Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

policy: Make global egress network namespace configurable #13250

Merged
merged 3 commits into from
Nov 1, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions charts/linkerd-control-plane/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,7 @@ Kubernetes: `>=1.22.0-0`
| destinationController.readinessProbe.timeoutSeconds | int | `1` | |
| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
| disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) |
| egress.globalEgressNetworkNamespace | string | `"linkerd-egress"` | The namespace that is used to store egress configuration that affects all client workloads in the cluster |
| enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on |
| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading |
| enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
Expand Down
1 change: 1 addition & 0 deletions charts/linkerd-control-plane/templates/destination.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -348,6 +348,7 @@ spec:
- --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}}
- --log-format={{.Values.controllerLogFormat}}
- --default-opaque-ports={{.Values.proxy.opaquePorts}}
- --global-egress-network-namespace={{.Values.egress.globalEgressNetworkNamespace}}
{{- if .Values.policyController.probeNetworks }}
- --probe-networks={{.Values.policyController.probeNetworks | join ","}}
{{- end}}
Expand Down
7 changes: 7 additions & 0 deletions charts/linkerd-control-plane/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -662,3 +662,10 @@ podMonitor:
proxy:
# -- Enables the creation of PodMonitor for the data-plane
enabled: true


# Egress related configuration
egress:
# -- The namespace that is used to store egress configuration that affects all client workloads in the cluster
globalEgressNetworkNamespace: linkerd-egress

2 changes: 2 additions & 0 deletions charts/linkerd-crds/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,8 @@ Kubernetes: `>=1.22.0-0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| enableHttpRoutes | bool | `true` | |
| enableTcpRoutes | bool | `true` | |
| enableTlsRoutes | bool | `true` | |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
1 change: 1 addition & 0 deletions cli/cmd/install_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,7 @@ func TestRender(t *testing.T) {
ProxyInjector: defaultValues.ProxyInjector,
ProfileValidator: defaultValues.ProfileValidator,
PolicyValidator: defaultValues.PolicyValidator,
Egress: defaultValues.Egress,
}

haValues, err := testInstallOptionsHA(true)
Expand Down
3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_controlplane_tracing_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_custom_domain.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_custom_registry.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_default.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_default_token.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_gid_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_ha_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_ha_with_overrides_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_heartbeat_disabled_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_helm_control_plane_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_helm_output_ha_labels.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_no_init_container.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_proxy_ignores.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions cli/cmd/testdata/install_values_file.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions pkg/charts/linkerd2/values.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,12 @@ type (
DestinationProxyResources *Resources `json:"destinationProxyResources"`
IdentityProxyResources *Resources `json:"identityProxyResources"`
ProxyInjectorProxyResources *Resources `json:"proxyInjectorProxyResources"`
Egress *Egress `json:"egress"`
}

// Resources represents the computational resources setup for a given container
Egress struct {
GlobalEgressNetworkNamespace string `json:"globalEgressNetworkNamespace"`
}

// Controller contains the fields to set the controller container
Expand Down
1 change: 1 addition & 0 deletions pkg/charts/linkerd2/values_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,7 @@ func TestNewValues(t *testing.T) {
ProxyInjector: &ProxyInjector{Webhook: Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorInjector}},
ProfileValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple},
PolicyValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple},
Egress: &Egress{GlobalEgressNetworkNamespace: "linkerd-egress"},
}

// pin the versions to ensure consistent test result.
Expand Down
2 changes: 1 addition & 1 deletion policy-controller/k8s/index/src/cluster_info.rs
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ pub struct ClusterInfo {

/// The namespace that is designated for egress configuration
/// affecting all workloads across the cluster
pub global_external_network_namespace: Arc<String>,
pub global_egress_network_namespace: Arc<String>,
}

impl ClusterInfo {
Expand Down
Loading
Loading