diff --git a/bin/_test-helpers.sh b/bin/_test-helpers.sh index e90ed51b4..772ce9ba0 100644 --- a/bin/_test-helpers.sh +++ b/bin/_test-helpers.sh @@ -389,8 +389,9 @@ run_helm-upgrade_test() { fi setup_helm + helm_viz_chart="$( cd "$bindir"/.. && pwd )"/viz/charts/linkerd-viz run_test "$test_directory/install_test.go" --helm-path="$helm_path" --helm-chart="$helm_chart" \ - --helm-stable-chart='linkerd/linkerd2' --helm-release="$helm_release_name" --upgrade-helm-from-version="$stable_version" + --viz-helm-chart="$helm_viz_chart" --helm-stable-chart='linkerd/linkerd2' --helm-release="$helm_release_name" --upgrade-helm-from-version="$stable_version" helm_cleanup } @@ -440,9 +441,10 @@ run_helm-deep_test() { local tests=() setup_helm helm_multicluster_chart="$( cd "$bindir"/.. && pwd )"/multicluster/charts/linkerd2-multicluster + helm_viz_chart="$( cd "$bindir"/.. && pwd )"/viz/charts/linkerd-viz run_test "$test_directory/install_test.go" --helm-path="$helm_path" --helm-chart="$helm_chart" \ --helm-release="$helm_release_name" --multicluster-helm-chart="$helm_multicluster_chart" \ - --multicluster-helm-release="$helm_multicluster_release_name" + --viz-helm-chart="$helm_viz_chart" --multicluster-helm-release="$helm_multicluster_release_name" while IFS= read -r line; do tests+=("$line"); done <<< "$(go list "$test_directory"/.../...)" for test in "${tests[@]}"; do run_test "$test" diff --git a/bin/build-cli-bin b/bin/build-cli-bin index 47effe954..892dc6648 100755 --- a/bin/build-cli-bin +++ b/bin/build-cli-bin 
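Review bot: `helm_viz_chart` is assigned without `local` in both `run_helm-upgrade_test` and `run_helm-deep_test`, so each call sets a global in the shell that sourced these helpers, even though the second function already declares `local tests=()`. The value is built from `$( cd "$bindir"/.. && pwd )`, which expands to an empty string if the `cd` fails and would leave `--viz-helm-chart` pointing at `/viz/charts/linkerd-viz`. I would declare it first and assign on a separate line, `local helm_viz_chart` then `helm_viz_chart="$( cd "$bindir"/.. && pwd )"/viz/charts/linkerd-viz`, so the substitution's exit status is not masked by `local`. The existing `helm_multicluster_chart` line has the same shape, and both function bodies start outside these hunks.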
@@ -21,6 +21,8 @@ rootdir=$( cd "$bindir"/.. && pwd ) GO111MODULE=on go generate -mod=readonly ./pkg/charts/static GO111MODULE=on go generate -mod=readonly ./jaeger/static GO111MODULE=on go generate -mod=readonly ./multicluster/static + GO111MODULE=on go generate -mod=readonly ./viz/static + root_tag=$("$bindir"/root-tag) GO111MODULE=on CGO_ENABLED=0 go build -o "$target" -tags prod -mod=readonly -ldflags "-s -w -X github.com/linkerd/linkerd2/pkg/version.Version=$root_tag" ./cli echo "$target" diff --git a/bin/helm-build b/bin/helm-build index e8ecab1d0..368836e22 100755 --- a/bin/helm-build +++ b/bin/helm-build @@ -7,6 +7,7 @@ setValues() { sed -i "s/$1/$2/" charts/linkerd2-cni/values.yaml sed -i "s/$1/$2/" multicluster/charts/linkerd2-multicluster/values.yaml sed -i "s/$1/$2/" jaeger/charts/jaeger/values.yaml + sed -i "s/$1/$2/" viz/charts/linkerd-viz/values.yaml } showErr() { @@ -31,6 +32,8 @@ rootdir=$( cd "$bindir"/.. && pwd ) "$bindir"/helm lint "$rootdir"/charts/linkerd2-cni "$bindir"/helm dep up "$rootdir"/jaeger/charts/jaeger "$bindir"/helm lint "$rootdir"/jaeger/charts/jaeger +"$bindir"/helm dep up "$rootdir"/viz/charts/linkerd-viz +"$bindir"/helm lint "$rootdir"/viz/charts/linkerd-viz # `bin/helm-build package` assumes the presence of "$rootdir"/target/helm/index-pre.yaml which is downloaded in the chart_deploy CI job if [ "$1" = package ]; then 
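Review bot: The added `sed -i "s/$1/$2/" viz/charts/linkerd-viz/values.yaml` in `setValues` uses a path relative to the current directory, while the lint and package lines this commit adds further down the same file reach the chart through `"$rootdir"`. Run from anywhere but the repository root, the substitution will not find the file, and the viz chart could then be packaged with its values.yaml unchanged; whether that aborts the build depends on error handling that is not visible in the hunk. The arguments are also spliced into the sed program unescaped, so a value containing `/` or `&` changes the expression. Assuming `setValues` is only called after `rootdir` is assigned, `sed -i "s/$1/$2/" "$rootdir"/viz/charts/linkerd-viz/values.yaml` would remove the working-directory dependence. The three existing lines above it share the pattern.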
@@ -55,6 +58,8 @@ if [ "$1" = package ]; then "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/charts/linkerd2-cni "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/multicluster/charts/linkerd2-multicluster "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/jaeger/charts/jaeger + "$bindir"/helm --version "$version" --app-version "$tag" -d "$rootdir"/target/helm package "$rootdir"/viz/charts/linkerd-viz + mv "$rootdir"/target/helm/index-pre.yaml "$rootdir"/target/helm/index-pre-"$version".yaml "$bindir"/helm repo index --url "https://helm.linkerd.io/$repo/" --merge "$rootdir"/target/helm/index-pre-"$version".yaml "$rootdir"/target/helm diff --git a/charts/add-ons/grafana/Chart.yaml b/charts/add-ons/grafana/Chart.yaml deleted file mode 100644 index 1c58f8ba6..000000000 --- a/charts/add-ons/grafana/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Helm chart for the grafana add-on in Linkerd -name: grafana -version: 0.1.0 -maintainers: - - name: Linkerd authors - email: cncf-linkerd-dev@lists.cncf.io - url: https://linkerd.io/ diff --git a/charts/add-ons/grafana/README.md b/charts/add-ons/grafana/README.md deleted file mode 100644 index 5ec9e5f4b..000000000 --- a/charts/add-ons/grafana/README.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# grafana - -A Helm chart for the grafana add-on in Linkerd - -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) - -![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| file://../../partials | partials | 0.1.0 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| image.name | string | `"ghcr.io/linkerd/grafana"` | Docker image name for the grafana instance | -| image.tag | string | `nil` | Docker image tag for the grafana instance | -| proxy.resources | string | `nil` | Structure analog to the resources fields above, but overriding the resources of the linkerd proxy injected into the grafana pod. | -| resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the grafana container can use | -| resources.cpu.request | string | `nil` | Amount of CPU units that the grafana container requests | -| resources.memory.limit | string | `nil` | Maximum amount of memory that grafana container can use | -| resources.memory.request | string | `nil` | Amount of memory that the grafana container requests | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/add-ons/grafana/README.md.gotmpl b/charts/add-ons/grafana/README.md.gotmpl deleted file mode 100644 index 37f510106..000000000 --- a/charts/add-ons/grafana/README.md.gotmpl +++ /dev/null 
@@ -1,14 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.description" . }} - -{{ template "chart.versionBadge" . }} -{{ template "chart.typeBadge" . }} -{{ template "chart.appVersionBadge" . }} - -{{ template "chart.homepageLine" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/charts/add-ons/grafana/requirements.lock b/charts/add-ons/grafana/requirements.lock deleted file mode 100644 index 2579815e3..000000000 --- a/charts/add-ons/grafana/requirements.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: partials - repository: file://../../partials - version: 0.1.0 -digest: sha256:2202cf6f3783f79e78414e7a94b651589f322f3724ab220f0ea3bf8f31954de4 -generated: "2020-05-01T17:24:16.918227568+05:30" diff --git a/charts/add-ons/grafana/requirements.yaml b/charts/add-ons/grafana/requirements.yaml deleted file mode 100644 index b5d3df388..000000000 --- a/charts/add-ons/grafana/requirements.yaml +++ /dev/null @@ -1,4 +0,0 @@ -dependencies: - - name: partials - version: 0.1.0 - repository: file://../../partials diff --git a/charts/add-ons/grafana/templates/grafana-rbac.yaml b/charts/add-ons/grafana/templates/grafana-rbac.yaml deleted file mode 100644 index cfefead43..000000000 --- a/charts/add-ons/grafana/templates/grafana-rbac.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: {{.Values.global.namespace}} - labels: - {{.Values.global.controllerComponentLabel}}: grafana - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} diff --git a/charts/add-ons/grafana/templates/grafana.yaml b/charts/add-ons/grafana/templates/grafana.yaml deleted file mode 100644 index a40c149a3..000000000 --- a/charts/add-ons/grafana/templates/grafana.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: {{.Values.global.namespace}} - labels: - {{.Values.global.controllerComponentLabel}}: grafana - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - {{- if .Values.global.prometheusUrl }} - url: {{.Values.global.prometheusUrl}} - {{- else }} - url: http://linkerd-prometheus.{{.Values.global.namespace}}.svc.{{.Values.global.clusterDomain}}:9090 - {{- end }} - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: {{.Values.global.namespace}} - labels: - {{.Values.global.controllerComponentLabel}}: grafana - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} -spec: - type: ClusterIP - selector: - {{.Values.global.controllerComponentLabel}}: grafana - ports: - - name: http - port: 3000 - 
targetPort: 3000 ---- -{{- $tree := deepCopy . }} -{{ $_ := set $tree.Values.global.proxy "workloadKind" "deployment" -}} -{{ $_ := set $tree.Values.global.proxy "component" "linkerd-grafana" -}} -{{ include "linkerd.proxy.validation" .Values.global.proxy -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: {{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} - {{.Values.global.controllerComponentLabel}}: grafana - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - name: linkerd-grafana - namespace: {{.Values.global.namespace}} -spec: - replicas: 1 - selector: - matchLabels: - {{.Values.global.controllerComponentLabel}}: grafana - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 6}} - template: - metadata: - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} - {{- include "partials.proxy.annotations" .Values.global.proxy| nindent 8 }} - {{- with .Values.global.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} - labels: - {{.Values.global.controllerComponentLabel}}: grafana - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{.Values.global.workloadNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 8 }} - {{- with .Values.global.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} - spec: - {{- if .Values.tolerations -}} - {{- include "linkerd.tolerations" . | nindent 6 }} - {{- end -}} - {{- include "linkerd.node-selector" . 
| nindent 6 }} - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: {{.Values.image.name}}:{{ default (default .Values.global.linkerdVersion .Values.global.controllerImageVersion) .Values.image.tag}} - imagePullPolicy: {{.Values.global.imagePullPolicy}} - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - {{- if .Values.resources -}} - {{- include "partials.resources" .Values.resources | nindent 8 }} - {{- end }} - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - {{- if not (empty .Values.proxy) }} - {{- if not (empty .Values.proxy.resources) }} - {{- $r := merge .Values.proxy.resources .Values.global.proxy.resources }} - {{- $_ := set $tree.Values.global.proxy "resources" $r }} - {{- end }} - {{- end }} - - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} - {{ if not .Values.global.cniEnabled -}} - initContainers: - - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - {{ if not .Values.global.cniEnabled -}} - - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} - - {{- include "partials.proxy.volumes.identity" . 
| indent 8 | trimPrefix (repeat 7 " ") }} diff --git a/charts/add-ons/grafana/values.yaml b/charts/add-ons/grafana/values.yaml deleted file mode 100644 index c16b17081..000000000 --- a/charts/add-ons/grafana/values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -image: - # -- Docker image name for the grafana instance - name: ghcr.io/linkerd/grafana - # -- Docker image tag for the grafana instance - tag: - -resources: - cpu: - # -- Maximum amount of CPU units that the grafana container can use - limit: - # -- Amount of CPU units that the grafana container requests - request: - memory: - # -- Maximum amount of memory that grafana container can use - limit: - # -- Amount of memory that the grafana container requests - request: -proxy: - # -- Structure analog to the resources fields above, but overriding the - # resources of the linkerd proxy injected into the grafana pod. - resources: \ No newline at end of file diff --git a/charts/add-ons/prometheus/.helmignore b/charts/add-ons/prometheus/.helmignore deleted file mode 100644 index 50af03172..000000000 --- a/charts/add-ons/prometheus/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/add-ons/prometheus/Chart.yaml b/charts/add-ons/prometheus/Chart.yaml deleted file mode 100644 index 220f27dac..000000000 --- a/charts/add-ons/prometheus/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Helm chart for the prometheus add-on in Linkerd -name: prometheus -version: 0.1.0 -maintainers: - - name: Linkerd authors - email: cncf-linkerd-dev@lists.cncf.io - url: https://linkerd.io/ 
diff --git a/charts/add-ons/prometheus/README.md b/charts/add-ons/prometheus/README.md deleted file mode 100644 index 66b4efaf4..000000000 --- a/charts/add-ons/prometheus/README.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# prometheus - -A Helm chart for the prometheus add-on in Linkerd - -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) - -![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| file://../../partials | partials | 0.1.0 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| alertManagers | string | `nil` | Alertmanager instances the Prometheus server sends alerts to configured via the static_configs parameter. | -| alertRelabelConfigs | string | `nil` | Alert relabeling is applied to alerts before they are sent to the Alertmanager. | -| args | object | `{"config.file":"/etc/prometheus/prometheus.yml","log.level":"info","storage.tsdb.path":"/data","storage.tsdb.retention.time":"6h"}` | Command line options for Prometheus binary | -| globalConfig | object | `{"evaluation_interval":"10s","scrape_interval":"10s","scrape_timeout":"10s"}` | The global configuration specifies parameters that are valid in all other configuration contexts. | -| image | string | `"prom/prometheus:v2.19.3"` | Docker image for the prometheus instance | -| proxy.resources | string | `nil` | CPU and Memory resources required by proxy injected into prometheus pod (see global.proxy.resources for sub-fields) | -| remoteWrite | string | `nil` | Allows transparently sending samples to an endpoint. Mostly used for long term storage. 
| -| resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the prometheus container can use | -| resources.cpu.request | string | `nil` | Amount of CPU units that the prometheus container requests | -| resources.memory.limit | string | `nil` | Maximum amount of memory that prometheus container can use | -| resources.memory.request | string | `nil` | Amount of memory that the prometheus container requests | -| ruleConfigMapMounts | string | `nil` | Alerting/recording rule ConfigMap mounts (sub-path names must end in ´_rules.yml´ or ´_rules.yaml´) | -| scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. | -| sideCarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/add-ons/prometheus/README.md.gotmpl b/charts/add-ons/prometheus/README.md.gotmpl deleted file mode 100644 index 37f510106..000000000 --- a/charts/add-ons/prometheus/README.md.gotmpl +++ /dev/null @@ -1,14 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.description" . }} - -{{ template "chart.versionBadge" . }} -{{ template "chart.typeBadge" . }} -{{ template "chart.appVersionBadge" . }} - -{{ template "chart.homepageLine" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/charts/add-ons/prometheus/requirements.yaml b/charts/add-ons/prometheus/requirements.yaml deleted file mode 100644 index b5d3df388..000000000 --- a/charts/add-ons/prometheus/requirements.yaml +++ /dev/null @@ -1,4 +0,0 @@ -dependencies: - - name: partials - version: 0.1.0 - repository: file://../../partials 
diff --git a/charts/add-ons/prometheus/templates/prometheus-rbac.yaml b/charts/add-ons/prometheus/templates/prometheus-rbac.yaml deleted file mode 100644 index 6b72e448c..000000000 --- a/charts/add-ons/prometheus/templates/prometheus-rbac.yaml +++ /dev/null @@ -1,42 +0,0 @@ ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-{{.Values.global.namespace}}-prometheus - labels: - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-{{.Values.global.namespace}}-prometheus - labels: - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-{{.Values.global.namespace}}-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: {{.Values.global.namespace}} ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: {{.Values.global.namespace}} - labels: - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} diff --git a/charts/add-ons/prometheus/values.yaml b/charts/add-ons/prometheus/values.yaml deleted file mode 100644 index 6f25b187d..000000000 --- a/charts/add-ons/prometheus/values.yaml +++ /dev/null 
@@ -1,123 +0,0 @@ -# This add-on's default property values are declared in `charts/add-ons/prometheus/values.yaml`. -# If installing/upgrading with Helm, you can override them through the usual `--set` or `-f` flags -# when installing with the parent linkerd2 chart -# Do not override them in this file! -# If installing/upgrading with linkerd's CLI, use the `--config` flag. - -# -- Docker image for the prometheus instance -image: prom/prometheus:v2.19.3 -# -- Command line options for Prometheus binary -args: - storage.tsdb.path: /data - storage.tsdb.retention.time: 6h - config.file: /etc/prometheus/prometheus.yml - log.level: info -# -- The global configuration specifies parameters that are valid in all other -# configuration contexts. -globalConfig: - scrape_interval: 10s - scrape_timeout: 10s - evaluation_interval: 10s - -# -- Alert relabeling is applied to alerts before they are sent to the -# Alertmanager. -alertRelabelConfigs: -# Ex: -# - action: labeldrop -# regex: prometheus_replica - -# -- Alertmanager instances the Prometheus server sends alerts to configured via -# the static_configs parameter. -alertManagers: -# Ex: -# - scheme: http -# static_configs: -# - targets: -# - "alertmanager.linkerd.svc:9093" - -# -- Allows transparently sending samples to an endpoint. Mostly used for long -# term storage. -remoteWrite: - -# -- Alerting/recording rule ConfigMap mounts (sub-path names must end in -# ´_rules.yml´ or ´_rules.yaml´) -ruleConfigMapMounts: -# Ex: -# - name: alerting-rules -# subPath: alerting_rules.yml -# configMap: linkerd-prometheus-rules -# - name: recording-rules -# subPath: recording_rules.yml -# configMap: linkerd-prometheus-rules - -# -- A scrapeConfigs section specifies a set of targets and parameters -# describing how to scrape them. 
-scrapeConfigs: -# Ex: -# - job_name: 'kubernetes-nodes' -# scheme: https -# tls_config: -# ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -# bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token -# kubernetes_sd_configs: -# - role: node -# relabel_configs: -# - action: labelmap -# regex: __meta_kubernetes_node_label_(.+) - -# -- A sidecarContainers section specifies a list of secondary containers to run -# in the prometheus pod e.g. to export data to non-prometheus systems -sideCarContainers: -# Ex: -# - name: sidecar -# image: gcr.io/myproject/stackdriver-prometheus-sidecar -# imagePullPolicy: Always -# command: -# - /bin/sh -# - -c -# - | -# exec /bin/stackdriver-prometheus-sidecar \ -# --stackdriver.project-id=myproject \ -# --stackdriver.kubernetes.location=us-central1 \ -# --stackdriver.kubernetes.cluster-name=mycluster \ -# --prometheus.wal-directory=/data/wal \ -# --log.level=info -# volumeMounts: -# - mountPath: /data -# name: data -# ports: -# - name: foo -# containerPort: 9091 -# protocol: TCP - - -proxy: - # -- CPU and Memory resources required by proxy injected into prometheus pod - # (see global.proxy.resources for sub-fields) - resources: - -### WARNING: persistence is experimental and has not been tested/vetted by the Linkerd team. -### As such, please refer to https://linkerd.io/2/tasks/exporting-metrics/ for the recommended approach to metrics data retention. -# if enabled, creates a persistent volume claim for prometheus data -# https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims -#persistence: -# -- Storage class used to create prometheus data PV. -# storageClass: -# -- PVC access mode. -# accessMode: -# -- Prometheus data volume size. 
-# size: - - -resources: - cpu: - # -- Maximum amount of CPU units that the prometheus container can use - limit: - # -- Amount of CPU units that the prometheus container requests - request: - memory: - # -- Maximum amount of memory that prometheus container can use - limit: - # -- Amount of memory that the prometheus container requests - request: - diff --git a/charts/linkerd2/README.md b/charts/linkerd2/README.md index 68d99f1f0..9521fb0a0 100644 --- a/charts/linkerd2/README.md +++ b/charts/linkerd2/README.md @@ -118,8 +118,6 @@ Kubernetes: `>=1.13.0-0` | Repository | Name | Version | |------------|------|---------| -| file://../add-ons/grafana | grafana | 0.1.0 | -| file://../add-ons/prometheus | prometheus | 0.1.0 | | file://../partials | partials | 0.1.0 | ## Values 
@@ -129,13 +127,11 @@ Kubernetes: `>=1.13.0-0` | controllerImage | string | `"ghcr.io/linkerd/controller"` | Docker image for the controller, tap and identity components | | controllerReplicas | int | `1` | Number of replicas for each control plane pod | | controllerUID | int | `2103` | User ID for the control plane components | -| dashboard.replicas | int | `1` | Number of replicas of dashboard | | debugContainer.image.name | string | `"ghcr.io/linkerd/debug"` | Docker image for the debug container | | debugContainer.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the debug container Docker image | | debugContainer.image.version | string | `"linkerdVersionValue"` | Tag for the debug container Docker image | | disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | | enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading | -| enforcedHostRegexp | string | `""` | Host header validation regex for the dashboard. See the [Linkerd documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more information | | global.clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | | global.clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"` | The cluster networks for which service discovery is performed. This should include the pod network but need not include the node network. By default, all private networks are specified so that resolution works in typical Kubernetes environments. | | global.cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed | 
@@ -192,7 +188,6 @@ Kubernetes: `>=1.13.0-0` | global.proxyInjectAnnotation | string | `"linkerd.io/inject"` | Annotation label to signal injection. Do not edit. | | global.proxyInjectDisabled | string | `"disabled"` | Annotation value to disable injection. Do not edit. | | global.workloadNamespaceLabel | string | `"linkerd.io/workload-ns"` | | -| grafana.enabled | bool | `true` | | | heartbeatSchedule | string | `"0 0 * * *"` | Config for the heartbeat cronjob | | identity.issuer.clockSkewAllowance | string | `"20s"` | Amount of time to allow for clock skew within a Linkerd cluster | | identity.issuer.crtExpiry | string | `nil` | Expiration timestamp for the issuer certificate. It must be provided during install. Must match the expiry date in crtPEM | 
@@ -210,17 +205,11 @@ Kubernetes: `>=1.13.0-0` | profileValidator.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). | | profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided then Helm will generate one. | | profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | -| prometheus.enabled | bool | `true` | | | proxyInjector.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated. | | proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided then Helm will generate one. | | proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below) | | proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided then Helm will generate one. | | proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation config.linkerd.io/admission-webhooks=disabled | -| tap.caBundle | string | `""` | Bundle of CA certificates for Tap component. If not provided then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to true, this value must be set, as no certificate will be generated. 
| -| tap.crtPEM | string | `""` | Certificate for the Tap component. If not provided then Helm will generate one. | -| tap.externalSecret | bool | `false` | Do not create a secret resource for the Tap component. If this is set to `true`, the value `tap.caBundle` must be set (see below). | -| tap.keyPEM | string | `""` | Certificate key for Tap component. If not provided then Helm will generate one. | -| webImage | string | `"ghcr.io/linkerd/web"` | | | webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector | ---------------------------------------------- diff --git a/charts/linkerd2/requirements.lock b/charts/linkerd2/requirements.lock index 1a8088526..968cd6e43 100644 --- a/charts/linkerd2/requirements.lock +++ b/charts/linkerd2/requirements.lock @@ -2,11 +2,5 @@ dependencies: - name: partials repository: file://../partials version: 0.1.0 -- name: prometheus - repository: file://../add-ons/prometheus - version: 0.1.0 -- name: grafana - repository: file://../add-ons/grafana - version: 0.1.0 -digest: sha256:2bbca4bf61028194ae6ee86763f21fa2488c9d141e3529bae642fa72b45fb34c -generated: "2020-12-18T23:27:44.921336524Z" +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2020-12-21T17:47:25.811707816Z" diff --git a/charts/linkerd2/requirements.yaml b/charts/linkerd2/requirements.yaml index c731a5997..a17d782a8 100644 --- a/charts/linkerd2/requirements.yaml +++ b/charts/linkerd2/requirements.yaml @@ -2,11 +2,3 @@ dependencies: - name: partials version: 0.1.0 repository: file://../partials -- name: prometheus - version: 0.1.0 - repository: file://../add-ons/prometheus - condition: prometheus.enabled -- name: grafana - version: 0.1.0 - repository: file://../add-ons/grafana - condition: grafana.enabled diff --git a/charts/linkerd2/templates/config.yaml b/charts/linkerd2/templates/config.yaml index a49b162cf..06c8c0e98 100644 --- a/charts/linkerd2/templates/config.yaml 
+++ b/charts/linkerd2/templates/config.yaml @@ -25,9 +25,6 @@ data: {{- if kindIs "map" $values.proxyInjector -}} {{- $_ := unset $values.proxyInjector "keyPEM"}} {{- end -}} - {{- if kindIs "map" $values.tap -}} - {{- $_ := unset $values.tap "keyPEM"}} - {{- end -}} {{- $_ := unset $values "partials"}} {{- $_ := unset $values "configs"}} {{- $_ := unset $values "stage"}} diff --git a/charts/linkerd2/templates/controller-rbac.yaml b/charts/linkerd2/templates/controller-rbac.yaml index ffffd7324..9d7b0cfa7 100644 --- a/charts/linkerd2/templates/controller-rbac.yaml +++ b/charts/linkerd2/templates/controller-rbac.yaml @@ -51,4 +51,4 @@ metadata: labels: {{.Values.global.controllerComponentLabel}}: controller {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} +{{- include "partials.image-pull-secrets" .Values.global.imagePullSecrets }} diff --git a/charts/linkerd2/templates/controller.yaml b/charts/linkerd2/templates/controller.yaml index 20486ab57..06477f197 100644 --- a/charts/linkerd2/templates/controller.yaml +++ b/charts/linkerd2/templates/controller.yaml @@ -81,8 +81,8 @@ spec: - -cluster-domain={{.Values.global.clusterDomain}} {{- if .Values.global.prometheusUrl }} - -prometheus-url={{.Values.global.prometheusUrl}} - {{- else if .Values.prometheus.enabled }} - - -prometheus-url=http://linkerd-prometheus.{{.Values.global.namespace}}.svc.{{.Values.global.clusterDomain}}:9090 + {{- else }} + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.{{.Values.global.clusterDomain}}:9090 {{- end }} {{- include "partials.linkerd.trace" . | nindent 8 -}} image: {{.Values.controllerImage}}:{{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} diff --git a/charts/linkerd2/templates/destination-rbac.yaml b/charts/linkerd2/templates/destination-rbac.yaml index 744db7c4b..c78dd799a 100644 --- a/charts/linkerd2/templates/destination-rbac.yaml 
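Review bot: The new `{{- else }}` branch in controller.yaml always emits `-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.{{.Values.global.clusterDomain}}:9090`, with the `linkerd-viz` namespace written as a literal. Before this change the flag was omitted when `prometheus.enabled` was false and `global.prometheusUrl` was unset; now the controller is pointed at that service even if the viz chart is absent or installed under another namespace. The heartbeat.yaml hunk adds the same literal. At minimum I would document the coupling next to the branch, for example `{{- /* default assumes the viz chart runs in the linkerd-viz namespace; set global.prometheusUrl otherwise */}}`. The container args list starts before the hunk, so how the controller handles an unreachable URL is not visible here.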
+++ b/charts/linkerd2/templates/destination-rbac.yaml @@ -56,4 +56,4 @@ metadata: labels: {{.Values.global.controllerComponentLabel}}: destination {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} +{{- include "partials.image-pull-secrets" .Values.global.imagePullSecrets }} diff --git a/charts/linkerd2/templates/heartbeat-rbac.yaml b/charts/linkerd2/templates/heartbeat-rbac.yaml index 374cd9422..52b471814 100644 --- a/charts/linkerd2/templates/heartbeat-rbac.yaml +++ b/charts/linkerd2/templates/heartbeat-rbac.yaml @@ -41,5 +41,5 @@ metadata: labels: {{.Values.global.controllerComponentLabel}}: heartbeat {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} +{{- include "partials.image-pull-secrets" .Values.global.imagePullSecrets }} {{- end }} diff --git a/charts/linkerd2/templates/heartbeat.yaml b/charts/linkerd2/templates/heartbeat.yaml index 08c484972..ec679ee24 100644 --- a/charts/linkerd2/templates/heartbeat.yaml +++ b/charts/linkerd2/templates/heartbeat.yaml @@ -48,8 +48,8 @@ spec: - "-log-level={{.Values.global.controllerLogLevel}}" {{- if .Values.global.prometheusUrl }} - "-prometheus-url={{.Values.global.prometheusUrl}}" - {{- else if .Values.prometheus.enabled }} - - "-prometheus-url=http://linkerd-prometheus.{{.Values.global.namespace}}.svc.{{.Values.global.clusterDomain}}:9090" + {{- else }} + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.{{.Values.global.clusterDomain}}:9090" {{- end }} {{- if .Values.heartbeatResources -}} {{- include "partials.resources" .Values.heartbeatResources | nindent 12 }} diff --git a/charts/linkerd2/templates/identity-rbac.yaml b/charts/linkerd2/templates/identity-rbac.yaml index a38e77d78..3d5d148f0 100644 --- a/charts/linkerd2/templates/identity-rbac.yaml +++ b/charts/linkerd2/templates/identity-rbac.yaml 
@@ -46,5 +46,5 @@ metadata: labels: {{.Values.global.controllerComponentLabel}}: identity {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} +{{- include "partials.image-pull-secrets" .Values.global.imagePullSecrets }} {{ end -}} diff --git a/charts/linkerd2/templates/proxy-injector-rbac.yaml b/charts/linkerd2/templates/proxy-injector-rbac.yaml index e5de7b070..985a85dab 100644 --- a/charts/linkerd2/templates/proxy-injector-rbac.yaml +++ b/charts/linkerd2/templates/proxy-injector-rbac.yaml @@ -52,7 +52,7 @@ metadata: labels: {{.Values.global.controllerComponentLabel}}: proxy-injector {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} +{{- include "partials.image-pull-secrets" .Values.global.imagePullSecrets }} --- {{- $host := printf "linkerd-proxy-injector.%s.svc" .Values.global.namespace }} {{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} diff --git a/charts/linkerd2/templates/psp.yaml b/charts/linkerd2/templates/psp.yaml index 6cfa17b1b..588d43b0c 100644 --- a/charts/linkerd2/templates/psp.yaml +++ b/charts/linkerd2/templates/psp.yaml @@ -90,11 +90,6 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: {{.Values.global.namespace}} -{{ if .Values.grafana.enabled -}} -- kind: ServiceAccount - name: linkerd-grafana - namespace: {{.Values.global.namespace}} -{{ end -}} {{ if not .Values.disableHeartBeat -}} - kind: ServiceAccount name: linkerd-heartbeat 
@@ -103,20 +98,9 @@ subjects: - kind: ServiceAccount name: linkerd-identity namespace: {{.Values.global.namespace}} -{{ if .Values.prometheus.enabled -}} -- kind: ServiceAccount - name: linkerd-prometheus - namespace: {{.Values.global.namespace}} -{{ end -}} - kind: ServiceAccount name: linkerd-proxy-injector namespace: {{.Values.global.namespace}} - kind: ServiceAccount name: linkerd-sp-validator namespace: {{.Values.global.namespace}} -- kind: ServiceAccount - name: linkerd-tap - namespace: {{.Values.global.namespace}} -- kind: ServiceAccount - name: linkerd-web - namespace: {{.Values.global.namespace}} diff --git a/charts/linkerd2/templates/sp-validator-rbac.yaml b/charts/linkerd2/templates/sp-validator-rbac.yaml index 2ad85b0f5..2548ef7db 100644 --- a/charts/linkerd2/templates/sp-validator-rbac.yaml +++ b/charts/linkerd2/templates/sp-validator-rbac.yaml @@ -40,7 +40,7 @@ metadata: labels: {{.Values.global.controllerComponentLabel}}: sp-validator {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} +{{- include "partials.image-pull-secrets" .Values.global.imagePullSecrets }} --- {{- $host := printf "linkerd-sp-validator.%s.svc" .Values.global.namespace }} {{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} diff --git a/charts/linkerd2/templates/tap.yaml b/charts/linkerd2/templates/tap.yaml deleted file mode 100644 index 02bb2237f..000000000 --- a/charts/linkerd2/templates/tap.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: {{.Values.global.namespace}} - labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} -spec: - type: ClusterIP - selector: - {{.Values.global.controllerComponentLabel}}: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -{{- $tree := deepCopy . }} -{{ $_ := set $tree.Values.global.proxy "workloadKind" "deployment" -}} -{{ $_ := set $tree.Values.global.proxy "component" "linkerd-tap" -}} -{{ include "linkerd.proxy.validation" .Values.global.proxy -}} -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: {{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - name: linkerd-tap - namespace: {{.Values.global.namespace}} -spec: - replicas: {{.Values.controllerReplicas}} - selector: - matchLabels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 6}} - {{- if .Values.enablePodAntiAffinity }} - strategy: - rollingUpdate: - maxUnavailable: 1 - {{- end }} - template: - metadata: - annotations: - {{- if (or (empty .Values.global.cliVersion) (not (eq (.Values.stage | toString) "control-plane"))) }} - 
checksum/config: {{ include (print $.Template.BasePath "/tap-rbac.yaml") . | sha256sum }} - {{- end }} - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} - {{- include "partials.proxy.annotations" .Values.global.proxy| nindent 8}} - {{- with .Values.global.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} - labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{.Values.global.workloadNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 8}} - {{- with .Values.global.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} - spec: - {{- if .Values.tolerations -}} - {{- include "linkerd.tolerations" . | nindent 6 }} - {{- end -}} - {{- include "linkerd.node-selector" . | nindent 6 }} - {{- if .Values.enablePodAntiAffinity -}} - {{- $local := dict "component" "tap" "label" .Values.global.controllerComponentLabel -}} - {{- include "linkerd.pod-affinity" $local | nindent 6 -}} - {{- end }} - containers: - - args: - - tap - - -controller-namespace={{.Values.global.namespace}} - - -log-level={{.Values.global.controllerLogLevel}} - - -identity-trust-domain={{.Values.global.identityTrustDomain }} - {{- include "partials.linkerd.trace" . 
| nindent 8 -}} - image: {{.Values.controllerImage}}:{{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} - imagePullPolicy: {{.Values.global.imagePullPolicy}} - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - {{- if .Values.tapResources -}} - {{- include "partials.resources" .Values.tapResources | nindent 8 }} - {{- end }} - securityContext: - runAsUser: {{.Values.controllerUID}} - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - {{- if not (empty .Values.tapProxyResources) }} - {{- $r := merge .Values.tapProxyResources .Values.global.proxy.resources }} - {{- $_ := set $tree.Values.global.proxy "resources" $r }} - {{- end }} - - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} - {{ if not .Values.global.cniEnabled -}} - initContainers: - - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} - serviceAccountName: linkerd-tap - volumes: - {{ if not .Values.global.cniEnabled -}} - - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} - - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - diff --git a/charts/linkerd2/templates/web.yaml b/charts/linkerd2/templates/web.yaml deleted file mode 100644 index ddf7bdbe6..000000000 --- a/charts/linkerd2/templates/web.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: {{.Values.global.namespace}} - labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} -spec: - type: ClusterIP - selector: - {{.Values.global.controllerComponentLabel}}: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -{{- $tree := deepCopy . }} -{{ $_ := set $tree.Values.global.proxy "workloadKind" "deployment" -}} -{{ $_ := set $tree.Values.global.proxy "component" "linkerd-web" -}} -{{ include "linkerd.proxy.validation" .Values.global.proxy -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: {{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - name: linkerd-web - namespace: {{.Values.global.namespace}} -spec: - replicas: {{.Values.dashboard.replicas}} - selector: - matchLabels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 6}} - template: - metadata: - annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} - {{- include "partials.proxy.annotations" .Values.global.proxy| nindent 8}} - {{- with 
.Values.global.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} - labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{.Values.global.workloadNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 8}} - {{- with .Values.global.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} - spec: - {{- if .Values.tolerations -}} - {{- include "linkerd.tolerations" . | nindent 6 }} - {{- end -}} - {{- include "linkerd.node-selector" . | nindent 6 }} - containers: - - args: - - -api-addr=linkerd-controller-api.{{.Values.global.namespace}}.svc.{{.Values.global.clusterDomain}}:8085 - - -cluster-domain={{.Values.global.clusterDomain}} - {{- if .Values.global.grafanaUrl }} - - -grafana-addr={{.Values.global.grafanaUrl}} - {{- else if .Values.grafana.enabled }} - - -grafana-addr=linkerd-grafana.{{.Values.global.namespace}}.svc.{{.Values.global.clusterDomain}}:3000 - {{- end}} - - -controller-namespace={{.Values.global.namespace}} - - -log-level={{.Values.global.controllerLogLevel}} - {{- if .Values.enforcedHostRegexp }} - - -enforced-host={{.Values.enforcedHostRegexp}} - {{- else -}} - {{- $hostFull := replace "." "\\." (printf "linkerd-web.%s.svc.%s" .Values.global.namespace .Values.global.clusterDomain) }} - {{- $hostAbbrev := replace "." "\\." (printf "linkerd-web.%s.svc" .Values.global.namespace) }} - - -enforced-host=^(localhost|127\.0\.0\.1|{{ $hostFull }}|{{ $hostAbbrev }}|\[::1\])(:\d+)?$ - {{- end}} - {{- include "partials.linkerd.trace" . 
| nindent 8 -}} - image: {{.Values.webImage}}:{{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} - imagePullPolicy: {{.Values.global.imagePullPolicy}} - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - {{- if .Values.webResources -}} - {{- include "partials.resources" .Values.webResources | nindent 8 }} - {{- end }} - securityContext: - runAsUser: {{.Values.controllerUID}} - {{- if not (empty .Values.webProxyResources) }} - {{- $r := merge .Values.webProxyResources .Values.global.proxy.resources }} - {{- $_ := set $tree.Values.global.proxy "resources" $r }} - {{- end }} - - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} - {{ if not .Values.global.cniEnabled -}} - initContainers: - - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} - serviceAccountName: linkerd-web - volumes: - {{ if not .Values.global.cniEnabled -}} - - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} - - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} diff --git a/charts/linkerd2/values-ha.yaml b/charts/linkerd2/values-ha.yaml index 89d69234a..6f5b2d43f 100644 --- a/charts/linkerd2/values-ha.yaml +++ b/charts/linkerd2/values-ha.yaml 
@@ -33,36 +33,12 @@ identityResources: limit: 250Mi request: 10Mi -# grafana configuration -grafana: - resources: - cpu: *controller_resources_cpu - memory: - limit: 1024Mi - request: 50Mi - # heartbeat configuration heartbeatResources: *controller_resources -# prometheus configuration -prometheus: - resources: - cpu: - limit: "" - request: 300m - memory: - limit: 8192Mi - request: 300Mi - # proxy injector configuration proxyInjectorResources: *controller_resources webhookFailurePolicy: Fail # service profile validator configuration spValidatorResources: *controller_resources - -# tap configuration -tapResources: *controller_resources - -# web configuration -webResources: *controller_resources diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index 1d2c7e887..886c334ce 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml @@ -165,11 +165,6 @@ global: imagePullSecrets: [] # - name: my-private-docker-registry-login-secret -# -- Host header validation regex for the dashboard. See the [Linkerd -# documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more -# information -enforcedHostRegexp: "" - # -- Allow proxies to perform transparent HTTP/2 upgrading enableH2Upgrade: true @@ -197,12 +192,6 @@ controllerUID: 2103 # injected into destination pod (see `global.proxy.resources` for sub-fields) #destinationProxyResources: - -# web dashboard configuration -dashboard: - # -- Number of replicas of dashboard - replicas: 1 - # debug configuration debugContainer: image: 
@@ -322,42 +311,6 @@ profileValidator: #`global.proxy.resources` #publicAPIProxyResources: -# tap configuration -tap: - # -- Do not create a secret resource for the Tap component. If this is set to - # `true`, the value `tap.caBundle` must be set (see below). - externalSecret: false - # -- Certificate for the Tap component. If not provided then Helm will - # generate one. - crtPEM: | - - # -- Certificate key for Tap component. If not provided then Helm will - # generate one. - keyPEM: | - - # -- Bundle of CA certificates for Tap component. If not provided then Helm - # will use the certificate generated for `tap.crtPEM`. If - # `tap.externalSecret` is set to true, this value must be set, as no - # certificate will be generated. - caBundle: | - -# -|- CPU and Memory resources required by tap (see `global.proxy.resources` for -#sub-fields) -#tapResources: -# -|- CPU and Memory resources required by proxy injected into tap pod (see -#`global.proxy.resources` for sub-fields) -#tapProxyResources: - -# -- Docker image for the web container -webImage: ghcr.io/linkerd/web -# -<- CPU and Memory resources required by web UI (see `global.proxy.resources` -#for sub-fields) -#webResources: -# -|- CPU and Memory resources required by proxy injected into web UI pod (see -#`global.proxy.resources` for sub-fields) -#webProxyResources: - - # If the namespace is controlled by an external tool or can't be installed with Helm # you can disable its installation. In this case: # - The namespace created by the external tool must match the namespace value above 
@@ -378,88 +331,3 @@ nodeSelector: # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) # for more information #tolerations: - -# Configuration for Add-ons -# Full configuration fields https://github.com/linkerd/linkerd2/tree/master/charts/linkerd2#add-ons-configuration - -grafana: - enabled: true - # image: - # name: ghcr.io/linkerd/grafana - # tag: latest - # set resource requests and limits for grafana and its linkerd proxy respectively - # see global.proxy.resources in the linkerd2 chart for details. - # resources: - # proxy: - # resources: - -prometheus: - enabled: true - # image: prom/prometheus:v2.15.3 - # args: - # storage.tsdb.retention.time: 6h - # log.level: debug - # globalConfig: - # scrape_interval: 10s - # scrape_timeout: 10s - # scrapeConfigs: - # - job_name: 'kubernetes-nodes' - # scheme: https - # tls_config: - # ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - # kubernetes_sd_configs: - # - role: node - # relabel_configs: - # - action: labelmap - # regex: __meta_kubernetes_node_label_(.+) - # alertManagers: - # - scheme: http - # static_configs: - # - targets: - # - "alertmanager.linkerd.svc:9093" - # alertRelabelConfigs: - # - action: labeldrop - # regex: prometheus_replica - # ruleConfigMapMounts: - # - name: alerting-rules - # subPath: alerting_rules.yml - # configMap: linkerd-prometheus-rules - # - name: recording-rules - # subPath: recording_rules.yml - # configMap: linkerd-prometheus-rules - ### - ### Sidecar containers allow access to the prometheus data directory, - ### e.g. for exporting data to non-prometheus systems. 
- # sidecarContainers: - # - name: sidecar - # image: gcr.io/myproject/stackdriver-prometheus-sidecar - # imagePullPolicy: Always - # command: - # - /bin/sh - # - -c - # - | - # exec /bin/stackdriver-prometheus-sidecar \ - # --stackdriver.project-id=myproject \ - # --stackdriver.kubernetes.location=us-central1 \ - # --stackdriver.kubernetes.cluster-name=mycluster \ - # --prometheus.wal-directory=/data/wal \ - # --log.level=info - # volumeMounts: - # - mountPath: /data - # name: data - # ports: - # - name: foo - # containerPort: 9091 - # protocol: TCP - ### WARNING: persistence is experimental and has not been tested/vetted by the Linkerd team. - ### As such, please refer to https://linkerd.io/2/tasks/exporting-metrics/ for the recommended approach to metrics data retention. - # if enabled, creates a persistent volume claim for prometheus data - # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims - # persistence: - # storageClass: "" - # accessMode: ReadWriteOnce - # size: 8Gi - # resources: - # proxy: - # resources: diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 50c141f3f..a32063144 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -95,7 +95,7 @@ env: value: "true" {{ else if not .Values.global.proxy.disableIdentity -}} - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) {{ end -}} image: {{.Values.global.proxy.image.name}}:{{.Values.global.proxy.image.version}} imagePullPolicy: {{.Values.global.proxy.image.pullPolicy}} diff --git a/charts/partials/templates/_pull-secrets.tpl b/charts/partials/templates/_pull-secrets.tpl index bfe5098b8..0c9aa4f01 100644 --- a/charts/partials/templates/_pull-secrets.tpl +++ b/charts/partials/templates/_pull-secrets.tpl 
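Review bot: In the _proxy.tpl hunk, `LINKERD2_PROXY_TAP_SVC_NAME` becomes `linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, so the namespace segment of the identity is now a literal instead of `$(_l5d_ns)`. This value is presumably the client identity that every injected proxy accepts for tap, so the right to create service accounts in a namespace named `linkerd-viz` becomes as sensitive as the same right in the control-plane namespace. Tap would also stop authenticating if the extension is installed under any other namespace. I would state that above the entry, e.g. `{{- /* tap clients are authenticated as the linkerd-tap ServiceAccount in the linkerd-viz namespace; the namespace name is fixed here */}}`, or carry the namespace in a proxy value so it follows the actual install. The `env:` block starts before the hunk.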
@@ -1,6 +1,6 @@ -{{- define "partials.image-pull-secrets" -}} -{{- if .Values.global.imagePullSecrets }} +{{- define "partials.image-pull-secrets"}} +{{- if . }} imagePullSecrets: -{{ toYaml .Values.global.imagePullSecrets | indent 2 }} +{{ toYaml . | indent 2 }} {{- end }} {{- end -}} diff --git a/cli/Dockerfile-bin b/cli/Dockerfile-bin index dcbe21ce6..9da6add8e 100644 --- a/cli/Dockerfile-bin +++ b/cli/Dockerfile-bin @@ -16,6 +16,7 @@ COPY cli cli COPY charts charts COPY jaeger jaeger COPY multicluster multicluster +COPY viz viz COPY controller/k8s controller/k8s COPY controller/api controller/api @@ -28,6 +29,7 @@ RUN mkdir -p /out RUN go generate -mod=readonly ./pkg/charts/static RUN go generate -mod=readonly ./jaeger/static RUN go generate -mod=readonly ./multicluster/static +RUN go generate -mod=readonly ./viz/static # Cache builds without version info RUN CGO_ENABLED=0 GOOS=darwin go build -o /out/linkerd-darwin -tags prod -mod=readonly -ldflags "-s -w" ./cli diff --git a/cli/cmd/check.go b/cli/cmd/check.go index c4af28700..d3535730e 100644 --- a/cli/cmd/check.go +++ b/cli/cmd/check.go @@ -187,7 +187,6 @@ func configureAndRunChecks(ctx context.Context, wout io.Writer, werr io.Writer, checks = append(checks, healthcheck.LinkerdCNIPluginChecks) checks = append(checks, healthcheck.LinkerdHAChecks) - checks = append(checks, healthcheck.AddOnCategories...) } } diff --git a/cli/cmd/dashboard.go b/cli/cmd/dashboard.go index 6531412b9..eba313c12 100644 --- a/cli/cmd/dashboard.go +++ b/cli/cmd/dashboard.go @@ -94,7 +94,7 @@ func newCmdDashboard() *cobra.Command { portforward, err := k8s.NewPortForward( cmd.Context(), k8sAPI, - controlPlaneNamespace, + defaultLinkerdVizNamespace, webDeployment, options.host, options.port, diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 2399dfea8..093da472e 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go 
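Review bot: `partials.image-pull-secrets` in _pull-secrets.tpl now treats its argument as the secrets list itself (`{{- if . }}` and `{{ toYaml . | indent 2 }}`). A caller that still passes the chart root context would satisfy the `if` and render the whole context, values included, under `imagePullSecrets:`. The call sites shown in this diff are updated to `.Values.global.imagePullSecrets`, but includes in charts outside the visible hunks cannot be checked from here. Replacing the test with `{{- if kindIs "slice" . }}` would make a stale call render nothing. The opening `define` also drops its trailing `-`, which changes the whitespace emitted before `imagePullSecrets:` and is worth checking against the golden files.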
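Review bot: In the dashboard.go hunk, `k8s.NewPortForward` now receives `defaultLinkerdVizNamespace` where it used to receive `controlPlaneNamespace`. Judging by the name this is a fixed default, so `linkerd dashboard` would only look for `webDeployment` in that one namespace and could not reach a viz install placed elsewhere. If no override is planned in this commit, a comment on the argument such as `// assumes the viz extension is installed in its default namespace` would record the limitation. `newCmdDashboard` starts and ends outside the hunk, so an existing flag that covers this would not be visible here.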
@@ -26,10 +26,6 @@ import ( ) const ( - - // addOnChartsPath is where the linkerd2 add-ons will be present - addOnChartsPath = "add-ons" - configStage = "config" controlPlaneStage = "control-plane" @@ -64,12 +60,10 @@ var ( "templates/controller-rbac.yaml", "templates/destination-rbac.yaml", "templates/heartbeat-rbac.yaml", - "templates/web-rbac.yaml", "templates/serviceprofile-crd.yaml", "templates/trafficsplit-crd.yaml", "templates/proxy-injector-rbac.yaml", "templates/sp-validator-rbac.yaml", - "templates/tap-rbac.yaml", "templates/psp.yaml", } @@ -80,10 +74,8 @@ var ( "templates/controller.yaml", "templates/destination.yaml", "templates/heartbeat.yaml", - "templates/web.yaml", "templates/proxy-injector.yaml", "templates/sp-validator.yaml", - "templates/tap.yaml", } ignoreCluster bool @@ -312,42 +304,12 @@ func render(w io.Writer, values *l5dcharts.Values, stage string) error { {Name: chartutil.ChartfileName}, } - addOns, err := l5dcharts.ParseAddOnValues(values) - if err != nil { - return err - } - - // Initialize add-on sub-charts - addOnCharts := make(map[string]*charts.Chart) - for _, addOn := range addOns { - addOnCharts[addOn.Name()] = &charts.Chart{ - Name: addOn.Name(), - Dir: addOnChartsPath + "/" + addOn.Name(), - Namespace: controlPlaneNamespace, - RawValues: append(addOn.Values(), rawValues...), - Files: []*loader.BufferedFile{ - { - Name: chartutil.ChartfileName, - }, - { - Name: chartutil.ValuesfileName, - }, - }, - Fs: static.Templates, - } - } - if stage == "" || stage == configStage { for _, template := range templatesConfigStage { files = append(files, &loader.BufferedFile{Name: template}, ) } - - // Fill add-on's sub-charts with config templates - for _, addOn := range addOns { - addOnCharts[addOn.Name()].Files = append(addOnCharts[addOn.Name()].Files, addOn.ConfigStageTemplates()...) - } } if stage == "" || stage == controlPlaneStage { 
@@ -356,12 +318,6 @@ func render(w io.Writer, values *l5dcharts.Values, stage string) error { &loader.BufferedFile{Name: template}, ) } - - // Fill add-on's sub-charts with control-plane templates - for _, addOn := range addOns { - addOnCharts[addOn.Name()].Files = append(addOnCharts[addOn.Name()].Files, addOn.ControlPlaneStageTemplates()...) - } - } // TODO refactor to use l5dcharts.LoadChart() @@ -378,17 +334,6 @@ func render(w io.Writer, values *l5dcharts.Values, stage string) error { return err } - for _, addon := range addOns { - b, err := addOnCharts[addon.Name()].Render() - if err != nil { - return err - } - - if _, err := buf.WriteString(b.String()); err != nil { - return err - } - } - if stage == "" || stage == controlPlaneStage { overrides, err := renderOverrides(values, values.GetGlobal().Namespace) if err != nil { diff --git a/cli/cmd/install_addon_test.go b/cli/cmd/install_addon_test.go deleted file mode 100644 index e8f5e945f..000000000 --- a/cli/cmd/install_addon_test.go +++ /dev/null 
@@ -1,62 +0,0 @@ -package cmd - -import ( - "bytes" - "fmt" - "io/ioutil" - "path/filepath" - "testing" - - charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" - "sigs.k8s.io/yaml" -) - -func TestAddOnRender(t *testing.T) { - withExistingGrafanaValues, err := testInstallOptions() - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - data, err := ioutil.ReadFile(filepath.Join("testdata", "existing-grafana-config.yaml")) - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - err = yaml.Unmarshal(data, withExistingGrafanaValues) - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - addFakeTLSSecrets(withExistingGrafanaValues) - - withPrometheusAddOnOverwriteValues, err := testInstallOptions() - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - data, err = ioutil.ReadFile(filepath.Join("testdata", "prom-config.yaml")) - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - err = yaml.Unmarshal(data, withPrometheusAddOnOverwriteValues) - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - addFakeTLSSecrets(withPrometheusAddOnOverwriteValues) - - testCases := []struct { - values *charts.Values - goldenFileName string - }{ - - {withExistingGrafanaValues, "install_grafana_existing.golden"}, - {withPrometheusAddOnOverwriteValues, "install_prometheus_overwrite.golden"}, - } - - for i, tc := range testCases { - tc := tc // pin - t.Run(fmt.Sprintf("%d: %s", i, tc.goldenFileName), func(t *testing.T) { - var buf bytes.Buffer - if err := render(&buf, tc.values, ""); err != nil { - t.Fatalf("Failed to render templates: %v", err) - } - diffTestdata(t, tc.goldenFileName, buf.String()) - }) - } -} diff --git a/cli/cmd/install_helm_test.go b/cli/cmd/install_helm_test.go index ccf21ad53..32e6c2f63 100644 --- a/cli/cmd/install_helm_test.go +++ b/cli/cmd/install_helm_test.go 
@@ -6,12 +6,9 @@ import ( "path/filepath" "testing" - "github.com/linkerd/linkerd2/pkg/charts" l5dcharts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" - "github.com/linkerd/linkerd2/pkg/charts/static" "github.com/linkerd/linkerd2/pkg/k8s" "helm.sh/helm/v3/pkg/chart" - "helm.sh/helm/v3/pkg/chart/loader" "helm.sh/helm/v3/pkg/chartutil" "helm.sh/helm/v3/pkg/engine" "sigs.k8s.io/yaml" @@ -36,16 +33,6 @@ func TestRenderHelm(t *testing.T) { testRenderHelm(t, chartControlPlane, "install_helm_output_ha.golden") }) - t.Run("Non-HA with add-ons mode", func(t *testing.T) { - ha := false - additionalConfig := ` -tracing: - enabled: true -` - chartControlPlane := chartControlPlane(t, ha, additionalConfig, "111", "222") - testRenderHelm(t, chartControlPlane, "install_helm_output_addons.golden") - }) - t.Run("HA mode with podLabels and podAnnotations", func(t *testing.T) { ha := true additionalConfig := ` @@ -248,15 +235,6 @@ func chartControlPlane(t *testing.T, ha bool, additionalConfig string, ignoreOut linkerd2Chart.AddDependency(chartPartials) - addons, err := l5dcharts.ParseAddOnValues(values) - if err != nil { - t.Fatal("Unexpected error", err) - } - - for _, addon := range addons { - linkerd2Chart.AddDependency(buildAddOnChart(t, addon, chartPartials)) - } - for _, filepath := range append(templatesConfigStage, templatesControlPlaneStage...) { linkerd2Chart.Templates = append(linkerd2Chart.Templates, &chart.File{ Name: filepath, 
@@ -271,41 +249,6 @@ func chartControlPlane(t *testing.T, ha bool, additionalConfig string, ignoreOut return linkerd2Chart } -func buildAddOnChart(t *testing.T, addon l5dcharts.AddOn, chartPartials *chart.Chart) *chart.Chart { - rawValues := readValuesFile(t, filepath.Join("add-ons", addon.Name())) - - var values chartutil.Values - err := yaml.Unmarshal(rawValues, &values) - if err != nil { - t.Fatal("Unexpected error", err) - } - - addOnChart := chart.Chart{ - Metadata: &chart.Metadata{ - Name: addon.Name(), - Sources: []string{ - filepath.Join("..", "..", "..", "charts", "add-ons", addon.Name()), - }, - }, - Values: values, - } - - addOnChart.AddDependency(chartPartials) - - for _, filepath := range append(addon.ConfigStageTemplates(), addon.ControlPlaneStageTemplates()...) { - addOnChart.Templates = append(addOnChart.Templates, &chart.File{ - Name: filepath.Name, - }) - } - - for _, template := range addOnChart.Templates { - filepath := filepath.Join(addOnChart.Metadata.Sources[0], template.Name) - template.Data = []byte(readTestdata(t, filepath)) - } - - return &addOnChart -} - func chartPartials(t *testing.T, paths []string) *chart.Chart { var partialTemplates []*chart.File for _, path := range paths { @@ -346,17 +289,3 @@ func readTestValues(ha bool, ignoreOutboundPorts string, ignoreInboundPorts stri return values, nil } - -// readValues reads values.yaml file from the given path -func readValuesFile(t *testing.T, path string) []byte { - - valuesFiles := []*loader.BufferedFile{ - {Name: chartutil.ValuesfileName}, - } - - if err := charts.FilesReader(static.Templates, path+"/", valuesFiles); err != nil { - t.Fatal("Unexpected error", err) - } - - return valuesFiles[0].Data -} diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 10fa5dbd9..70dbb1312 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go 
@@ -30,17 +30,15 @@ func TestRender(t *testing.T) { // A configuration that shows that all config setting strings are honored // by `render()`. metaValues := &charts.Values{ - ControllerImage: "ControllerImage", - WebImage: "WebImage", - ControllerUID: 2103, - EnableH2Upgrade: true, - WebhookFailurePolicy: "WebhookFailurePolicy", - OmitWebhookSideEffects: false, - RestrictDashboardPrivileges: false, - InstallNamespace: true, - Identity: defaultValues.Identity, - NodeSelector: defaultValues.NodeSelector, - Tolerations: defaultValues.Tolerations, + ControllerImage: "ControllerImage", + ControllerUID: 2103, + EnableH2Upgrade: true, + WebhookFailurePolicy: "WebhookFailurePolicy", + OmitWebhookSideEffects: false, + InstallNamespace: true, + Identity: defaultValues.Identity, + NodeSelector: defaultValues.NodeSelector, + Tolerations: defaultValues.Tolerations, Global: &charts.Global{ Namespace: "Namespace", ClusterDomain: "cluster.local", @@ -126,15 +124,6 @@ func TestRender(t *testing.T) { ControllerReplicas: 1, ProxyInjector: defaultValues.ProxyInjector, ProfileValidator: defaultValues.ProfileValidator, - Tap: defaultValues.Tap, - Dashboard: &charts.Dashboard{ - Replicas: 1, - }, - Prometheus: charts.Prometheus{ - "enabled": true, - "image": "PrometheusImage", - }, - Grafana: defaultValues.Grafana, } haValues, err := testInstallOptionsHA(true) @@ -177,13 +166,6 @@ func TestRender(t *testing.T) { withHeartBeatDisabledValues.DisableHeartBeat = true addFakeTLSSecrets(withHeartBeatDisabledValues) - withRestrictedDashboardPrivilegesValues, err := testInstallOptions() - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - withRestrictedDashboardPrivilegesValues.RestrictDashboardPrivileges = true - addFakeTLSSecrets(withRestrictedDashboardPrivilegesValues) - withControlPlaneTracingValues, err := testInstallOptions() if err != nil { t.Fatalf("Unexpected error: %v\n", err) 
@@ -225,7 +207,6 @@ func TestRender(t *testing.T) { {cniEnabledValues, "install_no_init_container.golden"}, {withProxyIgnoresValues, "install_proxy_ignores.golden"}, {withHeartBeatDisabledValues, "install_heartbeat_disabled_output.golden"}, - {withRestrictedDashboardPrivilegesValues, "install_restricted_dashboard.golden"}, {withControlPlaneTracingValues, "install_controlplane_tracing_output.golden"}, {withCustomRegistryValues, "install_custom_registry.golden"}, {withCustomDestinationGetNetsValues, "install_default_override_dst_get_nets.golden"}, @@ -556,7 +537,4 @@ func addFakeTLSSecrets(values *charts.Values) { values.ProfileValidator.CrtPEM = "profile validator crt" values.ProfileValidator.KeyPEM = "profile validator key" values.ProfileValidator.CaBundle = "profile validator CA bundle" - values.Tap.CrtPEM = "tap crt" - values.Tap.KeyPEM = "tap key" - values.Tap.CaBundle = "tap CA bundle" } diff --git a/cli/cmd/options.go b/cli/cmd/options.go index bad985a5d..3b89e2d59 100644 --- a/cli/cmd/options.go +++ b/cli/cmd/options.go @@ -229,13 +229,6 @@ func makeAllStageFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) return nil }), - flag.NewBoolFlag(allStageFlags, "restrict-dashboard-privileges", defaults.RestrictDashboardPrivileges, - "Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check", - func(values *l5dcharts.Values, value bool) error { - values.RestrictDashboardPrivileges = value - return nil - }), - flag.NewStringFlag(allStageFlags, "config", "", "A path to a yaml configuration file. The fields in this file will override the values used to install or upgrade Linkerd.", func(values *l5dcharts.Values, value string) error { 
@@ -324,7 +317,6 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) { flag.NewStringFlag(proxyFlags, "registry", defaultDockerRegistry, "Docker registry to pull images from", func(values *l5dcharts.Values, value string) error { - values.WebImage = registryOverride(values.WebImage, value) values.ControllerImage = registryOverride(values.ControllerImage, value) values.DebugContainer.Image.Name = registryOverride(values.DebugContainer.Image.Name, value) values.GetGlobal().Proxy.Image.Name = registryOverride(values.GetGlobal().Proxy.Image.Name, value) diff --git a/cli/cmd/root.go b/cli/cmd/root.go index e69de604d..b3587e42b 100644 --- a/cli/cmd/root.go +++ b/cli/cmd/root.go @@ -12,6 +12,7 @@ import ( "github.com/linkerd/linkerd2/cli/flag" jaeger "github.com/linkerd/linkerd2/jaeger/cmd" multicluster "github.com/linkerd/linkerd2/multicluster/cmd" + viz "github.com/linkerd/linkerd2/viz/cmd" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" corev1 "k8s.io/api/core/v1" @@ -19,10 +20,11 @@ import ( ) const ( - defaultLinkerdNamespace = "linkerd" - defaultCNINamespace = "linkerd-cni" - defaultClusterDomain = "cluster.local" - defaultDockerRegistry = "ghcr.io/linkerd" + defaultLinkerdNamespace = "linkerd" + defaultCNINamespace = "linkerd-cni" + defaultLinkerdVizNamespace = "linkerd-viz" + defaultClusterDomain = "cluster.local" + defaultDockerRegistry = "ghcr.io/linkerd" jsonOutput = "json" tableOutput = "table" @@ -132,6 +134,7 @@ func init() { // Extension Sub Commands RootCmd.AddCommand(jaeger.NewCmdJaeger()) RootCmd.AddCommand(multicluster.NewCmdMulticluster()) + RootCmd.AddCommand(viz.NewCmdViz()) } type statOptionsBase struct { diff --git a/cli/cmd/testdata/grafana_disabled.yaml b/cli/cmd/testdata/grafana_disabled.yaml deleted file mode 100644 index 6650ddbd3..000000000 --- a/cli/cmd/testdata/grafana_disabled.yaml +++ /dev/null @@ -1,2 +0,0 @@ -grafana: - enabled: false 
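Review bot: `defaultLinkerdVizNamespace` is added to the const block in cli/cmd/root.go without a comment, and none of the root.go hunks shows a use of it. The injected-proxy fixtures in this same commit carry the same `linkerd-viz` string as a literal inside `LINKERD2_PROXY_TAP_SVC_NAME`, so two spellings of one namespace can drift apart without any compile error. I would document the coupling on the constant, e.g. `// defaultLinkerdVizNamespace is the namespace the viz extension is expected in; keep it in step with the namespace in the proxy's tap identity name.` If package cmd has no caller for it yet, leaving it out until one exists avoids a dead default. The const block and `init()` both continue outside these hunks.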
diff --git a/cli/cmd/testdata/grafana_enabled.yaml b/cli/cmd/testdata/grafana_enabled.yaml
deleted file mode 100644
index 4b0b000fc..000000000
--- a/cli/cmd/testdata/grafana_enabled.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-grafana:
- enabled: true
diff --git a/cli/cmd/testdata/grafana_enabled_resources.yaml b/cli/cmd/testdata/grafana_enabled_resources.yaml
deleted file mode 100644
index cc83c68f6..000000000
--- a/cli/cmd/testdata/grafana_enabled_resources.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-grafana:
- enabled: true
- resources:
- cpu:
- limit: "1"
- request: 100m
- memory:
- limit: 250Mi
- request: 50Mi
diff --git a/cli/cmd/testdata/grafana_overwrite.yaml b/cli/cmd/testdata/grafana_overwrite.yaml
deleted file mode 100644
index 407020760..000000000
--- a/cli/cmd/testdata/grafana_overwrite.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-grafana:
- enabled: true
- image:
- name: linkerd-image-overwrite
- tag: image-tag-overwrite
diff --git a/cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml b/cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml
index 4b03619fa..2a10b2888 100644
--- a/cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml
+++ b/cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml
@@ -97,7 +97,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:install-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml b/cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml
index 664b3dd60..d041d5007 100644
--- a/cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml
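Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value in injected_nginx.yaml pins the namespace part of the tap identity to the literal `linkerd-viz`, while the rest of the name is still built from `$(_l5d_ns)` and `$(_l5d_trustdomain)`. If, as the variable name suggests, the proxy uses this name to decide which client may open a tap stream, a viz extension installed into any other namespace will be refused. On clusters without the extension, every injected proxy still trusts a `linkerd-tap` service account in a namespace that may not exist yet. I would have the template that renders this line (outside this chunk) take the namespace from a value, add a fixture that renders a non-default namespace, and until then keep creation of a `linkerd-viz` namespace limited to cluster administrators. The same one-line replacement is made in every other `injected_*` and `inject_*` fixture hunk that follows.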
+++ b/cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml
@@ -97,7 +97,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:install-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -266,7 +266,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:install-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml b/cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml
index b5bc2a89c..4a840b0c0 100644
--- a/cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml
+++ b/cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml
@@ -97,7 +97,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:install-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_contour.golden.yml b/cli/cmd/testdata/inject_contour.golden.yml
index dbb768525..d6d13c698 100644
--- a/cli/cmd/testdata/inject_contour.golden.yml
+++ b/cli/cmd/testdata/inject_contour.golden.yml
@@ -126,7 +126,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml b/cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml
index 5011e9754..f90fc8d21 100644
--- a/cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml
@@ -108,7 +108,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -288,7 +288,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -468,7 +468,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -648,7 +648,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment.golden.yml
index 32037186a..f8384b4bd 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment.golden.yml
@@ -108,7 +108,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_capabilities.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_capabilities.golden.yml
index 6e14fed9d..0aa30b223 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_capabilities.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_capabilities.golden.yml
@@ -116,7 +116,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml
index 9f36adfd2..bec78d5f8 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml
@@ -108,7 +108,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -288,7 +288,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml
index e30e13cac..683d57dab 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml
@@ -113,7 +113,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml
index e7ba46967..ec7f28235 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml
@@ -108,7 +108,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml
index 9e3a05843..21cd8c3f4 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml
@@ -109,7 +109,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml
index 46214ee86..04557fa3c 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml
@@ -108,7 +108,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml
index 59aa8b11e..526e5bba7 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml
@@ -109,7 +109,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_proxyignores.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_proxyignores.golden.yml
index 204f038bb..e3a7f14ca 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_proxyignores.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_proxyignores.golden.yml
@@ -110,7 +110,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml b/cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml
index 988b8de2a..931983c6f 100644
--- a/cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml
@@ -110,7 +110,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_list.golden.yml b/cli/cmd/testdata/inject_emojivoto_list.golden.yml
index 9e0598198..4706f8f12 100644
--- a/cli/cmd/testdata/inject_emojivoto_list.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_list.golden.yml
@@ -110,7 +110,7 @@ items:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -284,7 +284,7 @@ items:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml b/cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml
index e28a92f38..1d8a01fd8 100644
--- a/cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml
@@ -110,7 +110,7 @@ items:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -284,7 +284,7 @@ items:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_pod.golden.yml b/cli/cmd/testdata/inject_emojivoto_pod.golden.yml
index 2f57d20b5..0b977c8a2 100644
--- a/cli/cmd/testdata/inject_emojivoto_pod.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_pod.golden.yml
@@ -93,7 +93,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_pod_proxyignores.golden.yml b/cli/cmd/testdata/inject_emojivoto_pod_proxyignores.golden.yml
index f23130d60..0c321a1fc 100644
--- a/cli/cmd/testdata/inject_emojivoto_pod_proxyignores.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_pod_proxyignores.golden.yml
@@ -95,7 +95,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml b/cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml
index 89cb67479..2bb69715a 100644
--- a/cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml
@@ -97,7 +97,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml b/cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml
index 4e104cf2f..5c2bc0a1d 100644
--- a/cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml
+++ b/cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml
@@ -109,7 +109,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:test-inject-proxy-version
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_gettest_deployment.good.golden.yml b/cli/cmd/testdata/inject_gettest_deployment.good.golden.yml
index bac088b41..f5a166cda 100644
--- a/cli/cmd/testdata/inject_gettest_deployment.good.golden.yml
+++ b/cli/cmd/testdata/inject_gettest_deployment.good.golden.yml
@@ -110,7 +110,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:testinjectversion
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -292,7 +292,7 @@ spec:
 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
 value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 - name: LINKERD2_PROXY_TAP_SVC_NAME
- value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
 image: ghcr.io/linkerd/proxy:testinjectversion
 imagePullPolicy: IfNotPresent
 livenessProbe:
diff --git a/cli/cmd/testdata/inject_tap_deployment_debug.golden.yml b/cli/cmd/testdata/inject_tap_deployment_debug.golden.yml
index 366f87755..d0c28e6fb 100644
--- a/cli/cmd/testdata/inject_tap_deployment_debug.golden.yml
+++ b/cli/cmd/testdata/inject_tap_deployment_debug.golden.yml
@@ -161,7 +161,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-inject-proxy-version imagePullPolicy: IfNotPresent livenessProbe: diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index f58e027b5..40264a1e7 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -908,8 +658,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -949,8 +697,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -965,19 +711,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- ### @@ -1178,7 +914,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1317,7 +1053,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 - -trace-collector=collector.linkerd-jaeger.svc.cluster.local:55678 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent 
@@ -1412,7 +1148,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1664,7 +1400,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1778,245 +1514,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - - -trace-collector=collector.linkerd-jaeger.svc.cluster.local:55678 - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2156,7 +1658,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2410,7 +1912,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2485,1000 +1987,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - - -trace-collector=collector.linkerd-jaeger.svc.cluster.local:55678 - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - 
name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - 
linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd 
-spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - 
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: 
linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - 
path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: 
https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - 
source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: 
- annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: 
linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - 
runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index 628614491..9b75d1dd7 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: my.custom.registry/linkerd-io/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: my.custom.registry/linkerd-io/debug 
@@ -908,8 +658,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -949,8 +697,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -965,19 +711,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: my.custom.registry/linkerd-io/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- ### @@ -1177,7 +913,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: my.custom.registry/linkerd-io/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1316,7 +1052,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: my.custom.registry/linkerd-io/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: 
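Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value pins the namespace segment to the literal `linkerd-viz` (`linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`) where it used to follow `$(_l5d_ns)`; the same substitution recurs in the hunks at -1410, -1661, -2152 and -2406. Going by the layout of `LINKERD2_PROXY_IDENTITY_LOCAL_NAME` elsewhere in this golden file, that segment is the peer's namespace, so every injected proxy will expect its tap peer to be a `linkerd-tap` service account in a namespace of exactly that name, whether or not the viz extension is installed there. If the extension can be installed under another namespace, tap presumably stops authenticating. On a core-only cluster the namespace is not reserved by this manifest, so access to create it and its service accounts should be restricted. I would render the segment from a chart value for the viz namespace and add a template comment such as `# must equal the namespace the viz extension runs in; proxies trust this identity for tap`.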
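Review bot: `-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090` makes the core controller (and the heartbeat job in the hunk at -1775) depend on a service that this manifest no longer creates. On an install without the extension the name will not resolve, and the namespace is again a literal rather than a value. Consider omitting the flag when no Prometheus is configured, or rendering the address from a value. The URL is plain `http`, so it presumably relies on both ends being meshed for transport security, and a template comment saying so would help, e.g. `# plain http: assumes the Prometheus pod in the viz namespace is meshed`.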
@@ -1410,7 +1146,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: my.custom.registry/linkerd-io/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1661,7 +1397,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: my.custom.registry/linkerd-io/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1775,244 +1511,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: my.custom.registry/linkerd-io/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: my.custom.registry/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: my.custom.registry/linkerd-io/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2152,7 +1655,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: my.custom.registry/linkerd-io/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2406,7 +1909,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: my.custom.registry/linkerd-io/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2481,999 +1984,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: my.custom.registry/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - 
containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: my.custom.registry/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: my.custom.registry/linkerd-io/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: 
linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - 
namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - 
value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: 
linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: my.custom.registry/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: my.custom.registry/linkerd-io/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: 
provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - 
__meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - 
__meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: 
prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - 
name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: 
/var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: my.custom.registry/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: my.custom.registry/linkerd-io/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 54786f9cf..f72a84365 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -908,8 +658,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -949,8 +697,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -965,19 +711,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- ### @@ -1177,7 +913,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1316,7 +1052,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: 
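Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value in the `-1177` hunk pins the tap identity to a literal namespace, `linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, where the old value derived that segment from `$(_l5d_ns)`. If the proxy uses this name as the only client identity allowed to tap it (the variable name suggests so, but the proxy code is not on this page), every control-plane proxy now trusts whichever ServiceAccount is called `linkerd-tap` in a namespace named `linkerd-viz`, whether or not the viz extension owns that namespace. Tap would also stop working when the extension is installed under another namespace name. The same literal appears in the `-1410`, `-1661`, `-2152` and `-2406` hunks, and in the `-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090` arguments of the `-1316` and `-1775` hunks. This file looks like rendered install output, so the fix belongs in the template that emits these values: take the extension namespace from a chart value instead of the literal, and add a comment there that the namespace name is part of the tap trust decision.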
@@ -1410,7 +1146,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1661,7 +1397,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1775,244 +1511,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2152,7 +1655,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2406,7 +1909,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2481,999 +1984,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 
9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - 
linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd 
-spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - 
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: 
linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - 
path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: 
https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - 
source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: 
- annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: 
linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - 
runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 2dbc8dfb4..1762eae56 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -908,8 +658,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -949,8 +697,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -965,19 +711,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- ### @@ -1177,7 +913,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1316,7 +1052,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: 
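Review bot: The added `LINKERD2_PROXY_TAP_SVC_NAME` value in the -1177 hunk pins the namespace segment to the literal `linkerd-viz`, while the `LINKERD2_PROXY_DESTINATION_SVC_NAME` line just above it still derives its namespace from `$(_l5d_ns)`. If the proxy uses this name to decide which client identity may open tap streams (presumably; the proxy code is not part of this diff), the core control plane now trusts a service account in a namespace that this manifest no longer creates, and a viz install under any other namespace name would not match. I would render the segment from a configurable value, e.g. `value: linkerd-tap.<VIZ_NAMESPACE_PLACEHOLDER>.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, and document that creating the `linkerd-viz` namespace and a `linkerd-tap` service account in it should be restricted to cluster admins even when the extension is not installed. The same literal recurs in the -1410, -1661, -2152 and -2406 hunks, and the `-prometheus-url` arguments in -1316 and -1775 embed the same namespace; the container spec these lines belong to starts and ends outside each hunk.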
@@ -1410,7 +1146,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1661,7 +1397,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1775,244 +1511,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2152,7 +1655,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2406,7 +1909,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2481,999 +1984,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 
9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - 
linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd 
-spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: 
LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: 
linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - 
path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: 
https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - 
source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: 
- annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: 
linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - 
runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_grafana_existing.golden b/cli/cmd/testdata/install_grafana_existing.golden index b8bf4a4f5..2b35e3f9b 100644 --- a/cli/cmd/testdata/install_grafana_existing.golden +++ b/cli/cmd/testdata/install_grafana_existing.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -756,21 +520,12 @@ roleRef: name: linkerd-psp apiGroup: rbac.authorization.k8s.io subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd @@ -778,10 +533,7 @@ subjects: name: linkerd-sp-validator namespace: linkerd - kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web + name: linkerd-heartbeat namespace: linkerd --- kind: ConfigMap 
@@ -799,8 +551,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug @@ -933,6 +683,7 @@ data: identityProxyResources: null identityResources: null installNamespace: true + linkerdVizNamespace: linkerd-viz nodeSelector: beta.kubernetes.io/os: linux omitWebhookSideEffects: false @@ -946,8 +697,7 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true + prometheus: null proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -965,14 +715,9 @@ data: restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false tapProxyResources: null tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web webProxyResources: null webResources: null webhookFailurePolicy: Ignore @@ -1174,7 +919,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
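Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value in the `@@ -1174,7 +919,7 @@` hunk pins the namespace segment to the literal `linkerd-viz`, so the core proxies are configured with the tap identity of a `linkerd-tap` service account in a namespace that, as far as this golden shows, the core install no longer creates or owns. If that variable is what the proxy uses to decide which client may tap it (it appears to be), the name is unclaimed on a cluster without the viz extension, and tap would presumably be refused when viz is installed under another namespace. The golden only covers the default, so I would add a fixture rendered with a non-default `linkerdVizNamespace` and confirm the line becomes `value: linkerd-tap.<viz-namespace>.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`. I would also document next to `linkerdVizNamespace` that the `linkerd-viz` namespace should be reserved for the extension. The env list belongs to a Deployment whose spec starts outside the hunk.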
@@ -1250,236 +995,6 @@ spec: name: linkerd-identity-end-entity --- ### -### Controller -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-controller-api - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: controller - ports: - - name: http - port: 8085 - targetPort: 8085 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - name: linkerd-controller - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - public-api - - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - - -controller-namespace=linkerd - - -log-level=info - - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: public-api - ports: - - containerPort: 8085 - 
name: http - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - 
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 
"4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-controller - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Destination Controller Service ### --- @@ -1658,7 +1173,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1772,244 +1287,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=somegrafana.xyz - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2149,7 +1431,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2403,7 +1685,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2479,98 +1761,90 @@ spec: name: linkerd-identity-end-entity --- ### -### Tap +### Controller ### --- kind: Service apiVersion: v1 metadata: - name: linkerd-tap + name: linkerd-controller-api namespace: linkerd labels: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli dev-undefined spec: type: ClusterIP selector: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver + - name: http + port: 8085 + targetPort: 8085 --- -kind: Deployment apiVersion: apps/v1 +kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli dev-undefined labels: - app.kubernetes.io/name: tap + app.kubernetes.io/name: controller app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd - name: linkerd-tap + name: linkerd-controller namespace: linkerd spec: replicas: 1 selector: matchLabels: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap + linkerd.io/proxy-deployment: linkerd-controller template: metadata: annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version labels: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap + linkerd.io/proxy-deployment: linkerd-controller spec: nodeSelector: beta.kubernetes.io/os: 
linux containers: - args: - - tap + - public-api + - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - -controller-namespace=linkerd - -log-level=info - - -identity-trust-domain=cluster.local + - -cluster-domain=cluster.local + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping - port: 9998 + port: 9995 initialDelaySeconds: 10 - name: tap + name: public-api ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 + - containerPort: 8085 + name: http + - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready - port: 9998 + port: 9995 securityContext: runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" @@ -2644,7 +1918,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2708,450 +1982,17 @@ spec: volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap + serviceAccountName: linkerd-controller volumes: - emptyDir: {} name: linkerd-proxy-init-xtables-lock - emptyDir: medium: Memory name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: 
['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - 
__meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - 
selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: 
LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: 
LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - 
securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity --- apiVersion: v1 data: - linkerd-config-overrides: ZGVidWdDb250YWluZXI6CiAgaW1hZ2U6CiAgICB2ZXJzaW9uOiBpbnN0YWxsLWRlYnVnLXZlcnNpb24KZ2xvYmFsOgogIGNvbnRyb2xsZXJJbWFnZVZlcnNpb246IGluc3RhbGwtY29udHJvbC1wbGFuZS12ZXJzaW9uCiAgZ3JhZmFuYVVybDogc29tZWdyYWZhbmEueHl6CiAgaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAgIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogICAgTUlJQndUQ0NBV2FnQXdJQkFnSVFlRFpwNWxEYUl5Z1E1VWZNS1pyRkFUQUtCZ2dxaGtqT1BRUURBakFwTVNjdwogICAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogICAgTURjeE1qUTNXaGNOTXpBd09ESTJNRGN4TWpRM1dqQXBNU2N3SlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1cgogICAgWlhKa0xtTnNkWE4wWlhJdWJHOWpZV3d3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVJxYzcwWgogICAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogICAgdWFHNFdXc2l3SktObjdtZ28zQXdiakFPQmdOVkhROEJBZjhFQkFNQ0FRWXdFZ1lEVlIwVEFRSC9CQWd3QmdFQgogICAgL3dJQkFUQWRCZ05WSFE0RUZnUVU1WXRqVlZQZmQ3STdOTEhzbjJDMjZFQnlHVjB3S1FZRFZSMFJCQ0l3SUlJZQogICAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogICAgSVFDTjdsQkZMRER2ang2VjArWGtqcEtFUlJzSllmNWFkTXZubG9GbDQ4aWxKZ0loQU50eGhuZGNyK1FKUHVDOAogICAgdmdVQzBkMi85Rk11ZUlWTWIrNDZXVENPanNxcgogICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogIHByb3h5OgogICAgaW1hZ2U6CiAgICAgIHZlcnNpb246IGluc3RhbGwtcHJveHktdmVyc2lvbgpncmFmYW5hOgogIGVuYWJsZWQ6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRl
bnRpdHk6CiAgaXNzdWVyOgogICAgY3J0RXhwaXJ5OiAiMjAzMC0wOC0yNlQwNzoxMzo0N1oiCiAgICB0bHM6CiAgICAgIGNydFBFTTogfAogICAgICAgIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogICAgICAgIE1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KICAgICAgICBNQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1YTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUI0WERUSXdNRGd5CiAgICAgICAgT0RBM01UTTBOMW9YRFRNd01EZ3lOakEzTVRNME4xb3dLVEVuTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdQogICAgICAgIGEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKICAgICAgICBmY1JuRGNlZEw2QWpVYVhZUHY0RElNQmFKdWZPSTVOV3R5K1hTWDdKalhnWnRNNzJkUXZSYVlhbnV4RDM2RHQxCiAgICAgICAgMi9KeHlpU2d4S1dSZG9heSthTndNRzR3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQgogICAgICAgIEFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKICAgICAgICBIbWxrWlc1MGFYUjVMbXhwYm10bGNtUXVZMngxYzNSbGNpNXNiMk5oYkRBS0JnZ3Foa2pPUFFRREFnTkhBREJFCiAgICAgICAgQWlBdHVvSTVYdUN0ckdWUnpTbVJUbDJyYTI4YVY5TXlUVTdkNXFuVEFGSEtTZ0lnUktDdmx1T1NnQTVPMjFwNQogICAgICAgIDUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KICAgICAgICAtLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCiAgICAgIGtleVBFTTogfAogICAgICAgIC0tLS0tQkVHSU4gRUMgUFJJVkFURSBLRVktLS0tLQogICAgICAgIE1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKICAgICAgICBBd0VIb1VRRFFnQUUxL0ZwZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyCiAgICAgICAgZFF2UmFZYW51eEQzNkR0MTIvSnh5aVNneEtXUmRvYXkrUT09CiAgICAgICAgLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQpwcm9maWxlVmFsaWRhdG9yOgogIGNhQnVuZGxlOiBwcm9maWxlIHZhbGlkYXRvciBDQSBidW5kbGUKICBjcnRQRU06IHByb2ZpbGUgdmFsaWRhdG9yIGNydAogIGtleVBFTTogcHJvZmlsZSB2YWxpZGF0b3Iga2V5CnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGNydFBFTTogcHJveHkgaW5qZWN0b3IgY3J0CiAga2V5UEVNOiBwcm94eSBpbmplY3RvciBrZXkKdGFwOgogIGNhQnVuZGxlOiB0YXAgQ0EgYnVuZGxlCiAgY3J0UEVNOiB0YXAgY3J0CiAga2V5UEVNOiB0YXAga2V5Cg== + linkerd-config-overrides: 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 kind: Secret 
metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index f736189e7..a537c7a74 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 3 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -914,15 +664,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 1024Mi - request: 50Mi heartbeatResources: cpu: limit: "" @@ -974,15 +715,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true - resources: - cpu: - limit: "" - request: 300m - memory: - limit: 8192Mi - request: 300Mi proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -1009,7 +741,6 @@ data: memory: limit: 250Mi request: 50Mi - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: cpu: @@ -1018,28 +749,7 @@ data: memory: limit: 250Mi request: 50Mi - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi webhookFailurePolicy: Fail --- ### @@ -1268,7 +978,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
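Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value in the hunk at -1268 hard-codes the namespace segment as `linkerd-viz`, while the rest of the identity is still built from `$(_l5d_ns)` and `$(_l5d_trustdomain)`. If the proxy uses this name to decide which client identity may open a tap stream (inferred, the proxy code is not shown), every core install trusts a `linkerd-tap` service account in a namespace called `linkerd-viz` whether or not the viz extension is installed there, and a viz install under any other namespace would not match. The template behind this golden output should render the namespace from a value, along the lines of `value: linkerd-tap.<VIZ_NAMESPACE placeholder>.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`. The install docs should also say that the namespace is then security-sensitive and that rights to create service accounts in it need restricting. The same rendered line recurs in the hunks at -1535, -1820, -2362 and -2650.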
@@ -1435,7 +1145,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1535,7 +1245,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1820,7 +1530,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1939,7 +1649,7 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" resources: limits: memory: "250Mi" 
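Review bot: Both `-prometheus-url` arguments (the controller hunk at -1435 and the heartbeat hunk at -1939) now point at `http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090`, a service in a namespace that this manifest no longer creates. With only the core control plane installed, these components would query a name that may not resolve. Any workload that later owns that service name in a `linkerd-viz` namespace would become the control plane's metrics source over plain HTTP; whether the sidecar's mTLS covers this hop cannot be confirmed from the hunk. I would render the URL from a value that is empty when viz is absent, e.g. `- -prometheus-url=<PROMETHEUS_URL placeholder>`, and add a template comment such as `# depends on the viz extension namespace; leave unset for core-only installs`.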
@@ -1950,250 +1660,6 @@ spec: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - 
name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2362,7 +1828,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2650,7 +2116,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2730,1053 +2196,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 3 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - strategy: - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: failure-domain.beta.kubernetes.io/zone - weight: 100 - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - 
key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: kubernetes.io/hostname - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 
-metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - 
linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - limits: - memory: "1024Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - 
value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: 
$(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - 
volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' 
- kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - 
__meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli 
dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - limits: - memory: "8192Mi" - requests: - cpu: "300m" - memory: "300Mi" - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - 
subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - 
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - 
"25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 4867e54c9..efa561a9f 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 2 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -914,15 +664,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 1024Mi - request: 50Mi heartbeatResources: cpu: limit: "" @@ -974,15 +715,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true - resources: - cpu: - limit: "" - request: 300m - memory: - limit: 8192Mi - request: 300Mi proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -1009,7 +741,6 @@ data: memory: limit: 250Mi request: 50Mi - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: cpu: @@ -1018,28 +749,7 @@ data: memory: limit: 250Mi request: 50Mi - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi webhookFailurePolicy: Fail --- ### @@ -1268,7 +978,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
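Review bot: In the `@@ -1268,7 +978,7` hunk the new `LINKERD2_PROXY_TAP_SVC_NAME` value pins the tap identity to the literal namespace `linkerd-viz` (`linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`), while the rest of the name is still built from `$(_l5d_ns)`. The same literal appears in the `@@ -1535`, `@@ -1820`, `@@ -2362` and `@@ -2650` hunks and in the `-prometheus-url` arguments of `@@ -1435` and `@@ -1939`. If, as the variable name suggests, the proxy uses this name to decide which client identity may tap it, then every injected proxy trusts a ServiceAccount in a namespace this core install no longer creates; who may create `linkerd-viz/linkerd-tap` then becomes part of the control plane's trust boundary, and a viz install under a different namespace would be refused. I would have the template (not visible in this golden file) render the namespace from a setting, e.g. `linkerd-tap.<viz-namespace-setting>.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, and add a comment there stating that the value must match the namespace the tap ServiceAccount is installed in.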
@@ -1435,7 +1145,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1535,7 +1245,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1820,7 +1530,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1939,7 +1649,7 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" resources: limits: memory: "250Mi" 
@@ -1950,250 +1660,6 @@ spec: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - 
name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "400m" - memory: "300Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2362,7 +1828,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2650,7 +2116,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2730,1053 +2196,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 2 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - strategy: - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: failure-domain.beta.kubernetes.io/zone - weight: 100 - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - 
key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: kubernetes.io/hostname - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "400m" - memory: "300Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 
-metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - 
linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - limits: - memory: "1024Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - 
value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: 
$(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "400m" - memory: "300Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - 
volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' 
- kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - 
__meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli 
dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - limits: - memory: "8192Mi" - requests: - cpu: "300m" - memory: "300Mi" - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - 
subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - 
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "400m" - memory: "300Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - 
"25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: Y29udHJvbGxlclJlcGxpY2FzOiAyCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgdmVyc2lvbjogaW5zdGFsbC1kZWJ1Zy12ZXJzaW9uCmRlc3RpbmF0aW9uUmVzb3VyY2VzOgogIGNwdToKICAgIGxpbWl0OiAiIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQplbmFibGVQb2RBbnRpQWZmaW5pdHk6IHRydWUKZ2xvYmFsOgogIGNvbnRyb2xsZXJJbWFnZVZlcnNpb246IGluc3RhbGwtY29udHJvbC1wbGFuZS12ZXJzaW9uCiAgaGlnaEF2YWlsYWJpbGl0eTogdHJ1ZQogIGlkZW50aXR5VHJ1c3RBbmNob3JzUEVNOiB8CiAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgIE1JSUJ3VENDQVdhZ0F3SUJBZ0lRZURacDVsRGFJeWdRNVVmTUtackZBVEFLQmdncWhrak9QUVFEQWpBcE1TY3cKICAgIEpRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXJaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dIaGNOTWpBd09ESTQKICAgIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICAgIFpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFScWM3MFoKICAgIGwxdmd3NzlyakI1dVNJVElDVUE2R3lmdlNGZmN1SWlzN0IvWEZTa2t3QUhVNVMvczFBQVArUjBUWDdIQldVQzQKICAgIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAgIC93SUJBVEFkQmdOVkhRNEVGZ1FVNVl0alZWUGZkN0k3TkxIc24yQzI2RUJ5R1Ywd0tRWURWUjBSQkNJd0lJSWUKI
CAgIGFXUmxiblJwZEhrdWJHbHVhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUMKICAgIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICAgIHZnVUMwZDIvOUZNdWVJVk1iKzQ2V1RDT2pzcXIKICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICBpbWFnZVB1bGxTZWNyZXRzOiBudWxsCiAgcHJveHk6CiAgICBpbWFnZToKICAgICAgdmVyc2lvbjogaW5zdGFsbC1wcm94eS12ZXJzaW9uCiAgICByZXNvdXJjZXM6CiAgICAgIGNwdToKICAgICAgICByZXF1ZXN0OiA0MDBtCiAgICAgIG1lbW9yeToKICAgICAgICBsaW1pdDogMjUwTWkKICAgICAgICByZXF1ZXN0OiAzMDBNaQpncmFmYW5hOgogIHJlc291cmNlczoKICAgIGNwdToKICAgICAgbGltaXQ6ICIiCiAgICAgIHJlcXVlc3Q6IDEwMG0KICAgIG1lbW9yeToKICAgICAgbGltaXQ6IDEwMjRNaQogICAgICByZXF1ZXN0OiA1ME1pCmhlYXJ0YmVhdFJlc291cmNlczoKICBjcHU6CiAgICBsaW1pdDogIiIKICAgIHJlcXVlc3Q6IDEwMG0KICBtZW1vcnk6CiAgICBsaW1pdDogMjUwTWkKICAgIHJlcXVlc3Q6IDUwTWkKaGVhcnRiZWF0U2NoZWR1bGU6IDEgMiAzIDQgNQppZGVudGl0eToKICBpc3N1ZXI6CiAgICBjcnRFeHBpcnk6ICIyMDMwLTA4LTI2VDA3OjEzOjQ3WiIKICAgIHRsczoKICAgICAgY3J0UEVNOiB8CiAgICAgICAgLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgICAgICAgTUlJQndEQ0NBV2VnQXdJQkFnSVJBSlJJZ1o4UnRPOEV3ZzFYZXBmOFQ0NHdDZ1lJS29aSXpqMEVBd0l3S1RFbgogICAgICAgIE1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHVhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNQjRYRFRJd01EZ3kKICAgICAgICBPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CiAgICAgICAgYTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMS9GcAogICAgICAgIGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MmRRdlJhWWFudXhEMzZEdDEKICAgICAgICAyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCiAgICAgICAgQWY4Q0FRQXdIUVlEVlIwT0JCWUVGSTFXbnJxTVlLYUhIT28renB5aWlEcTJwTzBLTUNrR0ExVWRFUVFpTUNDQwogICAgICAgIEhtbGtaVzUwYVhSNUxteHBibXRsY21RdVkyeDFjM1JsY2k1c2IyTmhiREFLQmdncWhrak9QUVFEQWdOSEFEQkUKICAgICAgICBBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CiAgICAgICAgNTF0ZHJta0hFWlJyMHFsTFNKZEhZZ0VmTXprPQogICAgICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICAgICAga2V5UEVNO
iB8CiAgICAgICAgLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCiAgICAgICAgTUhjQ0FRRUVJQUFlOG5mYnpadTljL09CMis4eEpNMEZ6N05Vd1RRYXp1bGtGTnM0VEk1K29Bb0dDQ3FHU000OQogICAgICAgIEF3RUhvVVFEUWdBRTEvRnBmY1JuRGNlZEw2QWpVYVhZUHY0RElNQmFKdWZPSTVOV3R5K1hTWDdKalhnWnRNNzIKICAgICAgICBkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KICAgICAgICAtLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCmlkZW50aXR5UmVzb3VyY2VzOgogIGNwdToKICAgIGxpbWl0OiAiIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogMTBNaQpwcm9maWxlVmFsaWRhdG9yOgogIGNhQnVuZGxlOiBwcm9maWxlIHZhbGlkYXRvciBDQSBidW5kbGUKICBjcnRQRU06IHByb2ZpbGUgdmFsaWRhdG9yIGNydAogIGtleVBFTTogcHJvZmlsZSB2YWxpZGF0b3Iga2V5CnByb21ldGhldXM6CiAgcmVzb3VyY2VzOgogICAgY3B1OgogICAgICBsaW1pdDogIiIKICAgICAgcmVxdWVzdDogMzAwbQogICAgbWVtb3J5OgogICAgICBsaW1pdDogODE5Mk1pCiAgICAgIHJlcXVlc3Q6IDMwME1pCnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGNydFBFTTogcHJveHkgaW5qZWN0b3IgY3J0CiAga2V5UEVNOiBwcm94eSBpbmplY3RvciBrZXkKcHJveHlJbmplY3RvclJlc291cmNlczoKICBjcHU6CiAgICBsaW1pdDogIiIKICAgIHJlcXVlc3Q6IDEwMG0KICBtZW1vcnk6CiAgICBsaW1pdDogMjUwTWkKICAgIHJlcXVlc3Q6IDUwTWkKcHVibGljQVBJUmVzb3VyY2VzOgogIGNwdToKICAgIGxpbWl0OiAiIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQpzcFZhbGlkYXRvclJlc291cmNlczoKICBjcHU6CiAgICBsaW1pdDogIiIKICAgIHJlcXVlc3Q6IDEwMG0KICBtZW1vcnk6CiAgICBsaW1pdDogMjUwTWkKICAgIHJlcXVlc3Q6IDUwTWkKdGFwOgogIGNhQnVuZGxlOiB0YXAgQ0EgYnVuZGxlCiAgY3J0UEVNOiB0YXAgY3J0CiAga2V5UEVNOiB0YXAga2V5CnRhcFJlc291cmNlczoKICBjcHU6CiAgICBsaW1pdDogIiIKICAgIHJlcXVlc3Q6IDEwMG0KICBtZW1vcnk6CiAgICBsaW1pdDogMjUwTWkKICAgIHJlcXVlc3Q6IDUwTWkKd2ViUmVzb3VyY2VzOgogIGNwdToKICAgIGxpbWl0OiAiIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQp3ZWJob29rRmFpbHVyZVBvbGljeTogRmFpbAo= + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null 
diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index d19e2402c..f6b4474f5 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden 
@@ -169,118 +169,6 @@ metadata: --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: 
- kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -523,130 +411,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -721,27 +485,15 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -758,8 +510,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -864,8 +614,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -905,8 +653,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -921,19 +667,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- ### @@ -1133,7 +869,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1272,7 +1008,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: 
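Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value hard-codes the `linkerd-viz` namespace, `value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, in the hunk at +869 and again in the hunks at +1102, +1353, +1566 and +1820. If the proxy uses this name to decide which client identity may tap it (presumably so, to be confirmed against the proxy), the core install now pins that trust to a service account in a namespace it neither creates nor owns, and a viz extension installed under any other namespace would present an identity the proxies do not accept. The same literal appears in `-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090` at +1008, which points the controller at a service that does not exist until the extension is installed. Because this file is rendered golden output, the change belongs in the template, which is not visible here: render the namespace segment from a configurable value, e.g. `linkerd-tap.<viz-namespace-value>.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)` (placeholder name), and add a golden case with a non-default namespace.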
@@ -1366,7 +1102,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1617,7 +1353,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1691,239 +1427,6 @@ spec: --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - 
ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2063,7 +1566,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2317,7 +1820,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2392,999 +1895,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 
9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - 
linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd 
-spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - 
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: 
linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - 
path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: 
https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - 
source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: 
- annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: 
linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - 
runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden index 912a21820..ae1d6cb63 100644 --- a/cli/cmd/testdata/install_helm_output.golden +++ b/cli/cmd/testdata/install_helm_output.golden 
@@ -219,120 +219,6 @@ metadata: linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd --- -# Source: linkerd2/templates/web-rbac.yaml ---- -### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - 
name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- # Source: linkerd2/templates/serviceprofile-crd.yaml --- ### 
@@ -583,132 +469,6 @@ webhooks: resources: ["serviceprofiles"] sideEffects: None --- -# Source: linkerd2/templates/tap-rbac.yaml ---- -### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -type: kubernetes.io/tls -data: - tls.crt: dGVzdC10YXAtY3J0LXBlbQ== - tls.key: dGVzdC10YXAta2V5LXBlbQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGVzdC10YXAtY2EtYnVuZGxl ---- # Source: linkerd2/templates/psp.yaml --- ### @@ -786,30 +546,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- # Source: linkerd2/templates/config.yaml --- 
@@ -828,8 +576,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -922,185 +668,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: 
null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - image: - name: ghcr.io/linkerd/grafana - tag: null - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: 
test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - resources: - cpu: - limit: null - request: null - memory: - limit: null - request: null heartbeatResources: null heartbeatSchedule: 0 0 * * * identity: 
@@ -1128,198 +695,6 @@ data: operator: NotIn values: - disabled - prometheus: - alertManagers: null - alertRelabelConfigs: null - args: - config.file: /etc/prometheus/prometheus.yml - log.level: info - storage.tsdb.path: /data - storage.tsdb.retention.time: 6h - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - 
resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - globalConfig: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - image: prom/prometheus:v2.19.3 - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - 
closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - remoteWrite: null - resources: - cpu: - limit: null - request: null - memory: - limit: null - request: null - ruleConfigMapMounts: null - scrapeConfigs: null - sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem @@ -1334,19 +709,13 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null tap: caBundle: test-tap-ca-bundle crtPEM: test-tap-crt-pem - externalSecret: false - tapProxyResources: null - tapResources: null + keyPEM: test-tap-key-pem tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- # Source: linkerd2/templates/identity.yaml @@ -1537,7 +906,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
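Review bot: The expected output now contains `keyPEM: test-tap-key-pem` under `tap:`, next to `caBundle` and `crtPEM`, so the tap TLS private key is rendered into this document. The `data:` hunk context and the earlier `# Source: linkerd2/templates/config.yaml` marker suggest this is the rendered values inside the control-plane config object; if that is a ConfigMap, the key becomes readable by anything allowed to `get` it. The template should strip `keyPEM` from the tap values before rendering, or the chart should stop accepting tap TLS material now that tap has moved out, so that the golden file carries no `keyPEM` line here. The enclosing `data:` block starts and ends outside the hunk, so the object kind should be confirmed against the template.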
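Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value hard-codes the namespace as `linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, where the old value derived it from `$(_l5d_ns)`. Presumably this is the identity the proxy accepts for tap requests, so every proxy would trust a `linkerd-tap` service account in any namespace named `linkerd-viz`, even when the viz extension is not installed or is installed elsewhere. Consider taking the extension namespace from a chart value, exposed to the container the same way `_l5d_ns` is, and leaving the variable unset when viz is absent. The same literal appears in the `@@ -1761,7 +1130,7 @@` and `@@ -2003,7 +1372,7 @@` hunks, and the `-prometheus-url` hunks hard-code the same namespace. The container spec continues outside the hunk.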
@@ -1678,7 +1047,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:linkerd-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1761,7 +1130,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2003,7 +1372,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2119,234 +1488,10 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- -# Source: linkerd2/templates/web.yaml ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: 
FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- # Source: linkerd2/templates/proxy-injector.yaml --- ### @@ -2478,7 +1623,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2723,7 +1868,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2797,970 +1942,3 @@ spec: - emptyDir: medium: Memory name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/tap.yaml ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 494b55fb8f6819248b77bc13baf3fd41675475ad771fbe9696ff25fdc6e7405a - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=test.trust.domain - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 
- name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: 
FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -# Source: linkerd2/charts/grafana/templates/grafana-rbac.yaml ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/grafana/templates/grafana.yaml ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = 
false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - null - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # 
Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: 
FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/charts/prometheus/templates/prometheus-rbac.yaml ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - 
apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/prometheus/templates/prometheus.yaml ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: 
'(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: 
__meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - 
labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - null - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: 
FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity diff --git a/cli/cmd/testdata/install_helm_output_addons.golden b/cli/cmd/testdata/install_helm_output_addons.golden deleted file mode 100644 index 912a21820..000000000 --- a/cli/cmd/testdata/install_helm_output_addons.golden +++ /dev/null 
@@ -1,3766 +0,0 @@ ---- -# Source: linkerd2/templates/namespace.yaml ---- -### -### Linkerd Namespace -### ---- -kind: Namespace -apiVersion: v1 -metadata: - name: linkerd - annotations: - linkerd.io/inject: disabled - labels: - linkerd.io/is-control-plane: "true" - config.linkerd.io/admission-webhooks: disabled - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/templates/identity-rbac.yaml ---- -### -### Identity Controller Service RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-identity - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-identity - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-identity -subjects: -- kind: ServiceAccount - name: linkerd-identity - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/templates/controller-rbac.yaml ---- -### -### Controller RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-controller - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - 
resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] -- apiGroups: [""] - resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] - verbs: ["list", "get", "watch"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list", "get", "watch"] -- apiGroups: ["split.smi-spec.io"] - resources: ["trafficsplits"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-controller - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-controller -subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-controller - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/templates/destination-rbac.yaml ---- -### -### Destination Controller Service -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-destination - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["list", "get", "watch"] -- apiGroups: [""] - resources: ["pods", "endpoints", "services", "nodes", "namespaces"] - verbs: ["list", "get", "watch"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list", "get", "watch"] -- apiGroups: ["split.smi-spec.io"] - resources: ["trafficsplits"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-destination - labels: - linkerd.io/control-plane-component: 
destination - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-destination -subjects: -- kind: ServiceAccount - name: linkerd-destination - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-destination - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/templates/heartbeat-rbac.yaml ---- -### -### Heartbeat RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-heartbeat - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-component: heartbeat - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/templates/web-rbac.yaml ---- -### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - 
name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/templates/serviceprofile-crd.yaml ---- -### -### Service Profile CRD -### ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceprofiles.linkerd.io - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - linkerd.io/control-plane-ns: linkerd -spec: - group: linkerd.io - versions: - - name: v1alpha1 - served: true - storage: false - - name: v1alpha2 - served: true - storage: true - scope: Namespaced - names: - plural: serviceprofiles - singular: serviceprofile - kind: ServiceProfile - shortNames: - - sp ---- -# Source: linkerd2/templates/trafficsplit-crd.yaml ---- -### -### TrafficSplit CRD -### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml -### ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: trafficsplits.split.smi-spec.io - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - linkerd.io/control-plane-ns: linkerd -spec: - group: split.smi-spec.io - version: v1alpha1 - scope: Namespaced - names: - kind: TrafficSplit - shortNames: - - ts - plural: trafficsplits - singular: trafficsplit - additionalPrinterColumns: - - name: Service - type: string - description: The apex service of this split. 
- JSONPath: .spec.service ---- -# Source: linkerd2/templates/proxy-injector-rbac.yaml ---- -### -### Proxy Injector RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: [""] - resources: ["namespaces", "replicationcontrollers"] - verbs: ["list", "get", "watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["list", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -subjects: -- kind: ServiceAccount - name: linkerd-proxy-injector - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-proxy-injector - apiGroup: rbac.authorization.k8s.io ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-proxy-injector-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -type: kubernetes.io/tls -data: - tls.crt: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt - tls.key: dGVzdC1wcm94eS1pbmplY3Rvci1rZXktcGVt ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: 
- name: linkerd-proxy-injector-webhook-config - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -webhooks: -- name: linkerd-proxy-injector.linkerd.io - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - clientConfig: - service: - name: linkerd-proxy-injector - namespace: linkerd - path: "/" - caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jYS1idW5kbGU= - failurePolicy: Ignore - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - sideEffects: None ---- -# Source: linkerd2/templates/sp-validator-rbac.yaml ---- -### -### Service Profile Validator RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["list"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -subjects: -- kind: ServiceAccount - name: linkerd-sp-validator - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-sp-validator - apiGroup: rbac.authorization.k8s.io ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-sp-validator-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -type: kubernetes.io/tls -data: - tls.crt: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt - 
tls.key: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1rZXktcGVt ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: linkerd-sp-validator-webhook-config - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -webhooks: -- name: linkerd-sp-validator.linkerd.io - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - clientConfig: - service: - name: linkerd-sp-validator - namespace: linkerd - path: "/" - caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU= - failurePolicy: Ignore - rules: - - operations: [ "CREATE" , "UPDATE" ] - apiGroups: ["linkerd.io"] - apiVersions: ["v1alpha1", "v1alpha2"] - resources: ["serviceprofiles"] - sideEffects: None ---- -# Source: linkerd2/templates/tap-rbac.yaml ---- -### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -type: kubernetes.io/tls -data: - tls.crt: dGVzdC10YXAtY3J0LXBlbQ== - tls.key: dGVzdC10YXAta2V5LXBlbQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGVzdC10YXAtY2EtYnVuZGxl ---- -# Source: linkerd2/templates/psp.yaml ---- -### -### Control Plane PSP -### ---- -apiVersion: 
policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: linkerd-linkerd-control-plane - labels: - linkerd.io/control-plane-ns: linkerd -spec: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - allowedCapabilities: - - NET_ADMIN - - NET_RAW - requiredDropCapabilities: - - ALL - hostNetwork: false - hostIPC: false - hostPID: false - seLinux: - rule: RunAsAny - runAsUser: - rule: RunAsAny - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - volumes: - - configMap - - emptyDir - - secret - - projected - - downwardAPI - - persistentVolumeClaim ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-psp - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ['policy', 'extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - linkerd-linkerd-control-plane ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-psp - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-psp - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd -- kind: ServiceAccount - name: linkerd-destination - namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd -- kind: ServiceAccount - name: linkerd-identity - namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd -- kind: ServiceAccount - name: linkerd-proxy-injector - namespace: linkerd -- kind: ServiceAccount - name: linkerd-sp-validator - namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -# Source: linkerd2/templates/config.yaml ---- -kind: ConfigMap 
-apiVersion: v1 -metadata: - name: linkerd-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - values: | - controllerImage: ghcr.io/linkerd/controller - controllerReplicas: 1 - controllerUID: 2103 - dashboard: - replicas: 1 - debugContainer: - image: - name: ghcr.io/linkerd/debug - pullPolicy: IfNotPresent - version: test-debug-version - destinationProxyResources: null - destinationResources: null - disableHeartBeat: false - enableH2Upgrade: true - enablePodAntiAffinity: false - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" 
- memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - 
requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - image: - name: ghcr.io/linkerd/grafana - tag: null - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: 
"" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - resources: - cpu: - limit: null - request: null - memory: - limit: null - request: null - heartbeatResources: null - heartbeatSchedule: 0 0 * * * - identity: - issuer: - clockSkewAllowance: 20s - crtExpiry: Jul 30 17:21:14 2020 - crtExpiryAnnotation: linkerd.io/identity-issuer-expiry - issuanceLifetime: 24h0m0s - scheme: linkerd.io/tls - tls: - crtPEM: test-crt-pem - identityProxyResources: null - identityResources: null - installNamespace: true - nodeSelector: - beta.kubernetes.io/os: linux - omitWebhookSideEffects: false - profileValidator: - caBundle: test-profile-validator-ca-bundle - crtPEM: test-profile-validator-crt-pem - externalSecret: false - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - prometheus: - alertManagers: null - alertRelabelConfigs: null - args: - config.file: /etc/prometheus/prometheus.yml - log.level: info - storage.tsdb.path: /data - storage.tsdb.retention.time: 6h - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 
10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - globalConfig: - 
evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - image: prom/prometheus:v2.19.3 - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: 
linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - remoteWrite: null - resources: - cpu: - limit: null - request: null - memory: - limit: null - request: null - ruleConfigMapMounts: null - scrapeConfigs: null - sideCarContainers: null - proxyInjector: - caBundle: test-proxy-injector-ca-bundle - crtPEM: test-proxy-injector-crt-pem - externalSecret: false - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - proxyInjectorProxyResources: null - proxyInjectorResources: null - publicAPIProxyResources: null - publicAPIResources: null - restrictDashboardPrivileges: false - spValidatorProxyResources: null - spValidatorResources: null - tap: - caBundle: test-tap-ca-bundle - crtPEM: test-tap-crt-pem - externalSecret: false - tapProxyResources: null - tapResources: null - tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null - webhookFailurePolicy: Ignore ---- -# Source: linkerd2/templates/identity.yaml ---- -### -### Identity Controller Service -### ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-identity-issuer - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-issuer-expiry: Jul 30 17:21:14 2020 -data: - crt.pem: dGVzdC1jcnQtcGVt - key.pem: dGVzdC1rZXktcGVt ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: identity - ports: - - name: grpc - port: 8080 - 
targetPort: 8080 ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-identity-headless - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - clusterIP: None - selector: - linkerd.io/control-plane-component: identity - ports: - - name: grpc - port: 8080 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: identity - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - name: linkerd-identity - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-identity - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-identity - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - identity - - -log-level=info - - -controller-namespace=linkerd - - -identity-trust-domain=test.trust.domain - - -identity-issuance-lifetime=24h0m0s - - -identity-clock-skew-allowance=20s - - -identity-trust-anchors-pem=dGVzdC10cnVzdC1hbmNob3I= - - -identity-scheme=linkerd.io/tls - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9990 - initialDelaySeconds: 10 - name: identity - ports: - - containerPort: 8080 - name: grpc - - containerPort: 9990 - name: admin-http - readinessProbe: - 
failureThreshold: 7 - httpGet: - path: /ready - port: 9990 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/identity/issuer - name: identity-issuer - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: localhost.:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: 
/var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-identity - volumes: - - name: identity-issuer - secret: - secretName: linkerd-identity-issuer - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/controller.yaml ---- -### -### Controller -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-controller-api - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: controller - ports: - - name: http - port: 8085 - targetPort: 8085 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - name: linkerd-controller - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - 
linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - public-api - - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - - -controller-namespace=linkerd - - -log-level=info - - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: public-api - ports: - - containerPort: 8085 - name: http - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-controller - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/destination.yaml ---- -### -### Destination Controller Service -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-dst - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: destination - ports: - - name: grpc - port: 8086 - targetPort: 8086 ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-dst-headless - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - clusterIP: None - selector: - linkerd.io/control-plane-component: destination - ports: - - name: grpc 
- port: 8086 - targetPort: 8086 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: destination - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - name: linkerd-destination - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-destination - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-destination - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - destination - - -addr=:8086 - - -controller-namespace=linkerd - - -enable-h2-upgrade=true - - -log-level=info - - -enable-endpoint-slices=false - - -cluster-domain=cluster.local - - -identity-trust-domain=test.trust.domain - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9996 - initialDelaySeconds: 10 - name: destination - ports: - - containerPort: 8086 - name: grpc - - containerPort: 9996 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9996 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: localhost.:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: 
LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version 
- imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-destination - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/heartbeat.yaml ---- -### -### Heartbeat -### ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - app.kubernetes.io/name: heartbeat - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: heartbeat - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - schedule: "0 
0 * * *" - successfulJobsHistoryLimit: 0 - jobTemplate: - spec: - template: - metadata: - labels: - linkerd.io/control-plane-component: heartbeat - linkerd.io/workload-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - spec: - nodeSelector: - beta.kubernetes.io/os: linux - serviceAccountName: linkerd-heartbeat - restartPolicy: Never - containers: - - name: heartbeat - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - args: - - "heartbeat" - - "-controller-namespace=linkerd" - - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" - securityContext: - runAsUser: 2103 ---- -# Source: linkerd2/templates/web.yaml ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - 
linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: 
FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/proxy-injector.yaml ---- -### -### Proxy Injector -### ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: proxy-injector - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - name: linkerd-proxy-injector - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: proxy-injector - template: - metadata: - annotations: - checksum/config: 2dec8ad53cfb62eb135ea83b83d613b8287798861447f19c9ef6a0431b0027c0 - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - 
linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-proxy-injector - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - proxy-injector - - -log-level=info - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: proxy-injector - ports: - - containerPort: 8443 - name: proxy-injector - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: 
FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-proxy-injector - volumes: - - configMap: - name: linkerd-config - name: config - - name: tls - secret: - secretName: linkerd-proxy-injector-k8s-tls - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: proxy-injector - ports: - - name: proxy-injector - port: 443 - targetPort: proxy-injector ---- -# Source: linkerd2/templates/sp-validator.yaml ---- -### -### Service Profile Validator -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - 
selector: - linkerd.io/control-plane-component: sp-validator - ports: - - name: sp-validator - port: 443 - targetPort: sp-validator ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: sp-validator - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - name: linkerd-sp-validator - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: sp-validator - template: - metadata: - annotations: - checksum/config: a7be91627e3c678c3c221f1e074f7d4b612e213bdb27eb9f1e169b0f14526b57 - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-sp-validator - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - sp-validator - - -log-level=info - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9997 - initialDelaySeconds: 10 - name: sp-validator - ports: - - containerPort: 8443 - name: sp-validator - - containerPort: 9997 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9997 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: 
"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: 
linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-sp-validator - volumes: - - name: tls - secret: - secretName: linkerd-sp-validator-k8s-tls - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/tap.yaml ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: 
linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 494b55fb8f6819248b77bc13baf3fd41675475ad771fbe9696ff25fdc6e7405a - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=test.trust.domain - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" 
- - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -# Source: linkerd2/charts/grafana/templates/grafana-rbac.yaml ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: 
linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/grafana/templates/grafana.yaml ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - 
linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - null - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - 
value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin 
- readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/charts/prometheus/templates/prometheus-rbac.yaml ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- 
-kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/prometheus/templates/prometheus.yaml ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: 
[__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job 
- - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: 
linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - null - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden index 2d266520b..c385be75c 100644 --- a/cli/cmd/testdata/install_helm_output_ha.golden +++ b/cli/cmd/testdata/install_helm_output_ha.golden 
@@ -219,120 +219,6 @@ metadata: linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd --- -# Source: linkerd2/templates/web-rbac.yaml ---- -### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - 
name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- # Source: linkerd2/templates/serviceprofile-crd.yaml --- ### 
@@ -583,132 +469,6 @@ webhooks: resources: ["serviceprofiles"] sideEffects: None --- -# Source: linkerd2/templates/tap-rbac.yaml ---- -### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -type: kubernetes.io/tls -data: - tls.crt: dGVzdC10YXAtY3J0LXBlbQ== - tls.key: dGVzdC10YXAta2V5LXBlbQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGVzdC10YXAtY2EtYnVuZGxl ---- # Source: linkerd2/templates/psp.yaml --- ### @@ -786,30 +546,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- # Source: linkerd2/templates/config.yaml --- 
@@ -828,8 +576,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 3 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -928,185 +674,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - 
saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - image: - name: ghcr.io/linkerd/grafana - tag: null - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - 
version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 1024Mi - request: 50Mi heartbeatResources: cpu: limit: "" 
@@ -1146,198 +713,6 @@ data: operator: NotIn values: - disabled - prometheus: - alertManagers: null - alertRelabelConfigs: null - args: - config.file: /etc/prometheus/prometheus.yml - log.level: info - storage.tsdb.path: /data - storage.tsdb.retention.time: 6h - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: 
test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - globalConfig: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - image: prom/prometheus:v2.19.3 - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: 
- capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - remoteWrite: null - resources: - cpu: - limit: "" - request: 300m - memory: - limit: 8192Mi - request: 300Mi - ruleConfigMapMounts: null - scrapeConfigs: null - sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem @@ -1364,7 +739,6 @@ data: memory: limit: 250Mi request: 50Mi - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: cpu: @@ -1376,25 +750,8 @@ data: tap: caBundle: test-tap-ca-bundle crtPEM: test-tap-crt-pem - externalSecret: false - tapProxyResources: null - tapResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi + keyPEM: test-tap-key-pem tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi webhookFailurePolicy: Fail --- # Source: linkerd2/templates/identity.yaml @@ -1614,7 +971,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
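Review bot: The added `keyPEM: test-tap-key-pem` under `tap:` (hunk at -1376) sits inside the rendered `data:` block that the earlier hunks of this file attribute to `linkerd2/templates/config.yaml`, so the tap TLS private key now appears to be serialised into the values ConfigMap. As far as the context lines show, the neighbouring `proxyInjector:` entry carries only `caBundle` and `crtPEM`, which suggests key material is normally stripped before the values are stored and that tap lost this treatment when its other fields were removed. A ConfigMap is usually readable by many more subjects than a Secret, so the template should drop `keyPEM` from the `tap` values before rendering and this golden file should be regenerated without the line. The template itself is outside this hunk, so the exact place for the fix cannot be confirmed from here.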
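Review bot: `LINKERD2_PROXY_TAP_SVC_NAME` in the hunk at -1614 now contains the literal namespace `linkerd-viz` where it previously used `$(_l5d_ns)`, so the proxies rendered here trust the identity `linkerd-tap.linkerd-viz.serviceaccount.identity...` for tap regardless of where, or whether, the viz extension is installed. If the extension can be installed into a different namespace, tap requests would fail identity verification; if it is not installed, the proxies still trust a service-account name in a namespace that nothing in this chart creates or controls. The same literal appears in the hunks at -1872, -2148, -2674 and -2953, and in the `-prometheus-url` arguments at -1783 and -2269. The golden output alone does not show whether the template takes this from a value; if it is a constant, it should become a chart value documented with something like `# namespace of the viz extension; must match the tap service account's namespace`.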
@@ -1783,7 +1140,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:linkerd-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1872,7 +1229,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2148,7 +1505,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2269,7 +1626,7 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" resources: limits: memory: "250Mi" 
@@ -2279,241 +1636,6 @@ spec: securityContext: runAsUser: 2103 --- -# Source: linkerd2/templates/web.yaml ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - 
port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- # Source: linkerd2/templates/proxy-injector.yaml --- ### @@ -2674,7 +1796,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2953,7 +2075,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -3032,1024 +2154,3 @@ spec: - emptyDir: medium: Memory name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/tap.yaml ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 3 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - strategy: - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - checksum/config: 494b55fb8f6819248b77bc13baf3fd41675475ad771fbe9696ff25fdc6e7405a - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: failure-domain.beta.kubernetes.io/zone - weight: 100 - 
requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: kubernetes.io/hostname - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=test.trust.domain - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -# Source: linkerd2/charts/grafana/templates/grafana-rbac.yaml ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/grafana/templates/grafana.yaml ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - 
[auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - 
nodeSelector: - null - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - limits: - memory: "1024Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/charts/prometheus/templates/prometheus-rbac.yaml ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - 
linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/prometheus/templates/prometheus.yaml ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - 
metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # 
__meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: 
linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - null - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - limits: - memory: "8192Mi" - requests: - cpu: "300m" - memory: "300Mi" - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" 
- securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 32d289f5f..1a37c9edb 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden 
@@ -219,120 +219,6 @@ metadata: linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd --- -# Source: linkerd2/templates/web-rbac.yaml ---- -### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - 
name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- # Source: linkerd2/templates/serviceprofile-crd.yaml --- ### 
@@ -583,132 +469,6 @@ webhooks: resources: ["serviceprofiles"] sideEffects: None --- -# Source: linkerd2/templates/tap-rbac.yaml ---- -### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -type: kubernetes.io/tls -data: - tls.crt: dGVzdC10YXAtY3J0LXBlbQ== - tls.key: dGVzdC10YXAta2V5LXBlbQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGVzdC10YXAtY2EtYnVuZGxl ---- # Source: linkerd2/templates/psp.yaml --- ### @@ -786,30 +546,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- # Source: linkerd2/templates/config.yaml --- 
@@ -828,8 +576,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 3 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -932,193 +678,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: - asda: fasda - bingo: bongo - podLabels: - fiz: buz - foo: bar - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "444" - ignoreOutboundPorts: "333" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - 
memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - image: - name: ghcr.io/linkerd/grafana - tag: null - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: - asda: fasda - bingo: bongo - podLabels: - fiz: buz - foo: bar - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "444" - ignoreOutboundPorts: 
"333" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 1024Mi - request: 50Mi heartbeatResources: cpu: limit: "" 
@@ -1158,206 +717,6 @@ data: operator: NotIn values: - disabled - prometheus: - alertManagers: null - alertRelabelConfigs: null - args: - config.file: /etc/prometheus/prometheus.yml - log.level: info - storage.tsdb.path: /data - storage.tsdb.retention.time: 6h - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: - asda: fasda - bingo: bongo - podLabels: - fiz: buz - foo: bar - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "444" - ignoreOutboundPorts: "333" - image: - name: ghcr.io/linkerd/proxy-init - 
pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - globalConfig: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - image: prom/prometheus:v2.19.3 - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: - asda: fasda - bingo: bongo - podLabels: - fiz: buz - foo: bar - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 
2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "444" - ignoreOutboundPorts: "333" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - remoteWrite: null - resources: - cpu: - limit: "" - request: 300m - memory: - limit: 8192Mi - request: 300Mi - ruleConfigMapMounts: null - scrapeConfigs: null - sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem @@ -1384,7 +743,6 @@ data: memory: limit: 250Mi request: 50Mi - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: cpu: @@ -1396,25 +754,8 @@ data: tap: caBundle: test-tap-ca-bundle crtPEM: test-tap-crt-pem - externalSecret: false - tapProxyResources: null - tapResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi + keyPEM: test-tap-key-pem tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi webhookFailurePolicy: Fail --- # Source: linkerd2/templates/identity.yaml 
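Review bot: The added `keyPEM: test-tap-key-pem` under `tap:` in the `@@ -1396,25 +754,8 @@` hunk puts the tap private key into the rendered values block, where the old side showed only `caBundle` and `crtPEM`. The hunk lies between the `# Source: linkerd2/templates/config.yaml` and `# Source: linkerd2/templates/identity.yaml` markers, so this appears to be the values dump of the config ConfigMap, which is usually readable under much broader RBAC than a Secret. The template that writes this block should remove the key from a copy of the values before serialising it (Sprig's `unset` does this), so that the expected output has no `keyPEM:` line here. The `@@ -583,132 +469,6 @@` hunk removes the tap Secret and APIService from this chart, so it is also worth checking whether the `tap:` subtree belongs in the core values at all.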
@@ -1638,7 +979,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1811,7 +1152,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:linkerd-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1900,7 +1241,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2180,7 +1521,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
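Review bot: `LINKERD2_PROXY_TAP_SVC_NAME` in the `@@ -1638,7 +979,7 @@` hunk now spells the tap identity with a literal `linkerd-viz` namespace while the rest of the value still uses `$(_l5d_ns)` and `$(_l5d_trustdomain)`. The hunks at -1900, -2180, -2718 and -3001 repeat the same line, and the `-prometheus-url` hunks at -1811 and -2305 pin the same namespace. As far as I can tell this value is the identity each proxy accepts from a tap client, so a cluster without the viz extension, or with it installed in another namespace, would still trust `linkerd-tap` in `linkerd-viz`, a namespace the control-plane operator may not own. Rendering the namespace from a chart value (placeholder: `<viz-namespace-value>`) instead of the literal would keep the trusted identity tied to where the extension really runs. The container spec these lines belong to starts and ends outside the hunk.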
@@ -2305,7 +1646,7 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" resources: limits: memory: "250Mi" 
@@ -2315,245 +1656,6 @@ spec: securityContext: runAsUser: 2103 --- -# Source: linkerd2/templates/web.yaml ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - asda: fasda - bingo: bongo - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - fiz: buz - foo: bar - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:linkerd-version - imagePullPolicy: 
IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,444" - - --outbound-ports-to-ignore - - "333" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- # Source: linkerd2/templates/proxy-injector.yaml --- ### @@ -2718,7 +1820,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -3001,7 +2103,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -3080,1036 +2182,3 @@ spec: - emptyDir: medium: Memory name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/tap.yaml ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 3 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - strategy: - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - checksum/config: 494b55fb8f6819248b77bc13baf3fd41675475ad771fbe9696ff25fdc6e7405a - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - asda: fasda - bingo: bongo - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - fiz: buz - foo: bar - spec: - nodeSelector: - beta.kubernetes.io/os: linux - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: failure-domain.beta.kubernetes.io/zone - 
weight: 100 - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: kubernetes.io/hostname - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=test.trust.domain - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,444" - - --outbound-ports-to-ignore - - "333" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -# Source: linkerd2/charts/grafana/templates/grafana-rbac.yaml ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/grafana/templates/grafana.yaml ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - 
[auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - asda: fasda - bingo: bongo - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: 
linkerd-grafana - fiz: buz - foo: bar - spec: - nodeSelector: - null - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - limits: - memory: "1024Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,444" - - --outbound-ports-to-ignore - - "333" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/charts/prometheus/templates/prometheus-rbac.yaml ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - 
linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/prometheus/templates/prometheus.yaml ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - 
metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # 
__meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: 
linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - asda: fasda - bingo: bongo - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - fiz: buz - foo: bar - spec: - nodeSelector: - null - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - limits: - memory: "8192Mi" - requests: - cpu: "300m" - memory: "300Mi" - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 
0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: 
"100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,444" - - --outbound-ports-to-ignore - - "333" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index cad5e76e5..ffdbdda6a 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden 
@@ -219,120 +219,6 @@ metadata: linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd --- -# Source: linkerd2/templates/web-rbac.yaml ---- -### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - 
name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- # Source: linkerd2/templates/serviceprofile-crd.yaml --- ### 
@@ -583,132 +469,6 @@ webhooks: resources: ["serviceprofiles"] sideEffects: None --- -# Source: linkerd2/templates/tap-rbac.yaml ---- -### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -type: kubernetes.io/tls -data: - tls.crt: dGVzdC10YXAtY3J0LXBlbQ== - tls.key: dGVzdC10YXAta2V5LXBlbQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGVzdC10YXAtY2EtYnVuZGxl ---- # Source: linkerd2/templates/psp.yaml --- ### @@ -786,30 +546,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- # Source: linkerd2/templates/config.yaml --- 
@@ -828,8 +576,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 3 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -928,185 +674,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - 
saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - image: - name: ghcr.io/linkerd/grafana - tag: null - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - 
version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 1024Mi - request: 50Mi heartbeatResources: cpu: limit: "" 
@@ -1146,198 +713,6 @@ data: operator: In values: - enabled - prometheus: - alertManagers: null - alertRelabelConfigs: null - args: - config.file: /etc/prometheus/prometheus.yml - log.level: info - storage.tsdb.path: /data - storage.tsdb.retention.time: 6h - enabled: true - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: 
test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - globalConfig: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - image: prom/prometheus:v2.19.3 - partials: - global: - cliVersion: "" - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: linkerd-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: test-trust-anchor - identityTrustDomain: test.trust.domain - imagePullPolicy: IfNotPresent - imagePullSecrets: null - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: linkerd-version - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: test-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 20Mi - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: 
- capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: "222" - ignoreOutboundPorts: "111" - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: test-proxy-init-version - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - proxy: - resources: null - remoteWrite: null - resources: - cpu: - limit: "" - request: 300m - memory: - limit: 8192Mi - request: 300Mi - ruleConfigMapMounts: null - scrapeConfigs: null - sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem @@ -1364,7 +739,6 @@ data: memory: limit: 250Mi request: 50Mi - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: cpu: @@ -1376,25 +750,8 @@ data: tap: caBundle: test-tap-ca-bundle crtPEM: test-tap-crt-pem - externalSecret: false - tapProxyResources: null - tapResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi + keyPEM: test-tap-key-pem tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: - cpu: - limit: "" - request: 100m - memory: - limit: 250Mi - request: 50Mi webhookFailurePolicy: Fail --- # Source: linkerd2/templates/identity.yaml @@ -1614,7 +971,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
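Review bot: The new side of the `tap:` block under `data:` (rendered from `linkerd2/templates/config.yaml`) now carries `keyPEM: test-tap-key-pem`, which the old expected output did not contain. If the template behaves the same with real values, the tap TLS private key is serialised into what is presumably a ConfigMap, readable by anyone allowed to read that object. Private key material belongs only in a Secret, so the values copy feeding this template should drop `tap.keyPEM` before rendering, and the golden should then lose the line `keyPEM: test-tap-key-pem`. The template is not visible here, and the enclosing document starts before this hunk.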
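Review bot: `LINKERD2_PROXY_TAP_SVC_NAME` now embeds the literal namespace `linkerd-viz` (`value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`), here and in the hunks at -1872 and -2148, where the old line derived it from `$(_l5d_ns)`. If this name is the identity the proxy accepts for tap clients (inferred from the variable name), it stays trusted when the viz extension is absent or installed in another namespace, and any `linkerd-tap` service account in a namespace called `linkerd-viz` would match it. Rendering the namespace from a chart value, and leaving the variable unset when tap is not deployed, would keep the trust tied to the actual install. The `-prometheus-url` arguments at -1783 and -2269 pin the same namespace. The container spec continues outside the hunk.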
@@ -1783,7 +1140,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:linkerd-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1872,7 +1229,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2148,7 +1505,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2269,7 +1626,7 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" resources: limits: memory: "250Mi" 
@@ -2279,241 +1636,6 @@ spec: securityContext: runAsUser: 2103 --- -# Source: linkerd2/templates/web.yaml ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - 
port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- # Source: linkerd2/templates/proxy-injector.yaml --- ### @@ -2674,7 +1796,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2953,7 +2075,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:test-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -3032,1024 +2154,3 @@ spec: - emptyDir: medium: Memory name: linkerd-identity-end-entity ---- -# Source: linkerd2/templates/tap.yaml ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 3 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - strategy: - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - annotations: - checksum/config: 494b55fb8f6819248b77bc13baf3fd41675475ad771fbe9696ff25fdc6e7405a - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: failure-domain.beta.kubernetes.io/zone - weight: 100 - 
requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: linkerd.io/control-plane-component - operator: In - values: - - tap - topologyKey: kubernetes.io/hostname - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=test.trust.domain - image: ghcr.io/linkerd/controller:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -# Source: linkerd2/charts/grafana/templates/grafana-rbac.yaml ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/grafana/templates/grafana.yaml ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - 
[auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - 
nodeSelector: - null - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:linkerd-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - limits: - memory: "1024Mi" - requests: - cpu: "100m" - memory: "50Mi" - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" - securityContext: - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -# Source: linkerd2/charts/prometheus/templates/prometheus-rbac.yaml ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - 
linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -# Source: linkerd2/charts/prometheus/templates/prometheus.yaml ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - 
metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # 
__meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/helm linkerd-version - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: linkerd-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: 
linkerd/helm linkerd-version - linkerd.io/identity-mode: default - linkerd.io/proxy-version: test-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - null - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - limits: - memory: "8192Mi" - requests: - cpu: "300m" - memory: "300Mi" - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - test-trust-anchor - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: test.trust.domain - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:test-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - memory: "250Mi" - requests: - cpu: "100m" - memory: "20Mi" 
- securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,222" - - --outbound-ports-to-ignore - - "111" - image: ghcr.io/linkerd/proxy-init:test-proxy-init-version - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 3c9bbdaae..efa7ffb91 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -759,30 +523,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -799,8 +551,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -905,8 +655,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -946,8 +694,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -962,19 +708,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- ### @@ -1174,7 +910,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1275,7 +1011,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: 
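Review bot: The expected `LINKERD2_PROXY_TAP_SVC_NAME` in the -1174 hunk now hard-codes the namespace as `linkerd-viz`, while every neighbouring identity name still derives it from `$(_l5d_ns)`; the hunks at -1369, -1582, -1997 and -2213 repeat this. If, as the variable name suggests, the proxy uses this value to decide which client identity may tap it, then every core-install proxy trusts a `linkerd-tap` service account in a namespace named `linkerd-viz` whether or not the viz extension is installed, and a viz install in any other namespace would be refused. The template that renders this line is not in this part of the diff, so confirm there that the namespace is rendered from a configurable value, e.g. `value: linkerd-tap.<viz-namespace-placeholder>.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, or that the variable is omitted when the extension is absent, and add a golden case with a non-default viz namespace. The `-prometheus-url` hunks at -1275 and -1658 hard-code the same namespace.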
@@ -1369,7 +1105,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1582,7 +1318,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1658,206 +1394,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-web - volumes: - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- @@ -1997,7 +1538,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2213,7 +1754,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2250,885 +1791,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 
9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-tap - volumes: - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - 
orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - 
value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus 
- namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - 
namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar 
=> - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - 
securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 
ZGVidWdDb250YWluZXI6CiAgaW1hZ2U6CiAgICB2ZXJzaW9uOiBpbnN0YWxsLWRlYnVnLXZlcnNpb24KZ2xvYmFsOgogIGNuaUVuYWJsZWQ6IHRydWUKICBjb250cm9sbGVySW1hZ2VWZXJzaW9uOiBpbnN0YWxsLWNvbnRyb2wtcGxhbmUtdmVyc2lvbgogIGlkZW50aXR5VHJ1c3RBbmNob3JzUEVNOiB8CiAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgIE1JSUJ3VENDQVdhZ0F3SUJBZ0lRZURacDVsRGFJeWdRNVVmTUtackZBVEFLQmdncWhrak9QUVFEQWpBcE1TY3cKICAgIEpRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXJaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dIaGNOTWpBd09ESTQKICAgIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICAgIFpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFScWM3MFoKICAgIGwxdmd3NzlyakI1dVNJVElDVUE2R3lmdlNGZmN1SWlzN0IvWEZTa2t3QUhVNVMvczFBQVArUjBUWDdIQldVQzQKICAgIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAgIC93SUJBVEFkQmdOVkhRNEVGZ1FVNVl0alZWUGZkN0k3TkxIc24yQzI2RUJ5R1Ywd0tRWURWUjBSQkNJd0lJSWUKICAgIGFXUmxiblJwZEhrdWJHbHVhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUMKICAgIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICAgIHZnVUMwZDIvOUZNdWVJVk1iKzQ2V1RDT2pzcXIKICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICBwcm94eToKICAgIGltYWdlOgogICAgICB2ZXJzaW9uOiBpbnN0YWxsLXByb3h5LXZlcnNpb24KaGVhcnRiZWF0U2NoZWR1bGU6IDEgMiAzIDQgNQppZGVudGl0eToKICBpc3N1ZXI6CiAgICBjcnRFeHBpcnk6ICIyMDMwLTA4LTI2VDA3OjEzOjQ3WiIKICAgIHRsczoKICAgICAgY3J0UEVNOiB8CiAgICAgICAgLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgICAgICAgTUlJQndEQ0NBV2VnQXdJQkFnSVJBSlJJZ1o4UnRPOEV3ZzFYZXBmOFQ0NHdDZ1lJS29aSXpqMEVBd0l3S1RFbgogICAgICAgIE1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHVhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNQjRYRFRJd01EZ3kKICAgICAgICBPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CiAgICAgICAgYTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMS9GcAogICAgICAgIGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MmRRdlJhWWFudXhEMzZEdDEKICAgICAgICAyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFR
SC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCiAgICAgICAgQWY4Q0FRQXdIUVlEVlIwT0JCWUVGSTFXbnJxTVlLYUhIT28renB5aWlEcTJwTzBLTUNrR0ExVWRFUVFpTUNDQwogICAgICAgIEhtbGtaVzUwYVhSNUxteHBibXRsY21RdVkyeDFjM1JsY2k1c2IyTmhiREFLQmdncWhrak9QUVFEQWdOSEFEQkUKICAgICAgICBBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CiAgICAgICAgNTF0ZHJta0hFWlJyMHFsTFNKZEhZZ0VmTXprPQogICAgICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICAgICAga2V5UEVNOiB8CiAgICAgICAgLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCiAgICAgICAgTUhjQ0FRRUVJQUFlOG5mYnpadTljL09CMis4eEpNMEZ6N05Vd1RRYXp1bGtGTnM0VEk1K29Bb0dDQ3FHU000OQogICAgICAgIEF3RUhvVVFEUWdBRTEvRnBmY1JuRGNlZEw2QWpVYVhZUHY0RElNQmFKdWZPSTVOV3R5K1hTWDdKalhnWnRNNzIKICAgICAgICBkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KICAgICAgICAtLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCnByb2ZpbGVWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHByb2ZpbGUgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGNydFBFTTogcHJvZmlsZSB2YWxpZGF0b3IgY3J0CiAga2V5UEVNOiBwcm9maWxlIHZhbGlkYXRvciBrZXkKcHJveHlJbmplY3RvcjoKICBjYUJ1bmRsZTogcHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxlCiAgY3J0UEVNOiBwcm94eSBpbmplY3RvciBjcnQKICBrZXlQRU06IHByb3h5IGluamVjdG9yIGtleQp0YXA6CiAgY2FCdW5kbGU6IHRhcCBDQSBidW5kbGUKICBjcnRQRU06IHRhcCBjcnQKICBrZXlQRU06IHRhcCBrZXkK + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 98abe0258..09c204bfc 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden 
@@ -210,118 +210,6 @@ metadata: ControllerNamespaceLabel: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd -roleRef: - kind: 
ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - 
ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd - annotations: - CreatedByAnnotation: CliVersion -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: ControllerImage controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: DebugImageName 
@@ -908,8 +658,6 @@ data: proxyInjectAnnotation: ProxyInjectAnnotation proxyInjectDisabled: ProxyInjectDisabled workloadNamespaceLabel: WorkloadNamespaceLabel - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: "" identity: @@ -949,9 +697,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true - image: PrometheusImage proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -966,19 +711,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: WebImage - webProxyResources: null - webResources: null webhookFailurePolicy: WebhookFailurePolicy --- ### @@ -1174,7 +909,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ProxyImageName:ProxyVersion imagePullPolicy: ImagePullPolicy livenessProbe: @@ -1319,7 +1054,7 @@ spec: - -controller-namespace=linkerd - -log-level=ControllerLogLevel - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ControllerImage:ControllerImageVersion imagePullPolicy: ImagePullPolicy livenessProbe: 
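Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value in the `@@ -1174,7 +909,7 @@` hunk hard-codes the namespace `linkerd-viz` where the old value derived it from `$(_l5d_ns)`, so core proxies now name a tap identity in a namespace this install no longer creates. If the viz extension is absent or installed under a different namespace, this presumably means either tap requests fail the identity check, or whoever can create a `linkerd-tap` ServiceAccount in a namespace called `linkerd-viz` holds the identity the proxies trust for tap. The rendering template is outside this diff, so this is inferred from the golden output only. I would render the namespace from a value instead, e.g. `value: linkerd-tap.$(_l5d_viz_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)` (`_l5d_viz_ns` is a placeholder name), or omit the variable when viz is not installed. The same point applies to the other `LINKERD2_PROXY_TAP_SVC_NAME` hunks in this file and to the two hunks that switch `-prometheus-url` to `http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090`.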
@@ -1409,7 +1144,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ProxyImageName:ProxyVersion imagePullPolicy: ImagePullPolicy livenessProbe: @@ -1662,7 +1397,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ProxyImageName:ProxyVersion imagePullPolicy: ImagePullPolicy livenessProbe: 
@@ -1782,246 +1517,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=ControllerLogLevel" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd - annotations: - CreatedByAnnotation: CliVersion -spec: - type: ClusterIP - selector: - ControllerComponentLabel: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - CreatedByAnnotation: CliVersion - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: ControllerImageVersion - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - CreatedByAnnotation: CliVersion - linkerd.io/identity-mode: default - linkerd.io/proxy-version: ProxyVersion - labels: - ControllerComponentLabel: web - ControllerNamespaceLabel: linkerd - WorkloadNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=ControllerLogLevel - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: 
WebImage:ControllerImageVersion - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "ClusterNetworks" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ProxyImageName:ProxyVersion - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - cpu: "cpu-limit" - memory: "memory-limit" - requests: - cpu: "cpu-request" - memory: "memory-request" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191" - - --outbound-ports-to-ignore - - "443" - image: ProxyInitImageName:ProxyInitVersion - imagePullPolicy: ImagePullPolicy - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2157,7 +1657,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ProxyImageName:ProxyVersion imagePullPolicy: ImagePullPolicy livenessProbe: @@ -2413,7 +1913,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ProxyImageName:ProxyVersion imagePullPolicy: ImagePullPolicy livenessProbe: 
@@ -2494,1005 +1994,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd - annotations: - CreatedByAnnotation: CliVersion -spec: - type: ClusterIP - selector: - ControllerComponentLabel: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - CreatedByAnnotation: CliVersion - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: ControllerImageVersion - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: aef797109c168e77adfbdcb91b94ade00745023e5952a481af73b47727917289 - CreatedByAnnotation: CliVersion - linkerd.io/identity-mode: default - linkerd.io/proxy-version: ProxyVersion - labels: - ControllerComponentLabel: tap - ControllerNamespaceLabel: linkerd - WorkloadNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=ControllerLogLevel - - -identity-trust-domain=cluster.local - image: ControllerImage:ControllerImageVersion - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - 
runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "ClusterNetworks" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: 
LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ProxyImageName:ProxyVersion - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - cpu: "cpu-limit" - memory: "memory-limit" - requests: - cpu: "cpu-request" - memory: "memory-request" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191" - - --outbound-ports-to-ignore - - "443" - image: ProxyInitImageName:ProxyInitVersion - imagePullPolicy: ImagePullPolicy - name: linkerd-init - resources: - limits: - cpu: "100m" - 
memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - ControllerComponentLabel: grafana - ControllerNamespaceLabel: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - ControllerComponentLabel: grafana - ControllerNamespaceLabel: linkerd - annotations: - CreatedByAnnotation: CliVersion -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - 
namespace: linkerd - labels: - ControllerComponentLabel: grafana - ControllerNamespaceLabel: linkerd - annotations: - CreatedByAnnotation: CliVersion -spec: - type: ClusterIP - selector: - ControllerComponentLabel: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - CreatedByAnnotation: CliVersion - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: ControllerImageVersion - ControllerComponentLabel: grafana - ControllerNamespaceLabel: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - ControllerComponentLabel: grafana - ControllerNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - CreatedByAnnotation: CliVersion - linkerd.io/identity-mode: default - linkerd.io/proxy-version: ProxyVersion - labels: - ControllerComponentLabel: grafana - ControllerNamespaceLabel: linkerd - WorkloadNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:ControllerImageVersion - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - 
value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "ClusterNetworks" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 
- - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ProxyImageName:ProxyVersion - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - cpu: "cpu-limit" - memory: "memory-limit" - requests: - cpu: "cpu-request" - memory: "memory-request" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191" - - --outbound-ports-to-ignore - - "443" - image: ProxyInitImageName:ProxyInitVersion - imagePullPolicy: ImagePullPolicy - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: 
true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd - annotations: - CreatedByAnnotation: CliVersion -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - 
/etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace 
- target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - 
ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd - annotations: - CreatedByAnnotation: CliVersion -spec: - type: ClusterIP - selector: - ControllerComponentLabel: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - CreatedByAnnotation: CliVersion - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: ControllerImageVersion - ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - CreatedByAnnotation: CliVersion - linkerd.io/identity-mode: default - linkerd.io/proxy-version: ProxyVersion - labels: - ControllerComponentLabel: prometheus - ControllerNamespaceLabel: linkerd - WorkloadNamespaceLabel: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: PrometheusImage - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: 
LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "ClusterNetworks" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: 
LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ProxyImageName:ProxyVersion - imagePullPolicy: ImagePullPolicy - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - limits: - cpu: "cpu-limit" - memory: "memory-limit" - requests: - cpu: "cpu-request" - memory: "memory-request" - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191" - - --outbound-ports-to-ignore - - "443" - image: ProxyInitImageName:ProxyInitVersion - imagePullPolicy: ImagePullPolicy - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: 
false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: Y29udHJvbGxlckltYWdlOiBDb250cm9sbGVySW1hZ2UKZGVidWdDb250YWluZXI6CiAgaW1hZ2U6CiAgICBuYW1lOiBEZWJ1Z0ltYWdlTmFtZQogICAgcHVsbFBvbGljeTogRGVidWdJbWFnZVB1bGxQb2xpY3kKICAgIHZlcnNpb246IERlYnVnVmVyc2lvbgpnbG9iYWw6CiAgY2xpVmVyc2lvbjogQ2xpVmVyc2lvbgogIGNsdXN0ZXJOZXR3b3JrczogQ2x1c3Rlck5ldHdvcmtzCiAgY29udHJvbFBsYW5lVHJhY2luZ05hbWVzcGFjZTogIiIKICBjb250cm9sbGVyQ29tcG9uZW50TGFiZWw6IENvbnRyb2xsZXJDb21wb25lbnRMYWJlbAogIGNvbnRyb2xsZXJJbWFnZVZlcnNpb246IENvbnRyb2xsZXJJbWFnZVZlcnNpb24KICBjb250cm9sbGVyTG9nTGV2ZWw6IENvbnRyb2xsZXJMb2dMZXZlbAogIGNvbnRyb2xsZXJOYW1lc3BhY2VMYWJlbDogQ29udHJvbGxlck5hbWVzcGFjZUxhYmVsCiAgY3JlYXRlZEJ5QW5ub3RhdGlvbjogQ3JlYXRlZEJ5QW5ub3RhdGlvbgogIGlkZW50aXR5VHJ1c3RBbmNob3JzUEVNOiB8CiAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgIE1JSUJ3VENDQVdhZ0F3SUJBZ0lRZURacDVsRGFJeWdRNVVmTUtackZBVEFLQmdncWhrak9QUVFEQWpBcE1TY3cKICAgIEpRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXJaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dIaGNOTWpBd09ESTQKICAgIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICAgIFpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFScWM3MFoKICAgIGwxdmd3NzlyakI1dVNJVElDVUE2R3lmdlNGZmN1SWlzN0IvWEZTa2t3QUhVNVMvczFBQVArUjBUWDdIQldVQzQKICAgIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAgIC93SUJBVEFkQmdOVkhRNEVGZ1FVNVl0alZWUGZkN0k3TkxIc24yQzI2RUJ5R1Ywd0tRWURWUjBSQkNJd0lJSWUKICAgIGFXUmxiblJwZEhr
dWJHbHVhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUMKICAgIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICAgIHZnVUMwZDIvOUZNdWVJVk1iKzQ2V1RDT2pzcXIKICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICBpbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogIGltYWdlUHVsbFNlY3JldHM6IG51bGwKICBsaW5rZXJkTmFtZXNwYWNlTGFiZWw6IExpbmtlcmROYW1lc3BhY2VMYWJlbAogIGxpbmtlcmRWZXJzaW9uOiAiIgogIHByb3h5OgogICAgaW1hZ2U6CiAgICAgIG5hbWU6IFByb3h5SW1hZ2VOYW1lCiAgICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgICB2ZXJzaW9uOiBQcm94eVZlcnNpb24KICAgIGluYm91bmRDb25uZWN0VGltZW91dDogIiIKICAgIG91dGJvdW5kQ29ubmVjdFRpbWVvdXQ6ICIiCiAgICByZXNvdXJjZXM6CiAgICAgIGNwdToKICAgICAgICBsaW1pdDogY3B1LWxpbWl0CiAgICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgICAgbWVtb3J5OgogICAgICAgIGxpbWl0OiBtZW1vcnktbGltaXQKICAgICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdAogIHByb3h5Q29udGFpbmVyTmFtZTogUHJveHlDb250YWluZXJOYW1lCiAgcHJveHlJbml0OgogICAgaWdub3JlSW5ib3VuZFBvcnRzOiAiIgogICAgaWdub3JlT3V0Ym91bmRQb3J0czogIjQ0MyIKICAgIGltYWdlOgogICAgICBuYW1lOiBQcm94eUluaXRJbWFnZU5hbWUKICAgICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICAgIHZlcnNpb246IFByb3h5SW5pdFZlcnNpb24KICBwcm94eUluamVjdEFubm90YXRpb246IFByb3h5SW5qZWN0QW5ub3RhdGlvbgogIHByb3h5SW5qZWN0RGlzYWJsZWQ6IFByb3h5SW5qZWN0RGlzYWJsZWQKICB3b3JrbG9hZE5hbWVzcGFjZUxhYmVsOiBXb3JrbG9hZE5hbWVzcGFjZUxhYmVsCmhlYXJ0YmVhdFNjaGVkdWxlOiAiIgppZGVudGl0eToKICBpc3N1ZXI6CiAgICBjcnRFeHBpcnk6ICIyMDMwLTA4LTI2VDA3OjEzOjQ3WiIKICAgIHRsczoKICAgICAgY3J0UEVNOiB8CiAgICAgICAgLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgICAgICAgTUlJQndEQ0NBV2VnQXdJQkFnSVJBSlJJZ1o4UnRPOEV3ZzFYZXBmOFQ0NHdDZ1lJS29aSXpqMEVBd0l3S1RFbgogICAgICAgIE1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHVhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNQjRYRFRJd01EZ3kKICAgICAgICBPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CiAgICAgICAgYTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMS9GcAogICAgICAgIGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MmRRdlJhWWFudXhEMzZE
dDEKICAgICAgICAyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCiAgICAgICAgQWY4Q0FRQXdIUVlEVlIwT0JCWUVGSTFXbnJxTVlLYUhIT28renB5aWlEcTJwTzBLTUNrR0ExVWRFUVFpTUNDQwogICAgICAgIEhtbGtaVzUwYVhSNUxteHBibXRsY21RdVkyeDFjM1JsY2k1c2IyTmhiREFLQmdncWhrak9QUVFEQWdOSEFEQkUKICAgICAgICBBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CiAgICAgICAgNTF0ZHJta0hFWlJyMHFsTFNKZEhZZ0VmTXprPQogICAgICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICAgICAga2V5UEVNOiB8CiAgICAgICAgLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCiAgICAgICAgTUhjQ0FRRUVJQUFlOG5mYnpadTljL09CMis4eEpNMEZ6N05Vd1RRYXp1bGtGTnM0VEk1K29Bb0dDQ3FHU000OQogICAgICAgIEF3RUhvVVFEUWdBRTEvRnBmY1JuRGNlZEw2QWpVYVhZUHY0RElNQmFKdWZPSTVOV3R5K1hTWDdKalhnWnRNNzIKICAgICAgICBkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KICAgICAgICAtLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCnByb2ZpbGVWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHByb2ZpbGUgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGNydFBFTTogcHJvZmlsZSB2YWxpZGF0b3IgY3J0CiAga2V5UEVNOiBwcm9maWxlIHZhbGlkYXRvciBrZXkKcHJvbWV0aGV1czoKICBpbWFnZTogUHJvbWV0aGV1c0ltYWdlCnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGNydFBFTTogcHJveHkgaW5qZWN0b3IgY3J0CiAga2V5UEVNOiBwcm94eSBpbmplY3RvciBrZXkKdGFwOgogIGNhQnVuZGxlOiB0YXAgQ0EgYnVuZGxlCiAgY3J0UEVNOiB0YXAgY3J0CiAga2V5UEVNOiB0YXAga2V5CndlYkltYWdlOiBXZWJJbWFnZQp3ZWJob29rRmFpbHVyZVBvbGljeTogV2ViaG9va0ZhaWx1cmVQb2xpY3kK + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_prometheus_overwrite.golden b/cli/cmd/testdata/install_prometheus_overwrite.golden index edcacaaff..87657dccb 100644 --- a/cli/cmd/testdata/install_prometheus_overwrite.golden +++ b/cli/cmd/testdata/install_prometheus_overwrite.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -756,24 +520,12 @@ roleRef: name: linkerd-psp apiGroup: rbac.authorization.k8s.io subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd @@ -781,10 +533,7 @@ subjects: name: linkerd-sp-validator namespace: linkerd - kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web + name: linkerd-heartbeat namespace: linkerd --- kind: ConfigMap 
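Review bot: The `linkerd-psp` RoleBinding in hunk `@@ -756,24 +520,12 @@` drops `linkerd-controller` from its subjects, yet later hunks of this file still render the `linkerd-controller` Deployment in namespace `linkerd` with `serviceAccountName: linkerd-controller`. No other policy binding for that account appears in the visible hunks, so on a cluster that enforces PodSecurityPolicy the controller pod may no longer be admitted, or may be admitted under whatever broader policy happens to be bound. This golden file is rendered output, so the fix belongs in the chart template: keep `- kind: ServiceAccount`, `name: linkerd-controller`, `namespace: linkerd` in the subjects list for as long as the Deployment stays in the core chart.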
@@ -802,8 +551,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug @@ -908,8 +655,7 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true + grafana: null heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -936,6 +682,7 @@ data: identityProxyResources: null identityResources: null installNamespace: true + linkerdVizNamespace: linkerd-viz nodeSelector: beta.kubernetes.io/os: linux omitWebhookSideEffects: false @@ -960,7 +707,6 @@ data: regex: prometheus_replica args: log.format: json - enabled: true globalConfig: evaluation_interval: 2m external_labels: @@ -1025,14 +771,9 @@ data: restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false tapProxyResources: null tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web webProxyResources: null webResources: null webhookFailurePolicy: Ignore @@ -1234,7 +975,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
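Review bot: `LINKERD2_PROXY_TAP_SVC_NAME` in hunk `@@ -1234,7 +975,7 @@` now names `linkerd-tap.linkerd-viz.serviceaccount.identity.…`, an identity whose ServiceAccount this manifest no longer creates, since the Tap RBAC section is removed earlier in the file. The same change is repeated in hunks `@@ -1718,7 +1229,7 @@`, `@@ -2209,7 +1487,7 @@`, `@@ -2463,7 +1741,7 @@` and `@@ -2704,7 +1974,7 @@`. The control-plane proxies therefore expect their tap peer in an extension namespace, which ties tap access on those pods to who may create ServiceAccounts in `linkerd-viz`, including on clusters where the extension is not installed. The rendered output does not show whether the namespace comes from `linkerdVizNamespace` or is written literally. It should come from that value, and the template deserves a comment such as `# tap identity belongs to the viz extension; restrict that namespace like the control-plane namespace`.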
@@ -1310,236 +1051,6 @@ spec: name: linkerd-identity-end-entity --- ### -### Controller -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-controller-api - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: controller - ports: - - name: http - port: 8085 - targetPort: 8085 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - name: linkerd-controller - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - public-api - - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - - -controller-namespace=linkerd - - -log-level=info - - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: public-api - ports: - - containerPort: 8085 - 
name: http - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - 
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 
"4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-controller - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Destination Controller Service ### --- @@ -1718,7 +1229,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1832,244 +1343,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
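Review bot: The heartbeat argument in hunk `@@ -1832,244 +1343,11 @@` now points at `http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090`, a service this core manifest no longer creates, and the `public-api` container in hunk `@@ -2539,98 +1817,90 @@` gets the same `-prometheus-url`. Core components thus carry a fixed reference to an extension namespace. The hunks do not show how either behaves when that service is absent or when the extension is installed under a different namespace. I would render the URL from `linkerdVizNamespace` and document the dependency next to the flag in the template, for example `# requires the viz extension; heartbeat metrics are skipped when Prometheus is unreachable` if that is the intended behaviour.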
@@ -2209,7 +1487,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2463,7 +1741,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2539,98 +1817,90 @@ spec: name: linkerd-identity-end-entity --- ### -### Tap +### Controller ### --- kind: Service apiVersion: v1 metadata: - name: linkerd-tap + name: linkerd-controller-api namespace: linkerd labels: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli dev-undefined spec: type: ClusterIP selector: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver + - name: http + port: 8085 + targetPort: 8085 --- -kind: Deployment apiVersion: apps/v1 +kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli dev-undefined labels: - app.kubernetes.io/name: tap + app.kubernetes.io/name: controller app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd - name: linkerd-tap + name: linkerd-controller namespace: linkerd spec: replicas: 1 selector: matchLabels: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap + linkerd.io/proxy-deployment: linkerd-controller template: metadata: annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/identity-mode: default linkerd.io/proxy-version: install-proxy-version labels: - linkerd.io/control-plane-component: tap + linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap + linkerd.io/proxy-deployment: linkerd-controller spec: nodeSelector: beta.kubernetes.io/os: 
linux containers: - args: - - tap + - public-api + - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - -controller-namespace=linkerd - -log-level=info - - -identity-trust-domain=cluster.local + - -cluster-domain=cluster.local + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping - port: 9998 + port: 9995 initialDelaySeconds: 10 - name: tap + name: public-api ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 + - containerPort: 8085 + name: http + - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready - port: 9998 + port: 9995 securityContext: runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" @@ -2704,7 +1974,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2768,828 +2038,17 @@ spec: volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap + serviceAccountName: linkerd-controller volumes: - emptyDir: {} name: linkerd-proxy-init-xtables-lock - emptyDir: medium: Memory name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - 
selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: 
linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - 
name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - 
privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 
2m - external_labels: - cluster: cluster-1 - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - 
__meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into 
real labels - - action: labelmap - regex: __tmp_pod_label_(.+) - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - job_name: kubernetes-nodes - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - alerting: - alert_relabel_configs: - - action: labeldrop - regex: prometheus_replica - alertmanagers: - - scheme: http - static_configs: - - targets: - - alertmanager.linkerd.svc:9093 - remote_write: - - url: http://cortex-service.default:9009/api/prom/push ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - 
spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - command: - - /bin/sh - - -c - - | - exec /bin/stackdriver-prometheus-sidecar \ - --stackdriver.project-id=myproject \ - --stackdriver.kubernetes.location=us-central1 \ - --stackdriver.kubernetes.cluster-name=mycluster \ - --prometheus.wal-directory=/data/wal \ - --log.level=info - volumeMounts: - - mountPath: /data - name: data - imagePullPolicy: always - lifecycle: - type: Sidecar - name: sidecar - ports: - - containerPort: 9091 - name: foo - protocol: TCP - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.format=json - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: linkedin.io/prom - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - name: alerting-rules - mountPath: /etc/prometheus/alerting_rules.yml - subPath: alerting_rules.yml - readOnly: true - - name: recording-rules - mountPath: /etc/prometheus/recording_rules.yml - subPath: recording_rules.yml - readOnly: true - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - 
name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: 
_l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: 
linkerd-prometheus - volumes: - - name: alerting-rules - configMap: - name: linkerd-prometheus-rules - - name: recording-rules - configMap: - name: linkerd-prometheus-rules - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity --- apiVersion: v1 data: - linkerd-config-overrides: ZGVidWdDb250YWluZXI6CiAgaW1hZ2U6CiAgICB2ZXJzaW9uOiBpbnN0YWxsLWRlYnVnLXZlcnNpb24KZ2xvYmFsOgogIGNvbnRyb2xsZXJJbWFnZVZlcnNpb246IGluc3RhbGwtY29udHJvbC1wbGFuZS12ZXJzaW9uCiAgaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAgIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogICAgTUlJQndUQ0NBV2FnQXdJQkFnSVFlRFpwNWxEYUl5Z1E1VWZNS1pyRkFUQUtCZ2dxaGtqT1BRUURBakFwTVNjdwogICAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogICAgTURjeE1qUTNXaGNOTXpBd09ESTJNRGN4TWpRM1dqQXBNU2N3SlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1cgogICAgWlhKa0xtTnNkWE4wWlhJdWJHOWpZV3d3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVJxYzcwWgogICAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogICAgdWFHNFdXc2l3SktObjdtZ28zQXdiakFPQmdOVkhROEJBZjhFQkFNQ0FRWXdFZ1lEVlIwVEFRSC9CQWd3QmdFQgogICAgL3dJQkFUQWRCZ05WSFE0RUZnUVU1WXRqVlZQZmQ3STdOTEhzbjJDMjZFQnlHVjB3S1FZRFZSMFJCQ0l3SUlJZQogICAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogICAgSVFDTjdsQkZMRER2ang2VjArWGtqcEtFUlJzSllmNWFkTXZubG9GbDQ4aWxKZ0loQU50eGhuZGNyK1FKUHVDOAogICAgdmdVQzBkMi85Rk11ZUlWTWIrNDZXVENPanNxcgogICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogIHByb3h5OgogICAgaW1hZ2U6CiAgICAgIHZlcnNpb246IGluc3RhbGwtcHJveHktdmVyc2lvbgpoZWFydGJlYXRTY2hlZHVsZTogMSAyIDMgNCA1CmlkZW50aXR5OgogIGlzc3VlcjoKICAgIGNydEV4cGlyeTogIjIwMzAtMDgtMjZUMDc6MTM6NDdaIgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR
0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KcHJvZmlsZVZhbGlkYXRvcjoKICBjYUJ1bmRsZTogcHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgY3J0UEVNOiBwcm9maWxlIHZhbGlkYXRvciBjcnQKICBrZXlQRU06IHByb2ZpbGUgdmFsaWRhdG9yIGtleQpwcm9tZXRoZXVzOgogIGFsZXJ0TWFuYWdlcnM6CiAgLSBzY2hlbWU6IGh0dHAKICAgIHN0YXRpY19jb25maWdzOgogICAgLSB0YXJnZXRzOgogICAgICAtIGFsZXJ0bWFuYWdlci5saW5rZXJkLnN2Yzo5MDkzCiAgYWxlcnRSZWxhYmVsQ29uZmlnczoKICAtIGFjdGlvbjogbGFiZWxkcm9wCiAgICByZWdleDogcHJvbWV0aGV1c19yZXBsaWNhCiAgYXJnczoKICAgIGxvZy5mb3JtYXQ6IGpzb24KICBnbG9iYWxDb25maWc6CiAgICBldmFsdWF0aW9uX2ludGVydmFsOiAybQogICAgZXh0ZXJuYWxfbGFiZWxzOgogICAgICBjbHVzdGVyOiBjbHVzdGVyLTEKICBpbWFnZTogbGlua2VkaW4uaW8vcHJvbQogIHJlbW90ZVdyaXRlOgogIC0gdXJsOiBodHRwOi8vY29ydGV4LXNlcnZpY2UuZGVmYXVsdDo5MDA5L2FwaS9wcm9tL3B1c2gKICBydWxlQ29uZmlnTWFwTW91bnRzOgogIC0gY29uZmlnTWFwOiBsa
W5rZXJkLXByb21ldGhldXMtcnVsZXMKICAgIG5hbWU6IGFsZXJ0aW5nLXJ1bGVzCiAgICBzdWJQYXRoOiBhbGVydGluZ19ydWxlcy55bWwKICAtIGNvbmZpZ01hcDogbGlua2VyZC1wcm9tZXRoZXVzLXJ1bGVzCiAgICBuYW1lOiByZWNvcmRpbmctcnVsZXMKICAgIHN1YlBhdGg6IHJlY29yZGluZ19ydWxlcy55bWwKICBzY3JhcGVDb25maWdzOgogIC0gYmVhcmVyX3Rva2VuX2ZpbGU6IC92YXIvcnVuL3NlY3JldHMva3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC90b2tlbgogICAgam9iX25hbWU6IGt1YmVybmV0ZXMtbm9kZXMKICAgIGt1YmVybmV0ZXNfc2RfY29uZmlnczoKICAgIC0gcm9sZTogbm9kZQogICAgcmVsYWJlbF9jb25maWdzOgogICAgLSBhY3Rpb246IGxhYmVsbWFwCiAgICAgIHJlZ2V4OiBfX21ldGFfa3ViZXJuZXRlc19ub2RlX2xhYmVsXyguKykKICAgIHNjaGVtZTogaHR0cHMKICAgIHRsc19jb25maWc6CiAgICAgIGNhX2ZpbGU6IC92YXIvcnVuL3NlY3JldHMva3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9jYS5jcnQKICBzaWRlY2FyQ29udGFpbmVyczoKICAtIGNvbW1hbmQ6CiAgICAtIC9iaW4vc2gKICAgIC0gLWMKICAgIC0gfAogICAgICBleGVjIC9iaW4vc3RhY2tkcml2ZXItcHJvbWV0aGV1cy1zaWRlY2FyIFwKICAgICAgICAtLXN0YWNrZHJpdmVyLnByb2plY3QtaWQ9bXlwcm9qZWN0IFwKICAgICAgICAtLXN0YWNrZHJpdmVyLmt1YmVybmV0ZXMubG9jYXRpb249dXMtY2VudHJhbDEgXAogICAgICAgIC0tc3RhY2tkcml2ZXIua3ViZXJuZXRlcy5jbHVzdGVyLW5hbWU9bXljbHVzdGVyIFwKICAgICAgICAtLXByb21ldGhldXMud2FsLWRpcmVjdG9yeT0vZGF0YS93YWwgXAogICAgICAgIC0tbG9nLmxldmVsPWluZm8KICAgICAgdm9sdW1lTW91bnRzOgogICAgICAtIG1vdW50UGF0aDogL2RhdGEKICAgICAgICBuYW1lOiBkYXRhCiAgICBpbWFnZVB1bGxQb2xpY3k6IGFsd2F5cwogICAgbGlmZWN5Y2xlOgogICAgICB0eXBlOiBTaWRlY2FyCiAgICBuYW1lOiBzaWRlY2FyCiAgICBwb3J0czoKICAgIC0gY29udGFpbmVyUG9ydDogOTA5MQogICAgICBuYW1lOiBmb28KICAgICAgcHJvdG9jb2w6IFRDUApwcm94eUluamVjdG9yOgogIGNhQnVuZGxlOiBwcm94eSBpbmplY3RvciBDQSBidW5kbGUKICBjcnRQRU06IHByb3h5IGluamVjdG9yIGNydAogIGtleVBFTTogcHJveHkgaW5qZWN0b3Iga2V5CnRhcDoKICBjYUJ1bmRsZTogdGFwIENBIGJ1bmRsZQogIGNydFBFTTogdGFwIGNydAogIGtleVBFTTogdGFwIGtleQo= + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index 3682c4d0c..21d352b3a 100644 
--- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden 
@@ -210,118 +210,6 @@ metadata: linkerd.io/control-plane-ns: linkerd --- ### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] -- apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - 
linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### ### Service Profile CRD ### --- 
@@ -564,130 +452,6 @@ webhooks: sideEffects: None --- ### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: 
linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### ### Control Plane PSP ### --- @@ -762,30 +526,18 @@ subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd --- kind: ConfigMap apiVersion: v1 @@ -802,8 +554,6 @@ data: controllerImage: ghcr.io/linkerd/controller controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: image: name: ghcr.io/linkerd/debug 
@@ -908,8 +658,6 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: 1 2 3 4 5 identity: @@ -949,8 +697,6 @@ data: operator: NotIn values: - disabled - prometheus: - enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt @@ -965,19 +711,9 @@ data: proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null webhookFailurePolicy: Ignore --- ### @@ -1177,7 +913,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1316,7 +1052,7 @@ spec: - -controller-namespace=linkerd - -log-level=info - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 image: ghcr.io/linkerd/controller:install-control-plane-version imagePullPolicy: IfNotPresent livenessProbe: 
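Review bot: The new `LINKERD2_PROXY_TAP_SVC_NAME` value in the `@@ -1177,7 +913,7 @@` hunk pins the tap identity to the literal namespace `linkerd-viz`, while the rest of the name is still built from `$(_l5d_ns)` and `$(_l5d_trustdomain)`. If, as the variable name suggests, the proxy treats this as the identity it accepts tap requests from, every control-plane proxy now trusts a `linkerd-tap` service account in a namespace this manifest no longer creates, and an extension installed under a different namespace would not match. The same literal appears in the later `LINKERD2_PROXY_TAP_SVC_NAME` hunks (`-1410`, `-1661`, `-2152`, `-2406`) and in the `-prometheus-url` arguments of the `-1316` and `-1775` hunks. I would have the template that renders this output take the namespace from a configurable value, e.g. `value: linkerd-tap.<VIZ_NAMESPACE_PLACEHOLDER>.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`, and state in the install documentation that creating service accounts in that namespace must be restricted. The template and this section's file header are outside the visible lines, so this is inferred from the rendered output only.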
@@ -1410,7 +1146,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -1661,7 +1397,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -1775,244 +1511,11 @@ spec: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - 
-enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,22,8100-8102" - - --outbound-ports-to-ignore - - "5432" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### ### Proxy Injector ### --- 
@@ -2152,7 +1655,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: @@ -2406,7 +1909,7 @@ spec: - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + value: linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: ghcr.io/linkerd/proxy:install-proxy-version imagePullPolicy: IfNotPresent livenessProbe: 
@@ -2481,999 +1984,9 @@ spec: medium: Memory name: linkerd-identity-end-entity --- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 
9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,22,8100-8102" - - --outbound-ports-to-ignore - - "5432" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: 
grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - 
matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: 
LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: 
linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,22,8100-8102" - - --outbound-ports-to-ignore - - "5432" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: 
provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: 
https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - 
source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: 
- annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: 
LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: 
linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,22,8100-8102" - - --outbound-ports-to-ignore - - "5432" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - 
runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- apiVersion: v1 data: - linkerd-config-overrides: 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 + linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null diff --git a/cli/cmd/testdata/install_restricted_dashboard.golden b/cli/cmd/testdata/install_restricted_dashboard.golden deleted file mode 100644 index 02e634ab3..000000000 --- a/cli/cmd/testdata/install_restricted_dashboard.golden +++ /dev/null 
@@ -1,3415 +0,0 @@ ---- -### -### Linkerd Namespace -### ---- -kind: Namespace -apiVersion: v1 -metadata: - name: linkerd - annotations: - linkerd.io/inject: disabled - labels: - linkerd.io/is-control-plane: "true" - config.linkerd.io/admission-webhooks: disabled - linkerd.io/control-plane-ns: linkerd ---- -### -### Identity Controller Service RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-identity - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-identity - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-identity -subjects: -- kind: ServiceAccount - name: linkerd-identity - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd ---- -### -### Controller RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-controller - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] -- apiGroups: [""] - resources: ["pods", "endpoints", "services", "replicationcontrollers", 
"namespaces"] - verbs: ["list", "get", "watch"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list", "get", "watch"] -- apiGroups: ["split.smi-spec.io"] - resources: ["trafficsplits"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-controller - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-controller -subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-controller - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd ---- -### -### Destination Controller Service -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-destination - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["list", "get", "watch"] -- apiGroups: [""] - resources: ["pods", "endpoints", "services", "nodes", "namespaces"] - verbs: ["list", "get", "watch"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list", "get", "watch"] -- apiGroups: ["split.smi-spec.io"] - resources: ["trafficsplits"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-destination - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-destination -subjects: -- kind: ServiceAccount - name: linkerd-destination - 
namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-destination - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd ---- -### -### Heartbeat RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-heartbeat - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-component: heartbeat - linkerd.io/control-plane-ns: linkerd ---- -### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### -### Service Profile CRD 
-### ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceprofiles.linkerd.io - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - linkerd.io/control-plane-ns: linkerd -spec: - group: linkerd.io - versions: - - name: v1alpha1 - served: true - storage: false - - name: v1alpha2 - served: true - storage: true - scope: Namespaced - names: - plural: serviceprofiles - singular: serviceprofile - kind: ServiceProfile - shortNames: - - sp ---- -### -### TrafficSplit CRD -### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml -### ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: trafficsplits.split.smi-spec.io - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - linkerd.io/control-plane-ns: linkerd -spec: - group: split.smi-spec.io - version: v1alpha1 - scope: Namespaced - names: - kind: TrafficSplit - shortNames: - - ts - plural: trafficsplits - singular: trafficsplit - additionalPrinterColumns: - - name: Service - type: string - description: The apex service of this split. 
- JSONPath: .spec.service ---- -### -### Proxy Injector RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: [""] - resources: ["namespaces", "replicationcontrollers"] - verbs: ["list", "get", "watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["list", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -subjects: -- kind: ServiceAccount - name: linkerd-proxy-injector - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-proxy-injector - apiGroup: rbac.authorization.k8s.io ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-proxy-injector-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: cHJveHkgaW5qZWN0b3IgY3J0 - tls.key: cHJveHkgaW5qZWN0b3Iga2V5 ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: linkerd-proxy-injector-webhook-config - labels: - 
linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -webhooks: -- name: linkerd-proxy-injector.linkerd.io - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - clientConfig: - service: - name: linkerd-proxy-injector - namespace: linkerd - path: "/" - caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl - failurePolicy: Ignore - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - sideEffects: None ---- -### -### Service Profile Validator RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["list"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -subjects: -- kind: ServiceAccount - name: linkerd-sp-validator - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-sp-validator - apiGroup: rbac.authorization.k8s.io ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-sp-validator-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: cHJvZmlsZSB2YWxpZGF0b3IgY3J0 - tls.key: cHJvZmlsZSB2YWxpZGF0b3Iga2V5 ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: 
- name: linkerd-sp-validator-webhook-config - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -webhooks: -- name: linkerd-sp-validator.linkerd.io - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - clientConfig: - service: - name: linkerd-sp-validator - namespace: linkerd - path: "/" - caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl - failurePolicy: Ignore - rules: - - operations: [ "CREATE" , "UPDATE" ] - apiGroups: ["linkerd.io"] - apiVersions: ["v1alpha1", "v1alpha2"] - resources: ["serviceprofiles"] - sideEffects: None ---- -### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRoleBinding -metadata: - name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-k8s-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: kubernetes.io/tls -data: - tls.crt: dGFwIGNydA== - tls.key: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIENBIGJ1bmRsZQ== ---- -### -### Control Plane PSP -### ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: linkerd-linkerd-control-plane - labels: - linkerd.io/control-plane-ns: linkerd -spec: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - allowedCapabilities: - - NET_ADMIN - - NET_RAW - 
requiredDropCapabilities: - - ALL - hostNetwork: false - hostIPC: false - hostPID: false - seLinux: - rule: RunAsAny - runAsUser: - rule: RunAsAny - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - volumes: - - configMap - - emptyDir - - secret - - projected - - downwardAPI - - persistentVolumeClaim ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-psp - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ['policy', 'extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - linkerd-linkerd-control-plane ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-psp - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-psp - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd -- kind: ServiceAccount - name: linkerd-destination - namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd -- kind: ServiceAccount - name: linkerd-identity - namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd -- kind: ServiceAccount - name: linkerd-proxy-injector - namespace: linkerd -- kind: ServiceAccount - name: linkerd-sp-validator - namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - values: | - controllerImage: ghcr.io/linkerd/controller - 
controllerReplicas: 1 - controllerUID: 2103 - dashboard: - replicas: 1 - debugContainer: - image: - name: ghcr.io/linkerd/debug - pullPolicy: IfNotPresent - version: install-debug-version - destinationProxyResources: null - destinationResources: null - disableHeartBeat: false - enableH2Upgrade: true - enablePodAntiAffinity: false - global: - cliVersion: linkerd/cli dev-undefined - clusterDomain: cluster.local - clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - cniEnabled: false - controlPlaneTracing: false - controlPlaneTracingNamespace: linkerd-jaeger - controllerComponentLabel: linkerd.io/control-plane-component - controllerImageVersion: install-control-plane-version - controllerLogLevel: info - controllerNamespaceLabel: linkerd.io/control-plane-ns - createdByAnnotation: linkerd.io/created-by - enableEndpointSlices: false - grafanaUrl: "" - highAvailability: false - identityTrustAnchorsPEM: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - identityTrustDomain: cluster.local - imagePullPolicy: IfNotPresent - imagePullSecrets: [] - linkerdNamespaceLabel: linkerd.io/is-control-plane - linkerdVersion: dev-undefined - namespace: linkerd - podAnnotations: {} - podLabels: {} - prometheusUrl: "" - proxy: - capabilities: null - disableIdentity: false - disableTap: false - enableExternalProfiles: false - image: - 
name: ghcr.io/linkerd/proxy - pullPolicy: IfNotPresent - version: install-proxy-version - inboundConnectTimeout: 100ms - isGateway: false - isIngress: false - logFormat: plain - logLevel: warn,linkerd=info - opaquePorts: "" - outboundConnectTimeout: 1000ms - ports: - admin: 4191 - control: 4190 - inbound: 4143 - outbound: 4140 - requireIdentityOnInboundPorts: "" - resources: - cpu: - limit: "" - request: "" - memory: - limit: "" - request: "" - saMountPath: null - uid: 2102 - waitBeforeExitSeconds: 0 - proxyContainerName: linkerd-proxy - proxyInit: - capabilities: null - closeWaitTimeoutSecs: 0 - ignoreInboundPorts: 25,443,587,3306,11211 - ignoreOutboundPorts: 25,443,587,3306,11211 - image: - name: ghcr.io/linkerd/proxy-init - pullPolicy: IfNotPresent - version: v1.3.8 - resources: - cpu: - limit: 100m - request: 10m - memory: - limit: 50Mi - request: 10Mi - saMountPath: null - xtMountPath: - mountPath: /run - name: linkerd-proxy-init-xtables-lock - readOnly: false - proxyInjectAnnotation: linkerd.io/inject - proxyInjectDisabled: disabled - workloadNamespaceLabel: linkerd.io/workload-ns - grafana: - enabled: true - heartbeatResources: null - heartbeatSchedule: 1 2 3 4 5 - identity: - issuer: - clockSkewAllowance: 20s - crtExpiry: "2030-08-26T07:13:47Z" - crtExpiryAnnotation: linkerd.io/identity-issuer-expiry - issuanceLifetime: 24h0m0s - scheme: linkerd.io/tls - tls: - crtPEM: | - -----BEGIN CERTIFICATE----- - MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn - MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy - ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu - a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp - fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1 - 2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB - Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC - HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE - 
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5 - 51tdrmkHEZRr0qlLSJdHYgEfMzk= - -----END CERTIFICATE----- - identityProxyResources: null - identityResources: null - installNamespace: true - nodeSelector: - beta.kubernetes.io/os: linux - omitWebhookSideEffects: false - profileValidator: - caBundle: profile validator CA bundle - crtPEM: profile validator crt - externalSecret: false - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - prometheus: - enabled: true - proxyInjector: - caBundle: proxy injector CA bundle - crtPEM: proxy injector crt - externalSecret: false - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - proxyInjectorProxyResources: null - proxyInjectorResources: null - publicAPIProxyResources: null - publicAPIResources: null - restrictDashboardPrivileges: true - spValidatorProxyResources: null - spValidatorResources: null - tap: - caBundle: tap CA bundle - crtPEM: tap crt - externalSecret: false - tapProxyResources: null - tapResources: null - tolerations: null - webImage: ghcr.io/linkerd/web - webProxyResources: null - webResources: null - webhookFailurePolicy: Ignore ---- -### -### Identity Controller Service -### ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-identity-issuer - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-issuer-expiry: 2030-08-26T07:13:47Z -data: - crt.pem: 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 - key.pem: 
LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ== ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: identity - ports: - - name: grpc - port: 8080 - targetPort: 8080 ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-identity-headless - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - clusterIP: None - selector: - linkerd.io/control-plane-component: identity - ports: - - name: grpc - port: 8080 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: identity - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - name: linkerd-identity - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-identity - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - 
linkerd.io/proxy-deployment: linkerd-identity - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - identity - - -log-level=info - - -controller-namespace=linkerd - - -identity-trust-domain=cluster.local - - -identity-issuance-lifetime=24h0m0s - - -identity-clock-skew-allowance=20s - - -identity-trust-anchors-pem=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 - - -identity-scheme=linkerd.io/tls - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9990 - initialDelaySeconds: 10 - name: identity - ports: - - containerPort: 8080 - name: grpc - - containerPort: 9990 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9990 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/identity/issuer - name: identity-issuer - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: localhost.:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: 
LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-identity - volumes: - - name: identity-issuer - secret: - secretName: linkerd-identity-issuer - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Controller -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-controller-api - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - 
annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: controller - ports: - - name: http - port: 8085 - targetPort: 8085 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: controller - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - name: linkerd-controller - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - public-api - - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - - -controller-namespace=linkerd - - -log-level=info - - -cluster-domain=cluster.local - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: public-api - ports: - - containerPort: 8085 - name: http - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - 
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: 
/var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false 
- capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-controller - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Destination Controller Service -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-dst - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: destination - ports: - - name: grpc - port: 8086 - targetPort: 8086 ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-dst-headless - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - clusterIP: None - selector: - linkerd.io/control-plane-component: destination - ports: - - name: grpc - port: 8086 - targetPort: 8086 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: destination - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - name: linkerd-destination - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-destination - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: 
default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-destination - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - destination - - -addr=:8086 - - -controller-namespace=linkerd - - -enable-h2-upgrade=true - - -log-level=info - - -enable-endpoint-slices=false - - -cluster-domain=cluster.local - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9996 - initialDelaySeconds: 10 - name: destination - ports: - - containerPort: 8086 - name: grpc - - containerPort: 9996 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9996 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: localhost.:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-destination - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Heartbeat -### ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - app.kubernetes.io/name: heartbeat - 
app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: heartbeat - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - schedule: "1 2 3 4 5" - successfulJobsHistoryLimit: 0 - jobTemplate: - spec: - template: - metadata: - labels: - linkerd.io/control-plane-component: heartbeat - linkerd.io/workload-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - spec: - nodeSelector: - beta.kubernetes.io/os: linux - serviceAccountName: linkerd-heartbeat - restartPolicy: Never - containers: - - name: heartbeat - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - args: - - "heartbeat" - - "-controller-namespace=linkerd" - - "-log-level=info" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" - securityContext: - runAsUser: 2103 ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - 
annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -cluster-domain=cluster.local - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: ghcr.io/linkerd/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-web - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Proxy Injector -### ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: proxy-injector - 
app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - name: linkerd-proxy-injector - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: proxy-injector - template: - metadata: - annotations: - checksum/config: 906e23f11c1c920abd60ae9cce09ca9f53673544c9c587ef390110c4a4bfe60d - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-proxy-injector - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - proxy-injector - - -log-level=info - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: proxy-injector - ports: - - containerPort: 8443 - name: proxy-injector - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 
0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: 
$(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-proxy-injector - volumes: - - configMap: - name: linkerd-config - name: config - - 
name: tls - secret: - secretName: linkerd-proxy-injector-k8s-tls - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: proxy-injector - ports: - - name: proxy-injector - port: 443 - targetPort: proxy-injector ---- -### -### Service Profile Validator -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: sp-validator - ports: - - name: sp-validator - port: 443 - targetPort: sp-validator ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: sp-validator - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - name: linkerd-sp-validator - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: sp-validator - template: - metadata: - annotations: - checksum/config: 82e78e61c12a83a1c769a6a0b19b1567b0f73e5ebe240277970a23d83de6fe22 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - 
linkerd.io/proxy-deployment: linkerd-sp-validator - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - sp-validator - - -log-level=info - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9997 - initialDelaySeconds: 10 - name: sp-validator - ports: - - containerPort: 8443 - name: sp-validator - - containerPort: 9997 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9997 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-sp-validator - volumes: - - name: tls - secret: - secretName: linkerd-sp-validator-k8s-tls - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - 
linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - checksum/config: 51c6f0865aca4a1b4e25e619385ff0d9f95683e27c4d29c3072eac39b3fa7220 - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - - -identity-trust-domain=cluster.local - image: ghcr.io/linkerd/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls 
- readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - 
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: 
IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-tap - volumes: - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-k8s-tls - ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards 
- homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - env: - - name: GF_PATHS_DATA - value: /data - # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments - # see https://github.com/grafana/grafana/issues/20096 - - name: GODEBUG - value: netdns=go - image: ghcr.io/linkerd/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - resources: - securityContext: 
- runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - 
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 
"4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - 
linkerd.io/control-plane-ns: linkerd ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - evaluation_interval: 10s - scrape_interval: 10s - scrape_timeout: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - /etc/prometheus/*_rules.yaml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: 
keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-service-mirror' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: linkerd-service-mirror;admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - 
replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/workload-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - securityContext: - fsGroup: 65534 - containers: - - args: - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - image: 
prom/prometheus:v2.19.3 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus/prometheus.yml - name: prometheus-config - subPath: prometheus.yml - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: "warn,linkerd=info" - - name: LINKERD2_PROXY_LOG_FORMAT - value: "plain" - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS - value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT - value: "100ms" - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT - value: "1000ms" - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: _pod_nodeName - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: | - {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw - JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4 - MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r - ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z - l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4 - uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB - /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe - aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC - IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8 - vgUC0d2/9FMueIVMb+46WTCOjsqr - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: ghcr.io/linkerd/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /live - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - "4190,4191,25,443,587,3306,11211" - - --outbound-ports-to-ignore - - "25,443,587,3306,11211" - image: ghcr.io/linkerd/proxy-init:v1.3.8 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /run - name: linkerd-proxy-init-xtables-lock - serviceAccountName: linkerd-prometheus - volumes: - - name: data - emptyDir: {} - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: {} - name: linkerd-proxy-init-xtables-lock - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -apiVersion: v1 -data: - linkerd-config-overrides: 
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 -kind: Secret -metadata: - creationTimestamp: null - labels: - linkerd.io/control-plane-ns: linkerd - name: linkerd-config-overrides - namespace: linkerd diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go index 23f3cd2c6..13fc2aad0 100644 --- a/cli/cmd/upgrade.go +++ b/cli/cmd/upgrade.go @@ -247,13 +247,6 @@ func upgrade(ctx context.Context, k *k8s.KubernetesAPI, flags []flag.Flag, stage } } - if addOnOverwrite { - err = clearAddonOverrides(values) - if err != nil { - return bytes.Buffer{}, err - } - } - err = flag.ApplySetFlags(values, flags) if err != nil { return bytes.Buffer{}, err @@ -359,13 +352,3 @@ func ensureIssuerCertWorksWithAllProxies(ctx context.Context, k *k8s.KubernetesA } return nil } - -func clearAddonOverrides(values *l5dcharts.Values) error { - defaults, err := l5dcharts.NewValues() - if err != nil { - return err - } - values.Grafana = defaults.Grafana - values.Prometheus = defaults.Prometheus - return nil -} diff --git a/cli/cmd/upgrade_legacy.go b/cli/cmd/upgrade_legacy.go index bb71e909c..e0533f05f 100644 --- a/cli/cmd/upgrade_legacy.go +++ b/cli/cmd/upgrade_legacy.go @@ -13,11 +13,9 @@ import ( "github.com/linkerd/linkerd2/pkg/issuercerts" "github.com/linkerd/linkerd2/pkg/k8s" "github.com/linkerd/linkerd2/pkg/version" - log "github.com/sirupsen/logrus" "github.com/spf13/pflag" corev1 "k8s.io/api/core/v1" "k8s.io/client-go/kubernetes" - "sigs.k8s.io/yaml" ) func loadStoredValuesLegacy(ctx context.Context, k *k8s.KubernetesAPI) (*charts.Values, error) { 
@@ -66,75 +64,9 @@ func loadStoredValuesLegacy(ctx context.Context, k *k8s.KubernetesAPI) (*charts. } } - if !addOnOverwrite { - // Update Add-Ons Configuration from the linkerd-value cm - cmRawValues, _ := k8s.GetAddOnsConfigMap(ctx, k, controlPlaneNamespace) - if cmRawValues != nil { - //Cm is present now get the data - cmData, ok := cmRawValues["values"] - if !ok { - return nil, fmt.Errorf("values subpath not found in %s configmap", k8s.AddOnsConfigMapName) - } - - // repair Add-On configs - repairedCm, err := repairAddOnConfig([]byte(cmData)) - if err == nil { - // Update only if there is no error - cmData = string(repairedCm) - } else { - log.Warnf("add-on config repair failed: %s", err) - } - - if err = yaml.Unmarshal([]byte(cmData), &values); err != nil { - return nil, err - } - } - } - return values, nil } -func repairAddOnConfig(rawValues []byte) ([]byte, error) { - - var values map[string]interface{} - err := yaml.Unmarshal(rawValues, &values) - if err != nil { - return nil, err - } - - // Grafana Depreciation Fix - // Convert into Map instead of Values, as the latter returns with empty values - if grafana, err := healthcheck.GetMap(values, "grafana"); err == nil { - image, err := healthcheck.GetMap(grafana, "image") - if err == nil { - // Remove image.name tag if only name is present and set to the older image tag - if val, err := healthcheck.GetString(image, "name"); err == nil && val == "gcr.io/linkerd-io/grafana" { - delete(image, "name") - } - - // Remove image tag if its a empty map - if len(image) == 0 { - delete(grafana, "image") - } - } - - // Handle removal of grafana.name field - name, err := healthcheck.GetString(grafana, "name") - if err == nil { - // If default, remove it as its no longer needed - if name == "linkerd-grafana" { - delete(grafana, "name") - } - } - - } - rawValues, err = yaml.Marshal(values) - if err != nil { - return nil, err - } - return rawValues, nil -} - func setFlagsFromInstall(flags *pflag.FlagSet, installFlags 
[]*pb.Install_Flag) { for _, i := range installFlags { if f := flags.Lookup(i.GetName()); f != nil && !f.Changed { diff --git a/cli/cmd/upgrade_test.go b/cli/cmd/upgrade_test.go index 6640a53c3..3223dcb11 100644 --- a/cli/cmd/upgrade_test.go +++ b/cli/cmd/upgrade_test.go @@ -8,7 +8,6 @@ import ( "io" "io/ioutil" "os" - "path/filepath" "strings" "testing" @@ -19,7 +18,6 @@ import ( "github.com/linkerd/linkerd2/pkg/tls" "github.com/spf13/pflag" corev1 "k8s.io/api/core/v1" - "sigs.k8s.io/yaml" ) const ( @@ -288,13 +286,7 @@ func TestUpgradeWebhookCrtsNameChange(t *testing.T) { CrtPEM: injectorCerts.crt, KeyPEM: injectorCerts.key, } - tapCerts := generateCerts(t, "linkerd-tap.linkerd.svc", false) - defer tapCerts.cleanup() - installOpts.Tap.TLS = &linkerd2.TLS{ - CaBundle: tapCerts.ca, - CrtPEM: tapCerts.crt, - KeyPEM: tapCerts.key, - } + validatorCerts := generateCerts(t, "linkerd-sp-validator.linkerd.svc", false) defer validatorCerts.cleanup() installOpts.ProfileValidator.TLS = &linkerd2.TLS{ @@ -346,13 +338,7 @@ func TestUpgradeTwoLevelWebhookCrts(t *testing.T) { CrtPEM: injectorCerts.crt, KeyPEM: injectorCerts.key, } - tapCerts := generateCerts(t, "linkerd-tap.linkerd.svc", false) - defer tapCerts.cleanup() - installOpts.Tap.TLS = &linkerd2.TLS{ - CaBundle: tapCerts.ca, - CrtPEM: tapCerts.crt, - KeyPEM: tapCerts.key, - } + validatorCerts := generateCerts(t, "linkerd-sp-validator.linkerd.svc", false) defer validatorCerts.cleanup() installOpts.ProfileValidator.TLS = &linkerd2.TLS{ 
@@ -379,168 +365,6 @@ func TestUpgradeTwoLevelWebhookCrts(t *testing.T) { } } -func TestUpgradeWithAddonDisabled(t *testing.T) { - installOpts, upgradeOpts, _ := testOptions(t) - - installAddons, err := ioutil.ReadFile(filepath.Join("testdata", "grafana_disabled.yaml")) - if err != nil { - t.Fatal(err) - } - - err = yaml.Unmarshal(installAddons, installOpts) - if err != nil { - t.Fatal(err) - } - - install := renderInstall(t, installOpts) - upgrade, err := renderUpgrade(install.String(), upgradeOpts) - if err != nil { - t.Fatal(err) - } - expected := replaceVersions(install.String()) - expectedManifests := parseManifestList(expected) - upgradeManifests := parseManifestList(upgrade.String()) - for id, diffs := range diffManifestLists(expectedManifests, upgradeManifests) { - for _, diff := range diffs { - if ignorableDiff(id, diff) { - continue - } - t.Errorf("Unexpected diff in %s:\n%s", id, diff.String()) - } - } -} - -func TestUpgradeEnableAddon(t *testing.T) { - installOpts, upgradeOpts, flagSet := testOptions(t) - - installAddons, err := ioutil.ReadFile(filepath.Join("testdata", "grafana_disabled.yaml")) - if err != nil { - t.Fatal(err) - } - - err = yaml.Unmarshal(installAddons, installOpts) - if err != nil { - t.Fatal(err) - } - - install := renderInstall(t, installOpts) - - flagSet.Set("config", filepath.Join("testdata", "grafana_enabled.yaml")) - - upgrade, err := renderUpgrade(install.String(), upgradeOpts) - if err != nil { - t.Fatal(err) - } - expected := replaceVersions(install.String()) - expectedManifests := parseManifestList(expected) - upgradeManifests := parseManifestList(upgrade.String()) - diffMap := diffManifestLists(expectedManifests, upgradeManifests) - addonManifests := []string{ - "ServiceAccount/linkerd-grafana", "Deployment/linkerd-grafana", "Service/linkerd-grafana", - "ConfigMap/linkerd-grafana-config", - } - for _, id := range addonManifests { - if _, ok := diffMap[id]; ok { - delete(diffMap, id) - } else { - t.Errorf("Expected %s in 
upgrade output but was absent", id) - } - } - for id, diffs := range diffMap { - for _, diff := range diffs { - if ignorableDiff(id, diff) { - continue - } - if id == "RoleBinding/linkerd-psp" && pathMatch(diff.path, []string{"subjects"}) { - continue - } - if id == "Deployment/linkerd-web" && pathMatch(diff.path, []string{"spec", "template", "spec", "containers", "*", "args"}) { - continue - } - t.Errorf("Unexpected diff in %s:\n%s", id, diff.String()) - } - } -} - -func TestUpgradeRemoveAddonKeys(t *testing.T) { - installOpts, upgradeOpts, flagSet := testOptions(t) - - installAddons, err := ioutil.ReadFile(filepath.Join("testdata", "grafana_enabled_resources.yaml")) - if err != nil { - t.Fatal(err) - } - - err = yaml.Unmarshal(installAddons, installOpts) - if err != nil { - t.Fatal(err) - } - - install := renderInstall(t, installOpts) - - flagSet.Set("config", filepath.Join("testdata", "grafana_enabled.yaml")) - - upgrade, err := renderUpgrade(install.String(), upgradeOpts) - if err != nil { - t.Fatal(err) - } - expected := replaceVersions(install.String()) - expectedManifests := parseManifestList(expected) - upgradeManifests := parseManifestList(upgrade.String()) - for id, diffs := range diffManifestLists(expectedManifests, upgradeManifests) { - for _, diff := range diffs { - if ignorableDiff(id, diff) { - continue - } - t.Errorf("Unexpected diff in %s:\n%s", id, diff.String()) - } - } -} - -func TestUpgradeOverwriteRemoveAddonKeys(t *testing.T) { - installOpts, upgradeOpts, flagSet := testOptions(t) - - installAddons, err := ioutil.ReadFile(filepath.Join("testdata", "grafana_enabled_resources.yaml")) - if err != nil { - t.Fatal(err) - } - - err = yaml.Unmarshal(installAddons, installOpts) - if err != nil { - t.Fatal(err) - } - - install := renderInstall(t, installOpts) - - flagSet.Set("config", filepath.Join("testdata", "grafana_enabled.yaml")) - flagSet.Set("addon-overwrite", "true") - - upgrade, err := renderUpgrade(install.String(), upgradeOpts) - if err != 
nil { - t.Fatal(err) - } - expected := replaceVersions(install.String()) - expectedManifests := parseManifestList(expected) - upgradeManifests := parseManifestList(upgrade.String()) - diffMap := diffManifestLists(expectedManifests, upgradeManifests) - - resourceDiffFound := false - for id, diffs := range diffMap { - for _, diff := range diffs { - if ignorableDiff(id, diff) { - continue - } - if id == "Deployment/linkerd-grafana" && pathMatch(diff.path, []string{"spec", "template", "spec", "containers", "*", "resources"}) { - resourceDiffFound = true - continue - } - t.Errorf("Unexpected diff in %s:\n%s", id, diff.String()) - } - } - if !resourceDiffFound { - t.Error("Expected grafana resources requirements to be removed, but were not") - } -} - /* Helpers */ func testUpgradeOptions() ([]flag.Flag, *pflag.FlagSet, error) { diff --git a/jaeger/cmd/install.go b/jaeger/cmd/install.go index e4ed44500..88b2ada43 100644 --- a/jaeger/cmd/install.go +++ b/jaeger/cmd/install.go @@ -2,7 +2,6 @@ package cmd import ( "bytes" - "context" "fmt" "io" "os" @@ -19,8 +18,6 @@ import ( "helm.sh/helm/v3/pkg/chartutil" "helm.sh/helm/v3/pkg/cli/values" "helm.sh/helm/v3/pkg/engine" - kerrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) var ( @@ -48,7 +45,12 @@ func newCmdInstall() *cobra.Command { RunE: func(cmd *cobra.Command, args []string) error { if !skipChecks { // Ensure there is a Linkerd installation. - exists, err := checkIfLinkerdExists(cmd.Context()) + kubeAPI, err := k8s.NewAPI(kubeconfigPath, kubeContext, impersonate, impersonateGroup, 0) + if err != nil { + return err + } + + exists, err := healthcheck.CheckIfLinkerdExists(cmd.Context(), kubeAPI, controlPlaneNamespace) if err != nil { return fmt.Errorf("could not check for Linkerd existence: %s", err) } 
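Review bot: The `k8s.NewAPI(...)` call added to `RunE` in jaeger/cmd/install.go (hunk `@@ -48,7 +45,12 @@`) returns its error bare with `return err`, while the existence check right after it wraps its error with context. A bad kubeconfig, context or impersonation setting therefore reaches the operator with no hint of which step failed. Wrap it the same way, e.g. `return fmt.Errorf("could not create Kubernetes client: %w", err)`; `%w` keeps the cause available to `errors.Is`, unlike the `%s` on the neighbouring line. `RunE` continues past the end of this hunk.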
@@ -149,28 +151,3 @@ func render(w io.Writer, valuesOverrides map[string]interface{}) error { _, err = w.Write(buf.Bytes()) return err } - -func checkIfLinkerdExists(ctx context.Context) (bool, error) { - kubeAPI, err := k8s.NewAPI(kubeconfigPath, kubeContext, impersonate, impersonateGroup, 0) - if err != nil { - return false, err - } - - _, err = kubeAPI.CoreV1().Namespaces().Get(ctx, controlPlaneNamespace, metav1.GetOptions{}) - if err != nil { - if kerrors.IsNotFound(err) { - return false, nil - } - return false, err - } - - _, _, err = healthcheck.FetchCurrentConfiguration(ctx, kubeAPI, controlPlaneNamespace) - if err != nil { - if kerrors.IsNotFound(err) { - return false, nil - } - return false, err - } - - return true, nil -} diff --git a/pkg/charts/linkerd2/addons.go b/pkg/charts/linkerd2/addons.go deleted file mode 100644 index c0c36c92e..000000000 --- a/pkg/charts/linkerd2/addons.go +++ /dev/null 
@@ -1,43 +0,0 @@
-package linkerd2
-
-import (
- "fmt"
-
- "helm.sh/helm/v3/pkg/chart/loader"
-)
-
-// AddOn includes the general functions required by add-on, provides
-// a common abstraction for install, etc
-type AddOn interface {
- Name() string
- ConfigStageTemplates() []*loader.BufferedFile
- ControlPlaneStageTemplates() []*loader.BufferedFile
- Values() []byte
-}
-
-// ParseAddOnValues takes a Values struct, and returns an array of the enabled add-ons
-func ParseAddOnValues(values *Values) ([]AddOn, error) {
- var addOns []AddOn
-
- if values.Grafana != nil {
- if enabled, ok := values.Grafana["enabled"]; ok {
- if enabled, ok := enabled.(bool); !ok {
- return nil, fmt.Errorf("invalid value for 'grafana.enabled' (should be boolean): %s", values.Grafana["enabled"])
- } else if enabled {
- addOns = append(addOns, values.Grafana)
- }
- }
- }
-
- if values.Prometheus != nil {
- if enabled, ok := values.Prometheus["enabled"]; ok {
- if enabled, ok := enabled.(bool); !ok {
- return nil, fmt.Errorf("invalid value for 'prometheus.enabled' (should be boolean): %s", values.Prometheus["enabled"])
- } else if enabled {
- addOns = append(addOns, values.Prometheus)
- }
- }
- }
-
- return addOns, nil
-}
diff --git a/pkg/charts/linkerd2/addons_test.go b/pkg/charts/linkerd2/addons_test.go
deleted file mode 100644
index 5c476e333..000000000
--- a/pkg/charts/linkerd2/addons_test.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package linkerd2
-
-import (
- "reflect"
- "testing"
-
- "sigs.k8s.io/yaml"
-)
-
-func TestParseAddOnValues(t *testing.T) {
-
- addonConfig := `
-Grafana:
- enabled: true
-`
- var addOnValues Values
- err := yaml.Unmarshal([]byte(addonConfig), &addOnValues)
- if err != nil {
- t.Fatalf("Unexpected error: %s", err)
- }
-
- addOns, err := ParseAddOnValues(&addOnValues)
- if err != nil {
- t.Fatalf("Unexpected error: %s", err)
- }
-
- // Check for Grafana addOn to be present
- if len(addOns) != 1 {
- t.Fatalf("expected 1 add-on to be present but found %d", len(addOns))
- }
- if !reflect.DeepEqual(addOns[0], Grafana{"enabled": true}) {
- t.Fatal("expected grafana add-on to be present")
- }
-}
diff --git a/pkg/charts/linkerd2/grafana.go b/pkg/charts/linkerd2/grafana.go
deleted file mode 100644
index 7fe5ef958..000000000
--- a/pkg/charts/linkerd2/grafana.go
+++ /dev/null
@@ -1,42 +0,0 @@
-package linkerd2
-
-import (
- "helm.sh/helm/v3/pkg/chart/loader"
- "sigs.k8s.io/yaml"
-)
-
-const (
- // GrafanaAddOn is the name of the grafana add-on
- GrafanaAddOn = "grafana"
-)
-
-// Grafana is an add-on that consists of the grafana components
-type Grafana map[string]interface{}
-
-// Name returns the name of the Grafana add-on
-func (g Grafana) Name() string {
- return GrafanaAddOn
-}
-
-// Values returns the configuration values that were assigned for this add-on
-func (g Grafana) Values() []byte {
- values, err := yaml.Marshal(g)
- if err != nil {
- return nil
- }
- return values
-}
-
-// ConfigStageTemplates returns the template files that are part of the config stage
-func (g Grafana) ConfigStageTemplates() []*loader.BufferedFile {
- return []*loader.BufferedFile{
- {Name: "templates/grafana-rbac.yaml"},
- }
-}
-
-// ControlPlaneStageTemplates returns the template files that are part of the Control Plane Stage.
-func (g Grafana) ControlPlaneStageTemplates() []*loader.BufferedFile {
- return []*loader.BufferedFile{
- {Name: "templates/grafana.yaml"},
- }
-}
diff --git a/pkg/charts/linkerd2/prometheus.go b/pkg/charts/linkerd2/prometheus.go
deleted file mode 100644
index c3e769064..000000000
--- a/pkg/charts/linkerd2/prometheus.go
+++ /dev/null
@@ -1,42 +0,0 @@
-package linkerd2
-
-import (
- "helm.sh/helm/v3/pkg/chart/loader"
- "sigs.k8s.io/yaml"
-)
-
-var (
- // PrometheusAddOn is the name of the prometheus add-on
- PrometheusAddOn = "prometheus"
-)
-
-// Prometheus is an add-on that installs the prometheus component
-type Prometheus map[string]interface{}
-
-// Name returns the name of the Prometheus add-on
-func (p Prometheus) Name() string {
- return PrometheusAddOn
-}
-
-// Values returns the configuration values that were assigned for this add-on
-func (p Prometheus) Values() []byte {
- values, err := yaml.Marshal(p)
- if err != nil {
- return nil
- }
- return values
-}
-
-// ConfigStageTemplates returns the template files that are part of the config stage
-func (p Prometheus) ConfigStageTemplates() []*loader.BufferedFile {
- return []*loader.BufferedFile{
- {Name: "templates/prometheus-rbac.yaml"},
- }
-}
-
-// ControlPlaneStageTemplates returns the template files that are part of the Control Plane Stage.
-func (p Prometheus) ControlPlaneStageTemplates() []*loader.BufferedFile {
- return []*loader.BufferedFile{
- {Name: "templates/prometheus.yaml"},
- }
-}
diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go
deleted file mode 100644
index dbb4828c6..000000000
--- a/pkg/charts/linkerd2/tracing.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package linkerd2
-
-import (
- "helm.sh/helm/v3/pkg/chart/loader"
- "sigs.k8s.io/yaml"
-)
-
-var (
- // TracingAddOn represents the name of the tracing add-on
- TracingAddOn = "tracing"
-)
-
-// Tracing is an add-on that installs the distributed tracing
-// related components like OpenCensus Collector and Jaeger
-type Tracing map[string]interface{}
-
-// Name returns the name of the Tracing add-on
-func (t Tracing) Name() string {
- return TracingAddOn
-}
-
-// Values returns the configuration values that were assigned for this add-on
-func (t Tracing) Values() []byte {
- values, err := yaml.Marshal(t)
- if err != nil {
- return nil
- }
- return values
-}
-
-// ConfigStageTemplates returns the template files that are part of the config stage
-func (t Tracing) ConfigStageTemplates() []*loader.BufferedFile {
- return []*loader.BufferedFile{
- {Name: "templates/tracing-rbac.yaml"},
- }
-}
-
-// ControlPlaneStageTemplates returns the template files that are part of the Control Plane Stage.
-func (t Tracing) ControlPlaneStageTemplates() []*loader.BufferedFile {
- return []*loader.BufferedFile{
- {Name: "templates/tracing.yaml"},
- }
-}
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go
index 2b9270fc1..23f0b59b7 100644
--- a/pkg/charts/linkerd2/values.go
+++ b/pkg/charts/linkerd2/values.go
@@ -23,29 +23,25 @@ const ( type ( // Values contains the top-level elements in the Helm charts Values struct { - ControllerImage string `json:"controllerImage"` - WebImage string `json:"webImage"` - ControllerReplicas uint `json:"controllerReplicas"` - ControllerUID int64 `json:"controllerUID"` - EnableH2Upgrade bool `json:"enableH2Upgrade"` - EnablePodAntiAffinity bool `json:"enablePodAntiAffinity"` - WebhookFailurePolicy string `json:"webhookFailurePolicy"` - OmitWebhookSideEffects bool `json:"omitWebhookSideEffects"` - RestrictDashboardPrivileges bool `json:"restrictDashboardPrivileges"` - DisableHeartBeat bool `json:"disableHeartBeat"` - HeartbeatSchedule string `json:"heartbeatSchedule"` - InstallNamespace bool `json:"installNamespace"` - Configs ConfigJSONs `json:"configs"` - Global *Global `json:"global"` - Identity *Identity `json:"identity"` - Dashboard *Dashboard `json:"dashboard"` - DebugContainer *DebugContainer `json:"debugContainer"` - ProxyInjector *ProxyInjector `json:"proxyInjector"` - ProfileValidator *ProfileValidator `json:"profileValidator"` - Tap *Tap `json:"tap"` - NodeSelector map[string]string `json:"nodeSelector"` - Tolerations []interface{} `json:"tolerations"` - Stage string `json:"stage"` + ControllerImage string `json:"controllerImage"` + ControllerReplicas uint `json:"controllerReplicas"` + ControllerUID int64 `json:"controllerUID"` + EnableH2Upgrade bool `json:"enableH2Upgrade"` + EnablePodAntiAffinity bool `json:"enablePodAntiAffinity"` + WebhookFailurePolicy string `json:"webhookFailurePolicy"` + OmitWebhookSideEffects bool `json:"omitWebhookSideEffects"` + DisableHeartBeat bool `json:"disableHeartBeat"` + HeartbeatSchedule string `json:"heartbeatSchedule"` + InstallNamespace bool `json:"installNamespace"` + Configs ConfigJSONs `json:"configs"` + Global *Global `json:"global"` + Identity *Identity `json:"identity"` + DebugContainer *DebugContainer `json:"debugContainer"` + ProxyInjector *ProxyInjector `json:"proxyInjector"` + 
ProfileValidator *ProfileValidator `json:"profileValidator"` + NodeSelector map[string]string `json:"nodeSelector"` + Tolerations []interface{} `json:"tolerations"` + Stage string `json:"stage"` DestinationResources *Resources `json:"destinationResources"` HeartbeatResources *Resources `json:"heartbeatResources"` @@ -53,20 +49,12 @@ type ( ProxyInjectorResources *Resources `json:"proxyInjectorResources"` PublicAPIResources *Resources `json:"publicAPIResources"` SPValidatorResources *Resources `json:"spValidatorResources"` - TapResources *Resources `json:"tapResources"` - WebResources *Resources `json:"webResources"` DestinationProxyResources *Resources `json:"destinationProxyResources"` IdentityProxyResources *Resources `json:"identityProxyResources"` ProxyInjectorProxyResources *Resources `json:"proxyInjectorProxyResources"` PublicAPIProxyResources *Resources `json:"publicAPIProxyResources"` SPValidatorProxyResources *Resources `json:"spValidatorProxyResources"` - TapProxyResources *Resources `json:"tapProxyResources"` - WebProxyResources *Resources `json:"webProxyResources"` - - // Addon Structures - Grafana Grafana `json:"grafana"` - Prometheus Prometheus `json:"prometheus"` } // Global values common across all charts @@ -194,11 +182,6 @@ type ( Memory Constraints `json:"memory"` } - // Dashboard has the Helm variables for the web dashboard - Dashboard struct { - Replicas int32 `json:"replicas"` - } - // Identity contains the fields to set the identity variables in the proxy // sidecar container Identity struct { @@ -227,11 +210,6 @@ type ( NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector"` } - // Tap has all the Tap's Helm variables - Tap struct { - *TLS - } - // TLS has a pair of PEM-encoded key and certificate variables used in the // Helm templates TLS struct { 
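Review bot: In the `Values` struct hunk of values.go (`@@ -23,29 +23,25 @@`), `restrictDashboardPrivileges` leaves the core values together with `webImage`, `dashboard` and `tap`, and nothing on the new side says where that hardening setting now lives. If values stored by an older install are decoded leniently into this struct (the decoder is not visible in this hunk), the flag would be dropped on upgrade without any message, so the upgrade path should be checked for an operator who had restricted the dashboard. A comment above the struct would make the move explicit, e.g. `// Dashboard, tap, Grafana and Prometheus settings are no longer core chart values; see viz/charts/linkerd-viz.` The struct continues past this hunk.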
@@ -263,7 +241,6 @@ func NewValues() (*Values, error) { v.ProfileValidator.TLS = &TLS{} v.ProxyInjector.TLS = &TLS{} v.Global.ProxyContainerName = k8s.ProxyContainerName - v.Tap = &Tap{TLS: &TLS{}} return v, nil } diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go index a110d41cb..2c3d3f035 100644 --- a/pkg/charts/linkerd2/values_test.go +++ b/pkg/charts/linkerd2/values_test.go @@ -28,21 +28,16 @@ func TestNewValues(t *testing.T) { } expected := &Values{ - ControllerImage: "ghcr.io/linkerd/controller", - WebImage: "ghcr.io/linkerd/web", - ControllerReplicas: 1, - ControllerUID: 2103, - EnableH2Upgrade: true, - EnablePodAntiAffinity: false, - WebhookFailurePolicy: "Ignore", - OmitWebhookSideEffects: false, - RestrictDashboardPrivileges: false, - DisableHeartBeat: false, - HeartbeatSchedule: "0 0 * * *", - InstallNamespace: true, - Prometheus: Prometheus{ - "enabled": true, - }, + ControllerImage: "ghcr.io/linkerd/controller", + ControllerReplicas: 1, + ControllerUID: 2103, + EnableH2Upgrade: true, + EnablePodAntiAffinity: false, + WebhookFailurePolicy: "Ignore", + OmitWebhookSideEffects: false, + DisableHeartBeat: false, + HeartbeatSchedule: "0 0 * * *", + InstallNamespace: true, Global: &Global{ Namespace: "linkerd", ClusterDomain: "cluster.local", @@ -133,9 +128,6 @@ func TestNewValues(t *testing.T) { NodeSelector: map[string]string{ "beta.kubernetes.io/os": "linux", }, - Dashboard: &Dashboard{ - Replicas: 1, - }, DebugContainer: &DebugContainer{ Image: &Image{ Name: "ghcr.io/linkerd/debug", @@ -146,10 +138,6 @@ func TestNewValues(t *testing.T) { ProxyInjector: &ProxyInjector{TLS: &TLS{}, NamespaceSelector: namespaceSelector}, ProfileValidator: &ProfileValidator{TLS: &TLS{}, NamespaceSelector: namespaceSelector}, - Tap: &Tap{TLS: &TLS{}}, - Grafana: Grafana{ - "enabled": true, - }, } // pin the versions to ensure consistent test result. 
@@ -191,24 +179,8 @@ func TestNewValues(t *testing.T) { expected.PublicAPIResources = controllerResources expected.ProxyInjectorResources = controllerResources expected.SPValidatorResources = controllerResources - expected.TapResources = controllerResources - expected.WebResources = controllerResources expected.HeartbeatResources = controllerResources - expected.Grafana = Grafana{ - "enabled": true, - "resources": map[string]interface{}{ - "cpu": map[string]interface{}{ - "limit": controllerResources.CPU.Limit, - "request": controllerResources.CPU.Request, - }, - "memory": map[string]interface{}{ - "limit": "1024Mi", - "request": "50Mi", - }, - }, - } - expected.IdentityResources = &Resources{ CPU: Constraints{ Limit: controllerResources.CPU.Limit, @@ -220,20 +192,6 @@ func TestNewValues(t *testing.T) { }, } - expected.Prometheus = Prometheus{ - "enabled": true, - "resources": map[string]interface{}{ - "cpu": map[string]interface{}{ - "limit": "", - "request": "300m", - }, - "memory": map[string]interface{}{ - "limit": "8192Mi", - "request": "300Mi", - }, - }, - } - expected.Global.Proxy.Resources = &Resources{ CPU: Constraints{ Limit: "", diff --git a/pkg/healthcheck/healthcheck.go b/pkg/healthcheck/healthcheck.go index f9ee9358d..c74d98ae3 100644 --- a/pkg/healthcheck/healthcheck.go +++ b/pkg/healthcheck/healthcheck.go @@ -35,7 +35,6 @@ import ( yamlDecoder "k8s.io/apimachinery/pkg/util/yaml" k8sVersion "k8s.io/apimachinery/pkg/version" "k8s.io/client-go/kubernetes" - apiregistrationv1client "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/typed/apiregistration/v1" "sigs.k8s.io/yaml" ) 
@@ -152,13 +151,6 @@ const ( linkerdCNIResourceName = "linkerd-cni" linkerdCNIConfigMapName = "linkerd-cni-config" - // linkerdTapAPIServiceName is the name of the tap api service - // This key is passed to checkApiService method to check whether - // the api service is available or not - linkerdTapAPIServiceName = "v1alpha1.tap.linkerd.io" - - tapOldTLSSecretName = "linkerd-tap-tls" - tapTLSSecretName = "linkerd-tap-k8s-tls" proxyInjectorOldTLSSecretName = "linkerd-proxy-injector-tls" proxyInjectorTLSSecretName = "linkerd-proxy-injector-k8s-tls" spValidatorOldTLSSecretName = "linkerd-sp-validator-tls" @@ -188,7 +180,6 @@ var linkerdHAControlPlaneComponents = []string{ "linkerd-identity", "linkerd-proxy-injector", "linkerd-sp-validator", - "linkerd-tap", } // ExpectedServiceAccountNames is a list of the service accounts that a healthy @@ -200,8 +191,6 @@ var ExpectedServiceAccountNames = []string{ "linkerd-identity", "linkerd-proxy-injector", "linkerd-sp-validator", - "linkerd-web", - "linkerd-tap", } var ( @@ -419,7 +408,7 @@ func NewHealthChecker(categoryIDs []CategoryID, options *Options) *HealthChecker Options: options, } - hc.categories = append(hc.allCategories(), hc.addOnCategories()...) + hc.categories = hc.allCategories() checkMap := map[CategoryID]struct{}{} for _, category := range categoryIDs { 
@@ -1067,43 +1056,6 @@ func (hc *HealthChecker) allCategories() []Category { { id: LinkerdWebhooksAndAPISvcTLS, checkers: []Checker{ - { - description: "tap API server has valid cert", - hintAnchor: "l5d-tap-cert-valid", - fatal: true, - check: func(ctx context.Context) (err error) { - anchors, err := hc.fetchTapCaBundle(ctx) - if err != nil { - return err - } - cert, err := hc.fetchCredsFromSecret(ctx, tapTLSSecretName) - if kerrors.IsNotFound(err) { - cert, err = hc.fetchCredsFromOldSecret(ctx, tapOldTLSSecretName) - } - if err != nil { - return err - } - - identityName := fmt.Sprintf("linkerd-tap.%s.svc", hc.ControlPlaneNamespace) - return hc.checkCertAndAnchors(cert, anchors, identityName) - }, - }, - { - description: "tap API server cert is valid for at least 60 days", - warning: true, - hintAnchor: "l5d-webhook-cert-not-expiring-soon", - check: func(ctx context.Context) error { - cert, err := hc.fetchCredsFromSecret(ctx, tapTLSSecretName) - if kerrors.IsNotFound(err) { - cert, err = hc.fetchCredsFromOldSecret(ctx, tapOldTLSSecretName) - } - if err != nil { - return err - } - return hc.checkCertAndAnchorsExpiringSoon(cert) - - }, - }, { description: "proxy-injector webhook has valid cert", hintAnchor: "l5d-proxy-injector-webhook-cert-valid", @@ -1223,14 +1175,6 @@ func (hc *HealthChecker) allCategories() []Category { return hc.apiClient.SelfCheck(ctx, &healthcheckPb.SelfCheckRequest{}) }, }, - { - description: "tap api service is running", - hintAnchor: "l5d-tap-api", - warning: true, - check: func(ctx context.Context) error { - return hc.checkAPIService(ctx, linkerdTapAPIServiceName) - }, - }, }, }, { 
@@ -1316,29 +1260,6 @@ func (hc *HealthChecker) allCategories() []Category { return validateDataPlanePods(pods, hc.DataPlaneNamespace) }, }, - { - description: "data plane proxy metrics are present in Prometheus", - hintAnchor: "l5d-data-plane-prom", - retryDeadline: hc.RetryDeadline, - check: func(ctx context.Context) error { - pods, err := hc.getDataPlanePods(ctx) - if err != nil { - return err - } - - // Check if prometheus configured - prometheusValues := make(map[string]interface{}) - err = yaml.Unmarshal(hc.linkerdConfig.Prometheus.Values(), &prometheusValues) - if err != nil { - return err - } - if !GetBool(prometheusValues, "enabled") && hc.linkerdConfig.GetGlobal().PrometheusURL == "" { - return &SkipError{Reason: "no prometheus instance to connect"} - } - - return validateDataPlanePodReporting(pods) - }, - }, { description: "data plane is up-to-date", hintAnchor: "l5d-data-plane-version", @@ -1782,24 +1703,6 @@ func (hc *HealthChecker) fetchSpValidatorCaBundle(ctx context.Context) ([]*x509. return caBundle, nil } -func (hc *HealthChecker) fetchTapCaBundle(ctx context.Context) ([]*x509.Certificate, error) { - apiServiceClient, err := apiregistrationv1client.NewForConfig(hc.kubeAPI.Config) - if err != nil { - return nil, err - } - - apiService, err := apiServiceClient.APIServices().Get(ctx, linkerdTapAPIServiceName, metav1.GetOptions{}) - if err != nil { - return nil, err - } - - caBundle, err := tls.DecodePEMCertificates(string(apiService.Spec.CABundle)) - if err != nil { - return nil, err - } - return caBundle, nil -} - func (hc *HealthChecker) fetchCredsFromSecret(ctx context.Context, secretName string) (*tls.Cred, error) { secret, err := hc.kubeAPI.CoreV1().Secrets(hc.ControlPlaneNamespace).Get(ctx, secretName, metav1.GetOptions{}) if err != nil { 
@@ -1893,7 +1796,6 @@ func (hc *HealthChecker) expectedRBACNames() []string {
 fmt.Sprintf("linkerd-%s-identity", hc.ControlPlaneNamespace),
 fmt.Sprintf("linkerd-%s-proxy-injector", hc.ControlPlaneNamespace),
 fmt.Sprintf("linkerd-%s-sp-validator", hc.ControlPlaneNamespace),
- fmt.Sprintf("linkerd-%s-tap", hc.ControlPlaneNamespace),
 }
 }
@@ -1977,6 +1879,27 @@ func CheckServiceAccounts(ctx context.Context, api *k8s.KubernetesAPI, saNames [
 return checkResources("ServiceAccounts", objects, saNames, true)
 }
+// CheckIfLinkerdExists checks if Linkerd exists
+func CheckIfLinkerdExists(ctx context.Context, kubeAPI *k8s.KubernetesAPI, controlPlaneNamespace string) (bool, error) {
+ _, err := kubeAPI.CoreV1().Namespaces().Get(ctx, controlPlaneNamespace, metav1.GetOptions{})
+ if err != nil {
+ if kerrors.IsNotFound(err) {
+ return false, nil
+ }
+ return false, err
+ }
+
+ _, _, err = FetchCurrentConfiguration(ctx, kubeAPI, controlPlaneNamespace)
+ if err != nil {
+ if kerrors.IsNotFound(err) {
+ return false, nil
+ }
+ return false, err
+ }
+
+ return true, nil
+}
+
 func (hc *HealthChecker) checkCustomResourceDefinitions(ctx context.Context, shouldExist bool) error {
 options := metav1.ListOptions{
 LabelSelector: hc.controlPlaneComponentsSelector(),
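Review bot: The doc comment on `CheckIfLinkerdExists` only restates the name and leaves out the contract callers rely on. Both the namespace lookup and `FetchCurrentConfiguration` map a NotFound error to `(false, nil)`, while every other error (for example a permission failure on the namespace read) comes back as `(false, err)`. I would document that, e.g. `// CheckIfLinkerdExists reports whether the control-plane namespace and its configuration are present; NotFound yields (false, nil), any other API error is returned.` Callers should then treat a non-nil error as "unknown" rather than "not installed", so an RBAC problem is not mistaken for a missing control plane.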
@@ -2276,29 +2199,6 @@ func (hc *HealthChecker) checkCanGet(ctx context.Context, namespace, group, vers return CheckCanPerformAction(ctx, hc.kubeAPI, "get", namespace, group, version, resource) } -func (hc *HealthChecker) checkAPIService(ctx context.Context, serviceName string) error { - apiServiceClient, err := apiregistrationv1client.NewForConfig(hc.kubeAPI.Config) - if err != nil { - return err - } - - apiStatus, err := apiServiceClient.APIServices().Get(ctx, serviceName, metav1.GetOptions{}) - if err != nil { - return err - } - - for _, condition := range apiStatus.Status.Conditions { - if condition.Type == "Available" { - if condition.Status == "True" { - return nil - } - return fmt.Errorf("%s: %s", condition.Reason, condition.Message) - } - } - - return fmt.Errorf("%s service not available", linkerdTapAPIServiceName) -} - func (hc *HealthChecker) checkCapability(ctx context.Context, cap string) error { if hc.kubeAPI == nil { // we should never get here @@ -2487,7 +2387,7 @@ const running = "Running" func validateControlPlanePods(pods []corev1.Pod) error { statuses := getPodStatuses(pods) - names := []string{"controller", "identity", "sp-validator", "web", "tap"} + names := []string{"controller", "identity", "sp-validator"} // TODO: deprecate this when we drop support for checking pre-default proxy-injector control-planes if _, found := statuses["proxy-injector"]; found { names = append(names, "proxy-injector") diff --git a/pkg/healthcheck/healthcheck_addons.go b/pkg/healthcheck/healthcheck_addons.go deleted file mode 100644 index 214660c1e..000000000 --- a/pkg/healthcheck/healthcheck_addons.go +++ /dev/null 
@@ -1,238 +0,0 @@ -package healthcheck - -import ( - "context" - "errors" - "fmt" - - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "sigs.k8s.io/yaml" -) - -const ( - // LinkerdGrafanaAddOnChecks adds checks related to grafana add-on components - LinkerdGrafanaAddOnChecks CategoryID = "linkerd-grafana" - - // LinkerdPrometheusAddOnChecks adds checks related to Prometheus add-on components - LinkerdPrometheusAddOnChecks CategoryID = "linkerd-prometheus" -) - -var ( - // errorKeyNotFound is returned when a key is not found in data - errorKeyNotFound error = errors.New("key not found") - - // AddOnCategories is the list of add-on category checks - AddOnCategories = []CategoryID{LinkerdPrometheusAddOnChecks, LinkerdGrafanaAddOnChecks} -) - -// addOnCategories contain all the checks w.r.t add-ons. It is strongly advised to -// have warning as true, to not make the check fail for add-on failures as most of them are -// not hard requirements unless otherwise. -func (hc *HealthChecker) addOnCategories() []Category { - return []Category{ - { - id: LinkerdPrometheusAddOnChecks, - checkers: []Checker{ - { - description: "prometheus add-on service account exists", - warning: true, - check: func(ctx context.Context) error { - prometheusValues := make(map[string]interface{}) - err := yaml.Unmarshal(hc.linkerdConfig.Prometheus.Values(), &prometheusValues) - if err != nil { - return err - } - if GetBool(prometheusValues, "enabled") { - return hc.checkServiceAccounts(ctx, []string{"linkerd-prometheus"}, hc.ControlPlaneNamespace, "") - } - return &SkipError{Reason: "prometheus add-on not enabled"} - }, - }, - { - description: "prometheus add-on config map exists", - warning: true, - check: func(ctx context.Context) error { - prometheusValues := make(map[string]interface{}) - err := yaml.Unmarshal(hc.linkerdConfig.Prometheus.Values(), &prometheusValues) - if err != nil { - return err - } - if GetBool(prometheusValues, "enabled") { - _, err := 
hc.kubeAPI.CoreV1().ConfigMaps(hc.ControlPlaneNamespace).Get(ctx, "linkerd-prometheus-config", metav1.GetOptions{}) - return err - } - return &SkipError{Reason: "prometheus add-on not enabled"} - }, - }, - { - description: "prometheus pod is running", - warning: true, - retryDeadline: hc.RetryDeadline, - surfaceErrorOnRetry: true, - check: func(ctx context.Context) error { - prometheusValues := make(map[string]interface{}) - err := yaml.Unmarshal(hc.linkerdConfig.Prometheus.Values(), &prometheusValues) - if err != nil { - return err - } - if GetBool(prometheusValues, "enabled") { - // populate controlPlanePods to get the latest status, during retries - var err error - hc.controlPlanePods, err = hc.kubeAPI.GetPodsByNamespace(ctx, hc.ControlPlaneNamespace) - if err != nil { - return err - } - - return checkContainerRunning(hc.controlPlanePods, "prometheus") - } - return &SkipError{Reason: "prometheus add-on not enabled"} - }, - }, - }, - }, - { - id: LinkerdGrafanaAddOnChecks, - checkers: []Checker{ - { - description: "grafana add-on service account exists", - warning: true, - check: func(ctx context.Context) error { - grafana := make(map[string]interface{}) - err := yaml.Unmarshal(hc.linkerdConfig.Grafana.Values(), &grafana) - if err != nil { - return err - } - if GetBool(grafana, "enabled") { - name, err := GetString(grafana, "name") - if err != nil && !errors.Is(err, errorKeyNotFound) { - return err - } - - if errors.Is(err, errorKeyNotFound) { - // default name of grafana instance - name = "linkerd-grafana" - } - - return hc.checkServiceAccounts(ctx, []string{name}, hc.ControlPlaneNamespace, "") - } - return &SkipError{Reason: "grafana add-on not enabled"} - }, - }, - { - description: "grafana add-on config map exists", - warning: true, - check: func(ctx context.Context) error { - grafana := make(map[string]interface{}) - err := yaml.Unmarshal(hc.linkerdConfig.Grafana.Values(), &grafana) - if err != nil { - return err - } - if GetBool(grafana, "enabled") { - 
name, err := GetString(grafana, "name") - if err != nil && !errors.Is(err, errorKeyNotFound) { - return err - } - - if errors.Is(err, errorKeyNotFound) { - // default name of grafana instance - name = "linkerd-grafana" - } - - _, err = hc.kubeAPI.CoreV1().ConfigMaps(hc.ControlPlaneNamespace).Get(ctx, fmt.Sprintf("%s-config", name), metav1.GetOptions{}) - if err != nil { - return err - } - return nil - } - return &SkipError{Reason: "grafana add-on not enabled"} - }, - }, - { - description: "grafana pod is running", - warning: true, - retryDeadline: hc.RetryDeadline, - surfaceErrorOnRetry: true, - check: func(ctx context.Context) error { - grafana := make(map[string]interface{}) - err := yaml.Unmarshal(hc.linkerdConfig.Grafana.Values(), &grafana) - if err != nil { - return err - } - if GetBool(grafana, "enabled") { - // populate controlPlanePods to get the latest status, during retries - var err error - hc.controlPlanePods, err = hc.kubeAPI.GetPodsByNamespace(ctx, hc.ControlPlaneNamespace) - if err != nil { - return err - } - - return checkContainerRunning(hc.controlPlanePods, "grafana") - } - return &SkipError{Reason: "grafana add-on not enabled"} - }, - }, - }, - }, - } -} - -// GetString returns a String with the given key if present -func GetString(i interface{}, k string) (string, error) { - m, ok := i.(map[string]interface{}) - if !ok { - return "", errors.New("config value is not a map") - } - - v, ok := m[k] - if !ok { - return "", errorKeyNotFound - } - - res, ok := v.(string) - if !ok { - return "", fmt.Errorf("config value '%v' for key '%s' is not a string", v, k) - } - - return res, nil -} - -// GetBool returns a bool with the given key if present. Defaults to false if -// the key is not present or is a different type. 
-func GetBool(i interface{}, k string) bool { - m, ok := i.(map[string]interface{}) - if !ok { - return false - } - - v, ok := m[k] - if !ok { - return false - } - - res, ok := v.(bool) - if !ok { - return false - } - - return res -} - -// GetMap returns a Map with the given Key if Present -func GetMap(i interface{}, k string) (map[string]interface{}, error) { - m, ok := i.(map[string]interface{}) - if !ok { - return nil, errors.New("config value is not a map") - } - - v, ok := m[k] - if !ok { - return nil, errorKeyNotFound - } - - res, ok := v.(map[string]interface{}) - if !ok { - return nil, fmt.Errorf("config value '%v' for key '%s' is not a map", v, k) - } - - return res, nil -} diff --git a/pkg/healthcheck/healthcheck_test.go b/pkg/healthcheck/healthcheck_test.go index 015799c11..2e7f7d228 100644 --- a/pkg/healthcheck/healthcheck_test.go +++ b/pkg/healthcheck/healthcheck_test.go @@ -570,7 +570,7 @@ metadata: }, []string{ "linkerd-config control plane Namespace exists", - "linkerd-config control plane ClusterRoles exist: missing ClusterRoles: linkerd-test-ns-controller, linkerd-test-ns-identity, linkerd-test-ns-proxy-injector, linkerd-test-ns-sp-validator, linkerd-test-ns-tap", + "linkerd-config control plane ClusterRoles exist: missing ClusterRoles: linkerd-test-ns-controller, linkerd-test-ns-identity, linkerd-test-ns-proxy-injector, linkerd-test-ns-sp-validator", }, }, { @@ -599,14 +599,6 @@ metadata: ` kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: 
@@ -619,20 +611,12 @@ metadata: name: linkerd-test-ns-sp-validator labels: linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns `, }, []string{ "linkerd-config control plane Namespace exists", "linkerd-config control plane ClusterRoles exist", - "linkerd-config control plane ClusterRoleBindings exist: missing ClusterRoleBindings: linkerd-test-ns-controller, linkerd-test-ns-identity, linkerd-test-ns-proxy-injector, linkerd-test-ns-sp-validator, linkerd-test-ns-tap", + "linkerd-config control plane ClusterRoleBindings exist: missing ClusterRoleBindings: linkerd-test-ns-controller, linkerd-test-ns-identity, linkerd-test-ns-proxy-injector, linkerd-test-ns-sp-validator", }, }, { @@ -661,14 +645,6 @@ metadata: ` kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -683,14 +659,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -709,14 +677,6 @@ metadata: ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: 
@@ -731,14 +691,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ServiceAccount apiVersion: v1 metadata: @@ -768,15 +720,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: test-ns @@ -795,38 +738,11 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-heartbeat namespace: test-ns labels: linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns `, }, []string{ @@ -863,14 +779,6 @@ metadata: ` kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -885,14 +793,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: 
@@ -911,14 +811,6 @@ metadata: ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -933,14 +825,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ServiceAccount apiVersion: v1 metadata: @@ -970,15 +854,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: test-ns @@ -997,15 +872,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-heartbeat namespace: test-ns @@ -1022,15 +888,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -1074,14 +931,6 @@ metadata: ` kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: 
@@ -1096,14 +945,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -1122,14 +963,6 @@ metadata: ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -1144,14 +977,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ServiceAccount apiVersion: v1 metadata: @@ -1181,15 +1006,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: test-ns @@ -1208,15 +1024,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-heartbeat namespace: test-ns @@ -1233,15 +1040,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: 
@@ -1294,14 +1092,6 @@ metadata: ` kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -1316,14 +1106,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -1342,14 +1124,6 @@ metadata: ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -1364,14 +1138,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ServiceAccount apiVersion: v1 metadata: @@ -1401,15 +1167,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: test-ns @@ -1428,15 +1185,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-heartbeat namespace: test-ns 
@@ -1453,15 +1201,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -1523,14 +1262,6 @@ metadata: ` kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -1545,14 +1276,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -1571,14 +1294,6 @@ metadata: ` kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-prometheus - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-test-ns-proxy-injector labels: @@ -1593,14 +1308,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-test-ns-tap - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` kind: ServiceAccount apiVersion: v1 metadata: @@ -1630,15 +1337,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: test-ns 
@@ -1657,15 +1355,6 @@ metadata: ` kind: ServiceAccount apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` -kind: ServiceAccount -apiVersion: v1 metadata: name: linkerd-heartbeat namespace: test-ns @@ -1682,15 +1371,6 @@ metadata: linkerd.io/control-plane-ns: test-ns `, ` -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: test-ns - labels: - linkerd.io/control-plane-ns: test-ns -`, - ` apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: @@ -1965,18 +1645,15 @@ func TestValidateControlPlanePods(t *testing.T) { pods := []corev1.Pod{ pod("linkerd-controller-6f78cbd47-bc557", corev1.PodRunning, true), pod("linkerd-grafana-5b7d796646-hh46d", corev1.PodRunning, true), - pod("linkerd-identity-6849948664-27982", corev1.PodRunning, true), - pod("linkerd-prometheus-74d6879cd6-bbdk6", corev1.PodRunning, true), - pod("linkerd-tap-6c878df6c8-2hmtd", corev1.PodFailed, false), + pod("linkerd-identity-6849948664-27982", corev1.PodFailed, true), pod("linkerd-sp-validator-24d2879ce6-cddk9", corev1.PodRunning, true), - pod("linkerd-web-98c9ddbcd-7b5lh", corev1.PodRunning, true), } err := validateControlPlanePods(pods) if err == nil { t.Fatal("Expected error, got nothing") } - if err.Error() != "No running pods for \"linkerd-tap\"" { + if err.Error() != "No running pods for \"linkerd-identity\"" { t.Fatalf("Unexpected error message: %s", err.Error()) } }) 
@@ -1985,17 +1662,15 @@ func TestValidateControlPlanePods(t *testing.T) {
 pods := []corev1.Pod{
 pod("linkerd-controller-6f78cbd47-bc557", corev1.PodRunning, true),
 pod("linkerd-identity-6849948664-27982", corev1.PodRunning, true),
- pod("linkerd-prometheus-74d6879cd6-bbdk6", corev1.PodRunning, true),
 pod("linkerd-tap-6c878df6c8-2hmtd", corev1.PodRunning, true),
- pod("linkerd-sp-validator-24d2879ce6-cddk9", corev1.PodRunning, true),
- pod("linkerd-web-98c9ddbcd-7b5lh", corev1.PodRunning, false),
+ pod("linkerd-sp-validator-24d2879ce6-cddk9", corev1.PodRunning, false),
 }
 err := validateControlPlanePods(pods)
 if err == nil {
 t.Fatal("Expected error, got nothing")
 }
- if err.Error() != "pod/linkerd-web-98c9ddbcd-7b5lh container web is not ready" {
+ if err.Error() != "pod/linkerd-sp-validator-24d2879ce6-cddk9 container sp is not ready" {
 t.Fatalf("Unexpected error message: %s", err.Error())
 }
 })
@@ -2003,12 +1678,8 @@ func TestValidateControlPlanePods(t *testing.T) {
 t.Run("Returns nil if all pods are running and all containers are ready", func(t *testing.T) {
 pods := []corev1.Pod{
 pod("linkerd-controller-6f78cbd47-bc557", corev1.PodRunning, true),
- pod("linkerd-grafana-5b7d796646-hh46d", corev1.PodRunning, true),
 pod("linkerd-identity-6849948664-27982", corev1.PodRunning, true),
- pod("linkerd-prometheus-74d6879cd6-bbdk6", corev1.PodRunning, true),
 pod("linkerd-sp-validator-24d2879ce6-cddk9", corev1.PodRunning, true),
- pod("linkerd-tap-6c878df6c8-2hmtd", corev1.PodRunning, true),
- pod("linkerd-web-98c9ddbcd-7b5lh", corev1.PodRunning, true),
 }
 err := validateControlPlanePods(pods)
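Review bot: The new expected message in the first hunk pins the container name as `sp`, although the not-ready pod is `linkerd-sp-validator-…`. Presumably the `pod` fixture (defined outside the hunk) derives the container name by splitting the pod name on `-`, so the assertion encodes a fixture quirk rather than a real container name. Using a component without a hyphen for the not-ready case avoids that: `pod("linkerd-identity-6849948664-27982", corev1.PodRunning, false),` with `"pod/linkerd-identity-6849948664-27982 container identity is not ready"`. Otherwise a short comment next to the assertion explaining where `sp` comes from would do. The enclosing `t.Run` closure starts above the hunk.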
@@ -2022,14 +1693,10 @@ func TestValidateControlPlanePods(t *testing.T) { pod("linkerd-controller-6f78cbd47-bc557", corev1.PodRunning, true), pod("linkerd-controller-6f78cbd47-bc558", corev1.PodRunning, false), pod("linkerd-controller-6f78cbd47-bc559", corev1.PodFailed, false), - pod("linkerd-grafana-5b7d796646-hh46d", corev1.PodRunning, true), pod("linkerd-identity-6849948664-27982", corev1.PodRunning, true), pod("linkerd-identity-6849948664-27983", corev1.PodRunning, false), pod("linkerd-identity-6849948664-27984", corev1.PodFailed, false), - pod("linkerd-tap-6c878df6c8-2hmtd", corev1.PodRunning, true), - pod("linkerd-prometheus-74d6879cd6-bbdk6", corev1.PodRunning, true), pod("linkerd-sp-validator-24d2879ce6-cddk9", corev1.PodRunning, true), - pod("linkerd-web-98c9ddbcd-7b5lh", corev1.PodRunning, true), } err := validateControlPlanePods(pods) @@ -2041,12 +1708,8 @@ func TestValidateControlPlanePods(t *testing.T) { t.Run("Returns nil if all linkerd pods are running and pod list includes non-linkerd pod", func(t *testing.T) { pods := []corev1.Pod{ pod("linkerd-controller-6f78cbd47-bc557", corev1.PodRunning, true), - pod("linkerd-grafana-5b7d796646-hh46d", corev1.PodRunning, true), pod("linkerd-identity-6849948664-27982", corev1.PodRunning, true), - pod("linkerd-prometheus-74d6879cd6-bbdk6", corev1.PodRunning, true), pod("linkerd-sp-validator-24d2879ce6-cddk9", corev1.PodRunning, true), - pod("linkerd-tap-6c878df6c8-2hmtd", corev1.PodRunning, true), - pod("linkerd-web-98c9ddbcd-7b5lh", corev1.PodRunning, true), pod("hello-43c25d", corev1.PodRunning, true), } @@ -2568,8 +2231,6 @@ data: controllerImage: ControllerImage controllerReplicas: 1 controllerUID: 2103 - dashboard: - replicas: 1 debugContainer: null destinationProxyResources: null destinationResources: null 
@@ -2649,8 +2310,6 @@ data: proxyInjectAnnotation: ProxyInjectAnnotation proxyInjectDisabled: ProxyInjectDisabled workloadNamespaceLabel: WorkloadNamespaceLabel - grafana: - enabled: true heartbeatResources: null heartbeatSchedule: "" identityProxyResources: null @@ -2659,37 +2318,26 @@ data: nodeSelector: beta.kubernetes.io/os: linux omitWebhookSideEffects: false - prometheus: - enabled: true - image: PrometheusImage proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null - restrictDashboardPrivileges: false spValidatorProxyResources: null spValidatorResources: null stage: "" - tapProxyResources: null - tapResources: null tolerations: null - webImage: WebImage - webProxyResources: null - webResources: null webhookFailurePolicy: WebhookFailurePolicy `, }, &linkerd2.Values{ - ControllerImage: "ControllerImage", - WebImage: "WebImage", - ControllerUID: 2103, - EnableH2Upgrade: true, - WebhookFailurePolicy: "WebhookFailurePolicy", - OmitWebhookSideEffects: false, - RestrictDashboardPrivileges: false, - InstallNamespace: true, - NodeSelector: defaultValues.NodeSelector, - Tolerations: defaultValues.Tolerations, + ControllerImage: "ControllerImage", + ControllerUID: 2103, + EnableH2Upgrade: true, + WebhookFailurePolicy: "WebhookFailurePolicy", + OmitWebhookSideEffects: false, + InstallNamespace: true, + NodeSelector: defaultValues.NodeSelector, + Tolerations: defaultValues.Tolerations, Global: &linkerd2.Global{ Namespace: "Namespace", ClusterDomain: "cluster.local", @@ -2747,14 +2395,6 @@ data: }, }, ControllerReplicas: 1, - Dashboard: &linkerd2.Dashboard{ - Replicas: 1, - }, - Prometheus: linkerd2.Prometheus{ - "enabled": true, - "image": "PrometheusImage", - }, - Grafana: defaultValues.Grafana, }, nil, }, 
@@ -3525,68 +3165,6 @@ func TestMinReplicaCheck(t *testing.T) { } } -func TestGetString(t *testing.T) { - testCases := []struct { - i interface{} - k string - expected string - expectedError error - }{ - { - i: map[string]interface{}{ - "key": "value", - }, - k: "key", - expected: "value", - expectedError: nil, - }, - { - i: map[string]interface{}{ - "key": map[string]interface{}{ - "key1": "value1", - }, - }, - k: "key", - expected: "", - expectedError: errors.New("config value 'map[key1:value1]' for key 'key' is not a string"), - }, - { - i: map[string]interface{}{ - "key": "value", - }, - k: "key1", - expected: "", - expectedError: errorKeyNotFound, - }, - } - - for i, tc := range testCases { - tc := tc //pin - t.Run(fmt.Sprintf("%d", i), func(t *testing.T) { - ans, err := GetString(tc.i, tc.k) - - if ans != tc.expected { - t.Logf("Expected value: %s\n", tc.expected) - t.Logf("Received value: %s\n", ans) - t.Fatal("test case failed") - } - - if err == nil && tc.expectedError != nil { - t.Log("Expected error: nil") - t.Logf("Received error: %s\n", err) - t.Fatal("test case failed") - } - if err != nil { - if err.Error() != tc.expectedError.Error() { - t.Logf("Expected error: %s\n", tc.expectedError) - t.Logf("Received error: %s\n", err) - t.Fatal("test case failed") - } - } - }) - } -} - type controlPlaneReplicaOptions struct { controller int destination int diff --git a/test/cli/cli_install_static_test.go b/test/cli/cli_install_static_test.go index ed4c123a3..8b9285ff6 100644 --- a/test/cli/cli_install_static_test.go +++ b/test/cli/cli_install_static_test.go 
@@ -34,7 +34,7 @@ func TestMain(m *testing.M) {
 exit(1, "-linkerd flag is required")
 }
- TestHelper = testutil.NewGenericTestHelper(*linkerd, "", "l5d", "", "", "", "", "", "", "", "", false, false, false, false, false, *http.DefaultClient, testutil.KubernetesHelper{})
+ TestHelper = testutil.NewGenericTestHelper(*linkerd, "", "l5d", "linkerd-viz", "", "", "", "", "", "", "", "", false, false, false, false, false, *http.DefaultClient, testutil.KubernetesHelper{})
 os.Exit(m.Run())
 }
diff --git a/test/integration/edges/edges_test.go b/test/integration/edges/edges_test.go
index 60a81c89d..df7af39f7 100644
--- a/test/integration/edges/edges_test.go
+++ b/test/integration/edges/edges_test.go
@@ -143,11 +143,11 @@ func TestDirectEdges(t *testing.T) {
 tpl := template.Must(template.ParseFiles("testdata/direct_edges.golden"))
 vars := struct {
- Ns string
- ControlNs string
+ Ns string
+ VizNs string
 }{
 testNamespace,
- TestHelper.GetLinkerdNamespace(),
+ TestHelper.GetVizNamespace(),
 }
 var buf bytes.Buffer
 if err := tpl.Execute(&buf, vars); err != nil {
diff --git a/test/integration/edges/testdata/direct_edges.golden b/test/integration/edges/testdata/direct_edges.golden
index 328b3a59c..d6d9490fe 100644
--- a/test/integration/edges/testdata/direct_edges.golden
+++ b/test/integration/edges/testdata/direct_edges.golden
@@ -10,7 +10,7 @@
 \},
 \{
 "src": "linkerd-prometheus",
- "src_namespace": "{{.ControlNs}}",
+ "src_namespace": "{{.VizNs}}",
 "dst": "slow-cooker",
 "dst_namespace": "{{.Ns}}",
 "client_id": "",
@@ -19,7 +19,7 @@
 \},
 \{
 "src": "linkerd-prometheus",
- "src_namespace": "{{.ControlNs}}",
+ "src_namespace": "{{.VizNs}}",
 "dst": "terminus",
 "dst_namespace": "{{.Ns}}",
 "client_id": "",
diff --git a/test/integration/endpoints/endpoints_test.go b/test/integration/endpoints/endpoints_test.go
index 8c1462848..c0ba41eb0 100644
--- a/test/integration/endpoints/endpoints_test.go
+++ b/test/integration/endpoints/endpoints_test.go
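Review bot: The `NewGenericTestHelper` call in `TestMain` now passes twelve consecutive positional strings, and the new `"linkerd-viz"` literal is only identifiable by counting arguments. Because every neighbour has the same type, the compiler cannot catch a value that lands one slot off. At minimum I would name the value, e.g. `const vizNamespace = "linkerd-viz"`, and pass `vizNamespace` at the call site. Longer term an options struct for the helper would make each field explicit; its signature is not visible in this hunk, so that is a suggestion for the `testutil` package rather than this file.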
@@ -21,17 +21,18 @@ func TestMain(m *testing.M) { func TestGoodEndpoints(t *testing.T) { ns := TestHelper.GetLinkerdNamespace() + vizNs := TestHelper.GetVizNamespace() cmd := []string{ "endpoints", fmt.Sprintf("linkerd-controller-api.%s.svc.cluster.local:8085", ns), fmt.Sprintf("linkerd-dst.%s.svc.cluster.local:8086", ns), - fmt.Sprintf("linkerd-grafana.%s.svc.cluster.local:3000", ns), + fmt.Sprintf("linkerd-grafana.%s.svc.cluster.local:3000", vizNs), fmt.Sprintf("linkerd-identity.%s.svc.cluster.local:8080", ns), - fmt.Sprintf("linkerd-prometheus.%s.svc.cluster.local:9090", ns), + fmt.Sprintf("linkerd-prometheus.%s.svc.cluster.local:9090", vizNs), fmt.Sprintf("linkerd-proxy-injector.%s.svc.cluster.local:443", ns), fmt.Sprintf("linkerd-sp-validator.%s.svc.cluster.local:443", ns), - fmt.Sprintf("linkerd-tap.%s.svc.cluster.local:8088", ns), - fmt.Sprintf("linkerd-web.%s.svc.cluster.local:8084", ns), + fmt.Sprintf("linkerd-tap.%s.svc.cluster.local:8088", vizNs), + fmt.Sprintf("linkerd-web.%s.svc.cluster.local:8084", vizNs), "-ojson", } out, err := TestHelper.LinkerdRun(cmd...) @@ -40,7 +41,13 @@ func TestGoodEndpoints(t *testing.T) { } tpl := template.Must(template.ParseFiles("testdata/linkerd_endpoints.golden")) - vars := struct{ Ns string }{ns} + vars := struct { + Ns string + VizNs string + }{ + ns, + vizNs, + } var b bytes.Buffer if err := tpl.Execute(&b, vars); err != nil { testutil.AnnotatedFatalf(t, "failed to parse linkerd_endpoints.golden template", "failed to parse linkerd_endpoints.golden template: %s", err) diff --git a/test/integration/endpoints/testdata/linkerd_endpoints.golden b/test/integration/endpoints/testdata/linkerd_endpoints.golden index 45170d798..05e378c1b 100644 --- a/test/integration/endpoints/testdata/linkerd_endpoints.golden +++ b/test/integration/endpoints/testdata/linkerd_endpoints.golden 
@@ -13,13 +13,6 @@ "pod": "linkerd\-destination\-[a-f0-9]+\-[a-z0-9]+", "service": "linkerd\-dst\.{{.Ns}}" \}, - \{ - "namespace": "{{.Ns}}", - "ip": "\d+\.\d+\.\d+\.\d+", - "port": 3000, - "pod": "linkerd\-grafana\-[a-f0-9]+\-[a-z0-9]+", - "service": "linkerd\-grafana\.{{.Ns}}" - \}, \{ "namespace": "{{.Ns}}", "ip": "\d+\.\d+\.\d+\.\d+", @@ -27,13 +20,6 @@ "pod": "linkerd\-identity\-[a-f0-9]+\-[a-z0-9]+", "service": "linkerd\-identity\.{{.Ns}}" \}, - \{ - "namespace": "{{.Ns}}", - "ip": "\d+\.\d+\.\d+\.\d+", - "port": 9090, - "pod": "linkerd\-prometheus-[a-f0-9]+\-[a-z0-9]+", - "service": "linkerd\-prometheus\.{{.Ns}}" - \}, \{ "namespace": "{{.Ns}}", "ip": "\d+\.\d+\.\d+\.\d+", @@ -49,17 +35,31 @@ "service": "linkerd\-sp\-validator\.{{.Ns}}" \}, \{ - "namespace": "{{.Ns}}", + "namespace": "{{.VizNs}}", + "ip": "\d+\.\d+\.\d+\.\d+", + "port": 3000, + "pod": "linkerd\-grafana\-[a-f0-9]+\-[a-z0-9]+", + "service": "linkerd\-grafana\.{{.VizNs}}" + \}, + \{ + "namespace": "{{.VizNs}}", + "ip": "\d+\.\d+\.\d+\.\d+", + "port": 9090, + "pod": "linkerd\-prometheus-[a-f0-9]+\-[a-z0-9]+", + "service": "linkerd\-prometheus\.{{.VizNs}}" + \}, + \{ + "namespace": "{{.VizNs}}", "ip": "\d+\.\d+\.\d+\.\d+", "port": 8088, "pod": "linkerd\-tap\-[a-f0-9]+\-[a-z0-9]+", - "service": "linkerd\-tap\.{{.Ns}}" + "service": "linkerd\-tap\.{{.VizNs}}" \}, \{ - "namespace": "{{.Ns}}", + "namespace": "{{.VizNs}}", "ip": "\d+\.\d+\.\d+\.\d+", "port": 8084, "pod": "linkerd\-web\-[a-f0-9]+\-[a-z0-9]+", - "service": "linkerd\-web\.{{.Ns}}" + "service": "linkerd\-web\.{{.VizNs}}" \} \] diff --git a/test/integration/install_test.go b/test/integration/install_test.go index 38815de3e..7c4bd98d3 100644 --- a/test/integration/install_test.go +++ b/test/integration/install_test.go 
@@ -32,30 +32,32 @@ var ( helmTLSCerts *tls.CA - linkerdSvcStable = []string{ - "linkerd-controller-api", - "linkerd-dst", - "linkerd-grafana", - "linkerd-identity", - "linkerd-prometheus", - "linkerd-web", - "linkerd-tap", + linkerdSvcStable = []testutil.Service{ + {Namespace: "linkerd", Name: "linkerd-controller-api"}, + {Namespace: "linkerd", Name: "linkerd-dst"}, + {Namespace: "linkerd", Name: "linkerd-grafana"}, + {Namespace: "linkerd", Name: "linkerd-identity"}, + {Namespace: "linkerd", Name: "linkerd-prometheus"}, + {Namespace: "linkerd", Name: "linkerd-web"}, + {Namespace: "linkerd", Name: "linkerd-tap"}, + {Namespace: "linkerd", Name: "linkerd-dst-headless"}, + {Namespace: "linkerd", Name: "linkerd-identity-headless"}, } - linkerdSvcEdge = []string{ - "linkerd-controller-api", - "linkerd-dst", - "linkerd-dst-headless", - "linkerd-grafana", - "linkerd-identity", - "linkerd-identity-headless", - "linkerd-prometheus", - "linkerd-web", - "linkerd-tap", + linkerdSvcEdge = []testutil.Service{ + {Namespace: "linkerd", Name: "linkerd-controller-api"}, + {Namespace: "linkerd", Name: "linkerd-dst"}, + {Namespace: "linkerd-viz", Name: "linkerd-grafana"}, + {Namespace: "linkerd", Name: "linkerd-identity"}, + {Namespace: "linkerd-viz", Name: "linkerd-prometheus"}, + {Namespace: "linkerd-viz", Name: "linkerd-web"}, + {Namespace: "linkerd-viz", Name: "linkerd-tap"}, + {Namespace: "linkerd", Name: "linkerd-dst-headless"}, + {Namespace: "linkerd", Name: "linkerd-identity-headless"}, } - multiclusterSvcs = []string{ - "linkerd-gateway", + multiclusterSvcs = []testutil.Service{ + {Namespace: "linkerd-multicluster", Name: "linkerd-gateway"}, } injectionCases = []struct { 
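Review bot: The service lists now pin namespaces as string literals (`"linkerd"`, `"linkerd-viz"`, `"linkerd-multicluster"`), so the `-linkerd-namespace` and `-viz-namespace` flags no longer decide where these checks look. The same literal appears as `ns := "linkerd"` in the two proxy-injector wait blocks added to TestInstallOrUpgradeCli and TestInstallHelm, and in the `LinkerdDeployReplicasStable` / `LinkerdDeployReplicasEdge` maps in testutil/test_helper.go. A run against a non-default namespace would install into one namespace and verify another. In the wait blocks the change is `ns := TestHelper.GetLinkerdNamespace()`. The package-level lists are presumably initialised before TestHelper is set, so they would have to be built inside the tests or by a small function that takes the two namespaces. The `var (` block continues outside this hunk.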
@@ -261,6 +263,10 @@ func TestInstallOrUpgradeCli(t *testing.T) { "--proxy-version", TestHelper.GetVersion(), "--skip-inbound-ports", skippedInboundPorts, } + vizCmd = []string{"viz", "install"} + vizArgs = []string{ + "--set", fmt.Sprintf("namespace=%s", TestHelper.GetVizNamespace()), + } ) if certsPath := TestHelper.CertsPath(); certsPath != "" { @@ -273,6 +279,7 @@ func TestInstallOrUpgradeCli(t *testing.T) { if TestHelper.GetClusterDomain() != "cluster.local" { args = append(args, "--cluster-domain", TestHelper.GetClusterDomain()) + vizArgs = append(vizArgs, "--set", fmt.Sprintf("clusterDomain=%s", TestHelper.GetClusterDomain())) } if TestHelper.CNI() { @@ -398,6 +405,27 @@ func TestInstallOrUpgradeCli(t *testing.T) { "'kubectl apply' command failed\n%s", out) } + // Wait for the proxy injector to be up + name := "linkerd-proxy-injector" + ns := "linkerd" + o, err := TestHelper.Kubectl("", "--namespace="+ns, "wait", "--for=condition=available", "--timeout=120s", "deploy/"+name) + if err != nil { + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to wait for condition=available for deploy/%s in namespace %s", name, ns), + "failed to wait for condition=available for deploy/%s in namespace %s: %s: %s", name, ns, err, o) + } + + // Install Linkerd Viz Extension + exec = append(vizCmd, vizArgs...) + out, err = TestHelper.LinkerdRun(exec...) + if err != nil { + testutil.AnnotatedFatal(t, "'linkerd viz install' command failed", err) + } + + out, err = TestHelper.KubectlApply(out, "") + if err != nil { + testutil.AnnotatedFatalf(t, "'kubectl apply' command failed", + "'kubectl apply' command failed\n%s", out) + } } // These need to be updated (if there are changes) once a new stable is released 
@@ -460,14 +488,42 @@ func TestInstallHelm(t *testing.T) { testutil.AnnotatedFatalf(t, "'helm install' command failed", "'helm install' command failed\n%s\n%s", stdout, stderr) } + + // Wait for the proxy injector to be up + name := "linkerd-proxy-injector" + ns := "linkerd" + o, err := TestHelper.Kubectl("", "--namespace="+ns, "wait", "--for=condition=available", "--timeout=120s", "deploy/"+name) + if err != nil { + testutil.AnnotatedFatalf(t, fmt.Sprintf("failed to wait for condition=available for deploy/%s in namespace %s", name, ns), + "failed to wait for condition=available for deploy/%s in namespace %s: %s: %s", name, ns, err, o) + } + + if TestHelper.UpgradeHelmFromVersion() == "" { + vizChart := TestHelper.GetLinkerdVizHelmChart() + vizArgs := []string{ + "--set", "linkerdVersion=" + TestHelper.GetVersion(), + "--set", "namespace=" + TestHelper.GetVizNamespace(), + "--set", "dashboard.image.tag=" + TestHelper.GetVersion(), + "--set", "grafana.image.tag=" + TestHelper.GetVersion(), + "--set", "tap.image.tag=" + TestHelper.GetVersion(), + } + // Install Viz Extension Chart + if stdout, stderr, err := TestHelper.HelmInstallPlain(vizChart, "l5d-viz", vizArgs...); err != nil { + testutil.AnnotatedFatalf(t, "'helm install' command failed", + "'helm install' command failed\n%s\n%s", stdout, stderr) + } + } } func TestControlPlaneResourcesPostInstall(t *testing.T) { expectedServices := linkerdSvcEdge + expectedDeployments := testutil.LinkerdDeployReplicasEdge + // Upgrade Case if TestHelper.UpgradeHelmFromVersion() != "" { expectedServices = linkerdSvcStable + expectedDeployments = testutil.LinkerdDeployReplicasStable } - testutil.TestResourcesPostInstall(TestHelper.GetLinkerdNamespace(), expectedServices, testutil.LinkerdDeployReplicas, TestHelper, t) + testutil.TestResourcesPostInstall(TestHelper.GetLinkerdNamespace(), expectedServices, expectedDeployments, TestHelper, t) } func TestInstallMulticluster(t *testing.T) { 
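Review bot: The viz chart install added to TestInstallHelm passes neither `--wait` nor `--atomic` in `vizArgs`, so `HelmInstallPlain` can return while the viz pods are still starting. The core upgrade arguments in TestUpgradeHelm in this same file do pass both. Whether the later resource checks tolerate this depends on retry behaviour in `CheckPods`, which is not visible here. I would add `"--wait",` as the last element of `vizArgs`, and likewise in the copy of this block in TestUpgradeHelm. The failure message also prints only stdout and stderr; appending `err` would make a failed helm invocation easier to diagnose.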
@@ -535,20 +591,12 @@ func TestUpgradeHelm(t *testing.T) { "--set", "publicAPIProxyResources.memory.request=101Mi", "--set", "destinationProxyResources.cpu.limit=1020m", "--set", "destinationProxyResources.memory.request=102Mi", - "--set", "grafana.proxy.resources.cpu.limit=1030m", - "--set", "grafana.proxy.resources.memory.request=103Mi", "--set", "identityProxyResources.cpu.limit=1040m", "--set", "identityProxyResources.memory.request=104Mi", - "--set", "prometheus.proxy.resources.cpu.limit=1050m", - "--set", "prometheus.proxy.resources.memory.request=105Mi", "--set", "proxyInjectorProxyResources.cpu.limit=1060m", "--set", "proxyInjectorProxyResources.memory.request=106Mi", "--set", "spValidatorProxyResources.cpu.limit=1080m", "--set", "spValidatorProxyResources.memory.request=108Mi", - "--set", "tapProxyResources.cpu.limit=1090m", - "--set", "tapProxyResources.memory.request=109Mi", - "--set", "webProxyResources.cpu.limit=1100m", - "--set", "webProxyResources.memory.request=110Mi", "--atomic", "--wait", } 
@@ -557,6 +605,22 @@ func TestUpgradeHelm(t *testing.T) { testutil.AnnotatedFatalf(t, "'helm upgrade' command failed", "'helm upgrade' command failed\n%s\n%s", stdout, stderr) } + + // Install Viz Extension, as there was no viz with stable + // TOODO: Update this to upgrade once this will be the newer stable/edge + vizChart := TestHelper.GetLinkerdVizHelmChart() + vizArgs := []string{ + "--set", "linkerdVersion=" + TestHelper.GetVersion(), + "--set", "namespace=" + TestHelper.GetVizNamespace(), + "--set", "dashboard.image.tag=" + TestHelper.GetVersion(), + "--set", "grafana.image.tag=" + TestHelper.GetVersion(), + "--set", "tap.image.tag=" + TestHelper.GetVersion(), + } + // Install Viz Extension Chart + if stdout, stderr, err := TestHelper.HelmInstallPlain(vizChart, "l5d-viz", vizArgs...); err != nil { + testutil.AnnotatedFatalf(t, "'helm install' command failed", + "'helm install' command failed\n%s\n%s", stdout, stderr) + } } func TestRetrieveUidPostUpgrade(t *testing.T) { @@ -598,13 +662,6 @@ var expectedResources = []expectedData{ memLimit: "200Mi", memRequest: "102Mi", }, - { - pod: "linkerd-grafana", - cpuLimit: "1030m", - cpuRequest: "20m", - memLimit: "200Mi", - memRequest: "103Mi", - }, { pod: "linkerd-identity", cpuLimit: "1040m", @@ -612,13 +669,6 @@ var expectedResources = []expectedData{ memLimit: "200Mi", memRequest: "104Mi", }, - { - pod: "linkerd-prometheus", - cpuLimit: "1050m", - cpuRequest: "20m", - memLimit: "200Mi", - memRequest: "105Mi", - }, { pod: "linkerd-proxy-injector", cpuLimit: "1060m", @@ -633,20 +683,6 @@ var expectedResources = []expectedData{ memLimit: "200Mi", memRequest: "108Mi", }, - { - pod: "linkerd-tap", - cpuLimit: "1090m", - cpuRequest: "20m", - memLimit: "200Mi", - memRequest: "109Mi", - }, - { - pod: "linkerd-web", - cpuLimit: "1100m", - cpuRequest: "20m", - memLimit: "200Mi", - memRequest: "110Mi", - }, } func TestComponentProxyResources(t *testing.T) { 
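Review bot: The marker in `// TOODO: Update this to upgrade once this will be the newer stable/edge` is misspelled, so TODO scanners and greps will not find this follow-up; it should read `// TODO: switch this to 'helm upgrade' once a stable release ships the viz chart`. The `vizArgs` slice and the `HelmInstallPlain(vizChart, "l5d-viz", ...)` call below it duplicate the block added to TestInstallHelm line for line. A small helper in this file that both tests call would keep the image-tag overrides and the release name from drifting apart. TestUpgradeHelm starts before this hunk.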
@@ -935,8 +971,8 @@ func TestCheckProxy(t *testing.T) { } func TestRestarts(t *testing.T) { - for deploy, spec := range testutil.LinkerdDeployReplicas { - if err := TestHelper.CheckPods(context.Background(), TestHelper.GetLinkerdNamespace(), deploy, spec.Replicas); err != nil { + for deploy, spec := range testutil.LinkerdDeployReplicasEdge { + if err := TestHelper.CheckPods(context.Background(), spec.Namespace, deploy, spec.Replicas); err != nil { if rce, ok := err.(*testutil.RestartCountError); ok { testutil.AnnotatedWarn(t, "CheckPods timed-out", rce) } else { diff --git a/test/integration/routes/routes_test.go b/test/integration/routes/routes_test.go index 1822f1645..503158037 100644 --- a/test/integration/routes/routes_test.go +++ b/test/integration/routes/routes_test.go @@ -43,19 +43,12 @@ func TestRoutes(t *testing.T) { {"linkerd-destination", 1}, {"linkerd-dst", 6}, {"linkerd-dst-headless", 3}, - {"linkerd-grafana", 13}, {"linkerd-identity", 3}, {"linkerd-identity-headless", 1}, - {"linkerd-prometheus", 5}, - {"linkerd-web", 2}, {"POST /api/v1/ListPods", 1}, - {"POST /api/v1/", 7}, + {"POST /api/v1/", 6}, {"POST /io.linkerd.proxy.destination.Destination/Get", 4}, - {"GET /api/annotations", 1}, - {"GET /api/", 9}, - {"GET /public/", 3}, - {"GET /api/v1/", 2}, } for _, r := range routeStrings { diff --git a/test/integration/smimetrics/smi-metrics_test.go b/test/integration/smimetrics/smi-metrics_test.go index e938a0709..e7ddf93e3 100644 --- a/test/integration/smimetrics/smi-metrics_test.go +++ b/test/integration/smimetrics/smi-metrics_test.go @@ -28,6 +28,8 @@ func TestMain(m *testing.M) { func TestSMIMetrics(t *testing.T) { + t.Skip("Skipped, as SMI-Metrics currently hardcodes the prometheusUrl of Linkerd which changed") + ctx := context.Background() if os.Getenv("RUN_ARM_TEST") != "" { diff --git a/test/integration/stat/stat_test.go b/test/integration/stat/stat_test.go index 72b9376c8..f13b6f1f4 100644 --- a/test/integration/stat/stat_test.go 
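Review bot: The `t.Skip(...)` added at the top of TestSMIMetrics disables the whole test unconditionally and carries no reference for when to re-enable it, so SMI-Metrics coverage can stay off unnoticed. I would put a tracking comment directly above it, e.g. `// TODO(<issue-id>): re-enable once SMI-Metrics no longer hardcodes the Prometheus URL`, with the placeholder replaced by the real issue. The function body continues outside this hunk.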
+++ b/test/integration/stat/stat_test.go @@ -36,7 +36,7 @@ func TestMain(m *testing.M) { func TestCliStatForLinkerdNamespace(t *testing.T) { ctx := context.Background() - pods, err := TestHelper.GetPodNamesForDeployment(ctx, TestHelper.GetLinkerdNamespace(), "linkerd-prometheus") + pods, err := TestHelper.GetPodNamesForDeployment(ctx, TestHelper.GetVizNamespace(), "linkerd-prometheus") if err != nil { testutil.AnnotatedFatalf(t, "failed to get pods for prometheus", "failed to get pods for prometheus: %s", err) @@ -56,7 +56,7 @@ func TestCliStatForLinkerdNamespace(t *testing.T) { } controllerPod := pods[0] - prometheusAuthority := "linkerd-prometheus." + TestHelper.GetLinkerdNamespace() + ".svc.cluster.local:9090" + prometheusAuthority := "linkerd-prometheus." + TestHelper.GetVizNamespace() + ".svc.cluster.local:9090" for _, tt := range []struct { args []string 
@@ -68,36 +68,41 @@ func TestCliStatForLinkerdNamespace(t *testing.T) { expectedRows: map[string]string{ "linkerd-controller": "1/1", "linkerd-destination": "1/1", - "linkerd-grafana": "1/1", "linkerd-identity": "1/1", - "linkerd-prometheus": "1/1", "linkerd-proxy-injector": "1/1", "linkerd-sp-validator": "1/1", - "linkerd-tap": "1/1", - "linkerd-web": "1/1", }, }, { - args: []string{"stat", fmt.Sprintf("po/%s", prometheusPod), "-n", TestHelper.GetLinkerdNamespace(), "--from", fmt.Sprintf("po/%s", controllerPod)}, + args: []string{"stat", "deploy", "-n", TestHelper.GetVizNamespace()}, + expectedRows: map[string]string{ + "linkerd-grafana": "1/1", + "linkerd-prometheus": "1/1", + "linkerd-tap": "1/1", + "linkerd-web": "1/1", + }, + }, + { + args: []string{"stat", fmt.Sprintf("po/%s", prometheusPod), "-n", TestHelper.GetVizNamespace(), "--from", fmt.Sprintf("po/%s", controllerPod), "--from-namespace", TestHelper.GetLinkerdNamespace()}, expectedRows: map[string]string{ prometheusPod: "1/1", }, status: "Running", }, { - args: []string{"stat", "deploy", "-n", TestHelper.GetLinkerdNamespace(), "--to", fmt.Sprintf("po/%s", prometheusPod)}, + args: []string{"stat", "deploy", "-n", TestHelper.GetLinkerdNamespace(), "--to", fmt.Sprintf("po/%s", prometheusPod), "--to-namespace", TestHelper.GetVizNamespace()}, expectedRows: map[string]string{ "linkerd-controller": "1/1", }, }, { - args: []string{"stat", "svc", "linkerd-prometheus", "-n", TestHelper.GetLinkerdNamespace(), "--from", "deploy/linkerd-controller"}, + args: []string{"stat", "svc", "linkerd-prometheus", "-n", TestHelper.GetVizNamespace(), "--from", "deploy/linkerd-controller", "--from-namespace", TestHelper.GetLinkerdNamespace()}, expectedRows: map[string]string{ "linkerd-prometheus": "1/1", }, }, { - args: []string{"stat", "deploy", "-n", TestHelper.GetLinkerdNamespace(), "--to", "svc/linkerd-prometheus"}, + args: []string{"stat", "deploy", "-n", TestHelper.GetLinkerdNamespace(), "--to", "svc/linkerd-prometheus", 
"--to-namespace", TestHelper.GetVizNamespace()}, expectedRows: map[string]string{ "linkerd-controller": "1/1", }, @@ -105,18 +110,24 @@ func TestCliStatForLinkerdNamespace(t *testing.T) { { args: []string{"stat", "ns", TestHelper.GetLinkerdNamespace()}, expectedRows: map[string]string{ - TestHelper.GetLinkerdNamespace(): "9/9", + TestHelper.GetLinkerdNamespace(): "5/5", }, }, { - args: []string{"stat", "po", "-n", TestHelper.GetLinkerdNamespace(), "--to", fmt.Sprintf("au/%s", prometheusAuthority)}, + args: []string{"stat", "ns", TestHelper.GetVizNamespace()}, + expectedRows: map[string]string{ + TestHelper.GetVizNamespace(): "4/4", + }, + }, + { + args: []string{"stat", "po", "-n", TestHelper.GetLinkerdNamespace(), "--to", fmt.Sprintf("au/%s", prometheusAuthority), "--to-namespace", TestHelper.GetVizNamespace()}, expectedRows: map[string]string{ controllerPod: "1/1", }, status: "Running", }, { - args: []string{"stat", "au", "-n", TestHelper.GetLinkerdNamespace(), "--to", fmt.Sprintf("po/%s", prometheusPod)}, + args: []string{"stat", "au", "-n", TestHelper.GetLinkerdNamespace(), "--to", fmt.Sprintf("po/%s", prometheusPod), "--to-namespace", TestHelper.GetVizNamespace()}, expectedRows: map[string]string{ prometheusAuthority: "-", }, diff --git a/test/integration/testdata/check.cni.golden b/test/integration/testdata/check.cni.golden index 9a2e25a09..0a2f3233a 100644 --- a/test/integration/testdata/check.cni.golden +++ b/test/integration/testdata/check.cni.golden @@ -54,8 +54,6 @@ linkerd-identity linkerd-webhooks-and-apisvc-tls ------------------------------- -√ tap API server has valid cert -√ tap API server cert is valid for at least 60 days √ proxy-injector webhook has valid cert √ proxy-injector cert is valid for at least 60 days √ sp-validator webhook has valid cert 
@@ -67,7 +65,6 @@ linkerd-api √ control plane self-check √ [kubernetes] control plane can talk to Kubernetes √ [prometheus] control plane can talk to Prometheus -√ tap api service is running linkerd-version --------------- @@ -79,16 +76,4 @@ control-plane-version √ control plane is up-to-date √ control plane and cli versions match -linkerd-prometheus ------------------- -√ prometheus add-on service account exists -√ prometheus add-on config map exists -√ prometheus pod is running - -linkerd-grafana ---------------- -√ grafana add-on service account exists -√ grafana add-on config map exists -√ grafana pod is running - Status check results are √ diff --git a/test/integration/testdata/check.cni.proxy.golden b/test/integration/testdata/check.cni.proxy.golden index 7edfbe683..c3d60a74e 100644 --- a/test/integration/testdata/check.cni.proxy.golden +++ b/test/integration/testdata/check.cni.proxy.golden @@ -54,8 +54,6 @@ linkerd-identity linkerd-webhooks-and-apisvc-tls ------------------------------- -√ tap API server has valid cert -√ tap API server cert is valid for at least 60 days √ proxy-injector webhook has valid cert √ proxy-injector cert is valid for at least 60 days √ sp-validator webhook has valid cert @@ -71,7 +69,6 @@ linkerd-api √ control plane self-check √ [kubernetes] control plane can talk to Kubernetes √ [prometheus] control plane can talk to Prometheus -√ tap api service is running linkerd-version --------------- 
@@ -82,20 +79,7 @@ linkerd-data-plane ------------------ √ data plane namespace exists √ data plane proxies are ready -√ data plane proxy metrics are present in Prometheus √ data plane is up-to-date √ data plane and cli versions match -linkerd-prometheus ------------------- -√ prometheus add-on service account exists -√ prometheus add-on config map exists -√ prometheus pod is running - -linkerd-grafana ---------------- -√ grafana add-on service account exists -√ grafana add-on config map exists -√ grafana pod is running - Status check results are √ diff --git a/test/integration/testdata/check.golden b/test/integration/testdata/check.golden index 1615f007e..912b24960 100644 --- a/test/integration/testdata/check.golden +++ b/test/integration/testdata/check.golden @@ -42,8 +42,6 @@ linkerd-identity linkerd-webhooks-and-apisvc-tls ------------------------------- -√ tap API server has valid cert -√ tap API server cert is valid for at least 60 days √ proxy-injector webhook has valid cert √ proxy-injector cert is valid for at least 60 days √ sp-validator webhook has valid cert @@ -55,7 +53,6 @@ linkerd-api √ control plane self-check √ [kubernetes] control plane can talk to Kubernetes √ [prometheus] control plane can talk to Prometheus -√ tap api service is running linkerd-version --------------- @@ -67,16 +64,4 @@ control-plane-version √ control plane is up-to-date √ control plane and cli versions match -linkerd-prometheus ------------------- -√ prometheus add-on service account exists -√ prometheus add-on config map exists -√ prometheus pod is running - -linkerd-grafana ---------------- -√ grafana add-on service account exists -√ grafana add-on config map exists -√ grafana pod is running - Status check results are √ diff --git a/test/integration/testdata/check.multicluster.proxy.golden b/test/integration/testdata/check.multicluster.proxy.golden index 2a9c529ed..60b51024b 100644 --- a/test/integration/testdata/check.multicluster.proxy.golden 
+++ b/test/integration/testdata/check.multicluster.proxy.golden @@ -42,8 +42,6 @@ linkerd-identity linkerd-webhooks-and-apisvc-tls ------------------------------- -√ tap API server has valid cert -√ tap API server cert is valid for at least 60 days √ proxy-injector webhook has valid cert √ proxy-injector cert is valid for at least 60 days √ sp-validator webhook has valid cert @@ -59,7 +57,6 @@ linkerd-api √ control plane self-check √ [kubernetes] control plane can talk to Kubernetes √ [prometheus] control plane can talk to Prometheus -√ tap api service is running linkerd-version --------------- @@ -70,22 +67,9 @@ linkerd-data-plane ------------------ √ data plane namespace exists √ data plane proxies are ready -√ data plane proxy metrics are present in Prometheus √ data plane is up-to-date √ data plane and cli versions match -linkerd-prometheus ------------------- -√ prometheus add-on service account exists -√ prometheus add-on config map exists -√ prometheus pod is running - -linkerd-grafana ---------------- -√ grafana add-on service account exists -√ grafana add-on config map exists -√ grafana pod is running - linkerd-multicluster -------------------- √ Link CRD exists diff --git a/test/integration/testdata/check.proxy.golden b/test/integration/testdata/check.proxy.golden index 62ca666df..3fc9f3dd4 100644 --- a/test/integration/testdata/check.proxy.golden +++ b/test/integration/testdata/check.proxy.golden @@ -42,8 +42,6 @@ linkerd-identity linkerd-webhooks-and-apisvc-tls ------------------------------- -√ tap API server has valid cert -√ tap API server cert is valid for at least 60 days √ proxy-injector webhook has valid cert √ proxy-injector cert is valid for at least 60 days √ sp-validator webhook has valid cert @@ -59,7 +57,6 @@ linkerd-api √ control plane self-check √ [kubernetes] control plane can talk to Kubernetes √ [prometheus] control plane can talk to Prometheus -√ tap api service is running linkerd-version --------------- 
@@ -70,20 +67,7 @@ linkerd-data-plane ------------------ √ data plane namespace exists √ data plane proxies are ready -√ data plane proxy metrics are present in Prometheus √ data plane is up-to-date √ data plane and cli versions match -linkerd-prometheus ------------------- -√ prometheus add-on service account exists -√ prometheus add-on config map exists -√ prometheus pod is running - -linkerd-grafana ---------------- -√ grafana add-on service account exists -√ grafana add-on config map exists -√ grafana pod is running - Status check results are √ diff --git a/test/integration/uninstall/uninstall_test.go b/test/integration/uninstall/uninstall_test.go index cf6ef624c..4b1e52aa8 100644 --- a/test/integration/uninstall/uninstall_test.go +++ b/test/integration/uninstall/uninstall_test.go @@ -38,6 +38,26 @@ func TestInstall(t *testing.T) { testutil.AnnotatedFatalf(t, "'kubectl apply' command failed", "'kubectl apply' command failed\n%s", out) } + + var ( + vizCmd = []string{"viz", "install"} + vizArgs = []string{ + "--set", fmt.Sprintf("namespace=%s", TestHelper.GetVizNamespace())} + ) + + // Install Linkerd Viz Extension + exec := append(vizCmd, vizArgs...) + out, err = TestHelper.LinkerdRun(exec...) + if err != nil { + testutil.AnnotatedFatal(t, "'linkerd viz install' command failed", err) + } + + out, err = TestHelper.KubectlApply(out, "") + if err != nil { + testutil.AnnotatedFatalf(t, "'kubectl apply' command failed", + "'kubectl apply' command failed\n%s", out) + } + } func TestResourcesPostInstall(t *testing.T) { 
@@ -50,15 +70,21 @@ func TestResourcesPostInstall(t *testing.T) { } // Tests Pods and Deployments - for deploy, spec := range testutil.LinkerdDeployReplicas { - if err := TestHelper.CheckPods(ctx, TestHelper.GetLinkerdNamespace(), deploy, spec.Replicas); err != nil { + + expectedDeployments := testutil.LinkerdDeployReplicasEdge + // Upgrade Case + if TestHelper.UpgradeHelmFromVersion() != "" { + expectedDeployments = testutil.LinkerdDeployReplicasStable + } + for deploy, spec := range expectedDeployments { + if err := TestHelper.CheckPods(ctx, spec.Namespace, deploy, spec.Replicas); err != nil { if rce, ok := err.(*testutil.RestartCountError); ok { testutil.AnnotatedWarn(t, "CheckPods timed-out", rce) } else { testutil.AnnotatedError(t, "CheckPods timed-out", err) } } - if err := TestHelper.CheckDeployment(ctx, TestHelper.GetLinkerdNamespace(), deploy, spec.Replicas); err != nil { + if err := TestHelper.CheckDeployment(ctx, spec.Namespace, deploy, spec.Replicas); err != nil { testutil.AnnotatedFatalf(t, "CheckDeployment timed-out", "Error validating deployment [%s]:\n%s", deploy, err) } } diff --git a/testutil/install.go b/testutil/install.go index 5ca6a9c3f..f776ab7bb 100644 --- a/testutil/install.go +++ b/testutil/install.go @@ -7,7 +7,7 @@ import ( ) // TestResourcesPostInstall tests resources post control plane installation -func TestResourcesPostInstall(namespace string, services []string, deploys map[string]DeploySpec, h *TestHelper, t *testing.T) { +func TestResourcesPostInstall(namespace string, services []Service, deploys map[string]DeploySpec, h *TestHelper, t *testing.T) { ctx := context.Background() // Tests Namespace err := h.CheckIfNamespaceExists(ctx, namespace) 
@@ -18,22 +18,22 @@ func TestResourcesPostInstall(namespace string, services []string, deploys map[s // Tests Services for _, svc := range services { - if err := h.CheckService(ctx, namespace, svc); err != nil { - AnnotatedErrorf(t, fmt.Sprintf("error validating service [%s]", svc), - "error validating service [%s]:\n%s", svc, err) + if err := h.CheckService(ctx, svc.Namespace, svc.Name); err != nil { + AnnotatedErrorf(t, fmt.Sprintf("error validating service [%s/%s]", svc.Namespace, svc.Name), + "error validating service [%s/%s]:\n%s", svc.Namespace, svc.Name, err) } } // Tests Pods and Deployments for deploy, spec := range deploys { - if err := h.CheckPods(ctx, namespace, deploy, spec.Replicas); err != nil { + if err := h.CheckPods(ctx, spec.Namespace, deploy, spec.Replicas); err != nil { if rce, ok := err.(*RestartCountError); ok { AnnotatedWarn(t, "CheckPods timed-out", rce) } else { AnnotatedFatal(t, "CheckPods timed-out", err) } } - if err := h.CheckDeployment(ctx, namespace, deploy, spec.Replicas); err != nil { + if err := h.CheckDeployment(ctx, spec.Namespace, deploy, spec.Replicas); err != nil { AnnotatedFatalf(t, "CheckDeployment timed-out", "Error validating deployment [%s]:\n%s", deploy, err) } } diff --git a/testutil/test_helper.go b/testutil/test_helper.go index 3e803b3dc..5fff66ff8 100644 --- a/testutil/test_helper.go +++ b/testutil/test_helper.go @@ -26,6 +26,7 @@ type TestHelper struct { linkerd string version string namespace string + vizNamespace string upgradeFromVersion string clusterDomain string externalIssuer bool @@ -43,6 +44,7 @@ type helm struct { path string chart string multiclusterChart string + vizChart string stableChart string releaseName string multiclusterReleaseName string 
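Review bot: After this hunk the `namespace` parameter of TestResourcesPostInstall is used only by the `CheckIfNamespaceExists` call shown in the previous hunk, because services and deployments are now looked up in `svc.Namespace` and `spec.Namespace`. As a result the viz namespace is never checked for existence, and a `Service` or `DeploySpec` whose Namespace is left empty passes an empty string to `CheckService`, `CheckPods` and `CheckDeployment` instead of the namespace the caller supplied. A fallback at the top of the deploy loop, `if spec.Namespace == "" { spec.Namespace = namespace }` (and the equivalent for `svc`), keeps existing callers working. The doc comment should also state that `namespace` is only verified to exist and serves as the default for entries without their own. The function starts before this hunk.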
@@ -51,22 +53,43 @@ type helm struct { // DeploySpec is used to hold information about what deploys we should verify during testing type DeploySpec struct { + Namespace string Replicas int Containers []string } -// LinkerdDeployReplicas is a map containing the number of replicas for each Deployment and the main +// Service is used to hold information about a Service we should verify during testing +type Service struct { + Namespace string + Name string +} + +// LinkerdDeployReplicasStable is a map containing the number of replicas for each Deployment and the main // container name -var LinkerdDeployReplicas = map[string]DeploySpec{ - "linkerd-controller": {1, []string{"public-api"}}, - "linkerd-destination": {1, []string{"destination"}}, - "linkerd-tap": {1, []string{"tap"}}, - "linkerd-grafana": {1, []string{}}, - "linkerd-identity": {1, []string{"identity"}}, - "linkerd-prometheus": {1, []string{}}, - "linkerd-sp-validator": {1, []string{"sp-validator"}}, - "linkerd-web": {1, []string{"web"}}, - "linkerd-proxy-injector": {1, []string{"proxy-injector"}}, +var LinkerdDeployReplicasStable = map[string]DeploySpec{ + "linkerd-controller": {"linkerd", 1, []string{"public-api"}}, + "linkerd-destination": {"linkerd", 1, []string{"destination"}}, + "linkerd-tap": {"linkerd", 1, []string{"tap"}}, + "linkerd-grafana": {"linkerd", 1, []string{}}, + "linkerd-identity": {"linkerd", 1, []string{"identity"}}, + "linkerd-prometheus": {"linkerd", 1, []string{}}, + "linkerd-sp-validator": {"linkerd", 1, []string{"sp-validator"}}, + "linkerd-web": {"linkerd", 1, []string{"web"}}, + "linkerd-proxy-injector": {"linkerd", 1, []string{"proxy-injector"}}, +} + +// LinkerdDeployReplicasEdge is a map containing the number of replicas for each Deployment and the main +// container name, in the current code-base +var LinkerdDeployReplicasEdge = map[string]DeploySpec{ + "linkerd-controller": {"linkerd", 1, []string{"public-api"}}, + "linkerd-destination": {"linkerd", 1, 
[]string{"destination"}}, + "linkerd-tap": {"linkerd-viz", 1, []string{"tap"}}, + "linkerd-grafana": {"linkerd-viz", 1, []string{}}, + "linkerd-identity": {"linkerd", 1, []string{"identity"}}, + "linkerd-prometheus": {"linkerd-viz", 1, []string{}}, + "linkerd-sp-validator": {"linkerd", 1, []string{"sp-validator"}}, + "linkerd-web": {"linkerd-viz", 1, []string{"web"}}, + "linkerd-proxy-injector": {"linkerd", 1, []string{"proxy-injector"}}, } // NewGenericTestHelper returns a new *TestHelper from the options provided as function parameters. @@ -77,6 +100,7 @@ func NewGenericTestHelper( linkerd, version, namespace, + vizNamespace, upgradeFromVersion, clusterDomain, helmPath, @@ -97,6 +121,7 @@ func NewGenericTestHelper( linkerd: linkerd, version: version, namespace: namespace, + vizNamespace: vizNamespace, upgradeFromVersion: upgradeFromVersion, helm: helm{ path: helmPath, @@ -121,7 +146,7 @@ func NewGenericTestHelper( // MulticlusterDeployReplicas is a map containing the number of replicas for each Deployment and the main // container name for multicluster components var MulticlusterDeployReplicas = map[string]DeploySpec{ - "linkerd-gateway": {1, []string{"nginx"}}, + "linkerd-gateway": {"linkerd-multicluster", 1, []string{"nginx"}}, } // NewTestHelper creates a new instance of TestHelper for the current test run. 
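Review bot: The `DeploySpec` literals in `LinkerdDeployReplicasStable`, `LinkerdDeployReplicasEdge` and (in the later hunk) `MulticlusterDeployReplicas` are positional, and this change inserts `Namespace` as the first field, shifting every position. Keyed fields would make each entry readable and would turn a future field reordering into a compile error instead of a silent mix-up, e.g. `"linkerd-tap": {Namespace: "linkerd-viz", Replicas: 1, Containers: []string{"tap"}},`. The comment on `LinkerdDeployReplicasStable` could also say that it describes the layout of the stable release the upgrade test starts from, since nothing in the name or comment currently distinguishes it from the Edge map beyond the suffix.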
@@ -135,10 +160,12 @@ func NewTestHelper() *TestHelper { k8sContext := flag.String("k8s-context", "", "kubernetes context associated with the test cluster") linkerd := flag.String("linkerd", "", "path to the linkerd binary to test") namespace := flag.String("linkerd-namespace", "linkerd", "the namespace where linkerd is installed") + vizNamespace := flag.String("viz-namespace", "linkerd-viz", "the namespace where linkerd viz extension is installed") multicluster := flag.Bool("multicluster", false, "when specified the multicluster install functionality is tested") helmPath := flag.String("helm-path", "target/helm", "path of the Helm binary") helmChart := flag.String("helm-chart", "charts/linkerd2", "path to linkerd2's Helm chart") multiclusterHelmChart := flag.String("multicluster-helm-chart", "charts/linkerd2-multicluster", "path to linkerd2's multicluster Helm chart") + vizHelmChart := flag.String("viz-helm-chart", "charts/linkerd-viz", "path to linkerd2's viz extension Helm chart") helmStableChart := flag.String("helm-stable-chart", "linkerd/linkerd2", "path to linkerd2's stable Helm chart") helmReleaseName := flag.String("helm-release", "", "install linkerd via Helm using this release name") multiclusterHelmReleaseName := flag.String("multicluster-helm-release", "", "install linkerd multicluster via Helm using this release name") @@ -180,12 +207,14 @@ func NewTestHelper() *TestHelper { testHelper := &TestHelper{ linkerd: *linkerd, namespace: *namespace, + vizNamespace: *vizNamespace, upgradeFromVersion: *upgradeFromVersion, multicluster: *multicluster, helm: helm{ path: *helmPath, chart: *helmChart, multiclusterChart: *multiclusterHelmChart, + vizChart: *vizHelmChart, stableChart: *helmStableChart, releaseName: *helmReleaseName, multiclusterReleaseName: *multiclusterHelmReleaseName, 
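Review bot: The default for the new `-viz-helm-chart` flag is `charts/linkerd-viz`, but the chart files this commit adds live under `viz/charts/linkerd-viz` (see the `.helmignore` and `Chart.yaml` sections later in the diff). A run that omits the flag would therefore hand `GetLinkerdVizHelmChart()` a path the commit does not create. The existing multicluster default uses the same short form, so this may be deliberate and always overridden by the test scripts; if not, the line would be `vizHelmChart := flag.String("viz-helm-chart", "viz/charts/linkerd-viz", "path to linkerd2's viz extension Helm chart")`. NewTestHelper's body continues outside this hunk.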
@@ -231,6 +260,12 @@ func (h *TestHelper) GetLinkerdNamespace() string { return h.namespace } +// GetVizNamespace returns the namespace where linkerd Viz Extension is installed. Set the +// namespace using the -linkerd-namespace command line flag. +func (h *TestHelper) GetVizNamespace() string { + return h.vizNamespace +} + // GetMulticlusterNamespace returns the namespace where multicluster // components are installed. func (h *TestHelper) GetMulticlusterNamespace() string { @@ -263,6 +298,11 @@ func (h *TestHelper) GetMulticlusterHelmChart() string { return h.helm.multiclusterChart } +// GetLinkerdVizHelmChart returns the path to the Linkerd viz Helm chart +func (h *TestHelper) GetLinkerdVizHelmChart() string { + return h.helm.vizChart +} + // GetHelmStableChart returns the path to the Linkerd Helm stable chart func (h *TestHelper) GetHelmStableChart() string { return h.helm.stableChart @@ -436,6 +476,18 @@ func (h *TestHelper) HelmInstall(chart string, arg ...string) (string, string, e return combinedOutput("", h.helm.path, withParams...) } +// HelmInstallPlain runs the helm install subcommand, with the provided arguments and no defaults +func (h *TestHelper) HelmInstallPlain(chart string, releaseName string, arg ...string) (string, string, error) { + withParams := append([]string{ + "install", + releaseName, + chart, + "--kube-context", h.k8sContext, + }, arg...) + + return combinedOutput("", h.helm.path, withParams...) +} + // HelmInstallMulticluster runs the helm install subcommand for multicluster, with the provided arguments func (h *TestHelper) HelmInstallMulticluster(chart string, arg ...string) (string, string, error) { withParams := append([]string{ diff --git a/charts/add-ons/grafana/.helmignore b/viz/charts/linkerd-viz/.helmignore similarity index 97% rename from charts/add-ons/grafana/.helmignore rename to viz/charts/linkerd-viz/.helmignore index 50af03172..79c90a806 100644 --- a/charts/add-ons/grafana/.helmignore 
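Review bot: The doc comment on GetVizNamespace names the wrong flag: it says the namespace is set with `-linkerd-namespace`, but the value comes from the `-viz-namespace` flag registered in NewTestHelper. Someone following the comment would move the core control plane and leave the viz namespace at its default. Suggested wording: `// GetVizNamespace returns the namespace where the Linkerd Viz extension is installed. Set the namespace using the -viz-namespace command line flag.`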
+++ b/viz/charts/linkerd-viz/.helmignore @@ -2,6 +2,7 @@ # This supports shell glob matching, relative path matching, and # negation (prefixed with !). Only one pattern per line. .DS_Store +OWNERS # Common VCS dirs .git/ .gitignore @@ -19,4 +20,3 @@ .project .idea/ *.tmproj -.vscode/ diff --git a/viz/charts/linkerd-viz/Chart.yaml b/viz/charts/linkerd-viz/Chart.yaml new file mode 100644 index 000000000..e7490b329 --- /dev/null +++ b/viz/charts/linkerd-viz/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: "v1" +# this version will be updated by the CI before publishing the Helm tarball +appVersion: edge-XX.X.X +description: | + Linkerd Viz extension contains the observability and visualization + components that can be integrated directly. +home: https://linkerd.io +keywords: +- service-mesh +kubeVersion: ">=1.13.0-0" +name: "linkerd-viz" +sources: +- https://github.com/linkerd/linkerd2/ +# this version will be updated by the CI before publishing the Helm tarball +version: 0.1.0 +icon: https://linkerd.io/images/logo-only-200h.png +maintainers: + - name: Linkerd authors + email: cncf-linkerd-dev@lists.cncf.io + url: https://linkerd.io/ diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md new file mode 100644 index 000000000..e58a8b3cb --- /dev/null +++ b/viz/charts/linkerd-viz/README.md 
@@ -0,0 +1,135 @@ +# linkerd-viz + +Linkerd Viz extension contains the observability and visualization +components that can be integrated directly. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes 1.13+ cluster in a matter of seconds. See +the [Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: Linkerd Core Control-Plane + +Before installing the Linkerd Viz extension, The core control-plane has to +be installed first by following the [Linkerd Install +Guide](https://linkerd.io/2/tasks/install/). + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd2 stable releases: +helm repo add linkerd https://helm.linkerd.io/stable +# To add the repo for Linkerd2 edge releases: +helm repo add linkerd-edge https://helm.linkerd.io/edge +``` + +The following instructions use the `linkerd` repo. For installing an edge +release, just replace with `linkerd-edge`. + +## Installing the Viz Extension Chart + +```bash +helm install linkerd/linkerd-viz +``` + +## Get involved + +* Check out Linkerd's source code at [Github][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. 
+ +[cncf]: https://www.cncf.io/ +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Requirements + +Kubernetes: `>=1.13.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../../../charts/partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | +| createdByAnnotation | string | `"linkerd.io/created-by"` | | +| dashboard.UID | int | `2103` | | +| dashboard.enforcedHostRegexp | string | `""` | Host header validation regex for the dashboard. See the [Linkerd documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more information | +| dashboard.image.name | string | `"ghcr.io/linkerd/web"` | Docker image name for the web instance | +| dashboard.image.tag | string | `"linkerdVersionValue"` | Docker image tag for the web instance | +| dashboard.logLevel | string | `"info"` | log level of the dashboard component | +| dashboard.replicas | int | `1` | Number of replicas of dashboard | +| dashboard.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the web container can use | +| dashboard.resources.cpu.request | string | `nil` | Amount of CPU units that the web container requests | +| dashboard.resources.memory.limit | string | `nil` | Maximum amount of memory that web container can use | +| dashboard.resources.memory.request | string | `nil` | Amount of memory that the web container requests | +| dashboard.restrictPrivileges | bool | `false` | Restrict the Linkerd Dashboard's default privileges to 
disallow Tap and Check | +| extensionAnnotation | string | `"linkerd.io/extension"` | | +| globalLogLevel | string | `"info"` | Log level for all the viz components | +| globalUID | int | `2103` | UID for all the viz components | +| grafana.enabled | bool | `true` | toggle field to enable or disable grafana | +| grafana.image.name | string | `"ghcr.io/linkerd/grafana"` | Docker image name for the grafana instance | +| grafana.image.tag | string | `"linkerdVersionValue"` | Docker image tag for the grafana instance | +| grafana.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the grafana container can use | +| grafana.resources.cpu.request | string | `nil` | Amount of CPU units that the grafana container requests | +| grafana.resources.memory.limit | string | `nil` | Maximum amount of memory that grafana container can use | +| grafana.resources.memory.request | string | `nil` | Amount of memory that the grafana container requests | +| identityTrustDomain | string | `"cluster.local"` | Trust domain used for identity | +| imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | +| linkerdNamespace | string | `"linkerd"` | Namespace of the Linkerd core control-plane install | +| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | +| namespace | string | `"linkerd-viz"` | Namespace in which the Linkerd Viz extension has to be installed | +| nodeSelector | object | `{"beta.kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | +| prometheus.alertManagers | string | `nil` | Alertmanager instances the Prometheus server sends alerts to configured via the static_configs parameter. 
| +| prometheus.alertRelabelConfigs | string | `nil` | Alert relabeling is applied to alerts before they are sent to the Alertmanager. | +| prometheus.args | object | `{"config.file":"/etc/prometheus/prometheus.yml","log.level":"info","storage.tsdb.path":"/data","storage.tsdb.retention.time":"6h"}` | Command line options for Prometheus binary | +| prometheus.enabled | bool | `true` | toggle field to enable or disable prometheus | +| prometheus.globalConfig | object | `{"evaluation_interval":"10s","scrape_interval":"10s","scrape_timeout":"10s"}` | The global configuration specifies parameters that are valid in all other configuration contexts. | +| prometheus.image.name | string | `"prom/prometheus"` | Docker image name for the prometheus instance | +| prometheus.image.pullPolicy | string | `"Always"` | | +| prometheus.image.tag | string | `"v2.19.3"` | Docker image tag for the prometheus instance | +| prometheus.remoteWrite | string | `nil` | Allows transparently sending samples to an endpoint. Mostly used for long term storage. | +| prometheus.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the prometheus container can use | +| prometheus.resources.cpu.request | string | `nil` | Amount of CPU units that the prometheus container requests | +| prometheus.resources.memory.limit | string | `nil` | Maximum amount of memory that prometheus container can use | +| prometheus.resources.memory.request | string | `nil` | Amount of memory that the prometheus container requests | +| prometheus.ruleConfigMapMounts | string | `nil` | Alerting/recording rule ConfigMap mounts (sub-path names must end in ´_rules.yml´ or ´_rules.yaml´) | +| prometheus.scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. | +| prometheus.sideCarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. 
to export data to non-prometheus systems | +| proxyInjectAnnotation | string | `"linkerd.io/inject"` | | +| tap.UID | int | `2103` | | +| tap.caBundle | string | `""` | Bundle of CA certificates for Tap component. If not provided then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to true, this value must be set, as no certificate will be generated. | +| tap.crtPEM | string | `""` | Certificate for the Tap component. If not provided then Helm will generate one. | +| tap.externalSecret | bool | `false` | Do not create a secret resource for the Tap component. If this is set to `true`, the value `tap.caBundle` must be set (see below). | +| tap.image.name | string | `"ghcr.io/linkerd/controller"` | Docker image name for the grafana instance | +| tap.image.tag | string | `"linkerdVersionValue"` | Docker image tag for the grafana instance | +| tap.keyPEM | string | `""` | Certificate key for Tap component. If not provided then Helm will generate one. | +| tap.logLevel | string | `"info"` | log level of the tap component | +| tap.replicas | int | `1` | | +| tap.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the tap container can use | +| tap.resources.cpu.request | string | `nil` | Amount of CPU units that the tap container requests | +| tap.resources.memory.limit | string | `nil` | Maximum amount of memory that tap container can use | +| tap.resources.memory.request | string | `nil` | Amount of memory that the tap container requests | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/viz/charts/linkerd-viz/README.md.gotmpl b/viz/charts/linkerd-viz/README.md.gotmpl new file mode 100644 index 000000000..1c129ed26 --- /dev/null +++ b/viz/charts/linkerd-viz/README.md.gotmpl 
@@ -0,0 +1,64 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes 1.13+ cluster in a matter of seconds. See +the [Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: Linkerd Core Control-Plane + +Before installing the Linkerd Viz extension, The core control-plane has to +be installed first by following the [Linkerd Install +Guide](https://linkerd.io/2/tasks/install/). + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd2 stable releases: +helm repo add linkerd https://helm.linkerd.io/stable +# To add the repo for Linkerd2 edge releases: +helm repo add linkerd-edge https://helm.linkerd.io/edge +``` + +The following instructions use the `linkerd` repo. For installing an edge +release, just replace with `linkerd-edge`. + +## Installing the Viz Extension Chart + +```bash +helm install linkerd/linkerd-viz +``` + +## Get involved + +* Check out Linkerd's source code at [Github][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. 
+ +[cncf]: https://www.cncf.io/ +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/viz/charts/linkerd-viz/requirements.lock b/viz/charts/linkerd-viz/requirements.lock new file mode 100644 index 000000000..3187cab42 --- /dev/null +++ b/viz/charts/linkerd-viz/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../../../charts/partials + version: 0.1.0 +digest: sha256:e2c1d0d581afb33df46411df7a89fca2628328fc7bd0975167e7812bf128e27f +generated: "2020-12-07T13:36:20.311112349Z" diff --git a/viz/charts/linkerd-viz/requirements.yaml b/viz/charts/linkerd-viz/requirements.yaml new file mode 100644 index 000000000..585d71bbc --- /dev/null +++ b/viz/charts/linkerd-viz/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: +- name: partials + version: 0.1.0 + repository: file://../../../charts/partials diff --git a/viz/charts/linkerd-viz/templates/grafana-rbac.yaml b/viz/charts/linkerd-viz/templates/grafana-rbac.yaml new file mode 100644 index 000000000..db4b694ab --- /dev/null +++ b/viz/charts/linkerd-viz/templates/grafana-rbac.yaml @@ -0,0 +1,17 @@ +{{ if .Values.grafana.enabled -}} +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: grafana + namespace: {{.Values.namespace}} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +{{ end -}} 
diff --git a/viz/charts/linkerd-viz/templates/grafana.yaml b/viz/charts/linkerd-viz/templates/grafana.yaml new file mode 100644 index 000000000..391b2814d --- /dev/null +++ b/viz/charts/linkerd-viz/templates/grafana.yaml 
@@ -0,0 +1,170 @@ +{{ if .Values.grafana.enabled -}} +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: grafana + namespace: {{.Values.namespace}} + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} +data: + grafana.ini: |- + instance_name = linkerd-grafana + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + [auth] + disable_login_form = true + [auth.anonymous] + enabled = true + org_role = Editor + [auth.basic] + enabled = false + [analytics] + check_for_updates = false + [panels] + disable_sanitize_html = true + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + {{- if .Values.prometheusUrl }} + url: {{.Values.prometheusUrl}} + {{- else }} + url: http://linkerd-prometheus.{{.Values.namespace}}.svc.{{.Values.clusterDomain}}:9090 + {{- end }} + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: grafana + namespace: {{.Values.namespace}} + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} +spec: + type: ClusterIP + selector: + {{.Values.extensionAnnotation}}: linkerd-viz + component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}} + component: grafana + namespace: {{.Values.namespace}} + name: linkerd-grafana + namespace: {{.Values.namespace}} +spec: + replicas: 1 + selector: + matchLabels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: grafana + namespace: {{.Values.namespace}} + template: + metadata: + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: grafana + namespace: {{.Values.namespace}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . 
| nindent 6 }} + containers: + - env: + - name: GF_PATHS_DATA + value: /data + # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments + # see https://github.com/grafana/grafana/issues/20096 + - name: GODEBUG + value: netdns=go + image: {{.Values.grafana.image.name}}:{{ default (default .Values.linkerdVersion .Values.controllerImageVersion) .Values.grafana.image.tag}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + {{- if .Values.grafana.resources -}} + {{- include "partials.resources" .Values.grafana.resources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config +{{ end -}} diff --git a/viz/charts/linkerd-viz/templates/namespace.yaml b/viz/charts/linkerd-viz/templates/namespace.yaml new file mode 100644 index 000000000..f436f5d33 --- /dev/null +++ b/viz/charts/linkerd-viz/templates/namespace.yaml @@ -0,0 +1,13 @@ +--- +### +### Linkerd Viz Extension Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + annotations: + {{.Values.proxyInjectAnnotation}}: enabled diff --git a/viz/charts/linkerd-viz/templates/prometheus-rbac.yaml b/viz/charts/linkerd-viz/templates/prometheus-rbac.yaml new file mode 100644 index 000000000..4bd8efd13 --- /dev/null 
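Review bot: The `grafana.ini` in the ConfigMap combines `[auth.anonymous] enabled = true` with `org_role = Editor` and `[panels] disable_sanitize_html = true`. Any client that can reach the linkerd-grafana Service can therefore save dashboard changes without logging in, and panel HTML is rendered unsanitized for whoever views them next. Unless a bundled dashboard really needs editing or raw HTML, I would set `org_role = Viewer` and drop the `disable_sanitize_html = true` line. If either setting has to stay, a comment in the ConfigMap should say which dashboard depends on it. The container's `securityContext` also sets only `runAsUser: 472`, whereas the prometheus Deployment sets `runAsNonRoot` and `runAsGroup` as well.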
+++ b/viz/charts/linkerd-viz/templates/prometheus-rbac.yaml @@ -0,0 +1,45 @@ +{{ if .Values.prometheus.enabled -}} +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Values.namespace}}-prometheus + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Values.namespace}}-prometheus + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Values.namespace}}-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: {{.Values.namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus + namespace: {{.Values.namespace}} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +{{ end -}} diff --git a/charts/add-ons/prometheus/templates/prometheus.yaml b/viz/charts/linkerd-viz/templates/prometheus.yaml similarity index 59% rename from charts/add-ons/prometheus/templates/prometheus.yaml rename to viz/charts/linkerd-viz/templates/prometheus.yaml index f9b4f9ddd..aab1cc3b1 100644 --- a/charts/add-ons/prometheus/templates/prometheus.yaml +++ b/viz/charts/linkerd-viz/templates/prometheus.yaml @@ -1,3 +1,4 @@ +{{ if .Values.prometheus.enabled -}} --- ### ### Prometheus 
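Review bot: The ClusterRole in prometheus-rbac.yaml grants `get`, `list` and `watch` on `nodes/proxy` cluster-wide with no comment explaining why. `nodes/proxy` is considerably broader than pod discovery, because it allows reads of the kubelet API on every node through the API server proxy. It is presumably needed only for the `kubernetes-nodes-cadvisor` scrape job, so I would add a comment above the rule such as `# nodes/proxy: required by the kubernetes-nodes-cadvisor scrape job; remove together with that job`. It would also help to document that users who bring their own Prometheus (`prometheus.enabled: false`) do not get this binding.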
@@ -7,17 +8,18 @@ kind: ConfigMap apiVersion: v1 metadata: name: linkerd-prometheus-config - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} labels: - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus + namespace: {{.Values.namespace}} annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} data: prometheus.yml: |- global: - {{- if .Values.globalConfig -}} - {{- toYaml .Values.globalConfig | trim | nindent 6 }} + {{- if .Values.prometheus.globalConfig -}} + {{- toYaml .Values.prometheus.globalConfig | trim | nindent 6 }} {{- end}} rule_files: @@ -29,16 +31,18 @@ data: static_configs: - targets: ['localhost:9090'] + {{ if .Values.grafana.enabled -}} - job_name: 'grafana' kubernetes_sd_configs: - role: pod namespaces: - names: ['{{.Values.global.namespace}}'] + names: ['{{.Values.namespace}}'] relabel_configs: - source_labels: - __meta_kubernetes_pod_container_name action: keep regex: ^grafana$ + {{- end }} # Required for: https://grafana.com/grafana/dashboards/315 - job_name: 'kubernetes-nodes-cadvisor' @@ -70,7 +74,7 @@ data: kubernetes_sd_configs: - role: pod namespaces: - names: ['{{.Values.global.namespace}}'] + names: ['{{.Values.linkerdNamespace}}'] relabel_configs: - source_labels: - __meta_kubernetes_pod_label_linkerd_io_control_plane_component 
@@ -103,7 +107,7 @@ data: - __meta_kubernetes_pod_container_port_name - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns action: keep - regex: ^{{default .Values.global.proxyContainerName "linkerd-proxy" .Values.global.proxyContainerName}};linkerd-admin;{{.Values.global.namespace}}$ + regex: ^{{default .Values.proxyContainerName "linkerd-proxy" .Values.proxyContainerName}};linkerd-admin;{{.Values.linkerdNamespace}}$ - source_labels: [__meta_kubernetes_namespace] action: replace target_label: namespace 
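Review bot: The rewritten `regex:` line still passes three arguments to `default`: `{{default .Values.proxyContainerName "linkerd-proxy" .Values.proxyContainerName}}`. As far as I can tell, Sprig's `default` returns its second argument whenever that is non-empty, so this always renders `linkerd-proxy` and the value is never honoured. With a renamed proxy container the `keep` rule would silently drop every proxy target and the metrics would simply be missing. Since the line is being touched anyway, I would write `{{default "linkerd-proxy" .Values.proxyContainerName}}`.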
@@ -146,86 +150,83 @@ data: - action: labelmap regex: __tmp_pod_label_(.+) - {{- if .Values.scrapeConfigs }} - {{- toYaml .Values.scrapeConfigs | trim | nindent 4 }} + {{- if .Values.prometheus.scrapeConfigs }} + {{- toYaml .Values.prometheus.scrapeConfigs | trim | nindent 4 }} {{- end }} - {{- if (or .Values.alertManagers .Values.alertRelabelConfigs) }} + {{- if (or .Values.prometheus.alertManagers .Values.prometheus.alertRelabelConfigs) }} alerting: alert_relabel_configs: - {{- if .Values.alertRelabelConfigs }} - {{- toYaml .Values.alertRelabelConfigs | trim | nindent 6 }} + {{- if .Values.prometheus.alertRelabelConfigs }} + {{- toYaml .Values.prometheus.alertRelabelConfigs | trim | nindent 6 }} {{- end }} alertmanagers: - {{- if .Values.alertManagers }} - {{- toYaml .Values.alertManagers | trim | nindent 6 }} + {{- if .Values.prometheus.alertManagers }} + {{- toYaml .Values.prometheus.alertManagers | trim | nindent 6 }} {{- end }} {{- end }} - {{- if .Values.remoteWrite }} + {{- if .Values.prometheus.remoteWrite }} remote_write: - {{- toYaml .Values.remoteWrite | trim | nindent 4 }} + {{- toYaml .Values.prometheus.remoteWrite | trim | nindent 4 }} {{- end }} --- kind: Service apiVersion: v1 metadata: name: linkerd-prometheus - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} labels: - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus + namespace: {{.Values.namespace}} annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} spec: type: ClusterIP selector: - {{.Values.global.controllerComponentLabel}}: prometheus + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus 
ports: - name: admin-http port: 9090 targetPort: 9090 --- -{{- $tree := deepCopy . }} -{{ $_ := set $tree.Values.global.proxy "workloadKind" "deployment" -}} -{{ $_ := set $tree.Values.global.proxy "component" "linkerd-prometheus" -}} -{{ include "linkerd.proxy.validation" .Values.global.proxy -}} apiVersion: apps/v1 kind: Deployment metadata: annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} labels: + {{.Values.extensionAnnotation}}: linkerd-viz app.kubernetes.io/name: prometheus app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: {{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}} + component: prometheus + namespace: {{.Values.namespace}} name: linkerd-prometheus - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} spec: replicas: 1 - {{- if .Values.persistence }} + {{- if .Values.prometheus.persistence }} strategy: type: Recreate {{- end }} selector: matchLabels: - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 6}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus + namespace: {{.Values.namespace}} template: metadata: annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} - {{- include "partials.proxy.annotations" .Values.global.proxy| nindent 8}} - {{- with .Values.global.podAnnotations }}{{ 
toYaml . | trim | nindent 8 }}{{- end }} + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} + {{- with .Values.podAnnotations }}{{ . | trim | nindent 8 }}{{- end }} labels: - {{.Values.global.controllerComponentLabel}}: prometheus - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} - {{.Values.global.workloadNamespaceLabel}}: {{.Values.global.namespace}} - {{- include "partials.proxy.labels" $tree.Values.global.proxy | nindent 8}} - {{- with .Values.global.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + {{.Values.extensionAnnotation}}: linkerd-viz + component: prometheus + namespace: {{.Values.namespace}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} spec: {{- if .Values.tolerations -}} {{- include "linkerd.tolerations" . | nindent 6 }} @@ -234,15 +235,15 @@ spec: securityContext: fsGroup: 65534 containers: - {{- if .Values.sidecarContainers -}} - {{- toYaml .Values.sidecarContainers | trim | nindent 6 }} + {{- if .Values.prometheus.sidecarContainers -}} + {{- toYaml .Values.prometheus.sidecarContainers | trim | nindent 6 }} {{- end}} - args: - {{- range $key, $value := .Values.args}} + {{- range $key, $value := .Values.prometheus.args}} - --{{ $key }}{{ if $value }}={{ $value }}{{ end }} {{- end }} - image: {{.Values.image}} - imagePullPolicy: {{.Values.global.imagePullPolicy}} + image: {{.Values.prometheus.image.name}}:{{.Values.prometheus.image.tag}} + imagePullPolicy: {{.Values.prometheus.imagepullPolicy}} livenessProbe: httpGet: path: /-/healthy 
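Review bot: The new pod-template annotations line drops `toYaml`: `{{- with .Values.podAnnotations }}{{ . | trim | nindent 8 }}{{- end }}` pipes the annotations map straight into `trim`, which expects a string. Setting `podAnnotations` would therefore fail to render or emit Go's map formatting instead of YAML. The `podLabels` line just below and the grafana template both keep `toYaml`, so this looks accidental. It should read `{{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}`.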
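Review bot: Two value paths in the container spec do not match the keys listed in the chart README's values table, and Helm value keys are case-sensitive. `imagePullPolicy: {{.Values.prometheus.imagepullPolicy}}` reads a key that is not documented (the table has `prometheus.image.pullPolicy`), so the field renders empty and the documented `Always` default is not applied. Likewise `.Values.prometheus.sidecarContainers` is listed as `prometheus.sideCarContainers`, so sidecars configured under the documented key would be ignored. I would use `imagePullPolicy: {{.Values.prometheus.image.pullPolicy}}` and settle on one spelling for the sidecar key in both the template and values.yaml (values.yaml is not visible here, so please confirm against it).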
@@ -259,15 +260,15 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 - {{- if .Values.resources -}} - {{- include "partials.resources" .Values.resources | nindent 8 }} + {{- if .Values.prometheus.resources -}} + {{- include "partials.resources" .Values.prometheus.resources | nindent 8 }} {{- end }} securityContext: runAsNonRoot: true runAsUser: 65534 runAsGroup: 65534 volumeMounts: - {{- range .Values.ruleConfigMapMounts }} + {{- range .Values.prometheus.ruleConfigMapMounts }} - name: {{ .name }} mountPath: /etc/prometheus/{{ .subPath }} subPath: {{ .subPath }} @@ -279,26 +280,15 @@ spec: name: prometheus-config subPath: prometheus.yml readOnly: true - {{- if not (empty .Values.proxy) }} - {{- if not (empty .Values.proxy.resources) }} - {{- $r := merge .Values.proxy.resources .Values.global.proxy.resources }} - {{- $_ := set $tree.Values.global.proxy "resources" $r }} - {{- end }} - {{- end }} - - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} - {{ if not .Values.global.cniEnabled -}} - initContainers: - - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} serviceAccountName: linkerd-prometheus volumes: - {{- range .Values.ruleConfigMapMounts }} + {{- range .Values.prometheus.ruleConfigMapMounts }} - name: {{ .name }} configMap: name: {{ .configMap }} {{- end }} - name: data - {{- if .Values.persistence }} + {{- if .Values.prometheus.persistence }} persistentVolumeClaim: claimName: linkerd-prometheus {{- else }} 
@@ -307,29 +297,27 @@ spec: - configMap: name: linkerd-prometheus-config name: prometheus-config - {{ if not .Values.global.cniEnabled -}} - - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} - {{ end -}} - - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} -{{- if .Values.persistence }} +{{- if .Values.prometheus.persistence }} --- kind: PersistentVolumeClaim apiVersion: v1 metadata: labels: + {{.Values.extensionAnnotation}}: linkerd-viz app.kubernetes.io/name: prometheus app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: {{default .Values.global.linkerdVersion .Values.global.controllerImageVersion}} - {{.Values.global.controllerComponentLabel}}: prometheus + app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}} + component: prometheus name: linkerd-prometheus - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} spec: accessModes: - - {{ .Values.persistence.accessMode | quote }} + - {{ .Values.prometheus.persistence.accessMode | quote }} resources: requests: - storage: {{ .Values.persistence.size | quote }} -{{- if .Values.persistence.storageClass }} - storageClassName: "{{ .Values.persistence.storageClass }}" + storage: {{ .Values.prometheus.persistence.size | quote }} +{{- if .Values.prometheus.persistence.storageClass }} + storageClassName: "{{ .Values.prometheus.persistence.storageClass }}" {{- end }} {{- end }} +{{ end -}} diff --git a/viz/charts/linkerd-viz/templates/psp.yaml b/viz/charts/linkerd-viz/templates/psp.yaml new file mode 100644 index 000000000..4d8d6b450 --- /dev/null +++ b/viz/charts/linkerd-viz/templates/psp.yaml 
@@ -0,0 +1,30 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-viz-psp + namespace: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + namespace: {{.Values.namespace}} +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: {{.Values.namespace}} +- kind: ServiceAccount + name: linkerd-web + namespace: {{.Values.namespace}} +{{ if .Values.grafana.enabled -}} +- kind: ServiceAccount + name: linkerd-grafana + namespace: {{.Values.namespace}} +{{ end -}} +{{ if .Values.prometheus.enabled -}} +- kind: ServiceAccount + name: linkerd-prometheus + namespace: {{.Values.namespace}} +{{ end -}} diff --git a/charts/linkerd2/templates/tap-rbac.yaml b/viz/charts/linkerd-viz/templates/tap-rbac.yaml similarity index 56% rename from charts/linkerd2/templates/tap-rbac.yaml rename to viz/charts/linkerd-viz/templates/tap-rbac.yaml index 5a7cf6263..26ebc2ad1 100644 --- a/charts/linkerd2/templates/tap-rbac.yaml +++ b/viz/charts/linkerd-viz/templates/tap-rbac.yaml @@ -6,10 +6,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: linkerd-{{.Values.global.namespace}}-tap + name: linkerd-{{.Values.namespace}}-tap labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap rules: - apiGroups: [""] resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] 
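Review bot: The `roleRef` in psp.yaml names a Role `linkerd-psp`, but a RoleBinding can only reference a Role in its own namespace, and this binding lives in `{{.Values.namespace}}` (default `linkerd-viz`) while the new file defines no Role. Unless another template creates `linkerd-psp` in the viz namespace — none of the viz templates visible in this diff does — the binding dangles and the four service accounts get no PodSecurityPolicy `use` grant. On a cluster that enforces PSP that would presumably keep the viz pods from being admitted. Either ship a namespaced Role (and the policy it grants) in this file, or reference a cluster-scoped role with `kind: ClusterRole`.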
@@ -24,10 +24,10 @@ rules: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: linkerd-{{.Values.global.namespace}}-tap-admin + name: linkerd-{{.Values.namespace}}-tap-admin labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap rules: - apiGroups: ["tap.linkerd.io"] resources: ["*"] @@ -36,26 +36,26 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: linkerd-{{.Values.global.namespace}}-tap + name: linkerd-{{.Values.namespace}}-tap labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: linkerd-{{.Values.global.namespace}}-tap + name: linkerd-{{.Values.namespace}}-tap subjects: - kind: ServiceAccount name: linkerd-tap - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: linkerd-{{.Values.global.namespace}}-tap-auth-delegator + name: linkerd-{{.Values.namespace}}-tap-auth-delegator labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
@@ -63,26 +63,28 @@ roleRef: subjects: - kind: ServiceAccount name: linkerd-tap - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-tap - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap + namespace: {{.Values.namespace}} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: linkerd-{{.Values.global.namespace}}-tap-auth-reader + name: linkerd-{{.Values.namespace}}-tap-auth-reader namespace: kube-system labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap + namespace: {{.Values.namespace}} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
@@ -90,21 +92,22 @@ roleRef: subjects: - kind: ServiceAccount name: linkerd-tap - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} --- -{{- $host := printf "linkerd-tap.%s.svc" .Values.global.namespace }} +{{- $host := printf "linkerd-tap.%s.svc" .Values.namespace }} {{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} {{- if (not .Values.tap.externalSecret) }} kind: Secret apiVersion: v1 metadata: name: linkerd-tap-k8s-tls - namespace: {{ .Values.global.namespace }} + namespace: {{ .Values.namespace }} labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap + namespace: {{.Values.namespace}} annotations: - {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} type: kubernetes.io/tls data: tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tap.crtPEM)) (empty .Values.tap.crtPEM) }} @@ -116,8 +119,8 @@ kind: APIService metadata: name: v1alpha1.tap.linkerd.io labels: - {{.Values.global.controllerComponentLabel}}: tap - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap spec: group: tap.linkerd.io version: v1alpha1 @@ -125,7 +128,7 @@ spec: versionPriority: 100 service: name: linkerd-tap - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} {{- if and (.Values.tap.externalSecret) (empty .Values.tap.caBundle) }} {{- fail "If tap.externalSecret is true then you need to provide tap.caBundle" }} {{- end }} diff --git a/viz/charts/linkerd-viz/templates/tap.yaml b/viz/charts/linkerd-viz/templates/tap.yaml new file mode 100644 index 000000000..cbca18e07 --- /dev/null 
+++ b/viz/charts/linkerd-viz/templates/tap.yaml 
@@ -0,0 +1,118 @@ +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap + namespace: {{.Values.namespace}} + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} +spec: + type: ClusterIP + selector: + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 + - name: apiserver + port: 443 + targetPort: apiserver +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + app.kubernetes.io/name: tap + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}} + component: tap + namespace: {{.Values.namespace}} + name: linkerd-tap + namespace: {{.Values.namespace}} +spec: + replicas: {{.Values.tap.replicas}} + selector: + matchLabels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap + namespace: {{.Values.namespace}} + {{- if .Values.enablePodAntiAffinity }} + strategy: + rollingUpdate: + maxUnavailable: 1 + {{- end }} + template: + metadata: + annotations: + {{- if empty .Values.cliVersion }} + checksum/config: {{ include (print $.Template.BasePath "/tap-rbac.yaml") . | sha256sum }} + {{- end }} + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: tap + namespace: {{.Values.namespace}} + {{- with .Values.podLabels }}{{ toYaml . 
| trim | nindent 8 }}{{- end }} + spec: + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- if .Values.enablePodAntiAffinity -}} + {{- $local := dict "component" "tap" "label" .Values.controllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - tap + - -controller-namespace={{.Values.linkerdNamespace}} + - -log-level={{.Values.tap.logLevel}} + - -identity-trust-domain={{.Values.identityTrustDomain}} + image: {{.Values.tap.image.name}}:{{ default (default .Values.linkerdVersion .Values.controllerImageVersion) .Values.tap.image.tag}} + imagePullPolicy: {{.Values.tap.image.pullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 8089 + name: apiserver + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + {{- if .Values.tapResources -}} + {{- include "partials.resources" .Values.tapResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.Values.tap.UID}} + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + serviceAccountName: linkerd-tap + volumes: + - name: tls + secret: + secretName: linkerd-tap-k8s-tls + diff --git a/charts/linkerd2/templates/web-rbac.yaml b/viz/charts/linkerd-viz/templates/web-rbac.yaml similarity index 56% rename from charts/linkerd2/templates/web-rbac.yaml rename to viz/charts/linkerd-viz/templates/web-rbac.yaml index 30b986762..16227e452 100644 --- a/charts/linkerd2/templates/web-rbac.yaml +++ b/viz/charts/linkerd-viz/templates/web-rbac.yaml 
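Review bot: Several values the tap Deployment reads are not defined under those names in the chart's values.yaml, so they render empty. The resources block tests `.Values.tapResources` although values.yaml and values-ha.yaml set `tap.resources`; `imagePullPolicy` reads `.Values.tap.image.pullPolicy` although `tap.image` only has `name` and `tag`; and the anti-affinity dict passes `.Values.controllerComponentLabel`, which values.yaml does not declare (the pods are labelled `component: tap`). As a result the HA requests and limits never reach the tap container, and the anti-affinity rule is presumably built with an empty label key. Suggested: `{{- if .Values.tap.resources -}}` with `include "partials.resources" .Values.tap.resources`, `"label" "component"` in the dict, and a `pullPolicy` entry under `tap.image`; web.yaml has the same gap for `dashboard.image.pullPolicy`.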
@@ -7,16 +7,17 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: linkerd-web - namespace: {{.Values.global.namespace}} + namespace: {{.Values.linkerdNamespace}} labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: web + namespace: {{.Values.linkerdNamespace}} rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get"] resourceNames: ["linkerd-config"] - {{- if not .Values.restrictDashboardPrivileges }} + {{- if not .Values.dashboard.restrictPrivileges }} - apiGroups: [""] resources: ["namespaces", "configmaps"] verbs: ["get"] @@ -32,10 +33,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: linkerd-web - namespace: {{.Values.global.namespace}} + namespace: {{.Values.linkerdNamespace}} labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: web + namespace: {{.Values.linkerdNamespace}} roleRef: kind: Role name: linkerd-web @@ -43,16 +45,16 @@ roleRef: subjects: - kind: ServiceAccount name: linkerd-web - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} --- -{{- if not .Values.restrictDashboardPrivileges }} +{{- if not .Values.dashboard.restrictPrivileges }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: linkerd-{{.Values.global.namespace}}-web-check + name: linkerd-{{.Values.namespace}}-web-check labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: web rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterroles", "clusterrolebindings"] 
@@ -76,42 +78,43 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: linkerd-{{.Values.global.namespace}}-web-check + name: linkerd-{{.Values.namespace}}-web-check labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: web roleRef: kind: ClusterRole - name: linkerd-{{.Values.global.namespace}}-web-check + name: linkerd-{{.Values.namespace}}-web-check apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: linkerd-web - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: linkerd-{{.Values.global.namespace}}-web-admin + name: linkerd-{{.Values.namespace}}-web-admin labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + {{.Values.extensionAnnotation}}: linkerd-viz + component: web roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: linkerd-{{.Values.global.namespace}}-tap-admin + name: linkerd-{{.Values.namespace}}-tap-admin subjects: - kind: ServiceAccount name: linkerd-web - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} --- {{- end}} kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-web - namespace: {{.Values.global.namespace}} + namespace: {{.Values.namespace}} labels: - {{.Values.global.controllerComponentLabel}}: web - {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} -{{- include "partials.image-pull-secrets" . }} + {{.Values.extensionAnnotation}}: linkerd-viz + component: web + namespace: {{.Values.namespace}} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} 
diff --git a/viz/charts/linkerd-viz/templates/web.yaml b/viz/charts/linkerd-viz/templates/web.yaml new file mode 100644 index 000000000..1ced39e46 --- /dev/null +++ b/viz/charts/linkerd-viz/templates/web.yaml 
@@ -0,0 +1,110 @@ +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: {{.Values.namespace}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: web + namespace: {{.Values.namespace}} + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} +spec: + type: ClusterIP + selector: + {{.Values.extensionAnnotation}}: linkerd-viz + component: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + app.kubernetes.io/name: web + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}} + component: web + namespace: {{.Values.namespace}} + name: linkerd-web + namespace: {{.Values.namespace}} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: web + namespace: {{.Values.namespace}} + template: + metadata: + annotations: + {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + labels: + {{.Values.extensionAnnotation}}: linkerd-viz + component: web + namespace: {{.Values.namespace}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . 
| nindent 6 }} + containers: + - args: + - -api-addr=linkerd-controller-api.{{.Values.linkerdNamespace}}.svc.{{.Values.clusterDomain}}:8085 + - -cluster-domain={{.Values.clusterDomain}} + {{- if .Values.grafanaUrl }} + - -grafana-addr={{.Values.grafanaUrl}} + {{- else if .Values.grafana.enabled }} + - -grafana-addr=linkerd-grafana.{{.Values.namespace}}.svc.{{.Values.clusterDomain}}:3000 + {{- end}} + {{- if .Values.jaegerUrl }} + - -jaeger-addr={{.Values.jaegerUrl}} + {{- end}} + - -controller-namespace={{.Values.linkerdNamespace}} + - -log-level={{.Values.dashboard.logLevel}} + {{- if .Values.dashboard.enforcedHostRegexp }} + - -enforced-host={{.Values.dashboard.enforcedHostRegexp}} + {{- else -}} + {{- $hostFull := replace "." "\\." (printf "linkerd-web.%s.svc.%s" .Values.namespace .Values.clusterDomain) }} + {{- $hostAbbrev := replace "." "\\." (printf "linkerd-web.%s.svc" .Values.namespace) }} + - -enforced-host=^(localhost|127\.0\.0\.1|{{ $hostFull }}|{{ $hostAbbrev }}|\[::1\])(:\d+)?$ + {{- end}} + image: {{.Values.dashboard.image.name}}:{{ default (default .Values.linkerdVersion .Values.controllerImageVersion) .Values.dashboard.image.tag}} + imagePullPolicy: {{.Values.dashboard.image.pullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + {{- if .Values.dashboard.resources -}} + {{- include "partials.resources" .Values.dashboard.resources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.Values.dashboard.UID}} + serviceAccountName: linkerd-web diff --git a/viz/charts/linkerd-viz/values-ha.yaml b/viz/charts/linkerd-viz/values-ha.yaml new file mode 100644 index 000000000..ba278b0b3 --- /dev/null +++ b/viz/charts/linkerd-viz/values-ha.yaml 
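Review bot: The web container's `securityContext` sets only `runAsUser`, whereas the prometheus container in this same commit also sets `runAsNonRoot: true` and `runAsGroup`; the dashboard is the component most likely to be exposed, so its restrictions are worth stating in full. Consider adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` next to `runAsUser: {{.Values.dashboard.UID}}`, and `readOnlyRootFilesystem: true` if the web binary does not write to its filesystem (not verifiable from this diff). The same applies to the tap container in tap.yaml.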
@@ -0,0 +1,41 @@ +# This values.yaml file contains the values needed to enable HA mode. +# Usage: +# helm install -f values.yaml -f values-ha.yaml + +enablePodAntiAffinity: true + +resources: &ha_resources + cpu: &ha_resources_cpu + limit: "" + request: 100m + memory: + limit: 250Mi + request: 50Mi + + +# tap configuration +tap: + replicas: 3 + resources: *ha_resources + +# web configuration +dashboard: + resources: *ha_resources + +# grafana configuration +grafana: + resources: + cpu: *ha_resources_cpu + memory: + limit: 1024Mi + request: 50Mi + +# prometheus configuration +prometheus: + resources: + cpu: + limit: "" + request: 300m + memory: + limit: 8192Mi + request: 300Mi \ No newline at end of file diff --git a/viz/charts/linkerd-viz/values.yaml b/viz/charts/linkerd-viz/values.yaml new file mode 100644 index 000000000..75d9015c9 --- /dev/null +++ b/viz/charts/linkerd-viz/values.yaml 
@@ -0,0 +1,268 @@ +# Default values for linkerd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Fields that should be common with the core control plane + +# -- control plane version. See Proxy section for proxy version +linkerdVersion: &linkerd_version linkerdVersionValue + +# -- Kubernetes DNS Domain name to use +clusterDomain: &cluster_domain cluster.local + +# -- Trust domain used for identity +identityTrustDomain: *cluster_domain + +# -- Namespace of the Linkerd core control-plane install +linkerdNamespace: linkerd + +# -- Log level for all the viz components +globalLogLevel: &log_level info + +# -- UID for all the viz components +globalUID: &uid 2103 + +# Annotation labels. Do not edit. +createdByAnnotation: linkerd.io/created-by +proxyInjectAnnotation: linkerd.io/inject +extensionAnnotation: linkerd.io/extension + +# -- Namespace in which the Linkerd Viz extension has to be installed +namespace: linkerd-viz + +# -- NodeSelector section, See the [K8S +# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) +# for more information +nodeSelector: + beta.kubernetes.io/os: linux + +# -- For Private docker registries, authentication is needed. 
+# Registry secrets are applied to the respective service accounts +imagePullSecrets: [] +# - name: my-private-docker-registry-login-secret + +# -|- Tolerations section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +# for more information +# tolerations: + +# -- url of external prometheus instance +# prometheusUrl: + +# -- url of external jaeger instance +# Set this to `jaeger.linkerd-jaeger.svc.` if you plan to use jaeger extension +# jaegerUrl: + +# tap configuration +tap: + replicas: 1 + # -- log level of the tap component + logLevel: *log_level + image: + # -- Docker image name for the grafana instance + name: ghcr.io/linkerd/controller + # -- Docker image tag for the grafana instance + tag: *linkerd_version + # -- Do not create a secret resource for the Tap component. If this is set to + # `true`, the value `tap.caBundle` must be set (see below). + externalSecret: false + # -- Certificate for the Tap component. If not provided then Helm will + # generate one. + crtPEM: | + + # -- Certificate key for Tap component. If not provided then Helm will + # generate one. + keyPEM: | + + # -- Bundle of CA certificates for Tap component. If not provided then Helm + # will use the certificate generated for `tap.crtPEM`. If + # `tap.externalSecret` is set to true, this value must be set, as no + # certificate will be generated. 
+ caBundle: | + + resources: + cpu: + # -- Maximum amount of CPU units that the tap container can use + limit: + # -- Amount of CPU units that the tap container requests + request: + memory: + # -- Maximum amount of memory that tap container can use + limit: + # -- Amount of memory that the tap container requests + request: + + UID: *uid + +# web dashboard configuration +dashboard: + # -- Number of replicas of dashboard + replicas: 1 + # -- log level of the dashboard component + logLevel: *log_level + image: + # -- Docker image name for the web instance + name: ghcr.io/linkerd/web + # -- Docker image tag for the web instance + tag: *linkerd_version + + # UID for the dashboard resource + UID: *uid + + # -- Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check + restrictPrivileges: false + + # -- Host header validation regex for the dashboard. See the [Linkerd + # documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more + # information + enforcedHostRegexp: "" + resources: + cpu: + # -- Maximum amount of CPU units that the web container can use + limit: + # -- Amount of CPU units that the web container requests + request: + memory: + # -- Maximum amount of memory that web container can use + limit: + # -- Amount of memory that the web container requests + request: + +grafana: + # -- toggle field to enable or disable grafana + enabled: true + image: + # -- Docker image name for the grafana instance + name: ghcr.io/linkerd/grafana + # -- Docker image tag for the grafana instance + tag: *linkerd_version + + resources: + cpu: + # -- Maximum amount of CPU units that the grafana container can use + limit: + # -- Amount of CPU units that the grafana container requests + request: + memory: + # -- Maximum amount of memory that grafana container can use + limit: + # -- Amount of memory that the grafana container requests + request: + +prometheus: + # -- toggle field to enable or disable prometheus + enabled: true + image: + # -- Docker 
image name for the prometheus instance + name: prom/prometheus + # -- Docker image tag for the prometheus instance + tag: v2.19.3 + # == Pull policy for the prometheus instance + pullPolicy: Always + + # -- Command line options for Prometheus binary + args: + storage.tsdb.path: /data + storage.tsdb.retention.time: 6h + config.file: /etc/prometheus/prometheus.yml + log.level: *log_level + # -- The global configuration specifies parameters that are valid in all other + # configuration contexts. + globalConfig: + scrape_interval: 10s + scrape_timeout: 10s + evaluation_interval: 10s + + # -- Alert relabeling is applied to alerts before they are sent to the + # Alertmanager. + alertRelabelConfigs: + # Ex: + # - action: labeldrop + # regex: prometheus_replica + + # -- Alertmanager instances the Prometheus server sends alerts to configured via + # the static_configs parameter. + alertManagers: + # Ex: + # - scheme: http + # static_configs: + # - targets: + # - "alertmanager.linkerd.svc:9093" + + # -- Allows transparently sending samples to an endpoint. Mostly used for long + # term storage. + remoteWrite: + + # -- Alerting/recording rule ConfigMap mounts (sub-path names must end in + # ´_rules.yml´ or ´_rules.yaml´) + ruleConfigMapMounts: + # Ex: + # - name: alerting-rules + # subPath: alerting_rules.yml + # configMap: linkerd-prometheus-rules + # - name: recording-rules + # subPath: recording_rules.yml + # configMap: linkerd-prometheus-rules + + # -- A scrapeConfigs section specifies a set of targets and parameters + # describing how to scrape them. 
+ scrapeConfigs: + # Ex: + # - job_name: 'kubernetes-nodes' + # scheme: https + # tls_config: + # ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # kubernetes_sd_configs: + # - role: node + # relabel_configs: + # - action: labelmap + # regex: __meta_kubernetes_node_label_(.+) + + # -- A sidecarContainers section specifies a list of secondary containers to run + # in the prometheus pod e.g. to export data to non-prometheus systems + sideCarContainers: + # Ex: + # - name: sidecar + # image: gcr.io/myproject/stackdriver-prometheus-sidecar + # imagePullPolicy: Always + # command: + # - /bin/sh + # - -c + # - | + # exec /bin/stackdriver-prometheus-sidecar \ + # --stackdriver.project-id=myproject \ + # --stackdriver.kubernetes.location=us-central1 \ + # --stackdriver.kubernetes.cluster-name=mycluster \ + # --prometheus.wal-directory=/data/wal \ + # --log.level=info + # volumeMounts: + # - mountPath: /data + # name: data + # ports: + # - name: foo + # containerPort: 9091 + # protocol: TCP + ### WARNING: persistence is experimental and has not been tested/vetted by the Linkerd team. + ### As such, please refer to https://linkerd.io/2/tasks/exporting-metrics/ for the recommended approach to metrics data retention. + # if enabled, creates a persistent volume claim for prometheus data + # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims + #persistence: + # -- Storage class used to create prometheus data PV. + # storageClass: + # -- PVC access mode. + # accessMode: + # -- Prometheus data volume size. + # size: + + resources: + cpu: + # -- Maximum amount of CPU units that the prometheus container can use + limit: + # -- Amount of CPU units that the prometheus container requests + request: + memory: + # -- Maximum amount of memory that prometheus container can use + limit: + # -- Amount of memory that the prometheus container requests + request: 
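Review bot: The comments on `tap.image.name` and `tap.image.tag` both say "for the grafana instance", copied from the grafana block. Two comment markers also break the `# --` convention used in the rest of the file (`# -|- Tolerations section` and `# == Pull policy for the prometheus instance`), so a doc generator keyed on `# --` would presumably skip them. Suggested comments: `# -- Docker image name for the tap instance`, `# -- Docker image tag for the tap instance`, `# -- Pull policy for the prometheus instance`. The header `# Default values for linkerd.` could also name linkerd-viz.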
diff --git a/viz/cmd/install.go b/viz/cmd/install.go new file mode 100644 index 000000000..abd06c865 --- /dev/null +++ b/viz/cmd/install.go 
@@ -0,0 +1,157 @@ +package cmd + +import ( + "bytes" + "fmt" + "io" + "os" + "path" + + "github.com/linkerd/linkerd2/pkg/charts" + partials "github.com/linkerd/linkerd2/pkg/charts/static" + "github.com/linkerd/linkerd2/pkg/flags" + "github.com/linkerd/linkerd2/pkg/healthcheck" + "github.com/linkerd/linkerd2/pkg/k8s" + "github.com/linkerd/linkerd2/viz/static" + "github.com/spf13/cobra" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/cli/values" + "helm.sh/helm/v3/pkg/engine" +) + +var ( + templatesVIz = []string{ + "templates/namespace.yaml", + "templates/grafana-rbac.yaml", + "templates/prometheus-rbac.yaml", + "templates/tap-rbac.yaml", + "templates/web-rbac.yaml", + "templates/psp.yaml", + "templates/grafana.yaml", + "templates/prometheus.yaml", + "templates/tap.yaml", + "templates/web.yaml", + } +) + +func newCmdInstall() *cobra.Command { + var skipChecks bool + var options values.Options + + cmd := &cobra.Command{ + Use: "install [flags]", + Args: cobra.NoArgs, + Short: "Output Kubernetes resources to install linkerd-viz extension", + Long: `Output Kubernetes resources to install linkerd-viz extension.`, + Example: ` # Default install. + linkerd viz install | kubectl apply -f -`, + RunE: func(cmd *cobra.Command, args []string) error { + if !skipChecks { + // Ensure there is a Linkerd installation. 
+ kubeAPI, err := k8s.NewAPI(kubeconfigPath, kubeContext, impersonate, impersonateGroup, 0)
+ if err != nil {
+ return err
+ }
+
+ exists, err := healthcheck.CheckIfLinkerdExists(cmd.Context(), kubeAPI, controlPlaneNamespace)
+ if err != nil {
+ return fmt.Errorf("could not check for Linkerd existence: %s", err)
+ }
+
+ if !exists {
+ return fmt.Errorf("could not find a Linkerd installation")
+ }
+ }
+
+ return install(os.Stdout, options)
+ },
+ }
+
+ cmd.Flags().BoolVar(
+ &skipChecks, "skip-checks", false,
+ `Skip checks for namespace existence`,
+ )
+
+ flags.AddValueOptionsFlags(cmd.Flags(), &options)
+
+ return cmd
+}
+
+func install(w io.Writer, options values.Options) error {
+
+ // Create values override
+ valuesOverrides, err := options.MergeValues(nil)
+ if err != nil {
+ return err
+ }
+
+ // TODO: Add any validation logic here
+
+ return render(w, valuesOverrides)
+}
+
+func render(w io.Writer, valuesOverrides map[string]interface{}) error {
+
+ files := []*loader.BufferedFile{
+ {Name: chartutil.ChartfileName},
+ {Name: chartutil.ValuesfileName},
+ }
+
+ for _, template := range templatesVIz {
+ files = append(files,
+ &loader.BufferedFile{Name: template},
+ )
+ }
+
+ var partialFiles []*loader.BufferedFile
+ for _, template := range charts.L5dPartials {
+ partialFiles = append(partialFiles,
+ &loader.BufferedFile{Name: template},
+ )
+ }
+
+ // Load all Viz chart files into buffer
+ if err := charts.FilesReader(static.Templates, "linkerd-viz/", files); err != nil {
+ return err
+ }
+
+ // Load all partial chart files into buffer
+ if err := charts.FilesReader(partials.Templates, "", partialFiles); err != nil {
+ return err
+ }
+
+ // Create a Chart obj from the files
+ chart, err := loader.LoadFiles(append(files, partialFiles...))
+ if err != nil {
+ return err
+ }
+
+ vals, err := chartutil.CoalesceValues(chart, valuesOverrides)
+ if err != nil {
+ return err
+ }
+
+ vals, err = charts.InsertVersionValues(vals)
+ if err != nil {
+ return err
+ }
+
+ // Attach the final values into the `Values` field for rendering to work
+ renderedTemplates, err := engine.Render(chart, map[string]interface{}{"Values": vals})
+ if err != nil {
+ return err
+ }
+
+ // Merge templates and inject
+ var buf bytes.Buffer
+ for _, tmpl := range chart.Templates {
+ t := path.Join(chart.Metadata.Name, tmpl.Name)
+ if _, err := buf.WriteString(renderedTemplates[t]); err != nil {
+ return err
+ }
+ }
+
+ _, err = w.Write(buf.Bytes())
+ return err
+}
diff --git a/viz/cmd/root.go b/viz/cmd/root.go
new file mode 100644
index 000000000..54a296a45
--- /dev/null
+++ b/viz/cmd/root.go
@@ -0,0 +1,64 @@
+package cmd
+
+import (
+ "fmt"
+ "regexp"
+
+ log "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+)
+
+const (
+ defaultLinkerdNamespace = "linkerd"
+ defaultVizNamespace = "linkerd-viz"
+)
+
+var (
+ apiAddr string // An empty value means "use the Kubernetes configuration"
+ controlPlaneNamespace string
+ namespace string
+ kubeconfigPath string
+ kubeContext string
+ impersonate string
+ impersonateGroup []string
+ verbose bool
+
+ // These regexs are not as strict as they could be, but are a quick and dirty
+ // sanity check against illegal characters.
+ alphaNumDash = regexp.MustCompile(`^[a-zA-Z0-9-]+$`)
+)
+
+// NewCmdViz returns a new jeager command
+func NewCmdViz() *cobra.Command {
+ vizCmd := &cobra.Command{
+ Use: "viz",
+ Short: "viz manages the linkerd-viz extension of Linkerd service mesh",
+ Long: `viz manages the linkerd-viz extension of Linkerd service mesh.`,
+ PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+ // enable / disable logging
+ if verbose {
+ log.SetLevel(log.DebugLevel)
+ } else {
+ log.SetLevel(log.PanicLevel)
+ }
+
+ if !alphaNumDash.MatchString(controlPlaneNamespace) {
+ return fmt.Errorf("%s is not a valid namespace", controlPlaneNamespace)
+ }
+
+ return nil
+ },
+ }
+
+ vizCmd.PersistentFlags().StringVarP(&controlPlaneNamespace, "linkerd-namespace", "L", defaultLinkerdNamespace, "Namespace in which Linkerd is installed")
+ vizCmd.PersistentFlags().StringVarP(&namespace, "namespace", "n", defaultVizNamespace, "Namespace in which viz extension is installed")
+ vizCmd.PersistentFlags().StringVar(&kubeconfigPath, "kubeconfig", "", "Path to the kubeconfig file to use for CLI requests")
+ vizCmd.PersistentFlags().StringVar(&kubeContext, "context", "", "Name of the kubeconfig context to use")
+ vizCmd.PersistentFlags().StringVar(&impersonate, "as", "", "Username to impersonate for Kubernetes operations")
+ vizCmd.PersistentFlags().StringArrayVar(&impersonateGroup, "as-group", []string{}, "Group to impersonate for Kubernetes operations")
+ vizCmd.PersistentFlags().StringVar(&apiAddr, "api-addr", "", "Override kubeconfig and communicate directly with the control plane at host:port (mostly for testing)")
+ vizCmd.PersistentFlags().BoolVar(&verbose, "verbose", false, "Turn on debug logging")
+ vizCmd.AddCommand(newCmdInstall())
+
+ return vizCmd
+}
diff --git a/viz/static/generate.go b/viz/static/generate.go
new file mode 100644
index 000000000..dda2eb447
--- /dev/null
+++ b/viz/static/generate.go
@@ -0,0 +1,21 @@
+// +build ignore
+
+package main
+
+import (
+ "github.com/linkerd/linkerd2/viz/static"
+ "github.com/shurcooL/vfsgen"
+ log "github.com/sirupsen/logrus"
+)
+
+func main() {
+ err := vfsgen.Generate(static.Templates, vfsgen.Options{
+ Filename: "generated_viz_templates.gogen.go",
+ PackageName: "static",
+ BuildTags: "prod",
+ VariableName: "Templates",
+ })
+ if err != nil {
+ log.Fatalln(err)
+ }
+}
diff --git a/viz/static/templates.go b/viz/static/templates.go
new file mode 100644
index 000000000..34917a42a
--- /dev/null
+++ b/viz/static/templates.go
@@ -0,0 +1,15 @@
+//go:generate go run generate.go
+// +build !prod
+
+package static
+
+import (
+ "net/http"
+ "path"
+
+ "github.com/linkerd/linkerd2/pkg/charts/static"
+)
+
+// Templates that will be rendered by `linkerd viz install`. This is only used on
+// dev builds.
+var Templates http.FileSystem = http.Dir(path.Join(static.GetRepoRoot(), "viz/charts"))
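Review bot: In viz/cmd/root.go, `PersistentPreRunE` checks only `controlPlaneNamespace` against `alphaNumDash`; the `--namespace`/`-n` value bound to `namespace` gets no check at all, so a malformed viz namespace is passed on unvalidated to whatever consumes it (its use is not visible in this hunk). Add the same guard next to the existing one: `if !alphaNumDash.MatchString(namespace) { return fmt.Errorf("%s is not a valid namespace", namespace) }`. The pattern itself also accepts upper case and leading or trailing dashes, which Kubernetes rejects for namespace names, so it filters characters rather than proving the name valid. Separately, the doc comment should read `// NewCmdViz returns a new viz command` rather than "jeager".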
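Review bot: In viz/static/templates.go, `Templates` is built with `path.Join`, which is meant for slash-separated paths; for a directory handed to `http.Dir` the OS-aware form is `filepath.Join(static.GetRepoRoot(), "viz/charts")`, importing `path/filepath` in place of `path`. The comment on `Templates` should also spell out the build-tag contract, since `// +build !prod` means this variant reads the chart from disk at run time (presumably the repository checkout, going by `GetRepoRoot`) and the rendered manifests then follow whatever is in that directory. Suggested wording: `// Non-prod builds read the chart from the repository checkout at run time; release binaries must be built with -tags prod to use the generated, embedded copy.`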