linkerd · klingerf · Feb 11, 2019 · Feb 11, 2019
diff --git a/chart/templates/proxy_injector.yaml b/chart/templates/proxy_injector.yaml
@@ -31,7 +31,8 @@ spec:
         - "proxy-injector"
         - "-controller-namespace={{.Values.Namespace}}"
         - "-log-level={{.Values.ControllerLogLevel}}"
-        - "-no-init-container={{.Values.NoInitContainer }}"
+        - "-no-init-container={{.Values.NoInitContainer}}"
+        - "-tls-enabled={{.Values.EnableTLS}}"
         ports:
         - name: proxy-injector
           containerPort: 8443
@@ -186,6 +187,7 @@ data:
     {{- end}}
     - name: LINKERD2_PROXY_ID
       value: "" # this value will be computed by the webhook
+    {{- if .Values.EnableTLS }}
     - name: LINKERD2_PROXY_TLS_TRUST_ANCHORS
       value: /var/linkerd-io/trust-anchors/{{.Values.TLSTrustAnchorFileName}}
     - name: LINKERD2_PROXY_TLS_CERT
@@ -198,6 +200,7 @@ data:
       value: {{.Values.Namespace}}
     - name: LINKERD2_PROXY_TLS_CONTROLLER_IDENTITY
       value: "" # this value will be computed by the webhook
+    {{- end}}
     image: {{.Values.ProxyImage}}
     imagePullPolicy: IfNotPresent
     livenessProbe:
@@ -229,13 +232,15 @@ data:
     securityContext:
       runAsUser: {{.Values.ProxyUID}}
     terminationMessagePolicy: FallbackToLogsOnError
+    {{- if .Values.EnableTLS }}
     volumeMounts:
     - mountPath: /var/linkerd-io/trust-anchors
       name: {{.Values.TLSTrustAnchorVolumeName}}
       readOnly: true
     - mountPath: /var/linkerd-io/identity
       name: {{.Values.TLSSecretsVolumeName}}
       readOnly: true
+    {{- end }}
   {{.Values.TLSTrustAnchorVolumeSpecFileName}}: |
     name: {{.Values.TLSTrustAnchorVolumeName}}
     configMap:

diff --git a/cli/cmd/testdata/install_no_init_container_auto_inject.golden b/cli/cmd/testdata/install_no_init_container_auto_inject.golden
@@ -1251,6 +1251,7 @@ spec:
         - -controller-namespace=linkerd
         - -log-level=info
         - -no-init-container=true
+        - -tls-enabled=true
         image: gcr.io/linkerd-io/controller:dev-undefined
         imagePullPolicy: IfNotPresent
         livenessProbe:

diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden
@@ -1229,6 +1229,7 @@ spec:
         - -controller-namespace=Namespace
         - -log-level=ControllerLogLevel
         - -no-init-container=false
+        - -tls-enabled=true
         image: ControllerImage
         imagePullPolicy: ImagePullPolicy
         livenessProbe:

diff --git a/controller/cmd/proxy-injector/main.go b/controller/cmd/proxy-injector/main.go
@@ -22,6 +22,7 @@ func main() {
 	controllerNamespace := flag.String("controller-namespace", "linkerd", "namespace in which Linkerd is installed")
 	webhookServiceName := flag.String("webhook-service", "linkerd-proxy-injector.linkerd.io", "name of the admission webhook")
 	noInitContainer := flag.Bool("no-init-container", false, "whether to use an init container or the linkerd-cni plugin")
+	tlsEnabled := flag.Bool("tls-enabled", false, "whether the control plane was installed with TLS enabled")
 	flags.ConfigureAndParse()
 
 	stop := make(chan os.Signal, 1)
@@ -38,7 +39,7 @@ func main() {
 		log.Fatalf("failed to create root CA: %s", err)
 	}
 
