1apiVersion: apps/v1
2kind: Deployment
3metadata:
4 name: web1
5 namespace: emojivoto
6spec:
7 replicas: 1
8 selector:
9 matchLabels:
10 app: web-svc
11 template:
12 metadata:
13 annotations:
14 linkerd.io/created-by: linkerd/cli dev-undefined
15 linkerd.io/proxy-version: test-inject-proxy-version
16 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
17 labels:
18 app: web-svc
19 linkerd.io/control-plane-ns: linkerd
20 linkerd.io/proxy-deployment: web1
21 linkerd.io/workload-ns: emojivoto
22 spec:
23 containers:
24 - env:
25 - name: _pod_name
26 valueFrom:
27 fieldRef:
28 fieldPath: metadata.name
29 - name: _pod_ns
30 valueFrom:
31 fieldRef:
32 fieldPath: metadata.namespace
33 - name: _pod_nodeName
34 valueFrom:
35 fieldRef:
36 fieldPath: spec.nodeName
37 - name: LINKERD2_PROXY_LOG
38 value: warn,linkerd=info,trust_dns=error
39 - name: LINKERD2_PROXY_LOG_FORMAT
40 value: plain
41 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
42 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
43 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
44 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
45 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
46 value: linkerd-policy.linkerd.svc.cluster.local.:8090
47 - name: LINKERD2_PROXY_POLICY_WORKLOAD
48 value: |
49 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
50 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
51 value: all-unauthenticated
52 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
53 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
54 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
55 value: 3s
56 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
57 value: 5m
58 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
59 value: 1h
60 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
61 value: 100ms
62 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
63 value: 1000ms
64 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
65 value: 5s
66 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
67 value: 90s
68 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
69 value: '[::]:4190'
70 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
71 value: '[::]:4191'
72 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
73 value: 127.0.0.1:4140
74 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
75 value: 127.0.0.1:4140
76 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
77 value: '[::]:4143'
78 - name: LINKERD2_PROXY_INBOUND_IPS
79 valueFrom:
80 fieldRef:
81 fieldPath: status.podIPs
82 - name: LINKERD2_PROXY_INBOUND_PORTS
83 value: "80"
84 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
85 value: svc.cluster.local.
86 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
87 value: 10000ms
88 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
89 value: 10000ms
90 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
91 value: 10s
92 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
93 value: 3s
94 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
95 value: 10s
96 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
97 value: 3s
98 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
99 value: 25,587,3306,4444,5432,6379,9300,11211
100 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
101 value: |
102 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
103 - name: _pod_sa
104 valueFrom:
105 fieldRef:
106 fieldPath: spec.serviceAccountName
107 - name: _l5d_ns
108 value: linkerd
109 - name: _l5d_trustdomain
110 value: cluster.local
111 - name: LINKERD2_PROXY_IDENTITY_DIR
112 value: /var/run/linkerd/identity/end-entity
113 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
114 value: |
115 -----BEGIN CERTIFICATE-----
116 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
117 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
118 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
119 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
120 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
121 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
122 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
123 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
124 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
125 vgUC0d2/9FMueIVMb+46WTCOjsqr
126 -----END CERTIFICATE-----
127 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
128 value: /var/run/secrets/tokens/linkerd-identity-token
129 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
130 value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
131 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
132 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
133 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
134 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
135 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
136 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
137 - name: LINKERD2_PROXY_POLICY_SVC_NAME
138 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
139 image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
140 imagePullPolicy: IfNotPresent
141 lifecycle:
142 postStart:
143 exec:
144 command:
145 - /usr/lib/linkerd/linkerd-await
