RFC: Break up linkerd install into stages #2164
Description
This RFC proposes modification to the linkerd install flow, dividing Linkerd
installation into stages grouped by permission level.
Current State
Installation of the full suite of components requires three commands, with
varying combinations of flags:
linkerd install-cni
- ClusterRole
- linkerd-cni
- ClusterRoleBinding
- linkerd-cni
- Namespace
- linkerd
- ServiceAccount
- linkerd-cni
- DaemonSet
- linkerd-cni
- ConfigMap
- linkerd-cni-config
linkerd install
- ClusterRole
- linkerd-linkerd-controller
- linkerd-linkerd-prometheus
- ClusterRoleBinding
- linkerd-linkerd-controller
- linkerd-linkerd-prometheus
- Namespace
- linkerd
- CustomResourceDefinition
- serviceprofiles.linkerd.io
- ServiceAccount
- linkerd-controller
- linkerd-grafana
- linkerd-prometheus
- linkerd-web
- ConfigMap
- linkerd-grafana-config
- linkerd-prometheus-config
- Service
- linkerd-controller-api
- linkerd-grafana
- linkerd-prometheus
- linkerd-proxy-api
- linkerd-proxy-injector
- linkerd-web
- Deployment
- linkerd-controller
- linkerd-grafana
- linkerd-prometheus
- linkerd-web
linkerd install --tls optional
- ClusterRole
- linkerd-linkerd-ca
- ClusterRoleBinding
- linkerd-linkerd-ca
- ServiceAccount
- linkerd-ca
- ConfigMap
- linkerd-ca-bundle
- Deployment
- linkerd-ca
linkerd install --tls optional --proxy-auto-inject
- ClusterRole
- linkerd-linkerd-proxy-injector
- ClusterRoleBinding
- linkerd-linkerd-proxy-injector
- ConfigMap
- linkerd-proxy-injector-sidecar-config
- Service
- linkerd-proxy-injector
- Deployment
- linkerd-proxy-injector
linkerd install-sp
- ServiceProfile
- linkerd-controller-api
- linkerd-proxy-api
- linkerd-prometheus
- linkerd-grafana
Proposal: Multi-stage installation
All components listed above, grouped by privilege, --admin and --user:
$ linkerd install --help
Output Kubernetes configs to install Linkerd.
Usage:
linkerd install [flags]
Flags:
--admin Install components requiring cluster-wide privileges.
--user Install components requiring namespace-wide privileges.The linkerd check command can be modified to mirror the linkerd install flow:
linkerd check --admin
linkerd check --user1. Cluster Admin
Default usage:
linkerd install --adminPossible modifier:
linkerd install --admin --cni- ClusterRole
- linkerd-cni
- linkerd-linkerd-ca
- linkerd-linkerd-controller
- linkerd-linkerd-prometheus
- linkerd-linkerd-proxy-injector
- ClusterRoleBinding
- linkerd-cni
- linkerd-linkerd-ca
- linkerd-linkerd-controller
- linkerd-linkerd-prometheus
- linkerd-linkerd-proxy-injector
- Namespace
- linkerd
- ServiceAccount
- linkerd-cni
- ConfigMap
- linkerd-cni-config
- DaemonSet
- linkerd-cni
- CustomResourceDefinition
- serviceprofiles.linkerd.io
2. Cluster User
linkerd install --user- ServiceAccount
- linkerd-ca
- linkerd-controller
- linkerd-grafana
- linkerd-prometheus
- linkerd-web
- ConfigMap
- linkerd-ca-bundle
- linkerd-grafana-config
- linkerd-prometheus-config
- linkerd-proxy-injector-sidecar-config
- Deployment
- linkerd-ca
- linkerd-controller
- linkerd-grafana
- linkerd-prometheus
- linkerd-proxy-injector
- linkerd-web
- Service
- linkerd-controller-api
- linkerd-grafana
- linkerd-prometheus
- linkerd-proxy-api
- linkerd-proxy-injector
- linkerd-web
- ServiceProfile
- linkerd-controller-api
- linkerd-proxy-api
- linkerd-prometheus
- linkerd-grafana
Developer installation
linkerd install shall continue to work as an atomic installation process,
assuming the user has cluster access sufficient to install all Linkerd
components.
To address the timing issue between installing CRD/serviceprofiles and the
control-plane ServiceProfiles, the ServiceProfiles shall be installed via a
job configured in the linkerd install output.