Revert incompatible multicluster changes

Changes to the multicluster Link resources' label selector lead to some
friction when upgrading from 2.11.1, as these resources must be deleted
and re-created.

These changes are reverted from the 2.11 branch.

Signed-off-by: Oliver Gould <ver@buoyant.io>

charts/linkerd2-cni/templates/cni-plugin.yaml

@@ -22,6 +22,8 @@ kind: Namespace
 apiVersion: v1
 metadata:
   name: {{.Values.namespace}}
+  annotations:
+    linkerd.io/inject: disabled
   labels:
     linkerd.io/cni-resource: "true"
     config.linkerd.io/admission-webhooks: disabled
@@ -185,8 +187,6 @@ spec:
         k8s-app: linkerd-cni
       annotations:
         {{ include "partials.annotations.created-by" . }}
-        linkerd.io/cni-resource: "true"
-        linkerd.io/inject: disabled
     spec:
       {{- if .Values.tolerations }}
       {{- include "linkerd.tolerations" . | nindent 6 }}

charts/linkerd2/README.md

@@ -220,8 +220,7 @@ Kubernetes: `>=1.17.0-0`
 | proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided then Helm will generate one. |
 | proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below) |
 | proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided then Helm will generate one. |
-| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. |
-| proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. |
+| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation config.linkerd.io/admission-webhooks=disabled |
 | webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector |
 
 ----------------------------------------------

charts/linkerd2/templates/proxy-injector-rbac.yaml

@@ -83,8 +83,6 @@ webhooks:
 - name: linkerd-proxy-injector.linkerd.io
   namespaceSelector:
     {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }}
-  objectSelector:
-    {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }}
   clientConfig:
     service:
       name: linkerd-proxy-injector

charts/linkerd2/values.yaml

@@ -273,26 +273,15 @@ proxyInjector:
   # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below)
   externalSecret: false
 
-  # -- Namespace selector used by admission webhook.
+  # -- Namespace selector used by admission webhook. If not set defaults to all
+  # namespaces without the annotation
+  # config.linkerd.io/admission-webhooks=disabled
   namespaceSelector:
     matchExpressions:
     - key: config.linkerd.io/admission-webhooks
       operator: NotIn
       values:
       - disabled
-    - key: kubernetes.io/metadata.name
-      operator: NotIn
-      values:
-      - kube-system
-      - cert-manager
-
-  # -- Object selector used by admission webhook.
-  objectSelector:
-    matchExpressions:
-    - key: linkerd.io/control-plane-component
-      operator: DoesNotExist
-    - key: linkerd.io/cni-resource
-      operator: DoesNotExist
 
   # -- Certificate for the proxy injector. If not provided then Helm will generate one.
   crtPEM: |