feat(cni-installer): implement cni installer in go#761
Open
raykroeker wants to merge 15 commits into
* Binary command cni-install.
* CNI package that wraps the installer behaviour with an Installer type
and Run method.
* Copy files (e.g. the cni plugin) to a destination from a source
defined by the environment:
* Destination: env:CONTAINER_MOUNT_PREFIX / env:DEST_CNI_BIN_DIR
* Source: env:CONTAINER_CNI_BIN_DIR
* Configure CNI based on either an environment or a file source:
* env:CNI_NETWORK_CONFIG
* file located at env:CNI_NETWORK_CONFIG_FILE
and write it to a cni config file at
* env:CONTAINER_MOUNT_PREFIX / env:DEST_CNI_NET_DIR
* Configure kubeconfig for the plugin from static config injected
with an authn token located at a file:
* Kube config file: env:CONTAINER_MOUNT_PREFIX /
env:DEST_CNI_NET_DIR / env:KUBECONFIG_FILE_NAME
* Authn token file:
/var/run/secrets/kubernetes.io/serviceaccount/token
* Watch the auth token file for fs events (create|rename|write)
before rewriting the kube config.
* Watch the cni config root for fs events (create|rename|write) and
rewrite config files injecting the linkerd configuration as a tail
plugin in the list
* Filter on and assert on specific fs events.
* Bump timeout on events to 1s (hoping to solve CI/CD failures).
Test docker image with local integration test suite. Fix re-reading sources, add better logging, ignore fs events that don't impact anything.
Add removal to the installer. Walk a log of entries that have been applied and revert them. Update the integration test manifests to drop the expiry of the service account token to 10m from 1h. Watch the service account parent directory versus the token file directly, which is a link. Filter on changes to ..data. Rename '.conf' files to '.conflist' when injecting linkerd cni config.
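The "inject the linkerd configuration as a tail plugin" step from the first commit and the ".conf to .conflist" rename from the later commit come down to one transformation of the CNI config JSON. The block below is an added example of that transformation; it is not code from this PR or from the linkerd project. The plugin entry it appends (type `linkerd-cni`, a kubeconfig path) and the function names are assumptions, and the sample `.conf` it converts is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// linkerdPlugin is the entry appended to the end of the chain. The fields are
// an assumption for this example; the installer takes the real entry from
// CNI_NETWORK_CONFIG or CNI_NETWORK_CONFIG_FILE.
func linkerdPlugin() map[string]any {
	return map[string]any{
		"name": "linkerd-cni",
		"type": "linkerd-cni",
		"kubernetes": map[string]any{
			"kubeconfig": "/etc/cni/net.d/ZZZ-linkerd-cni-kubeconfig",
		},
	}
}

// InjectLinkerd takes the bytes of a CNI config file and the name it was read
// from, and returns the rewritten bytes plus the name to write them under.
// A single-plugin .conf is wrapped into a .conflist (name and cniVersion are
// hoisted to the list, the original object becomes the first plugin); an
// existing .conflist keeps its name. A file that already carries the linkerd
// plugin is returned unchanged, so rewriting it does not feed a fresh fs
// event back into the watcher.
func InjectLinkerd(name string, raw []byte) (string, []byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", nil, fmt.Errorf("parse %s: %w", name, err)
	}

	var plugins []any
	outName := name
	if list, ok := doc["plugins"].([]any); ok {
		plugins = list
	} else {
		if !strings.HasSuffix(name, ".conf") {
			return "", nil, fmt.Errorf("%s: no plugins list and not a .conf", name)
		}
		outName = strings.TrimSuffix(name, ".conf") + ".conflist"
		plugin := make(map[string]any, len(doc))
		for k, v := range doc {
			plugin[k] = v
		}
		doc = map[string]any{
			"name":       plugin["name"],
			"cniVersion": plugin["cniVersion"],
		}
		plugins = []any{plugin}
	}

	for _, p := range plugins {
		if m, ok := p.(map[string]any); ok && m["type"] == "linkerd-cni" {
			return outName, raw, nil // already injected: idempotent
		}
	}
	doc["plugins"] = append(plugins, linkerdPlugin())

	out, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return "", nil, err
	}
	return outName, out, nil
}

func main() {
	// Constructed sample: a single-plugin .conf as a bridge CNI might ship it.
	conf := []byte(`{"cniVersion":"0.3.1","name":"k8s-pod-network","type":"bridge","bridge":"cni0"}`)
	name, out, err := InjectLinkerd("10-bridge.conf", conf)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s:\n%s\n", name, out)
}
```

The idempotency check matters because the installer watches the same directory it writes into: without it, each rewrite would raise a write event, re-read the file, and append the plugin again.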
raykroeker
commented
Jun 12, 2026
| kubernetes.io/os: linux | ||
| hostNetwork: true | ||
| serviceAccountName: linkerd-cni | ||
| automountServiceAccountToken: false |
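Review bot: with `automountServiceAccountToken: false` on this pod, the token at /var/run/secrets/kubernetes.io/serviceaccount/token that the installer reads only exists if the manifest also declares a projected `serviceAccountToken` volume mounted at that path; the visible lines do not show that volume, so confirm it is present and that its `expirationSeconds` is the 600 behind the 10m lifecycle mentioned in the comment below (600 is the smallest value the API accepts, which is the "hard floor"). A token delivered that way is rotated by the kubelet swapping the `..data` symlink, not by rewriting the token file, so the fs watch has to target the mount directory rather than the token path.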
Changes to the test-scenario files drop the service account token's lifecycle down to 10m (a hard floor).
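The comment above, together with the commit that switches the watch from the token file to its parent directory and filters on ..data, rests on how the kubelet publishes a projected token: the payload lives in a timestamped directory, `..data` is a symlink to it, and `token` is a fixed symlink to `..data/token`. The block below is an added example, not code from this PR or from linkerd, that reproduces that layout in a scratch directory so the effect of a rotation can be observed offline. Function names and the token strings are assumptions; only the token file is modelled (a real mount also carries ca.crt and namespace).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// publish writes token into a fresh timestamped directory, points a temporary
// link at it and renames that link over ..data. The rename is the atomic step
// and is the only event a watcher on the directory needs to react to.
func publish(dir, token string) error {
	stamp := ".." + time.Now().UTC().Format("2006_01_02_15_04_05.000000000")
	if err := os.MkdirAll(filepath.Join(dir, stamp), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, stamp, "token"), []byte(token), 0o600); err != nil {
		return err
	}
	tmp := filepath.Join(dir, "..data_tmp")
	_ = os.Remove(tmp)
	if err := os.Symlink(stamp, tmp); err != nil {
		return err
	}
	old, _ := os.Readlink(filepath.Join(dir, "..data")) // empty on first publish
	if err := os.Rename(tmp, filepath.Join(dir, "..data")); err != nil {
		return err
	}
	if old != "" && old != stamp {
		// The previous payload is deleted, so a watch pinned to the old
		// token inode would see a remove and then nothing more.
		_ = os.RemoveAll(filepath.Join(dir, old))
	}
	return nil
}

// Setup creates the initial layout including the stable token -> ..data/token
// link that the pod actually opens.
func Setup(dir, token string) error {
	if err := publish(dir, token); err != nil {
		return err
	}
	return os.Symlink(filepath.Join("..data", "token"), filepath.Join(dir, "token"))
}

// Rotate is what the kubelet does as the token nears expiry; with a 10m
// lifetime this happens every few minutes.
func Rotate(dir, token string) error { return publish(dir, token) }

// ReadToken resolves token -> ..data/token -> <stamp>/token and returns the
// current bearer token, the value the kubeconfig has to be rewritten with.
func ReadToken(dir string) (string, error) {
	b, err := os.ReadFile(filepath.Join(dir, "token"))
	return string(b), err
}

// IsRotationEvent is the filter a watcher on the mount directory applies: a
// create or rename of ..data means the token changed; events on anything
// else (the _tmp link, the timestamped dirs) can be ignored.
func IsRotationEvent(path string) bool {
	return filepath.Base(path) == "..data"
}

// TokenLinkTarget shows why watching the token path itself misses rotations:
// its link text never changes, only the ..data link does.
func TokenLinkTarget(dir string) (string, error) {
	return os.Readlink(filepath.Join(dir, "token"))
}

func DataLinkTarget(dir string) (string, error) {
	return os.Readlink(filepath.Join(dir, "..data"))
}

func main() {
	dir, _ := os.MkdirTemp("", "sa-")
	defer os.RemoveAll(dir)
	_ = Setup(dir, "token-v1") // constructed sample tokens
	t1, _ := ReadToken(dir)
	d1, _ := DataLinkTarget(dir)
	time.Sleep(2 * time.Millisecond) // guarantee a distinct timestamp dir
	_ = Rotate(dir, "token-v2")
	t2, _ := ReadToken(dir)
	d2, _ := DataLinkTarget(dir)
	link, _ := TokenLinkTarget(dir)
	fmt.Printf("before: %s via %s\nafter:  %s via %s\ntoken link unchanged: %s\n", t1, d1, t2, d2, link)
}
```

Running it shows the token value and the `..data` target changing while the `token` link still reads `..data/token`, which is why a watch on the token file alone stays silent across a rotation.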
raykroeker
commented
Jun 12, 2026
| clusters: | ||
| - name: local | ||
| cluster: | ||
| server: {{ .ServiceProtocol }}://{{ .ServiceHost }}:{{ .ServicePort }} |
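Review bot: `{{ .ServiceProtocol }}` in the `server:` URL allows a kubeconfig to be rendered with `http://`, and the CNI plugin would then send the service-account bearer token in the clear to whatever answers at that address; hard-code `https` in the template (as the comment below proposes) or have the renderer reject any protocol other than https before the file is written.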
I don't like protocol being configurable. This is how the previous installer was implemented. I'd like to remove this.
raykroeker
commented
Jun 12, 2026
| // data. | ||
| CertificateAuthorityData string | ||
| // SkipTLSVerify sets tls config to be insecure. | ||
| SkipTLSVerify bool |
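Review bot: `SkipTLSVerify bool` is a switch a caller can flip to true and silently disable verification of the API server the plugin presents its bearer token to; if it cannot be removed outright as the comment below proposes, make it unsettable from the environment and fail rendering when it is true, or when it is false and `CertificateAuthorityData` is empty, so a kubeconfig that cannot authenticate the server is never written.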
I don't like skip tls verify being configurable. This is how the previous installer was implemented. I'd like to remove this.
Insert a trailing space on non-code files (test data). Trim space from the test data files on read. Update test case.
This change implements rfc6 - installer reliability. It removes race conditions by using a single thread to handle file-system events, leverages a shared library for monitoring and handling those events, and provides unit test coverage.
The interface consists of a new command binary and Installer type used to perform both install and removal:

* cni-install/main.go: Runs the installer as well as the removal on exit.
* pkg/cni/install.go: Defines the factory and interface for the Installer type.

Install
The implementation walks through 3 initial steps:
After the completion of these steps, the installer establishes a watch on:

* ..data directory: trigger a reconfiguration of the kube config file.

Remove

Changes to files are tracked in the installer's in-memory log. When the command exits/quits (via signal.Notify) each log event is reverted:
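The removal path described above, an in-memory log of applied changes that is replayed in reverse on exit, is sketched below as an added example; it is not code from this PR or from linkerd, and the type and function names (`Log`, `CopyFile`, `WriteConfig`, `RenameFile`) are assumptions. Each install action records its own inverse, so removal needs no knowledge of what was installed beyond the log, and the revert runs newest-first so a rename is undone only after the content written under the new name has been restored.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"path/filepath"
	"syscall"
)

// entry pairs a description with the closure that undoes one applied change.
type entry struct {
	desc   string
	revert func() error
}

// Log is the installer's record of applied changes, reverted LIFO on exit.
type Log struct {
	entries []entry
}

func (l *Log) record(desc string, revert func() error) {
	l.entries = append(l.entries, entry{desc: desc, revert: revert})
}

// Revert undoes entries newest-first and keeps going on failure, so one
// missing file does not strand the remaining reverts; it reports how many
// failed and the first error.
func (l *Log) Revert() error {
	var errs []error
	for i := len(l.entries) - 1; i >= 0; i-- {
		if err := l.entries[i].revert(); err != nil {
			errs = append(errs, fmt.Errorf("%s: %w", l.entries[i].desc, err))
		}
	}
	l.entries = nil
	if len(errs) == 0 {
		return nil
	}
	return fmt.Errorf("revert: %d of %d steps failed, first: %w", len(errs), len(errs), errs[0])
}

// CopyFile installs src at dst (the CNI plugin binary into the host's CNI bin
// dir, for instance) and logs its removal.
func CopyFile(l *Log, src, dst string) error {
	b, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	if err := os.WriteFile(dst, b, 0o755); err != nil {
		return err
	}
	l.record("remove "+dst, func() error { return os.Remove(dst) })
	return nil
}

// WriteConfig replaces a config file and logs restoring the previous bytes;
// if the file did not exist before, the revert deletes it instead.
func WriteConfig(l *Log, path string, content []byte) error {
	prev, err := os.ReadFile(path)
	existed := err == nil
	if err != nil && !os.IsNotExist(err) {
		return err
	}
	if err := os.WriteFile(path, content, 0o644); err != nil {
		return err
	}
	if existed {
		l.record("restore "+path, func() error { return os.WriteFile(path, prev, 0o644) })
	} else {
		l.record("remove "+path, func() error { return os.Remove(path) })
	}
	return nil
}

// RenameFile moves from to to (10-net.conf -> 10-net.conflist) and logs the
// reverse rename.
func RenameFile(l *Log, from, to string) error {
	if err := os.Rename(from, to); err != nil {
		return err
	}
	l.record("rename "+to+" back", func() error { return os.Rename(to, from) })
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "cni-") // constructed scratch layout
	defer os.RemoveAll(dir)
	src := filepath.Join(dir, "plugin-src")
	_ = os.WriteFile(src, []byte("#!/bin/sh\n"), 0o755)

	var l Log
	_ = CopyFile(&l, src, filepath.Join(dir, "linkerd-cni"))
	_ = WriteConfig(&l, filepath.Join(dir, "10-net.conflist"), []byte(`{"plugins":[]}`))

	// Revert on SIGINT/SIGTERM, the same exit path the command would take.
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
	go func() {
		<-sigs
		fmt.Println("signal; revert:", l.Revert())
		os.Exit(0)
	}()
	fmt.Println("installed; revert:", l.Revert())
}
```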