WIP: CNI Plugin (#2071)

* Export RootOptions and BuildFirewallConfiguration so that the cni-plugin can use them.
* Created the cni-plugin based on istio-cni implementation
* Create skeleton files that need to be filled out.
* Create the install scripts and finish up plugin to write iptables
* Added in an integration test around the install_cni.sh and updated the script to handle the case where it isn't the only plugin. Removed the istio kubernetes.go file in favor of pkg/k8s; initial usage of this package; found and fixed the typo in the ClusterRole and ClusterRoleBinding; found the docker-build-cni-plugin script
* Corrected an incorrect name in the docker build file for cni-plugin
* Rename linkerd2-cni to linkerd-cni
* Fixup Dockerfile and clean up code a bit as well as logging statements.
* Update Gopkg.lock after master merge.
* Update test file to remove temporary tag.
* Fixed the command to run during the test while building up the docker run.
* Added attributions to applicable files; in the test file, use a different container for each test scenario and also print the docker logs to stdout when there is an error;
* Add the --no-init-container flag to install and inject. This flag will not output the initContainer and will add an annotation assuming that the cni will be used in this case.
* Update .travis.yml to build the cni-plugin docker image before running the tests.
* Workaround golint warnings.
* Create a new command to install the linkerd-cni plugin.
* Add the --no-init-container option to linkerd inject
* Use the setup ip tables annotation during the proxy auto inject webhook prevent/allow addition of an init container; move cni-plugin tests to the integration-test section of travis
* gate the cni-plugin tests with the -integration-tests flag; remove unnecessary deployment .yaml file.
* Incorporate PR Cleanup suggestions.
* Remove the SetupIPTablesLabel annotation and use config flags and the presence of the init container to determine whether the cni-plugin writes ip tables.
* Fix a logic bug in the cni-plugin code that prevented the iptables from being written; Address PR comments; make tests pass.
* Update go deps shas
* Changed the single file install-cni plugin filename to be .conf vs .conflist; Incorporated latest PR comments around spacing with the new renderer among others.
* Fix an issue with renaming .conf to .conflist when needed.
* Renamed some of the variables to try to make it more clear what is going on.
* Address final PR comments.
* Hide cni flags for the time being.

Signed-off-by: Cody Vandermyn <cody.vandermyn@nordstrom.com>

.travis.yml

@@ -159,7 +159,9 @@ jobs:
           # Run integration tests.
           version="$(./linkerd version --client --short | tr -cd '[:alnum:]-')"
           ./bin/test-run `pwd`/linkerd linkerd-$version
-
+        - |
+          # Run linkerd-cni integration tests.
+          TAG="$(./linkerd version --client --short)" go test -v -race ./cni-plugin/test -integration-tests
       after_script:
         - |
           # Cleanup after integration test run.

Dockerfile-go-deps

@@ -16,7 +16,7 @@ RUN GOPATH=${TEMP_GOPATH} bin/dep version
 # Vendor the Go dependencies. `dep ensure` caches the entire Git repo for
 # every dependency in `${TEMP_GOPATH}/pkg/dep` so it is important to remove it.
 # `go install` below cannot find the packages under vendor/ so move them to
-# /go/pkg. This is all done in a single RUN to avoid creating a giant
+# /go/src. This is all done in a single RUN to avoid creating a giant
 # intermediate layer. `dep status` cannot be used here to ensure consistency
 # because it needs all our source files, which are not available here.
 COPY Gopkg.toml Gopkg.lock ./
@@ -46,6 +46,10 @@ RUN CGO_ENABLED=0 GOOS=linux go install \
     github.com/prometheus/common/expfmt \
     github.com/prometheus/common/model \
     github.com/sirupsen/logrus \
+    github.com/containernetworking/cni/pkg/version \
+    github.com/containernetworking/cni/pkg/skel \
+    github.com/containernetworking/cni/pkg/types \
+    github.com/containernetworking/cni/pkg/invoke \
     google.golang.org/grpc \
     k8s.io/client-go/discovery \
     k8s.io/client-go/kubernetes \

Gopkg.lock

@@ -108,6 +108,19 @@
   revision = "7f2434bc10da710debe5c4315ed6d4df454b4024"
   version = "v0.1.0"
 
