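---
###
### Tap RBAC
###
# ClusterRole bound to the linkerd-tap ServiceAccount (see the
# ClusterRoleBinding below). Cluster-wide and read-only: every rule grants
# only list/get/watch, no create/update/delete verbs.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{.Values.namespace}}-tap
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
rules:
# Core API group: pods, services, replicationcontrollers, namespaces, nodes.
- apiGroups: [""]
  resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
  verbs: ["list", "get", "watch"]
# Workload controllers. "extensions" is kept alongside "apps" for older
# API servers that still serve these kinds there.
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]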
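---
# Role that authorizes a principal to open tap streams through the aggregated
# tap.linkerd.io API (registered by the APIService at the end of this file).
# It is a wildcard over every resource in that group and is not scoped to a
# namespace, so bindings to it should be granted deliberately. No binding to
# this role appears in this template; it is left for the operator.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{.Values.namespace}}-tap-admin
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
rules:
- apiGroups: ["tap.linkerd.io"]
  resources: ["*"]
  # watch only: tap is a streaming read API, nothing is mutated through it.
  verbs: ["watch"]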
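---
# Grants the read-only ClusterRole above to the tap ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{.Values.namespace}}-tap
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-{{.Values.namespace}}-tap
subjects:
- kind: ServiceAccount
  name: linkerd-tap
  namespace: {{.Values.namespace}}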
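---
# system:auth-delegator is the built-in ClusterRole that lets an aggregated
# API server delegate authentication and authorization of incoming requests
# to the kube-apiserver (TokenReview / SubjectAccessReview). The tap server
# needs it to decide whether a caller may watch a given tap target; without
# it, requests proxied to tap could not be checked against cluster RBAC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-{{.Values.namespace}}-tap-auth-delegator
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: linkerd-tap
  namespace: {{.Values.namespace}}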
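---
# Identity the tap pods run as; every binding in this file targets it.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-tap
  namespace: {{.Values.namespace}}
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
    namespace: {{.Values.namespace}}
# Shared partial; presumably emits an imagePullSecrets list when
# .Values.imagePullSecrets is set and nothing otherwise -- confirm against
# the partial's definition.
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}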
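---
# Lives in kube-system, not in the viz namespace: it binds the built-in
# extension-apiserver-authentication-reader Role, which grants read access to
# the extension-apiserver-authentication ConfigMap. That ConfigMap carries the
# client-CA / request-header CA material an aggregated API server needs to
# verify that a request really was proxied by the kube-apiserver. Scope is a
# single ConfigMap in one namespace; it grants nothing else in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-{{.Values.namespace}}-tap-auth-reader
  namespace: kube-system
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
    namespace: {{.Values.namespace}}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: linkerd-tap
  namespace: {{.Values.namespace}}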
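---
# Serving certificate for the tap API server. $host is the in-cluster DNS
# name the kube-apiserver uses to reach the tap Service, so it is both the
# CN and the only SAN. $ca is also consumed by the APIService caBundle at the
# end of this file, which is why it is computed outside the `if` below.
# NOTE(review): genSelfSignedCert is expected to mint a fresh key pair on
# every render, so each `helm upgrade` rotates the cert and the private key
# is stored in the rendered manifest / release history -- confirm this is
# acceptable, or supply tap.crtPEM/tap.keyPEM (or tap.externalSecret) instead.
{{- $host := printf "linkerd-tap.%s.svc" .Values.namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.tap.externalSecret) }}
{{- /* crtPEM and keyPEM are selected independently below; a cert with a
       non-matching key would only fail at TLS handshake time, so reject the
       mixed case at render time like the caBundle check on the APIService. */}}
{{- if ne (empty .Values.tap.crtPEM) (empty .Values.tap.keyPEM) }}
{{- fail "tap.crtPEM and tap.keyPEM must be provided together" }}
{{- end }}
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-tap-k8s-tls
  namespace: {{ .Values.namespace }}
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
    namespace: {{.Values.namespace}}
  annotations:
    {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
type: kubernetes.io/tls
data:
  # Operator-supplied PEM wins; the generated self-signed pair is only the
  # fallback when tap.crtPEM / tap.keyPEM are empty. Generated validity is
  # 365 days and nothing in this file renews it.
  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tap.crtPEM)) (empty .Values.tap.crtPEM) }}
  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.tap.keyPEM)) (empty .Values.tap.keyPEM) }}
---
{{- end }}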
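# Registers tap.linkerd.io/v1alpha1 with the kube-apiserver aggregation layer
# and points it at the linkerd-tap Service. insecureSkipTLSVerify is
# deliberately not set: the kube-apiserver verifies the tap server's serving
# certificate against caBundle, so caBundle must be the issuer (or the cert
# itself, when self-signed) of whatever ends up in tls.crt above.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.tap.linkerd.io
  labels:
    {{.Values.extensionAnnotation}}: linkerd-viz
    component: tap
spec:
  group: tap.linkerd.io
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 100
  service:
    name: linkerd-tap
    namespace: {{.Values.namespace}}
  {{- if and (.Values.tap.externalSecret) (empty .Values.tap.caBundle) }}
  {{- fail "If tap.externalSecret is true then you need to provide tap.caBundle" }}
  {{- end }}
  {{- /* With crtPEM supplied but caBundle empty, the fallback below would
         publish the render-time self-signed $ca.Cert, which did not sign the
         operator's cert, and the kube-apiserver would reject every request
         to tap. Fail early instead of rendering a broken registration. */}}
  {{- if and (not (empty .Values.tap.crtPEM)) (empty .Values.tap.caBundle) }}
  {{- fail "If tap.crtPEM is provided then you also need to provide tap.caBundle" }}
  {{- end }}
  # $ca is the self-signed pair generated earlier in this file; it is the
  # trust anchor only when the generated cert is also what tls.crt holds.
  caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tap.caBundle)) (empty .Values.tap.caBundle) }}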