New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Control plane debug #3507
Control plane debug #3507
Conversation
This doesn't appear to be working for $ kubectl -n emojivoto get deploy -o yaml | bin/go-run cli debug-sidecar inject -
deployment "emoji" skipped
deployment "vote-bot" skipped
deployment "voting" skipped
deployment "web" skipped I suspect it is because of the mix of auto-injection via annotation and manual. It probably isn't the end of the world if this doesn't work, as you can just use linkerd internal debug-sidecar -
linkerd dev add-debug-sidecar -
linkerd diagnose control-plane-debug - @olix0r what's your thinking? We're starting to introduce a set of commands like this that are for internal diagnosis. |
Most likely, will take a look. Emoji is meshed, right ? So yes @grampelberg I actually did not realize that when the proxy is autoinjected, it does not actually appear in the yaml that we are processing, so my requirement for injecting a debug sidecar is that there is a proxy container running. This can be changed to also check whether there is |
Not by default, just pass it through |
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
520afb9
to
50b8b35
Compare
Can you explain what the bug is that prevents the debug container from being injected into control plane components and how it is fixed? I'm confused as to why we need a new linkerd CLI command to inject the debug container into control plane components. What doesn't linkerd inject work for this? Can we fix that rather than introducing a new command? |
|
@adleong There was a problem where the uninject was removing some annotations from the control plane component when uninjecting and that was causing the buggy behavior. This has been fixed in this commit, right here. Adding a separate command is the result of having a discussion with @grampelberg around introducing a family of commands that only run on the control plane components and are used for more advanced level debugging. |
If this is just an internal tool, I'd rather solve this problem with instructions for how to manually edit manifests or something like that rather than adding the technical debt of a new subcommand. If you're unfamiliar with the complications of the implementation, it's unclear why this would be a separate command and whether the functionality is overlapping. |
@adleong I am fine with just scratching the whole separate command part and just fixing the problem that was preventing the debug sidecar injection into the control plane components. I think @grampelberg might also have an opinion on the matter. |
I think @grampelberg was just trying to keep the scope narrow here so that this didn't balloon into a huge amount of work. But if you already have a fix that makes @grampelberg does that sound right to you? |
What are the implications of adding it to
It has been useful while helping folks debug issues to ask them to add the debug container to a control plane component and the run a command. So far, the instructions for doing it manually have been extremely hit and miss. I'm looking for something that is easy to explain and get the data back from. |
If I understand correctly, running With that established, I don't think we need a new command here. |
Alright then, I will remove the new command and we take it from there. |
This reverts commit 50b8b35. Signed-off-by: zaharidichev <zaharidichev@gmail.com>
Signed-off-by: zaharidichev <zaharidichev@gmail.com>
Removed the additional command and left just the fix for the original bug that @grampelberg found. If you decide the command is needed, I can add it back. Up to you :) |
I just tried this using this command:
However, since the auto-injector skips pods in the control plane namespace, this had the effect of stripping the proxy out of the pod:
I think, as we discussed above, running |
With the manual flag, it works great, however:
|
@adleong yes, sorry I overlooked that one by mistake |
@zaharidichev can you add a bit more context to the description about the bug that's being fixed here. I'm missing the background on why meta should or shouldn't be uninjected from control plane pods. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
pkg/inject/uninject.go
Outdated
} else { | ||
report.Uninjected.Proxy = true | ||
} | ||
//do not uninject meta if this is a control plane component |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is pretty confusing so I think it warrants a more extensive comment explaining the context. Control plane components must only ever be manually injected, so they will never have the linkerd.io/inject
annotation. Furthermore, since these components are part of linkerd itself, we don't want to strip off the other linkerd.io/*
annotations such as linkerd.io/created-by
when uninjecting.
Although.... maybe we DO want to strip off linkerd.io/proxy-version
? wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I will amend that, good call. Wrt to the linkerd.io/proxy-version
my view is that there is no need to remove it. I assume if the value of the annotation has changed before the nject, then it will be updated. Isn't that correct?
Also, just to confirm my understanding, from end user perspective, uninject
as a command would probably never be used on control plane components by a user, correct. Its only used as part of inject
, which in turn is used not to really inject anything, but to update the injected container such as in the case of adding a debug sidecar. I wonder whether I am the only one who finds all that a bit confusing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder whether I am the only one who finds all that a bit confusing.
I'm pretty sure everyone finds this all very confusing.
… is present Signed-off-by: zaharidichev <zaharidichev@gmail.com>
742b151
to
7c235fa
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Works great, and it's awesome things settled down on the simplest solution 🏅
This pr fixes a problem where control plane component cannot be injected with a debug sidecar. The problem was stemming from the fact that during inject, the control plane components are stripped from all
linkerd.io
metadata. This later on causes inconsistency when the proxy is injected again and leads to invalid yaml being produced causing an error in the form of:The Deployment "linkerd-tap" is invalid: spec.template.metadata.labels: Invalid value: map[string]string(nil):
selectordoes not match template
labels``In addition to that this pr introduces a check that ensures that we can run
inject
on control plane components only if the--manual
flag is present.Fixes #3396