add: `linkerd-crds`, `linkerd-control-plane` --------- Co-authored-by: Jonathan Hurley <[email protected]> Co-authored-by: Aaron Miller <[email protected]>
1 parent
d30e88b
commit 7681e4c
Showing
7 changed files
with
388 additions
and
0 deletions.
@@ -0,0 +1,49 @@ | ||
package install | ||
|
||
import ( | ||
"github.com/awslabs/eksdemo/pkg/application" | ||
"github.com/awslabs/eksdemo/pkg/application/linkerd/controlplane" | ||
"github.com/awslabs/eksdemo/pkg/application/linkerd/crds" | ||
"github.com/spf13/cobra" | ||
) | ||
|
||
var linkerdApps []func() *application.Application | ||
|
||
func NewInstallLinkerdCmd() *cobra.Command { | ||
cmd := &cobra.Command{ | ||
Use: "linkerd", | ||
Short: "Linkerd Service Mesh", | ||
} | ||
|
||
// Don't show flag errors for `install linkerd` without a subcommand | ||
cmd.DisableFlagParsing = true | ||
|
||
for _, i := range linkerdApps { | ||
cmd.AddCommand(i().NewInstallCmd()) | ||
} | ||
|
||
return cmd | ||
} | ||
|
||
func NewUninstallLinkerdCmd() *cobra.Command { | ||
cmd := &cobra.Command{ | ||
Use: "linkerd", | ||
Short: "Linkerd Service Mesh", | ||
} | ||
|
||
// Don't show flag errors for `uninstall linkerd` without a subcommand | ||
cmd.DisableFlagParsing = true | ||
|
||
for _, i := range linkerdApps { | ||
cmd.AddCommand(i().NewUninstallCmd()) | ||
} | ||
|
||
return cmd | ||
} | ||
|
||
func init() { | ||
linkerdApps = []func() *application.Application{ | ||
controlplane.NewApp, | ||
crds.NewApp, | ||
} | ||
} |
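Review bot: The `init` at the end of the file exists only to fill `linkerdApps` with a fixed list, which belongs at the declaration so the package has no init-time side effect and the registry sits next to its type: `var linkerdApps = []func() *application.Application{controlplane.NewApp, crds.NewApp}` replaces both the bare `var` line and the whole `init` block. Both exported constructors lack doc comments; `// NewInstallLinkerdCmd returns the parent "install linkerd" command with one subcommand per registered Linkerd application.` and the matching sentence for `NewUninstallLinkerdCmd` would cover them. The existing comment on `DisableFlagParsing` explains the intent well and should stay as written.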
@@ -0,0 +1,108 @@ | ||
# `Linkerd Service Mesh` | ||
|
||
## Documentation | ||
|
||
[Linkerd](https://linkerd.io/) | ||
[Getting Started Guide](https://linkerd.io/2.15/getting-started/) | ||
[Helm Install Guide](https://linkerd.io/2.15/tasks/install-helm/) | ||
[Helm Chart Versions](https://linkerd.io/2.15/reference/helm-chart-version-matrix/) | ||
|
||
## Dependencies | ||
|
||
This application presumes that you have installed [step](https://smallstep.com/cli/) in your path. | ||
|
||
## Install with EKSDemo | ||
|
||
`eksdemo install linkerd linkerd-crds` | ||
`eksdemo install linkerd linkerd-control-plane` | ||
|
||
## Installation Arguments | ||
|
||
n/a | ||
|
||
## Installation Validation | ||
|
||
The quickest way to validate Linkerd is using the [CLI](https://linkerd.io/2.15/reference/cli/): | ||
`linkerd check` | ||
|
||
Output should look similar to this: | ||
```sh | ||
kubernetes-api | ||
-------------- | ||
√ can initialize the client | ||
√ can query the Kubernetes API | ||
|
||
kubernetes-version | ||
------------------ | ||
√ is running the minimum Kubernetes API version | ||
|
||
linkerd-existence | ||
----------------- | ||
√ 'linkerd-config' config map exists | ||
√ heartbeat ServiceAccount exist | ||
√ control plane replica sets are ready | ||
√ no unschedulable pods | ||
√ control plane pods are ready | ||
√ cluster networks contains all pods | ||
√ cluster networks contains all services | ||
|
||
linkerd-config | ||
-------------- | ||
√ control plane Namespace exists | ||
√ control plane ClusterRoles exist | ||
√ control plane ClusterRoleBindings exist | ||
√ control plane ServiceAccounts exist | ||
√ control plane CustomResourceDefinitions exist | ||
√ control plane MutatingWebhookConfigurations exist | ||
√ control plane ValidatingWebhookConfigurations exist | ||
√ proxy-init container runs as root user if docker container runtime is used | ||
|
||
linkerd-identity | ||
---------------- | ||
√ certificate config is valid | ||
√ trust anchors are using supported crypto algorithm | ||
√ trust anchors are within their validity period | ||
√ trust anchors are valid for at least 60 days | ||
√ issuer cert is using supported crypto algorithm | ||
√ issuer cert is within its validity period | ||
√ issuer cert is valid for at least 60 days | ||
√ issuer cert is issued by the trust anchor | ||
|
||
linkerd-webhooks-and-apisvc-tls | ||
------------------------------- | ||
√ proxy-injector webhook has valid cert | ||
√ proxy-injector cert is valid for at least 60 days | ||
√ sp-validator webhook has valid cert | ||
√ sp-validator cert is valid for at least 60 days | ||
√ policy-validator webhook has valid cert | ||
√ policy-validator cert is valid for at least 60 days | ||
|
||
linkerd-version | ||
--------------- | ||
√ can determine the latest version | ||
‼ cli is up-to-date | ||
is running version 24.7.1 but the latest edge version is 24.7.3 | ||
see https://linkerd.io/2/checks/#l5d-version-cli for hints | ||
|
||
control-plane-version | ||
--------------------- | ||
√ can retrieve the control plane version | ||
√ control plane is up-to-date | ||
‼ control plane and cli versions match | ||
control plane running edge-24.7.3 but cli running edge-24.7.1 | ||
see https://linkerd.io/2/checks/#l5d-version-control for hints | ||
|
||
linkerd-control-plane-proxy | ||
--------------------------- | ||
√ control plane proxies are healthy | ||
√ control plane proxies are up-to-date | ||
‼ control plane proxies and cli versions match | ||
linkerd-destination-6d7bc6d44f-p2chs running edge-24.7.3 but cli running edge-24.7.1 | ||
see https://linkerd.io/2/checks/#l5d-cp-proxy-cli-version for hints | ||
|
||
linkerd-extension-checks | ||
------------------------ | ||
√ namespace configuration for extensions | ||
|
||
Status check results are √ | ||
``` |
@@ -0,0 +1,46 @@ | ||
package controlplane | ||
|
||
import ( | ||
"github.com/awslabs/eksdemo/pkg/application" | ||
"github.com/awslabs/eksdemo/pkg/cmd" | ||
"github.com/awslabs/eksdemo/pkg/installer" | ||
"github.com/awslabs/eksdemo/pkg/template" | ||
) | ||
|
||
func NewApp() *application.Application { | ||
options := newOptions() | ||
|
||
return &application.Application{ | ||
Command: cmd.Command{ | ||
Parent: "linkerd", | ||
Name: "control-plane", | ||
Description: "Linkerd Service Mesh Control Plane", | ||
Aliases: []string{"controlplane", "cp"}, | ||
}, | ||
|
||
Installer: &installer.HelmInstaller{ | ||
ChartName: "linkerd-control-plane", | ||
ReleaseName: "linkerd-control-plane", | ||
RepositoryURL: "https://helm.linkerd.io/edge", | ||
ValuesTemplate: &template.TextTemplate{ | ||
Template: valuesTemplate, | ||
}, | ||
}, | ||
|
||
Options: options, | ||
} | ||
} | ||
|
||
// https://github.com/linkerd/linkerd2/blob/main/charts/linkerd-control-plane/values.yaml | ||
const valuesTemplate = `--- | ||
identityTrustAnchorsPEM: | | ||
{{- .TrustAnchor | trim | nindent 2 }} | ||
identity: | ||
scheme: linkerd.io/tls | ||
issuer: | ||
tls: | ||
crtPEM: | | ||
{{- .IssuerCert | trim | nindent 8 }} | ||
keyPEM: | | ||
{{- .IssuerKey | trim | nindent 8 }} | ||
` |
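Review bot: `valuesTemplate` renders `.IssuerKey`, the issuer's private key, into the Helm values; that is the chart's intended input, but Helm persists user-supplied values in the release record, so the key is retained there as well as in whatever Secret the chart creates, and a comment above the constant should say so: `// Note: the rendered values include the issuer private key; Helm keeps supplied values in its release record.` The link comment on the constant is useful and can stay as the second line. `NewApp` is exported and undocumented; `// NewApp returns the linkerd-control-plane Helm application, installed from the edge chart repository.` reflects the `RepositoryURL` shown here.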
@@ -0,0 +1,142 @@ | ||
package controlplane | ||
|
||
import ( | ||
"bytes" | ||
"crypto/ecdsa" | ||
"crypto/elliptic" | ||
"crypto/rand" | ||
"crypto/x509" | ||
"crypto/x509/pkix" | ||
"encoding/pem" | ||
"fmt" | ||
"math/big" | ||
"time" | ||
|
||
"github.com/awslabs/eksdemo/pkg/application" | ||
) | ||
|
||
type Options struct { | ||
application.ApplicationOptions | ||
TrustAnchor string | ||
IssuerCert string | ||
IssuerKey string | ||
} | ||
|
||
func newOptions() (options *Options) { | ||
return &Options{ | ||
ApplicationOptions: application.ApplicationOptions{ | ||
DefaultVersion: &application.LatestPrevious{ | ||
LatestChart: "2024.7.3", | ||
PreviousChart: "2024.7.3", | ||
Latest: "edge-24.7.3", | ||
Previous: "edge-24.7.3", | ||
}, | ||
Namespace: "linkerd", | ||
}, | ||
} | ||
} | ||
|
||
func (options *Options) PreInstall() error { | ||
// CA Cert | ||
rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
|
||
serialNumberUpperBound := new(big.Int).Lsh(big.NewInt(1), 128) | ||
serialNumber, err := rand.Int(rand.Reader, serialNumberUpperBound) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
|
||
rootCertTemplate := &x509.Certificate{ | ||
SerialNumber: serialNumber, | ||
Subject: pkix.Name{ | ||
CommonName: "root.linkerd.cluster.local", | ||
}, | ||
NotBefore: time.Now(), | ||
NotAfter: time.Now().Add(time.Hour * 24 * time.Duration(365)), | ||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, | ||
ExtKeyUsage: []x509.ExtKeyUsage{ | ||
x509.ExtKeyUsageServerAuth, | ||
x509.ExtKeyUsageClientAuth, | ||
}, | ||
BasicConstraintsValid: true, | ||
IsCA: true, | ||
} | ||
|
||
derBytes, err := x509.CreateCertificate( | ||
rand.Reader, | ||
rootCertTemplate, | ||
rootCertTemplate, | ||
&rootKey.PublicKey, | ||
rootKey, | ||
) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
|
||
certBuffer := bytes.Buffer{} | ||
err = pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
options.TrustAnchor = certBuffer.String() | ||
|
||
// Issuer Key | ||
issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
b, _ := x509.MarshalECPrivateKey(issuerKey) | ||
|
||
keyBuffer := bytes.Buffer{} | ||
err = pem.Encode(&keyBuffer, &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
options.IssuerKey = keyBuffer.String() | ||
|
||
// Issuer Cert | ||
serialNumberUpperBound = new(big.Int).Lsh(big.NewInt(1), 128) | ||
serialNumber, err = rand.Int(rand.Reader, serialNumberUpperBound) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
|
||
issuerCertTemplate := &x509.Certificate{ | ||
SerialNumber: serialNumber, | ||
Subject: pkix.Name{ | ||
CommonName: "identity.linkerd.cluster.local", | ||
}, | ||
NotBefore: time.Now(), | ||
NotAfter: time.Now().Add(time.Hour * 24 * time.Duration(365)), | ||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, | ||
ExtKeyUsage: []x509.ExtKeyUsage{ | ||
x509.ExtKeyUsageServerAuth, | ||
x509.ExtKeyUsageClientAuth, | ||
}, | ||
BasicConstraintsValid: true, | ||
IsCA: true, | ||
} | ||
|
||
derBytes, err = x509.CreateCertificate( | ||
rand.Reader, | ||
issuerCertTemplate, | ||
rootCertTemplate, | ||
&issuerKey.PublicKey, | ||
rootKey, | ||
) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
|
||
certBuffer = bytes.Buffer{} | ||
err = pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) | ||
if err != nil { | ||
return fmt.Errorf("failed to create linkerd certificates: %w", err) | ||
} | ||
options.IssuerCert = certBuffer.String() | ||
|
||
return nil | ||
} |
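Review bot: `PreInstall` discards `rootKey` once the issuer certificate is signed, so the trust anchor's private key is never persisted and the issuer certificate cannot be renewed under the same anchor when the 365-day validity set on both templates runs out; a doc comment on the method should state that the generated PKI is a one-shot demo setup and that expiry means re-installing with a new trust anchor. The `MarshalECPrivateKey` result at `b, _ := x509.MarshalECPrivateKey(issuerKey)` drops its error, unlike every neighbouring call; `b, err := x509.MarshalECPrivateKey(issuerKey)` followed by the same `if err != nil` return keeps the function consistent. The two templates take `NotBefore`/`NotAfter` from separate `time.Now()` calls, so the issuer certificate's validity ends slightly after its parent's; capturing `now := time.Now()` once at the top and using it for both templates avoids that, and backdating `NotBefore` by a minute or so would also tolerate clock skew on the nodes. The repeated `"failed to create linkerd certificates: %w"` message gives no hint which of the seven steps failed; naming the step in each wrap (e.g. `"generating linkerd trust anchor key: %w"`) would make failures diagnosable.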