Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

linkerd.io/helm-release-version annotation with helmfile #10778

Closed
bunnybilou opened this issue Apr 19, 2023 · 1 comment · Fixed by #11329
Closed

linkerd.io/helm-release-version annotation with helmfile #10778

bunnybilou opened this issue Apr 19, 2023 · 1 comment · Fixed by #11329
Labels
bug help wanted

Comments

@bunnybilou
Copy link
Contributor

What is the issue?

Hi,

We are using helmfile to deploy linkerd charts. Under the covers, Helmfile executes helm upgrade --install for each release and this command is always setting the .Release.Revision to 1 so we always have a diff when using the diff command.

I saw that in the edge-2075 release for some helm charts linkerd.io/helm-release-version annotation has been replaced by checksum/config.

The linkerd.io/helm-release-version annotation only remains in destination and proxy-injector components and I don't know if there is a real need of it

For what I know, for these 2 components we don't need to restart the pods when a config file change so for me it's safe to get ride of this annotation in all the charts.

How can it be reproduced?

Update linkerd helm chart with the helm upgrade --install command

Logs, error output, etc

        annotations:
-         linkerd.io/helm-release-version: "10"
+         linkerd.io/helm-release-version: "1"

output of linkerd check -o short

~ ❯ linkerd check -o short                                                                                                                                                                                                 15:18:04
linkerd-identity
----------------
‼ issuer cert is valid for at least 60 days
    issuer certificate will expire on 2023-04-26T12:15:55Z
    see https://linkerd.io/2.13/checks/#l5d-identity-issuer-cert-not-expiring-soon for hints

linkerd-webhooks-and-apisvc-tls
-------------------------------
‼ proxy-injector cert is valid for at least 60 days
    certificate will expire on 2023-04-25T16:00:57Z
    see https://linkerd.io/2.13/checks/#l5d-proxy-injector-webhook-cert-not-expiring-soon for hints
‼ sp-validator cert is valid for at least 60 days
    certificate will expire on 2023-04-25T16:00:57Z
    see https://linkerd.io/2.13/checks/#l5d-sp-validator-webhook-cert-not-expiring-soon for hints
‼ policy-validator cert is valid for at least 60 days
    certificate will expire on 2023-04-25T16:00:57Z
    see https://linkerd.io/2.13/checks/#l5d-policy-validator-webhook-cert-not-expiring-soon for hints

linkerd-version
---------------
‼ cli is up-to-date
    is running version 2.13.0 but the latest stable version is 2.13.1
    see https://linkerd.io/2.13/checks/#l5d-version-cli for hints

control-plane-version
---------------------
‼ control plane is up-to-date
    is running version 2.13.0 but the latest stable version is 2.13.1
    see https://linkerd.io/2.13/checks/#l5d-version-control for hints

linkerd-control-plane-proxy
---------------------------
‼ control plane proxies are up-to-date
    some proxies are not running the current version:
        * linkerd-destination-5cc9ffb48c-gq4ph (stable-2.13.0)
        * linkerd-destination-5cc9ffb48c-wtwc9 (stable-2.13.0)
        * linkerd-identity-8494dbd577-bpnp9 (stable-2.13.0)
        * linkerd-identity-8494dbd577-hz494 (stable-2.13.0)
        * linkerd-proxy-injector-cbd45b548-lwns7 (stable-2.13.0)
        * linkerd-proxy-injector-cbd45b548-nkzj5 (stable-2.13.0)
    see https://linkerd.io/2.13/checks/#l5d-cp-proxy-version for hints

linkerd-multicluster
--------------------
‼ multicluster extension proxies are up-to-date
    some proxies are not running the current version:
        * linkerd-gateway-6b555c766c-z5wx8 (stable-2.13.0)
        * linkerd-gateway-6b555c766c-zm8np (stable-2.13.0)
        * linkerd-service-mirror-us-east-2-testing-8d79f659f-r28pv (stable-2.13.0)
    see https://linkerd.io/2.13/checks/#l5d-multicluster-proxy-cp-version for hints

linkerd-viz
-----------
‼ tap API server cert is valid for at least 60 days
    certificate will expire on 2023-04-25T14:32:41Z
    see https://linkerd.io/2.13/checks/#l5d-tap-cert-not-expiring-soon for hints
‼ viz extension proxies are up-to-date
    some proxies are not running the current version:
        * metrics-api-675cc97768-tlk96 (stable-2.13.0)
        * prometheus-5fd775fc66-spj67 (stable-2.13.0)
        * tap-865dcff67-s2xxr (stable-2.13.0)
        * tap-injector-7f864555cd-9962k (stable-2.13.0)
        * web-76776b6c48-qkfdh (stable-2.13.0)
    see https://linkerd.io/2.13/checks/#l5d-viz-proxy-cp-version for hints

Environment

Kubernetes 1.25
EKS
Amazon Linux
Linkerd 2.13.0

Possible solution

Remove the linkerd.io/helm-release-version annotation

Additional context

No response

Would you like to work on fixing this bug?

yes
@bunnybilou bunnybilou added the bug label Apr 19, 2023
@SeWieland
Copy link

I do have the exact same issue.