-	webhookConfig, err := injector.NewWebhookConfig(k8sClient, *controllerNamespace, *webhookServiceName, *noInitContainer, rootCA)
+	webhookConfig, err := injector.NewWebhookConfig(k8sClient, *controllerNamespace, *webhookServiceName, rootCA)
 	if err != nil {
 		log.Fatalf("failed to read the trust anchor file: %s", err)
 	}
@@ -56,7 +57,7 @@ func main() {
 		FileTLSIdentityVolumeSpec:    k8sPkg.MountPathTLSIdentityVolumeSpec,
 	}
 
-	s, err := injector.NewWebhookServer(k8sClient, resources, *addr, *controllerNamespace, *noInitContainer, rootCA)
+	s, err := injector.NewWebhookServer(k8sClient, resources, *addr, *controllerNamespace, *noInitContainer, *tlsEnabled, rootCA)
 	if err != nil {
 		log.Fatalf("failed to initialize the webhook server: %s", err)
 	}

diff --git a/controller/proxy-injector/fake/data/config-proxy-tls-disabled.yaml b/controller/proxy-injector/fake/data/config-proxy-tls-disabled.yaml
@@ -0,0 +1,47 @@
+env:
+- name: LINKERD2_PROXY_LOG
+  value: warn,linkerd2_proxy=info
+- name: LINKERD2_PROXY_CONTROL_URL
+  value: tcp://linkerd-proxy-api.linkerd.svc.cluster.local:8086
+- name: LINKERD2_PROXY_CONTROL_LISTENER
+  value: tcp://0.0.0.0:4190
+- name: LINKERD2_PROXY_METRICS_LISTENER
+  value: tcp://0.0.0.0:4191
+- name: LINKERD2_PROXY_OUTBOUND_LISTENER
+  value: tcp://127.0.0.1:4140
+- name: LINKERD2_PROXY_INBOUND_LISTENER
+  value: tcp://0.0.0.0:4143
+- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
+  value: .
+- name: LINKERD2_PROXY_POD_NAMESPACE
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.namespace
+- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
+  value: 10000ms
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
+  value: 10000ms
+- name: LINKERD2_PROXY_ID
+  value: ""
+image: gcr.io/linkerd-io/proxy:v18.8.4
+imagePullPolicy: IfNotPresent
+livenessProbe:
+  httpGet:
+    path: /metrics
+    port: 4191
+  initialDelaySeconds: 10
+name: linkerd-proxy
+ports:
+- containerPort: 4143
+  name: linkerd-proxy
+- containerPort: 4191
+  name: linkerd-metrics
+readinessProbe:
+  httpGet:
+    path: /metrics
+    port: 4191
+  initialDelaySeconds: 10
+resources: {}
+securityContext:
+  runAsUser: 2102
+terminationMessagePolicy: FallbackToLogsOnError
diff --git a/controller/proxy-injector/fake/data/inject-enabled-tls-disabled-response.yaml b/controller/proxy-injector/fake/data/inject-enabled-tls-disabled-response.yaml
@@ -0,0 +1,73 @@
+iapiVersion: admission.k8s.io/v1beta1
+kind: AdmissionReview
+request:
+  kind:
+    group: apps
+    kind: Deployment
+    version: v1
+  namespace: kube-public
+  object:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/last-applied-configuration: |