146 - --timeout=2m
147 - --port=4191
148 livenessProbe:
149 httpGet:
150 path: /live
151 port: 4191
152 initialDelaySeconds: 10
153 timeoutSeconds: 1
154 name: linkerd-proxy
155 ports:
156 - containerPort: 4143
157 name: linkerd-proxy
158 - containerPort: 4191
159 name: linkerd-admin
160 readinessProbe:
161 httpGet:
162 path: /ready
163 port: 4191
164 initialDelaySeconds: 2
165 timeoutSeconds: 1
166 securityContext:
167 allowPrivilegeEscalation: false
168 readOnlyRootFilesystem: true
169 runAsNonRoot: true
170 runAsUser: 2102
171 seccompProfile:
172 type: RuntimeDefault
173 terminationMessagePolicy: FallbackToLogsOnError
174 volumeMounts:
175 - mountPath: /var/run/linkerd/identity/end-entity
176 name: linkerd-identity-end-entity
177 - mountPath: /var/run/secrets/tokens
178 name: linkerd-identity-token
179 - env:
180 - name: WEB_PORT
181 value: "80"
182 - name: EMOJISVC_HOST
183 value: emoji-svc.emojivoto:8080
184 - name: VOTINGSVC_HOST
185 value: voting-svc.emojivoto:8080
186 - name: INDEX_BUNDLE
187 value: dist/index_bundle.js
188 image: buoyantio/emojivoto-web:v10
189 name: web-svc
190 ports:
191 - containerPort: 80
192 name: http
193 initContainers:
194 - args:
195 - --ipv6=false
196 - --incoming-proxy-port
197 - "4143"
198 - --outgoing-proxy-port
199 - "4140"
200 - --proxy-uid
201 - "2102"
202 - --inbound-ports-to-ignore
203 - 4190,4191,4567,4568
204 - --outbound-ports-to-ignore
205 - 4567,4568
206 image: cr.l5d.io/linkerd/proxy-init:v2.4.0
207 imagePullPolicy: IfNotPresent
208 name: linkerd-init
209 resources:
210 limits:
211 cpu: 100m
212 memory: 20Mi
213 requests:
214 cpu: 100m
215 memory: 20Mi
216 securityContext:
217 allowPrivilegeEscalation: false
218 capabilities:
219 add:
220 - NET_ADMIN
221 - NET_RAW
222 privileged: false
223 readOnlyRootFilesystem: true
224 runAsGroup: 65534
225 runAsNonRoot: true
226 runAsUser: 65534
227 seccompProfile:
228 type: RuntimeDefault
229 terminationMessagePolicy: FallbackToLogsOnError
230 volumeMounts:
231 - mountPath: /run
232 name: linkerd-proxy-init-xtables-lock
233 volumes:
234 - emptyDir: {}
235 name: linkerd-proxy-init-xtables-lock
236 - emptyDir:
237 medium: Memory
238 name: linkerd-identity-end-entity
239 - name: linkerd-identity-token
240 projected:
241 sources:
242 - serviceAccountToken:
243 audience: identity.l5d.io
244 expirationSeconds: 86400
245 path: linkerd-identity-token
246---
247apiVersion: apps/v1
248kind: Deployment
249metadata:
250 name: web2
251 namespace: emojivoto
252spec:
253 replicas: 1
254 selector:
255 matchLabels:
256 app: web-svc
257 template:
258 metadata:
259 annotations:
260 linkerd.io/created-by: linkerd/cli dev-undefined
261 linkerd.io/proxy-version: test-inject-proxy-version
262 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
263 labels:
264 app: web-svc
265 linkerd.io/control-plane-ns: linkerd
266 linkerd.io/proxy-deployment: web2
267 linkerd.io/workload-ns: emojivoto
268 spec:
269 containers:
270 - env:
271 - name: _pod_name
272 valueFrom:
273 fieldRef:
274 fieldPath: metadata.name
275 - name: _pod_ns
276 valueFrom:
277 fieldRef:
278 fieldPath: metadata.namespace
279 - name: _pod_nodeName
280 valueFrom:
281 fieldRef:
282 fieldPath: spec.nodeName
283 - name: LINKERD2_PROXY_LOG
284 value: warn,linkerd=info,trust_dns=error
285 - name: LINKERD2_PROXY_LOG_FORMAT
286 value: plain
287 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
288 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
289 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
290 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
291 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
292 value: linkerd-policy.linkerd.svc.cluster.local.:8090
293 - name: LINKERD2_PROXY_POLICY_WORKLOAD
294 value: |
295 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
296 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
297 value: all-unauthenticated
298 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
299 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
300 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
301 value: 3s
302 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
303 value: 5m
304 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
305 value: 1h
306 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
307 value: 100ms
308 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
309 value: 1000ms
310 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
311 value: 5s
312 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
313 value: 90s
314 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
315 value: '[::]:4190'
316 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
317 value: '[::]:4191'
318 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
319 value: 127.0.0.1:4140
320 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
321 value: 127.0.0.1:4140
322 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
323 value: '[::]:4143'
324 - name: LINKERD2_PROXY_INBOUND_IPS
325 valueFrom:
326 fieldRef:
327 fieldPath: status.podIPs
328 - name: LINKERD2_PROXY_INBOUND_PORTS
329 value: "80"
330 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
331 value: svc.cluster.local.
