Add functionality to helm chart to allow image digest for controllerImage #11313

Closed
wants to merge 48 commits into from

adamshawvipps
Contributor

Subject
Introduce helm functionality for controllerImage digest

Problem
I need to reference each image via a digest or it's not allowed to run in our cluster.
The current helm chart behaviour appends .Values.linkerdVersion but there is currently no way to add a digest.

This is not an issue for other images because they already allow tags

Solution
Add helm functionality to allow setting the controllerImage tag

Validation
1. Update values.yaml with
`controllerImageVersion: tag@sha`

2. Run helm template using the above values and view the output. The controllerImage now has the value `cr.l5d.io/linkerd/controller:tag@sha:123` allowing you to reference a digest

Fixes #11312 

DCO Sign off
Signed-off-by: Adam Shaw [email protected]
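
The validation step described above (render with `helm template`, then inspect the image value) can be automated. The following is an added example, not code from this PR or from the Linkerd project: a Go check that scans rendered manifest text for `image:` values that are not pinned to a full `sha256` digest. The function names, the `registry.example` images and the digest value are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// digestRe matches a reference ending in "@sha256:" plus 64 lowercase hex characters.
var digestRe = regexp.MustCompile(`@sha256:[a-f0-9]{64}$`)

// imageLineRe extracts the value of an `image:` key from one rendered manifest line,
// tolerating a leading list dash and optional quotes.
var imageLineRe = regexp.MustCompile(`^\s*(?:-\s+)?image:\s*["']?([^"'\s#]+)`)

// Finding describes one image reference that is not pinned by digest.
type Finding struct {
	Line   int
	Image  string
	Reason string
}

// CheckImage returns "" when ref is pinned to a sha256 digest, otherwise the reason it is not.
func CheckImage(ref string) string {
	if strings.Contains(ref, "@") {
		if digestRe.MatchString(ref) {
			return ""
		}
		return "malformed digest"
	}
	// Look for a tag only in the last path segment, so that a registry
	// port such as registry.example:5000 is not mistaken for a tag.
	name := ref[strings.LastIndex(ref, "/")+1:]
	if strings.Contains(name, ":") {
		return "tag only"
	}
	return "no tag or digest"
}

// ScanManifest walks rendered manifest text and reports every unpinned image.
func ScanManifest(manifest string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for n := 1; sc.Scan(); n++ {
		m := imageLineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if reason := CheckImage(m[1]); reason != "" {
			out = append(out, Finding{Line: n, Image: m[1], Reason: reason})
		}
	}
	return out
}

// SampleManifest returns constructed input shaped like `helm template` output.
// The digest is a placeholder, not the digest of any real image.
func SampleManifest() string {
	digest := "sha256:" + strings.Repeat("ab", 32)
	return strings.Join([]string{
		"containers:",
		"- name: destination",
		"  image: cr.l5d.io/linkerd/controller:example-tag@" + digest,
		"- name: sidecar",
		"  image: registry.example/app:example-tag",
		"- name: placeholder",
		"  image: \"cr.l5d.io/linkerd/controller:tag@sha:123\"",
		"- name: untagged",
		"  image: registry.example:5000/app",
	}, "\n")
}

func main() {
	for _, f := range ScanManifest(SampleManifest()) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Image, f.Reason)
	}
}
```

A reference that carries both a tag and a digest is resolved by the digest, so only the `@sha256:` suffix is checked for the pinned case.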

@adleong
Member

adleong commented Sep 8, 2023

Is this a duplicate of #11278 ?

@cromulentbanana
Contributor

hi @adleong

> Is this a duplicate of #11278 ?

it appears to be a duplicate, but unlike #11278 it does pass tests. Given that I'm also blocked due to the original problem motivating this PR, does anything speak against merging it?

Thanks!

@cromulentbanana
Contributor

Hi @adleong

As a second reviewer's approval is needed, will another reviewer independently take that initiative or does one of us need to explicitly ask another maintainer?

Thank you!

@adamshawvipps
Contributor Author

@cromulentbanana the DCO sign off on your commit appears to have failed. How do we rectify that?

@cromulentbanana
Contributor

cromulentbanana commented Sep 16, 2023

> @cromulentbanana the DCO sign off on your commit appears to have failed. How do we rectify that?

I'm sorry, that was an oversight on my part.

Perhaps the fastest solution might be, either revert or amend that commit with the sign-off as your own user. I'm not entirely sure that a revert action will solve the problem since it will leave the offending commit in the history of the "feature branch"

If you're unable or unwilling to do that, I can address this later today.

@adamshawvipps
Contributor Author

@cromulentbanana I think we got there in the end

@alpeb are all the concerns addressed now?

adleong and others added 18 commits September 18, 2023 17:53
This release introduces direct pod-to-pod multicluster service mirroring. When
clusters are deployed on a flat network, Linkerd can export multicluster
services in a way where cross-cluster traffic does not need to go through the
gateway. This enhances multicluster authentication and can reduce the need for
provisioning public load balancers.

In addition, this release adds support for the
[Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resource (in the
`gateway.networking.k8s.io` api group). This improves compatibility with other
tools that use these resources such as [Flagger](https://flagger.app/) and
[Argo Rollouts](https://argoproj.github.io/rollouts/). The release also includes
a large number of features and improvements to HTTPRoute including the ability
to set timeouts and the ability to define consumer-namespace HTTPRoutes.

Finally, this release includes a number of bugfixes, performance improvements,
and other smaller additions.

**Upgrade notes**: Please see the
[upgrade instructions](https://linkerd.io/2/tasks/upgrade/#upgrade-notice-stable-2140).

* Multicluster
  * Remove namespace field from cluster scoped resources to fix pruning
  * Added -o json flag for the `linkerd multicluster gateways` command (thanks
    @hiteshwani29)
  * Introduced `logFormat` value to the multicluster `Link` Helm Chart (thanks
    @bunnybilou!)
  * Added leader-election capabilities to the service-mirror controller
  * Added high-availability (HA) mode for the multicluster service-mirror
  * Added a new `remoteDiscoverySelector` field to the multicluster `Link` CRD,
    which enables a service mirroring mode where the control plane
    performs discovery for the mirrored service from the remote cluster, rather
    than creating Endpoints for the mirrored service in the source cluster
* HTTPRoute
  * Fixed `linkerd uninstall` issue for HTTPRoute
  * Added support for `gateway.networking.k8s.io` HTTPRoutes in the policy
    controller
  * Added support for RequestHeaderModifier and RequestRedirect HTTP filters in
    outbound policy; filters may be added at the route or backend level
  * Added support for the `ResponseHeaderModifier` HTTPRoute filter
  * Added support for HTTPRoutes defined in the consumer namespace
  * Added support for HTTPRoute `parent_refs` that do not specify a port
* CRDs
  * Patched the MeshTLSAuthentication CRD to force providing at least one
    identity/identityRef
* Control Plane
  * Send Opaque protocol hint for opaque ports in destination controller
  * Replaced deprecated `failure-domain.beta.kubernetes.io/zone` labels in Helm
    charts with `topology.kubernetes.io/zone` labels (thanks @piyushsingariya!)
  * Replaced `server_port_subscribers` Destination controller gauge metric with
    `server_port_subscribes` and `server_port_unsubscribes` counter metrics
* Proxy
  * Handle Opaque protocol hints on endpoints
  * Added `outbound_http_balancer_endpoints` metric
  * Fixed missing route_ metrics for requests with ServiceProfiles
  * Fixed proxy startup failure when using the `config.linkerd.io/admin-port`
    annotation (thanks @jclegras!)
  * Added distinguishable version information to proxy logs and metrics
* CLI
  * The `linkerd diagnostics policy` command now displays outbound policy when
    the target resource is a Service
  * A fix for HA validation checks when Linkerd is installed with Helm. Thanks
    @mikutas!!
* Viz
  * Add the `kubelet` NetworkAuthentication back since it is used by the
    `linkerd viz allow-scrapes` subcommand.
  * Fixed the `linkerd viz check` command so that it will wait until the viz
    extension becomes ready
  * Fixed an issue where specifying a `remote_write` config would cause the
    Prometheus config to be invalid (thanks @hiteshwani29)
  * Improved validation of the `--to` and `--from` flags for the `linkerd viz stat`
    command (thanks @pranoyk)
  * Added `-o jsonpath` flag to `linkerd viz tap` to allow filtering output fields
    (thanks @hiteshwani29!)
  * Fixed a Grafana error caused by an incorrect datasource (thanks @albundy83!)
  * Fixed missing "Services" menu item in the Spanish localization for the
  `linkerd-viz` web dashboard (thanks @mclavel!)
* Extensions
  * Added missing label `linkerd.io/extension` to certain resources to ensure they
    are pruned when appropriate (thanks @ClementRepo)
  * Added tolerations and nodeSelector support in extensions `namespace-metadata`
    Jobs (thanks @pssalman!)
* Init Containers
  * Added an option for disabling the network validator's security context for
    environments that provide their own
* CNI
  * Added --set flag to install-cni plugin (thanks @amit-62!)
  * Fixed missing resource-cni labels on linkerd-cni, this blocked the
    linkerd-cni pods from coming up when the injector was broken (thanks
    @migueleliasweb!)
* Build
  * Build improvements for multi-arch build artifacts. Thanks @MarkSRobinson!!

This release includes changes from a massive list of contributors! A special
thank-you to everyone who helped make this release possible:

* Amir Karimi @AMK9978
* Amit Kumar @amit-62
* Andre Marcelo-Tanner @kzap
* Andrew @andrew-gropyus
* Arnaud Beun @bunnybilou
* Clement @proxfly
* Dima @krabradosty
* Grégoire Bellon-Gervais @albundy83
* Harsh Soni @harsh020
* Jean-Charles Legras @jclegras
* Loong Dai @daixiang0
* Mark Robinson @MarkSRobinson
* Miguel Elias dos Santos @migueleliasweb
* Pranoy Kumar Kundu @pranoyk
* Ryan Hristovski @ryanhristovski
* Takumi Sue @mikutas
* Zakhar Bessarab @zekker6
* hiteshwani29 @hiteshwani29
* pheianox
* pssalman @pssalman

Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
The `linkerd-meshtls-boring` crate currently uses a Git dependency on
`boring` and `tokio-boring`. This is because, when this crate was
initially introduced, the proxy required unreleased changes to these
crates. Now, however, upstream has published all the changes we depended
on (this happened ages ago), and we can depend on these libraries from
crates.io.

This branch removes the Git deps and updates to v3.0.0 of
`boring`/`tokio-boring`. I've also changed the `cargo-deny` settings to
no longer allow Git deps on these crates, as we no longer depend on them
from Git.

---

* build(deps): use published version of `boring` (linkerd/linkerd2-proxy#2454)

Signed-off-by: Eliza Weisman <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
Nexxiot is no longer using Linkerd2 as we completely removed service mesh from our technology stack.

Signed-off-by: alex-berger <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
Bumps [eslint-plugin-react](https://github.com/jsx-eslint/eslint-plugin-react) from 7.33.1 to 7.33.2.
- [Release notes](https://github.com/jsx-eslint/eslint-plugin-react/releases)
- [Changelog](https://github.com/jsx-eslint/eslint-plugin-react/blob/master/CHANGELOG.md)
- [Commits](jsx-eslint/eslint-plugin-react@v7.33.1...v7.33.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-react
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 11.0.0 to 12.0.0.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](DavidAnson/markdownlint-cli2-action@8f35160...3aaa38e)

---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
When issuing `linkerd mc gateways` with no links, the command waited
till it timed out (30s by default) before showing an empty table. This
change refactors the concurrency code in `getGatewayMetrics()` to avoid
that.

Also the `linkerd mc link -h` help text for the `--gateway` flag was
showing a dupe default value:

```
If false, allows a link to be created against a cluster that does not have a gateway service (default true) (default true)
```

Signed-off-by: Adam Shaw <[email protected]>
Bumps [jest-environment-jsdom](https://github.com/jestjs/jest/tree/HEAD/packages/jest-environment-jsdom) from 29.6.1 to 29.6.4.
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v29.6.4/packages/jest-environment-jsdom)

---
updated-dependencies:
- dependency-name: jest-environment-jsdom
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.1 to 4.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@fac708d...93397be)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
Bumps [@babel/eslint-parser](https://github.com/babel/babel/tree/HEAD/eslint/babel-eslint-parser) from 7.22.9 to 7.22.11.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.22.11/eslint/babel-eslint-parser)

---
updated-dependencies:
- dependency-name: "@babel/eslint-parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
…11328)

* stopgap fix for hostport staleness

## Problem

When there's a pod with a `hostPort` entry, `GetProfile` requests
targeting the host's IP and that `hostPort` return an endpoint profile
with that pod's IP and `containerPort`. If that pod vanishes and another
one in that same host with that same `hostPort` comes up, the existing
`GetProfile` streams won't get updated with the new pod information
(metadata, identity, protocol).

That breaks the connectivity of the client proxy relying on that stream.

## Partial Solution

It should be less surprising for those `GetProfile` requests to return
an endpoint profile with the same host IP and port requested, and leave
to the cluster's CNI to perform the translation to the corresponding pod
IP and `containerPort`.

This PR performs that change, but continues returning the corresponding
pod's information alongside.

If the pod associated to that host IP and port changes, the client proxy
won't lose connectivity, but the pod's information won't get updated
(that'll be fixed in a separate PR).

A new unit test validating this has been added, which will be expanded
to validate the changed pod information when that gets implemented.

## Details of Change

- We no longer do the HostPort->ContainerPort conversion, so the
  `getPortForPod` function was dropped.
- The `getPodByIp` function will now be split in two: `getPodByPodIP`
  and `getPodByHostIP`, the latter being called only if the former
  doesn't return anything.
- The `createAddress` function is now simplified in that it just uses
  the passed IP to build the address. The passed IP will depend on which
  of the two functions just mentioned returned the pod (host IP or pod
  IP)

Signed-off-by: Adam Shaw <[email protected]>
This commit updates `rustls-webpki` from v0.101.3 to v0.104.0.

Signed-off-by: Adam Shaw <[email protected]>
dependabot bot and others added 21 commits September 18, 2023 17:54
…1355)

Bumps [chai](https://github.com/chaijs/chai) from 4.3.7 to 4.3.8.
- [Release notes](https://github.com/chaijs/chai/releases)
- [Changelog](https://github.com/chaijs/chai/blob/4.x.x/History.md)
- [Commits](chaijs/chai@v4.3.7...v4.3.8)

---
updated-dependencies:
- dependency-name: chai
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
Bumps [@babel/eslint-parser](https://github.com/babel/babel/tree/HEAD/eslint/babel-eslint-parser) from 7.22.11 to 7.22.15.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.22.15/eslint/babel-eslint-parser)

---
updated-dependencies:
- dependency-name: "@babel/eslint-parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
Bumps [@babel/preset-react](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-react) from 7.22.5 to 7.22.15.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.22.15/packages/babel-preset-react)

---
updated-dependencies:
- dependency-name: "@babel/preset-react"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
…linkerd#11351)

Bumps [peter-evans/repository-dispatch](https://github.com/peter-evans/repository-dispatch) from 2.1.1 to 2.1.2.
- [Release notes](https://github.com/peter-evans/repository-dispatch/releases)
- [Commits](peter-evans/repository-dispatch@26b39ed...bf47d10)

---
updated-dependencies:
- dependency-name: peter-evans/repository-dispatch
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
lingui/cli manages locales, extracts messages from source files and
compiles message catalogs for production use. Dependabot's bump seems to
fail since lingui/cli requires at least node v16, and the current
Dockerfile uses node v14.

This change updates the web dockerfile to use node v20 and also
configures the JS web test runner to use node v20.

Lingui/cli's migration docs are covered in
https://lingui.dev/releases/migration-4#backward-incompatible-changes
for migrating from v3.x.x to v4.x.x.

Signed-off-by: Matei David <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
…d#11346)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@0b7f8ab...a8a3f3a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
from destination and proxy-injector

Fixes linkerd#10778

Signed-off-by: Takumi Sue <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.

---

* use `rustls-webpki` instead of `linkerd/webpki` (linkerd/linkerd2-proxy#2465)

Signed-off-by: Eliza Weisman <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 4.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@c85c95e...3df4ab1)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
This edge release updates the proxy's dependency on the `webpki` library
to patch security vulnerability [RUSTSEC-2023-0052]
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer with a
maliciously-crafted certificate.

* Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
  (linkerd#11361)
* Fixed `linkerd check --proxy` incorrectly checking the proxy version
  of pods in the `completed` state (thanks @mikutas!) (linkerd#11295; fixes
  linkerd#11280)
* Removed unnecessary `linkerd.io/helm-release-version` annotation from
  the `linkerd-control-plane` Helm chart (thanks @mikutas!) (linkerd#11329;
  fixes linkerd#10778)

[RUSTSEC-2023-0052]:
    https://rustsec.org/advisories/RUSTSEC-2023-0052.html

Signed-off-by: Adam Shaw <[email protected]>
Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
…nt env (linkerd#11283)

This PR changes a variety of things:
1. Changes value `collector.config` from a string to an object to support field level merging/changing without having to copy/paste the entire unchanged portion of the config.
2. Changes the default `collector.config` for sensible out of the box Linkerd tracing use-case:
    1. Only `opencensus` receiver (the format `linkerd-proxy` emits when configured for tracing)
    2. `resource` processor that maps the Pod name and namespace labels `linkerd-proxy` sets on injected Pods to the fields the `k8sattributes` processor expects for looking up the trace's source Pod.
    3. `k8sattributes` processor for decorating all traces with K8s metadata.
3. Standardizes `image.pullPolicy` behavior across all components and defaults to absent/null `imagePullPolicy` such that the K8s cluster configuration is used.
4. Adds collector RBAC needed for `k8sattributes` to lookup trace source K8s workloads
5. Adds collector ConfigMap checksum to rollout new Pod(s) when config is changed.
6. Adds/parameterizes the collector container command with value `collector.command`.
7. Changes collector image from [opentelemetry-collector](https://github.com/open-telemetry/opentelemetry-collector) to [opentelemetry-collector-contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib) which includes additional connectors, exporters, extensions, processors, receivers.
8. Adds value `collector.env` for additional collector Deployment environment variables.

Signed-off-by: Cameron Boulton <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
…nkerd#11366)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.10.0 to 3.0.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@885d146...f95db51)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
A git related "dubious ownership" error was preventing the go format action from running in CI. As a result of go formatting not getting checked in CI, some go formatting drift has been introduced.

Add the appropriate git config command to resolve dubious ownership so that go format checking is run in CI.

Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
…kerd#11364)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 39.0.1 to 39.0.2.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@246636f...6ee9cdc)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
…rd#11369)

Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.27.4 to 0.28.2.
- [Commits](kubernetes/kube-aggregator@v0.27.4...v0.28.2)

---
updated-dependencies:
- dependency-name: k8s.io/kube-aggregator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Adam Shaw <[email protected]>
…erd#11222)

Need to be able to set labels on Pod Monitors

add a labels section to podMonitor

Helm Lint/Helm Template

Fixes #[11175]

Signed-off-by: Justin S <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
We intermittently see flaky policy integration test failures like:

```
 failures:
    either

thread 'either' panicked at 'assertion failed: `(left == right)`
  left: `7`,
 right: `0`: blessed uninjected curl must succeed', policy-test/tests/e2e_server_authorization.rs:293:9
```

This test failure is saying that the curl process is returning an exit code of 7 instead of the expected exit code of 0.  This exit code indicates that curl failed to establish a connection.  https://everything.curl.dev/usingcurl/returns

It's unclear why this connection occasionally fails in CI and I have not been able to reproduce this failure locally.

However, by looking at the logic of the integration test, we can see that the integration test creates the `web` Service and the `web` Pod and waits for that pod to become ready before unblocking the curl from executing.  This means that, theoretically, there could be a race condition between the test and the kubernetes endpoints controller.  As soon as the web pod becomes ready, the endpoints controller will update the endpoints resource for the `web` Service and at the same time, our test will unblock the curl command.  If the test wins this race, it is possible that curl will run before the endpoints resource has been updated.

We add an additional wait condition to the test to wait until the endpoints resource has an endpoint before unblocking curl.

Since I could not reproduce the test failure locally, it is impossible to say if this is actually the cause of the flakiness or if this change fixes it.

Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
@adleong
Member

adleong commented Sep 18, 2023

Hi @adamshawvipps, I think something has gone wrong with your git branch. Can you try making sure that your main base branch is up to date?

For future reference, there are a number of different ways to agree to the DCO including by public statement, if that's easier. https://github.com/linkerd/linkerd2/blob/main/CONTRIBUTING.md#developer-certificate-of-origin

@adamshawvipps
Contributor Author

@adleong thanks for your help. I attempted to update the branch. Please let me know how it looks now

@cromulentbanana
Contributor

cromulentbanana commented Sep 20, 2023

> @adleong thanks for your help. I attempted to update the branch. Please let me know how it looks now

hi @adamshawvipps this PR currently modifies 131 files over 48 commits -- that doesn't seem right to me.

For illustrative purposes, in my own git remote, I've rebased your original feature branch (main) on that of upstream -- you can find it here: https://github.com/cromulentbanana/linkerd2. Hope that helps.

I expect that if you fetch my repo and reset your main branch to my main branch, then this PR should be fixed.

@cromulentbanana
Contributor

In order to help speed this along, I submitted a PR that could replace this PR in its currently broken state: #11406

@adleong @alpeb Feel free to either take my new PR in place of this one or abandon it, as you like.

@cromulentbanana
Contributor

hi @adamshawvipps would you prefer to fix this PR or shall we abandon it and go forward with #11406 ?

@cromulentbanana
Contributor

I believe that this can be closed now that #11406 has been merged
