Update install and upgrade code to use the new helm charts #3229
| {{ $ca := genCA (printf "linkerd-proxy-injector.%s.svc" .Namespace) 365 -}} | ||
| crt.pem: {{ b64enc $ca.Cert }} | ||
| key.pem: {{ b64enc $ca.Key }} | ||
| crt.pem: {{ ternary (b64enc $ca.Cert) (b64enc .ProxyInjector.CrtPEM) (empty .ProxyInjector.CrtPEM) }} |
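Review bot: the ternary on the last crt.pem line switches on (empty .ProxyInjector.CrtPEM) alone, so if key.pem is guarded by its own check on .ProxyInjector.KeyPEM, a values set that supplies only one of the two renders a secret whose certificate and key do not belong together. Gate both fields on a single condition, or fail the render when exactly one of them is set. The genCA call also fixes the lifetime at 365 days while the override path re-uses whatever certificate is supplied, so a template comment on how the pair is expected to be rotated would help.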
During upgrade, .ProxyInjector.CrtPEM and .ProxyInjector.KeyPEM will be assigned the values of the existing cert and key, so that they can be re-used. This change is also added to the service profile validator and tap RBAC templates.
Also, the .ProxyInjector.CrtPEM and .ProxyInjector.KeyPEM variables are needed to pin the test fixtures in the install and upgrade tests. Otherwise, Helm will always regenerate the cert/key pairs on every test run. If needed, we can revisit whether it's necessary to use Helm to auto-generate the TLS secrets.
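One way to vet an existing webhook secret before re-using it on upgrade, as an added example (not code from this PR or from Linkerd): it checks that key.pem belongs to crt.pem, that the certificate covers the service name the template passes to genCA, and that enough lifetime remains. The names checkPreservedPair and newPair, the linkerd namespace and the 30-day threshold are assumptions, and the key pairs are constructed in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newPair builds a constructed self-signed pair, standing in for a secret rendered at install.
func newPair(host string, notAfter time.Time) (crt, key []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	pk, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pk})
}

// checkPreservedPair (hypothetical helper) reports why an existing secret must not be re-used.
func checkPreservedPair(crt, key []byte, host string, now time.Time, minLeft time.Duration) error {
	pair, err := tls.X509KeyPair(crt, key) // rejects empty input and a key that is not the cert's
	if err != nil {
		return fmt.Errorf("crt.pem/key.pem unusable: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if err := leaf.VerifyHostname(host); err != nil { // SAN must cover the webhook service
		return err
	}
	if left := leaf.NotAfter.Sub(now); left < minLeft {
		return fmt.Errorf("certificate expires in %s, below the %s threshold", left, minLeft)
	}
	return nil
}

func main() {
	host, now := "linkerd-proxy-injector.linkerd.svc", time.Now() // namespace is assumed
	crt, key := newPair(host, now.AddDate(0, 0, 300))
	_, other := newPair(host, now.AddDate(0, 0, 300))
	fmt.Println(checkPreservedPair(crt, key, host, now, 30*24*time.Hour))   // matching pair
	fmt.Println(checkPreservedPair(crt, other, host, now, 30*24*time.Hour)) // foreign key
}
```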
| selector: | ||
| matchLabels: | ||
| {{.ControllerComponentLabel}}: sp-validator | ||
| {{.ControllerNamespaceLabel}}: {{.Namespace}} |
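Review bot: nothing in the selector.matchLabels block warns that a workload's selector cannot be changed once the object exists, so adding or renaming an entry such as {{.ControllerNamespaceLabel}}: {{.Namespace}} here breaks an in-place upgrade of an existing install. A one-line template comment above matchLabels stating that these labels must stay fixed would document the constraint for the next editor.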
Service profile validator already has its own selectors in 2.4. Since these selectors are immutable, adding new match labels here will cause upgrade to fail. Hence, I have to revert this change. The same revert is also added to the proxy injector template.
|
|
||
| configJSONs struct{ Global, Proxy, Install string } | ||
|
|
||
| resources struct{ CPU, Memory constraints } |
These are all moved to the common package at pkg/charts/template-values.go.
|
|
||
| // function pointers that can be overridden for tests | ||
| generateUUID func() string | ||
| generateWebhookTLS func(webhook string) (*tlsValues, error) |
During install, the webhook TLS secrets will be generated by Helm functions. During an upgrade, these secrets will be preserved.
| if err := options.validate(); err != nil { | ||
| return nil, nil, err | ||
| } | ||
| options.handleHA() |
See changes in the buildValuesWithoutIdentity() function.
| return fmt.Sprintf("%s-tls", webhook) | ||
| } | ||
|
|
||
| func verifyWebhookTLS(value *tlsValues, webhook string) error { |
Move to upgrade.go, since they are now only relevant during upgrade.
|
Integration test results for d61ca13: success 🎉 |
siggy
left a comment
totally works! mostly questions for my own understanding...
| EnablePodAntiAffinity: false | ||
| ImagePullPolicy: &image_pull_policy IfNotPresent | ||
|
|
||
| # control plane version. See Proxy section for proxy version |
unrelated to this PR, should this be edge-19.8.2, or something else?
Yes, it should. We are yet to figure out a way to inject the new version numbers into these static files (values.yaml and Chart.yaml) as part of the build.
Signed-off-by: Ivan Sim <[email protected]>
These are now handled by Helm functions inside the templates
Signed-off-by: Ivan Sim <[email protected]>
* Merge the way the 'install' ha and non-ha options are handled into one function
* Honor the 'NoInitContainer' option in the components templates
* Fail upgrade if the proxy injector, profile validator or tap TLS secrets are missing. These are now auto-generated by Helm during install. And during upgrade, they will be preserved.
* Control plane mTLS will not be disabled if identity context in the config map is empty. The data plane mTLS will still be automatically disabled if the context is nil.
Signed-off-by: Ivan Sim <[email protected]>
During upgrade, these secrets are preserved to ensure they remain synced with the CA bundle in the webhook configurations. These Helm variables are used to override the defaults in the templates.
Signed-off-by: Ivan Sim <[email protected]>
When upgrading from an older version that doesn't have these secrets, fall back to letting Helm create them by creating an empty charts.TLS struct.
Signed-off-by: Ivan Sim <[email protected]>
In 2.4, the proxy injector and profile validator webhooks already have their selector labels defined. Since these attributes are immutable, the recent change to these selectors introduced by the Helm chart work will cause upgrade to fail.
Signed-off-by: Ivan Sim <[email protected]>
d61ca13 to 159a862
|
Integration test results for 159a862: success 🎉 |
Followup to #3229
Signed-off-by: Alejandro Pedraza <[email protected]>

This PR updates the linkerd install and linkerd upgrade commands to use the new Helm chart.
The following commands were executed to install and upgrade the control plane. Their YAML output is also diff'ed with that of edge-19.8.2:
Fixes #3127