---
###
### Destination Controller Service
###
{{- /*
ClusterIP Service for the destination controller's gRPC API: port 8086 maps to
the `grpc` containerPort of the `destination` container in the
linkerd-destination Deployment at the end of this file. Every Service in this
file selects pods by the same control-plane-component=destination label.
*/}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
{{- /*
Headless twin of linkerd-dst (clusterIP: None): same selector and port, but the
DNS name resolves to the individual pod addresses instead of a cluster IP.
*/}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst-headless
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
{{- /*
Webhook endpoint for ServiceProfile validation: port 443 forwards to the
`sp-validator` named port (containerPort 8443) of the sp-validator container
below. There is no TLS configuration on the Service itself; the container has
the sp-tls Secret mounted read-only at /var/run/linkerd/tls for that purpose.
*/}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator
---
{{- /*
Headless Service for the policy controller's gRPC API: port 8090 maps to the
`grpc` containerPort (8090) of the policy container below.
*/}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8090
    targetPort: 8090
---
{{- /*
Webhook endpoint for policy resource validation: port 443 forwards to the
`policy-https` named port (containerPort 9443). The policy container serves
that port with the key and certificate from the policy-tls volume
(--server-tls-key / --server-tls-certs under /var/run/linkerd/tls).
*/}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy-validator
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: policy-https
    port: 443
    targetPort: policy-https
{{- if .Values.enablePodDisruptionBudget }}
{{- /*
Optional PodDisruptionBudget covering the destination pods; the allowed
disruption comes from controller.podDisruptionBudget.maxUnavailable.
*/}}
---
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-dst
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
{{- end }}
---
{{- /*
Destination controller Deployment: a single pod running the destination,
sp-validator and policy containers next to the Linkerd proxy. $tree is a deep
copy of the chart context so the proxy partials can be tuned for this workload
without mutating .Values for the other templates.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}}
{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{ .Values.linkerdVersion }}
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-destination
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{ .Values.controllerReplicas }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: {{ .Release.Namespace }}
      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6 }}
  {{- if .Values.deploymentStrategy }}
  strategy:
    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{- /*
        The rendered destination-rbac.yaml is hashed into the pod template, so any
        change to that file changes the pod spec and rolls the pods with it.
        */}}
        checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }}
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8 }}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        {{- /*
        Same inbound policy as set on $tree.Values.proxy further down: this pod hosts
        validating webhooks, and the API server's webhook calls cannot be assumed to
        come from the cluster network or from meshed clients.
        */}}
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: {{ .Release.Namespace }}
        linkerd.io/workload-ns: {{ .Release.Namespace }}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8 }}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- with .Values.runtimeClassName }}
      runtimeClassName: {{ . | quote }}
      {{- end }}
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- $_ := set $tree "component" "destination" -}}
      {{- include "linkerd.affinity" $tree | nindent 6 }}
      containers:
      {{- /*
      Per-workload overrides for the proxy partial. destinationProxyResources, when
      set, replaces the proxy's cores/resources; the remaining keys are fixed for
      this pod.
      */}}
      {{- if not (empty .Values.destinationProxyResources) }}
      {{- $c := dig "cores" .Values.proxy.cores .Values.destinationProxyResources }}
      {{- $_ := set $tree.Values.proxy "cores" $c }}
      {{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- /*
      Inbound ports the proxy must expect on this pod: 8086 destination gRPC,
      8090 policy gRPC, 8443 sp-validator webhook, 9443 policy webhook, and the
      admin endpoints 9990 (policy), 9996 (destination), 9997 (sp-validator).
      */}}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }}
      {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
      {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
      {{- /*
      The pod needs to accept webhook traffic, and we can't rely on that originating in the
      cluster network.
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      {{- /*
      The proxy sidecar drops every Linux capability, matching the controller
      containers' securityContext below.
      */}}
      {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
      {{- /*
      `indent 8 | trimPrefix (repeat 7 " ")` indents the partial to the list-item body
      and strips seven spaces from its first line so it sits directly after the `- `
      marker. The same idiom is used for every included list item in this file.
      */}}
      {{- if not $tree.Values.proxy.nativeSidecar }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{- end }}
      {{- /*
      Destination controller: gRPC API on 8086 (linkerd-dst / linkerd-dst-headless
      Services), admin and probe endpoint on 9996.
      */}}
      - args:
        - destination
        - -addr=:8086
        - -controller-namespace={{ .Release.Namespace }}
        - -enable-h2-upgrade={{ .Values.enableH2Upgrade }}
        - -log-level={{ .Values.controllerLogLevel }}
        - -log-format={{ .Values.controllerLogFormat }}
        - -enable-endpoint-slices={{ .Values.enableEndpointSlices }}
        - -cluster-domain={{ .Values.clusterDomain }}
        - -identity-trust-domain={{ .Values.identityTrustDomain | default .Values.clusterDomain }}
        - -default-opaque-ports={{ .Values.proxy.opaquePorts }}
        - -enable-ipv6={{ not .Values.disableIPv6 }}
        - -enable-pprof={{ .Values.enablePprof | default false }}
        {{- if (.Values.destinationController).meshedHttp2ClientProtobuf }}
        - --meshed-http2-client-params={{ toJson .Values.destinationController.meshedHttp2ClientProtobuf }}
        {{- end }}
        {{- range (.Values.destinationController).additionalArgs }}
        - {{ . }}
        {{- end }}
        {{- range (.Values.destinationController).experimentalArgs }}
        - {{ . }}
        {{- end }}
        {{- if or (.Values.destinationController).additionalEnv (.Values.destinationController).experimentalEnv }}
        env:
        {{- with (.Values.destinationController).additionalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- with (.Values.destinationController).experimentalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- end }}
        {{- include "partials.linkerd.trace" . | nindent 8 -}}
        image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion | default .Values.linkerdVersion }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        {{- if .Values.destinationResources -}}
        {{- include "partials.resources" .Values.destinationResources | nindent 8 }}
        {{- end }}
        {{- /*
        Hardened baseline shared by all three controller containers: no capabilities,
        read-only root filesystem, non-root UID from controllerUID, no privilege
        escalation, RuntimeDefault seccomp. runAsGroup is only emitted when
        controllerGID is non-negative, so a negative value leaves the group unset.
        */}}
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{ .Values.controllerUID }}
          {{- if ge (int .Values.controllerGID) 0 }}
          runAsGroup: {{ .Values.controllerGID }}
          {{- end }}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
      {{- /*
      ServiceProfile validating webhook: named port sp-validator (8443) behind the
      linkerd-sp-validator Service, admin and probe endpoint on 9997. TLS material
      is mounted read-only from the sp-tls volume.
      */}}
      - args:
        - sp-validator
        - -log-level={{ .Values.controllerLogLevel }}
        - -log-format={{ .Values.controllerLogFormat }}
        - -enable-pprof={{ .Values.enablePprof | default false }}
        {{- if or (.Values.spValidator).additionalEnv (.Values.spValidator).experimentalEnv }}
        env:
        {{- with (.Values.spValidator).additionalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- with (.Values.spValidator).experimentalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- end }}
        image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion | default .Values.linkerdVersion }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        {{- if .Values.spValidatorResources -}}
        {{- include "partials.resources" .Values.spValidatorResources | nindent 8 }}
        {{- end }}
        {{- /* Same hardening as the destination container. */}}
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{ .Values.controllerUID }}
          {{- if ge (int .Values.controllerGID) 0 }}
          runAsGroup: {{ .Values.controllerGID }}
          {{- end }}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: sp-tls
          readOnly: true
      {{- /*
      Policy controller: gRPC on 8090 (linkerd-policy Service), validating webhook
      over HTTPS on 9443 (linkerd-policy-validator Service) using the key/cert from
      the policy-tls volume, admin and probe endpoint on 9990. All three listeners
      bind [::] (all interfaces).
      */}}
      - args:
        - --admin-addr=[::]:9990
        - --control-plane-namespace={{ .Release.Namespace }}
        - --grpc-addr=[::]:8090
        - --server-addr=[::]:9443
        - --server-tls-key=/var/run/linkerd/tls/tls.key
        - --server-tls-certs=/var/run/linkerd/tls/tls.crt
        - --cluster-networks={{ .Values.clusterNetworks }}
        - --identity-domain={{ .Values.identityTrustDomain | default .Values.clusterDomain }}
        - --cluster-domain={{ .Values.clusterDomain }}
        - --default-policy={{ .Values.proxy.defaultInboundPolicy }}
        - --log-level={{ .Values.policyController.logLevel | default "linkerd=info,warn" }}
        - --log-format={{ .Values.controllerLogFormat }}
        - --default-opaque-ports={{ .Values.proxy.opaquePorts }}
        {{- if .Values.policyController.probeNetworks }}
        - --probe-networks={{ .Values.policyController.probeNetworks | join "," }}
        {{- end }}
        {{- range .Values.policyController.additionalArgs }}
        - {{ . }}
        {{- end }}
        {{- range .Values.policyController.experimentalArgs }}
        - {{ . }}
        {{- end }}
        image: {{ .Values.policyController.image.name }}:{{ .Values.policyController.image.version | default .Values.linkerdVersion }}
        imagePullPolicy: {{ .Values.policyController.image.pullPolicy | default .Values.imagePullPolicy }}
        livenessProbe:
          httpGet:
            path: /live
            port: admin-http
        name: policy
        ports:
        - containerPort: 8090
          name: grpc
        - containerPort: 9990
          name: admin-http
        - containerPort: 9443
          name: policy-https
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        {{- if .Values.policyController.resources }}
        {{- include "partials.resources" .Values.policyController.resources | nindent 8 }}
        {{- end }}
        {{- /* Same hardening as the destination container. */}}
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{ .Values.controllerUID }}
          {{- if ge (int .Values.controllerGID) 0 }}
          runAsGroup: {{ .Values.controllerGID }}
          {{- end }}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: policy-tls
          readOnly: true
      {{- /*
      Init containers: with cniEnabled the network-validator partial is used,
      otherwise proxy-init (presumably setting up the traffic-redirection rules,
      hence the xtables volume below). When the proxy runs as a native sidecar it
      is emitted here instead of under containers, with a slower startup probe.
      */}}
      initContainers:
      {{ if .Values.cniEnabled -}}
      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ else -}}
      {{- /*
      The destination controller needs to connect to the Kubernetes API before the proxy is able
      to proxy requests, so we always skip these connections.
      */}}
      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{- if $tree.Values.proxy.nativeSidecar }}
      {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
      {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
      {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{- if .Values.priorityClassName -}}
      priorityClassName: {{ .Values.priorityClassName }}
      {{ end -}}
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      {{- /*
      Webhook serving certificates come from two Secrets in the release namespace;
      each is mounted read-only into exactly one container above.
      */}}
      volumes:
      - name: sp-tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - name: policy-tls
        secret:
          secretName: linkerd-policy-validator-k8s-tls
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{ if .Values.identity.serviceAccountTokenProjection -}}
      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}