Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extension namespace labels block proxy inject for linkerd viz #11

Open
gerryg80 opened this issue Oct 19, 2022 · 0 comments
Open

Extension namespace labels block proxy inject for linkerd viz #11

gerryg80 opened this issue Oct 19, 2022 · 0 comments
Assignees
@ggolub

Comments

@gerryg80
Copy link

This module creates linkerd-viz in a state where it isn't usable. "linkerd viz tap" did not work until I cleaned up the namespace labels.

The issue originates from the loop that creates all namespaces with identical annotations and labels. In particular the label config.linkerd.io/admission-webhooks: disabled on the linkerd-viz namespace prevents the pods from getting the proxy sidecar:

$ k get ns linkerd-viz -o json | jq .metadata.labels
{
  "config.linkerd.io/admission-webhooks": "disabled",
  "kubernetes.io/metadata.name": "linkerd-viz",
  "linkerd.io/control-plane-ns": "linkerd-viz",
  "linkerd.io/extension": "viz",
  "linkerd.io/is-control-plane": "true"
}

The extra labels also declare this to be the linker control-plane-ns (which is actually just linkerd). Not clear that interferes with anything but a default install of linkerd-viz using the CLI only has these labels on the namespace:

$ k get ns linkerd-viz -o json  | jq .metadata.labels 
{
  "kubernetes.io/metadata.name": "linkerd-viz",
  "linkerd.io/extension": "viz"
}

The module also creates the namespace with the linkerd.io/inject: disabled annotation. This is confusing but doesn't appear to interfere with the proxy once the admission webhook has been fixed.

This was the state before the fix - linkerd viz check returned only warnings but linkerd viz tap could not connect to workloads.

$ kubectl get po -n linkerd-viz 
NAME                            READY   STATUS    RESTARTS   AGE
metrics-api-6b6dfb4c8d-gfpkw    1/1     Running   0          25h
prometheus-6f5fdddb9c-fs6gq     1/1     Running   0          24h
tap-6ccc558b78-9pb4g            1/1     Running   0          25h
tap-injector-6cc44d7b76-b8rnf   1/1     Running   0          25h
web-85dcd74f4d-fz7tj            1/1     Running   0          25h

$ linkerd viz check 
linkerd-viz
-----------
√ linkerd-viz Namespace exists
√ linkerd-viz ClusterRoles exist
√ linkerd-viz ClusterRoleBindings exist
√ tap API server has valid cert
‼ tap API server cert is valid for at least 60 days
    certificate will expire on 2022-11-30T14:16:08Z
    see https://linkerd.io/2/checks/#l5d-tap-cert-not-expiring-soon for hints
√ tap API service is running
‼ linkerd-viz pods are injected
    could not find proxy container for metrics-api-6b6dfb4c8d-gfpkw pod
    see https://linkerd.io/2/checks/#l5d-viz-pods-injection for hints
‼ viz extension pods are running
    container "linkerd-proxy" in pod "metrics-api-6b6dfb4c8d-gfpkw" is not ready
    see https://linkerd.io/2/checks/#l5d-viz-pods-running for hints
‼ viz extension proxies are healthy
    no "linkerd-proxy" containers found in the "linkerd" namespace
    see https://linkerd.io/2/checks/#l5d-viz-proxy-healthy for hints
√ viz extension proxies are up-to-date
√ viz extension proxies and cli versions match
√ prometheus is installed and configured correctly
√ can initialize the client
√ viz extension self-check

Status check results are √
@ggolub ggolub self-assigned this Oct 25, 2022
@ggolub ggolub mentioned this issue Nov 2, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ggolub ggolub

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Linkerd-Viz Fix Azure-Terraform/terraform-helm-linkerd
2 participants
@gerryg80 @ggolub