linkerd2/chart/templates/proxy_injector.yaml


{{with .Values -}}
{{if .ProxyAutoInjectEnabled -}}
---
###
### Proxy Injector
###
---
# Identity for the proxy-injector controller. The Deployment in this file
# selects it via serviceAccountName, and the ClusterRoleBinding in this file
# names it as its subject, so its token carries the cluster-wide permissions
# granted there.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-proxy-injector
  namespace: {{.Namespace}}
---
# Cluster-scoped permissions for the proxy-injector. Every rule applies in all
# namespaces because this is a ClusterRole bound with a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-{{.Namespace}}-proxy-injector
rules:
# Most sensitive grant in this role: the holder can create and delete
# MutatingWebhookConfiguration objects, and a mutating webhook can rewrite
# matching objects at admission time. Treat the ServiceAccount token and the
# injector pod as high-value assets and audit writes to this resource.
# RBAC cannot scope "create" with resourceNames.
# NOTE(review): "get"/"delete" could be narrowed with resourceNames if the
# controller always uses one fixed configuration name - confirm.
- apiGroups:
  - "admissionregistration.k8s.io"
  resources:
  - "mutatingwebhookconfigurations"
  verbs:
  - "create"
  - "get"
  - "delete"
# Read-only access to namespaces (core API group).
- apiGroups:
  - ""
  resources:
  - "namespaces"
  verbs:
  - "list"
  - "get"
  - "watch"
# List-only access to pods (core API group).
- apiGroups:
  - ""
  resources:
  - "pods"
  verbs:
  - "list"
# Read-only access to ReplicaSets.
- apiGroups:
  - "apps"
  resources:
  - "replicasets"
  verbs:
  - "list"
  - "get"
  - "watch"
---
# Grants the ClusterRole of the same name to the proxy-injector ServiceAccount.
# The subject is pinned to one ServiceAccount in one namespace; no users or
# groups are bound.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-{{.Namespace}}-proxy-injector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-{{.Namespace}}-proxy-injector
subjects:
# ServiceAccount subjects live in the core API group, hence the empty apiGroup.
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: {{.Namespace}}
  apiGroup: ""
---
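# Runs the proxy-injector controller under the linkerd-proxy-injector
# ServiceAccount, which carries the cluster-wide RBAC grants defined in this
# file (including create/delete on mutatingwebhookconfigurations).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: {{.Namespace}}
  labels:
    {{.ControllerComponentLabel}}: proxy-injector
  annotations:
    {{.CreatedByAnnotation}}: {{.CliVersion}}
spec:
  # NOTE(review): a single replica means the webhook is unavailable while this
  # pod restarts. What happens to pod admission in that window depends on the
  # webhook's failurePolicy, which is not set in this file - confirm.
  replicas: 1
  selector:
    matchLabels:
      {{.ControllerComponentLabel}}: proxy-injector
  template:
    metadata:
      labels:
        {{.ControllerComponentLabel}}: proxy-injector
      annotations:
        {{.CreatedByAnnotation}}: {{.CliVersion}}
    spec:
      serviceAccountName: linkerd-proxy-injector
      containers:
      - name: proxy-injector
        image: {{.ControllerImage}}
        imagePullPolicy: {{.ImagePullPolicy}}
        args:
        - "proxy-injector"
        - "-controller-namespace={{.Namespace}}"
        - "-log-level={{.ControllerLogLevel}}"
        ports:
        # Target of the linkerd-proxy-injector Service (443 -> this named port).
        - name: proxy-injector
          containerPort: 8443
        volumeMounts:
        - name: config
          mountPath: /var/run/linkerd/config
        # Both probes use port 9995, separate from the 8443 serving port.
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        readinessProbe:
          httpGet:
            path: /ready
            port: 9995
          failureThreshold: 7
        # NOTE(review): the "resources" partial is defined outside this file;
        # its output must line up with the container keys at this
        # indentation - confirm against the partial.
        {{ with .ProxyInjectorResources -}}
        {{- template "resources" . }}
        {{ end -}}
        securityContext:
          runAsUser: {{.ControllerUID}}
          # Block setuid/file-capability escalation inside the container; the
          # process already runs as a fixed UID and serves on ports above 1024.
          allowPrivilegeEscalation: false
          # NOTE(review): runAsNonRoot, readOnlyRootFilesystem and dropping all
          # capabilities look applicable too, but depend on the configured UID
          # and on whether the binary writes to its filesystem - confirm.
      volumes:
      - name: config
        configMap:
          name: linkerd-config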
---
# In-cluster (ClusterIP) endpoint for the proxy-injector: port 443 forwards to
# the container port named "proxy-injector" (8443 in the Deployment).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: {{.Namespace}}
  labels:
    {{.ControllerComponentLabel}}: proxy-injector
  annotations:
    {{.CreatedByAnnotation}}: {{.CliVersion}}
spec:
  type: ClusterIP
  # Backends are chosen by this single label only, so any pod in the namespace
  # carrying it receives webhook traffic; limit who may create or relabel pods
  # in this namespace.
  selector:
    {{.ControllerComponentLabel}}: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
---
{{end -}}
{{end -}}