Make service mirror controller per target cluster (linkerd#4710)

This PR removes the service mirror controller from `linkerd mc install` to `linkerd mc link`, as described in linkerd/rfc#31.  For fuller context, please see that RFC.

Basic multicluster functionality works here including:
* `linkerd mc install` installs the Link CRD but not any service mirror controllers
* `linkerd mc link` creates a Link resource and installs a service mirror controller which uses that Link
* The service mirror controller creates and manages mirror services, a gateway mirror, and their endpoints.
* The `linkerd mc gateways` command lists all linked target clusters, their liveliness, and probe latences.
* The `linkerd check` multicluster checks have been updated for the new architecture.  Several checks have been rendered obsolete by the new architecture and have been removed.

The following are known issues requiring further work:
* the service mirror controller uses the existing `mirror.linkerd.io/gateway-name` and `mirror.linkerd.io/gateway-ns` annotations to select which services to mirror.  it does not yet support configuring a label selector.
* an unlink command is needed for removing multicluster links: see linkerd#4707
* an mc uninstall command is needed for uninstalling the multicluster addon: see linkerd#4708

Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Eric Solomon <[email protected]>

Author: adleong

bin/helm-build

@@ -20,6 +20,7 @@ bindir=$( cd "${BASH_SOURCE[0]%/*}" && pwd )
 rootdir=$( cd "$bindir"/.. && pwd )
 
 "$bindir"/helm lint "$rootdir"/charts/linkerd2-multicluster
+"$bindir"/helm lint "$rootdir"/charts/linkerd2-multicluster-link
 "$bindir"/helm lint "$rootdir"/charts/partials
 "$bindir"/helm dep up "$rootdir"/charts/linkerd2-cni
 "$bindir"/helm lint "$rootdir"/charts/linkerd2-cni
@@ -50,6 +51,7 @@ if [ "$1" = package ]; then
     "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/charts/linkerd2
     "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/charts/linkerd2-cni
     "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/charts/linkerd2-multicluster
+    "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/charts/linkerd2-multicluster-link
     mv "$rootdir"/target/helm/index-pre.yaml "$rootdir"/target/helm/index-pre-"$version".yaml
     "$bindir"/helm repo index --url "https://helm.linkerd.io/$repo/" --merge "$rootdir"/target/helm/index-pre-"$version".yaml "$rootdir"/target/helm
 

charts/linkerd2-multicluster-link/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+OWNERS
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/linkerd2-multicluster-link/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+appVersion: edge-XX.X.X
+description: A helm chart containing the resources to enable mirroring of services from a remote cluster
+kubeVersion: ">=1.13.0-0"
+icon: https://linkerd.io/images/logo-only-200h.png
+name: "linkerd2-multicluster-link"
+version: 0.1.0

