Use IPv6-enabled proxy-init
Follow-up to linkerd/linkerd2-proxy-init#350

In support of the new proxy-init flags `--iptables-mode` and `--ipv6`:

- For the linkerd-control-plane chart, added the values.yaml entry `enableIPv6` (defaults to true). The `proxyInit.iptablesMode` was already there, but we now interpret it slightly differently in `_proxy-init.tpl`.
- For the linkerd2-cni chart, added the entries `iptablesMode` (defaults to "legacy") and `enableIPv6` (defaults to true).

Note this allows routing IPv6 traffic to the proxy, but it's just the first step towards IPv6/dual-stack support. More control plane and proxy changes will come up next.

*Do not merge yet*: We're pulling the images `ghcr.io/alpeb/proxy-init:ipv6` and `ghcr.io/alpeb/cni-plugin:ipv6` as temporary builds for linkerd/linkerd2-proxy-init#350, while that gets released.
alpeb committed Mar 12, 2024
1 parent cb21f1b commit cae945b
Showing 65 changed files with 357 additions and 141 deletions.
5 changes: 3 additions & 2 deletions charts/linkerd-control-plane/README.md
Expand Up @@ -161,6 +161,7 @@ Kubernetes: `>=1.22.0-0`
| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
| enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on |
| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading |
| enableIPv6 | bool | `true` | enables routing IPv6 traffic in addition to IPv4 traffic through the proxy |
| enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
| enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability |
| enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components |
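Review bot: the new `enableIPv6` row documents what the flag does but not what it requires of the host, even though it defaults to `true` and therefore adds IPv6 rule installation to every injected pod; phrase the prerequisite the way the `proxyInit.iptablesMode` row already does ("The host must support whichever mode will be used"), stating that the node must have ip6tables available. It is also worth reconsidering whether `true` is the right default for what the commit message calls only a first step towards IPv6 support.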
Expand Down Expand Up @@ -269,9 +270,9 @@ Kubernetes: `>=1.22.0-0`
| proxyInit.closeWaitTimeoutSecs | int | `0` | |
| proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) |
| proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
| proxyInit.image.name | string | `"ghcr.io/alpeb/proxy-init"` | Docker image for the proxy-init container |
| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image |
| proxyInit.image.version | string | `"v2.2.4"` | Tag for the proxy-init container image |
| proxyInit.image.version | string | `"ipv6"` | Tag for the proxy-init container image |
| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
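Review bot: the documented defaults now point at a personal registry with a mutable tag (`ghcr.io/alpeb/proxy-init`, `ipv6`); the commit message marks these as temporary, so before merge restore `cr.l5d.io/linkerd/proxy-init` and a released, pinned version tag so the chart does not ship an unpinned image built outside the project's release pipeline.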
6 changes: 4 additions & 2 deletions charts/linkerd-control-plane/values.yaml
Expand Up @@ -32,6 +32,8 @@ deploymentStrategy:
# enableEndpointSlices should be set to true only if EndpointSlice K8s feature
# gate is on
enableEndpointSlices: true
# -- enables routing IPv6 traffic in addition to IPv4 traffic through the proxy
enableIPv6: true
# -- enables pod anti affinity creation on deployments for high availability
enablePodAntiAffinity: false
# -- enables the use of pprof endpoints on control plane component's admin
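Review bot: `enableIPv6` is added at the top level of values.yaml, while the flag it drives is a proxy-init argument that sits next to `proxyInit.iptablesMode` in `_proxy-init.tpl`; if it is meant to remain proxy-init-specific, nesting it as `proxyInit.enableIPv6` keeps the two related settings together. If the top-level placement is deliberate because the upcoming control-plane changes will read it too, a comment saying so would save the next reader the question.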
Expand Down Expand Up @@ -259,12 +261,12 @@ proxyInit:
logFormat: ""
image:
# -- Docker image for the proxy-init container
name: cr.l5d.io/linkerd/proxy-init
name: ghcr.io/alpeb/proxy-init
# -- Pull policy for the proxy-init container image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy-init container image
version: v2.2.4
version: ipv6
resources:
cpu:
# -- Maximum amount of CPU units that the proxy-init container can use
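Review bot: `name: ghcr.io/alpeb/proxy-init` and `version: ipv6` are the values the README table reflects, so the revert to `cr.l5d.io/linkerd/proxy-init` with a `vX.Y.Z` tag has to happen here (and be carried into the README) before merge; a floating tag also defeats image pinning for anyone installing from the chart in the meantime.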
6 changes: 4 additions & 2 deletions charts/linkerd2-cni/README.md
Expand Up @@ -25,15 +25,17 @@ Kubernetes: `>=1.22.0-0`
| commonLabels | object | `{}` | Labels to apply to all resources |
| destCNIBinDir | string | `"/opt/cni/bin"` | Directory on the host where the CNI configuration will be placed |
| destCNINetDir | string | `"/etc/cni/net.d"` | Directory on the host where the CNI plugin binaries reside |
| enableIPv6 | bool | `true` | Enables adding IPv6 rules on top of IPv4 rules |
| enablePSP | bool | `false` | Add a PSP resource and bind it to the linkerd-cni ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
| extraInitContainers | list | `[]` | Add additional initContainers to the daemonset |
| ignoreInboundPorts | string | `""` | Default set of inbound ports to skip via iptables |
| ignoreOutboundPorts | string | `""` | Default set of outbound ports to skip via iptables |
| image.name | string | `"cr.l5d.io/linkerd/cni-plugin"` | Docker image for the CNI plugin |
| image.name | string | `"ghcr.io/alpeb/cni-plugin"` | Docker image for the CNI plugin |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the linkerd-cni container |
| image.version | string | `"v1.3.0"` | Tag for the CNI container Docker image |
| image.version | string | `"ipv6"` | Tag for the CNI container Docker image |
| imagePullSecrets | list | `[]` | |
| inboundProxyPort | int | `4143` | Inbound port for the proxy container |
| iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing |
| logLevel | string | `"info"` | Log level for the CNI plugin |
| outboundProxyPort | int | `4140` | Outbound port for the proxy container |
| podLabels | object | `{}` | Additional labels to add to all pods |
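Review bot: the `iptablesMode` description here is thinner than the control-plane chart's: it lists neither the accepted values ('nft' or 'legacy') nor the host requirement. Use the same wording in both charts, and align the two `enableIPv6` descriptions as well ("Enables adding IPv6 rules on top of IPv4 rules" here versus "enables routing IPv6 traffic in addition to IPv4 traffic through the proxy" in linkerd-control-plane) so operators reading both charts get one consistent statement.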
4 changes: 3 additions & 1 deletion charts/linkerd2-cni/templates/cni-plugin.yaml
Expand Up @@ -176,7 +176,9 @@ data:
],
{{- end }}
"simulate": false,
"use-wait-flag": {{.Values.useWaitFlag}}
"use-wait-flag": {{.Values.useWaitFlag}},
"iptables-mode": {{.Values.iptablesMode | quote}},
"ipv6": {{.Values.enableIPv6}}
}
}
---
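Review bot: `"iptables-mode": {{.Values.iptablesMode | quote}}` is written into the CNI config without any validation, whereas `_proxy-init.tpl` fails the render for anything outside ["nft", "legacy"]; add the same `fail` guard in this template so a typo surfaces at `helm install` time rather than as a runtime error inside the CNI plugin. Likewise `"ipv6": {{.Values.enableIPv6}}` is emitted unquoted, so a non-boolean value would produce invalid JSON in the ConfigMap; a `kindIs "bool"` check would catch that at render time.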
8 changes: 6 additions & 2 deletions charts/linkerd2-cni/values.yaml
Expand Up @@ -26,6 +26,10 @@ destCNINetDir: "/etc/cni/net.d"
destCNIBinDir: "/opt/cni/bin"
# -- Configures the CNI plugin to use the -w flag for the iptables command
useWaitFlag: false
# -- Variant of iptables that will be used to configure routing
iptablesMode: "legacy"
# -- Enables adding IPv6 rules on top of IPv4 rules
enableIPv6: true
# -- Kubernetes priorityClassName for the CNI plugin's Pods
priorityClassName: ""

Expand All @@ -51,9 +55,9 @@ tolerations:
# -|- Image section
image:
# -- Docker image for the CNI plugin
name: "cr.l5d.io/linkerd/cni-plugin"
name: "ghcr.io/alpeb/cni-plugin"
# -- Tag for the CNI container Docker image
version: "v1.3.0"
version: "ipv6"
# -- Pull policy for the linkerd-cni container
pullPolicy: IfNotPresent

13 changes: 6 additions & 7 deletions charts/partials/templates/_proxy-init.tpl
@@ -1,12 +1,11 @@
{{- define "partials.proxy-init" -}}
args:
{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }}
- --firewall-bin-path
- "iptables-nft"
- --firewall-save-bin-path
- "iptables-nft-save"
{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }}
{{ if not (has .Values.proxyInit.iptablesMode (list "nft" "legacy")) -}}
{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }}
{{end -}}
args:
- --iptables-mode={{.Values.proxyInit.iptablesMode}}
{{- if .Values.enableIPv6 }}
- --ipv6
{{- end }}
- --incoming-proxy-port
- {{.Values.proxy.ports.inbound | quote}}
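Review bot: the previous template tolerated an unset or empty `proxyInit.iptablesMode` by defaulting it to "legacy" (`| default "legacy"`), whereas the new `has ... (list "nft" "legacy")` check fails the render on an empty value; if that behaviour change is intended, state it in the commit message and upgrade notes, otherwise keep the default by validating `(.Values.proxyInit.iptablesMode | default "legacy")` and passing that defaulted value to `--iptables-mode`. Separately, `--ipv6` is emitted purely from `.Values.enableIPv6` with no host check, and it defaults to true, so please confirm proxy-init degrades gracefully when ip6tables is unavailable on the node; otherwise injection breaks on IPv4-only clusters the moment this is released.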
Expand Up @@ -171,6 +171,8 @@ spec:
name: http
initContainers:
- args:
- --iptables-mode=legacy
- --ipv6
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
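Review bot: the golden files now hard-code `--iptables-mode=legacy` and `--ipv6` in every init container, so only the default branch of the template is covered; add a golden case rendered with `enableIPv6: false` and one with `proxyInit.iptablesMode: nft` so the `{{- if .Values.enableIPv6 }}` branch and the `nft` argument are exercised, and expect to regenerate all of these once the temporary image is reverted.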
Expand All @@ -181,7 +183,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.4
image: ghcr.io/alpeb/proxy-init:ipv6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
Expand Up @@ -171,6 +171,8 @@ spec:
name: server
initContainers:
- args:
- --iptables-mode=legacy
- --ipv6
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
Expand All @@ -181,7 +183,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.4
image: ghcr.io/alpeb/proxy-init:ipv6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
Expand Down Expand Up @@ -394,6 +396,8 @@ spec:
name: http
initContainers:
- args:
- --iptables-mode=legacy
- --ipv6
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
Expand All @@ -404,7 +408,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.4
image: ghcr.io/alpeb/proxy-init:ipv6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
Expand Up @@ -171,6 +171,8 @@ spec:
name: server
initContainers:
- args:
- --iptables-mode=legacy
- --ipv6
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
Expand All @@ -181,7 +183,7 @@ spec:
- 4190,4191,4567,4568
- --outbound-ports-to-ignore
- 4567,4568
image: cr.l5d.io/linkerd/proxy-init:v2.2.4
image: ghcr.io/alpeb/proxy-init:ipv6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
4 changes: 3 additions & 1 deletion cli/cmd/testdata/inject_contour.golden.yml
16 changes: 12 additions & 4 deletions cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml
4 changes: 3 additions & 1 deletion cli/cmd/testdata/inject_emojivoto_deployment.golden.yml