1# Default values for linkerd.
2# This is a YAML-formatted file.
3# Declare variables to be passed into your templates.
4
5# -- Kubernetes DNS Domain name to use
6clusterDomain: cluster.local
7
8# -- The cluster networks for which service discovery is performed. This should
9# include the pod and service networks, but need not include the node network.
10#
11# By default, all IPv4 private networks and all accepted IPv6 ULAs are
12# specified so that resolution works in typical Kubernetes environments.
13clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
14# -- Docker image pull policy
15imagePullPolicy: IfNotPresent
16# -- Specifies the number of old ReplicaSets to retain to allow rollback.
17revisionHistoryLimit: 10
18# -- Log level for the control plane components
19controllerLogLevel: info
20# -- Log format for the control plane components
21controllerLogFormat: plain
22# -- enables control plane tracing
23controlPlaneTracing: false
24# -- namespace to send control plane traces to
25controlPlaneTracingNamespace: linkerd-jaeger
26# -- control plane version. See Proxy section for proxy version
27linkerdVersion: linkerdVersionValue
28# -- default kubernetes deployment strategy
29deploymentStrategy:
30 rollingUpdate:
31 maxUnavailable: 25%
32 maxSurge: 25%
33# -- enables the use of EndpointSlice informers for the destination service;
34# enableEndpointSlices should be set to true only if EndpointSlice K8s feature
35# gate is on
36enableEndpointSlices: true
37# -- enables pod anti affinity creation on deployments for high availability
38enablePodAntiAffinity: false
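39# -- enables the use of pprof endpoints on the control plane components' admin
40# servers. pprof exposes runtime profiling data, so leave this false except while debugging and limit who can reach the admin ports.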
41enablePprof: false
42# -- enables the creation of pod disruption budgets for control plane components
43enablePodDisruptionBudget: false
44# -- disables routing IPv6 traffic in addition to IPv4 traffic through the
45# proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni
46# v1.4.0)
47disableIPv6: true
48
49controller:
50 # -- sets pod disruption budget parameter for all deployments
51 podDisruptionBudget:
52 # -- Maximum number of pods that can be unavailable during disruption
53 maxUnavailable: 1
54# -- enabling this omits the NET_ADMIN capability in the PSP and omits the
55# proxy-init container when injecting the proxy;
56# requires the linkerd-cni plugin to already be installed
57cniEnabled: false
58# -- Trust root certificate (ECDSA). It must be provided during install.
59identityTrustAnchorsPEM: |
60# -- Trust domain used for identity
61# @default -- clusterDomain
62identityTrustDomain: ""
63kubeAPI: &kubeapi
64 # -- Maximum QPS sent to the kube-apiserver before throttling.
65 # See [token bucket rate limiter
66 # implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go)
67 clientQPS: 100
68 # -- Burst value over clientQPS
69 clientBurst: 200
70# -- Additional annotations to add to all pods
71podAnnotations: {}
72# -- Additional labels to add to all pods
73podLabels: {}
74# -- Labels to apply to all resources
75commonLabels: {}
76# -- Kubernetes priorityClassName for the Linkerd Pods
77priorityClassName: ""
78# -- Runtime Class Name for all the pods
79runtimeClassName: ""
80
81# policy controller configuration
82policyController:
83 image:
84 # -- Docker image for the policy controller
85 name: cr.l5d.io/linkerd/policy-controller
86 # -- Pull policy for the policy controller container image
87 # @default -- imagePullPolicy
88 pullPolicy: ""
89 # -- Tag for the policy controller container image
90 # @default -- linkerdVersion
91 version: ""
92
93 # -- Log level for the policy controller
94 logLevel: info
95
96 # -- The networks from which probes are performed.
97 #
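98 # By default, all networks are allowed so that all probes are authorized. Narrow this list to the networks probes actually come from if probe requests should not be authorized from arbitrary source addresses.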
99 probeNetworks:
100 - 0.0.0.0/0
101 - "::/0"
102
103 # -- policy controller resource requests & limits
104 resources:
105 cpu:
106 # -- Maximum amount of CPU units that the policy controller can use
107 limit: ""
108 # -- Amount of CPU units that the policy controller requests
109 request: ""
110 memory:
111 # -- Maximum amount of memory that the policy controller can use
112 limit: ""
113 # -- Amount of memory that the policy controller requests
114 request: ""
115 ephemeral-storage:
116 # -- Maximum amount of ephemeral storage that the policy controller can use
117 limit: ""
118 # -- Amount of ephemeral storage that the policy controller requests
119 request: ""
120
121# proxy configuration
122proxy:
123 # -- Enable service profiles for non-Kubernetes services
124 enableExternalProfiles: false
125 # -- Maximum time allowed for the proxy to establish an outbound TCP
126 # connection
127 outboundConnectTimeout: 1000ms
128 # -- Maximum time allowed for the proxy to establish an inbound TCP
129 # connection
130 inboundConnectTimeout: 100ms
131 # -- Maximum time allowed before an unused outbound discovery result
132 # is evicted from the cache
133 outboundDiscoveryCacheUnusedTimeout: "5s"
134 # -- Maximum time allowed before an unused inbound discovery result
135 # is evicted from the cache
136 inboundDiscoveryCacheUnusedTimeout: "90s"
137 # -- When set to true, disables the protocol detection timeout on the
138 # outbound side of the proxy by setting it to a very high value
139 disableOutboundProtocolDetectTimeout: false
140 # -- When set to true, disables the protocol detection timeout on the inbound
141 # side of the proxy by setting it to a very high value
142 disableInboundProtocolDetectTimeout: false
143 image:
144 # -- Docker image for the proxy
145 name: cr.l5d.io/linkerd/proxy
146 # -- Pull policy for the proxy container image
147 # @default -- imagePullPolicy
148 pullPolicy: ""
149 # -- Tag for the proxy container image
150 # @default -- linkerdVersion
151 version: ""
152 # -- Log level for the proxy
153 logLevel: warn,linkerd=info,trust_dns=error
154 # -- Log format (`plain` or `json`) for the proxy
155 logFormat: plain
156 ports:
157 # -- Admin port for the proxy container
158 admin: 4191
159 # -- Control port for the proxy container
160 control: 4190
161 # -- Inbound port for the proxy container
162 inbound: 4143
163 # -- Outbound port for the proxy container
164 outbound: 4140
165 # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores`
166 # must be an integer and should typically be set by rounding up from the
167 # limit. E.g. if cpu.limit is '1500m', cores should be 2.
168 cores: 0
169 resources:
170 cpu:
171 # -- Maximum amount of CPU units that the proxy can use
172 limit: ""
173 # -- Amount of CPU units that the proxy requests
174 request: ""
175 memory:
176 # -- Maximum amount of memory that the proxy can use
177 limit: ""
178 # -- Amount of memory that the proxy requests
179 request: ""
180 ephemeral-storage:
181 # -- Maximum amount of ephemeral storage that the proxy can use
182 limit: ""
183 # -- Amount of ephemeral storage that the proxy requests
184 request: ""
185 # -- User id under which the proxy runs
186 uid: 2102
187 # -- (int) Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0)
188 gid: -1
189
190 # -- If set the injected proxy sidecars in the data plane will stay alive for
191 # at least the given period before receiving the SIGTERM signal from
192 # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`.
193 # See [Lifecycle
194 # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks)
195 # for more info on container lifecycle hooks.
196 waitBeforeExitSeconds: 0
197 # -- If set, the application container will not start until the proxy is
198 # ready
199 await: true
200 requireIdentityOnInboundPorts: ""
201 # -- Default set of opaque ports
202 # - SMTP (25,587) server-first
203 # - MYSQL (3306) server-first
204 # - Galera (4444) server-first
205 # - PostgreSQL (5432) server-first
206 # - Redis (6379) server-first
207 # - ElasticSearch (9300) server-first
208 # - Memcached (11211) clients do not issue any preamble, which breaks detection
209 opaquePorts: "25,587,3306,4444,5432,6379,9300,11211"
210 # -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.
211 shutdownGracePeriod: ""
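212 # -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated",
213 # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny". The "all-unauthenticated" default accepts traffic from any client, meshed or not; pick an "-authenticated" policy or "deny" for workloads that should only accept clients with a mesh identity.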
214 # @default -- "all-unauthenticated"
215 defaultInboundPolicy: "all-unauthenticated"
216 # -- Enable KEP-753 native sidecars
217 # This is an experimental feature. It requires Kubernetes >= 1.29.
218 # If enabled, .proxy.waitBeforeExitSeconds should not be used.
219 nativeSidecar: false
220 # -- Native sidecar proxy startup probe parameters.
221 # -- LivenessProbe timeout and delay configuration
222 livenessProbe:
223 initialDelaySeconds: 10
224 timeoutSeconds: 1
225 # -- ReadinessProbe timeout and delay configuration
226 readinessProbe:
227 initialDelaySeconds: 2
228 timeoutSeconds: 1
229 startupProbe:
230 initialDelaySeconds: 0
231 periodSeconds: 1
232 failureThreshold: 120
233 # Configures general properties of the proxy's control plane clients.
234 control:
235 # Configures limits on API response streams.
236 streams:
237 # -- The timeout for the first update from the control plane.
238 initialTimeout: "3s"
239 # -- The timeout between consecutive updates from the control plane.
240 idleTimeout: "5m"
241 # -- The maximum duration for a response stream (i.e. before it will be
242 # reinitialized).
243 lifetime: "1h"
244 inbound:
245 server:
246 http2:
247 # -- The interval at which PINGs are issued to remote HTTP/2 clients.
248 keepAliveInterval: "10s"
249 # -- The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections.
250 keepAliveTimeout: "3s"
251 outbound:
252 server:
253 http2:
254 # -- The interval at which PINGs are issued to local application HTTP/2 clients.
255 keepAliveInterval: "10s"
256 # -- The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections.
257 keepAliveTimeout: "3s"
258
259# proxy-init configuration
260proxyInit:
261 # -- Variant of iptables that will be used to configure routing. Currently,
262 # proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will
263 # control which utility binary will be called. The host must support
264 # whichever mode will be used
265 iptablesMode: "legacy"
266 # -- Default set of inbound ports to skip via iptables
267 # - Galera (4567,4568)
268 ignoreInboundPorts: "4567,4568"
269 # -- Default set of outbound ports to skip via iptables
270 # - Galera (4567,4568)
271 ignoreOutboundPorts: "4567,4568"
272 # -- Default set of ports to skip via iptables for control plane
273 # components so they can communicate with the Kubernetes API Server
274 kubeAPIServerPorts: "443,6443"
275 # -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy
276 skipSubnets: ""
277 # -- Log level for the proxy-init
278 # @default -- info
279 logLevel: ""
280 # -- Log format (`plain` or `json`) for the proxy-init
281 # @default -- plain
282 logFormat: ""
283 image:
284 # -- Docker image for the proxy-init container
285 name: cr.l5d.io/linkerd/proxy-init
286 # -- Pull policy for the proxy-init container image
287 # @default -- imagePullPolicy
288 pullPolicy: ""
289 # -- Tag for the proxy-init container image
290 version: v2.4.0
291 resources:
292 cpu:
293 # -- Maximum amount of CPU units that the proxy-init container can use
294 limit: 100m
295 # -- Amount of CPU units that the proxy-init container requests
296 request: 100m
297 memory:
298 # -- Maximum amount of memory that the proxy-init container can use
299 limit: 20Mi
300 # -- Amount of memory that the proxy-init container requests
301 request: 20Mi
302 ephemeral-storage:
303 # -- Maximum amount of ephemeral storage that the proxy-init container can use
304 limit: ""
305 # -- Amount of ephemeral storage that the proxy-init container requests
306 request: ""
307 closeWaitTimeoutSecs: 0
308 # -- Privileged mode allows the container processes to inherit all security
309 # capabilities and bypass any security limitations enforced by the kubelet.
310 # When used with 'runAsRoot: true', the container will behave exactly as if
311 # it was running as root on the host. May escape cgroup limits and see other
312 # processes and devices on the host.
313 # @default -- false
314 privileged: false
315 # -- Allow overriding the runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>). When true, runAsUser and runAsGroup are 0 and the two values below are not used.
316 runAsRoot: false
317 # -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0
318 runAsUser: 65534
319 # -- This value is used only if runAsRoot is false; otherwise runAsGroup will be 0
320 runAsGroup: 65534
321 xtMountPath:
322 mountPath: /run
323 name: linkerd-proxy-init-xtables-lock
324
325# network validator configuration
326# This runs on a host that uses iptables to reroute network traffic. The validator
327# ensures that iptables is correctly routing requests before we start linkerd.
328networkValidator:
329 # -- Log level for the network-validator
330 # @default -- debug
331 logLevel: debug
332 # -- Log format (`plain` or `json`) for network-validator
333 # @default -- plain
334 logFormat: plain
335 # -- Address to which the network-validator will attempt to connect. We expect this connection to be rewritten, presumably by the iptables rules the validator is checking.
336 connectAddr: "1.1.1.1:20001"
337 # -- Address on which network-validator listens for requests from itself
338 listenAddr: "0.0.0.0:4140"
339 # -- Timeout before network-validator fails to validate the pod's network connectivity
340 timeout: "10s"
341 # -- Include a securityContext in the network-validator pod spec. NOTE(review): check the rendered securityContext before setting this to false, since disabling it drops those settings from the pod spec.
342 enableSecurityContext: true
343
344# -- For Private docker registries, authentication is needed.
345# Registry secrets are applied to the respective service accounts
346imagePullSecrets: []
347# - name: my-private-docker-registry-login-secret
348
349# -- Allow proxies to perform transparent HTTP/2 upgrading
350enableH2Upgrade: true
351
352# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note
353# PSP has been deprecated since k8s v1.21
354enablePSP: false
355
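356# -- Failure policy for the proxy injector. With `Ignore`, pods are still admitted when the injector webhook cannot be reached, so they start without the proxy; `Fail` rejects them instead.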
357webhookFailurePolicy: Ignore
358
359# controllerImage -- Docker image for the destination and identity components
360controllerImage: cr.l5d.io/linkerd/controller
361# -- Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage.
362controllerImageVersion: ""
363
364# -- Number of replicas for each control plane pod
365controllerReplicas: 1
366# -- User ID for the control plane components
367controllerUID: 2103
368# -- (int) Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0)
369controllerGID: -1
370
371# destination configuration
372# set resources for the sp-validator and its linkerd proxy respectively
373# see proxy.resources for details.
374# destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields)
375#destinationResources:
376# destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy injected into destination pod (see `proxy.resources` for sub-fields)
377#destinationProxyResources:
378
379destinationController:
380 meshedHttp2ClientProtobuf:
381 keep_alive:
382 interval:
383 seconds: 10
384 timeout:
385 seconds: 3
386 while_idle: true
387
388# debug configuration
389debugContainer:
390 image:
391 # -- Docker image for the debug container
392 name: cr.l5d.io/linkerd/debug
393 # -- Pull policy for the debug container image
394 # @default -- imagePullPolicy
395 pullPolicy: ""
396 # -- Tag for the debug container image
397 # @default -- linkerdVersion
398 version: ""
399
400identity:
401 # -- Set to true if the linkerd-identity-trust-roots ConfigMap has already been created
402 externalCA: false
403
404 # -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token
405 serviceAccountTokenProjection: true
406
407 issuer:
408 scheme: linkerd.io/tls
409
410 # -- Amount of time to allow for clock skew within a Linkerd cluster
411 clockSkewAllowance: 20s
412
413 # -- Amount of time for which the Identity issuer should certify identity
414 issuanceLifetime: 24h0m0s
415
416 # -- Which scheme is used for the identity issuer secret format. NOTE(review): this sentence appears to describe `scheme` above rather than `tls`; confirm its placement.
417 tls:
418 # -- Issuer certificate (ECDSA). It must be provided during install.
419 crtPEM: |
420
421 # -- Key for the issuer certificate (ECDSA). It must be provided during
422 # install. This is private key material: supply it at install time from a secret store and keep it out of version-controlled values files.
423 keyPEM: |
424
425 kubeAPI: *kubeapi
426
427# -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields)
428#identityResources:
429# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields)
430#identityProxyResources:
431
432# heartbeat configuration
433# disableHeartBeat -- Set to true to not start the heartbeat cronjob
434disableHeartBeat: false
435# -- Config for the heartbeat cronjob
436# heartbeatSchedule: "0 0 * * *"
437
438# proxy injector configuration
439proxyInjector:
440 # -- Timeout in seconds before the API Server cancels a request to the proxy
441 # injector. If the timeout is exceeded, the webhookFailurePolicy is applied.
442 timeoutSeconds: 10
443 # -- Do not create a secret resource for the proxyInjector webhook.
444 # If this is set to `true`, the value `proxyInjector.caBundle` must be set
445 # or the ca bundle must be injected with cert-manager ca injector using
446 # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below).
447 externalSecret: false
448
449 # -- Namespace selector used by admission webhook.
450 namespaceSelector:
451 matchExpressions:
452 - key: config.linkerd.io/admission-webhooks
453 operator: NotIn
454 values:
455 - disabled
456 - key: kubernetes.io/metadata.name
457 operator: NotIn
458 values:
459 - kube-system
460 - cert-manager
461
462 # -- Object selector used by admission webhook.
463 objectSelector:
464 matchExpressions:
465 - key: linkerd.io/control-plane-component
466 operator: DoesNotExist
467 - key: linkerd.io/cni-resource
468 operator: DoesNotExist
469
470 # -- Certificate for the proxy injector. If not provided and not using an external secret
471 # then Helm will generate one.
472 crtPEM: |
473
474 # -- Certificate key for the proxy injector. If not provided and not using an external secret
475 # then Helm will generate one.
476 keyPEM: |
477
478 # -- Bundle of CA certificates for proxy injector.
479 # If not provided nor injected with cert-manager,
480 # then Helm will use the certificate generated for `proxyInjector.crtPEM`.
481 # If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or
482 # injectCaFromSecret must be set, as no certificate will be generated.
483 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
484 caBundle: |
485
486 # -- Inject the CA bundle from a cert-manager Certificate.
487 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
488 # for more information.
489 injectCaFrom: ""
490
491 # -- Inject the CA bundle from a Secret.
492 # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
493 # The Secret must have the CA Bundle stored in the `ca.crt` key and have
494 # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
495 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
496 # for more information.
497 injectCaFromSecret: ""
498
499# -|- CPU, Memory and Ephemeral Storage resources required by the proxy injector (see
500#`proxy.resources` for sub-fields)
501#proxyInjectorResources:
502#-|- CPU, Memory and Ephemeral Storage resources required by proxy injected into the proxy injector
503#pod (see `proxy.resources` for sub-fields)
504#proxyInjectorProxyResources:
505
506# service profile validator configuration
507profileValidator:
508 # -- Do not create a secret resource for the profileValidator webhook.
509 # If this is set to `true`, the value `profileValidator.caBundle` must be set
510 # or the ca bundle must be injected with cert-manager ca injector using
511 # `profileValidator.injectCaFrom` or `profileValidator.injectCaFromSecret` (see below).
512 externalSecret: false
513
514 # -- Namespace selector used by admission webhook
515 namespaceSelector:
516 matchExpressions:
517 - key: config.linkerd.io/admission-webhooks
518 operator: NotIn
519 values:
520 - disabled
521
522 # -- Certificate for the service profile validator. If not provided and not using an external secret
523 # then Helm will generate one.
524 crtPEM: |
525
526 # -- Certificate key for the service profile validator. If not provided and not using an external secret
527 # then Helm will generate one.
528 keyPEM: |
529
530 # -- Bundle of CA certificates for the service profile validator.
531 # If not provided nor injected with cert-manager,
532 # then Helm will use the certificate generated for `profileValidator.crtPEM`.
533 # If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or
534 # injectCaFromSecret must be set, as no certificate will be generated.
535 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
536 caBundle: |
537
538 # -- Inject the CA bundle from a cert-manager Certificate.
539 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
540 # for more information.
541 injectCaFrom: ""
542
543 # -- Inject the CA bundle from a Secret.
544 # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
545 # The Secret must have the CA Bundle stored in the `ca.crt` key and have
546 # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
547 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
548 # for more information.
549 injectCaFromSecret: ""
550
551# policy validator configuration
552policyValidator:
553 # -- Do not create a secret resource for the policyValidator webhook.
554 # If this is set to `true`, the value `policyValidator.caBundle` must be set
555 # or the ca bundle must be injected with cert-manager ca injector using
556 # `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below).
557 externalSecret: false
558
559 # -- Namespace selector used by admission webhook
560 namespaceSelector:
561 matchExpressions:
562 - key: config.linkerd.io/admission-webhooks
563 operator: NotIn
564 values:
565 - disabled
566
567 # -- Certificate for the policy validator. If not provided and not using an external secret
568 # then Helm will generate one.
569 crtPEM: |
570
571 # -- Certificate key for the policy validator. If not provided and not using an external secret
572 # then Helm will generate one.
573 keyPEM: |
574
575 # -- Bundle of CA certificates for the policy validator.
576 # If not provided nor injected with cert-manager,
577 # then Helm will use the certificate generated for `policyValidator.crtPEM`.
578 # If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or
579 # injectCaFromSecret must be set, as no certificate will be generated.
580 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
581 caBundle: |
582
583 # -- Inject the CA bundle from a cert-manager Certificate.
584 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
585 # for more information.
586 injectCaFrom: ""
587
588 # -- Inject the CA bundle from a Secret.
589 # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
590 # The Secret must have the CA Bundle stored in the `ca.crt` key and have
591 # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
592 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
593 # for more information.
594 injectCaFromSecret: ""
595
596# -- NodeSelector section, See the [K8S
597# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
598# for more information
599nodeSelector:
600 kubernetes.io/os: linux
601
602# -|- CPU, Memory and Ephemeral Storage resources required by the SP validator (see
603#`proxy.resources` for sub-fields)
604#spValidatorResources:
605
606# -|- Tolerations section, See the
607# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
608# for more information
609#tolerations:
610
611# -|- NodeAffinity section, See the
612# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
613# for more information
614#nodeAffinity:
615
616# -- url of external prometheus instance (used for the heartbeat)
617prometheusUrl: ""
618
619# Prometheus Operator PodMonitor configuration
620podMonitor:
621 # -- Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor)
622 enabled: false
623 # -- Interval at which metrics should be scraped
624 scrapeInterval: 10s
625 # -- Timeout after which the scrape is ended
626 scrapeTimeout: 10s
627 # -- Labels to apply to all pod Monitors
628 labels: {}
629 controller:
630 # -- Enables the creation of PodMonitor for the control-plane
631 enabled: true
632 # -- Selector to select which namespaces the Endpoints objects are discovered from
633 namespaceSelector: |
634 matchNames:
635 - {{ .Release.Namespace }}
636 - linkerd-viz
637 - linkerd-jaeger
638 serviceMirror:
639 # -- Enables the creation of PodMonitor for the Service Mirror component
640 enabled: true
641 proxy:
642 # -- Enables the creation of PodMonitor for the data-plane
643 enabled: true