Skip to content

feat(inject): add proxy-additional-env annotation for per-scope env overrides#15156

Merged
alpeb merged 4 commits intolinkerd:mainfrom
relu:add-proxy-additional-env-annotation
Apr 15, 2026
Merged

feat(inject): add proxy-additional-env annotation for per-scope env overrides#15156
alpeb merged 4 commits intolinkerd:mainfrom
relu:add-proxy-additional-env-annotation

Conversation

@relu
Copy link
Copy Markdown
Contributor

@relu relu commented Apr 10, 2026

Add support for a generic annotation that allows setting additional proxy environment variables via a JSON-encoded list of Kubernetes EnvVar objects on namespaces and workloads.

During injection, env vars are merged by name with precedence: Helm proxy.additionalEnv < namespace annotation < workload annotation

This provides a generic mechanism for per-namespace/workload proxy env var overrides without requiring dedicated annotations for each new proxy setting.

Addresses #15152

@relu relu requested a review from a team as a code owner April 10, 2026 10:51
…verrides

Add support for a generic annotation that allows setting additional
proxy environment variables via a JSON-encoded list of Kubernetes EnvVar
objects on namespaces and workloads.

During injection, env vars are merged by name with precedence: Helm
proxy.additionalEnv < namespace annotation < workload annotation

This provides a generic mechanism for per-namespace/workload proxy env
var overrides without requiring dedicated annotations for each new proxy
setting.

Addresses linkerd#15152

Signed-off-by: Aurel Canciu <aurel.canciu@nexhealth.com>
@relu relu force-pushed the add-proxy-additional-env-annotation branch from c63e580 to c9a5185 Compare April 10, 2026 10:51
Copy link
Copy Markdown
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @relu , looks great!

Please add a reference to this new annotation in the ProxyAnnotations slice. This will allow for AppendNamespaceAnnotations to consider it, and be properly inherited to workloads from namespace, if the workload doesn't have it already. I understand this would be redundant with what MergeAdditionalEnv already does, but IMO it would be more aligned with the behavior of the other annotations, and make things a little less surprising.

Also please a new entry in cli/cmd/doc.go.

I'm checking why the multicluster integration test is failing...

Comment thread pkg/k8s/labels.go
Signed-off-by: Aurel Canciu <aurel.canciu@nexhealth.com>
@alpeb
Copy link
Copy Markdown
Member

alpeb commented Apr 14, 2026

Thanks for the quick turnaround. One last ask: can you also expand TestInjectAutoNamespaceOverrideAnnotations with this annotation, so we get integration test coverage as well?

Signed-off-by: Aurel Canciu <aurel.canciu@nexhealth.com>
@alpeb
Copy link
Copy Markdown
Member

alpeb commented Apr 15, 2026

The tests are failing because the PatchDeploy function isn't properly escaping the annotation value. Can you please fix that?

Signed-off-by: Aurel Canciu <aurel.canciu@nexhealth.com>
@relu
Copy link
Copy Markdown
Contributor Author

relu commented Apr 15, 2026

Opted for a change to PatchDeploy itself so that the output is escaped accordingly.

Copy link
Copy Markdown
Member

@alpeb alpeb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All green! Thanks again @relu !

@alpeb alpeb merged commit 55ba865 into linkerd:main Apr 15, 2026
95 of 103 checks passed
@relu relu deleted the add-proxy-additional-env-annotation branch April 15, 2026 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants