diff --git a/charts/linkerd2-cni/templates/cni-plugin.yaml b/charts/linkerd2-cni/templates/cni-plugin.yaml index 720f6056e31af..62f2a3514a3b5 100644 --- a/charts/linkerd2-cni/templates/cni-plugin.yaml +++ b/charts/linkerd2-cni/templates/cni-plugin.yaml @@ -22,6 +22,8 @@ kind: Namespace apiVersion: v1 metadata: name: {{.Values.namespace}} + annotations: + linkerd.io/inject: disabled labels: linkerd.io/cni-resource: "true" config.linkerd.io/admission-webhooks: disabled @@ -185,8 +187,6 @@ spec: k8s-app: linkerd-cni annotations: {{ include "partials.annotations.created-by" . }} - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: {{- if .Values.tolerations }} {{- include "linkerd.tolerations" . | nindent 6 }} diff --git a/charts/linkerd2/README.md b/charts/linkerd2/README.md index 839f80bb3ab3c..bd220cc512946 100644 --- a/charts/linkerd2/README.md +++ b/charts/linkerd2/README.md @@ -220,8 +220,7 @@ Kubernetes: `>=1.17.0-0` | proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided then Helm will generate one. | | proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below) | | proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided then Helm will generate one. | -| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. | -| proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. | +| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation config.linkerd.io/admission-webhooks=disabled | | webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector | ---------------------------------------------- diff --git a/charts/linkerd2/templates/proxy-injector-rbac.yaml b/charts/linkerd2/templates/proxy-injector-rbac.yaml index a771d2325023b..33b5f1f3050c1 100644 --- a/charts/linkerd2/templates/proxy-injector-rbac.yaml +++ b/charts/linkerd2/templates/proxy-injector-rbac.yaml @@ -83,8 +83,6 @@ webhooks: - name: linkerd-proxy-injector.linkerd.io namespaceSelector: {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }} - objectSelector: - {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }} clientConfig: service: name: linkerd-proxy-injector diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index d5762577521ec..d36c65d526e69 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml @@ -273,26 +273,15 @@ proxyInjector: # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below) externalSecret: false - # -- Namespace selector used by admission webhook. + # -- Namespace selector used by admission webhook. If not set defaults to all + # namespaces without the annotation + # config.linkerd.io/admission-webhooks=disabled namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - - # -- Object selector used by admission webhook. - objectSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: DoesNotExist - - key: linkerd.io/cni-resource - operator: DoesNotExist # -- Certificate for the proxy injector. If not provided then Helm will generate one. crtPEM: | diff --git a/cli/cmd/testdata/install-cni-plugin_default.golden b/cli/cmd/testdata/install-cni-plugin_default.golden index 0a6146a358811..137c6d7d004c4 100644 --- a/cli/cmd/testdata/install-cni-plugin_default.golden +++ b/cli/cmd/testdata/install-cni-plugin_default.golden @@ -2,6 +2,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd-cni + annotations: + linkerd.io/inject: disabled labels: linkerd.io/cni-resource: "true" config.linkerd.io/admission-webhooks: disabled @@ -100,8 +102,6 @@ spec: k8s-app: linkerd-cni annotations: linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden index 157533b77c8ec..96dcf049c6be8 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden @@ -2,6 +2,8 @@ kind: Namespace apiVersion: v1 metadata: name: other + annotations: + linkerd.io/inject: disabled labels: linkerd.io/cni-resource: "true" config.linkerd.io/admission-webhooks: disabled @@ -100,8 +102,6 @@ spec: k8s-app: linkerd-cni annotations: linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden index bcc77672b246e..11a9746a3cf40 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden @@ -2,6 +2,8 @@ kind: Namespace apiVersion: v1 metadata: name: other + annotations: + linkerd.io/inject: disabled labels: linkerd.io/cni-resource: "true" config.linkerd.io/admission-webhooks: disabled @@ -100,8 +102,6 @@ spec: k8s-app: linkerd-cni annotations: linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden index 805b605fe0959..4bf6d0e301e46 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden @@ -92,8 +92,6 @@ spec: k8s-app: linkerd-cni annotations: linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden index 2e6b2f7a08ad7..6b5b60659bb0f 100644 --- a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden +++ b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden @@ -2,6 +2,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd-cni + annotations: + linkerd.io/inject: disabled labels: linkerd.io/cni-resource: "true" config.linkerd.io/admission-webhooks: disabled @@ -101,8 +103,6 @@ spec: k8s-app: linkerd-cni annotations: linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_cni_helm_default_output.golden b/cli/cmd/testdata/install_cni_helm_default_output.golden index b6bab799cf7d1..9da1b323c9c8a 100644 --- a/cli/cmd/testdata/install_cni_helm_default_output.golden +++ b/cli/cmd/testdata/install_cni_helm_default_output.golden @@ -4,6 +4,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd-cni + annotations: + linkerd.io/inject: disabled labels: linkerd.io/cni-resource: "true" config.linkerd.io/admission-webhooks: disabled @@ -102,8 +104,6 @@ spec: k8s-app: linkerd-cni annotations: linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_cni_helm_override_output.golden b/cli/cmd/testdata/install_cni_helm_override_output.golden index 277515f66fbc8..ae6126785b9ff 100644 --- a/cli/cmd/testdata/install_cni_helm_override_output.golden +++ b/cli/cmd/testdata/install_cni_helm_override_output.golden @@ -4,6 +4,8 @@ kind: Namespace apiVersion: v1 metadata: name: linkerd-test + annotations: + linkerd.io/inject: disabled labels: linkerd.io/cni-resource: "true" config.linkerd.io/admission-webhooks: disabled @@ -102,8 +104,6 @@ spec: k8s-app: linkerd-cni annotations: linkerd.io/created-by: test-version - linkerd.io/cni-resource: "true" - linkerd.io/inject: disabled spec: nodeSelector: kubernetes.io/os: linux diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index a71e5c4961c59..1a2cdfe1c6e7f 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2199,7 +2187,7 @@ spec: template: metadata: annotations: - checksum/config: 70979ba7360299d257bc2cae51ababb0d595fef611ffe4bee38a62833b02a002 + checksum/config: 31ca92e63a48870d9b7cad9d7a613e2164b4b016577720744b2f0a1da3a3c844 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index d04662fa94d9e..e77ff6961d423 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2197,7 +2185,7 @@ spec: template: metadata: annotations: - checksum/config: db40a1a4ed3e82ea2fd0361049626b2489ea254e90226cf3d94c52c1cf35e25b + checksum/config: bce2277a89759f9ac7669e8043ef265aca604e32fa847929ea3bfa3327905042 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index dbac93d537534..64f644d39fd27 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2197,7 +2185,7 @@ spec: template: metadata: annotations: - checksum/config: 70979ba7360299d257bc2cae51ababb0d595fef611ffe4bee38a62833b02a002 + checksum/config: 31ca92e63a48870d9b7cad9d7a613e2164b4b016577720744b2f0a1da3a3c844 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 6ab07364b4988..62f23eff3745d 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2197,7 +2185,7 @@ spec: template: metadata: annotations: - checksum/config: 70979ba7360299d257bc2cae51ababb0d595fef611ffe4bee38a62833b02a002 + checksum/config: 31ca92e63a48870d9b7cad9d7a613e2164b4b016577720744b2f0a1da3a3c844 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index e7b76605a8a9f..111279c9210d3 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2197,7 +2185,7 @@ spec: template: metadata: annotations: - checksum/config: 70979ba7360299d257bc2cae51ababb0d595fef611ffe4bee38a62833b02a002 + checksum/config: 31ca92e63a48870d9b7cad9d7a613e2164b4b016577720744b2f0a1da3a3c844 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index b54924d07d990..21e05133bced0 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1411,11 +1404,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -2330,7 +2318,7 @@ spec: template: metadata: annotations: - checksum/config: f351cf0bb00bcd1f35b9e25ea8a3743c5d0f64ff235b0c433e96f972f03e85c8 + checksum/config: 67e053df1cc859aa15c82ff6e5e65c055041bb36ade50655e9bf44976521018f linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index e06a14620c886..d8c0d4a8e3aac 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1411,11 +1404,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -2330,7 +2318,7 @@ spec: template: metadata: annotations: - checksum/config: f351cf0bb00bcd1f35b9e25ea8a3743c5d0f64ff235b0c433e96f972f03e85c8 + checksum/config: 67e053df1cc859aa15c82ff6e5e65c055041bb36ade50655e9bf44976521018f linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index ab6d2daed5263..d7f4a08688bc7 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -1112,13 +1112,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1324,11 +1317,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2079,7 +2067,7 @@ spec: template: metadata: annotations: - checksum/config: 