Add remainder control plane components templates

Signed-off-by: ihcsim <ihcsim@gmail.com>
linkerd · Jul 29, 2019 · 11fd5db · 11fd5db
1 parent 430a5d5
commit 11fd5db
Show file tree

Hide file tree

Showing 23 changed files with 1,356 additions and 58 deletions.
diff --git a/charts/linkerd/Chart.yaml b/charts/linkerd/Chart.yaml
@@ -1,10 +1,11 @@
 apiVersion: "v1"
 appVersion: stable-2.4.0
-name: "linkerd"
-version: 0.1.0
 description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required.
+home: https://linkerd.io
 keywords:
 - service-mesh
-home: https://linkerd.io
+kubeVersion: ">=1.12.0-0"
+name: "linkerd"
 sources:
 - https://github.com/linkerd/linkerd2/
+version: 0.1.0
diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml
@@ -42,11 +42,11 @@ spec:
     port: 8086
     targetPort: 8086
 ---
-{{ if not .Proxy.Image.Version -}}
+{{ if empty .Proxy.Image.Version -}}
 {{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}}
 {{ end -}}
 {{ $_ := set .Proxy "WorkloadKind" "deployment" -}}
-{{ $_ := set .Proxy "Component" "controller" -}}
+{{ $_ := set .Proxy "Component" "linkerd-controller" -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -80,11 +80,11 @@ spec:
       {{- end }}
       containers:
       - args:
-        - "public-api"
-        - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.cluster.local:9090"
-        - "-tap-addr=linkerd-tap.{{.Namespace}}.svc.{{.ClusterDomain}}:8088"
-        - "-controller-namespace={{.Namespace}}"
-        - "-log-level={{.ControllerLogLevel}}"
+        - public-api
+        - -prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090
+        - -tap-addr=linkerd-tap.{{.Namespace}}.svc.{{.ClusterDomain}}:8088
+        - -controller-namespace={{.Namespace}}
+        - -log-level={{.ControllerLogLevel}}
         image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}}
         imagePullPolicy: {{.ImagePullPolicy}}
         livenessProbe:
@@ -112,11 +112,11 @@ spec:
         - mountPath: /var/run/linkerd/config
           name: config
       - args:
-        - "destination"
-        - "-addr=:8086"
-        - "-controller-namespace={{.Namespace}}"
-        - "-enable-h2-upgrade={{.EnableH2Upgrade}}"
-        - "-log-level={{.ControllerLogLevel}}"
+        - destination
+        - -addr=:8086
+        - -controller-namespace={{.Namespace}}
+        - -enable-h2-upgrade={{.EnableH2Upgrade}}
+        - -log-level={{.ControllerLogLevel}}
         image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}}
         imagePullPolicy: {{.ImagePullPolicy}}
         livenessProbe:
@@ -148,8 +148,8 @@ spec:
       {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
       serviceAccountName: linkerd-controller
       volumes:
-      - name: config
-        configMap:
+      - configMap:
           name: linkerd-config
-      {{- include "partials.proxy-identity-volume" . | nindent 6 -}}
+        name: config
+      {{- include "partials.proxy.volumes.identity" . | nindent 6 -}}
 {{end -}}
diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml
@@ -83,7 +83,7 @@ spec:
     port: 3000
     targetPort: 3000
 ---
-{{ if not .Proxy.Image.Version -}}
+{{ if empty .Proxy.Image.Version -}}
 {{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}}
 {{ end -}}
 {{ $_ := set .Proxy "WorkloadKind" "deployment" -}}
@@ -162,5 +162,5 @@ spec:
             path: provisioning/dashboards/dashboards.yaml
           name: linkerd-grafana-config
         name: grafana-config
-      {{- include "partials.proxy-identity-volume" . | nindent 6 -}}
+      {{- include "partials.proxy.volumes.identity" . | nindent 6 -}}
 {{end -}}
diff --git a/charts/linkerd/templates/heartbeat.yaml b/charts/linkerd/templates/heartbeat.yaml
@@ -36,9 +36,11 @@ spec:
             - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090"
             - "-controller-namespace={{.Namespace}}"
             - "-log-level={{.ControllerLogLevel}}"
+            image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}}
+            imagePullPolicy: {{.ImagePullPolicy}}
             {{- if eq .HighAvailability true -}}
             {{- include "partials.resources" .HeartbeatResources | nindent 12 }}
-            {{- end -}}
+            {{- end }}
             securityContext:
               runAsUser: {{.ControllerUID}}
-{{end -}}
+{{- end -}}
diff --git a/charts/linkerd/templates/identity-rbac.yaml b/charts/linkerd/templates/identity-rbac.yaml
@@ -0,0 +1,45 @@
+{{with .Values -}}
+{{if .Identity -}}
+---
+###
+### Identity Controller Service RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Namespace}}-identity
+  labels:
+    {{.ControllerComponentLabel}}: identity
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Namespace}}-identity
+  labels:
+    {{.ControllerComponentLabel}}: identity
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: linkerd-{{.Namespace}}-identity
+subjects:
+- kind: ServiceAccount
+  name: linkerd-identity
+  namespace: {{.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-identity
