
Include reusable authentications in the linkerd installation

Open olix0r opened this issue 3 years ago • 2 comments

The default Linkerd installation should be able to include authorization and authentication resources. The authentications would be useful to reuse in other installations including Linkerd extensions and application probe policies.


Unfortunately, there are a few issues with this:

There's a race condition that may prevent these resources from being applied, especially in HA configurations. If the admission controller webhook is configured in the same YAML blob that defines authentication instances, the policy admission controller won't be running as the resources are applied. In the best case, validation will be skipped. In the worst case--in HA installations, where a failure policy is configured to require admission controller validation--the application will fail and the resources will not be created.

We could potentially exempt the linkerd namespace's resources from being validated--but this is not ideal, as these resources could change after installation in ways that are fundamentally incorrect. Users would have no feedback on these changes.

Furthermore, the cli/cmd/upgrade_test.go tests do not include CRDs, so upgrades fail if they include any of these resources. This is probably fairly easy to fix.

Finally, it's unfortunate that we've defined clusterNetworks as a comma-separated list instead of as an array data structure (same goes for our opaque port settings). It's a backwards-incompatible change to modify this, but we may wish to do this before 2.12...

Signed-off-by: Oliver Gould [email protected]

olix0r, Apr 29 '22 20:04

> There's a race condition

I was wrong about this. The webhook should already skip namespaces with the annotation config.linkerd.io/admission-webhooks: disabled

olix0r, May 02 '22 18:05
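
The admission behaviour discussed in the thread above, as an added example (not code from the issue, Linkerd or Kubernetes): a simplified Python model of how a validating webhook's failure policy and a namespace exemption decide whether the resources in an install bundle are created, and whether they were validated. It assumes the exemption is a namespace selector on the key quoted above; `Webhook`, `admit`, `apply_bundle` and the bundle's resource names are hypothetical.

```python
# Added illustration: simplified model of validating-webhook admission.
# Not Linkerd or Kubernetes source code.
from dataclasses import dataclass, field

EXEMPT_KEY = "config.linkerd.io/admission-webhooks"  # key quoted in the thread


@dataclass
class Webhook:
    failure_policy: str  # "Ignore" or "Fail"
    # Assumption: the exemption is a selector "EXEMPT_KEY NotIn [values]".
    exempt_values: set = field(default_factory=lambda: {"disabled"})


def admit(webhook, ns_labels, webhook_up, resource_valid=True):
    """Return (admitted, validated) for one create/update request."""
    if ns_labels.get(EXEMPT_KEY) in webhook.exempt_values:
        return True, False       # selector does not match: webhook never called
    if not webhook_up:
        # The webhook call fails, so the failure policy decides.
        if webhook.failure_policy == "Ignore":
            return True, False   # best case in the issue: validation skipped
        return False, False      # worst case (HA): request rejected
    return resource_valid, True  # webhook reachable: its verdict applies


def apply_bundle(webhook, ns_labels, resources, webhook_up):
    """Apply a bundle; return (names created, names created without validation)."""
    created, unvalidated = [], []
    for name, valid in resources:
        ok, checked = admit(webhook, ns_labels, webhook_up, valid)
        if ok:
            created.append(name)
            if not checked:
                unvalidated.append(name)
    return created, unvalidated


# Constructed sample: resources shipped in the same YAML as the webhook config.
# The second entry stands for a resource the validator would reject.
BUNDLE = [("authentication-a", True), ("authentication-b", False)]
```

In this model an exempted namespace stays unvalidated even once the webhook is running, which is the "no feedback on later changes" concern raised in the issue.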

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot], Aug 03 '22 00:08