332 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
333 value: 10000ms
334 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
335 value: 10000ms
336 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
337 value: 10s
338 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
339 value: 3s
340 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
341 value: 10s
342 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
343 value: 3s
344 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
345 value: 25,587,3306,4444,5432,6379,9300,11211
346 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
347 value: |
348 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
349 - name: _pod_sa
350 valueFrom:
351 fieldRef:
352 fieldPath: spec.serviceAccountName
353 - name: _l5d_ns
354 value: linkerd
355 - name: _l5d_trustdomain
356 value: cluster.local
357 - name: LINKERD2_PROXY_IDENTITY_DIR
358 value: /var/run/linkerd/identity/end-entity
359 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
360 value: |
361 -----BEGIN CERTIFICATE-----
362 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
363 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
364 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
365 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
366 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
367 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
368 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
369 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
370 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
371 vgUC0d2/9FMueIVMb+46WTCOjsqr
372 -----END CERTIFICATE-----
373 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
374 value: /var/run/secrets/tokens/linkerd-identity-token
375 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
376 value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
377 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
378 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
379 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
380 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
381 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
382 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
383 - name: LINKERD2_PROXY_POLICY_SVC_NAME
384 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
385 image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
386 imagePullPolicy: IfNotPresent
387 lifecycle:
388 postStart:
389 exec:
390 command:
391 - /usr/lib/linkerd/linkerd-await
392 - --timeout=2m
393 - --port=4191
394 livenessProbe:
395 httpGet:
396 path: /live
397 port: 4191
398 initialDelaySeconds: 10
399 timeoutSeconds: 1
400 name: linkerd-proxy
401 ports:
402 - containerPort: 4143
403 name: linkerd-proxy
404 - containerPort: 4191
405 name: linkerd-admin
406 readinessProbe:
407 httpGet:
408 path: /ready
409 port: 4191
410 initialDelaySeconds: 2
411 timeoutSeconds: 1
412 securityContext:
413 allowPrivilegeEscalation: false
414 readOnlyRootFilesystem: true
415 runAsNonRoot: true
416 runAsUser: 2102
417 seccompProfile:
418 type: RuntimeDefault
419 terminationMessagePolicy: FallbackToLogsOnError
420 volumeMounts:
421 - mountPath: /var/run/linkerd/identity/end-entity
422 name: linkerd-identity-end-entity
423 - mountPath: /var/run/secrets/tokens
424 name: linkerd-identity-token
425 - env:
426 - name: WEB_PORT
427 value: "80"
428 - name: EMOJISVC_HOST
429 value: emoji-svc.emojivoto:8080
430 - name: VOTINGSVC_HOST
431 value: voting-svc.emojivoto:8080
432 - name: INDEX_BUNDLE
433 value: dist/index_bundle.js
434 image: buoyantio/emojivoto-web:v10
435 name: web-svc
436 ports:
437 - containerPort: 80
438 name: http
439 initContainers:
440 - args:
441 - --ipv6=false
442 - --incoming-proxy-port
443 - "4143"
444 - --outgoing-proxy-port
445 - "4140"
446 - --proxy-uid
447 - "2102"
448 - --inbound-ports-to-ignore
449 - 4190,4191,4567,4568
450 - --outbound-ports-to-ignore
451 - 4567,4568
452 image: cr.l5d.io/linkerd/proxy-init:v2.4.0
453 imagePullPolicy: IfNotPresent
454 name: linkerd-init
455 resources:
456 limits:
457 cpu: 100m
458 memory: 20Mi
459 requests:
460 cpu: 100m
461 memory: 20Mi
462 securityContext:
463 allowPrivilegeEscalation: false
464 capabilities:
465 add:
466 - NET_ADMIN
467 - NET_RAW
468 privileged: false
469 readOnlyRootFilesystem: true
470 runAsGroup: 65534
471 runAsNonRoot: true
472 runAsUser: 65534
473 seccompProfile:
474 type: RuntimeDefault
475 terminationMessagePolicy: FallbackToLogsOnError
476 volumeMounts:
477 - mountPath: /run
478 name: linkerd-proxy-init-xtables-lock
479 volumes:
480 - emptyDir: {}
481 name: linkerd-proxy-init-xtables-lock
482 - emptyDir:
483 medium: Memory
484 name: linkerd-identity-end-entity
485 - name: linkerd-identity-token
486 projected:
487 sources:
488 - serviceAccountToken:
489 audience: identity.l5d.io
490 expirationSeconds: 86400
491 path: linkerd-identity-token
492---
493apiVersion: apps/v1
494kind: Deployment
495metadata:
496 name: web3
497 namespace: emojivoto
498spec:
499 replicas: 1
500 selector:
501 matchLabels:
502 app: web-svc
503 template:
504 metadata:
505 annotations:
