Introduce upgrade --from-manifests flag#2697
Conversation
The `linkerd upgrade` command read the control-plane's config from Kubernetes, which required the environment to be configured to connect to the appropriate k8s cluster. Intrdouce a `linkerd upgrade --from-manifests` flag, allowing the user to feed the output of `linkerd install` into the upgrade command. Fixes #2629 Signed-off-by: Andrew Seigner <[email protected]>
Signed-off-by: Andrew Seigner <[email protected]>
|
@jon-walton if you have a moment, please take this out for a spin, thanks! |
|
Integration test results for 2dc3488: success 🎉 |
|
awesome, that works 👍 thanks! 🎉 |
olix0r
left a comment
olix0r
left a comment
There was a problem hiding this comment.
Nice clean change!
One question for @grampelberg: if we're supporting a file-based workflow, we probably need to update documentation to address the storage of the issuer credentials.
cli/cmd/upgrade.go
Outdated
| func newUpgradeOptionsWithDefaults() *upgradeOptions { | ||
| return &upgradeOptions{newInstallOptionsWithDefaults()} | ||
| return &upgradeOptions{ | ||
| "", |
There was a problem hiding this comment.
tioli: named params might be easier to read here
|
@olix0r because they show up in the manifest? |
alpeb
left a comment
alpeb
left a comment
There was a problem hiding this comment.
Very elegant approach, looks great to me! 👍
|
Just wanna confirm that we are ok with writing the issuer's secret to disk. |
|
@ihcsim Re: writing secrets to disk, I think that's a good question for @grampelberg, and if the answer is "yes", maybe deserves treatment in our docs. |
Signed-off-by: Andrew Seigner <[email protected]>
|
@grampelberg right. Ideally, we'd encrypt that part of the manifest and have |
|
fwiw, I think all #2629 cares about is the |
|
Integration test results for 3ee494a: success 🎉 |
|
Another possibility would be to add a note in the Upgrade CLI docs, telling people they can store all the resources in disk, but discouraging keeping the Secret one. Then we could have |
|
This is an interesting point. However, when using a gitops workflow, a |
|
Is there another option to writing the secret to disk? It'd need to live somewhere ... From a docs perspective, it is pretty easy to suggest piping through |
The (identity) secret is created during installation, and remained untouched, in the cluster, during an upgrade. |
|
Going to merge this as-is. I agree storing secrets in the clear on disk is not great, but also agree we can guide users via docs on best practices, such as @grampelberg's |
|
Can we open an issue on the website repo to track writing up a blurb about managing the manifest? |
7 participants
The
linkerd upgradecommand read the control-plane's config fromKubernetes, which required the environment to be configured to connect
to the appropriate k8s cluster.
Introduce a
linkerd upgrade --from-manifestsflag, allowing the userto feed the output of
linkerd installinto the upgrade command.Fixes #2629
Signed-off-by: Andrew Seigner [email protected]
Relates to #2637.
Notes
Note that the first commit, 5fb1c0c, contains all the code changes. The second commit simply renames
test_helper.gotofake.go.Examples
Install flow
linkerd install > install_manifests.yaml kubectl apply -f install_manifests.yaml linkerd upgrade --from-manifests install_manifests.yamlValidate
linkerd upgradecommand works the same with and without--from-manifests