policy: Make global egress network namespace configurable (#13250)

In a previous PR (#13246) we introduced an egress networks namespace that is used to create `EgressNetwork` objects that affect all client workloads. This change makes this namespace configurable through helm values. Additionally, we unify the naming convention of the arguments to use **egress** as opposed to **external** Signed-off-by: Zahari Dichev <[email protected]>
linkerd · Nov 1, 2024 · 4b10157 · 4b10157
1 parent 0349f51
commit 4b10157
Show file tree

Hide file tree

Showing 32 changed files with 90 additions and 15 deletions.
diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md
@@ -166,6 +166,7 @@ Kubernetes: `>=1.22.0-0`
 | destinationController.readinessProbe.timeoutSeconds | int | `1` |  |
 | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
 | disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) |
+| egress.globalEgressNetworkNamespace | string | `"linkerd-egress"` | The namespace that is used to store egress configuration that affects all client workloads in the cluster |
 | enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on |
 | enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading |
 | enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |

diff --git a/charts/linkerd-control-plane/templates/destination.yaml b/charts/linkerd-control-plane/templates/destination.yaml
@@ -348,6 +348,7 @@ spec:
         - --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}}
         - --log-format={{.Values.controllerLogFormat}}
         - --default-opaque-ports={{.Values.proxy.opaquePorts}}
+        - --global-egress-network-namespace={{.Values.egress.globalEgressNetworkNamespace}}
         {{- if .Values.policyController.probeNetworks }}
         - --probe-networks={{.Values.policyController.probeNetworks | join ","}}
         {{- end}}

diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml
@@ -662,3 +662,10 @@ podMonitor:
   proxy:
     # -- Enables the creation of PodMonitor for the data-plane
     enabled: true
+
+
+# Egress related configuration
+egress:
+  # -- The namespace that is used to store egress configuration that affects all client workloads in the cluster
+  globalEgressNetworkNamespace: linkerd-egress
+
diff --git a/charts/linkerd-crds/README.md b/charts/linkerd-crds/README.md
@@ -66,6 +66,8 @@ Kubernetes: `>=1.22.0-0`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | enableHttpRoutes | bool | `true` |  |
+| enableTcpRoutes | bool | `true` |  |
+| enableTlsRoutes | bool | `true` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go
@@ -161,6 +161,7 @@ func TestRender(t *testing.T) {
 		ProxyInjector:      defaultValues.ProxyInjector,
 		ProfileValidator:   defaultValues.ProfileValidator,
 		PolicyValidator:    defaultValues.PolicyValidator,
+		Egress:             defaultValues.Egress,
 	}
 
 	haValues, err := testInstallOptionsHA(true)

diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden
diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden
diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden
diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden
diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden
diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden
diff --git a/cli/cmd/testdata/install_gid_output.golden b/cli/cmd/testdata/install_gid_output.golden
diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden
diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden
diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden
diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden
diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden
diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha_with_gid.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha_with_gid.golden
diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden
diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden
diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden
diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden
diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go
@@ -89,6 +89,12 @@ type (
 		DestinationProxyResources   *Resources `json:"destinationProxyResources"`
 		IdentityProxyResources      *Resources `json:"identityProxyResources"`
 		ProxyInjectorProxyResources *Resources `json:"proxyInjectorProxyResources"`
+		Egress                      *Egress    `json:"egress"`
+	}
+
+	// Resources represents the computational resources setup for a given container
+	Egress struct {
+		GlobalEgressNetworkNamespace string `json:"globalEgressNetworkNamespace"`
 	}
 
 	// Controller contains the fields to set the controller container

diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go
@@ -249,6 +249,7 @@ func TestNewValues(t *testing.T) {
 		ProxyInjector:    &ProxyInjector{Webhook: Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorInjector}},
 		ProfileValidator: &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple},
 		PolicyValidator:  &Webhook{TLS: &TLS{}, NamespaceSelector: namespaceSelectorSimple},
+		Egress:           &Egress{GlobalEgressNetworkNamespace: "linkerd-egress"},
 	}
 
 	// pin the versions to ensure consistent test result.

diff --git a/policy-controller/k8s/index/src/cluster_info.rs b/policy-controller/k8s/index/src/cluster_info.rs
@@ -35,7 +35,7 @@ pub struct ClusterInfo {
 
     /// The namespace that is designated for egress configuration
     /// affecting all workloads across the cluster
-    pub global_external_network_namespace: Arc<String>,
+    pub global_egress_network_namespace: Arc<String>,
 }
 
 impl ClusterInfo {