Make the auto-injector required and removed proxy-auto-inject flag (#2733)

Make the auto-injector required and removed proxy-auto-inject flag Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
2019-04-24 13:06:51 -05:00 · 2019-04-24 13:06:51 -05:00 · 53bb7c47f6
parent c062cf433c
commit 53bb7c47f6
25 changed files with 1542 additions and 1892 deletions
--- a/bin/test-run
+++ b/bin/test-run
@ -63,7 +63,7 @@ function run_upgrade_test() {
    install_edge $edge_namespace
    printf "Upgrading release [%s] to [%s]\n" "$edge_version" "$linkerd_version"
-    run_test "$test_directory/install_test.go" --upgrade-from-version=$edge_version --linkerd-namespace=$edge_namespace --proxy-auto-inject || exit_code=$?
+    run_test "$test_directory/install_test.go" --upgrade-from-version=$edge_version --linkerd-namespace=$edge_namespace || exit_code=$?
 }
 linkerd_path=$1
--- a/chart/templates/namespace.yaml
+++ b/chart/templates/namespace.yaml
@ -8,8 +8,6 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: {{.Namespace}}
  {{- if .ProxyAutoInjectEnabled }}
  annotations:
    {{.ProxyInjectAnnotation}}: {{.ProxyInjectDisabled}}
  {{- end }}
 {{end -}}
--- a/chart/templates/proxy_injector-rbac.yaml
+++ b/chart/templates/proxy_injector-rbac.yaml
@ -1,5 +1,4 @@
 {{with .Values -}}
 {{if .ProxyAutoInjectEnabled -}}
 ---
 ###
 ### Proxy Injector RBAC
@ -43,4 +42,3 @@ roleRef:
  name: linkerd-{{.Namespace}}-proxy-injector
  apiGroup: rbac.authorization.k8s.io
 {{end -}}
 {{end -}}
--- a/chart/templates/proxy_injector.yaml
+++ b/chart/templates/proxy_injector.yaml
@ -1,5 +1,4 @@
 {{with .Values -}}
 {{if .ProxyAutoInjectEnabled -}}
 ---
 ###
 ### Proxy Injector
@ -78,6 +77,4 @@ spec:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
 ---
 {{end -}}
 {{end -}}
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@ -9,6 +9,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path"
 	"strings"
 	"time"
 	"github.com/golang/protobuf/ptypes"
@ -52,7 +53,6 @@ type (
 		ControllerComponentLabel string
 		CreatedByAnnotation      string
 		ProxyContainerName       string
 		ProxyAutoInjectEnabled   bool
 		ProxyInjectAnnotation    string
 		ProxyInjectDisabled      string
 		ControllerUID            int64
@ -108,7 +108,6 @@ type (
 		controlPlaneVersion string
 		controllerReplicas  uint
 		controllerLogLevel  string
 		proxyAutoInject     bool
 		highAvailability    bool
 		controllerUID       int64
 		disableH2Upgrade    bool
@ -158,7 +157,6 @@ func newInstallOptionsWithDefaults() *installOptions {
 		controlPlaneVersion: version.Version,
 		controllerReplicas:  defaultControllerReplicas,
 		controllerLogLevel:  "info",
 		proxyAutoInject:     false,
 		highAvailability:    false,
 		controllerUID:       2103,
 		disableH2Upgrade:    false,
@ -308,10 +306,6 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet {
 		&options.controllerLogLevel, "controller-log-level", options.controllerLogLevel,
 		"Log level for the controller and web components",
 	)
 	flags.BoolVar(
 		&options.proxyAutoInject, "proxy-auto-inject", options.proxyAutoInject,
 		"Enable proxy sidecar auto-injection via a webhook (default false)",
 	)
 	flags.BoolVar(
 		&options.highAvailability, "ha", options.highAvailability,
 		"Experimental: Enable HA deployment config for the control plane (default false)",
@ -463,7 +457,6 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins
 		ControllerUID:      options.controllerUID,
 		EnableH2Upgrade:    !options.disableH2Upgrade,
 		NoInitContainer:    options.noInitContainer,
 		ProxyAutoInjectEnabled: options.proxyAutoInject,
 		PrometheusLogLevel: toPromLogLevel(options.controllerLogLevel),
 		Configs: configJSONs{
@ -635,14 +628,8 @@ func (options *installOptions) configs(identity *pb.IdentityContext) *pb.All {
 }
 func (options *installOptions) globalConfig(identity *pb.IdentityContext) *pb.Global {
 	var autoInjectContext *pb.AutoInjectContext
 	if options.proxyAutoInject {
 		autoInjectContext = &pb.AutoInjectContext{}
 	}
 	return &pb.Global{
 		LinkerdNamespace: controlPlaneNamespace,
 		AutoInjectContext: autoInjectContext,
 		CniEnabled:       options.noInitContainer,
 		Version:          options.controlPlaneVersion,
 		IdentityContext:  identity,
@ -933,18 +920,14 @@ func validateArgs(args []string, flags *pflag.FlagSet, installOnlyFlags *pflag.F
 		combinedFlags.AddFlagSet(flags)
 		combinedFlags.AddFlagSet(installOnlyFlags)
-		var err error
+		invalidFlags := make([]string, 0)
 		combinedFlags.VisitAll(func(f *pflag.Flag) {
 			if f.Changed {
-				switch f.Name {
+				invalidFlags = append(invalidFlags, f.Name)
 				// TODO: remove "proxy-auto-inject" when it becomes default
 				case "proxy-auto-inject":
 				default:
 					err = fmt.Errorf("flag not available for config stage: --%s", f.Name)
 				}
 			}
 		})
-		if err != nil {
+		if len(invalidFlags) > 0 {
 			err := fmt.Errorf("flags not available for config stage: --%s", strings.Join(invalidFlags, ", --"))
 			return "", err
 		}
 	}
--- a/cli/cmd/install_test.go
+++ b/cli/cmd/install_test.go
@ -45,7 +45,6 @@ func TestRender(t *testing.T) {
 		ControllerComponentLabel: "ControllerComponentLabel",
 		CreatedByAnnotation:      "CreatedByAnnotation",
 		ProxyContainerName:       "ProxyContainerName",
 		ProxyAutoInjectEnabled:   true,
 		ProxyInjectAnnotation:    "ProxyInjectAnnotation",
 		ProxyInjectDisabled:      "ProxyInjectDisabled",
 		ControllerUID:            2103,
@ -83,15 +82,6 @@ func TestRender(t *testing.T) {
 	noInitContainerOptions.noInitContainer = true
 	noInitContainerValues, noInitContainerConfig, _ := noInitContainerOptions.validateAndBuild("", nil)
 	noInitContainerWithProxyAutoInjectOptions := testInstallOptions()
 	noInitContainerWithProxyAutoInjectOptions.recordedFlags = []*config.Install_Flag{
 		{Name: "linkerd-cni-enabled", Value: "true"},
 		{Name: "proxy-auto-inject", Value: "true"},
 	}
 	noInitContainerWithProxyAutoInjectOptions.noInitContainer = true
 	noInitContainerWithProxyAutoInjectOptions.proxyAutoInject = true
 	noInitContainerWithProxyAutoInjectValues, noInitContainerWithProxyAutoInjectConfig, _ := noInitContainerWithProxyAutoInjectOptions.validateAndBuild("", nil)
 	testCases := []struct {
 		values         *installValues
 		configs        *config.All
@ -104,7 +94,6 @@ func TestRender(t *testing.T) {
 		{haValues, haConfig, "install_ha_output.golden"},
 		{haWithOverridesValues, haWithOverridesConfig, "install_ha_with_overrides_output.golden"},
 		{noInitContainerValues, noInitContainerConfig, "install_no_init_container.golden"},
 		{noInitContainerWithProxyAutoInjectValues, noInitContainerWithProxyAutoInjectConfig, "install_no_init_container_auto_inject.golden"},
 	}
 	for i, tc := range testCases {
--- a/cli/cmd/testdata/install_config.golden
+++ b/cli/cmd/testdata/install_config.golden
@ -7,6 +7,8 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
 ---
 ###
 ### Identity Controller Service RBAC
@ -135,6 +137,48 @@ subjects:
  namespace: linkerd
 ---
 ###
 ### Proxy Injector RBAC
 ###
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
 - apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 subjects:
 - kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
 ---
 ###
 ### Service Profile Validator RBAC
 ###
 ---
--- a/cli/cmd/testdata/install_control-plane.golden
+++ b/cli/cmd/testdata/install_control-plane.golden
@ -1245,6 +1245,199 @@ spec:
 status: {}
 ---
 ###
 ### Proxy Injector
 ###
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-component: proxy-injector
  name: linkerd-proxy-injector
  namespace: linkerd
 spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy: {}
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: install-proxy-version
      creationTimestamp: null
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      containers:
      - args:
        - proxy-injector
        - -controller-namespace=linkerd
        - -log-level=info
        image: gcr.io/linkerd-io/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources: {}
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd2_proxy=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-destination.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy
            LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE
            AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0
            xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364
            6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF
            BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE
            AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv
            OLO4Zsk1XrGZHGsmyiEyvYF9lpY=
            -----END CERTIFICATE-----
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources: {}
