1apiVersion: apps/v1
2kind: Deployment
3metadata:
4 name: web
5 namespace: emojivoto
6spec:
7 replicas: 1
8 selector:
9 matchLabels:
10 app: web-svc
11 template:
12 metadata:
13 annotations:
14 config.linkerd.io/admin-port: "9998"
15 config.linkerd.io/proxy-cpu-limit: "1"
16 config.linkerd.io/proxy-cpu-request: "0.5"
17 config.linkerd.io/proxy-memory-limit: 256Mi
18 config.linkerd.io/proxy-memory-request: 64Mi
19 config.linkerd.io/proxy-version: override
20 config.linkerd.io/skip-inbound-ports: 7777,8888
21 config.linkerd.io/skip-outbound-ports: "9999"
22 linkerd.io/created-by: linkerd/cli dev-undefined
23 linkerd.io/proxy-version: override
24 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
25 labels:
26 app: web-svc
27 linkerd.io/control-plane-ns: linkerd
28 linkerd.io/proxy-deployment: web
29 linkerd.io/workload-ns: emojivoto
30 spec:
31 containers:
32 - env:
33 - name: _pod_name
34 valueFrom:
35 fieldRef:
36 fieldPath: metadata.name
37 - name: _pod_ns
38 valueFrom:
39 fieldRef:
40 fieldPath: metadata.namespace
41 - name: _pod_nodeName
42 valueFrom:
43 fieldRef:
44 fieldPath: spec.nodeName
45 - name: LINKERD2_PROXY_CORES
46 value: "1"
47 - name: LINKERD2_PROXY_LOG
48 value: warn,linkerd=info,trust_dns=error
49 - name: LINKERD2_PROXY_LOG_FORMAT
50 value: plain
51 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
52 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
53 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
54 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
55 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
56 value: linkerd-policy.linkerd.svc.cluster.local.:8090
57 - name: LINKERD2_PROXY_POLICY_WORKLOAD
58 value: |
59 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
60 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
61 value: all-unauthenticated
62 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
63 value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
64 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
65 value: 3s
66 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
67 value: 5m
68 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
69 value: 1h
70 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
71 value: 100ms
72 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
73 value: 1000ms
74 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
75 value: 5s
76 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
77 value: 90s
78 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
79 value: '[::]:4190'
80 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
81 value: '[::]:9998'
82 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
83 value: 127.0.0.1:4140
84 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
85 value: 127.0.0.1:4140
86 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
87 value: '[::]:4143'
88 - name: LINKERD2_PROXY_INBOUND_IPS
89 valueFrom:
90 fieldRef:
91 fieldPath: status.podIPs
92 - name: LINKERD2_PROXY_INBOUND_PORTS
93 value: "80"
94 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
95 value: svc.cluster.local.
96 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
97 value: 10000ms
98 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
99 value: 10000ms
100 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
101 value: 10s
102 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
103 value: 3s
104 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
105 value: 10s
106 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
107 value: 3s
108 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
109 value: 25,587,3306,4444,5432,6379,9300,11211
110 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
111 value: |
112 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
113 - name: _pod_sa
114 valueFrom:
115 fieldRef:
116 fieldPath: spec.serviceAccountName
117 - name: _l5d_ns
118 value: linkerd
119 - name: _l5d_trustdomain
120 value: cluster.local
121 - name: LINKERD2_PROXY_IDENTITY_DIR
122 value: /var/run/linkerd/identity/end-entity
123 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
124 value: |
125 -----BEGIN CERTIFICATE-----
126 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
127 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
128 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
129 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
130 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
131 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
132 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
133 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
134 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
135 vgUC0d2/9FMueIVMb+46WTCOjsqr
136 -----END CERTIFICATE-----
137 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
138 value: /var/run/secrets/tokens/linkerd-identity-token
139 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
140 value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
141 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
142 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
143 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
144 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
145 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
146 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
147 - name: LINKERD2_PROXY_POLICY_SVC_NAME
148 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
149 image: cr.l5d.io/linkerd/proxy:override
150 imagePullPolicy: IfNotPresent
151 lifecycle:
152 postStart:
153 exec:
154 command:
155 - /usr/lib/linkerd/linkerd-await
156 - --timeout=2m
157 - --port=9998
158 livenessProbe:
159 httpGet:
160 path: /live
161 port: 9998
162 initialDelaySeconds: 10
163 timeoutSeconds: 1
164 name: linkerd-proxy
165 ports:
166 - containerPort: 4143
167 name: linkerd-proxy
168 - containerPort: 9998
169 name: linkerd-admin
170 readinessProbe:
171 httpGet:
172 path: /ready
173 port: 9998
174 initialDelaySeconds: 2
175 timeoutSeconds: 1
176 resources:
177 limits:
178 cpu: "1"
179 memory: 256Mi
180 requests:
181 cpu: 500m
182 memory: 64Mi
183 securityContext:
184 allowPrivilegeEscalation: false
185 readOnlyRootFilesystem: true
186 runAsNonRoot: true
187 runAsUser: 2102
188 seccompProfile:
189 type: RuntimeDefault
190 terminationMessagePolicy: FallbackToLogsOnError
191 volumeMounts:
192 - mountPath: /var/run/linkerd/identity/end-entity
193 name: linkerd-identity-end-entity
194 - mountPath: /var/run/secrets/tokens
195 name: linkerd-identity-token
196 - env:
197 - name: WEB_PORT
198 value: "80"
199 - name: EMOJISVC_HOST
200 value: emoji-svc.emojivoto:8080
201 - name: VOTINGSVC_HOST
202 value: voting-svc.emojivoto:8080
203 - name: INDEX_BUNDLE
204 value: dist/index_bundle.js
205 image: buoyantio/emojivoto-web:v10
206 name: web-svc
207 ports:
208 - containerPort: 80
209 name: http
210 initContainers:
211 - args:
212 - --ipv6=false
213 - --incoming-proxy-port
214 - "4143"
215 - --outgoing-proxy-port
216 - "4140"
217 - --proxy-uid
218 - "2102"
219 - --inbound-ports-to-ignore
220 - 4190,9998,7777,8888
221 - --outbound-ports-to-ignore
222 - "9999"
223 image: cr.l5d.io/linkerd/proxy-init:v2.4.0
224 imagePullPolicy: IfNotPresent
225 name: linkerd-init
226 resources:
227 limits:
228 cpu: 100m
229 memory: 20Mi
230 requests:
231 cpu: 100m
232 memory: 20Mi
233 securityContext:
234 allowPrivilegeEscalation: false
235 capabilities:
236 add:
237 - NET_ADMIN
238 - NET_RAW
239 privileged: false
240 readOnlyRootFilesystem: true
241 runAsGroup: 65534
242 runAsNonRoot: true
243 runAsUser: 65534
244 seccompProfile:
245 type: RuntimeDefault
246 terminationMessagePolicy: FallbackToLogsOnError
247 volumeMounts:
248 - mountPath: /run
249 name: linkerd-proxy-init-xtables-lock
250 volumes:
251 - emptyDir: {}
252 name: linkerd-proxy-init-xtables-lock
253 - emptyDir:
254 medium: Memory
255 name: linkerd-identity-end-entity
256 - name: linkerd-identity-token
257 projected:
258 sources:
259 - serviceAccountToken:
260 audience: identity.l5d.io
261 expirationSeconds: 86400
262 path: linkerd-identity-token
263---
View as plain text