diff --git a/.proxy-version b/.proxy-version index 59b976d01f65b..5ea2ba0d8ec15 100644 --- a/.proxy-version +++ b/.proxy-version @@ -1 +1 @@ -v2.98.0 +v2.100.0 diff --git a/charts/linkerd2-multicluster/README.md b/charts/linkerd2-multicluster/README.md index f817df5b8bae8..4770c764d9e57 100644 --- a/charts/linkerd2-multicluster/README.md +++ b/charts/linkerd2-multicluster/README.md @@ -22,7 +22,7 @@ linkerd2-multicluster chart and their default values. |`gatewayName` | The name of the gateway that will be installed |`linkerd-gateway` | |`gatewayNginxImage` | The Nginx image |`nginx` | |`gatewayNginxImageVersion` | The version of the Nginx image |`1.17` | -|`gatewayPort` | The port on which all the gateway will accept incoming traffic |`4180` | +|`gatewayPort` | The port on which all the gateway will accept incoming traffic |`4143` | |`gatewayProbePath` | The path that will be used by remote clusters for determining whether the gateway is alive |`/health` | |`gatewayProbePort` | The port used for liveliness probing |`4181` | |`gatewayProbeSeconds` | The interval (in seconds) between liveness probes |`3` | diff --git a/charts/linkerd2-multicluster/templates/gateway.yaml b/charts/linkerd2-multicluster/templates/gateway.yaml index 7932f11162581..14c894acb443f 100644 --- a/charts/linkerd2-multicluster/templates/gateway.yaml +++ b/charts/linkerd2-multicluster/templates/gateway.yaml @@ -11,12 +11,12 @@ data: nginx.conf: |- events { } - stream { - server { - listen {{.Values.gatewayPort}}; - proxy_pass 127.0.0.1:{{.Values.proxyOutboundPort}}; - } - } + stream { + server { + listen 4180; + proxy_pass 127.0.0.1:{{.Values.proxyOutboundPort}}; + } + } http { server { listen {{.Values.gatewayProbePort}}; 
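Review bot: The relay port is now the literal `listen 4180;` in the nginx stream block, and the same literal is repeated in the identity annotation and the `mc-relay` containerPort in the next two hunks of this file. The three can drift apart, and nothing stops `gatewayProbePort` or `gatewayLocalProbePort` from being set to 4180 as well. I would carry it as a single chart value (for example a new `gatewayRelayPort: 4180` in values.yaml; the name is only a suggestion) and reference it in all three places. Since the stream block forwards whatever it accepts to `127.0.0.1:{{.Values.proxyOutboundPort}}`, it is also worth confirming that 4180 can only be reached through the proxy's identity check.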
@@ -56,7 +56,8 @@ spec: annotations: {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} linkerd.io/inject: enabled - config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gatewayProbePort}},{{.Values.gatewayPort}}" + config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gatewayProbePort}},{{.Values.gatewayPort}},4180" + config.linkerd.io/enable-gateway: "true" labels: app: {{.Values.gatewayName}} spec: @@ -78,9 +79,9 @@ spec: initialDelaySeconds: 10 image: {{.Values.gatewayNginxImage}}:{{.Values.gatewayNginxImageVersion}} ports: - - name: linkerd-gateway - containerPort: {{.Values.gatewayPort}} - - name: linkerd-gateway-probe + - name: mc-relay + containerPort: 4180 + - name: mc-probe containerPort: {{.Values.gatewayProbePort}} - name: local-probe containerPort: {{.Values.gatewayLocalProbePort}} @@ -102,10 +103,10 @@ metadata: {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} spec: ports: - - name: linkerd-gateway + - name: mc-gateway port: {{.Values.gatewayPort}} protocol: TCP - - name: linkerd-gateway-probe + - name: mc-probe port: {{.Values.gatewayProbePort}} protocol: TCP selector: diff --git a/charts/linkerd2-multicluster/values.yaml b/charts/linkerd2-multicluster/values.yaml index 6fcfe6c1bc273..edf82a2f4d8ab 100644 --- a/charts/linkerd2-multicluster/values.yaml +++ b/charts/linkerd2-multicluster/values.yaml @@ -8,7 +8,7 @@ gatewayLocalProbePort: 8888 gatewayName: linkerd-gateway gatewayNginxImage: nginx gatewayNginxImageVersion: 1.17 -gatewayPort: 4180 +gatewayPort: 4143 gatewayProbePath: /health gatewayProbePort: 4181 gatewayProbeSeconds: 3 diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 31fc83eb91b92..7203f1b821efb 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl 
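Review bot: Nothing in the template says that `config.linkerd.io/enable-gateway: "true"` depends on the identity list in the annotation above it, yet that list is the only control visible here over which peers may use the gateway. A comment above the two annotations, such as `# gateway mode forwards inbound requests onward; every port that reaches it must require identity`, would keep a later edit from dropping a port. The list also mixes two chart values with the literal 4180, so it should take that number from the same place as the nginx `listen` line.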
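Review bot: The `mc-gateway` Service port has no `targetPort`, so it resolves to pod port `{{.Values.gatewayPort}}`, and after this change no container in the gateway pod declares that port (nginx moved to 4180 as `mc-relay`). It appears to work only because the new default 4143 equals the injected proxy's inbound port; setting `gatewayPort` to anything else would presumably leave the Service pointing at a port nothing listens on. Either add `targetPort: linkerd-proxy` (the name the injector gives port 4143 in the fixtures of this commit) or state the coupling in the README row for `gatewayPort`.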
@@ -18,12 +18,15 @@ env: value: 127.0.0.1:{{.Values.global.proxy.ports.outbound}} - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:{{.Values.global.proxy.ports.inbound}} +{{ if .Values.global.proxy.isGateway -}} +- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.global.clusterDomain}} +{{ end -}} - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - {{- $internalProfileSuffix := printf "svc.%s." .Values.global.clusterDomain }} - value: {{ternary "." $internalProfileSuffix .Values.global.proxy.enableExternalProfiles}} + value: {{printf "svc.%s." .Values.global.clusterDomain}} - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - {{- $internalProfileSuffix := printf "svc.%s." .Values.global.clusterDomain }} - value: {{ternary "." $internalProfileSuffix .Values.global.proxy.enableExternalProfiles}} + {{- $internalDomain := printf "svc.%s." .Values.global.clusterDomain }} + value: {{ternary "." $internalDomain .Values.global.proxy.enableExternalProfiles}} - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE diff --git a/controller/cmd/service-mirror/cluster_watcher_test_util.go b/controller/cmd/service-mirror/cluster_watcher_test_util.go index 84cc8a4b3bd46..c2605163f75cb 100644 --- a/controller/cmd/service-mirror/cluster_watcher_test_util.go +++ b/controller/cmd/service-mirror/cluster_watcher_test_util.go @@ -104,7 +104,7 @@ var createServiceWrongGatewaySpec = &testEnvironment{ }, }, remoteResources: []string{ - gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "linkerd-gateway-wrong", 888, "", 111, "/path", 666), + gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "mc-wrong", 888, "", 111, "/path", 666), }, } 
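Review bot: `LINKERD2_PROXY_DESTINATION_GET_SUFFIXES` no longer goes through the `ternary` on `enableExternalProfiles`, so every injected proxy, not only gateways, is now limited to `svc.<clusterDomain>.` for destination lookups; the fixture changes from `.` to `svc.cluster.local.` later in this commit confirm it, and that deserves a line in the commit message if intended. The expression `printf "svc.%s." .Values.global.clusterDomain` is now written three times while `$internalDomain` is defined only inside the last entry; defining it once and reusing it keeps the gateway suffix and the lookup suffix from diverging. A short comment on `LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES` saying that it bounds the names a gateway will forward for (my reading of the name, please confirm) would help, since widening it would widen what remote clusters can reach. The `env:` list starts and ends outside this hunk.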
@@ -130,7 +130,7 @@ var createServiceOkeGatewaySpec = &testEnvironment{ }, }, remoteResources: []string{ - gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "linkerd-gateway", 888, "gateway-identity", defaultProbePort, defaultProbePath, defaultProbePeriod), + gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "mc-gateway", 888, "gateway-identity", defaultProbePort, defaultProbePath, defaultProbePeriod), }, } @@ -193,7 +193,7 @@ var updateServiceToNewGateway = &testEnvironment{ }, }, remoteResources: []string{ - gatewayAsYaml("gateway-new", "gateway-ns", "currentGatewayResVersion", "0.0.0.0", "linkerd-gateway", 999, "", defaultProbePort, defaultProbePath, defaultProbePeriod), + gatewayAsYaml("gateway-new", "gateway-ns", "currentGatewayResVersion", "0.0.0.0", "mc-gateway", 999, "", defaultProbePort, defaultProbePath, defaultProbePeriod), }, localResources: []string{ mirroredServiceAsYaml("test-service-remote", "test-namespace", "gateway", "gateway-ns", "past", "pastGatewayResVersion", []corev1.ServicePort{ @@ -269,7 +269,7 @@ var updateServiceWithChangedPorts = &testEnvironment{ }, }, remoteResources: []string{ - gatewayAsYaml("gateway", "gateway-ns", "currentGatewayResVersion", "192.0.2.127", "linkerd-gateway", 888, "", defaultProbePort, defaultProbePath, defaultProbePeriod), + gatewayAsYaml("gateway", "gateway-ns", "currentGatewayResVersion", "192.0.2.127", "mc-gateway", 888, "", defaultProbePort, defaultProbePath, defaultProbePeriod), }, localResources: []string{ mirroredServiceAsYaml("test-service-remote", "test-namespace", "gateway", "gateway-ns", "past", "pastGatewayResVersion", []corev1.ServicePort{ diff --git a/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml b/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml index b136c844d972c..9ed7d5aaf6b6f 100644 --- a/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml 
+++ b/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml @@ -12,7 +12,7 @@ env: - name: LINKERD2_PROXY_INBOUND_LISTENER value: tcp://0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: . + value: svc.cluster.local. - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: . - name: LINKERD2_PROXY_POD_NAMESPACE diff --git a/controller/proxy-injector/fake/data/pod-with-debug.patch.json b/controller/proxy-injector/fake/data/pod-with-debug.patch.json index 03f4133c91a77..bdf69f8866a8b 100644 --- a/controller/proxy-injector/fake/data/pod-with-debug.patch.json +++ b/controller/proxy-injector/fake/data/pod-with-debug.patch.json 
@@ -32,57 +32,55 @@ { "op": "add", "path": "/spec/initContainers/-", - "value": - { - "args": [ - "--incoming-proxy-port", - "4143", - "--outgoing-proxy-port", - "4140", - "--proxy-uid", - "2102", - "--inbound-ports-to-ignore", - "4190,4191" - ], - "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", - "imagePullPolicy": "IfNotPresent", - "name": "linkerd-init", - "resources": { - "limits": { - "cpu": "100m", - "memory": "50Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } + "value": { + "args": [ + "--incoming-proxy-port", + "4143", + "--outgoing-proxy-port", + "4140", + "--proxy-uid", + "2102", + "--inbound-ports-to-ignore", + "4190,4191" + ], + "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", + "imagePullPolicy": "IfNotPresent", + "name": "linkerd-init", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ] }, - "securityContext": { - "allowPrivilegeEscalation": false, - "capabilities": { - "add": [ - "NET_ADMIN", - "NET_RAW" - ] - }, - "privileged": false, - "readOnlyRootFilesystem": true, - "runAsNonRoot": false, - "runAsUser": 0 - }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } }, { "op": "add", "path": "/spec/containers/-", - "value": - { - "image": "gcr.io/linkerd-io/debug:debug-image-version", - "imagePullPolicy": "IfNotPresent", - "name": "linkerd-debug", - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "value": { + "image": "gcr.io/linkerd-io/debug:debug-image-version", + "imagePullPolicy": "IfNotPresent", + "name": "linkerd-debug", + "terminationMessagePolicy": "FallbackToLogsOnError" + } }, { "op": "add", 
@@ -92,104 +90,103 @@ { "op": "add", "path": "/spec/containers/-", - "value": - { - "env": [ - { - "name": "LINKERD2_PROXY_LOG", - "value": "warn,linkerd=info" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", - "value": "linkerd-dst.linkerd.svc.cluster.local:8086" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", - "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" - }, - { - "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", - "value": "0.0.0.0:4190" - }, - { - "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", - "value": "0.0.0.0:4191" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", - "value": "127.0.0.1:4140" - }, - { - "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", - "value": "0.0.0.0:4143" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "_pod_ns", - "valueFrom": { - "fieldRef": { - "fieldPath": "metadata.namespace" - } + "value": { + "env": [ + { + "name": "LINKERD2_PROXY_LOG", + "value": "warn,linkerd=info" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", + "value": "linkerd-dst.linkerd.svc.cluster.local:8086" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", + "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + }, + { + "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", + "value": "0.0.0.0:4190" + }, + { + "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", + "value": "0.0.0.0:4191" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", + "value": "127.0.0.1:4140" + }, + { + "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", + "value": "0.0.0.0:4143" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", + "value": "svc.cluster.local." + }, + { + "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", + "value": "." 
+ }, + { + "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "_pod_ns", + "valueFrom": { + "fieldRef": { + "fieldPath": "metadata.namespace" } - }, - { - "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", - "value": "ns:$(_pod_ns)" - }, - { - "name": "LINKERD2_PROXY_IDENTITY_DISABLED", - "value": "disabled" } - ], - "image": "gcr.io/linkerd-io/proxy:dev-undefined", - "imagePullPolicy": "IfNotPresent", - "livenessProbe": { - "httpGet": { - "path": "/live", - "port": 4191 - }, - "initialDelaySeconds": 10 - }, - "name": "linkerd-proxy", - "ports": [ - { - "containerPort": 4143, - "name": "linkerd-proxy" - }, - { - "containerPort": 4191, - "name": "linkerd-admin" - } - ], - "readinessProbe": { - "httpGet": { - "path": "/ready", - "port": 4191 - }, - "initialDelaySeconds": 2 - }, - "resources": null, - "securityContext": { - "allowPrivilegeEscalation": false, - "readOnlyRootFilesystem": true, - "runAsUser": 2102 - }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + }, + { + "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", + "value": "ns:$(_pod_ns)" + }, + { + "name": "LINKERD2_PROXY_IDENTITY_DISABLED", + "value": "disabled" + } + ], + "image": "gcr.io/linkerd-io/proxy:dev-undefined", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "httpGet": { + "path": "/live", + "port": 4191 + }, + "initialDelaySeconds": 10 + }, + "name": "linkerd-proxy", + "ports": [ + { + "containerPort": 4143, + "name": "linkerd-proxy" + }, + { + "containerPort": 4191, + "name": "linkerd-admin" + } + ], + "readinessProbe": { + "httpGet": { + "path": "/ready", + "port": 4191 + }, + "initialDelaySeconds": 2 + }, + "resources": null, + "securityContext": { + "allowPrivilegeEscalation": false, + "readOnlyRootFilesystem": true, + "runAsUser": 2102 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } } ] 
diff --git a/controller/proxy-injector/fake/data/pod.patch.json b/controller/proxy-injector/fake/data/pod.patch.json index 03919b8b6c805..fcc725dfe028d 100644 --- a/controller/proxy-injector/fake/data/pod.patch.json +++ b/controller/proxy-injector/fake/data/pod.patch.json @@ -32,46 +32,45 @@ { "op": "add", "path": "/spec/initContainers/-", - "value": - { - "args": [ - "--incoming-proxy-port", - "4143", - "--outgoing-proxy-port", - "4140", - "--proxy-uid", - "2102", - "--inbound-ports-to-ignore", - "4190,4191" - ], - "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", - "imagePullPolicy": "IfNotPresent", - "name": "linkerd-init", - "resources": { - "limits": { - "cpu": "100m", - "memory": "50Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } + "value": { + "args": [ + "--incoming-proxy-port", + "4143", + "--outgoing-proxy-port", + "4140", + "--proxy-uid", + "2102", + "--inbound-ports-to-ignore", + "4190,4191" + ], + "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", + "imagePullPolicy": "IfNotPresent", + "name": "linkerd-init", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ] }, - "securityContext": { - "allowPrivilegeEscalation": false, - "capabilities": { - "add": [ - "NET_ADMIN", - "NET_RAW" - ] - }, - "privileged": false, - "readOnlyRootFilesystem": true, - "runAsNonRoot": false, - "runAsUser": 0 - }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } }, { "op": "add", 
@@ -81,104 +80,103 @@ { "op": "add", "path": "/spec/containers/-", - "value": - { - "env": [ - { - "name": "LINKERD2_PROXY_LOG", - "value": "warn,linkerd=info" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", - "value": "linkerd-dst.linkerd.svc.cluster.local:8086" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", - "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" - }, - { - "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", - "value": "0.0.0.0:4190" - }, - { - "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", - "value": "0.0.0.0:4191" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", - "value": "127.0.0.1:4140" - }, - { - "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", - "value": "0.0.0.0:4143" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "_pod_ns", - "valueFrom": { - "fieldRef": { - "fieldPath": "metadata.namespace" - } + "value": { + "env": [ + { + "name": "LINKERD2_PROXY_LOG", + "value": "warn,linkerd=info" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", + "value": "linkerd-dst.linkerd.svc.cluster.local:8086" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", + "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + }, + { + "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", + "value": "0.0.0.0:4190" + }, + { + "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", + "value": "0.0.0.0:4191" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", + "value": "127.0.0.1:4140" + }, + { + "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", + "value": "0.0.0.0:4143" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", + "value": "svc.cluster.local." + }, + { + "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", + "value": "." 
+ }, + { + "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "_pod_ns", + "valueFrom": { + "fieldRef": { + "fieldPath": "metadata.namespace" } - }, - { - "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", - "value": "ns:$(_pod_ns)" - }, - { - "name": "LINKERD2_PROXY_IDENTITY_DISABLED", - "value": "disabled" } - ], - "image": "gcr.io/linkerd-io/proxy:dev-undefined", - "imagePullPolicy": "IfNotPresent", - "livenessProbe": { - "httpGet": { - "path": "/live", - "port": 4191 - }, - "initialDelaySeconds": 10 - }, - "name": "linkerd-proxy", - "ports": [ - { - "containerPort": 4143, - "name": "linkerd-proxy" - }, - { - "containerPort": 4191, - "name": "linkerd-admin" - } - ], - "readinessProbe": { - "httpGet": { - "path": "/ready", - "port": 4191 - }, - "initialDelaySeconds": 2 - }, - "resources": null, - "securityContext": { - "allowPrivilegeEscalation": false, - "readOnlyRootFilesystem": true, - "runAsUser": 2102 - }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + }, + { + "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", + "value": "ns:$(_pod_ns)" + }, + { + "name": "LINKERD2_PROXY_IDENTITY_DISABLED", + "value": "disabled" + } + ], + "image": "gcr.io/linkerd-io/proxy:dev-undefined", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "httpGet": { + "path": "/live", + "port": 4191 + }, + "initialDelaySeconds": 10 + }, + "name": "linkerd-proxy", + "ports": [ + { + "containerPort": 4143, + "name": "linkerd-proxy" + }, + { + "containerPort": 4191, + "name": "linkerd-admin" + } + ], + "readinessProbe": { + "httpGet": { + "path": "/ready", + "port": 4191 + }, + "initialDelaySeconds": 2 + }, + "resources": null, + "securityContext": { + "allowPrivilegeEscalation": false, + "readOnlyRootFilesystem": true, + "runAsUser": 2102 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } } ] 
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index 0b5471b092af8..0af09c6e3b5e7 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go @@ -112,6 +112,7 @@ type ( Trace *Trace `json:"trace"` UID int64 `json:"uid"` WaitBeforeExitSeconds uint64 `json:"waitBeforeExitSeconds"` + IsGateway bool `json:"isGateway"` RequireIdentityOnInboundPorts string `json:"requireIdentityOnInboundPorts"` } diff --git a/pkg/inject/inject.go b/pkg/inject/inject.go index 85689d22f366d..5b92ca82ff7df 100644 --- a/pkg/inject/inject.go +++ b/pkg/inject/inject.go @@ -498,6 +498,7 @@ func (conf *ResourceConfig) injectPodSpec(values *patch) { UID: conf.proxyUID(), Resources: conf.proxyResourceRequirements(), WaitBeforeExitSeconds: conf.proxyWaitBeforeExitSeconds(), + IsGateway: conf.isGateway(), RequireIdentityOnInboundPorts: conf.requireIdentityOnInboundPorts(), } @@ -806,6 +807,15 @@ func (conf *ResourceConfig) requireIdentityOnInboundPorts() string { return conf.getOverride(k8s.ProxyRequireIdentityOnInboundPortsAnnotation) } +func (conf *ResourceConfig) isGateway() bool { + if override := conf.getOverride(k8s.ProxyEnableGatewayAnnotation); override != "" { + value, err := strconv.ParseBool(override) + return err == nil && value + } + + return false +} + func (conf *ResourceConfig) proxyWaitBeforeExitSeconds() uint64 { if override := conf.getOverride(k8s.ProxyWaitBeforeExitSecondsAnnotation); override != "" { waitBeforeExitSeconds, err := strconv.ParseUint(override, 10, 64) diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go index 2465074e6bb72..31f03b12532ad 100644 --- a/pkg/k8s/labels.go +++ b/pkg/k8s/labels.go 
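Review bot: `isGateway` treats an unparsable annotation value the same as an absent one: `enable-gateway: "yes"` or a typo yields false with no log line, so an operator gets a non-gateway proxy and no hint why. Logging the parse error as a warning before returning false would make that visible, and the empty-string guard can go because `strconv.ParseBool("")` already returns an error. The function also needs a doc comment, for example `// isGateway reports whether the enable-gateway annotation override parses as true.` Because `getOverride` appears to read workload annotations (its body is not in this diff), that comment should say whether any workload owner may switch a proxy into gateway mode and whether `requireIdentityOnInboundPorts` is expected to be set alongside it.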
@@ -195,6 +195,10 @@ const ( // to always require identity on inbound ports ProxyRequireIdentityOnInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-require-identity-inbound-ports" + // ProxyEnableGatewayAnnotation can be used to configure the proxy + // to operate as a gateway, routing requests that target the inbound router. + ProxyEnableGatewayAnnotation = ProxyConfigAnnotationsPrefix + "/enable-gateway" + // ProxyDisableIdentityAnnotation can be used to disable identity on the injected proxy. ProxyDisableIdentityAnnotation = ProxyConfigAnnotationsPrefix + "/disable-identity" @@ -433,10 +437,10 @@ const ( ConfigKeyName = "kubeconfig" // GatewayPortName is the name of the incoming port of the gateway - GatewayPortName = "linkerd-gateway" + GatewayPortName = "mc-gateway" // ProbePortName is the name of the probe port of the gateway - ProbePortName = "linkerd-gateway-probe" + ProbePortName = "mc-probe" // ServiceMirrorLabel is the value used in the controller component label ServiceMirrorLabel = "servicemirror" diff --git a/test/inject/testdata/injected_params.golden b/test/inject/testdata/injected_params.golden index 4986da1f06e3a..1a65f894ec588 100644 --- a/test/inject/testdata/injected_params.golden +++ b/test/inject/testdata/injected_params.golden @@ -64,7 +64,7 @@ spec: - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:678 - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: . + value: svc.cluster.local. - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: . - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
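Review bot: Renaming `GatewayPortName` to `mc-gateway` and `ProbePortName` to `mc-probe` changes a value that both sides of a multicluster link presumably have to agree on. The chart in this commit names the Service ports with the new strings, so a service mirror built from this commit would likely not find the ports on a gateway installed from the previous chart, and the reverse. If mixed versions are supported, look up the old name as a fallback, or state the required upgrade order in the release notes. The two constant comments could also say that these names must match the port names in charts/linkerd2-multicluster/templates/gateway.yaml.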