        securityContext:
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191
        - --outbound-ports-to-ignore
        - "443"
        image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: false
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
 status: {}
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
 spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
 ---
 ###
 ### Service Profile Validator
 ###
 ---
--- a/cli/cmd/testdata/install_default.golden
+++ b/cli/cmd/testdata/install_default.golden
@ -7,6 +7,8 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
 ---
 ###
 ### Identity Controller Service RBAC
@ -135,6 +137,48 @@ subjects:
  namespace: linkerd
 ---
 ###
 ### Proxy Injector RBAC
 ###
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
 - apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 subjects:
 - kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
 ---
 ###
 ### Service Profile Validator RBAC
 ###
 ---
@ -1416,6 +1460,199 @@ spec:
 status: {}
 ---
 ###
 ### Proxy Injector
 ###
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-component: proxy-injector
  name: linkerd-proxy-injector
  namespace: linkerd
 spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy: {}
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: install-proxy-version
      creationTimestamp: null
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      containers:
      - args:
        - proxy-injector
        - -controller-namespace=linkerd
        - -log-level=info
        image: gcr.io/linkerd-io/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources: {}
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd2_proxy=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-destination.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy
            LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE
            AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0
            xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364
            6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF
            BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE
            AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv
            OLO4Zsk1XrGZHGsmyiEyvYF9lpY=
            -----END CERTIFICATE-----
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources: {}
        securityContext:
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191
        - --outbound-ports-to-ignore
        - "443"
        image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: false
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
 status: {}
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
 spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
 ---
 ###
 ### Service Profile Validator
 ###
 ---
--- a/cli/cmd/testdata/install_ha_output.golden
+++ b/cli/cmd/testdata/install_ha_output.golden
@ -7,6 +7,8 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
 ---
 ###
 ### Identity Controller Service RBAC
@ -135,6 +137,48 @@ subjects:
  namespace: linkerd
 ---
 ###
 ### Proxy Injector RBAC
 ###
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
 - apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 subjects:
 - kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
 ---
 ###
 ### Service Profile Validator RBAC
 ###
 ---
@ -1452,6 +1496,205 @@ spec:
 status: {}
 ---
 ###
 ### Proxy Injector
 ###
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-component: proxy-injector
  name: linkerd-proxy-injector
  namespace: linkerd
 spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy: {}
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: install-proxy-version
      creationTimestamp: null
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      containers:
      - args:
        - proxy-injector
        - -controller-namespace=linkerd
        - -log-level=info
        image: gcr.io/linkerd-io/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd2_proxy=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-destination.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy
            LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE
            AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0
            xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364
            6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF
            BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE
            AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv
            OLO4Zsk1XrGZHGsmyiEyvYF9lpY=
            -----END CERTIFICATE-----
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources:
          requests:
            cpu: 100m
            memory: 20Mi
        securityContext:
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191
        - --outbound-ports-to-ignore
        - "443"
        image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: false
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
 status: {}
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
 spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
 ---
 ###
 ### Service Profile Validator
 ###
 ---
--- a/cli/cmd/testdata/install_ha_with_overrides_output.golden
+++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden
@ -7,6 +7,8 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
 ---
 ###
 ### Identity Controller Service RBAC
@ -135,6 +137,48 @@ subjects:
  namespace: linkerd
 ---
 ###
 ### Proxy Injector RBAC
 ###
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
 - apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 subjects:
 - kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
 ---
 ###
 ### Service Profile Validator RBAC
 ###
 ---
@ -1452,6 +1496,205 @@ spec:
 status: {}
 ---
 ###
 ### Proxy Injector
 ###
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-component: proxy-injector
  name: linkerd-proxy-injector
  namespace: linkerd
 spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy: {}
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: install-proxy-version
      creationTimestamp: null
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      containers:
      - args:
        - proxy-injector
        - -controller-namespace=linkerd
        - -log-level=info
        image: gcr.io/linkerd-io/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd2_proxy=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-destination.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy
            LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE
            AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0
            xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364
            6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF
            BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE
            AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv
            OLO4Zsk1XrGZHGsmyiEyvYF9lpY=
            -----END CERTIFICATE-----
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources:
          requests:
            cpu: 400m
            memory: 300Mi
        securityContext:
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191
        - --outbound-ports-to-ignore
        - "443"
        image: gcr.io/linkerd-io/proxy-init:install-control-plane-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: false
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
 status: {}
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
 spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
 ---
 ###
 ### Service Profile Validator
 ###
 ---
--- a/cli/cmd/testdata/install_no_init_container.golden
+++ b/cli/cmd/testdata/install_no_init_container.golden
@ -7,6 +7,8 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
 ---
 ###
 ### Identity Controller Service RBAC
@ -135,6 +137,48 @@ subjects:
  namespace: linkerd
 ---
 ###
 ### Proxy Injector RBAC
 ###
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
 - apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 subjects:
 - kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
 ---
 ###
 ### Service Profile Validator RBAC
 ###
 ---
@ -1296,6 +1340,175 @@ spec:
 status: {}
 ---
 ###
 ### Proxy Injector
 ###
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-component: proxy-injector
  name: linkerd-proxy-injector
  namespace: linkerd
 spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy: {}
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: install-proxy-version
      creationTimestamp: null
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      containers:
      - args:
        - proxy-injector
        - -controller-namespace=linkerd
        - -log-level=info
        image: gcr.io/linkerd-io/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources: {}