+          {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app":"nginx"},"name":"nginx","namespace":"kube-public"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"annotations":{"created-by":"isim"},"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"nginx","name":"nginx","ports":[{"containerPort":80,"name":"http"}]}]}}}}
+      creationTimestamp: null
+      labels:
+        app: nginx
+      name: nginx
+      namespace: kube-public
+    spec:
+      progressDeadlineSeconds: 600
+      replicas: 1
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app: nginx
+      strategy:
+        rollingUpdate:
+          maxSurge: 25%
+          maxUnavailable: 25%
+        type: RollingUpdate
+      template:
+        metadata:
+          annotations:
+            linkerd.io/inject: enabled
+            created-by: isim
+          creationTimestamp: null
+          labels:
+            app: nginx
+        spec:
+          containers:
+          - image: nginx
+            imagePullPolicy: Always
+            name: nginx
+            ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+            resources: {}
+            terminationMessagePath: /dev/termination-log
+            terminationMessagePolicy: File
+          dnsPolicy: ClusterFirst
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext: {}
+          terminationGracePeriodSeconds: 30
+    status: {}
+  oldObject: null
+  operation: CREATE
+  resource:
+    group: apps
+    resource: deployments
+    version: v1
+  uid: 3c3c45ff-bee9-11e8-9c41-b4d755961931
+  userInfo:
+    groups:
+    - system:masters
+    - system:authenticated
+    username: minikube-user
+response:
+  allowed: true
+  patch: W3sib3AiOiJhZGQiLCJwYXRoIjoiL3NwZWMvdGVtcGxhdGUvc3BlYy9jb250YWluZXJzLy0iLCJ2YWx1ZSI6eyJuYW1lIjoibGlua2VyZC1wcm94eSIsImltYWdlIjoiZ2NyLmlvL2xpbmtlcmQtaW8vcHJveHk6djE4LjguNCIsInBvcnRzIjpbeyJuYW1lIjoibGlua2VyZC1wcm94eSIsImNvbnRhaW5lclBvcnQiOjQxNDN9LHsibmFtZSI6ImxpbmtlcmQtbWV0cmljcyIsImNvbnRhaW5lclBvcnQiOjQxOTF9XSwiZW52IjpbeyJuYW1lIjoiTElOS0VSRDJfUFJPWFlfTE9HIiwidmFsdWUiOiJ3YXJuLGxpbmtlcmQyX3Byb3h5PWluZm8ifSx7Im5hbWUiOiJMSU5LRVJEMl9QUk9YWV9DT05UUk9MX1VSTCIsInZhbHVlIjoidGNwOi8vbGlua2VyZC1wcm94eS1hcGkubGlua2VyZC5zdmMuY2x1c3Rlci5sb2NhbDo4MDg2In0seyJuYW1lIjoiTElOS0VSRDJfUFJPWFlfQ09OVFJPTF9MSVNURU5FUiIsInZhbHVlIjoidGNwOi8vMC4wLjAuMDo0MTkwIn0seyJuYW1lIjoiTElOS0VSRDJfUFJPWFlfTUVUUklDU19MSVNURU5FUiIsInZhbHVlIjoidGNwOi8vMC4wLjAuMDo0MTkxIn0seyJuYW1lIjoiTElOS0VSRDJfUFJPWFlfT1VUQk9VTkRfTElTVEVORVIiLCJ2YWx1ZSI6InRjcDovLzEyNy4wLjAuMTo0MTQwIn0seyJuYW1lIjoiTElOS0VSRDJfUFJPWFlfSU5CT1VORF9MSVNURU5FUiIsInZhbHVlIjoidGNwOi8vMC4wLjAuMDo0MTQzIn0seyJuYW1lIjoiTElOS0VSRDJfUFJPWFlfREVTVElOQVRJT05fUFJPRklMRV9TVUZGSVhFUyIsInZhbHVlIjoiLiJ9LHsibmFtZSI6IkxJTktFUkQyX1BST1hZX1BPRF9OQU1FU1BBQ0UiLCJ2YWx1ZUZyb20iOnsiZmllbGRSZWYiOnsiZmllbGRQYXRoIjoibWV0YWRhdGEubmFtZXNwYWNlIn19fSx7Im5hbWUiOiJMSU5LRVJEMl9QUk9YWV9JTkJPVU5EX0FDQ0VQVF9LRUVQQUxJVkUiLCJ2YWx1ZSI6IjEwMDAwbXMifSx7Im5hbWUiOiJMSU5LRVJEMl9QUk9YWV9PVVRCT1VORF9DT05ORUNUX0tFRVBBTElWRSIsInZhbHVlIjoiMTAwMDBtcyJ9LHsibmFtZSI6IkxJTktFUkQyX1BST1hZX0lEIn1dLCJyZXNvdXJjZXMiOnt9LCJsaXZlbmVzc1Byb2JlIjp7Imh0dHBHZXQiOnsicGF0aCI6Ii9tZXRyaWNzIiwicG9ydCI6NDE5MX0sImluaXRpYWxEZWxheVNlY29uZHMiOjEwfSwicmVhZGluZXNzUHJvYmUiOnsiaHR0cEdldCI6eyJwYXRoIjoiL21ldHJpY3MiLCJwb3J0Ijo0MTkxfSwiaW5pdGlhbERlbGF5U2Vjb25kcyI6MTB9LCJ0ZXJtaW5hdGlvbk1lc3NhZ2VQb2xpY3kiOiJGYWxsYmFja1RvTG9nc09uRXJyb3IiLCJpbWFnZVB1bGxQb2xpY3kiOiJJZk5vdFByZXNlbnQiLCJzZWN1cml0eUNvbnRleHQiOnsicnVuQXNVc2VyIjoyMTAyfX19LHsib3AiOiJhZGQiLCJwYXRoIjoiL3NwZWMvdGVtcGxhdGUvc3BlYy9pbml0Q29udGFpbmVycyIsInZhbHVlIjpbXX0seyJvcCI6ImFkZCIsInBhdGgiOiIvc3BlYy90ZW1wbGF0ZS9zcGVjL2luaXRDb250YWluZXJzLy0iLCJ2YWx1ZSI6eyJuYW1lIjoibGlua2VyZC1pbml0IiwiaW1hZ2UiOiJnY3IuaW8vbGlua2VyZC1pby9wcm94eS1pbml0OnYxOC44LjQiLCJhcmdzIjpbIi0taW5jb21pbmctcHJveHktcG9ydCIsIjQxNDMiLCItLW91dGdvaW5nLXByb3h5LXBvcnQiLCI0MTQwIiwiLS1wcm94eS11aWQiLCIyMTAyIiwiLS1pbmJvdW5kLXBvcnRzLXRvLWlnbm9yZSIsIjQxOTAsNDE5MSJdLCJyZXNvdXJjZXMiOnt9LCJ0ZXJtaW5hdGlvbk1lc3NhZ2VQb2xpY3kiOiJGYWxsYmFja1RvTG9nc09uRXJyb3IiLCJpbWFnZVB1bGxQb2xpY3kiOiJJZk5vdFByZXNlbnQiLCJzZWN1cml0eUNvbnRleHQiOnsiY2FwYWJpbGl0aWVzIjp7ImFkZCI6WyJORVRfQURNSU4iXX0sInByaXZpbGVnZWQiOmZhbHNlLCJydW5Bc1VzZXIiOjAsInJ1bkFzTm9uUm9vdCI6ZmFsc2V9fX0seyJvcCI6ImFkZCIsInBhdGgiOiIvc3BlYy90ZW1wbGF0ZS9tZXRhZGF0YS9sYWJlbHMiLCJ2YWx1ZSI6eyJhcHAiOiJuZ2lueCIsImxpbmtlcmQuaW8vY29udHJvbC1wbGFuZS1ucyI6ImxpbmtlcmQiLCJsaW5rZXJkLmlvL3Byb3h5LWRlcGxveW1lbnQiOiJuZ2lueCJ9fSx7Im9wIjoiYWRkIiwicGF0aCI6Ii9tZXRhZGF0YS9sYWJlbHMiLCJ2YWx1ZSI6eyJhcHAiOiJuZ2lueCIsImxpbmtlcmQuaW8vY29udHJvbC1wbGFuZS1ucyI6ImxpbmtlcmQiLCJsaW5rZXJkLmlvL3Byb3h5LWRlcGxveW1lbnQiOiJuZ2lueCJ9fSx7Im9wIjoiYWRkIiwicGF0aCI6Ii9zcGVjL3RlbXBsYXRlL21ldGFkYXRhL2Fubm90YXRpb25zIiwidmFsdWUiOnsiY3JlYXRlZC1ieSI6ImlzaW0iLCJsaW5rZXJkLmlvL2NyZWF0ZWQtYnkiOiJsaW5rZXJkL3Byb3h5LWluamVjdG9yIHYxOC44LjQiLCJsaW5rZXJkLmlvL2luamVjdCI6ImVuYWJsZWQiLCJsaW5rZXJkLmlvL3Byb3h5LXZlcnNpb24iOiJ2MTguOC40In19XQ==
+  patchType: JSONPatch
+  uid: 3c3c45ff-bee9-11e8-9c41-b4d755961931
diff --git a/controller/proxy-injector/fake/data/inject-no-init-container-request.json b/controller/proxy-injector/fake/data/inject-no-init-container-request.json
diff --git a/controller/proxy-injector/fake/factory.go b/controller/proxy-injector/fake/factory.go
@@ -15,10 +15,12 @@ const (
 	DefaultControllerNamespace   = "linkerd"
 	DefaultNamespace             = "default"
 	FileProxySpec                = "fake/data/config-proxy.yaml"
+	FileProxyTLSDisabledSpec     = "fake/data/config-proxy-tls-disabled.yaml"
 	FileProxyInitSpec            = "fake/data/config-proxy-init.yaml"
 	FileTLSTrustAnchorVolumeSpec = "fake/data/config-linkerd-trust-anchors.yaml"
 	FileTLSIdentityVolumeSpec    = "fake/data/config-linkerd-secrets.yaml"
 	DefaultNoInitContainer       = false
+	DefaultTLSEnabled            = true
 )
 
