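---
# Linkerd policy for external-secrets. Each Server names a port on the
# selected pods; the ServerAuthorization that references it states which
# clients may connect to that port.
#
# A ServerAuthorization binds only to a Server in its own namespace, so every
# resource below sets `namespace: external-secrets` explicitly. Previously only
# two of the six did, which could split a Server from its authorization
# depending on the namespace active at apply time.

# Health/probe port.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: external-secrets-probe-server
  namespace: external-secrets
spec:
  port: health
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: external-secrets
  proxyProtocol: HTTP/1
---
# Probe traffic is allowed without a mesh identity (presumably for kubelet
# health checks, which originate outside the mesh).
# NOTE(review): no `client.networks` list is set, so source addresses are not
# narrowed by this resource. If only node-originated probes are expected,
# consider adding `networks` with the node CIDR.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: external-secrets-probe-server-auth
  namespace: external-secrets
spec:
  client:
    unauthenticated: true
  server:
    name: external-secrets-probe-server
---
# external-secrets metrics server/server auth for prometheus
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: external-secrets-metrics-server
  namespace: external-secrets
spec:
  port: metrics
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: external-secrets
  proxyProtocol: HTTP/1
---
# Metrics are restricted to a mesh-TLS identity, so the scraper must itself be
# meshed and run as the service account listed below.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: external-secrets-metrics-server-auth
  namespace: external-secrets
spec:
  client:
    meshTLS:
      serviceAccounts:
        # authorize access to the metrics port from prometheus
        - name: prometheus
          namespace: prometheus
  server:
    name: external-secrets-metrics-server
---
# Admission webhook port. `opaque` makes the proxy forward the connection as
# raw TCP without protocol detection.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: external-secrets-webhook-server
  namespace: external-secrets
spec:
  port: webhook
  podSelector:
    matchLabels:
      app.kubernetes.io/name: external-secrets-webhook
  proxyProtocol: opaque
---
# Webhook traffic is allowed without a mesh identity (presumably because the
# Kubernetes API server that calls the webhook is not meshed).
# NOTE(review): with `unauthenticated: true` and no `client.networks`, this
# policy does not limit who may open a connection to the webhook port. Any
# caller authentication then rests on the webhook's own TLS. Consider adding
# `networks` with the control-plane CIDR to narrow the source range.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: external-secrets-webhook-server-auth
  namespace: external-secrets
spec:
  client:
    unauthenticated: true
  server:
    name: external-secrets-webhook-server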