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd2_proxy=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-destination.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy
            LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE
            AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0
            xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364
            6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF
            BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE
            AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv
            OLO4Zsk1XrGZHGsmyiEyvYF9lpY=
            -----END CERTIFICATE-----
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources: {}
        securityContext:
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
 status: {}
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
 spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
 ---
 ###
 ### Service Profile Validator
 ###
 ---
--- a/cli/cmd/testdata/install_no_init_container_auto_inject.golden
+++ b/cli/cmd/testdata/install_no_init_container_auto_inject.golden
--- a/cli/cmd/testdata/install_output.golden
+++ b/cli/cmd/testdata/install_output.golden
@ -1442,7 +1442,6 @@ spec:
    port: 443
    targetPort: proxy-injector
 ---
 ---
 ###
 ### Service Profile Validator
 ###
--- a/cli/cmd/testdata/upgrade_default.golden
+++ b/cli/cmd/testdata/upgrade_default.golden
@ -7,6 +7,8 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
 ---
 ###
 ### Identity Controller Service RBAC
@ -135,6 +137,48 @@ subjects:
  namespace: linkerd
 ---
 ###
 ### Proxy Injector RBAC
 ###
 ---
 kind: ServiceAccount
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 rules:
 - apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
 - apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: linkerd-linkerd-proxy-injector
 subjects:
 - kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
 ---
 ###
 ### Service Profile Validator RBAC
 ###
 ---
@ -1421,6 +1465,200 @@ spec:
 status: {}
 ---
 ###
 ### Proxy Injector
 ###
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-component: proxy-injector
  name: linkerd-proxy-injector
  namespace: linkerd
 spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy: {}
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: UPGRADE-PROXY-VERSION
      creationTimestamp: null
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      containers:
      - args:
        - proxy-injector
        - -controller-namespace=linkerd
        - -log-level=info
        image: gcr.io/linkerd-io/controller:UPGRADE-CONTROL-PLANE-VERSION
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources: {}
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd2_proxy=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-destination.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0
            eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDA0MjM1MzM3WhcNMjAwNDAz
            MjM1MzU3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j
            YWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+Sb5X4wi4XP0X3rJwMp23VBdg
            EMMU8EU+KG8UI2LmC5Vjg5RWLOW6BJjBmjXViKM+b+1/oKAeOg6FrJk8qyFlo0Iw
            QDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
            MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKUFG3sYOS++bakW
            YmJZU45iCdTLtaelMDSFiHoC9eBKAiBDWzzo+/CYLLmn33bAEn8pQnogP4Fx06aj
            +U9K4WlbzA==
            -----END CERTIFICATE-----
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:UPGRADE-PROXY-VERSION
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources: {}
        securityContext:
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191
        - --outbound-ports-to-ignore
        - "443"
        image: gcr.io/linkerd-io/proxy-init:UPGRADE-CONTROL-PLANE-VERSION
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: false
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
 status: {}
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
 spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
 ---
 ###
 ### Service Profile Validator
 ###
 ---
--- a/cli/cmd/upgrade.go
+++ b/cli/cmd/upgrade.go
@ -138,9 +138,6 @@ func (options *upgradeOptions) validateAndBuild(k kubernetes.Interface, flags *p
 	// Update the configs from the synthesized options.
 	options.overrideConfigs(configs, map[string]string{})
 	if options.proxyAutoInject {
 		configs.GetGlobal().AutoInjectContext = &pb.AutoInjectContext{}
 	}
 	if options.controlPlaneVersion != "" {
 		configs.GetGlobal().Version = options.controlPlaneVersion
 	}
--- a/cli/cmd/upgrade_test.go
+++ b/cli/cmd/upgrade_test.go
@ -46,7 +46,7 @@ metadata:
    linkerd.io/created-by: linkerd/cli edge-19.4.1
 data:
  global: |
-    {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0\neS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDA0MjM1MzM3WhcNMjAwNDAz\nMjM1MzU3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j\nYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+Sb5X4wi4XP0X3rJwMp23VBdg\nEMMU8EU+KG8UI2LmC5Vjg5RWLOW6BJjBmjXViKM+b+1/oKAeOg6FrJk8qyFlo0Iw\nQDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKUFG3sYOS++bakW\nYmJZU45iCdTLtaelMDSFiHoC9eBKAiBDWzzo+/CYLLmn33bAEn8pQnogP4Fx06aj\n+U9K4WlbzA==\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
+    {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0\neS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDA0MjM1MzM3WhcNMjAwNDAz\nMjM1MzU3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9j\nYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+Sb5X4wi4XP0X3rJwMp23VBdg\nEMMU8EU+KG8UI2LmC5Vjg5RWLOW6BJjBmjXViKM+b+1/oKAeOg6FrJk8qyFlo0Iw\nQDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC\nMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAKUFG3sYOS++bakW\nYmJZU45iCdTLtaelMDSFiHoC9eBKAiBDWzzo+/CYLLmn33bAEn8pQnogP4Fx06aj\n+U9K4WlbzA==\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
  proxy: |
    {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true}
  install: |
@ -118,7 +118,7 @@ metadata:
    linkerd.io/created-by: linkerd/cli edge-19.4.1
 data:
  global: |
-    {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":null,"autoInjectContext":null}
+    {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"edge-19.4.1","identityContext":null}
  proxy: |
    {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true}
  install: |
@ -127,7 +127,6 @@ data:
 	}
 	options := testUpgradeOptions()
 	options.proxyAutoInject = true
 	flags := options.recordableFlagSet()
 	clientset, _, err := k8s.NewFakeClientSets(k8sConfigs...)
@ -151,9 +150,6 @@ data:
 	if configs.GetGlobal().GetIdentityContext().GetTrustAnchorsPem() == "" {
 		t.Errorf("identity config not generated")
 	}
 	if configs.GetGlobal().GetAutoInjectContext() == nil {
 		t.Errorf("autoinject config not generated")
 	}
 	global := pb.Global{}
 	if err := json.Unmarshal([]byte(values.Configs.Global), &global); err != nil {
@ -162,9 +158,6 @@ data:
 	if configs.GetGlobal().GetIdentityContext().GetTrustAnchorsPem() == "" {
 		t.Errorf("identity config not serialized")
 	}
 	if configs.GetGlobal().GetAutoInjectContext() == nil {
 		t.Errorf("autoinject config not serialized")
 	}
 }
 func TestFetchConfigs(t *testing.T) {
@ -188,7 +181,7 @@ metadata:
  namespace: linkerd
 data:
  global: |
-    {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"},"autoInjectContext":null}
+    {"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s"}}
  proxy: |
    {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd2_proxy=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version"}
  install: |
--- a/controller/gen/config/config.pb.go
+++ b/controller/gen/config/config.pb.go
@ -32,7 +32,7 @@ func (m *All) Reset()         { *m = All{} }
 func (m *All) String() string { return proto.CompactTextString(m) }
 func (*All) ProtoMessage()    {}
 func (*All) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{0}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{0}
 }
 func (m *All) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_All.Unmarshal(m, b)
@ -80,9 +80,7 @@ type Global struct {
 	Version string `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"`
 	// If present, configures identity.
 	IdentityContext      *IdentityContext   `protobuf:"bytes,4,opt,name=identity_context,json=identityContext,proto3" json:"identity_context,omitempty"`
-	// If present, indicates that the Mutating Webhook Admission Controller should
+	AutoInjectContext    *AutoInjectContext `protobuf:"bytes,6,opt,name=auto_inject_context,json=autoInjectContext,proto3" json:"auto_inject_context,omitempty"` // Deprecated: Do not use.
 	// be configured to automatically inject proxies.
 	AutoInjectContext    *AutoInjectContext `protobuf:"bytes,6,opt,name=auto_inject_context,json=autoInjectContext,proto3" json:"auto_inject_context,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
 	XXX_unrecognized     []byte             `json:"-"`
 	XXX_sizecache        int32              `json:"-"`
@ -92,7 +90,7 @@ func (m *Global) Reset()         { *m = Global{} }
 func (m *Global) String() string { return proto.CompactTextString(m) }
 func (*Global) ProtoMessage()    {}
 func (*Global) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{1}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{1}
 }
 func (m *Global) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Global.Unmarshal(m, b)
@ -140,6 +138,7 @@ func (m *Global) GetIdentityContext() *IdentityContext {
 	return nil
 }
 // Deprecated: Do not use.
 func (m *Global) GetAutoInjectContext() *AutoInjectContext {
 	if m != nil {
 		return m.AutoInjectContext
@ -170,7 +169,7 @@ func (m *Proxy) Reset()         { *m = Proxy{} }
 func (m *Proxy) String() string { return proto.CompactTextString(m) }
 func (*Proxy) ProtoMessage()    {}
 func (*Proxy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{2}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{2}
 }
 func (m *Proxy) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Proxy.Unmarshal(m, b)
@ -293,7 +292,7 @@ func (m *Image) Reset()         { *m = Image{} }
 func (m *Image) String() string { return proto.CompactTextString(m) }
 func (*Image) ProtoMessage()    {}
 func (*Image) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{3}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{3}
 }
 func (m *Image) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Image.Unmarshal(m, b)
@ -338,7 +337,7 @@ func (m *Port) Reset()         { *m = Port{} }
 func (m *Port) String() string { return proto.CompactTextString(m) }
 func (*Port) ProtoMessage()    {}
 func (*Port) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{4}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{4}
 }
 func (m *Port) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Port.Unmarshal(m, b)
@ -379,7 +378,7 @@ func (m *ResourceRequirements) Reset()         { *m = ResourceRequirements{} }
 func (m *ResourceRequirements) String() string { return proto.CompactTextString(m) }
 func (*ResourceRequirements) ProtoMessage()    {}
 func (*ResourceRequirements) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{5}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{5}
 }
 func (m *ResourceRequirements) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ResourceRequirements.Unmarshal(m, b)
@ -427,7 +426,7 @@ func (m *ResourceRequirements) GetLimitMemory() string {
 	return ""
 }
-// Currently, this is basically a boolean.
+// Deprecated: Do not use.
 type AutoInjectContext struct {
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@ -438,7 +437,7 @@ func (m *AutoInjectContext) Reset()         { *m = AutoInjectContext{} }
 func (m *AutoInjectContext) String() string { return proto.CompactTextString(m) }
 func (*AutoInjectContext) ProtoMessage()    {}
 func (*AutoInjectContext) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{6}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{6}
 }
 func (m *AutoInjectContext) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_AutoInjectContext.Unmarshal(m, b)
@ -472,7 +471,7 @@ func (m *IdentityContext) Reset()         { *m = IdentityContext{} }
 func (m *IdentityContext) String() string { return proto.CompactTextString(m) }
 func (*IdentityContext) ProtoMessage()    {}
 func (*IdentityContext) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{7}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{7}
 }
 func (m *IdentityContext) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_IdentityContext.Unmarshal(m, b)
@ -531,7 +530,7 @@ func (m *LogLevel) Reset()         { *m = LogLevel{} }
 func (m *LogLevel) String() string { return proto.CompactTextString(m) }
 func (*LogLevel) ProtoMessage()    {}
 func (*LogLevel) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{8}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{8}
 }
 func (m *LogLevel) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_LogLevel.Unmarshal(m, b)
@ -578,7 +577,7 @@ func (m *Install) Reset()         { *m = Install{} }
 func (m *Install) String() string { return proto.CompactTextString(m) }
 func (*Install) ProtoMessage()    {}
 func (*Install) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{9}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{9}
 }
 func (m *Install) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Install.Unmarshal(m, b)
@ -631,7 +630,7 @@ func (m *Install_Flag) Reset()         { *m = Install_Flag{} }
 func (m *Install_Flag) String() string { return proto.CompactTextString(m) }
 func (*Install_Flag) ProtoMessage()    {}
 func (*Install_Flag) Descriptor() ([]byte, []int) {
-	return fileDescriptor_config_1dc3723f04bb94b9, []int{9, 0}
+	return fileDescriptor_config_42b83b762b43f0a0, []int{9, 0}
 }
 func (m *Install_Flag) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Install_Flag.Unmarshal(m, b)
@ -679,67 +678,67 @@ func init() {
 	proto.RegisterType((*Install_Flag)(nil), "linkerd2.config.Install.Flag")
 }
-func init() { proto.RegisterFile("config/config.proto", fileDescriptor_config_1dc3723f04bb94b9) }
+func init() { proto.RegisterFile("config/config.proto", fileDescriptor_config_42b83b762b43f0a0) }
-var fileDescriptor_config_1dc3723f04bb94b9 = []byte{
+var fileDescriptor_config_42b83b762b43f0a0 = []byte{
-	// 929 bytes of a gzipped FileDescriptorProto
+	// 938 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x55, 0xcf, 0x73, 0x1b, 0x35,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x55, 0x5d, 0x6f, 0x23, 0x35,
-	0x14, 0x1e, 0xd7, 0x76, 0x62, 0x3f, 0xdb, 0x4d, 0xac, 0xa4, 0x74, 0x13, 0xa6, 0x60, 0x96, 0xe9,
+	0x14, 0x55, 0xbe, 0xda, 0xe4, 0x26, 0xd9, 0x36, 0x6e, 0x97, 0x4e, 0x8b, 0x16, 0xc2, 0xa0, 0x95,
-	0x4c, 0x07, 0x18, 0x1b, 0x12, 0x06, 0x3a, 0x3d, 0x61, 0xfa, 0x23, 0xe3, 0x69, 0x80, 0x8c, 0x18,
+	0x56, 0x80, 0x12, 0x68, 0x11, 0xac, 0xfa, 0x44, 0xf6, 0xab, 0x8a, 0xb6, 0x40, 0x65, 0xc4, 0x3e,
-	0x38, 0x70, 0xd9, 0x59, 0xef, 0xca, 0x5b, 0x11, 0xad, 0xe4, 0x6a, 0xa5, 0x24, 0xfd, 0x33, 0xb8,
+	0xf0, 0x32, 0x9a, 0xcc, 0x38, 0xb3, 0xa6, 0x1e, 0x3b, 0xeb, 0xf1, 0xb4, 0xdd, 0x1f, 0x82, 0xc4,
-	0x71, 0xe2, 0xc6, 0x9f, 0xc8, 0x9d, 0xd1, 0x93, 0x36, 0xa4, 0x59, 0xe2, 0xd3, 0x4a, 0xdf, 0xfb,
+	0x13, 0x6f, 0xfc, 0xc4, 0x7d, 0x47, 0xbe, 0xf6, 0x94, 0xb6, 0xb3, 0xcd, 0xd3, 0xd8, 0xe7, 0x9e,
-	0xbe, 0x4f, 0x6f, 0xa5, 0xa7, 0x27, 0xd8, 0xcb, 0x94, 0x5c, 0xf1, 0x62, 0xe6, 0x3f, 0xd3, 0xb5,
+	0x73, 0x7c, 0xc7, 0xbe, 0xbe, 0x86, 0x9d, 0x44, 0xc9, 0x25, 0xcf, 0xa6, 0xee, 0x33, 0x59, 0x69,
-	0x56, 0x46, 0x91, 0x1d, 0xc1, 0xe5, 0x39, 0xd3, 0xf9, 0xd1, 0xd4, 0xc3, 0x87, 0x1f, 0x15, 0x4a,
+	0x65, 0x14, 0xd9, 0x12, 0x5c, 0x9e, 0x33, 0x9d, 0x1e, 0x4e, 0x1c, 0x7c, 0xf0, 0x59, 0xa6, 0x54,
-	0x15, 0x82, 0xcd, 0x30, 0xbc, 0xb4, 0xab, 0x59, 0x6e, 0x75, 0x6a, 0xb8, 0x92, 0x5e, 0x10, 0xff,
+	0x26, 0xd8, 0x14, 0xc3, 0x8b, 0x72, 0x39, 0x4d, 0x4b, 0x1d, 0x1b, 0xae, 0xa4, 0x13, 0x84, 0x7f,
-	0xd9, 0x82, 0xf6, 0x5c, 0x08, 0x32, 0x83, 0xad, 0x42, 0xa8, 0x65, 0x2a, 0xa2, 0xd6, 0xa4, 0xf5,
+	0x37, 0xa0, 0x35, 0x13, 0x82, 0x4c, 0x61, 0x23, 0x13, 0x6a, 0x11, 0x8b, 0xa0, 0x31, 0x6e, 0x3c,
-	0x64, 0x70, 0xf4, 0x70, 0x7a, 0xcb, 0x69, 0x7a, 0x82, 0x61, 0x1a, 0x68, 0xe4, 0x0b, 0xe8, 0xae,
+	0xe9, 0x1f, 0xee, 0x4d, 0xee, 0x38, 0x4d, 0x4e, 0x30, 0x4c, 0x3d, 0x8d, 0x7c, 0x03, 0x9d, 0x95,
-	0xb5, 0xba, 0x7a, 0x17, 0xdd, 0x43, 0xfe, 0x07, 0x0d, 0xfe, 0x99, 0x8b, 0x52, 0x4f, 0x22, 0x47,
+	0x56, 0x57, 0xef, 0x83, 0x26, 0xf2, 0x3f, 0xa9, 0xf1, 0xcf, 0x6c, 0x94, 0x3a, 0x12, 0x39, 0x84,
-	0xb0, 0xcd, 0x65, 0x65, 0x52, 0x21, 0xa2, 0x36, 0xf2, 0xa3, 0x06, 0x7f, 0xe1, 0xe3, 0xb4, 0x26,
+	0x4d, 0x2e, 0x0b, 0x13, 0x0b, 0x11, 0xb4, 0x90, 0x1f, 0xd4, 0xf8, 0x73, 0x17, 0xa7, 0x15, 0x31,
-	0xc6, 0x7f, 0xdc, 0x83, 0x2d, 0xbf, 0x28, 0xf9, 0x1c, 0xc6, 0x81, 0x9e, 0xc8, 0xb4, 0x64, 0xd5,
+	0xfc, 0xab, 0x09, 0x1b, 0x6e, 0x51, 0xf2, 0x35, 0x8c, 0x3c, 0x3d, 0x92, 0x71, 0xce, 0x8a, 0x55,
-	0x3a, 0xcd, 0x18, 0x26, 0xda, 0xa7, 0xbb, 0x21, 0xf0, 0x63, 0x8d, 0x93, 0x8f, 0x61, 0x90, 0x49,
+	0x9c, 0x30, 0x4c, 0xb4, 0x47, 0xb7, 0x7d, 0xe0, 0x97, 0x0a, 0x27, 0x9f, 0x43, 0x3f, 0x91, 0x3c,
-	0x9e, 0x30, 0x99, 0x2e, 0x05, 0xcb, 0x31, 0xbf, 0x1e, 0x85, 0x4c, 0xf2, 0x97, 0x1e, 0x21, 0x11,
+	0x62, 0x32, 0x5e, 0x08, 0x96, 0x62, 0x7e, 0x5d, 0x0a, 0x89, 0xe4, 0x2f, 0x1d, 0x42, 0x02, 0xd8,
-	0x6c, 0x5f, 0x30, 0x5d, 0x71, 0x25, 0x31, 0x99, 0x3e, 0xad, 0xa7, 0xe4, 0x35, 0xec, 0xf2, 0x9c,
+	0xbc, 0x60, 0xba, 0xe0, 0x4a, 0x62, 0x32, 0x3d, 0x5a, 0x4d, 0xc9, 0x6b, 0xd8, 0xe6, 0x29, 0x93,
-	0x49, 0xc3, 0xcd, 0xbb, 0x24, 0x53, 0xd2, 0xb0, 0x2b, 0x13, 0x75, 0x30, 0xdf, 0x49, 0x33, 0xdf,
+	0x86, 0x9b, 0xf7, 0x51, 0xa2, 0xa4, 0x61, 0x57, 0x26, 0x68, 0x63, 0xbe, 0xe3, 0x7a, 0xbe, 0x9e,
-	0x40, 0x7c, 0xee, 0x79, 0x74, 0x87, 0xbf, 0x0f, 0x10, 0x0a, 0x7b, 0xa9, 0x35, 0x2a, 0xe1, 0xf2,
+	0xf8, 0xdc, 0xf1, 0xe8, 0x16, 0xbf, 0x0d, 0x90, 0x37, 0xb0, 0x13, 0x97, 0x46, 0x45, 0x5c, 0xfe,
-	0x77, 0x96, 0x99, 0x6b, 0xbf, 0x2d, 0xf4, 0x8b, 0x1b, 0x7e, 0x73, 0x6b, 0xd4, 0x02, 0xa9, 0xb5,
+	0xc9, 0x12, 0x73, 0xed, 0xb7, 0x81, 0x7e, 0x61, 0xcd, 0x6f, 0x56, 0x1a, 0x35, 0x47, 0xaa, 0x37,
-	0xe3, 0x38, 0xbd, 0x0d, 0xc5, 0xff, 0x74, 0xa1, 0x8b, 0x1b, 0x4b, 0xbe, 0x85, 0x01, 0x6e, 0x6d,
+	0x78, 0xd6, 0x0c, 0x1a, 0x74, 0x14, 0xdf, 0x85, 0xc3, 0x0f, 0x1d, 0xe8, 0xe0, 0xe6, 0x92, 0x1f,
-	0xc2, 0xcb, 0xb4, 0x60, 0xe1, 0xd4, 0x9a, 0xa7, 0xb0, 0x70, 0x51, 0x0a, 0x48, 0xc5, 0x31, 0xf9,
+	0xa1, 0x8f, 0xdb, 0x1b, 0xf1, 0x3c, 0xce, 0x98, 0x3f, 0xb9, 0xfa, 0x49, 0xcc, 0x6d, 0x94, 0x02,
-	0x0e, 0x76, 0x83, 0x50, 0x72, 0x13, 0xd4, 0xf7, 0x36, 0xaa, 0xef, 0x7b, 0xb5, 0xe4, 0xc6, 0x3b,
+	0x52, 0x71, 0x4c, 0x7e, 0x82, 0x6d, 0x2f, 0x94, 0xdc, 0x78, 0x75, 0x73, 0xad, 0xfa, 0x81, 0x53,
-	0x3c, 0x85, 0xa1, 0xfb, 0x19, 0xad, 0x44, 0xb2, 0x56, 0xda, 0x84, 0x13, 0x7d, 0xd0, 0xac, 0x00,
+	0x4b, 0x6e, 0x9c, 0xc3, 0x53, 0x18, 0xd8, 0x1f, 0xd2, 0x4a, 0x44, 0x2b, 0xa5, 0x8d, 0x3f, 0xd5,
-	0xa5, 0x0d, 0x1d, 0x04, 0xaa, 0x9b, 0x90, 0x13, 0xd8, 0xe7, 0x85, 0x54, 0x9a, 0x25, 0x5c, 0x2e,
+	0x87, 0xf5, 0x2a, 0x50, 0xda, 0xd0, 0xbe, 0xa7, 0xda, 0x09, 0x39, 0x81, 0x5d, 0x9e, 0x49, 0xa5,
-	0x95, 0x95, 0x39, 0x1a, 0x54, 0x51, 0x67, 0xd2, 0xbe, 0xdb, 0x81, 0x78, 0xc9, 0xc2, 0x2b, 0x1c,
+	0x59, 0xc4, 0xe5, 0x42, 0x95, 0x32, 0x45, 0x83, 0x22, 0x68, 0x8f, 0x5b, 0xf7, 0x3b, 0x10, 0x27,
-	0x54, 0x91, 0x05, 0x3c, 0x08, 0x46, 0xca, 0x9a, 0x9b, 0x4e, 0xdd, 0x4d, 0x4e, 0x7b, 0x5e, 0xf3,
+	0x99, 0x3b, 0x85, 0x85, 0x0a, 0x32, 0x87, 0x87, 0xde, 0x48, 0x95, 0xe6, 0xa6, 0x53, 0x67, 0x9d,
-	0x53, 0x90, 0x78, 0xab, 0xa7, 0x30, 0xbc, 0x99, 0x4c, 0x38, 0x9f, 0xbb, 0xfe, 0x86, 0xff, 0x97,
+	0xd3, 0x8e, 0xd3, 0xfc, 0xea, 0x25, 0xce, 0xea, 0x29, 0x0c, 0x6e, 0x26, 0xe3, 0xcf, 0xe8, 0xbe,
-	0x05, 0xf9, 0x1a, 0x20, 0xcd, 0x4b, 0x2e, 0xbd, 0x6e, 0x7b, 0x93, 0xae, 0x8f, 0x44, 0x54, 0x3d,
+	0xbf, 0xe1, 0xff, 0x67, 0x41, 0xbe, 0x07, 0x88, 0xd3, 0x9c, 0x4b, 0xa7, 0xdb, 0x5c, 0xa7, 0xeb,
-	0x83, 0xd1, 0x7b, 0x39, 0x47, 0xbd, 0x4d, 0xc2, 0xa1, 0xba, 0x91, 0x2c, 0x99, 0x43, 0x4f, 0xb3,
+	0x21, 0x11, 0x55, 0xc7, 0x30, 0xbc, 0x95, 0x73, 0xd0, 0x5d, 0x27, 0x1c, 0xa8, 0x1b, 0xc9, 0x92,
-	0x4a, 0x59, 0x9d, 0xb1, 0xa8, 0x8f, 0xb2, 0xc7, 0x0d, 0x19, 0x0d, 0x04, 0xca, 0xde, 0x5a, 0xae,
+	0x19, 0x74, 0x35, 0x2b, 0x54, 0xa9, 0x13, 0x16, 0xf4, 0x50, 0xf6, 0xb8, 0x26, 0xa3, 0x9e, 0x40,
-	0x59, 0xc9, 0xa4, 0xa9, 0xe8, 0xb5, 0x8c, 0x7c, 0x08, 0x7d, 0x7f, 0xfc, 0x96, 0xe7, 0x11, 0x4c,
+	0xd9, 0xbb, 0x92, 0x6b, 0x96, 0x33, 0x69, 0x0a, 0x7a, 0x2d, 0x23, 0x9f, 0x42, 0xcf, 0x1d, 0x7f,
-	0x5a, 0x4f, 0xda, 0xb4, 0x87, 0xc0, 0x2f, 0x3c, 0x27, 0xdf, 0x40, 0x5f, 0xa8, 0x22, 0x11, 0xec,
+	0xc9, 0xd3, 0x00, 0xc6, 0x8d, 0x27, 0x2d, 0xda, 0x45, 0xe0, 0x77, 0x9e, 0x92, 0x1f, 0xa0, 0x27,
-	0x82, 0x89, 0x68, 0x80, 0x0b, 0x1c, 0x34, 0x16, 0x38, 0x55, 0xc5, 0xa9, 0x23, 0xd0, 0x9e, 0x08,
+	0x54, 0x16, 0x09, 0x76, 0xc1, 0x44, 0xd0, 0xc7, 0x05, 0xf6, 0x6b, 0x0b, 0x9c, 0xaa, 0xec, 0xd4,
-	0x23, 0xf2, 0x0c, 0x0e, 0x72, 0x5e, 0xb9, 0xdb, 0x95, 0xb0, 0x2b, 0xc3, 0xb4, 0x4c, 0x45, 0xb2,
+	0x12, 0x68, 0x57, 0xf8, 0x11, 0x39, 0x86, 0xfd, 0x94, 0x17, 0xf6, 0x86, 0x45, 0xec, 0xca, 0x30,
-	0xd6, 0x6a, 0xc5, 0x05, 0xab, 0xa2, 0x21, 0x5e, 0xc0, 0x87, 0x81, 0xf0, 0x32, 0xc4, 0xcf, 0x42,
+	0x2d, 0x63, 0x11, 0xad, 0xb4, 0x5a, 0x72, 0xc1, 0x8a, 0x60, 0x80, 0x97, 0x70, 0xcf, 0x13, 0x5e,
-	0x98, 0x7c, 0x0a, 0x23, 0x9f, 0x50, 0x7d, 0x27, 0x47, 0x78, 0x27, 0x87, 0x08, 0xfe, 0xea, 0xb1,
+	0xfa, 0xf8, 0x99, 0x0f, 0x93, 0x2f, 0x61, 0xe8, 0x12, 0xaa, 0xee, 0xe5, 0x10, 0xef, 0xe5, 0x00,
-	0xf8, 0x04, 0xba, 0xbe, 0xf6, 0x1e, 0x01, 0x60, 0xc9, 0x62, 0x1f, 0x08, 0x2d, 0xa0, 0x8f, 0x88,
+	0xc1, 0x37, 0x0e, 0x0b, 0x4f, 0xa0, 0xe3, 0x6a, 0xef, 0x11, 0x00, 0x96, 0x2c, 0xf6, 0x02, 0xdf,
-	0x6b, 0x00, 0xee, 0xee, 0xaf, 0xad, 0x70, 0x75, 0x29, 0x78, 0xe6, 0x7b, 0x53, 0x9f, 0x82, 0x83,
+	0x06, 0x7a, 0x88, 0xd8, 0x26, 0x60, 0xef, 0xff, 0xaa, 0x14, 0xb6, 0x2e, 0x05, 0x4f, 0x5c, 0x7f,
-	0xce, 0x10, 0x89, 0x0f, 0xa1, 0x83, 0x3b, 0x49, 0xa0, 0x83, 0x9b, 0xef, 0x1c, 0x46, 0x14, 0xc7,
+	0xea, 0x51, 0xb0, 0xd0, 0x19, 0x22, 0xe1, 0x01, 0xb4, 0x71, 0x27, 0x09, 0xb4, 0x71, 0xf3, 0xad,
-	0xf1, 0x5f, 0x2d, 0xd8, 0xff, 0xbf, 0xdd, 0x73, 0xae, 0x9a, 0xbd, 0xb5, 0xac, 0x32, 0x49, 0xb6,
+	0xc3, 0x90, 0xe2, 0x38, 0xfc, 0xa7, 0x01, 0xbb, 0x1f, 0xdb, 0x3d, 0xeb, 0xaa, 0xd9, 0xbb, 0x92,
-	0xb6, 0x61, 0x55, 0x08, 0xd0, 0xf3, 0xb5, 0x25, 0x8f, 0xe1, 0x7e, 0x4d, 0x28, 0x59, 0xa9, 0x74,
+	0x15, 0x26, 0x4a, 0x56, 0xa5, 0x5f, 0x15, 0x3c, 0xf4, 0x7c, 0x55, 0x92, 0xc7, 0xf0, 0xa0, 0x22,
-	0xbd, 0xf2, 0x28, 0xa0, 0x3f, 0x20, 0xe8, 0xf6, 0x5e, 0xf0, 0x92, 0x7b, 0x17, 0xdf, 0x7a, 0x7a,
+	0xe4, 0x2c, 0x57, 0xba, 0x5a, 0x79, 0xe8, 0xd1, 0x9f, 0x11, 0xb4, 0x7b, 0x2f, 0x78, 0xce, 0x9d,
-	0x08, 0x38, 0x8f, 0x4f, 0x60, 0xe8, 0x83, 0xc1, 0xa1, 0x83, 0xf1, 0x01, 0x62, 0x5e, 0x1f, 0xef,
+	0x8b, 0x6b, 0x3f, 0x5d, 0x04, 0xac, 0xc7, 0x17, 0x30, 0x70, 0x41, 0xef, 0xd0, 0xc6, 0x78, 0x1f,
-	0xc1, 0x78, 0xde, 0x6c, 0x09, 0x2d, 0xd8, 0xb9, 0xd5, 0x8b, 0x9c, 0x97, 0xd1, 0xb6, 0x32, 0x49,
+	0x31, 0xa7, 0x0f, 0xf7, 0x60, 0x54, 0xeb, 0x14, 0xc7, 0xcd, 0xa0, 0x11, 0x7e, 0x68, 0xc0, 0xd6,
-	0xae, 0xca, 0x94, 0xcb, 0x90, 0xf1, 0x00, 0xb1, 0x17, 0x08, 0x91, 0xcf, 0x60, 0xec, 0x29, 0xa9,
+	0x9d, 0x9e, 0x64, 0xfd, 0x8c, 0x2e, 0x0b, 0x13, 0xa5, 0x2a, 0x8f, 0xb9, 0xf4, 0x59, 0xf7, 0x11,
-	0xcc, 0xde, 0x28, 0x5d, 0x25, 0x6b, 0x56, 0x86, 0xac, 0x77, 0x30, 0x30, 0xf7, 0xf8, 0x19, 0x2b,
+	0x7b, 0x81, 0x10, 0xf9, 0x0a, 0x46, 0x8e, 0x12, 0xcb, 0xe4, 0xad, 0xd2, 0x45, 0xb4, 0x62, 0xb9,
-	0xc9, 0x2b, 0x18, 0xf3, 0xaa, 0xb2, 0xa9, 0xcc, 0x58, 0x22, 0xf8, 0x8a, 0x19, 0x5e, 0xb2, 0x70,
+	0xcf, 0x7c, 0x0b, 0x03, 0x33, 0x87, 0x9f, 0xb1, 0x9c, 0xbc, 0x82, 0x11, 0x2f, 0x8a, 0x32, 0x96,
-	0xeb, 0x0f, 0xa6, 0xfe, 0x81, 0x99, 0xd6, 0x0f, 0xcc, 0xf4, 0x45, 0x78, 0x60, 0xe8, 0x6e, 0xad,
+	0x09, 0x8b, 0x04, 0x5f, 0x32, 0xc3, 0x73, 0xe6, 0x6f, 0xfe, 0xfe, 0xc4, 0x3d, 0x34, 0x93, 0xea,
-	0x39, 0x0d, 0x12, 0xf2, 0x1a, 0xf6, 0x33, 0xa1, 0xb2, 0xf3, 0xa4, 0x3a, 0x67, 0x97, 0x49, 0x2a,
+	0xa1, 0x99, 0xbc, 0xf0, 0x0f, 0x0d, 0xdd, 0xae, 0x34, 0xa7, 0x5e, 0x42, 0x5e, 0xc3, 0x6e, 0x22,
-	0x84, 0xba, 0x74, 0xf1, 0xd0, 0x62, 0x37, 0x58, 0x11, 0x94, 0xfd, 0x7c, 0xce, 0x2e, 0xe7, 0xb5,
+	0x54, 0x72, 0x1e, 0x15, 0xe7, 0xec, 0x32, 0x8a, 0x85, 0x50, 0x97, 0x36, 0xee, 0x5b, 0xed, 0x1a,
-	0x28, 0x9e, 0x40, 0xaf, 0xae, 0x44, 0xb2, 0x0f, 0x5d, 0x5f, 0xb3, 0xfe, 0x47, 0xfd, 0x24, 0xfe,
+	0x2b, 0x82, 0xb2, 0xdf, 0xce, 0xd9, 0xe5, 0xac, 0x12, 0x85, 0x63, 0xe8, 0x56, 0xd5, 0x48, 0x76,
-	0xbb, 0x05, 0xdb, 0xe1, 0x55, 0x71, 0xe7, 0x6d, 0x5d, 0xc5, 0x7b, 0x02, 0x8e, 0xf1, 0xa1, 0x10,
+	0xa1, 0xe3, 0xea, 0xd6, 0xfd, 0xa8, 0x9b, 0x84, 0xff, 0x36, 0x60, 0xd3, 0xbf, 0x2e, 0xf6, 0xcc,
-	0xfc, 0xba, 0xee, 0x42, 0xb1, 0x64, 0x82, 0x87, 0xaa, 0x23, 0xc7, 0xd0, 0x5d, 0x89, 0xb4, 0xa8,
+	0x4b, 0x5b, 0xf5, 0x8e, 0x80, 0x63, 0x7c, 0x30, 0x04, 0xbf, 0xae, 0x3d, 0x5f, 0x30, 0x89, 0xe0,
-	0xa2, 0x36, 0x76, 0x95, 0x47, 0x77, 0xbd, 0x59, 0xd3, 0x57, 0x22, 0x2d, 0xa8, 0xe7, 0x1e, 0x7e,
+	0xbe, 0xf2, 0xc8, 0x11, 0x74, 0x96, 0x22, 0xce, 0x8a, 0xa0, 0x85, 0x9d, 0xe5, 0xd1, 0x7d, 0x6f,
-	0x09, 0x1d, 0x37, 0x75, 0x2b, 0xde, 0xa8, 0x51, 0x1c, 0xbb, 0x3c, 0x2f, 0x52, 0x61, 0x59, 0x58,
+	0xd7, 0xe4, 0x95, 0x88, 0x33, 0xea, 0xb8, 0x07, 0xdf, 0x42, 0xdb, 0x4e, 0xed, 0x8a, 0x37, 0xea,
-	0xcb, 0x4f, 0xbe, 0x3f, 0xfe, 0xed, 0xab, 0x82, 0x9b, 0x37, 0x76, 0x39, 0xcd, 0x54, 0x39, 0x0b,
+	0x14, 0xc7, 0x36, 0xcf, 0x8b, 0x58, 0x94, 0xcc, 0xaf, 0xe5, 0x26, 0xcf, 0x8e, 0xfe, 0xf8, 0x2e,
-	0x6b, 0xd4, 0xdf, 0xa3, 0x59, 0x68, 0xa0, 0x82, 0xe9, 0x59, 0xc1, 0x64, 0x78, 0xef, 0x97, 0x5b,
+	0xe3, 0xe6, 0x6d, 0xb9, 0x98, 0x24, 0x2a, 0x9f, 0xfa, 0x35, 0xaa, 0xef, 0xe1, 0xd4, 0x37, 0x51,
-	0xb8, 0x4b, 0xc7, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xa2, 0x59, 0xbd, 0x38, 0x07, 0x08, 0x00,
+	0xc1, 0xf4, 0x34, 0x63, 0xd2, 0xbf, 0xfb, 0x8b, 0x0d, 0xdc, 0xa5, 0xa3, 0xff, 0x02, 0x00, 0x00,
-	0x00,
+	0xff, 0xff, 0xd2, 0x4a, 0xdf, 0x3e, 0x0f, 0x08, 0x00, 0x00,
 }
--- a/proto/config/config.proto
+++ b/proto/config/config.proto
@ -22,9 +22,7 @@ message Global {
  // If present, configures identity.
  IdentityContext identity_context = 4;
-  // If present, indicates that the Mutating Webhook Admission Controller should
+  AutoInjectContext auto_inject_context = 6 [deprecated=true];
  // be configured to automatically inject proxies.
  AutoInjectContext auto_inject_context = 6;
 }
 message Proxy {
@ -63,8 +61,7 @@ message ResourceRequirements {
  string limit_memory = 4;
 }
-// Currently, this is basically a boolean.
+message AutoInjectContext { option deprecated = true; }
 message AutoInjectContext {}
 message IdentityContext {
  string trust_domain = 1;
--- a/test/get/get_test.go
+++ b/test/get/get_test.go
@ -37,6 +37,7 @@ var (
 		"linkerd-grafana":        1,
 		"linkerd-identity":       1,
 		"linkerd-prometheus":     1,
 		"linkerd-proxy-injector": 1,
 		"linkerd-sp-validator":   1,
 		"linkerd-web":            1,
 	}
--- a/test/inject/inject_test.go
+++ b/test/inject/inject_test.go
@ -87,8 +87,6 @@ func TestInjectParams(t *testing.T) {
 	}
 }
 // TestAnnotationPermutations assumes a control-plane installed with
 // `--proxy-auto-inject` was installed via `install_test.go`.
 func TestAnnotationPermutations(t *testing.T) {
 	injectYAML, err := testutil.ReadFile("testdata/inject_test.yaml")
 	if err != nil {
--- a/test/install_test.go
+++ b/test/install_test.go
@ -46,6 +46,7 @@ var (
 		"linkerd-prometheus":     {1, []string{}},
 		"linkerd-sp-validator":   {1, []string{"sp-validator"}},
 		"linkerd-web":            {1, []string{"web"}},
 		"linkerd-proxy-injector": {1, []string{"proxy-injector"}},
 	}
 	// Linkerd commonly logs these errors during testing, remove these once
@ -125,11 +126,6 @@ func TestInstallOrUpgrade(t *testing.T) {
 		cmd = "upgrade"
 	}
 	if TestHelper.AutoInject() {
 		args = append(args, "--proxy-auto-inject")
 		linkerdDeployReplicas["linkerd-proxy-injector"] = deploySpec{1, []string{"proxy-injector"}}
 	}
 	exec := append([]string{cmd}, args...)
 	out, _, err := TestHelper.LinkerdRun(exec...)
 	if err != nil {
@ -268,7 +264,6 @@ func TestInject(t *testing.T) {
 	prefixedNs := TestHelper.GetTestNamespace("smoke-test")
 	if TestHelper.AutoInject() {
 	out, err = testutil.ReadFile("testdata/smoke_test.yaml")
 	if err != nil {
 		t.Fatalf("failed to read smoke test file: %s", err)
@ -277,21 +272,7 @@ func TestInject(t *testing.T) {
 		k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
 	})
 	if err != nil {
-			t.Fatalf("failed to create %s namespace with auto inject enabled: %s", prefixedNs, err)
+		t.Fatalf("failed to create %s namespace: %s", prefixedNs, err)
 		}
 	} else {
 		cmd := []string{"inject", "--manual", "testdata/smoke_test.yaml"}
 		var injectReport string
 		out, injectReport, err = TestHelper.LinkerdRun(cmd...)
 		if err != nil {
 			t.Fatalf("linkerd inject command failed: %s\n%s", err, out)
 		}
 		err = TestHelper.ValidateOutput(injectReport, "inject.report.golden")
 		if err != nil {
 			t.Fatalf("Received unexpected output\n%s", err.Error())
 		}
 	}
 	out, err = TestHelper.KubectlApply(out, prefixedNs)
--- a/test/stat/stat_test.go
+++ b/test/stat/stat_test.go
@ -76,6 +76,7 @@ func TestCliStatForLinkerdNamespace(t *testing.T) {
 				"linkerd-grafana":        "1/1",
 				"linkerd-identity":       "1/1",
 				"linkerd-prometheus":     "1/1",
 				"linkerd-proxy-injector": "1/1",
 				"linkerd-sp-validator":   "1/1",
 				"linkerd-web":            "1/1",
 			},
@ -107,7 +108,7 @@ func TestCliStatForLinkerdNamespace(t *testing.T) {
 		{
 			args: []string{"stat", "ns", TestHelper.GetLinkerdNamespace()},
 			expectedRows: map[string]string{
-				TestHelper.GetLinkerdNamespace(): "6/6",
+				TestHelper.GetLinkerdNamespace(): "7/7",
 			},
 		},
 		{
--- a/test/testdata/inject.report.golden
+++ b/test/testdata/inject.report.golden
@ -1,6 +0,0 @@
 deployment "smoke-test-terminus" injected
 service "smoke-test-terminus-svc" skipped
 deployment "smoke-test-gateway" injected
 service "smoke-test-gateway-svc" skipped
--- a/testutil/test_helper.go
+++ b/testutil/test_helper.go
@ -20,7 +20,6 @@ type TestHelper struct {
 	linkerd            string
 	version            string
 	namespace          string
 	autoInject         bool
 	upgradeFromVersion string
 	httpClient         http.Client
 	KubernetesHelper
@ -37,7 +36,6 @@ func NewTestHelper() *TestHelper {
 	k8sContext := flag.String("k8s-context", "", "kubernetes context associated with the test cluster")
 	linkerd := flag.String("linkerd", "", "path to the linkerd binary to test")
 	namespace := flag.String("linkerd-namespace", "l5d-integration", "the namespace where linkerd is installed")
 	autoInject := flag.Bool("proxy-auto-inject", false, "enable proxy sidecar auto-injection in tests")
 	upgradeFromVersion := flag.String("upgrade-from-version", "", "when specified, the upgrade test uses it as the base version of the upgrade")
 	runTests := flag.Bool("integration-tests", false, "must be provided to run the integration tests")
 	verbose := flag.Bool("verbose", false, "turn on debug logging")
@ -69,7 +67,6 @@ func NewTestHelper() *TestHelper {
 	testHelper := &TestHelper{
 		linkerd:            *linkerd,
 		namespace:          *namespace,
 		autoInject:         *autoInject,
 		upgradeFromVersion: *upgradeFromVersion,
 	}
@ -111,12 +108,6 @@ func (h *TestHelper) GetTestNamespace(testName string) string {
 	return h.namespace + "-" + testName
 }
 // AutoInject returns whether or not Proxy Auto Inject is enabled for the given
 // test.
 func (h *TestHelper) AutoInject() bool {
 	return h.autoInject
 }
 // UpgradeFromVersion returns the base version of the upgrade test.
 func (h *TestHelper) UpgradeFromVersion() string {
 	return h.upgradeFromVersion