70979ba7360299d257bc2cae51ababb0d595fef611ffe4bee38a62833b02a002 + checksum/config: 31ca92e63a48870d9b7cad9d7a613e2164b4b016577720744b2f0a1da3a3c844 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden index c9e529c0c92a2..0abbe1a1eab59 100644 --- a/cli/cmd/testdata/install_helm_output.golden +++ b/cli/cmd/testdata/install_helm_output.golden @@ -1197,13 +1197,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1389,11 +1382,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tap: @@ -2194,7 +2182,7 @@ spec: template: metadata: annotations: - checksum/config: c5be73974dd70107edd889abd070f744cdb0f1f0ce39486f10fb8b24f454da15 + checksum/config: 20a7b3bda0bfdd9b7cf388efb0b438612caa444c23e015168dae1cdb0109e34e linkerd.io/created-by: linkerd/helm linkerd-version linkerd.io/identity-mode: default linkerd.io/proxy-version: test-proxy-version diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden index f8478789bda69..65537dba446fb 100644 --- a/cli/cmd/testdata/install_helm_output_ha.golden +++ b/cli/cmd/testdata/install_helm_output_ha.golden @@ -1197,13 +1197,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1407,11 +1400,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -2327,7 +2315,7 @@ spec: template: metadata: annotations: - checksum/config: 4dbc476a3ebb9d5d79b839057027dfb470df94d7126384c78efd6e15161be8c1 + checksum/config: cf6b4520e0ad2b0010db5a18443bd632c87ac0216f8f118e723e0f33f5842d7e linkerd.io/created-by: linkerd/helm linkerd-version linkerd.io/identity-mode: default linkerd.io/proxy-version: test-proxy-version diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 112197077dfa7..3c4f305f13a52 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -1197,13 +1197,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1411,11 +1404,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: cpu: @@ -2343,7 +2331,7 @@ spec: template: metadata: annotations: - checksum/config: 4dbc476a3ebb9d5d79b839057027dfb470df94d7126384c78efd6e15161be8c1 + checksum/config: cf6b4520e0ad2b0010db5a18443bd632c87ac0216f8f118e723e0f33f5842d7e linkerd.io/created-by: linkerd/helm linkerd-version linkerd.io/identity-mode: default linkerd.io/proxy-version: test-proxy-version diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index 8d024808ae908..4e429e60288aa 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -1197,8 +1197,6 @@ webhooks: operator: In values: - enabled - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -2317,7 +2315,7 @@ spec: template: metadata: annotations: - checksum/config: f590616ff1f50ae5daf722257b66224918e3536f06cbe5684fa8ec9329921e44 + checksum/config: 5e2cfa2bd882cd79c2104f822ff8062620bd9103e176aa47064940e2e0fbcff6 linkerd.io/created-by: linkerd/helm linkerd-version linkerd.io/identity-mode: default linkerd.io/proxy-version: test-proxy-version diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 12f4e286c4167..f0eaa7154f4f1 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2123,7 +2111,7 @@ spec: template: metadata: annotations: - checksum/config: 70979ba7360299d257bc2cae51ababb0d595fef611ffe4bee38a62833b02a002 + checksum/config: 31ca92e63a48870d9b7cad9d7a613e2164b4b016577720744b2f0a1da3a3c844 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 6ddc70891eb64..e3f815270ad36 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2207,7 +2195,7 @@ spec: template: metadata: annotations: - checksum/config: 4d50d695d29dfde317ca01965e664fe1eed1a07982359017fa18945db2ceb058 + checksum/config: 54ac8689f1236f2c97fa3bb59f9ac21abab03e06e06eca84b1fd9ba035dce1e8 linkerd.io/created-by: CliVersion linkerd.io/identity-mode: default linkerd.io/proxy-version: ProxyVersion diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index 2aac8b58ad493..a9084d3b4a522 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -1181,13 +1181,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1393,11 +1386,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2197,7 +2185,7 @@ spec: template: metadata: annotations: - checksum/config: 70979ba7360299d257bc2cae51ababb0d595fef611ffe4bee38a62833b02a002 + checksum/config: 31ca92e63a48870d9b7cad9d7a613e2164b4b016577720744b2f0a1da3a3c844 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index 6e32d09757b2f..e76311fcf4e3f 100644 --- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden @@ -1167,13 +1167,6 @@ webhooks: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager - objectSelector: - null clientConfig: service: name: linkerd-proxy-injector @@ -1379,11 +1372,6 @@ data: operator: NotIn values: - disabled - - key: kubernetes.io/metadata.name - operator: NotIn - values: - - kube-system - - cert-manager proxyInjectorProxyResources: null