add: linkerd-crds, linkerd-control-plane (#196)

add: `linkerd-crds`, `linkerd-control-plane` --------- Co-authored-by: Jonathan Hurley <[email protected]> Co-authored-by: Aaron Miller <[email protected]>
awslabs · Aug 14, 2024 · 7681e4c · 7681e4c
1 parent d30e88b
commit 7681e4c
Show file tree

Hide file tree

Showing 7 changed files with 388 additions and 0 deletions.
diff --git a/cmd/install/install.go b/cmd/install/install.go
@@ -79,6 +79,8 @@ func NewInstallCmd() *cobra.Command {
 	cmd.AddCommand(NewInstallAliasCmds(kubePrometheusApps, "kube-prometheus-")...)
 	cmd.AddCommand(NewInstallAliasCmds(kubePrometheusApps, "kprom-")...)
 	cmd.AddCommand(kube_state_metrics.NewApp().NewInstallCmd())
+	cmd.AddCommand(NewInstallLinkerdCmd())
+	cmd.AddCommand(NewInstallAliasCmds(linkerdApps, "linkerd-")...)
 	cmd.AddCommand(NewInstallKubecostCmd())
 	cmd.AddCommand(NewInstallAliasCmds(kubecostApps, "kubecost-")...)
 	cmd.AddCommand(metrics_server.NewApp().NewInstallCmd())

diff --git a/cmd/install/linkerd.go b/cmd/install/linkerd.go
@@ -0,0 +1,49 @@
+package install
+
+import (
+	"github.com/awslabs/eksdemo/pkg/application"
+	"github.com/awslabs/eksdemo/pkg/application/linkerd/controlplane"
+	"github.com/awslabs/eksdemo/pkg/application/linkerd/crds"
+	"github.com/spf13/cobra"
+)
+
+var linkerdApps []func() *application.Application
+
+func NewInstallLinkerdCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "linkerd",
+		Short: "Linkerd Service Mesh",
+	}
+
+	// Don't show flag errors for `install linkerd` without a subcommand
+	cmd.DisableFlagParsing = true
+
+	for _, i := range linkerdApps {
+		cmd.AddCommand(i().NewInstallCmd())
+	}
+
+	return cmd
+}
+
+func NewUninstallLinkerdCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "linkerd",
+		Short: "Linkerd Service Mesh",
+	}
+
+	// Don't show flag errors for `uninstall linkerd` without a subcommand
+	cmd.DisableFlagParsing = true
+
+	for _, i := range linkerdApps {
+		cmd.AddCommand(i().NewUninstallCmd())
+	}
+
+	return cmd
+}
+
+func init() {
+	linkerdApps = []func() *application.Application{
+		controlplane.NewApp,
+		crds.NewApp,
+	}
+}
diff --git a/cmd/install/uninstall.go b/cmd/install/uninstall.go
@@ -75,6 +75,8 @@ func NewUninstallCmd() *cobra.Command {
 	cmd.AddCommand(NewUninstallIstioCmd())
 	cmd.AddCommand(NewUninstallAliasCmds(istioApps, "istio-")...)
 	cmd.AddCommand(keycloak_amg.NewApp().NewUninstallCmd())
+	cmd.AddCommand(NewUninstallLinkerdCmd())
+	cmd.AddCommand(NewUninstallAliasCmds(linkerdApps, "linkerd-")...)
 	cmd.AddCommand(NewUninstallKubePrometheusCmd())
 	cmd.AddCommand(NewUninstallAliasCmds(kubePrometheusApps, "kube-prometheus-")...)
 	cmd.AddCommand(NewUninstallAliasCmds(kubePrometheusApps, "kprom-")...)