charts/linkerd2-multicluster-link/README.md

@@ -0,0 +1,40 @@
+
+# Linkerd2-multicluster-link Helm Chart
+
+Linkerd is a *service mesh*, designed to give platform-wide observability,
+reliability, and security without requiring configuration or code changes. This
+chart provides the components needed to enable communication between clusters.
+
+## Configuration
+
+The following table lists the configurable parameters of the
+linkerd2-multicluster chart and their default values.
+
+| Parameter                       | Description                                                                                 | Default                                      |
+|---------------------------------|---------------------------------------------------------------------------------------------|----------------------------------------------|
+|`controllerComponentLabel`       | Control plane label. Do not edit                                                            |`linkerd.io/control-plane-component`          |
+|`controllerImage`                | Docker image for the Service mirror component (uses the Linkerd controller image)           |`gcr.io/linkerd-io/controller`                |
+|`controllerImageVersion`         | Tag for the Service Mirror container Docker image                                           |`latest version`                              |
+|`createdByAnnotation`            | Annotation label for the proxy create. Do not edit.                                         |`linkerd.io/created-by`                       |
+|`gateway`                        | If the gateway component should be installed                                                |`true`                                        |
+|`gatewayLocalProbePath`          | The path that will be used by the local liveness checks to ensure the gateway is alive      |`/health-local`                               |
+|`gatewayLocalProbePort`          | The port that will be used by the local liveness checks to ensure the gateway is alive      |`8888`                                        |
+|`gatewayName`                    | The name of the gateway that will be installed                                              |`linkerd-gateway`                             |
+|`gatewayNginxImage`              | The Nginx image                                                                             |`nginx`                                       |
+|`gatewayNginxImageVersion`       | The version of the Nginx image                                                              |`1.17`                                        |
+|`gatewayPort`                    | The port on which all the gateway will accept incoming traffic                              |`4143`                                        |
+|`gatewayProbePath`               | The path that will be used by remote clusters for determining whether the gateway is alive  |`/health`                                     |
+|`gatewayProbePort`               | The port used for liveliness probing                                                        |`4181`                                        |
+|`gatewayProbeSeconds`            | The interval (in seconds) between liveness probes                                           |`3`                                           |
+|`identityTrustDomain`            | Trust domain used for identity of the existing linkerd installation                         |`cluster.local`                               |
+|`installNamespace`               | If the namespace should be installed                                                        |`true`                                        |
+|`linkerdNamespace`               | The namespace of the existing Linkerd installation                                          |`linkerd`                                     |
+|`linkerdVersion`                 | Control plane version                                                                       | latest version                               |
+|`namespace`                      | Service Mirror component namespace                                                          |`linkerd-multicluster`                        |
+|`proxyOutboundPort`              | The port on which the proxy accepts outbound traffic                                        |`4140`                                        |
+|`remoteMirrorServiceAccountName` | The name of the service account used to allow remote clusters to mirror local services      |`linkerd-service-mirror-remote-access-default`|
+|`remoteMirrorServiceAccount`     | If the remote mirror service account should be installed                                    |`true`                                        |
+|`serviceMirror`                  | If the service mirror component should be installed                                         |`true`                                        |
+|`logLevel`                       | Log level for the Multicluster components                                                   |`info`                                        |
+|`serviceMirrorRetryLimit`        | Number of times update from the remote cluster is allowed to be requeued (retried)          |`3`                                           |
+|`serviceMirrorUID`               | User id under which the Service Mirror shall be ran                                         |`2103`                                        |

charts/linkerd2-multicluster-link/templates/gateway-mirror.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: probe-gateway-{{.Values.targetClusterName}}
+  namespace: {{.Values.namespace}}
+  labels:
+    mirror.linkerd.io/mirrored-gateway: "true"
+    mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
+spec:
+  ports:
+  - name: mc-probe
+    port: {{.Values.gatewayProbePort}}
+    protocol: TCP

charts/linkerd2-multicluster/templates/service-mirror.yaml renamed to charts/linkerd2-multicluster-link/templates/service-mirror.yaml