 // Factory is a factory that can convert in-file YAML content into Kubernetes

diff --git a/controller/proxy-injector/server.go b/controller/proxy-injector/server.go
@@ -21,7 +21,7 @@ type WebhookServer struct {
 }
 
 // NewWebhookServer returns a new instance of the WebhookServer.
-func NewWebhookServer(client kubernetes.Interface, resources *WebhookResources, addr, controllerNamespace string, noInitContainer bool, rootCA *pkgTls.CA) (*WebhookServer, error) {
+func NewWebhookServer(client kubernetes.Interface, resources *WebhookResources, addr, controllerNamespace string, noInitContainer, tlsEnabled bool, rootCA *pkgTls.CA) (*WebhookServer, error) {
 	c, err := tlsConfig(rootCA, controllerNamespace)
 	if err != nil {
 		return nil, err
@@ -32,7 +32,7 @@ func NewWebhookServer(client kubernetes.Interface, resources *WebhookResources,
 		TLSConfig: c,
 	}
 
-	webhook, err := NewWebhook(client, resources, controllerNamespace, noInitContainer)
+	webhook, err := NewWebhook(client, resources, controllerNamespace, noInitContainer, tlsEnabled)
 	if err != nil {
 		return nil, err
 	}

diff --git a/controller/proxy-injector/server_test.go b/controller/proxy-injector/server_test.go
@@ -29,7 +29,7 @@ func init() {
 		FileTLSTrustAnchorVolumeSpec: fake.FileTLSTrustAnchorVolumeSpec,
 		FileTLSIdentityVolumeSpec:    fake.FileTLSIdentityVolumeSpec,
 	}
-	webhook, err := NewWebhook(fakeClient, testWebhookResources, fake.DefaultControllerNamespace, false)
+	webhook, err := NewWebhook(fakeClient, testWebhookResources, fake.DefaultControllerNamespace, false, true)
 	if err != nil {
 		panic(err)
 	}
@@ -87,7 +87,7 @@ func TestNewWebhookServer(t *testing.T) {
 	)
 	fakeClient := fake.NewClient(kubeconfig)
 
-	server, err := NewWebhookServer(fakeClient, testWebhookResources, addr, fake.DefaultControllerNamespace, false, rootCA)
+	server, err := NewWebhookServer(fakeClient, testWebhookResources, addr, fake.DefaultControllerNamespace, false, true, rootCA)
 	if err != nil {
 		t.Fatal("Unexpected error: ", err)
 	}