Sidecar injection for flagger and/or linkerd namespace

[qingvincentyin]

The docs as well as the helm chart (or the output of linkerd install) suggest that the linkerd (or linkerd-viz) namespace should NOT have the annotation linkerd.io/inject: enabled.

I believe that is incorrect or at least misleading. It worked well that way for a while until I installed flagger according to:

• https://linkerd.io/2.11/tasks/canary-release/#install-flagger

excerpt:
> kubectl apply -k github.com/fluxcd/flagger/kustomize/linkerd

The above installation of flagger (which installs in the linkerd namespace) would not cause flagger's pod to be injected with linkerd-proxy sidecar. Without the sidecar, we'd get this:

$ linkerd check --verbose
...
linkerd-viz
-----------
...
‼ linkerd-viz pods are injected
    could not find proxy container for flagger-c98fb9895-vv7cb pod
    see https://linkerd.io/2/checks/#l5d-viz-pods-injection for hints
‼ viz extension pods are running
    container "linkerd-proxy" in pod "flagger-c98fb9895-vv7cb" is not ready
    see https://linkerd.io/2/checks/#l5d-viz-pods-running for hints

The above linkerd check would first spin for maybe 5 minutes before printing out the above warning. Furthermore, we'd get this:

$ linkerd viz dashboard
Waiting for linkerd-viz extension to become available
Waiting for linkerd-viz extension to become available
Waiting for linkerd-viz extension to become available
... ## repeating for 5 minutes or so before popping up the dashboard in browser.

My solution is to inject a sidecar into the flagger pod. The easiest way to do so is to annotate the linkerd namespace with:

kind: Namespace
metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: enabled

Of course, an alternate solution (which I didn't try) is to annotate flagger's kind: Deployment rather than to annotate the entire linkerd namespace. But so far, annotating the namespace seems to work fine for me.

See Also:

• https://stackoverflow.com/a/71300146/13676217

However, to enable the sidecar injection, the namespace must NOT have this label:

kind: Namespace
metadata:
  name: linkerd
  labels:
    config.linkerd.io/admission-webhooks: disabled # This would disable sidecar injection.

That label is automatically created by linkerd install. And, according to the following doc, must be set to disabled:

• https://linkerd.io/2.11/tasks/install-helm/#customizing-the-namespace-in-the-stable-release

So, we now have a conflicting situation: Linkerd control plane doesn't want sidecar injection in linkerd namespace, but linkerd check for flagger, as well as linkerd vis dashboard (when flagger is installed into linkerd namespace) wants it.

What should be done?

[qingvincentyin]

OK, I figured out the problem myself.

It turns out I installed viz into the namespace linkerd rather than linkerd-viz.

While the control plane (in namespace linkerd) doesn't want sidecar injection, the viz extension does. When the two components are installed into the same namespace, we'd be stuck in whether to turn on sidecar injection or not.

Now I moved viz to namespace linkerd-viz (while flagger still remains in namespace linkerd without sidecar), everything is finally OK:

kind: Namespace
metadata:
  name: linked
  annotations:
    linkerd.io/inject: disabled
  labels:
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/is-control-plane: "true"
    ...

and

kind: Namespace
metadata:
  name: linkerd-viz
  labels:
    linkerd.io/extension: viz
    ...

BTW, the sidecar injection annotation for viz are set at the level of kind: Deployment (by Helm chart) rather than at the level of kind: Namespace.