stefanprodan/gitops-linkerd

linkerd HA requires kube-system namespace modifications

bdols opened this issue · 2 comments

bdols commented

I used this repo as a basis for bootstrapping linkerd 2.11.4.

When I enable linkerd HA (via sundry helm values from linkerd's values-ha.yaml), linkerd check reports that pod injection needs to be disabled in kube-system:

linkerd-ha-checks
-----------------
‼ pod injection disabled on kube-system
    kube-system namespace needs to have the label config.linkerd.io/admission-webhooks: disabled if injector webhook failure policy is Fail
    see https://linkerd.io/2.11/checks/#l5d-injection-disabled for hints

I added the kube-system namespace as a resource in the kustomization as follows, but pruning could (and will fail to) remove the namespace, and there may be other implications that I am not seeing right now:

kind: Namespace
metadata:
  name: kube-system
  labels:
    config.linkerd.io/admission-webhooks: disabled

I tried using Kustomization patches as follows but it didn't work and I didn't see errors:

apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: patch-kube-system
  namespace: flux-system
spec:
  interval: 10m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  prune: false
  patches:
    - patch: |
        - op: replace
          path: /metadata/labels/config.linkerd.io~1admission-webhooks
          value: disabled
      target:
        kind: Namespace
        name: kube-system
        namespace: kube-system

What's the best way to modify kube-system for linkerd HA?

flux: v0.31.3
helm-controller: v0.22.1
image-automation-controller: v0.23.4
image-reflector-controller: v0.19.2
kustomize-controller: v0.26.2
notification-controller: v0.24.0
source-controller: v0.25.9

See the docs here on how to patch existing resources and how to prevent Flux from deleting them: https://fluxcd.io/docs/faq/#how-to-patch-coredns-and-other-pre-installed-addons

bdols commented

Thank you, this worked for me:

apiVersion: v1
kind: Namespace
metadata:
  name: kube-system
  labels:
    config.linkerd.io/admission-webhooks: disabled
  annotations:
    kustomize.toolkit.fluxcd.io/prune: disabled
    kustomize.toolkit.fluxcd.io/ssa: merge
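
An added illustration (not from the thread, Flux, or Linkerd) of how the JSON Patch path in the opening post resolves: `~1` decodes to `/` inside the label key, and under RFC 6902 `replace` requires the member to already exist while `add` creates it. The namespace object is constructed sample data and the helper names are hypothetical; the code covers object members only and does not model how kustomize-controller selects patch targets.

```python
import copy

# Constructed sample: a kube-system Namespace that does not yet carry the Linkerd label.
KUBE_SYSTEM = {
    "apiVersion": "v1",
    "kind": "Namespace",
    "metadata": {"name": "kube-system",
                 "labels": {"kubernetes.io/metadata.name": "kube-system"}},
}
PATH = "/metadata/labels/config.linkerd.io~1admission-webhooks"  # path from the post
LABEL = "config.linkerd.io/admission-webhooks"

def parse_pointer(pointer):
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if not pointer.startswith("/"):
        raise ValueError("only non-empty pointers starting with '/' are handled here")
    # Decode ~1 before ~0 so that "~01" becomes the literal "~1", not "/".
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]

def apply_op(doc, op):
    """Apply one RFC 6902 add/replace op on an object member; returns a new document."""
    if op["op"] not in ("add", "replace"):
        raise ValueError(f"unsupported op: {op['op']}")
    doc = copy.deepcopy(doc)
    *parents, key = parse_pointer(op["path"])
    node = doc
    for token in parents:
        if not isinstance(node, dict) or token not in node:
            raise KeyError(f"parent does not exist: {token!r}")
        node = node[token]
    if op["op"] == "replace" and key not in node:
        # RFC 6902 section 4.3: the target location must exist for "replace".
        raise KeyError(f"cannot replace missing member: {key!r}")
    node[key] = op["value"]
    return doc

def demo():
    """Run both ops against the unlabeled namespace and report the outcome."""
    results = {}
    try:
        apply_op(KUBE_SYSTEM, {"op": "replace", "path": PATH, "value": "disabled"})
        results["replace"] = "applied"
    except KeyError:
        results["replace"] = "failed"
    added = apply_op(KUBE_SYSTEM, {"op": "add", "path": PATH, "value": "disabled"})
    results["add"] = added["metadata"]["labels"].get(LABEL)
    return results

if __name__ == "__main__":
    print(demo())
```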