I have not yet found any workaround. Setting

podAnnotations:
  linkerd.io/helm-release-version: "latest"

Was not helpful

mikutas added a commit to mikutas/linkerd2 that referenced this issue Sep 2, 2023
@mikutas
Remove unnecessary helm-release-version annotation
d5fffe6 
from destination and proxy-injector

Fixes linkerd#10778

Signed-off-by: Takumi Sue <[email protected]>
@mikutas mikutas mentioned this issue Sep 2, 2023
Merged
adleong pushed a commit that referenced this issue Sep 11, 2023
@mikutas
Remove unnecessary helm-release-version annotation (#11329)
1dc2603 
from destination and proxy-injector

Fixes #10778

Signed-off-by: Takumi Sue <[email protected]>
hawkw added a commit that referenced this issue Sep 13, 2023
@hawkw
edge-23.9.2
7cf8611 
This edge release updates the proxy's dependency on the `webpki` library
to patch security vulnerability [RUSTSEC-2023-0052]
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer with a
maliciously-crafted certificate.

* Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
  ([#11361])
* Fixed `linkerd check --proxy` incorrectly checking the proxy version
  of pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes
  [#11280])
* Removed unnecessary `linkerd.io/helm-release-version` annotation from
  the `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329];
  fixes [#10778])

[RUSTSEC-2023-0052]:
    https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
@hawkw hawkw mentioned this issue Sep 13, 2023
Merged
hawkw added a commit that referenced this issue Sep 13, 2023
@hawkw
edge-23.9.2 (#11367)
f5e490c 
This edge release updates the proxy's dependency on the `webpki` library
to patch security vulnerability [RUSTSEC-2023-0052]
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer with a
maliciously-crafted certificate.

* Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
  (#11361)
* Fixed `linkerd check --proxy` incorrectly checking the proxy version
  of pods in the `completed` state (thanks @mikutas!) (#11295; fixes
  #11280)
* Removed unnecessary `linkerd.io/helm-release-version` annotation from
  the `linkerd-control-plane` Helm chart (thanks @mikutas!) (#11329;
  fixes #10778)

[RUSTSEC-2023-0052]:
    https://rustsec.org/advisories/RUSTSEC-2023-0052.html
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this issue Sep 18, 2023
@mikutas @adamshawvipps
Remove unnecessary helm-release-version annotation (linkerd#11329)
0953393 
from destination and proxy-injector

Fixes linkerd#10778

Signed-off-by: Takumi Sue <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this issue Sep 18, 2023
@hawkw @adamshawvipps
edge-23.9.2 (linkerd#11367)
d587b6a 
This edge release updates the proxy's dependency on the `webpki` library
to patch security vulnerability [RUSTSEC-2023-0052]
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer with a
maliciously-crafted certificate.

* Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
  (linkerd#11361)
* Fixed `linkerd check --proxy` incorrectly checking the proxy version
  of pods in the `completed` state (thanks @mikutas!) (linkerd#11295; fixes
  linkerd#11280)
* Removed unnecessary `linkerd.io/helm-release-version` annotation from
  the `linkerd-control-plane` Helm chart (thanks @mikutas!) (linkerd#11329;
  fixes linkerd#10778)

[RUSTSEC-2023-0052]:
    https://rustsec.org/advisories/RUSTSEC-2023-0052.html
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this issue Sep 18, 2023
@mikutas @adamshawvipps
Remove unnecessary helm-release-version annotation (linkerd#11329)
9536fff 
from destination and proxy-injector

Fixes linkerd#10778

Signed-off-by: Takumi Sue <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this issue Sep 18, 2023
@hawkw @adamshawvipps
edge-23.9.2 (linkerd#11367)
18e138a 
This edge release updates the proxy's dependency on the `webpki` library
to patch security vulnerability [RUSTSEC-2023-0052]
(GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack
when accepting a TLS handshake from an untrusted peer with a
maliciously-crafted certificate.

* Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
  (linkerd#11361)
* Fixed `linkerd check --proxy` incorrectly checking the proxy version
  of pods in the `completed` state (thanks @mikutas!) (linkerd#11295; fixes
  linkerd#11280)
* Removed unnecessary `linkerd.io/helm-release-version` annotation from
  the `linkerd-control-plane` Helm chart (thanks @mikutas!) (linkerd#11329;
  fixes linkerd#10778)

[RUSTSEC-2023-0052]:
    https://rustsec.org/advisories/RUSTSEC-2023-0052.html

Signed-off-by: Adam Shaw <[email protected]>
mateiidavid added a commit that referenced this issue Sep 21, 2023
@mateiidavid
stable-2.14.1
6339cbc 
This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed time out from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <[email protected]>
@mateiidavid mateiidavid mentioned this issue Sep 21, 2023
Merged
mateiidavid added a commit that referenced this issue Sep 25, 2023
@mateiidavid @hawkw
stable-2.14.1 (#11405)
f496587 
* stable-2.14.1

This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed time out from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <[email protected]>
Signed-off-by: Eliza Weisman <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug help wanted
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove unnecessary helm-release-version annotation mikutas/linkerd2
3 participants
@risingspiral @bunnybilou @SeWieland