---
###
### Proxy Injector
###
{{- /*
Renders the linkerd-proxy-injector control-plane Deployment: the admission
webhook that injects the Linkerd proxy into workloads. The injector container
serves the webhook on 8443 (presumably terminating TLS itself with the
linkerd-proxy-injector-k8s-tls Secret mounted below) and its admin endpoints
(/ping, /ready) on 9995. Like the other control-plane workloads it is itself
meshed: the proxy and proxy-init containers come from the shared partials.

$tree is a deep copy of the chart context, so the `set` calls in this file
only tune .Values.proxy / .Values.proxyInit for this workload and do not leak
into other templates that read .Values. waitBeforeExitSeconds is forced to 0
here -- presumably the proxy has nothing to drain for this controller.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}}
{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{.Values.linkerdVersion}}
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-proxy-injector
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{.Values.controllerReplicas}}
  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  {{- if .Values.deploymentStrategy }}
  strategy:
    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{- /*
        Hash of the rendered proxy-injector-rbac.yaml so the pods roll whenever
        that template's output changes (presumably the webhook TLS material
        and the MutatingWebhookConfiguration live there -- verify in that
        file).
        */}}
        checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }}
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8}}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        {{- /*
        The webhook port carries TLS that the injector handles itself, so the
        proxy treats it as opaque (no protocol detection). The inbound policy
        is pod-wide and deliberately open: the caller is the API server, which
        may sit outside the cluster network and cannot present a mesh
        identity. NOTE(review): the same default also covers the admin port
        9995 (/ping, /ready, and presumably the pprof handlers when
        enablePprof is true) unless a narrower Linkerd policy resource targets
        it -- keep enablePprof at its default of false outside of debugging.
        */}}
        config.linkerd.io/opaque-ports: "8443"
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: {{.Release.Namespace}}
        linkerd.io/workload-ns: {{.Release.Namespace}}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- with .Values.runtimeClassName }}
      runtimeClassName: {{ . | quote }}
      {{- end }}
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- $_ := set $tree "component" "proxy-injector" -}}
      {{- include "linkerd.affinity" $tree | nindent 6 }}
      containers:
      {{- /*
      Per-workload override of the sidecar's resources: keys present in
      proxyInjectorProxyResources win and .Values.proxy.resources fills the
      gaps (sprig `merge` gives precedence to its first argument). NOTE(review):
      sprig `merge` also writes its result into that first argument, so this
      mutates .Values.proxyInjectorProxyResources itself rather than the $tree
      copy -- harmless unless another template reads it afterwards.
      */}}
      {{- if not (empty .Values.proxyInjectorProxyResources) }}
      {{- $c := dig "cores" .Values.proxy.cores .Values.proxyInjectorProxyResources }}
      {{- $_ := set $tree.Values.proxy "cores" $c }}
      {{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- /*
      Remaining per-workload proxy settings consumed by "partials.proxy". The
      `await` line re-assigns the value it already holds (a no-op, left as-is).
      loadTrustBundleFromConfigMap presumably makes the proxy read the trust
      roots from the linkerd-identity-trust-roots ConfigMap mounted below;
      podInboundPorts lists the injector's two container ports.
      */}}
      {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }}
      {{- /*
      The pod needs to accept webhook traffic, and we can't rely on that originating in the
      cluster network.
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      {{- /*
      Sidecar hardening: drop every Linux capability. The two cache timeouts
      bound how long unused discovery state is kept -- presumably tuned for
      this controller's traffic pattern; confirm against the proxy defaults
      before changing them.
      */}}
      {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
      {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
      {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
      {{- /*
      When proxy.nativeSidecar is set the proxy is rendered as an init
      container further down; otherwise it is an ordinary container listed
      ahead of the injector itself.
      */}}
      {{- if not $tree.Values.proxy.nativeSidecar }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{- end }}
      {{- /*
      The injector container. -enable-pprof turns on Go profiling handlers
      (presumably on the 9995 admin listener); it defaults to false.