+[[projects]]
+  digest = "1:0c93b97f9166ce4302eacf73de5e80e6380c4391954518db99835f2796513206"
+  name = "github.com/containernetworking/cni"
+  packages = [
+    "pkg/skel",
+    "pkg/types",
+    "pkg/types/020",
+    "pkg/types/current",
+    "pkg/version",
+  ]
+  pruneopts = ""
+  revision = "v0.6.0"
+
 [[projects]]
   digest = "1:a9854984bc40330dde2125537b7f46d0a8d7860b3750de2e7cd0a6f904506212"
   name = "github.com/cyphar/filepath-securejoin"
@@ -505,6 +518,14 @@
   revision = "ba968bfe8b2f7e042a574c888954fccecfa385b4"
   version = "v0.8.1"
 
+[[projects]]
+  digest = "1:ee2b0c6d6510f89121be4c233754bd79fe1e04d9beebd35ccccd5b38a23412e8"
+  name = "github.com/projectcalico/libcalico-go"
+  packages = ["lib/logutils"]
+  pruneopts = ""
+  revision = "aab828ef9fd5405040c36368f866e5ec9ea314a6"
+  version = "v1.7.3"
+
 [[projects]]
   digest = "1:e76d0fea4ab688de44c38e57cc657a53aed582cdc1e67470d7f3fbbfc3afec1c"
   name = "github.com/prometheus/client_golang"
@@ -1200,6 +1221,10 @@
   analyzer-version = 1
   input-imports = [
     "github.com/briandowns/spinner",
+    "github.com/containernetworking/cni/pkg/skel",
+    "github.com/containernetworking/cni/pkg/types",
+    "github.com/containernetworking/cni/pkg/types/current",
+    "github.com/containernetworking/cni/pkg/version",
     "github.com/emicklei/proto",
     "github.com/fatih/color",
     "github.com/ghodss/yaml",
@@ -1219,6 +1244,7 @@
     "github.com/mattn/go-runewidth",
     "github.com/nsf/termbox-go",
     "github.com/pkg/browser",
+    "github.com/projectcalico/libcalico-go/lib/logutils",
     "github.com/prometheus/client_golang/api",
     "github.com/prometheus/client_golang/api/prometheus/v1",
     "github.com/prometheus/client_golang/prometheus",

Gopkg.toml

@@ -20,6 +20,10 @@ required = [
   name = "github.com/spf13/cobra"
   revision = "7b2c5ac9fc04fc5efafb60700713d4fa609b777b" # cobra has no release tags at time of writing
 
+[[constraint]]
+  name = "github.com/containernetworking/cni"
+  revision = "v0.6.0"
+
 [[constraint]]
   name = "k8s.io/client-go"
   version = "kubernetes-1.13.1"

bin/docker-build

@@ -12,6 +12,7 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 $bindir/docker-build-controller
 $bindir/docker-build-web
 $bindir/docker-build-proxy-init
+$bindir/docker-build-cni-plugin
 if [ -z "${LINKERD_LOCAL_BUILD_CLI:-}" ]; then
     $bindir/docker-build-cli-bin
 else

bin/docker-build-cni-plugin

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -eu
+
+if [ $# -ne 0 ]; then
+    echo "no arguments allowed for $(basename "$0"), given: $*" >&2
+    exit 64
+fi
+
+bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+rootdir="$( cd $bindir/.. && pwd )"
+
+. "$bindir"/_docker.sh
+. "$bindir"/_tag.sh
+
+dockerfile=$rootdir/cni-plugin/Dockerfile
+
+validate_go_deps_tag "$dockerfile"
+
+(
+    "$bindir"/docker-build-base
+    "$bindir"/docker-build-go-deps
+) >/dev/null
+
+docker_build cni-plugin "$(head_root_tag)" "$dockerfile"

bin/docker-images

@@ -16,7 +16,7 @@ docker_image() {
 
 tag=$(head_root_tag)
 
-for img in cli-bin controller grafana proxy proxy-init web  ; do
+for img in cli-bin cni-plugin controller grafana proxy proxy-init web  ; do
     docker_image "$img" "$tag"
 done
 

bin/docker-pull

@@ -13,6 +13,6 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 . $bindir/_docker.sh
 
-for img in cli-bin controller grafana proxy proxy-init web  ; do
+for img in cli-bin cni-plugin controller grafana proxy proxy-init web  ; do
     docker_pull "$img" "$tag"
 done

bin/docker-push

@@ -13,6 +13,6 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 . $bindir/_docker.sh
 
-for img in cli-bin controller grafana proxy proxy-init web  ; do
+for img in cli-bin cni-plugin controller grafana proxy proxy-init web  ; do
     docker_push "$img" "$tag"
 done

bin/docker-retag-all

@@ -13,6 +13,6 @@ bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 . $bindir/_docker.sh
 