+  namespace: {{.Namespace}}
+  labels:
+    {{.ControllerComponentLabel}}: identity
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml
@@ -0,0 +1,127 @@
+{{with .Values -}}
+{{if .Identity -}}
+---
+###
+### Identity Controller Service
+###
+{{ if .Identity.Issuer -}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: linkerd-identity-issuer
+  namespace: {{.Namespace}}
+  labels:
+    {{.ControllerComponentLabel}}: identity
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+  annotations:
+    {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+    {{- if .Identity.Issuer.CrtExpiryAnnotation}}
+    {{.Identity.Issuer.CrtExpiryAnnotation}}: {{required "Please provide the identity issuer certificate expiry date" .Identity.Issuer.CrtExpiry}}
+    {{- end}}
+data:
+  crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Identity.Issuer.CrtPEM)}}
+  key.pem: {{b64enc (required "Please provide the identity issue private key" .Identity.Issuer.KeyPEM)}}
+{{- end}}
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-identity
+  namespace: {{.Namespace}}
+  labels:
+    {{.ControllerComponentLabel}}: identity
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+  annotations:
+    {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+spec:
+  type: ClusterIP
+  selector:
+    {{.ControllerComponentLabel}}: identity
+  ports:
+  - name: grpc
+    port: 8080
+    targetPort: 8080
+---
+{{ if empty .Proxy.Image.Version -}}
+{{ $_ := set .Proxy.Image "Version" $.Chart.AppVersion -}}
+{{ end -}}
+{{ $_ := set .Proxy "WorkloadKind" "deployment" -}}
+{{ $_ := set .Proxy "Component" "linkerd-identity" -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+  labels:
+    {{.ControllerComponentLabel}}: identity
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+  name: linkerd-identity
+  namespace: {{.Namespace}}
+spec:
+  replicas: {{ternary .ControllerReplicas 1 (eq .HighAvailability true)}}
+  selector:
+    matchLabels:
+      {{.ControllerComponentLabel}}: identity
+      {{.ControllerNamespaceLabel}}: {{.Namespace}}
+      {{- include "partials.proxy.labels" .Proxy | nindent 6}}
+  template:
+    metadata:
+      annotations:
+        {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" $.Chart.Version) .CliVersion}}
+        {{- include "partials.proxy.annotations" .Proxy| nindent 8}}
+      labels:
+        {{.ControllerComponentLabel}}: identity
+        {{.ControllerNamespaceLabel}}: {{.Namespace}}
+        {{- include "partials.proxy.labels" .Proxy | nindent 8}}
+    spec:
+      {{- if eq .HighAvailability true -}}
+      {{- $local := dict "Component" "identity" "Label" .ControllerComponentLabel -}}
+      {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
+      {{- end }}
+      containers:
+      - args:
+        - identity
+        - -log-level={{.ControllerLogLevel}}
+        image: {{.ControllerImage}}:{{default $.Chart.AppVersion .ControllerImageVersion}}
+        imagePullPolicy: {{.ImagePullPolicy}}
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9990
+          initialDelaySeconds: 10
+        name: identity
+        ports:
+        - containerPort: 8080
+          name: grpc
+        - containerPort: 9990
+          name: admin-http
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9990
+        {{- if eq .HighAvailability true -}}
+        {{- include "partials.resources" .Identity.Resources | nindent 8 }}
+        {{- end }}
+        securityContext:
+          runAsUser: {{.ControllerUID}}
+        volumeMounts:
+        - mountPath: /var/run/linkerd/config
+          name: config
+        - mountPath: /var/run/linkerd/identity/issuer
+          name: identity-issuer
+      {{- include "partials.proxy" .Proxy | nindent 6 -}}
+      initContainers:
+      {{- include "partials.proxy-init" .ProxyInit | nindent 6 }}
+      serviceAccountName: linkerd-identity
+      volumes:
+      - configMap:
+          name: linkerd-config
+        name: config
+      - name: identity-issuer
+        secret:
+          secretName: linkerd-identity-issuer
+      {{- include "partials.proxy.volumes.identity" . | nindent 6 -}}
+{{end -}}
+{{end -}}
diff --git a/charts/linkerd/templates/prometheus-rbac.yaml b/charts/linkerd/templates/prometheus-rbac.yaml
@@ -0,0 +1,43 @@
+{{with .Values -}}
+---
+###
+### Prometheus RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Namespace}}-prometheus
+  labels:
+    {{.ControllerComponentLabel}}: prometheus
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Namespace}}-prometheus
+  labels:
+    {{.ControllerComponentLabel}}: prometheus
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: linkerd-{{.Namespace}}-prometheus
+subjects:
+- kind: ServiceAccount
+  name: linkerd-prometheus
+  namespace: {{.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-prometheus
+  namespace: {{.Namespace}}
+  labels:
+    {{.ControllerComponentLabel}}: prometheus
+    {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{- end -}}