mirror of https://github.com/linkerd/linkerd2.git
				
				
				
			
		
			
				
	
	
		
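---
# Source: linkerd2/templates/namespace.yaml
---
###
### Linkerd Namespace
###
---
# Namespace that holds the control plane resources rendered in this file.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
  annotations:
    # Presumably opts this namespace out of sidecar injection; the value is
    # interpreted by the proxy injector, not by Kubernetes -- confirm.
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    # Both webhook configurations in this file select namespaces where this
    # key is `NotIn [disabled]`, so this label keeps the control plane
    # namespace out of their scope. Any principal allowed to label a
    # namespace can opt it out the same way; audit namespace label changes.
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd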
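---
# Source: linkerd2/templates/identity-rbac.yaml
---
###
### Identity Controller Service RBAC
###
---
# Cluster-wide permissions for the identity service account.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
# TokenReview asks the API server to validate a bearer token. Presumably used
# to check the service account token a proxy presents before a certificate
# is issued -- confirm against the identity service.
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
# Read of a single named Deployment at a time (`get` only, no list/watch),
# but in any namespace because this is a ClusterRole.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
---
# Grants the ClusterRole above to exactly one subject: the identity
# ServiceAccount in the linkerd namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd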
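---
# Source: linkerd2/templates/controller-rbac.yaml
---
###
### Controller RBAC
###
---
# Read-only (list/get/watch) cluster-wide view of workloads, core objects
# and the two mesh CRDs. No rule here covers Secrets and no rule carries a
# write verb.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-controller
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list" , "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
  resources: ["trafficsplits"]
  verbs: ["list", "get", "watch"]
---
# Binds the ClusterRole above to the controller ServiceAccount only.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-controller
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-controller
subjects:
- kind: ServiceAccount
  name: linkerd-controller
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-controller
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd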
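---
# Source: linkerd2/templates/destination-rbac.yaml
---
###
### Destination Controller Service
###
---
# Read-only (list/get/watch) cluster-wide access for the destination
# service. Narrower than the controller ClusterRole in this file: only
# replicasets, jobs, pods, endpoints, services and the two mesh CRDs.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
  resources: ["trafficsplits"]
  verbs: ["list", "get", "watch"]
---
# Binds the ClusterRole above to the destination ServiceAccount only.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd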
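---
# Source: linkerd2/templates/heartbeat-rbac.yaml
---
###
### Heartbeat RBAC
###
---
# Namespaced Role (not a ClusterRole): the heartbeat account can only `get`
# the single ConfigMap named linkerd-config in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  # resourceNames pins the grant to one object; without it the rule would
  # cover every ConfigMap in the namespace.
  resourceNames: ["linkerd-config"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd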
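---
# Source: linkerd2/templates/web-rbac.yaml
---
###
### Web RBAC
###
---
# Namespaced permissions for the web (dashboard) service account inside the
# linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-web
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd
rules:
# NOTE(review): this rule is scoped to the linkerd-config ConfigMap, but the
# next rule grants `get` on configmaps with no resourceNames. RBAC rules are
# additive, so the effective grant is `get` on every ConfigMap in this
# namespace and the resourceNames restriction here has no limiting effect.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]
- apiGroups: [""]
  resources: ["namespaces", "configmaps"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["serviceaccounts", "pods"]
  verbs: ["list"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-web
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-web
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-web
  namespace: linkerd
---
# Cluster-wide, list-only access to RBAC objects, CRDs, admission webhook
# configurations, PodSecurityPolicies and ServiceProfiles. The name suggests
# it backs health checks run from the dashboard -- confirm. `list` returns
# full objects, so this exposes the cluster's RBAC and admission layout to
# whoever holds the web service account token.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-web-check
  labels:
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["list"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["list"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  verbs: ["list"]
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["list"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-web-check
  labels:
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-web-check
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-web
  namespace: linkerd
---
# Binds the web service account to ClusterRole linkerd-linkerd-tap-admin,
# which this file defines as `watch` on every resource in tap.linkerd.io.
# The dashboard's identity therefore holds cluster-wide tap access.
# NOTE(review): who can reach the dashboard then decides who can tap
# traffic -- confirm how the dashboard is exposed and authenticated.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-web-admin
  labels:
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-tap-admin
subjects:
- kind: ServiceAccount
  name: linkerd-web
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-web
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd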
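---
# Source: linkerd2/templates/serviceprofile-crd.yaml
---
###
### Service Profile CRD
###
---
# apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22; this manifest
# only applies to older clusters.
# No validation schema is declared here, so the API server itself does not
# check ServiceProfile fields. The sp-validator webhook in this file covers
# CREATE/UPDATE but is registered with failurePolicy: Ignore, so validation
# is best-effort.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: serviceprofiles.linkerd.io
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-ns: linkerd
spec:
  group: linkerd.io
  versions:
  # Both versions are served; objects are persisted as v1alpha2.
  - name: v1alpha1
    served: true
    storage: false
  - name: v1alpha2
    served: true
    storage: true
  scope: Namespaced
  names:
    plural: serviceprofiles
    singular: serviceprofile
    kind: ServiceProfile
    shortNames:
    - sp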
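---
# Source: linkerd2/templates/trafficsplit-crd.yaml
---
###
### TrafficSplit CRD
### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml
###
---
# Vendored from the upstream URL above, which is pinned to a commit hash
# rather than a branch, so the provenance of this definition is fixed.
# apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22. As with the
# ServiceProfile CRD, no validation schema is declared.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: trafficsplits.split.smi-spec.io
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-ns: linkerd
spec:
  group: split.smi-spec.io
  version: v1alpha1
  scope: Namespaced
  names:
    kind: TrafficSplit
    shortNames:
      - ts
    plural: trafficsplits
    singular: trafficsplit
  additionalPrinterColumns:
  - name: Service
    type: string
    description: The apex service of this split.
    JSONPath: .spec.service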
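---
# Source: linkerd2/templates/prometheus-rbac.yaml
---
###
### Prometheus RBAC
###
---
# Cluster-wide read access for the bundled Prometheus.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-prometheus
  labels:
    linkerd.io/control-plane-component: prometheus
    linkerd.io/control-plane-ns: linkerd
rules:
# NOTE(review): `nodes/proxy` is the API server's proxy to each kubelet, so
# `get` on it reaches more than node metrics. Treat the Prometheus service
# account token as sensitive, and check whether a narrower subresource would
# satisfy the scrape configuration.
- apiGroups: [""]
  resources: ["nodes", "nodes/proxy", "pods"]
  verbs: ["get", "list", "watch"]
---
# Binds the ClusterRole above to the Prometheus ServiceAccount only.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-prometheus
  labels:
    linkerd.io/control-plane-component: prometheus
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-prometheus
subjects:
- kind: ServiceAccount
  name: linkerd-prometheus
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-prometheus
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: prometheus
    linkerd.io/control-plane-ns: linkerd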
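---
# Source: linkerd2/templates/grafana-rbac.yaml
---
###
### Grafana RBAC
###
---
# Identity only: this template defines no Role or ClusterRole for Grafana.
# The one binding in this file that names this account is the linkerd-psp
# RoleBinding (permission to use the control plane PodSecurityPolicy).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-grafana
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: grafana
    linkerd.io/control-plane-ns: linkerd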
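---
# Source: linkerd2/templates/proxy-injector-rbac.yaml
---
###
### Proxy Injector RBAC
###
---
# Cluster-wide permissions for the proxy injector: read access to workloads
# and namespaces, plus create/patch on events. Pods are list/watch only.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
---
# TLS material for the webhook server. `data` values are base64, which is an
# encoding and not encryption. The two values below decode to the
# placeholder strings "test-proxy-injector-crt-pem" and
# "test-proxy-injector-key-pem", i.e. fixture data. In a real render key.pem
# is a private key embedded in the manifest, so rendered output should be
# kept out of version control, CI logs and shared artifacts.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-proxy-injector-tls
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
type: Opaque
data:
  crt.pem: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt
  key.pem: dGVzdC1wcm94eS1pbmplY3Rvci1rZXktcGVt
---
# admissionregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  # Opt-out selector: every namespace is in scope unless it carries
  # config.linkerd.io/admission-webhooks=disabled (the linkerd namespace in
  # this file does).
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: linkerd
      path: "/"
    # Same value as crt.pem in the linkerd-proxy-injector-tls Secret above:
    # the API server trusts exactly the certificate the webhook serves.
    caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt
  # Fail-open: if the webhook is unreachable or returns an error, the API
  # server admits the pod unmodified. NOTE(review): a pod created during an
  # injector outage would presumably start without a proxy; alert on webhook
  # failures and on unmeshed pods in namespaces expected to be meshed.
  failurePolicy: Ignore
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  sideEffects: None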
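---
# Source: linkerd2/templates/sp-validator-rbac.yaml
---
###
### Service Profile Validator RBAC
###
---
# Single cluster-wide permission: list pods.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-sp-validator
  labels:
    linkerd.io/control-plane-component: sp-validator
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-sp-validator
  labels:
    linkerd.io/control-plane-component: sp-validator
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-sp-validator
  namespace: linkerd
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-sp-validator
  apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: sp-validator
    linkerd.io/control-plane-ns: linkerd
---
# TLS material for the validator webhook. Base64 is an encoding, not
# encryption. The values below decode to the placeholder strings
# "test-profile-validator-crt-pem" and "test-profile-validator-key-pem"
# (fixture data). A real render embeds a private key in key.pem, so rendered
# manifests need the same handling as any other secret.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-sp-validator-tls
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: sp-validator
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
type: Opaque
data:
  crt.pem: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt
  key.pem: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1rZXktcGVt
---
# admissionregistration.k8s.io/v1beta1 was removed in Kubernetes 1.22.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: sp-validator
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
  # Opt-out selector: namespaces labelled
  # config.linkerd.io/admission-webhooks=disabled are skipped.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: linkerd
      path: "/"
    # Same value as crt.pem in the linkerd-sp-validator-tls Secret above.
    caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt
  # Fail-open: when the validator is unavailable, ServiceProfile writes are
  # accepted without validation. The ServiceProfile CRD in this file declares
  # no schema, so nothing else checks those objects in that window.
  failurePolicy: Ignore
  rules:
  - operations: [ "CREATE" , "UPDATE" ]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None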
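---
# Source: linkerd2/templates/tap-rbac.yaml
---
###
### Tap RBAC
###
---
# Read-only (list/get/watch) cluster-wide access used by the tap service
# itself.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-tap
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list" , "get", "watch"]
---
# Authorization to *use* tap: `watch` on every resource in the
# tap.linkerd.io API group, cluster-wide. Tap presumably exposes live request
# metadata for the watched workloads, so bindings to this role decide who
# can observe traffic. In this file it is bound to the linkerd-web service
# account (ClusterRoleBinding linkerd-linkerd-web-admin). Review any further
# bindings and prefer namespaced RoleBindings for human users.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-tap-admin
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["tap.linkerd.io"]
  resources: ["*"]
  verbs: ["watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-tap
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-tap
subjects:
- kind: ServiceAccount
  name: linkerd-tap
  namespace: linkerd
---
# system:auth-delegator is a built-in ClusterRole that lets an extension API
# server delegate authentication and authorization decisions back to the
# main API server (TokenReview / SubjectAccessReview).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-tap-auth-delegator
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: linkerd-tap
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-tap
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
---
# The only object in this file created outside the linkerd namespace: a
# RoleBinding in kube-system to the built-in
# extension-apiserver-authentication-reader Role, which extension API
# servers use to read the API server's client-authentication configuration.
# Installing it requires write access to RBAC in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-linkerd-tap-auth-reader
  namespace: kube-system
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: linkerd-tap
  namespace: linkerd
---
# Serving certificate and key for the tap API server. Base64 is an encoding,
# not encryption. The values below decode to the placeholder strings
# "test-tap-crt-pem" and "test-tap-key-pem" (fixture data); a real render
# embeds a private key here.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-tap-tls
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
type: Opaque
data:
  crt.pem: dGVzdC10YXAtY3J0LXBlbQ==
  key.pem: dGVzdC10YXAta2V5LXBlbQ==
---
# Registers tap.linkerd.io/v1alpha1 with the API aggregation layer: requests
# for that group are proxied by the API server to the linkerd-tap Service.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.tap.linkerd.io
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
spec:
  group: tap.linkerd.io
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 100
  service:
    name: linkerd-tap
    namespace: linkerd
  # Same value as crt.pem in the linkerd-tap-tls Secret above; the API server
  # uses it to verify the tap server's certificate. TLS verification is not
  # disabled here (no insecureSkipTLSVerify key is set).
  caBundle: dGVzdC10YXAtY3J0LXBlbQ==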
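---
# Source: linkerd2/templates/psp.yaml
---
###
### Control Plane PSP
###
---
# PodSecurityPolicy (policy/v1beta1) was deprecated in Kubernetes 1.21 and
# removed in 1.25. On newer clusters this object cannot be created and the
# constraints below need an equivalent (Pod Security Admission or a policy
# engine).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-linkerd-control-plane
  labels:
    linkerd.io/control-plane-ns: linkerd
spec:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  # Containers must drop ALL capabilities (requiredDropCapabilities below)
  # and may add back only these two. NOTE(review): NET_ADMIN/NET_RAW are
  # presumably needed by the proxy-init container for iptables setup, since
  # linkerd-config in this file has cniEnabled=false -- confirm. Because the
  # policy is shared by every control plane service account, any of their
  # pods may request them.
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  requiredDropCapabilities:
  - ALL
  hostNetwork: false
  hostIPC: false
  hostPID: false
  seLinux:
    rule: RunAsAny
  # RunAsAny does not prevent a container from running as UID 0.
  # NOTE(review): MustRunAsNonRoot would be tighter if no control plane
  # container needs root -- verify against the deployments.
  runAsUser:
    rule: RunAsAny
  # Ranges start at 1, so GID 0 is excluded for supplemental groups and
  # fsGroup.
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  # Allow-list of volume types; hostPath is not in it.
  volumes:
  - configMap
  - emptyDir
  - secret
  - projected
  - downwardAPI
  - persistentVolumeClaim
---
# Grants `use` on exactly one PodSecurityPolicy (resourceNames below), in
# the linkerd namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-psp
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ['policy', 'extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - linkerd-linkerd-control-plane
---
# Binds the Role above to the ten control plane service accounts defined in
# this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-psp
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-controller
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-grafana
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-prometheus
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-sp-validator
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-tap
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-web
  namespace: linkerd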
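---
# Source: linkerd2/templates/smi-metrics-rbac.yaml

---
# Source: linkerd2/templates/config.yaml
---
# Control plane configuration, stored as three JSON documents inside YAML
# literal block scalars. Comments cannot be placed inside those blocks (they
# would become part of the value), so the notes sit above each key.
# A ConfigMap is not confidential storage. Nothing below is secret: the
# trust anchor is a public certificate, and here it is the placeholder
# "test-trust-anchor".
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  # identityContext: trustDomain and trustAnchorsPem are test placeholders.
  # issuanceLifetime is 86400s (24 hours) and clockSkewAllowance is 20s.
  # Write access to this ConfigMap would allow replacing the trust anchors,
  # so restrict update/patch on it as tightly as on the identity secrets.
  global: |
    {
      "linkerdNamespace": "linkerd",
      "cniEnabled": false,
      "version": "linkerd-version",
      "identityContext":{
        "trustDomain": "test.trust.domain",
        "trustAnchorsPem": "test-trust-anchor",
        "issuanceLifetime": "86400s",
        "clockSkewAllowance": "20s",
        "scheme": "linkerd.io/tls"
      },
      "autoInjectContext": null,
      "omitWebhookSideEffects": false,
      "clusterDomain": "cluster.local"
    }
  # Images are referenced by name plus a separate version string (placeholders
  # here), not by digest, with pullPolicy IfNotPresent.
  # NOTE(review): ignoreInboundPorts / ignoreOutboundPorts (222 and 111 here)
  # presumably make traffic on those ports bypass the proxy, and therefore
  # mesh mTLS and metrics -- confirm, and keep these lists minimal.
  proxy: |
    {
      "proxyImage":{
        "imageName":"gcr.io/linkerd-io/proxy",
        "pullPolicy":"IfNotPresent"
      },
      "proxyInitImage":{
        "imageName":"gcr.io/linkerd-io/proxy-init",
        "pullPolicy":"IfNotPresent"
      },
      "controlPort":{
        "port": 4190
      },
      "ignoreInboundPorts":[{"port":222}],
      "ignoreOutboundPorts":[{"port":111}],
      "inboundPort":{
        "port": 4143
      },
      "adminPort":{
        "port": 4191
      },
      "outboundPort":{
        "port": 4140
      },
      "resource":{
        "requestCpu": "",
        "limitCpu": "",
        "requestMemory": "",
        "limitMemory": ""
      },
      "proxyUid": 2102,
      "logLevel":{
        "level": "warn,linkerd=info"
      },
      "disableExternalProfiles": true,
      "proxyVersion": "test-proxy-version",
      "proxyInitImageVersion": "test-proxy-init-version",
      "debugImage":{
        "imageName":"gcr.io/linkerd-io/debug",
        "pullPolicy":"IfNotPresent"
      },
      "debugImageVersion": "test-debug-version"
    }
  # Records the installer version and the flags used; both are empty or
  # placeholder values in this render.
  install: |
    {
      "cliVersion":"linkerd-version",
      "flags":[]
    }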
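---
# Source: linkerd2/templates/identity.yaml
---
###
### Identity Controller Service
###
---
# Issuer certificate and private key for the identity controller. The
# linkerd-identity Deployment mounts this Secret at
# /var/run/linkerd/identity/issuer.
#
# The two values below decode to the literal strings "test-crt-pem" and
# "test-key-pem": this is fixture data, not real key material.
#
# Secret `data` is base64-encoded, not encrypted. Anyone who can read
# secrets in this namespace (or the etcd backing store) can recover key.pem.
# In a real install:
#   - keep the rendered manifest out of version control,
#   - limit get/list/watch on secrets in this namespace to the identity
#     service account and the operators who rotate the issuer,
#   - enable encryption at rest for Secrets.
# No `type` is set, so the API server stores this as an Opaque secret.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
    # Expiry of the issuer certificate as recorded at render time. Nothing in
    # this manifest enforces it; monitor it and rotate the issuer before the
    # date passes.
    linkerd.io/identity-issuer-expiry: Jul 30 17:21:14 2020
data:
  crt.pem: dGVzdC1jcnQtcGVt
  key.pem: dGVzdC1rZXktcGVt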
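---
# In-cluster endpoint of the identity controller's gRPC API.
# ClusterIP keeps it off node ports and external load balancers. Only the
# grpc port (8080) is published; the container's admin-http port (9990) is
# not exposed through this Service.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  # Selects on the component label alone. Any pod in this namespace carrying
  # this label becomes a backend, so who may create pods in the linkerd
  # namespace matters.
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080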
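---
# Identity controller Deployment: the `identity` container plus a
# linkerd-proxy sidecar, with a linkerd-init initContainer that runs first.
# This is the only workload in this section that mounts the
# linkerd-identity-issuer Secret (the issuer certificate and private key).
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  # Single replica: while this pod is down nothing answers on the identity
  # Service.
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        # NOTE(review): beta.kubernetes.io/os is the deprecated form of the
        # kubernetes.io/os node label; confirm the target clusters still set
        # it.
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - identity
        - -log-level=info
        # Tag-only image reference with IfNotPresent: a node that already
        # holds an image under this tag does not pull again.
        # NOTE(review): consider pinning by digest in real deployments.
        image: gcr.io/linkerd-io/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        # Only the UID is set here. The linkerd-proxy container below also
        # sets allowPrivilegeEscalation: false and readOnlyRootFilesystem:
        # true.
        # NOTE(review): this container reads the issuer private key; consider
        # giving it the same two settings once it is confirmed not to write
        # to its root filesystem.
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        # Issuer certificate and private key from the
        # linkerd-identity-issuer Secret.
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # The control, admin and inbound listeners bind every interface; only
        # the outbound listener is loopback-only. The admin port (4191) backs
        # the /live and /ready probes below, so it has to be reachable on the
        # pod IP.
        # NOTE(review): confirm what else the admin endpoint serves, and limit
        # who can reach 4190/4191 with a NetworkPolicy if needed.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        # Order matters from here on: Kubernetes expands $(VAR) only for
        # variables defined earlier in this list, so the _pod_ns, _pod_sa,
        # _l5d_ns and _l5d_trustdomain helpers must precede their users.
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Fixture placeholder; a real install carries the PEM trust anchor
        # certificate(s) here.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The pod's service-account token. Presumably the proxy presents it
        # to the identity service, which checks it through the TokenReview
        # API (the identity ClusterRole in this file grants create on
        # tokenreviews).
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        # The identity controller runs in this same pod, so its proxy reaches
        # it over localhost instead of the Service address.
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # Identity names have the form
        # <serviceaccount>.<namespace>.serviceaccount.identity.<control-plane
        # ns>.<trust domain>.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Explicit empty mapping (the rendered output had a bare key, i.e.
        # null): the proxy gets no CPU/memory requests or limits.
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init runs as root (runAsUser 0, runAsNonRoot false) with
      # NET_ADMIN and NET_RAW added, but not privileged and with a read-only
      # root filesystem. It presumably needs those capabilities to install the
      # traffic-redirect rules for the proxy ports passed below.
      # Admission policies that forbid root or added capabilities will reject
      # this pod.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # Ports listed in the two ignore arguments are not redirected to the
        # proxy, so traffic on them gets none of the mesh's mTLS. 222 and 111
        # come from the ignore lists in linkerd-config.
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-identity
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      # Memory-backed emptyDir for the proxy's own identity material
      # (LINKERD2_PROXY_IDENTITY_DIR). It is not written to node disk and is
      # discarded with the pod.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity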
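---
# Source: linkerd2/templates/controller.yaml
---
###
### Controller
###
---
# In-cluster endpoint of the controller's public API (HTTP on 8085).
# ClusterIP keeps it off node ports and external load balancers. The
# container's admin-http port (9995) is not published through this Service.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-controller-api
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  # Selects on the component label alone. Any pod in this namespace carrying
  # this label becomes a backend.
  selector:
    linkerd.io/control-plane-component: controller
  ports:
  - name: http
    port: 8085
    targetPort: 8085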
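---
# Controller Deployment: the `public-api` container plus a linkerd-proxy
# sidecar, with a linkerd-init initContainer that runs first.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-controller
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: controller
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-controller
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: controller
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-controller
    spec:
      nodeSelector:
        # NOTE(review): beta.kubernetes.io/os is the deprecated form of the
        # kubernetes.io/os node label; confirm the target clusters still set
        # it.
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - public-api
        # The Prometheus URL uses plain http://. Any transport protection on
        # this hop has to come from the linkerd-proxy sidecar in this pod,
        # not from the application.
        - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090
        - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086
        - -controller-namespace=linkerd
        - -log-level=info
        # Tag-only image reference with IfNotPresent: a node that already
        # holds an image under this tag does not pull again.
        # NOTE(review): consider pinning by digest in real deployments.
        image: gcr.io/linkerd-io/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: public-api
        ports:
        - containerPort: 8085
          name: http
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        # Only the UID is set here. The linkerd-proxy container below also
        # sets allowPrivilegeEscalation: false and readOnlyRootFilesystem:
        # true.
        # NOTE(review): consider the same two settings for this container
        # once it is confirmed not to write to its root filesystem.
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # The control, admin and inbound listeners bind every interface; only
        # the outbound listener is loopback-only. The admin port (4191) backs
        # the /live and /ready probes below, so it has to be reachable on the
        # pod IP.
        # NOTE(review): confirm what else the admin endpoint serves, and limit
        # who can reach 4190/4191 with a NetworkPolicy if needed.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        # Order matters from here on: Kubernetes expands $(VAR) only for
        # variables defined earlier in this list, so the _pod_ns, _pod_sa,
        # _l5d_ns and _l5d_trustdomain helpers must precede their users.
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Fixture placeholder; a real install carries the PEM trust anchor
        # certificate(s) here.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The pod's service-account token. Presumably the proxy presents it
        # to the identity service when it requests its certificate.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # Identity names have the form
        # <serviceaccount>.<namespace>.serviceaccount.identity.<control-plane
        # ns>.<trust domain>.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Explicit empty mapping (the rendered output had a bare key, i.e.
        # null): the proxy gets no CPU/memory requests or limits.
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init runs as root (runAsUser 0, runAsNonRoot false) with
      # NET_ADMIN and NET_RAW added, but not privileged and with a read-only
      # root filesystem. It presumably needs those capabilities to install the
      # traffic-redirect rules for the proxy ports passed below.
      # Admission policies that forbid root or added capabilities will reject
      # this pod.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # Ports listed in the two ignore arguments are not redirected to the
        # proxy, so traffic on them gets none of the mesh's mTLS. 222 and 111
        # come from the ignore lists in linkerd-config.
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-controller
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      # Memory-backed emptyDir for the proxy's own identity material
      # (LINKERD2_PROXY_IDENTITY_DIR). It is not written to node disk and is
      # discarded with the pod.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity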
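---
# Source: linkerd2/templates/destination.yaml
---
###
### Destination Controller Service
###
---
# In-cluster endpoint of the destination controller's gRPC API (8086).
# The proxies in this file reach it through
# LINKERD2_PROXY_DESTINATION_SVC_ADDR.
# ClusterIP keeps it off node ports and external load balancers. The
# container's admin-http port (9996) is not published through this Service.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  # Selects on the component label alone. Any pod in this namespace carrying
  # this label becomes a backend.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086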
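---
# Destination controller Deployment: the `destination` container plus a
# linkerd-proxy sidecar, with a linkerd-init initContainer that runs first.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-destination
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        # NOTE(review): beta.kubernetes.io/os is the deprecated form of the
        # kubernetes.io/os node label; confirm the target clusters still set
        # it.
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - destination
        # ":8086" has no host part, so the gRPC server is not restricted to
        # loopback.
        - -addr=:8086
        - -controller-namespace=linkerd
        - -enable-h2-upgrade=true
        - -log-level=info
        # Tag-only image reference with IfNotPresent: a node that already
        # holds an image under this tag does not pull again.
        # NOTE(review): consider pinning by digest in real deployments.
        image: gcr.io/linkerd-io/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        # Only the UID is set here. The linkerd-proxy container below also
        # sets allowPrivilegeEscalation: false and readOnlyRootFilesystem:
        # true.
        # NOTE(review): consider the same two settings for this container
        # once it is confirmed not to write to its root filesystem.
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        # The destination controller runs in this same pod, so its proxy
        # reaches it over localhost instead of the Service address.
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: localhost.:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # The control, admin and inbound listeners bind every interface; only
        # the outbound listener is loopback-only. The admin port (4191) backs
        # the /live and /ready probes below, so it has to be reachable on the
        # pod IP.
        # NOTE(review): confirm what else the admin endpoint serves, and limit
        # who can reach 4190/4191 with a NetworkPolicy if needed.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        # Order matters from here on: Kubernetes expands $(VAR) only for
        # variables defined earlier in this list, so the _pod_ns, _pod_sa,
        # _l5d_ns and _l5d_trustdomain helpers must precede their users.
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Fixture placeholder; a real install carries the PEM trust anchor
        # certificate(s) here.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The pod's service-account token. Presumably the proxy presents it
        # to the identity service when it requests its certificate.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # Identity names have the form
        # <serviceaccount>.<namespace>.serviceaccount.identity.<control-plane
        # ns>.<trust domain>.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Explicit empty mapping (the rendered output had a bare key, i.e.
        # null): the proxy gets no CPU/memory requests or limits.
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init runs as root (runAsUser 0, runAsNonRoot false) with
      # NET_ADMIN and NET_RAW added, but not privileged and with a read-only
      # root filesystem. It presumably needs those capabilities to install the
      # traffic-redirect rules for the proxy ports passed below.
      # Admission policies that forbid root or added capabilities will reject
      # this pod.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # Ports listed in the two ignore arguments are not redirected to the
        # proxy, so traffic on them gets none of the mesh's mTLS. 222 and 111
        # come from the ignore lists in linkerd-config.
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-destination
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      # Memory-backed emptyDir for the proxy's own identity material
      # (LINKERD2_PROXY_IDENTITY_DIR). It is not written to node disk and is
      # discarded with the pod.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity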
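---
# Source: linkerd2/templates/heartbeat.yaml
---
###
### Heartbeat
###
---
# Daily CronJob that runs the controller image's `heartbeat` command under
# the linkerd-heartbeat service account.
# NOTE(review): batch/v1beta1 is the beta CronJob API. Newer Kubernetes
# releases serve CronJob from batch/v1 and no longer serve the beta version;
# confirm against the target cluster versions.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  # Once a day at 00:00.
  schedule: "0 0 * * *"
  # Successful Jobs are not retained, so their pods and logs are not kept for
  # later inspection.
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
          annotations:
            linkerd.io/created-by: linkerd/helm linkerd-version
        spec:
          nodeSelector:
            # NOTE(review): beta.kubernetes.io/os is the deprecated form of
            # the kubernetes.io/os node label.
            beta.kubernetes.io/os: linux
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          containers:
          # This pod template lists only the heartbeat container. Unlike the
          # Deployments in this file, it has no linkerd-proxy sidecar and no
          # linkerd-init, so the plain http:// Prometheus URL below is sent
          # as written.
          - name: heartbeat
            # Tag-only image reference with IfNotPresent: a node that already
            # holds an image under this tag does not pull again.
            image: gcr.io/linkerd-io/controller:linkerd-version
            imagePullPolicy: IfNotPresent
            args:
            - "heartbeat"
            - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090"
            - "-controller-namespace=linkerd"
            - "-log-level=info"
            # Only the UID is set.
            # NOTE(review): consider allowPrivilegeEscalation: false and
            # readOnlyRootFilesystem: true once the job is confirmed not to
            # write to its root filesystem.
            securityContext:
              runAsUser: 2103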
---
# Source: linkerd2/templates/web.yaml
---
###
### Web
###
---
# ClusterIP Service in front of the dashboard pods. It publishes both the
# dashboard port (8084) and the admin port (9994) to the rest of the cluster.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-web
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd
spec:
  # The selector uses a single label, so any pod in this namespace carrying
  # linkerd.io/control-plane-component=web becomes a backend.
  selector:
    linkerd.io/control-plane-component: web
  type: ClusterIP
  ports:
  - name: http
    targetPort: 8084
    port: 8084
  - name: admin-http
    targetPort: 9994
    port: 9994
---
# Dashboard Deployment: the "web" container, the linkerd-proxy sidecar and the
# linkerd-init init container. The "linkerd-version", "test-proxy-version",
# "test-trust-anchor" and "test.trust.domain" values look like fixture
# placeholders rather than deployable settings - confirm before reuse.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: web
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: web
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-web
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: web
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-web
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: web
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-web
    spec:
      nodeSelector:
        # The beta.kubernetes.io/os label is deprecated in favour of
        # kubernetes.io/os.
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085
        - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000
        - -controller-namespace=linkerd
        - -log-level=info
        # Host allow-list regex: localhost, 127.0.0.1, [::1] and the two
        # in-cluster service names, each with an optional port.
        # NOTE(review): presumably requests with any other Host header are
        # refused (a DNS-rebinding guard) - confirm in the web server. Keep the
        # ^...$ anchors and escaped dots when adding an ingress hostname.
        - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$
        image: gcr.io/linkerd-io/web:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9994
          initialDelaySeconds: 10
        name: web
        ports:
        - containerPort: 8084
          name: http
        - containerPort: 9994
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9994
        # NOTE(review): only the UID is set here; the sidecar below also sets
        # allowPrivilegeEscalation: false and readOnlyRootFilesystem: true.
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
      # linkerd-proxy sidecar. Kubernetes expands $(VAR) only from variables
      # defined earlier in this list, so the order of the _pod_* and _l5d_*
      # helper entries relative to the names built from them matters.
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Only the outbound listener is bound to loopback; control (4190),
        # admin (4191) and inbound (4143) listen on all pod interfaces.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        # Identity settings: the directory is the in-memory volume mounted
        # below; the token file is the pod's service-account token.
        # NOTE(review): presumably the token is what the proxy presents to the
        # identity service to obtain its certificate - confirm.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # Names of the form <sa>.<ns>.serviceaccount.identity.<l5d-ns>.<trust-domain>,
        # assembled from the helper variables above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Bare key: parses as null, so no requests or limits are set for the
        # sidecar in this rendering.
        resources:
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init is passed the proxy's inbound/outbound ports and UID.
      # NOTE(review): presumably it programs the pod's traffic redirection,
      # which is why it runs as root with NET_ADMIN and NET_RAW - confirm.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # NOTE(review): presumably traffic on the ignored ports bypasses the
        # proxy and so gets no mesh mTLS; 222 and 111 look like fixture values.
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # The only root container in the pod: UID 0 with two added
        # capabilities, but not privileged, no privilege escalation and a
        # read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-web
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      # medium: Memory makes this a tmpfs volume, so whatever the proxy writes
      # under LINKERD2_PROXY_IDENTITY_DIR is not stored on the node's disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
# Source: linkerd2/templates/prometheus.yaml
---
###
### Prometheus
###
---
# ConfigMap holding prometheus.yml. Everything under "prometheus.yml: |-" is a
# single string, including its "#" lines, so review notes are kept up here.
#
# NOTE(review): the kubernetes-nodes-cadvisor job sets
# insecure_skip_verify: true, so the server certificate is not verified even
# though ca_file is configured, and the pod's service-account bearer token is
# sent on that connection (target kubernetes.default.svc:443, path
# /api/v1/nodes/<node>/proxy/metrics/cadvisor). Prefer
# insecure_skip_verify: false unless the certificate cannot validate against
# ca.crt. Presumably the job also needs access to the nodes proxy subresource -
# verify how broadly that RBAC grant is scoped.
#
# Scope of discovery: the grafana and linkerd-controller jobs are limited to
# the linkerd namespace; linkerd-service-mirror and linkerd-proxy declare no
# namespaces filter and rely on the keep rules to select pods.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-prometheus-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: prometheus
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  prometheus.yml: |-
    global:
      scrape_interval: 10s
      scrape_timeout: 10s
      evaluation_interval: 10s

    rule_files:
    - /etc/prometheus/*_rules.yml

    scrape_configs:
    - job_name: 'prometheus'
      static_configs:
      - targets: ['localhost:9090']

    - job_name: 'grafana'
      kubernetes_sd_configs:
      - role: pod
        namespaces:
          names: ['linkerd']
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_container_name
        action: keep
        regex: ^grafana$

    #  Required for: https://grafana.com/grafana/dashboards/315
    - job_name: 'kubernetes-nodes-cadvisor'
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        insecure_skip_verify: true
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
      metric_relabel_configs:
      - source_labels: [__name__]
        regex: '(container|machine)_(cpu|memory|network|fs)_(.+)'
        action: keep
      - source_labels: [__name__]
        regex: 'container_memory_failures_total' # unneeded large metric
        action: drop

    - job_name: 'linkerd-controller'
      kubernetes_sd_configs:
      - role: pod
        namespaces:
          names: ['linkerd']
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_label_linkerd_io_control_plane_component
        - __meta_kubernetes_pod_container_port_name
        action: keep
        regex: (.*);admin-http$
      - source_labels: [__meta_kubernetes_pod_container_name]
        action: replace
        target_label: component

    - job_name: 'linkerd-service-mirror'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_label_linkerd_io_control_plane_component
        - __meta_kubernetes_pod_container_port_name
        action: keep
        regex: linkerd-service-mirror;admin-http$
      - source_labels: [__meta_kubernetes_pod_container_name]
        action: replace
        target_label: component

    - job_name: 'linkerd-proxy'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_container_name
        - __meta_kubernetes_pod_container_port_name
        - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns
        action: keep
        regex: ^linkerd-proxy;linkerd-admin;linkerd$
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: pod
      # special case k8s' "job" label, to not interfere with prometheus' "job"
      # label
      # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo =>
      # k8s_job=foo
      - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job]
        action: replace
        target_label: k8s_job
      # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job
      - action: labeldrop
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job
      # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo =>
      # deployment=foo
      - action: labelmap
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
      # drop all labels that we just made copies of in the previous labelmap
      - action: labeldrop
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
      # __meta_kubernetes_pod_label_linkerd_io_foo=bar =>
      # foo=bar
      - action: labelmap
        regex: __meta_kubernetes_pod_label_linkerd_io_(.+)
      # Copy all pod labels to tmp labels
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
        replacement: __tmp_pod_label_$1
      # Take `linkerd_io_` prefixed labels and copy them without the prefix
      - action: labelmap
        regex: __tmp_pod_label_linkerd_io_(.+)
        replacement:  __tmp_pod_label_$1
      # Drop the `linkerd_io_` originals
      - action: labeldrop
        regex: __tmp_pod_label_linkerd_io_(.+)
      # Copy tmp labels into real labels
      - action: labelmap
        regex: __tmp_pod_label_(.+)
---
# ClusterIP Service for Prometheus. Port 9090 is the only published port and
# is named admin-http.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-prometheus
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: prometheus
    linkerd.io/control-plane-ns: linkerd
spec:
  # Single-label selector: any pod in this namespace labelled
  # linkerd.io/control-plane-component=prometheus becomes a backend.
  selector:
    linkerd.io/control-plane-component: prometheus
  type: ClusterIP
  ports:
  - name: admin-http
    targetPort: 9090
    port: 9090
---
# Prometheus Deployment: the prometheus container, the linkerd-proxy sidecar
# and the linkerd-init init container. The "linkerd-version",
# "test-proxy-version", "test-trust-anchor" and "test.trust.domain" values look
# like fixture placeholders rather than deployable settings - confirm before
# reuse.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: prometheus
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-prometheus
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: prometheus
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-prometheus
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: prometheus
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-prometheus
    spec:
      nodeSelector:
        # The beta.kubernetes.io/os label is deprecated in favour of
        # kubernetes.io/os.
        beta.kubernetes.io/os: linux
      containers:
      # TSDB lives in /data (an emptyDir, see volumes) with a 6h retention, so
      # metrics do not survive the pod.
      - args:
        - --storage.tsdb.path=/data
        - --storage.tsdb.retention.time=6h
        - --config.file=/etc/prometheus/prometheus.yml
        - --log.level=info
        # Referenced by mutable tag, not by digest; IfNotPresent means a node
        # keeps using whatever it already cached under this tag.
        image: prom/prometheus:v2.15.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /-/healthy
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
        name: prometheus
        ports:
        - containerPort: 9090
          name: admin-http
        readinessProbe:
          httpGet:
            path: /-/ready
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
        # NOTE(review): only the UID is set here; the sidecar below also sets
        # allowPrivilegeEscalation: false and readOnlyRootFilesystem: true.
        securityContext:
          runAsUser: 65534
        volumeMounts:
        - mountPath: /data
          name: data
        # The scrape configuration is mounted read-only.
        - mountPath: /etc/prometheus
          name: prometheus-config
          readOnly: true
      # linkerd-proxy sidecar. Kubernetes expands $(VAR) only from variables
      # defined earlier in this list, so the order of the _pod_* and _l5d_*
      # helper entries relative to the names built from them matters.
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Only the outbound listener is bound to loopback; control (4190),
        # admin (4191) and inbound (4143) listen on all pod interfaces.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        # Not set on the web pod's sidecar in this file.
        # NOTE(review): presumably raised because Prometheus dials many scrape
        # targets - confirm.
        - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY
          value: "10000"
        # Identity settings: the directory is the in-memory volume mounted
        # below; the token file is the pod's service-account token.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # Names of the form <sa>.<ns>.serviceaccount.identity.<l5d-ns>.<trust-domain>,
        # assembled from the helper variables above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Bare key: parses as null, so no requests or limits are set for the
        # sidecar in this rendering.
        resources:
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init is passed the proxy's inbound/outbound ports and UID.
      # NOTE(review): presumably it programs the pod's traffic redirection,
      # which is why it runs as root with NET_ADMIN and NET_RAW - confirm.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # NOTE(review): presumably traffic on the ignored ports bypasses the
        # proxy and so gets no mesh mTLS; 222 and 111 look like fixture values.
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # The only root container in the pod: UID 0 with two added
        # capabilities, but not privileged, no privilege escalation and a
        # read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-prometheus
      volumes:
      - emptyDir: {}
        name: data
      - configMap:
          name: linkerd-prometheus-config
        name: prometheus-config
      # medium: Memory makes this a tmpfs volume, so whatever the proxy writes
      # under LINKERD2_PROXY_IDENTITY_DIR is not stored on the node's disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
# Source: linkerd2/templates/grafana.yaml
---
###
### Grafana
###
---
# ConfigMap with three files for Grafana: grafana.ini, datasources.yaml and
# dashboards.yaml. Each value is a block scalar, so review notes are kept
# outside the file contents.
#
# NOTE(review): grafana.ini enables anonymous access with org_role = Editor,
# hides the login form, turns basic auth off and sets
# disable_sanitize_html = true. Anyone who can reach Grafana therefore acts as
# an Editor, and panel HTML is rendered unsanitised. Restrict who can reach
# port 3000 and anything proxying to it, or lower org_role to Viewer and
# re-enable sanitising if dashboards do not need raw HTML.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-grafana-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: grafana
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  grafana.ini: |-
    instance_name = linkerd-grafana

    [server]
    root_url = %(protocol)s://%(domain)s:/grafana/

    [auth]
    disable_login_form = true

    [auth.anonymous]
    enabled = true
    org_role = Editor

    [auth.basic]
    enabled = false

    [analytics]
    check_for_updates = false

    [panels]
    disable_sanitize_html = true

  # Single Prometheus datasource over plain http, accessed in proxy mode and
  # marked editable, so it can be changed from the Grafana UI.
  datasources.yaml: |-
    apiVersion: 1
    datasources:
    - name: prometheus
      type: prometheus
      access: proxy
      orgId: 1
      url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090
      isDefault: true
      jsonData:
        timeInterval: "5s"
      version: 1
      editable: true

  # File-based dashboard provider reading /var/lib/grafana/dashboards;
  # deletion is disabled but the dashboards are editable.
  dashboards.yaml: |-
    apiVersion: 1
    providers:
    - name: 'default'
      orgId: 1
      folder: ''
      type: file
      disableDeletion: true
      editable: true
      options:
        path: /var/lib/grafana/dashboards
        homeDashboardId: linkerd-top-line
---
# ClusterIP Service for Grafana on port 3000. The Grafana ConfigMap in this
# file enables anonymous Editor access, so reachability of this Service is the
# effective access control.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-grafana
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: grafana
    linkerd.io/control-plane-ns: linkerd
spec:
  # Single-label selector: any pod in this namespace labelled
  # linkerd.io/control-plane-component=grafana becomes a backend.
  selector:
    linkerd.io/control-plane-component: grafana
  type: ClusterIP
  ports:
  - name: http
    targetPort: 3000
    port: 3000
---
 | 
						|
apiVersion: apps/v1
 | 
						|
kind: Deployment
 | 
						|
metadata:
 | 
						|
  annotations:
 | 
						|
    linkerd.io/created-by: linkerd/helm linkerd-version
 | 
						|
  labels:
 | 
						|
    app.kubernetes.io/name: grafana
 | 
						|
    app.kubernetes.io/part-of: Linkerd
 | 
						|
    app.kubernetes.io/version: linkerd-version
 | 
						|
    linkerd.io/control-plane-component: grafana
 | 
						|
    linkerd.io/control-plane-ns: linkerd
 | 
						|
  name: linkerd-grafana
 | 
						|
  namespace: linkerd
 | 
						|
spec:
 | 
						|
  replicas: 1
 | 
						|
  selector:
 | 
						|
    matchLabels:
 | 
						|
      linkerd.io/control-plane-component: grafana
 | 
						|
      linkerd.io/control-plane-ns: linkerd
 | 
						|
      linkerd.io/proxy-deployment: linkerd-grafana
 | 
						|
  template:
 | 
						|
    metadata:
 | 
						|
      annotations:
 | 
						|
        linkerd.io/created-by: linkerd/helm linkerd-version
 | 
						|
        linkerd.io/identity-mode: default
 | 
						|
        linkerd.io/proxy-version: test-proxy-version
 | 
						|
      labels:
 | 
						|
        linkerd.io/control-plane-component: grafana
 | 
						|
        linkerd.io/control-plane-ns: linkerd
 | 
						|
        linkerd.io/workload-ns: linkerd
 | 
						|
        linkerd.io/proxy-deployment: linkerd-grafana
 | 
						|
    spec:
 | 
						|
      nodeSelector:
 | 
						|
        beta.kubernetes.io/os: linux
 | 
						|
      containers:
 | 
						|
      - env:
 | 
						|
        - name: GF_PATHS_DATA
 | 
						|
          value: /data
 | 
						|
        image: gcr.io/linkerd-io/grafana:linkerd-version
 | 
						|
        imagePullPolicy: IfNotPresent
 | 
						|
        livenessProbe:
 | 
						|
          httpGet:
 | 
						|
            path: /api/health
 | 
						|
            port: 3000
 | 
						|
          initialDelaySeconds: 30
 | 
						|
        name: grafana
 | 
						|
        ports:
 | 
						|
        - containerPort: 3000
 | 
						|
          name: http
 | 
						|
        readinessProbe:
 | 
						|
          httpGet:
 | 
						|
            path: /api/health
 | 
						|
            port: 3000
 | 
						|
        securityContext:
 | 
						|
          runAsUser: 472
 | 
						|
        volumeMounts:
 | 
						|
        - mountPath: /data
 | 
						|
          name: data
 | 
						|
        - mountPath: /etc/grafana
 | 
						|
          name: grafana-config
 | 
						|
          readOnly: true
 | 
						|
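      # linkerd-proxy: the mesh proxy container running next to grafana.
      # (Table-gutter residue between the lines has been removed so this parses.)
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Control (4190) and admin (4191) listeners bind to every interface,
        # and the linkerd-init container in this pod lists both under
        # --inbound-ports-to-ignore, so (per that flag's name) connections to
        # them are not redirected through the inbound listener on 4143.
        # NOTE(review): limit which peers can reach 4191 (e.g. NetworkPolicy);
        # it serves /live and /ready, what else it exposes is not visible here.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        # Outbound listener is loopback-only.
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        # This path is the mount point of the memory-medium emptyDir volume
        # linkerd-identity-end-entity (see volumeMounts below).
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Fixture placeholder; presumably a real render carries the PEM trust
        # root here.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The proxy is pointed at the pod's ServiceAccount token; presumably it
        # presents it to the identity service at
        # LINKERD2_PROXY_IDENTITY_SVC_ADDR to obtain its certificate (confirm).
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # The names below are built from the ServiceAccount, namespace and
        # trust domain variables defined above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        # Mutable tag (fixture placeholder); pin by digest in a real deployment.
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Bare key, i.e. null: no CPU/memory requests or limits for the proxy.
        resources:
        # UID 2102 matches the --proxy-uid argument given to linkerd-init.
        # NOTE(review): runAsNonRoot: true and capabilities.drop: [ALL] are
        # not set.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity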
      initContainers:
 | 
						|
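      # linkerd-init: receives the proxy's ports and UID plus two port lists to
      # leave alone. Per the flag names, traffic on the ignored ports bypasses
      # the proxy (inbound 4190,4191,222; outbound 443,111).
      # NOTE(review): outbound 443 in the ignore list means that traffic does
      # not pass through the proxy; confirm this is intended outside the fixture.
      # (Table-gutter residue between the lines has been removed so this parses.)
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        # Mutable tag (fixture placeholder); pin by digest in a real deployment.
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # Runs as root (runAsUser 0, runAsNonRoot false) with NET_ADMIN and
        # NET_RAW added; not privileged, no privilege escalation, read-only
        # root filesystem.
        # NOTE(review): only `add` is given, so the runtime's default
        # capabilities are kept as well; consider `drop: [ALL]` next to the two
        # adds if the init binary needs nothing else (verify before changing).
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError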
      serviceAccountName: linkerd-grafana
 | 
						|
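      # Pod volumes for linkerd-grafana.
      # (Table-gutter residue between the lines has been removed so this parses.)
      volumes:
      # Grafana's /data is a plain emptyDir: its contents do not outlive the pod.
      - emptyDir: {}
        name: data
      # Grafana configuration and provisioning files, projected from the
      # linkerd-grafana-config ConfigMap; mounted read-only at /etc/grafana.
      - configMap:
          items:
          - key: grafana.ini
            path: grafana.ini
          - key: datasources.yaml
            path: provisioning/datasources/datasources.yaml
          - key: dashboards.yaml
            path: provisioning/dashboards/dashboards.yaml
          name: linkerd-grafana-config
        name: grafana-config
      # Memory-medium emptyDir (tmpfs) mounted at the proxy's identity
      # directory, so what the proxy stores there is not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity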
---
# Source: linkerd2/templates/proxy-injector.yaml
---
###
### Proxy Injector
###
---
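# linkerd-proxy-injector Deployment (rendered Helm output; "linkerd-version",
# "test-proxy-version" and "test-trust-anchor" are fixture placeholders).
# Pod layout: the proxy-injector controller container, a linkerd-proxy
# container, and the linkerd-init init container.
# (Table-gutter residue between the lines has been removed so this parses.)
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  # Single replica. NOTE(review): what happens to pod admission while this pod
  # is down depends on the webhook's failurePolicy, which is defined outside
  # this chunk.
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  template:
    metadata:
      annotations:
        linkerd.io/helm-release-version: "0"
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      # NOTE(review): beta.kubernetes.io/os is the deprecated form of
      # kubernetes.io/os.
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      # proxy-injector controller: serves on 8443 (fronted by the
      # linkerd-proxy-injector Service on 443) and admin HTTP on 9995.
      - args:
        - proxy-injector
        - -log-level=info
        # Mutable tag (fixture placeholder). With IfNotPresent a node keeps
        # whatever it already cached under that tag; pin by digest in a real
        # deployment.
        image: gcr.io/linkerd-io/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        # Only the UID is pinned here.
        # NOTE(review): unlike the linkerd-proxy container below, this one sets
        # neither allowPrivilegeEscalation: false nor readOnlyRootFilesystem:
        # true; consider adding both plus capabilities.drop: [ALL].
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        # Secret linkerd-proxy-injector-tls, mounted read-only.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      # linkerd-proxy: the mesh proxy container running next to the controller.
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Control (4190) and admin (4191) listeners bind to every interface,
        # and linkerd-init below lists both under --inbound-ports-to-ignore, so
        # (per that flag's name) connections to them are not redirected through
        # the inbound listener on 4143.
        # NOTE(review): limit which peers can reach 4191 (e.g. NetworkPolicy);
        # it serves /live and /ready, what else it exposes is not visible here.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        # Outbound listener is loopback-only.
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        # This path is the mount point of the memory-medium emptyDir volume
        # linkerd-identity-end-entity (see volumeMounts and volumes below).
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Fixture placeholder; presumably a real render carries the PEM trust
        # root here.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The proxy is pointed at the pod's ServiceAccount token; presumably it
        # presents it to the identity service at
        # LINKERD2_PROXY_IDENTITY_SVC_ADDR to obtain its certificate (confirm).
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # The names below are built from the ServiceAccount, namespace and
        # trust domain variables defined above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        # Mutable tag (fixture placeholder); pin by digest in a real deployment.
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Bare key, i.e. null: no CPU/memory requests or limits for the proxy.
        resources:
        # UID 2102 matches the --proxy-uid argument given to linkerd-init.
        # NOTE(review): runAsNonRoot: true and capabilities.drop: [ALL] are
        # not set.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init: receives the proxy's ports and UID plus two port lists to
      # leave alone. Per the flag names, traffic on the ignored ports bypasses
      # the proxy (inbound 4190,4191,222; outbound 443,111).
      # NOTE(review): outbound 443 in the ignore list means that traffic does
      # not pass through the proxy; confirm this is intended outside the fixture.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # Runs as root (runAsUser 0, runAsNonRoot false) with NET_ADMIN and
        # NET_RAW added; not privileged, no privilege escalation, read-only
        # root filesystem.
        # NOTE(review): only `add` is given, so the runtime's default
        # capabilities are kept as well; consider `drop: [ALL]` next to the two
        # adds if the init binary needs nothing else (verify before changing).
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-tls
      # Memory-medium emptyDir (tmpfs) behind the proxy's identity directory,
      # so what the proxy stores there is not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity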
---
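# ClusterIP Service for the proxy-injector: port 443 forwards to the pod port
# named proxy-injector (containerPort 8443 in the Deployment above). Being
# ClusterIP, this object does not expose the endpoint outside the cluster.
# (Table-gutter residue between the lines has been removed so this parses.)
kind: Service
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  # Selects on the component label only, the same single label the
  # Deployment's matchLabels uses.
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector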
---
# Source: linkerd2/templates/sp-validator.yaml
---
###
### Service Profile Validator
###
---
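# ClusterIP Service for the service profile validator: port 443 forwards to
# the pod port named sp-validator (containerPort 8443 in the Deployment below).
# Being ClusterIP, this object does not expose the endpoint outside the cluster.
# (Table-gutter residue between the lines has been removed so this parses.)
kind: Service
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: sp-validator
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  # Selects on the component label only, the same single label the
  # Deployment's matchLabels uses.
  selector:
    linkerd.io/control-plane-component: sp-validator
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator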
---
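# linkerd-sp-validator Deployment (rendered Helm output; "linkerd-version",
# "test-proxy-version" and "test-trust-anchor" are fixture placeholders).
# Pod layout: the sp-validator controller container, a linkerd-proxy
# container, and the linkerd-init init container.
# (Table-gutter residue between the lines has been removed so this parses.)
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: sp-validator
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: sp-validator
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-sp-validator
  namespace: linkerd
spec:
  # Single replica. NOTE(review): what happens to validated requests while
  # this pod is down depends on the webhook's failurePolicy, which is defined
  # outside this chunk.
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: sp-validator
  template:
    metadata:
      annotations:
        linkerd.io/helm-release-version: "0"
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: sp-validator
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-sp-validator
    spec:
      # NOTE(review): beta.kubernetes.io/os is the deprecated form of
      # kubernetes.io/os.
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      # sp-validator controller: serves on 8443 (fronted by the
      # linkerd-sp-validator Service on 443) and admin HTTP on 9997.
      - args:
        - sp-validator
        - -log-level=info
        # Mutable tag (fixture placeholder). With IfNotPresent a node keeps
        # whatever it already cached under that tag; pin by digest in a real
        # deployment.
        image: gcr.io/linkerd-io/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        # Only the UID is pinned here.
        # NOTE(review): unlike the linkerd-proxy container below, this one sets
        # neither allowPrivilegeEscalation: false nor readOnlyRootFilesystem:
        # true; consider adding both plus capabilities.drop: [ALL].
        securityContext:
          runAsUser: 2103
        volumeMounts:
        # Secret linkerd-sp-validator-tls, mounted read-only.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      # linkerd-proxy: the mesh proxy container running next to the controller.
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Control (4190) and admin (4191) listeners bind to every interface,
        # and linkerd-init below lists both under --inbound-ports-to-ignore, so
        # (per that flag's name) connections to them are not redirected through
        # the inbound listener on 4143.
        # NOTE(review): limit which peers can reach 4191 (e.g. NetworkPolicy);
        # it serves /live and /ready, what else it exposes is not visible here.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        # Outbound listener is loopback-only.
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        # This path is the mount point of the memory-medium emptyDir volume
        # linkerd-identity-end-entity (see volumeMounts and volumes below).
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Fixture placeholder; presumably a real render carries the PEM trust
        # root here.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The proxy is pointed at the pod's ServiceAccount token; presumably it
        # presents it to the identity service at
        # LINKERD2_PROXY_IDENTITY_SVC_ADDR to obtain its certificate (confirm).
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # The names below are built from the ServiceAccount, namespace and
        # trust domain variables defined above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        # Mutable tag (fixture placeholder); pin by digest in a real deployment.
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Bare key, i.e. null: no CPU/memory requests or limits for the proxy.
        resources:
        # UID 2102 matches the --proxy-uid argument given to linkerd-init.
        # NOTE(review): runAsNonRoot: true and capabilities.drop: [ALL] are
        # not set.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init: receives the proxy's ports and UID plus two port lists to
      # leave alone. Per the flag names, traffic on the ignored ports bypasses
      # the proxy (inbound 4190,4191,222; outbound 443,111).
      # NOTE(review): outbound 443 in the ignore list means that traffic does
      # not pass through the proxy; confirm this is intended outside the fixture.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # Runs as root (runAsUser 0, runAsNonRoot false) with NET_ADMIN and
        # NET_RAW added; not privileged, no privilege escalation, read-only
        # root filesystem.
        # NOTE(review): only `add` is given, so the runtime's default
        # capabilities are kept as well; consider `drop: [ALL]` next to the two
        # adds if the init binary needs nothing else (verify before changing).
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-sp-validator
      volumes:
      - name: tls
        secret:
          secretName: linkerd-sp-validator-tls
      # Memory-medium emptyDir (tmpfs) behind the proxy's identity directory,
      # so what the proxy stores there is not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity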
---
# Source: linkerd2/templates/tap.yaml
---
###
### Tap
###
---
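# ClusterIP Service for tap: grpc on 8088, and 443 forwarding to the pod port
# named apiserver (containerPort 8089 in the Deployment below).
# NOTE(review): tap presumably exposes live request data; who may call the
# port-443 API should be governed by RBAC, which is not part of this chunk.
# (Table-gutter residue between the lines has been removed so this parses.)
kind: Service
apiVersion: v1
metadata:
  name: linkerd-tap
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: tap
  ports:
  - name: grpc
    port: 8088
    targetPort: 8088
  - name: apiserver
    port: 443
    targetPort: apiserver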
---
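# linkerd-tap Deployment (rendered Helm output; "linkerd-version",
# "test-proxy-version" and "test-trust-anchor" are fixture placeholders).
# Pod layout: the tap controller container, a linkerd-proxy container, and the
# linkerd-init init container.
# (Table-gutter residue between the lines has been removed so this parses.)
kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: tap
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-tap
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: tap
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-tap
  template:
    metadata:
      annotations:
        linkerd.io/helm-release-version: "0"
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
      labels:
        linkerd.io/control-plane-component: tap
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-tap
    spec:
      # NOTE(review): beta.kubernetes.io/os is the deprecated form of
      # kubernetes.io/os.
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      # tap controller: grpc on 8088, the port named apiserver on 8089 (the
      # linkerd-tap Service maps 443 to it), admin HTTP on 9998.
      - args:
        - tap
        - -controller-namespace=linkerd
        - -log-level=info
        # Mutable tag (fixture placeholder). With IfNotPresent a node keeps
        # whatever it already cached under that tag; pin by digest in a real
        # deployment.
        image: gcr.io/linkerd-io/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9998
          initialDelaySeconds: 10
        name: tap
        ports:
        - containerPort: 8088
          name: grpc
        - containerPort: 8089
          name: apiserver
        - containerPort: 9998
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9998
        # Only the UID is pinned here.
        # NOTE(review): unlike the linkerd-proxy container below, this one sets
        # neither allowPrivilegeEscalation: false nor readOnlyRootFilesystem:
        # true; consider adding both plus capabilities.drop: [ALL].
        securityContext:
          runAsUser: 2103
        volumeMounts:
        # Secret linkerd-tap-tls, mounted read-only.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
        - mountPath: /var/run/linkerd/config
          name: config
      # linkerd-proxy: the mesh proxy container running next to the controller.
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Control (4190) and admin (4191) listeners bind to every interface,
        # and linkerd-init below lists both under --inbound-ports-to-ignore, so
        # (per that flag's name) connections to them are not redirected through
        # the inbound listener on 4143.
        # NOTE(review): limit which peers can reach 4191 (e.g. NetworkPolicy);
        # it serves /live and /ready, what else it exposes is not visible here.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        # Outbound listener is loopback-only.
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        # This path is the mount point of the memory-medium emptyDir volume
        # linkerd-identity-end-entity (see volumeMounts and volumes below).
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Fixture placeholder; presumably a real render carries the PEM trust
        # root here.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The proxy is pointed at the pod's ServiceAccount token; presumably it
        # presents it to the identity service at
        # LINKERD2_PROXY_IDENTITY_SVC_ADDR to obtain its certificate (confirm).
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # The names below are built from the ServiceAccount, namespace and
        # trust domain variables defined above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        # Mutable tag (fixture placeholder); pin by digest in a real deployment.
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Bare key, i.e. null: no CPU/memory requests or limits for the proxy.
        resources:
        # UID 2102 matches the --proxy-uid argument given to linkerd-init.
        # NOTE(review): runAsNonRoot: true and capabilities.drop: [ALL] are
        # not set.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init: receives the proxy's ports and UID plus two port lists to
      # leave alone. Per the flag names, traffic on the ignored ports bypasses
      # the proxy (inbound 4190,4191,222; outbound 443,111).
      # NOTE(review): outbound 443 in the ignore list means that traffic does
      # not pass through the proxy; confirm this is intended outside the fixture.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # Runs as root (runAsUser 0, runAsNonRoot false) with NET_ADMIN and
        # NET_RAW added; not privileged, no privilege escalation, read-only
        # root filesystem.
        # NOTE(review): only `add` is given, so the runtime's default
        # capabilities are kept as well; consider `drop: [ALL]` next to the two
        # adds if the init binary needs nothing else (verify before changing).
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-tap
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      # Memory-medium emptyDir (tmpfs) behind the proxy's identity directory,
      # so what the proxy stores there is not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
      - name: tls
        secret:
          secretName: linkerd-tap-tls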
---
 | 
						|
# Source: linkerd2/templates/smi-metrics.yaml
 | 
						|
 | 
						|
---
 | 
						|
# Source: linkerd2/templates/linkerd-values.yaml
 | 
						|
---
 | 
						|
###
 | 
						|
### linkerd values
 | 
						|
###
 | 
						|
---
 | 
						|
# ConfigMap holding a `values` string; judging by its name and the banner above
# it, this is the set of Helm values (here the tracing add-on) used to render.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-values
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-ns: linkerd
data:
  # Everything under `values` is one literal string, not manifest YAML, so it
  # is reproduced unchanged and review notes stay outside the scalar.
  # NOTE(review): both images below are referenced by tag only. A tag can be
  # re-pointed in the registry; pinning by digest in the chart values would
  # make the deployed image content verifiable.
  values: |-
    tracing:
      enabled: true
      collector:
        image: omnition/opencensus-collector:0.1.11
        name: linkerd-collector
        resources: null
      jaeger:
        image: jaegertracing/all-in-one:1.17.1
        name: linkerd-jaeger
        resources: null
 | 
						|
---
 | 
						|
# Source: linkerd2/charts/tracing/templates/tracing-rbac.yaml
 | 
						|
---
 | 
						|
###
 | 
						|
### linkerd-collector RBAC
 | 
						|
###
 | 
						|
---
 | 
						|
# ServiceAccount for the linkerd-collector pods; the linkerd-collector
# Deployment in this file selects it through serviceAccountName.
# No Role or binding for this account appears in this section, so from what is
# visible here it carries no additional API permissions.
# The proxy sidecar is pointed at the mounted service-account token
# (LINKERD2_PROXY_IDENTITY_TOKEN_FILE), so token automounting has to stay on.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-collector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: linkerd-collector
    linkerd.io/control-plane-ns: linkerd
 | 
						|
---
 | 
						|
###
 | 
						|
### linkerd-jaeger RBAC
 | 
						|
###
 | 
						|
---
 | 
						|
# ServiceAccount for the linkerd-jaeger pods; the linkerd-jaeger Deployment in
# this file selects it through serviceAccountName.
# No Role or binding for this account appears in this section, so from what is
# visible here it carries no additional API permissions.
# The proxy sidecar is pointed at the mounted service-account token
# (LINKERD2_PROXY_IDENTITY_TOKEN_FILE), so token automounting has to stay on.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-jaeger
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: linkerd-jaeger
    linkerd.io/control-plane-ns: linkerd
 | 
						|
---
 | 
						|
# Source: linkerd2/charts/tracing/templates/tracing.yaml
 | 
						|
---
 | 
						|
###
 | 
						|
### Tracing Collector Service
 | 
						|
###
 | 
						|
---
 | 
						|
# Collector configuration, mounted into the oc-collector container as
# /conf/linkerd-collector-config.yaml by the linkerd-collector Deployment.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-collector-config
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: linkerd-collector
    linkerd.io/control-plane-ns: linkerd
data:
  # The scalar below is the collector's own config file and is kept verbatim.
  # - receivers: OpenCensus on 55678 and Zipkin on 9411, the same two ports the
  #   linkerd-collector Service publishes. No receiver-side authentication is
  #   configured here.
  # - exporter: spans are queued and sent to linkerd-jaeger on 14268.
  # NOTE(review): collector-endpoint is a plain http:// URL. Both pods carry a
  # linkerd-proxy sidecar and 14268 is not in either ports-to-ignore list, so
  # transport protection presumably comes from the mesh - confirm that this
  # hop is actually mTLS'd before relying on it.
  linkerd-collector-config: |
    receivers:
      opencensus:
        port: 55678
      zipkin:
        port: 9411
    queued-exporters:
      jaeger-all-in-one:
        num-workers: 4
        queue-size: 100
        retry-on-failure: true
        sender-type: jaeger-thrift-http
        jaeger-thrift-http:
          collector-endpoint: http://linkerd-jaeger.linkerd:14268/api/traces
          timeout: 5s
 | 
						|
---
 | 
						|
# Service in front of the linkerd-collector pods. ClusterIP only: this object
# does not publish the receivers outside the cluster.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-collector
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: linkerd-collector
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Selects on the component label alone (no namespace label needed, a Service
  # only ever selects pods in its own namespace).
  selector:
    linkerd.io/control-plane-component: linkerd-collector
  # NOTE(review): any workload that can reach this Service can submit spans;
  # nothing in this file restricts callers (no NetworkPolicy is visible here).
  ports:
  # OpenCensus receiver.
  - name: opencensus
    protocol: TCP
    port: 55678
    targetPort: 55678
  # Zipkin receiver.
  - name: zipkin
    protocol: TCP
    port: 9411
    targetPort: 9411
 | 
						|
---
 | 
						|
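# linkerd-collector Deployment: one replica of the OpenCensus collector, plus
# the linkerd-proxy sidecar and the linkerd-init init container.
# This document is rendered chart output (see the "# Source:" header above this
# section); a manifest change made here also belongs in the chart template.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: linkerd-collector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: linkerd-collector
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-collector
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: linkerd-collector
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-collector
  minReadySeconds: 5
  progressDeadlineSeconds: 120
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
        prometheus.io/path: /metrics
        prometheus.io/port: "8888"
        prometheus.io/scrape: "true"
      labels:
        linkerd.io/control-plane-component: linkerd-collector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-collector
    spec:
      containers:
      # Application container: receives spans on 55678 (OpenCensus) and 9411
      # (Zipkin) as configured in the linkerd-collector-config ConfigMap.
      - command:
        - /occollector_linux
        - --config=/conf/linkerd-collector-config.yaml
        env:
        - name: GOGC
          value: "80"
        # NOTE(review): referenced by tag only, and IfNotPresent reuses whatever
        # a node already cached under that tag. Pinning by digest would make the
        # image content verifiable.
        image: omnition/opencensus-collector:0.1.11
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /
            port: 13133
        name: oc-collector
        ports:
        - containerPort: 55678
        - containerPort: 9411
        readinessProbe:
          httpGet:
            path: /
            port: 13133
        # This container parses data sent over the network, yet it was the only
        # one in the pod without a securityContext. Privilege escalation is now
        # blocked, matching the sidecar. readOnlyRootFilesystem and a non-root
        # runAsUser are left unset because whether the image tolerates them is
        # not visible here - confirm against the image before enabling them.
        # NOTE(review): no resource requests or limits are set for it either.
        securityContext:
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /conf
          name: linkerd-collector-config-val
      # Sidecar: the linkerd-proxy container.
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Control, admin and inbound listeners bind every pod interface; only
        # the outbound listener is loopback-only. 4190 and 4191 are also in
        # linkerd-init's --inbound-ports-to-ignore list below.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        # Entry order matters from here on: Kubernetes expands $(NAME) only for
        # variables defined earlier in this list.
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # `test-trust-anchor` looks like a fixture placeholder for the trust
        # root; the literal block keeps its trailing newline.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The proxy is pointed at the pod's mounted service-account token.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # The local identity name is built from the pod's service account and
        # namespace plus the trust domain.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Explicit null (the original left the key bare): no requests or limits
        # are set for the proxy in this rendering.
        resources: null
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          # Same UID that linkerd-init receives as --proxy-uid.
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init is given the proxy ports, the proxy UID and the port lists
      # to leave alone - presumably to install the traffic-redirect rules.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # Traffic on the ports listed below is not sent through the proxy, so
        # it gets none of the proxy's handling; keep both lists short.
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # The one root container in the pod: UID 0 with NET_ADMIN and NET_RAW
        # added, but not privileged, no privilege escalation and a read-only
        # root filesystem. It runs as an init container, i.e. to completion
        # before the long-running containers start.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: linkerd-collector
      volumes:
      # Projects the single ConfigMap key as linkerd-collector-config.yaml.
      - configMap:
          items:
          - key: linkerd-collector-config
            path: linkerd-collector-config.yaml
          name: linkerd-collector-config
        name: linkerd-collector-config-val
      # Memory-backed emptyDir mounted at the proxy's identity directory, so
      # what the proxy stores there is not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity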
 | 
						|
---
 | 
						|
###
 | 
						|
### Tracing Jaeger Service
 | 
						|
###
 | 
						|
---
 | 
						|
# Service in front of the linkerd-jaeger pods. ClusterIP only: this object does
# not publish either port outside the cluster.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-jaeger
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: linkerd-jaeger
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  ports:
  # Span ingestion; the collector's exporter config targets this port.
  - name: collection
    port: 14268
  # Jaeger query UI.
  # NOTE(review): no authentication for the UI is configured anywhere in this
  # file, so whoever can reach this Service (in-cluster clients, a port-forward
  # or an ingress added later) can presumably read every stored trace. Put
  # access control in front of it before widening exposure.
  - name: ui
    port: 16686
  selector:
    linkerd.io/control-plane-component: linkerd-jaeger
 | 
						|
---
 | 
						|
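# linkerd-jaeger Deployment: one replica of Jaeger all-in-one, plus the
# linkerd-proxy sidecar and the linkerd-init init container.
# This document is rendered chart output (see the "# Source:" header above this
# section); a manifest change made here also belongs in the chart template.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: linkerd-jaeger
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: linkerd-jaeger
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-jaeger
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: linkerd-jaeger
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-jaeger
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: test-proxy-version
        # NOTE(review): these scrape annotations are identical to the ones on
        # the linkerd-collector pod, but the jaeger container below declares
        # only 14268 and 16686 - confirm that 8888 really serves /metrics here.
        prometheus.io/path: /metrics
        prometheus.io/port: "8888"
        prometheus.io/scrape: "true"
      labels:
        linkerd.io/control-plane-component: linkerd-jaeger
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-jaeger
    spec:
      containers:
      # Application container: span ingestion on 14268 and the query UI on
      # 16686, both published by the linkerd-jaeger Service.
      # NOTE(review): referenced by tag only, and IfNotPresent reuses whatever
      # a node already cached under that tag. Pinning by digest would make the
      # image content verifiable.
      - image: jaegertracing/all-in-one:1.17.1
        imagePullPolicy: IfNotPresent
        name: jaeger
        ports:
        - containerPort: 14268
          name: collection
        - containerPort: 16686
          name: ui
        # This container serves the UI and parses incoming spans, yet it was
        # the only one in the pod without a securityContext. Privilege
        # escalation is now blocked, matching the sidecar.
        # readOnlyRootFilesystem and a non-root runAsUser are left unset
        # because whether the image tolerates them is not visible here -
        # confirm against the image before enabling them.
        # NOTE(review): it also has no probes and no resource requests/limits.
        securityContext:
          allowPrivilegeEscalation: false
      # Sidecar: the linkerd-proxy container.
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
          value: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        # Control, admin and inbound listeners bind every pod interface; only
        # the outbound listener is loopback-only. 4190 and 4191 are also in
        # linkerd-init's --inbound-ports-to-ignore list below.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        # Entry order matters from here on: Kubernetes expands $(NAME) only for
        # variables defined earlier in this list.
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: ns:$(_pod_ns)
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # `test-trust-anchor` looks like a fixture placeholder for the trust
        # root; the literal block keeps its trailing newline.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            test-trust-anchor
        # The proxy is pointed at the pod's mounted service-account token.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: test.trust.domain
        # The local identity name is built from the pod's service account and
        # namespace plus the trust domain.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_TAP_SVC_NAME
          value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: gcr.io/linkerd-io/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        # Explicit null (the original left the key bare): no requests or limits
        # are set for the proxy in this rendering.
        resources: null
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          # Same UID that linkerd-init receives as --proxy-uid.
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init is given the proxy ports, the proxy UID and the port lists
      # to leave alone - presumably to install the traffic-redirect rules.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # Traffic on the ports listed below is not sent through the proxy, so
        # it gets none of the proxy's handling; keep both lists short.
        - --inbound-ports-to-ignore
        - 4190,4191,222
        - --outbound-ports-to-ignore
        - 443,111
        image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # The one root container in the pod: UID 0 with NET_ADMIN and NET_RAW
        # added, but not privileged, no privilege escalation and a read-only
        # root filesystem. It runs as an init container, i.e. to completion
        # before the long-running containers start.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
      dnsPolicy: ClusterFirst
      serviceAccountName: linkerd-jaeger
      volumes:
      # Memory-backed emptyDir mounted at the proxy's identity directory, so
      # what the proxy stores there is not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity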
 |