# Server covering the `healthz` port of every pod in flux-system (empty
# podSelector). Pods without a container port named `healthz` are not
# selected. Pairs with the ServerAuthorization of the same name below.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: flux-healthz
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  # Matched by container port name, not number.
  port: healthz
  podSelector:
    matchLabels: {} # every pod
  # Probes are plain HTTP/1, so the proxy can parse them at L7.
  proxyProtocol: HTTP/1
---
# Authorizes the `flux-healthz` Server for any client. Kubelet probes
# originate outside the mesh, so they cannot be matched by meshTLS identity
# and an unauthenticated rule is required for them.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: flux-healthz
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  client:
    # Any client, meshed or not, from any source address: no `networks`
    # restriction is set. NOTE(review): if the node CIDRs are known, adding
    # `networks` here would limit this to kubelet traffic — confirm the
    # cluster's node address ranges before tightening.
    unauthenticated: true
  server:
    name: flux-healthz
---
# Server covering the `http-prom` (metrics) port of every pod in flux-system
# (empty podSelector). Pairs with the ServerAuthorization of the same name.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: flux-http-prom
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  # Matched by container port name, not number.
  port: http-prom
  podSelector:
    matchLabels: {} # every pod
  proxyProtocol: HTTP/1
---
# Authorizes metrics scraping on the `flux-http-prom` Server for a single
# mTLS identity: the `prometheus` ServiceAccount in the `prometheus`
# namespace. Unmeshed or differently-identified scrapers are denied.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: flux-http-prom
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  client:
    meshTLS:
      serviceAccounts:
      # Namespace is given explicitly; the scraper lives outside flux-system.
      - name: prometheus
        namespace: prometheus
  server:
    name: flux-http-prom
---
# Server covering the `http` port of the source-controller pods only
# (selected by `app: source-controller`). This is the artifact file server
# that other flux controllers fetch from. Pairs with the ServerAuthorization
# of the same name below.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: flux-source-controller-file-server
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  # Matched by container port name, not number.
  port: http
  podSelector:
    matchLabels:
      app: source-controller
  proxyProtocol: HTTP/1
---
# Authorizes the source-controller file server for any client. This is wider
# than needed for artifact fetches (which come from meshed flux controllers)
# and is only unauthenticated because the readiness probe shares the port.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: flux-source-controller-file-server
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  client:
    # source controller uses http endpoint for readiness probe
    # this should be removed after the following issue is closed:
    # https://github.com/linkerd/linkerd2/issues/7050#issuecomment-1054808996
    # NOTE(review): once probes can be authorized separately (per the linked
    # issue), replace this with a meshTLS rule for the flux controller
    # identities; until then any client on the cluster network can read
    # artifacts from this port. No `networks` restriction is set.
    unauthenticated: true
  server:
    name: flux-source-controller-file-server
---
# Server covering the `http` port of the notification-controller pods only
# (selected by `app: notification-controller`). This is the event receiver
# endpoint the other flux controllers post to. Pairs with the
# ServerAuthorization of the same name below.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: flux-notification-controller-event-server
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  # Matched by container port name, not number.
  port: http
  podSelector:
    matchLabels:
      app: notification-controller
  proxyProtocol: HTTP/1
---
# Authorizes the notification-controller event server for any mTLS identity
# belonging to a ServiceAccount in flux-system. Clients outside the mesh, or
# from other namespaces, are denied.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: flux-notification-controller-event-server
  namespace: flux-system
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    workload.edge.ncr.com: 'platform'
spec:
  # this doesn't allow for webhook receivers:
  # https://github.com/fluxcd/notification-controller/blob/main/docs/spec/README.md#webhook-receivers-1
  # External receivers would need a separate authorization (for example the
  # ingress identity) rather than widening this rule.
  client:
    meshTLS:
      identities:
      # all service accounts in the flux-system namespace
      # NOTE(review): the identity suffix hard-codes the trust domain
      # `cluster.local`; on a cluster with a different identity trust domain
      # this matches nothing and all clients are denied — confirm against
      # the Linkerd install.
      - "*.flux-system.serviceaccount.identity.linkerd.cluster.local"
  server:
    name: flux-notification-controller-event-server