diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md index 922701e4d..d92a6cc09 100644 --- a/viz/charts/linkerd-viz/README.md +++ b/viz/charts/linkerd-viz/README.md @@ -71,7 +71,7 @@ Kubernetes: `>=1.13.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | +| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | | createdByAnnotation | string | `"linkerd.io/created-by"` | | | dashboard.UID | int | `2103` | | | dashboard.enforcedHostRegexp | string | `""` | Host header validation regex for the dashboard. See the [Linkerd documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more information | 
@@ -86,10 +86,11 @@ Kubernetes: `>=1.13.0-0` | dashboard.resources.memory.limit | string | `nil` | Maximum amount of memory that web container can use | | dashboard.resources.memory.request | string | `nil` | Amount of memory that the web container requests | | dashboard.restrictPrivileges | bool | `false` | Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check | -| defaultRegistry | string | `"ghcr.io/linkerd"` | Default Docker Registry | +| defaultLogLevel | string | `"info"` | Log level for all the viz components | +| defaultRegistry | string | `"ghcr.io/linkerd"` | Docker registry for all viz components | +| defaultUID | int | `2103` | UID for all the viz components | +| enablePodAntiAffinity | bool | `false` | Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components. | | extensionAnnotation | string | `"linkerd.io/extension"` | | -| globalLogLevel | string | `"info"` | Log level for all the viz components | -| globalUID | int | `2103` | UID for all the viz components | | grafana.enabled | bool | `true` | toggle field to enable or disable grafana | | grafana.image.name | string | `"grafana"` | Docker image name for the grafana instance | | grafana.image.registry | string | `"ghcr.io/linkerd"` | Docker registry for the grafana instance | 
@@ -99,9 +100,10 @@ Kubernetes: `>=1.13.0-0` | grafana.resources.cpu.request | string | `nil` | Amount of CPU units that the grafana container requests | | grafana.resources.memory.limit | string | `nil` | Maximum amount of memory that grafana container can use | | grafana.resources.memory.request | string | `nil` | Amount of memory that the grafana container requests | -| identityTrustDomain | string | `"cluster.local"` | Trust domain used for identity | +| identityTrustDomain | string | `"cluster.local"` | Trust domain used for identity | | imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | | installNamespace | bool | `true` | Set to false when installing in a custom namespace. | +| jaegerUrl | string | `""` | url of external jaeger instance Set this to `jaeger.linkerd-jaeger.svc.` if you plan to use jaeger extension | | linkerdNamespace | string | `"linkerd"` | Namespace of the Linkerd core control-plane install | | linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | | namespace | string | `"linkerd-viz"` | Namespace in which the Linkerd Viz extension has to be installed | 
@@ -124,6 +126,7 @@ Kubernetes: `>=1.13.0-0` | prometheus.ruleConfigMapMounts | string | `nil` | Alerting/recording rule ConfigMap mounts (sub-path names must end in ´_rules.yml´ or ´_rules.yaml´) | | prometheus.scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. | | prometheus.sideCarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems | +| prometheusUrl | string | `""` | url of external prometheus instance | | proxyInjectAnnotation | string | `"linkerd.io/inject"` | | | tap.UID | int | `2103` | | | tap.caBundle | string | `""` | Bundle of CA certificates for Tap component. If not provided then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to true, this value must be set, as no certificate will be generated. | @@ -135,7 +138,7 @@ Kubernetes: `>=1.13.0-0` | tap.keyPEM | string | `""` | Certificate key for Tap component. If not provided then Helm will generate one. | | tap.logLevel | string | `"info"` | log level of the tap component | | tap.proxy | string | `nil` | | -| tap.replicas | int | `1` | | +| tap.replicas | int | `1` | Number of tap component replicas | | tap.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the tap container can use | | tap.resources.cpu.request | string | `nil` | Amount of CPU units that the tap container requests | | tap.resources.memory.limit | string | `nil` | Maximum amount of memory that tap container can use | 
@@ -157,6 +160,7 @@ Kubernetes: `>=1.13.0-0` | tapInjector.resources.cpu.request | string | `nil` | Amount of CPU units that the tapInjector container requests | | tapInjector.resources.memory.limit | string | `nil` | Maximum amount of memory that tapInjector container can use | | tapInjector.resources.memory.request | string | `nil` | Amount of memory that the tapInjector container requests | +| tolerations | string | `nil` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/viz/charts/linkerd-viz/values.yaml b/viz/charts/linkerd-viz/values.yaml index 1b504bdbd..6b5801306 100644 --- a/viz/charts/linkerd-viz/values.yaml +++ b/viz/charts/linkerd-viz/values.yaml 
@@ -6,38 +6,31 @@ # -- control plane version. See Proxy section for proxy version linkerdVersion: &linkerd_version linkerdVersionValue - -# -- Default Docker Registry -defaultRegistry: &default_registry ghcr.io/linkerd - -# -- Kubernetes DNS Domain name to use +# -- Kubernetes DNS Domain name to use clusterDomain: &cluster_domain cluster.local - -# -- Trust domain used for identity +# -- Trust domain used for identity identityTrustDomain: *cluster_domain - -# -- Namespace of the Linkerd core control-plane install -linkerdNamespace: linkerd - -# -- Log level for all the viz components -globalLogLevel: &log_level info - -# -- UID for all the viz components -globalUID: &uid 2103 - # Annotation labels. Do not edit. createdByAnnotation: linkerd.io/created-by proxyInjectAnnotation: linkerd.io/inject extensionAnnotation: linkerd.io/extension +# -- Docker registry for all viz components +defaultRegistry: ®istry ghcr.io/linkerd +# -- Log level for all the viz components +defaultLogLevel: &log_level info +# -- UID for all the viz components +defaultUID: &uid 2103 + +# -- Namespace of the Linkerd core control-plane install +linkerdNamespace: linkerd # -- Set to false when installing in a custom namespace. installNamespace: true # -- Namespace in which the Linkerd Viz extension has to be installed namespace: linkerd-viz -# -- NodeSelector section, See the [K8S -# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) -# for more information +# -- NodeSelector section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information nodeSelector: beta.kubernetes.io/os: linux 
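Review bot: The rename of `globalLogLevel` and `globalUID` to `defaultLogLevel` and `defaultUID` in this hunk leaves existing overrides of the old keys without effect, and nothing visible in the diff warns about it. Helm accepts unknown value keys unless the chart ships a schema that forbids them (none is shown here), so an install that pinned `globalUID` would presumably fall back to 2103 after an upgrade with no error. I would record the old name in the doc comment, e.g. `# -- UID for all the viz components (renamed from globalUID)`, and do the same for `defaultLogLevel`, so the generated README carries the migration hint.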
@@ -46,26 +39,32 @@ nodeSelector: imagePullSecrets: [] # - name: my-private-docker-registry-login-secret -# -|- Tolerations section, See the +# -- Tolerations section, See the # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) # for more information -# tolerations: +tolerations: + +# -- Enables Pod Anti Affinity logic to balance the placement of replicas +# across hosts and zones for High Availability. +# Enable this only when you have multiple replicas of components. +enablePodAntiAffinity: false # -- url of external prometheus instance -# prometheusUrl: +prometheusUrl: "" # -- url of external jaeger instance # Set this to `jaeger.linkerd-jaeger.svc.` if you plan to use jaeger extension -# jaegerUrl: +jaegerUrl: "" # tap configuration tap: + # -- Number of tap component replicas replicas: 1 # -- log level of the tap component logLevel: *log_level image: # -- Docker registry for the tap instance - registry: *default_registry + registry: *registry # -- Docker image name for the tap instance name: controller # -- Docker image tag for the tap instance @@ -104,6 +103,7 @@ tap: # into the tap component # resources: + # UID for the dashboard resource UID: *uid # tapInjector configuration @@ -112,7 +112,7 @@ tapInjector: replicas: 1 image: # -- Docker registry for the tapInjector instance - registry: *default_registry + registry: *registry # -- Docker image name for the tapInjector instance name: controller # -- Docker image tag for the tapInjector instance @@ -168,7 +168,7 @@ dashboard: logLevel: *log_level image: # -- Docker registry for the web instance - registry: *default_registry + registry: *registry # -- Docker image name for the web instance name: web # -- Docker image tag for the web instance 
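Review bot: `registry: *registry` and `logLevel: *log_level` under `tap:` are YAML aliases, which are resolved when values.yaml is parsed, before any user-supplied values are merged. An operator who sets only `defaultRegistry` (for example to a private mirror) with `--set` or `-f` would still pull the tap image from `ghcr.io/linkerd`, unless the templates fall back to `.Values.defaultRegistry`, which this diff does not show. The doc comment should say so, e.g. `# -- Docker registry for the tap instance (overriding defaultRegistry alone does not change this; set it here)`. The same applies to the alias uses in the tapInjector, dashboard and grafana hunks below.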
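Review bot: The added comment `# UID for the dashboard resource` sits above `UID: *uid` in what the hunk header identifies as the `tap:` block, so it names the wrong component. It also lacks the `# --` prefix that the other documented keys use, which is probably why the README row for `tap.UID` still has an empty description. I would write `# -- UID for the tap component` instead. The `tap:` block starts above this hunk, so the placement is inferred from the hunk header and the `# tapInjector configuration` line that follows.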
@@ -206,7 +206,7 @@ grafana: enabled: true image: # -- Docker registry for the grafana instance - registry: *default_registry + registry: *registry # -- Docker image name for the grafana instance name: grafana # -- Docker image tag for the grafana instance diff --git a/viz/cmd/install_test.go b/viz/cmd/install_test.go index 6d77c7167..1c9848e91 100644 --- a/viz/cmd/install_test.go +++ b/viz/cmd/install_test.go @@ -24,6 +24,21 @@ func TestRender(t *testing.T) { }, } + proxyResources := map[string]interface{}{ + "proxy": map[string]interface{}{ + "resources": map[string]interface{}{ + "cpu": map[string]interface{}{ + "request": "500m", + "limit": "100m", + }, + "memory": map[string]interface{}{ + "request": "20Mi", + "limit": "250Mi", + }, + }, + }, + } + testCases := []struct { values map[string]interface{} goldenFileName string @@ -39,6 +54,15 @@ func TestRender(t *testing.T) { }, "install_prometheus_disabled.golden", }, + { + map[string]interface{}{ + "prometheus": proxyResources, + "tap": proxyResources, + "grafana": proxyResources, + "dashboard": proxyResources, + }, + "install_proxy_resources.golden", + }, } for i, tc := range testCases { diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden new file mode 100644 index 000000000..796a12570 --- /dev/null +++ b/viz/cmd/testdata/install_proxy_resources.golden 
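Review bot: The `proxyResources` fixture sets the CPU request to `"500m"` and the CPU limit to `"100m"`, so the request is larger than the limit. The render test only compares text, so it passes, but the golden file then records proxy annotations that would presumably produce a container spec the Kubernetes API rejects (a request must not exceed its limit). I would swap the two values, `"request": "100m",` and `"limit": "500m",`, and regenerate `install_proxy_resources.golden`. `TestRender` starts and ends outside this hunk.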
@@ -0,0 +1,1106 @@ +--- +### +### Linkerd Viz Extension Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + annotations: + linkerd.io/inject: enabled +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-prometheus + labels: + linkerd.io/extension: linkerd-viz + component: prometheus +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-prometheus + labels: + linkerd.io/extension: linkerd-viz + component: prometheus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-viz-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd-viz +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz +--- +### +### Tap RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-tap + labels: + linkerd.io/extension: linkerd-viz + component: tap +rules: +- apiGroups: [""] + resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +--- +kind: ClusterRole 
+apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-tap-admin + labels: + linkerd.io/extension: linkerd-viz + component: tap +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*"] + verbs: ["watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-tap + labels: + linkerd.io/extension: linkerd-viz + component: tap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-viz-tap +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-viz-tap-auth-delegator + labels: + linkerd.io/extension: linkerd-viz + component: tap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-linkerd-viz-tap-auth-reader + namespace: kube-system + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-tap-k8s-tls + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +type: kubernetes.io/tls +data: + tls.crt: dGVzdC10YXAtY3J0LXBlbQ== + tls.key: dGVzdC10YXAta2V5LXBlbQ== +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + name: v1alpha1.tap.linkerd.io + labels: + linkerd.io/extension: linkerd-viz + component: tap +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: linkerd-viz + caBundle: dGVzdC10YXAtY2EtYnVuZGxl +--- +### +### Web RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +- apiGroups: [""] + resources: ["namespaces", "configmaps"] + verbs: ["get"] +- apiGroups: [""] + resources: ["serviceaccounts", "pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd +roleRef: + kind: Role + name: linkerd-web + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-linkerd-viz-web-check + labels: + linkerd.io/extension: linkerd-viz + component: web +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles", "clusterrolebindings"] + verbs: ["list"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +- apiGroups: ["apiregistration.k8s.io"] + resources: 
["apiservices"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-viz-web-check + labels: + linkerd.io/extension: linkerd-viz + component: web +roleRef: + kind: ClusterRole + name: linkerd-linkerd-viz-web-check + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-web-admin + labels: + linkerd.io/extension: linkerd-viz + component: web +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-viz-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-viz-psp + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + namespace: linkerd-viz +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd-viz +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd-viz +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +data: + grafana.ini: |- + instance_name = linkerd-grafana + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + [auth] + disable_login_form = true + 
[auth.anonymous] + enabled = true + org_role = Editor + [auth.basic] + enabled = false + [analytics] + check_for_updates = false + [panels] + disable_sanitize_html = true + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/extension: linkerd-viz + component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + labels: + linkerd.io/extension: linkerd-viz + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: dev-undefined + component: grafana + namespace: linkerd-viz + name: linkerd-grafana + namespace: linkerd-viz +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + config.linkerd.io/proxy-cpu-request: "500m" + config.linkerd.io/proxy-cpu-limit: "100m" + config.linkerd.io/proxy-memory-request: "20Mi" + config.linkerd.io/proxy-memory-limit: "250Mi" + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + spec: + nodeSelector: + 
beta.kubernetes.io/os: linux + containers: + - env: + - name: GF_PATHS_DATA + value: /data + # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments + # see https://github.com/grafana/grafana/issues/20096 + - name: GODEBUG + value: netdns=go + image: ghcr.io/linkerd/grafana:dev-undefined + imagePullPolicy: + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +data: + prometheus.yml: |- + global: + evaluation_interval: 10s + scrape_interval: 10s + scrape_timeout: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + - /etc/prometheus/*_rules.yaml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd-viz'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + # Required for: https://grafana.com/grafana/dashboards/315 + - job_name: 'kubernetes-nodes-cadvisor' + scheme: 
https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + metric_relabel_configs: + - source_labels: [__name__] + regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' + action: keep + - source_labels: [__name__] + regex: 'container_memory_failures_total' # unneeded large metric + action: drop + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-service-mirror' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: linkerd-service-mirror;admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;linkerd$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - 
source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + # Copy all pod labels to tmp labels + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + # Take `linkerd_io_` prefixed labels and copy them without the prefix + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + # Drop the `linkerd_io_` originals + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + # Copy tmp labels into real labels + - action: labelmap + regex: __tmp_pod_label_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/extension: linkerd-viz + component: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + labels: + 
linkerd.io/extension: linkerd-viz + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: dev-undefined + component: prometheus + namespace: linkerd-viz + name: linkerd-prometheus + namespace: linkerd-viz +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + config.linkerd.io/proxy-cpu-request: "500m" + config.linkerd.io/proxy-cpu-limit: "100m" + config.linkerd.io/proxy-memory-request: "20Mi" + config.linkerd.io/proxy-memory-limit: "250Mi" + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + spec: + nodeSelector: + beta.kubernetes.io/os: linux + securityContext: + fsGroup: 65534 + containers: + - args: + - --config.file=/etc/prometheus/prometheus.yml + - --log.level=info + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + image: prom/prometheus:v2.19.3 + imagePullPolicy: + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus/prometheus.yml + name: prometheus-config + subPath: prometheus.yml + readOnly: true + serviceAccountName: linkerd-prometheus + volumes: + - name: data + emptyDir: {} + - configMap: + name: linkerd-prometheus-config + name: prometheus-config +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz + annotations: + 
linkerd.io/created-by: linkerd/helm dev-undefined
+spec:
+ type: ClusterIP
+ selector:
+ linkerd.io/extension: linkerd-viz
+ component: tap
+ ports:
+ - name: grpc
+ port: 8088
+ targetPort: 8088
+ - name: apiserver
+ port: 443
+ targetPort: apiserver
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ annotations:
+ linkerd.io/created-by: linkerd/helm dev-undefined
+ labels:
+ linkerd.io/extension: linkerd-viz
+ app.kubernetes.io/name: tap
+ app.kubernetes.io/part-of: Linkerd
+ app.kubernetes.io/version: dev-undefined
+ component: tap
+ namespace: linkerd-viz
+ name: linkerd-tap
+ namespace: linkerd-viz
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ linkerd.io/extension: linkerd-viz
+ component: tap
+ namespace: linkerd-viz
+ template:
+ metadata:
+ annotations:
+ checksum/config: 1396a8de42cb50dca5caf85bdb2b7ae7ad08152d0c107ec3586c366912d36aff
+ linkerd.io/created-by: linkerd/helm dev-undefined
+ config.linkerd.io/proxy-cpu-request: "500m"
+ config.linkerd.io/proxy-cpu-limit: "100m"
+ config.linkerd.io/proxy-memory-request: "20Mi"
+ config.linkerd.io/proxy-memory-limit: "250Mi"
+ labels:
+ linkerd.io/extension: linkerd-viz
+ component: tap
+ namespace: linkerd-viz
+ spec:
+ nodeSelector:
+ beta.kubernetes.io/os: linux
+ containers:
+ - args:
+ - tap
+ - -controller-namespace=linkerd
+ - -log-level=info
+ - -identity-trust-domain=cluster.local
+ image: ghcr.io/linkerd/controller:dev-undefined
+ imagePullPolicy:
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9998
+ initialDelaySeconds: 10
+ name: tap
+ ports:
+ - containerPort: 8088
+ name: grpc
+ - containerPort: 8089
+ name: apiserver
+ - containerPort: 9998
+ name: admin-http
+ readinessProbe:
+ failureThreshold: 7
+ httpGet:
+ path: /ready
+ port: 9998
+ resources:
+ securityContext:
+ runAsUser: 2103
+ volumeMounts:
+ - mountPath: /var/run/linkerd/tls
+ name: tls
+ readOnly: true
+ serviceAccountName: linkerd-tap
+ volumes:
+ - name: tls
+ secret:
+ secretName: linkerd-tap-k8s-tls
+
+###
+### Tap Injector RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-tap-injector
+ labels:
+ linkerd.io/extension: linkerd-viz
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-tap-injector
+ labels:
+ linkerd.io/extension: linkerd-viz
+subjects:
+- kind: ServiceAccount
+ name: tap-injector
+ namespace: linkerd-viz
+roleRef:
+ kind: ClusterRole
+ name: linkerd-tap-injector
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: tap-injector
+ namespace: linkerd-viz
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: tap-injector-k8s-tls
+ namespace: linkerd-viz
+ annotations:
+ linkerd.io/created-by: linkerd/helm dev-undefined
+type: kubernetes.io/tls
+data:
+ tls.crt: dGVzdC10YXAtY3J0LXBlbQ==
+ tls.key: dGVzdC10YXAta2V5LXBlbQ==
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: linkerd-tap-injector-webhook-config
+ labels:
+ linkerd.io/extension: linkerd-viz
+webhooks:
+- name: tap-injector.linkerd.io
+ clientConfig:
+ service:
+ name: tap-injector
+ namespace: linkerd-viz
+ path: "/"
+ caBundle: dGVzdC10YXAtY2EtYnVuZGxl
+ failurePolicy: Ignore
+ reinvocationPolicy: IfNeeded
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ sideEffects: None
+---
+###
+### Tap Injector
+###
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: tap-injector
+ namespace: linkerd-viz
+ labels:
+ linkerd.io/extension: linkerd-viz
+ component: tap-injector
+ annotations:
+ linkerd.io/created-by: linkerd/helm dev-undefined
+spec:
+ type: ClusterIP
+ selector:
+ component: tap-injector
+ ports:
+ - name: tap-injector
+ port: 443
+ targetPort: tap-injector
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ annotations:
+ linkerd.io/created-by: linkerd/helm dev-undefined
+ labels:
+ linkerd.io/extension: linkerd-viz
+ app.kubernetes.io/name: tap-injector
+ app.kubernetes.io/part-of: Linkerd
+ component: tap-injector
+ name: tap-injector
+ namespace: linkerd-viz
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: tap-injector
+ template:
+ metadata:
+ annotations:
+ checksum/config: 33e988bace52d67983db9661563009d9e7f2a4877dd05add7300d2f25d2579ba
+ linkerd.io/created-by: linkerd/helm dev-undefined
+ labels:
+ linkerd.io/extension: linkerd-viz
+ component: tap-injector
+ spec:
+ nodeSelector:
+ beta.kubernetes.io/os: linux
+ containers:
+ - args:
+ - tap-injector
+ - -tap-service-name=linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+ image: ghcr.io/linkerd/controller:dev-undefined
+ imagePullPolicy:
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9995
+ initialDelaySeconds: 10
+ name: tap-injector
+ ports:
+ - containerPort: 8443
+ name: tap-injector
+ - containerPort: 9995
+ name: admin-http
+ readinessProbe:
+ failureThreshold: 7
+ httpGet:
+ path: /ready
+ port: 9995
+ resources:
+ securityContext:
+ runAsUser: 2103
+ volumeMounts:
+ - mountPath: /var/run/linkerd/tls
+ name: tls
+ readOnly: true
+ serviceAccountName: tap-injector
+ volumes:
+ - name: tls
+ secret:
+ secretName: tap-injector-k8s-tls
+---
+###
+### Web
+###
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: linkerd-web
+ namespace: linkerd-viz
+ labels:
+ linkerd.io/extension: linkerd-viz
+ component: web
+ namespace: linkerd-viz
+ annotations:
+ linkerd.io/created-by: linkerd/helm dev-undefined
+spec:
+ type: ClusterIP
+ selector:
+ linkerd.io/extension: linkerd-viz
+ component: web
+ ports:
+ - name: http
+ port: 8084
+ targetPort: 8084
+ - name: admin-http
+ port: 9994
+ targetPort: 9994
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ linkerd.io/created-by: linkerd/helm dev-undefined
+ labels:
+ linkerd.io/extension: linkerd-viz
+ app.kubernetes.io/name: web
+ app.kubernetes.io/part-of: Linkerd
+ app.kubernetes.io/version: dev-undefined
+ component: web
+ namespace: linkerd-viz
+ name: linkerd-web
+ namespace: linkerd-viz
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ linkerd.io/extension: linkerd-viz
+ component: web
+ namespace: linkerd-viz
+ template:
+ metadata:
+ annotations:
+ linkerd.io/created-by: linkerd/helm dev-undefined
+ config.linkerd.io/proxy-cpu-request: "500m"
+ config.linkerd.io/proxy-cpu-limit: "100m"
+ config.linkerd.io/proxy-memory-request: "20Mi"
+ config.linkerd.io/proxy-memory-limit: "250Mi"
+ labels:
+ linkerd.io/extension: linkerd-viz
+ component: web
+ namespace: linkerd-viz
+ spec:
+ nodeSelector:
+ beta.kubernetes.io/os: linux
+ containers:
+ - args:
+ - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085
+ - -cluster-domain=cluster.local
+ - -grafana-addr=linkerd-grafana.linkerd-viz.svc.cluster.local:3000
+ - -controller-namespace=linkerd
+ - -log-level=info
+ - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd-viz\.svc\.cluster\.local|linkerd-web\.linkerd-viz\.svc|\[::1\])(:\d+)?$
+ image: ghcr.io/linkerd/web:dev-undefined
+ imagePullPolicy:
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9994
+ initialDelaySeconds: 10
+ name: web
+ ports:
+ - containerPort: 8084
+ name: http
+ - containerPort: 9994
+ name: admin-http
+ readinessProbe:
+ failureThreshold: 7
+ httpGet:
+ path: /ready
+ port: 9994
+ resources:
+ securityContext:
+ runAsUser: 2103
+ serviceAccountName: linkerd-web