diff --git a/Dockerfile-proxy b/Dockerfile-proxy
index 26ab2204f464f..abc54867fd552 100644
--- a/Dockerfile-proxy
+++ b/Dockerfile-proxy
@@ -9,7 +9,7 @@ RUN (proxy=$(bin/fetch-proxy $(cat proxy-version)) && \
 mv "$proxy" linkerd2-proxy)
 
 ## compile proxy-identity agent
-FROM gcr.io/linkerd-io/go-deps:c7fb42bd as golang
+FROM gcr.io/linkerd-io/go-deps:773dfbc7 as golang
 WORKDIR /linkerd-build
 COPY pkg/flags pkg/flags
 COPY pkg/tls pkg/tls
diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml
index cd25cfd6b0562..74702eb5d38a1 100644
--- a/charts/linkerd2/values.yaml
+++ b/charts/linkerd2/values.yaml
@@ -47,7 +47,7 @@ Identity:
 GrafanaImage: gcr.io/linkerd-io/grafana
 
 # heartbeat configuration
-HeartbeatSchedule: "0 0 * * * "
+HeartbeatSchedule: "0 0 * * *"
 
 # prometheus configuration
 PrometheusImage: prom/prometheus:v2.11.1
diff --git a/cli/Dockerfile-bin b/cli/Dockerfile-bin
index eb3bde9707b59..e7f13a7316dee 100644
--- a/cli/Dockerfile-bin
+++ b/cli/Dockerfile-bin
@@ -1,5 +1,5 @@
 ## compile binaries
-FROM gcr.io/linkerd-io/go-deps:c7fb42bd as golang
+FROM gcr.io/linkerd-io/go-deps:773dfbc7 as golang
 WORKDIR /linkerd-build
 COPY cli cli
 COPY charts charts
diff --git a/cli/cmd/install.go b/cli/cmd/install.go
index 9d3a8e8b1777a..234d8d6970497 100644
--- a/cli/cmd/install.go
+++ b/cli/cmd/install.go
@@ -30,63 +30,6 @@ import ( ) type ( - installValues struct { - stage string - Namespace string - ClusterDomain string - ControllerImage string - ControllerImageVersion string - WebImage string - PrometheusImage string - GrafanaImage string - ImagePullPolicy string - UUID string - CliVersion string - ControllerReplicas uint - ControllerLogLevel string - PrometheusLogLevel string - ControllerComponentLabel string - ControllerNamespaceLabel string - CreatedByAnnotation string - ProxyContainerName string - ProxyInjectAnnotation string - ProxyInjectDisabled string - LinkerdNamespaceLabel string - ControllerUID int64 - EnableH2Upgrade bool - EnablePodAntiAffinity bool - HighAvailability bool - NoInitContainer bool - WebhookFailurePolicy string - OmitWebhookSideEffects bool - RestrictDashboardPrivileges bool - HeartbeatSchedule string - - Configs configJSONs - - DestinationResources, - GrafanaResources, - HeartbeatResources, - IdentityResources, - PrometheusResources, - ProxyInjectorResources, - PublicAPIResources, - SPValidatorResources, - TapResources, - WebResources *charts.Resources - - Identity *installIdentityValues - ProxyInjector *charts.ProxyInjector - ProfileValidator *charts.ProfileValidator - Tap *charts.Tap - Proxy *charts.Proxy - ProxyInit *charts.ProxyInit - } - - configJSONs struct{ Global, Proxy, Install string } - - installIdentityValues charts.Identity - // installOptions holds values for command line flags that apply to the install // command. All fields in this struct should have corresponding flags added in // the newCmdInstall func later in this file. It also embeds proxyConfigOptions 
@@ -149,15 +92,60 @@ Otherwise, you can use the --ignore-cluster flag to overwrite the existing globa
 errMsgGlobalResourcesMissing = "Can't install the Linkerd control plane in the '%s' namespace. The required Linkerd global resources are missing.\nIf this is expected, use the --skip-checks flag to continue the installation.\n"
 )
 
+var (
+ templatesConfigStage = []string{
+ "templates/namespace.yaml",
+ "templates/identity-rbac.yaml",
+ "templates/controller-rbac.yaml",
+ "templates/heartbeat-rbac.yaml",
+ "templates/web-rbac.yaml",
+ "templates/serviceprofile-crd.yaml",
+ "templates/trafficsplit-crd.yaml",
+ "templates/prometheus-rbac.yaml",
+ "templates/grafana-rbac.yaml",
+ "templates/proxy-injector-rbac.yaml",
+ "templates/sp-validator-rbac.yaml",
+ "templates/tap-rbac.yaml",
+ "templates/psp.yaml",
+ }
+
+ templatesControlPlaneStage = []string{
+ "templates/_validate.tpl",
+ "templates/_affinity.tpl",
+ "templates/_config.tpl",
+ "templates/_helpers.tpl",
+ "templates/config.yaml",
+ "templates/identity.yaml",
+ "templates/controller.yaml",
+ "templates/heartbeat.yaml",
+ "templates/web.yaml",
+ "templates/prometheus.yaml",
+ "templates/grafana.yaml",
+ "templates/proxy-injector.yaml",
+ "templates/sp-validator.yaml",
+ "templates/tap.yaml",
+ }
+)
+
 // newInstallOptionsWithDefaults initializes install options with default
-// control plane and proxy options.
+// control plane and proxy options. These defaults are read from the Helm
+// values.yaml and values-ha.yaml files.
 //
 // These options may be overridden on the CLI at install-time and will be
 // persisted in Linkerd's control plane configuration to be used at
 // injection-time.
 func newInstallOptionsWithDefaults() (*installOptions, error) {
- chartDir := fmt.Sprintf("%s/", helmDefaultChartDir)
- defaults, err := charts.ReadDefaults(chartDir, false)
+ defaults, err := charts.NewValues(false)
+ if err != nil {
+ return nil, err
+ }
+
+ issuanceLifetime, err := time.ParseDuration(defaults.Identity.Issuer.IssuanceLifetime)
+ if err != nil {
+ return nil, err
+ }
+
+ clockSkewAllowance, err := time.ParseDuration(defaults.Identity.Issuer.ClockSkewAllowance)
 if err != nil {
 return nil, err
 }
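Review bot: Both new `time.ParseDuration` failures in newInstallOptionsWithDefaults are returned bare, so a malformed `Identity.Issuer.IssuanceLifetime` or `ClockSkewAllowance` in the chart's values.yaml surfaces only as a generic invalid-duration error with no indication of which default is broken. Wrapping them in the file's existing error style, e.g. `return nil, fmt.Errorf("parsing Identity.Issuer.IssuanceLifetime %q from chart defaults: %s", defaults.Identity.Issuer.IssuanceLifetime, err)` and the equivalent for the clock-skew value, makes the failing field obvious. The new package-level `templatesConfigStage` and `templatesControlPlaneStage` slices carry no doc comment; a line such as `// templatesConfigStage lists the chart templates rendered by the config stage, in render order; install_helm_test.go reads it as well.` would explain why they are package-level rather than local to render. newInstallOptionsWithDefaults continues past the end of this hunk.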
@@ -166,38 +154,38 @@ func newInstallOptionsWithDefaults() (*installOptions, error) { controlPlaneVersion: version.Version, controllerReplicas: defaults.ControllerReplicas, controllerLogLevel: defaults.ControllerLogLevel, - highAvailability: false, + highAvailability: defaults.HighAvailability, controllerUID: defaults.ControllerUID, disableH2Upgrade: !defaults.EnableH2Upgrade, - noInitContainer: false, + noInitContainer: defaults.NoInitContainer, omitWebhookSideEffects: defaults.OmitWebhookSideEffects, - restrictDashboardPrivileges: false, + restrictDashboardPrivileges: defaults.RestrictDashboardPrivileges, proxyConfigOptions: &proxyConfigOptions{ proxyVersion: version.Version, ignoreCluster: false, - proxyImage: defaults.ProxyImageName, - initImage: defaults.ProxyInitImageName, + proxyImage: defaults.Proxy.Image.Name, + initImage: defaults.ProxyInit.Image.Name, initImageVersion: version.ProxyInitVersion, dockerRegistry: defaultDockerRegistry, imagePullPolicy: defaults.ImagePullPolicy, ignoreInboundPorts: nil, ignoreOutboundPorts: nil, - proxyUID: defaults.ProxyUID, - proxyLogLevel: defaults.ProxyLogLevel, - proxyControlPort: defaults.ProxyControlPort, - proxyAdminPort: defaults.ProxyAdminPort, - proxyInboundPort: defaults.ProxyInboundPort, - proxyOutboundPort: defaults.ProxyOutboundPort, - proxyCPURequest: defaults.ProxyCPURequest, - proxyMemoryRequest: defaults.ProxyMemoryRequest, - proxyCPULimit: defaults.ProxyCPULimit, - proxyMemoryLimit: defaults.ProxyMemoryLimit, - enableExternalProfiles: defaults.EnableExternalProfiles, + proxyUID: defaults.Proxy.UID, + proxyLogLevel: defaults.Proxy.LogLevel, + proxyControlPort: uint(defaults.Proxy.Ports.Control), + proxyAdminPort: uint(defaults.Proxy.Ports.Admin), + proxyInboundPort: uint(defaults.Proxy.Ports.Inbound), + proxyOutboundPort: uint(defaults.Proxy.Ports.Outbound), + proxyCPURequest: defaults.Proxy.Resources.CPU.Request, + proxyMemoryRequest: defaults.Proxy.Resources.Memory.Request, + proxyCPULimit: 
defaults.Proxy.Resources.CPU.Limit, + proxyMemoryLimit: defaults.Proxy.Resources.Memory.Limit, + enableExternalProfiles: defaults.Proxy.EnableExternalProfiles, }, identityOptions: &installIdentityOptions{ - trustDomain: defaults.IdentityTrustDomain, - issuanceLifetime: defaults.IdentityIssuerIssuanceLifetime, - clockSkewAllowance: defaults.IdentityIssuerClockSkewAllowance, + trustDomain: defaults.Identity.TrustDomain, + issuanceLifetime: issuanceLifetime, + clockSkewAllowance: clockSkewAllowance, }, generateUUID: func() string { @@ -368,10 +356,10 @@ func installRunE(options *installOptions, stage string, flags *pflag.FlagSet) er return err } - return values.render(os.Stdout, configs) + return render(os.Stdout, values, configs) } -func (options *installOptions) validateAndBuild(stage string, flags *pflag.FlagSet) (*installValues, *pb.All, error) { +func (options *installOptions) validateAndBuild(stage string, flags *pflag.FlagSet) (*charts.Values, *pb.All, error) { if err := options.validate(); err != nil { return nil, nil, err } @@ -382,16 +370,14 @@ func (options *installOptions) validateAndBuild(stage string, flags *pflag.FlagS if err != nil { return nil, nil, err } - - configs := options.configs(identityValues.toIdentityContext()) + configs := options.configs(toIdentityContext(identityValues)) values, err := options.buildValuesWithoutIdentity(configs) if err != nil { return nil, nil, err } values.Identity = identityValues - - values.stage = stage + values.Stage = stage return values, configs, nil } 
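Review bot: The new `proxyControlPort: uint(defaults.Proxy.Ports.Control)` conversion, and the Admin/Inbound/Outbound ones beside it, turn an int32 chart value into a uint, so a negative number in values.yaml silently wraps to a huge port value instead of failing; the removed code only cast in the other direction (uint to int32) and did not have this edge. If options.validate(), which is outside this hunk, does not already bound-check the proxy ports, a guard before the struct literal such as `if p := defaults.Proxy.Ports.Control; p < 0 || p > 65535 { return nil, fmt.Errorf("invalid proxy control port %d in chart defaults", p) }` for each port would make a bad default fail at startup rather than at injection time. The struct literal being filled here starts before this hunk.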
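Review bot: `values.Stage = stage` now writes an exported field on charts.Values, and the rewritten render further down this diff passes the whole struct through `yaml.Marshal` before rendering, so unless Stage is tagged to be skipped in pkg/charts it is now emitted into the chart values and visible to every template; the old unexported `stage` field could not be serialized this way. Worth confirming the field's tag, and if the export is intentional, a comment on the assignment such as `// Stage selects which template set render emits; it is not consumed by the templates themselves.` would record that. validateAndBuild begins before this hunk.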
@@ -545,49 +531,42 @@ func (options *installOptions) validate() error { return nil } -func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*installValues, error) { - // install values that can't be overridden by CLI options will be assigned - // defaults from the values.yaml and values-ha.yaml files - chartDir := fmt.Sprintf("%s/", helmDefaultChartDir) - defaults, err := charts.ReadDefaults(chartDir, options.highAvailability) +// buildValuesWithoutIdentity builds the values that will be used to render +// the Helm templates. It overrides the defaults values with CLI options. +func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*charts.Values, error) { + installValues, err := charts.NewValues(options.highAvailability) if err != nil { return nil, err } - controllerResources := &charts.Resources{} - identityResources := &charts.Resources{} - grafanaResources := &charts.Resources{} - prometheusResources := &charts.Resources{} - - // if HA mode, use HA defaults from values-ha.yaml if options.highAvailability { - // should have at least more than 1 replicas + // use the HA defaults if CLI options aren't provided if options.controllerReplicas == 1 { - options.controllerReplicas = defaults.ControllerReplicas + options.controllerReplicas = installValues.ControllerReplicas } if options.proxyCPURequest == "" { - options.proxyCPURequest = defaults.ProxyCPURequest + options.proxyCPURequest = installValues.Proxy.Resources.CPU.Request } if options.proxyMemoryRequest == "" { - options.proxyMemoryRequest = defaults.ProxyMemoryRequest + options.proxyMemoryRequest = installValues.Proxy.Resources.Memory.Request } if options.proxyCPULimit == "" { - options.proxyCPULimit = defaults.ProxyCPULimit + options.proxyCPULimit = installValues.Proxy.Resources.CPU.Limit } if options.proxyMemoryLimit == "" { - options.proxyMemoryLimit = defaults.ProxyMemoryLimit + options.proxyMemoryLimit = installValues.Proxy.Resources.Memory.Limit } + // `configs` 
was built before the HA option is evaluated, so we need + // to make sure the HA proxy resources are added here. if configs.Proxy.Resource.RequestCpu == "" { configs.Proxy.Resource.RequestCpu = options.proxyCPURequest } - // `configs` was built before the HA option is evaluated, so we need - // to make sure the HA proxy resources are added here. if configs.Proxy.Resource.RequestMemory == "" { configs.Proxy.Resource.RequestMemory = options.proxyMemoryRequest } @@ -601,50 +580,6 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins } options.identityOptions.replicas = options.controllerReplicas - - controllerResources = &charts.Resources{ - CPU: charts.Constraints{ - Request: defaults.ControllerCPURequest, - Limit: defaults.ControllerCPULimit, - }, - Memory: charts.Constraints{ - Request: defaults.ControllerMemoryRequest, - Limit: defaults.ControllerMemoryLimit, - }, - } - - grafanaResources = &charts.Resources{ - CPU: charts.Constraints{ - Limit: defaults.GrafanaCPULimit, - Request: defaults.GrafanaCPURequest, - }, - Memory: charts.Constraints{ - Limit: defaults.GrafanaMemoryLimit, - Request: defaults.GrafanaMemoryRequest, - }, - } - - identityResources = &charts.Resources{ - CPU: charts.Constraints{ - Limit: defaults.IdentityCPULimit, - Request: defaults.IdentityCPURequest, - }, - Memory: charts.Constraints{ - Limit: defaults.IdentityMemoryLimit, - Request: defaults.IdentityMemoryRequest, - }, - } - - prometheusResources = &charts.Resources{ - CPU: charts.Constraints{ - Limit: defaults.PrometheusCPULimit, - Request: defaults.PrometheusCPURequest, - }, - Memory: charts.Constraints{ - Limit: defaults.PrometheusMemoryLimit, - Request: defaults.PrometheusMemoryRequest, - }, - } } globalJSON, proxyJSON, installJSON, err := config.ToJSON(configs) 
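Review bot: The new doc comment on buildValuesWithoutIdentity says it overrides the defaults with CLI options, but in HA mode the function also writes back into `options` (controllerReplicas and the four proxy resource fields) and into `configs.Proxy.Resource`, which any caller still holding those values will observe. Suggest extending the comment with `// In HA mode, CLI options and configs.Proxy.Resource that were left unset are first filled in from the HA defaults, mutating both options and configs.` The `options.controllerReplicas == 1` check treats an explicit single replica the same as unset; that predates this change, but now that the surrounding comments were rewritten a short why-comment there would stop the next reader from treating it as a bug. The function continues past the end of this hunk.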
@@ -652,124 +587,73 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*ins return nil, err } - values := &installValues{ - // Container images: - ControllerImage: fmt.Sprintf("%s/controller", options.dockerRegistry), - ControllerImageVersion: configs.GetGlobal().GetVersion(), - WebImage: fmt.Sprintf("%s/web", options.dockerRegistry), - GrafanaImage: fmt.Sprintf("%s/grafana", options.dockerRegistry), - PrometheusImage: defaults.PrometheusImage, - ImagePullPolicy: options.imagePullPolicy, - - // Kubernetes labels/annotations/resources: - CreatedByAnnotation: k8s.CreatedByAnnotation, - CliVersion: k8s.CreatedByAnnotationValue(), - ControllerComponentLabel: k8s.ControllerComponentLabel, - ControllerNamespaceLabel: k8s.ControllerNSLabel, - ProxyContainerName: k8s.ProxyContainerName, - ProxyInjectAnnotation: k8s.ProxyInjectAnnotation, - ProxyInjectDisabled: k8s.ProxyInjectDisabled, - LinkerdNamespaceLabel: k8s.LinkerdNamespaceLabel, - - // Controller configuration: - Namespace: controlPlaneNamespace, - ClusterDomain: configs.GetGlobal().GetClusterDomain(), - UUID: configs.GetInstall().GetUuid(), - ControllerReplicas: options.controllerReplicas, - ControllerLogLevel: options.controllerLogLevel, - ControllerUID: options.controllerUID, - HighAvailability: options.highAvailability, - EnablePodAntiAffinity: options.highAvailability, - EnableH2Upgrade: !options.disableH2Upgrade, - NoInitContainer: options.noInitContainer, - WebhookFailurePolicy: defaults.WebhookFailurePolicy, - OmitWebhookSideEffects: options.omitWebhookSideEffects, - RestrictDashboardPrivileges: options.restrictDashboardPrivileges, - PrometheusLogLevel: toPromLogLevel(strings.ToLower(options.controllerLogLevel)), - HeartbeatSchedule: options.heartbeatSchedule(), - - Configs: configJSONs{ - Global: globalJSON, - Proxy: proxyJSON, - Install: installJSON, + // override default values with CLI options + installValues.ClusterDomain = configs.GetGlobal().GetClusterDomain() + 
installValues.Configs.Global = globalJSON + installValues.Configs.Proxy = proxyJSON + installValues.Configs.Install = installJSON + installValues.ControllerImage = fmt.Sprintf("%s/controller", options.dockerRegistry) + installValues.ControllerImageVersion = configs.GetGlobal().GetVersion() + installValues.ControllerLogLevel = options.controllerLogLevel + installValues.ControllerReplicas = options.controllerReplicas + installValues.ControllerUID = options.controllerUID + installValues.EnableH2Upgrade = !options.disableH2Upgrade + installValues.EnablePodAntiAffinity = options.highAvailability + installValues.HighAvailability = options.highAvailability + installValues.ImagePullPolicy = options.imagePullPolicy + installValues.GrafanaImage = fmt.Sprintf("%s/grafana", options.dockerRegistry) + installValues.Namespace = controlPlaneNamespace + installValues.NoInitContainer = options.noInitContainer + installValues.OmitWebhookSideEffects = options.omitWebhookSideEffects + installValues.PrometheusLogLevel = toPromLogLevel(strings.ToLower(options.controllerLogLevel)) + installValues.HeartbeatSchedule = options.heartbeatSchedule() + installValues.RestrictDashboardPrivileges = options.restrictDashboardPrivileges + installValues.UUID = configs.GetInstall().GetUuid() + installValues.WebImage = fmt.Sprintf("%s/web", options.dockerRegistry) + + installValues.Proxy = &charts.Proxy{ + EnableExternalProfiles: options.enableExternalProfiles, + Image: &charts.Image{ + Name: registryOverride(options.proxyImage, options.dockerRegistry), + PullPolicy: options.imagePullPolicy, + Version: options.proxyVersion, }, - - DestinationResources: controllerResources, - GrafanaResources: grafanaResources, - HeartbeatResources: controllerResources, - IdentityResources: identityResources, - PrometheusResources: prometheusResources, - ProxyInjectorResources: controllerResources, - PublicAPIResources: controllerResources, - SPValidatorResources: controllerResources, - TapResources: controllerResources, 
- WebResources: controllerResources, - - ProxyInjector: &charts.ProxyInjector{TLS: &charts.TLS{}}, - ProfileValidator: &charts.ProfileValidator{TLS: &charts.TLS{}}, - Tap: &charts.Tap{TLS: &charts.TLS{}}, - - Proxy: &charts.Proxy{ - Component: k8s.Deployment, // only Deployment workloads are injected - EnableExternalProfiles: options.enableExternalProfiles, - Image: &charts.Image{ - Name: registryOverride(options.proxyImage, options.dockerRegistry), - PullPolicy: options.imagePullPolicy, - Version: options.proxyVersion, - }, - LogLevel: options.proxyLogLevel, - Ports: &charts.Ports{ - Admin: int32(options.proxyAdminPort), - Control: int32(options.proxyControlPort), - Inbound: int32(options.proxyInboundPort), - Outbound: int32(options.proxyOutboundPort), - }, - Resources: &charts.Resources{ - CPU: charts.Constraints{ - Limit: options.proxyCPULimit, - Request: options.proxyCPURequest, - }, - Memory: charts.Constraints{ - Limit: options.proxyMemoryLimit, - Request: options.proxyMemoryRequest, - }, - }, - UID: options.proxyUID, + LogLevel: options.proxyLogLevel, + Ports: &charts.Ports{ + Admin: int32(options.proxyAdminPort), + Control: int32(options.proxyControlPort), + Inbound: int32(options.proxyInboundPort), + Outbound: int32(options.proxyOutboundPort), }, - - ProxyInit: &charts.ProxyInit{ - Image: &charts.Image{ - Name: registryOverride(options.initImage, options.dockerRegistry), - PullPolicy: options.imagePullPolicy, - Version: options.initImageVersion, + Resources: &charts.Resources{ + CPU: charts.Constraints{ + Limit: options.proxyCPULimit, + Request: options.proxyCPURequest, }, - - Resources: &charts.Resources{ - CPU: charts.Constraints{ - Limit: defaults.ProxyInitCPULimit, - Request: defaults.ProxyInitCPURequest, - }, - Memory: charts.Constraints{ - Limit: defaults.ProxyInitMemoryLimit, - Request: defaults.ProxyInitMemoryRequest, - }, + Memory: charts.Constraints{ + Limit: options.proxyMemoryLimit, + Request: options.proxyMemoryRequest, }, }, + UID: 
options.proxyUID, } inboundPortStrs := []string{} for _, port := range options.ignoreInboundPorts { inboundPortStrs = append(inboundPortStrs, strconv.FormatUint(uint64(port), 10)) } - values.ProxyInit.IgnoreInboundPorts = strings.Join(inboundPortStrs, ",") - outboundPortStrs := []string{} for _, port := range options.ignoreOutboundPorts { outboundPortStrs = append(outboundPortStrs, strconv.FormatUint(uint64(port), 10)) } - values.ProxyInit.IgnoreOutboundPorts = strings.Join(outboundPortStrs, ",") - return values, nil + installValues.ProxyInit.Image.Name = registryOverride(options.initImage, options.dockerRegistry) + installValues.ProxyInit.Image.PullPolicy = options.imagePullPolicy + installValues.ProxyInit.Image.Version = options.initImageVersion + installValues.ProxyInit.IgnoreInboundPorts = strings.Join(inboundPortStrs, ",") + installValues.ProxyInit.IgnoreOutboundPorts = strings.Join(outboundPortStrs, ",") + + return installValues, nil } func toPromLogLevel(level string) string { @@ -782,7 +666,7 @@ func toPromLogLevel(level string) string { } // TODO: are `installValues.Configs` and `configs` redundant? -func (values *installValues) render(w io.Writer, configs *pb.All) error { +func render(w io.Writer, values *charts.Values, configs *pb.All) error { // Render raw values and create chart config rawValues, err := yaml.Marshal(values) if err != nil { 
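Review bot: The rewritten `installValues.Proxy = &charts.Proxy{...}` literal no longer sets `Component`; the removed literal carried `Component: k8s.Deployment, // only Deployment workloads are injected`, so any template that still reads `.Values.Proxy.Component` now renders an empty string — confirm the field is no longer consumed, or carry the line over. Replacing the whole Proxy pointer also discards any Proxy default from values.yaml that this literal does not spell out, whereas ProxyInit is updated field by field below; a one-line comment on the literal stating that every Proxy value is CLI-driven would make that asymmetry deliberate rather than accidental. The `installValues.ProxyInit.Image.Name = ...` assignments assume charts.NewValues always returns non-nil ProxyInit and Image pointers; presumably values.yaml guarantees that, but a nil check would turn a missing default into an error instead of a panic. The function starts before this hunk.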
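Review bot: The TODO comment kept above the new free function render still asks whether installValues.Configs and configs are redundant, but the installValues type is removed by this commit and the parameter is now `values *charts.Values`; reword it to `// TODO: are values.Configs and configs redundant?`. Since render is no longer a method, it also deserves a doc line of its own, e.g. `// render marshals values, selects the templates for values.Stage and writes the rendered chart to w.` The body of render continues past this hunk.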
@@ -793,41 +677,20 @@ func (values *installValues) render(w io.Writer, configs *pb.All) error {
 {Name: chartutil.ChartfileName},
 }
 
- if values.stage == "" || values.stage == configStage {
- files = append(files, []*chartutil.BufferedFile{
- {Name: "templates/namespace.yaml"},
- {Name: "templates/identity-rbac.yaml"},
- {Name: "templates/controller-rbac.yaml"},
- {Name: "templates/heartbeat-rbac.yaml"},
- {Name: "templates/web-rbac.yaml"},
- {Name: "templates/serviceprofile-crd.yaml"},
- {Name: "templates/trafficsplit-crd.yaml"},
- {Name: "templates/prometheus-rbac.yaml"},
- {Name: "templates/grafana-rbac.yaml"},
- {Name: "templates/proxy-injector-rbac.yaml"},
- {Name: "templates/sp-validator-rbac.yaml"},
- {Name: "templates/tap-rbac.yaml"},
- {Name: "templates/psp.yaml"},
- }...)
+ if values.Stage == "" || values.Stage == configStage {
+ for _, template := range templatesConfigStage {
+ files = append(files, &chartutil.BufferedFile{
+ Name: template,
+ })
+ }
 }
 
- if values.stage == "" || values.stage == controlPlaneStage {
- files = append(files, []*chartutil.BufferedFile{
- {Name: "templates/_validate.tpl"},
- {Name: "templates/_affinity.tpl"},
- {Name: "templates/_config.tpl"},
- {Name: "templates/_helpers.tpl"},
- {Name: "templates/config.yaml"},
- {Name: "templates/identity.yaml"},
- {Name: "templates/controller.yaml"},
- {Name: "templates/heartbeat.yaml"},
- {Name: "templates/web.yaml"},
- {Name: "templates/prometheus.yaml"},
- {Name: "templates/grafana.yaml"},
- {Name: "templates/proxy-injector.yaml"},
- {Name: "templates/sp-validator.yaml"},
- {Name: "templates/tap.yaml"},
- }...)
+ if values.Stage == "" || values.Stage == controlPlaneStage {
+ for _, template := range templatesControlPlaneStage {
+ files = append(files, &chartutil.BufferedFile{
+ Name: template,
+ })
+ }
 }
 
 chart := &charts.Chart{
@@ -1023,7 +886,7 @@ func (idopts *installIdentityOptions) validate() error { return nil } -func (idopts *installIdentityOptions) validateAndBuild() (*installIdentityValues, error) { +func (idopts *installIdentityOptions) validateAndBuild() (*charts.Identity, error) { if idopts == nil { return nil, nil } @@ -1043,13 +906,13 @@ func (idopts *installIdentityOptions) issuerName() string { return fmt.Sprintf("identity.%s.%s", controlPlaneNamespace, idopts.trustDomain) } -func (idopts *installIdentityOptions) genValues() (*installIdentityValues, error) { +func (idopts *installIdentityOptions) genValues() (*charts.Identity, error) { root, err := tls.GenerateRootCAWithDefaults(idopts.issuerName()) if err != nil { return nil, fmt.Errorf("failed to generate root certificate for identity: %s", err) } - return &installIdentityValues{ + return &charts.Identity{ TrustDomain: idopts.trustDomain, TrustAnchorsPEM: root.Cred.Crt.EncodeCertificatePEM(), Issuer: &charts.Issuer{ @@ -1069,7 +932,7 @@ func (idopts *installIdentityOptions) genValues() (*installIdentityValues, error // to produce an `installIdentityValues`. // // The identity options must have already been validated. -func (idopts *installIdentityOptions) readValues() (*installIdentityValues, error) { +func (idopts *installIdentityOptions) readValues() (*charts.Identity, error) { creds, err := tls.ReadPEMCreds(idopts.keyPEMFile, idopts.crtPEMFile) if err != nil { return nil, err @@ -1089,7 +952,7 @@ func (idopts *installIdentityOptions) readValues() (*installIdentityValues, erro return nil, fmt.Errorf("invalid credentials: %s", err) } - return &installIdentityValues{ + return &charts.Identity{ TrustDomain: idopts.trustDomain, TrustAnchorsPEM: trustAnchorsPEM, Issuer: &charts.Issuer{ 
@@ -1105,7 +968,7 @@ func (idopts *installIdentityOptions) readValues() (*installIdentityValues, erro }, nil } -func (idvals *installIdentityValues) toIdentityContext() *pb.IdentityContext { +func toIdentityContext(idvals *charts.Identity) *pb.IdentityContext { if idvals == nil { return nil } diff --git a/cli/cmd/install_helm_test.go b/cli/cmd/install_helm_test.go new file mode 100644 index 0000000000000..673fefccfbee8 --- /dev/null +++ b/cli/cmd/install_helm_test.go 
@@ -0,0 +1,194 @@ +package cmd + +import ( + "bytes" + "fmt" + "path/filepath" + "regexp" + "testing" + + "github.com/linkerd/linkerd2/pkg/charts" + "github.com/linkerd/linkerd2/pkg/k8s" + "k8s.io/helm/pkg/chartutil" + pb "k8s.io/helm/pkg/proto/hapi/chart" + "k8s.io/helm/pkg/renderutil" + "sigs.k8s.io/yaml" +) + +func TestRenderHelm(t *testing.T) { + // read the control plane chart and its defaults from the local folder. + // override certain defaults with pinned values. + // use the Helm lib to render the templates. + // the golden file is generated using the following `helm template` command: + // helm template --set Identity.TrustAnchorsPEM="test-crt-pem" --set Identity.Issuer.TLS.CrtPEM="test-crt-pem" --set Identity.Issuer.TLS.KeyPEM="test-key-pem" charts/linkerd2 --set Identity.Issuer.CrtExpiry="Jul 30 17:21:14 2020" --set ProxyInjector.KeyPEM="test-proxy-injector-key-pem" --set ProxyInjector.CrtPEM="test-proxy-injector-crt-pem" --set ProfileValidator.KeyPEM="test-profile-validator-key-pem" --set ProfileValidator.CrtPEM="test-profile-validator-crt-pem" --set Tap.KeyPEM="test-tap-key-pem" --set Tap.CrtPEM="test-tap-crt-pem" --set LinkerdVersion="linkerd-version" > cli/cmd/testdata/install_helm_output.golden + + t.Run("Non-HA mode", func(t *testing.T) { + ha := false + chartControlPlane := chartControlPlane(t, ha) + testRenderHelm(t, chartControlPlane, "install_helm_output.golden") + }) + + t.Run("HA mode", func(t *testing.T) { + ha := true + chartControlPlane := chartControlPlane(t, ha) + testRenderHelm(t, chartControlPlane, "install_helm_output_ha.golden") + }) +} + +func testRenderHelm(t *testing.T, chart *pb.Chart, goldenFileName string) { + var ( + chartName = "linkerd2" + namespace = "linkerd-dev" + ) + + // pin values that are changed by Helm functions on each test run + overrideJSON := `{ + "CliVersion":"", + "LinkerdVersion":"linkerd-version", + "Identity":{ + "TrustAnchorsPEM":"test-trust-anchor", + "TrustDomain":"test.trust.domain", + "Issuer":{ + 
"CrtExpiry":"Jul 30 17:21:14 2020", + "CrtExpiryAnnotation":"%s", + "TLS":{ + "KeyPEM":"test-key-pem", + "CrtPEM":"test-crt-pem" + } + } + }, + "Configs": null, + "Proxy":{ + "Image":{ + "Version":"test-proxy-version" + } + }, + "ProxyInit":{ + "Image":{ + "Version":"test-proxy-init-version" + } + }, + "ProxyInjector":{ + "KeyPEM":"test-proxy-injector-key-pem", + "CrtPEM":"test-proxy-injector-crt-pem" + }, + "ProfileValidator":{ + "KeyPEM":"test-profile-validator-key-pem", + "CrtPEM":"test-profile-validator-crt-pem" + }, + "Tap":{ + "KeyPEM":"test-tap-key-pem", + "CrtPEM":"test-tap-crt-pem" + } +}` + overrideConfig := &pb.Config{ + Raw: fmt.Sprintf(overrideJSON, k8s.IdentityIssuerExpiryAnnotation), + } + + releaseOptions := renderutil.Options{ + ReleaseOptions: chartutil.ReleaseOptions{ + Name: chartName, + Namespace: namespace, + IsUpgrade: false, + IsInstall: true, + }, + } + + rendered, err := renderutil.Render(chart, overrideConfig, releaseOptions) + if err != nil { + t.Fatal("Unexpected error", err) + } + + var buf bytes.Buffer + for _, template := range chart.Templates { + source := chartName + "/" + template.Name + v, exists := rendered[source] + if !exists { + // skip partial templates + continue + } + buf.WriteString("---\n# Source: " + source + "\n") + buf.WriteString(v) + } + + // pin the uuid in the linkerd-config config map + re := regexp.MustCompile(`"uuid":".*"`) + result := re.ReplaceAllString(buf.String(), `"uuid":"test-install-uuid"`) + + diffTestdata(t, goldenFileName, result) +} + +func chartControlPlane(t *testing.T, ha bool) *pb.Chart { + values, err := readTestValues(t, ha) + if err != nil { + t.Fatal("Unexpected error", err) + } + + chartPartials := chartPartials(t) + + chart := &pb.Chart{ + Metadata: &pb.Metadata{ + Name: helmDefaultChartName, + Sources: []string{ + filepath.Join("..", "..", "..", "charts", "linkerd2"), + }, + }, + Dependencies: []*pb.Chart{ + chartPartials, + }, + Values: &pb.Config{ + Raw: string(values), + }, + } + + for 
_, filepath := range append(templatesConfigStage, templatesControlPlaneStage...) { + chart.Templates = append(chart.Templates, &pb.Template{ + Name: filepath, + }) + } + + for _, template := range chart.Templates { + filepath := filepath.Join(chart.Metadata.Sources[0], template.Name) + template.Data = []byte(readTestdata(t, filepath)) + } + + return chart +} + +func chartPartials(t *testing.T) *pb.Chart { + chart := &pb.Chart{ + Metadata: &pb.Metadata{ + Name: "partials", + Sources: []string{ + filepath.Join("..", "..", "..", "charts", "partials"), + }, + }, + Templates: []*pb.Template{ + {Name: "templates/_proxy.tpl"}, + {Name: "templates/_proxy-init.tpl"}, + {Name: "templates/_volumes.tpl"}, + {Name: "templates/_resources.tpl"}, + {Name: "templates/_metadata.tpl"}, + {Name: "templates/_helpers.tpl"}, + {Name: "templates/_debug.tpl"}, + {Name: "templates/_capabilities.tpl"}, + }, + } + + for _, template := range chart.Templates { + template := template + filepath := filepath.Join(chart.Metadata.Sources[0], template.Name) + template.Data = []byte(readTestdata(t, filepath)) + } + + return chart +} + +func readTestValues(t *testing.T, ha bool) ([]byte, error) { + values, err := charts.NewValues(ha) + if err != nil { + t.Fatal("Unexpected error", err) + } + + return yaml.Marshal(values) +} diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index a556b85260949..1522515b76d56 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go 
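Review bot: In testRenderHelm the uuid is pinned with the greedy pattern `"uuid":".*"`, which matches from the uuid key to the last double quote on the same line; if the install JSON in linkerd-config is rendered on a single line, as compact JSON usually is, the replacement also swallows every field after uuid, so the golden file never checks them. Changing the pattern to `"uuid":"[^"]*"` pins only the uuid value. In chartControlPlane the loop variables named `filepath` shadow the path/filepath package (`for _, filepath := range ...` and `filepath := filepath.Join(...)`), which compiles but reads as if the package were being reassigned; a name such as `tmplPath` avoids that. The `template := template` copy in chartPartials is unnecessary for a slice of pointers and is absent from the otherwise identical loop in chartControlPlane, so one of the two loops should match the other.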
@@ -41,15 +41,15 @@ func TestRender(t *testing.T) { t.Fatalf("Unexpected error: %v\n", err) } - identityContext := (&installIdentityValues{ + identityContext := toIdentityContext(&charts.Identity{ Issuer: &charts.Issuer{ ClockSkewAllowance: "20s", IssuanceLifetime: "86400s", }, - }).toIdentityContext() + }) metaConfig := metaOptions.configs(identityContext) metaConfig.Global.LinkerdNamespace = "Namespace" - metaValues := &installValues{ + metaValues := &charts.Values{ Namespace: "Namespace", ClusterDomain: "cluster.local", ControllerImage: "ControllerImage", @@ -75,7 +75,7 @@ func TestRender(t *testing.T) { WebhookFailurePolicy: "WebhookFailurePolicy", OmitWebhookSideEffects: false, RestrictDashboardPrivileges: false, - Configs: configJSONs{ + Configs: charts.ConfigJSONs{ Global: "GlobalConfig", Proxy: "ProxyConfig", Install: "InstallConfig", @@ -158,7 +158,7 @@ func TestRender(t *testing.T) { addFakeTLSSecrets(noInitContainerValues) testCases := []struct { - values *installValues + values *charts.Values configs *config.All goldenFileName string }{ @@ -177,7 +177,7 @@ func TestRender(t *testing.T) { controlPlaneNamespace = tc.configs.GetGlobal().GetLinkerdNamespace() var buf bytes.Buffer - if err := tc.values.render(&buf, tc.configs); err != nil { + if err := render(&buf, tc.values, tc.configs); err != nil { t.Fatalf("Failed to render templates: %v", err) } diffTestdata(t, tc.goldenFileName, buf.String()) @@ -305,7 +305,7 @@ func fakeHeartbeatSchedule() string { return "1 2 3 4 5" } -func addFakeTLSSecrets(values *installValues) { +func addFakeTLSSecrets(values *charts.Values) { values.ProxyInjector.CrtPEM = "proxy injector crt" values.ProxyInjector.KeyPEM = "proxy injector key" values.ProfileValidator.CrtPEM = "proxy injector crt" diff --git a/cli/cmd/testdata/install_control-plane.golden b/cli/cmd/testdata/install_control-plane.golden index 788f746b71b79..9207687b27a55 100644 --- a/cli/cmd/testdata/install_control-plane.golden 
+++ b/cli/cmd/testdata/install_control-plane.golden @@ -105,7 +105,6 @@ spec: httpGet: path: /ready port: 9990 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -338,7 +337,6 @@ spec: httpGet: path: /ready port: 9995 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -368,7 +366,6 @@ spec: httpGet: path: /ready port: 9996 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -539,7 +536,6 @@ spec: - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" - "-controller-namespace=linkerd" - "-log-level=info" - resources: securityContext: runAsUser: 2103 --- @@ -621,7 +617,6 @@ spec: httpGet: path: /ready port: 9994 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -939,7 +934,6 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 - resources: securityContext: runAsUser: 65534 volumeMounts: @@ -1210,7 +1204,6 @@ spec: httpGet: path: /api/health port: 3000 - resources: securityContext: runAsUser: 472 volumeMounts: @@ -1408,7 +1401,6 @@ spec: httpGet: path: /ready port: 9995 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -1638,7 +1630,6 @@ spec: httpGet: path: /ready port: 9997 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -1852,7 +1843,6 @@ spec: httpGet: path: /ready port: 9998 - resources: securityContext: runAsUser: 2103 volumeMounts: diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 53bfc6d1b37b6..614edd825cb28 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -786,7 +786,6 @@ spec: httpGet: path: /ready port: 9990 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -1019,7 +1018,6 @@ spec: httpGet: path: /ready port: 9995 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -1049,7 +1047,6 @@ spec: httpGet: path: /ready port: 9996 - resources: securityContext: runAsUser: 2103 volumeMounts: 
@@ -1220,7 +1217,6 @@ spec: - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" - "-controller-namespace=linkerd" - "-log-level=info" - resources: securityContext: runAsUser: 2103 --- @@ -1302,7 +1298,6 @@ spec: httpGet: path: /ready port: 9994 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -1620,7 +1615,6 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 - resources: securityContext: runAsUser: 65534 volumeMounts: @@ -1891,7 +1885,6 @@ spec: httpGet: path: /api/health port: 3000 - resources: securityContext: runAsUser: 472 volumeMounts: @@ -2089,7 +2082,6 @@ spec: httpGet: path: /ready port: 9995 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -2319,7 +2311,6 @@ spec: httpGet: path: /ready port: 9997 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -2533,7 +2524,6 @@ spec: httpGet: path: /ready port: 9998 - resources: securityContext: runAsUser: 2103 volumeMounts: diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden new file mode 100644 index 0000000000000..fe341f32cd62a --- /dev/null +++ b/cli/cmd/testdata/install_helm_output.golden 
@@ -0,0 +1,2686 @@ +--- +# Source: linkerd2/templates/namespace.yaml +--- +### +### Linkerd Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: linkerd + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" +--- +# Source: linkerd2/templates/identity-rbac.yaml +--- +### +### Identity Controller Service RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/controller-rbac.yaml +--- +### +### Controller RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["jobs"] + verbs: ["list" , "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: 
["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-controller +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-controller + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/heartbeat-rbac.yaml +--- +### +### Heartbeat RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/web-rbac.yaml +--- +### +### Web RBAC +### +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + 
kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/serviceprofile-crd.yaml +--- +### +### Service Profile CRD +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1alpha2 + served: true + storage: true + scope: Namespaced + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp +--- +# Source: linkerd2/templates/trafficsplit-crd.yaml +--- +### +### TrafficSplit CRD +### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trafficsplits.split.smi-spec.io + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: split.smi-spec.io + version: v1alpha1 + scope: Namespaced + names: + kind: TrafficSplit + shortNames: + - ts + plural: trafficsplits + singular: trafficsplit + additionalPrinterColumns: + - name: Service + type: string + description: The apex service of this split. 
+ JSONPath: .spec.service +--- +# Source: linkerd2/templates/prometheus-rbac.yaml +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/grafana-rbac.yaml +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/proxy-injector-rbac.yaml +--- +### +### Proxy Injector RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + 
labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: Opaque +data: + crt.pem: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt + key.pem: dGVzdC1wcm94eS1pbmplY3Rvci1rZXktcGVt +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + matchExpressions: + - key: linkerd.io/is-control-plane + operator: DoesNotExist + clientConfig: + service: + name: linkerd-proxy-injector + namespace: linkerd + path: "/" + caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt + failurePolicy: Ignore + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None +--- +# Source: linkerd2/templates/sp-validator-rbac.yaml +--- +### +### Service Profile Validator RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +--- +kind: 
ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-sp-validator + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: Opaque +data: + crt.pem: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt + key.pem: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1rZXktcGVt +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-sp-validator-webhook-config + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-sp-validator.linkerd.io + clientConfig: + service: + name: linkerd-sp-validator + namespace: linkerd + path: "/" + caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt + failurePolicy: Ignore + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +# Source: linkerd2/templates/tap-rbac.yaml +--- +### +### Tap RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods", "services", 
"replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["jobs"] + verbs: ["list" , "get", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*"] + verbs: ["watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-tap-auth-delegator + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-linkerd-tap-auth-reader + namespace: kube-system + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: Secret +apiVersion: 
v1 +metadata: + name: linkerd-tap-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: Opaque +data: + crt.pem: dGVzdC10YXAtY3J0LXBlbQ== + key.pem: dGVzdC10YXAta2V5LXBlbQ== +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.tap.linkerd.io + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: linkerd + caBundle: dGVzdC10YXAtY3J0LXBlbQ== +--- +# Source: linkerd2/templates/psp.yaml +--- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane + labels: + linkerd.io/control-plane-ns: linkerd +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + - NET_RAW + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: 
rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +# Source: linkerd2/templates/config.yaml +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + global: | + { + "linkerdNamespace": "linkerd", + "cniEnabled": false, + "version": "linkerd-version", + "identityContext":{ + "trustDomain": "test.trust.domain", + "trustAnchorsPem": "test-trust-anchor", + "issuanceLifeTime": "", + "clockSkewAllowance": "20s" + }, + "autoInjectContext": null, + "omitWebhookSideEffects": false, + "clusterDomain": "cluster.local" + } + proxy: | + { + "proxyImage":{ + "imageName":"gcr.io/linkerd-io/proxy", + "pullPolicy":"IfNotPresent" + }, + "proxyInitImage":{ + "imageName":"gcr.io/linkerd-io/proxy-init", + "pullPolicy":"IfNotPresent" + }, + "controlPort":{ + "port": 4190 + }, + "ignoreInboundPorts":[], + "ignoreOutboundPorts":[], + "inboundPort":{ + "port": 4143 + }, + "adminPort":{ + "port": 4191 + }, + "outboundPort":{ + "port": 4140 + }, + "resource":{ + "requestCpu": "", + "limitCpu": "", + "requestMemory": "", + "limitMemory": "" + }, + "proxyUid": 2102, + "logLevel":{ + "level": "warn,linkerd2_proxy=info" + }, + "disableExternalProfiles": true, + 
"proxyVersion": "test-proxy-version", + "proxyInitImageVersion": "test-proxy-init-version" + } + install: | + { + "uuid":"test-install-uuid", + "cliVersion":"linkerd-version", + "flags":[] + } +--- +# Source: linkerd2/templates/identity.yaml +--- +### +### Identity Controller Service +### +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-issuer-expiry: Jul 30 17:21:14 2020 +data: + crt.pem: dGVzdC1jcnQtcGVt + key.pem: dGVzdC1rZXktcGVt +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + name: linkerd-identity + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + 
livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: localhost.:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: 
linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/controller.yaml +--- +### +### Controller +### +--- +kind: 
Service +apiVersion: v1 +metadata: + name: linkerd-controller-api + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: controller + ports: + - name: http + port: 8085 + targetPort: 8085 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-destination + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: controller + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + name: linkerd-controller + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + spec: + containers: + - args: + - public-api + - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: public-api + ports: + - containerPort: 8085 + name: http + - 
containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - args: + - destination + - -addr=:8086 + - -controller-namespace=linkerd + - -enable-h2-upgrade=true + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: localhost.:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + 
initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-controller + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/heartbeat.yaml +--- +### +### Heartbeat +### +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + schedule: "0 0 * * *" + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + labels: + linkerd.io/control-plane-component: heartbeat + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + spec: + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + args: + - "heartbeat" + - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-controller-namespace=linkerd" + - "-log-level=info" + securityContext: + runAsUser: 2103 +--- +# Source: linkerd2/templates/web.yaml +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + 
linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + name: linkerd-web + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + spec: + containers: + - args: + - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 + - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/web:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: 
LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + 
resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-web + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/prometheus.yaml +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + prometheus.yml: |- + global: + scrape_interval: 10s + scrape_timeout: 10s + evaluation_interval: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + # Required for: https://grafana.com/grafana/dashboards/315 + - job_name: 
'kubernetes-nodes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;linkerd$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + 
regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + name: linkerd-prometheus + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + spec: + containers: + - args: + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + - --config.file=/etc/prometheus/prometheus.yml + - --log.level=info + image: prom/prometheus:v2.11.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready 
+ port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + runAsUser: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus + name: prometheus-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY + value: "10000" + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: 
linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-prometheus + volumes: + - emptyDir: {} + name: data + - configMap: + name: linkerd-prometheus-config + name: prometheus-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/grafana.yaml +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + 
linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + grafana.ini: |- + instance_name = linkerd-grafana + + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + + [auth] + disable_login_form = true + + [auth.anonymous] + enabled = true + org_role = Editor + + [auth.basic] + enabled = false + + [analytics] + check_for_updates = false + + [panels] + disable_sanitize_html = true + + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + name: linkerd-grafana + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + 
linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + spec: + containers: + - env: + - name: GF_PATHS_DATA + value: /data + image: gcr.io/linkerd-io/grafana:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + 
initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/proxy-injector.yaml +--- +### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + containers: + - args: + - proxy-injector + - -log-level=info + image: 
gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + 
initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - name: tls + secret: + secretName: linkerd-proxy-injector-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +# Source: linkerd2/templates/sp-validator.yaml +--- +### +### Service Profile Validator +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: sp-validator + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + 
linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + name: linkerd-sp-validator + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: sp-validator + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-sp-validator + spec: + containers: + - args: + - sp-validator + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + 
initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-sp-validator + volumes: + - name: tls + secret: + secretName: linkerd-sp-validator-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/tap.yaml +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 + - name: apiserver + port: 443 + targetPort: apiserver +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + name: linkerd-tap + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + 
linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + spec: + containers: + - args: + - tap + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 8089 + name: apiserver + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + 
initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-tap + volumes: + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: tls + secret: + secretName: linkerd-tap-tls diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden new file mode 100644 index 0000000000000..a1d10406bfdf2 --- /dev/null +++ b/cli/cmd/testdata/install_helm_output_ha.golden 
@@ -0,0 +1,2904 @@ +--- +# Source: linkerd2/templates/namespace.yaml +--- +### +### Linkerd Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: linkerd + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" +--- +# Source: linkerd2/templates/identity-rbac.yaml +--- +### +### Identity Controller Service RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/controller-rbac.yaml +--- +### +### Controller RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["jobs"] + verbs: ["list" , "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: 
["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-controller +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-controller + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/heartbeat-rbac.yaml +--- +### +### Heartbeat RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/web-rbac.yaml +--- +### +### Web RBAC +### +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + 
kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/serviceprofile-crd.yaml +--- +### +### Service Profile CRD +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1alpha2 + served: true + storage: true + scope: Namespaced + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp +--- +# Source: linkerd2/templates/trafficsplit-crd.yaml +--- +### +### TrafficSplit CRD +### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trafficsplits.split.smi-spec.io + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: split.smi-spec.io + version: v1alpha1 + scope: Namespaced + names: + kind: TrafficSplit + shortNames: + - ts + plural: trafficsplits + singular: trafficsplit + additionalPrinterColumns: + - name: Service + type: string + description: The apex service of this split. 
+ JSONPath: .spec.service +--- +# Source: linkerd2/templates/prometheus-rbac.yaml +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/grafana-rbac.yaml +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd +--- +# Source: linkerd2/templates/proxy-injector-rbac.yaml +--- +### +### Proxy Injector RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + 
labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: Opaque +data: + crt.pem: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt + key.pem: dGVzdC1wcm94eS1pbmplY3Rvci1rZXktcGVt +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + matchExpressions: + - key: linkerd.io/is-control-plane + operator: DoesNotExist + clientConfig: + service: + name: linkerd-proxy-injector + namespace: linkerd + path: "/" + caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jcnQtcGVt + failurePolicy: Fail + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None +--- +# Source: linkerd2/templates/sp-validator-rbac.yaml +--- +### +### Service Profile Validator RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +--- +kind: 
ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-sp-validator + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: Opaque +data: + crt.pem: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt + key.pem: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1rZXktcGVt +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-sp-validator-webhook-config + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-sp-validator.linkerd.io + clientConfig: + service: + name: linkerd-sp-validator + namespace: linkerd + path: "/" + caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jcnQtcGVt + failurePolicy: Fail + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +# Source: linkerd2/templates/tap-rbac.yaml +--- +### +### Tap RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods", "services", 
"replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["jobs"] + verbs: ["list" , "get", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*"] + verbs: ["watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-tap-auth-delegator + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-linkerd-tap-auth-reader + namespace: kube-system + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: Secret +apiVersion: 
v1 +metadata: + name: linkerd-tap-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +type: Opaque +data: + crt.pem: dGVzdC10YXAtY3J0LXBlbQ== + key.pem: dGVzdC10YXAta2V5LXBlbQ== +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.tap.linkerd.io + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: linkerd + caBundle: dGVzdC10YXAtY3J0LXBlbQ== +--- +# Source: linkerd2/templates/psp.yaml +--- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane + labels: + linkerd.io/control-plane-ns: linkerd +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + - NET_RAW + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: 
rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +# Source: linkerd2/templates/config.yaml +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + global: | + { + "linkerdNamespace": "linkerd", + "cniEnabled": false, + "version": "linkerd-version", + "identityContext":{ + "trustDomain": "test.trust.domain", + "trustAnchorsPem": "test-trust-anchor", + "issuanceLifeTime": "", + "clockSkewAllowance": "20s" + }, + "autoInjectContext": null, + "omitWebhookSideEffects": false, + "clusterDomain": "cluster.local" + } + proxy: | + { + "proxyImage":{ + "imageName":"gcr.io/linkerd-io/proxy", + "pullPolicy":"IfNotPresent" + }, + "proxyInitImage":{ + "imageName":"gcr.io/linkerd-io/proxy-init", + "pullPolicy":"IfNotPresent" + }, + "controlPort":{ + "port": 4190 + }, + "ignoreInboundPorts":[], + "ignoreOutboundPorts":[], + "inboundPort":{ + "port": 4143 + }, + "adminPort":{ + "port": 4191 + }, + "outboundPort":{ + "port": 4140 + }, + "resource":{ + "requestCpu": "100m", + "limitCpu": "1", + "requestMemory": "20Mi", + "limitMemory": "250Mi" + }, + "proxyUid": 2102, + "logLevel":{ + "level": "warn,linkerd2_proxy=info" + }, + "disableExternalProfiles": true, 
+ "proxyVersion": "test-proxy-version", + "proxyInitImageVersion": "test-proxy-init-version" + } + install: | + { + "uuid":"test-install-uuid", + "cliVersion":"linkerd-version", + "flags":[] + } +--- +# Source: linkerd2/templates/identity.yaml +--- +### +### Identity Controller Service +### +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-issuer-expiry: Jul 30 17:21:14 2020 +data: + crt.pem: dGVzdC1jcnQtcGVt + key.pem: dGVzdC1rZXktcGVt +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + name: linkerd-identity + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 
linkerd.io/control-plane-component + operator: In + values: + - identity + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - identity + topologyKey: kubernetes.io/hostname + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "10Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: localhost.:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: 
/var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/controller.yaml +--- +### +### Controller +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-controller-api + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: controller + ports: + - name: http + port: 8085 + targetPort: 8085 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-destination + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: controller + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm 
linkerd-version + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + name: linkerd-controller + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - controller + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - controller + topologyKey: kubernetes.io/hostname + containers: + - args: + - public-api + - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: public-api + ports: + - containerPort: 8085 + name: http + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - args: + - destination + - -addr=:8086 + - -controller-namespace=linkerd + - 
-enable-h2-upgrade=true + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: localhost.:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: 
/var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-controller + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/heartbeat.yaml +--- +### +### Heartbeat +### +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + schedule: "0 0 * * *" + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + labels: + linkerd.io/control-plane-component: heartbeat + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + spec: + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + args: + - "heartbeat" + - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-controller-namespace=linkerd" + - "-log-level=info" + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 +--- +# Source: 
linkerd2/templates/web.yaml +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + name: linkerd-web + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + spec: + containers: + - args: + - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 + - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/web:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - 
name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + 
port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-web + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/prometheus.yaml +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + prometheus.yml: |- + global: + scrape_interval: 10s + scrape_timeout: 10s + evaluation_interval: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + + scrape_configs: + - job_name: 'prometheus' + static_configs: 
+ - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + # Required for: https://grafana.com/grafana/dashboards/315 + - job_name: 'kubernetes-nodes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;linkerd$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + - source_labels: 
[__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + name: linkerd-prometheus + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + spec: + containers: + - args: + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + - 
--config.file=/etc/prometheus/prometheus.yml + - --log.level=info + image: prom/prometheus:v2.11.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: + limits: + cpu: "4" + memory: "8192Mi" + requests: + cpu: "300m" + memory: "300Mi" + securityContext: + runAsUser: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus + name: prometheus-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY + value: "10000" + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + 
terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-prometheus + volumes: + - emptyDir: {} + name: data + - configMap: + name: linkerd-prometheus-config + name: prometheus-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/grafana.yaml +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +data: + grafana.ini: |- + instance_name = linkerd-grafana + + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + + [auth] + disable_login_form = true + + [auth.anonymous] + enabled = true + org_role = Editor + + [auth.basic] + enabled = false + + [analytics] + check_for_updates = false + + [panels] + disable_sanitize_html = true + + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + 
dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + name: linkerd-grafana + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + spec: + containers: + - env: + - name: GF_PATHS_DATA + value: /data + image: gcr.io/linkerd-io/grafana:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + limits: + cpu: "1" + memory: "1024Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: 
true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/proxy-injector.yaml +--- +### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: 
linkerd + name: linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - proxy-injector + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - proxy-injector + topologyKey: kubernetes.io/hostname + containers: + - args: + - proxy-injector + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + 
value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + 
memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - name: tls + secret: + secretName: linkerd-proxy-injector-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +# Source: linkerd2/templates/sp-validator.yaml +--- +### +### Service Profile Validator +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: 
linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: sp-validator + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + name: linkerd-sp-validator + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: sp-validator + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-sp-validator + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - sp-validator + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - sp-validator + topologyKey: kubernetes.io/hostname + containers: + - args: + - sp-validator + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: 
/var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: 
IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-sp-validator + volumes: + - name: tls + secret: + secretName: linkerd-sp-validator-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +# Source: linkerd2/templates/tap.yaml +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 + - name: apiserver + port: 443 + targetPort: 
apiserver +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + name: linkerd-tap + namespace: linkerd +spec: + replicas: 3 + selector: + matchLabels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/helm linkerd-version + linkerd.io/identity-mode: default + linkerd.io/proxy-version: test-proxy-version + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - tap + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: In + values: + - tap + topologyKey: kubernetes.io/hostname + containers: + - args: + - tap + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:linkerd-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 8089 + name: apiserver + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: 
warn,linkerd2_proxy=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-destination.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + test-trust-anchor + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: test.trust.domain + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:test-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + 
name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + limits: + cpu: "1" + memory: "250Mi" + requests: + cpu: "100m" + memory: "20Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:test-proxy-init-version + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-tap + volumes: + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: tls + secret: + secretName: linkerd-tap-tls diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 3d15383b7c200..880273a7c06ce 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -783,7 +783,6 @@ spec: httpGet: path: /ready port: 9990 - resources: securityContext: runAsUser: 2103 volumeMounts: @@ -983,7 +982,6 @@ spec: httpGet: path: /ready port: 9995 - resources: securityContext: runAsUser: 2103 volumeMounts: 
@@ -1013,7 +1011,6 @@ spec:
 httpGet:
 path: /ready
 port: 9996
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -1151,7 +1148,6 @@ spec:
 - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090"
 - "-controller-namespace=linkerd"
 - "-log-level=info"
- resources:
 securityContext:
 runAsUser: 2103
 ---
@@ -1233,7 +1229,6 @@ spec:
 httpGet:
 path: /ready
 port: 9994
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -1518,7 +1513,6 @@ spec:
 port: 9090
 initialDelaySeconds: 30
 timeoutSeconds: 30
- resources:
 securityContext:
 runAsUser: 65534
 volumeMounts:
@@ -1756,7 +1750,6 @@ spec:
 httpGet:
 path: /api/health
 port: 3000
- resources:
 securityContext:
 runAsUser: 472
 volumeMounts:
@@ -1921,7 +1914,6 @@ spec:
 httpGet:
 path: /ready
 port: 9995
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -2118,7 +2110,6 @@ spec:
 httpGet:
 path: /ready
 port: 9997
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -2299,7 +2290,6 @@ spec:
 httpGet:
 path: /ready
 port: 9998
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
diff --git a/cli/cmd/testdata/upgrade_default.golden b/cli/cmd/testdata/upgrade_default.golden
index eeb22a6771f26..8db2050583cf9 100644
--- a/cli/cmd/testdata/upgrade_default.golden
+++ b/cli/cmd/testdata/upgrade_default.golden
@@ -786,7 +786,6 @@ spec:
 httpGet:
 path: /ready
 port: 9990
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -1020,7 +1019,6 @@ spec:
 httpGet:
 path: /ready
 port: 9995
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -1050,7 +1048,6 @@ spec:
 httpGet:
 path: /ready
 port: 9996
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -1222,7 +1219,6 @@ spec:
 - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090"
 - "-controller-namespace=linkerd"
 - "-log-level=info"
- resources:
 securityContext:
 runAsUser: 2103
 ---
@@ -1304,7 +1300,6 @@ spec:
 httpGet:
 path: /ready
 port: 9994
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -1623,7 +1618,6 @@ spec:
 port: 9090
 initialDelaySeconds: 30
 timeoutSeconds: 30
- resources:
 securityContext:
 runAsUser: 65534
 volumeMounts:
@@ -1895,7 +1889,6 @@ spec:
 httpGet:
 path: /api/health
 port: 3000
- resources:
 securityContext:
 runAsUser: 472
 volumeMounts:
@@ -2094,7 +2087,6 @@ spec:
 httpGet:
 path: /ready
 port: 9995
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -2325,7 +2317,6 @@ spec:
 httpGet:
 path: /ready
 port: 9997
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
@@ -2540,7 +2531,6 @@ spec:
 httpGet:
 path: /ready
 port: 9998
- resources:
 securityContext:
 runAsUser: 2103
 volumeMounts:
diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go
index 1d857867bcd15..8a1f936c283a2 100644
--- a/cli/cmd/upgrade.go
+++ b/cli/cmd/upgrade.go
@@ -177,7 +177,7 @@ func upgradeRunE(options *upgradeOptions, stage string, flags *pflag.FlagSet) er
 // rendering to a buffer and printing full contents of buffer after
 // render is complete, to ensure that okStatus prints separately
 var buf bytes.Buffer
- if err = values.render(&buf, configs); err != nil {
+ if err = render(&buf, values, configs); err != nil {
 upgradeErrorf("Could not render upgrade configuration: %s", err)
 }
@@ -192,7 +192,7 @@ func upgradeRunE(options *upgradeOptions, stage string, flags *pflag.FlagSet) er
 return nil
 }
-func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Interface, flags *pflag.FlagSet) (*installValues, *pb.All, error) {
+func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Interface, flags *pflag.FlagSet) (*charts.Values, *pb.All, error) {
 if err := options.validate(); err != nil {
 return nil, nil, err
 }
@@ -222,7 +222,10 @@ func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Inter
 options.recordFlags(flags)
 // Update the configs from the synthesized options.
+ // The overrideConfigs() is used to override proxy configs only.
 options.overrideConfigs(configs, map[string]string{})
+
+ // Override configs with upgrade CLI options.
 if options.controlPlaneVersion != "" {
 configs.GetGlobal().Version = options.controlPlaneVersion
 }
@@ -232,7 +235,7 @@ func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Inter
 configs.GetGlobal().ClusterDomain = defaultClusterDomain
 }
- var identity *installIdentityValues
+ var identity *charts.Identity
 idctx := configs.GetGlobal().GetIdentityContext()
 if idctx.GetTrustDomain() == "" || idctx.GetTrustAnchorsPem() == "" {
 // If there wasn't an idctx, or if it doesn't specify the required fields, we
@@ -241,7 +244,7 @@ func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Inter
 if err != nil {
 return nil, nil, fmt.Errorf("unable to generate issuer credentials: %s", err)
 }
- configs.GetGlobal().IdentityContext = identity.toIdentityContext()
+ configs.GetGlobal().IdentityContext = toIdentityContext(identity)
 } else {
 identity, err = fetchIdentityValues(k, idctx)
 if err != nil {
@@ -286,7 +289,7 @@ func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Inter
 }
 values.Tap = &charts.Tap{TLS: tapTLS}
- values.stage = stage
+ values.Stage = stage
 return values, configs, nil
 }
@@ -340,7 +343,7 @@ func fetchTLSSecret(k kubernetes.Interface, webhook string, options *upgradeOpti
 //
 // This bypasses the public API so that we can access secrets and validate
 // permissions.
-func fetchIdentityValues(k kubernetes.Interface, idctx *pb.IdentityContext) (*installIdentityValues, error) {
+func fetchIdentityValues(k kubernetes.Interface, idctx *pb.IdentityContext) (*charts.Identity, error) {
 if idctx == nil {
 return nil, nil
 }
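Review bot: The added comment `// The overrideConfigs() is used to override proxy configs only.` is awkwardly phrased and leaves the empty `map[string]string{}` argument unexplained, so a reader of this hunk cannot tell which overrides are deliberately skipped here. I would reword it to something like `// overrideConfigs applies only the proxy-related flag overrides (the empty map adds none); control-plane settings such as the version are applied directly to configs below.`, hedged because overrideConfigs's body is not in the diff. The second added comment, `// Override configs with upgrade CLI options.`, reads fine as is. validateAndBuild starts and ends outside this hunk.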
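Review bot: In the `@@ -286,7 +289,7 @@` hunk, `values.Stage = stage` now writes an exported field of `charts.Values`, and the new pkg/charts/values.go declares `Stage string` with no doc comment while the neighbouring types in that file are commented. Because the upgrade path sets it from the CLI's stage argument rather than from anything in the chart, a comment on the field would keep it from being mistaken for a chart value, e.g. `// Stage is the install stage being rendered; it is set by the CLI (see cli/cmd), not read from the chart's values files.` — the "not read from values files" part is my inference from this diff and should be confirmed against render. That values.go hunk continues past the end of this diff, so the comment belongs there rather than in upgrade.go, whose validateAndBuild body also starts and ends outside the hunk.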
@@ -350,7 +353,7 @@ func fetchIdentityValues(k kubernetes.Interface, idctx *pb.IdentityContext) (*in
 return nil, err
 }
- return &installIdentityValues{
+ return &charts.Identity{
 TrustDomain: idctx.GetTrustDomain(),
 TrustAnchorsPEM: idctx.GetTrustAnchorsPem(),
 Issuer: &charts.Issuer{
diff --git a/cli/cmd/upgrade_test.go b/cli/cmd/upgrade_test.go
index e561e5deb958e..44bfab5e1fe96 100644
--- a/cli/cmd/upgrade_test.go
+++ b/cli/cmd/upgrade_test.go
@@ -315,7 +315,7 @@ type: Opaque`,
 }
 var buf bytes.Buffer
- if err = values.render(&buf, configs); err != nil {
+ if err = render(&buf, values, configs); err != nil {
 t.Fatalf("could not render upgrade configuration: %s", err)
 }
 diffTestdata(t, tc.outputfile, buf.String())
diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile
index 22a93dda5fc9d..07a12bab4f8b3 100644
--- a/cni-plugin/Dockerfile
+++ b/cni-plugin/Dockerfile
@@ -1,5 +1,5 @@
 ## compile cni-plugin utility
-FROM gcr.io/linkerd-io/go-deps:c7fb42bd as golang
+FROM gcr.io/linkerd-io/go-deps:773dfbc7 as golang
 WORKDIR /linkerd-build
 COPY pkg pkg
 COPY controller controller
diff --git a/controller/Dockerfile b/controller/Dockerfile
index 47c1a084f01a1..2f42689c93e53 100644
--- a/controller/Dockerfile
+++ b/controller/Dockerfile
@@ -1,5 +1,5 @@
 ## compile controller services
-FROM gcr.io/linkerd-io/go-deps:c7fb42bd as golang
+FROM gcr.io/linkerd-io/go-deps:773dfbc7 as golang
 WORKDIR /linkerd-build
 COPY controller/gen controller/gen
 COPY pkg pkg
diff --git a/go.mod b/go.mod
index 935736040acfe..bf4abbb252b49 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 // indirect
 github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20160910222444-6b7015e65d36
 github.com/huandu/xstrings v1.2.0 // indirect
- github.com/imdario/mergo v0.0.0-20180119215619-163f41321a19 // indirect
+ github.com/imdario/mergo v0.3.7
 github.com/inconshreveable/mousetrap v1.0.0 // indirect
 github.com/jonboulle/clockwork v0.1.0 // indirect
 github.com/julienschmidt/httprouter v1.1.0
diff --git a/go.sum b/go.sum
index 868ec4f96cc06..0f7553c011939 100644
--- a/go.sum
+++ b/go.sum
@@ -127,8 +127,8 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/huandu/xstrings v1.2.0 h1:yPeWdRnmynF7p+lLYz0H2tthW9lqhMJrQV/U7yy4wX0=
 github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
-github.com/imdario/mergo v0.0.0-20180119215619-163f41321a19 h1:geJOJJZwkYI1yqxWrAMcgrwDvy4P1XyNNgIyN9d6UXc=
-github.com/imdario/mergo v0.0.0-20180119215619-163f41321a19/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
+github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
diff --git a/pkg/charts/defaults.go b/pkg/charts/defaults.go
deleted file mode 100644
index 1d1b29c35858c..0000000000000
--- a/pkg/charts/defaults.go
+++ /dev/null
@@ -1,245 +0,0 @@ -package charts - -import ( - "time" - - "k8s.io/helm/pkg/chartutil" -) - -const ( - helmDefaultValuesFile = "values.yaml" - helmDefaultHAValuesFile = "values-ha.yaml" -) - -// DefaultValues contain all the default variables defined in the values.yaml -// and values-ha.yaml. -type DefaultValues struct { - ControllerReplicas uint - ControllerLogLevel string - ControllerCPULimit string - ControllerCPURequest string - ControllerMemoryLimit string - ControllerMemoryRequest string - ControllerUID int64 - EnableExternalProfiles bool - EnableH2Upgrade bool - GrafanaCPULimit string - GrafanaCPURequest string - GrafanaMemoryLimit string - GrafanaMemoryRequest string - ImagePullPolicy string - IdentityCPULimit string - IdentityCPURequest string - IdentityMemoryLimit string - IdentityMemoryRequest string - IdentityTrustDomain string - IdentityIssuerClockSkewAllowance time.Duration - IdentityIssuerIssuanceLifetime time.Duration - OmitWebhookSideEffects bool - PrometheusCPULimit string - PrometheusCPURequest string - PrometheusImage string - PrometheusMemoryLimit string - PrometheusMemoryRequest string - ProxyAdminPort uint - ProxyControlPort uint - ProxyCPULimit string - ProxyCPURequest string - ProxyImageName string - ProxyInboundPort uint - ProxyInitImageName string - ProxyInitCPULimit string - ProxyInitCPURequest string - ProxyInitMemoryLimit string - ProxyInitMemoryRequest string - ProxyLogLevel string - ProxyMemoryLimit string - ProxyMemoryRequest string - ProxyOutboundPort uint - ProxyUID int64 - WebhookFailurePolicy string -} - -// ReadDefaults read all the default variables from the values.yaml file. -// If ha is true, values-ha.yaml will be merged into values.yaml. -// chartDir is the root directory of the Helm chart where values.yaml is. -// chartDir should use `/` as a dir separator regardless of the OS. 
-func ReadDefaults(chartDir string, ha bool) (*DefaultValues, error) { - valuesFiles := []*chartutil.BufferedFile{ - {Name: helmDefaultValuesFile}, - } - - if ha { - valuesFiles = append(valuesFiles, &chartutil.BufferedFile{ - Name: helmDefaultHAValuesFile, - }) - } - - if err := filesReader(chartDir, valuesFiles); err != nil { - return nil, err - } - - values := chartutil.Values{} - for _, valuesFile := range valuesFiles { - v, err := chartutil.ReadValues(valuesFile.Data) - if err != nil { - return nil, err - } - values.MergeInto(v) - } - return setDefaults(values, ha) -} - -func setDefaults(defaults chartutil.Values, ha bool) (*DefaultValues, error) { - identity, err := defaults.Table("Identity") - if err != nil { - return nil, err - } - - identityIssuer, err := defaults.Table("Identity.Issuer") - if err != nil { - return nil, err - } - - identityIssuanceLifetime, err := time.ParseDuration(identityIssuer["IssuanceLifeTime"].(string)) - if err != nil { - return nil, err - } - - identityClockSkewAllowance, err := time.ParseDuration(identityIssuer["ClockSkewAllowance"].(string)) - if err != nil { - return nil, err - } - - proxy, err := defaults.Table("Proxy") - if err != nil { - return nil, err - } - - proxyImage, err := defaults.Table("Proxy.Image") - if err != nil { - return nil, err - } - - proxyInitImage, err := defaults.Table("ProxyInit.Image") - if err != nil { - return nil, err - } - - proxyInitResourcesCPU, err := defaults.Table("ProxyInit.Resources.CPU") - if err != nil { - return nil, err - } - - proxyInitResourcesMemory, err := defaults.Table("ProxyInit.Resources.Memory") - if err != nil { - return nil, err - } - - proxyPorts, err := defaults.Table("Proxy.Ports") - if err != nil { - return nil, err - } - - proxyResourcesCPU, err := defaults.Table("Proxy.Resources.CPU") - if err != nil { - return nil, err - } - - proxyResourcesMemory, err := defaults.Table("Proxy.Resources.Memory") - if err != nil { - return nil, err - } - - defaultValues := 
&DefaultValues{ - ControllerReplicas: uint(defaults["ControllerReplicas"].(float64)), - ControllerLogLevel: defaults["ControllerLogLevel"].(string), - ControllerUID: int64(defaults["ControllerUID"].(float64)), - EnableExternalProfiles: proxy["EnableExternalProfiles"].(bool), - EnableH2Upgrade: defaults["EnableH2Upgrade"].(bool), - ImagePullPolicy: defaults["ImagePullPolicy"].(string), - IdentityTrustDomain: identity["TrustDomain"].(string), - IdentityIssuerClockSkewAllowance: identityClockSkewAllowance, - IdentityIssuerIssuanceLifetime: identityIssuanceLifetime, - OmitWebhookSideEffects: defaults["OmitWebhookSideEffects"].(bool), - PrometheusImage: defaults["PrometheusImage"].(string), - ProxyAdminPort: uint(proxyPorts["Admin"].(float64)), - ProxyControlPort: uint(proxyPorts["Control"].(float64)), - ProxyCPULimit: proxyResourcesCPU["Limit"].(string), - ProxyCPURequest: proxyResourcesCPU["Request"].(string), - ProxyImageName: proxyImage["Name"].(string), - ProxyInboundPort: uint(proxyPorts["Inbound"].(float64)), - ProxyInitImageName: proxyInitImage["Name"].(string), - ProxyInitCPULimit: proxyInitResourcesCPU["Limit"].(string), - ProxyInitCPURequest: proxyInitResourcesCPU["Request"].(string), - ProxyInitMemoryLimit: proxyInitResourcesMemory["Limit"].(string), - ProxyInitMemoryRequest: proxyInitResourcesMemory["Request"].(string), - ProxyLogLevel: proxy["LogLevel"].(string), - ProxyMemoryLimit: proxyResourcesMemory["Limit"].(string), - ProxyMemoryRequest: proxyResourcesMemory["Request"].(string), - ProxyOutboundPort: uint(proxyPorts["Outbound"].(float64)), - ProxyUID: int64(proxy["UID"].(float64)), - WebhookFailurePolicy: defaults["WebhookFailurePolicy"].(string), - } - - if ha { - controllerResourcesCPU, err := defaults.Table("ControllerResources.CPU") - if err != nil { - return nil, err - } - - controllerResourcesMemory, err := defaults.Table("ControllerResources.Memory") - if err != nil { - return nil, err - } - - grafanaResourcesCPU, err := 
defaults.Table("GrafanaResources.CPU") - if err != nil { - return nil, err - } - - grafanaResourcesMemory, err := defaults.Table("GrafanaResources.Memory") - if err != nil { - return nil, err - } - - identityResourcesCPU, err := defaults.Table("IdentityResources.CPU") - if err != nil { - return nil, err - } - - identityResourcesMemory, err := defaults.Table("IdentityResources.Memory") - if err != nil { - return nil, err - } - - prometheusResourcesCPU, err := defaults.Table("PrometheusResources.CPU") - if err != nil { - return nil, err - } - - prometheusResourcesMemory, err := defaults.Table("PrometheusResources.Memory") - if err != nil { - return nil, err - } - - defaultValues.ControllerCPULimit = controllerResourcesCPU["Limit"].(string) - defaultValues.ControllerCPURequest = controllerResourcesCPU["Request"].(string) - defaultValues.ControllerMemoryLimit = controllerResourcesMemory["Limit"].(string) - defaultValues.ControllerMemoryRequest = controllerResourcesMemory["Request"].(string) - defaultValues.GrafanaCPULimit = grafanaResourcesCPU["Limit"].(string) - defaultValues.GrafanaCPURequest = grafanaResourcesCPU["Request"].(string) - defaultValues.GrafanaMemoryLimit = grafanaResourcesMemory["Limit"].(string) - defaultValues.GrafanaMemoryRequest = grafanaResourcesMemory["Request"].(string) - defaultValues.IdentityCPULimit = identityResourcesCPU["Limit"].(string) - defaultValues.IdentityCPURequest = identityResourcesCPU["Request"].(string) - defaultValues.IdentityMemoryLimit = identityResourcesMemory["Limit"].(string) - defaultValues.IdentityMemoryRequest = identityResourcesMemory["Request"].(string) - defaultValues.PrometheusCPULimit = prometheusResourcesCPU["Limit"].(string) - defaultValues.PrometheusCPURequest = prometheusResourcesCPU["Request"].(string) - defaultValues.PrometheusMemoryLimit = prometheusResourcesMemory["Limit"].(string) - defaultValues.PrometheusMemoryRequest = prometheusResourcesMemory["Request"].(string) - } - - return defaultValues, nil -} 
diff --git a/pkg/charts/defaults_test.go b/pkg/charts/defaults_test.go
deleted file mode 100644
index f5d0db52b54de..0000000000000
--- a/pkg/charts/defaults_test.go
+++ /dev/null
@@ -1,93 +0,0 @@ -package charts - -import ( - "reflect" - "testing" - "time" -) - -func TestReadDefaults(t *testing.T) { - actual, err := ReadDefaults("linkerd2/", false) - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - - clockSkewAllowance, err := time.ParseDuration("20s") - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - - issuanceLifetime, err := time.ParseDuration("86400s") - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - - expected := &DefaultValues{ - ControllerReplicas: 1, - ControllerLogLevel: "info", - ControllerUID: 2103, - EnableExternalProfiles: false, - EnableH2Upgrade: true, - ImagePullPolicy: "IfNotPresent", - IdentityTrustDomain: "cluster.local", - IdentityIssuerClockSkewAllowance: clockSkewAllowance, - IdentityIssuerIssuanceLifetime: issuanceLifetime, - OmitWebhookSideEffects: false, - PrometheusImage: "prom/prometheus:v2.11.1", - ProxyAdminPort: 4191, - ProxyControlPort: 4190, - ProxyCPULimit: "", - ProxyCPURequest: "", - ProxyImageName: "gcr.io/linkerd-io/proxy", - ProxyInboundPort: 4143, - ProxyInitImageName: "gcr.io/linkerd-io/proxy-init", - ProxyInitCPULimit: "100m", - ProxyInitCPURequest: "10m", - ProxyInitMemoryLimit: "50Mi", - ProxyInitMemoryRequest: "10Mi", - ProxyLogLevel: "warn,linkerd2_proxy=info", - ProxyMemoryLimit: "", - ProxyMemoryRequest: "", - ProxyOutboundPort: 4140, - ProxyUID: 2102, - WebhookFailurePolicy: "Ignore", - } - - if !reflect.DeepEqual(expected, actual) { - t.Errorf("Mismatch Helm defaults.\nExpected: %+v\nActual: %+v", expected, actual) - } - - t.Run("HA", func(t *testing.T) { - actual, err := ReadDefaults("linkerd2/", true) - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - - expected.ControllerCPULimit = "1" - expected.ControllerCPURequest = "100m" - expected.ControllerMemoryLimit = "250Mi" - expected.ControllerMemoryRequest = "50Mi" - expected.ControllerReplicas = 3 - expected.GrafanaCPULimit = expected.ControllerCPULimit - 
expected.GrafanaCPURequest = expected.ControllerCPURequest - expected.GrafanaMemoryLimit = "1024Mi" - expected.GrafanaMemoryRequest = "50Mi" - expected.IdentityCPULimit = expected.ControllerCPULimit - expected.IdentityCPURequest = expected.ControllerCPURequest - expected.IdentityMemoryLimit = expected.ControllerMemoryLimit - expected.IdentityMemoryRequest = "10Mi" - expected.PrometheusCPULimit = "4" - expected.PrometheusCPURequest = "300m" - expected.PrometheusMemoryLimit = "8192Mi" - expected.PrometheusMemoryRequest = "300Mi" - expected.ProxyCPULimit = expected.ControllerCPULimit - expected.ProxyCPURequest = expected.ControllerCPURequest - expected.ProxyMemoryLimit = expected.ControllerMemoryLimit - expected.ProxyMemoryRequest = "20Mi" - expected.WebhookFailurePolicy = "Fail" - - if !reflect.DeepEqual(expected, actual) { - t.Errorf("Mismatch Helm defaults.\nExpected: %+v\nActual: %+v", expected, actual) - } - }) -} diff --git a/pkg/charts/template-values.go b/pkg/charts/template-values.go deleted file mode 100644 index 5bf172b4ce63a..0000000000000 --- a/pkg/charts/template-values.go +++ /dev/null 
@@ -1,125 +0,0 @@ -package charts - -import "time" - -type ( - // Values contains the top-level elements in the Helm charts - Values struct { - Namespace string - ClusterDomain string - HighAvailability bool - Identity *Identity - - Proxy *Proxy - ProxyInit *ProxyInit - } - - // Proxy contains the fields to set the proxy sidecar container - Proxy struct { - Capabilities *Capabilities - Component string - DisableIdentity bool - DisableTap bool - EnableExternalProfiles bool - Image *Image - LogLevel string - SAMountPath *SAMountPath - Ports *Ports - Resources *Resources - UID int64 - } - - // ProxyInit contains the fields to set the proxy-init container - ProxyInit struct { - Capabilities *Capabilities - IgnoreInboundPorts string - IgnoreOutboundPorts string - Image *Image - SAMountPath *SAMountPath - Resources *Resources - } - - // DebugContainer contains the fields to set the debugging sidecar - DebugContainer struct { - Image *Image - } - - // Image contains the details to define a container image - Image struct { - Name string - PullPolicy string - Version string - } - - // Ports contains all the port-related setups - Ports struct { - Admin int32 - Control int32 - Inbound int32 - Outbound int32 - } - - // Constraints wraps the Limit and Request settings for computational resources - Constraints struct { - Limit string - Request string - } - - // Capabilities contains the SecurityContext capabilities to add/drop into the injected - // containers - Capabilities struct { - Add []string - Drop []string - } - - // SAMountPath contains the details for ServiceAccount volume mount - SAMountPath struct { - Name string - MountPath string - ReadOnly bool - } - - // Resources represents the computational resources setup for a given container - Resources struct { - CPU Constraints - Memory Constraints - } - - // Identity contains the fields to set the identity variables in the proxy - // sidecar container - Identity struct { - TrustAnchorsPEM string - TrustDomain string - 
Issuer *Issuer - } - - // Issuer has the Helm variables of the identity issuer - Issuer struct { - ClockSkewAllowance string - IssuanceLifetime string - CrtExpiryAnnotation string - CrtExpiry time.Time - TLS *TLS - } - - // ProxyInjector has all the proxy injector's Helm variables - ProxyInjector struct { - *TLS - } - - // ProfileValidator has all the profile validator's Helm variables - ProfileValidator struct { - *TLS - } - - // Tap has all the Tap's Helm variables - Tap struct { - *TLS - } - - // TLS has a pair of PEM-encoded key and certificate variables used in the - // Helm templates - TLS struct { - KeyPEM, CrtPEM string - } -) diff --git a/pkg/charts/values.go b/pkg/charts/values.go new file mode 100644 index 0000000000000..ba71c4713db66 --- /dev/null +++ b/pkg/charts/values.go 
@@ -0,0 +1,248 @@
+package charts
+
+import (
+ "fmt"
+ "time"
+
+ "github.com/imdario/mergo"
+ "github.com/linkerd/linkerd2/pkg/k8s"
+ "k8s.io/helm/pkg/chartutil"
+ "sigs.k8s.io/yaml"
+)
+
+const (
+ helmDefaultChartDir = "linkerd2"
+ helmDefaultHAValuesFile = "values-ha.yaml"
+)
+
+type (
+ // Values contains the top-level elements in the Helm charts
+ Values struct {
+ Stage string
+ Namespace string
+ ClusterDomain string
+ ControllerImage string
+ ControllerImageVersion string
+ WebImage string
+ PrometheusImage string
+ GrafanaImage string
+ ImagePullPolicy string
+ UUID string
+ CliVersion string
+ ControllerReplicas uint
+ ControllerLogLevel string
+ PrometheusLogLevel string
+ ControllerComponentLabel string
+ ControllerNamespaceLabel string
+ CreatedByAnnotation string
+ ProxyContainerName string
+ ProxyInjectAnnotation string
+ ProxyInjectDisabled string
+ LinkerdNamespaceLabel string
+ ControllerUID int64
+ EnableH2Upgrade bool
+ EnablePodAntiAffinity bool
+ HighAvailability bool
+ NoInitContainer bool
+ WebhookFailurePolicy string
+ OmitWebhookSideEffects bool
+ RestrictDashboardPrivileges bool
+ HeartbeatSchedule string
+ Configs ConfigJSONs
+ Identity *Identity
+ ProxyInjector *ProxyInjector
+ ProfileValidator *ProfileValidator
+ Tap *Tap
+ Proxy *Proxy
+ ProxyInit *ProxyInit
+
+ DestinationResources,
+ GrafanaResources,
+ HeartbeatResources,
+ IdentityResources,
+ PrometheusResources,
+ ProxyInjectorResources,
+ PublicAPIResources,
+ SPValidatorResources,
+ TapResources,
+ WebResources *Resources
+ }
+
+ // ConfigJSONs is the JSON encoding of the Linkerd configuration
+ ConfigJSONs struct{ Global, Proxy, Install string }
+
+ // Proxy contains the fields to set the proxy sidecar container
+ Proxy struct {
+ Capabilities *Capabilities
+ Component string
+ DisableIdentity bool
+ DisableTap bool
+ EnableExternalProfiles bool
+ Image *Image
+ LogLevel string
+ SAMountPath *SAMountPath
+ Ports *Ports
+ Resources *Resources
+ UID int64
+ }
+
+ // ProxyInit contains the fields to set the proxy-init container
+ ProxyInit struct {
+ Capabilities *Capabilities
+ IgnoreInboundPorts string
+ IgnoreOutboundPorts string
+ Image *Image
+ SAMountPath *SAMountPath
+ Resources *Resources
+ }
+
+ // DebugContainer contains the fields to set the debugging sidecar
+ DebugContainer struct {
+ Image *Image
+ }
+
+ // Image contains the details to define a container image
+ Image struct {
+ Name string
+ PullPolicy string
+ Version string
+ }
+
+ // Ports contains all the port-related setups
+ Ports struct {
+ Admin int32
+ Control int32
+ Inbound int32
+ Outbound int32
+ }
+
+ // Constraints wraps the Limit and Request settings for computational resources
+ Constraints struct {
+ Limit string
+ Request string
+ }
+
+ // Capabilities contains the SecurityContext capabilities to add/drop into the injected
+ // containers
+ Capabilities struct {
+ Add []string
+ Drop []string
+ }
+
+ // SAMountPath contains the details for ServiceAccount volume mount
+ SAMountPath struct {
+ Name string
+ MountPath string
+ ReadOnly bool
+ }
+
+ // Resources represents the computational resources setup for a given container
+ Resources struct {
+ CPU Constraints
+ Memory Constraints
+ }
+
+ // Identity contains the fields to set the identity variables in the proxy
+ // sidecar container
+ Identity struct {
+ TrustAnchorsPEM string
+ TrustDomain string
+ Issuer *Issuer
+ }
+
+ // Issuer has the Helm variables of the identity issuer
+ Issuer struct {
+ ClockSkewAllowance string
+ IssuanceLifetime string
+ CrtExpiryAnnotation string
+ CrtExpiry time.Time
+ TLS *TLS
+ }
+
+ // ProxyInjector has all the proxy injector's Helm variables
+ ProxyInjector struct {
+ *TLS
+ }
+
+ // ProfileValidator has all the profile validator's Helm variables
+ ProfileValidator struct {
+ *TLS
+ }
+
+ // Tap has all the Tap's Helm variables
+ Tap struct {
+ *TLS
+ }
+
+ // TLS has a pair of PEM-encoded key and certificate variables used in the
+ // Helm templates
+ TLS struct {
+ KeyPEM, CrtPEM string
+ }
+)
+
+// NewValues returns a new instance of the Values type.
+func NewValues(ha bool) (*Values, error) {
+ chartDir := fmt.Sprintf("%s/", helmDefaultChartDir)
+ v, err := readDefaults(chartDir, ha)
+ if err != nil {
+ return nil, err
+ }
+
+ v.CliVersion = k8s.CreatedByAnnotationValue()
+ v.ProfileValidator = &ProfileValidator{TLS: &TLS{}}
+ v.ProxyInjector = &ProxyInjector{TLS: &TLS{}}
+ v.ProxyContainerName = k8s.ProxyContainerName
+ v.Tap = &Tap{TLS: &TLS{}}
+
+ return v, nil
+}
+
+// readDefaults read all the default variables from the values.yaml file.
+// chartDir is the root directory of the Helm chart where values.yaml is.
+func readDefaults(chartDir string, ha bool) (*Values, error) {
+ valuesFiles := []*chartutil.BufferedFile{
+ {Name: chartutil.ValuesfileName},
+ }
+
+ if ha {
+ valuesFiles = append(valuesFiles, &chartutil.BufferedFile{
+ Name: helmDefaultHAValuesFile,
+ })
+ }
+
+ if err := filesReader(chartDir, valuesFiles); err != nil {
+ return nil, err
+ }
+
+ values := Values{}
+ for _, valuesFile := range valuesFiles {
+ var v Values
+ if err := yaml.Unmarshal(valuesFile.Data, &v); err != nil {
+ return nil, err
+ }
+
+ var err error
+ values, err = values.merge(v)
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return &values, nil
+}
+
+// merge merges the non-empty properties of src into v.
+// A new Values instance is returned. Neither src nor v are mutated after
+// calling merge.
+func (v Values) merge(src Values) (Values, error) {
+ // By default, mergo.Merge doesn't overwrite any existing non-empty values
+ // in its first argument. So in HA mode, we are merging values.yaml into
+ // values-ha.yaml, instead of the other way round (like Helm). This ensures
+ // that all the HA values take precedence.
+ if err := mergo.Merge(&src, v); err != nil {
+ return Values{}, err
+ }
+
+ return src, nil
+}
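Review bot: `merge` inherits mergo's rule that Go zero values count as unset, so a field set to `false`, `0` or `""` in values-ha.yaml never overrides a non-empty default from values.yaml (an HA overlay cannot switch off a boolean that values.yaml enables) and nothing reports the dropped override; the method comment should say so, e.g. `// Zero-valued fields of src (false, 0, "") are treated as unset and are filled from v.` In the decode loop of `readDefaults`, `return nil, fmt.Errorf("unmarshaling %s: %v", valuesFile.Name, err)` would keep the file name, which is the first thing needed when a chart values file is malformed. Because `Values` carries no yaml tags, `yaml.Unmarshal` silently ignores a misspelled key, so a typo in either values file leaves the default in force (for defaults such as `WebhookFailurePolicy` or `RestrictDashboardPrivileges` that is a quiet configuration regression); `yaml.UnmarshalStrict` from the same package, if the vendored version provides it, would turn that into a startup error. `filesReader` is defined outside this diff, so how the chart directory is resolved and validated cannot be reviewed here.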
diff --git a/pkg/charts/values_test.go b/pkg/charts/values_test.go
new file mode 100644
index 0000000000000..16db93a847c8c
--- /dev/null
+++ b/pkg/charts/values_test.go
@@ -0,0 +1,202 @@
+package charts
+
+import (
+ "reflect"
+ "testing"
+)
+
+func TestNewValues(t *testing.T) {
+ actual, err := NewValues(false)
+ if err != nil {
+ t.Fatalf("Unexpected error: %v\n", err)
+ }
+
+ testVersion := "linkerd-dev"
+
+ expected := &Values{
+ Stage: "",
+ Namespace: "linkerd",
+ ClusterDomain: "cluster.local",
+ ControllerImage: "gcr.io/linkerd-io/controller",
+ ControllerImageVersion: testVersion,
+ WebImage: "gcr.io/linkerd-io/web",
+ PrometheusImage: "prom/prometheus:v2.11.1",
+ GrafanaImage: "gcr.io/linkerd-io/grafana",
+ ImagePullPolicy: "IfNotPresent",
+ UUID: "",
+ CliVersion: "linkerd/cli dev-undefined",
+ ControllerReplicas: 1,
+ ControllerLogLevel: "info",
+ PrometheusLogLevel: "info",
+ ControllerComponentLabel: "linkerd.io/control-plane-component",
+ ControllerNamespaceLabel: "linkerd.io/control-plane-ns",
+ CreatedByAnnotation: "linkerd.io/created-by",
+ ProxyContainerName: "linkerd-proxy",
+ ProxyInjectAnnotation: "linkerd.io/inject",
+ ProxyInjectDisabled: "disabled",
+ LinkerdNamespaceLabel: "linkerd.io/is-control-plane",
+ ControllerUID: 2103,
+ EnableH2Upgrade: true,
+ EnablePodAntiAffinity: false,
+ HighAvailability: false,
+ NoInitContainer: false,
+ WebhookFailurePolicy: "Ignore",
+ OmitWebhookSideEffects: false,
+ RestrictDashboardPrivileges: false,
+ HeartbeatSchedule: "0 0 * * *",
+
+ Identity: &Identity{
+ TrustDomain: "cluster.local",
+ Issuer: &Issuer{
+ ClockSkewAllowance: "20s",
+ IssuanceLifetime: "86400s",
+ CrtExpiryAnnotation: "linkerd.io/identity-issuer-expiry",
+ TLS: &TLS{},
+ },
+ },
+
+ ProxyInjector: &ProxyInjector{TLS: &TLS{}},
+ ProfileValidator: &ProfileValidator{TLS: &TLS{}},
+ Tap: &Tap{TLS: &TLS{}},
+
+ Proxy: &Proxy{
+ EnableExternalProfiles: false,
+ Image: &Image{
+ Name: "gcr.io/linkerd-io/proxy",
+ PullPolicy: "IfNotPresent",
+ Version: testVersion,
+ },
+ LogLevel: "warn,linkerd2_proxy=info",
+ Ports: &Ports{
+ Admin: 4191,
+ Control: 4190,
+ Inbound: 4143,
+ Outbound: 4140,
+ },
+ Resources: &Resources{
+ CPU: Constraints{
+ Limit: "",
+ Request: "",
+ },
+ Memory: Constraints{
+ Limit: "",
+ Request: "",
+ },
+ },
+ UID: 2102,
+ },
+
+ ProxyInit: &ProxyInit{
+ Image: &Image{
+ Name: "gcr.io/linkerd-io/proxy-init",
+ PullPolicy: "IfNotPresent",
+ Version: testVersion,
+ },
+ Resources: &Resources{
+ CPU: Constraints{
+ Limit: "100m",
+ Request: "10m",
+ },
+ Memory: Constraints{
+ Limit: "50Mi",
+ Request: "10Mi",
+ },
+ },
+ },
+ }
+
+ // pin the versions to ensure consistent test result.
+ // in non-test environment, the default versions are read from the
+ // values.yaml.
+ actual.ControllerImageVersion = testVersion
+ actual.Proxy.Image.Version = testVersion
+ actual.ProxyInit.Image.Version = testVersion
+
+ if !reflect.DeepEqual(expected, actual) {
+ t.Errorf("Mismatch Helm values.\nExpected: %+v\nActual: %+v", expected, actual)
+ }
+
+ t.Run("HA", func(t *testing.T) {
+ actual, err := NewValues(true)
+ if err != nil {
+ t.Fatalf("Unexpected error: %v\n", err)
+ }
+
+ expected.ControllerReplicas = 3
+ expected.EnablePodAntiAffinity = true
+ expected.WebhookFailurePolicy = "Fail"
+
+ controllerResources := &Resources{
+ CPU: Constraints{
+ Limit: "1",
+ Request: "100m",
+ },
+ Memory: Constraints{
+ Limit: "250Mi",
+ Request: "50Mi",
+ },
+ }
+ expected.DestinationResources = controllerResources
+ expected.PublicAPIResources = controllerResources
+ expected.ProxyInjectorResources = controllerResources
+ expected.SPValidatorResources = controllerResources
+ expected.TapResources = controllerResources
+ expected.WebResources = controllerResources
+ expected.HeartbeatResources = controllerResources
+
+ expected.GrafanaResources = &Resources{
+ CPU: Constraints{
+ Limit: controllerResources.CPU.Limit,
+ Request: controllerResources.CPU.Request,
+ },
+ Memory: Constraints{
+ Limit: "1024Mi",
+ Request: "50Mi",
+ },
+ }
+
+ expected.IdentityResources = &Resources{
+ CPU: Constraints{
+ Limit: controllerResources.CPU.Limit,
+ Request: controllerResources.CPU.Request,
+ },
+ Memory: Constraints{
+ Limit: controllerResources.Memory.Limit,
+ Request: "10Mi",
+ },
+ }
+
+ expected.PrometheusResources = &Resources{
+ CPU: Constraints{
+ Limit: "4",
+ Request: "300m",
+ },
+ Memory: Constraints{
+ Limit: "8192Mi",
+ Request: "300Mi",
+ },
+ }
+
+ expected.Proxy.Resources = &Resources{
+ CPU: Constraints{
+ Limit: controllerResources.CPU.Limit,
+ Request: controllerResources.CPU.Request,
+ },
+ Memory: Constraints{
+ Limit: controllerResources.Memory.Limit,
+ Request: "20Mi",
+ },
+ }
+
+ // pin the versions to ensure consistent test result.
+ // in non-test environment, the default versions are read from the
+ // values.yaml.
+ actual.ControllerImageVersion = testVersion
+ actual.Proxy.Image.Version = testVersion
+ actual.ProxyInit.Image.Version = testVersion
+
+ if !reflect.DeepEqual(expected, actual) {
+ t.Errorf("Mismatch Helm HA defaults.\nExpected: %+v\nActual: %+v", expected, actual)
+ }
+ })
+}
diff --git a/web/Dockerfile b/web/Dockerfile
index ea9577d9f495d..fd5ed50892c94 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -21,7 +21,7 @@ COPY web/app ./web/app
 RUN ./bin/web build
 
 ## compile go server
-FROM gcr.io/linkerd-io/go-deps:c7fb42bd as golang
+FROM gcr.io/linkerd-io/go-deps:773dfbc7 as golang
 WORKDIR /linkerd-build
 RUN mkdir -p web
 COPY web/main.go web