Remove legacy upgrade and it's references (#7309)

With [linkerd2#5008](#5008) and associated PRs, we changed the way configuration is handled by storing a helm values struct inside of the configmap.

Now that we have had one stable release with new configuration, were no longer use and need to maintain the legacy config. This commit removes all the associated logic, protobuf files, and references.

Changes Include:

- Removed [`proto/config/config.proto`](https://github.com/linkerd/linkerd2/blob/main/proto/config/config.proto)
- Changed [`bin/protoc-go.sh`](https://github.com/linkerd/linkerd2/blob/main/bin/protoc-go.sh) to not include `config.proto`
- Changed [`FetchLinkerdConfigMap()`](https://github.com/linkerd/linkerd2/blob/741fde679b726dd8548765deaf14e7a8c2d2c706/pkg/healthcheck/healthcheck.go#L1768) in `healthcheck.go` to return only the configmap, with the pb type.
- Changed [`FetchCurrentConfiguration()`](https://github.com/linkerd/linkerd2/blob/741fde679b726dd8548765deaf14e7a8c2d2c706/pkg/healthcheck/healthcheck.go#L1647) only unmarshal and use helm value struct from configmap (as a follow-up to the todo above; note that there's already a todo here to refactor the function once value struct is the default, which has already happened)
- Removed [`upgrade_legacy.go`](https://github.com/linkerd/linkerd2/blob/main/cli/cmd/upgrade_legacy.go)

Signed-off-by: Krzysztof Dryś <[email protected]>

Author: krzysztofdrys

bin/protoc-go.sh

@@ -11,7 +11,6 @@ rm -rf controller/gen/common controller/gen/config viz/metrics-api/gen viz/tap/g
 mkdir -p controller/gen/common/net viz/metrics-api/gen/viz viz/tap/gen/tap
 
 "$bindir"/protoc -I proto --go_out=paths=source_relative:controller/gen proto/common/net.proto
-"$bindir"/protoc -I proto --go_out=paths=source_relative:controller/gen proto/config/config.proto
 "$bindir"/protoc -I proto -I viz/metrics-api/proto --go_out=paths=source_relative:viz/metrics-api/gen viz/metrics-api/proto/viz.proto
 "$bindir"/protoc -I proto -I viz/metrics-api/proto --go-grpc_out=paths=source_relative:viz/metrics-api/gen/viz viz/metrics-api/proto/viz.proto
 "$bindir"/protoc -I proto -I viz/tap/proto -I viz/metrics-api/proto --go_out=paths=source_relative:viz/tap/gen viz/tap/proto/viz_tap.proto

cli/cmd/repair.go

@@ -8,10 +8,13 @@ import (
 	"regexp"
 	"time"
 
-	"github.com/golang/protobuf/ptypes"
-	pb "github.com/linkerd/linkerd2/controller/gen/config"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/kubernetes"
+
 	"github.com/linkerd/linkerd2/pkg/charts/linkerd2"
+	charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2"
 	"github.com/linkerd/linkerd2/pkg/healthcheck"
+	"github.com/linkerd/linkerd2/pkg/issuercerts"
 	"github.com/linkerd/linkerd2/pkg/k8s"
 	"github.com/linkerd/linkerd2/pkg/version"
 	"github.com/spf13/cobra"
@@ -127,16 +130,16 @@ func repair(ctx context.Context, forced bool) error {
 	if err != nil {
 		return fmt.Errorf("Failed to parse IssuanceLifetime from linkerd-config: %s", err)
 	}
-	idCtx := pb.IdentityContext{
-		TrustAnchorsPem:    values.IdentityTrustAnchorsPEM,
-		Scheme:             values.Identity.Issuer.Scheme,
-		ClockSkewAllowance: ptypes.DurationProto(clockSkewDuration),
-		IssuanceLifetime:   ptypes.DurationProto(issuanceLifetime),
-		TrustDomain:        values.IdentityTrustDomain,
+	idCtx := identityContext{
+		trustAnchorsPem:    values.IdentityTrustAnchorsPEM,
+		scheme:             values.Identity.Issuer.Scheme,
+		clockSkewAllowance: clockSkewDuration,
+		issuanceLifetime:   issuanceLifetime,
+		trustDomain:        values.IdentityTrustDomain,
 	}
 
 	// Populate identity values
-	err = fetchIdentityValues(ctx, k8sAPI, &idCtx, &values)
+	err = fetchIdentityValues(ctx, k8sAPI, idCtx, &values)
 	if err != nil {
 		return fmt.Errorf("Failed to load issuer credentials: %s", err)
 	}
@@ -185,3 +188,68 @@ func resetVersion(values *linkerd2.Values) error {
 	values.LinkerdVersion = defaults.LinkerdVersion
 	return nil
 }
+
+type identityContext struct {
+	trustAnchorsPem    string
+	scheme             string
+	clockSkewAllowance time.Duration
+	issuanceLifetime   time.Duration
+	trustDomain        string
+}
+
+// fetchIdentityValue checks the kubernetes API to fetch an existing
+// linkerd identity configuration.
+//
+// This bypasses the public API so that we can access secrets and validate
+// permissions.
+func fetchIdentityValues(ctx context.Context, k kubernetes.Interface, idctx identityContext, values *charts.Values) error {
+	if idctx.scheme == "" {
+		// if this is empty, then we are upgrading from a version
+		// that did not support issuer schemes. Just default to the
+		// linkerd one.
+		idctx.scheme = k8s.IdentityIssuerSchemeLinkerd
+	}
+
+	var trustAnchorsPEM string
+	var issuerData *issuercerts.IssuerCertData
+	var err error
+
+	trustAnchorsPEM = idctx.trustAnchorsPem
+
+	issuerData, err = fetchIssuer(ctx, k, trustAnchorsPEM, idctx.scheme)
+	if err != nil {
+		return err
+	}
+
+	values.IdentityTrustAnchorsPEM = trustAnchorsPEM
+	values.Identity.Issuer.Scheme = idctx.scheme
+	values.Identity.Issuer.ClockSkewAllowance = idctx.clockSkewAllowance.String()
+	values.Identity.Issuer.IssuanceLifetime = idctx.issuanceLifetime.String()
+	values.Identity.Issuer.TLS.KeyPEM = issuerData.IssuerKey
+	values.Identity.Issuer.TLS.CrtPEM = issuerData.IssuerCrt
+
+	return nil
+}
+
+func fetchIssuer(ctx context.Context, k kubernetes.Interface, trustPEM string, scheme string) (*issuercerts.IssuerCertData, error) {
+	var (
+		issuerData *issuercerts.IssuerCertData
+		err        error
+	)
+	switch scheme {
+	case string(corev1.SecretTypeTLS):
+		// Do not return external issuer certs as no need of storing them in config and upgrade secrets
+		// Also contradicts condition in https://github.com/linkerd/linkerd2/blob/main/cli/cmd/options.go#L550
+		return &issuercerts.IssuerCertData{}, nil
+	default:
+		issuerData, err = issuercerts.FetchIssuerData(ctx, k, trustPEM, controlPlaneNamespace)
+		if issuerData != nil && issuerData.TrustAnchors != trustPEM {
+			issuerData.TrustAnchors = trustPEM
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return issuerData, nil
+}

cli/cmd/upgrade.go

@@ -265,19 +265,10 @@ func upgrade(ctx context.Context, k *k8s.KubernetesAPI, flags []flag.Flag, stage
 	if err != nil {
 		return bytes.Buffer{}, fmt.Errorf("failed to load stored values: %w", err)
 	}
-	// If there is no linkerd-config-overrides secret, assume we are upgrading
-	// from a version of Linkerd prior to the introduction of this secret.  In
-	// this case we load the values from the legacy linkerd-config configmap.
-	if values == nil {
-		values, err = loadStoredValuesLegacy(ctx, k)
-		if err != nil {
-			return bytes.Buffer{}, err
-		}
-	}
 
-	// If values is still nil, then neither the linkerd-config-overrides secret
-	// nor the legacy values were found. This means either means that Linkerd
-	// was installed with Helm or that the installation needs to be repaired.
+	// If values is still nil, then the linkerd-config-overrides secret was not found.
+	// This means either means that Linkerd was installed with Helm or that the installation
+	// needs to be repaired.
 	if values == nil {
 		return bytes.Buffer{}, errors.New(
 			`Could not find the Linkerd config. If Linkerd was installed with Helm, please

cli/cmd/upgrade_legacy.go

@@ -203,8 +203,7 @@ func getServiceOpaquePortsAnnotation(svc *corev1.Service) (map[uint32]struct{},
 func parseServiceOpaquePorts(annotation string, sps []corev1.ServicePort) []string {
 	portRanges := util.GetPortRanges(annotation)
 	var values []string
-	for _, portRange := range portRanges {
-		pr := portRange.GetPortRange()
+	for _, pr := range portRanges {
 		port, named := isNamed(pr, sps)
 		if named {
 			values = append(values, strconv.Itoa(int(port)))