linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linkerd2/viz/charts/linkerd-viz/templates/tap-injector-rbac.yaml

88 lines
2.7 KiB
YAML
Raw Blame History

---
###
### Tap Injector RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-tap-injector
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-tap-injector
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
subjects:
- kind: ServiceAccount
name: tap-injector
namespace: {{.Values.namespace}}
roleRef:
kind: ClusterRole
name: linkerd-tap-injector
apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: tap-injector
namespace: {{.Values.namespace}}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---
{{- $host := printf "tap-injector.%s.svc" .Values.namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.tapInjector.externalSecret) }}
kind: Secret
apiVersion: v1
metadata:
name: tap-injector-k8s-tls
namespace: {{ .Values.namespace }}
annotations:
{{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
type: kubernetes.io/tls
data:
tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tapInjector.crtPEM)) (empty .Values.tapInjector.crtPEM) }}
tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.tapInjector.keyPEM)) (empty .Values.tapInjector.keyPEM) }}
---
{{- end }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: linkerd-tap-injector-webhook-config
labels:
{{.Values.extensionAnnotation}}: linkerd-viz
webhooks:
- name: tap-injector.linkerd.io
{{- if .Values.tapInjector.namespaceSelector }}
namespaceSelector:
{{ toYaml .Values.tapInjector.namespaceSelector | trim | indent 4 -}}
{{- end }}
{{- if .Values.tapInjector.objectSelector }}
objectSelector:
{{ toYaml .Values.tapInjector.objectSelector | trim | indent 4 -}}
{{- end }}
clientConfig:
service:
name: tap-injector
namespace: {{ .Values.namespace }}
path: "/"
{{- if and (.Values.tapInjector.externalSecret) (empty .Values.tapInjector.caBundle) }}
{{- fail "If tapInjector.externalSecret is true then you need to provide tapInjector.caBundle" }}
{{- end }}
caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tapInjector.caBundle)) (empty .Values.tapInjector.caBundle) }}
failurePolicy: {{.Values.tapInjector.failurePolicy}}
admissionReviewVersions: ["v1", "v1beta1"]
reinvocationPolicy: IfNeeded
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
sideEffects: None
Reference in New Issue View Git Blame Copy Permalink