diff --git a/pkg/application/linkerd/README.md b/pkg/application/linkerd/README.md
@@ -0,0 +1,108 @@
+# `Linkerd Service Mesh`
+
+## Documentation
+
+[Linkerd](https://linkerd.io/)
+[Getting Started Guide](https://linkerd.io/2.15/getting-started/)
+[Helm Install Guide](https://linkerd.io/2.15/tasks/install-helm/)
+[Helm Chart Versions](https://linkerd.io/2.15/reference/helm-chart-version-matrix/)
+
+## Dependencies
+
+This application presumes that you have installed [step](https://smallstep.com/cli/) in your path.
+
+## Install with EKSDemo
+
+`eksdemo install linkerd linkerd-crds`
+`eksdemo install linkerd linkerd-control-plane`
+
+## Installation Arguments
+
+n/a
+
+## Installation Validation
+
+The quickest way to validate Linkerd is using the [CLI](https://linkerd.io/2.15/reference/cli/):
+`linkerd check`
+
+Output should look similar to this:
+```sh
+kubernetes-api
+--------------
+√ can initialize the client
+√ can query the Kubernetes API
+
+kubernetes-version
+------------------
+√ is running the minimum Kubernetes API version
+
+linkerd-existence
+-----------------
+√ 'linkerd-config' config map exists
+√ heartbeat ServiceAccount exist
+√ control plane replica sets are ready
+√ no unschedulable pods
+√ control plane pods are ready
+√ cluster networks contains all pods
+√ cluster networks contains all services
+
+linkerd-config
+--------------
+√ control plane Namespace exists
+√ control plane ClusterRoles exist
+√ control plane ClusterRoleBindings exist
+√ control plane ServiceAccounts exist
+√ control plane CustomResourceDefinitions exist
+√ control plane MutatingWebhookConfigurations exist
+√ control plane ValidatingWebhookConfigurations exist
+√ proxy-init container runs as root user if docker container runtime is used
+
+linkerd-identity
+----------------
+√ certificate config is valid
+√ trust anchors are using supported crypto algorithm
+√ trust anchors are within their validity period
+√ trust anchors are valid for at least 60 days
+√ issuer cert is using supported crypto algorithm
+√ issuer cert is within its validity period
+√ issuer cert is valid for at least 60 days
+√ issuer cert is issued by the trust anchor
+
+linkerd-webhooks-and-apisvc-tls
+-------------------------------
+√ proxy-injector webhook has valid cert
+√ proxy-injector cert is valid for at least 60 days
+√ sp-validator webhook has valid cert
+√ sp-validator cert is valid for at least 60 days
+√ policy-validator webhook has valid cert
+√ policy-validator cert is valid for at least 60 days
+
+linkerd-version
+---------------
+√ can determine the latest version
+‼ cli is up-to-date
+    is running version 24.7.1 but the latest edge version is 24.7.3
+    see https://linkerd.io/2/checks/#l5d-version-cli for hints
+
+control-plane-version
+---------------------
+√ can retrieve the control plane version
+√ control plane is up-to-date
+‼ control plane and cli versions match
+    control plane running edge-24.7.3 but cli running edge-24.7.1
+    see https://linkerd.io/2/checks/#l5d-version-control for hints
+
+linkerd-control-plane-proxy
+---------------------------
+√ control plane proxies are healthy
+√ control plane proxies are up-to-date
+‼ control plane proxies and cli versions match
+    linkerd-destination-6d7bc6d44f-p2chs running edge-24.7.3 but cli running edge-24.7.1
+    see https://linkerd.io/2/checks/#l5d-cp-proxy-cli-version for hints
+
+linkerd-extension-checks
+------------------------
+√ namespace configuration for extensions
+
+Status check results are √
+```
diff --git a/pkg/application/linkerd/controlplane/controlplane.go b/pkg/application/linkerd/controlplane/controlplane.go
@@ -0,0 +1,46 @@
+package controlplane
+
+import (
+	"github.com/awslabs/eksdemo/pkg/application"
+	"github.com/awslabs/eksdemo/pkg/cmd"
+	"github.com/awslabs/eksdemo/pkg/installer"
+	"github.com/awslabs/eksdemo/pkg/template"
+)
+
+func NewApp() *application.Application {
+	options := newOptions()
+
+	return &application.Application{
+		Command: cmd.Command{
+			Parent:      "linkerd",
+			Name:        "control-plane",
+			Description: "Linkerd Service Mesh Control Plane",
+			Aliases:     []string{"controlplane", "cp"},
+		},
+
+		Installer: &installer.HelmInstaller{
+			ChartName:     "linkerd-control-plane",
+			ReleaseName:   "linkerd-control-plane",
+			RepositoryURL: "https://helm.linkerd.io/edge",
+			ValuesTemplate: &template.TextTemplate{
+				Template: valuesTemplate,
+			},
+		},
+
+		Options: options,
+	}
+}
+
+// https://github.com/linkerd/linkerd2/blob/main/charts/linkerd-control-plane/values.yaml
+const valuesTemplate = `---
+identityTrustAnchorsPEM: |
+  {{- .TrustAnchor | trim | nindent 2 }}
+identity:
+  scheme: linkerd.io/tls
+  issuer:
+    tls:
+      crtPEM: |
+        {{- .IssuerCert | trim | nindent 8 }}
+      keyPEM: |
+        {{- .IssuerKey | trim | nindent 8 }}
+`
diff --git a/pkg/application/linkerd/controlplane/options.go b/pkg/application/linkerd/controlplane/options.go
@@ -0,0 +1,142 @@
+package controlplane
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"time"
+
+	"github.com/awslabs/eksdemo/pkg/application"
+)
+
+type Options struct {
+	application.ApplicationOptions
+	TrustAnchor string
+	IssuerCert  string
+	IssuerKey   string
+}
+
+func newOptions() (options *Options) {
+	return &Options{
+		ApplicationOptions: application.ApplicationOptions{
+			DefaultVersion: &application.LatestPrevious{
+				LatestChart:   "2024.7.3",
+				PreviousChart: "2024.7.3",
+				Latest:        "edge-24.7.3",
+				Previous:      "edge-24.7.3",
+			},
+			Namespace: "linkerd",
+		},
+	}
+}
+
+func (options *Options) PreInstall() error {
+	// CA Cert
+	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+
+	serialNumberUpperBound := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberUpperBound)
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+
+	rootCertTemplate := &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: "root.linkerd.cluster.local",
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * time.Duration(365)),
+		KeyUsage:  x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageClientAuth,
+		},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	derBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		rootCertTemplate,
+		rootCertTemplate,
+		&rootKey.PublicKey,
+		rootKey,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+
+	certBuffer := bytes.Buffer{}
+	err = pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+	options.TrustAnchor = certBuffer.String()
+
+	// Issuer Key
+	issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+	b, _ := x509.MarshalECPrivateKey(issuerKey)
+
+	keyBuffer := bytes.Buffer{}
+	err = pem.Encode(&keyBuffer, &pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+	options.IssuerKey = keyBuffer.String()
+
+	// Issuer Cert
+	serialNumberUpperBound = new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err = rand.Int(rand.Reader, serialNumberUpperBound)
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+
+	issuerCertTemplate := &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			CommonName: "identity.linkerd.cluster.local",
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * time.Duration(365)),
+		KeyUsage:  x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageClientAuth,
+		},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	derBytes, err = x509.CreateCertificate(
+		rand.Reader,
+		issuerCertTemplate,
+		rootCertTemplate,
+		&issuerKey.PublicKey,
+		rootKey,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+
+	certBuffer = bytes.Buffer{}
+	err = pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	if err != nil {
+		return fmt.Errorf("failed to create linkerd certificates: %w", err)
+	}
+	options.IssuerCert = certBuffer.String()
+
+	return nil
+}