linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linkerd2/chart/templates/proxy_injector.yaml

261 lines
8.1 KiB
YAML
Raw Blame History

{{ if .Values.ProxyAutoInjectEnabled }}
---
###
### Proxy Injector
###
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: linkerd-proxy-injector
namespace: {{.Values.Namespace}}
labels:
{{.Values.ControllerComponentLabel}}: proxy-injector
annotations:
{{.Values.CreatedByAnnotation}}: {{.Values.CliVersion}}
spec:
replicas: 1
selector:
matchLabels:
{{.Values.ControllerComponentLabel}}: proxy-injector
template:
metadata:
labels:
{{.Values.ControllerComponentLabel}}: proxy-injector
annotations:
{{.Values.CreatedByAnnotation}}: {{.Values.CliVersion}}
spec:
serviceAccountName: linkerd-proxy-injector
containers:
- name: proxy-injector
image: {{.Values.ControllerImage}}
imagePullPolicy: {{.Values.ImagePullPolicy}}
args:
- "proxy-injector"
- "-controller-namespace={{.Values.Namespace}}"
- "-log-level={{.Values.ControllerLogLevel}}"
- "-no-init-container={{.Values.NoInitContainer}}"
- "-tls-enabled={{.Values.EnableTLS}}"
ports:
- name: proxy-injector
containerPort: 8443
volumeMounts:
- name: proxy-spec
mountPath: /var/linkerd-io/config
livenessProbe:
httpGet:
path: /ping
port: 9995
initialDelaySeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 9995
failureThreshold: 7
{{- if .Values.EnableHA }}
resources:
requests:
cpu: 20m
memory: 50Mi
{{- end }}
securityContext:
runAsUser: {{.Values.ControllerUID}}
volumes:
- name: proxy-spec
configMap:
name: linkerd-proxy-injector-sidecar-config
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: {{.Values.Namespace}}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-{{.Values.Namespace}}-proxy-injector
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["create", "update", "get", "watch"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-{{.Values.Namespace}}-proxy-injector
subjects:
- kind: ServiceAccount
name: linkerd-proxy-injector
namespace: {{.Values.Namespace}}
apiGroup: ""
roleRef:
kind: ClusterRole
name: linkerd-{{.Values.Namespace}}-proxy-injector
apiGroup: rbac.authorization.k8s.io
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: {{.Values.Namespace}}
labels:
{{.Values.ControllerComponentLabel}}: proxy-injector
annotations:
{{.Values.CreatedByAnnotation}}: {{.Values.CliVersion}}
spec:
type: ClusterIP
selector:
{{.Values.ControllerComponentLabel}}: proxy-injector
ports:
- name: proxy-injector
port: 443
targetPort: proxy-injector
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-proxy-injector-sidecar-config
namespace: {{.Values.Namespace}}
labels:
{{.Values.ControllerComponentLabel}}: proxy-injector
annotations:
{{.Values.CreatedByAnnotation}}: {{.Values.CliVersion}}
data:
{{.Values.ProxyInitSpecFileName}}: |
args:
- --incoming-proxy-port
- {{.Values.InboundPort}}
- --outgoing-proxy-port
- {{.Values.OutboundPort}}
- --proxy-uid
- {{.Values.ProxyUID}}
{{- if ne (len .Values.IgnoreInboundPorts) 0}}
- --inbound-ports-to-ignore
- {{.Values.IgnoreInboundPorts}}
{{- end }}
{{- if ne (len .Values.IgnoreOutboundPorts) 0}}
- --outbound-ports-to-ignore
- {{.Values.IgnoreOutboundPorts}}
{{- end}}
image: {{.Values.ProxyInitImage}}
imagePullPolicy: IfNotPresent
name: linkerd-init
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
{{.Values.ProxySpecFileName}}: |
env:
- name: LINKERD2_PROXY_LOG
value: {{.Values.ProxyLogLevel}}
- name: LINKERD2_PROXY_CONTROL_URL
