Refactor proxy injection to use Helm charts

bin/build-cli-bin

@@ -22,7 +22,7 @@ fi
     cd $rootdir
     cd "$(pwd -P)"
     target="target/cli/${host_platform}/linkerd"
-    GO111MODULE=on go generate -mod=readonly ./cli # TODO: `go generate` does not honor -mod=readonly
+    GO111MODULE=on go generate -mod=readonly ./pkg/charts/static # TODO: `go generate` does not honor -mod=readonly
     GO111MODULE=on CGO_ENABLED=0 go build -o $target -tags prod -mod=readonly -ldflags "-s -w -X github.com/linkerd/linkerd2/pkg/version.Version=$($bindir/root-tag)" ./cli
     echo "$target"
 )

bin/helm.sh

@@ -11,6 +11,7 @@ rootdir="$( cd $bindir/.. && pwd )"
 helm lint $rootdir/charts/partials
 
 helm dep up $rootdir/charts/linkerd2
+helm dep up $rootdir/charts/patch
 helm lint --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2
 
 # if tiller is deployed, perform a dry run installation to check for errors

charts/chart

@@ -0,0 +1 @@
+../chart

charts/partials/templates/_proxy-init.tpl

@@ -40,7 +40,7 @@ securityContext:
 terminationMessagePolicy: FallbackToLogsOnError
 {{- if .ProxyInit.SAMountPath }}
 volumeMounts:
-- mountPath:{{.Proxy.SAMountPath.MountPath}}
-  name:{{.Proxy.SAMountPath.Name}}
+- mountPath: {{.Proxy.SAMountPath.MountPath}}
+  name: {{.Proxy.SAMountPath.Name}}
 {{- end -}}
 {{- end -}}

charts/partials/templates/_proxy.tpl

@@ -61,7 +61,7 @@ env:
 {{ if .Proxy.DisableTap -}}
 - name: LINKERD2_PROXY_TAP_DISABLED
   value: "true"
-{{ else -}}
+{{ else if not .Proxy.DisableIdentity -}}
 - name: LINKERD2_PROXY_TAP_SVC_NAME
   value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 {{ end -}}
@@ -101,8 +101,8 @@ volumeMounts:
   name: linkerd-identity-end-entity
 {{- end -}}
 {{- if .Proxy.SAMountPath }}
-- mountPath:{{.Proxy.SAMountPath.MountPath}}
-  name:{{.Proxy.SAMountPath.Name}}
+- mountPath: {{.Proxy.SAMountPath.MountPath}}
+  name: {{.Proxy.SAMountPath.Name}}
 {{- end -}}
 {{- end -}}
 {{- end }}

charts/patch/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: "v1"
+name: "patch"
+version: 0.1.0
+description: This chart generates the JSON patch necessary to inject the proxy container into pods
+home: https://linkerd.io
+sources:
+  - https://github.com/linkerd/linkerd2/

charts/patch/requirements.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: partials
+  repository: file://../partials
+  version: 0.1.0
+digest: sha256:3a86b96a2966f03ba04518723838b49719a3277dfb9bea0b3f067e83d370e0b3
+generated: "2019-07-29T17:09:48.260154278-05:00"

charts/patch/requirements.yaml

@@ -0,0 +1,4 @@
+dependencies:
+- name: partials
+  version: 0.1.0
+  repository: file://../partials

charts/patch/templates/patch.json

@@ -0,0 +1,83 @@
+{{ with .Values -}}
+{{ $prefix := .PathPrefix -}}
+[    
+  {{- if .AddRootAnnotations }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/metadata/annotations",
+    "value": {}
+  },
+  {{- end }}
+  {{- range $label, $value := .Annotations }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/metadata/annotations/{{$label | replace "/" "~1"}}",
+    "value": "{{$value}}"
+  },
+  {{- end }}
+  {{- if .AddRootLabels }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/metadata/labels",
+    "value": {}
+  },
+  {{- end }}
+  {{- range $label, $value := .Labels }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/metadata/labels/{{$label | replace "/" "~1"}}",
+    "value": "{{$value}}"
+  },
+  {{- end }}
+  {{- if .ProxyInit }}
+  {{- if .AddRootInitContainers }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/spec/initContainers",
+    "value": []
+  },
+  {{- end }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/spec/initContainers/-",
+    "value":
+      {{- include "partials.proxy-init" . | fromYaml | toPrettyJson | nindent 6 }}
+  },
+  {{- end }}
+  {{- with .DebugContainer }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/spec/containers/-",
+    "value":
+      {{- include "partials.debug" . | fromYaml | toPrettyJson | nindent 6 }}
+  },
+  {{- end }}
+  {{- if .Proxy }}
+  {{- if .AddRootVolumes }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/spec/volumes",
+    "value": []
+  },
+  {{- end }}
+  {{- if not .Proxy.DisableIdentity -}}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/spec/volumes/-",
+    "value": {
+      "name": "linkerd-identity-end-entity",
+      "emptyDir": {
+        "medium": "Memory"
+      }
+    }
+  },
+  {{- end }}
+  {
+    "op": "add",
+    "path": "{{$prefix}}/spec/containers/-",
+    "value":
+      {{- include "partials.proxy" . | fromYaml | toPrettyJson | nindent 6 }}
+  },
+  {{- end }}
+]
+{{- end -}}