506 linkerd.io/created-by: linkerd/cli dev-undefined
507 linkerd.io/proxy-version: test-inject-proxy-version
508 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
509 labels:
510 app: web-svc
511 linkerd.io/control-plane-ns: linkerd
512 linkerd.io/proxy-deployment: web3
513 linkerd.io/workload-ns: emojivoto
514 spec:
515 containers:
516 - env:
517 - name: _pod_name
518 valueFrom:
519 fieldRef:
520 fieldPath: metadata.name
521 - name: _pod_ns
522 valueFrom:
523 fieldRef:
524 fieldPath: metadata.namespace
525 - name: _pod_nodeName
526 valueFrom:
527 fieldRef:
528 fieldPath: spec.nodeName
529 - name: LINKERD2_PROXY_LOG
530 value: warn,linkerd=info,trust_dns=error
531 - name: LINKERD2_PROXY_LOG_FORMAT
532 value: plain
533 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
534 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
535 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
536 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
537 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
538 value: linkerd-policy.linkerd.svc.cluster.local.:8090
539 - name: LINKERD2_PROXY_POLICY_WORKLOAD
540 value: |
541 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
542 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
543 value: all-unauthenticated
544 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
545 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
546 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
547 value: 3s
548 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
549 value: 5m
550 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
551 value: 1h
552 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
553 value: 100ms
554 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
555 value: 1000ms
556 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
557 value: 5s
558 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
559 value: 90s
560 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
561 value: '[::]:4190'
562 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
563 value: '[::]:4191'
564 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
565 value: 127.0.0.1:4140
566 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
567 value: 127.0.0.1:4140
568 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
569 value: '[::]:4143'
570 - name: LINKERD2_PROXY_INBOUND_IPS
571 valueFrom:
572 fieldRef:
573 fieldPath: status.podIPs
574 - name: LINKERD2_PROXY_INBOUND_PORTS
575 value: "80"
576 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
577 value: svc.cluster.local.
578 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
579 value: 10000ms
580 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
581 value: 10000ms
582 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
583 value: 10s
584 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
585 value: 3s
586 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
587 value: 10s
588 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
589 value: 3s
590 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
591 value: 25,587,3306,4444,5432,6379,9300,11211
592 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
593 value: |
594 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
595 - name: _pod_sa
596 valueFrom:
597 fieldRef:
598 fieldPath: spec.serviceAccountName
599 - name: _l5d_ns
600 value: linkerd
601 - name: _l5d_trustdomain
602 value: cluster.local
603 - name: LINKERD2_PROXY_IDENTITY_DIR
604 value: /var/run/linkerd/identity/end-entity
605 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
606 value: |
607 -----BEGIN CERTIFICATE-----
608 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
609 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
610 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
611 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
612 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
613 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
614 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
615 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
616 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
617 vgUC0d2/9FMueIVMb+46WTCOjsqr
618 -----END CERTIFICATE-----
619 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
620 value: /var/run/secrets/tokens/linkerd-identity-token
621 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
622 value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
623 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
624 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
625 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
626 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
627 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
628 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
629 - name: LINKERD2_PROXY_POLICY_SVC_NAME
630 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
631 image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
632 imagePullPolicy: IfNotPresent
633 lifecycle:
634 postStart:
635 exec:
636 command:
637 - /usr/lib/linkerd/linkerd-await
638 - --timeout=2m
639 - --port=4191
