From 2bbf26748f7735fb763dab33d65cdaeb2e150499 Mon Sep 17 00:00:00 2001 
From: Ivan Sim <1330522+ihcsim@users.noreply.github.com> Date: Tue, 6 Aug 2019 09:18:19 -0700 Subject: [PATCH] Add Control Plane Helm Templates And Proxy Partials (#3146) * Updated controller template with proxy partials * Declare dependency in requirements.yaml * Add partial template for proxy's metadata * Add proxy-init partial template * Script to lint Helm charts and update their dependencies * Update partials chart Chart.yaml * Add proxy-init and resource partial templates * Replace hard coded namespace variable in proxy env var * Ignore chart dependencies .tgz files * Add missing fields and re-order YAML elements to match CLI output * Reuse control plane's resource partial template in 'partials' chart * Set the proxy's destination service address env var * Add Grafana's template * Update api version of controller RBAC * Add Heartbeat template * Remove duplicated resources partial template * Add remainder control plane components templates * Add template for the 'linkerd-config' config map * Add debug container template * Update proxy partial with 'disable-identity' and 'disable-tap' variables Note that these are inject-only variables. Also added the LINKERD2_PROXY_TAP_SVC_NAME env var. * Add validation conditions to ensure identity and tap aren't disabled for control plane components * Add partials for service account token mount path and security context capabilities * Change proxy and proxy-init templates to use global scope Some of the nested variables are removed from values.yaml to ensure changes made to root-level variables are propagated directly into the partial templates. The previous approach of using YAML anchors in the values.yaml to share common values can get out-of-sync when values are changed via the Helm's `--set` option. 
* Update templates and values file to match #3161 * Perform a dry run installation if there is a local Tiller * Reorder JSON elements in linkerd-config * Re-adjust nested partials indentation to work with inject 'patch' chart Previously, the partials rendered their content as an element in the list. While it works for installation, the toJson function in the 'inject' patch code ends up converting it into a JSON list, instead of the expected JSON object. * Trap the last failed command in the Helm shell script * Add the identity trust anchor * Address Thomas' feedback on handling HA All the HA-related variables are moved to values-ha.yaml * Convert ignore ports string to JSON list in linkerd-config Also fixed some indentation issues. * Add values-ha.yaml * Include the service account token mount path only if identity is enabled * Fixed malformed JSON in linkerd-config config map * Rename chart to 'linkerd2' * Add NOTES.txt * Fix incorrect variable path in proxy template * Remove fake TLS assets * Add 'required' constraint to identity trust anchors variable * Update tap templates per #3167 * Bump default version to edge-19.8.1 due to dependency on RSA support
Signed-off-by: Ivan Sim --- .gitignore | 1 + bin/helm.sh | 23 +++ charts/linkerd2/.helmignore | 21 ++ charts/linkerd2/Chart.yaml | 11 + charts/linkerd2/requirements.lock | 6 + charts/linkerd2/requirements.yaml | 4 + charts/linkerd2/templates/NOTES.txt | 14 ++ charts/linkerd2/templates/_affinity.tpl | 22 ++ charts/linkerd2/templates/_config.tpl | 80 ++++++++ charts/linkerd2/templates/_helpers.tpl | 32 +++ charts/linkerd2/templates/_validate.tpl | 9 + charts/linkerd2/templates/config.yaml | 38 ++++ .../linkerd2/templates/controller-rbac.yaml | 55 +++++ charts/linkerd2/templates/controller.yaml | 153 ++++++++++++++ charts/linkerd2/templates/grafana-rbac.yaml | 15 ++ charts/linkerd2/templates/grafana.yaml | 164 +++++++++++++++ charts/linkerd2/templates/heartbeat-rbac.yaml | 44 ++++ charts/linkerd2/templates/heartbeat.yaml | 44 ++++ charts/linkerd2/templates/identity-rbac.yaml | 45 ++++ charts/linkerd2/templates/identity.yaml | 125 +++++++++++ charts/linkerd2/templates/namespace.yaml | 15 ++ .../linkerd2/templates/prometheus-rbac.yaml | 43 ++++ charts/linkerd2/templates/prometheus.yaml | 194 ++++++++++++++++++ .../templates/proxy-injector-rbac.yaml | 95 +++++++++ charts/linkerd2/templates/proxy-injector.yaml | 105 ++++++++++ charts/linkerd2/templates/psp.yaml | 115 +++++++++++ .../templates/serviceprofile-crd.yaml | 31 +++ .../linkerd2/templates/sp-validator-rbac.yaml | 85 ++++++++ charts/linkerd2/templates/sp-validator.yaml | 100 +++++++++ charts/linkerd2/templates/tap-rbac.yaml | 115 +++++++++++ charts/linkerd2/templates/tap.yaml | 106 ++++++++++ .../linkerd2/templates/trafficsplit-crd.yaml | 31 +++ charts/linkerd2/templates/web-rbac.yaml | 15 ++ charts/linkerd2/templates/web.yaml | 100 +++++++++ charts/linkerd2/values-ha.yaml | 63 ++++++ charts/linkerd2/values.yaml | 105 ++++++++++ charts/partials/.helmignore | 21 ++ charts/partials/Chart.yaml | 5 + charts/partials/templates/NOTES.txt | 0 charts/partials/templates/_capabilities.tpl | 16 ++ 
charts/partials/templates/_debug.tpl | 6 + charts/partials/templates/_helpers.tpl | 32 +++ charts/partials/templates/_metadata.tpl | 8 + charts/partials/templates/_proxy-init.tpl | 46 +++++ charts/partials/templates/_proxy.tpl | 108 ++++++++++ charts/partials/templates/_resources.tpl | 21 ++ charts/partials/templates/_volumes.tpl | 5 + charts/partials/values.yaml | 0 48 files changed, 2492 insertions(+) create mode 100755 bin/helm.sh create mode 100644 charts/linkerd2/.helmignore create mode 100644 charts/linkerd2/Chart.yaml create mode 100644 charts/linkerd2/requirements.lock create mode 100644 charts/linkerd2/requirements.yaml create mode 100644 charts/linkerd2/templates/NOTES.txt create mode 100644 charts/linkerd2/templates/_affinity.tpl create mode 100644 charts/linkerd2/templates/_config.tpl create mode 100644 charts/linkerd2/templates/_helpers.tpl create mode 100644 charts/linkerd2/templates/_validate.tpl create mode 100644 charts/linkerd2/templates/config.yaml create mode 100644 charts/linkerd2/templates/controller-rbac.yaml create mode 100644 charts/linkerd2/templates/controller.yaml create mode 100644 charts/linkerd2/templates/grafana-rbac.yaml create mode 100644 charts/linkerd2/templates/grafana.yaml create mode 100644 charts/linkerd2/templates/heartbeat-rbac.yaml create mode 100644 charts/linkerd2/templates/heartbeat.yaml create mode 100644 charts/linkerd2/templates/identity-rbac.yaml create mode 100644 charts/linkerd2/templates/identity.yaml create mode 100644 charts/linkerd2/templates/namespace.yaml create mode 100644 charts/linkerd2/templates/prometheus-rbac.yaml create mode 100644 charts/linkerd2/templates/prometheus.yaml create mode 100644 charts/linkerd2/templates/proxy-injector-rbac.yaml create mode 100644 charts/linkerd2/templates/proxy-injector.yaml create mode 100644 charts/linkerd2/templates/psp.yaml create mode 100644 charts/linkerd2/templates/serviceprofile-crd.yaml create mode 100644 charts/linkerd2/templates/sp-validator-rbac.yaml create 
mode 100644 charts/linkerd2/templates/sp-validator.yaml create mode 100644 charts/linkerd2/templates/tap-rbac.yaml create mode 100644 charts/linkerd2/templates/tap.yaml create mode 100644 charts/linkerd2/templates/trafficsplit-crd.yaml create mode 100644 charts/linkerd2/templates/web-rbac.yaml create mode 100644 charts/linkerd2/templates/web.yaml create mode 100644 charts/linkerd2/values-ha.yaml create mode 100644 charts/linkerd2/values.yaml create mode 100644 charts/partials/.helmignore create mode 100644 charts/partials/Chart.yaml create mode 100644 charts/partials/templates/NOTES.txt create mode 100644 charts/partials/templates/_capabilities.tpl create mode 100644 charts/partials/templates/_debug.tpl create mode 100644 charts/partials/templates/_helpers.tpl create mode 100644 charts/partials/templates/_metadata.tpl create mode 100644 charts/partials/templates/_proxy-init.tpl create mode 100644 charts/partials/templates/_proxy.tpl create mode 100644 charts/partials/templates/_resources.tpl create mode 100644 charts/partials/templates/_volumes.tpl create mode 100644 charts/partials/values.yaml diff --git a/.gitignore b/.gitignore index fbc008841f8c5..87f6dfee4f7cc 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ web/app/yarn-error.log .golangci-lint* **/*.gogen* **/*.swp +charts/*/charts/ diff --git a/bin/helm.sh b/bin/helm.sh new file mode 100755 index 0000000000000..af9786ce31c45 --- /dev/null +++ b/bin/helm.sh 
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+# trap the last failed command
+trap 'printf "Error on exit:\n Exit code: $?\n Failed command: \"$BASH_COMMAND\"\n"' ERR
+
+bindir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+rootdir="$( cd $bindir/.. && pwd )"
+
+helm lint $rootdir/charts/partials
+
+helm dep up $rootdir/charts/linkerd2
+helm lint --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2
+
+# if tiller is deployed, perform a dry run installation to check for errors
+if tiller=`kubectl get po -l app=helm,name=tiller --all-namespaces`; then
+ echo "Performing dry run installation"
+ helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" $rootdir/charts/linkerd2 2> /dev/null
+
+ echo "Performing dry run installation (HA mode)"
+ helm install --name=linkerd --dry-run --set Identity.TrustAnchorsPEM="fake-trust" --set Identity.Issuer.CrtPEM="fake-cert" --set Identity.Issuer.KeyPEM="fake-key" --set Identity.Issuer.CrtExpiry="fake-expiry-date" -f $rootdir/charts/linkerd2/values.yaml -f $rootdir/charts/linkerd2/values-ha.yaml charts/linkerd2 2> /dev/null
+fi
diff --git a/charts/linkerd2/.helmignore b/charts/linkerd2/.helmignore
new file mode 100644
index 0000000000000..f0c1319444416
--- /dev/null
+++ b/charts/linkerd2/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
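Review bot: The Tiller detection in `if tiller=\`kubectl get po -l app=helm,name=tiller --all-namespaces\`; then` takes the dry-run branch whenever kubectl can reach any cluster, because `kubectl get` exits 0 even when no pod matches the selector, and the `tiller` variable it assigns is never read. A check that keys on actual output would be `if [ -n "$(kubectl get po -l app=helm,name=tiller --all-namespaces -o name 2>/dev/null)" ]; then`. The HA invocation passes the relative path `charts/linkerd2` where every other call uses `$rootdir/charts/linkerd2`, so that branch only works when the script is run from the repository root. Both `helm install --dry-run` calls also discard stderr with `2> /dev/null`, which hides the template errors the dry run exists to surface; `set -e` still aborts, but the ERR trap then prints only the failed command, not the reason.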
diff --git a/charts/linkerd2/Chart.yaml b/charts/linkerd2/Chart.yaml new file mode 100644 index 0000000000000..5630436730afb --- /dev/null +++ b/charts/linkerd2/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: "v1" +appVersion: edge-19.8.1 +description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required. +home: https://linkerd.io +keywords: +- service-mesh +kubeVersion: ">=1.12.0-0" +name: "linkerd2" +sources: +- https://github.com/linkerd/linkerd2/ +version: 0.1.0 diff --git a/charts/linkerd2/requirements.lock b/charts/linkerd2/requirements.lock new file mode 100644 index 0000000000000..b82d2145b2849 --- /dev/null +++ b/charts/linkerd2/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:3a86b96a2966f03ba04518723838b49719a3277dfb9bea0b3f067e83d370e0b3 +generated: 2019-07-24T19:51:15.04322926-07:00 diff --git a/charts/linkerd2/requirements.yaml b/charts/linkerd2/requirements.yaml new file mode 100644 index 0000000000000..a17d782a8b996 --- /dev/null +++ b/charts/linkerd2/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: +- name: partials + version: 0.1.0 + repository: file://../partials diff --git a/charts/linkerd2/templates/NOTES.txt b/charts/linkerd2/templates/NOTES.txt new file mode 100644 index 0000000000000..95037b8055bf8 --- /dev/null +++ b/charts/linkerd2/templates/NOTES.txt @@ -0,0 +1,14 @@ +Linkerd was successfully installed 🎉 + +Add the linkerd CLI to your path with: + + export PATH=\$PATH:\$HOME/.linkerd2/bin + +Now run: + + linkerd check --pre # validate that Linkerd can be installed + linkerd install | kubectl apply -f - # install the control plane into the 'linkerd' namespace + linkerd check # validate everything worked! + linkerd dashboard # launch the dashboard + +Looking for more? Visit https://linkerd.io/2/next-steps 
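Review bot: The post-install notes instruct the user to run `linkerd install | kubectl apply -f -`, which would apply a second, CLI-generated control plane on top of the one Helm just installed; for a Helm release the verification step is `linkerd check` alone, so that line (and the `linkerd check --pre` line, which is a pre-install check) should be dropped or replaced with a pointer to `helm upgrade`. The `\$` escapes in `export PATH=\$PATH:\$HOME/.linkerd2/bin` sit outside any template action, so Go's text/template emits the backslashes literally and the user sees `\$PATH`; nothing in NOTES.txt is shell-expanded, so write `export PATH=$PATH:$HOME/.linkerd2/bin`. Please confirm the rendered output with a dry-run install, as I have not rendered this file.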
diff --git a/charts/linkerd2/templates/_affinity.tpl b/charts/linkerd2/templates/_affinity.tpl new file mode 100644 index 0000000000000..2d3d80451e0fd --- /dev/null +++ b/charts/linkerd2/templates/_affinity.tpl @@ -0,0 +1,22 @@ +{{ define "linkerd.pod-affinity" -}} +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ .Label }} + operator: In + values: + - {{ .Component }} + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ .Label }} + operator: In + values: + - {{ .Component }} + topologyKey: kubernetes.io/hostname +{{- end }} diff --git a/charts/linkerd2/templates/_config.tpl b/charts/linkerd2/templates/_config.tpl new file mode 100644 index 0000000000000..915ce44319362 --- /dev/null +++ b/charts/linkerd2/templates/_config.tpl 
@@ -0,0 +1,80 @@ +{{- define "linkerd.configs.global" -}} +{ + "linkerdNamespace": "{{.Namespace}}", + "cniEnabled": false, + "version": "{{.LinkerdVersion}}", + "identityContext":{ + "trustDomain": "{{.Identity.TrustDomain}}", + "trustAnchorsPem": "{{required "Please provide the identity trust anchors" .Identity.TrustAnchorsPEM | replace "\n" "\\n"}}", + "issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}", + "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}" + }, + "autoInjectContext": null, + "omitWebhookSideEffects": {{.OmitWebhookSideEffects}}, + "clusterDomain": "{{.ClusterDomain}}" +} +{{- end -}} + +{{- define "linkerd.configs.proxy" -}} +{ + "proxyImage":{ + "imageName":"{{.Proxy.Image.Name}}", + "pullPolicy":"{{.Proxy.Image.PullPolicy}}" + }, + "proxyInitImage":{ + "imageName":"{{.ProxyInit.Image.Name}}", + "pullPolicy":"{{.ProxyInit.Image.PullPolicy}}" + }, + "controlPort":{ + "port": {{.Proxy.Ports.Control}} + }, + "ignoreInboundPorts":[ + {{- $ports := splitList "," .ProxyInit.IgnoreInboundPorts -}} + {{- if gt (len $ports) 1}} + {{- $last := sub (len $ports) 1 -}} + {{- range $i,$port := $ports -}} + {"port":{{$port}}}{{ternary "," "" (ne $i $last)}} + {{- end -}} + {{- end -}} + ], + "ignoreOutboundPorts":[ + {{- $ports := splitList "," .ProxyInit.IgnoreOutboundPorts -}} + {{- if gt (len $ports) 1}} + {{- $last := sub (len $ports) 1 -}} + {{- range $i,$port := $ports -}} + {"port":{{$port}}}{{ternary "," "" (ne $i $last)}} + {{- end -}} + {{- end -}} + ], + "inboundPort":{ + "port": {{.Proxy.Ports.Inbound}} + }, + "adminPort":{ + "port": {{.Proxy.Ports.Admin}} + }, + "outboundPort":{ + "port": {{.Proxy.Ports.Outbound}} + }, + "resource":{ + "requestCpu": "{{.Proxy.Resources.CPU.Request}}", + "limitCpu": "{{.Proxy.Resources.CPU.Limit}}", + "requestMemory": "{{.Proxy.Resources.Memory.Request}}", + "limitMemory": "{{.Proxy.Resources.Memory.Limit}}" + }, + "proxyUid": {{.Proxy.UID}}, + "logLevel":{ + "level": "{{.Proxy.LogLevel}}" + 
}, + "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}}, + "proxyVersion": "{{.Proxy.Image.Version}}", + "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}" +} +{{- end -}} + +{{- define "linkerd.configs.install" -}} +{ + "uuid":"{{ uuidv4 }}", + "cliVersion":"{{ .LinkerdVersion }}", + "flags":[] +} +{{- end -}} diff --git a/charts/linkerd2/templates/_helpers.tpl b/charts/linkerd2/templates/_helpers.tpl new file mode 100644 index 0000000000000..c0087d71c8dad --- /dev/null +++ b/charts/linkerd2/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "linkerd.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "linkerd.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "linkerd.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/linkerd2/templates/_validate.tpl b/charts/linkerd2/templates/_validate.tpl new file mode 100644 index 0000000000000..959a98a6bd696 --- /dev/null +++ b/charts/linkerd2/templates/_validate.tpl 
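Review bot: A single ignore port is silently dropped in `linkerd.configs.proxy`: `splitList "," .ProxyInit.IgnoreInboundPorts` yields a one-element list for a value such as `"4190"`, and the guard `{{- if gt (len $ports) 1}}` only admits lists of two or more, so `ignoreInboundPorts` renders as `[]` and that port is not exempted from interception; the `ignoreOutboundPorts` block has the same guard. Test the source string instead, `{{- if .ProxyInit.IgnoreInboundPorts }}` and `{{- if .ProxyInit.IgnoreOutboundPorts }}`, which also covers the empty-string case (where `splitList` returns `[""]`) that the `gt 1` check is presumably there for. Separately, the values interpolated into this hand-built JSON (`trustDomain`, `clusterDomain`, the image names and versions) are not JSON-escaped, so a value containing `"` or `\` produces an invalid `linkerd-config`; building the object with `dict` and piping it through `toJson` would make the map robust to operator-supplied values. `"uuid":"{{ uuidv4 }}"` also regenerates on every `helm upgrade`, which may or may not be intended for an install identifier.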
@@ -0,0 +1,9 @@ +{{- define "linkerd.proxy.validation" -}} +{{- if .DisableIdentity -}} +{{- fail (printf "Can't disable identity mTLS for %s. Set '.Values.Proxy.DisableIdentity' to 'false'" .Component) -}} +{{- end -}} + +{{- if .DisableTap -}} +{{- fail (printf "Can't disable tap for %s. Set '.Values.Proxy.DisableTap' to 'false'" .Component) -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd2/templates/config.yaml b/charts/linkerd2/templates/config.yaml new file mode 100644 index 0000000000000..602164a97ae5c --- /dev/null +++ b/charts/linkerd2/templates/config.yaml @@ -0,0 +1,38 @@ +{{with .Values -}} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +data: + global: | + {{- if .Configs -}} + {{- if .Configs.Global -}} + {{.Configs.Global}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.global" . | nindent 4}} + {{- end }} + proxy: | + {{- if .Configs -}} + {{- if .Configs.Proxy -}} + {{.Configs.Proxy}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.proxy" . | nindent 4}} + {{- end }} + install: | + {{- if .Configs -}} + {{- if .Configs.Install -}} + {{.Configs.Instal}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.install" . | nindent 4}} + {{- end }} +{{- end -}} diff --git a/charts/linkerd2/templates/controller-rbac.yaml b/charts/linkerd2/templates/controller-rbac.yaml new file mode 100644 index 0000000000000..e122f4610692c --- /dev/null +++ b/charts/linkerd2/templates/controller-rbac.yaml 
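Review bot: `{{.Configs.Instal}}` in the `install:` block of config.yaml is a typo for `.Configs.Install`; when `.Values.Configs` is supplied, the install section renders as empty or `<no value>` instead of the provided JSON, and nothing fails at lint time because the key lookup is dynamic. Change it to `{{.Configs.Install}}`. The trim markers around the three `Configs` branches also look suspect: `global: |` is immediately followed by `{{- if .Configs -}}{{- if .Configs.Global -}}{{.Configs.Global}}`, and the left-trims appear to remove the newline and indent after the `|`, which would put the supplied value on the same line as the block-scalar indicator; I have not rendered it, so please confirm with a non-empty `Configs.Global`, and if so use `{{.Configs.Global | nindent 4}}` as the `include` branches already do.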
@@ -0,0 +1,55 @@ +{{with .Values -}} +--- +### +### Controller RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-controller + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["jobs"] + verbs: ["list" , "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Namespace}}-controller + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Namespace}}-controller +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: {{.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-controller + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} +{{- end -}} diff --git a/charts/linkerd2/templates/controller.yaml b/charts/linkerd2/templates/controller.yaml new file mode 100644 index 0000000000000..9e2d85b5f2956 --- /dev/null +++ b/charts/linkerd2/templates/controller.yaml 
@@ -0,0 +1,153 @@ +{{with .Values -}} +--- +### +### Controller +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-controller-api + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: controller + ports: + - name: http + port: 8085 + targetPort: 8085 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-destination + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: controller + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-controller" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-controller + namespace: {{.Namespace}} +spec: + replicas: {{.ControllerReplicas}} + selector: + matchLabels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: controller + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include 
"partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if .EnablePodAntiAffinity -}} + {{- $local := dict "Component" "controller" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - public-api + - -prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090 + - -tap-addr=linkerd-tap.{{.Namespace}}.svc.{{.ClusterDomain}}:8088 + - -controller-namespace={{.Namespace}} + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: public-api + ports: + - containerPort: 8085 + name: http + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + {{- if .PublicAPIResources -}} + {{- include "partials.resources" .PublicAPIResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - args: + - destination + - -addr=:8086 + - -controller-namespace={{.Namespace}} + - -enable-h2-upgrade={{.EnableH2Upgrade}} + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + {{- if .DestinationResources -}} + {{- include "partials.resources" .DestinationResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - {{- include "partials.proxy" . 
| indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} + serviceAccountName: linkerd-controller + volumes: + - configMap: + name: linkerd-config + name: config + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} +{{end -}} diff --git a/charts/linkerd2/templates/grafana-rbac.yaml b/charts/linkerd2/templates/grafana-rbac.yaml new file mode 100644 index 0000000000000..e1803535e24b4 --- /dev/null +++ b/charts/linkerd2/templates/grafana-rbac.yaml @@ -0,0 +1,15 @@ +{{with .Values -}} +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} +{{- end -}} diff --git a/charts/linkerd2/templates/grafana.yaml b/charts/linkerd2/templates/grafana.yaml new file mode 100644 index 0000000000000..81584fd5ff7bb --- /dev/null +++ b/charts/linkerd2/templates/grafana.yaml 
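Review bot: `{{ $_ := set .Proxy "WorkloadKind" "deployment" -}}` and `{{ $_ := set .Proxy "Component" "linkerd-controller" -}}` mutate the shared `.Values.Proxy` map in place rather than a local copy; Helm renders a chart's templates in no guaranteed order, so any partial that reads `.Proxy.Component` outside the window between these lines and the `include` calls further down sees whichever template ran last. It works here because every consumer is rendered immediately after the `set`, and grafana.yaml and identity.yaml repeat the same pattern. If the partials deliberately take `.` as global scope (as the commit message says), a comment above the two `set` lines, e.g. `{{/* Mutates .Values.Proxy on purpose: the partials read Component and WorkloadKind from global scope */}}`, would save the next reader from re-deriving that. Unrelated nit: `{{- include "partials.proxy.annotations" .Proxy| nindent 8}}` is missing the space before the pipe that every other include in the file has.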
@@ -0,0 +1,164 @@ +{{with .Values -}} +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +data: + grafana.ini: |- + instance_name = linkerd-grafana + + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + + [auth] + disable_login_form = true + + [auth.anonymous] + enabled = true + org_role = Editor + + [auth.basic] + enabled = false + + [analytics] + check_for_updates = false + + [panels] + disable_sanitize_html = true + + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-grafana" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) 
.CliVersion}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-grafana + namespace: {{.Namespace}} +spec: + replicas: 1 + selector: + matchLabels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: grafana + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + containers: + - env: + - name: GF_PATHS_DATA + value: /data + image: {{.GrafanaImage}}:{{default .LinkerdVersion .GrafanaImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + {{- if .GrafanaResources -}} + {{- include "partials.resources" .GrafanaResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config + - {{- include "partials.proxy.volumes.identity" . 
| indent 8 | trimPrefix (repeat 7 " ") -}} +{{end -}} diff --git a/charts/linkerd2/templates/heartbeat-rbac.yaml b/charts/linkerd2/templates/heartbeat-rbac.yaml new file mode 100644 index 0000000000000..cded3e5be7b47 --- /dev/null +++ b/charts/linkerd2/templates/heartbeat-rbac.yaml @@ -0,0 +1,44 @@ +{{with .Values -}} +--- +### +### Heartbeat RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerNamespaceLabel}}: {{.Namespace}} +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: heartbeat + {{.ControllerNamespaceLabel}}: {{.Namespace}} +{{- end -}} diff --git a/charts/linkerd2/templates/heartbeat.yaml b/charts/linkerd2/templates/heartbeat.yaml new file mode 100644 index 0000000000000..3a54c9c9f6d55 --- /dev/null +++ b/charts/linkerd2/templates/heartbeat.yaml 
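Review bot: The baked-in `grafana.ini` enables anonymous access with `org_role = Editor`, disables the login form, and sets `disable_sanitize_html = true`, so anyone who can reach the `linkerd-grafana` Service on port 3000 from inside the cluster can modify dashboards and add panels containing arbitrary HTML, with no identity attached to the change. This mirrors the CLI-generated manifest, and `root_url = %(protocol)s://%(domain)s:/grafana/` suggests it is meant to be fronted by the web component, but in a Helm chart these are natural values: exposing `org_role` (defaulting to `Editor` for parity, with `Viewer` as the hardening option) and noting in values.yaml that the Service is intended to be reached only through the web proxy or behind a NetworkPolicy would let operators make that call. The hard-coded `runAsUser: 472` would also read better with a short comment identifying it as the Grafana image's user, since every other component uses `{{.ControllerUID}}`.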
@@ -0,0 +1,44 @@ +{{with .Values -}} +--- +### +### Heartbeat +### +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: heartbeat + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + schedule: "{{.HeartbeatSchedule}}" + jobTemplate: + spec: + template: + metadata: + labels: + {{.ControllerComponentLabel}}: heartbeat + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + spec: + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + args: + - "heartbeat" + - "-prometheus-url=http://linkerd-prometheus.{{.Namespace}}.svc.{{.ClusterDomain}}:9090" + - "-controller-namespace={{.Namespace}}" + - "-log-level={{.ControllerLogLevel}}" + {{- if .HeartbeatResources -}} + {{- include "partials.resources" .HeartbeatResources | nindent 12 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} +{{- end -}} diff --git a/charts/linkerd2/templates/identity-rbac.yaml b/charts/linkerd2/templates/identity-rbac.yaml new file mode 100644 index 0000000000000..4d70f95804380 --- /dev/null +++ b/charts/linkerd2/templates/identity-rbac.yaml 
@@ -0,0 +1,45 @@
+{{with .Values -}}
+{{if .Identity -}}
+---
+###
+### Identity Controller Service RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-identity
+ labels:
+ {{.ControllerComponentLabel}}: identity
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-identity
+ labels:
+ {{.ControllerComponentLabel}}: identity
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-identity
+subjects:
+- kind: ServiceAccount
+ name: linkerd-identity
+ namespace: {{.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-identity
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: identity
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/linkerd2/templates/identity.yaml b/charts/linkerd2/templates/identity.yaml
new file mode 100644
index 0000000000000..922603a96b28d
--- /dev/null
+++ b/charts/linkerd2/templates/identity.yaml
@@ -0,0 +1,125 @@ +{{with .Values -}} +{{if .Identity -}} +--- +### +### Identity Controller Service +### +{{ if .Identity.Issuer -}} +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + {{- if .Identity.Issuer.CrtExpiryAnnotation}} + {{.Identity.Issuer.CrtExpiryAnnotation}}: {{required "Please provide the identity issuer certificate expiry date" .Identity.Issuer.CrtExpiry}} + {{- end}} +data: + crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Identity.Issuer.CrtPEM)}} + key.pem: {{b64enc (required "Please provide the identity issue private key" .Identity.Issuer.KeyPEM)}} +{{- end}} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-identity" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-identity + namespace: {{.Namespace}} +spec: + replicas: {{.ControllerReplicas}} + selector: + matchLabels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include 
"partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: identity + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if .EnablePodAntiAffinity -}} + {{- $local := dict "Component" "identity" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - identity + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + {{- if .Identity.Resources -}} + {{- include "partials.resources" .Identity.Resources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} +{{end -}} +{{end -}} diff --git a/charts/linkerd2/templates/namespace.yaml b/charts/linkerd2/templates/namespace.yaml new file mode 100644 index 0000000000000..a1da0cca015ac 
--- /dev/null
+++ b/charts/linkerd2/templates/namespace.yaml
@@ -0,0 +1,15 @@
+{{with .Values -}}
+---
+###
+### Linkerd Namespace
+###
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: {{ .Namespace }}
+ annotations:
+ {{.ProxyInjectAnnotation}}: {{.ProxyInjectDisabled}}
+ labels:
+ {{.LinkerdNamespaceLabel}}: "true"
+{{- end -}}
diff --git a/charts/linkerd2/templates/prometheus-rbac.yaml b/charts/linkerd2/templates/prometheus-rbac.yaml
new file mode 100644
index 0000000000000..26e37adf1f40a
--- /dev/null
+++ b/charts/linkerd2/templates/prometheus-rbac.yaml
@@ -0,0 +1,43 @@
+{{with .Values -}}
+---
+###
+### Prometheus RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-prometheus
+ labels:
+ {{.ControllerComponentLabel}}: prometheus
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-prometheus
+ labels:
+ {{.ControllerComponentLabel}}: prometheus
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-prometheus
+subjects:
+- kind: ServiceAccount
+ name: linkerd-prometheus
+ namespace: {{.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-prometheus
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: prometheus
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{- end -}}
diff --git a/charts/linkerd2/templates/prometheus.yaml b/charts/linkerd2/templates/prometheus.yaml
new file mode 100644
index 0000000000000..f06d0bfe4a2ff
--- /dev/null
+++ b/charts/linkerd2/templates/prometheus.yaml
@@ -0,0 +1,194 @@ +{{with .Values -}} +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +data: + prometheus.yml: |- + global: + scrape_interval: 10s + scrape_timeout: 10s + evaluation_interval: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['{{.Namespace}}'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['{{.Namespace}}'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^{{default .ProxyContainerName "linkerd-proxy" .ProxyContainerName}};linkerd-admin;{{.Namespace}}$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + 
- source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +{{ if empty .Proxy.Image.Version -}} +{{ $_ := set .Proxy.Image "Version" .LinkerdVersion -}} +{{ end -}} +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-prometheus" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-prometheus + namespace: {{.Namespace}} +spec: + replicas: 1 + selector: + matchLabels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + 
{{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: prometheus + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + containers: + - args: + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + - --config.file=/etc/prometheus/prometheus.yml + - --log.level={{lower .PrometheusLogLevel}} + image: {{.PrometheusImage}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + {{- if .PrometheusResources -}} + {{- include "partials.resources" .PrometheusResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus + name: prometheus-config + readOnly: true + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} + serviceAccountName: linkerd-prometheus + volumes: + - emptyDir: {} + name: data + - configMap: + name: linkerd-prometheus-config + name: prometheus-config + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} +{{ end -}} diff --git a/charts/linkerd2/templates/proxy-injector-rbac.yaml b/charts/linkerd2/templates/proxy-injector-rbac.yaml new file mode 100644 index 0000000000000..0c5436ef91bc7 --- /dev/null +++ b/charts/linkerd2/templates/proxy-injector-rbac.yaml 
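Review bot: In the `linkerd-proxy` scrape job, `regex: ^{{default .ProxyContainerName "linkerd-proxy" .ProxyContainerName}};linkerd-admin;{{.Namespace}}$` passes three arguments to `default`; if I read Sprig's `default` correctly the first argument is the fallback and the second is the value being tested, so here the literal "linkerd-proxy" is the tested value, is never empty, and is what always renders, meaning a custom `.ProxyContainerName` never reaches the regex and such proxies would silently go unscraped. The intended form is `regex: ^{{default "linkerd-proxy" .ProxyContainerName}};linkerd-admin;{{.Namespace}}$`. Separately, `{{ $_ := set .Proxy.Image "Version" .LinkerdVersion -}}` mutates the shared `.Proxy` map that identity.yaml, proxy-injector.yaml, sp-validator.yaml and tap.yaml also read, and none of those apply this default themselves, so whether their proxy image gets a version presumably depends on the order in which Helm renders the templates; applying the default in each template (or inside the `partials.proxy` helper) would remove that coupling.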
@@ -0,0 +1,95 @@
+{{with .Values -}}
+---
+###
+### Proxy Injector RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-proxy-injector
+ labels:
+ {{.ControllerComponentLabel}}: proxy-injector
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list"]
+- apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["list", "get", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-proxy-injector
+ labels:
+ {{.ControllerComponentLabel}}: proxy-injector
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+subjects:
+- kind: ServiceAccount
+ name: linkerd-proxy-injector
+ namespace: {{.Namespace}}
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-proxy-injector
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-proxy-injector
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: proxy-injector
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: linkerd-proxy-injector-tls
+ namespace: {{ .Namespace }}
+ labels:
+ {{ .ControllerComponentLabel }}: proxy-injector
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+type: Opaque
+data:
+ {{ $ca := genCA (printf "linkerd-proxy-injector.%s.svc" .Namespace) 365 -}}
+ crt.pem: {{ b64enc $ca.Cert }}
+ key.pem: {{ b64enc $ca.Key }}
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: linkerd-proxy-injector-webhook-config
+ labels:
+ {{.ControllerComponentLabel}}: proxy-injector
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+webhooks:
+- name: 
linkerd-proxy-injector.linkerd.io
+ namespaceSelector:
+ matchExpressions:
+ - key: linkerd.io/is-control-plane
+ operator: DoesNotExist
+ clientConfig:
+ service:
+ name: linkerd-proxy-injector
+ namespace: {{ .Namespace }}
+ path: "/"
+ caBundle: {{ b64enc $ca.Cert }}
+ failurePolicy: {{.WebhookFailurePolicy}}
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ {{- if not .OmitWebhookSideEffects }}
+ sideEffects: None
+ {{- end -}}
+{{end -}}
diff --git a/charts/linkerd2/templates/proxy-injector.yaml b/charts/linkerd2/templates/proxy-injector.yaml
new file mode 100644
index 0000000000000..4129969f5c500
--- /dev/null
+++ b/charts/linkerd2/templates/proxy-injector.yaml
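Review bot: `{{ $ca := genCA (printf "linkerd-proxy-injector.%s.svc" .Namespace) 365 -}}` mints a fresh self-signed CA and serving key on every render, and nothing in the chart rotates it before the 365-day validity ends, so each `helm upgrade` replaces the key and `caBundle` together while an install that is never upgraded silently expires after a year; a comment above that line stating both facts (and that rendering twice, e.g. with `helm template`, yields two different CAs that must be applied as a unit) would save operators a debugging session. sp-validator-rbac.yaml and tap-rbac.yaml carry the same pattern, and in all three the generated private key is written into the Secret and presumably also retained in Helm's release record, which is worth noting in the same comment. The `namespaceSelector` hard-codes `key: linkerd.io/is-control-plane` while namespace.yaml labels the control-plane namespace through `{{.LinkerdNamespaceLabel}}`; if those are meant to be the same key, use the variable here so the webhook's exclusion of the control-plane namespace cannot drift from the label that namespace actually carries.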
@@ -0,0 +1,105 @@ +{{with .Values -}} +--- +### +### Proxy Injector +### +--- +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-proxy-injector" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-proxy-injector + namespace: {{.Namespace}} +spec: + replicas: {{.ControllerReplicas}} + selector: + matchLabels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if .EnablePodAntiAffinity -}} + {{- $local := dict "Component" "proxy-injector" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - proxy-injector + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} + imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + {{- if .ProxyInjectorResources -}} + {{- include "partials.resources" .ProxyInjectorResources | nindent 8 }} + {{- end }} + securityContext: + 
runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - name: tls + secret: + secretName: linkerd-proxy-injector-tls + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: proxy-injector + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +{{- end -}} diff --git a/charts/linkerd2/templates/psp.yaml b/charts/linkerd2/templates/psp.yaml new file mode 100644 index 0000000000000..f89d2c518de9f --- /dev/null +++ b/charts/linkerd2/templates/psp.yaml 
@@ -0,0 +1,115 @@
+{{with .Values -}}
+---
+###
+### Control Plane PSP
+###
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: linkerd-{{.Namespace}}-control-plane
+ labels:
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+spec:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ {{- if empty .NoInitContainer }}
+ allowedCapabilities:
+ - NET_ADMIN
+ - NET_RAW
+ {{- end}}
+ requiredDropCapabilities:
+ - ALL
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ seLinux:
+ rule: RunAsAny
+ runAsUser:
+ {{- if .NoInitContainer }}
+ rule: MustRunAsNonRoot
+ {{- else }}
+ rule: RunAsAny
+ {{- end }}
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ {{- if .NoInitContainer }}
+ - min: 10001
+ max: 65535
+ {{- else }}
+ - min: 1
+ max: 65535
+ {{- end }}
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ {{- if .NoInitContainer }}
+ - min: 10001
+ max: 65535
+ {{- else }}
+ - min: 1
+ max: 65535
+ {{- end }}
+ volumes:
+ - configMap
+ - emptyDir
+ - secret
+ - projected
+ - downwardAPI
+ - persistentVolumeClaim
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: linkerd-psp
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: ['policy', 'extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - linkerd-{{.Namespace}}-control-plane
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: linkerd-psp
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ kind: Role
+ name: linkerd-psp
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: linkerd-controller
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-grafana
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-heartbeat
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-identity
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-prometheus
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-proxy-injector
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-sp-validator
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+- kind: ServiceAccount
+ name: linkerd-web
+ namespace: {{.Namespace}}
+{{- end -}}
diff --git a/charts/linkerd2/templates/serviceprofile-crd.yaml b/charts/linkerd2/templates/serviceprofile-crd.yaml
new file mode 100644
index 0000000000000..8ef4fff8c31b1
--- /dev/null
+++ b/charts/linkerd2/templates/serviceprofile-crd.yaml
@@ -0,0 +1,31 @@
+{{with .Values -}}
+---
+###
+### Service Profile CRD
+###
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: serviceprofiles.linkerd.io
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+ labels:
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+spec:
+ group: linkerd.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: false
+ - name: v1alpha2
+ served: true
+ storage: true
+ scope: Namespaced
+ names:
+ plural: serviceprofiles
+ singular: serviceprofile
+ kind: ServiceProfile
+ shortNames:
+ - sp
+{{- end -}}
diff --git a/charts/linkerd2/templates/sp-validator-rbac.yaml b/charts/linkerd2/templates/sp-validator-rbac.yaml
new file mode 100644
index 0000000000000..7792a503c3fae
--- /dev/null
+++ b/charts/linkerd2/templates/sp-validator-rbac.yaml
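Review bot: The `linkerd-psp` RoleBinding lists `linkerd-identity` unconditionally, but identity-rbac.yaml only creates that ServiceAccount under `{{if .Identity -}}`, so with identity disabled the binding names a subject that does not exist; wrapping that subject in the same condition keeps the two templates consistent. Under `runAsUser:`, the `{{- else }}` branch selects `RunAsAny` (and `min: 1` for `supplementalGroups`/`fsGroup`) for every control-plane pod whenever an init container is in use, even though every application container in these templates pins `runAsUser`; presumably only the proxy-init container, which is not visible in this hunk, needs root, so a comment such as `# proxy-init needs root; every other control-plane container sets runAsUser explicitly` above that branch would document why the policy is wider than the pods themselves appear to require.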
@@ -0,0 +1,85 @@
+{{with .Values -}}
+---
+###
+### Service Profile Validator RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-sp-validator
+ labels:
+ {{.ControllerComponentLabel}}: sp-validator
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-sp-validator
+ labels:
+ {{.ControllerComponentLabel}}: sp-validator
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+subjects:
+- kind: ServiceAccount
+ name: linkerd-sp-validator
+ namespace: {{.Namespace}}
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-sp-validator
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-sp-validator
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: sp-validator
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: linkerd-sp-validator-tls
+ namespace: {{ .Namespace }}
+ labels:
+ {{.ControllerComponentLabel}}: sp-validator
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+type: Opaque
+data:
+ {{ $ca := genCA (printf "linkerd-sp-validator.%s.svc" .Namespace) 365 -}}
+ crt.pem: {{ b64enc $ca.Cert }}
+ key.pem: {{ b64enc $ca.Key }}
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: linkerd-sp-validator-webhook-config
+ labels:
+ {{.ControllerComponentLabel}}: sp-validator
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+webhooks:
+- name: linkerd-sp-validator.linkerd.io
+ clientConfig:
+ service:
+ name: linkerd-sp-validator
+ namespace: {{ .Namespace }}
+ path: "/"
+ caBundle: {{ b64enc $ca.Cert }}
+ failurePolicy: 
{{.WebhookFailurePolicy}}
+ rules:
+ - operations: [ "CREATE" , "UPDATE" ]
+ apiGroups: ["linkerd.io"]
+ apiVersions: ["v1alpha1", "v1alpha2"]
+ resources: ["serviceprofiles"]
+ {{- if not .OmitWebhookSideEffects }}
+ sideEffects: None
+ {{- end -}}
+{{end -}}
diff --git a/charts/linkerd2/templates/sp-validator.yaml b/charts/linkerd2/templates/sp-validator.yaml
new file mode 100644
index 0000000000000..85a2901ba5f42
--- /dev/null
+++ b/charts/linkerd2/templates/sp-validator.yaml
@@ -0,0 +1,100 @@ +{{with .Values -}} +--- +### +### Service Profile Validator +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: {{.Namespace}} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} +spec: + type: ClusterIP + selector: + {{.ControllerComponentLabel}}: sp-validator + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +{{ $_ := set .Proxy "WorkloadKind" "deployment" -}} +{{ $_ := set .Proxy "Component" "linkerd-sp-validator" -}} +{{ include "linkerd.proxy.validation" .Proxy -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + name: linkerd-sp-validator + namespace: {{.Namespace}} +spec: + replicas: {{.ControllerReplicas}} + selector: + matchLabels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 6}} + template: + metadata: + annotations: + {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} + {{- include "partials.proxy.annotations" .Proxy| nindent 8}} + labels: + {{.ControllerComponentLabel}}: sp-validator + {{.ControllerNamespaceLabel}}: {{.Namespace}} + {{- include "partials.proxy.labels" .Proxy | nindent 8}} + spec: + {{- if .EnablePodAntiAffinity -}} + {{- $local := dict "Component" "sp-validator" "Label" .ControllerComponentLabel -}} + {{- include "linkerd.pod-affinity" $local | nindent 6 -}} + {{- end }} + containers: + - args: + - sp-validator + - -log-level={{.ControllerLogLevel}} + image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}} + 
imagePullPolicy: {{.ImagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + {{- if .SPValidatorResources -}} + {{- include "partials.resources" .SPValidatorResources | nindent 8 }} + {{- end }} + securityContext: + runAsUser: {{.ControllerUID}} + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }} + serviceAccountName: linkerd-sp-validator + volumes: + - name: tls + secret: + secretName: linkerd-sp-validator-tls + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}} +{{end -}} diff --git a/charts/linkerd2/templates/tap-rbac.yaml b/charts/linkerd2/templates/tap-rbac.yaml new file mode 100644 index 0000000000000..2e241804e2567 --- /dev/null +++ b/charts/linkerd2/templates/tap-rbac.yaml 
@@ -0,0 +1,115 @@
+{{with .Values -}}
+---
+###
+### Tap RBAC
+###
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-tap
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services", "replicationcontrollers", "namespaces"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["extensions", "batch"]
+ resources: ["jobs"]
+ verbs: ["list" , "get", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: linkerd-{{.Namespace}}-tap
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: linkerd-{{.Namespace}}-tap
+subjects:
+- kind: ServiceAccount
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: linkerd-{{.Namespace}}-tap-auth-delegator
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: linkerd-{{.Namespace}}-tap-auth-reader
+ namespace: kube-system
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: 
extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: linkerd-tap-tls
+ namespace: {{ .Namespace }}
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{ .CreatedByAnnotation }}: {{ .CliVersion }}
+type: Opaque
+data:
+ {{ $ca := genCA (printf "linkerd-tap.%s.svc" .Namespace) 365 -}}
+ crt.pem: {{ b64enc $ca.Cert }}
+ key.pem: {{ b64enc $ca.Key }}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.tap.linkerd.io
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+spec:
+ group: tap.linkerd.io
+ version: v1alpha1
+ groupPriorityMinimum: 1000
+ versionPriority: 100
+ service:
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+ caBundle: {{ b64enc $ca.Cert }}
+{{end -}}
diff --git a/charts/linkerd2/templates/tap.yaml b/charts/linkerd2/templates/tap.yaml
new file mode 100644
index 0000000000000..7468e2f1ba8a6
--- /dev/null
+++ b/charts/linkerd2/templates/tap.yaml
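Review bot: The `linkerd-tap-tls` Secret's annotation `{{ .CreatedByAnnotation }}: {{ .CliVersion }}` is the only one in this chart without the `default (printf "linkerd/helm %s" .LinkerdVersion)` fallback; on a Helm-only install `.CliVersion` is presumably unset, which would render an empty (null) annotation value that the API server is likely to reject, so change it to `{{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}` as the other templates do. The APIService `caBundle` and the serving key come from the same render-time `genCA`, so the regeneration-on-upgrade and 365-day lifetime caveats raised for proxy-injector-rbac.yaml apply here as well and deserve the same comment above the `genCA` line.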
@@ -0,0 +1,106 @@
+{{with .Values -}}
+---
+###
+### Tap
+###
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+spec:
+ type: ClusterIP
+ selector:
+ {{.ControllerComponentLabel}}: tap
+ ports:
+ - name: grpc
+ port: 8088
+ targetPort: 8088
+ - name: apiserver
+ port: 443
+ targetPort: apiserver
+---
+{{ $_ := set .Proxy "WorkloadKind" "deployment" -}}
+{{ $_ := set .Proxy "Component" "linkerd-tap" -}}
+{{ include "linkerd.proxy.validation" .Proxy -}}
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ name: linkerd-tap
+ namespace: {{.Namespace}}
+spec:
+ replicas: {{.ControllerReplicas}}
+ selector:
+ matchLabels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ {{- include "partials.proxy.labels" .Proxy | nindent 6}}
+ template:
+ metadata:
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+ {{- include "partials.proxy.annotations" .Proxy| nindent 8}}
+ labels:
+ {{.ControllerComponentLabel}}: tap
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ {{- include "partials.proxy.labels" .Proxy | nindent 8}}
+ spec:
+ {{- if .EnablePodAntiAffinity -}}
+ {{- $local := dict "Component" "tap" "Label" .ControllerComponentLabel -}}
+ {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
+ {{- end }}
+ containers:
+ - args:
+ - tap
+ - -controller-namespace={{.Namespace}}
+ - -log-level={{.ControllerLogLevel}}
+ image: {{.ControllerImage}}:{{default .LinkerdVersion .ControllerImageVersion}}
+ imagePullPolicy: {{.ImagePullPolicy}}
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9998
+ initialDelaySeconds: 10
+ name: tap
+ ports:
+ - containerPort: 8088
+ name: grpc
+ - containerPort: 8089
+ name: apiserver
+ - containerPort: 9998
+ name: admin-http
+ readinessProbe:
+ failureThreshold: 7
+ httpGet:
+ path: /ready
+ port: 9998
+ {{- if .TapResources -}}
+ {{- include "partials.resources" .TapResources | nindent 8 }}
+ {{- end }}
+ securityContext:
+ runAsUser: {{.ControllerUID}}
+ volumeMounts:
+ - mountPath: /var/run/linkerd/tls
+ name: tls
+ readOnly: true
+ - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }}
+ initContainers:
+ - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }}
+ serviceAccountName: linkerd-tap
+ volumes:
+ - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
+ - name: tls
+ secret:
+ secretName: linkerd-tap-tls
+{{- end -}}
diff --git a/charts/linkerd2/templates/trafficsplit-crd.yaml b/charts/linkerd2/templates/trafficsplit-crd.yaml
new file mode 100644
index 0000000000000..12009f495ce4f
--- /dev/null
+++ b/charts/linkerd2/templates/trafficsplit-crd.yaml
@@ -0,0 +1,31 @@
+{{with .Values -}}
+---
+###
+### TrafficSplit CRD
+### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml
+###
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: trafficsplits.split.smi-spec.io
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+ labels:
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+spec:
+ group: split.smi-spec.io
+ version: v1alpha1
+ scope: Namespaced
+ names:
+ kind: TrafficSplit
+ shortNames:
+ - ts
+ plural: trafficsplits
+ singular: trafficsplit
+ additionalPrinterColumns:
+ - name: Service
+ type: string
+ description: The apex service of this split.
+ JSONPath: .spec.service
+{{- end -}}
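Review bot: The `tap` container's `securityContext` sets only `runAsUser`, whereas the sidecar rendered by `partials.proxy` into the same pod also sets `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; the `web` container in web.yaml has the same gap. If the tap binary does not need a writable root filesystem, adding `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` under `securityContext:` brings the control-plane containers to the proxy's baseline. If the minimal context deliberately mirrors the CLI output, a one-line comment saying so would save the next reader the question.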
diff --git a/charts/linkerd2/templates/web-rbac.yaml b/charts/linkerd2/templates/web-rbac.yaml
new file mode 100644
index 0000000000000..32b6a3b39859f
--- /dev/null
+++ b/charts/linkerd2/templates/web-rbac.yaml
@@ -0,0 +1,15 @@
+{{with .Values -}}
+---
+###
+### Web RBAC
+###
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: linkerd-web
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: web
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+{{- end -}}
diff --git a/charts/linkerd2/templates/web.yaml b/charts/linkerd2/templates/web.yaml
new file mode 100644
index 0000000000000..49b379d51deee
--- /dev/null
+++ b/charts/linkerd2/templates/web.yaml
@@ -0,0 +1,100 @@
+{{with .Values -}}
+---
+###
+### Web
+###
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: linkerd-web
+ namespace: {{.Namespace}}
+ labels:
+ {{.ControllerComponentLabel}}: web
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+spec:
+ type: ClusterIP
+ selector:
+ {{.ControllerComponentLabel}}: web
+ ports:
+ - name: http
+ port: 8084
+ targetPort: 8084
+ - name: admin-http
+ port: 9994
+ targetPort: 9994
+---
+{{ $_ := set .Proxy "WorkloadKind" "deployment" -}}
+{{ $_ := set .Proxy "Component" "linkerd-web" -}}
+{{ include "linkerd.proxy.validation" .Proxy -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+ labels:
+ {{.ControllerComponentLabel}}: web
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ name: linkerd-web
+ namespace: {{.Namespace}}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{.ControllerComponentLabel}}: web
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ {{- include "partials.proxy.labels" .Proxy | nindent 6}}
+ template:
+ metadata:
+ annotations:
+ {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}}
+ {{- include "partials.proxy.annotations" .Proxy| nindent 8}}
+ labels:
+ {{.ControllerComponentLabel}}: web
+ {{.ControllerNamespaceLabel}}: {{.Namespace}}
+ {{- include "partials.proxy.labels" .Proxy | nindent 8}}
+ spec:
+ containers:
+ - args:
+ - -api-addr=linkerd-controller-api.{{.Namespace}}.svc.{{.ClusterDomain}}:8085
+ - -grafana-addr=linkerd-grafana.{{.Namespace}}.svc.{{.ClusterDomain}}:3000
+ - -controller-namespace={{.Namespace}}
+ - -log-level={{.ControllerLogLevel}}
+ image: {{.WebImage}}:{{default .LinkerdVersion .WebImageVersion}}
+ imagePullPolicy: {{.ImagePullPolicy}}
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 9994
+ initialDelaySeconds: 10
+ name: web
+ ports:
+ - containerPort: 8084
+ name: http
+ - containerPort: 9994
+ name: admin-http
+ readinessProbe:
+ failureThreshold: 7
+ httpGet:
+ path: /ready
+ port: 9994
+ {{- if .WebResources -}}
+ {{- include "partials.resources" .WebResources | nindent 8 }}
+ {{- end }}
+ securityContext:
+ runAsUser: {{.ControllerUID}}
+ volumeMounts:
+ - mountPath: /var/run/linkerd/config
+ name: config
+ - {{- include "partials.proxy" . | indent 8 | trimPrefix (repeat 7 " ") }}
+ initContainers:
+ - {{- include "partials.proxy-init" . | indent 8 | trimPrefix (repeat 7 " ") }}
+ serviceAccountName: linkerd-web
+ volumes:
+ - configMap:
+ name: linkerd-config
+ name: config
+ - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") -}}
+{{end -}}
diff --git a/charts/linkerd2/values-ha.yaml b/charts/linkerd2/values-ha.yaml
new file mode 100644
index 0000000000000..05bd5ab74ae24
--- /dev/null
+++ b/charts/linkerd2/values-ha.yaml
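Review bot: `replicas: 1` is hard-coded and there is no `EnablePodAntiAffinity` block, whereas tap.yaml in the same commit reads `{{.ControllerReplicas}}` and includes `linkerd.pod-affinity`, so with values-ha.yaml applied the web deployment stays single-replica and unconstrained. If that is intended (the dashboard is not on the data path), a comment such as `# web stays single-replica even in HA mode; it is not on the request path` above `replicas: 1` would make it explicit; otherwise use `{{.ControllerReplicas}}` and the same anti-affinity include as tap.yaml.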
@@ -0,0 +1,63 @@
+# This values.yaml file contains the values needed to enable HA mode.
+# Usage:
+# helm install -f values.yaml -f values-ha.yaml
+
+EnablePodAntiAffinity: true
+
+# controller configuration
+ControllerReplicas: 3
+ControllerResources: &controller_resources
+ CPU: &controller_resources_cpu
+ Limit: "1"
+ Request: 100m
+ Memory:
+ Limit: 250Mi
+ Request: 50Mi
+DestinationResources: *controller_resources
+PublicAPIResources: *controller_resources
+
+# identity configuration
+Identity:
+ Resources:
+ CPU: *controller_resources_cpu
+ Memory:
+ Limit: 250Mi
+ Request: 10Mi
+
+# grafana configuration
+GrafanaResources: *controller_resources
+
+# heartbeat configuration
+HeartbeatResources: *controller_resources
+
+# prometheus configuration
+PrometheusResources:
+ CPU:
+ Limit: "4"
+ Request: 300m
+ Memory:
+ Limit: 8192Mi
+ Request: 300Mi
+
+# proxy configuration
+Proxy:
+ Resources:
+ CPU:
+ Limit: "1"
+ Request: 100m
+ Memory:
+ Limit: 250Mi
+ Request: 20Mi
+
+# proxy injector configuration
+ProxyInjectorResources: *controller_resources
+WebhookFailurePolicy: Fail
+
+# service profile validator configuration
+SPValidatorResources: *controller_resources
+
+# tap configuration
+TapResources: *controller_resources
+
+# web configuration
+WebResources: *controller_resources
diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml
new file mode 100644
index 0000000000000..be57b65ce8abd
--- /dev/null
+++ b/charts/linkerd2/values.yaml
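Review bot: The resource blocks are shared through YAML anchors (`&controller_resources`, `*controller_resources`, `&controller_resources_cpu`), the very pattern the commit message says gets out of sync with `--set`: aliases are expanded when the file is parsed, so `--set ControllerResources.CPU.Limit=2` changes only `ControllerResources` and leaves `DestinationResources`, `TapResources` and the other aliases at the file's value. The same pattern in values.yaml is more consequential, because `Identity.TrustDomain: *cluster_domain` and `Proxy.Image.Version: *linkerd_version` are copies too: overriding `ClusterDomain` with `--set` leaves the trust domain used in the proxies' identity names at `cluster.local`, and overriding `LinkerdVersion` does not move the proxy version. Either spell the values out per key, or add a comment at the top of both files, e.g. `# NOTE: anchors (&name/*name) are expanded at parse time; --set on the anchor source does not propagate to its aliases`.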
@@ -0,0 +1,105 @@
+# Default values for linkerd.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+ClusterDomain: &cluster_domain cluster.local
+EnableH2Upgrade: true
+EnablePodAntiAffinity: false
+ImagePullPolicy: &image_pull_policy IfNotPresent
+
+# control plane version. See Proxy section for proxy version
+LinkerdVersion: &linkerd_version edge-19.8.1
+
+Namespace: linkerd
+OmitWebhookSideEffects: false
+WebhookFailurePolicy: Ignore
+
+# controller configuration
+ControllerImage: gcr.io/linkerd-io/controller
+ControllerLogLevel: &controller_log_level info
+ControllerReplicas: 1
+ControllerUID: 2103
+
+# identity configuration
+Identity:
+ Issuer:
+ ClockSkewAllowance: 20s
+
+ # PEM-encoded certificate
+ CrtPEM: |
+
+ # must match the expiry date in CrtPEM
+ CrtExpiry:
+
+ # control plane annotation - do not edit
+ CrtExpiryAnnotation: linkerd.io/identity-issuer-expiry
+
+ IssuanceLifeTime: 86400s
+
+ # PEM-encoded ECDSA private key
+ KeyPEM: |
+
+ TrustAnchorsPEM: |
+
+ TrustDomain: *cluster_domain
+
+# grafana configuration
+GrafanaImage: gcr.io/linkerd-io/grafana
+
+# heartbeat configuration
+HeartbeatSchedule: "0 0 * * * "
+
+# prometheus configuration
+PrometheusImage: prom/prometheus:v2.11.1
+PrometheusLogLevel: *controller_log_level
+
+# proxy configuration
+Proxy:
+ EnableExternalProfile: false
+ Image:
+ Name: gcr.io/linkerd-io/proxy
+ PullPolicy: *image_pull_policy
+ Version: *linkerd_version
+ LogLevel: warn,linkerd2_proxy=info
+ Ports:
+ Admin: 4191
+ Control: 4190
+ Inbound: 4143
+ Outbound: 4140
+ Resources:
+ CPU:
+ Limit: ""
+ Request: ""
+ Memory:
+ Limit: ""
+ Request: ""
+ UID: 2102
+
+# proxy-init configuration
+ProxyInit:
+ IgnoreInboundPorts: ""
+ IgnoreOutboundPorts: ""
+ Image:
+ Name: gcr.io/linkerd-io/proxy-init
+ PullPolicy: *image_pull_policy
+ Version: v1.0.0
+ Resources:
+ CPU:
+ Limit: 100m
+ Request: 10m
+ Memory:
+ Limit: 50Mi
+ Request: 10Mi
+
+# web configuration
+WebImage: gcr.io/linkerd-io/web
+
+# control plane annotations - do not edit
+CreatedByAnnotation: linkerd.io/created-by
+ProxyInjectAnnotation: linkerd.io/inject
+ProxyInjectDisabled: disabled
+
+# control plane labels - do not edit
+ControllerComponentLabel: linkerd.io/control-plane-component
+ControllerNamespaceLabel: linkerd.io/control-plane-ns
+LinkerdNamespaceLabel: linkerd.io/is-control-plane
diff --git a/charts/partials/.helmignore b/charts/partials/.helmignore
new file mode 100644
index 0000000000000..f0c1319444416
--- /dev/null
+++ b/charts/partials/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/partials/Chart.yaml b/charts/partials/Chart.yaml
new file mode 100644
index 0000000000000..3a753e689f302
--- /dev/null
+++ b/charts/partials/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: stable-2.4.0
+description: A Helm chart containing Linkerd partial templates, depended by the 'linkerd' and 'patch' charts.
+name: partials
+version: 0.1.0
diff --git a/charts/partials/templates/NOTES.txt b/charts/partials/templates/NOTES.txt
new file mode 100644
index 0000000000000..e69de29bb2d1d
diff --git a/charts/partials/templates/_capabilities.tpl b/charts/partials/templates/_capabilities.tpl
new file mode 100644
index 0000000000000..49d47fe542222
--- /dev/null
+++ b/charts/partials/templates/_capabilities.tpl
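Review bot: `Identity.Issuer.KeyPEM` (together with `CrtPEM` and `TrustAnchorsPEM`) is a plain Helm value, so whatever is supplied at install time is persisted in the release record; with Helm 2's default storage driver, which this commit targets (Tiller is mentioned in the description), that record is an unencrypted ConfigMap in Tiller's namespace, and the value is also returned by `helm get values`. That property belongs next to the key, e.g. `# NOTE: this private key is stored in the Helm release record (a ConfigMap under Tiller's default storage driver) and returned by 'helm get values'`. Whether the issuer key should be passed as a value at all, rather than the chart referencing a pre-created Secret, is worth a short design note in the chart README or NOTES.txt.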
@@ -0,0 +1,16 @@
+{{- define "partials.proxy.capabilities" -}}
+capabilities:
+ {{- if .Capabilities.Add }}
+ add:
+ {{- toYaml .Capabilities.Add | trim | nindent 4 }}
+ {{- end }}
+ {{- if .Capabilities.Drop }}
+ drop:
+ {{- toYaml .Capabilities.Drop | trim | nindent 4 }}
+ {{- end }}
+{{- end -}}
+
+{{- define "partials.proxy-init.capabilities.drop" -}}
+drop:
+{{ toYaml .Capabilities.Drop | trim }}
+{{- end -}}
diff --git a/charts/partials/templates/_debug.tpl b/charts/partials/templates/_debug.tpl
new file mode 100644
index 0000000000000..5e984c8842176
--- /dev/null
+++ b/charts/partials/templates/_debug.tpl
@@ -0,0 +1,6 @@
+{{- define "partials.debug" -}}
+image: {{.Image.Name}}:{{.Image.Version}}
+imagePullPolicy: {{.Image.PullPolicy}}
+name: linkerd-debug
+terminationMessagePolicy: FallbackToLogsOnError
+{{- end -}}
diff --git a/charts/partials/templates/_helpers.tpl b/charts/partials/templates/_helpers.tpl
new file mode 100644
index 0000000000000..77a242db1eceb
--- /dev/null
+++ b/charts/partials/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "partials.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "partials.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "partials.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/partials/templates/_metadata.tpl b/charts/partials/templates/_metadata.tpl
new file mode 100644
index 0000000000000..0ccff6b2c8f16
--- /dev/null
+++ b/charts/partials/templates/_metadata.tpl
@@ -0,0 +1,8 @@
+{{- define "partials.proxy.annotations" -}}
+linkerd.io/identity-mode: {{ternary "default" "disabled" (not .DisableIdentity)}}
+linkerd.io/proxy-version: {{.Image.Version}}
+{{- end -}}
+
+{{- define "partials.proxy.labels" -}}
+linkerd.io/proxy-{{.WorkloadKind}}: {{.Component}}
+{{- end -}}
diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl
new file mode 100644
index 0000000000000..39dd27093f2e9
--- /dev/null
+++ b/charts/partials/templates/_proxy-init.tpl
@@ -0,0 +1,46 @@
+{{- define "partials.proxy-init" -}}
+args:
+- --incoming-proxy-port
+- {{.Proxy.Ports.Inbound | quote}}
+- --outgoing-proxy-port
+- {{.Proxy.Ports.Outbound | quote}}
+- --proxy-uid
+- {{.Proxy.UID | quote}}
+- --inbound-ports-to-ignore
+- {{.Proxy.Ports.Control}},{{.Proxy.Ports.Admin}}{{ternary (printf ",%s" .ProxyInit.IgnoreInboundPorts) "" (not (empty .ProxyInit.IgnoreInboundPorts)) }}
+{{- if hasPrefix "linkerd-" .Proxy.Component }}
+- --outbound-ports-to-ignore
+- {{ternary (printf "443,%s" .ProxyInit.IgnoreOutboundPorts) (quote "443") (not (empty .ProxyInit.IgnoreOutboundPorts)) }}
+{{- else if .ProxyInit.IgnoreOutboundPorts }}
+- --outbound-ports-to-ignore
+- {{.ProxyInit.IgnoreOutboundPorts | quote}}
+{{- end }}
+image: {{.ProxyInit.Image.Name}}:{{.ProxyInit.Image.Version}}
+imagePullPolicy: {{.ProxyInit.Image.PullPolicy}}
+name: linkerd-init
+{{ include "partials.resources" .ProxyInit.Resources }}
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ {{- if .ProxyInit.Capabilities -}}
+ {{- if .ProxyInit.Capabilities.Add }}
+ {{- toYaml .ProxyInit.Capabilities.Add | trim | nindent 4 }}
+ {{- end }}
+ {{- if .ProxyInit.Capabilities.Drop -}}
+ {{- include "partials.proxy-init.capabilities.drop" .ProxyInit | nindent 4 -}}
+ {{- end }}
+ {{- end }}
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: false
+ runAsUser: 0
+terminationMessagePolicy: FallbackToLogsOnError
+{{- if .ProxyInit.SAMountPath }}
+volumeMounts:
+- mountPath:{{.Proxy.SAMountPath.MountPath}}
+ name:{{.Proxy.SAMountPath.Name}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
new file mode 100644
index 0000000000000..ab947da0d7ec5
--- /dev/null
+++ b/charts/partials/templates/_proxy.tpl
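Review bot: The trailing `volumeMounts` block is guarded by `{{- if .ProxyInit.SAMountPath }}` but reads `.Proxy.SAMountPath.MountPath` and `.Proxy.SAMountPath.Name`, so the guard and the values come from different objects and one of them is presumably a typo; in addition `mountPath:{{...}}` and `name:{{...}}` have no space after the colon, which YAML parses as a plain scalar rather than a key/value pair, so the entry is not rendered as a mount object. The `SAMountPath` block at the end of _proxy.tpl has the same missing space. Use one object for both the guard and the values and write `- mountPath: {{.ProxyInit.SAMountPath.MountPath}}` / `  name: {{.ProxyInit.SAMountPath.Name}}` (or the `.Proxy.` form throughout, matching _proxy.tpl).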
@@ -0,0 +1,108 @@
+{{ define "partials.proxy" -}}
+env:
+- name: LINKERD2_PROXY_LOG
+ value: {{.Proxy.LogLevel}}
+- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
+ value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .Namespace .ClusterDomain) (eq .Proxy.Component "linkerd-controller")}}
+- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
+ value: 0.0.0.0:{{.Proxy.Ports.Control}}
+- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
+ value: 0.0.0.0:{{.Proxy.Ports.Admin}}
+- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
+ value: 127.0.0.1:{{.Proxy.Ports.Outbound}}
+- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
+ value: 0.0.0.0:{{.Proxy.Ports.Inbound}}
+- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
+ {{- $internalProfileSuffix := printf "svc.%s." .ClusterDomain }}
+ value: {{ternary "." $internalProfileSuffix .Proxy.EnableExternalProfile}}
+- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
+ value: 10000ms
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
+ value: 10000ms
+- name: _pod_ns
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+- name: LINKERD2_PROXY_DESTINATION_CONTEXT
+ value: ns:$(_pod_ns)
+{{ if eq .Proxy.Component "linkerd-prometheus" -}}
+- name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY
+ value: "10000"
+{{ end -}}
+{{ if .Proxy.DisableIdentity -}}
+- name: LINKERD2_PROXY_IDENTITY_DISABLED
+ value: disabled
+{{ else -}}
+- name: LINKERD2_PROXY_IDENTITY_DIR
+ value: /var/run/linkerd/identity/end-entity
+- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
+ value: |
+ {{- required "Please provide the identity trust anchors" .Identity.TrustAnchorsPEM | trim | nindent 4 }}
+- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
+ value: /var/run/secrets/kubernetes.io/serviceaccount/token
+- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
+ {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .Namespace .ClusterDomain }}
+ value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Proxy.Component "linkerd-identity")}}
+- name: _pod_sa
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+- name: _l5d_ns
+ value: {{.Namespace}}
+- name: _l5d_trustdomain
+ value: {{.Identity.TrustDomain}}
+- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
+ value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
+ value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
+ value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+{{ end -}}
+{{ if .Proxy.DisableTap -}}
+- name: LINKERD2_PROXY_TAP_DISABLED
+ value: "true"
+{{ else -}}
+- name: LINKERD2_PROXY_TAP_SVC_NAME
+ value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
+{{ end -}}
+image: {{.Proxy.Image.Name}}:{{.Proxy.Image.Version}}
+imagePullPolicy: {{.Proxy.Image.PullPolicy}}
+livenessProbe:
+ httpGet:
+ path: /metrics
+ port: {{.Proxy.Ports.Admin}}
+ initialDelaySeconds: 10
+name: linkerd-proxy
+ports:
+- containerPort: {{.Proxy.Ports.Inbound}}
+ name: linkerd-proxy
+- containerPort: {{.Proxy.Ports.Admin}}
+ name: linkerd-admin
+readinessProbe:
+ httpGet:
+ path: /ready
+ port: {{.Proxy.Ports.Admin}}
+ initialDelaySeconds: 2
+{{- if .Proxy.Resources }}
+{{ include "partials.resources" .Proxy.Resources }}
+{{- end }}
+securityContext:
+ allowPrivilegeEscalation: false
+ {{- if .Proxy.Capabilities -}}
+ {{- include "partials.proxy.capabilities" .Proxy | nindent 2 -}}
+ {{- end }}
+ readOnlyRootFilesystem: true
+ runAsUser: {{.Proxy.UID}}
+terminationMessagePolicy: FallbackToLogsOnError
+{{- if or (not .Proxy.DisableIdentity) (.Proxy.SAMountPath) }}
+volumeMounts:
+{{- if not .Proxy.DisableIdentity }}
+- mountPath: /var/run/linkerd/identity/end-entity
+ name: linkerd-identity-end-entity
+{{- end -}}
+{{- if .Proxy.SAMountPath }}
+- mountPath:{{.Proxy.SAMountPath.MountPath}}
+ name:{{.Proxy.SAMountPath.Name}}
+{{- end -}}
+{{- end -}}
+{{- end }}
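Review bot: `LINKERD2_PROXY_TAP_SVC_NAME` in the `DisableTap` else-branch expands `$(_l5d_ns)` and `$(_l5d_trustdomain)`, but both env vars are defined only inside the identity-enabled branch above; for an injected workload with identity disabled and tap left enabled, Kubernetes leaves undefined `$(...)` references as literal text, so the proxy would receive `linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)`. Unless the proxy ignores that variable whenever identity is off, move the `_l5d_ns` and `_l5d_trustdomain` entries out of the `{{ if .Proxy.DisableIdentity -}}` block (next to `_pod_ns`), or make the tap branch additionally conditional on identity being enabled. A comment above the tap block stating which of the two it relies on would also help, since the validation mentioned in the commit description covers control-plane components only.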
diff --git a/charts/partials/templates/_resources.tpl b/charts/partials/templates/_resources.tpl
new file mode 100644
index 0000000000000..3aa24b9433a0c
--- /dev/null
+++ b/charts/partials/templates/_resources.tpl
@@ -0,0 +1,21 @@
+{{- define "partials.resources" -}}
+resources:
+ {{- if or .CPU.Limit .Memory.Limit }}
+ limits:
+ {{- with .CPU.Limit }}
+ cpu: {{. | quote}}
+ {{- end }}
+ {{- with .Memory.Limit }}
+ memory: {{. | quote}}
+ {{- end }}
+ {{- end }}
+ {{- if or .CPU.Request .Memory.Request }}
+ requests:
+ {{- with .CPU.Request }}
+ cpu: {{. | quote}}
+ {{- end }}
+ {{- with .Memory.Request }}
+ memory: {{. | quote}}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/partials/templates/_volumes.tpl b/charts/partials/templates/_volumes.tpl
new file mode 100644
index 0000000000000..9162167164c50
--- /dev/null
+++ b/charts/partials/templates/_volumes.tpl
@@ -0,0 +1,5 @@
+{{ define "partials.proxy.volumes.identity" -}}
+emptyDir:
+ medium: Memory
+name: linkerd-identity-end-entity
+{{- end -}}
diff --git a/charts/partials/values.yaml b/charts/partials/values.yaml
new file mode 100644
index 0000000000000..e69de29bb2d1d
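Review bot: `partials.resources` dereferences `.CPU.Limit` and `.Memory.Limit` unconditionally, so a caller whose map lacks one of the two keys (for example `--set TapResources.CPU.Limit=1` with no `Memory` block, since `TapResources` has no default in values.yaml) fails the render with a nil-pointer evaluation error rather than omitting the missing section. Note that Go templates evaluate all arguments of `or`/`and`, so guarding with `and .CPU .CPU.Limit` does not help; binding `{{- $cpu := default dict .CPU }}` and `{{- $mem := default dict .Memory }}` at the top of the define and reading `$cpu.Limit`/`$mem.Limit` below makes the partial tolerate partial maps. A one-line comment stating the expected input shape (`# expects a map with CPU.{Limit,Request} and Memory.{Limit,Request}; empty strings are skipped`) would document the contract either way.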