cli/Dockerfile-bin

@@ -2,7 +2,13 @@
 FROM gcr.io/linkerd-io/go-deps:b62fe1ae as golang
 WORKDIR /linkerd-build
 COPY cli cli
-COPY chart chart
+COPY charts charts
+
+# TODO: remove this section after `linkerd install` starts using the new Helm charts
+RUN rm charts/chart
+RUN mkdir charts/chart
+COPY chart charts/chart
+
 COPY controller/k8s controller/k8s
 COPY controller/api controller/api
 COPY controller/gen controller/gen
@@ -11,7 +17,7 @@ RUN mkdir -p /out
 
 # Generate static templates
 # TODO: `go generate` does not honor -mod=readonly
-RUN go generate -mod=readonly ./cli
+RUN go generate -mod=readonly ./pkg/charts/static
 
 # Cache builds without version info
 RUN CGO_ENABLED=0 GOOS=darwin  go build -o /out/linkerd-darwin  -tags prod -mod=readonly -ldflags "-s -w" ./cli

cli/cmd/inject.go

@@ -31,11 +31,10 @@ const (
 )
 
 type resourceTransformerInject struct {
-	injectProxy           bool
-	configs               *cfg.All
-	overrideAnnotations   map[string]string
-	proxyOutboundCapacity map[string]uint
-	enableDebugSidecar    bool
+	injectProxy         bool
+	configs             *cfg.All
+	overrideAnnotations map[string]string
+	enableDebugSidecar  bool
 }
 
 func runInjectCmd(inputs []io.Reader, errWriter, outWriter io.Writer, transformer *resourceTransformerInject) int {
@@ -131,9 +130,6 @@ func uninjectAndInject(inputs []io.Reader, errWriter, outWriter io.Writer, trans
 
 func (rt resourceTransformerInject) transform(bytes []byte) ([]byte, []inject.Report, error) {
 	conf := inject.NewResourceConfig(rt.configs, inject.OriginCLI)
-	if len(rt.proxyOutboundCapacity) > 0 {
-		conf = conf.WithProxyOutboundCapacity(rt.proxyOutboundCapacity)
-	}
 
 	if rt.enableDebugSidecar {
 		conf.AppendPodAnnotation(k8s.ProxyEnableDebugAnnotation, "true")
@@ -160,19 +156,11 @@ func (rt resourceTransformerInject) transform(bytes []byte) ([]byte, []inject.Re
 		conf.AppendPodAnnotations(rt.overrideAnnotations)
 	}
 
-	p, err := conf.GetPatch(rt.injectProxy)
-	if err != nil {
-		return nil, nil, err
-	}
-	if p.IsEmpty() {
-		return bytes, reports, nil
-	}
-
-	patchJSON, err := p.Marshal()
+	patchJSON, err := conf.GetPatch(rt.injectProxy)
 	if err != nil {
 		return nil, nil, err
 	}
-	if patchJSON == nil {
+	if len(patchJSON) == 0 {
 		return bytes, reports, nil
 	}
 	log.Infof("patch generated for: %s", report.ResName())

cli/cmd/install.go

@@ -1,20 +1,18 @@
 package cmd
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
-	"path"
 	"strings"
 	"time"
 
 	"github.com/golang/protobuf/ptypes"
 	"github.com/google/uuid"
-	"github.com/linkerd/linkerd2/cli/static"
 	pb "github.com/linkerd/linkerd2/controller/gen/config"
+	"github.com/linkerd/linkerd2/pkg/charts"
 	"github.com/linkerd/linkerd2/pkg/config"
 	"github.com/linkerd/linkerd2/pkg/healthcheck"
 	"github.com/linkerd/linkerd2/pkg/k8s"
@@ -27,9 +25,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/helm/pkg/chartutil"
-	"k8s.io/helm/pkg/proto/hapi/chart"
-	"k8s.io/helm/pkg/renderutil"
-	"k8s.io/helm/pkg/timeconv"
 	"sigs.k8s.io/yaml"
 )
 
