This repository has been archived by the owner on Jul 9, 2024. It is now read-only.

add PodDisruptionBudget for tap and tap injector (#42)
Signed-off-by: Matias Charriere <[email protected]>
mcharriere authored Aug 22, 2023
1 parent cd70fef commit 78f463b
Showing 6 changed files with 94 additions and 29 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added

- Add PodDisruptionBudget for `tap` and `tap-injector`.

## [1.1.0] - 2023-08-15

### Changed
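Review bot: the new `### Added` entry names the budgets but not the switch that creates them; since `enablePodDisruptionBudget` ships defaulting to `true`, the PDBs appear on the next upgrade without opt-in, so the entry should name the flag and the fixed `maxUnavailable: 1` it produces, e.g. "Add PodDisruptionBudget (`maxUnavailable: 1`) for `tap` and `tap-injector`, controlled by `enablePodDisruptionBudget` (default `true`)".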
68 changes: 42 additions & 26 deletions helm/linkerd-viz/README.md
Expand Up @@ -3,9 +3,9 @@
The Linkerd-Viz extension contains observability and visualization
components for Linkerd.

![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square)
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)

![AppVersion: stable-2.12.4](https://img.shields.io/badge/AppVersion-stable--2.12.4-informational?style=flat-square)
![AppVersion: stable-2.13.4](https://img.shields.io/badge/AppVersion-stable--2.13.4-informational?style=flat-square)

**Homepage:** <https://linkerd.io>
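Review bot: this README hunk and the ones that follow regenerate documentation for changes that are not part of this commit (chart badge 0.8.0 -> 1.1.0, AppVersion stable-2.12.4 -> stable-2.13.4, resource request and limit defaults, replica counts, the `commonLabels`, `tap.ignoreHeaders` and `namespaceMetadata.image` rows); only the `enablePodDisruptionBudget` row belongs to the PDB change. Refreshing stale docs is welcome, but the commit message should say the README was regenerated from values.yaml so the unrelated rows are not read as behaviour changes introduced here.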

Expand Down Expand Up @@ -80,6 +80,7 @@ Kubernetes: `>=1.16.0-0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use |
| commonLabels | object | `{"application.giantswarm.io/team":"cabbage","giantswarm.io/service-type":"managed"}` | Labels to apply to all resources |
| dashboard.UID | string | `nil` | UID for the dashboard resource |
| dashboard.enforcedHostRegexp | string | `""` | Host header validation regex for the dashboard. See the [Linkerd documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more information |
| dashboard.image.name | string | `"giantswarm/linkerd2-web"` | Docker image name for the web instance |
Expand All @@ -91,18 +92,21 @@ Kubernetes: `>=1.16.0-0`
| dashboard.proxy | string | `nil` | |
| dashboard.replicas | int | `1` | Number of replicas of dashboard |
| dashboard.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the web container can use |
| dashboard.resources.cpu.request | string | `nil` | Amount of CPU units that the web container requests |
| dashboard.resources.cpu.request | string | `"100m"` | Amount of CPU units that the web container requests |
| dashboard.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the web container can use |
| dashboard.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the web container requests |
| dashboard.resources.memory.limit | string | `nil` | Maximum amount of memory that web container can use |
| dashboard.resources.memory.request | string | `nil` | Amount of memory that the web container requests |
| dashboard.resources.memory.limit | string | `"250Mi"` | Maximum amount of memory that web container can use |
| dashboard.resources.memory.request | string | `"50Mi"` | Amount of memory that the web container requests |
| dashboard.restrictPrivileges | bool | `false` | Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check |
| dashboard.service | object | `{"annotations":{}}` | dashboard service configuration |
| dashboard.service.annotations | object | `{}` | Additional annotations to add to dashboard service |
| defaultImagePullPolicy | string | `"IfNotPresent"` | Docker imagePullPolicy for all viz components |
| defaultLogFormat | string | `"plain"` | Log format (`plain` or `json`) for all the viz components. |
| defaultLogLevel | string | `"info"` | Log level for all the viz components |
| defaultUID | int | `2103` | UID for all the viz components |
| enablePSP | bool | `false` | Create Roles and RoleBindings to associate this extension's ServiceAccounts to the control plane PSP resource. This requires that `enabledPSP` is set to true on the control plane install. Note PSP has been deprecated since k8s v1.21 |
| enablePodAntiAffinity | bool | `false` | Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components. |
| enablePodAntiAffinity | bool | `true` | Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components. |
| enablePodDisruptionBudget | bool | `true` | enables the creation of pod disruption budgets for tap and tap-injector components |
| grafana.externalUrl | string | `nil` | url of a Grafana instance hosted off-cluster. Cannot be set if grafana.url is set. The reverse proxy will not be used for this URL. |
| grafana.uidPrefix | string | `nil` | prefix for Grafana dashboard UID's, used when grafana.externalUrl is set. |
| grafana.url | string | `nil` | url of an in-cluster Grafana instance with reverse proxy configured, used by the Linkerd viz web dashboard to provide direct links to specific Grafana dashboards. Cannot be set if grafana.externalUrl is set. See the [Linkerd documentation](https://linkerd.io/2/tasks/grafana) for more information |
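Review bot: the new `enablePodDisruptionBudget` description starts lowercase and writes the components as plain `tap and tap-injector`, while neighbouring rows start with a capital and the CHANGELOG entry uses backticks; align it to "Enables the creation of PodDisruptionBudgets for the `tap` and `tap-injector` components" and state that the budget is fixed at `maxUnavailable: 1`, since no value exposes it. The table is generated from the `# --` comment in values.yaml, so the wording fix belongs there.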
Expand All @@ -111,7 +115,7 @@ Kubernetes: `>=1.16.0-0`
| imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts |
| jaegerUrl | string | `""` | url of external jaeger instance Set this to `jaeger.linkerd-jaeger.svc.<clusterDomain>:16686` if you plan to use jaeger extension |
| linkerdNamespace | string | `"linkerd"` | Namespace of the Linkerd core control-plane install |
| linkerdVersion | string | `"stable-2.12.4"` | control plane version. See Proxy section for proxy version |
| linkerdVersion | string | `"stable-2.13.4"` | control plane version. See Proxy section for proxy version |
| metricsAPI.UID | string | `nil` | UID for the metrics-api resource |
| metricsAPI.image.name | string | `"giantswarm/linkerd-metrics-api"` | Docker image name for the metrics-api component |
| metricsAPI.image.pullPolicy | string | defaultImagePullPolicy | Pull policy for the metrics-api component |
Expand All @@ -123,17 +127,20 @@ Kubernetes: `>=1.16.0-0`
| metricsAPI.proxy | string | `nil` | |
| metricsAPI.replicas | int | `1` | number of replicas of the metrics-api component |
| metricsAPI.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the metrics-api container can use |
| metricsAPI.resources.cpu.request | string | `nil` | Amount of CPU units that the metrics-api container requests |
| metricsAPI.resources.cpu.request | string | `"100m"` | Amount of CPU units that the metrics-api container requests |
| metricsAPI.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the metrics-api container can use |
| metricsAPI.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the metrics-api container requests |
| metricsAPI.resources.memory.limit | string | `nil` | Maximum amount of memory that metrics-api container can use |
| metricsAPI.resources.memory.request | string | `nil` | Amount of memory that the metrics-api container requests |
| metricsAPI.resources.memory.limit | string | `"250Mi"` | Maximum amount of memory that metrics-api container can use |
| metricsAPI.resources.memory.request | string | `"50Mi"` | Amount of memory that the metrics-api container requests |
| metricsAPI.service | object | `{"annotations":{}}` | metrics-api service configuration |
| metricsAPI.service.annotations | object | `{}` | Additional annotations to add to metrics-api service |
| metricsAPI.tolerations | string | `nil` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information |
| namespaceMetadata.image.name | string | `"giantswarm/curl"` | Docker image name for the namespace-metadata instance |
| namespaceMetadata.image.name | string | `"giantswarm/linkerd2-extension-init"` | Docker image name for the namespace-metadata instance |
| namespaceMetadata.image.pullPolicy | string | defaultImagePullPolicy | Pull policy for the namespace-metadata instance |
| namespaceMetadata.image.registry | string | `""` | Docker registry for the namespace-metadata instance |
| namespaceMetadata.image.version | string | `"7.78.0"` | Docker image tag for the namespace-metadata instance |
| namespaceMetadata.image.registry | string | defaultRegistry | Docker registry for the namespace-metadata instance |
| namespaceMetadata.image.tag | string | `"v0.1.0"` | Docker image tag for the namespace-metadata instance |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Default nodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
| podLabels | object | `{}` | Additional labels to add to all pods |
| prometheus.alertRelabelConfigs | string | `nil` | Alert relabeling is applied to alerts before they are sent to the Alertmanager. |
| prometheus.alertmanagers | string | `nil` | Alertmanager instances the Prometheus server sends alerts to configured via the static_configs parameter. |
| prometheus.args | object | `{"config.file":"/etc/prometheus/prometheus.yml","storage.tsdb.path":"/data","storage.tsdb.retention.time":"6h"}` | Command line options for Prometheus binary |
Expand All @@ -142,18 +149,18 @@ Kubernetes: `>=1.16.0-0`
| prometheus.image.name | string | `"giantswarm/prometheus"` | Docker image name for the prometheus instance |
| prometheus.image.pullPolicy | string | defaultImagePullPolicy | Pull policy for the prometheus instance |
| prometheus.image.registry | string | `""` | Docker registry for the prometheus instance |
| prometheus.image.tag | string | `"v2.30.3"` | Docker image tag for the prometheus instance |
| prometheus.image.tag | string | `"v2.43.0"` | Docker image tag for the prometheus instance |
| prometheus.logFormat | string | defaultLogLevel | log format (plain, json) of the prometheus instance |
| prometheus.logLevel | string | defaultLogLevel | log level of the prometheus instance |
| prometheus.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
| prometheus.proxy | string | `nil` | |
| prometheus.remoteWrite | string | `nil` | Allows transparently sending samples to an endpoint. Mostly used for long term storage. |
| prometheus.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the prometheus container can use |
| prometheus.resources.cpu.request | string | `nil` | Amount of CPU units that the prometheus container requests |
| prometheus.resources.cpu.request | string | `"300m"` | Amount of CPU units that the prometheus container requests |
| prometheus.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the prometheus container can use |
| prometheus.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the prometheus container requests |
| prometheus.resources.memory.limit | string | `nil` | Maximum amount of memory that prometheus container can use |
| prometheus.resources.memory.request | string | `nil` | Amount of memory that the prometheus container requests |
| prometheus.resources.memory.limit | string | `"6144Mi"` | Maximum amount of memory that prometheus container can use |
| prometheus.resources.memory.request | string | `"300Mi"` | Amount of memory that the prometheus container requests |
| prometheus.ruleConfigMapMounts | string | `nil` | Alerting/recording rule ConfigMap mounts (sub-path names must end in ´_rules.yml´ or ´_rules.yaml´) |
| prometheus.scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. |
| prometheus.sidecarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems |
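Review bot: in the unchanged context of this hunk the `prometheus.logFormat` row lists its default as `defaultLogLevel`; the `tap.logFormat` and `tapInjector.logFormat` rows below show it should read `defaultLogFormat`. Because the table is generated, fix the comment or anchor in values.yaml rather than the README. Separately, the regenerated prometheus memory defaults put a `6144Mi` limit against a `300Mi` request, a 20x gap that is worth confirming as intentional.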
Expand All @@ -163,6 +170,7 @@ Kubernetes: `>=1.16.0-0`
| tap.caBundle | string | `""` | Bundle of CA certificates for tap. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
| tap.crtPEM | string | `""` | Certificate for the Tap component. If not provided and not using an external secret then Helm will generate one. |
| tap.externalSecret | bool | `false` | Do not create a secret resource for the Tap component. If this is set to `true`, the value `tap.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `tap.injectCaFrom` or `tap.injectCaFromSecret` (see below). |
| tap.ignoreHeaders | list | `[]` | List of headers that will be ignored for Linkerd Tap |
| tap.image.name | string | `"giantswarm/linkerd-tap"` | Docker image name for the tap instance |
| tap.image.pullPolicy | string | defaultImagePullPolicy | Pull policy for the tap component |
| tap.image.registry | string | defaultRegistry | Docker registry for the tap instance |
Expand All @@ -173,13 +181,15 @@ Kubernetes: `>=1.16.0-0`
| tap.logFormat | string | defaultLogFormat | log format of the tap component |
| tap.logLevel | string | defaultLogLevel | log level of the tap component |
| tap.proxy | string | `nil` | |
| tap.replicas | int | `1` | Number of tap component replicas |
| tap.replicas | int | `3` | Number of tap component replicas |
| tap.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the tap container can use |
| tap.resources.cpu.request | string | `nil` | Amount of CPU units that the tap container requests |
| tap.resources.cpu.request | string | `"100m"` | Amount of CPU units that the tap container requests |
| tap.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the tap container can use |
| tap.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the tap container requests |
| tap.resources.memory.limit | string | `nil` | Maximum amount of memory that tap container can use |
| tap.resources.memory.request | string | `nil` | Amount of memory that the tap container requests |
| tap.resources.memory.limit | string | `"250Mi"` | Maximum amount of memory that tap container can use |
| tap.resources.memory.request | string | `"50Mi"` | Amount of memory that the tap container requests |
| tap.service | object | `{"annotations":{}}` | tap service configuration |
| tap.service.annotations | object | `{}` | Additional annotations to add to tap service |
| tapInjector.UID | string | `nil` | UID for the tapInjector resource |
| tapInjector.caBundle | string | `""` | Bundle of CA certificates for the tapInjector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `tapInjector.crtPEM`. If `tapInjector.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
| tapInjector.crtPEM | string | `""` | Certificate for the tapInjector. If not provided and not using an external secret then Helm will generate one. |
Expand All @@ -194,16 +204,22 @@ Kubernetes: `>=1.16.0-0`
| tapInjector.keyPEM | string | `""` | Certificate key for the tapInjector. If not provided and not using an external secret then Helm will generate one. |
| tapInjector.logFormat | string | defaultLogFormat | log format of the tapInjector component |
| tapInjector.logLevel | string | defaultLogLevel | log level of the tapInjector |
| tapInjector.namespaceSelector | string | `nil` | |
| tapInjector.namespaceSelector[0].key | string | `"kubernetes.io/metadata.name"` | |
| tapInjector.namespaceSelector[0].operator | string | `"NotIn"` | |
| tapInjector.namespaceSelector[0].values[0] | string | `"kube-system"` | |
| tapInjector.namespaceSelector[0].values[1] | string | `"cert-manager"` | |
| tapInjector.namespaceSelector[0].values[2] | string | `"giantswarm"` | |
| tapInjector.objectSelector | string | `nil` | |
| tapInjector.proxy | string | `nil` | |
| tapInjector.replicas | int | `1` | Number of replicas of tapInjector |
| tapInjector.replicas | int | `2` | Number of replicas of tapInjector |
| tapInjector.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the tapInjector container can use |
| tapInjector.resources.cpu.request | string | `nil` | Amount of CPU units that the tapInjector container requests |
| tapInjector.resources.cpu.request | string | `"100m"` | Amount of CPU units that the tapInjector container requests |
| tapInjector.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the tapInjector container can use |
| tapInjector.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the tapInjector container requests |
| tapInjector.resources.memory.limit | string | `nil` | Maximum amount of memory that tapInjector container can use |
| tapInjector.resources.memory.request | string | `nil` | Amount of memory that the tapInjector container requests |
| tapInjector.resources.memory.limit | string | `"250Mi"` | Maximum amount of memory that tapInjector container can use |
| tapInjector.resources.memory.request | string | `"50Mi"` | Amount of memory that the tapInjector container requests |
| tapInjector.service | object | `{"annotations":{}}` | tap service configuration |
| tapInjector.service.annotations | object | `{}` | Additional annotations to add to tapInjector service |
| tolerations | string | `nil` | Default tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information |

----------------------------------------------
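Review bot: the `tapInjector.service` row in the unchanged context of this hunk is described as "tap service configuration", copied from the `tap.service` row; it should read "tapInjector service configuration" so the two rows are distinguishable. Like the other description issues, the source is the `# --` comment in values.yaml. The `tapInjector.replicas` default of 2 shown here is what makes the new injector PDB's `maxUnavailable: 1` leave one replica serving during a drain; a one-line mention of that relationship next to the flag would help operators who lower the replica count.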
21 changes: 21 additions & 0 deletions helm/linkerd-viz/templates/tap-injector.yaml
Expand Up @@ -128,3 +128,24 @@ spec:
- name: tls
secret:
secretName: tap-injector-k8s-tls
{{- if .Values.enablePodDisruptionBudget }}
---
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
name: tap-injector
namespace: {{ .Release.Namespace }}
labels:
linkerd.io/extension: viz
component: tap-injector
namespace: {{.Release.Namespace}}
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
maxUnavailable: 1
selector:
matchLabels:
linkerd.io/extension: viz
component: tap-injector
{{- end }}
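Review bot: `apiVersion: policy/v1` for PodDisruptionBudget only exists on Kubernetes 1.21 and later, while the README hunks above still advertise `Kubernetes: >=1.16.0-0`; with `enablePodDisruptionBudget` defaulting to `true`, an install on a 1.16 to 1.20 cluster fails at apply time. Either raise the chart's `kubeVersion` to match or gate the resource on `.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget"`. Also confirm that `linkerd.io/extension: viz` and `component: tap-injector` are exactly the labels on the injector's pod template (not visible in this hunk), otherwise the budget selects nothing and silently protects no pods; and `namespace: {{.Release.Namespace}}` in the labels drops the spaces used in `namespace: {{ .Release.Namespace }}` two lines above.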
21 changes: 21 additions & 0 deletions helm/linkerd-viz/templates/tap.yaml
Expand Up @@ -143,3 +143,24 @@ spec:
- name: tls
secret:
secretName: tap-k8s-tls
{{- if .Values.enablePodDisruptionBudget }}
---
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
name: tap
namespace: {{ .Release.Namespace }}
labels:
linkerd.io/extension: viz
component: tap
namespace: {{.Release.Namespace}}
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
maxUnavailable: 1
selector:
matchLabels:
linkerd.io/extension: viz
component: tap
{{- end }}
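Review bot: this block is a line-for-line copy of the tap-injector budget with the component name swapped, so the two are bound to drift; a named partial taking the component name as its argument would keep them in step. `maxUnavailable: 1` is hard-coded in both: with `tap.replicas` defaulting to 3 it keeps two tap replicas serving during a node drain, but an operator running a larger or smaller deployment has no value to tune it, so exposing it per component (for example `tap.podDisruptionBudget.maxUnavailable`, a suggested name) would match how `tap.replicas` is already configurable.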
3 changes: 3 additions & 0 deletions helm/linkerd-viz/values.yaml
Expand Up @@ -55,6 +55,9 @@ tolerations: &default_tolerations
# Enable this only when you have multiple replicas of components.
enablePodAntiAffinity: true

# -- enables the creation of pod disruption budgets for tap and tap-injector components
enablePodDisruptionBudget: true

# -- NodeAffinity section, See the
# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
# for more information
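Review bot: a single global flag guards both templates, so a user who wants a budget for `tap` (3 replicas) but not for `tap-injector`, or the reverse, has no way to express it; per-component toggles such as `tap.podDisruptionBudget.enabled` and `tapInjector.podDisruptionBudget.enabled` (suggested names) would follow the per-component layout the rest of values.yaml uses. The `# --` comment is also the text that lands in the README table, so capitalise it and name the fixed `maxUnavailable: 1` here.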
6 changes: 3 additions & 3 deletions vendir.lock.yml
Expand Up @@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- git:
commitTitle: use global image registry...
sha: 9fe8a80ec8e33a903df799a54416fcbe728eaec0
commitTitle: Add PDB for tap and tap-injector (#558)...
sha: ab842c589f03422eaecf9c5ef58ae86af5a7aed5
tags:
- stable-2.10.1-2935-g9fe8a80ec
- stable-2.10.1-2937-gab842c589
path: linkerd
path: vendor
- contents:
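Review bot: the lock advances the vendored upstream `linkerd` directory by two commits (tag suffix 2935 -> 2937) to `Add PDB for tap and tap-injector (#558)`, so the templates in this commit mirror upstream; the commit message should mention the re-vendor, and the intermediate commit (2936) should be checked for changes beyond the PDB, since only the PDB is recorded in the CHANGELOG.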
