feat(helm): Allow specifying podAnnotations per deployment (#13388)

Fixes #13389

Values added:

- `destinationController.podAnnotations`
  - annotations only for `linkerd-destination`
- `identity.podAnnotations`
  - annotations only for `linkerd-identity`
- `proxyInjector.podAnnotations`
  - annotations only for `linkerd-proxy-injector`

 Each deployment's podAnnotations take precedence over global one by means of [mergeOverwrite](https://helm.sh/docs/chart_template_guide/function_list/#mergeoverwrite-mustmergeoverwrite).

Signed-off-by: Takumi Sue <[email protected]>

Author: mikutas

charts/linkerd-control-plane/README.md

@@ -163,6 +163,7 @@ Kubernetes: `>=1.22.0-0`
 | destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds | int | `10` |  |
 | destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds | int | `3` |  |
 | destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle | bool | `true` |  |
+| destinationController.podAnnotations | object | `{}` | Additional annotations to add to destination pods |
 | destinationController.readinessProbe.timeoutSeconds | int | `1` |  |
 | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
 | disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) |
@@ -183,6 +184,7 @@ Kubernetes: `>=1.22.0-0`
 | identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
 | identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
 | identity.livenessProbe.timeoutSeconds | int | `1` |  |
+| identity.podAnnotations | object | `{}` | Additional annotations to add to identity pods |
 | identity.readinessProbe.timeoutSeconds | int | `1` |  |
 | identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token |
 | identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. |
@@ -311,6 +313,7 @@ Kubernetes: `>=1.22.0-0`
 | proxyInjector.livenessProbe.timeoutSeconds | int | `1` |  |
 | proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. |
 | proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. |
+| proxyInjector.podAnnotations | object | `{}` | Additional annotations to add to proxy-injector pods |
 | proxyInjector.readinessProbe.timeoutSeconds | int | `1` |  |
 | proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. |
 | revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. |

charts/linkerd-control-plane/templates/destination.yaml

@@ -163,7 +163,7 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }}
         {{ include "partials.annotations.created-by" . }}
         {{- include "partials.proxy.annotations" . | nindent 8}}
-        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+        {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.destinationController.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }}
         config.linkerd.io/default-inbound-policy: "all-unauthenticated"
       labels:
         linkerd.io/control-plane-component: destination

charts/linkerd-control-plane/templates/identity.yaml

@@ -136,7 +136,7 @@ spec:
       annotations:
         {{ include "partials.annotations.created-by" . }}
         {{- include "partials.proxy.annotations" . | nindent 8}}
-        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+        {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.identity.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }}
         config.linkerd.io/default-inbound-policy: "all-unauthenticated"
       labels:
         linkerd.io/control-plane-component: identity

charts/linkerd-control-plane/templates/proxy-injector.yaml

@@ -42,7 +42,7 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }}
         {{ include "partials.annotations.created-by" . }}
         {{- include "partials.proxy.annotations" . | nindent 8}}
-        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+        {{- with (mergeOverwrite (deepCopy .Values.podAnnotations) .Values.identity.podAnnotations) }}{{ toYaml . | trim | nindent 8 }}{{- end }}
         config.linkerd.io/opaque-ports: "8443"
         config.linkerd.io/default-inbound-policy: "all-unauthenticated"
       labels:

charts/linkerd-control-plane/values.yaml

@@ -384,6 +384,8 @@ destinationController:
       timeout:
         seconds: 3
       while_idle: true
+  # -- Additional annotations to add to destination pods
+  podAnnotations: {}
   livenessProbe:
     timeoutSeconds: 1
   readinessProbe:
@@ -428,6 +430,9 @@ identity:
 
   kubeAPI: *kubeapi
 
+  # -- Additional annotations to add to identity pods
+  podAnnotations: {}
+
   livenessProbe:
     timeoutSeconds: 1
   readinessProbe:
@@ -505,6 +510,9 @@ proxyInjector:
   # for more information.
   injectCaFromSecret: ""
 
+  # -- Additional annotations to add to proxy-injector pods
+  podAnnotations: {}
+
   livenessProbe:
     timeoutSeconds: 1
   readinessProbe:
@@ -668,4 +676,3 @@ podMonitor:
 egress:
   # -- The namespace that is used to store egress configuration that affects all client workloads in the cluster
   globalEgressNetworkNamespace: linkerd-egress
-  

cli/cmd/install_test.go

@@ -60,7 +60,7 @@ func TestRender(t *testing.T) {
 		CNIEnabled:              false,
 		IdentityTrustDomain:     defaultValues.IdentityTrustDomain,
 		IdentityTrustAnchorsPEM: defaultValues.IdentityTrustAnchorsPEM,
-		DestinationController:   map[string]any{},
+		DestinationController:   defaultValues.DestinationController,
 		PodAnnotations:          map[string]string{},
 		PodLabels:               map[string]string{},
 		PriorityClassName:       "PriorityClassName",