-for img in cli-bin controller grafana proxy proxy-init web  ; do
+for img in cli-bin cni-plugin controller grafana proxy proxy-init web  ; do
     docker_retag "$img" "$from" "$to"
 done

cli/Dockerfile-bin

@@ -1,5 +1,5 @@
 ## compile binaries
-FROM gcr.io/linkerd-io/go-deps:ceb2d9f1 as golang
+FROM gcr.io/linkerd-io/go-deps:a2d3bf8c as golang
 WORKDIR /go/src/github.com/linkerd/linkerd2
 COPY cli cli
 COPY controller/k8s controller/k8s

cli/cmd/inject.go

@@ -12,7 +12,7 @@ import (
 	"github.com/linkerd/linkerd2/pkg/healthcheck"
 	"github.com/linkerd/linkerd2/pkg/k8s"
 	"github.com/spf13/cobra"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	k8sMeta "k8s.io/apimachinery/pkg/api/meta"
 	k8sResource "k8s.io/apimachinery/pkg/api/resource"
 	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -102,6 +102,7 @@ sub-folders, or coming from stdin.`,
 	}
 
 	addProxyConfigFlags(cmd, options.proxyConfigOptions)
+
 	return cmd
 }
 
@@ -178,23 +179,6 @@ func injectPodSpec(t *v1.PodSpec, identity k8s.TLSIdentity, controlPlaneDNSNameO
 		initArgs = append(initArgs, strings.Join(outboundSkipPortsStr, ","))
 	}
 
-	nonRoot := false
-	runAsUser := int64(0)
-	initContainer := v1.Container{
-		Name:                     k8s.InitContainerName,
-		Image:                    options.taggedProxyInitImage(),
-		ImagePullPolicy:          v1.PullPolicy(options.imagePullPolicy),
-		TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
-		Args:                     initArgs,
-		SecurityContext: &v1.SecurityContext{
-			Capabilities: &v1.Capabilities{
-				Add: []v1.Capability{v1.Capability("NET_ADMIN")},
-			},
-			Privileged:   &f,
-			RunAsNonRoot: &nonRoot,
-			RunAsUser:    &runAsUser,
-		},
-	}
 	controlPlaneDNS := fmt.Sprintf("linkerd-proxy-api.%s.svc.cluster.local", controlPlaneNamespace)
 	if controlPlaneDNSNameOverride != "" {
 		controlPlaneDNS = controlPlaneDNSNameOverride
@@ -334,7 +318,26 @@ func injectPodSpec(t *v1.PodSpec, identity k8s.TLSIdentity, controlPlaneDNSNameO
 	}
 
 	t.Containers = append(t.Containers, sidecar)
-	t.InitContainers = append(t.InitContainers, initContainer)
+	if !options.noInitContainer {
+		nonRoot := false
+		runAsUser := int64(0)
+		initContainer := v1.Container{
+			Name:                     k8s.InitContainerName,
+			Image:                    options.taggedProxyInitImage(),
+			ImagePullPolicy:          v1.PullPolicy(options.imagePullPolicy),
+			TerminationMessagePolicy: v1.TerminationMessageFallbackToLogsOnError,
+			Args:                     initArgs,
+			SecurityContext: &v1.SecurityContext{
+				Capabilities: &v1.Capabilities{
+					Add: []v1.Capability{v1.Capability("NET_ADMIN")},
+				},
+				Privileged:   &f,
+				RunAsNonRoot: &nonRoot,
+				RunAsUser:    &runAsUser,
+			},
+		}
+		t.InitContainers = append(t.InitContainers, initContainer)
+	}
 
 	return true
 }

cli/cmd/inject_test.go

@@ -63,6 +63,10 @@ func TestUninjectAndInject(t *testing.T) {
 	proxyRequestOptions.proxyCPURequest = "110m"
 	proxyRequestOptions.proxyMemoryRequest = "100Mi"
 
+	noInitContainerOptions := newInjectOptions()
+	noInitContainerOptions.linkerdVersion = "testinjectversion"
+	noInitContainerOptions.noInitContainer = true
+
 	testCases := []injectYAML{
 		{
 			inputFileName:     "inject_emojivoto_deployment.input.yml",
@@ -148,6 +152,12 @@ func TestUninjectAndInject(t *testing.T) {
 			reportFileName:    "inject_contour.report",
 			testInjectOptions: defaultOptions,
 		},
+		{
+			inputFileName:     "inject_emojivoto_deployment.input.yml",
+			goldenFileName:    "inject_emojivoto_deployment_no_init_container.golden.yml",
+			reportFileName:    "inject_emojivoto_deployment.report",
+			testInjectOptions: noInitContainerOptions,
+		},
 	}
 
 	for i, tc := range testCases {