From 442c7878f26c449cdb45803b887e91bcd36fe239 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Sun, 19 Jan 2020 23:35:47 +0530 Subject: [PATCH 01/46] Moves Common templates needed to partials As add-ons re-use the partials helm chart, all the templates needed by multiple charts should be present in partials This commit also updates the helm tests Signed-off-by: Tarun Pothulapati --- charts/{linkerd2 => partials}/templates/_affinity.tpl | 0 charts/{linkerd2 => partials}/templates/_nodeselector.tpl | 0 charts/{linkerd2 => partials}/templates/_validate.tpl | 0 cli/cmd/install.go | 3 --- cli/cmd/install_helm_test.go | 3 +++ pkg/charts/charts.go | 3 +++ 6 files changed, 6 insertions(+), 3 deletions(-) rename charts/{linkerd2 => partials}/templates/_affinity.tpl (100%) rename charts/{linkerd2 => partials}/templates/_nodeselector.tpl (100%) rename charts/{linkerd2 => partials}/templates/_validate.tpl (100%) diff --git a/charts/linkerd2/templates/_affinity.tpl b/charts/partials/templates/_affinity.tpl similarity index 100% rename from charts/linkerd2/templates/_affinity.tpl rename to charts/partials/templates/_affinity.tpl diff --git a/charts/linkerd2/templates/_nodeselector.tpl b/charts/partials/templates/_nodeselector.tpl similarity index 100% rename from charts/linkerd2/templates/_nodeselector.tpl rename to charts/partials/templates/_nodeselector.tpl diff --git a/charts/linkerd2/templates/_validate.tpl b/charts/partials/templates/_validate.tpl similarity index 100% rename from charts/linkerd2/templates/_validate.tpl rename to charts/partials/templates/_validate.tpl diff --git a/cli/cmd/install.go b/cli/cmd/install.go index a5da48857fb8f..3cd903fd12a64 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go 
@@ -128,11 +128,8 @@ var ( } templatesControlPlaneStage = []string{ - "templates/_validate.tpl", - "templates/_affinity.tpl", "templates/_config.tpl", "templates/_helpers.tpl", - "templates/_nodeselector.tpl", "templates/config.yaml", "templates/identity.yaml", "templates/controller.yaml", diff --git a/cli/cmd/install_helm_test.go b/cli/cmd/install_helm_test.go index 77c10c89760bd..6caa2c549148a 100644 --- a/cli/cmd/install_helm_test.go +++ b/cli/cmd/install_helm_test.go @@ -175,6 +175,9 @@ func chartPartials(t *testing.T) *pb.Chart { {Name: "templates/_debug.tpl"}, {Name: "templates/_trace.tpl"}, {Name: "templates/_capabilities.tpl"}, + {Name: "templates/_affinity.tpl"}, + {Name: "templates/_nodeselector.tpl"}, + {Name: "templates/_validate.tpl"}, }, } diff --git a/pkg/charts/charts.go b/pkg/charts/charts.go index 64e2b9eec696d..22f4e3a3f5500 100644 --- a/pkg/charts/charts.go +++ b/pkg/charts/charts.go @@ -79,6 +79,9 @@ func (chart *Chart) Render() (bytes.Buffer, error) { {Name: "charts/partials/templates/_debug.tpl"}, {Name: "charts/partials/templates/_capabilities.tpl"}, {Name: "charts/partials/templates/_trace.tpl"}, + {Name: "charts/partials/templates/_nodeselector.tpl"}, + {Name: "charts/partials/templates/_affinity.tpl"}, + {Name: "charts/partials/templates/_validate.tpl"}, } return chart.render(l5dPartials) } From 6eba3da083b9154f59d8106f658b3af81f75e9e7 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 20 Jan 2020 13:18:27 +0530 Subject: [PATCH 02/46] add tracing add-on helm chart Tracing sub-chart includes open-census and jaeger components as a sub-chart which can be enabled as needed 
Signed-off-by: Tarun Pothulapati --- charts/linkerd2/add-ons/tracing/.helmignore | 22 ++ charts/linkerd2/add-ons/tracing/Chart.yaml | 5 + .../add-ons/tracing/charts/partials-0.1.0.tgz | Bin 0 -> 3599 bytes .../add-ons/tracing/requirements.lock | 6 + .../add-ons/tracing/requirements.yaml | 4 + .../tracing/templates/tracing-rbac.yaml | 26 ++ .../add-ons/tracing/templates/tracing.yaml | 223 ++++++++++++++++++ charts/linkerd2/add-ons/tracing/values.yaml | 1 + charts/linkerd2/requirements.lock | 7 +- charts/linkerd2/requirements.yaml | 4 + charts/linkerd2/values.yaml | 26 +- 11 files changed, 319 insertions(+), 5 deletions(-) create mode 100644 charts/linkerd2/add-ons/tracing/.helmignore create mode 100644 charts/linkerd2/add-ons/tracing/Chart.yaml create mode 100644 charts/linkerd2/add-ons/tracing/charts/partials-0.1.0.tgz create mode 100644 charts/linkerd2/add-ons/tracing/requirements.lock create mode 100644 charts/linkerd2/add-ons/tracing/requirements.yaml create mode 100644 charts/linkerd2/add-ons/tracing/templates/tracing-rbac.yaml create mode 100644 charts/linkerd2/add-ons/tracing/templates/tracing.yaml create mode 100644 charts/linkerd2/add-ons/tracing/values.yaml diff --git a/charts/linkerd2/add-ons/tracing/.helmignore b/charts/linkerd2/add-ons/tracing/.helmignore new file mode 100644 index 0000000000000..50af031725419 --- /dev/null +++ b/charts/linkerd2/add-ons/tracing/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/linkerd2/add-ons/tracing/Chart.yaml b/charts/linkerd2/add-ons/tracing/Chart.yaml new file mode 100644 index 0000000000000..3ba92081bb985 --- /dev/null 
+++ b/charts/linkerd2/add-ons/tracing/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Kubernetes +name: tracing +version: 0.1.0 
diff --git a/charts/linkerd2/add-ons/tracing/charts/partials-0.1.0.tgz b/charts/linkerd2/add-ons/tracing/charts/partials-0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..bf732cc99af12de117c14c2562acf59d56defca9 GIT binary patch literal 3599 zcmV+q4)F0GiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH+#a~eCc`8>ZumzJQ^upWMGl z!#?>8LK4mzXkN2ikd7d}GWSjNH=rJJv}7QMGldBwY>Ms(djR30NOq6{&!<>{{1v(2 z19QPe;{{SPKxZ`UduAbonTyVRten|d2vgb?!yYtZK+>AWq*U#iUA2BTbN&NbqW{Sv zR=T}mdtj?a^-?%?>A$|t>i<=}cGCZ&w4C)H;mL$Bq87IDU&I;gSpQn>`f_dk>-Fo) z)A}EyJv|{8CWHYhMW)*Jxm%7!poGfHr4`>bEQEaSHkl&L)FXs^0TU1c+}l79HXS%K za05!%v@>NqdE9;kCorzX3@RH~5u70iFMO;U#bclYpx`JjR*w<#wEJj3`U0eO6f*s; zj2>XoKu=G|HsjH9nR<&5_d#F{4|Q1P#T?TBGN3dt4aec0&lxb4hNZaADW5JrXlxTq zXds~Mat{+`k3nJkAsB;Tpg`J$SN_QvL}R}Jna)%L)v8tVM8Ma89L%)><`lDLJ7Wsi zvdNS}mSh-`o&1bTrG32h^i)Q`Ts`P#i~OmjTAuxPu#d-t5=B71gb&!||8K5qYxe*8 zs(O90|Ho)rFJlJ~%Yy9-{6v^k6bU_Ge=&>?!4AOmjxt*mXm5fn7Hq zsQ4G`(LD!$M@kS6eMgKiR~w(J5MIix96*jMxE~JDR|gYhhVMa9e5qMy6*Ic59pEO0 zkmVtPPfy#Z>*S7)DO@9DZT<7~--U57eW~DY5Bx8#()B;>68c? 
z;v;H{d8<2R`I`!W;+F|a<35EQ_To8}D@eZ>`WwIRzpN=b6IO&!?E8>U;oyYU%+rGj z^aWvRf=X{>`Hd{CK@0I7B4|a|839bKtX7!FMe0>Gs~d?**vo9lx2>@0Rw|rNn%&`b zl+H)rkpQ1!2TFOZI@2%I4#frd!Vq36+Tk_w|aGXy^;UDygK>+W3(;% zf6N$HCMb`#|8att@CwmeUZNIdkGp1jpg=Gz7N`_Cf)XmZMB*_8w}jp@u8by?gzr$<Be z|7zDa8~MMhQ~l>CEv-kfvgq|M#{v-Qk$$u)Ipk!^(j7K)V;4KJP^b2@TAu!=vXU$ZFuT1t z_nJ>gw!j-LRWY+RW_WdVxz8kf5zuIsZ_VPE(WUc4CY*(n%-G}r3Ti<`qxYKcK>$}W zm#PY_GU|n()-vte`)$v_Zy&oQGq1JZdU`^HIW%z7) z1|FD4#;JMn%dPs70%9j43==}N*>h;9)G0RYJu)7!B?fiVN`ZBuf{b@z##EPWYrhIw_bD+kx z=0dq`4~Cs?bJ*#1M}yC;QSLJLww_NsJVJkeIKJG}4RjqW;wVY|CF z&#Ggg%BCuO50m()tho>4iKLK{n4NvrOdE>!U&9qCOg4Ub8{t1U zG5G`?V4r-!Jy0_UqMZ0Hrrh^F4cqslR#9`-0Dj3#QN;M95DegAZy_#XCe*0s= zZeb_Ey$|i~Nb7zMCnPuml&oaWYD*Av;sACW9duR{e*m@uEES z6Idl|NmHUn8Sx6gL)bDrBW58B_YkMMUaNUG>NY>7#3`~#5}(^E^JHhGC_$&Ygi||@ zFH`iM?Yqy5I`6?u9(2-jh#vYb8u zRmffRWBgu8c6_-tW4uqc__>+lyeu&#b6_B4U+^(#2RBp7{}WX7A)s+`6%Ujkjtn1h zp$ZXX_nin4MijyH7ARf}z~Ri5Iuu{aO`EZn8QZYR@i{^e{oSZmTf;bWmj!wlv=!l5 zSmwDU0J~%-uXL})3vudVTQW48lz&cYe;q=S3Vv3Gf8Wn_qEz&jl=j-EN_OVtL3#5- zp?z}HVK%zBptxMVWTM*shKc$ECR{-Kk*H`vk;|(fO`DB8PMIHn&?U(S5#|qmK~n z9iA9#pGxcRwF6vN;pBu{s?U1jy=XDlDh_+p7@k>QcwTMc(7M9u+ueWPmRJ8tto#er zfOeh#yScbnum9X!pU(dtrRARgNreGg|C8I)H@{pU+wlY2d z>oMPmnx%(C^<>8njG0QEl_;n>hX6JaArwB_2`2Ab;dmMXz6Kyy6N&F5duncSCzI*; z?CGpQIebFTHqm+dAMR|9`2Fw2M*X*1KYjmul$KZjjn4raIVe3R&r&u+SILRr|L-y= znJx1vPC2yY>Hi#4;$rn;CSaHT*X!%Q|5vYH-JJCQ7%lJof4E7Aq=0ai{kSwQ8LZz; zFrlk687<7tR9wAVmB75=-2hFvKyRdt2B6T{K0CTIq&PY=d4sc3>L-ZK^S;B(P#I^& zcM+(tzdu<+?C(#}|MRaNa`oTrzK{0(f317an4NX&gKKe{JLUe=jahzyEQR z_8RrEQXrVr9xYsd^lb(VjRQhm9n$;QdB9VUw)GkfXG9_y_@)|x#1*xz=mMU}|Ct?TBGQ9>EQF!vA${qaLFR#F-hXNkTpdZBM|q?AyU; zptu0*HEMCs;|zUn4UkKOwCpKS74tXxPQxDmQ&h~~_`z&i(SPDwIcJp>pfPqH0^j`h ziL~C?@|$nHv&Z Date: Mon, 20 Jan 2020 14:54:33 +0530 Subject: [PATCH 03/46] Updated Install path to also install add-ons This includes new interface for add-ons to implement, with example tracing implementation 
Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 35 +++++++++++++++++ pkg/charts/linkerd2/add-on.go | 14 +++++++ pkg/charts/linkerd2/tracing.go | 68 ++++++++++++++++++++++++++++++++++ pkg/charts/linkerd2/values.go | 3 ++ 4 files changed, 120 insertions(+) create mode 100644 pkg/charts/linkerd2/add-on.go create mode 100644 pkg/charts/linkerd2/tracing.go diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 3cd903fd12a64..cbe74e4d7ede3 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -756,6 +756,32 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } + addons := checkAddons(values) + + // Render for each add-on separately and attach + // Pass only global values to add-ons + for _, addon := range addons { + + addonValues, err := yaml.Marshal(addon.GetValues()) + if err != nil { + return err + } + + subchart := &charts.Chart{ + Name: addon.GetChartName(), + Dir: l5dcharts.AddonChartsPath + addon.GetChartName(), + Namespace: controlPlaneNamespace, + RawValues: append(rawValues, addonValues...), + Files: addon.GetFiles(), + } + addonBuf, err := subchart.Render() + if err != nil { + return err + } + + buf.Write(addonBuf.Bytes()) + } + _, err = w.Write(buf.Bytes()) return err } @@ -1104,3 +1130,12 @@ func toIdentityContext(idvals *identityWithAnchorsAndTrustDomain) *pb.IdentityCo Scheme: idvals.Identity.Issuer.Scheme, } } +func checkAddons(values *l5dcharts.Values) []l5dcharts.AddOn { + var addons []l5dcharts.AddOn + + if values.Tracing.Enabled { + addons = append(addons, values.Tracing) + } + + return addons +} diff --git a/pkg/charts/linkerd2/add-on.go b/pkg/charts/linkerd2/add-on.go new file mode 100644 index 0000000000000..f5dc34069b75b --- /dev/null +++ b/pkg/charts/linkerd2/add-on.go 
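Review bot: In the add-on loop added to render() in cli/cmd/install.go, the comment says `// Pass only global values to add-ons`, but `RawValues: append(rawValues, addonValues...)` hands every sub-chart the complete marshalled Values. Judging by the `Identity` field declared in values.go, that presumably includes identity issuer material an add-on template has no need to see; this should be confirmed, and if the add-on templates only read `.Values.global` plus their own keys, only that section should be marshalled for them. Appending to the shared `rawValues` on every iteration can also write into its spare capacity, so a fresh slice per add-on is safer once a second add-on exists. render() starts and ends outside this hunk.

```go
// Marshal only the shared global section once; each add-on gets it plus its own values.
globalValues, err := yaml.Marshal(map[string]interface{}{"global": values.Global})
if err != nil {
	return err
}

for _, addon := range addons {
	// … unchanged: marshal addon.GetValues() into addonValues …
	subchart := &charts.Chart{
		// … unchanged: Name, Dir, Namespace …
		// Fresh slice per add-on so no two charts share one backing array.
		RawValues: append(append([]byte(nil), globalValues...), addonValues...),
		Files:     addon.GetFiles(),
	}
	// … unchanged: render the sub-chart and append its output to buf …
}
```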
@@ -0,0 +1,14 @@ +package linkerd2 + +import "k8s.io/helm/pkg/chartutil" + +var ( + AddonChartsPath = "linkerd2/add-ons/" +) + +type AddOn interface { + GetChartName() string + IsEnabled() bool + GetValues() interface{} + GetFiles() []*chartutil.BufferedFile +} diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go new file mode 100644 index 0000000000000..39bf57d0d2fec --- /dev/null +++ b/pkg/charts/linkerd2/tracing.go @@ -0,0 +1,68 @@ +package linkerd2 + +import ( + "k8s.io/helm/pkg/chartutil" +) + +type ( + Tracing struct { + Enabled bool `json:"enabled"` + Collector *Collector `json:"collector"` + Jaeger *Jaeger `json:"jaeger"` + } + + Collector struct { + Name string `json:"name"` + Image string `json:"image"` + Resources *Resources `json:"resources"` + } + + Jaeger struct { + Name string `json:"name"` + Image string `json:"image"` + Resources *Resources `json:"resources"` + } +) + +var ( + tracingChartName = "tracing" + tracingConfigStage = []string{ + "templates/tracing-rbac.yaml", + } + + tracingControlPlaneStage = []string{ + "templates/tracing.yaml", + } +) + +func (*Tracing) GetChartName() string { + return tracingChartName +} + +func (*Tracing) GetFiles() []*chartutil.BufferedFile { + files := []*chartutil.BufferedFile{ + {Name: chartutil.ChartfileName}, + } + + for _, template := range tracingConfigStage { + files = append(files, &chartutil.BufferedFile{ + Name: template, + }) + } + + for _, template := range tracingControlPlaneStage { + files = append(files, &chartutil.BufferedFile{ + Name: template, + }) + } + + return files +} + +func (t *Tracing) GetValues() interface{} { + return t +} + +func (t *Tracing) IsEnabled() bool { + return t.Enabled +} diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index da1c0d04f9c41..08428e4d54d4f 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go 
@@ -58,6 +58,9 @@ type ( SPValidatorResources *Resources `json:"spValidatorResources"` TapResources *Resources `json:"tapResources"` WebResources *Resources `json:"webResources"` + + // Addon Structures + Tracing *Tracing `json:"tracing"` } // Global values common across all charts From a4db9420b3699d2c278f64a8d4c75c9358837f06 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 20 Jan 2020 15:13:25 +0530 Subject: [PATCH 04/46] Updates Linkerd install path to also install add-ons Changes include: - Adds an optional Linkerd Values configmap which stores add-on configuration when add-ons are present. - Updates Linkerd install path to check for add-ons and render their sub-charts. - Adds a install Option called config, which is used to pass confiugration for add-ons. - Uses a fork of mergo, to over-write default Values with the Values struct generated from config. Signed-off-by: Tarun Pothulapati --- Dockerfile-proxy | 2 +- charts/linkerd2/templates/linkerd-values.yaml | 33 ++++++++++ cli/Dockerfile-bin | 2 +- cli/cmd/install.go | 65 +++++++++++++++++-- cli/cmd/testdata/install_config.golden | 1 + cli/cmd/testdata/install_default.golden | 1 + cli/cmd/testdata/install_helm_output.golden | 3 + .../testdata/install_helm_output_ha.golden | 3 + cni-plugin/Dockerfile | 2 +- controller/Dockerfile | 2 +- go.mod | 1 + go.sum | 2 + pkg/charts/linkerd2/values.go | 1 + pkg/charts/linkerd2/values_test.go | 6 ++ web/Dockerfile | 2 +- 15 files changed, 114 insertions(+), 12 deletions(-) create mode 100644 charts/linkerd2/templates/linkerd-values.yaml diff --git a/Dockerfile-proxy b/Dockerfile-proxy index 7a7e926fd562a..1a54520f903f0 100644 --- a/Dockerfile-proxy +++ b/Dockerfile-proxy 
@@ -9,7 +9,7 @@ RUN (proxy=$(bin/fetch-proxy $(cat proxy-version)) && \ mv "$proxy" linkerd2-proxy) ## compile proxy-identity agent -FROM gcr.io/linkerd-io/go-deps:462bbba0 as golang +FROM gcr.io/linkerd-io/go-deps:4a14064f as golang WORKDIR /linkerd-build COPY pkg/flags pkg/flags COPY pkg/tls pkg/tls diff --git a/charts/linkerd2/templates/linkerd-values.yaml b/charts/linkerd2/templates/linkerd-values.yaml new file mode 100644 index 0000000000000..f1c65e1d20ad3 --- /dev/null +++ b/charts/linkerd2/templates/linkerd-values.yaml @@ -0,0 +1,33 @@ +{{ if .Values.installValuesConfig -}} +{{- $dupValues := .Values -}} +{{- $dupValues := omit $dupValues "partials" -}} +{{- range $key, $value := $dupValues -}} + {{- if kindIs "map" $value -}} + {{- if hasKey $value "global" -}} + {{- $dupValues := set $dupValues $key (unset $value "global") -}} + {{- end -}} + {{- if hasKey $value "partials" -}} + {{- $dupValues := set $dupValues $key (unset $value "partials") -}} + {{- end -}} + {{- end -}} +{{- end -}} +--- +### +### linkerd values +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-values + namespace: {{.Values.global.namespace}} + labels: + {{.Values.global.controllerComponentLabel}}: controller + {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} + annotations: + {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} +data: + values: |- + tracing: + {{- toYaml $dupValues.tracing | trim | nindent 6}} +{{- end }} diff --git a/cli/Dockerfile-bin b/cli/Dockerfile-bin index c5256866f49b0..29022ecb3f638 100644 --- a/cli/Dockerfile-bin +++ b/cli/Dockerfile-bin @@ -1,5 +1,5 @@ ## compile binaries -FROM gcr.io/linkerd-io/go-deps:462bbba0 as golang +FROM gcr.io/linkerd-io/go-deps:4a14064f as golang WORKDIR /linkerd-build COPY cli cli COPY charts charts diff --git a/cli/cmd/install.go b/cli/cmd/install.go index cbe74e4d7ede3..bff86bd75f602 100644 
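Review bot: In charts/linkerd2/templates/linkerd-values.yaml, `omit $dupValues "partials"` returns only a shallow copy, so the `unset $value "global"` and `unset $value "partials"` calls in the range loop edit the same nested maps that `.Values` exposes to every template rendered after this one. The inner `{{- $dupValues := set ... -}}` lines declare a new variable scoped to the enclosing `if`, so their result is discarded and the template works purely through that in-place mutation. Since only the tracing section is emitted, it is enough to strip the keys from a copy of that one map, `{{- $tracing := omit .Values.tracing "global" "partials" -}}`, and render `{{- toYaml $tracing | trim | nindent 6}}`. The later hunk in this series that adds `(ne $key "configs")` exempts one key but leaves the other sub-maps mutated.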
--- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -4,6 +4,7 @@ import ( "errors" "fmt" "io" + "io/ioutil" "os" "strings" "time" @@ -19,6 +20,7 @@ import ( consts "github.com/linkerd/linkerd2/pkg/k8s" "github.com/linkerd/linkerd2/pkg/tls" "github.com/linkerd/linkerd2/pkg/version" + "github.com/pothulapati/mergo" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" "github.com/spf13/pflag" @@ -38,6 +40,7 @@ type ( // install. installOptions struct { clusterDomain string + config string controlPlaneVersion string controllerReplicas uint controllerLogLevel string @@ -125,6 +128,7 @@ var ( "templates/sp-validator-rbac.yaml", "templates/tap-rbac.yaml", "templates/psp.yaml", + "templates/linkerd-values.yaml", } templatesControlPlaneStage = []string{ @@ -417,6 +421,12 @@ func (options *installOptions) validateAndBuild(stage string, flags *pflag.FlagS values.Global.IdentityTrustDomain = identityValues.TrustDomain values.Stage = stage + // Update Configuration of Add-ons from config file + err = options.UpdateAddOnValuesFromConfig(values) + if err != nil { + return nil, nil, err + } + return values, configs, nil } @@ -482,6 +492,10 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet { &options.identityOptions.trustPEMFile, "identity-trust-anchors-file", options.identityOptions.trustPEMFile, "A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)", ) + flags.StringVar( + &options.config, "config", options.config, + "A path to a configuration file of add-ons", + ) flags.StringVarP(&options.controlPlaneVersion, "control-plane-version", "", options.controlPlaneVersion, "(Development) Tag to be used for the control plane component images") flags.MarkHidden("control-plane-version") flags.MarkHidden("control-plane-tracing") 
@@ -539,6 +553,28 @@ func (options *installOptions) installPersistentFlagSet() *pflag.FlagSet { return flags } +// UpdateValuesFromConfig takes a values struct and updates its add-on values from the config installOption +func (options *installOptions) UpdateAddOnValuesFromConfig(values *l5dcharts.Values) error { + + if options.config != "" { + addOnConfig, err := ioutil.ReadFile(options.config) + if err != nil { + return err + } + + var addOnValues *l5dcharts.Values + if err = yaml.Unmarshal(addOnConfig, &addOnValues); err != nil { + return err + } + + // Merge Add-On Values with Values + if err = mergeAddonValues(values, addOnValues); err != nil { + return err + } + } + + return nil +} func (options *installOptions) recordFlags(flags *pflag.FlagSet) { if flags == nil { return @@ -718,11 +754,6 @@ func toPromLogLevel(level string) string { } func render(w io.Writer, values *l5dcharts.Values) error { - // Render raw values and create chart config - rawValues, err := yaml.Marshal(values) - if err != nil { - return err - } files := []*chartutil.BufferedFile{ {Name: chartutil.ChartfileName}, @@ -744,6 +775,17 @@ func render(w io.Writer, values *l5dcharts.Values) error { } } + addons := checkAddons(values) + if len(addons) > 0 { + values.InstallValuesConfig = true + } + + // Render raw values and create chart config + rawValues, err := yaml.Marshal(values) + if err != nil { + return err + } + chart := &charts.Chart{ Name: helmDefaultChartName, Dir: helmDefaultChartDir, @@ -756,8 +798,6 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } - addons := checkAddons(values) - // Render for each add-on separately and attach // Pass only global values to add-ons for _, addon := range addons { 
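Review bot: In UpdateAddOnValuesFromConfig, `var addOnValues *l5dcharts.Values` stays nil when the `--config` file is empty or contains only `null`, and mergeAddonValues then dereferences `addonValues.Tracing`, so the CLI panics instead of reporting a bad file. Declaring it as a value, `var addOnValues l5dcharts.Values`, and passing `&addOnValues` to both Unmarshal and mergeAddonValues removes that path. The nil check on `addonValues.Tracing` that a later patch in this series adds to mergeAddonValues does not cover it. The doc comment also names the function `UpdateValuesFromConfig` rather than `UpdateAddOnValuesFromConfig`, and the returned errors would be easier to act on if they were wrapped with the file path.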
@@ -1139,3 +1179,14 @@ func checkAddons(values *l5dcharts.Values) []l5dcharts.AddOn { return addons } + +func mergeAddonValues(values, addonValues *l5dcharts.Values) error { + + if err := mergo.Merge(addonValues.Tracing, values.Tracing); err != nil { + return err + } + + values.Tracing = addonValues.Tracing + + return nil +} diff --git a/cli/cmd/testdata/install_config.golden b/cli/cmd/testdata/install_config.golden index 82a13df83f6dd..5cc09925f368c 100644 --- a/cli/cmd/testdata/install_config.golden +++ b/cli/cmd/testdata/install_config.golden @@ -836,3 +836,4 @@ subjects: - kind: ServiceAccount name: linkerd-web namespace: linkerd + diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index ea5fe15250cc8..c38db3b208f02 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -836,6 +836,7 @@ subjects: - kind: ServiceAccount name: linkerd-web namespace: linkerd + --- kind: ConfigMap apiVersion: v1 diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden index 5444014a086a8..d1a2f2b284e1f 100644 --- a/cli/cmd/testdata/install_helm_output.golden +++ b/cli/cmd/testdata/install_helm_output.golden @@ -864,6 +864,9 @@ subjects: - kind: ServiceAccount name: linkerd-web namespace: linkerd +--- +# Source: linkerd2/templates/linkerd-values.yaml + --- # Source: linkerd2/templates/config.yaml --- diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden index d472721bbf2a3..7423037425219 100644 --- a/cli/cmd/testdata/install_helm_output_ha.golden +++ b/cli/cmd/testdata/install_helm_output_ha.golden @@ -864,6 +864,9 @@ subjects: - kind: ServiceAccount name: linkerd-web namespace: linkerd +--- +# Source: linkerd2/templates/linkerd-values.yaml + --- # Source: linkerd2/templates/config.yaml --- diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index 8c24e5983575d..9b42c0b374251 100644 
--- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:462bbba0 as golang +FROM gcr.io/linkerd-io/go-deps:4a14064f as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller diff --git a/controller/Dockerfile b/controller/Dockerfile index 0c0e484389973..a0d93755f7959 100644 --- a/controller/Dockerfile +++ b/controller/Dockerfile @@ -1,5 +1,5 @@ ## compile controller service -FROM gcr.io/linkerd-io/go-deps:462bbba0 as golang +FROM gcr.io/linkerd-io/go-deps:4a14064f as golang WORKDIR /linkerd-build COPY controller/gen controller/gen COPY pkg pkg diff --git a/go.mod b/go.mod index 53228827bcc57..67e4df7c7d5c4 100644 --- a/go.mod +++ b/go.mod @@ -38,6 +38,7 @@ require ( github.com/nsf/termbox-go v0.0.0-20180613055208-5c94acc5e6eb github.com/patrickmn/go-cache v2.1.0+incompatible github.com/pkg/browser v0.0.0-20170505125900-c90ca0c84f15 + github.com/pothulapati/mergo v0.3.9-0.20200119140448-5a1b1cee7b3f github.com/prometheus/client_golang v1.2.1 github.com/prometheus/common v0.7.0 github.com/sergi/go-diff v1.0.0 diff --git a/go.sum b/go.sum index 119a7bdb49f9b..4f420297816ca 100644 --- a/go.sum +++ b/go.sum 
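Review bot: The new requirement `github.com/pothulapati/mergo` in go.mod is a fork under a contributor's personal account, pinned to an untagged pseudo-version, and nothing in the change records how it differs from upstream mergo. Every build of the CLI now depends on that account and commit staying available; go.sum pins the content but says nothing about who maintains it or why the fork is needed. A comment next to the line would help, for example `// fork of mergo: <reason>; drop once <upstream change> is released`, as would moving the fork under the project's organisation.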
@@ -267,6 +267,8 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pothulapati/mergo v0.3.9-0.20200119140448-5a1b1cee7b3f h1:A0EmZvodfElhpeY0FZwbN8tqp5Zb8UiCCJtKw+OsVFE= +github.com/pothulapati/mergo v0.3.9-0.20200119140448-5a1b1cee7b3f/go.mod h1:ZHOBBBkz9S/P9Sp2H2jkl+8upCXvQ9zENaeP/etJeGk= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.2 h1:awm861/B8OKDd2I/6o1dy3ra4BamzKhYOiGItCeZ740= diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index 08428e4d54d4f..8546aeb981ddf 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go @@ -38,6 +38,7 @@ type ( DisableHeartBeat bool `json:"disableHeartBeat"` HeartbeatSchedule string `json:"heartbeatSchedule"` InstallNamespace bool `json:"installNamespace"` + InstallValuesConfig bool `json:"installValuesConfig"` Configs ConfigJSONs `json:"configs"` Global *Global `json:"global"` Identity *Identity `json:"identity"` diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go index 163b593727e2a..693539fdca05f 100644 --- a/pkg/charts/linkerd2/values_test.go +++ b/pkg/charts/linkerd2/values_test.go 
@@ -134,6 +134,9 @@ func TestNewValues(t *testing.T) { actual.Global.ProxyInit.Image.Version = testVersion actual.DebugContainer.Image.Version = testVersion + // Make Add-On Values nil to not have to check for their defaults + actual.Tracing = nil + if !reflect.DeepEqual(expected, actual) { t.Errorf("Mismatch Helm values.\nExpected: %+v\nActual: %+v", expected, actual) } @@ -218,6 +221,9 @@ func TestNewValues(t *testing.T) { actual.Global.ProxyInit.Image.Version = testVersion actual.DebugContainer.Image.Version = testVersion + // Make Add-On Values nil to not have to check for their defaults + actual.Tracing = nil + if !reflect.DeepEqual(expected, actual) { t.Errorf("Mismatch Helm HA defaults.\nExpected: %+v\nActual: %+v", expected, actual) } diff --git a/web/Dockerfile b/web/Dockerfile index 1f6bfa1b67b93..6a55d67dd93ac 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -21,7 +21,7 @@ COPY web/app ./web/app RUN ./bin/web build ## compile go server -FROM gcr.io/linkerd-io/go-deps:462bbba0 as golang +FROM gcr.io/linkerd-io/go-deps:4a14064f as golang WORKDIR /linkerd-build RUN mkdir -p web COPY web/main.go web From 98276002f264f635cfb52ff3219856268592e49e Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 20 Jan 2020 18:40:01 +0530 Subject: [PATCH 05/46] Updates the upgrade path about add-ons. Upgrade path now checks for the linkerd-values cm, and overwrites the default values with it, if present. It then checks the config option, for any further overwrites Signed-off-by: Tarun Pothulapati --- cli/cmd/upgrade.go | 42 +++++++++++++++++++++++++++++++++++++++--- pkg/k8s/labels.go | 3 +++ 2 files changed, 42 insertions(+), 3 deletions(-) diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go index b8db1f8fdb317..e85e911fdb534 100644 --- a/cli/cmd/upgrade.go +++ b/cli/cmd/upgrade.go 
@@ -8,12 +8,11 @@ import ( "os" "strings" - "github.com/linkerd/linkerd2/pkg/config" - "github.com/linkerd/linkerd2/pkg/issuercerts" - pb "github.com/linkerd/linkerd2/controller/gen/config" charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" + "github.com/linkerd/linkerd2/pkg/config" "github.com/linkerd/linkerd2/pkg/healthcheck" + "github.com/linkerd/linkerd2/pkg/issuercerts" "github.com/linkerd/linkerd2/pkg/k8s" "github.com/linkerd/linkerd2/pkg/tls" "github.com/linkerd/linkerd2/pkg/version" @@ -23,6 +22,7 @@ import ( kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" + "sigs.k8s.io/yaml" ) const ( @@ -340,6 +340,32 @@ func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Inter values.Stage = stage + // Update Add-Ons Configuration from the linkerd-value cm + cmRawValues, _ := GetConfigMap(k, k8s.ValuesConfigMapName, controlPlaneNamespace) + + if cmRawValues != nil { + //Cm is present now get the data + cmData := cmRawValues["values"] + var cmValues charts.Values + err := yaml.Unmarshal([]byte(cmData), &cmValues) + if err != nil { + return nil, nil, err + } + + // over-write add-on values with cmValues + // Merge Add-On Values with Values + if err = mergeAddonValues(values, &cmValues); err != nil { + return nil, nil, err + } + } + + // Update add-ons Configuration from config file + // This allow users to over-write add-ons configuration during upgrades + err = options.UpdateAddOnValuesFromConfig(values) + if err != nil { + return nil, nil, err + } + return values, configs, nil } 
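Review bot: In the upgrade.go validateAndBuild hunk, `cmRawValues, _ := GetConfigMap(...)` discards the error, so a forbidden or failed API call is treated the same as the linkerd-values ConfigMap not existing, and the upgrade silently renders with default add-on values. Only NotFound should be tolerated: `cmRawValues, err := GetConfigMap(k, k8s.ValuesConfigMapName, controlPlaneNamespace)` followed by `if err != nil && !kerrors.IsNotFound(err) { return nil, nil, err }`, using the `kerrors` import this file already has. The ConfigMap's content is also merged into the values used to render the upgrade, including the `Image` fields of the tracing add-on, so write access to `linkerd-values` deserves the same protection as the install configuration itself. validateAndBuild starts outside the hunk.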
@@ -490,6 +516,16 @@ func (options *upgradeOptions) fetchIdentityValues(k kubernetes.Interface, idctx } +// GetConfigMap returns the data in a configmap +func GetConfigMap(kubeAPI kubernetes.Interface, name string, namespace string) (map[string]string, error) { + cm, err := kubeAPI.CoreV1().ConfigMaps(namespace).Get(name, metav1.GetOptions{}) + if err != nil { + return nil, err + } + + return cm.Data, nil +} + func readIssuer(trustPEM, issuerCrtPath, issuerKeyPath string) (*issuercerts.IssuerCertData, error) { key, crt, err := issuercerts.LoadIssuerCrtAndKeyFromFiles(issuerKeyPath, issuerCrtPath) if err != nil { diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go index 0fe91969015ef..4276357ac0591 100644 --- a/pkg/k8s/labels.go +++ b/pkg/k8s/labels.go @@ -215,6 +215,9 @@ const ( // ConfigConfigMapName is the name of the ConfigMap containing the linkerd controller configuration. ConfigConfigMapName = "linkerd-config" + // ConfigConfigMapName is the name of the ConfigMap containing the linkerd values configuration. + ValuesConfigMapName = "linkerd-values" + // DebugSidecarName is the name of the default linkerd debug container DebugSidecarName = "linkerd-debug" From d6eb6db58d562830a949cb5cec43c461cb9a278f Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 20 Jan 2020 18:57:22 +0530 Subject: [PATCH 06/46] Refactor linkerd-values and re-update tests also adds relevant nil checks Signed-off-by: Tarun Pothulapati --- charts/linkerd2/templates/linkerd-values.yaml | 2 +- cli/cmd/install.go | 16 +++++++++------- cli/cmd/testdata/install_config.golden | 1 - cli/cmd/testdata/install_default.golden | 1 - cli/cmd/testdata/install_helm_output.golden | 1 - cli/cmd/testdata/install_helm_output_ha.golden | 1 - 6 files changed, 10 insertions(+), 12 deletions(-) diff --git a/charts/linkerd2/templates/linkerd-values.yaml b/charts/linkerd2/templates/linkerd-values.yaml index f1c65e1d20ad3..7259c69a68e93 100644 --- a/charts/linkerd2/templates/linkerd-values.yaml 
+++ b/charts/linkerd2/templates/linkerd-values.yaml @@ -30,4 +30,4 @@ data: values: |- tracing: {{- toYaml $dupValues.tracing | trim | nindent 6}} -{{- end }} +{{ end }} \ No newline at end of file diff --git a/cli/cmd/install.go b/cli/cmd/install.go index bff86bd75f602..8ec7fa1185f3c 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -1173,8 +1173,10 @@ func toIdentityContext(idvals *identityWithAnchorsAndTrustDomain) *pb.IdentityCo func checkAddons(values *l5dcharts.Values) []l5dcharts.AddOn { var addons []l5dcharts.AddOn - if values.Tracing.Enabled { - addons = append(addons, values.Tracing) + if values.Tracing != nil { + if values.Tracing.Enabled { + addons = append(addons, values.Tracing) + } } return addons @@ -1182,11 +1184,11 @@ func checkAddons(values *l5dcharts.Values) []l5dcharts.AddOn { func mergeAddonValues(values, addonValues *l5dcharts.Values) error { - if err := mergo.Merge(addonValues.Tracing, values.Tracing); err != nil { - return err + if addonValues.Tracing != nil { + if err := mergo.Merge(addonValues.Tracing, values.Tracing); err != nil { + return err + } + values.Tracing = addonValues.Tracing } - - values.Tracing = addonValues.Tracing - return nil } diff --git a/cli/cmd/testdata/install_config.golden b/cli/cmd/testdata/install_config.golden index 5cc09925f368c..82a13df83f6dd 100644 --- a/cli/cmd/testdata/install_config.golden +++ b/cli/cmd/testdata/install_config.golden @@ -836,4 +836,3 @@ subjects: - kind: ServiceAccount name: linkerd-web namespace: linkerd - diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index c38db3b208f02..ea5fe15250cc8 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -836,7 +836,6 @@ subjects: - kind: ServiceAccount name: linkerd-web namespace: linkerd - --- kind: ConfigMap apiVersion: v1 
diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden index d1a2f2b284e1f..26449f939530f 100644 --- a/cli/cmd/testdata/install_helm_output.golden +++ b/cli/cmd/testdata/install_helm_output.golden @@ -866,7 +866,6 @@ subjects: namespace: linkerd --- # Source: linkerd2/templates/linkerd-values.yaml - --- # Source: linkerd2/templates/config.yaml --- diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden index 7423037425219..4ae6d9290afca 100644 --- a/cli/cmd/testdata/install_helm_output_ha.golden +++ b/cli/cmd/testdata/install_helm_output_ha.golden @@ -866,7 +866,6 @@ subjects: namespace: linkerd --- # Source: linkerd2/templates/linkerd-values.yaml - --- # Source: linkerd2/templates/config.yaml --- From c303d02072b1c7a691eda4e0f2c02bc6df5f3ceb Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 20 Jan 2020 20:09:33 +0530 Subject: [PATCH 07/46] Refactor code to fix linting issues Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 2 +- pkg/charts/linkerd2/add-on.go | 5 +++-- pkg/charts/linkerd2/tracing.go | 11 +++++++---- pkg/k8s/labels.go | 2 +- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 8ec7fa1185f3c..20e3532467ff8 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -809,7 +809,7 @@ func render(w io.Writer, values *l5dcharts.Values) error { subchart := &charts.Chart{ Name: addon.GetChartName(), - Dir: l5dcharts.AddonChartsPath + addon.GetChartName(), + Dir: l5dcharts.AddOnChartsPath + addon.GetChartName(), Namespace: controlPlaneNamespace, RawValues: append(rawValues, addonValues...), Files: addon.GetFiles(), diff --git a/pkg/charts/linkerd2/add-on.go b/pkg/charts/linkerd2/add-on.go index f5dc34069b75b..7cd8410730b6a 100644 --- a/pkg/charts/linkerd2/add-on.go +++ b/pkg/charts/linkerd2/add-on.go 
@@ -3,12 +3,13 @@ package linkerd2 import "k8s.io/helm/pkg/chartutil" var ( - AddonChartsPath = "linkerd2/add-ons/" + // AddOnChartsPath is where the linkerd2 add-ons will be present + AddOnChartsPath = "linkerd2/add-ons/" ) +// AddOn interface consists of the common functions required by add-ons to be implemented type AddOn interface { GetChartName() string - IsEnabled() bool GetValues() interface{} GetFiles() []*chartutil.BufferedFile } diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go index 39bf57d0d2fec..23d00dec65653 100644 --- a/pkg/charts/linkerd2/tracing.go +++ b/pkg/charts/linkerd2/tracing.go @@ -5,18 +5,22 @@ import ( ) type ( + + // Tracing consists of the add-on configuration of the distributed tracing components sub-chart. Tracing struct { Enabled bool `json:"enabled"` Collector *Collector `json:"collector"` Jaeger *Jaeger `json:"jaeger"` } + // Collector consists of the config values required for Trace collector Collector struct { Name string `json:"name"` Image string `json:"image"` Resources *Resources `json:"resources"` } + // Jaeger consists of the config values required for Jaeger Jaeger struct { Name string `json:"name"` Image string `json:"image"` @@ -35,10 +39,12 @@ var ( } ) +// GetChartName returns the name of the add-on sub-chart func (*Tracing) GetChartName() string { return tracingChartName } +// GetFiles returns the templates files that are part of the add-on sub-chart func (*Tracing) GetFiles() []*chartutil.BufferedFile { files := []*chartutil.BufferedFile{ {Name: chartutil.ChartfileName}, @@ -59,10 +65,7 @@ func (*Tracing) GetFiles() []*chartutil.BufferedFile { return files } +// GetValues returns the values struct which will be used to render the add-on sub-chart. func (t *Tracing) GetValues() interface{} { return t } - -func (t *Tracing) IsEnabled() bool { - return t.Enabled -} diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go index 4276357ac0591..cf4a2fca47b40 100644 --- a/pkg/k8s/labels.go 
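Review bot: `AddOnChartsPath` stays in a `var (...)` block although the hunk only ever gives it a string literal, which leaves an exported, mutable package-level value deciding which directory add-on chart templates are loaded from. Unless something outside this hunk reassigns it, declare it as a constant: `const AddOnChartsPath = "linkerd2/add-ons/"`. `render` in this same commit builds the chart directory as `l5dcharts.AddOnChartsPath + addon.GetChartName()`, so a constant also rules out another package changing that lookup path at run time.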
+++ b/pkg/k8s/labels.go @@ -215,7 +215,7 @@ const ( // ConfigConfigMapName is the name of the ConfigMap containing the linkerd controller configuration. ConfigConfigMapName = "linkerd-config" - // ConfigConfigMapName is the name of the ConfigMap containing the linkerd values configuration. + // ValuesConfigMapName is the name of the ConfigMap containing the linkerd values configuration. ValuesConfigMapName = "linkerd-values" // DebugSidecarName is the name of the default linkerd debug container From 1bb5fa450e5d612e5cfd9ebd93f82c5069023ba9 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 23 Jan 2020 15:25:09 +0530 Subject: [PATCH 08/46] Fixes an error with linkerd-config global values Also refactors the linkerd-values cm to work the same with helm Signed-off-by: Tarun Pothulapati --- charts/linkerd2/templates/linkerd-values.yaml | 4 ++-- cli/cmd/install.go | 15 ++++++--------- pkg/charts/linkerd2/values.go | 1 - 3 files changed, 8 insertions(+), 12 deletions(-) diff --git a/charts/linkerd2/templates/linkerd-values.yaml b/charts/linkerd2/templates/linkerd-values.yaml index 7259c69a68e93..f9d4f5ad06557 100644 --- a/charts/linkerd2/templates/linkerd-values.yaml +++ b/charts/linkerd2/templates/linkerd-values.yaml @@ -1,9 +1,9 @@ -{{ if .Values.installValuesConfig -}} +{{ if or (.Values.tracing.enabled) -}} {{- $dupValues := .Values -}} {{- $dupValues := omit $dupValues "partials" -}} {{- range $key, $value := $dupValues -}} {{- if kindIs "map" $value -}} - {{- if hasKey $value "global" -}} + {{- if and (hasKey $value "global") (ne $key "configs" ) -}} {{- $dupValues := set $dupValues $key (unset $value "global") -}} {{- end -}} {{- if hasKey $value "partials" -}} diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 20e3532467ff8..f51ee52b70a6a 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go 
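Review bot: The new guard `{{ if or (.Values.tracing.enabled) -}}` at the top of `linkerd-values.yaml` reads `.enabled` without first checking that `.Values.tracing` exists, so rendering will most likely abort with a nil-pointer template error whenever `tracing` is absent or null in the supplied values. The `or` with a single operand adds nothing and can be dropped. Wrapping the block in an outer `{{ if .Values.tracing -}}` and testing `{{ if .Values.tracing.enabled -}}` inside it keeps the chart renderable without the key, matching `checkAddons`, which already treats `Tracing` as optional. The next patch in this series adds a `Tracing` value to the `TestRender` fixture to avoid a nil pointer, presumably this one, which fixes the test input rather than the template.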
@@ -755,6 +755,12 @@ func toPromLogLevel(level string) string { func render(w io.Writer, values *l5dcharts.Values) error { + // Render raw values and create chart config + rawValues, err := yaml.Marshal(values) + if err != nil { + return err + } + files := []*chartutil.BufferedFile{ {Name: chartutil.ChartfileName}, } @@ -776,15 +782,6 @@ func render(w io.Writer, values *l5dcharts.Values) error { } addons := checkAddons(values) - if len(addons) > 0 { - values.InstallValuesConfig = true - } - - // Render raw values and create chart config - rawValues, err := yaml.Marshal(values) - if err != nil { - return err - } chart := &charts.Chart{ Name: helmDefaultChartName, diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index 8546aeb981ddf..08428e4d54d4f 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go @@ -38,7 +38,6 @@ type ( DisableHeartBeat bool `json:"disableHeartBeat"` HeartbeatSchedule string `json:"heartbeatSchedule"` InstallNamespace bool `json:"installNamespace"` - InstallValuesConfig bool `json:"installValuesConfig"` Configs ConfigJSONs `json:"configs"` Global *Global `json:"global"` Identity *Identity `json:"identity"` From b8f718227bf37c09e5ee7292acaf039dc865255a Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 23 Jan 2020 15:37:36 +0530 Subject: [PATCH 09/46] Fix a nil pointer issue for tests Signed-off-by: Tarun Pothulapati --- cli/cmd/install_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 7fecc6dd0df4c..d2c1514a9fe60 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -128,6 +128,9 @@ func TestRender(t *testing.T) { Dashboard: &charts.Dashboard{ Replicas: 1, }, + Tracing: &charts.Tracing{ + Enabled: false, + }, } haOptions, err := testInstallOptions() From df90cb3bbb39ac3d6b1a55b85f0ae16f4d7680bc Mon Sep 17 00:00:00 2001 
From: Tarun Pothulapati Date: Sun, 26 Jan 2020 14:05:56 +0530 Subject: [PATCH 10/46] Updated Tracing add-on chart meta-data Also introduced a defaultGetFiles method for add-ons Signed-off-by: Tarun Pothulapati --- charts/linkerd2/add-ons/tracing/Chart.yaml | 6 +++++- pkg/charts/linkerd2/add-on.go | 21 +++++++++++++++++++++ pkg/charts/linkerd2/tracing.go | 18 +----------------- 3 files changed, 27 insertions(+), 18 deletions(-) diff --git a/charts/linkerd2/add-ons/tracing/Chart.yaml b/charts/linkerd2/add-ons/tracing/Chart.yaml index 3ba92081bb985..4a837cf0df824 100644 --- a/charts/linkerd2/add-ons/tracing/Chart.yaml +++ b/charts/linkerd2/add-ons/tracing/Chart.yaml @@ -1,5 +1,9 @@ apiVersion: v1 appVersion: "1.0" -description: A Helm chart for Kubernetes +description: A Helm chart for the tracing add-on in Linkerd name: tracing version: 0.1.0 +maintainers: + - name: Linkerd authors + email: cncf-linkerd-dev@lists.cncf.io + url: https://linkerd.io/ \ No newline at end of file diff --git a/pkg/charts/linkerd2/add-on.go b/pkg/charts/linkerd2/add-on.go index 7cd8410730b6a..6268b75f41348 100644 --- a/pkg/charts/linkerd2/add-on.go +++ b/pkg/charts/linkerd2/add-on.go @@ -13,3 +13,24 @@ type AddOn interface { GetValues() interface{} GetFiles() []*chartutil.BufferedFile } + +// defaultGetFiles returns the templates files that are part of the add-on sub-chart +func defaultGetFiles(configStage, controlPlaneStage []string) []*chartutil.BufferedFile { + files := []*chartutil.BufferedFile{ + {Name: chartutil.ChartfileName}, + } + + for _, template := range configStage { + files = append(files, &chartutil.BufferedFile{ + Name: template, + }) + } + + for _, template := range controlPlaneStage { + files = append(files, &chartutil.BufferedFile{ + Name: template, + }) + } + + return files +} diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go index 23d00dec65653..48f9658937f2e 100644 --- a/pkg/charts/linkerd2/tracing.go +++ b/pkg/charts/linkerd2/tracing.go 
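Review bot: The two loops in the new `defaultGetFiles` are identical apart from the slice they range over, and `files` grows by repeated `append` although its final length is known from the two arguments. Sizing the slice once and walking both stage lists in one nested loop removes the duplication without changing the result or the order of the returned files.

```go
func defaultGetFiles(configStage, controlPlaneStage []string) []*chartutil.BufferedFile {
	files := make([]*chartutil.BufferedFile, 0, 1+len(configStage)+len(controlPlaneStage))
	files = append(files, &chartutil.BufferedFile{Name: chartutil.ChartfileName})

	for _, stage := range [][]string{configStage, controlPlaneStage} {
		for _, template := range stage {
			files = append(files, &chartutil.BufferedFile{Name: template})
		}
	}

	return files
}
```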
@@ -46,23 +46,7 @@ func (*Tracing) GetChartName() string { // GetFiles returns the templates files that are part of the add-on sub-chart func (*Tracing) GetFiles() []*chartutil.BufferedFile { - files := []*chartutil.BufferedFile{ - {Name: chartutil.ChartfileName}, - } - - for _, template := range tracingConfigStage { - files = append(files, &chartutil.BufferedFile{ - Name: template, - }) - } - - for _, template := range tracingControlPlaneStage { - files = append(files, &chartutil.BufferedFile{ - Name: template, - }) - } - - return files + return defaultGetFiles(tracingConfigStage, tracingControlPlaneStage) } // GetValues returns the values struct which will be used to render the add-on sub-chart. From 6f3fa943aadb63104bdbbfef0eb555039b12f1ed Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 27 Jan 2020 18:02:19 +0530 Subject: [PATCH 11/46] Add add-on/charts to gitignore Signed-off-by: Tarun Pothulapati --- .gitignore | 1 + .../add-ons/tracing/charts/partials-0.1.0.tgz | Bin 3599 -> 0 bytes 2 files changed, 1 insertion(+) delete mode 100644 charts/linkerd2/add-ons/tracing/charts/partials-0.1.0.tgz diff --git a/.gitignore b/.gitignore index 449714e411fb8..2e8e47ad84139 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ web/app/yarn-error.log **/*.gogen* **/*.swp charts/*/charts/ +charts/*/add-ons/*/charts 
diff --git a/charts/linkerd2/add-ons/tracing/charts/partials-0.1.0.tgz b/charts/linkerd2/add-ons/tracing/charts/partials-0.1.0.tgz deleted file mode 100644 index bf732cc99af12de117c14c2562acf59d56defca9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3599 zcmV+q4)F0GiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH+#a~eCc`8>ZumzJQ^upWMGl z!#?>8LK4mzXkN2ikd7d}GWSjNH=rJJv}7QMGldBwY>Ms(djR30NOq6{&!<>{{1v(2 z19QPe;{{SPKxZ`UduAbonTyVRten|d2vgb?!yYtZK+>AWq*U#iUA2BTbN&NbqW{Sv zR=T}mdtj?a^-?%?>A$|t>i<=}cGCZ&w4C)H;mL$Bq87IDU&I;gSpQn>`f_dk>-Fo) z)A}EyJv|{8CWHYhMW)*Jxm%7!poGfHr4`>bEQEaSHkl&L)FXs^0TU1c+}l79HXS%K za05!%v@>NqdE9;kCorzX3@RH~5u70iFMO;U#bclYpx`JjR*w<#wEJj3`U0eO6f*s; zj2>XoKu=G|HsjH9nR<&5_d#F{4|Q1P#T?TBGN3dt4aec0&lxb4hNZaADW5JrXlxTq zXds~Mat{+`k3nJkAsB;Tpg`J$SN_QvL}R}Jna)%L)v8tVM8Ma89L%)><`lDLJ7Wsi zvdNS}mSh-`o&1bTrG32h^i)Q`Ts`P#i~OmjTAuxPu#d-t5=B71gb&!||8K5qYxe*8 zs(O90|Ho)rFJlJ~%Yy9-{6v^k6bU_Ge=&>?!4AOmjxt*mXm5fn7Hq zsQ4G`(LD!$M@kS6eMgKiR~w(J5MIix96*jMxE~JDR|gYhhVMa9e5qMy6*Ic59pEO0 zkmVtPPfy#Z>*S7)DO@9DZT<7~--U57eW~DY5Bx8#()B;>68c? 
z;v;H{d8<2R`I`!W;+F|a<35EQ_To8}D@eZ>`WwIRzpN=b6IO&!?E8>U;oyYU%+rGj z^aWvRf=X{>`Hd{CK@0I7B4|a|839bKtX7!FMe0>Gs~d?**vo9lx2>@0Rw|rNn%&`b zl+H)rkpQ1!2TFOZI@2%I4#frd!Vq36+Tk_w|aGXy^;UDygK>+W3(;% zf6N$HCMb`#|8att@CwmeUZNIdkGp1jpg=Gz7N`_Cf)XmZMB*_8w}jp@u8by?gzr$<Be z|7zDa8~MMhQ~l>CEv-kfvgq|M#{v-Qk$$u)Ipk!^(j7K)V;4KJP^b2@TAu!=vXU$ZFuT1t z_nJ>gw!j-LRWY+RW_WdVxz8kf5zuIsZ_VPE(WUc4CY*(n%-G}r3Ti<`qxYKcK>$}W zm#PY_GU|n()-vte`)$v_Zy&oQGq1JZdU`^HIW%z7) z1|FD4#;JMn%dPs70%9j43==}N*>h;9)G0RYJu)7!B?fiVN`ZBuf{b@z##EPWYrhIw_bD+kx z=0dq`4~Cs?bJ*#1M}yC;QSLJLww_NsJVJkeIKJG}4RjqW;wVY|CF z&#Ggg%BCuO50m()tho>4iKLK{n4NvrOdE>!U&9qCOg4Ub8{t1U zG5G`?V4r-!Jy0_UqMZ0Hrrh^F4cqslR#9`-0Dj3#QN;M95DegAZy_#XCe*0s= zZeb_Ey$|i~Nb7zMCnPuml&oaWYD*Av;sACW9duR{e*m@uEES z6Idl|NmHUn8Sx6gL)bDrBW58B_YkMMUaNUG>NY>7#3`~#5}(^E^JHhGC_$&Ygi||@ zFH`iM?Yqy5I`6?u9(2-jh#vYb8u zRmffRWBgu8c6_-tW4uqc__>+lyeu&#b6_B4U+^(#2RBp7{}WX7A)s+`6%Ujkjtn1h zp$ZXX_nin4MijyH7ARf}z~Ri5Iuu{aO`EZn8QZYR@i{^e{oSZmTf;bWmj!wlv=!l5 zSmwDU0J~%-uXL})3vudVTQW48lz&cYe;q=S3Vv3Gf8Wn_qEz&jl=j-EN_OVtL3#5- zp?z}HVK%zBptxMVWTM*shKc$ECR{-Kk*H`vk;|(fO`DB8PMIHn&?U(S5#|qmK~n z9iA9#pGxcRwF6vN;pBu{s?U1jy=XDlDh_+p7@k>QcwTMc(7M9u+ueWPmRJ8tto#er zfOeh#yScbnum9X!pU(dtrRARgNreGg|C8I)H@{pU+wlY2d z>oMPmnx%(C^<>8njG0QEl_;n>hX6JaArwB_2`2Ab;dmMXz6Kyy6N&F5duncSCzI*; z?CGpQIebFTHqm+dAMR|9`2Fw2M*X*1KYjmul$KZjjn4raIVe3R&r&u+SILRr|L-y= znJx1vPC2yY>Hi#4;$rn;CSaHT*X!%Q|5vYH-JJCQ7%lJof4E7Aq=0ai{kSwQ8LZz; zFrlk687<7tR9wAVmB75=-2hFvKyRdt2B6T{K0CTIq&PY=d4sc3>L-ZK^S;B(P#I^& zcM+(tzdu<+?C(#}|MRaNa`oTrzK{0(f317an4NX&gKKe{JLUe=jahzyEQR z_8RrEQXrVr9xYsd^lb(VjRQhm9n$;QdB9VUw)GkfXG9_y_@)|x#1*xz=mMU}|Ct?TBGQ9>EQF!vA${qaLFR#F-hXNkTpdZBM|q?AyU; zptu0*HEMCs;|zUn4UkKOwCpKS74tXxPQxDmQ&h~~_`z&i(SPDwIcJp>pfPqH0^j`h ziL~C?@|$nHv&Z Date: Tue, 28 Jan 2020 22:30:36 +0530 Subject: [PATCH 12/46] refactor gitignore for chart deps Signed-off-by: Tarun Pothulapati --- .gitignore | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/.gitignore b/.gitignore index 2e8e47ad84139..285195707d859 100644 --- a/.gitignore +++ b/.gitignore @@ -12,5 +12,4 @@ web/app/yarn-error.log .gorun **/*.gogen* **/*.swp -charts/*/charts/ -charts/*/add-ons/*/charts +charts/**/add-ons/*/charts From 94f2340477b1c39b1d623a3a173b1668f630b24c Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 30 Jan 2020 00:16:34 +0530 Subject: [PATCH 13/46] Moves sub-charts to /charts directly Signed-off-by: Tarun Pothulapati --- .gitignore | 2 +- charts/{linkerd2 => }/add-ons/tracing/.helmignore | 0 charts/{linkerd2 => }/add-ons/tracing/Chart.yaml | 0 charts/add-ons/tracing/requirements.lock | 6 ++++++ charts/{linkerd2 => }/add-ons/tracing/requirements.yaml | 2 +- .../add-ons/tracing/templates/tracing-rbac.yaml | 0 .../{linkerd2 => }/add-ons/tracing/templates/tracing.yaml | 0 charts/{linkerd2 => }/add-ons/tracing/values.yaml | 0 charts/linkerd2/add-ons/tracing/requirements.lock | 6 ------ charts/linkerd2/requirements.lock | 6 +++--- charts/linkerd2/requirements.yaml | 2 +- pkg/charts/linkerd2/add-on.go | 2 +- 12 files changed, 13 insertions(+), 13 deletions(-) rename charts/{linkerd2 => }/add-ons/tracing/.helmignore (100%) rename charts/{linkerd2 => }/add-ons/tracing/Chart.yaml (100%) create mode 100644 charts/add-ons/tracing/requirements.lock rename charts/{linkerd2 => }/add-ons/tracing/requirements.yaml (56%) rename charts/{linkerd2 => }/add-ons/tracing/templates/tracing-rbac.yaml (100%) rename charts/{linkerd2 => }/add-ons/tracing/templates/tracing.yaml (100%) rename charts/{linkerd2 => }/add-ons/tracing/values.yaml (100%) delete mode 100644 charts/linkerd2/add-ons/tracing/requirements.lock diff --git a/.gitignore b/.gitignore index 285195707d859..89db1dc45f6db 100644 --- a/.gitignore +++ b/.gitignore @@ -12,4 +12,4 @@ web/app/yarn-error.log .gorun **/*.gogen* **/*.swp -charts/**/add-ons/*/charts +charts/**/charts 
diff --git a/charts/linkerd2/add-ons/tracing/.helmignore b/charts/add-ons/tracing/.helmignore similarity index 100% rename from charts/linkerd2/add-ons/tracing/.helmignore rename to charts/add-ons/tracing/.helmignore diff --git a/charts/linkerd2/add-ons/tracing/Chart.yaml b/charts/add-ons/tracing/Chart.yaml similarity index 100% rename from charts/linkerd2/add-ons/tracing/Chart.yaml rename to charts/add-ons/tracing/Chart.yaml diff --git a/charts/add-ons/tracing/requirements.lock b/charts/add-ons/tracing/requirements.lock new file mode 100644 index 0000000000000..09c1da94f4b40 --- /dev/null +++ b/charts/add-ons/tracing/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../../partials + version: 0.1.0 +digest: sha256:2202cf6f3783f79e78414e7a94b651589f322f3724ab220f0ea3bf8f31954de4 +generated: "2020-01-30T00:01:30.861787731+05:30" diff --git a/charts/linkerd2/add-ons/tracing/requirements.yaml b/charts/add-ons/tracing/requirements.yaml similarity index 56% rename from charts/linkerd2/add-ons/tracing/requirements.yaml rename to charts/add-ons/tracing/requirements.yaml index e983f821a1572..b5d3df3884f5b 100644 --- a/charts/linkerd2/add-ons/tracing/requirements.yaml +++ b/charts/add-ons/tracing/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: partials version: 0.1.0 - repository: file://../../../partials \ No newline at end of file + repository: file://../../partials diff --git a/charts/linkerd2/add-ons/tracing/templates/tracing-rbac.yaml b/charts/add-ons/tracing/templates/tracing-rbac.yaml similarity index 100% rename from charts/linkerd2/add-ons/tracing/templates/tracing-rbac.yaml rename to charts/add-ons/tracing/templates/tracing-rbac.yaml diff --git a/charts/linkerd2/add-ons/tracing/templates/tracing.yaml b/charts/add-ons/tracing/templates/tracing.yaml similarity index 100% rename from charts/linkerd2/add-ons/tracing/templates/tracing.yaml rename to charts/add-ons/tracing/templates/tracing.yaml 
diff --git a/charts/linkerd2/add-ons/tracing/values.yaml b/charts/add-ons/tracing/values.yaml similarity index 100% rename from charts/linkerd2/add-ons/tracing/values.yaml rename to charts/add-ons/tracing/values.yaml diff --git a/charts/linkerd2/add-ons/tracing/requirements.lock b/charts/linkerd2/add-ons/tracing/requirements.lock deleted file mode 100644 index e6f6b5d7db6d6..0000000000000 --- a/charts/linkerd2/add-ons/tracing/requirements.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: partials - repository: file://../../../partials - version: 0.1.0 -digest: sha256:5eedd268cf82aa72641060432d2edfd9b350a27e022d243e9b71ac34e1cd6f8d -generated: "2020-01-20T11:13:11.118660681+05:30" diff --git a/charts/linkerd2/requirements.lock b/charts/linkerd2/requirements.lock index 391469c3dd2ab..e634f9b17f7f2 100644 --- a/charts/linkerd2/requirements.lock +++ b/charts/linkerd2/requirements.lock @@ -3,7 +3,7 @@ dependencies: repository: file://../partials version: 0.1.0 - name: tracing - repository: file://add-ons/tracing + repository: file://../add-ons/tracing version: 0.1.0 -digest: sha256:01278c1b1d9f03e895f8701ec35444fadaa8c3b655f7d43c0a44ff2ca7e59cbf -generated: "2020-01-20T11:12:56.141361729+05:30" +digest: sha256:e33d9505af13cd9a047d9a2d6094af4b4d62cdc9ee64970dc3d2bba6809066d0 +generated: "2020-01-30T00:02:25.011181273+05:30" diff --git a/charts/linkerd2/requirements.yaml b/charts/linkerd2/requirements.yaml index 3636e62cf34bb..ced78a1d6676b 100644 --- a/charts/linkerd2/requirements.yaml +++ b/charts/linkerd2/requirements.yaml @@ -4,5 +4,5 @@ dependencies: repository: file://../partials - name: tracing version: 0.1.0 - repository: file://add-ons/tracing + repository: file://../add-ons/tracing condition: tracing.enabled diff --git a/pkg/charts/linkerd2/add-on.go b/pkg/charts/linkerd2/add-on.go index 6268b75f41348..668848bc0ec37 100644 --- a/pkg/charts/linkerd2/add-on.go +++ b/pkg/charts/linkerd2/add-on.go 
@@ -4,7 +4,7 @@ import "k8s.io/helm/pkg/chartutil" var ( // AddOnChartsPath is where the linkerd2 add-ons will be present - AddOnChartsPath = "linkerd2/add-ons/" + AddOnChartsPath = "add-ons/" ) // AddOn interface consists of the common functions required by add-ons to be implemented From 1347e12a09cdb85a4edcc652fd3a066244a585ad Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 30 Jan 2020 00:26:06 +0530 Subject: [PATCH 14/46] Refactor linkerd values cm Signed-off-by: Tarun Pothulapati --- charts/linkerd2/templates/linkerd-values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/linkerd2/templates/linkerd-values.yaml b/charts/linkerd2/templates/linkerd-values.yaml index f9d4f5ad06557..21eae56d93065 100644 --- a/charts/linkerd2/templates/linkerd-values.yaml +++ b/charts/linkerd2/templates/linkerd-values.yaml @@ -1,6 +1,5 @@ {{ if or (.Values.tracing.enabled) -}} {{- $dupValues := .Values -}} -{{- $dupValues := omit $dupValues "partials" -}} {{- range $key, $value := $dupValues -}} {{- if kindIs "map" $value -}} {{- if and (hasKey $value "global") (ne $key "configs" ) -}} From b0e013dd2dfbfc0d195507af37b373179e17bf7a Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 30 Jan 2020 00:29:41 +0530 Subject: [PATCH 15/46] Add comment in linkerd-values Signed-off-by: Tarun Pothulapati --- charts/linkerd2/templates/linkerd-values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/linkerd2/templates/linkerd-values.yaml b/charts/linkerd2/templates/linkerd-values.yaml index 21eae56d93065..aef7908a726a8 100644 --- a/charts/linkerd2/templates/linkerd-values.yaml +++ b/charts/linkerd2/templates/linkerd-values.yaml @@ -1,4 +1,7 @@ {{ if or (.Values.tracing.enabled) -}} +{{- /* + The Below code is used to remove globals and partials fields which are automatically added by helm. +*/ -}} {{- $dupValues := .Values -}} {{- range $key, $value := $dupValues -}} {{- if kindIs "map" $value -}} 
From 048e696437c75f71398988f068ed6d3c5cab0886 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Sat, 8 Feb 2020 15:06:36 +0530 Subject: [PATCH 16/46] remove extra controlplanetracing flag Signed-off-by: Tarun Pothulapati --- charts/linkerd2/values.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index 09bc735df405e..9c58290733074 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml @@ -10,9 +10,6 @@ global: # Control Plane Trace Configuration controlPlaneTracing: false - # Control Plane Trace Configuration - controlPlaneTracing: false - # control plane version. See Proxy section for proxy version linkerdVersion: &linkerd_version stable-2.7.0 From 42bffa9062580d2f5320b101e39cdd57d558ab6f Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 10 Feb 2020 20:37:00 +0530 Subject: [PATCH 17/46] Support Stages deployment for add-ons along with tests Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 26 +- cli/cmd/install_test.go | 10 + cli/cmd/testdata/install_helm_output.golden | 4 +- .../testdata/install_helm_output_ha.golden | 4 +- cli/cmd/testdata/install_tracing.golden | 3582 +++++++++++++++++ pkg/charts/linkerd2/add-on.go | 17 +- pkg/charts/linkerd2/tracing.go | 11 +- 7 files changed, 3629 insertions(+), 25 deletions(-) create mode 100644 cli/cmd/testdata/install_tracing.golden diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 7d3c32e18641f..752ea73494386 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -128,7 +128,6 @@ var ( "templates/sp-validator-rbac.yaml", "templates/tap-rbac.yaml", "templates/psp.yaml", - "templates/linkerd-values.yaml", } templatesControlPlaneStage = []string{ @@ -145,6 +144,7 @@ var ( "templates/proxy-injector.yaml", "templates/sp-validator.yaml", "templates/tap.yaml", + "templates/linkerd-values.yaml", } ) 
@@ -492,10 +492,7 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet { &options.identityOptions.trustPEMFile, "identity-trust-anchors-file", options.identityOptions.trustPEMFile, "A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)", ) - flags.StringVar( - &options.config, "config", options.config, - "A path to a configuration file of add-ons", - ) + flags.StringVarP(&options.controlPlaneVersion, "control-plane-version", "", options.controlPlaneVersion, "(Development) Tag to be used for the control plane component images") flags.MarkHidden("control-plane-version") flags.MarkHidden("control-plane-tracing") @@ -517,6 +514,11 @@ func (options *installOptions) allStageFlagSet() *pflag.FlagSet { &options.restrictDashboardPrivileges, "restrict-dashboard-privileges", options.restrictDashboardPrivileges, "Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check", ) + + flags.StringVar( + &options.config, "config", options.config, + "A path to a configuration file of add-ons", + ) return flags } @@ -804,12 +806,24 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } + files := []*chartutil.BufferedFile{ + {Name: chartutil.ChartfileName}, + } + + if values.Stage == "" || values.Stage == configStage { + files = append(files, addon.GetConfigFiles()...) + } + + if values.Stage == "" || values.Stage == controlPlaneStage { + files = append(files, addon.GetControlPlaneFiles()...) + } + subchart := &charts.Chart{ Name: addon.GetChartName(), Dir: l5dcharts.AddOnChartsPath + addon.GetChartName(), Namespace: controlPlaneNamespace, RawValues: append(rawValues, addonValues...), - Files: addon.GetFiles(), + Files: files, } addonBuf, err := subchart.Render() if err != nil { diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index cbd7b0e667b6e..3d0a8bdd3249b 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go 
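Review bot: The `files := []*chartutil.BufferedFile{...}` added in the add-on part of `render` appears to shadow the `files` slice that `render` declares near its top (visible as context in an earlier patch of this series), so two different file lists share one name inside the same function. A distinct name such as `addonFiles := []*chartutil.BufferedFile{{Name: chartutil.ChartfileName}}`, used in the two `append` calls and in `Files: addonFiles,`, makes it obvious which list goes to the sub-chart. The stage test `values.Stage == "" || values.Stage == configStage` and its control-plane twin could also get a one-line comment saying that an empty stage means both stages are rendered. `render` and the enclosing loop start and end outside this hunk.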
@@ -216,6 +216,15 @@ func TestRender(t *testing.T) { withCustomRegistryValues, _, _ := withCustomRegistryOptions.validateAndBuild("", nil) addFakeTLSSecrets(withCustomRegistryValues) + withTracingAddon, err := testInstallOptions() + if err != nil { + t.Fatalf("Unexpected error: %v\n", err) + } + + withTracingAddonValues, _, _ := withTracingAddon.validateAndBuild("", nil) + withTracingAddonValues.Tracing.Enabled = true + addFakeTLSSecrets(withTracingAddonValues) + testCases := []struct { values *charts.Values goldenFileName string @@ -232,6 +241,7 @@ func TestRender(t *testing.T) { {withRestrictedDashboardPriviligesValues, "install_restricted_dashboard.golden"}, {withControlPlaneTracingValues, "install_controlplane_tracing_output.golden"}, {withCustomRegistryValues, "install_custom_registry.golden"}, + {withTracingAddonValues, "install_tracing.golden"}, } for i, tc := range testCases { diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden index e62237baa17b7..58cdfc3c146be 100644 --- a/cli/cmd/testdata/install_helm_output.golden +++ b/cli/cmd/testdata/install_helm_output.golden @@ -865,8 +865,6 @@ subjects: name: linkerd-web namespace: linkerd --- -# Source: linkerd2/templates/linkerd-values.yaml ---- # Source: linkerd2/templates/config.yaml --- kind: ConfigMap @@ -3103,3 +3101,5 @@ spec: - name: tls secret: secretName: linkerd-tap-tls +--- +# Source: linkerd2/templates/linkerd-values.yaml diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden index 4fc08654fa36e..1075da016fc28 100644 --- a/cli/cmd/testdata/install_helm_output_ha.golden +++ b/cli/cmd/testdata/install_helm_output_ha.golden @@ -865,8 +865,6 @@ subjects: name: linkerd-web namespace: linkerd --- -# Source: linkerd2/templates/linkerd-values.yaml ---- # Source: linkerd2/templates/config.yaml --- kind: ConfigMap 
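Review bot: The error from `withTracingAddon.validateAndBuild("", nil)` is discarded and the next added line immediately dereferences `withTracingAddonValues.Tracing`, so a failed build or a nil `Tracing` surfaces as a panic instead of a test failure. Keep the error and fail fast: `withTracingAddonValues, _, err := withTracingAddon.validateAndBuild("", nil)` followed by `if err != nil { t.Fatalf("Unexpected error: %v\n", err) }`. The context line for `withCustomRegistryValues` drops the error the same way. `TestRender` starts and ends outside this hunk.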
@@ -3347,3 +3345,5 @@ spec: - name: tls secret: secretName: linkerd-tap-tls +--- +# Source: linkerd2/templates/linkerd-values.yaml diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden new file mode 100644 index 0000000000000..19951144a447e --- /dev/null +++ b/cli/cmd/testdata/install_tracing.golden 
@@ -0,0 +1,3582 @@ +--- +### +### Linkerd Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: linkerd + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" + config.linkerd.io/admission-webhooks: disabled +--- +### +### Identity Controller Service RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +--- +### +### Controller RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] 
+- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-controller +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-controller + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +--- +### +### Destination Controller Service +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-destination +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + 
name: linkerd-destination + namespace: linkerd + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +--- +### +### Heartbeat RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd +--- +### +### Web RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +- apiGroups: [""] + resources: ["namespaces", "configmaps"] + verbs: ["get"] +- apiGroups: [""] + resources: ["serviceaccounts", "pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-web + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + name: linkerd-linkerd-web-check + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles", "clusterrolebindings"] + verbs: ["list"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-web-check + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: ClusterRole + name: linkerd-linkerd-web-check + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +--- +### +### Service Profile CRD +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + - 
name: v1alpha2 + served: true + storage: true + scope: Namespaced + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp +--- +### +### TrafficSplit CRD +### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trafficsplits.split.smi-spec.io + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: split.smi-spec.io + version: v1alpha1 + scope: Namespaced + names: + kind: TrafficSplit + shortNames: + - ts + plural: trafficsplits + singular: trafficsplit + additionalPrinterColumns: + - name: Service + type: string + description: The apex service of this split. + JSONPath: .spec.service +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + 
linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd +--- +### +### Proxy Injector RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["namespaces", "replicationcontrollers"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +type: Opaque +data: + crt.pem: cHJveHkgaW5qZWN0b3IgY3J0 + key.pem: cHJveHkgaW5qZWN0b3Iga2V5 +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config 
+ labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + clientConfig: + service: + name: linkerd-proxy-injector + namespace: linkerd + path: "/" + caBundle: cHJveHkgaW5qZWN0b3IgY3J0 + failurePolicy: Ignore + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None +--- +### +### Service Profile Validator RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-sp-validator + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +type: Opaque +data: + crt.pem: cHJveHkgaW5qZWN0b3IgY3J0 + key.pem: cHJveHkgaW5qZWN0b3Iga2V5 +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: 
linkerd-sp-validator-webhook-config + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-sp-validator.linkerd.io + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + clientConfig: + service: + name: linkerd-sp-validator + namespace: linkerd + path: "/" + caBundle: cHJveHkgaW5qZWN0b3IgY3J0 + failurePolicy: Ignore + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +### +### Tap RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*"] + verbs: ["watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + 
name: linkerd-linkerd-tap-auth-delegator + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-linkerd-tap-auth-reader + namespace: kube-system + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-tap-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +type: Opaque +data: + crt.pem: dGFwIGNydA== + key.pem: dGFwIGtleQ== +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.tap.linkerd.io + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: linkerd + caBundle: dGFwIGNydA== +--- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane + labels: + linkerd.io/control-plane-ns: linkerd +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + - NET_RAW + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + 
hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-destination + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + global: | + 
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s","scheme":"linkerd.io/tls"},"autoInjectContext":null,"omitWebhookSideEffects":false,"clusterDomain":"cluster.local"} + proxy: | + {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.3.1","debugImage":{"imageName":"gcr.io/linkerd-io/debug","pullPolicy":"IfNotPresent"},"debugImageVersion":"install-debug-version"} + install: | + {"cliVersion":"dev-undefined","flags":[]} +--- +### +### Identity Controller Service +### +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-issuer-expiry: 
2029-02-28T02:03:52Z +data: + crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ== +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: identity + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + name: linkerd-identity + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: identity + 
linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: localhost.:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + 
initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Controller +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-controller-api + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: controller + ports: + - name: http + port: 8085 + targetPort: 8085 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: controller + 
app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + name: linkerd-controller + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - public-api + - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: public-api + ports: + - containerPort: 8085 + name: http + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: 
svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: 
gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-controller + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Destination Controller Service +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst + namespace: linkerd + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: 
linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: destination + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + name: linkerd-destination + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-destination + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-destination + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - destination + - -addr=:8086 + - -controller-namespace=linkerd + - -enable-h2-upgrade=true + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: localhost.:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: 
gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-destination + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Heartbeat +### +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + app.kubernetes.io/name: heartbeat + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + schedule: "1 2 3 4 5" + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + 
labels: + linkerd.io/control-plane-component: heartbeat + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + spec: + nodeSelector: + beta.kubernetes.io/os: linux + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + args: + - "heartbeat" + - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-controller-namespace=linkerd" + - "-log-level=info" + securityContext: + runAsUser: 2103 +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: web + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + name: linkerd-web + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - 
-api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 + - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 + - -controller-namespace=linkerd + - -log-level=info + - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ + image: gcr.io/linkerd-io/web:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-web + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + prometheus.yml: |- + global: + scrape_interval: 10s + scrape_timeout: 10s + evaluation_interval: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + 
relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + # Required for: https://grafana.com/grafana/dashboards/315 + - job_name: 'kubernetes-nodes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + metric_relabel_configs: + - source_labels: [__name__] + regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' + action: keep + - source_labels: [__name__] + regex: 'container_memory_failures_total' # unneeded large metric + action: drop + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;linkerd$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # 
__meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + # Copy all pod labels to tmp labels + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + # Take `linkerd_io_` prefixed labels and copy them without the prefix + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + # Drop the `linkerd_io_` originals + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + # Copy tmp labels into real labels + - action: labelmap + regex: __tmp_pod_label_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: prometheus + 
linkerd.io/control-plane-ns: linkerd + name: linkerd-prometheus + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + - --config.file=/etc/prometheus/prometheus.yml + - --log.level=info + image: prom/prometheus:v2.15.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + runAsUser: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus + name: prometheus-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY + value: "10000" + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: 
gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-prometheus + volumes: + - emptyDir: {} + name: data + - configMap: + name: linkerd-prometheus-config + name: prometheus-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + grafana.ini: |- + instance_name = linkerd-grafana + + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + + [auth] + disable_login_form = true + + [auth.anonymous] + enabled = true + 
org_role = Editor + + [auth.basic] + enabled = false + + [analytics] + check_for_updates = false + + [panels] + disable_sanitize_html = true + + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + name: linkerd-grafana + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - 
env: + - name: GF_PATHS_DATA + value: /data + image: gcr.io/linkerd-io/grafana:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: proxy-injector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + name: 
linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - proxy-injector + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - name: tls + secret: + secretName: linkerd-proxy-injector-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### +### Service Profile Validator +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + 
labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: sp-validator + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: sp-validator + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + name: linkerd-sp-validator + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: sp-validator + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-sp-validator + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - sp-validator + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + 
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: 
LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-sp-validator + volumes: + - name: tls + secret: + secretName: linkerd-sp-validator-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli 
dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 + - name: apiserver + port: 443 + targetPort: apiserver +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: tap + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + name: linkerd-tap + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - tap + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 8089 + name: apiserver + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 
0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - 
name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-tap + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: tls + secret: + secretName: linkerd-tap-tls +--- +### +### linkerd values +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-values + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd 
+ annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + values: |- + tracing: + collector: + image: omnition/opencensus-collector:0.1.10 + name: linkerd-collector + resources: + cpu: + limit: "1" + request: 200m + memory: + limit: 2Gi + request: 400Mi + enabled: true + jaeger: + image: jaegertracing/all-in-one:1.8 + name: linkerd-jaeger + resources: null +--- +### +### linkerd-collector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-collector + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd +--- +### +### linkerd-jaeger RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-jaeger + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd +--- +### +### Tracing Collector Service +### +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: linkerd-collector-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + linkerd-collector-config: | + receivers: + opencensus: + port: 55678 + zipkin: + port: 9411 + queued-exporters: + jaeger-all-in-one: + num-workers: 4 + queue-size: 100 + retry-on-failure: true + sender-type: jaeger-thrift-http + jaeger-thrift-http: + collector-endpoint: http://linkerd-jaeger.linkerd:14268/api/traces + timeout: 5s +--- +apiVersion: v1 +kind: Service +metadata: + name: linkerd-collector + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + ports: + - name: opencensus + port: 55678 + protocol: TCP + targetPort: 55678 + - name: zipkin + port: 9411 + protocol: TCP + targetPort: 9411 + selector: + 
linkerd.io/control-plane-component: linkerd-collector +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: linkerd-collector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + name: linkerd-collector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-collector + minReadySeconds: 5 + progressDeadlineSeconds: 120 + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + prometheus.io/path: /metrics + prometheus.io/port: "8888" + prometheus.io/scrape: "true" + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-collector + spec: + containers: + - command: + - /occollector_linux + - --config=/conf/linkerd-collector-config.yaml + env: + - name: GOGC + value: "80" + image: omnition/opencensus-collector:0.1.10 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 13133 + name: oc-collector + ports: + - containerPort: 55678 + - containerPort: 9411 + readinessProbe: + httpGet: + path: / + port: 13133 + resources: + limits: + cpu: "1" + memory: "2Gi" + requests: + cpu: "200m" + memory: "400Mi" + volumeMounts: + - mountPath: /conf + name: linkerd-collector-config-val + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 
+ - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: 
linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-collector + volumes: + - configMap: + items: + - key: linkerd-collector-config + path: linkerd-collector-config.yaml + name: linkerd-collector-config + name: linkerd-collector-config-val + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Tracing Jaeger Service +### +--- +apiVersion: v1 +kind: Service +metadata: + name: linkerd-jaeger + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-jaeger + 
linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: linkerd-jaeger + ports: + - name: collection + port: 14268 + - name: ui + port: 16686 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: linkerd-jaeger + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd + name: linkerd-jaeger + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-jaeger + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + prometheus.io/path: /metrics + prometheus.io/port: "8888" + prometheus.io/scrape: "true" + labels: + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-jaeger + spec: + containers: + - image: jaegertracing/all-in-one:1.8 + imagePullPolicy: IfNotPresent + name: jaeger + ports: + - containerPort: 14268 + name: collection + - containerPort: 16686 + name: ui + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: 
gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + serviceAccountName: linkerd-jaeger + volumes: + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity diff --git a/pkg/charts/linkerd2/add-on.go b/pkg/charts/linkerd2/add-on.go index 668848bc0ec37..c26fd6ed66556 100644 --- a/pkg/charts/linkerd2/add-on.go +++ b/pkg/charts/linkerd2/add-on.go 
@@ -11,22 +11,15 @@ var ( type AddOn interface { GetChartName() string GetValues() interface{} - GetFiles() []*chartutil.BufferedFile + GetConfigFiles() []*chartutil.BufferedFile + GetControlPlaneFiles() []*chartutil.BufferedFile } // defaultGetFiles returns the templates files that are part of the add-on sub-chart -func defaultGetFiles(configStage, controlPlaneStage []string) []*chartutil.BufferedFile { - files := []*chartutil.BufferedFile{ - {Name: chartutil.ChartfileName}, - } - - for _, template := range configStage { - files = append(files, &chartutil.BufferedFile{ - Name: template, - }) - } +func defaultGetFiles(stageFiles []string) []*chartutil.BufferedFile { + var files []*chartutil.BufferedFile - for _, template := range controlPlaneStage { + for _, template := range stageFiles { files = append(files, &chartutil.BufferedFile{ Name: template, }) diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go index 48f9658937f2e..0b8607ca1654a 100644 --- a/pkg/charts/linkerd2/tracing.go +++ b/pkg/charts/linkerd2/tracing.go @@ -44,9 +44,14 @@ func (*Tracing) GetChartName() string { return tracingChartName } -// GetFiles returns the templates files that are part of the add-on sub-chart -func (*Tracing) GetFiles() []*chartutil.BufferedFile { - return defaultGetFiles(tracingConfigStage, tracingControlPlaneStage) +// GetConfigFiles returns the config state templates files that are part of the add-on sub-chart +func (*Tracing) GetConfigFiles() []*chartutil.BufferedFile { + return defaultGetFiles(tracingConfigStage) +} + +// GetControlPLaneFiles returns the control-plane stage templates files that are part of the add-on sub-chart +func (*Tracing) GetControlPlaneFiles() []*chartutil.BufferedFile { + return defaultGetFiles(tracingControlPlaneStage) } // GetValues returns the values struct which will be used to render the add-on sub-chart. From d8bb871d4df0af08792fec375b35523be9d0b32b Mon Sep 17 00:00:00 2001 
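Review bot: The comment kept above `defaultGetFiles` no longer matches what the helper does. After this hunk it takes a single stage list and stops prepending `chartutil.ChartfileName`, so the caller presumably has to add Chart.yaml itself. I would reword it to `// defaultGetFiles wraps the given stage's template names as BufferedFiles; it does not add Chart.yaml.` and give `GetConfigFiles` and `GetControlPlaneFiles` in the `AddOn` interface a one-line comment each naming the install stage they serve. The end of `defaultGetFiles` lies outside the hunk.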
From: Tarun Pothulapati Date: Mon, 10 Feb 2020 20:48:56 +0530 Subject: [PATCH 18/46] linting fix Signed-off-by: Tarun Pothulapati --- pkg/charts/linkerd2/tracing.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go index 0b8607ca1654a..c6532919ec006 100644 --- a/pkg/charts/linkerd2/tracing.go +++ b/pkg/charts/linkerd2/tracing.go @@ -49,7 +49,7 @@ func (*Tracing) GetConfigFiles() []*chartutil.BufferedFile { return defaultGetFiles(tracingConfigStage) } -// GetControlPLaneFiles returns the control-plane stage templates files that are part of the add-on sub-chart +// GetControlPlaneFiles returns the control-plane stage templates files that are part of the add-on sub-chart func (*Tracing) GetControlPlaneFiles() []*chartutil.BufferedFile { return defaultGetFiles(tracingControlPlaneStage) } From 72d1c0de09602891b36582941a875e9b994dc75a Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Wed, 12 Feb 2020 08:21:56 +0530 Subject: [PATCH 19/46] update tracing rbac Signed-off-by: Tarun Pothulapati --- charts/add-ons/tracing/templates/tracing-rbac.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/add-ons/tracing/templates/tracing-rbac.yaml b/charts/add-ons/tracing/templates/tracing-rbac.yaml index d4d44e1272bd5..482d8f5e03523 100644 --- a/charts/add-ons/tracing/templates/tracing-rbac.yaml +++ b/charts/add-ons/tracing/templates/tracing-rbac.yaml @@ -6,8 +6,8 @@ kind: ServiceAccount apiVersion: v1 metadata: - name: linkerd-collector - namespace: linkerd + name: {{.Values.collector.name}} + namespace: {{.Values.global.namespace}} labels: {{.Values.global.controllerComponentLabel}}: {{.Values.collector.name}} {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} 
@@ -19,8 +19,8 @@ metadata: kind: ServiceAccount apiVersion: v1 metadata: - name: linkerd-jaeger - namespace: linkerd + name: {{.Values.jaeger.name}} + namespace: {{.Values.global.namespace}} labels: {{.Values.global.controllerComponentLabel}}: {{.Values.jaeger.name}} {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} From 544660e20422eab16fac73a88f028762e80d1306 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Wed, 19 Feb 2020 11:17:23 +0530 Subject: [PATCH 20/46] Removes the need for add-on Interface - Uses helm loading capabiltiies to get info about add-ons - Uses reflection to not have to unnecessarily add checks for each add-on type Signed-off-by: Tarun Pothulapati --- charts/linkerd2/values.yaml | 4 +- cli/cmd/install.go | 79 ++++++++++++++++++---------------- pkg/charts/linkerd2/add-on.go | 23 ---------- pkg/charts/linkerd2/tracing.go | 35 --------------- 4 files changed, 44 insertions(+), 97 deletions(-) diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index 9c58290733074..19c516ab3b61c 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml @@ -6,7 +6,7 @@ global: clusterDomain: &cluster_domain cluster.local imagePullPolicy: &image_pull_policy IfNotPresent - + # Control Plane Trace Configuration controlPlaneTracing: false @@ -170,7 +170,7 @@ nodeSelector: # Configuration for Add-ons tracing: - enabled: false + enabled: true collector: name: linkerd-collector image: omnition/opencensus-collector:0.1.10 diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 752ea73494386..15c9d706b64c0 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -6,6 +6,7 @@ import ( "io" "io/ioutil" "os" + "reflect" "strings" "time" @@ -783,8 +784,6 @@ func render(w io.Writer, values *l5dcharts.Values) error { } } - addons := checkAddons(values) - chart := &charts.Chart{ Name: helmDefaultChartName, Dir: helmDefaultChartDir, 
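Review bot: `enabled: true` under `tracing:` switches the add-on on for every default install, which the commit description (removing the add-on interface) does not mention, so it reads like a leftover from local testing. With this default a plain install also deploys the collector image in the context line, `omnition/opencensus-collector:0.1.10`, a third-party image referenced by tag rather than by digest. I would keep `enabled: false` here so that tracing stays opt-in. If default-on is intended, it deserves its own commit and a line in the description.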
@@ -797,42 +796,44 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } + linkerd2Chart, err := chartutil.Load("charts/" + helmDefaultChartDir) + if err != nil { + return err + } + // Render for each add-on separately and attach - // Pass only global values to add-ons - for _, addon := range addons { + for _, dep := range linkerd2Chart.Dependencies { + if dep.GetMetadata().Name != "partials" { - addonValues, err := yaml.Marshal(addon.GetValues()) - if err != nil { - return err - } + addonValues, enabled := checkAddon(values, dep.GetMetadata().Name) - files := []*chartutil.BufferedFile{ - {Name: chartutil.ChartfileName}, - } + if enabled { + files := []*chartutil.BufferedFile{ + {Name: chartutil.ChartfileName}, + } - if values.Stage == "" || values.Stage == configStage { - files = append(files, addon.GetConfigFiles()...) - } + // Get files from dep + for _, file := range dep.GetTemplates() { + files = append(files, &chartutil.BufferedFile{Name: file.GetName()}) + } - if values.Stage == "" || values.Stage == controlPlaneStage { - files = append(files, addon.GetControlPlaneFiles()...) - } + subchart := &charts.Chart{ + Name: dep.GetMetadata().Name, + Dir: l5dcharts.AddOnChartsPath + dep.GetMetadata().Name, + Namespace: controlPlaneNamespace, + RawValues: append(rawValues, addonValues...), + Files: files, + } + addonBuf, err := subchart.Render() + if err != nil { + return err + } - subchart := &charts.Chart{ - Name: addon.GetChartName(), - Dir: l5dcharts.AddOnChartsPath + addon.GetChartName(), - Namespace: controlPlaneNamespace, - RawValues: append(rawValues, addonValues...), - Files: files, - } - addonBuf, err := subchart.Render() - if err != nil { - return err - } + buf.Write(addonBuf.Bytes()) + } - buf.Write(addonBuf.Bytes()) + } } - _, err = w.Write(buf.Bytes()) return err } 
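Review bot: `chartutil.Load("charts/" + helmDefaultChartDir)` resolves against the process's working directory, so which add-ons and template names reach the rendered manifest depends on where the CLI is run. Outside a source checkout the call will presumably fail, and in a directory that happens to contain its own `charts/` tree it reads that tree's dependency list instead. The main chart goes through `charts.Chart`, so the dependency list should come from the same source (how `charts.Chart` loads its files is not visible here). Separately, the new loop appends every entry of `dep.GetTemplates()` and no longer consults `values.Stage`, so a staged install would emit the add-on's config-stage and control-plane-stage resources in both stages. `render` begins above this hunk.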
@@ -1182,16 +1183,20 @@ func toIdentityContext(idvals *identityWithAnchorsAndTrustDomain) *pb.IdentityCo Scheme: idvals.Identity.Issuer.Scheme, } } -func checkAddons(values *l5dcharts.Values) []l5dcharts.AddOn { - var addons []l5dcharts.AddOn +func checkAddon(values *l5dcharts.Values, name string) (addonvalues []byte, enabled bool) { - if values.Tracing != nil { - if values.Tracing.Enabled { - addons = append(addons, values.Tracing) + r := reflect.ValueOf(values) + + if !reflect.Indirect(r).FieldByName(strings.Title(name)).IsNil() { + if reflect.Indirect(reflect.Indirect(r).FieldByName(strings.Title(name))).FieldByName("Enabled").Bool() { + values, err := yaml.Marshal(values.Tracing) + if err != nil { + return nil, false + } + return values, true } } - - return addons + return nil, false } func mergeAddonValues(values, addonValues *l5dcharts.Values) error { diff --git a/pkg/charts/linkerd2/add-on.go b/pkg/charts/linkerd2/add-on.go index c26fd6ed66556..729717bba61e3 100644 --- a/pkg/charts/linkerd2/add-on.go +++ b/pkg/charts/linkerd2/add-on.go @@ -1,29 +1,6 @@ package linkerd2 -import "k8s.io/helm/pkg/chartutil" - var ( // AddOnChartsPath is where the linkerd2 add-ons will be present AddOnChartsPath = "add-ons/" ) - -// AddOn interface consists of the common functions required by add-ons to be implemented -type AddOn interface { - GetChartName() string - GetValues() interface{} - GetConfigFiles() []*chartutil.BufferedFile - GetControlPlaneFiles() []*chartutil.BufferedFile -} - -// defaultGetFiles returns the templates files that are part of the add-on sub-chart -func defaultGetFiles(stageFiles []string) []*chartutil.BufferedFile { - var files []*chartutil.BufferedFile - - for _, template := range stageFiles { - files = append(files, &chartutil.BufferedFile{ - Name: template, - }) - } - - return files -} diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go index c6532919ec006..d91b23a563f21 100644 --- a/pkg/charts/linkerd2/tracing.go 
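Review bot: `checkAddon` looks the add-on up by `name` through reflection but then marshals `values.Tracing` unconditionally, so any add-on other than tracing would be rendered with the tracing values. Marshal the field that was looked up instead, e.g. `yaml.Marshal(reflect.Indirect(r).FieldByName(strings.Title(name)).Interface())`. The local `values, err := …` shadows the parameter, and a marshal failure is reported as `nil, false`, which makes an enabled add-on vanish from the output without any error. `FieldByName` returns the zero `reflect.Value` for a name with no matching field and `IsNil` panics on it, so an `IsValid()` check before `IsNil()` is worth adding.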
+++ b/pkg/charts/linkerd2/tracing.go @@ -1,9 +1,5 @@ package linkerd2 -import ( - "k8s.io/helm/pkg/chartutil" -) - type ( // Tracing consists of the add-on configuration of the distributed tracing components sub-chart. @@ -27,34 +23,3 @@ type ( Resources *Resources `json:"resources"` } ) - -var ( - tracingChartName = "tracing" - tracingConfigStage = []string{ - "templates/tracing-rbac.yaml", - } - - tracingControlPlaneStage = []string{ - "templates/tracing.yaml", - } -) - -// GetChartName returns the name of the add-on sub-chart -func (*Tracing) GetChartName() string { - return tracingChartName -} - -// GetConfigFiles returns the config state templates files that are part of the add-on sub-chart -func (*Tracing) GetConfigFiles() []*chartutil.BufferedFile { - return defaultGetFiles(tracingConfigStage) -} - -// GetControlPlaneFiles returns the control-plane stage templates files that are part of the add-on sub-chart -func (*Tracing) GetControlPlaneFiles() []*chartutil.BufferedFile { - return defaultGetFiles(tracingControlPlaneStage) -} - -// GetValues returns the values struct which will be used to render the add-on sub-chart. -func (t *Tracing) GetValues() interface{} { - return t -} From 86e17bf2e3adb0534f03d0c1e65fbbdf54c92c38 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Wed, 19 Feb 2020 11:19:26 +0530 Subject: [PATCH 21/46] disable tracing flag Signed-off-by: Tarun Pothulapati --- charts/linkerd2/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index 19c516ab3b61c..de9321aedc191 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml @@ -170,7 +170,7 @@ nodeSelector: # Configuration for Add-ons tracing: - enabled: true + enabled: false collector: name: linkerd-collector image: omnition/opencensus-collector:0.1.10 From 0e316bb00fd6a9b5ca9ca42dfa63c1b14bae553e Mon Sep 17 00:00:00 2001 
From: Tarun Pothulapati Date: Wed, 19 Feb 2020 20:10:45 +0530 Subject: [PATCH 22/46] Remove dep on forked mergo - Re-use merge from helm Signed-off-by: Tarun Pothulapati --- Dockerfile-proxy | 2 +- cli/Dockerfile-bin | 2 +- cli/cmd/install.go | 67 ++++++++++++++++++++++++++++++++----------- cli/cmd/upgrade.go | 9 ++++-- cni-plugin/Dockerfile | 2 +- controller/Dockerfile | 2 +- go.mod | 1 - go.sum | 2 -- web/Dockerfile | 2 +- 9 files changed, 61 insertions(+), 28 deletions(-) diff --git a/Dockerfile-proxy b/Dockerfile-proxy index 9eb05f96ce751..7d0da11f424e9 100644 --- a/Dockerfile-proxy +++ b/Dockerfile-proxy @@ -9,7 +9,7 @@ RUN (proxy=$(bin/fetch-proxy $(cat proxy-version)) && \ mv "$proxy" linkerd2-proxy) ## compile proxy-identity agent -FROM gcr.io/linkerd-io/go-deps:395b5137 as golang +FROM gcr.io/linkerd-io/go-deps:93ea34a8 as golang WORKDIR /linkerd-build COPY pkg/flags pkg/flags COPY pkg/tls pkg/tls diff --git a/cli/Dockerfile-bin b/cli/Dockerfile-bin index c9961574365ea..c465d05dff1d9 100644 --- a/cli/Dockerfile-bin +++ b/cli/Dockerfile-bin @@ -1,5 +1,5 @@ ## compile binaries -FROM gcr.io/linkerd-io/go-deps:395b5137 as golang +FROM gcr.io/linkerd-io/go-deps:93ea34a8 as golang WORKDIR /linkerd-build COPY cli cli COPY charts charts diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 15c9d706b64c0..55a12d715cbd5 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -21,7 +21,6 @@ import ( consts "github.com/linkerd/linkerd2/pkg/k8s" "github.com/linkerd/linkerd2/pkg/tls" "github.com/linkerd/linkerd2/pkg/version" - "github.com/pothulapati/mergo" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" "github.com/spf13/pflag" 
@@ -560,24 +559,69 @@ func (options *installOptions) installPersistentFlagSet() *pflag.FlagSet { func (options *installOptions) UpdateAddOnValuesFromConfig(values *l5dcharts.Values) error { if options.config != "" { - addOnConfig, err := ioutil.ReadFile(options.config) + addOnValues, err := ioutil.ReadFile(options.config) if err != nil { return err } - var addOnValues *l5dcharts.Values - if err = yaml.Unmarshal(addOnConfig, &addOnValues); err != nil { + rawValues, err := yaml.Marshal(values) + if err != nil { return err } - // Merge Add-On Values with Values - if err = mergeAddonValues(values, addOnValues); err != nil { + finalValues, err := mergeRaw(rawValues, addOnValues) + if err != nil { return err } + + if err = yaml.Unmarshal(finalValues, values); err != nil { + return nil + } + } return nil } + +func mergeRaw(a, b []byte) ([]byte, error) { + aMap := make(map[string]interface{}) + bMap := make(map[string]interface{}) + + err := yaml.Unmarshal(a, &aMap) + if err != nil { + return nil, err + } + + err = yaml.Unmarshal(b, &bMap) + if err != nil { + return nil, err + } + + resultMap := mergeMaps(aMap, bMap) + + return yaml.Marshal(resultMap) + +} + +func mergeMaps(a, b map[string]interface{}) map[string]interface{} { + out := make(map[string]interface{}, len(a)) + for k, v := range a { + out[k] = v + } + for k, v := range b { + if v, ok := v.(map[string]interface{}); ok { + if bv, ok := out[k]; ok { + if bv, ok := bv.(map[string]interface{}); ok { + out[k] = mergeMaps(bv, v) + continue + } + } + } + out[k] = v + } + return out +} + func (options *installOptions) recordFlags(flags *pflag.FlagSet) { if flags == nil { return 
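Review bot: The last error path in `UpdateAddOnValuesFromConfig` returns `nil` instead of the error: `if err = yaml.Unmarshal(finalValues, values); err != nil { return nil }` should end in `return err`. As written, a merged document that does not decode into `l5dcharts.Values` is dropped silently and the install continues with whatever state `values` was left in, which hides a malformed add-on config from the operator. `mergeRaw` and `mergeMaps` also have no doc comments; one line on each stating that keys from `b` win and nested maps are merged recursively would make the precedence explicit.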
@@ -1198,14 +1242,3 @@ func checkAddon(values *l5dcharts.Values, name string) (addonvalues []byte, enab } return nil, false } - -func mergeAddonValues(values, addonValues *l5dcharts.Values) error { - - if addonValues.Tracing != nil { - if err := mergo.Merge(addonValues.Tracing, values.Tracing); err != nil { - return err - } - values.Tracing = addonValues.Tracing - } - return nil -} diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go index 6d074d07491e3..8723cf770e650 100644 --- a/cli/cmd/upgrade.go +++ b/cli/cmd/upgrade.go @@ -346,15 +346,18 @@ func (options *upgradeOptions) validateAndBuild(stage string, k kubernetes.Inter if cmRawValues != nil { //Cm is present now get the data cmData := cmRawValues["values"] - var cmValues charts.Values - err := yaml.Unmarshal([]byte(cmData), &cmValues) + rawValues, err := yaml.Marshal(values) if err != nil { return nil, nil, err } // over-write add-on values with cmValues // Merge Add-On Values with Values - if err = mergeAddonValues(values, &cmValues); err != nil { + if rawValues, err = mergeRaw(rawValues, []byte(cmData)); err != nil { + return nil, nil, err + } + + if err = yaml.Unmarshal(rawValues, &values); err != nil { return nil, nil, err } } diff --git a/cni-plugin/Dockerfile b/cni-plugin/Dockerfile index da981629ea242..9ae99bcb20a9d 100644 --- a/cni-plugin/Dockerfile +++ b/cni-plugin/Dockerfile @@ -1,5 +1,5 @@ ## compile cni-plugin utility -FROM gcr.io/linkerd-io/go-deps:395b5137 as golang +FROM gcr.io/linkerd-io/go-deps:93ea34a8 as golang WORKDIR /linkerd-build COPY pkg pkg COPY controller controller diff --git a/controller/Dockerfile b/controller/Dockerfile index 51e3606daa9b6..b4cc08afc2b97 100644 --- a/controller/Dockerfile +++ b/controller/Dockerfile @@ -1,5 +1,5 @@ ## compile controller service -FROM gcr.io/linkerd-io/go-deps:395b5137 as golang +FROM gcr.io/linkerd-io/go-deps:93ea34a8 as golang WORKDIR /linkerd-build COPY controller/gen controller/gen COPY pkg pkg 
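Review bot: The merge in `validateAndBuild` is wider than its comment says: `mergeRaw(rawValues, []byte(cmData))` overlays every key present in the ConfigMap's `values` entry onto the full values document, whereas the removed `mergeAddonValues` touched `Tracing` alone. Whatever is stored in that ConfigMap can therefore override settings computed earlier in the function; where `cmData` comes from and the rest of `validateAndBuild` are outside this hunk, so confirm who can write it. Consider unmarshalling `cmData` first and merging only the add-on keys, or change the comment to say that the whole document is merged. The same applies to the `--config` path through `UpdateAddOnValuesFromConfig` in install.go.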
diff --git a/go.mod b/go.mod index 43f0aad8afefa..dd73d025be7d4 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,6 @@ require ( github.com/nsf/termbox-go v0.0.0-20180613055208-5c94acc5e6eb github.com/patrickmn/go-cache v2.1.0+incompatible github.com/pkg/browser v0.0.0-20170505125900-c90ca0c84f15 - github.com/pothulapati/mergo v0.3.9-0.20200119140448-5a1b1cee7b3f github.com/prometheus/client_golang v1.2.1 github.com/prometheus/common v0.7.0 github.com/sergi/go-diff v1.0.0 diff --git a/go.sum b/go.sum index 49d512d5a71e5..518fec5655ea3 100644 --- a/go.sum +++ b/go.sum @@ -267,8 +267,6 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pothulapati/mergo v0.3.9-0.20200119140448-5a1b1cee7b3f h1:A0EmZvodfElhpeY0FZwbN8tqp5Zb8UiCCJtKw+OsVFE= -github.com/pothulapati/mergo v0.3.9-0.20200119140448-5a1b1cee7b3f/go.mod h1:ZHOBBBkz9S/P9Sp2H2jkl+8upCXvQ9zENaeP/etJeGk= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.2 h1:awm861/B8OKDd2I/6o1dy3ra4BamzKhYOiGItCeZ740= diff --git a/web/Dockerfile b/web/Dockerfile index d20f952de82f9..439831140a02f 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -21,7 +21,7 @@ COPY web/app ./web/app RUN ./bin/web build ## compile go server -FROM gcr.io/linkerd-io/go-deps:395b5137 as golang +FROM gcr.io/linkerd-io/go-deps:93ea34a8 as golang WORKDIR /linkerd-build RUN mkdir -p web COPY web/main.go web From 1bfcfc651ddd7e569490b8c4921916abcc21064b Mon Sep 17 00:00:00 2001 
From: Tarun Pothulapati Date: Wed, 19 Feb 2020 20:31:27 +0530 Subject: [PATCH 23/46] Re-use helm's merge Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 55a12d715cbd5..c1b80b781dffd 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -597,29 +597,9 @@ func mergeRaw(a, b []byte) ([]byte, error) { return nil, err } - resultMap := mergeMaps(aMap, bMap) + chartutil.Values.MergeInto(aMap, bMap) + return yaml.Marshal(aMap) - return yaml.Marshal(resultMap) - -} - -func mergeMaps(a, b map[string]interface{}) map[string]interface{} { - out := make(map[string]interface{}, len(a)) - for k, v := range a { - out[k] = v - } - for k, v := range b { - if v, ok := v.(map[string]interface{}); ok { - if bv, ok := out[k]; ok { - if bv, ok := bv.(map[string]interface{}); ok { - out[k] = mergeMaps(bv, v) - continue - } - } - } - out[k] = v - } - return out } func (options *installOptions) recordFlags(flags *pflag.FlagSet) { From 19be7f72a5fa243d47e36840d759b65bca098c77 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 20 Feb 2020 11:28:53 +0530 Subject: [PATCH 24/46] Override the chartDir path during tests Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 20 ++++++++++++++------ cli/cmd/install_test.go | 1 + pkg/charts/linkerd2/add-on.go | 6 ------ 3 files changed, 15 insertions(+), 12 deletions(-) delete mode 100644 pkg/charts/linkerd2/add-on.go diff --git a/cli/cmd/install.go b/cli/cmd/install.go index c45769ac9f175..e714af2808528 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -6,6 +6,7 @@ import ( "io" "io/ioutil" "os" + "path/filepath" "reflect" "strings" "time" @@ -82,6 +83,10 @@ type ( ) const ( + + // addOnChartsPath is where the linkerd2 add-ons will be present + addOnChartsPath = "add-ons/" + configStage = "config" controlPlaneStage = "control-plane" 
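Review bot: `mergeRaw` has no doc comment, and after this change the precedence between `a` and `b` can no longer be read from the file because the merge happens inside `chartutil.Values.MergeInto`. A comment such as `// mergeRaw overlays the YAML document b onto a and returns the merged YAML; keys in b take precedence.` would pin the contract that the removed `mergeMaps` implemented (confirm it against MergeInto's documented behaviour). The blank line left before the closing brace can go as well. `mergeRaw` starts outside this hunk.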
@@ -146,6 +151,9 @@ var ( "templates/tap.yaml", "templates/linkerd-values.yaml", } + + // overridden during unit test + rawChartRootDir = "charts" ) // newInstallOptionsWithDefaults initializes install options with default @@ -816,17 +824,16 @@ func render(w io.Writer, values *l5dcharts.Values) error { Files: files, } buf, err := chart.Render() - if err != nil { - return err - } - linkerd2Chart, err := chartutil.Load("charts/" + helmDefaultChartDir) + // load the raw chart from the filesystem to determine its dependent addons + // in the requirements.yaml + rawChart, err := chartutil.Load(filepath.Join(rawChartRootDir, helmDefaultChartDir)) if err != nil { return err } // Render for each add-on separately and attach - for _, dep := range linkerd2Chart.Dependencies { + for _, dep := range rawChart.Dependencies { if dep.GetMetadata().Name != "partials" { addonValues, enabled := checkAddon(values, dep.GetMetadata().Name) @@ -838,12 +845,13 @@ func render(w io.Writer, values *l5dcharts.Values) error { // Get files from dep for _, file := range dep.GetTemplates() { + fmt.Println(file.GetName()) files = append(files, &chartutil.BufferedFile{Name: file.GetName()}) } subchart := &charts.Chart{ Name: dep.GetMetadata().Name, - Dir: l5dcharts.AddOnChartsPath + dep.GetMetadata().Name, + Dir: addOnChartsPath + dep.GetMetadata().Name, Namespace: controlPlaneNamespace, RawValues: append(rawValues, addonValues...), Files: files, diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 3d0a8bdd3249b..aa84f683a96ae 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -244,6 +244,7 @@ func TestRender(t *testing.T) { {withTracingAddonValues, "install_tracing.golden"}, } + rawChartRootDir = filepath.Join("..", "..", "charts") for i, tc := range testCases { tc := tc // pin t.Run(fmt.Sprintf("%d: %s", i, tc.goldenFileName), func(t *testing.T) { 
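Review bot: The error returned by `chart.Render()` is no longer checked in `render`: the hunk removes the `if err != nil { return err }` that followed it, and `err` is then overwritten by `chartutil.Load`, so a failed main-chart render continues with an empty or partial `buf`. Keep `if err != nil { return err }` directly after `buf, err := chart.Render()`. The added `fmt.Println(file.GetName())` looks like leftover debugging; it prints template names to stdout, which is presumably where the rendered manifest goes, and should be dropped. `render` starts and ends outside this hunk.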
diff --git a/pkg/charts/linkerd2/add-on.go b/pkg/charts/linkerd2/add-on.go deleted file mode 100644 index 729717bba61e3..0000000000000 --- a/pkg/charts/linkerd2/add-on.go +++ /dev/null @@ -1,6 +0,0 @@ -package linkerd2 - -var ( - // AddOnChartsPath is where the linkerd2 add-ons will be present - AddOnChartsPath = "add-ons/" -) From e8629b62068cd70e4a70ff2d4f4b4ad83e4081e5 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 20 Feb 2020 11:48:20 +0530 Subject: [PATCH 25/46] add error check Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index e714af2808528..4593411a8d6d1 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -824,6 +824,9 @@ func render(w io.Writer, values *l5dcharts.Values) error { Files: files, } buf, err := chart.Render() + if err != nil { + return err + } // load the raw chart from the filesystem to determine its dependent addons // in the requirements.yaml From e28efddac456fbdb74edb26ebae2fb5c09121436 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Thu, 20 Feb 2020 13:05:19 +0530 Subject: [PATCH 26/46] Updated the dependency iteration code Currently, the charts directory, will not have the deps in the repo. So, Code is updated to read the dependencies from requirements.yaml and use that info to read templates from the relevant add-ons directory. Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 43 +++++++++++++++++++++++++++---------------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 4593411a8d6d1..aa7c177fb214a 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -85,7 +85,7 @@ type ( const ( // addOnChartsPath is where the linkerd2 add-ons will be present - addOnChartsPath = "add-ons/" + addOnChartsPath = "add-ons" configStage = "config" controlPlaneStage = "control-plane" 
@@ -828,43 +828,54 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } - // load the raw chart from the filesystem to determine its dependent addons - // in the requirements.yaml + // load the raw chart from the filesystem rawChart, err := chartutil.Load(filepath.Join(rawChartRootDir, helmDefaultChartDir)) if err != nil { return err } + // read the dependencies from requirements.yaml as dependencies are not present + // in charts directory + rawChartReq, err := chartutil.LoadRequirements(rawChart) + if err != nil { + return err + } + // Render for each add-on separately and attach - for _, dep := range rawChart.Dependencies { - if dep.GetMetadata().Name != "partials" { + for _, dep := range rawChartReq.Dependencies { - addonValues, enabled := checkAddon(values, dep.GetMetadata().Name) + if dep.Name != "partials" { + addOnValues, enabled := checkAddon(values, dep.Name) if enabled { files := []*chartutil.BufferedFile{ {Name: chartutil.ChartfileName}, } - // Get files from dep - for _, file := range dep.GetTemplates() { - fmt.Println(file.GetName()) - files = append(files, &chartutil.BufferedFile{Name: file.GetName()}) + // Get files from the addOns directory for the dep + dirFiles, err := ioutil.ReadDir(filepath.Join(rawChartRootDir, addOnChartsPath, dep.Name, "templates")) + if err != nil { + log.Fatal(err) + } + + for _, file := range dirFiles { + files = append(files, &chartutil.BufferedFile{Name: filepath.Join("templates", file.Name())}) } - subchart := &charts.Chart{ - Name: dep.GetMetadata().Name, - Dir: addOnChartsPath + dep.GetMetadata().Name, + subChart := &charts.Chart{ + Name: dep.Name, + Dir: filepath.Join(addOnChartsPath, dep.Name), Namespace: controlPlaneNamespace, - RawValues: append(rawValues, addonValues...), + RawValues: append(rawValues, addOnValues...), Files: files, } - addonBuf, err := subchart.Render() + + addOnBuf, err := subChart.Render() if err != nil { return err } - buf.Write(addonBuf.Bytes()) + 
buf.Write(addOnBuf.Bytes()) } } From b5f388259e2725fe44de1b51dee61850595e824a Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Fri, 21 Feb 2020 13:01:17 +0530 Subject: [PATCH 27/46] Hard Code add-ons name Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index aa7c177fb214a..8bcfcbfd12f04 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -154,6 +154,8 @@ var ( // overridden during unit test rawChartRootDir = "charts" + + subCharts = []string{"tracing"} ) // newInstallOptionsWithDefaults initializes install options with default @@ -828,24 +830,11 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } - // load the raw chart from the filesystem - rawChart, err := chartutil.Load(filepath.Join(rawChartRootDir, helmDefaultChartDir)) - if err != nil { - return err - } - - // read the dependencies from requirements.yaml as dependencies are not present - // in charts directory - rawChartReq, err := chartutil.LoadRequirements(rawChart) - if err != nil { - return err - } - // Render for each add-on separately and attach - for _, dep := range rawChartReq.Dependencies { + for _, dep := range subCharts { - if dep.Name != "partials" { - addOnValues, enabled := checkAddon(values, dep.Name) + if dep != "partials" { + addOnValues, enabled := checkAddon(values, dep) if enabled { files := []*chartutil.BufferedFile{ @@ -853,7 +842,7 @@ func render(w io.Writer, values *l5dcharts.Values) error { } // Get files from the addOns directory for the dep - dirFiles, err := ioutil.ReadDir(filepath.Join(rawChartRootDir, addOnChartsPath, dep.Name, "templates")) + dirFiles, err := ioutil.ReadDir(filepath.Join(rawChartRootDir, addOnChartsPath, dep, "templates")) if err != nil { log.Fatal(err) } 
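Review bot: `log.Fatal(err)` on the `ioutil.ReadDir` failure, in the `render` hunk that begins `@@ -828,43 +828,54 @@`, exits the process from inside a function that reports every other failure by returning it. Use `return err` so the caller decides how to surface the failure and deferred cleanup still runs. `ReadDir` also returns subdirectories and any non-template file under `templates`, and each entry is added as a template; skipping entries where `file.IsDir()` is true would avoid handing a directory name to the renderer. `render` starts outside this hunk.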
@@ -863,8 +852,8 @@ func render(w io.Writer, values *l5dcharts.Values) error { } subChart := &charts.Chart{ - Name: dep.Name, - Dir: filepath.Join(addOnChartsPath, dep.Name), + Name: dep, + Dir: filepath.Join(addOnChartsPath, dep), Namespace: controlPlaneNamespace, RawValues: append(rawValues, addOnValues...), Files: files, From faed2d0e106b2394fa115563dc4df0df22d95a44 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Fri, 21 Feb 2020 14:00:17 +0530 Subject: [PATCH 28/46] Remove struct details for add-ons - As we don't use fields of a add-on struct, we don't have them to be typed. Instead we can just use the `enabled` flag using reflection - Users can just use map[string]interface{} as the add-on type. Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 4 ++-- pkg/charts/linkerd2/tracing.go | 25 ------------------------- pkg/charts/linkerd2/values.go | 2 +- 3 files changed, 3 insertions(+), 28 deletions(-) delete mode 100644 pkg/charts/linkerd2/tracing.go diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 8bcfcbfd12f04..e8aab325a1188 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -1223,8 +1223,8 @@ func checkAddon(values *l5dcharts.Values, name string) (addonvalues []byte, enab r := reflect.ValueOf(values) if !reflect.Indirect(r).FieldByName(strings.Title(name)).IsNil() { - if reflect.Indirect(reflect.Indirect(r).FieldByName(strings.Title(name))).FieldByName("Enabled").Bool() { - values, err := yaml.Marshal(values.Tracing) + if reflect.Indirect(r).FieldByName(strings.Title(name)).MapIndex(reflect.ValueOf("enabled")).Interface().(bool) == true { + values, err := yaml.Marshal(reflect.Indirect(r).FieldByName(strings.Title(name)).Interface()) if err != nil { return nil, false } diff --git a/pkg/charts/linkerd2/tracing.go b/pkg/charts/linkerd2/tracing.go deleted file mode 100644 index d91b23a563f21..0000000000000 --- a/pkg/charts/linkerd2/tracing.go +++ /dev/null 
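Review bot: The `enabled` lookup in `checkAddon` panics on input that a user-supplied add-on config can produce: `MapIndex(reflect.ValueOf("enabled"))` yields the zero `reflect.Value` when the key is absent, and `.Interface().(bool)` panics both then and when the value is not a bool (for example a quoted `"true"`). Since `Tracing` becomes a `map[string]interface{}` in this commit, nothing validates its shape before this line. Resolve the field once, check `IsValid()` at each step and use the two-value type assertion, as sketched below; the later lint-fix commit in this series keeps the same unchecked chain. `checkAddon` starts and ends outside this hunk.

```go
	// … unchanged: r := reflect.ValueOf(values) …
	addon := reflect.Indirect(r).FieldByName(strings.Title(name))
	if !addon.IsValid() || addon.IsNil() {
		return nil, false
	}
	flag := addon.MapIndex(reflect.ValueOf("enabled"))
	if !flag.IsValid() {
		return nil, false
	}
	if on, ok := flag.Interface().(bool); !ok || !on {
		return nil, false
	}
	values, err := yaml.Marshal(addon.Interface())
	// … unchanged: marshal error handling and return …
```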
@@ -1,25 +0,0 @@ -package linkerd2 - -type ( - - // Tracing consists of the add-on configuration of the distributed tracing components sub-chart. - Tracing struct { - Enabled bool `json:"enabled"` - Collector *Collector `json:"collector"` - Jaeger *Jaeger `json:"jaeger"` - } - - // Collector consists of the config values required for Trace collector - Collector struct { - Name string `json:"name"` - Image string `json:"image"` - Resources *Resources `json:"resources"` - } - - // Jaeger consists of the config values required for Jaeger - Jaeger struct { - Name string `json:"name"` - Image string `json:"image"` - Resources *Resources `json:"resources"` - } -) diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index 468253f8f90b4..cd5b40df08cc5 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go @@ -60,7 +60,7 @@ type ( WebResources *Resources `json:"webResources"` // Addon Structures - Tracing *Tracing `json:"tracing"` + Tracing map[string]interface{} `json:"tracing"` } // Global values common across all charts From a7acaadda50d7066d25d74da7fcc6fcef7822b90 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Fri, 21 Feb 2020 14:11:11 +0530 Subject: [PATCH 29/46] update unit tests Signed-off-by: Tarun Pothulapati --- cli/cmd/install_test.go | 6 +++--- cli/cmd/testdata/install_tracing.golden | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index aa84f683a96ae..e9f89e619e58e 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -128,8 +128,8 @@ func TestRender(t *testing.T) { Dashboard: &charts.Dashboard{ Replicas: 1, }, - Tracing: &charts.Tracing{ - Enabled: false, + Tracing: map[string]interface{}{ + "enabled": false, }, } 
@@ -222,7 +222,7 @@ func TestRender(t *testing.T) { } withTracingAddonValues, _, _ := withTracingAddon.validateAndBuild("", nil) - withTracingAddonValues.Tracing.Enabled = true + withTracingAddonValues.Tracing["enabled"] = true addFakeTLSSecrets(withTracingAddonValues) testCases := []struct { diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden index 19951144a447e..84be7ecea0959 100644 --- a/cli/cmd/testdata/install_tracing.golden +++ b/cli/cmd/testdata/install_tracing.golden @@ -3094,7 +3094,7 @@ data: name: linkerd-collector resources: cpu: - limit: "1" + limit: 1 request: 200m memory: limit: 2Gi From ab8965e7af9fec6ace006436acb8450921ac3ef6 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Fri, 21 Feb 2020 14:20:57 +0530 Subject: [PATCH 30/46] linting fix Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index e8aab325a1188..a508760ef16d7 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -1223,7 +1223,7 @@ func checkAddon(values *l5dcharts.Values, name string) (addonvalues []byte, enab r := reflect.ValueOf(values) if !reflect.Indirect(r).FieldByName(strings.Title(name)).IsNil() { - if reflect.Indirect(r).FieldByName(strings.Title(name)).MapIndex(reflect.ValueOf("enabled")).Interface().(bool) == true { + if reflect.Indirect(r).FieldByName(strings.Title(name)).MapIndex(reflect.ValueOf("enabled")).Interface().(bool) { values, err := yaml.Marshal(reflect.Indirect(r).FieldByName(strings.Title(name)).Interface()) if err != nil { return nil, false From b1fc765610904f555d0cdc52f786a3682c6af475 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Sat, 22 Feb 2020 12:40:20 +0530 Subject: [PATCH 31/46] Rename flag to addon-config Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/cli/cmd/install.go b/cli/cmd/install.go index a508760ef16d7..fae100b7ce0f6 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -41,7 +41,7 @@ type ( // install. installOptions struct { clusterDomain string - config string + addOnConfig string controlPlaneVersion string controllerReplicas uint controllerLogLevel string @@ -526,7 +526,7 @@ func (options *installOptions) allStageFlagSet() *pflag.FlagSet { ) flags.StringVar( - &options.config, "config", options.config, + &options.addOnConfig, "addon-config", options.addOnConfig, "A path to a configuration file of add-ons", ) return flags @@ -568,8 +568,8 @@ func (options *installOptions) installPersistentFlagSet() *pflag.FlagSet { // UpdateValuesFromConfig takes a values struct and updates its add-on values from the config installOption func (options *installOptions) UpdateAddOnValuesFromConfig(values *l5dcharts.Values) error { - if options.config != "" { - addOnValues, err := ioutil.ReadFile(options.config) + if options.addOnConfig != "" { + addOnValues, err := ioutil.ReadFile(options.addOnConfig) if err != nil { return err } From 2b90e208ca3ddf794bac74b9c47334aee3debdd9 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Sat, 22 Feb 2020 13:10:26 +0530 Subject: [PATCH 32/46] Use Chart loading logic - This code uses chart loading to read the files and keep in a vfs. - Once we have those files read we will then use them for generation of sub-charts. Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 70 ++++++++++++------------ cli/cmd/install_test.go | 1 - pkg/charts/charts.go | 110 +++++++++++++++++++++++++++++++++++++- pkg/charts/charts_test.go | 92 +++++++++++++++++++++++++++++++ 4 files changed, 235 insertions(+), 38 deletions(-) create mode 100644 pkg/charts/charts_test.go diff --git a/cli/cmd/install.go b/cli/cmd/install.go index fae100b7ce0f6..168fbafb5c6bc 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go 
@@ -151,11 +151,6 @@ var ( "templates/tap.yaml", "templates/linkerd-values.yaml", } - - // overridden during unit test - rawChartRootDir = "charts" - - subCharts = []string{"tracing"} ) // newInstallOptionsWithDefaults initializes install options with default @@ -791,7 +786,6 @@ func toPromLogLevel(level string) string { } func render(w io.Writer, values *l5dcharts.Values) error { - // Render raw values and create chart config rawValues, err := yaml.Marshal(values) if err != nil { @@ -818,6 +812,7 @@ func render(w io.Writer, values *l5dcharts.Values) error { } } + // TODO refactor to use l5dcharts.LoadChart() chart := &charts.Chart{ Name: helmDefaultChartName, Dir: helmDefaultChartDir, 
@@ -830,45 +825,48 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } - // Render for each add-on separately and attach - for _, dep := range subCharts { - - if dep != "partials" { - addOnValues, enabled := checkAddon(values, dep) - - if enabled { - files := []*chartutil.BufferedFile{ - {Name: chartutil.ChartfileName}, - } + dependencies, err := charts.LoadDependencies(helmDefaultChartName) + if err != nil { + return err + } - // Get files from the addOns directory for the dep - dirFiles, err := ioutil.ReadDir(filepath.Join(rawChartRootDir, addOnChartsPath, dep, "templates")) - if err != nil { - log.Fatal(err) - } + // Render for each add-on separately and attach + for _, dep := range dependencies { + chartName := dep.Metadata.Name + if chartName == "partials" { + continue + } - for _, file := range dirFiles { - files = append(files, &chartutil.BufferedFile{Name: filepath.Join("templates", file.Name())}) - } + addOnValues, enabled := checkAddon(values, chartName) + if enabled { + files := []*chartutil.BufferedFile{ + {Name: chartutil.ChartfileName}, + } - subChart := &charts.Chart{ - Name: dep, - Dir: filepath.Join(addOnChartsPath, dep), - Namespace: controlPlaneNamespace, - RawValues: append(rawValues, addOnValues...), - Files: files, - } + for _, template := range dep.Templates { + files = append(files, &chartutil.BufferedFile{ + Name: template.Name, + Data: template.Data, + }) + } - addOnBuf, err := subChart.Render() - if err != nil { - return err - } + subChart := &charts.Chart{ + Name: chartName, + Dir: filepath.Join(addOnChartsPath, chartName), + Namespace: controlPlaneNamespace, + RawValues: append(rawValues, addOnValues...), + Files: files, + } - buf.Write(addOnBuf.Bytes()) + addOnBuf, err := subChart.Render() + if err != nil { + return err } + buf.Write(addOnBuf.Bytes()) } } + _, err = w.Write(buf.Bytes()) return err } diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index e9f89e619e58e..4677725cbc8c0 100644 
--- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -244,7 +244,6 @@ func TestRender(t *testing.T) { {withTracingAddonValues, "install_tracing.golden"}, } - rawChartRootDir = filepath.Join("..", "..", "charts") for i, tc := range testCases { tc := tc // pin t.Run(fmt.Sprintf("%d: %s", i, tc.goldenFileName), func(t *testing.T) { diff --git a/pkg/charts/charts.go b/pkg/charts/charts.go index 828d1a913cf20..7e44f0be2b895 100644 --- a/pkg/charts/charts.go +++ b/pkg/charts/charts.go @@ -2,18 +2,26 @@ package charts import ( "bytes" + "io/ioutil" + "net/http" "path" + fpath "path/filepath" "strings" "github.com/linkerd/linkerd2/pkg/charts/static" "github.com/linkerd/linkerd2/pkg/version" "k8s.io/helm/pkg/chartutil" + "k8s.io/helm/pkg/proto/hapi/chart" helmChart "k8s.io/helm/pkg/proto/hapi/chart" "k8s.io/helm/pkg/renderutil" "k8s.io/helm/pkg/timeconv" ) -const versionPlaceholder = "{version}" +const ( + versionPlaceholder = "{version}" + linkerdChartName = "linkerd2" + linkerdChartRootDir = "linkerd2" +) // Chart holds the necessary info to render a Helm chart type Chart struct { 
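Review bot: `k8s.io/helm/pkg/proto/hapi/chart` is now imported twice in charts.go, once unaliased as `chart` and once under the existing alias `helmChart`. Drop the added unaliased import and use `helmChart.Chart` in the new code. Besides the duplication, the unaliased package name is shadowed by the local variable `chart` in `LoadDependencies` and by the receiver name `chart` on `render`, which makes the new signatures harder to read.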
@@ -24,6 +32,106 @@ type Chart struct { Files []*chartutil.BufferedFile } +// LoadChart returns a new Chart object that contains all the files of the +// specified chart. The chart's files are loaded from the virtual filesystem +// using the Helm's chartutil.LoadFiles() helper function. +func LoadChart(chartName string) (*helmChart.Chart, error) { + var vfiles []*chartutil.BufferedFile + + // retrieve all the files of a chart located at linkerdChartRootRid + walkVFS := func() error { + files, err := readVirtualFiles(linkerdChartRootDir, chartName) + if err != nil { + return err + } + + for path, file := range files { + data, err := ioutil.ReadAll(file) + if err != nil { + return err + } + + filename := path + if strings.HasPrefix(path, chartName) { + filename = path[len(chartName)+1:] + } + + vfiles = append(vfiles, &chartutil.BufferedFile{ + Name: filename, + Data: data, + }) + } + + return nil + } + + if err := walkVFS(); err != nil { + return nil, err + } + + return chartutil.LoadFiles(vfiles) +} + +// LoadDependencies loads all the dependent subcharts of the specified chart. +// It relies on LoadChart to load the files and metadata of the chart from the +// VFS. +func LoadDependencies(chartName string) ([]*chart.Chart, error) { + chart, err := LoadChart(chartName) + if err != nil { + return nil, err + } + + return chart.Dependencies, nil +} + +// readVirtualFiles read the content of a file from the VFS. If the file is +// directory, it also loads the children files content, recursively. +// +// The result map is keyed off the full path of the files, which is needed +// by the renderer. The http.File struct contains only the file basename. 
+func readVirtualFiles(filename, root string) (map[string]http.File, error) { + filepath := filename + if !strings.HasPrefix(filepath, root) { + filepath = fpath.Join(root, filename) + } + + file, err := static.Templates.Open(filepath) + if err != nil { + return nil, err + } + + fileInfo, err := file.Stat() + if err != nil { + return nil, err + } + + if !fileInfo.IsDir() { + return map[string]http.File{filepath: file}, nil + } + + // file is a directory. read its children files. + files := map[string]http.File{} + filesInfo, err := file.Readdir(0) + if err != nil { + return nil, err + } + + parent := fileInfo.Name() + for _, fileInfo := range filesInfo { + filename := fpath.Join(parent, fileInfo.Name()) + children, err := readVirtualFiles(filename, root) + if err != nil { + return nil, err + } + + for path, file := range children { + files[path] = file + } + } + + return files, nil +} + func (chart *Chart) render(partialsFiles []*chartutil.BufferedFile) (bytes.Buffer, error) { if err := FilesReader(chart.Dir+"/", chart.Files); err != nil { return bytes.Buffer{}, err diff --git a/pkg/charts/charts_test.go b/pkg/charts/charts_test.go new file mode 100644 index 0000000000000..0a79cb5b53953 --- /dev/null +++ b/pkg/charts/charts_test.go 
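Review bot: None of the `http.File` handles opened by `static.Templates.Open` in readVirtualFiles is ever closed: directory handles are dropped after `Readdir`, and LoadChart reads each leaf with `ioutil.ReadAll(file)` and moves on. Add `defer file.Close()` after the `IsDir` check in readVirtualFiles, and call `file.Close()` right after the `ReadAll` in LoadChart rather than deferring it, since a defer in that loop would hold every handle until the function returns. Separately, `parent := fileInfo.Name()` keeps only the directory's base name, so a file three levels below the root appears to be looked up one level too high (`root/dir/sub/f` becomes `root/sub/f`); passing the full `filepath` into the recursion would avoid that. How much the leak costs depends on what backs `static.Templates`, which is defined outside this hunk.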
@@ -0,0 +1,92 @@ +package charts + +import ( + "reflect" + "testing" + + "k8s.io/helm/pkg/chartutil" + "k8s.io/helm/pkg/proto/hapi/chart" +) + +const testChartRootDir = "../../charts/linkerd2" + +func TestLoadChart(t *testing.T) { + actual, err := LoadChart(linkerdChartName) + if err != nil { + t.Fatal("unexpected error: ", err) + } + + expected, err := chartutil.Load(testChartRootDir) + if err != nil { + t.Fatal("unexpected error: ", err) + } + + // compare the charts' metadata + if !reflect.DeepEqual(expected.Metadata, actual.Metadata) { + t.Errorf("chart metadata mismatch.\nexpected: %+v\n actual: %+v\n", expected.Metadata, actual.Metadata) + } + + // check for missing templates + missing := []*chart.Template{} + for _, expected := range expected.Templates { + expected := expected + + var found bool + for _, actual := range actual.Templates { + if reflect.DeepEqual(expected, actual) { + found = true + break + } + } + + if !found { + missing = append(missing, expected) + } + } + + if len(missing) > 0 { + err := "missing chart templates:" + for _, m := range missing { + err += m.Name + ", " + } + t.Errorf(err) + } +} + +func TestLoadDependencies(t *testing.T) { + actual, err := LoadDependencies(linkerdChartName) + if err != nil { + t.Fatal("unexpected error: ", err) + } + + expected, err := chartutil.Load(testChartRootDir) + if err != nil { + t.Fatal("unexpected error: ", err) + } + + // check for missing dependencies + missing := []string{} + for _, expected := range expected.Dependencies { + expected := expected + + var found bool + for _, actual := range actual { + if reflect.DeepEqual(expected.Metadata, actual.Metadata) { + found = true + break + } + } + + if !found { + missing = append(missing, expected.Metadata.Name) + } + } + + if len(missing) > 0 { + err := "missing dependencies: " + for _, m := range missing { + err += m + ", " + } + t.Errorf(err) + } +} From 216fdaa51d82496a80c852f61d44679b3104a75d Mon Sep 17 00:00:00 2001 
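Review bot: Both tests end with `t.Errorf(err)`, which passes a message assembled from template or dependency names as the format string; printf-style linters flag this, and any name containing `%` would be mangled. Use `t.Error(msg)`, or collect the names and report them as `t.Errorf("missing chart templates: %s", strings.Join(names, ", "))`. Naming that string `err` also shadows the `error` variable declared earlier in the same function. The loops only check that everything loaded from disk is present in the VFS result, so extra or stale entries on the VFS side go unnoticed; comparing the lengths as well would close that gap.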
From: Tarun Pothulapati Date: Sat, 22 Feb 2020 13:14:56 +0530 Subject: [PATCH 33/46] Go fmt fix Signed-off-by: Tarun Pothulapati --- pkg/charts/charts.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/charts/charts.go b/pkg/charts/charts.go index 7e44f0be2b895..53d4f901db8d3 100644 --- a/pkg/charts/charts.go +++ b/pkg/charts/charts.go @@ -19,7 +19,7 @@ import ( const ( versionPlaceholder = "{version}" - linkerdChartName = "linkerd2" + linkerdChartName = "linkerd2" linkerdChartRootDir = "linkerd2" ) From bc5829fba465a5dad6fbdf78a76ed0b8adc0e743 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Sat, 22 Feb 2020 14:52:32 +0530 Subject: [PATCH 34/46] Update the linkerd-values cm to use second level field Signed-off-by: Tarun Pothulapati --- charts/linkerd2/templates/linkerd-values.yaml | 26 +++++++------------ 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/charts/linkerd2/templates/linkerd-values.yaml b/charts/linkerd2/templates/linkerd-values.yaml index aef7908a726a8..00f57acfe400f 100644 --- a/charts/linkerd2/templates/linkerd-values.yaml +++ b/charts/linkerd2/templates/linkerd-values.yaml 
@@ -1,18 +1,9 @@ -{{ if or (.Values.tracing.enabled) -}} {{- /* - The Below code is used to remove globals and partials fields which are automatically added by helm. + This config-map is used to store the configuration of add-ons, which is useful during upgrades. + As fields like global, etc are added by helm and we would not want them in the data, second level fields should be used + instead of directly specifying the add-on field. */ -}} -{{- $dupValues := .Values -}} -{{- range $key, $value := $dupValues -}} - {{- if kindIs "map" $value -}} - {{- if and (hasKey $value "global") (ne $key "configs" ) -}} - {{- $dupValues := set $dupValues $key (unset $value "global") -}} - {{- end -}} - {{- if hasKey $value "partials" -}} - {{- $dupValues := set $dupValues $key (unset $value "partials") -}} - {{- end -}} - {{- end -}} -{{- end -}} +{{ if or (.Values.tracing.enabled) -}} --- ### ### linkerd values @@ -24,12 +15,15 @@ metadata: name: linkerd-values namespace: {{.Values.global.namespace}} labels: - {{.Values.global.controllerComponentLabel}}: controller {{.Values.global.controllerNamespaceLabel}}: {{.Values.global.namespace}} annotations: {{.Values.global.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.global.linkerdVersion) .Values.global.cliVersion}} data: values: |- tracing: - {{- toYaml $dupValues.tracing | trim | nindent 6}} -{{ end }} \ No newline at end of file + enabled: {{.Values.tracing.enabled}} + collector: + {{- toYaml .Values.tracing.collector | trim | nindent 8}} + jaeger: + {{- toYaml .Values.tracing.jaeger | trim | nindent 8}} +{{ end -}} From 262287d8c88619fadce9997a712b37fc3ef51bcb Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 24 Feb 2020 01:31:35 +0530 Subject: [PATCH 35/46] Add relevant unit tests for mergeRaw Signed-off-by: Tarun Pothulapati --- cli/cmd/install_test.go | 60 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) 
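Review bot: The `values` block now lists `tracing.enabled`, `tracing.collector` and `tracing.jaeger` by hand, so any other key set under `tracing` is left out of the linkerd-values ConfigMap and, going by the comment at the top of the template, would not be available during upgrades. If the fixed list is intended, say so in that comment, for example `Only the fields listed below are persisted; new add-on fields must be added here explicitly.` When `collector` or `jaeger` is unset, `toYaml` is handed a nil value, so a `{{- with .Values.tracing.collector }}` guard around each sub-block would keep the stored document predictable. Because the data lands in a ConfigMap rather than a Secret, the comment could also state that credentials do not belong under these keys.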
diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 4677725cbc8c0..b32326550ccff 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -4,8 +4,11 @@ import ( "bytes" "fmt" "path/filepath" + "reflect" "testing" + "github.com/ghodss/yaml" + "github.com/linkerd/linkerd2/controller/gen/config" pb "github.com/linkerd/linkerd2/controller/gen/config" charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" 
@@ -485,6 +488,63 @@ func TestValidate(t *testing.T) { }) } +func TestMergeRaw(t *testing.T) { + t.Run("Test Ovewriting of Values struct", func(*testing.T) { + + initialValues := charts.Values{ + PrometheusImage: "initial-prometheus", + EnableH2Upgrade: true, + ControllerReplicas: 1, + OmitWebhookSideEffects: false, + InstallNamespace: true, + } + + // Overwrite values should not be unmarshalled from values struct as the zero values are added + // causing overwriting of fields not present in the inital struct to zero values. This can be mitigated + // partially by using omitempty, but then we don't have relevant checks in helm templates as they would + // be nil when omitempty is present. + rawOverwriteValues := ` +prometheusImage: override-prometheus +enableH2Upgrade: false +controllerReplicas: 2 +omitWebhookSideEffects: true +enablePodAntiAffinity: true` + + expectedValues := charts.Values{ + PrometheusImage: "override-prometheus", + EnableH2Upgrade: false, + ControllerReplicas: 2, + OmitWebhookSideEffects: true, + EnablePodAntiAffinity: true, + InstallNamespace: true, + } + + rawInitialValues, err := yaml.Marshal(initialValues) + if err != nil { + t.Fatalf("Error while Marshaling: %s", err) + + } + + actualRawValues, err := mergeRaw(rawInitialValues, []byte(rawOverwriteValues)) + if err != nil { + t.Fatalf("Error while Merging: %s", err) + + } + + var actualValues charts.Values + err = yaml.Unmarshal(actualRawValues, &actualValues) + if err != nil { + t.Fatalf("Error while unmarshalling: %s", err) + + } + if !reflect.DeepEqual(expectedValues, actualValues) { + t.Fatal("Expected and Actual not equal.") + + } + }) + +} + func fakeHeartbeatSchedule() string { return "1 2 3 4 5" } From b9d941bafbac08d33839bcf97df98206a7380385 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 24 Feb 2020 15:19:34 +0530 Subject: [PATCH 36/46] linting fix Signed-off-by: Tarun Pothulapati --- cli/cmd/install_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
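Review bot: The subtest closure in TestMergeRaw is declared as `func(*testing.T)`, so every `t.Fatalf` and `t.Fatal` inside it is called on the parent test's `t` instead of the subtest's. Failures are then attributed to the wrong test, and FailNow is documented as valid only from the goroutine running that test, which the subtest closure is not. Change the signature to `func(t *testing.T) {` so the inner `t` shadows the outer one. The final check would also be easier to debug as `t.Fatalf("expected %+v, got %+v", expectedValues, actualValues)`. The copy of this test that patch 37 moves to cli/cmd/install_addon_test.go carries the same signature.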
diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index b32326550ccff..e56e6aa8b8f51 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -499,8 +499,8 @@ func TestMergeRaw(t *testing.T) { InstallNamespace: true, } - // Overwrite values should not be unmarshalled from values struct as the zero values are added - // causing overwriting of fields not present in the inital struct to zero values. This can be mitigated + // Overwrite values should not be unmarshal from values struct as the zero values are added + // causing overwriting of fields not present in the initial struct to zero values. This can be mitigated // partially by using omitempty, but then we don't have relevant checks in helm templates as they would // be nil when omitempty is present. rawOverwriteValues := ` From 721b5b455fb5ae7f62d601fb8337b6a5d53b37d9 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 24 Feb 2020 15:24:50 +0530 Subject: [PATCH 37/46] Move addon tests to a new file Signed-off-by: Tarun Pothulapati --- cli/cmd/install_addon_test.go | 97 +++++++++++++++++++++++++++++++++++ cli/cmd/install_test.go | 70 ------------------------- 2 files changed, 97 insertions(+), 70 deletions(-) create mode 100644 cli/cmd/install_addon_test.go diff --git a/cli/cmd/install_addon_test.go b/cli/cmd/install_addon_test.go new file mode 100644 index 0000000000000..59f6764c20d68 --- /dev/null +++ b/cli/cmd/install_addon_test.go 
@@ -0,0 +1,97 @@ +package cmd + +import ( + "bytes" + "fmt" + "reflect" + "testing" + + charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" + "sigs.k8s.io/yaml" +) + +func TestAddOnRender(t *testing.T) { + withTracingAddon, err := testInstallOptions() + if err != nil { + t.Fatalf("Unexpected error: %v\n", err) + } + + withTracingAddonValues, _, _ := withTracingAddon.validateAndBuild("", nil) + withTracingAddonValues.Tracing["enabled"] = true + addFakeTLSSecrets(withTracingAddonValues) + + testCases := []struct { + values *charts.Values + goldenFileName string + }{ + {withTracingAddonValues, "install_tracing.golden"}, + } + + for i, tc := range testCases { + tc := tc // pin + t.Run(fmt.Sprintf("%d: %s", i, tc.goldenFileName), func(t *testing.T) { + var buf bytes.Buffer + if err := render(&buf, tc.values); err != nil { + t.Fatalf("Failed to render templates: %v", err) + } + diffTestdata(t, tc.goldenFileName, buf.String()) + }) + } +} + +func TestMergeRaw(t *testing.T) { + t.Run("Test Ovewriting of Values struct", func(*testing.T) { + + initialValues := charts.Values{ + PrometheusImage: "initial-prometheus", + EnableH2Upgrade: true, + ControllerReplicas: 1, + OmitWebhookSideEffects: false, + InstallNamespace: true, + } + + // Overwrite values should not be unmarshal from values struct as the zero values are added + // causing overwriting of fields not present in the initial struct to zero values. This can be mitigated + // partially by using omitempty, but then we don't have relevant checks in helm templates as they would + // be nil when omitempty is present. 
+ rawOverwriteValues := ` +prometheusImage: override-prometheus +enableH2Upgrade: false +controllerReplicas: 2 +omitWebhookSideEffects: true +enablePodAntiAffinity: true` + + expectedValues := charts.Values{ + PrometheusImage: "override-prometheus", + EnableH2Upgrade: false, + ControllerReplicas: 2, + OmitWebhookSideEffects: true, + EnablePodAntiAffinity: true, + InstallNamespace: true, + } + + rawInitialValues, err := yaml.Marshal(initialValues) + if err != nil { + t.Fatalf("Error while Marshaling: %s", err) + + } + + actualRawValues, err := mergeRaw(rawInitialValues, []byte(rawOverwriteValues)) + if err != nil { + t.Fatalf("Error while Merging: %s", err) + + } + + var actualValues charts.Values + err = yaml.Unmarshal(actualRawValues, &actualValues) + if err != nil { + t.Fatalf("Error while unmarshalling: %s", err) + + } + if !reflect.DeepEqual(expectedValues, actualValues) { + t.Fatal("Expected and Actual not equal.") + + } + }) + +} diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index e56e6aa8b8f51..86e664bad20f8 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -4,11 +4,8 @@ import ( "bytes" "fmt" "path/filepath" - "reflect" "testing" - "github.com/ghodss/yaml" - "github.com/linkerd/linkerd2/controller/gen/config" pb "github.com/linkerd/linkerd2/controller/gen/config" charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" @@ -219,15 +216,6 @@ func TestRender(t *testing.T) { withCustomRegistryValues, _, _ := withCustomRegistryOptions.validateAndBuild("", nil) addFakeTLSSecrets(withCustomRegistryValues) - withTracingAddon, err := testInstallOptions() - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - - withTracingAddonValues, _, _ := withTracingAddon.validateAndBuild("", nil) - withTracingAddonValues.Tracing["enabled"] = true - addFakeTLSSecrets(withTracingAddonValues) - testCases := []struct { values *charts.Values goldenFileName string 
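Review bot: TestAddOnRender discards the error from `withTracingAddon.validateAndBuild("", nil)` and immediately writes `withTracingAddonValues.Tracing["enabled"] = true`, so a failed build or a nil `Tracing` map would surface as a panic rather than a test failure. Keep the error and stop on it, `withTracingAddonValues, _, err := withTracingAddon.validateAndBuild("", nil)` followed by `if err != nil { t.Fatalf("Unexpected error: %v", err) }`. Whether `Tracing` can be nil here is not visible in the hunk; if it can, initialise it before the assignment.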
@@ -244,7 +232,6 @@ func TestRender(t *testing.T) { {withRestrictedDashboardPriviligesValues, "install_restricted_dashboard.golden"}, {withControlPlaneTracingValues, "install_controlplane_tracing_output.golden"}, {withCustomRegistryValues, "install_custom_registry.golden"}, - {withTracingAddonValues, "install_tracing.golden"}, } for i, tc := range testCases { 
@@ -488,63 +475,6 @@ func TestValidate(t *testing.T) { }) } -func TestMergeRaw(t *testing.T) { - t.Run("Test Ovewriting of Values struct", func(*testing.T) { - - initialValues := charts.Values{ - PrometheusImage: "initial-prometheus", - EnableH2Upgrade: true, - ControllerReplicas: 1, - OmitWebhookSideEffects: false, - InstallNamespace: true, - } - - // Overwrite values should not be unmarshal from values struct as the zero values are added - // causing overwriting of fields not present in the initial struct to zero values. This can be mitigated - // partially by using omitempty, but then we don't have relevant checks in helm templates as they would - // be nil when omitempty is present. - rawOverwriteValues := ` -prometheusImage: override-prometheus -enableH2Upgrade: false -controllerReplicas: 2 -omitWebhookSideEffects: true -enablePodAntiAffinity: true` - - expectedValues := charts.Values{ - PrometheusImage: "override-prometheus", - EnableH2Upgrade: false, - ControllerReplicas: 2, - OmitWebhookSideEffects: true, - EnablePodAntiAffinity: true, - InstallNamespace: true, - } - - rawInitialValues, err := yaml.Marshal(initialValues) - if err != nil { - t.Fatalf("Error while Marshaling: %s", err) - - } - - actualRawValues, err := mergeRaw(rawInitialValues, []byte(rawOverwriteValues)) - if err != nil { - t.Fatalf("Error while Merging: %s", err) - - } - - var actualValues charts.Values - err = yaml.Unmarshal(actualRawValues, &actualValues) - if err != nil { - t.Fatalf("Error while unmarshalling: %s", err) - - } - if !reflect.DeepEqual(expectedValues, actualValues) { - t.Fatal("Expected and Actual not equal.") - - } - }) - -} - func fakeHeartbeatSchedule() string { return "1 2 3 4 5" } From 2f50ee7e8b830c89679eef72c6977678b31e5afc Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Mon, 24 Feb 2020 15:30:01 +0530 Subject: [PATCH 38/46] Fix golden files 
Signed-off-by: Tarun Pothulapati --- cli/cmd/testdata/install_tracing.golden | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden index 84be7ecea0959..70006f2944b0f 100644 --- a/cli/cmd/testdata/install_tracing.golden +++ b/cli/cmd/testdata/install_tracing.golden @@ -3082,13 +3082,13 @@ metadata: name: linkerd-values namespace: linkerd labels: - linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli dev-undefined data: values: |- tracing: + enabled: true collector: image: omnition/opencensus-collector:0.1.10 name: linkerd-collector @@ -3099,7 +3099,6 @@ data: memory: limit: 2Gi request: 400Mi - enabled: true jaeger: image: jaegertracing/all-in-one:1.8 name: linkerd-jaeger From 8461251ccfd6fa2213c61abb01a963a77dfa3f73 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Tue, 25 Feb 2020 00:00:18 +0530 Subject: [PATCH 39/46] remove addon install unit test Signed-off-by: Tarun Pothulapati --- cli/cmd/install_addon_test.go | 31 - cli/cmd/testdata/install_tracing.golden | 3581 ----------------------- 2 files changed, 3612 deletions(-) delete mode 100644 cli/cmd/testdata/install_tracing.golden diff --git a/cli/cmd/install_addon_test.go b/cli/cmd/install_addon_test.go index 59f6764c20d68..d87e88379e797 100644 --- a/cli/cmd/install_addon_test.go +++ b/cli/cmd/install_addon_test.go @@ -1,8 +1,6 @@ package cmd import ( - "bytes" - "fmt" "reflect" "testing" 
@@ -10,35 +8,6 @@ import ( "sigs.k8s.io/yaml" ) -func TestAddOnRender(t *testing.T) { - withTracingAddon, err := testInstallOptions() - if err != nil { - t.Fatalf("Unexpected error: %v\n", err) - } - - withTracingAddonValues, _, _ := withTracingAddon.validateAndBuild("", nil) - withTracingAddonValues.Tracing["enabled"] = true - addFakeTLSSecrets(withTracingAddonValues) - - testCases := []struct { - values *charts.Values - goldenFileName string - }{ - {withTracingAddonValues, "install_tracing.golden"}, - } - - for i, tc := range testCases { - tc := tc // pin - t.Run(fmt.Sprintf("%d: %s", i, tc.goldenFileName), func(t *testing.T) { - var buf bytes.Buffer - if err := render(&buf, tc.values); err != nil { - t.Fatalf("Failed to render templates: %v", err) - } - diffTestdata(t, tc.goldenFileName, buf.String()) - }) - } -} - func TestMergeRaw(t *testing.T) { t.Run("Test Ovewriting of Values struct", func(*testing.T) { diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden deleted file mode 100644 index 70006f2944b0f..0000000000000 --- a/cli/cmd/testdata/install_tracing.golden +++ /dev/null 
@@ -1,3581 +0,0 @@ ---- -### -### Linkerd Namespace -### ---- -kind: Namespace -apiVersion: v1 -metadata: - name: linkerd - annotations: - linkerd.io/inject: disabled - labels: - linkerd.io/is-control-plane: "true" - config.linkerd.io/admission-webhooks: disabled ---- -### -### Identity Controller Service RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-identity - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-identity - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-identity -subjects: -- kind: ServiceAccount - name: linkerd-identity - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd ---- -### -### Controller RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-controller - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] -- apiGroups: [""] - resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] - verbs: ["list", "get", "watch"] 
-- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list", "get", "watch"] -- apiGroups: ["split.smi-spec.io"] - resources: ["trafficsplits"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-controller - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-controller -subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-controller - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd ---- -### -### Destination Controller Service -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-destination - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["list", "get", "watch"] -- apiGroups: [""] - resources: ["pods", "endpoints", "services"] - verbs: ["list", "get", "watch"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list", "get", "watch"] -- apiGroups: ["split.smi-spec.io"] - resources: ["trafficsplits"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-destination - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-destination -subjects: -- kind: ServiceAccount - name: linkerd-destination - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - 
name: linkerd-destination - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd ---- -### -### Heartbeat RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-heartbeat - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - linkerd.io/control-plane-component: heartbeat - linkerd.io/control-plane-ns: linkerd ---- -### -### Web RBAC -### ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get"] - resourceNames: ["linkerd-config"] -- apiGroups: [""] - resources: ["namespaces", "configmaps"] - verbs: ["get"] -- apiGroups: [""] - resources: ["serviceaccounts", "pods"] - verbs: ["list"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-web - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole 
-metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles", "clusterrolebindings"] - verbs: ["list"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["list"] -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["list"] -- apiGroups: ["linkerd.io"] - resources: ["serviceprofiles"] - verbs: ["list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: linkerd-linkerd-web-check - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: ClusterRole - name: linkerd-linkerd-web-check - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-web-admin - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap-admin -subjects: -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd ---- -### -### Service Profile CRD -### ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceprofiles.linkerd.io - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - linkerd.io/control-plane-ns: linkerd -spec: - group: linkerd.io - versions: - - name: v1alpha1 - served: true - storage: false - - 
name: v1alpha2 - served: true - storage: true - scope: Namespaced - names: - plural: serviceprofiles - singular: serviceprofile - kind: ServiceProfile - shortNames: - - sp ---- -### -### TrafficSplit CRD -### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml -### ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: trafficsplits.split.smi-spec.io - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - linkerd.io/control-plane-ns: linkerd -spec: - group: split.smi-spec.io - version: v1alpha1 - scope: Namespaced - names: - kind: TrafficSplit - shortNames: - - ts - plural: trafficsplits - singular: trafficsplit - additionalPrinterColumns: - - name: Service - type: string - description: The apex service of this split. - JSONPath: .spec.service ---- -### -### Prometheus RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["nodes", "nodes/proxy", "pods"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-prometheus - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-prometheus -subjects: -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd ---- -### -### Grafana RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - 
linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd ---- -### -### Proxy Injector RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: [""] - resources: ["namespaces", "replicationcontrollers"] - verbs: ["list", "get", "watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["list", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list", "get", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-proxy-injector - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -subjects: -- kind: ServiceAccount - name: linkerd-proxy-injector - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-proxy-injector - apiGroup: rbac.authorization.k8s.io ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-proxy-injector-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: Opaque -data: - crt.pem: cHJveHkgaW5qZWN0b3IgY3J0 - key.pem: cHJveHkgaW5qZWN0b3Iga2V5 ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: linkerd-proxy-injector-webhook-config 
- labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd -webhooks: -- name: linkerd-proxy-injector.linkerd.io - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - clientConfig: - service: - name: linkerd-proxy-injector - namespace: linkerd - path: "/" - caBundle: cHJveHkgaW5qZWN0b3IgY3J0 - failurePolicy: Ignore - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - sideEffects: None ---- -### -### Service Profile Validator RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["list"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-sp-validator - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -subjects: -- kind: ServiceAccount - name: linkerd-sp-validator - namespace: linkerd - apiGroup: "" -roleRef: - kind: ClusterRole - name: linkerd-linkerd-sp-validator - apiGroup: rbac.authorization.k8s.io ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-sp-validator-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: Opaque -data: - crt.pem: cHJveHkgaW5qZWN0b3IgY3J0 - key.pem: cHJveHkgaW5qZWN0b3Iga2V5 ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: 
linkerd-sp-validator-webhook-config - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd -webhooks: -- name: linkerd-sp-validator.linkerd.io - namespaceSelector: - matchExpressions: - - key: config.linkerd.io/admission-webhooks - operator: NotIn - values: - - disabled - clientConfig: - service: - name: linkerd-sp-validator - namespace: linkerd - path: "/" - caBundle: cHJveHkgaW5qZWN0b3IgY3J0 - failurePolicy: Ignore - rules: - - operations: [ "CREATE" , "UPDATE" ] - apiGroups: ["linkerd.io"] - apiVersions: ["v1alpha1", "v1alpha2"] - resources: ["serviceprofiles"] - sideEffects: None ---- -### -### Tap RBAC -### ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: [""] - resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] - verbs: ["list", "get", "watch"] -- apiGroups: ["extensions", "batch"] - resources: ["cronjobs", "jobs"] - verbs: ["list" , "get", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap-admin - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ["tap.linkerd.io"] - resources: ["*"] - verbs: ["watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: linkerd-linkerd-tap - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: linkerd-linkerd-tap -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - 
name: linkerd-linkerd-tap-auth-delegator - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-linkerd-tap-auth-reader - namespace: kube-system - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-tap-tls - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -type: Opaque -data: - crt.pem: dGFwIGNydA== - key.pem: dGFwIGtleQ== ---- -apiVersion: apiregistration.k8s.io/v1 -kind: APIService -metadata: - name: v1alpha1.tap.linkerd.io - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd -spec: - group: tap.linkerd.io - version: v1alpha1 - groupPriorityMinimum: 1000 - versionPriority: 100 - service: - name: linkerd-tap - namespace: linkerd - caBundle: dGFwIGNydA== ---- -### -### Control Plane PSP -### ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: linkerd-linkerd-control-plane - labels: - linkerd.io/control-plane-ns: linkerd -spec: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - allowedCapabilities: - - NET_ADMIN - - NET_RAW - requiredDropCapabilities: - - ALL - hostNetwork: false - hostIPC: false - 
hostPID: false - seLinux: - rule: RunAsAny - runAsUser: - rule: RunAsAny - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - volumes: - - configMap - - emptyDir - - secret - - projected - - downwardAPI - - persistentVolumeClaim ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: linkerd-psp - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -rules: -- apiGroups: ['policy', 'extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - linkerd-linkerd-control-plane ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: linkerd-psp - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd -roleRef: - kind: Role - name: linkerd-psp - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: linkerd-controller - namespace: linkerd -- kind: ServiceAccount - name: linkerd-destination - namespace: linkerd -- kind: ServiceAccount - name: linkerd-grafana - namespace: linkerd -- kind: ServiceAccount - name: linkerd-heartbeat - namespace: linkerd -- kind: ServiceAccount - name: linkerd-identity - namespace: linkerd -- kind: ServiceAccount - name: linkerd-prometheus - namespace: linkerd -- kind: ServiceAccount - name: linkerd-proxy-injector - namespace: linkerd -- kind: ServiceAccount - name: linkerd-sp-validator - namespace: linkerd -- kind: ServiceAccount - name: linkerd-tap - namespace: linkerd -- kind: ServiceAccount - name: linkerd-web - namespace: linkerd ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - global: | - 
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s","scheme":"linkerd.io/tls"},"autoInjectContext":null,"omitWebhookSideEffects":false,"clusterDomain":"cluster.local"} - proxy: | - {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.3.1","debugImage":{"imageName":"gcr.io/linkerd-io/debug","pullPolicy":"IfNotPresent"},"debugImageVersion":"install-debug-version"} - install: | - {"cliVersion":"dev-undefined","flags":[]} ---- -### -### Identity Controller Service -### ---- -kind: Secret -apiVersion: v1 -metadata: - name: linkerd-identity-issuer - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-issuer-expiry: 
2029-02-28T02:03:52Z -data: - crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJjakNDQVJpZ0F3SUJBZ0lCQWpBS0JnZ3Foa2pPUFFRREFqQVlNUll3RkFZRFZRUURFdzFqYkhWemRHVnkKTG14dlkyRnNNQjRYRFRFNU1ETXdNekF4TlRrMU1sb1hEVEk1TURJeU9EQXlNRE0xTWxvd0tURW5NQ1VHQTFVRQpBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJCktvWkl6ajBEQVFjRFFnQUVJU2cwQ21KTkJXTHhKVHNLdDcrYno4QXMxWWZxWkZ1VHEyRm5ZbzAxNk5LVnY3MGUKUUMzVDZ0T3Bhajl4dUtzWGZsVTZaa3VpVlJpaWh3K3RWMmlzcTZOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFRwpNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvCk1Bb0dDQ3FHU000OUJBTUNBMGdBTUVVQ0lGK2FNMEJ3MlBkTUZEcS9LdGFCUXZIZEFZYVVQVng4dmYzam4rTTQKQWFENEFpRUE5SEJkanlXeWlLZUt4bEE4Q29PdlVBd0k5NXhjNlhVTW9EeFJTWGpucFhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t - key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ== ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-identity - namespace: linkerd - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: identity - ports: - - name: grpc - port: 8080 - targetPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: identity - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - name: linkerd-identity - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: identity - 
linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-identity - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: identity - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-identity - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - identity - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9990 - initialDelaySeconds: 10 - name: identity - ports: - - containerPort: 8080 - name: grpc - - containerPort: 9990 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9990 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - mountPath: /var/run/linkerd/identity/issuer - name: identity-issuer - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: localhost.:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - 
initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-identity - volumes: - - configMap: - name: linkerd-config - name: config - - name: identity-issuer - secret: - secretName: linkerd-identity-issuer - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Controller -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-controller-api - namespace: linkerd - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: controller - ports: - - name: http - port: 8085 - targetPort: 8085 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: controller - 
app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - name: linkerd-controller - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: controller - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-controller - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - public-api - - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - - -controller-namespace=linkerd - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: public-api - ports: - - containerPort: 8085 - name: http - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: 
svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: 
gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-controller - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Destination Controller Service -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-dst - namespace: linkerd - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: destination - ports: - - name: grpc - port: 8086 - targetPort: 8086 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: 
linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: destination - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - name: linkerd-destination - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-destination - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: destination - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-destination - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - destination - - -addr=:8086 - - -controller-namespace=linkerd - - -enable-h2-upgrade=true - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9996 - initialDelaySeconds: 10 - name: destination - ports: - - containerPort: 8086 - name: grpc - - containerPort: 9996 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9996 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: localhost.:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: 
gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-destination - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Heartbeat -### ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: linkerd-heartbeat - namespace: linkerd - labels: - app.kubernetes.io/name: heartbeat - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: heartbeat - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - schedule: "1 2 3 4 5" - successfulJobsHistoryLimit: 0 - jobTemplate: - spec: - template: - metadata: - 
labels: - linkerd.io/control-plane-component: heartbeat - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - spec: - nodeSelector: - beta.kubernetes.io/os: linux - serviceAccountName: linkerd-heartbeat - restartPolicy: Never - containers: - - name: heartbeat - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - args: - - "heartbeat" - - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" - - "-controller-namespace=linkerd" - - "-log-level=info" - securityContext: - runAsUser: 2103 ---- -### -### Web -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-web - namespace: linkerd - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: web - ports: - - name: http - port: 8084 - targetPort: 8084 - - name: admin-http - port: 9994 - targetPort: 9994 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: web - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - name: linkerd-web - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: web - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-web - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - 
-api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 - - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 - - -controller-namespace=linkerd - - -log-level=info - - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ - image: gcr.io/linkerd-io/web:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9994 - initialDelaySeconds: 10 - name: web - ports: - - containerPort: 8084 - name: http - - containerPort: 9994 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9994 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - 
path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-web - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Prometheus -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-prometheus-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - prometheus.yml: |- - global: - scrape_interval: 10s - scrape_timeout: 10s - evaluation_interval: 10s - - rule_files: - - /etc/prometheus/*_rules.yml - - scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['localhost:9090'] - - - job_name: 'grafana' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - 
relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - action: keep - regex: ^grafana$ - - # Required for: https://grafana.com/grafana/dashboards/315 - - job_name: 'kubernetes-nodes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - insecure_skip_verify: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - metric_relabel_configs: - - source_labels: [__name__] - regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' - action: keep - - source_labels: [__name__] - regex: 'container_memory_failures_total' # unneeded large metric - action: drop - - - job_name: 'linkerd-controller' - kubernetes_sd_configs: - - role: pod - namespaces: - names: ['linkerd'] - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - - __meta_kubernetes_pod_container_port_name - action: keep - regex: (.*);admin-http$ - - source_labels: [__meta_kubernetes_pod_container_name] - action: replace - target_label: component - - - job_name: 'linkerd-proxy' - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_container_name - - __meta_kubernetes_pod_container_port_name - - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns - action: keep - regex: ^linkerd-proxy;linkerd-admin;linkerd$ - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod - # special case k8s' "job" label, to not interfere with prometheus' "job" - # label - # 
__meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => - # k8s_job=foo - - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] - action: replace - target_label: k8s_job - # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job - # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => - # deployment=foo - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # drop all labels that we just made copies of in the previous labelmap - - action: labeldrop - regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) - # __meta_kubernetes_pod_label_linkerd_io_foo=bar => - # foo=bar - - action: labelmap - regex: __meta_kubernetes_pod_label_linkerd_io_(.+) - # Copy all pod labels to tmp labels - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - replacement: __tmp_pod_label_$1 - # Take `linkerd_io_` prefixed labels and copy them without the prefix - - action: labelmap - regex: __tmp_pod_label_linkerd_io_(.+) - replacement: __tmp_pod_label_$1 - # Drop the `linkerd_io_` originals - - action: labeldrop - regex: __tmp_pod_label_linkerd_io_(.+) - # Copy tmp labels into real labels - - action: labelmap - regex: __tmp_pod_label_(.+) ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-prometheus - namespace: linkerd - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: prometheus - ports: - - name: admin-http - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: prometheus - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: prometheus - 
linkerd.io/control-plane-ns: linkerd - name: linkerd-prometheus - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: prometheus - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-prometheus - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - --storage.tsdb.path=/data - - --storage.tsdb.retention.time=6h - - --config.file=/etc/prometheus/prometheus.yml - - --log.level=info - image: prom/prometheus:v2.15.2 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - name: prometheus - ports: - - containerPort: 9090 - name: admin-http - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - initialDelaySeconds: 30 - timeoutSeconds: 30 - securityContext: - runAsUser: 65534 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/prometheus - name: prometheus-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY - value: "10000" - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: 
gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-prometheus - volumes: - - emptyDir: {} - name: data - - configMap: - name: linkerd-prometheus-config - name: prometheus-config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Grafana -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-grafana-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - grafana.ini: |- - instance_name = linkerd-grafana - - [server] - root_url = %(protocol)s://%(domain)s:/grafana/ - - [auth] - disable_login_form = true - - [auth.anonymous] - enabled = true - 
org_role = Editor - - [auth.basic] - enabled = false - - [analytics] - check_for_updates = false - - [panels] - disable_sanitize_html = true - - datasources.yaml: |- - apiVersion: 1 - datasources: - - name: prometheus - type: prometheus - access: proxy - orgId: 1 - url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 - isDefault: true - jsonData: - timeInterval: "5s" - version: 1 - editable: true - - dashboards.yaml: |- - apiVersion: 1 - providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: true - editable: true - options: - path: /var/lib/grafana/dashboards - homeDashboardId: linkerd-top-line ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-grafana - namespace: linkerd - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: grafana - ports: - - name: http - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: grafana - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - name: linkerd-grafana - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: grafana - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-grafana - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - 
env: - - name: GF_PATHS_DATA - value: /data - image: gcr.io/linkerd-io/grafana:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 30 - name: grafana - ports: - - containerPort: 3000 - name: http - readinessProbe: - httpGet: - path: /api/health - port: 3000 - securityContext: - runAsUser: 472 - volumeMounts: - - mountPath: /data - name: data - - mountPath: /etc/grafana - name: grafana-config - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - 
path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-grafana - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: grafana.ini - path: grafana.ini - - key: datasources.yaml - path: provisioning/datasources/datasources.yaml - - key: dashboards.yaml - path: provisioning/dashboards/dashboards.yaml - name: linkerd-grafana-config - name: grafana-config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Proxy Injector -### ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: proxy-injector - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - name: 
linkerd-proxy-injector - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: proxy-injector - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-proxy-injector - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - proxy-injector - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9995 - initialDelaySeconds: 10 - name: proxy-injector - ports: - - containerPort: 8443 - name: proxy-injector - - containerPort: 9995 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9995 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/config - name: config - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - 
path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-proxy-injector - volumes: - - configMap: - name: linkerd-config - name: config - - name: tls - secret: - secretName: linkerd-proxy-injector-tls - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-proxy-injector - namespace: linkerd - labels: - linkerd.io/control-plane-component: proxy-injector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: proxy-injector - ports: - - name: proxy-injector - port: 443 - targetPort: proxy-injector ---- -### -### Service Profile Validator -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-sp-validator - namespace: linkerd - 
labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: sp-validator - ports: - - name: sp-validator - port: 443 - targetPort: sp-validator ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: sp-validator - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - name: linkerd-sp-validator - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: sp-validator - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: sp-validator - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-sp-validator - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - sp-validator - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9997 - initialDelaySeconds: 10 - name: sp-validator - ports: - - containerPort: 8443 - name: sp-validator - - containerPort: 9997 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9997 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - 
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: 
LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-sp-validator - volumes: - - name: tls - secret: - secretName: linkerd-sp-validator-tls - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Tap -### ---- -kind: Service -apiVersion: v1 -metadata: - name: linkerd-tap - namespace: linkerd - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli 
dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: tap - ports: - - name: grpc - port: 8088 - targetPort: 8088 - - name: apiserver - port: 443 - targetPort: apiserver ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: tap - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - name: linkerd-tap - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - labels: - linkerd.io/control-plane-component: tap - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-tap - spec: - nodeSelector: - beta.kubernetes.io/os: linux - containers: - - args: - - tap - - -controller-namespace=linkerd - - -log-level=info - image: gcr.io/linkerd-io/controller:install-control-plane-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /ping - port: 9998 - initialDelaySeconds: 10 - name: tap - ports: - - containerPort: 8088 - name: grpc - - containerPort: 8089 - name: apiserver - - containerPort: 9998 - name: admin-http - readinessProbe: - failureThreshold: 7 - httpGet: - path: /ready - port: 9998 - securityContext: - runAsUser: 2103 - volumeMounts: - - mountPath: /var/run/linkerd/tls - name: tls - readOnly: true - - mountPath: /var/run/linkerd/config - name: config - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 
0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - 
name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-tap - volumes: - - configMap: - name: linkerd-config - name: config - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity - - name: tls - secret: - secretName: linkerd-tap-tls ---- -### -### linkerd values -### ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: linkerd-values - namespace: linkerd - labels: - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: 
linkerd/cli dev-undefined -data: - values: |- - tracing: - enabled: true - collector: - image: omnition/opencensus-collector:0.1.10 - name: linkerd-collector - resources: - cpu: - limit: 1 - request: 200m - memory: - limit: 2Gi - request: 400Mi - jaeger: - image: jaegertracing/all-in-one:1.8 - name: linkerd-jaeger - resources: null ---- -### -### linkerd-collector RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-collector - namespace: linkerd - labels: - linkerd.io/control-plane-component: linkerd-collector - linkerd.io/control-plane-ns: linkerd ---- -### -### linkerd-jaeger RBAC -### ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: linkerd-jaeger - namespace: linkerd - labels: - linkerd.io/control-plane-component: linkerd-jaeger - linkerd.io/control-plane-ns: linkerd ---- -### -### Tracing Collector Service -### ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: linkerd-collector-config - namespace: linkerd - labels: - linkerd.io/control-plane-component: linkerd-collector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -data: - linkerd-collector-config: | - receivers: - opencensus: - port: 55678 - zipkin: - port: 9411 - queued-exporters: - jaeger-all-in-one: - num-workers: 4 - queue-size: 100 - retry-on-failure: true - sender-type: jaeger-thrift-http - jaeger-thrift-http: - collector-endpoint: http://linkerd-jaeger.linkerd:14268/api/traces - timeout: 5s ---- -apiVersion: v1 -kind: Service -metadata: - name: linkerd-collector - namespace: linkerd - labels: - linkerd.io/control-plane-component: linkerd-collector - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined -spec: - type: ClusterIP - ports: - - name: opencensus - port: 55678 - protocol: TCP - targetPort: 55678 - - name: zipkin - port: 9411 - protocol: TCP - targetPort: 9411 - selector: - linkerd.io/control-plane-component: linkerd-collector ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: linkerd-collector - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: linkerd-collector - linkerd.io/control-plane-ns: linkerd - name: linkerd-collector - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: linkerd-collector - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-collector - minReadySeconds: 5 - progressDeadlineSeconds: 120 - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - prometheus.io/path: /metrics - prometheus.io/port: "8888" - prometheus.io/scrape: "true" - labels: - linkerd.io/control-plane-component: linkerd-collector - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-collector - spec: - containers: - - command: - - /occollector_linux - - --config=/conf/linkerd-collector-config.yaml - env: - - name: GOGC - value: "80" - image: omnition/opencensus-collector:0.1.10 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: / - port: 13133 - name: oc-collector - ports: - - containerPort: 55678 - - containerPort: 9411 - readinessProbe: - httpGet: - path: / - port: 13133 - resources: - limits: - cpu: "1" - memory: "2Gi" - requests: - cpu: "200m" - memory: "400Mi" - volumeMounts: - - mountPath: /conf - name: linkerd-collector-config-val - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 
127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) 
- - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - serviceAccountName: linkerd-collector - volumes: - - configMap: - items: - - key: linkerd-collector-config - path: linkerd-collector-config.yaml - name: linkerd-collector-config - name: linkerd-collector-config-val - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity ---- -### -### Tracing Jaeger Service -### ---- -apiVersion: v1 -kind: Service -metadata: - name: linkerd-jaeger - namespace: linkerd - labels: - linkerd.io/control-plane-component: linkerd-jaeger - linkerd.io/control-plane-ns: linkerd - annotations: - linkerd.io/created-by: linkerd/cli 
dev-undefined -spec: - type: ClusterIP - selector: - linkerd.io/control-plane-component: linkerd-jaeger - ports: - - name: collection - port: 14268 - - name: ui - port: 16686 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - labels: - app.kubernetes.io/name: linkerd-jaeger - app.kubernetes.io/part-of: Linkerd - app.kubernetes.io/version: install-control-plane-version - linkerd.io/control-plane-component: linkerd-jaeger - linkerd.io/control-plane-ns: linkerd - name: linkerd-jaeger - namespace: linkerd -spec: - replicas: 1 - selector: - matchLabels: - linkerd.io/control-plane-component: linkerd-jaeger - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-jaeger - template: - metadata: - annotations: - linkerd.io/created-by: linkerd/cli dev-undefined - linkerd.io/identity-mode: default - linkerd.io/proxy-version: install-proxy-version - prometheus.io/path: /metrics - prometheus.io/port: "8888" - prometheus.io/scrape: "true" - labels: - linkerd.io/control-plane-component: linkerd-jaeger - linkerd.io/control-plane-ns: linkerd - linkerd.io/proxy-deployment: linkerd-jaeger - spec: - containers: - - image: jaegertracing/all-in-one:1.8 - imagePullPolicy: IfNotPresent - name: jaeger - ports: - - containerPort: 14268 - name: collection - - containerPort: 16686 - name: ui - - env: - - name: LINKERD2_PROXY_LOG - value: warn,linkerd=info - - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: linkerd-dst.linkerd.svc.cluster.local:8086 - - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:4190 - - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:4191 - - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:4140 - - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:4143 - - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES - value: svc.cluster.local. - - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES - value: svc.cluster.local. 
- - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE - value: 10000ms - - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE - value: 10000ms - - name: _pod_ns - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LINKERD2_PROXY_DESTINATION_CONTEXT - value: ns:$(_pod_ns) - - name: LINKERD2_PROXY_IDENTITY_DIR - value: /var/run/linkerd/identity/end-entity - - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - value: | - -----BEGIN CERTIFICATE----- - MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy - LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE - AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 - xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 - 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF - BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE - AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv - OLO4Zsk1XrGZHGsmyiEyvYF9lpY= - -----END CERTIFICATE----- - - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE - value: /var/run/secrets/kubernetes.io/serviceaccount/token - - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - value: linkerd-identity.linkerd.svc.cluster.local:8080 - - name: _pod_sa - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: _l5d_ns - value: linkerd - - name: _l5d_trustdomain - value: cluster.local - - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME - value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_IDENTITY_SVC_NAME - value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_DESTINATION_SVC_NAME - value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - - name: LINKERD2_PROXY_TAP_SVC_NAME - value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - image: gcr.io/linkerd-io/proxy:install-proxy-version - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - 
path: /metrics - port: 4191 - initialDelaySeconds: 10 - name: linkerd-proxy - ports: - - containerPort: 4143 - name: linkerd-proxy - - containerPort: 4191 - name: linkerd-admin - readinessProbe: - httpGet: - path: /ready - port: 4191 - initialDelaySeconds: 2 - resources: - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 2102 - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/run/linkerd/identity/end-entity - name: linkerd-identity-end-entity - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191 - - --outbound-ports-to-ignore - - "443" - image: gcr.io/linkerd-io/proxy-init:v1.3.1 - imagePullPolicy: IfNotPresent - name: linkerd-init - resources: - limits: - cpu: "100m" - memory: "50Mi" - requests: - cpu: "10m" - memory: "10Mi" - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: false - runAsUser: 0 - terminationMessagePolicy: FallbackToLogsOnError - dnsPolicy: ClusterFirst - serviceAccountName: linkerd-jaeger - volumes: - - emptyDir: - medium: Memory - name: linkerd-identity-end-entity From 250e0e29c7d43784e410421df642348e7768d1ff Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Tue, 25 Feb 2020 15:02:14 +0530 Subject: [PATCH 40/46] Refactor sub-chart load logic Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 90 +++++++++++++++---------------- pkg/charts/charts.go | 110 +------------------------------------- pkg/charts/charts_test.go | 92 ------------------------------- 3 files changed, 44 insertions(+), 248 deletions(-) delete mode 100644 pkg/charts/charts_test.go diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 168fbafb5c6bc..2aaecceca54ba 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go 
@@ -7,7 +7,6 @@ import ( "io/ioutil" "os" "path/filepath" - "reflect" "strings" "time" @@ -96,6 +95,8 @@ const ( helmDefaultChartName = "linkerd2" helmDefaultChartDir = "linkerd2" + tracingChartName = "tracing" + errMsgCannotInitializeClient = `Unable to install the Linkerd control plane. Cannot connect to the Kubernetes cluster: %s @@ -151,6 +152,12 @@ var ( "templates/tap.yaml", "templates/linkerd-values.yaml", } + + tracingTemplates = []*chartutil.BufferedFile{ + {Name: chartutil.ChartfileName}, + {Name: "templates/tracing-rbac.yaml"}, + {Name: "templates/tracing.yaml"}, + } ) // newInstallOptionsWithDefaults initializes install options with default @@ -560,7 +567,7 @@ func (options *installOptions) installPersistentFlagSet() *pflag.FlagSet { return flags } -// UpdateValuesFromConfig takes a values struct and updates its add-on values from the config installOption +// UpdateAddOnValuesFromConfig takes a values struct and updates its add-on values from the config installOption func (options *installOptions) UpdateAddOnValuesFromConfig(values *l5dcharts.Values) error { if options.addOnConfig != "" { @@ -589,8 +596,7 @@ func (options *installOptions) UpdateAddOnValuesFromConfig(values *l5dcharts.Val } func mergeRaw(a, b []byte) ([]byte, error) { - aMap := make(map[string]interface{}) - bMap := make(map[string]interface{}) + var aMap, bMap chartutil.Values err := yaml.Unmarshal(a, &aMap) if err != nil { @@ -602,7 +608,7 @@ func mergeRaw(a, b []byte) ([]byte, error) { return nil, err } - chartutil.Values.MergeInto(aMap, bMap) + aMap.MergeInto(bMap) return yaml.Marshal(aMap) } 
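Review bot: In mergeRaw, `var aMap, bMap chartutil.Values` leaves aMap nil whenever `a` is empty or decodes to nothing, and the following hunk then calls `aMap.MergeInto(bMap)` on it. MergeInto presumably assigns keys into its receiver, in which case this is a write to a nil map and a panic rather than an error return. A guard before the merge covers it: `if aMap == nil { aMap = chartutil.Values{} }`. Part of mergeRaw's body lies between the two hunks and is not shown, so confirm no such guard already exists there.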
@@ -825,45 +831,33 @@ func render(w io.Writer, values *l5dcharts.Values) error { return err } - dependencies, err := charts.LoadDependencies(helmDefaultChartName) - if err != nil { - return err - } - - // Render for each add-on separately and attach - for _, dep := range dependencies { - chartName := dep.Metadata.Name - if chartName == "partials" { - continue + if values.Stage != configStage { + addons, err := parseAddOnValues(values) + if err != nil { + return err } - addOnValues, enabled := checkAddon(values, chartName) - if enabled { - files := []*chartutil.BufferedFile{ - {Name: chartutil.ChartfileName}, - } - - for _, template := range dep.Templates { - files = append(files, &chartutil.BufferedFile{ - Name: template.Name, - Data: template.Data, - }) - } + for addon, values := range addons { + var chart *charts.Chart + switch addon { + case "tracing": + chart = &charts.Chart{ + Name: tracingChartName, + Dir: filepath.Join(addOnChartsPath, tracingChartName), + Namespace: controlPlaneNamespace, + RawValues: append(rawValues, values...), + Files: tracingTemplates, + } - subChart := &charts.Chart{ - Name: chartName, - Dir: filepath.Join(addOnChartsPath, chartName), - Namespace: controlPlaneNamespace, - RawValues: append(rawValues, addOnValues...), - Files: files, - } + b, err := chart.Render() + if err != nil { + return err + } - addOnBuf, err := subChart.Render() - if err != nil { - return err + if _, err := buf.WriteString(b.String()); err != nil { + return err + } } - - buf.Write(addOnBuf.Bytes()) } } 
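Review bot: The new loop in render matches on the literal `case "tracing":` while parseAddOnValues stores the entry under `tracingChartName`; writing `case tracingChartName:` keeps the producer and the consumer of that key from drifting apart. The loop variable in `for addon, values := range addons` also shadows render's own `values *l5dcharts.Values` parameter for the rest of the body, so a distinct name such as `addonValues` would be safer. Because `addons` is a map, the order of rendered add-ons will vary between runs once a second add-on exists, which would make the golden-file comparison flaky; iterating over sorted keys avoids that. render's body starts before this hunk and appears to continue after it.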
@@ -1216,18 +1210,20 @@ func toIdentityContext(idvals *identityWithAnchorsAndTrustDomain) *pb.IdentityCo Scheme: idvals.Identity.Issuer.Scheme, } } -func checkAddon(values *l5dcharts.Values, name string) (addonvalues []byte, enabled bool) { - r := reflect.ValueOf(values) +func parseAddOnValues(values *l5dcharts.Values) (map[string][]byte, error) { + addonValues := map[string][]byte{} - if !reflect.Indirect(r).FieldByName(strings.Title(name)).IsNil() { - if reflect.Indirect(r).FieldByName(strings.Title(name)).MapIndex(reflect.ValueOf("enabled")).Interface().(bool) { - values, err := yaml.Marshal(reflect.Indirect(r).FieldByName(strings.Title(name)).Interface()) + if values.Tracing != nil { + if values.Tracing["enabled"].(bool) { + data, err := yaml.Marshal(values.Tracing) if err != nil { - return nil, false + return nil, err } - return values, true + + addonValues[tracingChartName] = data } } - return nil, false + + return addonValues, nil } diff --git a/pkg/charts/charts.go b/pkg/charts/charts.go index 53d4f901db8d3..828d1a913cf20 100644 --- a/pkg/charts/charts.go +++ b/pkg/charts/charts.go @@ -2,26 +2,18 @@ package charts import ( "bytes" - "io/ioutil" - "net/http" "path" - fpath "path/filepath" "strings" "github.com/linkerd/linkerd2/pkg/charts/static" "github.com/linkerd/linkerd2/pkg/version" "k8s.io/helm/pkg/chartutil" - "k8s.io/helm/pkg/proto/hapi/chart" helmChart "k8s.io/helm/pkg/proto/hapi/chart" "k8s.io/helm/pkg/renderutil" "k8s.io/helm/pkg/timeconv" ) -const ( - versionPlaceholder = "{version}" - linkerdChartName = "linkerd2" - linkerdChartRootDir = "linkerd2" -) +const versionPlaceholder = "{version}" // Chart holds the necessary info to render a Helm chart type Chart struct { 
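Review bot: In parseAddOnValues (cli/cmd/install.go), `values.Tracing["enabled"].(bool)` is an unchecked type assertion on a map that UpdateAddOnValuesFromConfig appears to fill from the user-supplied add-on config file. A missing `enabled` key or a non-boolean value such as `enabled: "true"` therefore panics the CLI instead of producing an error. The comma-ok form avoids that: `if enabled, ok := values.Tracing["enabled"].(bool); ok && enabled {`. If a non-boolean value should be rejected rather than treated as disabled, the new `(map[string][]byte, error)` signature already allows returning an error from that branch. The function would also benefit from a doc comment such as `// parseAddOnValues returns the YAML-encoded values of each enabled add-on, keyed by chart name.`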
@@ -32,106 +24,6 @@ type Chart struct { Files []*chartutil.BufferedFile } -// LoadChart returns a new Chart object that contains all the files of the -// specified chart. The chart's files are loaded from the virtual filesystem -// using the Helm's chartutil.LoadFiles() helper function. -func LoadChart(chartName string) (*helmChart.Chart, error) { - var vfiles []*chartutil.BufferedFile - - // retrieve all the files of a chart located at linkerdChartRootRid - walkVFS := func() error { - files, err := readVirtualFiles(linkerdChartRootDir, chartName) - if err != nil { - return err - } - - for path, file := range files { - data, err := ioutil.ReadAll(file) - if err != nil { - return err - } - - filename := path - if strings.HasPrefix(path, chartName) { - filename = path[len(chartName)+1:] - } - - vfiles = append(vfiles, &chartutil.BufferedFile{ - Name: filename, - Data: data, - }) - } - - return nil - } - - if err := walkVFS(); err != nil { - return nil, err - } - - return chartutil.LoadFiles(vfiles) -} - -// LoadDependencies loads all the dependent subcharts of the specified chart. -// It relies on LoadChart to load the files and metadata of the chart from the -// VFS. -func LoadDependencies(chartName string) ([]*chart.Chart, error) { - chart, err := LoadChart(chartName) - if err != nil { - return nil, err - } - - return chart.Dependencies, nil -} - -// readVirtualFiles read the content of a file from the VFS. If the file is -// directory, it also loads the children files content, recursively. -// -// The result map is keyed off the full path of the files, which is needed -// by the renderer. The http.File struct contains only the file basename. 
-func readVirtualFiles(filename, root string) (map[string]http.File, error) { - filepath := filename - if !strings.HasPrefix(filepath, root) { - filepath = fpath.Join(root, filename) - } - - file, err := static.Templates.Open(filepath) - if err != nil { - return nil, err - } - - fileInfo, err := file.Stat() - if err != nil { - return nil, err - } - - if !fileInfo.IsDir() { - return map[string]http.File{filepath: file}, nil - } - - // file is a directory. read its children files. - files := map[string]http.File{} - filesInfo, err := file.Readdir(0) - if err != nil { - return nil, err - } - - parent := fileInfo.Name() - for _, fileInfo := range filesInfo { - filename := fpath.Join(parent, fileInfo.Name()) - children, err := readVirtualFiles(filename, root) - if err != nil { - return nil, err - } - - for path, file := range children { - files[path] = file - } - } - - return files, nil -} - func (chart *Chart) render(partialsFiles []*chartutil.BufferedFile) (bytes.Buffer, error) { if err := FilesReader(chart.Dir+"/", chart.Files); err != nil { return bytes.Buffer{}, err diff --git a/pkg/charts/charts_test.go b/pkg/charts/charts_test.go deleted file mode 100644 index 0a79cb5b53953..0000000000000 --- a/pkg/charts/charts_test.go +++ /dev/null 
@@ -1,92 +0,0 @@ -package charts - -import ( - "reflect" - "testing" - - "k8s.io/helm/pkg/chartutil" - "k8s.io/helm/pkg/proto/hapi/chart" -) - -const testChartRootDir = "../../charts/linkerd2" - -func TestLoadChart(t *testing.T) { - actual, err := LoadChart(linkerdChartName) - if err != nil { - t.Fatal("unexpected error: ", err) - } - - expected, err := chartutil.Load(testChartRootDir) - if err != nil { - t.Fatal("unexpected error: ", err) - } - - // compare the charts' metadata - if !reflect.DeepEqual(expected.Metadata, actual.Metadata) { - t.Errorf("chart metadata mismatch.\nexpected: %+v\n actual: %+v\n", expected.Metadata, actual.Metadata) - } - - // check for missing templates - missing := []*chart.Template{} - for _, expected := range expected.Templates { - expected := expected - - var found bool - for _, actual := range actual.Templates { - if reflect.DeepEqual(expected, actual) { - found = true - break - } - } - - if !found { - missing = append(missing, expected) - } - } - - if len(missing) > 0 { - err := "missing chart templates:" - for _, m := range missing { - err += m.Name + ", " - } - t.Errorf(err) - } -} - -func TestLoadDependencies(t *testing.T) { - actual, err := LoadDependencies(linkerdChartName) - if err != nil { - t.Fatal("unexpected error: ", err) - } - - expected, err := chartutil.Load(testChartRootDir) - if err != nil { - t.Fatal("unexpected error: ", err) - } - - // check for missing dependencies - missing := []string{} - for _, expected := range expected.Dependencies { - expected := expected - - var found bool - for _, actual := range actual { - if reflect.DeepEqual(expected.Metadata, actual.Metadata) { - found = true - break - } - } - - if !found { - missing = append(missing, expected.Metadata.Name) - } - } - - if len(missing) > 0 { - err := "missing dependencies: " - for _, m := range missing { - err += m + ", " - } - t.Errorf(err) - } -} From bc3208233baad549a63081caa7b74656ec5a834e Mon Sep 17 00:00:00 2001 
From: Tarun Pothulapati Date: Tue, 25 Feb 2020 15:18:44 +0530 Subject: [PATCH 41/46] Add install tracing unit test Signed-off-by: Tarun Pothulapati --- cli/cmd/install_addon_test.go | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/cli/cmd/install_addon_test.go b/cli/cmd/install_addon_test.go index d87e88379e797..59f6764c20d68 100644 --- a/cli/cmd/install_addon_test.go +++ b/cli/cmd/install_addon_test.go @@ -1,6 +1,8 @@ package cmd import ( + "bytes" + "fmt" "reflect" "testing" @@ -8,6 +10,35 @@ import ( "sigs.k8s.io/yaml" ) +func TestAddOnRender(t *testing.T) { + withTracingAddon, err := testInstallOptions() + if err != nil { + t.Fatalf("Unexpected error: %v\n", err) + } + + withTracingAddonValues, _, _ := withTracingAddon.validateAndBuild("", nil) + withTracingAddonValues.Tracing["enabled"] = true + addFakeTLSSecrets(withTracingAddonValues) + + testCases := []struct { + values *charts.Values + goldenFileName string + }{ + {withTracingAddonValues, "install_tracing.golden"}, + } + + for i, tc := range testCases { + tc := tc // pin + t.Run(fmt.Sprintf("%d: %s", i, tc.goldenFileName), func(t *testing.T) { + var buf bytes.Buffer + if err := render(&buf, tc.values); err != nil { + t.Fatalf("Failed to render templates: %v", err) + } + diffTestdata(t, tc.goldenFileName, buf.String()) + }) + } +} + func TestMergeRaw(t *testing.T) { t.Run("Test Ovewriting of Values struct", func(*testing.T) { From 12f7b1a751de96a451140f7521196581d15bf302 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Tue, 25 Feb 2020 15:25:25 +0530 Subject: [PATCH 42/46] golden file update for tracing install Signed-off-by: Tarun Pothulapati --- cli/cmd/testdata/install_tracing.golden | 3581 +++++++++++++++++++++++ 1 file changed, 3581 insertions(+) create mode 100644 cli/cmd/testdata/install_tracing.golden diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden new file mode 100644 index 0000000000000..70006f2944b0f 
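Review bot: TestAddOnRender discards the error from `withTracingAddon.validateAndBuild("", nil)`, so if that call fails the next line presumably dereferences a nil values pointer and the test panics without reporting the cause. Capture and check it: `withTracingAddonValues, _, err := withTracingAddon.validateAndBuild("", nil)` followed by `if err != nil { t.Fatalf("Unexpected error: %v", err) }`. The write `withTracingAddonValues.Tracing["enabled"] = true` likewise assumes the defaults already allocate the Tracing map, which this hunk does not show; a nil check before the assignment would make the test independent of that.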
--- /dev/null
+++ b/cli/cmd/testdata/install_tracing.golden
@@ -0,0 +1,3581 @@ +--- +### +### Linkerd Namespace +### +--- +kind: Namespace +apiVersion: v1 +metadata: + name: linkerd + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" + config.linkerd.io/admission-webhooks: disabled +--- +### +### Identity Controller Service RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd +--- +### +### Controller RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] + verbs: ["list", "get", "watch"] 
+- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-controller + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-controller +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-controller + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd +--- +### +### Destination Controller Service +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["split.smi-spec.io"] + resources: ["trafficsplits"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-destination +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + 
name: linkerd-destination + namespace: linkerd + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd +--- +### +### Heartbeat RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd +--- +### +### Web RBAC +### +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +- apiGroups: [""] + resources: ["namespaces", "configmaps"] + verbs: ["get"] +- apiGroups: [""] + resources: ["serviceaccounts", "pods"] + verbs: ["list"] +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-web + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + name: linkerd-linkerd-web-check + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles", "clusterrolebindings"] + verbs: ["list"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["list"] +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-linkerd-web-check + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: ClusterRole + name: linkerd-linkerd-web-check + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-web-admin + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap-admin +subjects: +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd +--- +### +### Service Profile CRD +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + - 
name: v1alpha2 + served: true + storage: true + scope: Namespaced + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp +--- +### +### TrafficSplit CRD +### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml +### +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trafficsplits.split.smi-spec.io + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + linkerd.io/control-plane-ns: linkerd +spec: + group: split.smi-spec.io + version: v1alpha1 + scope: Namespaced + names: + kind: TrafficSplit + shortNames: + - ts + plural: trafficsplits + singular: trafficsplit + additionalPrinterColumns: + - name: Service + type: string + description: The apex service of this split. + JSONPath: .spec.service +--- +### +### Prometheus RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["nodes", "nodes/proxy", "pods"] + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-prometheus + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-prometheus +subjects: +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd +--- +### +### Grafana RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + 
linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd +--- +### +### Proxy Injector RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["namespaces", "replicationcontrollers"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +type: Opaque +data: + crt.pem: cHJveHkgaW5qZWN0b3IgY3J0 + key.pem: cHJveHkgaW5qZWN0b3Iga2V5 +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config 
+ labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + clientConfig: + service: + name: linkerd-proxy-injector + namespace: linkerd + path: "/" + caBundle: cHJveHkgaW5qZWN0b3IgY3J0 + failurePolicy: Ignore + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + sideEffects: None +--- +### +### Service Profile Validator RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-sp-validator + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +subjects: +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-linkerd-sp-validator + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +type: Opaque +data: + crt.pem: cHJveHkgaW5qZWN0b3IgY3J0 + key.pem: cHJveHkgaW5qZWN0b3Iga2V5 +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: 
linkerd-sp-validator-webhook-config + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd +webhooks: +- name: linkerd-sp-validator.linkerd.io + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + clientConfig: + service: + name: linkerd-sp-validator + namespace: linkerd + path: "/" + caBundle: cHJveHkgaW5qZWN0b3IgY3J0 + failurePolicy: Ignore + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +### +### Tap RBAC +### +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: [""] + resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list" , "get", "watch"] +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap-admin + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ["tap.linkerd.io"] + resources: ["*"] + verbs: ["watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-linkerd-tap + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-linkerd-tap +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + 
name: linkerd-linkerd-tap-auth-delegator + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-linkerd-tap-auth-reader + namespace: kube-system + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-tap-tls + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +type: Opaque +data: + crt.pem: dGFwIGNydA== + key.pem: dGFwIGtleQ== +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.tap.linkerd.io + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd +spec: + group: tap.linkerd.io + version: v1alpha1 + groupPriorityMinimum: 1000 + versionPriority: 100 + service: + name: linkerd-tap + namespace: linkerd + caBundle: dGFwIGNydA== +--- +### +### Control Plane PSP +### +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-linkerd-control-plane + labels: + linkerd.io/control-plane-ns: linkerd +spec: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + allowedCapabilities: + - NET_ADMIN + - NET_RAW + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + 
hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-linkerd-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-controller + namespace: linkerd +- kind: ServiceAccount + name: linkerd-destination + namespace: linkerd +- kind: ServiceAccount + name: linkerd-grafana + namespace: linkerd +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: linkerd +- kind: ServiceAccount + name: linkerd-identity + namespace: linkerd +- kind: ServiceAccount + name: linkerd-prometheus + namespace: linkerd +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: linkerd +- kind: ServiceAccount + name: linkerd-sp-validator + namespace: linkerd +- kind: ServiceAccount + name: linkerd-tap + namespace: linkerd +- kind: ServiceAccount + name: linkerd-web + namespace: linkerd +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + global: | + 
{"linkerdNamespace":"linkerd","cniEnabled":false,"version":"install-control-plane-version","identityContext":{"trustDomain":"cluster.local","trustAnchorsPem":"-----BEGIN CERTIFICATE-----\nMIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy\nLmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE\nAxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0\nxtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364\n6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF\nBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE\nAiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv\nOLO4Zsk1XrGZHGsmyiEyvYF9lpY=\n-----END CERTIFICATE-----\n","issuanceLifetime":"86400s","clockSkewAllowance":"20s","scheme":"linkerd.io/tls"},"autoInjectContext":null,"omitWebhookSideEffects":false,"clusterDomain":"cluster.local"} + proxy: | + {"proxyImage":{"imageName":"gcr.io/linkerd-io/proxy","pullPolicy":"IfNotPresent"},"proxyInitImage":{"imageName":"gcr.io/linkerd-io/proxy-init","pullPolicy":"IfNotPresent"},"controlPort":{"port":4190},"ignoreInboundPorts":[],"ignoreOutboundPorts":[],"inboundPort":{"port":4143},"adminPort":{"port":4191},"outboundPort":{"port":4140},"resource":{"requestCpu":"","requestMemory":"","limitCpu":"","limitMemory":""},"proxyUid":"2102","logLevel":{"level":"warn,linkerd=info"},"disableExternalProfiles":true,"proxyVersion":"install-proxy-version","proxyInitImageVersion":"v1.3.1","debugImage":{"imageName":"gcr.io/linkerd-io/debug","pullPolicy":"IfNotPresent"},"debugImageVersion":"install-debug-version"} + install: | + {"cliVersion":"dev-undefined","flags":[]} +--- +### +### Identity Controller Service +### +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-issuer-expiry: 
2029-02-28T02:03:52Z +data: + crt.pem: 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 + key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU1JSnltZWtZeitra0NMUGtGbHJVeUF1L2NISllSVHl3Zm1BVVJLS1JYZHpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSVNnMENtSk5CV0x4SlRzS3Q3K2J6OEFzMVlmcVpGdVRxMkZuWW8wMTZOS1Z2NzBlUUMzVAo2dE9wYWo5eHVLc1hmbFU2Wmt1aVZSaWlodyt0VjJpc3F3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ== +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: linkerd + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: identity + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + name: linkerd-identity + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-identity + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - identity + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + 
name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: 
/var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: localhost.:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + 
readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-identity + volumes: + - configMap: + name: linkerd-config + name: config + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Controller +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-controller-api + namespace: linkerd + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: controller + ports: + - name: http + port: 8085 + targetPort: 8085 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: controller + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + name: linkerd-controller + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-controller + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - public-api + - -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 + - -controller-namespace=linkerd + - -log-level=info + 
image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: public-api + ports: + - containerPort: 8085 + name: http + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-controller + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Destination Controller Service +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst + namespace: linkerd + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: destination + app.kubernetes.io/part-of: 
Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + name: linkerd-destination + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-destination + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-destination + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - destination + - -addr=:8086 + - -controller-namespace=linkerd + - -enable-h2-upgrade=true + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: localhost.:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-destination + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Heartbeat +### +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: linkerd + labels: + app.kubernetes.io/name: heartbeat + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + schedule: "1 2 3 4 5" + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + labels: + linkerd.io/control-plane-component: heartbeat + annotations: + linkerd.io/created-by: linkerd/cli 
dev-undefined + spec: + nodeSelector: + beta.kubernetes.io/os: linux + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + args: + - "heartbeat" + - "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090" + - "-controller-namespace=linkerd" + - "-log-level=info" + securityContext: + runAsUser: 2103 +--- +### +### Web +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-web + namespace: linkerd + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: web + ports: + - name: http + port: 8084 + targetPort: 8084 + - name: admin-http + port: 9994 + targetPort: 9994 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: web + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + name: linkerd-web + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: web + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-web + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085 + - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000 + - 
-controller-namespace=linkerd + - -log-level=info + - -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$ + image: gcr.io/linkerd-io/web:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9994 + initialDelaySeconds: 10 + name: web + ports: + - containerPort: 8084 + name: http + - containerPort: 9994 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9994 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-web + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Prometheus +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-prometheus-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + prometheus.yml: |- + global: + scrape_interval: 10s + scrape_timeout: 10s + evaluation_interval: 10s + + rule_files: + - /etc/prometheus/*_rules.yml + + scrape_configs: + - job_name: 'prometheus' + static_configs: + - targets: ['localhost:9090'] + + - job_name: 'grafana' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + 
relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + action: keep + regex: ^grafana$ + + # Required for: https://grafana.com/grafana/dashboards/315 + - job_name: 'kubernetes-nodes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + metric_relabel_configs: + - source_labels: [__name__] + regex: '(container|machine)_(cpu|memory|network|fs)_(.+)' + action: keep + - source_labels: [__name__] + regex: 'container_memory_failures_total' # unneeded large metric + action: drop + + - job_name: 'linkerd-controller' + kubernetes_sd_configs: + - role: pod + namespaces: + names: ['linkerd'] + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: (.*);admin-http$ + - source_labels: [__meta_kubernetes_pod_container_name] + action: replace + target_label: component + + - job_name: 'linkerd-proxy' + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;linkerd$ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + # special case k8s' "job" label, to not interfere with prometheus' "job" + # label + # 
__meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => + # k8s_job=foo + - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] + action: replace + target_label: k8s_job + # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => + # deployment=foo + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # drop all labels that we just made copies of in the previous labelmap + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + # __meta_kubernetes_pod_label_linkerd_io_foo=bar => + # foo=bar + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + # Copy all pod labels to tmp labels + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + # Take `linkerd_io_` prefixed labels and copy them without the prefix + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + # Drop the `linkerd_io_` originals + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + # Copy tmp labels into real labels + - action: labelmap + regex: __tmp_pod_label_(.+) +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-prometheus + namespace: linkerd + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: prometheus + ports: + - name: admin-http + port: 9090 + targetPort: 9090 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: prometheus + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: prometheus + 
linkerd.io/control-plane-ns: linkerd + name: linkerd-prometheus + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: prometheus + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-prometheus + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - --storage.tsdb.path=/data + - --storage.tsdb.retention.time=6h + - --config.file=/etc/prometheus/prometheus.yml + - --log.level=info + image: prom/prometheus:v2.15.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + name: prometheus + ports: + - containerPort: 9090 + name: admin-http + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + runAsUser: 65534 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/prometheus + name: prometheus-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY + value: "10000" + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: 
gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-prometheus + volumes: + - emptyDir: {} + name: data + - configMap: + name: linkerd-prometheus-config + name: prometheus-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Grafana +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-grafana-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + grafana.ini: |- + instance_name = linkerd-grafana + + [server] + root_url = %(protocol)s://%(domain)s:/grafana/ + + [auth] + disable_login_form = true + + [auth.anonymous] + enabled = true + 
org_role = Editor + + [auth.basic] + enabled = false + + [analytics] + check_for_updates = false + + [panels] + disable_sanitize_html = true + + datasources.yaml: |- + apiVersion: 1 + datasources: + - name: prometheus + type: prometheus + access: proxy + orgId: 1 + url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090 + isDefault: true + jsonData: + timeInterval: "5s" + version: 1 + editable: true + + dashboards.yaml: |- + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards + homeDashboardId: linkerd-top-line +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-grafana + namespace: linkerd + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: grafana + ports: + - name: http + port: 3000 + targetPort: 3000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + name: linkerd-grafana + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: grafana + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-grafana + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - 
env: + - name: GF_PATHS_DATA + value: /data + image: gcr.io/linkerd-io/grafana:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 30 + name: grafana + ports: + - containerPort: 3000 + name: http + readinessProbe: + httpGet: + path: /api/health + port: 3000 + securityContext: + runAsUser: 472 + volumeMounts: + - mountPath: /data + name: data + - mountPath: /etc/grafana + name: grafana-config + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-grafana + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: grafana.ini + path: grafana.ini + - key: datasources.yaml + path: provisioning/datasources/datasources.yaml + - key: dashboards.yaml + path: provisioning/dashboards/dashboards.yaml + name: linkerd-grafana-config + name: grafana-config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Proxy Injector +### +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: proxy-injector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + name: 
linkerd-proxy-injector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-proxy-injector + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - proxy-injector + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - name: tls + secret: + secretName: linkerd-proxy-injector-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: linkerd + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +--- +### +### Service Profile Validator +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: linkerd + 
labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: sp-validator + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: sp-validator + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + name: linkerd-sp-validator + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: sp-validator + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: sp-validator + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-sp-validator + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - sp-validator + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + 
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: 
LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-sp-validator + volumes: + - name: tls + secret: + secretName: linkerd-sp-validator-tls + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Tap +### +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-tap + namespace: linkerd + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli 
dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: tap + ports: + - name: grpc + port: 8088 + targetPort: 8088 + - name: apiserver + port: 443 + targetPort: apiserver +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: tap + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + name: linkerd-tap + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + labels: + linkerd.io/control-plane-component: tap + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-tap + spec: + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - args: + - tap + - -controller-namespace=linkerd + - -log-level=info + image: gcr.io/linkerd-io/controller:install-control-plane-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /ping + port: 9998 + initialDelaySeconds: 10 + name: tap + ports: + - containerPort: 8088 + name: grpc + - containerPort: 8089 + name: apiserver + - containerPort: 9998 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9998 + securityContext: + runAsUser: 2103 + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + - mountPath: /var/run/linkerd/config + name: config + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 
0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - 
name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-tap + volumes: + - configMap: + name: linkerd-config + name: config + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity + - name: tls + secret: + secretName: linkerd-tap-tls +--- +### +### linkerd values +### +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-values + namespace: linkerd + labels: + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: 
linkerd/cli dev-undefined +data: + values: |- + tracing: + enabled: true + collector: + image: omnition/opencensus-collector:0.1.10 + name: linkerd-collector + resources: + cpu: + limit: 1 + request: 200m + memory: + limit: 2Gi + request: 400Mi + jaeger: + image: jaegertracing/all-in-one:1.8 + name: linkerd-jaeger + resources: null +--- +### +### linkerd-collector RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-collector + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd +--- +### +### linkerd-jaeger RBAC +### +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-jaeger + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd +--- +### +### Tracing Collector Service +### +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: linkerd-collector-config + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +data: + linkerd-collector-config: | + receivers: + opencensus: + port: 55678 + zipkin: + port: 9411 + queued-exporters: + jaeger-all-in-one: + num-workers: 4 + queue-size: 100 + retry-on-failure: true + sender-type: jaeger-thrift-http + jaeger-thrift-http: + collector-endpoint: http://linkerd-jaeger.linkerd:14268/api/traces + timeout: 5s +--- +apiVersion: v1 +kind: Service +metadata: + name: linkerd-collector + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined +spec: + type: ClusterIP + ports: + - name: opencensus + port: 55678 + protocol: TCP + targetPort: 55678 + - name: zipkin + port: 9411 + protocol: TCP + targetPort: 9411 + selector: + linkerd.io/control-plane-component: linkerd-collector +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: linkerd-collector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + name: linkerd-collector + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-collector + minReadySeconds: 5 + progressDeadlineSeconds: 120 + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + prometheus.io/path: /metrics + prometheus.io/port: "8888" + prometheus.io/scrape: "true" + labels: + linkerd.io/control-plane-component: linkerd-collector + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-collector + spec: + containers: + - command: + - /occollector_linux + - --config=/conf/linkerd-collector-config.yaml + env: + - name: GOGC + value: "80" + image: omnition/opencensus-collector:0.1.10 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: / + port: 13133 + name: oc-collector + ports: + - containerPort: 55678 + - containerPort: 9411 + readinessProbe: + httpGet: + path: / + port: 13133 + resources: + limits: + cpu: "1" + memory: "2Gi" + requests: + cpu: "200m" + memory: "400Mi" + volumeMounts: + - mountPath: /conf + name: linkerd-collector-config-val + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 
127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) 
+ - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + serviceAccountName: linkerd-collector + volumes: + - configMap: + items: + - key: linkerd-collector-config + path: linkerd-collector-config.yaml + name: linkerd-collector-config + name: linkerd-collector-config-val + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity +--- +### +### Tracing Jaeger Service +### +--- +apiVersion: v1 +kind: Service +metadata: + name: linkerd-jaeger + namespace: linkerd + labels: + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd + annotations: + linkerd.io/created-by: linkerd/cli 
dev-undefined +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: linkerd-jaeger + ports: + - name: collection + port: 14268 + - name: ui + port: 16686 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + labels: + app.kubernetes.io/name: linkerd-jaeger + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: install-control-plane-version + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd + name: linkerd-jaeger + namespace: linkerd +spec: + replicas: 1 + selector: + matchLabels: + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-jaeger + template: + metadata: + annotations: + linkerd.io/created-by: linkerd/cli dev-undefined + linkerd.io/identity-mode: default + linkerd.io/proxy-version: install-proxy-version + prometheus.io/path: /metrics + prometheus.io/port: "8888" + prometheus.io/scrape: "true" + labels: + linkerd.io/control-plane-component: linkerd-jaeger + linkerd.io/control-plane-ns: linkerd + linkerd.io/proxy-deployment: linkerd-jaeger + spec: + containers: + - image: jaegertracing/all-in-one:1.8 + imagePullPolicy: IfNotPresent + name: jaeger + ports: + - containerPort: 14268 + name: collection + - containerPort: 16686 + name: ui + - env: + - name: LINKERD2_PROXY_LOG + value: warn,linkerd=info + - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: linkerd-dst.linkerd.svc.cluster.local:8086 + - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: 0.0.0.0:4190 + - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: 0.0.0.0:4191 + - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: 127.0.0.1:4140 + - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: 0.0.0.0:4143 + - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES + value: svc.cluster.local. + - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + value: svc.cluster.local. 
+ - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms + - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms + - name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: ns:$(_pod_ns) + - name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity + - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS + value: | + -----BEGIN CERTIFICATE----- + MIIBYDCCAQegAwIBAgIBATAKBggqhkjOPQQDAjAYMRYwFAYDVQQDEw1jbHVzdGVy + LmxvY2FsMB4XDTE5MDMwMzAxNTk1MloXDTI5MDIyODAyMDM1MlowGDEWMBQGA1UE + AxMNY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAChpAt0 + xtgO9qbVtEtDK80N6iCL2Htyf2kIv2m5QkJ1y0TFQi5hTVe3wtspJ8YpZF0pl364 + 6TiYeXB8tOOhIACjQjBAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEF + BQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBE + AiBQ/AAwF8kG8VOmRSUTPakSSa/N4mqK2HsZuhQXCmiZHwIgZEzI5DCkpU7w3SIv + OLO4Zsk1XrGZHGsmyiEyvYF9lpY= + -----END CERTIFICATE----- + - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: linkerd-identity.linkerd.svc.cluster.local:8080 + - name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: _l5d_ns + value: linkerd + - name: _l5d_trustdomain + value: cluster.local + - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + - name: LINKERD2_PROXY_TAP_SVC_NAME + value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) + image: gcr.io/linkerd-io/proxy:install-proxy-version + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + 
path: /metrics + port: 4191 + initialDelaySeconds: 10 + name: linkerd-proxy + ports: + - containerPort: 4143 + name: linkerd-proxy + - containerPort: 4191 + name: linkerd-admin + readinessProbe: + httpGet: + path: /ready + port: 4191 + initialDelaySeconds: 2 + resources: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 2102 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity + initContainers: + - args: + - --incoming-proxy-port + - "4143" + - --outgoing-proxy-port + - "4140" + - --proxy-uid + - "2102" + - --inbound-ports-to-ignore + - 4190,4191 + - --outbound-ports-to-ignore + - "443" + image: gcr.io/linkerd-io/proxy-init:v1.3.1 + imagePullPolicy: IfNotPresent + name: linkerd-init + resources: + limits: + cpu: "100m" + memory: "50Mi" + requests: + cpu: "10m" + memory: "10Mi" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + terminationMessagePolicy: FallbackToLogsOnError + dnsPolicy: ClusterFirst + serviceAccountName: linkerd-jaeger + volumes: + - emptyDir: + medium: Memory + name: linkerd-identity-end-entity From cb8b4863c7978bb20fa2b9ba681aed2a42c62b8e Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Tue, 25 Feb 2020 20:29:54 +0530 Subject: [PATCH 43/46] Update golden files to reflect another pr changes Signed-off-by: Tarun Pothulapati --- cli/cmd/testdata/install_tracing.golden | 1 + 1 file changed, 1 insertion(+) diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden index 70006f2944b0f..48cdf34d3aaca 100644 --- a/cli/cmd/testdata/install_tracing.golden +++ b/cli/cmd/testdata/install_tracing.golden 
@@ -12,6 +12,7 @@ metadata: labels: linkerd.io/is-control-plane: "true" config.linkerd.io/admission-webhooks: disabled + linkerd.io/control-plane-ns: linkerd --- ### ### Identity Controller Service RBAC From 829ba047725baea9e1c7ea5bf499e1646207043d Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Wed, 26 Feb 2020 01:11:38 +0530 Subject: [PATCH 44/46] Move addon-config flag to recordFlagSet Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 3d9a27f59a8eb..34fe98c5ae4fb 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -513,6 +513,11 @@ func (options *installOptions) recordableFlagSet() *pflag.FlagSet { "A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)", ) + flags.StringVar( + &options.addOnConfig, "addon-config", options.addOnConfig, + "A path to a configuration file of add-ons", + ) + flags.StringVarP(&options.controlPlaneVersion, "control-plane-version", "", options.controlPlaneVersion, "(Development) Tag to be used for the control plane component images") flags.MarkHidden("control-plane-version") flags.MarkHidden("control-plane-tracing") @@ -535,10 +540,6 @@ func (options *installOptions) allStageFlagSet() *pflag.FlagSet { "Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check", ) - flags.StringVar( - &options.addOnConfig, "addon-config", options.addOnConfig, - "A path to a configuration file of add-ons", - ) return flags } From 8ef593cf6e091577e34b73e9671119ad48fb7d59 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Wed, 26 Feb 2020 18:30:36 +0530 Subject: [PATCH 45/46] add relevant tracing enabled checks Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 34fe98c5ae4fb..c7d00ffd5e015 100644 --- a/cli/cmd/install.go 
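Review bot: In PATCH 44/46, the `@@ -513,6 +513,11 @@` hunk registers `--addon-config` in `recordableFlagSet`, but the flag's value is a path on the machine that ran the install, not the add-on configuration itself. If, as the function name suggests, flags in this set are persisted and replayed later (for example on upgrade), the stored path may point at a missing or since-modified file when the command runs from another workstation or CI job, and the cluster-side record would expose a local filesystem path. It would help to state the intended behaviour in a comment above the registration, e.g. `// addon-config is a local file path; only the path, not the file's content, is recorded`, and to name the expected file format in the help string. Both functions extend beyond the hunks shown, so how the recorded value is consumed cannot be confirmed from here.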
+++ b/cli/cmd/install.go @@ -1231,7 +1231,9 @@ func parseAddOnValues(values *l5dcharts.Values) (map[string][]byte, error) { addonValues := map[string][]byte{} if values.Tracing != nil { - if values.Tracing["enabled"].(bool) { + if enabled, ok := values.Tracing["enabled"].(bool); !ok { + return nil, fmt.Errorf("invalid value for 'Tracing.enabled' (should be boolean):", values.Tracing["enabled"]) + } else if enabled { data, err := yaml.Marshal(values.Tracing) if err != nil { return nil, err From 26b28adedf9a947a06fc98c0f016fe60f7e55da9 Mon Sep 17 00:00:00 2001 From: Tarun Pothulapati Date: Wed, 26 Feb 2020 19:41:34 +0530 Subject: [PATCH 46/46] linting fix Signed-off-by: Tarun Pothulapati --- cli/cmd/install.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index c7d00ffd5e015..87118e71483b7 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -1232,7 +1232,7 @@ func parseAddOnValues(values *l5dcharts.Values) (map[string][]byte, error) { if values.Tracing != nil { if enabled, ok := values.Tracing["enabled"].(bool); !ok { - return nil, fmt.Errorf("invalid value for 'Tracing.enabled' (should be boolean):", values.Tracing["enabled"]) + return nil, fmt.Errorf("invalid value for 'Tracing.enabled' (should be boolean): %s", values.Tracing["enabled"]) } else if enabled { data, err := yaml.Marshal(values.Tracing) if err != nil {
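Review bot: The error introduced in PATCH 45/46 and adjusted in PATCH 46/46 formats `values.Tracing["enabled"]` with `%s`, yet this branch runs exactly when the value is not a bool, so a number or a missing key is rendered as `%!s(int=1)` or `%!s(<nil>)`. Using `%v` gives a readable message: `return nil, fmt.Errorf("invalid value for 'Tracing.enabled' (should be boolean): %v", values.Tracing["enabled"])`. A `Tracing` map with no `enabled` key also ends up in this error path, because the assertion on a nil interface fails; if an absent key is meant to be treated as disabled, test presence first with `v, present := values.Tracing["enabled"]`. The map appears to be filled from a user-supplied add-on file, so replacing the unchecked assertion (which would panic on a wrong type) with a checked one is the right direction. `parseAddOnValues` continues past the end of both hunks.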