### Namespace ###
kind: Namespace
apiVersion: v1
metadata:
  name: other
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-other-cni
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  hostNetwork: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - hostPath
  - secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-cni
  namespace: other
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-cni
  namespace: other
rules:
- apiGroups: ['extensions', 'policy']
  resources: ['podsecuritypolicies']
  resourceNames:
  - linkerd-other-cni
  verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-cni
  namespace: other
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-cni
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: other
---
# Include a clusterrole for the linkerd CNI DaemonSet,
# and bind it to the linkerd-cni serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: linkerd-cni
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "namespaces"]
  verbs: ["list", "get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: linkerd-cni
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-cni
subjects:
- kind: ServiceAccount
  name: linkerd-cni
  namespace: other
---
# This ConfigMap is used to configure a self-hosted linkerd CNI installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-cni-config
  namespace: other
data:
  incoming_proxy_port: "5143"
  outgoing_proxy_port: "5140"
  proxy_uid: "12102"
  inbound_ports_to_ignore: "5190,5191"
  outbound_ports_to_ignore: ""
  simulate: "false"
  log_level: "debug"
  dest_cni_net_dir: "/etc/kubernetes/cni/net.d"
  dest_cni_bin_dir: "/etc/kubernetes/cni/net.d"
  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "__LOG_LEVEL__",
      "policy": {
          "type": "k8s",
          "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
          "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
          "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": __INCOMING_PROXY_PORT__,
        "outgoing-proxy-port": __OUTGOING_PROXY_PORT__,
        "proxy-uid": __PROXY_UID__,
        "ports-to-redirect": [__PORTS_TO_REDIRECT__],
        "inbound-ports-to-ignore": [__INBOUND_PORTS_TO_IGNORE__],
        "outbound-ports-to-ignore": [__OUTBOUND_PORTS_TO_IGNORE__],
        "simulate": __SIMULATE__
      }
    }
---
# This manifest installs the linkerd CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: linkerd-cni
  namespace: other
  labels:
    k8s-app: linkerd-cni
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: linkerd-cni
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      hostNetwork: true
      serviceAccountName: linkerd-cni
      containers:
      # This container installs the linkerd CNI binaries
      # and CNI network config file on each node. The install
      # script copies the files into place and then sleeps so
      # that Kubernetes doesn't keep trying to restart it.
      - name: install-cni
        image: my-docker-registry.io/awesome/cni-plugin-test-image:awesome-linkerd-version.1
        env:
        - name: DEST_CNI_NET_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_net_dir
        - name: DEST_CNI_BIN_DIR
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: dest_cni_bin_dir
        # The CNI network config to install on each node.
        - name: CNI_NETWORK_CONFIG
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: cni_network_config
        - name: INCOMING_PROXY_PORT
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: incoming_proxy_port
        - name: OUTGOING_PROXY_PORT
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: outgoing_proxy_port
        - name: PROXY_UID
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: proxy_uid
        - name: INBOUND_PORTS_TO_IGNORE
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: inbound_ports_to_ignore
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: linkerd-cni-config
              key: log_level
        - name: SLEEP
          value: "true"
        lifecycle:
          preStop:
            exec:
              command: ["kill","-15","1"]
        volumeMounts:
        - mountPath: /host/etc/kubernetes/cni/net.d
          name: cni-net-dir
      volumes:
      # Used to install CNI.
      - name: cni-net-dir
        hostPath:
          path: /etc/kubernetes/cni/net.d
---