mirror of https://github.com/linkerd/linkerd2.git
444 lines
12 KiB
Plaintext
444 lines
12 KiB
Plaintext
kind: Namespace
|
|
apiVersion: v1
|
|
metadata:
|
|
name: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
pod-security.kubernetes.io/enforce: privileged
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
labels:
|
|
app.kubernetes.io/name: gateway
|
|
app.kubernetes.io/part-of: Linkerd
|
|
app.kubernetes.io/version: linkerdVersionValue
|
|
component: gateway
|
|
app: linkerd-gateway
|
|
linkerd.io/extension: multicluster
|
|
name: linkerd-gateway
|
|
namespace: linkerd-multicluster
|
|
spec:
|
|
replicas: 3
|
|
selector:
|
|
matchLabels:
|
|
app: linkerd-gateway
|
|
strategy:
|
|
rollingUpdate:
|
|
maxUnavailable: 1
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
linkerd.io/inject: enabled
|
|
config.linkerd.io/proxy-require-identity-inbound-ports: "4143"
|
|
config.linkerd.io/enable-gateway: "true"
|
|
config.linkerd.io/default-inbound-policy: all-authenticated
|
|
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
|
|
labels:
|
|
app: linkerd-gateway
|
|
spec:
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values:
|
|
- linkerd-gateway
|
|
topologyKey: failure-domain.beta.kubernetes.io/zone
|
|
weight: 100
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values:
|
|
- linkerd-gateway
|
|
topologyKey: kubernetes.io/hostname
|
|
containers:
|
|
- name: pause
|
|
image: gcr.io/google_containers/pause:3.2
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
runAsNonRoot: true
|
|
runAsUser: 2103
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
serviceAccountName: linkerd-gateway
|
|
---
|
|
kind: PodDisruptionBudget
|
|
apiVersion: policy/v1
|
|
metadata:
|
|
name: linkerd-gateway
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
app: linkerd-gateway
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
maxUnavailable: 1
|
|
selector:
|
|
matchLabels:
|
|
app: linkerd-gateway
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: linkerd-gateway
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
annotations:
|
|
mirror.linkerd.io/gateway-identity: linkerd-gateway.linkerd-multicluster.serviceaccount.identity.linkerd.cluster.local
|
|
mirror.linkerd.io/probe-period: "3"
|
|
mirror.linkerd.io/probe-path: /ready
|
|
mirror.linkerd.io/multicluster-gateway: "true"
|
|
component: gateway
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
ports:
|
|
- name: mc-gateway
|
|
port: 4143
|
|
protocol: TCP
|
|
- name: mc-probe
|
|
port: 4191
|
|
protocol: TCP
|
|
selector:
|
|
app: linkerd-gateway
|
|
type: LoadBalancer
|
|
---
|
|
kind: ServiceAccount
|
|
apiVersion: v1
|
|
metadata:
|
|
name: linkerd-gateway
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
---
|
|
apiVersion: policy.linkerd.io/v1beta1
|
|
kind: Server
|
|
metadata:
|
|
namespace: linkerd-multicluster
|
|
name: linkerd-gateway
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
app: linkerd-gateway
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app: linkerd-gateway
|
|
port: linkerd-proxy
|
|
---
|
|
apiVersion: policy.linkerd.io/v1alpha1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
namespace: linkerd-multicluster
|
|
name: linkerd-gateway
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
app: linkerd-gateway
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
targetRef:
|
|
group: policy.linkerd.io
|
|
kind: Server
|
|
name: linkerd-gateway
|
|
requiredAuthenticationRefs:
|
|
- group: policy.linkerd.io
|
|
kind: MeshTLSAuthentication
|
|
name: any-meshed
|
|
namespace: linkerd-multicluster
|
|
- group: policy.linkerd.io
|
|
kind: NetworkAuthentication
|
|
name: source-cluster
|
|
namespace: linkerd-multicluster
|
|
---
|
|
apiVersion: policy.linkerd.io/v1alpha1
|
|
kind: MeshTLSAuthentication
|
|
metadata:
|
|
namespace: linkerd-multicluster
|
|
name: any-meshed
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
app: linkerd-gateway
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
identities:
|
|
- '*'
|
|
---
|
|
apiVersion: policy.linkerd.io/v1alpha1
|
|
kind: NetworkAuthentication
|
|
metadata:
|
|
namespace: linkerd-multicluster
|
|
name: source-cluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
app: linkerd-gateway
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
networks:
|
|
# Change this to the source cluster cidrs pointing to this gateway.
|
|
# Note that the source IP in some providers (e.g. GKE) will be the local
|
|
# node's IP and not the source cluster's
|
|
- cidr: "0.0.0.0/0"
|
|
- cidr: "::/0"
|
|
---
|
|
apiVersion: policy.linkerd.io/v1alpha1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
namespace: linkerd-multicluster
|
|
name: linkerd-gateway-probe
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
app: linkerd-gateway
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
targetRef:
|
|
group: policy.linkerd.io
|
|
kind: Server
|
|
name: linkerd-gateway
|
|
requiredAuthenticationRefs:
|
|
# allows probes from outside the cluster, as long as they have an identity
|
|
- group: policy.linkerd.io
|
|
kind: MeshTLSAuthentication
|
|
name: any-meshed
|
|
namespace: linkerd-multicluster
|
|
- group: policy.linkerd.io
|
|
kind: NetworkAuthentication
|
|
name: source-cluster
|
|
namespace: linkerd-multicluster
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: psp
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
rules:
|
|
- apiGroups: ['policy', 'extensions']
|
|
resources: ['podsecuritypolicies']
|
|
verbs: ['use']
|
|
resourceNames:
|
|
- linkerd-linkerd-control-plane
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: linkerd-multicluster-psp
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
namespace: linkerd-multicluster
|
|
roleRef:
|
|
kind: Role
|
|
name: psp
|
|
apiGroup: rbac.authorization.k8s.io
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: linkerd-gateway
|
|
namespace: linkerd-multicluster
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: linkerd-service-mirror-remote-access-default
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["services", "endpoints"]
|
|
verbs: ["list", "get", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["configmaps"]
|
|
verbs: ["get"]
|
|
resourceNames: ["linkerd-config"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["create", "patch"]
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: linkerd-service-mirror-remote-access-default
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: linkerd-service-mirror-remote-access-default-token
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
annotations:
|
|
kubernetes.io/service-account.name: linkerd-service-mirror-remote-access-default
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
type: kubernetes.io/service-account-token
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: linkerd-service-mirror-remote-access-default
|
|
namespace: linkerd-multicluster
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: linkerd-service-mirror-remote-access-default
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: linkerd-service-mirror-remote-access-default
|
|
namespace: linkerd-multicluster
|
|
---
|
|
###
|
|
### Link CRD
|
|
###
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: links.multicluster.linkerd.io
|
|
labels:
|
|
linkerd.io/extension: multicluster
|
|
annotations:
|
|
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
|
spec:
|
|
group: multicluster.linkerd.io
|
|
versions:
|
|
- name: v1alpha1
|
|
served: true
|
|
storage: true
|
|
schema:
|
|
openAPIV3Schema:
|
|
type: object
|
|
properties:
|
|
spec:
|
|
type: object
|
|
properties:
|
|
clusterCredentialsSecret:
|
|
description: Kubernetes secret of target cluster
|
|
type: string
|
|
gatewayAddress:
|
|
description: Gateway address of target cluster
|
|
type: string
|
|
gatewayIdentity:
|
|
description: Gateway Identity FQDN
|
|
type: string
|
|
gatewayPort:
|
|
description: Gateway Port
|
|
type: string
|
|
probeSpec:
|
|
description: Spec for gateway health probe
|
|
type: object
|
|
properties:
|
|
path:
|
|
description: Path of remote gateway health endpoint
|
|
type: string
|
|
period:
|
|
description: Interval in between probe requests
|
|
type: string
|
|
port:
|
|
description: Port of remote gateway health endpoint
|
|
type: string
|
|
selector:
|
|
description: Kubernetes Label Selector
|
|
type: object
|
|
properties:
|
|
matchLabels:
|
|
type: object
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
matchExpressions:
|
|
description: List of selector requirements
|
|
type: array
|
|
items:
|
|
description: A selector item requires a key and an operator
|
|
type: object
|
|
required:
|
|
- key
|
|
- operator
|
|
properties:
|
|
key:
|
|
description: Label key that selector should apply to
|
|
type: string
|
|
operator:
|
|
description: Evaluation of a label in relation to set
|
|
type: string
|
|
enum: [In, NotIn, Exists, DoesNotExist]
|
|
values:
|
|
type: array
|
|
items:
|
|
type: string
|
|
targetClusterName:
|
|
description: Name of target cluster to link to
|
|
type: string
|
|
targetClusterDomain:
|
|
description: Domain name of target cluster to link to
|
|
type: string
|
|
targetClusterLinkerdNamespace:
|
|
description: Name of namespace Linkerd control plane is installed in on target cluster
|
|
type: string
|
|
scope: Namespaced
|
|
names:
|
|
plural: links
|
|
singular: link
|
|
kind: Link
|
|
---
|
|
apiVersion: policy.linkerd.io/v1beta1
|
|
kind: Server
|
|
metadata:
|
|
namespace: linkerd-multicluster
|
|
name: service-mirror
|
|
labels:
|
|
component: linkerd-service-mirror
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
component: linkerd-service-mirror
|
|
port: admin-http
|
|
proxyProtocol: HTTP/1
|
|
---
|
|
apiVersion: policy.linkerd.io/v1alpha1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
namespace: linkerd-multicluster
|
|
name: service-mirror
|
|
labels:
|
|
component: linkerd-service-mirror
|
|
spec:
|
|
targetRef:
|
|
group: policy.linkerd.io
|
|
kind: Server
|
|
name: service-mirror
|
|
requiredAuthenticationRefs:
|
|
# In order to use `linkerd mc gateways` you need viz' Prometheus instance
|
|
# to be able to reach the service-mirror. In order to also have a separate
|
|
# Prometheus scrape the service-mirror an additional AuthorizationPolicy
|
|
# resource should be created.
|
|
- kind: ServiceAccount
|
|
name: prometheus
|
|
namespace: linkerd-viz
|
|
---
|