
@frimik
Last active June 30, 2022 11:49
linkerd2-cni on Kubernetes via Grafana Tanka hackery.
--- gitvendor/cni-plugin/deployment/scripts/install-cni.sh.orig 2022-06-30 07:30:19.904455844 +0200
+++ gitvendor/cni-plugin/deployment/scripts/install-cni.sh 2022-06-30 07:29:49.579927634 +0200
@@ -308,7 +308,7 @@
sync "$filename" "$action" "$cni_conf_sha"
# When file exists (i.e we didn't deal with a DELETE ev)
# then calculate its sha to be used the next turn.
- if [ -e "$directory/$filename" ]; then
+ if [[ -e "$directory/$filename" && "$action" != 'DELETE' ]]; then
cni_conf_sha="$(sha256sum "$directory/$filename" | while read -r s _; do echo "$s"; done)"
fi
fi
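Review bot: The existence test and the `sha256sum` on the following line remain two separate steps, so if the conf file disappears between them `cni_conf_sha` would be overwritten with an empty string instead of keeping its last good value, and that value is what `sync` is handed on the next event. Assigning only when hashing succeeds closes that gap, e.g. `if new_sha="$(sha256sum "$directory/$filename" 2>/dev/null)"; then cni_conf_sha="${new_sha%% *}"; fi`. The new test also uses `[[ … ]]`, which needs bash; the shebang is outside this hunk, so confirm the script is never run by a plain POSIX sh. The two comment lines above the test still say that a surviving file means no DELETE was handled, which this change contradicts; reword them, for example `# Hash the file for the next turn, but never on a DELETE event, even if the file exists again.` The enclosing function starts and ends outside the hunk.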
// Tanka helper library; supplies the Helm templating wrapper used below.
local tanka = import 'github.com/grafana/jsonnet-libs/tanka-util/main.libsonnet';
// Helm renderer created with this file's path (std.thisFile).
local helm = tanka.helm.new(std.thisFile);

// Kubernetes object library, plus shorthands for the two kinds patched below.
local k = import 'dice-kausal/dice-kausal.libsonnet';
local configMap = k.core.v1.configMap;
local daemonSet = k.apps.v1.daemonSet;

local util = (import 'github.com/grafana/jsonnet-libs/ksonnet-util/util.libsonnet').withK(k);

// Development aid: traces obj as indented JSON during evaluation and returns
// it unchanged. The trace contains the whole object, so keep it away from
// objects that hold secret values when the output lands in shared CI logs.
local debug(obj) = std.trace(std.manifestJsonEx(obj, ' '), obj);
{
  // Hidden, overridable settings for the linkerd2-cni Helm chart.
  _config+:: {
    local c = self,
    linkerd2_cni+: {
      namespace: 'linkerd-cni',
      values+: {
        local values = self,
        // Keep in step with the vendored git ref: the install-cni.sh patch
        // was written against this version and needs re-checking on a bump.
        cniPluginVersion: 'edge-22.6.2',
        // Renders the chart's PodSecurityPolicy, which cni() patches below.
        // NOTE(review): PodSecurityPolicy (policy/v1beta1) is removed in
        // Kubernetes 1.25; plan a replacement admission control before upgrading.
        enablePSP: true,
        //ignoreInboundPorts: std.join(',', ['4191', '4190']), // In newer versions, this now defaults to include the proxy and admin ports (4191, 4190)
        // Outbound traffic to these ports is not redirected through the proxy.
        // NOTE(review): such traffic gets no mesh mTLS or policy; confirm each
        // port carries its own transport security where that matters.
        ignoreOutboundPorts: std.join(',', [
          '443',
          '3306',
          '9042',
          '9142',
          '11211',
        ]),
        // A key-less 'Exists' toleration matches every taint, so the
        // DaemonSet is scheduled onto all nodes, tainted ones included.
        tolerations: [{ operator: 'Exists' }],
      },
    },
  },

  // Renders the chart and overlays the locally patched install-cni.sh.
  cni():: {
    local this = self,
    _config+:: $._config,
    linkerd2_cni:
      helm.template('linkerd2-cni', './gitvendor/charts/linkerd2-cni', {
        namespace: $._config.linkerd2_cni.namespace,
        values: this._config.linkerd2_cni.values,
        kubeVersion: 'v1.21.0',
      })
      + {
        // Ships the vendored (and patched) script as a ConfigMap.
        // NOTE(review): whoever can edit this ConfigMap decides which script
        // the CNI installer runs; keep write access to it tightly scoped.
        configmap_linkerd_install_cni:
          configMap.new('linkerd-install-cni')
          + configMap.withData({
            'install-cni.sh': (importstr './gitvendor/cni-plugin/deployment/scripts/install-cni.sh'),
          }),

        // Mount our patched version of install-cni.sh:
        // https://github.com/linkerd/linkerd2/issues/2219#issuecomment-1170778317
        // The subPath mount exposes only that one key as a file; subPath
        // mounts do not pick up later ConfigMap changes until the pod restarts.
        daemon_set_linkerd_cni+:
          daemonSet.configMapVolumeMount(
            self.configmap_linkerd_install_cni,
            '/linkerd/install-cni.sh',
            volumeMountMixin=k.core.v1.volumeMount.withSubPath('install-cni.sh'),
          ),
        //+ daemonSet.emptyVolumeMount('linkerd-tmp-dir', '/tmp'),

        // Adds 'configMap' to the PSP's allowed volume types so the mount
        // above is admitted.
        pod_security_policy_linkerd_linkerd_cni_cni+:
          k.policy.v1beta1.podSecurityPolicy.spec.withVolumesMixin(['configMap']),
      },
  },
}
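# Vendoring helpers for the linkerd2-cni chart and its patched install script.
# Both targets are commands, not files, so both are declared phony.
.PHONY: vendor-cni patch-cni

# Fetch the upstream sources declared for vendir, then move the shared
# "partials" chart under the linkerd2-cni chart's charts/ directory.
# NOTE(review): vendir sync presumably rewrites gitvendor/, which would drop
# an earlier local patch; run patch-cni again after every vendor-cni.
vendor-cni:
	vendir sync
	mkdir -p gitvendor/charts/linkerd2-cni/charts
	mv gitvendor/charts/partials gitvendor/charts/linkerd2-cni/charts/partials

# Apply the local DELETE-event fix to the vendored install-cni.sh.
# The patched script differs from what upstream ships, so re-review the patch
# against the upstream file whenever the vendored ref changes.
patch-cni:
	patch -p0 <install-cni-delete-event.patch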
# vendir configuration: declares which upstream sources are vendored and where.
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
# Helm charts from the linkerd stable repository, each at a fixed chart version.
# NOTE(review): these charts are at 2.10.2 while the git source below is at
# edge-22.6.2; confirm which copy of linkerd2-cni is actually deployed.
- path: vendor/charts
  contents:
  - path: linkerd2
    helmChart:
      name: linkerd2
      version: 2.10.2
      repository:
        name: linkerd
        url: https://helm.linkerd.io/stable
  - path: linkerd-viz
    helmChart:
      name: linkerd-viz
      version: 2.10.2
      repository:
        name: linkerd
        url: https://helm.linkerd.io/stable
  - path: linkerd2-cni
    helmChart:
      name: linkerd2-cni
      version: 2.10.2
      repository:
        name: linkerd
        url: https://helm.linkerd.io/stable
# Files taken directly from the linkerd2 git repository.
- path: gitvendor
  contents:
  - path: .
    git:
      url: https://github.com/linkerd/linkerd2
      # NOTE(review): a tag name is a mutable reference. Committing the
      # vendir.lock.yml written by `vendir sync` (and syncing with --locked),
      # or pinning a commit SHA here, keeps the fetched content fixed.
      ref: edge-22.6.2
    # Only the CNI chart, its shared partials and the install script are kept.
    includePaths:
    - charts/linkerd2-cni/**/*
    - charts/partials/**/*
    - cni-plugin/deployment/scripts/install-cni.sh
    # Empty list; presumably turns off vendir's default license-file includes.
    legalPaths: []