@@ -1,11 +1,11 @@
-{{if .Values.serviceMirror -}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: linkerd-service-mirror-access-local-resources
+  name: linkerd-service-mirror-access-local-resources-{{.Values.targetClusterName}}
   labels:
     {{.Values.controllerComponentLabel}}: linkerd-service-mirror
+    mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
 rules:
 - apiGroups: [""]
   resources: ["endpoints", "services"]
@@ -17,85 +17,96 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: linkerd-service-mirror-access-local-resources
+  name: linkerd-service-mirror-access-local-resources-{{.Values.targetClusterName}}
   labels:
     {{.Values.controllerComponentLabel}}: linkerd-service-mirror
+    mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: linkerd-service-mirror-access-local-resources
+  name: linkerd-service-mirror-access-local-resources-{{.Values.targetClusterName}}
 subjects:
 - kind: ServiceAccount
-  name: linkerd-service-mirror
+  name: linkerd-service-mirror-{{.Values.targetClusterName}}
   namespace: {{.Values.namespace}}
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: linkerd-service-mirror-read-remote-creds
+  name: linkerd-service-mirror-read-remote-creds-{{.Values.targetClusterName}}
   namespace: {{.Values.namespace}}
   labels:
       {{.Values.controllerComponentLabel}}: linkerd-service-mirror
+      mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
+    resourceNames: ["cluster-credentials-{{.Values.targetClusterName}}"]
+    verbs: ["list", "get", "watch"]
+  - apiGroups: ["multicluster.linkerd.io"]
+    resources: ["links"]
     verbs: ["list", "get", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: linkerd-service-mirror-read-remote-creds
+  name: linkerd-service-mirror-read-remote-creds-{{.Values.targetClusterName}}
   namespace: {{.Values.namespace}}
   labels:
       {{.Values.controllerComponentLabel}}: linkerd-service-mirror
+      mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: linkerd-service-mirror-read-remote-creds
+  name: linkerd-service-mirror-read-remote-creds-{{.Values.targetClusterName}}
 subjects:
   - kind: ServiceAccount
-    name: linkerd-service-mirror
+    name: linkerd-service-mirror-{{.Values.targetClusterName}}
     namespace: {{.Values.namespace}}
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  name: linkerd-service-mirror
+  name: linkerd-service-mirror-{{.Values.targetClusterName}}
   namespace: {{.Values.namespace}}
   labels:
     {{.Values.controllerComponentLabel}}: linkerd-service-mirror
+    mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     {{.Values.controllerComponentLabel}}: linkerd-service-mirror
-  name: linkerd-service-mirror
+    mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
+  name: linkerd-service-mirror-{{.Values.targetClusterName}}
   namespace: {{.Values.namespace}}
 spec:
   replicas: 1
   selector:
     matchLabels:
       {{.Values.controllerComponentLabel}}: linkerd-service-mirror
+      mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
   template:
     metadata:
       annotations:
         linkerd.io/inject: enabled
       labels:
         {{.Values.controllerComponentLabel}}: linkerd-service-mirror
+        mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
     spec:
       containers:
       - args:
         - service-mirror
         - -log-level={{.Values.logLevel}}
         - -event-requeue-limit={{.Values.serviceMirrorRetryLimit}}
         - -namespace={{.Values.namespace}}
+        - {{.Values.targetClusterName}}
         image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion}}
         name: service-mirror
         securityContext:
           runAsUser: {{.Values.serviceMirrorUID}}
         ports:
         - containerPort: 9999
           name: admin-http
-      serviceAccountName: linkerd-service-mirror
-{{end -}}
+      serviceAccountName: linkerd-service-mirror-{{.Values.targetClusterName}}

charts/linkerd2-multicluster-link/values.yaml

@@ -0,0 +1,9 @@
+controllerComponentLabel: linkerd.io/control-plane-component
+controllerImage: gcr.io/linkerd-io/controller
+controllerImageVersion: linkerdVersionValue
+createdByAnnotation: linkerd.io/created-by
+gatewayProbePort: 4181
+namespace: linkerd-multicluster
+logLevel: info
+serviceMirrorRetryLimit: 3
+serviceMirrorUID: 2103

charts/linkerd2-multicluster/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 appVersion: edge-XX.X.X
-description: A helm chart containing the resources to enable mirroring of services on remote clusters
+description: A helm chart containing the resources to support multicluster linking to remote clusters
 kubeVersion: ">=1.13.0-0"
 icon: https://linkerd.io/images/logo-only-200h.png
 name: "linkerd2-multicluster"
-version: 0.1.0
+version: 0.1.0

charts/linkerd2-multicluster/templates/link-crd.yaml

@@ -0,0 +1,22 @@
+---
+###
+### Link CRD
+###
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: links.multicluster.linkerd.io
+  annotations:
+    {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
+spec:
+  group: multicluster.linkerd.io
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+  scope: Namespaced
+  names:
+    plural: links
+    singular: link
+    kind: Link

charts/linkerd2-multicluster/values.yaml

@@ -1,6 +1,3 @@
-controllerComponentLabel: linkerd.io/control-plane-component
-controllerImage: gcr.io/linkerd-io/controller
-controllerImageVersion: linkerdVersionValue
 createdByAnnotation: linkerd.io/created-by
 gateway: true
 gatewayLocalProbePath: /health-local
@@ -12,15 +9,9 @@ gatewayPort: 4143
 gatewayProbePath: /health
 gatewayProbePort: 4181
 gatewayProbeSeconds: 3
-identityTrustDomain: cluster.local
 installNamespace: true
-linkerdNamespace: linkerd
 linkerdVersion: linkerdVersionValue
 namespace: linkerd-multicluster
 proxyOutboundPort: 4140
-serviceMirror: true
-logLevel: info
-serviceMirrorRetryLimit: 3
-serviceMirrorUID: 2103
 remoteMirrorServiceAccount: true
 remoteMirrorServiceAccountName: linkerd-service-mirror-remote-access-default