From 0e943f41a19789dbecbb25a19d54158de9911370 Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Wed, 6 Dec 2023 11:25:00 -0500
Subject: [PATCH] Add RBAC for publishing events, and env var for pod name
---
 charts/linkerd2-cni/templates/cni-plugin.yaml | 9 ++++++++-
 cli/cmd/testdata/install-cni-plugin_default.golden | 9 ++++++++-
 .../testdata/install-cni-plugin_fully_configured.golden | 9 ++++++++-
 ...install-cni-plugin_fully_configured_equal_dsts.golden | 9 ++++++++-
 ...stall-cni-plugin_fully_configured_no_namespace.golden | 9 ++++++++-
 cli/cmd/testdata/install-cni-plugin_skip_ports.golden | 9 ++++++++-
 cli/cmd/testdata/install_cni_helm_default_output.golden | 9 ++++++++-
 cli/cmd/testdata/install_cni_helm_override_output.golden | 9 ++++++++-
 8 files changed, 64 insertions(+), 8 deletions(-)
diff --git a/charts/linkerd2-cni/templates/cni-plugin.yaml b/charts/linkerd2-cni/templates/cni-plugin.yaml
index 62e0833d30763..09d10b5214644 100644
--- a/charts/linkerd2-cni/templates/cni-plugin.yaml
+++ b/charts/linkerd2-cni/templates/cni-plugin.yaml
@@ -115,6 +115,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -286,10 +289,14 @@ spec:
 imagePullPolicy: {{ .Values.reinitializePods.image.pullPolicy }}
 {{- if .Values.reinitializePods.enableSecurityContext }}
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args:
diff --git a/cli/cmd/testdata/install-cni-plugin_default.golden b/cli/cmd/testdata/install-cni-plugin_default.golden
index 2f52c30758d26..c6b5547fcf28e 100644
--- a/cli/cmd/testdata/install-cni-plugin_default.golden
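Review bot: The rule added in the `@@ -115,6 +115,9 @@` hunk grants `create` on `events` in `events.k8s.io` with no comment saying what publishes them, and because a ClusterRoleBinding follows in the context the role looks cluster-scoped, so the CNI service account would be able to write events into every namespace. If that breadth is needed because the evicted pods can live in any namespace, record it above the rule, e.g. `# reinitialize-pods records an Event on each pod it evicts; target pods may be in any namespace`. Also confirm that `create` alone covers the recorder in use, since some event recorders `patch` an existing event to aggregate repeats. The `rules:` list starts outside the hunk.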
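Review bot: In the `@@ -286,10 +289,14 @@` hunk the rename from `LINKERD_REINITIALIZE_PODS_POD_NODE_NAME` to `LINKERD_REINITIALIZE_PODS_NODE_NAME` only works with a binary that reads the new name, yet the golden outputs in this patch still render `cr.l5d.io/linkerd/cni-plugin:v1.3.0`; confirm that image already expects both new variables, or bump the tag in the same change. The `env:` block also sits directly after `{{- if .Values.reinitializePods.enableSecurityContext }}`, with the matching `{{- end }}` outside the hunk, so it appears to be inside that conditional; if it is, turning the security context off would silently drop the node and pod names. A short comment such as `# downward-API values: the node to watch and this pod's own name` above the entries would document why both are injected.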
+++ b/cli/cmd/testdata/install-cni-plugin_default.golden
@@ -28,6 +28,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -171,10 +174,14 @@ spec:
 image: cr.l5d.io/linkerd/cni-plugin:v1.3.0
 imagePullPolicy: IfNotPresent
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args:
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
index 20bedd8388423..6b295968fb02c 100644
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden
@@ -28,6 +28,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -170,10 +173,14 @@ spec:
 image: cr.l5d.io/linkerd/cni-plugin:v1.3.0
 imagePullPolicy: IfNotPresent
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args:
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
index 54328acb1c5e0..9841b9a6e1ff8 100644
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden
@@ -28,6 +28,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -168,10 +171,14 @@ spec:
 image: cr.l5d.io/linkerd/cni-plugin:v1.3.0
 imagePullPolicy: IfNotPresent
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args:
diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
index 20bedd8388423..6b295968fb02c 100644
--- a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
+++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden
@@ -28,6 +28,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -170,10 +173,14 @@ spec:
 image: cr.l5d.io/linkerd/cni-plugin:v1.3.0
 imagePullPolicy: IfNotPresent
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args:
diff --git a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
index 25d57f54ffe9d..e147c729a42ac 100644
--- a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
+++ b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden
@@ -28,6 +28,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -170,10 +173,14 @@ spec:
 image: cr.l5d.io/linkerd/cni-plugin:v1.3.0
 imagePullPolicy: IfNotPresent
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args:
diff --git a/cli/cmd/testdata/install_cni_helm_default_output.golden b/cli/cmd/testdata/install_cni_helm_default_output.golden
index f07cddd234eed..3cf24d0218373 100644
--- a/cli/cmd/testdata/install_cni_helm_default_output.golden
+++ b/cli/cmd/testdata/install_cni_helm_default_output.golden
@@ -21,6 +21,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -162,10 +165,14 @@ spec:
 image: cr.l5d.io/linkerd/cni-plugin:v1.3.0
 imagePullPolicy: IfNotPresent
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args:
diff --git a/cli/cmd/testdata/install_cni_helm_override_output.golden b/cli/cmd/testdata/install_cni_helm_override_output.golden
index 730b02d2cf8a4..a4f3c81b99f03 100644
--- a/cli/cmd/testdata/install_cni_helm_override_output.golden
+++ b/cli/cmd/testdata/install_cni_helm_override_output.golden
@@ -21,6 +21,9 @@ rules:
 - apiGroups: [""]
 resources: ["pods/eviction"]
 verbs: ["create"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -163,10 +166,14 @@ spec:
 image: cr.l5d.io/linkerd/cni-plugin:v1.3.0
 imagePullPolicy: IfNotPresent
 env:
- - name: LINKERD_REINITIALIZE_PODS_POD_NODE_NAME
+ - name: LINKERD_REINITIALIZE_PODS_NODE_NAME
 valueFrom:
 fieldRef:
 fieldPath: spec.nodeName
+ - name: LINKERD_REINITIALIZE_PODS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
 command:
 - /usr/lib/linkerd/linkerd-reinitialize-pods
 args: