From 500c1cc2d756e150466558750de6ecb48a9e6325 Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Tue, 13 Oct 2020 16:08:56 -0700 Subject: [PATCH] Expose namespaceSelector for admission webhooks in helm chart (#5074) Closes (#5026) Signed-off-by: Alex Leong Co-authored-by: Raphael Taylor-Davies --- charts/linkerd2/README.md | 6 +- .../templates/proxy-injector-rbac.yaml | 6 +- .../linkerd2/templates/sp-validator-rbac.yaml | 6 +- charts/linkerd2/values.yaml | 18 + cli/cmd/install_helm_test.go | 22 + cli/cmd/testdata/install_addon.golden | 12 + cli/cmd/testdata/install_control-plane.golden | 12 + ...install_controlplane_tracing_output.golden | 12 + .../testdata/install_custom_registry.golden | 12 + cli/cmd/testdata/install_default.golden | 12 + ...stall_default_override_dst_get_nets.golden | 12 + .../testdata/install_grafana_existing.golden | 12 + cli/cmd/testdata/install_ha_output.golden | 12 + .../install_ha_with_overrides_output.golden | 12 + .../install_heartbeat_disabled_output.golden | 12 + cli/cmd/testdata/install_helm_output.golden | 12 + .../install_helm_output_addons.golden | 12 + .../testdata/install_helm_output_ha.golden | 12 + .../install_helm_output_ha_labels.golden | 12 + ...l_helm_output_ha_namespace_selector.golden | 4168 +++++++++++++++++ .../testdata/install_no_init_container.golden | 12 + cli/cmd/testdata/install_output.golden | 12 + .../install_prometheus_overwrite.golden | 12 + cli/cmd/testdata/install_proxy_ignores.golden | 12 + .../install_restricted_dashboard.golden | 12 + cli/cmd/testdata/install_tracing.golden | 12 + .../testdata/install_tracing_overwrite.golden | 12 + pkg/charts/linkerd2/values.go | 8 +- pkg/charts/linkerd2/values_test.go | 16 +- pkg/tree/tree.go | 28 +- 30 files changed, 4505 insertions(+), 25 deletions(-) create mode 100644 cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden diff --git a/charts/linkerd2/README.md b/charts/linkerd2/README.md index 951900000..e613203d5 100644 --- a/charts/linkerd2/README.md 
+++ b/charts/linkerd2/README.md 
@@ -156,13 +156,15 @@ their default values. | `identityPoxyResources` | CPU and Memory resources required by proxy injected into identity pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | | `installNamespace` | Set to false when installing Linkerd in a custom namespace. See the [Linkerd documentation](https://linkerd.io/2/tasks/install-helm/#customizing-the-namespace) for more information. | `true` | | `omitWebhookSideEffects` | Omit the `sideEffects` flag in the webhook manifests | `false` | -| `proxyInjector.externalSecret` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below). | false | +| `proxyInjector.externalSecret` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below). | `false` | +| `proxyInjector.namespaceSelector` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation `config.linkerd.io/admission-webhooks=disabled` | | | `proxyInjector.crtPEM` | Certificate for the proxy injector. If not provided then Helm will generate one. | | | `proxyInjector.keyPEM` | Certificate key for the proxy injector. If not provided then Helm will generate one. | | | `proxyInjector.caBundle` | Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated. 
| | | `proxyInjectorResources` | CPU and Memory resources required by the proxy injector (see `global.proxy.resources` for sub-fields) | | | `proxyInjectorProxyResources` | CPU and Memory resources required by proxy injected into the proxy injector pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `profileValidator.externalSecret` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). | false | +| `profileValidator.externalSecret` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). | false | +| `profileValidator.namespaceSelector` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation `config.linkerd.io/admission-webhooks=disabled` | | | `profileValidator.crtPEM` | Certificate for the service profile validator. If not provided then Helm will generate one. | | | `profileValidator.keyPEM` | Certificate key for the service profile validator. If not provided then Helm will generate one. | | | `profileValidator.caBundle` | Bundle of CA certificates for service profile validator. If not provided then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value must be set, as no certificate will be generated. | | diff --git a/charts/linkerd2/templates/proxy-injector-rbac.yaml b/charts/linkerd2/templates/proxy-injector-rbac.yaml index 8cb536012..e5de7b070 100644 --- a/charts/linkerd2/templates/proxy-injector-rbac.yaml +++ b/charts/linkerd2/templates/proxy-injector-rbac.yaml 
@@ -83,11 +83,7 @@ metadata: webhooks: - name: linkerd-proxy-injector.linkerd.io namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled + {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }} clientConfig: service: name: linkerd-proxy-injector diff --git a/charts/linkerd2/templates/sp-validator-rbac.yaml b/charts/linkerd2/templates/sp-validator-rbac.yaml index 1b2e5539a..2ad85b0f5 100644 --- a/charts/linkerd2/templates/sp-validator-rbac.yaml +++ b/charts/linkerd2/templates/sp-validator-rbac.yaml @@ -71,11 +71,7 @@ metadata: webhooks: - name: linkerd-sp-validator.linkerd.io namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled + {{- toYaml .Values.profileValidator.namespaceSelector | trim | nindent 4 }} clientConfig: service: name: linkerd-sp-validator diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index 6d1d64220..6bb97c913 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml @@ -178,6 +178,15 @@ heartbeatSchedule: "0 0 * * *" # proxy injector configuration proxyInjector: externalSecret: false + + # Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + # if empty, Helm will auto-generate these fields crtPEM: | @@ -194,6 +203,15 @@ proxyInjector: # service profile validator configuration profileValidator: externalSecret: false + + # Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + # if empty, Helm will auto-generate these fields crtPEM: | diff --git a/cli/cmd/install_helm_test.go b/cli/cmd/install_helm_test.go index 416941bf2..e07b1298b 100644 --- a/cli/cmd/install_helm_test.go +++ b/cli/cmd/install_helm_test.go 
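Review bot: The new `{{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }}` has no fallback when the value is overridden to null or `{}`: `toYaml` renders nil as `null`, and `namespaceSelector: null` (or an empty selector) matches every namespace, including kube-system and the control-plane namespace, which the old inline expression only excluded through the `config.linkerd.io/admission-webhooks: disabled` label the chart puts on the linkerd Namespace (visible in the new golden). In HA mode the rendered webhook carries `failurePolicy: Fail`, so a match-all selector would let the injector gate pod creation in its own namespace whenever it is unavailable, which is the usual admission-webhook bootstrap deadlock. The README row added in this commit says "If not set defaults to all namespaces without …", but that only holds while values.yaml supplies the default; the template should guard the override and fall back to the shipped expression. The sp-validator-rbac.yaml hunk has the same gap with `.Values.profileValidator.namespaceSelector`.
```yaml
  namespaceSelector:
  {{- if .Values.proxyInjector.namespaceSelector }}
  {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }}
  {{- else }}
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  {{- end }}
  # … unchanged: clientConfig …
```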
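Review bot: The `# Namespace selector used by admission webhook` comment added to both values.yaml hunks leaves out what an operator needs before overriding it: the selector matches namespace labels (the README row in this commit calls it an annotation, but the linkerd Namespace in the new golden carries `config.linkerd.io/admission-webhooks: disabled` under `labels`), and the shipped `NotIn disabled` expression is what keeps the webhook from gating the control-plane namespace itself. Suggest `# Namespace selector for the admission webhook (matches namespace labels). The default excludes namespaces labeled config.linkerd.io/admission-webhooks=disabled, which includes the control-plane namespace; an override that stops excluding it lets the webhook gate its own pods.` The same comment belongs on the profileValidator hunk.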
@@ -58,6 +58,28 @@ global: chartControlPlane := chartControlPlane(t, ha, additionalConfig, "333", "444") testRenderHelm(t, chartControlPlane, "install_helm_output_ha_labels.golden") }) + + t.Run("HA mode with custom namespaceSelector", func(t *testing.T) { + ha := true + additionalConfig := ` +proxyInjector: + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: In + values: + - enabled +profileValidator: + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: In + values: + - enabled +` + chartControlPlane := chartControlPlane(t, ha, additionalConfig, "111", "222") + testRenderHelm(t, chartControlPlane, "install_helm_output_ha_namespace_selector.golden") + }) } func testRenderHelm(t *testing.T, chart *pb.Chart, goldenFileName string) { diff --git a/cli/cmd/testdata/install_addon.golden b/cli/cmd/testdata/install_addon.golden index 6caf51d36..98284edae 100644 --- a/cli/cmd/testdata/install_addon.golden +++ b/cli/cmd/testdata/install_addon.golden @@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_control-plane.golden b/cli/cmd/testdata/install_control-plane.golden index 87d4ec6aa..b90937ea0 100644 --- a/cli/cmd/testdata/install_control-plane.golden +++ b/cli/cmd/testdata/install_control-plane.golden 
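Review bot: The new `HA mode with custom namespaceSelector` subtest only exercises a fully populated override, so the rendering for the other input an operator can reach through the override file, `namespaceSelector: {}` or `namespaceSelector: null`, is unpinned, and that is the input that changes the webhook from the default exclusion to a match-all selector. A second subtest whose `additionalConfig` sets `proxyInjector:\n  namespaceSelector: {}` (and the same for `profileValidator`) with its own golden would make the intended output explicit rather than whatever `toYaml` emits. As a point of style, the two HA subtests now repeat the same four statements (`ha := true`, `additionalConfig`, `chartControlPlane(...)`, `testRenderHelm(...)`) with only the YAML and golden name differing; a small table of {name, additionalConfig, golden} iterated with `t.Run` would remove the duplication. The enclosing test function starts outside the hunk.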
@@ -165,12 +165,24 @@ data: caBundle: "" crtPEM: "" externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: "" crtPEM: "" externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index 55f630699..18f66d4d1 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index a7d90b425..a1272e44f 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden 
@@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index f2336aa6b..603677614 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 42c84c849..e8ef3cb12 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden 
@@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_grafana_existing.golden b/cli/cmd/testdata/install_grafana_existing.golden index a6b9ba518..01cbbcd54 100644 --- a/cli/cmd/testdata/install_grafana_existing.golden +++ b/cli/cmd/testdata/install_grafana_existing.golden @@ -944,12 +944,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 59b58a1e5..98180bd31 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -972,6 +972,12 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true resources: 
@@ -985,6 +991,12 @@ data: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: cpu: diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 2c4ea4c05..f4a8fcf09 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -972,6 +972,12 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true resources: @@ -985,6 +991,12 @@ data: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: cpu: diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index 9a67db09d..96c565cfe 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden 
@@ -903,12 +903,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden index 2035113b9..1f6536acb 100644 --- a/cli/cmd/testdata/install_helm_output.golden +++ b/cli/cmd/testdata/install_helm_output.golden @@ -1122,6 +1122,12 @@ data: caBundle: test-profile-validator-ca-bundle crtPEM: test-profile-validator-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: args: config.file: /etc/prometheus/prometheus.yml @@ -1309,6 +1315,12 @@ data: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_helm_output_addons.golden b/cli/cmd/testdata/install_helm_output_addons.golden index 707ade76c..ba2c572ac 100644 --- a/cli/cmd/testdata/install_helm_output_addons.golden +++ b/cli/cmd/testdata/install_helm_output_addons.golden 
@@ -1122,6 +1122,12 @@ data: caBundle: test-profile-validator-ca-bundle crtPEM: test-profile-validator-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: args: config.file: /etc/prometheus/prometheus.yml @@ -1309,6 +1315,12 @@ data: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden index 904d0d239..8c5aa463b 100644 --- a/cli/cmd/testdata/install_helm_output_ha.golden +++ b/cli/cmd/testdata/install_helm_output_ha.golden @@ -1145,6 +1145,12 @@ data: caBundle: test-profile-validator-ca-bundle crtPEM: test-profile-validator-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: args: config.file: /etc/prometheus/prometheus.yml @@ -1337,6 +1343,12 @@ data: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: cpu: diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 2d0ccf223..547ad5b65 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden 
@@ -1157,6 +1157,12 @@ data: caBundle: test-profile-validator-ca-bundle crtPEM: test-profile-validator-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: args: config.file: /etc/prometheus/prometheus.yml @@ -1357,6 +1363,12 @@ data: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: cpu: diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden new file mode 100644 index 000000000..ec67750ec --- /dev/null +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden 
@@ -0,0 +1,4168 @@ +--- +# Source: linkerd2/templates/namespace.yaml +--- +### +### Linkerd Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: linkerd + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" + config.linkerd.io/admission-webhooks: disabled + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/identity-rbac.yaml +--- +### +### Identity Controller Service RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/controller-rbac.yaml +--- +### +### Controller RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + 
resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-controller +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-controller + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/destination-rbac.yaml +--- +### +### Destination Controller Service +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-destination + labels: + linkerd.io/control-plane-component: destination + 
linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-destination +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-destination + namespace: linkerd + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/heartbeat-rbac.yaml +--- +### +### Heartbeat RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/web-rbac.yaml +--- +### +### Web RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +- apiGroups: [""] + resources: ["namespaces", "configmaps"] + verbs: ["get"] +- apiGroups: [""] + resources: ["serviceaccounts", "pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
RoleBinding +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-web + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-linkerd-web-check + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles", "clusterrolebindings"] + verbs: ["list"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +- apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-web-check + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: ClusterRole + name: linkerd-linkerd-web-check + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd 
+ labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/serviceprofile-crd.yaml +--- +### +### Service Profile CRD +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1alpha2 + served: true + storage: true + scope: Namespaced + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp +--- +# Source: linkerd2/templates/trafficsplit-crd.yaml +--- +### +### TrafficSplit CRD +### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trafficsplits.split.smi-spec.io + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: split.smi-spec.io + version: v1alpha1 + scope: Namespaced + names: + kind: TrafficSplit + shortNames: + - ts + plural: trafficsplits + singular: trafficsplit + additionalPrinterColumns: + - name: Service + type: string + description: The apex service of this split. 
+ JSONPath: .spec.service +--- +# Source: linkerd2/templates/proxy-injector-rbac.yaml +--- +### +### Proxy Injector RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["namespaces", "replicationcontrollers"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-k8s-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: kubernetes.io/tls +data: + tls.crt: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt + tls.key: dGVzdC1wcm94eS1pbmplY3Rvci1rZXktcGVt +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: 
+ name: linkerd-proxy-injector-webhook-config + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: In + values: + - enabled + clientConfig: + service: + name: linkerd-proxy-injector + namespace: linkerd + path: "/" + caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jYS1idW5kbGU= + failurePolicy: Fail + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None +--- +# Source: linkerd2/templates/sp-validator-rbac.yaml +--- +### +### Service Profile Validator RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-sp-validator + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-k8s-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: kubernetes.io/tls +data: + tls.crt: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt + tls.key: 
dGVzdC1wcm9maWxlLXZhbGlkYXRvci1rZXktcGVt +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-sp-validator-webhook-config + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-sp-validator.linkerd.io + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: In + values: + - enabled + clientConfig: + service: + name: linkerd-sp-validator + namespace: linkerd + path: "/" + caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU= + failurePolicy: Fail + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +# Source: linkerd2/templates/tap-rbac.yaml +--- +### +### Tap RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*"] + verbs: ["watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-tap-auth-delegator + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-linkerd-tap-auth-reader + namespace: kube-system + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-tap-k8s-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: kubernetes.io/tls +data: + tls.crt: dGVzdC10YXAtY3J0LXBlbQ== + tls.key: dGVzdC10YXAta2V5LXBlbQ== +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.tap.linkerd.io + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: linkerd + caBundle: dGVzdC10YXAtY2EtYnVuZGxl +--- +# Source: linkerd2/templates/psp.yaml +--- +### +### Control Plane PSP +### +--- +apiVersion: 
policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane + labels: + linkerd.io/control-plane-ns: linkerd +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + - NET_RAW + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-destination + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +# Source: linkerd2/templates/config.yaml +--- +kind: ConfigMap 
+apiVersion: v1 +metadata: + name: linkerd-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + values: | + controllerImage: ghcr.io/linkerd/controller + controllerImageVersion: dev-undefined + controllerReplicas: 3 + controllerUID: 2103 + dashboard: + replicas: 1 + debugContainer: + image: + name: ghcr.io/linkerd/debug + pullPolicy: IfNotPresent + version: test-debug-version + destinationProxyResources: null + destinationResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 50Mi + disableHeartBeat: false + enableH2Upgrade: true + enablePodAntiAffinity: true + global: + cliVersion: "" + clusterDomain: cluster.local + cniEnabled: false + controlPlaneTracing: false + controllerComponentLabel: linkerd.io/control-plane-component + controllerImageVersion: linkerd-version + controllerLogLevel: info + controllerNamespaceLabel: linkerd.io/control-plane-ns + createdByAnnotation: linkerd.io/created-by + enableEndpointSlices: false + grafanaUrl: "" + highAvailability: false + identityTrustAnchorsPEM: test-trust-anchor + identityTrustDomain: test.trust.domain + imagePullPolicy: IfNotPresent + imagePullSecrets: null + linkerdNamespaceLabel: linkerd.io/is-control-plane + linkerdVersion: linkerd-version + namespace: linkerd + podAnnotations: {} + podLabels: {} + prometheusUrl: "" + proxy: + capabilities: null + component: linkerd-controller + destinationGetNetworks: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + disableIdentity: false + disableTap: false + enableExternalProfiles: false + image: + name: ghcr.io/linkerd/proxy + pullPolicy: IfNotPresent + version: test-proxy-version + inboundConnectTimeout: 100ms + isGateway: false + logFormat: plain + logLevel: warn,linkerd=info + opaquePorts: "" + outboundConnectTimeout: 1000ms + ports: + admin: 4191 + control: 4190 + inbound: 4143 + outbound: 4140 + 
requireIdentityOnInboundPorts: "" + resources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 20Mi + saMountPath: null + trace: + collectorSvcAccount: default + collectorSvcAddr: "" + uid: 2102 + waitBeforeExitSeconds: 0 + workloadKind: deployment + proxyContainerName: linkerd-proxy + proxyInit: + capabilities: null + closeWaitTimeoutSecs: 0 + ignoreInboundPorts: "222" + ignoreOutboundPorts: "111" + image: + name: ghcr.io/linkerd/proxy-init + pullPolicy: IfNotPresent + version: test-proxy-init-version + resources: + cpu: + limit: 100m + request: 10m + memory: + limit: 50Mi + request: 10Mi + saMountPath: null + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + readOnly: false + proxyInjectAnnotation: linkerd.io/inject + proxyInjectDisabled: disabled + workloadNamespaceLabel: linkerd.io/workload-ns + grafana: + enabled: true + global: + cliVersion: "" + clusterDomain: cluster.local + cniEnabled: false + controlPlaneTracing: false + controllerComponentLabel: linkerd.io/control-plane-component + controllerImageVersion: linkerd-version + controllerLogLevel: info + controllerNamespaceLabel: linkerd.io/control-plane-ns + createdByAnnotation: linkerd.io/created-by + enableEndpointSlices: false + grafanaUrl: "" + highAvailability: false + identityTrustAnchorsPEM: test-trust-anchor + identityTrustDomain: test.trust.domain + imagePullPolicy: IfNotPresent + linkerdNamespaceLabel: linkerd.io/is-control-plane + linkerdVersion: linkerd-version + namespace: linkerd + podAnnotations: {} + podLabels: {} + prometheusUrl: "" + proxy: + capabilities: null + component: linkerd-controller + destinationGetNetworks: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + disableIdentity: false + disableTap: false + enableExternalProfiles: false + image: + name: ghcr.io/linkerd/proxy + pullPolicy: IfNotPresent + version: test-proxy-version + inboundConnectTimeout: 100ms + isGateway: false + logFormat: plain + logLevel: warn,linkerd=info + opaquePorts: "" + 
outboundConnectTimeout: 1000ms + ports: + admin: 4191 + control: 4190 + inbound: 4143 + outbound: 4140 + requireIdentityOnInboundPorts: "" + resources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 20Mi + saMountPath: null + trace: + collectorSvcAccount: default + collectorSvcAddr: "" + uid: 2102 + waitBeforeExitSeconds: 0 + workloadKind: deployment + proxyContainerName: linkerd-proxy + proxyInit: + capabilities: null + closeWaitTimeoutSecs: 0 + ignoreInboundPorts: "222" + ignoreOutboundPorts: "111" + image: + name: ghcr.io/linkerd/proxy-init + pullPolicy: IfNotPresent + version: test-proxy-init-version + resources: + cpu: + limit: 100m + request: 10m + memory: + limit: 50Mi + request: 10Mi + saMountPath: null + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + readOnly: false + proxyInjectAnnotation: linkerd.io/inject + proxyInjectDisabled: disabled + workloadNamespaceLabel: linkerd.io/workload-ns + image: + name: ghcr.io/linkerd/grafana + partials: + global: + cliVersion: "" + clusterDomain: cluster.local + cniEnabled: false + controlPlaneTracing: false + controllerComponentLabel: linkerd.io/control-plane-component + controllerImageVersion: linkerd-version + controllerLogLevel: info + controllerNamespaceLabel: linkerd.io/control-plane-ns + createdByAnnotation: linkerd.io/created-by + enableEndpointSlices: false + grafanaUrl: "" + highAvailability: false + identityTrustAnchorsPEM: test-trust-anchor + identityTrustDomain: test.trust.domain + imagePullPolicy: IfNotPresent + linkerdNamespaceLabel: linkerd.io/is-control-plane + linkerdVersion: linkerd-version + namespace: linkerd + podAnnotations: {} + podLabels: {} + prometheusUrl: "" + proxy: + capabilities: null + component: linkerd-controller + destinationGetNetworks: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + disableIdentity: false + disableTap: false + enableExternalProfiles: false + image: + name: ghcr.io/linkerd/proxy + pullPolicy: IfNotPresent + version: 
test-proxy-version + inboundConnectTimeout: 100ms + isGateway: false + logFormat: plain + logLevel: warn,linkerd=info + opaquePorts: "" + outboundConnectTimeout: 1000ms + ports: + admin: 4191 + control: 4190 + inbound: 4143 + outbound: 4140 + requireIdentityOnInboundPorts: "" + resources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 20Mi + saMountPath: null + trace: + collectorSvcAccount: default + collectorSvcAddr: "" + uid: 2102 + waitBeforeExitSeconds: 0 + workloadKind: deployment + proxyContainerName: linkerd-proxy + proxyInit: + capabilities: null + closeWaitTimeoutSecs: 0 + ignoreInboundPorts: "222" + ignoreOutboundPorts: "111" + image: + name: ghcr.io/linkerd/proxy-init + pullPolicy: IfNotPresent + version: test-proxy-init-version + resources: + cpu: + limit: 100m + request: 10m + memory: + limit: 50Mi + request: 10Mi + saMountPath: null + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + readOnly: false + proxyInjectAnnotation: linkerd.io/inject + proxyInjectDisabled: disabled + workloadNamespaceLabel: linkerd.io/workload-ns + resources: + cpu: + limit: "1" + request: 100m + memory: + limit: 1024Mi + request: 50Mi + heartbeatResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 50Mi + heartbeatSchedule: 0 0 * * * + identity: + issuer: + clockSkewAllowance: 20s + crtExpiry: Jul 30 17:21:14 2020 + crtExpiryAnnotation: linkerd.io/identity-issuer-expiry + issuanceLifetime: 24h0m0s + scheme: linkerd.io/tls + tls: + crtPEM: test-crt-pem + identityProxyResources: null + identityResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 10Mi + installNamespace: true + nodeSelector: + beta.kubernetes.io/os: linux + omitWebhookSideEffects: false + profileValidator: + caBundle: test-profile-validator-ca-bundle + crtPEM: test-profile-validator-crt-pem + externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + 
operator: In + values: + - enabled + prometheus: + args: + config.file: /etc/prometheus/prometheus.yml + log.level: info + storage.tsdb.path: /data + storage.tsdb.retention.time: 6h + enabled: true + global: + cliVersion: "" + clusterDomain: cluster.local + cniEnabled: false + controlPlaneTracing: false + controllerComponentLabel: linkerd.io/control-plane-component + controllerImageVersion: linkerd-version + controllerLogLevel: info + controllerNamespaceLabel: linkerd.io/control-plane-ns + createdByAnnotation: linkerd.io/created-by + enableEndpointSlices: false + grafanaUrl: "" + highAvailability: false + identityTrustAnchorsPEM: test-trust-anchor + identityTrustDomain: test.trust.domain + imagePullPolicy: IfNotPresent + linkerdNamespaceLabel: linkerd.io/is-control-plane + linkerdVersion: linkerd-version + namespace: linkerd + podAnnotations: {} + podLabels: {} + prometheusUrl: "" + proxy: + capabilities: null + component: linkerd-controller + destinationGetNetworks: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + disableIdentity: false + disableTap: false + enableExternalProfiles: false + image: + name: ghcr.io/linkerd/proxy + pullPolicy: IfNotPresent + version: test-proxy-version + inboundConnectTimeout: 100ms + isGateway: false + logFormat: plain + logLevel: warn,linkerd=info + opaquePorts: "" + outboundConnectTimeout: 1000ms + ports: + admin: 4191 + control: 4190 + inbound: 4143 + outbound: 4140 + requireIdentityOnInboundPorts: "" + resources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 20Mi + saMountPath: null + trace: + collectorSvcAccount: default + collectorSvcAddr: "" + uid: 2102 + waitBeforeExitSeconds: 0 + workloadKind: deployment + proxyContainerName: linkerd-proxy + proxyInit: + capabilities: null + closeWaitTimeoutSecs: 0 + ignoreInboundPorts: "222" + ignoreOutboundPorts: "111" + image: + name: ghcr.io/linkerd/proxy-init + pullPolicy: IfNotPresent + version: test-proxy-init-version + resources: + cpu: + limit: 100m + request: 10m 
+ memory: + limit: 50Mi + request: 10Mi + saMountPath: null + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + readOnly: false + proxyInjectAnnotation: linkerd.io/inject + proxyInjectDisabled: disabled + workloadNamespaceLabel: linkerd.io/workload-ns + globalConfig: + evaluation_interval: 10s + scrape_interval: 10s + scrape_timeout: 10s + image: prom/prometheus:v2.19.3 + partials: + global: + cliVersion: "" + clusterDomain: cluster.local + cniEnabled: false + controlPlaneTracing: false + controllerComponentLabel: linkerd.io/control-plane-component + controllerImageVersion: linkerd-version + controllerLogLevel: info + controllerNamespaceLabel: linkerd.io/control-plane-ns + createdByAnnotation: linkerd.io/created-by + enableEndpointSlices: false + grafanaUrl: "" + highAvailability: false + identityTrustAnchorsPEM: test-trust-anchor + identityTrustDomain: test.trust.domain + imagePullPolicy: IfNotPresent + linkerdNamespaceLabel: linkerd.io/is-control-plane + linkerdVersion: linkerd-version + namespace: linkerd + podAnnotations: {} + podLabels: {} + prometheusUrl: "" + proxy: + capabilities: null + component: linkerd-controller + destinationGetNetworks: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + disableIdentity: false + disableTap: false + enableExternalProfiles: false + image: + name: ghcr.io/linkerd/proxy + pullPolicy: IfNotPresent + version: test-proxy-version + inboundConnectTimeout: 100ms + isGateway: false + logFormat: plain + logLevel: warn,linkerd=info + opaquePorts: "" + outboundConnectTimeout: 1000ms + ports: + admin: 4191 + control: 4190 + inbound: 4143 + outbound: 4140 + requireIdentityOnInboundPorts: "" + resources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 20Mi + saMountPath: null + trace: + collectorSvcAccount: default + collectorSvcAddr: "" + uid: 2102 + waitBeforeExitSeconds: 0 + workloadKind: deployment + proxyContainerName: linkerd-proxy + proxyInit: + capabilities: null + closeWaitTimeoutSecs: 0 + 
ignoreInboundPorts: "222" + ignoreOutboundPorts: "111" + image: + name: ghcr.io/linkerd/proxy-init + pullPolicy: IfNotPresent + version: test-proxy-init-version + resources: + cpu: + limit: 100m + request: 10m + memory: + limit: 50Mi + request: 10Mi + saMountPath: null + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + readOnly: false + proxyInjectAnnotation: linkerd.io/inject + proxyInjectDisabled: disabled + workloadNamespaceLabel: linkerd.io/workload-ns + resources: + cpu: + limit: "4" + request: 300m + memory: + limit: 8192Mi + request: 300Mi + proxyInjector: + caBundle: test-proxy-injector-ca-bundle + crtPEM: test-proxy-injector-crt-pem + externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: In + values: + - enabled + proxyInjectorProxyResources: null + proxyInjectorResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 50Mi + publicAPIProxyResources: null + publicAPIResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 50Mi + restrictDashboardPrivileges: false + spValidatorProxyResources: null + spValidatorResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 50Mi + tap: + caBundle: test-tap-ca-bundle + crtPEM: test-tap-crt-pem + externalSecret: false + tapProxyResources: null + tapResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 50Mi + tolerations: null + tracing: + enabled: false + webImage: ghcr.io/linkerd/web + webProxyResources: null + webResources: + cpu: + limit: "1" + request: 100m + memory: + limit: 250Mi + request: 50Mi + webhookFailurePolicy: Fail +--- +# Source: linkerd2/templates/identity.yaml +--- +### +### Identity Controller Service +### +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + 
annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-issuer-expiry: Jul 30 17:21:14 2020 +data: + crt.pem: dGVzdC1jcnQtcGVt + key.pem: dGVzdC1rZXktcGVt +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity-headless + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: identity + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + name: linkerd-identity + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + strategy: + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + nodeSelector: + 
beta.kubernetes.io/os: linux + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - identity + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - identity + topologyKey: kubernetes.io/hostname + containers: + - args: + - identity + - -log-level=info + - -controller-namespace=linkerd + - -identity-trust-domain=test.trust.domain + - -identity-issuance-lifetime=24h0m0s + - -identity-clock-skew-allowance=20s + - -identity-trust-anchors-pem=dGVzdC10cnVzdC1hbmNob3I= + - -identity-scheme=linkerd.io/tls + image: ghcr.io/linkerd/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "10Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: 
LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: localhost.:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + 
initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-identity + volumes: + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/controller.yaml +--- +### +### Controller +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-controller-api + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: 
controller + ports: + - name: http + port: 8085 + targetPort: 8085 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + name: linkerd-controller + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + strategy: + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + spec: + nodeSelector: + beta.kubernetes.io/os: linux + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - controller + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - controller + topologyKey: kubernetes.io/hostname + containers: + - args: + - public-api + - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 + - -controller-namespace=linkerd + - -log-level=info + - -cluster-domain=cluster.local + - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + image: ghcr.io/linkerd/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: 
/ping + port: 9995 + initialDelaySeconds: 10 + name: public-api + ports: + - containerPort: 8085 + name: http + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-controller + volumes: + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/destination.yaml +--- +### +### Destination Controller Service +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst + namespace: linkerd + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst-headless + namespace: linkerd + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc 
+ port: 8086 + targetPort: 8086 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: destination + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + name: linkerd-destination + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-destination + strategy: + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-destination + spec: + nodeSelector: + beta.kubernetes.io/os: linux + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - destination + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - destination + topologyKey: kubernetes.io/hostname + containers: + - args: + - destination + - -addr=:8086 + - -controller-namespace=linkerd + - -enable-h2-upgrade=true + - -log-level=info + - -enable-endpoint-slices=false + - -cluster-domain=cluster.local + - -identity-trust-domain=test.trust.domain + image: ghcr.io/linkerd/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + 
name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: localhost.:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-destination + volumes: + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/heartbeat.yaml +--- +### +### Heartbeat +### +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + app.kubernetes.io/name: heartbeat + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + schedule: "0 0 * * *" + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/workload-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + spec: + nodeSelector: + beta.kubernetes.io/os: linux + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - 
name: heartbeat + image: ghcr.io/linkerd/controller:linkerd-version + imagePullPolicy: IfNotPresent + args: + - "heartbeat" + - "-controller-namespace=linkerd" + - "-log-level=info" + - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 +--- +# Source: linkerd2/templates/web.yaml +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: web + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + name: linkerd-web + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 + - -cluster-domain=cluster.local + - 
-grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 + - -controller-namespace=linkerd + - -log-level=info + - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ + image: ghcr.io/linkerd/web:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-web + volumes: + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/proxy-injector.yaml +--- +### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: proxy-injector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + strategy: + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + checksum/config: 17f16362a31b48351c3f9d0e8f411e44bf9d2f13c3500e8963e3b8bda7791ad3 + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: 
test-proxy-version + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + nodeSelector: + beta.kubernetes.io/os: linux + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - proxy-injector + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - proxy-injector + topologyKey: kubernetes.io/hostname + containers: + - args: + - proxy-injector + - -log-level=info + image: ghcr.io/linkerd/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: 
LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: 
ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - name: tls + secret: + secretName: linkerd-proxy-injector-k8s-tls + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: 
linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +# Source: linkerd2/templates/sp-validator.yaml +--- +### +### Service Profile Validator +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: sp-validator + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: sp-validator + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + name: linkerd-sp-validator + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: sp-validator + strategy: + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + checksum/config: 62cee90f53f5bf97cd62ab0bafefb8b4a419ee9ddc899990b11a51adb1164756 + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-sp-validator + spec: + nodeSelector: + beta.kubernetes.io/os: linux + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - sp-validator + 
topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - sp-validator + topologyKey: kubernetes.io/hostname + containers: + - args: + - sp-validator + - -log-level=info + image: ghcr.io/linkerd/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-sp-validator + volumes: + - name: tls + secret: + secretName: linkerd-sp-validator-k8s-tls + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/tap.yaml +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 + - name: apiserver + port: 443 + targetPort: apiserver +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: tap + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: tap + 
linkerd.io/control-plane-ns: linkerd + name: linkerd-tap + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + strategy: + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + annotations: + checksum/config: 494b55fb8f6819248b77bc13baf3fd41675475ad771fbe9696ff25fdc6e7405a + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + spec: + nodeSelector: + beta.kubernetes.io/os: linux + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - tap + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - tap + topologyKey: kubernetes.io/hostname + containers: + - args: + - tap + - -controller-namespace=linkerd + - -log-level=info + - -identity-trust-domain=test.trust.domain + image: ghcr.io/linkerd/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 8089 + name: apiserver + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: 
true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: 
$(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-tap + volumes: + - 
emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: tls + secret: + secretName: linkerd-tap-k8s-tls + +--- +# Source: linkerd2/templates/linkerd-config-addons.yaml +--- +### +### linkerd add-ons configuration +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config-addons + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + values: |- + global: + prometheusUrl: "" + grafanaUrl: "" + grafana: + enabled: true + image: + name: ghcr.io/linkerd/grafana + resources: + cpu: + limit: "1" + request: 100m + memory: + limit: 1024Mi + request: 50Mi + prometheus: + args: + config.file: /etc/prometheus/prometheus.yml + log.level: info + storage.tsdb.path: /data + storage.tsdb.retention.time: 6h + enabled: true + globalConfig: + evaluation_interval: 10s + scrape_interval: 10s + scrape_timeout: 10s + image: prom/prometheus:v2.19.3 + resources: + cpu: + limit: "4" + request: 300m + memory: + limit: 8192Mi + request: 300Mi + tracing: + enabled: false +--- +# Source: linkerd2/charts/grafana/templates/grafana-rbac.yaml +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/charts/grafana/templates/grafana.yaml +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + grafana.ini: |- + instance_name = linkerd-grafana + + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + + [auth] + disable_login_form = true + + [auth.anonymous] + enabled = true + org_role 
= Editor + + [auth.basic] + enabled = false + + [analytics] + check_for_updates = false + + [panels] + disable_sanitize_html = true + + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + name: linkerd-grafana + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + spec: + nodeSelector: + null + containers: + - env: + - 
name: GF_PATHS_DATA + value: /data + # Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments + # see https://github.com/grafana/grafana/issues/20096 + - name: GODEBUG + value: netdns=go + image: ghcr.io/linkerd/grafana:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + limits: + cpu: "1" + memory: "1024Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/charts/prometheus/templates/prometheus-rbac.yaml +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + 
linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/charts/prometheus/templates/prometheus.yaml +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + prometheus.yml: |- + global: + evaluation_interval: 10s + scrape_interval: 10s + scrape_timeout: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + - /etc/prometheus/*_rules.yaml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + # Required for: https://grafana.com/grafana/dashboards/315 + - job_name: 'kubernetes-nodes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + 
metric_relabel_configs: + - source_labels: [__name__] + regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' + action: keep + - source_labels: [__name__] + regex: 'container_memory_failures_total' # unneeded large metric + action: drop + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-service-mirror' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: linkerd-service-mirror;admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;linkerd$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # 
__meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + # Copy all pod labels to tmp labels + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + # Take `linkerd_io_` prefixed labels and copy them without the prefix + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + # Drop the `linkerd_io_` originals + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + # Copy tmp labels into real labels + - action: labelmap + regex: __tmp_pod_label_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: linkerd-version + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + name: linkerd-prometheus + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + template: + metadata: + annotations: + linkerd.io/created-by: 
linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/workload-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + spec: + nodeSelector: + null + securityContext: + fsGroup: 65534 + containers: + - args: + - --config.file=/etc/prometheus/prometheus.yml + - --log.level=info + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + image: prom/prometheus:v2.19.3 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: + limits: + cpu: "4" + memory: "8192Mi" + requests: + cpu: "300m" + memory: "300Mi" + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus/prometheus.yml + name: prometheus-config + subPath: prometheus.yml + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_LOG_FORMAT + value: plain + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst-headless.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: "100ms" + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: "1000ms" + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: 
LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} + - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY + value: "10000" + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity-headless.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: ghcr.io/linkerd/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /live + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy 
+ - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191,222 + - --outbound-ports-to-ignore + - 443,111 + image: ghcr.io/linkerd/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /run + name: linkerd-proxy-init-xtables-lock + serviceAccountName: linkerd-prometheus + volumes: + - name: data + emptyDir: {} + - configMap: + name: linkerd-prometheus-config + name: prometheus-config + - emptyDir: {} + name: linkerd-proxy-init-xtables-lock + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index f9676f490..f94883101 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden 
@@ -944,12 +944,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 1980b75c0..f5affcf10 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -947,6 +947,12 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true image: PrometheusImage @@ -954,6 +960,12 @@ data: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_prometheus_overwrite.golden b/cli/cmd/testdata/install_prometheus_overwrite.golden index 747eca48b..e18f1ce10 100644 --- a/cli/cmd/testdata/install_prometheus_overwrite.golden +++ b/cli/cmd/testdata/install_prometheus_overwrite.golden @@ -947,6 +947,12 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: alertManagers: - scheme: http 
@@ -1010,6 +1016,12 @@ data: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index a2cea4a8e..55727deea 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_restricted_dashboard.golden b/cli/cmd/testdata/install_restricted_dashboard.golden index 57af26cfb..515a2a66f 100644 --- a/cli/cmd/testdata/install_restricted_dashboard.golden +++ b/cli/cmd/testdata/install_restricted_dashboard.golden 
@@ -879,12 +879,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden index 6caf51d36..98284edae 100644 --- a/cli/cmd/testdata/install_tracing.golden +++ b/cli/cmd/testdata/install_tracing.golden @@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/cli/cmd/testdata/install_tracing_overwrite.golden b/cli/cmd/testdata/install_tracing_overwrite.golden index e5ef7d548..c7f11bf0a 100644 --- a/cli/cmd/testdata/install_tracing_overwrite.golden +++ b/cli/cmd/testdata/install_tracing_overwrite.golden 
@@ -947,12 +947,24 @@ data: caBundle: profile validator CA bundle crtPEM: profile validator crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled prometheus: enabled: true proxyInjector: caBundle: proxy injector CA bundle crtPEM: proxy injector crt externalSecret: false + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index 84177bd44..69b31c360 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go @@ -4,6 +4,8 @@ import ( "fmt" "time" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "github.com/imdario/mergo" "github.com/linkerd/linkerd2/pkg/charts" "github.com/linkerd/linkerd2/pkg/k8s" @@ -214,11 +216,13 @@ type ( // ProxyInjector has all the proxy injector's Helm variables ProxyInjector struct { *TLS + NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector"` } // ProfileValidator has all the profile validator's Helm variables ProfileValidator struct { *TLS + NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector"` } // Tap has all the Tap's Helm variables @@ -262,8 +266,8 @@ func NewValues(ha bool) (*Values, error) { v.Global.Proxy.Image.Version = version.Version v.DebugContainer.Image.Version = version.Version v.Global.CliVersion = k8s.CreatedByAnnotationValue() - v.ProfileValidator = &ProfileValidator{TLS: &TLS{}} - v.ProxyInjector = &ProxyInjector{TLS: &TLS{}} + v.ProfileValidator.TLS = &TLS{} + v.ProxyInjector.TLS = &TLS{} v.Global.ProxyContainerName = k8s.ProxyContainerName v.Tap = &Tap{TLS: &TLS{}} diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go index 4a2814b2d..bb2dd0ffa 100644 --- a/pkg/charts/linkerd2/values_test.go 
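Review bot: The new exported `NamespaceSelector` fields on `ProxyInjector` and `ProfileValidator` have no doc comment, and because this selector decides which namespaces the admission webhooks are skipped for, that is the one thing a reader of the struct needs to know; suggest `// NamespaceSelector restricts the namespaces the webhook is invoked for; objects in excluded namespaces bypass injection/validation entirely.` above each field. The `json:"namespaceSelector"` tag also lacks `omitempty`, so a nil selector is emitted as `null` rather than dropped — presumably intentional given the chart defaults visible in the golden hunks, but worth confirming, since an absent selector on a webhook configuration is treated by the API server as matching every namespace. Both struct definitions continue outside the hunk.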
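Review bot: `v.ProfileValidator.TLS = &TLS{}` and `v.ProxyInjector.TLS = &TLS{}` now dereference `v.ProfileValidator` and `v.ProxyInjector` instead of allocating them, so NewValues panics with a nil-pointer dereference if the chart defaults loaded earlier in the function (outside this hunk) omit the `profileValidator` or `proxyInjector` keys, whereas the removed lines tolerated that. A guard such as `if v.ProxyInjector == nil { v.ProxyInjector = &ProxyInjector{} }` and `if v.ProfileValidator == nil { v.ProfileValidator = &ProfileValidator{} }` before the two assignments would keep the function total without changing the populated case. NewValues starts outside the hunk.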
+++ b/pkg/charts/linkerd2/values_test.go @@ -4,6 +4,8 @@ import ( "reflect" "testing" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "github.com/linkerd/linkerd2/pkg/version" ) @@ -15,6 +17,16 @@ func TestNewValues(t *testing.T) { testVersion := "linkerd-dev" + namespaceSelector := &metav1.LabelSelector{ + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: "config.linkerd.io/admission-webhooks", + Operator: "NotIn", + Values: []string{"disabled"}, + }, + }, + } + expected := &Values{ ControllerImage: "ghcr.io/linkerd/controller", ControllerImageVersion: testVersion, @@ -134,8 +146,8 @@ func TestNewValues(t *testing.T) { }, }, - ProxyInjector: &ProxyInjector{TLS: &TLS{}}, - ProfileValidator: &ProfileValidator{TLS: &TLS{}}, + ProxyInjector: &ProxyInjector{TLS: &TLS{}, NamespaceSelector: namespaceSelector}, + ProfileValidator: &ProfileValidator{TLS: &TLS{}, NamespaceSelector: namespaceSelector}, Tap: &Tap{TLS: &TLS{}}, Grafana: Grafana{ "enabled": true, diff --git a/pkg/tree/tree.go b/pkg/tree/tree.go index 4cf42da9e..2fc3cd967 100644 --- a/pkg/tree/tree.go +++ b/pkg/tree/tree.go 
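Review bot: `Operator: "NotIn"` in the new `namespaceSelector` literal relies on an untyped string constant converting to `metav1.LabelSelectorOperator`; the typed constant `metav1.LabelSelectorOperatorNotIn` exists for exactly this and turns a misspelling into a compile error instead of a selector that silently never matches, so change it to `Operator: metav1.LabelSelectorOperatorNotIn,`. The same pointer is assigned to both expected structs, which is fine for the deep-equality comparison this test presumably performs. TestNewValues starts and ends outside these hunks.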
@@ -152,20 +152,30 @@ func Diff(x interface{}, y interface{}) (Tree, error) {
 return xTree.Diff(yTree)
 }
 
+// coerceTreeValue accepts a value and returns a value where all child values
+// have been coerced to a Tree where such a coercion is possible
+func coerceTreeValue(v interface{}) interface{} {
+ if vt, ok := v.(Tree); ok {
+ vt.coerceToTree()
+ } else if vm, ok := v.(map[string]interface{}); ok {
+ tree := Tree(vm)
+ tree.coerceToTree()
+ return tree
+ } else if va, ok := v.([]interface{}); ok {
+ for i, v := range va {
+ va[i] = coerceTreeValue(v)
+ }
+ }
+ return v
+}
+
 // coerceToTree recursively casts all instances of map[string]interface{} into
 // Tree within this Tree. When a tree document is unmarshaled, the subtrees
 // will typically be unmarshaled as map[string]interface{} values. We cast
 // each of these into the Tree newtype so that the Tree type is used uniformly
-// throughout the tree.
+// throughout the tree. Will additionally recurse through arrays
 func (t Tree) coerceToTree() {
 for k, v := range t {
- if vt, ok := v.(Tree); ok {
- vt.coerceToTree()
- }
- if vm, ok := v.(map[string]interface{}); ok {
- vt := Tree(vm)
- vt.coerceToTree()
- t[k] = vt
- }
+ t[k] = coerceTreeValue(v)
 }
 }
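Review bot: The `for i, v := range va` loop inside the new `coerceTreeValue` shadows the function's own `v` parameter, and the three chained type assertions are the shape a Go type switch expresses directly; rewriting the body as `switch x := v.(type)` with a distinct loop variable keeps the execution identical while removing the shadowing and the repeated `ok` checks. The sentence appended to the coerceToTree comment, `Will additionally recurse through arrays`, also lacks its closing period — `Will additionally recurse through arrays.`

```go
func coerceTreeValue(v interface{}) interface{} {
	switch x := v.(type) {
	case Tree:
		x.coerceToTree()
	case map[string]interface{}:
		tree := Tree(x)
		tree.coerceToTree()
		return tree
	case []interface{}:
		for i, elem := range x {
			x[i] = coerceTreeValue(elem)
		}
	}
	return v
}
```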