diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index 316f26e3a1095..94b5592156d67 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md @@ -159,6 +159,7 @@ Kubernetes: `>=1.22.0-0` | debugContainer.image.version | string | linkerdVersion | Tag for the debug container image | | deploymentStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}` | default kubernetes deployment strategy | | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | +| disableIPv6 | bool | `false` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) | | enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on | | enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading | | enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 | diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 538141ec6ba9e..c4e7a177980b0 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml @@ -39,6 +39,10 @@ enablePodAntiAffinity: false enablePprof: false # -- enables the creation of pod disruption budgets for control plane components enablePodDisruptionBudget: false +# -- disables routing IPv6 traffic in addition to IPv4 traffic through the +# proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni +# v1.4.0) +disableIPv6: false controller: # -- sets pod disruption budget parameter for all deployments 
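Review bot: The new `disableIPv6` comment in charts/linkerd-control-plane/values.yaml can be read as switching off IPv4 routing as well, and it does not say what happens to IPv6 traffic once the value is set. Going by the proxy-init partial changed in this same commit, the value only adds `--ipv6=false`, so on a dual-stack cluster IPv6 connections would presumably stop being redirected to the proxy and would no longer get the mesh's mTLS or policy handling. I would reword the first line to `# -- when true, only IPv4 traffic is routed through the proxy; IPv6 traffic is left unproxied` and keep the existing proxy-init v2.3.0 / linkerd-cni v1.4.0 caveat as a second sentence. The README row for this value carries the same wording and should be changed with it.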
diff --git a/charts/linkerd2-cni/README.md b/charts/linkerd2-cni/README.md
index b8cbff96636a8..b154a4b5fe333 100644
--- a/charts/linkerd2-cni/README.md
+++ b/charts/linkerd2-cni/README.md
@@ -25,6 +25,7 @@ Kubernetes: `>=1.22.0-0`
 | commonLabels | object | `{}` | Labels to apply to all resources |
 | destCNIBinDir | string | `"/opt/cni/bin"` | Directory on the host where the CNI configuration will be placed |
 | destCNINetDir | string | `"/etc/cni/net.d"` | Directory on the host where the CNI plugin binaries reside |
+| disableIPv6 | bool | `false` | Disables adding IPv6 rules on top of IPv4 rules |
 | enablePSP | bool | `false` | Add a PSP resource and bind it to the linkerd-cni ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
 | extraInitContainers | list | `[]` | Add additional initContainers to the daemonset |
 | ignoreInboundPorts | string | `""` | Default set of inbound ports to skip via iptables |
@@ -34,6 +35,7 @@ Kubernetes: `>=1.22.0-0`
 | image.version | string | `"v1.3.0"` | Tag for the CNI container Docker image |
 | imagePullSecrets | list | `[]` | |
 | inboundProxyPort | int | `4143` | Inbound port for the proxy container |
+| iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing |
 | logLevel | string | `"info"` | Log level for the CNI plugin |
 | outboundProxyPort | int | `4140` | Outbound port for the proxy container |
 | podLabels | object | `{}` | Additional labels to add to all pods |
diff --git a/charts/linkerd2-cni/templates/cni-plugin.yaml b/charts/linkerd2-cni/templates/cni-plugin.yaml
index 54072411eaca0..9469fce67b49b 100644
--- a/charts/linkerd2-cni/templates/cni-plugin.yaml
+++ b/charts/linkerd2-cni/templates/cni-plugin.yaml
@@ -150,6 +150,7 @@ data: dest_cni_bin_dir: "{{.Values.destCNIBinDir}}" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", @@ -176,7 +177,9 @@ data: ], {{- end }} "simulate": false, - "use-wait-flag": {{.Values.useWaitFlag}} + "use-wait-flag": {{.Values.useWaitFlag}}, + "iptables-mode": {{.Values.iptablesMode | quote}}, + "ipv6": {{ternary "false" "true" .Values.disableIPv6 }} } } --- diff --git a/charts/linkerd2-cni/values.yaml b/charts/linkerd2-cni/values.yaml index a9f9e8fd48781..516a9083b3f3c 100644 --- a/charts/linkerd2-cni/values.yaml +++ b/charts/linkerd2-cni/values.yaml @@ -26,6 +26,10 @@ destCNINetDir: "/etc/cni/net.d" destCNIBinDir: "/opt/cni/bin" # -- Configures the CNI plugin to use the -w flag for the iptables command useWaitFlag: false +# -- Variant of iptables that will be used to configure routing +iptablesMode: "legacy" +# -- Disables adding IPv6 rules on top of IPv4 rules +disableIPv6: false # -- Kubernetes priorityClassName for the CNI plugin's Pods priorityClassName: "" diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index 91cc96e0a63df..305a53a36efb9 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl @@ -7,6 +7,9 @@ args: - "iptables-nft-save" {{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} {{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{end -}} +{{- if .Values.disableIPv6 }} +- --ipv6=false {{- end }} - --incoming-proxy-port - {{.Values.proxy.ports.inbound | quote}} diff --git a/cli/cmd/testdata/install-cni-plugin_default.golden b/cli/cmd/testdata/install-cni-plugin_default.golden index b53078e535d99..eb65ca31c7985 100644 
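Review bot: `iptablesMode` is written into `cni_network_config` with `quote` but without the value check that the proxy-init partial in this commit applies to `proxyInit.iptablesMode`, which calls `fail` for anything other than `nft` or `legacy`. A misspelt value renders cleanly here and is only interpreted by the plugin on the node, where the result (no rules, or a fallback) is not visible from the chart. Assuming the plugin accepts the same two values, a guard ahead of the ConfigMap such as `{{- if not (has .Values.iptablesMode (list "legacy" "nft")) }}{{ fail "Unsupported value for iptablesMode" }}{{- end }}` would surface the mistake at render time. As a matter of style, `{{ternary "false" "true" .Values.disableIPv6 }}` would be easier to read as `{{ not .Values.disableIPv6 }}`.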
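Review bot: In charts/partials/templates/_proxy-init.tpl the new block emits a flag only when IPv6 is disabled, so in the default case the rendered args say nothing about IPv6 and the behaviour depends on the default of whichever proxy-init image is deployed. The README text in this commit says IPv6 routing exists only as of proxy-init v2.3.0, which suggests that an older pinned image would leave IPv6 traffic unredirected without any sign of it in the manifest. A template comment above the block would record this, for example `{{- /* no flag is passed when IPv6 is enabled; requires proxy-init >= v2.3.0, older images do not route IPv6 through the proxy */}}`. The change of the first `end` from `{{- end }}` to `{{end -}}` also moves the whitespace trimming to the other side and deserves a check against the golden output; the `args:` list itself starts and continues outside the hunk.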
--- a/cli/cmd/testdata/install-cni-plugin_default.golden +++ b/cli/cmd/testdata/install-cni-plugin_default.golden @@ -53,6 +53,7 @@ data: dest_cni_bin_dir: "/opt/cni/bin" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", @@ -73,7 +74,9 @@ data: "ports-to-redirect": [], "inbound-ports-to-ignore": ["4191","4190"], "simulate": false, - "use-wait-flag": false + "use-wait-flag": false, + "iptables-mode": "legacy", + "ipv6": true } } --- diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden index b64981de55e70..86fcd8a259a31 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured.golden @@ -53,6 +53,7 @@ data: dest_cni_bin_dir: "/opt/my-cni/bin" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", @@ -73,7 +74,9 @@ data: "ports-to-redirect": [], "inbound-ports-to-ignore": ["4191","4190"], "simulate": false, - "use-wait-flag": false + "use-wait-flag": false, + "iptables-mode": "legacy", + "ipv6": true } } --- diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden index 0bea8074d9255..20517779d8a9f 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_equal_dsts.golden 
@@ -53,6 +53,7 @@ data: dest_cni_bin_dir: "/etc/kubernetes/cni/net.d" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", @@ -73,7 +74,9 @@ data: "ports-to-redirect": [], "inbound-ports-to-ignore": ["4191","4190"], "simulate": false, - "use-wait-flag": false + "use-wait-flag": false, + "iptables-mode": "legacy", + "ipv6": true } } --- diff --git a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden index b64981de55e70..86fcd8a259a31 100644 --- a/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden +++ b/cli/cmd/testdata/install-cni-plugin_fully_configured_no_namespace.golden @@ -53,6 +53,7 @@ data: dest_cni_bin_dir: "/opt/my-cni/bin" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", @@ -73,7 +74,9 @@ data: "ports-to-redirect": [], "inbound-ports-to-ignore": ["4191","4190"], "simulate": false, - "use-wait-flag": false + "use-wait-flag": false, + "iptables-mode": "legacy", + "ipv6": true } } --- diff --git a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden index d1b14c150448e..79f9026151280 100644 --- a/cli/cmd/testdata/install-cni-plugin_skip_ports.golden +++ b/cli/cmd/testdata/install-cni-plugin_skip_ports.golden 
@@ -53,6 +53,7 @@ data: dest_cni_bin_dir: "/opt/cni/bin" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", @@ -74,7 +75,9 @@ data: "inbound-ports-to-ignore": ["4191","4190","80","8080"], "outbound-ports-to-ignore": ["443","1000"], "simulate": false, - "use-wait-flag": false + "use-wait-flag": false, + "iptables-mode": "legacy", + "ipv6": true } } --- diff --git a/cli/cmd/testdata/install_cni_helm_default_output.golden b/cli/cmd/testdata/install_cni_helm_default_output.golden index 566534f1efea5..eac957d5fd9d3 100644 --- a/cli/cmd/testdata/install_cni_helm_default_output.golden +++ b/cli/cmd/testdata/install_cni_helm_default_output.golden @@ -46,6 +46,7 @@ data: dest_cni_bin_dir: "/opt/cni/bin" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", @@ -66,7 +67,9 @@ data: "ports-to-redirect": [], "inbound-ports-to-ignore": ["4191","4190"], "simulate": false, - "use-wait-flag": false + "use-wait-flag": false, + "iptables-mode": "legacy", + "ipv6": true } } --- diff --git a/cli/cmd/testdata/install_cni_helm_override_output.golden b/cli/cmd/testdata/install_cni_helm_override_output.golden index 2fd31eac240c3..71611be3463e4 100644 --- a/cli/cmd/testdata/install_cni_helm_override_output.golden +++ b/cli/cmd/testdata/install_cni_helm_override_output.golden @@ -46,6 +46,7 @@ data: dest_cni_bin_dir: "/opt/cni/bin-test" # The CNI network configuration to install on each node. The special # values in this config will be automatically populated. + # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0 cni_network_config: |- { "name": "linkerd-cni", 
@@ -66,7 +67,9 @@ data: "ports-to-redirect": [], "inbound-ports-to-ignore": ["4191","4190"], "simulate": false, - "use-wait-flag": true + "use-wait-flag": true, + "iptables-mode": "legacy", + "ipv6": true } } --- diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index 80bd0a015a1a3..52428b61c4ae8 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index e0636ed328644..a5b9140ab44bc 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index 7858890302c18..0b51ed17b4e2e 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index e0636ed328644..a5b9140ab44bc 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden 
@@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 1e161fb479923..ad933eeed1950 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index 0a456cb2269ea..6792f94fa5041 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden @@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 60134d2fcc961..710fdf51eecba 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -525,6 +525,7 @@ data: limit: 250Mi request: 50Mi disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: true diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index cc559c38262d1..bc58bbfa47df6 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden 
@@ -525,6 +525,7 @@ data: limit: 250Mi request: 50Mi disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: true diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index 3ad4cd8cb0655..df532f4839772 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -447,6 +447,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: true + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index 24924c06d4cef..c4a4c66a0090b 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -517,6 +517,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index d85bd5aa0fcfa..c654fb5958fe0 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -526,6 +526,7 @@ data: limit: 250Mi request: 50Mi disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: true diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 02a5179ced080..a544edf6bf1e5 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden 
@@ -526,6 +526,7 @@ data: limit: 250Mi request: 50Mi disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: true diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index 5c6a7279e8d65..b40d0f18d45dd 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -521,6 +521,7 @@ data: limit: 250Mi request: 50Mi disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: true diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 6057aaa24d531..9d4fcccb84512 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index f60789ca3e132..06550d831c674 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -507,6 +507,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: false enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index 09bf2042b934c..3f03e908ff130 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden 
@@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index f8e18a45f4395..bb2a622764781 100644 --- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden @@ -516,6 +516,7 @@ data: destinationProxyResources: null destinationResources: null disableHeartBeat: false + disableIPv6: false enableEndpointSlices: true enableH2Upgrade: true enablePodAntiAffinity: false diff --git a/justfile b/justfile index db5396f9302d7..7d1522bc720e1 100644 --- a/justfile +++ b/justfile @@ -464,7 +464,7 @@ _linkerd-viz-uninit: ## ## linkerd multicluster -## +## _mc-target-k3d-flags := "--k3s-arg --disable='local-storage,metrics-server@server:*' --k3s-arg '--cluster-cidr=10.23.0.0/24@server:*'" diff --git a/pkg/charts/cni/values.go b/pkg/charts/cni/values.go index 46e29d23d567e..751d249f59169 100644 --- a/pkg/charts/cni/values.go +++ b/pkg/charts/cni/values.go @@ -66,6 +66,8 @@ type Values struct { CommonLabels map[string]string `json:"commonLabels"` ImagePullSecrets []map[string]string `json:"imagePullSecrets"` ExtraInitContainers []interface{} `json:"extraInitContainers"` + IptablesMode string `json:"iptablesMode"` + DisableIPv6 bool `json:"disableIPv6"` EnablePSP bool `json:"enablePSP"` Privileged bool `json:"privileged"` Resources Resources `json:"resources"` diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index bf1968ca700c2..f1fa43ac66b41 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go 
@@ -49,6 +49,7 @@ type (
 HighAvailability bool `json:"highAvailability"`
 CNIEnabled bool `json:"cniEnabled"`
 EnableEndpointSlices bool `json:"enableEndpointSlices"`
+ DisableIPv6 bool `json:"disableIPv6"`
 ControlPlaneTracing bool `json:"controlPlaneTracing"`
 ControlPlaneTracingNamespace string `json:"controlPlaneTracingNamespace"`
 IdentityTrustAnchorsPEM string `json:"identityTrustAnchorsPEM"`
diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go
index ad2968de98ad3..8b8465520ae69 100644
--- a/pkg/charts/linkerd2/values_test.go
+++ b/pkg/charts/linkerd2/values_test.go
@@ -66,6 +66,7 @@ func TestNewValues(t *testing.T) {
 PodAnnotations: map[string]string{},
 PodLabels: map[string]string{},
 EnableEndpointSlices: true,
+ DisableIPv6: false,
 EnablePodDisruptionBudget: false,
 Controller: &Controller{
 PodDisruptionBudget: &PodDisruptionBudget{