From 60d148259573b838fa9331cb43e2e4a009a6412d Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Mon, 2 Jun 2025 14:48:53 -0500
Subject: [PATCH 1/5] feat(helm): grant linkerd-config read access to additional SAs

The intent of this change is to enable extensions to access Linkerd's configuration. It introduces the linkerd-config RoleBinding, associated to the existing Role `ext-namespace-metadata-linkerd-config` that grants read access to the linkerd-config ConfigMap (that Role name is now outdated but leaving as-is to avoid disruption). The service accounts for that binding are to be listed on the new `values.yaml` entry `configAccess`, for example: ```yaml configAccess: - name: ext1 namespace: linkerd-ext1 - name: ext2 namespace: linkerd-ext2 ```
---
 .../templates/config-rbac.yaml | 22 +++++++++++++++++++
 charts/linkerd-control-plane/values.yaml | 6 +++++
 2 files changed, 28 insertions(+)
diff --git a/charts/linkerd-control-plane/templates/config-rbac.yaml b/charts/linkerd-control-plane/templates/config-rbac.yaml
index 5f5c34203ee3d..caeaf5da58888 100644
--- a/charts/linkerd-control-plane/templates/config-rbac.yaml
+++ b/charts/linkerd-control-plane/templates/config-rbac.yaml
@@ -14,3 +14,25 @@ rules:
 resources: ["configmaps"]
 verbs: ["get"]
 resourceNames: ["linkerd-config"]
+{{- with .Values.configAccess }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: linkerd-config
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app.kubernetes.io/part-of: Linkerd
+ linkerd.io/control-plane-ns: {{$.Release.Namespace}}
+ {{- with $.Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+ kind: Role
+ name: linkerd-config
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+{{- range . }}
+- kind: ServiceAccount
+ name: {{ .name }}
+ namespace: {{ .namespace }}
+{{- end }}
+{{- end }}
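Review bot: The `subjects` loop renders `{{ .name }}` and `{{ .namespace }}` straight from each `configAccess` entry, so an entry with a missing or misspelled key yields an empty field that only surfaces as an apply-time error, and a typo in `namespace` is not caught at all because the API server accepts bindings for service accounts that do not yet exist. Use the `required` function so `helm template`/`helm lint` fails early, e.g. `name: {{ required "configAccess[].name is required" .name }}` and `namespace: {{ required "configAccess[].namespace is required" .namespace }}`. A short template comment above the `with` block stating that this is a deliberate cross-namespace grant of `get` on the linkerd-config ConfigMap to every listed service account would help whoever audits the rendered RBAC later. The same two subject lines reappear unchanged in the `@@ -35,4 +35,5 @@` hunk of patch 5 after the key is renamed to `configReaders`, so the validation applies there too.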
diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml
index 867d7c0bca678..798d2741972c2 100644
--- a/charts/linkerd-control-plane/values.yaml
+++ b/charts/linkerd-control-plane/values.yaml
@@ -709,3 +709,9 @@ podMonitor:
 egress:
 # -- The namespace that is used to store egress configuration that affects all client workloads in the cluster
 globalEgressNetworkNamespace: linkerd-egress
+
+# -- List of additional service accounts with read access to the linkerd-config
+# ConfigMap
+configAccess:
+#- name:
+# namespace:
From 1b57ee4fe9927068f55c74914d0333e5dce3d16c Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Mon, 2 Jun 2025 16:36:37 -0500
Subject: [PATCH 2/5] debugging

---
 .github/workflows/integration.yml | 1 +
 bin/_test-helpers.sh | 1 +
 testutil/test_helper.go | 1 +
 3 files changed, 3 insertions(+)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index e6eaa436c0457..7a52e35ea591e 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -287,6 +287,7 @@ jobs:
 - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
 with:
 go-version: "1.23"
+ - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
 with:
 pattern: image-archives-*
diff --git a/bin/_test-helpers.sh b/bin/_test-helpers.sh
index 8f37061156e90..213513eb85359 100644
--- a/bin/_test-helpers.sh
+++ b/bin/_test-helpers.sh
@@ -400,6 +400,7 @@ setup_helm() {
 export helm_release_name='helm-test'
 export helm_multicluster_release_name='multicluster-test'
 "$bindir"/helm-build
+ "$helm_path" version
 "$helm_path" --kube-context="$context" repo add linkerd https://helm.linkerd.io/edge
 exit_on_err 'error setting up Helm'
 }
diff --git a/testutil/test_helper.go b/testutil/test_helper.go
index 629ecae1f2c1e..b29fc3f3afe1b 100644
--- a/testutil/test_helper.go
+++ b/testutil/test_helper.go
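Review bot: The new `configAccess` doc comment only says "additional service accounts with read access"; it should spell out that each entry needs both `name` and `namespace`, that the namespace may be any namespace in the cluster, and that listing an account grants it `get` on the linkerd-config ConfigMap in the release namespace, since that scope is the decision an operator is making here. For example: `# -- Service accounts (name + namespace, from any namespace) granted read access to the linkerd-config ConfigMap in the control-plane namespace`. The key is renamed to `configReaders` in patch 5 of this series, and the same wording applies to that hunk.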
@@ -723,6 +723,7 @@ func (h *TestHelper) GetReleaseChannelVersions() (map[string]string, error) {
 // the binary.
 func (h *TestHelper) DownloadCLIBinary(filepath, version string) error {
 url := fmt.Sprintf("https://github.com/linkerd/linkerd2/releases/download/%[1]s/linkerd2-cli-%[1]s-%s-%s", version, runtime.GOOS, runtime.GOARCH)
+ fmt.Printf("Downloading Linkerd CLI from %s to %s\n", url, filepath)
 resp, err := h.httpClient.Get(url)
 if err != nil {
 return err
From 81bfcd6d93a71f9efa5ad25f55d5a6ad311120cb Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Mon, 2 Jun 2025 17:39:20 -0500
Subject: [PATCH 3/5] Revert "debugging"

This reverts commit 1b57ee4fe9927068f55c74914d0333e5dce3d16c.
---
 .github/workflows/integration.yml | 1 -
 bin/_test-helpers.sh | 1 -
 testutil/test_helper.go | 1 -
 3 files changed, 3 deletions(-)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 7a52e35ea591e..e6eaa436c0457 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -287,7 +287,6 @@ jobs:
 - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
 with:
 go-version: "1.23"
- - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
 - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
 with:
 pattern: image-archives-*
diff --git a/bin/_test-helpers.sh b/bin/_test-helpers.sh
index 213513eb85359..8f37061156e90 100644
--- a/bin/_test-helpers.sh
+++ b/bin/_test-helpers.sh
@@ -400,7 +400,6 @@ setup_helm() {
 export helm_release_name='helm-test'
 export helm_multicluster_release_name='multicluster-test'
 "$bindir"/helm-build
- "$helm_path" version
 "$helm_path" --kube-context="$context" repo add linkerd https://helm.linkerd.io/edge
 exit_on_err 'error setting up Helm'
 }
diff --git a/testutil/test_helper.go b/testutil/test_helper.go
index b29fc3f3afe1b..629ecae1f2c1e 100644
--- a/testutil/test_helper.go
+++ b/testutil/test_helper.go
@@ -723,7 +723,6 @@ func (h *TestHelper) GetReleaseChannelVersions() (map[string]string, error) {
 // the binary.
 func (h *TestHelper) DownloadCLIBinary(filepath, version string) error {
 url := fmt.Sprintf("https://github.com/linkerd/linkerd2/releases/download/%[1]s/linkerd2-cli-%[1]s-%s-%s", version, runtime.GOOS, runtime.GOARCH)
- fmt.Printf("Downloading Linkerd CLI from %s to %s\n", url, filepath)
 resp, err := h.httpClient.Get(url)
 if err != nil {
 return err
From ca46b6c06dc440484d7b535980ff5e152704a243 Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Tue, 3 Jun 2025 21:59:07 +0000
Subject: [PATCH 4/5] Fix roleRef

---
 charts/linkerd-control-plane/templates/config-rbac.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/linkerd-control-plane/templates/config-rbac.yaml b/charts/linkerd-control-plane/templates/config-rbac.yaml
index caeaf5da58888..0a2f09a5f012b 100644
--- a/charts/linkerd-control-plane/templates/config-rbac.yaml
+++ b/charts/linkerd-control-plane/templates/config-rbac.yaml
@@ -27,7 +27,7 @@ metadata:
 {{- with $.Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 roleRef:
 kind: Role
- name: linkerd-config
+ name: ext-namespace-metadata-linkerd-config
 apiGroup: rbac.authorization.k8s.io
 subjects:
 {{- range . }}
From 4903756e5cddf149128496a25df5b148122895e5 Mon Sep 17 00:00:00 2001
From: Alejandro Pedraza
Date: Wed, 4 Jun 2025 22:22:21 +0000
Subject: [PATCH 5/5] Naming changes

---
 charts/linkerd-control-plane/templates/config-rbac.yaml | 5 +++--
 charts/linkerd-control-plane/values.yaml | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/charts/linkerd-control-plane/templates/config-rbac.yaml b/charts/linkerd-control-plane/templates/config-rbac.yaml
index 0a2f09a5f012b..db305ebef1693 100644
--- a/charts/linkerd-control-plane/templates/config-rbac.yaml
+++ b/charts/linkerd-control-plane/templates/config-rbac.yaml
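Review bot: The corrected `roleRef.name` in the `@@ -27,7 +27,7 @@` hunk is a bare literal that must stay in sync with the Role declared earlier in the same template, and the only record that the name is historical is the commit message of patch 1. A comment above `roleRef:` such as `# must match the Role defined at the top of this file; the legacy name is kept so existing installs are not disrupted` would make the coupling visible and explain why a RoleBinding called linkerd-config binds a Role with a different name. This matters because patch 5 renames the RoleBinding but not the Role, which is exactly the kind of partial rename that first produced the wrong reference. The Role definition itself lies outside this hunk.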
@@ -14,12 +14,12 @@ rules:
 resources: ["configmaps"]
 verbs: ["get"]
 resourceNames: ["linkerd-config"]
-{{- with .Values.configAccess }}
+{{- with .Values.configReaders }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: linkerd-config
+ name: linkerd-config-reader
 namespace: {{ $.Release.Namespace }}
 labels:
 app.kubernetes.io/part-of: Linkerd
@@ -35,4 +35,5 @@ subjects:
 name: {{ .name }}
 namespace: {{ .namespace }}
 {{- end }}
+...
 {{- end }}
diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml
index 798d2741972c2..0c5a2a4f9bbcd 100644
--- a/charts/linkerd-control-plane/values.yaml
+++ b/charts/linkerd-control-plane/values.yaml
@@ -712,6 +712,6 @@ egress:
 # -- List of additional service accounts with read access to the linkerd-config
 # ConfigMap
-configAccess:
+configReaders:
 #- name:
 # namespace: