1{{if .Values.identity -}}
2---
3###
4### Identity Controller Service
5###
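{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}}
---
{{- /*
Issuer credentials: the CA certificate and private key the identity controller signs
proxy certificates with, supplied through values (identity.issuer.tls.crtPEM/keyPEM).

This Secret is only rendered for the linkerd.io/tls scheme. For any other scheme the
identity Deployment below still mounts a Secret named linkerd-identity-issuer, so it
must be created outside this chart before the control plane starts.

NOTE(review): key material supplied through values travels through whatever delivers
those values (values files, CI logs, `--set-file` command lines). An externally managed
Secret avoids that exposure when the environment allows it.
*/}}
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
data:
{{- /*
Both entries are mandatory: `required` fails the render rather than producing a Secret
with an empty certificate or key. Both values are trimmed before base64 encoding.
*/}}
  crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}}
  key.pem: {{b64enc (required "Please provide the identity issuer private key" .Values.identity.issuer.tls.keyPEM | trim)}}
{{- end}}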
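{{ if not (.Values.identity.externalCA) -}}
---
{{- /*
Trust roots ConfigMap. The identity Deployment below mounts it at
/var/run/linkerd/identity/trust-roots and its sidecar proxy is rendered with
loadTrustBundleFromConfigMap so it reads the bundle from here as well.

When identity.externalCA is set the ConfigMap is expected to be managed outside this
chart and is not rendered.
*/}}
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
data:
{{- /*
Fail at render time instead of shipping an empty bundle: a trust bundle with no anchors
cannot validate any certificate, and nothing downstream would flag the omission. This
mirrors the `required` guard already applied to the issuer Secret's crt.pem/key.pem.
*/}}
  ca-bundle.crt: |-{{ required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }}
{{- end}}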
---
###
### ClusterIP Service in front of the identity controller's gRPC API (port 8080).
### Backed by the pods carrying the identity control-plane-component label.
###
apiVersion: v1
kind: Service
metadata:
  namespace: {{ .Release.Namespace }}
  name: linkerd-identity
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
###
### Headless counterpart of linkerd-identity: clusterIP None makes DNS answer with the
### controller pod IPs instead of a virtual IP. Same selector and gRPC port as above.
###
apiVersion: v1
kind: Service
metadata:
  namespace: {{ .Release.Namespace }}
  name: linkerd-identity-headless
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
{{- if .Values.enablePodDisruptionBudget }}
---
###
### PodDisruptionBudget for the identity controller (opt-in via
### enablePodDisruptionBudget). Voluntary disruptions such as node drains may not take
### more than controller.podDisruptionBudget.maxUnavailable replicas down at once.
###
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  namespace: {{ .Release.Namespace }}
  name: linkerd-identity
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
{{- end }}
---
{{- $tree := deepCopy . }}
{{- /*
$tree is a deep copy of the root context. Every proxy/proxyInit override applied with
`set` in this template lands on the copy, so the tweaks made for the identity workload
do not leak into .Values as seen by the chart's other templates.
*/}}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}}
{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{.Values.linkerdVersion}}
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-identity
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{.Values.controllerReplicas}}
  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: {{.Release.Namespace}}
      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
  {{- if .Values.deploymentStrategy }}
  strategy:
    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8}}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        # Emitted after podAnnotations: if a user-supplied annotation carries the same key,
        # this one is the last duplicate and wins on most YAML parsers. It matches the
        # defaultInboundPolicy handed to the sidecar proxy further down.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: {{.Release.Namespace}}
        linkerd.io/workload-ns: {{.Release.Namespace}}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- with .Values.runtimeClassName }}
      runtimeClassName: {{ . | quote }}
      {{- end }}
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- $_ := set $tree "component" "identity" -}}
      {{- include "linkerd.affinity" $tree | nindent 6 }}
      containers:
      - args:
        - identity
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        - -controller-namespace={{.Release.Namespace}}
        - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
        - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}}
        - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}}
        - -identity-scheme={{.Values.identity.issuer.scheme}}
        # NOTE(review): the admin-http port (9990) is reachable under the all-unauthenticated
        # policy set on this pod. If pprof is served on that port when enabled, it is exposed
        # to anything in the cluster — keep this off outside debugging sessions.
        - -enable-pprof={{.Values.enablePprof | default false}}
        - -kube-apiclient-qps={{.Values.identity.kubeAPI.clientQPS}}
        - -kube-apiclient-burst={{.Values.identity.kubeAPI.clientBurst}}
        {{- include "partials.linkerd.trace" . | nindent 8 -}}
        env:
        # NOTE(review): presumably linkerd-await only checks that this variable is set; the
        # value is a human-readable reason. The sidecar is likewise rendered with await=false.
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        {{- with (.Values.identity).additionalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- with (.Values.identity).experimentalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        # Supply-chain note: the reference is composed as repo:tag, so a digest cannot be
        # supplied through controllerImage/controllerImageVersion; enforce image integrity
        # by other means (e.g. admission policy) where that is required.
        image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        {{- if .Values.identityResources -}}
        {{- include "partials.resources" .Values.identityResources | nindent 8 }}
        {{- end }}
        # Hardened container: all capabilities dropped, read-only root filesystem, non-root
        # UID (and GID when controllerGID >= 0), no privilege escalation, default seccomp.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{.Values.controllerUID}}
          {{- if ge (int .Values.controllerGID) 0 }}
          runAsGroup: {{.Values.controllerGID}}
          {{- end }}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        # Issuer key material and trust anchors come in through the volumes declared at the
        # bottom of the pod spec; they are the only writable-by-nobody inputs this container needs.
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
        {{- if not (empty .Values.identityProxyResources) }}
        {{- $c := dig "cores" .Values.proxy.cores .Values.identityProxyResources }}
        {{- $_ := set $tree.Values.proxy "cores" $c }}
        {{- $r := merge .Values.identityProxyResources .Values.proxy.resources }}
        {{- $_ := set $tree.Values.proxy "resources" $r }}
        {{- end }}
        {{- $_ := set $tree.Values.proxy "await" false }}
        {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
        {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
        {{- $_ := set $tree.Values.proxy "nativeSidecar" false }}
        {{- /*
        The identity controller cannot discover policies, so we configure it with defaults that
        enforce TLS on the identity service.

        Only the gRPC port (8080) is listed in requireTLSOnInboundPorts. The admin port (9990)
        has to stay reachable in plaintext for the kubelet liveness/readiness probes above, so
        do not add it here without also changing the probes.
        */}}
        {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
        {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
        {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
        {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
        {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      initContainers:
      {{ if .Values.cniEnabled -}}
      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ else -}}
      {{- /*
      The identity controller needs to connect to the Kubernetes API before the proxy is able to
      proxy requests, so we always skip these connections. The identity controller makes no other
      outbound connections (so it's not important to persist any other skip ports here)
      */}}
      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{- if .Values.priorityClassName -}}
      priorityClassName: {{ .Values.priorityClassName }}
      {{ end -}}
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      # The controller reaches the API server with this ServiceAccount; its RBAC is not
      # defined in this file.
      serviceAccountName: linkerd-identity
      volumes:
      # Mounted unconditionally: when identity.issuer.scheme is not linkerd.io/tls the chart
      # does not render this Secret, so it must already exist in the namespace.
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{if .Values.identity.serviceAccountTokenProjection -}}
      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
267{{end -}}