From 1da8fcce6333fe121d4582cecf33e7f8023c553e Mon Sep 17 00:00:00 2001
From: Takumi Sue <23391543+mikutas@users.noreply.github.com>
Date: Fri, 1 Dec 2023 03:49:24 +0900
Subject: [PATCH] Skip webhook on kube-system by default for tap-injector/jaeger-injector (#11649)

Linkerd's control plane will skip webhook requests for resources in kube-system. The same configuration should be applied for other webhooks, i.e. tap and jaeger injectors. This change allows users to skip webhook on kube-system by default for tap and jaeger injector.

Closes #11647

Signed-off-by: Takumi Sue
---
jaeger/charts/linkerd-jaeger/README.md | 2 +-
jaeger/charts/linkerd-jaeger/values.yaml | 10 ++++++----
jaeger/cmd/testdata/install_collector_disabled.golden | 10 +++++++++-
jaeger/cmd/testdata/install_default.golden | 11 ++++++++++-
jaeger/cmd/testdata/install_jaeger_disabled.golden | 10 +++++++++-
viz/charts/linkerd-viz/README.md | 2 +-
viz/charts/linkerd-viz/values.yaml | 10 ++++++----
viz/cmd/testdata/install_default.golden | 9 ++++++++-
viz/cmd/testdata/install_default_overrides.golden | 9 ++++++++-
viz/cmd/testdata/install_prometheus_disabled.golden | 9 ++++++++-
.../install_prometheus_loglevel_from_args.golden | 9 ++++++++-
viz/cmd/testdata/install_proxy_resources.golden | 9 ++++++++-
12 files changed, 82 insertions(+), 18 deletions(-)

diff --git a/jaeger/charts/linkerd-jaeger/README.md b/jaeger/charts/linkerd-jaeger/README.md
index ed25ff21f8500..feaf1d05171f0 100644
--- a/jaeger/charts/linkerd-jaeger/README.md
+++ b/jaeger/charts/linkerd-jaeger/README.md
@@ -134,7 +134,7 @@ Kubernetes: `>=1.21.0-0`
 | webhook.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
 | webhook.keyPEM | string | `""` | Certificate key for the webhook. If not provided and not using an external secret then Helm will generate one. |
 | webhook.logLevel | string | `"info"` | |
-| webhook.namespaceSelector | string | `nil` | |
+| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}` | Namespace selector used by admission webhook. |
 | webhook.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
 | webhook.objectSelector | string | `nil` | |
 | webhook.replicas | int | `1` | Number of replicas of the jaeger-injector component |
diff --git a/jaeger/charts/linkerd-jaeger/values.yaml b/jaeger/charts/linkerd-jaeger/values.yaml
index 9ad7c674d1c8a..ca9efa0cd3353 100644
--- a/jaeger/charts/linkerd-jaeger/values.yaml
+++ b/jaeger/charts/linkerd-jaeger/values.yaml
@@ -284,11 +284,13 @@ webhook:
 pullPolicy: ""
 logLevel: info
+ # -- Namespace selector used by admission webhook.
 namespaceSelector:
- #matchExpressions:
- #- key: runlevel
- # operator: NotIn
- # values: ["0","1"]
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 objectSelector:
 #matchLabels:
 # foo: bar
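Review bot: The new default `namespaceSelector` in jaeger/charts/linkerd-jaeger/values.yaml keys on the apiserver-managed `kubernetes.io/metadata.name` namespace label, and because the operator is `NotIn`, a namespace that lacks the label still satisfies the selector — so on a cluster that does not populate it (the chart still accepts Kubernetes `>=1.21.0-0`, where that label was, as far as I recall, still behind a default-on beta feature gate) kube-system is silently not excluded and the jaeger-injector keeps intercepting its pods. That only falls back to the pre-change behaviour, but the one-line comment should say why the exclusion exists and when it does not hold, and should warn that a user override of `matchExpressions` replaces the whole list (Helm does not merge sequences), dropping the kube-system exclusion along with it. I would expand the added comment to `# -- Namespace selector used by the admission webhook. The default excludes kube-system via the apiserver-managed` / `# kubernetes.io/metadata.name label, matching the control plane; overriding matchExpressions replaces this list.` The hunk does not show the MutatingWebhookConfiguration's failurePolicy, so I cannot confirm from here whether a webhook outage would otherwise block kube-system pod admission; that is worth checking in the template.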
diff --git a/jaeger/cmd/testdata/install_collector_disabled.golden b/jaeger/cmd/testdata/install_collector_disabled.golden
index f3fcdb4000ff1..e194fe7c88f19 100644
--- a/jaeger/cmd/testdata/install_collector_disabled.golden
+++ b/jaeger/cmd/testdata/install_collector_disabled.golden
@@ -30,7 +30,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: c5d4d160a7fd2febef85a7a02d2df5b5575dec35abc84d696e9afa8d3f8423e6
+ checksum/config: e51bdbaf37450b54e9daa9d8e09de78005be8cdbcbabc74ea314492a0fc74768
 linkerd.io/inject: enabled
 config.linkerd.io/proxy-await: "enabled"
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -41,6 +41,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -collector-svc-addr=collector.linkerd-jaeger:55678
@@ -208,6 +209,12 @@ metadata:
 linkerd.io/extension: jaeger
 webhooks:
 - name: jaeger-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: jaeger-injector
@@ -288,6 +295,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - --query.base-path=/jaeger
diff --git a/jaeger/cmd/testdata/install_default.golden b/jaeger/cmd/testdata/install_default.golden
index 39f407119f2fb..b60eeb99f0b22 100644
--- a/jaeger/cmd/testdata/install_default.golden
+++ b/jaeger/cmd/testdata/install_default.golden
@@ -30,7 +30,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 59b9d7a68d62aabbd291fabf1aa9596df514c7d37853ba34cfd38a0ccb9365d5
+ checksum/config: 86385686bca3c64713b2759edabf06ea7e7fdfa14ab0bfa02e9a734dcab4626f
 linkerd.io/inject: enabled
 config.linkerd.io/proxy-await: "enabled"
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -41,6 +41,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -collector-svc-addr=collector.linkerd-jaeger:55678
@@ -251,6 +252,12 @@ metadata:
 linkerd.io/extension: jaeger
 webhooks:
 - name: jaeger-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: jaeger-injector
@@ -447,6 +454,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - command:
 - /otelcol-contrib
@@ -561,6 +569,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - --query.base-path=/jaeger
diff --git a/jaeger/cmd/testdata/install_jaeger_disabled.golden b/jaeger/cmd/testdata/install_jaeger_disabled.golden
index 84a506f3e373c..0ddb4a50ae599 100644
--- a/jaeger/cmd/testdata/install_jaeger_disabled.golden
+++ b/jaeger/cmd/testdata/install_jaeger_disabled.golden
@@ -30,7 +30,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 33e744466fd4a94faf5e7cd42d65af7b75beedcdfdb5264667f97b0299e8724e
+ checksum/config: fe46dd2c7aa7005c397ecf35aeb0e810a5f0d5587974c0311efec930b4c95efb
 linkerd.io/inject: enabled
 config.linkerd.io/proxy-await: "enabled"
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -41,6 +41,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -collector-svc-addr=collector.linkerd-jaeger:55678
@@ -251,6 +252,12 @@ metadata:
 linkerd.io/extension: jaeger
 webhooks:
 - name: jaeger-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: jaeger-injector
@@ -436,6 +443,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - command:
 - /otelcol-contrib
diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md
index aee32d2b9d9b6..b261d66f9952c 100644
--- a/viz/charts/linkerd-viz/README.md
+++ b/viz/charts/linkerd-viz/README.md
@@ -198,7 +198,7 @@ Kubernetes: `>=1.21.0-0`
 | tapInjector.keyPEM | string | `""` | Certificate key for the tapInjector. If not provided and not using an external secret then Helm will generate one. |
 | tapInjector.logFormat | string | defaultLogFormat | log format of the tapInjector component |
 | tapInjector.logLevel | string | defaultLogLevel | log level of the tapInjector |
-| tapInjector.namespaceSelector | string | `nil` | |
+| tapInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}` | Namespace selector used by admission webhook. |
 | tapInjector.objectSelector | string | `nil` | |
 | tapInjector.proxy | string | `nil` | |
 | tapInjector.replicas | int | `1` | Number of replicas of tapInjector |
diff --git a/viz/charts/linkerd-viz/values.yaml b/viz/charts/linkerd-viz/values.yaml
index 24009e95bf932..87e58bb4e3ce9 100644
--- a/viz/charts/linkerd-viz/values.yaml
+++ b/viz/charts/linkerd-viz/values.yaml
@@ -246,11 +246,13 @@ tapInjector:
 # @default -- defaultImagePullPolicy
 pullPolicy: ""
+ # -- Namespace selector used by admission webhook.
 namespaceSelector:
- # matchExpressions:
- # - key: runlevel
- # operator: NotIn
- # values: ["0","1"]
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 objectSelector:
 # matchLabels:
 # foo: bar
diff --git a/viz/cmd/testdata/install_default.golden b/viz/cmd/testdata/install_default.golden
index eadce5ab7c80f..8a61f7404db0a 100644
--- a/viz/cmd/testdata/install_default.golden
+++ b/viz/cmd/testdata/install_default.golden
@@ -1020,6 +1020,12 @@ metadata:
 linkerd.io/extension: viz
 webhooks:
 - name: tap-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: tap-injector
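Review bot: The `tapInjector.namespaceSelector` default added to viz/charts/linkerd-viz/values.yaml is documented with a single generic line, yet it carries two operational caveats a user setting this value needs: `NotIn` on `kubernetes.io/metadata.name` matches any namespace that lacks that label, so on a cluster whose apiserver does not populate it (possible at the low end of the chart's `>=1.21.0-0` range, where that label was, as far as I recall, still a default-on beta feature) kube-system quietly stays in scope of the tap-injector; and because Helm replaces rather than merges list values, anyone who sets their own `matchExpressions` silently discards the kube-system exclusion. I would replace the added comment with `# -- Namespace selector used by the admission webhook. By default kube-system is excluded via its apiserver-managed` / `# kubernetes.io/metadata.name label (as the control plane does); overriding matchExpressions replaces this default.` Whether the tap-injector's MutatingWebhookConfiguration fails open or closed is not visible in this hunk, so I would also confirm in the template that the exclusion is actually what protects kube-system admission during a webhook outage.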
@@ -1082,7 +1088,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 390143015ec83a86ded6630634da5834c8ac7700b93d486a7dc101a15cb87f15
+ checksum/config: d1929cba78b3be3d4f4ccdb0177d328b09d87f39ba90f30fbbbd471be561f18f
 linkerd.io/created-by: linkerd/helm dev-undefined
 linkerd.io/inject: enabled
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -1263,6 +1269,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085
diff --git a/viz/cmd/testdata/install_default_overrides.golden b/viz/cmd/testdata/install_default_overrides.golden
index de55473a02e4b..3dae2ddbb7126 100644
--- a/viz/cmd/testdata/install_default_overrides.golden
+++ b/viz/cmd/testdata/install_default_overrides.golden
@@ -1020,6 +1020,12 @@ metadata:
 linkerd.io/extension: viz
 webhooks:
 - name: tap-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: tap-injector
@@ -1082,7 +1088,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 390143015ec83a86ded6630634da5834c8ac7700b93d486a7dc101a15cb87f15
+ checksum/config: d1929cba78b3be3d4f4ccdb0177d328b09d87f39ba90f30fbbbd471be561f18f
 linkerd.io/created-by: linkerd/helm dev-undefined
 linkerd.io/inject: enabled
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -1263,6 +1269,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085
diff --git a/viz/cmd/testdata/install_prometheus_disabled.golden b/viz/cmd/testdata/install_prometheus_disabled.golden
index 1dc1d7fe3dca7..bedafbf997636 100644
--- a/viz/cmd/testdata/install_prometheus_disabled.golden
+++ b/viz/cmd/testdata/install_prometheus_disabled.golden
@@ -729,6 +729,12 @@ metadata:
 linkerd.io/extension: viz
 webhooks:
 - name: tap-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: tap-injector
@@ -791,7 +797,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 390143015ec83a86ded6630634da5834c8ac7700b93d486a7dc101a15cb87f15
+ checksum/config: d1929cba78b3be3d4f4ccdb0177d328b09d87f39ba90f30fbbbd471be561f18f
 linkerd.io/created-by: linkerd/helm dev-undefined
 linkerd.io/inject: enabled
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -972,6 +978,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085
diff --git a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden
index ba308ab927c92..c996adaf21d9c 100644
--- a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden
+++ b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden
@@ -1020,6 +1020,12 @@ metadata:
 linkerd.io/extension: viz
 webhooks:
 - name: tap-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: tap-injector
@@ -1082,7 +1088,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 390143015ec83a86ded6630634da5834c8ac7700b93d486a7dc101a15cb87f15
+ checksum/config: d1929cba78b3be3d4f4ccdb0177d328b09d87f39ba90f30fbbbd471be561f18f
 linkerd.io/created-by: linkerd/helm dev-undefined
 linkerd.io/inject: enabled
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -1263,6 +1269,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085
diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden
index 9bf15f55e19a6..c013871e40546 100644
--- a/viz/cmd/testdata/install_proxy_resources.golden
+++ b/viz/cmd/testdata/install_proxy_resources.golden
@@ -1028,6 +1028,12 @@ metadata:
 linkerd.io/extension: viz
 webhooks:
 - name: tap-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
 clientConfig:
 service:
 name: tap-injector
@@ -1090,7 +1096,7 @@ spec:
 template:
 metadata:
 annotations:
- checksum/config: 390143015ec83a86ded6630634da5834c8ac7700b93d486a7dc101a15cb87f15
+ checksum/config: d1929cba78b3be3d4f4ccdb0177d328b09d87f39ba90f30fbbbd471be561f18f
 linkerd.io/created-by: linkerd/helm dev-undefined
 linkerd.io/inject: enabled
 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
@@ -1275,6 +1281,7 @@ spec:
 spec:
 nodeSelector:
 kubernetes.io/os: linux
+
 containers:
 - args:
 - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085