From 288fbefe022eb394237183229a1de9f6f5027950 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Fri, 22 Jan 2021 00:48:16 +0530 Subject: [PATCH] viz: cleanup helm values.yaml (#5546) * viz: cleanup helm values.yaml This branch fixes some nits around naming of default variables i.e replace the usage of global with default. Renames globalLogLevel to defaultLogLevel and globalUID to defaultUID along with some chart README updates. Signed-off-by: Tarun Pothulapati --- viz/charts/linkerd-viz/README.md | 16 +- viz/charts/linkerd-viz/values.yaml | 56 +- viz/cmd/install_test.go | 24 + .../testdata/install_proxy_resources.golden | 1106 +++++++++++++++++ 4 files changed, 1168 insertions(+), 34 deletions(-) create mode 100644 viz/cmd/testdata/install_proxy_resources.golden diff --git a/viz/charts/linkerd-viz/README.md b/viz/charts/linkerd-viz/README.md index 922701e4d..d92a6cc09 100644 --- a/viz/charts/linkerd-viz/README.md +++ b/viz/charts/linkerd-viz/README.md @@ -71,7 +71,7 @@ Kubernetes: `>=1.13.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | +| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | | createdByAnnotation | string | `"linkerd.io/created-by"` | | | dashboard.UID | int | `2103` | | | dashboard.enforcedHostRegexp | string | `""` | Host header validation regex for the dashboard. See the [Linkerd documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more information | 
@@ -86,10 +86,11 @@ Kubernetes: `>=1.13.0-0` | dashboard.resources.memory.limit | string | `nil` | Maximum amount of memory that web container can use | | dashboard.resources.memory.request | string | `nil` | Amount of memory that the web container requests | | dashboard.restrictPrivileges | bool | `false` | Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check | -| defaultRegistry | string | `"ghcr.io/linkerd"` | Default Docker Registry | +| defaultLogLevel | string | `"info"` | Log level for all the viz components | +| defaultRegistry | string | `"ghcr.io/linkerd"` | Docker registry for all viz components | +| defaultUID | int | `2103` | UID for all the viz components | +| enablePodAntiAffinity | bool | `false` | Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components. | | extensionAnnotation | string | `"linkerd.io/extension"` | | -| globalLogLevel | string | `"info"` | Log level for all the viz components | -| globalUID | int | `2103` | UID for all the viz components | | grafana.enabled | bool | `true` | toggle field to enable or disable grafana | | grafana.image.name | string | `"grafana"` | Docker image name for the grafana instance | | grafana.image.registry | string | `"ghcr.io/linkerd"` | Docker registry for the grafana instance | 
@@ -99,9 +100,10 @@ Kubernetes: `>=1.13.0-0` | grafana.resources.cpu.request | string | `nil` | Amount of CPU units that the grafana container requests | | grafana.resources.memory.limit | string | `nil` | Maximum amount of memory that grafana container can use | | grafana.resources.memory.request | string | `nil` | Amount of memory that the grafana container requests | -| identityTrustDomain | string | `"cluster.local"` | Trust domain used for identity | +| identityTrustDomain | string | `"cluster.local"` | Trust domain used for identity | | imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | | installNamespace | bool | `true` | Set to false when installing in a custom namespace. | +| jaegerUrl | string | `""` | url of external jaeger instance Set this to `jaeger.linkerd-jaeger.svc.` if you plan to use jaeger extension | | linkerdNamespace | string | `"linkerd"` | Namespace of the Linkerd core control-plane install | | linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | | namespace | string | `"linkerd-viz"` | Namespace in which the Linkerd Viz extension has to be installed | 
@@ -124,6 +126,7 @@ Kubernetes: `>=1.13.0-0` | prometheus.ruleConfigMapMounts | string | `nil` | Alerting/recording rule ConfigMap mounts (sub-path names must end in ´_rules.yml´ or ´_rules.yaml´) | | prometheus.scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. | | prometheus.sideCarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems | +| prometheusUrl | string | `""` | url of external prometheus instance | | proxyInjectAnnotation | string | `"linkerd.io/inject"` | | | tap.UID | int | `2103` | | | tap.caBundle | string | `""` | Bundle of CA certificates for Tap component. If not provided then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to true, this value must be set, as no certificate will be generated. | @@ -135,7 +138,7 @@ Kubernetes: `>=1.13.0-0` | tap.keyPEM | string | `""` | Certificate key for Tap component. If not provided then Helm will generate one. | | tap.logLevel | string | `"info"` | log level of the tap component | | tap.proxy | string | `nil` | | -| tap.replicas | int | `1` | | +| tap.replicas | int | `1` | Number of tap component replicas | | tap.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the tap container can use | | tap.resources.cpu.request | string | `nil` | Amount of CPU units that the tap container requests | | tap.resources.memory.limit | string | `nil` | Maximum amount of memory that tap container can use | 
@@ -157,6 +160,7 @@ Kubernetes: `>=1.13.0-0` | tapInjector.resources.cpu.request | string | `nil` | Amount of CPU units that the tapInjector container requests | | tapInjector.resources.memory.limit | string | `nil` | Maximum amount of memory that tapInjector container can use | | tapInjector.resources.memory.request | string | `nil` | Amount of memory that the tapInjector container requests | +| tolerations | string | `nil` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/viz/charts/linkerd-viz/values.yaml b/viz/charts/linkerd-viz/values.yaml index 1b504bdbd..6b5801306 100644 --- a/viz/charts/linkerd-viz/values.yaml +++ b/viz/charts/linkerd-viz/values.yaml 
@@ -6,38 +6,31 @@ # -- control plane version. See Proxy section for proxy version linkerdVersion: &linkerd_version linkerdVersionValue - -# -- Default Docker Registry -defaultRegistry: &default_registry ghcr.io/linkerd - -# -- Kubernetes DNS Domain name to use +# -- Kubernetes DNS Domain name to use clusterDomain: &cluster_domain cluster.local - -# -- Trust domain used for identity +# -- Trust domain used for identity identityTrustDomain: *cluster_domain - -# -- Namespace of the Linkerd core control-plane install -linkerdNamespace: linkerd - -# -- Log level for all the viz components -globalLogLevel: &log_level info - -# -- UID for all the viz components -globalUID: &uid 2103 - # Annotation labels. Do not edit. createdByAnnotation: linkerd.io/created-by proxyInjectAnnotation: linkerd.io/inject extensionAnnotation: linkerd.io/extension +# -- Docker registry for all viz components +defaultRegistry: ®istry ghcr.io/linkerd +# -- Log level for all the viz components +defaultLogLevel: &log_level info +# -- UID for all the viz components +defaultUID: &uid 2103 + +# -- Namespace of the Linkerd core control-plane install +linkerdNamespace: linkerd # -- Set to false when installing in a custom namespace. installNamespace: true # -- Namespace in which the Linkerd Viz extension has to be installed namespace: linkerd-viz -# -- NodeSelector section, See the [K8S -# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) -# for more information +# -- NodeSelector section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information nodeSelector: beta.kubernetes.io/os: linux 
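Review bot: The `&log_level` and `&uid` anchors on `defaultLogLevel` and `defaultUID` are resolved when this file is parsed, so overriding `defaultUID` with `--set` or a separate values file does not change `tap.UID` (or, presumably, the other per-component UIDs), even though the comment says "UID for all the viz components". Operators may pin the run-as UID to satisfy a pod security policy, so that silent non-effect should be stated next to the keys, e.g. `# NOTE: YAML anchor only; override tap.UID, dashboard.UID etc. individually`. The rename from `globalUID`/`globalLogLevel` also deserves a line in the upgrade notes, because existing overrides under the old names would presumably stop matching any key. The registry anchor shows as `®istry` in this rendering, presumably `&registry` after entity decoding; confirm the committed file has `&registry`, since the `*registry` aliases depend on it.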
@@ -46,26 +39,32 @@ nodeSelector: imagePullSecrets: [] # - name: my-private-docker-registry-login-secret -# -|- Tolerations section, See the +# -- Tolerations section, See the # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) # for more information -# tolerations: +tolerations: + +# -- Enables Pod Anti Affinity logic to balance the placement of replicas +# across hosts and zones for High Availability. +# Enable this only when you have multiple replicas of components. +enablePodAntiAffinity: false # -- url of external prometheus instance -# prometheusUrl: +prometheusUrl: "" # -- url of external jaeger instance # Set this to `jaeger.linkerd-jaeger.svc.` if you plan to use jaeger extension -# jaegerUrl: +jaegerUrl: "" # tap configuration tap: + # -- Number of tap component replicas replicas: 1 # -- log level of the tap component logLevel: *log_level image: # -- Docker registry for the tap instance - registry: *default_registry + registry: *registry # -- Docker image name for the tap instance name: controller # -- Docker image tag for the tap instance @@ -104,6 +103,7 @@ tap: # into the tap component # resources: + # UID for the dashboard resource UID: *uid # tapInjector configuration @@ -112,7 +112,7 @@ tapInjector: replicas: 1 image: # -- Docker registry for the tapInjector instance - registry: *default_registry + registry: *registry # -- Docker image name for the tapInjector instance name: controller # -- Docker image tag for the tapInjector instance @@ -168,7 +168,7 @@ dashboard: logLevel: *log_level image: # -- Docker registry for the web instance - registry: *default_registry + registry: *registry # -- Docker image name for the web instance name: web # -- Docker image tag for the web instance 
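Review bot: `tolerations:` is now a live key with no value, so it parses as null, and the README table lists it as `string` / `nil` although it holds a list. Writing `tolerations: []`, as `imagePullSecrets: []` does at the top of this hunk, would document the expected type. Confirm the templates treat an empty list the same as null before changing it.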
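Review bot: The comment added above `UID: *uid` in the `@@ -104,6 +103,7 @@ tap:` hunk says "UID for the dashboard resource", but the key sits under `tap:`. It also lacks the `# --` prefix the rest of the file uses for helm-docs, which is consistent with `tap.UID` still having an empty description in the README table. Suggest `# -- UID for the tap component`. The `tap:` block starts and ends outside the hunk.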
@@ -206,7 +206,7 @@ grafana: enabled: true image: # -- Docker registry for the grafana instance - registry: *default_registry + registry: *registry # -- Docker image name for the grafana instance name: grafana # -- Docker image tag for the grafana instance diff --git a/viz/cmd/install_test.go b/viz/cmd/install_test.go index 6d77c7167..1c9848e91 100644 --- a/viz/cmd/install_test.go +++ b/viz/cmd/install_test.go @@ -24,6 +24,21 @@ func TestRender(t *testing.T) { }, } + proxyResources := map[string]interface{}{ + "proxy": map[string]interface{}{ + "resources": map[string]interface{}{ + "cpu": map[string]interface{}{ + "request": "500m", + "limit": "100m", + }, + "memory": map[string]interface{}{ + "request": "20Mi", + "limit": "250Mi", + }, + }, + }, + } + testCases := []struct { values map[string]interface{} goldenFileName string @@ -39,6 +54,15 @@ func TestRender(t *testing.T) { }, "install_prometheus_disabled.golden", }, + { + map[string]interface{}{ + "prometheus": proxyResources, + "tap": proxyResources, + "grafana": proxyResources, + "dashboard": proxyResources, + }, + "install_proxy_resources.golden", + }, } for i, tc := range testCases { diff --git a/viz/cmd/testdata/install_proxy_resources.golden b/viz/cmd/testdata/install_proxy_resources.golden new file mode 100644 index 000000000..796a12570 --- /dev/null +++ b/viz/cmd/testdata/install_proxy_resources.golden 
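Review bot: In the new `proxyResources` fixture the CPU request (`"500m"`) is larger than the CPU limit (`"100m"`), a combination Kubernetes rejects for a container. The golden file therefore records proxy annotations that could not be applied as real resources. The render test does not validate this, but the fixture reads as a usage example; swapping them to `"request": "100m", "limit": "500m"` and regenerating `install_proxy_resources.golden` keeps it realistic. TestRender starts and ends outside the hunk.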
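Review bot: The test case added in the `@@ -39,6 +54,15 @@` hunk sets proxy resources for `prometheus`, `tap`, `grafana` and `dashboard` but not `tapInjector`, and the tap-injector Deployment in the golden output carries no `config.linkerd.io/proxy-*` annotations. If `tapInjector.proxy` is meant to be supported (not visible from this hunk), add `"tapInjector": proxyResources` so the render test covers it. Otherwise a short comment on the case saying why it is left out would help.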
@@ -0,0 +1,1106 @@ +--- +### +### Linkerd Viz Extension Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + annotations: + linkerd.io/inject: enabled +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-prometheus + labels: + linkerd.io/extension: linkerd-viz + component: prometheus +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-prometheus + labels: + linkerd.io/extension: linkerd-viz + component: prometheus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-viz-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd-viz +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz +--- +### +### Tap RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-tap + labels: + linkerd.io/extension: linkerd-viz + component: tap +rules: +- apiGroups: [""] + resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +--- +kind: ClusterRole 
+apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-tap-admin + labels: + linkerd.io/extension: linkerd-viz + component: tap +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*"] + verbs: ["watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-tap + labels: + linkerd.io/extension: linkerd-viz + component: tap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-viz-tap +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-viz-tap-auth-delegator + labels: + linkerd.io/extension: linkerd-viz + component: tap +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-linkerd-viz-tap-auth-reader + namespace: kube-system + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-tap-k8s-tls + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +type: kubernetes.io/tls +data: + tls.crt: dGVzdC10YXAtY3J0LXBlbQ== + tls.key: dGVzdC10YXAta2V5LXBlbQ== +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + name: v1alpha1.tap.linkerd.io + labels: + linkerd.io/extension: linkerd-viz + component: tap +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: linkerd-viz + caBundle: dGVzdC10YXAtY2EtYnVuZGxl +--- +### +### Web RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +- apiGroups: [""] + resources: ["namespaces", "configmaps"] + verbs: ["get"] +- apiGroups: [""] + resources: ["serviceaccounts", "pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd +roleRef: + kind: Role + name: linkerd-web + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-linkerd-viz-web-check + labels: + linkerd.io/extension: linkerd-viz + component: web +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles", "clusterrolebindings"] + verbs: ["list"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +- apiGroups: ["apiregistration.k8s.io"] + resources: 
["apiservices"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-viz-web-check + labels: + linkerd.io/extension: linkerd-viz + component: web +roleRef: + kind: ClusterRole + name: linkerd-linkerd-viz-web-check + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-viz-web-admin + labels: + linkerd.io/extension: linkerd-viz + component: web +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-viz-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd-viz +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-viz-psp + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + namespace: linkerd-viz +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd-viz +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd-viz +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd-viz +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd-viz +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +data: + grafana.ini: |- + instance_name = linkerd-grafana + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + [auth] + disable_login_form = true + 
[auth.anonymous] + enabled = true + org_role = Editor + [auth.basic] + enabled = false + [analytics] + check_for_updates = false + [panels] + disable_sanitize_html = true + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/extension: linkerd-viz + component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + labels: + linkerd.io/extension: linkerd-viz + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: dev-undefined + component: grafana + namespace: linkerd-viz + name: linkerd-grafana + namespace: linkerd-viz +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + config.linkerd.io/proxy-cpu-request: "500m" + config.linkerd.io/proxy-cpu-limit: "100m" + config.linkerd.io/proxy-memory-request: "20Mi" + config.linkerd.io/proxy-memory-limit: "250Mi" + labels: + linkerd.io/extension: linkerd-viz + component: grafana + namespace: linkerd-viz + spec: + nodeSelector: + 
beta.kubernetes.io/os: linux + containers: + - env: + - name: GF_PATHS_DATA + value: /data + # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments + # see https://github.com/grafana/grafana/issues/20096 + - name: GODEBUG + value: netdns=go + image: ghcr.io/linkerd/grafana:dev-undefined + imagePullPolicy: + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +data: + prometheus.yml: |- + global: + evaluation_interval: 10s + scrape_interval: 10s + scrape_timeout: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + - /etc/prometheus/*_rules.yaml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd-viz'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + # Required for: https://grafana.com/grafana/dashboards/315 + - job_name: 'kubernetes-nodes-cadvisor' + scheme: 
https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + metric_relabel_configs: + - source_labels: [__name__] + regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' + action: keep + - source_labels: [__name__] + regex: 'container_memory_failures_total' # unneeded large metric + action: drop + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-service-mirror' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: linkerd-service-mirror;admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;linkerd$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - 
source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + # Copy all pod labels to tmp labels + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + # Take `linkerd_io_` prefixed labels and copy them without the prefix + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + # Drop the `linkerd_io_` originals + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + # Copy tmp labels into real labels + - action: labelmap + regex: __tmp_pod_label_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/extension: linkerd-viz + component: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + labels: + 
linkerd.io/extension: linkerd-viz + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: dev-undefined + component: prometheus + namespace: linkerd-viz + name: linkerd-prometheus + namespace: linkerd-viz +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + config.linkerd.io/proxy-cpu-request: "500m" + config.linkerd.io/proxy-cpu-limit: "100m" + config.linkerd.io/proxy-memory-request: "20Mi" + config.linkerd.io/proxy-memory-limit: "250Mi" + labels: + linkerd.io/extension: linkerd-viz + component: prometheus + namespace: linkerd-viz + spec: + nodeSelector: + beta.kubernetes.io/os: linux + securityContext: + fsGroup: 65534 + containers: + - args: + - --config.file=/etc/prometheus/prometheus.yml + - --log.level=info + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + image: prom/prometheus:v2.19.3 + imagePullPolicy: + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus/prometheus.yml + name: prometheus-config + subPath: prometheus.yml + readOnly: true + serviceAccountName: linkerd-prometheus + volumes: + - name: data + emptyDir: {} + - configMap: + name: linkerd-prometheus-config + name: prometheus-config +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz + annotations: + 
linkerd.io/created-by: linkerd/helm dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/extension: linkerd-viz + component: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 + - name: apiserver + port: 443 + targetPort: apiserver +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + labels: + linkerd.io/extension: linkerd-viz + app.kubernetes.io/name: tap + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: dev-undefined + component: tap + namespace: linkerd-viz + name: linkerd-tap + namespace: linkerd-viz +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz + template: + metadata: + annotations: + checksum/config: 1396a8de42cb50dca5caf85bdb2b7ae7ad08152d0c107ec3586c366912d36aff + linkerd.io/created-by: linkerd/helm dev-undefined + config.linkerd.io/proxy-cpu-request: "500m" + config.linkerd.io/proxy-cpu-limit: "100m" + config.linkerd.io/proxy-memory-request: "20Mi" + config.linkerd.io/proxy-memory-limit: "250Mi" + labels: + linkerd.io/extension: linkerd-viz + component: tap + namespace: linkerd-viz + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - tap + - -controller-namespace=linkerd + - -log-level=info + - -identity-trust-domain=cluster.local + image: ghcr.io/linkerd/controller:dev-undefined + imagePullPolicy: + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 8089 + name: apiserver + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + resources: + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + serviceAccountName: linkerd-tap + volumes: + - name: tls + secret: + secretName: linkerd-tap-k8s-tls + +### +### Tap 
Injector RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-tap-injector + labels: + linkerd.io/extension: linkerd-viz +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-tap-injector + labels: + linkerd.io/extension: linkerd-viz +subjects: +- kind: ServiceAccount + name: tap-injector + namespace: linkerd-viz +roleRef: + kind: ClusterRole + name: linkerd-tap-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: tap-injector + namespace: linkerd-viz +--- +kind: Secret +apiVersion: v1 +metadata: + name: tap-injector-k8s-tls + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +type: kubernetes.io/tls +data: + tls.crt: dGVzdC10YXAtY3J0LXBlbQ== + tls.key: dGVzdC10YXAta2V5LXBlbQ== +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-tap-injector-webhook-config + labels: + linkerd.io/extension: linkerd-viz +webhooks: +- name: tap-injector.linkerd.io + clientConfig: + service: + name: tap-injector + namespace: linkerd-viz + path: "/" + caBundle: dGVzdC10YXAtY2EtYnVuZGxl + failurePolicy: Ignore + reinvocationPolicy: IfNeeded + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None +--- +### +### Tap Injector +### +--- +kind: Service +apiVersion: v1 +metadata: + name: tap-injector + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: tap-injector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + type: ClusterIP + selector: + component: tap-injector + ports: + - name: tap-injector + port: 443 + targetPort: tap-injector +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + linkerd.io/created-by: 
linkerd/helm dev-undefined + labels: + linkerd.io/extension: linkerd-viz + app.kubernetes.io/name: tap-injector + app.kubernetes.io/part-of: Linkerd + component: tap-injector + name: tap-injector + namespace: linkerd-viz +spec: + replicas: 1 + selector: + matchLabels: + component: tap-injector + template: + metadata: + annotations: + checksum/config: 33e988bace52d67983db9661563009d9e7f2a4877dd05add7300d2f25d2579ba + linkerd.io/created-by: linkerd/helm dev-undefined + labels: + linkerd.io/extension: linkerd-viz + component: tap-injector + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - tap-injector + - -tap-service-name=linkerd-tap.linkerd-viz.serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/controller:dev-undefined + imagePullPolicy: + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: tap-injector + ports: + - containerPort: 8443 + name: tap-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + serviceAccountName: tap-injector + volumes: + - name: tls + secret: + secretName: tap-injector-k8s-tls +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd-viz + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd-viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/extension: linkerd-viz + component: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + labels: + linkerd.io/extension: linkerd-viz + app.kubernetes.io/name: web + 
app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: dev-undefined + component: web + namespace: linkerd-viz + name: linkerd-web + namespace: linkerd-viz +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd-viz + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined + config.linkerd.io/proxy-cpu-request: "500m" + config.linkerd.io/proxy-cpu-limit: "100m" + config.linkerd.io/proxy-memory-request: "20Mi" + config.linkerd.io/proxy-memory-limit: "250Mi" + labels: + linkerd.io/extension: linkerd-viz + component: web + namespace: linkerd-viz + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 + - -cluster-domain=cluster.local + - -grafana-addr=linkerd-grafana.linkerd-viz.svc.cluster.local:3000 + - -controller-namespace=linkerd + - -log-level=info + - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd-viz\.svc\.cluster\.local|linkerd-web\.linkerd-viz\.svc|\[::1\])(:\d+)?$ + image: ghcr.io/linkerd/web:dev-undefined + imagePullPolicy: + livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + resources: + securityContext: + runAsUser: 2103 + serviceAccountName: linkerd-web