value: tcp://linkerd-destination.{{.Values.Namespace}}.svc.cluster.local:{{.Values.DestinationAPIPort}}
- name: LINKERD2_PROXY_CONTROL_LISTENER
value: tcp://0.0.0.0:{{.Values.ProxyControlPort}}
- name: LINKERD2_PROXY_METRICS_LISTENER
value: tcp://0.0.0.0:{{.Values.ProxyMetricsPort}}
- name: LINKERD2_PROXY_OUTBOUND_LISTENER
value: tcp://127.0.0.1:{{.Values.OutboundPort}}
- name: LINKERD2_PROXY_INBOUND_LISTENER
value: tcp://0.0.0.0:{{.Values.InboundPort}}
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: {{.Values.ProfileSuffixes}}
- name: LINKERD2_PROXY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.InboundAcceptKeepaliveMs }}
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: {{.Values.InboundAcceptKeepaliveMs}}ms
{{- end}}
{{- if .Values.OutboundConnectKeepaliveMs }}
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: {{.Values.OutboundConnectKeepaliveMs}}ms
{{- end}}
- name: LINKERD2_PROXY_ID
value: "" # this value will be computed by the webhook
{{- if .Values.EnableTLS }}
- name: LINKERD2_PROXY_TLS_TRUST_ANCHORS
value: /var/linkerd-io/trust-anchors/{{.Values.TLSTrustAnchorFileName}}
- name: LINKERD2_PROXY_TLS_CERT
value: /var/linkerd-io/identity/{{.Values.TLSCertFileName}}
- name: LINKERD2_PROXY_TLS_PRIVATE_KEY
value: /var/linkerd-io/identity/{{.Values.TLSPrivateKeyFileName}}
- name: LINKERD2_PROXY_TLS_POD_IDENTITY
value: "" # this value will be computed by the webhook
- name: LINKERD2_PROXY_CONTROLLER_NAMESPACE
value: {{.Values.Namespace}}
- name: LINKERD2_PROXY_TLS_CONTROLLER_IDENTITY
value: "" # this value will be computed by the webhook
{{- end}}
image: {{.Values.ProxyImage}}
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /metrics
port: {{.Values.ProxyMetricsPort}}
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: {{.Values.InboundPort}}
name: linkerd-proxy
- containerPort: {{.Values.ProxyMetricsPort}}
name: linkerd-metrics
readinessProbe:
httpGet:
path: /metrics
port: {{.Values.ProxyMetricsPort}}
initialDelaySeconds: 10
{{- if or .Values.ProxyResourceRequestCPU .Values.ProxyResourceRequestMemory .Values.ProxyResourceLimitCPU .Values.ProxyResourceLimitMemory }}
resources:
{{- if or .Values.ProxyResourceRequestCPU .Values.ProxyResourceRequestMemory }}
requests:
{{- if .Values.ProxyResourceRequestCPU }}
cpu: {{.Values.ProxyResourceRequestCPU}}
{{- end }}
{{- if .Values.ProxyResourceRequestMemory }}
memory: {{.Values.ProxyResourceRequestMemory}}
{{- end }}
{{- end }}
{{- if or .Values.ProxyResourceLimitCPU .Values.ProxyResourceLimitMemory }}
limits:
{{- if .Values.ProxyResourceLimitCPU }}
cpu: {{.Values.ProxyResourceLimitCPU}}
{{- end }}
{{- if .Values.ProxyResourceLimitMemory }}
memory: {{.Values.ProxyResourceLimitMemory}}
{{- end }}
{{- end }}
{{- end }}
securityContext:
runAsUser: {{.Values.ProxyUID}}
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.EnableTLS }}
volumeMounts:
- mountPath: /var/linkerd-io/trust-anchors
name: {{.Values.TLSTrustAnchorVolumeName}}
readOnly: true
- mountPath: /var/linkerd-io/identity
name: {{.Values.TLSSecretsVolumeName}}
readOnly: true
{{- end }}
{{.Values.TLSTrustAnchorVolumeSpecFileName}}: |
name: {{.Values.TLSTrustAnchorVolumeName}}
configMap:
name: {{.Values.TLSTrustAnchorConfigMapName}}
optional: true
{{.Values.TLSIdentityVolumeSpecFileName}}: |
name: {{.Values.TLSSecretsVolumeName}}
secret:
secretName: "" # this value will be computed by the webhook
optional: true
{{ end -}}
Reference in New Issue View Git Blame Copy Permalink