Proposal: Implement proxy container environment configuration via k8s annotations

[UsingCoding]

What problem are you trying to solve?

Linkerd2 proxy has many various configuration options via environment variables described here linkerd/app/src/env.rs, but current set of annotations do not cover whole environment variables configuration.

Also, there is a lot of environment variables that solve specific cases and they may not need in common annotation configuration

How should the problem be solved?

Proposal

Define annotation prefix like config.linkerd.io/env- which will be detected by injector and transformed into additionalEnv from this PR.

Algorithm of proxy injection:

• Injector will lookup for config.linkerd.io/env- prefix in annotations names
• Transform the rest of the annotation to env style UPPER_CAMEL_CASE, also add LINKERD2_PROXY_ prefix
• Pass new env variable name and value (unchanged from annotation) to additionalEnv

Example:

We want to configure LINKERD2_PROXY_{INBOUND,OUTBOUND}_CONNECT_KEEPALIVE which cannot be configured via annotations defined here

Define deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  template:
    metadata:
      annotations:
        config.linkerd.io/env-outbound-connect-keepalive: 1s
        config.linkerd.io/env-inbound-connect-keepalive: 1s
        linkerd.io/inject: enabled
    spec:
      containers:
        - name: nginx

Here define config.linkerd.io/env-outbound-connect-keepalive: 1s and config.linkerd.io/env-inbound-connect-keepalive: 1s annotations to set outbound-connect-keepalive = 1s, inbound-connect-keepalive = 1s.

So, after injection we will have new environment variables in proxy container:
config.linkerd.io/env-outbound-connect-keepalive -> LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
config.linkerd.io/env-inbound-connect-keepalive -> LINKERD2_PROXY_INBOUND_CONNECT_KEEPALIVE

Pod:

apiVersion: v1
kind: Pod
metadata:
#  ...
  name: web-66659966ff-nt25v
spec:
  containers:
    - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info,trust_dns=error
        #...
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 1s
        - name: LINKERD2_PROXY_INBOUND_CONNECT_KEEPALIVE
          value: 1s
      image: cr.l5d.io/linkerd/proxy
      name: linkerd-proxy

For why prefix LINKERD2_PROXY_ added automatically

Allows to make this injection more narrow and specific for linkerd2-proxy and do not abuse in various cases

Any alternatives you've considered?

Alternative way is configure this environment variables in helm chart for injection in additionalEnv.
This won't work in several cases:

• Configure specific parameters for specific components of system
• It`s hidden from common way of configuration proxy parameters like here and requires developer or devops to dive deep into linkerd configuration (since in this configuration not only parameters for proxy, and for other things of linkerd)

How would users interact with this feature?

No response

Would you like to work on this feature?

yes