      */}}
      - args:
        - proxy-injector
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        - -linkerd-namespace={{.Release.Namespace}}
        - -enable-pprof={{.Values.enablePprof | default false}}
        {{- if or (.Values.proxyInjector).additionalEnv (.Values.proxyInjector).experimentalEnv }}
        env:
        {{- with (.Values.proxyInjector).additionalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- with (.Values.proxyInjector).experimentalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- end }}
        image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        {{- if .Values.proxyInjectorResources -}}
        {{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }}
        {{- end }}
        {{- /*
        Restricted-profile container hardening: no capabilities, read-only
        root filesystem, non-root UID (runAsGroup only when controllerGID is
        non-negative), no privilege escalation, runtime-default seccomp.
        */}}
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{.Values.controllerUID}}
          {{- if ge (int .Values.controllerGID) 0 }}
          runAsGroup: {{.Values.controllerGID}}
          {{- end }}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        {{- /*
        Only the TLS mount is declared readOnly; the two ConfigMap mounts are
        read-only in any case (the kubelet mounts ConfigMap volumes that way)
        and readOnlyRootFilesystem covers the rest.
        */}}
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        - mountPath: /var/run/linkerd/identity/trust-roots
          name: trust-roots
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      {{- /*
      With CNI enabled only the network-validator init container is added
      (presumably it checks that the CNI plugin installed the redirect rules);
      otherwise proxy-init sets up the iptables redirect itself, and the
      kube-apiserver ports are excluded from outbound redirection so the
      controller talks to the API directly rather than through the proxy.
      */}}
      initContainers:
      {{ if .Values.cniEnabled -}}
      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ else -}}
      {{- /*
      The controller needs to connect to the Kubernetes API. There's no reason
      to put the proxy in the way of that.
      */}}
      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{- /*
      Native-sidecar mode: the proxy is rendered as an init container with the
      startup-probe values set here (35s initial delay, 5s period, up to 20
      failures) -- presumably so the injector does not start before the proxy
      is serving.
      */}}
      {{- if $tree.Values.proxy.nativeSidecar }}
      {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
      {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
      {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{- if .Values.priorityClassName -}}
      priorityClassName: {{ .Values.priorityClassName }}
      {{ end -}}
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      {{- /*
      Pod-level seccomp default plus a dedicated ServiceAccount; its RBAC is
      defined in proxy-injector-rbac.yaml, not here.
      */}}
      serviceAccountName: linkerd-proxy-injector
      {{- /*
      Volumes: the mesh ConfigMap, the identity trust-roots ConfigMap and the
      webhook serving Secret (presumably cert + key). The xtables volume is
      only needed when proxy-init runs iptables (non-CNI); the projected
      service-account token and identity volumes belong to the proxy.
      */}}
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{if .Values.identity.serviceAccountTokenProjection -}}
      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
---
{{- /*
ClusterIP Service in front of the injector pods. Presumably referenced by the
MutatingWebhookConfiguration: the API server connects to port 443, which is
forwarded to the container port named "proxy-injector" (8443). The
opaque-ports annotation mirrors the pod-level one so meshed callers skip
protocol detection on the TLS port.
*/}}
apiVersion: v1
kind: Service
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
    config.linkerd.io/opaque-ports: "443"
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-proxy-injector
  namespace: {{ .Release.Namespace }}
spec:
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
  selector:
    linkerd.io/control-plane-component: proxy-injector
  type: ClusterIP
{{- if .Values.enablePodDisruptionBudget }}
{{- /*
Optional PodDisruptionBudget for the injector, gated on
enablePodDisruptionBudget. It caps voluntary evictions of the pods matched by
the control-plane-component label at
controller.podDisruptionBudget.maxUnavailable. NOTE(review): with a single
replica and maxUnavailable: 0 this blocks node drains -- size it together
with controllerReplicas.
*/}}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-proxy-injector
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
{{- end }}