Merged
Conversation
11 tasks
#1721 introduced a `--single-namespace` install flag, enabling the control-plane to function within a single namespace. With the introduction of ServiceProfiles, and upcoming identity changes, this single namespace mode of operation is becoming less viable. This change removes the `--single-namespace` install flag, and all underlying support. The control-plane must have cluster-wide access to operate. A few related changes: - Remove `--single-namespace` from `linkerd check`, this motivates combining some check categories, as we can always assume cluster-wide requirements. - Simplify the `k8s.ResourceAuthz` API, as callers no longer need to make a decision based on cluster-wide vs. namespace-wide access. Components either have access, or they error out. - Modify the web dashboard to always assume ServiceProfiles are enabled. Reverts #1721 Part of #2337 Signed-off-by: Andrew Seigner <[email protected]>
a54d45a to
2367033
Compare
klingerf
approved these changes
Mar 12, 2019
Contributor
klingerf
left a comment
There was a problem hiding this comment.
⭐️ Yay! Such a huge cleanup. 🔪
Found one more single-namespace reference hanging around:
./controller/api/destination/k8s_resolver.go:72: // In single namespace mode, we'll close the stream immediately and the proxy
And we can fix it with:
diff --git a/controller/api/destination/k8s_resolver.go b/controller/api/destination/k8s_resolver.go
index 0938dd82..b82f52be 100644
--- a/controller/api/destination/k8s_resolver.go
+++ b/controller/api/destination/k8s_resolver.go
@@ -69,15 +69,6 @@ func (k *k8sResolver) streamResolution(host string, port int, listener endpointU
}
func (k *k8sResolver) streamProfiles(host string, clientNs string, listener profileUpdateListener) error {
- // In single namespace mode, we'll close the stream immediately and the proxy
- // will reissue the request after 3 seconds. If we wanted to be more
- // sophisticated about this in the future, we could leave the stream open
- // indefinitely, or we could update the API to support a ProfilesDisabled
- // message. For now, however, this works.
- if k.profileWatcher == nil {
- return nil
- }
-
subscriptions := map[profileID]profileUpdateListener{}
primaryListener, secondaryListener := newFallbackProfileListener(listener)
@@ -131,9 +122,7 @@ func (k *k8sResolver) getState() servicePorts {
func (k *k8sResolver) stop() {
k.endpointsWatcher.stop()
- if k.profileWatcher != nil {
- k.profileWatcher.stop()
- }
+ k.profileWatcher.stop()
}
func (k *k8sResolver) resolveKubernetesService(id *serviceID, port int, listener endpointUpdateListener) error {Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
#1721 introduced a
--single-namespaceinstall flag,enabling the control-plane to function within a single namespace. With
the introduction of ServiceProfiles, and upcoming identity changes, this
single namespace mode of operation is becoming less viable.
This change removes the
--single-namespaceinstall flag, and allunderlying support. The control-plane must have cluster-wide access to
operate.
A few related changes:
--single-namespacefromlinkerd check, this motivatescombining some check categories, as we can always assume cluster-wide
requirements.
k8s.ResourceAuthzAPI, as callers no longer need tomake a decision based on cluster-wide vs. namespace-wide access.
Components either have access, or they error out.
Reverts #1721
Part of #2337
Signed-off-by: Andrew Seigner [email protected]