io/ioutil" + "io" "log" "net/http" "os" 
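Review bot: In the `expectSuccessfulGetRequest` hunk of `http_test.go`, `resp.Body` is passed to `io.ReadAll` with no close visible; the `callOtherServiceHandler` hunk in `test_service.go` has the same shape with `downstreamResp.Body`. Both functions continue outside their hunks, so a close may exist further down. If it does not, add `defer resp.Body.Close()` right after the error check in the test, and `defer downstreamResp.Body.Close()` as the first statement of the handler's `else` branch. The handler also buffers whatever the downstream peer sends, so wrapping the body in `io.LimitReader` would bound that even for a test service.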
@@ -30,7 +30,7 @@ func callOtherServiceHandler(w http.ResponseWriter, r *http.Request) {
 if err != nil {
 http.Error(w, err.Error(), 500)
 } else {
- body, err := ioutil.ReadAll(downstreamResp.Body)
+ body, err := io.ReadAll(downstreamResp.Body)
 if err != nil {
 http.Error(w, err.Error(), 500)
 } else {