proxyInjectorResources: null tolerations: null @@ -2183,7 +2171,7 @@ spec: template: metadata: annotations: - checksum/config: db40a1a4ed3e82ea2fd0361049626b2489ea254e90226cf3d94c52c1cf35e25b + checksum/config: bce2277a89759f9ac7669e8043ef265aca604e32fa847929ea3bfa3327905042 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version diff --git a/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml b/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml index 5706e02888d82..973801fdacafc 100644 --- a/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml +++ b/multicluster/charts/linkerd-multicluster-link/templates/service-mirror.yaml @@ -5,7 +5,7 @@ metadata: name: linkerd-service-mirror-access-local-resources-{{.Values.targetClusterName}} labels: linkerd.io/extension: multicluster - component: service-mirror + linkerd.io/control-plane-component: service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} rules: - apiGroups: [""] @@ -21,7 +21,7 @@ metadata: name: linkerd-service-mirror-access-local-resources-{{.Values.targetClusterName}} labels: linkerd.io/extension: multicluster - component: service-mirror + linkerd.io/control-plane-component: service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} roleRef: apiGroup: rbac.authorization.k8s.io @@ -39,7 +39,7 @@ metadata: namespace: {{.Values.namespace}} labels: linkerd.io/extension: multicluster - component: service-mirror + linkerd.io/control-plane-component: service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} rules: - apiGroups: [""] @@ -57,7 +57,7 @@ metadata: namespace: {{.Values.namespace}} labels: linkerd.io/extension: multicluster - component: service-mirror + linkerd.io/control-plane-component: service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} roleRef: apiGroup: rbac.authorization.k8s.io @@ -75,7 +75,7 @@ metadata: namespace: {{.Values.namespace}} labels: linkerd.io/extension: multicluster - component: service-mirror + linkerd.io/control-plane-component: service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} --- apiVersion: apps/v1 @@ -83,7 +83,7 @@ kind: Deployment metadata: labels: linkerd.io/extension: multicluster - component: service-mirror + linkerd.io/control-plane-component: service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} name: linkerd-service-mirror-{{.Values.targetClusterName}} namespace: {{.Values.namespace}} @@ -91,14 +91,14 @@ spec: replicas: 1 selector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} template: metadata: annotations: linkerd.io/inject: enabled labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}} spec: containers: diff --git a/multicluster/charts/linkerd-multicluster/templates/gateway.yaml b/multicluster/charts/linkerd-multicluster/templates/gateway.yaml index c32658c941e10..ac67e774ceea7 100644 --- a/multicluster/charts/linkerd-multicluster/templates/gateway.yaml +++ b/multicluster/charts/linkerd-multicluster/templates/gateway.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/name: gateway app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: {{.Values.linkerdVersion}} - component: gateway + linkerd.io/control-plane-component: gateway app: {{.Values.gateway.name}} linkerd.io/extension: multicluster name: {{.Values.gateway.name}} @@ -72,7 +72,7 @@ metadata: mirror.linkerd.io/probe-period: "{{.Values.gateway.probe.seconds}}" mirror.linkerd.io/probe-path: {{.Values.gateway.probe.path}} mirror.linkerd.io/multicluster-gateway: "true" - component: gateway + linkerd.io/control-plane-component: gateway {{ include "partials.annotations.created-by" . }} {{- with .Values.gateway.serviceAnnotations }}{{ toYaml . | trim | nindent 4 }}{{- end }} spec: diff --git a/multicluster/charts/linkerd-multicluster/templates/proxy-admin-policy.yaml b/multicluster/charts/linkerd-multicluster/templates/proxy-admin-policy.yaml index be99e4c7e6c05..8568cb84cbd02 100644 --- a/multicluster/charts/linkerd-multicluster/templates/proxy-admin-policy.yaml +++ b/multicluster/charts/linkerd-multicluster/templates/proxy-admin-policy.yaml @@ -41,7 +41,7 @@ metadata: spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: linkerd-admin proxyProtocol: HTTP/1 --- diff --git a/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml b/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml index 7f85cad31152e..17298782d8de4 100644 --- a/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml +++ b/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml @@ -5,11 +5,11 @@ metadata: namespace: {{.Values.namespace}} name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: admin-http proxyProtocol: HTTP/1 --- @@ -19,7 +19,7 @@ metadata: namespace: {{.Values.namespace}} name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: server: name: service-mirror diff --git a/multicluster/cmd/check.go b/multicluster/cmd/check.go index 29e9de9cad624..26792b21a6191 100644 --- a/multicluster/cmd/check.go +++ b/multicluster/cmd/check.go @@ -679,7 +679,7 @@ func joinErrors(errs []error, tabDepth int) error { } func serviceMirrorComponentsSelector(targetCluster string) string { - return fmt.Sprintf("component=%s,%s=%s", - linkerdServiceMirrorComponentName, + return fmt.Sprintf("%s=%s,%s=%s", + k8s.ControllerComponentLabel, linkerdServiceMirrorComponentName, k8s.RemoteClusterNameLabel, targetCluster) } diff --git a/multicluster/cmd/testdata/install_default.golden b/multicluster/cmd/testdata/install_default.golden index 4f77cb98851f6..ef1bed1224174 100644 --- a/multicluster/cmd/testdata/install_default.golden +++ b/multicluster/cmd/testdata/install_default.golden @@ -14,7 +14,7 @@ metadata: app.kubernetes.io/name: gateway app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: linkerdVersionValue - component: gateway + linkerd.io/control-plane-component: gateway app: linkerd-gateway linkerd.io/extension: multicluster name: linkerd-gateway @@ -51,7 +51,7 @@ metadata: mirror.linkerd.io/probe-period: "3" mirror.linkerd.io/probe-path: /ready mirror.linkerd.io/multicluster-gateway: "true" - component: gateway + linkerd.io/control-plane-component: gateway linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: ports: @@ -115,7 +115,7 @@ metadata: spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: linkerd-admin proxyProtocol: HTTP/1 --- @@ -336,11 +336,11 @@ metadata: namespace: linkerd-multicluster name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: admin-http proxyProtocol: HTTP/1 --- @@ -350,7 +350,7 @@ metadata: namespace: linkerd-multicluster name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: server: name: service-mirror diff --git a/multicluster/cmd/testdata/install_ha.golden b/multicluster/cmd/testdata/install_ha.golden index d37aa64c22244..373e6ae0adcdb 100644 --- a/multicluster/cmd/testdata/install_ha.golden +++ b/multicluster/cmd/testdata/install_ha.golden @@ -14,7 +14,7 @@ metadata: app.kubernetes.io/name: gateway app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: linkerdVersionValue - component: gateway + linkerd.io/control-plane-component: gateway app: linkerd-gateway linkerd.io/extension: multicluster name: linkerd-gateway @@ -89,7 +89,7 @@ metadata: mirror.linkerd.io/probe-period: "3" mirror.linkerd.io/probe-path: /ready mirror.linkerd.io/multicluster-gateway: "true" - component: gateway + linkerd.io/control-plane-component: gateway linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: ports: @@ -153,7 +153,7 @@ metadata: spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: linkerd-admin proxyProtocol: HTTP/1 --- @@ -405,11 +405,11 @@ metadata: namespace: linkerd-multicluster name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: admin-http proxyProtocol: HTTP/1 --- @@ -419,7 +419,7 @@ metadata: namespace: linkerd-multicluster name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: server: name: service-mirror diff --git a/multicluster/cmd/testdata/install_psp.golden b/multicluster/cmd/testdata/install_psp.golden index 53e0dfc462d0c..0c2c084cef108 100644 --- a/multicluster/cmd/testdata/install_psp.golden +++ b/multicluster/cmd/testdata/install_psp.golden @@ -14,7 +14,7 @@ metadata: app.kubernetes.io/name: gateway app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: linkerdVersionValue - component: gateway + linkerd.io/control-plane-component: gateway app: linkerd-gateway linkerd.io/extension: multicluster name: linkerd-gateway @@ -51,7 +51,7 @@ metadata: mirror.linkerd.io/probe-period: "3" mirror.linkerd.io/probe-path: /ready mirror.linkerd.io/multicluster-gateway: "true" - component: gateway + linkerd.io/control-plane-component: gateway linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: ports: @@ -115,7 +115,7 @@ metadata: spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: linkerd-admin proxyProtocol: HTTP/1 --- @@ -367,11 +367,11 @@ metadata: namespace: linkerd-multicluster name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: podSelector: matchLabels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror port: admin-http proxyProtocol: HTTP/1 --- @@ -381,7 +381,7 @@ metadata: namespace: linkerd-multicluster name: service-mirror labels: - component: linkerd-service-mirror + linkerd.io/control-plane-component: linkerd-service-mirror spec: server: name: service-mirror diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go index 7d3d28de58fbc..f90051808c61c 100644 --- a/pkg/charts/linkerd2/values_test.go +++ b/pkg/charts/linkerd2/values_test.go @@ -17,22 +17,15 @@ func TestNewValues(t *testing.T) { testVersion := "linkerd-dev" - matchExpressionsSimple := []metav1.LabelSelectorRequirement{ - { - Key: "config.linkerd.io/admission-webhooks", - Operator: "NotIn", - Values: []string{"disabled"}, + namespaceSelector := &metav1.LabelSelector{ + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: "config.linkerd.io/admission-webhooks", + Operator: "NotIn", + Values: []string{"disabled"}, + }, }, } - matchExpressionsInjector := append(matchExpressionsSimple, metav1.LabelSelectorRequirement{ - Key: "kubernetes.io/metadata.name", - Operator: "NotIn", - Values: []string{"kube-system", "cert-manager"}, - }, - ) - - namespaceSelectorSimple := &metav1.LabelSelector{MatchExpressions: matchExpressionsSimple} - namespaceSelectorInjector := &metav1.LabelSelector{MatchExpressions: matchExpressionsInjector} expected := &Values{ ControllerImage: "cr.l5d.io/linkerd/controller", @@ -150,9 +143,9 @@ func TestNewValues(t *testing.T) { }, }, - ProxyInjector: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorInjector}, - ProfileValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple}, - PolicyValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple}, + ProxyInjector: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelector}, + ProfileValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelector}, + PolicyValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelector}, } // pin the versions to ensure consistent test result. diff --git a/viz/charts/linkerd-viz/templates/prometheus.yaml b/viz/charts/linkerd-viz/templates/prometheus.yaml index be774528d4ef1..2de7000ec5b95 100644 --- a/viz/charts/linkerd-viz/templates/prometheus.yaml +++ b/viz/charts/linkerd-viz/templates/prometheus.yaml @@ -90,7 +90,7 @@ data: - role: pod relabel_configs: - source_labels: - - __meta_kubernetes_pod_label_component + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - __meta_kubernetes_pod_container_port_name action: keep regex: linkerd-service-mirror;admin-http$ diff --git a/viz/cmd/testdata/install_default.golden b/viz/cmd/testdata/install_default.golden index 653bb9086119f..c1da1fe826acd 100644 --- a/viz/cmd/testdata/install_default.golden +++ b/viz/cmd/testdata/install_default.golden @@ -864,7 +864,7 @@ data: - role: pod relabel_configs: - source_labels: - - __meta_kubernetes_pod_label_component + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - __meta_kubernetes_pod_container_port_name action: keep regex: linkerd-service-mirror;admin-http$ diff --git a/viz/cmd/testdata/install_default_overrides.golden b/viz/cmd/testdata/install_default_overrides.golden index 8ee92c5c9eddd..1a02bb6c946a0 100644 --- a/viz/cmd/testdata/install_default_overrides.golden +++ b/viz/cmd/testdata/install_default_overrides.golden @@ -864,7 +864,7 @@ data: - role: pod relabel_configs: - source_labels: - - __meta_kubernetes_pod_label_component + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - __meta_kubernetes_pod_container_port_name action: keep regex: linkerd-service-mirror;admin-http$ diff --git a/viz/cmd/testdata/install_grafana_disabled.golden b/viz/cmd/testdata/install_grafana_disabled.golden index f4c47513eda08..d39b8f95c48bf 100644 --- a/viz/cmd/testdata/install_grafana_disabled.golden +++ b/viz/cmd/testdata/install_grafana_disabled.golden @@ -645,7 +645,7 @@ data: - role: pod relabel_configs: - source_labels: - - __meta_kubernetes_pod_label_component + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - __meta_kubernetes_pod_container_port_name action: keep regex: linkerd-service-mirror;admin-http$ diff --git a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden index fea5b1b376cce..016f7fb92d10c 100644 --- a/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden +++ b/viz/cmd/testdata/install_prometheus_loglevel_from_args.golden @@ -864,7 +864,7 @@ data: - role: pod relabel_configs: - source_labels: - - __meta_kubernetes_pod_label_component + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - __meta_kubernetes_pod_container_port_name action: keep regex: linkerd-service-mirror;admin-http$ diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden index 8e8d3332469a7..2718c0e2c3f24 100644 --- a/viz/cmd/testdata/install_proxy_resources.golden +++ b/viz/cmd/testdata/install_proxy_resources.golden @@ -868,7 +868,7 @@ data: - role: pod relabel_configs: - source_labels: - - __meta_kubernetes_pod_label_component + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - __meta_kubernetes_pod_container_port_name action: keep regex: linkerd-service-mirror;admin-http$