@@ -166,7 +161,6 @@ const (
 	controlPlaneStage = "control-plane"
 
 	prometheusImage                   = "prom/prometheus:v2.11.1"
-	prometheusProxyOutboundCapacity   = 10000
 	defaultControllerReplicas         = 1
 	defaultHAControllerReplicas       = 3
 	defaultIdentityTrustDomain        = "cluster.local"
@@ -711,7 +705,6 @@ func (values *installValues) render(w io.Writer, configs *pb.All) error {
 	if err != nil {
 		return err
 	}
-	chrtConfig := &chart.Config{Raw: string(rawValues), Values: map[string]*chart.Value{}}
 
 	files := []*chartutil.BufferedFile{
 		{Name: chartutil.ChartfileName},
@@ -752,73 +745,24 @@ func (values *installValues) render(w io.Writer, configs *pb.All) error {
 		}...)
 	}
 
-	// Read templates into bytes
-	for _, f := range files {
-		data, err := readIntoBytes(f.Name)
-		if err != nil {
-			return err
-		}
-		f.Data = data
+	chart := &charts.Chart{
+		Name:      "linkerd",
+		Dir:       "chart",
+		Namespace: controlPlaneNamespace,
+		RawValues: rawValues,
+		Files:     files,
 	}
-
-	// Create chart and render templates
-	chrt, err := chartutil.LoadFiles(files)
+	buf, err := chart.Render()
 	if err != nil {
 		return err
 	}
 
-	renderOpts := renderutil.Options{
-		ReleaseOptions: chartutil.ReleaseOptions{
-			Name:      "linkerd",
-			IsInstall: true,
-			IsUpgrade: false,
-			Time:      timeconv.Now(),
-			Namespace: controlPlaneNamespace,
-		},
-		KubeVersion: "",
-	}
-
-	renderedTemplates, err := renderutil.Render(chrt, chrtConfig, renderOpts)
-	if err != nil {
-		return err
-	}
-
-	// Merge templates and inject
-	var buf bytes.Buffer
-	for _, tmpl := range files {
-		t := path.Join(renderOpts.ReleaseOptions.Name, tmpl.Name)
-		if _, err := buf.WriteString(renderedTemplates[t]); err != nil {
-			return err
-		}
-	}
-
-	// Skip outbound port 443 to enable Kubernetes API access without the proxy.
-	// Once Kubernetes supports sidecar containers, this may be removed, as that
-	// will guarantee the proxy is running prior to control-plane startup.
-	configs.Proxy.IgnoreOutboundPorts = append(configs.Proxy.IgnoreOutboundPorts, &pb.Port{Port: 443})
-
 	return processYAML(&buf, w, ioutil.Discard, resourceTransformerInject{
 		injectProxy: true,
 		configs:     configs,
-		proxyOutboundCapacity: map[string]uint{
-			values.PrometheusImage: prometheusProxyOutboundCapacity,
-		},
 	})
 }
 
-func readIntoBytes(filename string) ([]byte, error) {
-	file, err := static.Templates.Open(filename)
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
-
-	buf := new(bytes.Buffer)
-	buf.ReadFrom(file)
-
-	return buf.Bytes(), nil
-}
-
 func (options *installOptions) configs(identity *pb.IdentityContext) *pb.All {
 	return &pb.All{
 		Global:  options.globalConfig(identity),

cli/cmd/testdata/inject_emojivoto_deployment_config_overrides.golden.yml

@@ -72,8 +72,6 @@ spec:
               fieldPath: metadata.namespace
         - name: LINKERD2_PROXY_DESTINATION_CONTEXT
           value: ns:$(_pod_ns)
-        - name: LINKERD2_PROXY_TAP_DISABLED
-          value: "true"
         - name: LINKERD2_PROXY_IDENTITY_DIR
           value: /var/run/linkerd/identity/end-entity
         - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
@@ -106,6 +104,8 @@ spec:
           value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
         - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
           value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+        - name: LINKERD2_PROXY_TAP_DISABLED
+          value: "true"
         image: gcr.io/linkerd-io/proxy:override
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -148,7 +148,7 @@ spec:
         - --proxy-uid
         - "2102"
         - --inbound-ports-to-ignore
-        - 7777,8888,4190,9998
+        - 4190,9998,7777,8888
         - --outbound-ports-to-ignore
         - "9999"
         image: gcr.io/linkerd-io/proxy-init:v1.0.0

cli/main.go

@@ -1,5 +1,3 @@
-//go:generate go run static/generate.go
-
 package main
 
 import (