640 livenessProbe:
641 httpGet:
642 path: /live
643 port: 4191
644 initialDelaySeconds: 10
645 timeoutSeconds: 1
646 name: linkerd-proxy
647 ports:
648 - containerPort: 4143
649 name: linkerd-proxy
650 - containerPort: 4191
651 name: linkerd-admin
652 readinessProbe:
653 httpGet:
654 path: /ready
655 port: 4191
656 initialDelaySeconds: 2
657 timeoutSeconds: 1
658 securityContext:
659 allowPrivilegeEscalation: false
660 readOnlyRootFilesystem: true
661 runAsNonRoot: true
662 runAsUser: 2102
663 seccompProfile:
664 type: RuntimeDefault
665 terminationMessagePolicy: FallbackToLogsOnError
666 volumeMounts:
667 - mountPath: /var/run/linkerd/identity/end-entity
668 name: linkerd-identity-end-entity
669 - mountPath: /var/run/secrets/tokens
670 name: linkerd-identity-token
671 - env:
672 - name: WEB_PORT
673 value: "80"
674 - name: EMOJISVC_HOST
675 value: emoji-svc.emojivoto:8080
676 - name: VOTINGSVC_HOST
677 value: voting-svc.emojivoto:8080
678 - name: INDEX_BUNDLE
679 value: dist/index_bundle.js
680 image: buoyantio/emojivoto-web:v10
681 name: web-svc
682 ports:
683 - containerPort: 80
684 name: http
685 initContainers:
686 - args:
687 - --ipv6=false
688 - --incoming-proxy-port
689 - "4143"
690 - --outgoing-proxy-port
691 - "4140"
692 - --proxy-uid
693 - "2102"
694 - --inbound-ports-to-ignore
695 - 4190,4191,4567,4568
696 - --outbound-ports-to-ignore
697 - 4567,4568
698 image: cr.l5d.io/linkerd/proxy-init:v2.4.0
699 imagePullPolicy: IfNotPresent
700 name: linkerd-init
701 resources:
702 limits:
703 cpu: 100m
704 memory: 20Mi
705 requests:
706 cpu: 100m
707 memory: 20Mi
708 securityContext:
709 allowPrivilegeEscalation: false
710 capabilities:
711 add:
712 - NET_ADMIN
713 - NET_RAW
714 privileged: false
715 readOnlyRootFilesystem: true
716 runAsGroup: 65534
717 runAsNonRoot: true
718 runAsUser: 65534
719 seccompProfile:
720 type: RuntimeDefault
721 terminationMessagePolicy: FallbackToLogsOnError
722 volumeMounts:
723 - mountPath: /run
724 name: linkerd-proxy-init-xtables-lock
725 volumes:
726 - emptyDir: {}
727 name: linkerd-proxy-init-xtables-lock
728 - emptyDir:
729 medium: Memory
730 name: linkerd-identity-end-entity
731 - name: linkerd-identity-token
732 projected:
733 sources:
734 - serviceAccountToken:
735 audience: identity.l5d.io
736 expirationSeconds: 86400
737 path: linkerd-identity-token
738---
739apiVersion: apps/v1
740kind: Deployment
741metadata:
742 name: web4
743 namespace: emojivoto
744spec:
745 replicas: 1
746 selector:
747 matchLabels:
748 app: web-svc
749 template:
750 metadata:
751 annotations:
752 linkerd.io/created-by: linkerd/cli dev-undefined
753 linkerd.io/proxy-version: test-inject-proxy-version
754 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
755 labels:
756 app: web-svc
757 linkerd.io/control-plane-ns: linkerd
758 linkerd.io/proxy-deployment: web4
759 linkerd.io/workload-ns: emojivoto
760 spec:
761 containers:
762 - env:
763 - name: _pod_name
764 valueFrom:
765 fieldRef:
766 fieldPath: metadata.name
767 - name: _pod_ns
768 valueFrom:
769 fieldRef:
770 fieldPath: metadata.namespace
771 - name: _pod_nodeName
772 valueFrom:
773 fieldRef:
774 fieldPath: spec.nodeName
775 - name: LINKERD2_PROXY_LOG
776 value: warn,linkerd=info,trust_dns=error
777 - name: LINKERD2_PROXY_LOG_FORMAT
778 value: plain
779 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
780 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
781 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
782 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
783 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
784 value: linkerd-policy.linkerd.svc.cluster.local.:8090
785 - name: LINKERD2_PROXY_POLICY_WORKLOAD
786 value: |
787 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
788 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
789 value: all-unauthenticated
790 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
791 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
792 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
793 value: 3s
794 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
795 value: 5m
796 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
797 value: 1h
798 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
799 value: 100ms
800 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
801 value: 1000ms
802 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
803 value: 5s
804 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
805 value: 90s
806 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
807 value: '[::]:4190'
808 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
809 value: '[::]:4191'
810 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
811 value: 127.0.0.1:4140
812 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
813 value: 127.0.0.1:4140
814 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
815 value: '[::]:4143'
816 - name: LINKERD2_PROXY_INBOUND_IPS
817 valueFrom:
818 fieldRef:
819 fieldPath: status.podIPs
820 - name: LINKERD2_PROXY_INBOUND_PORTS
821 value: "80"
822 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
823 value: svc.cluster.local.
824 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
825 value: 10000ms
826 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
827 value: 10000ms
828 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
829 value: 10s
830 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
831 value: 3s
832 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
833 value: 10s
834 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
835 value: 3s
836 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
837 value: 25,587,3306,4444,5432,6379,9300,11211
838 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
839 value: |
840 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
841 - name: _pod_sa
842 valueFrom:
843 fieldRef:
844 fieldPath: spec.serviceAccountName
845 - name: _l5d_ns
846 value: linkerd
847 - name: _l5d_trustdomain
848 value: cluster.local
849 - name: LINKERD2_PROXY_IDENTITY_DIR
850 value: /var/run/linkerd/identity/end-entity
851 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
852 value: |
853 -----BEGIN CERTIFICATE-----
854 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
855 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
856 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
857 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
858 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
859 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
860 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
861 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
862 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
863 vgUC0d2/9FMueIVMb+46WTCOjsqr
864 -----END CERTIFICATE-----
865 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
866 value: /var/run/secrets/tokens/linkerd-identity-token
867 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
868 value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
869 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
870 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
871 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
872 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
873 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
874 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
875 - name: LINKERD2_PROXY_POLICY_SVC_NAME
876 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
877 image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
878 imagePullPolicy: IfNotPresent
879 lifecycle:
880 postStart:
881 exec:
882 command:
883 - /usr/lib/linkerd/linkerd-await
884 - --timeout=2m
885 - --port=4191
886 livenessProbe:
887 httpGet:
888 path: /live
889 port: 4191
890 initialDelaySeconds: 10
891 timeoutSeconds: 1
892 name: linkerd-proxy
893 ports:
894 - containerPort: 4143
895 name: linkerd-proxy
896 - containerPort: 4191
897 name: linkerd-admin
898 readinessProbe:
899 httpGet:
900 path: /ready
901 port: 4191
902 initialDelaySeconds: 2
903 timeoutSeconds: 1
904 securityContext:
905 allowPrivilegeEscalation: false
906 readOnlyRootFilesystem: true
907 runAsNonRoot: true
908 runAsUser: 2102
909 seccompProfile:
910 type: RuntimeDefault
911 terminationMessagePolicy: FallbackToLogsOnError
912 volumeMounts:
913 - mountPath: /var/run/linkerd/identity/end-entity
914 name: linkerd-identity-end-entity
915 - mountPath: /var/run/secrets/tokens
916 name: linkerd-identity-token
917 - env:
918 - name: WEB_PORT
919 value: "80"
920 - name: EMOJISVC_HOST
921 value: emoji-svc.emojivoto:8080
922 - name: VOTINGSVC_HOST
923 value: voting-svc.emojivoto:8080
924 - name: INDEX_BUNDLE
925 value: dist/index_bundle.js
926 image: buoyantio/emojivoto-web:v10
927 name: web-svc
928 ports:
929 - containerPort: 80
930 name: http
931 initContainers:
932 - args:
933 - --ipv6=false
934 - --incoming-proxy-port
935 - "4143"
936 - --outgoing-proxy-port
937 - "4140"
938 - --proxy-uid
939 - "2102"
940 - --inbound-ports-to-ignore
941 - 4190,4191,4567,4568
942 - --outbound-ports-to-ignore
943 - 4567,4568
944 image: cr.l5d.io/linkerd/proxy-init:v2.4.0
945 imagePullPolicy: IfNotPresent
946 name: linkerd-init
947 resources:
948 limits:
949 cpu: 100m
950 memory: 20Mi
951 requests:
952 cpu: 100m
953 memory: 20Mi
954 securityContext:
955 allowPrivilegeEscalation: false
956 capabilities:
957 add:
958 - NET_ADMIN
959 - NET_RAW
960 privileged: false
961 readOnlyRootFilesystem: true
962 runAsGroup: 65534
963 runAsNonRoot: true
964 runAsUser: 65534
965 seccompProfile:
966 type: RuntimeDefault
967 terminationMessagePolicy: FallbackToLogsOnError
968 volumeMounts:
969 - mountPath: /run
970 name: linkerd-proxy-init-xtables-lock
971 volumes:
972 - emptyDir: {}
973 name: linkerd-proxy-init-xtables-lock
974 - emptyDir:
975 medium: Memory
976 name: linkerd-identity-end-entity
977 - name: linkerd-identity-token
978 projected:
979 sources:
980 - serviceAccountToken:
981 audience: identity.l5d.io
982 expirationSeconds: 86400
983 path: linkerd-identity-token
984---
View as plain text