From 006f6e2c3beac552479882d724043944cfe21ead Mon Sep 17 00:00:00 2001
From: Matei David
Date: Mon, 13 Nov 2023 15:55:03 +0000
Subject: [PATCH 1/3] Fix service-mirror template when running in HA mode

Two clusters can be linked in HA mode. When HA values are used, the service-mirror deployment receives some pod affinity rules to ensure fair scheduling of pods across a cluster's nodes.

The service-mirror Deployment's template seems to be broken at the moment when using HA values. Affinity rules are incorrectly grouped under a top-level `podAntiAffinity` field. The Kubernetes API requires the rules to be grouped under a top-level `affinity` field. This change rectifies that by introducing the missing parent.

Fixes #11603

Signed-off-by: Matei David
---
 .../templates/service-mirror.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml b/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml
index 76b6241758c80..339bd4b13ee82 100644
--- a/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml
+++ b/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml
@@ -86,6 +86,7 @@ metadata:
 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 {{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
 ---
+{{- $tree := deepCopy . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -120,10 +121,9 @@ spec:
         mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
         {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
     spec:
-      {{- if .Values.enablePodAntiAffinity -}}
-      {{- $local := dict "label" "mirror.linkerd.io/cluster-name" "component" .Values.targetClusterName -}}
-      {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
-      {{- end }}
+      {{- $_ := set $tree "component" .Values.targetClusterName -}}
+      {{- $_ := set $tree "label" "mirror.linkerd.io/cluster-name" -}}
+      {{- include "linkerd.affinity" $tree | nindent 6 }}
       containers:
       - args:
         - service-mirror

From bef2ecc182b6abfec683065179dd4f13ca19a516 Mon Sep 17 00:00:00 2001
From: Matei David
Date: Thu, 16 Nov 2023 13:39:08 +0000
Subject: [PATCH 2/3] Fix typo in default svc mirror fixture

Signed-off-by: Matei David
---
 .../testdata/service_mirror_default.golden | 151 ++++++++++++++++++
 1 file changed, 151 insertions(+)
 create mode 100644 multicluster/cmd/testdata/service_mirror_default.golden

diff --git a/multicluster/cmd/testdata/service_mirror_default.golden b/multicluster/cmd/testdata/service_mirror_default.golden
new file mode 100644
index 0000000000000..7290e1763eef7
--- /dev/null
+++ b/multicluster/cmd/testdata/service_mirror_default.golden
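Review bot: Dropping the `{{- if .Values.enablePodAntiAffinity -}}` guard makes the `linkerd.affinity` include unconditional in this hunk, so unless that partial checks the flag itself, every non-HA link renders affinity rules too. PATCH 3/3 of this series re-wraps the include in the guard, so the end state is fine, but a sentence in this commit message saying the guard returns in a follow-up would keep the series bisectable. The `$tree` the hunk relies on is assigned in the previous hunk at template top level, between YAML documents; the `with $tree := deepCopy .` scoping introduced later is the tidier shape.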
@@ -0,0 +1,151 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-service-mirror-access-local-resources-test-cluster
+  labels:
+    linkerd.io/extension: multicluster
+    component: service-mirror
+    mirror.linkerd.io/cluster-name: test-cluster
+rules:
+- apiGroups: [""]
+  resources: ["endpoints", "services"]
+  verbs: ["list", "get", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["list", "get", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-service-mirror-access-local-resources-test-cluster
+  labels:
+    linkerd.io/extension: multicluster
+    component: service-mirror
+    mirror.linkerd.io/cluster-name: test-cluster
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: linkerd-service-mirror-access-local-resources-test-cluster
+subjects:
+- kind: ServiceAccount
+  name: linkerd-service-mirror-test-cluster
+  namespace: test
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-service-mirror-read-remote-creds-test-cluster
+  namespace: test
+  labels:
+    linkerd.io/extension: multicluster
+    component: service-mirror
+    mirror.linkerd.io/cluster-name: test-cluster
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["cluster-credentials-test-cluster"]
+    verbs: ["list", "get", "watch"]
+  - apiGroups: ["multicluster.linkerd.io"]
+    resources: ["links"]
+    verbs: ["list", "get", "watch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "get", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-service-mirror-read-remote-creds-test-cluster
+  namespace: test
+  labels:
+    linkerd.io/extension: multicluster
+    component: service-mirror
+    mirror.linkerd.io/cluster-name: test-cluster
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: linkerd-service-mirror-read-remote-creds-test-cluster
+subjects:
+  - kind: ServiceAccount
+    name: linkerd-service-mirror-test-cluster
+    namespace: test
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-service-mirror-test-cluster
+  namespace: test
+  labels:
+    linkerd.io/extension: multicluster
+    component: service-mirror
+    mirror.linkerd.io/cluster-name: test-cluster
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    linkerd.io/extension: multicluster
+    component: service-mirror
+    mirror.linkerd.io/cluster-name: test-cluster
+  name: linkerd-service-mirror-test-cluster
+  namespace: test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      component: linkerd-service-mirror
+      mirror.linkerd.io/cluster-name: test-cluster
+  template:
+    metadata:
+      annotations:
+        linkerd.io/inject: enabled
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
+      labels:
+        linkerd.io/extension: multicluster
+        component: linkerd-service-mirror
+        mirror.linkerd.io/cluster-name: test-cluster
+    spec:
+      containers:
+      - args:
+        - service-mirror
+        - -log-level=info
+        - -log-format=plain
+        - -event-requeue-limit=3
+        - -namespace=test
+        - -enable-pprof=false
+        - test-cluster
+        image: cr.l5d.io/linkerd/controller:dev-undefined
+        name: service-mirror
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 2103
+          seccompProfile:
+            type: RuntimeDefault
+        ports:
+        - containerPort: 9999
+          name: admin-http
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: linkerd-service-mirror-test-cluster
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: probe-gateway-test-cluster
+  namespace: test
+  labels:
+    linkerd.io/extension: multicluster
+    mirror.linkerd.io/mirrored-gateway: "true"
+    mirror.linkerd.io/cluster-name: test-cluster
+spec:
+  ports:
+  - name: mc-probe
+    port: 4191
+    protocol: TCP

From e7c499fa7a206456d1bc320ac7f2c0624c2ee08f Mon Sep 17 00:00:00 2001
From: Matei David
Date: Thu, 16 Nov 2023 13:40:18 +0000
Subject: [PATCH 3/3] Add test for HA mode and fix newline when rendering non-HA templates

Signed-off-by: Matei David
---
 .../templates/service-mirror.yaml | 5 ++-
 multicluster/cmd/link_test.go | 10 ++++-
 ...efault.golden => service_mirror_ha.golden} | 39 +++++++++++++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)
 rename multicluster/cmd/testdata/{serivce_mirror_default.golden => service_mirror_ha.golden} (78%)

diff --git a/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml b/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml
index 339bd4b13ee82..626f79286f55c 100644
--- a/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml
+++ b/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml
@@ -86,7 +86,6 @@ metadata:
 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 {{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
 ---
-{{- $tree := deepCopy . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -121,9 +120,13 @@ spec:
         mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
         {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
     spec:
+      {{- if .Values.enablePodAntiAffinity}}
+      {{- with $tree := deepCopy . }}
       {{- $_ := set $tree "component" .Values.targetClusterName -}}
       {{- $_ := set $tree "label" "mirror.linkerd.io/cluster-name" -}}
       {{- include "linkerd.affinity" $tree | nindent 6 }}
+      {{- end }}
+      {{- end }}
       containers:
       - args:
         - service-mirror
diff --git a/multicluster/cmd/link_test.go b/multicluster/cmd/link_test.go
index bcb39e3029f83..97e3790a5217e 100644
--- a/multicluster/cmd/link_test.go
+++ b/multicluster/cmd/link_test.go
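Review bot: The new `{{- if .Values.enablePodAntiAffinity}}` line omits the space before the closing delimiter that every other action in this hunk has (`{{- end }}`, `{{- with $tree := deepCopy . }}`); write it `{{- if .Values.enablePodAntiAffinity }}` so the template stays uniform. Inside `{{- with $tree := deepCopy . }}` the dot is rebound to the copy, so the `.Values.targetClusterName` on the next line resolves against `$tree.Values`, which only works because it is a deep copy of the root context; a one-line `{{- /* $tree is a deep copy of the root context, so set below does not mutate .Values for later documents */ -}}` above the two `set` calls would spare the next reader that reasoning. Why the whole root has to be copied, rather than passing a small dict as the removed `$local` did, presumably depends on what `linkerd.affinity` reads, which is outside this diff.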
@@ -20,7 +20,15 @@ func TestServiceMirrorRender(t *testing.T) {
 		{
 			linkValues,
 			nil,
-			"serivce_mirror_default.golden",
+			"service_mirror_default.golden",
+		},
+
+		{
+			linkValues,
+			map[string]interface{}{
+				"enablePodAntiAffinity": true,
+			},
+			"service_mirror_ha.golden",
 		},
 	}
 	for i, tc := range testCases {
diff --git a/multicluster/cmd/testdata/serivce_mirror_default.golden b/multicluster/cmd/testdata/service_mirror_ha.golden
similarity index 78%
rename from multicluster/cmd/testdata/serivce_mirror_default.golden
rename to multicluster/cmd/testdata/service_mirror_ha.golden
index 7290e1763eef7..9b5ec6866b87e 100644
--- a/multicluster/cmd/testdata/serivce_mirror_default.golden
+++ b/multicluster/cmd/testdata/service_mirror_ha.golden
@@ -95,6 +95,9 @@ spec:
     matchLabels:
       component: linkerd-service-mirror
       mirror.linkerd.io/cluster-name: test-cluster
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       annotations:
@@ -106,6 +109,26 @@ spec:
       component: linkerd-service-mirror
       mirror.linkerd.io/cluster-name: test-cluster
     spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: mirror.linkerd.io/cluster-name
+                  operator: In
+                  values:
+                  - test-cluster
+              topologyKey: topology.kubernetes.io/zone
+            weight: 100
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: mirror.linkerd.io/cluster-name
+                operator: In
+                values:
+                - test-cluster
+            topologyKey: kubernetes.io/hostname
       containers:
       - args:
         - service-mirror
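Review bot: The new test case overrides only `enablePodAntiAffinity`, so the fixture it renders keeps `replicas: 1` from the default golden (the rename diff for `service_mirror_ha.golden` contains insertions only), and with a single replica the `requiredDuringSchedulingIgnoredDuringExecution` anti-affinity and the `maxUnavailable: 1` PodDisruptionBudget never constrain anything; the case exercises the template branch but not an HA-shaped deployment. Either add a replica-count override alongside the flag, using whatever key the chart's HA values set, or name the fixture after the flag it actually toggles. The anonymous test-case struct carries no description, so a failure is reported only by the index `i` in the loop below; a trailing comment such as `// enablePodAntiAffinity: affinity, rolling-update strategy and PDB are rendered` on the new case would help. The new golden also shows the PodDisruptionBudget as the only rendered resource without the `linkerd.io/extension: multicluster` label, which is worth confirming against anything that lists resources by that label. TestServiceMirrorRender begins before this hunk and continues after it.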
@@ -135,6 +158,22 @@ spec:
             type: RuntimeDefault
       serviceAccountName: linkerd-service-mirror-test-cluster
 ---
+kind: PodDisruptionBudget
+apiVersion: policy/v1
+metadata:
+  name: linkerd-service-mirror-test-cluster
+  namespace: test
+  labels:
+    component: linkerd-service-mirror
+  annotations:
+    linkerd.io/created-by: linkerd/cli dev-undefined
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      component: linkerd-service-mirror
+      mirror.linkerd.io/cluster-name: test-cluster
+---
 apiVersion: v1
 kind: Service
 metadata: