{{with .Values -}} --- ### ### Service Profile Validator RBAC ### --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-{{.Namespace}}-sp-validator labels: {{.ControllerComponentLabel}}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} rules: - apiGroups: [""] resources: ["pods"] verbs: ["list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-{{.Namespace}}-sp-validator labels: {{.ControllerComponentLabel}}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} subjects: - kind: ServiceAccount name: linkerd-sp-validator namespace: {{.Namespace}} apiGroup: "" roleRef: kind: ClusterRole name: linkerd-{{.Namespace}}-sp-validator apiGroup: rbac.authorization.k8s.io --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-sp-validator namespace: {{.Namespace}} labels: {{.ControllerComponentLabel}}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} --- kind: Secret apiVersion: v1 metadata: name: linkerd-sp-validator-tls namespace: {{ .Namespace }} labels: {{.ControllerComponentLabel}}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} annotations: {{ .CreatedByAnnotation }}: {{ .CliVersion }} type: Opaque data: crt.pem: {{ b64enc .ProfileValidator.CrtPEM }} key.pem: {{ b64enc .ProfileValidator.KeyPEM }} --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: linkerd-sp-validator-webhook-config labels: {{ .ControllerComponentLabel }}: sp-validator {{.ControllerNamespaceLabel}}: {{.Namespace}} webhooks: - name: linkerd-sp-validator.linkerd.io clientConfig: service: name: linkerd-sp-validator namespace: {{ .Namespace }} path: "/" caBundle: {{ b64enc .ProfileValidator.CrtPEM }} failurePolicy: {{ .WebhookFailurePolicy }} rules: - operations: [ "CREATE" , "UPDATE" ] apiGroups: ["linkerd.io"] apiVersions: ["v1alpha1", "v1alpha2"] resources: ["serviceprofiles"] {{- if not .OmitWebhookSideEffects }} sideEffects: None {{- end }} {{end -}}