---
# Deployment `controller` (namespace `emojivoto`) whose pod template already
# carries the Linkerd data plane: the linkerd-proxy sidecar, the linkerd-init
# init container and the identity volumes.
# NOTE(review): the created-by / proxy-version values look like test
# placeholders, so this is presumably an injection test fixture - confirm
# before reusing any value from it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller
  namespace: emojivoto
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web-svc
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: test-inject-proxy-version
        # Presumably a fingerprint of the trust anchor passed to the proxy in
        # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS below - verify. Quoted so the
        # digest can never be retyped by a parser.
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
      labels:
        app: web-svc
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: controller
        linkerd.io/workload-ns: emojivoto
    spec:
      containers:
        # Sidecar proxy. Every setting is handed over as an environment
        # variable.
        - env:
            # Downward-API values; referenced further down as $(_pod_ns),
            # $(_pod_name) and $(_pod_nodeName).
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: warn,linkerd=info,trust_dns=error
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: plain
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Default inbound policy: connections are accepted from any
            # client, including ones that present no mesh identity.
            # NOTE(review): a workload that must only be reachable over mTLS
            # needs a stricter default or explicit authorization policy.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: 3s
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: 5m
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: 1h
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: 100ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: 1000ms
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: 5s
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: 90s
            # Control (4190), admin (4191) and inbound (4143) listeners bind
            # to all addresses; only the outbound listener (4140) is
            # loopback-only. The probes below are served by the admin port.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: 127.0.0.1:4140
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: 127.0.0.1:4140
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            # Same port the web-svc container declares (containerPort 80).
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '80'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: 10s
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: 3s
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: 10s
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: 3s
            # Inbound ports on which protocol detection is switched off.
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: 25,587,3306,4444,5432,6379,9300,11211
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Same path as the memory-backed emptyDir mounted below.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchor as a PEM certificate block: public material only,
            # no private key is embedded in this manifest.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              value: |
                -----BEGIN CERTIFICATE-----
                MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
                JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
                MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
                ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
                l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
                uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
                /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
                aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
                IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
                vgUC0d2/9FMueIVMb+46WTCOjsqr
                -----END CERTIFICATE-----
            # File inside the projected service-account token volume mounted
            # at /var/run/secrets/tokens.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            # The proxy's own identity name is assembled from the pod's
            # service account and namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            # The policy service is given the linkerd-destination identity
            # name although its address above is linkerd-policy.
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
          imagePullPolicy: IfNotPresent
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Non-root (UID 2102), read-only root filesystem, no privilege
          # escalation, runtime-default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # Application container.
        # NOTE(review): unlike the two Linkerd containers it sets no
        # securityContext and no resources, and its image is referenced by
        # tag rather than by digest.
        - env:
            - name: WEB_PORT
              value: '80'
            - name: EMOJISVC_HOST
              value: emoji-svc.emojivoto:8080
            - name: VOTINGSVC_HOST
              value: voting-svc.emojivoto:8080
            - name: INDEX_BUNDLE
              value: dist/index_bundle.js
          image: buoyantio/emojivoto-web:v10
          name: web-svc
          ports:
            - containerPort: 80
              name: http
      initContainers:
        # proxy-init container: receives the inbound (4143) and outbound
        # (4140) proxy ports and the proxy UID.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - '4143'
            - --outgoing-proxy-port
            - '4140'
            # Same UID as runAsUser on the linkerd-proxy container.
            - --proxy-uid
            - '2102'
            # Ports on these two lists are skipped by the redirect rules, so
            # traffic on them does not pass through linkerd-proxy and gets
            # no mTLS or policy enforcement from it.
            - --inbound-ports-to-ignore
            - 4190,4191,4567,4568
            - --outbound-ports-to-ignore
            - 4567,4568
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: 100m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 20Mi
          # Unprivileged and non-root (65534), but with NET_ADMIN and NET_RAW
          # added: the only extra capabilities granted anywhere in this pod.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      volumes:
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Memory-backed, so whatever the proxy writes to its identity
        # directory is not stored on node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
        # Projected service-account token bound to the identity.l5d.io
        # audience, valid for 86400 s (24 h).
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: identity.l5d.io
                  expirationSeconds: 86400
                  path: linkerd-identity-token
---
# Deployment `not-controller` in the `linkerd` namespace, i.e. the namespace
# its own linkerd.io/control-plane-ns label names as the control plane.
# Apart from the name, the namespace and the proxy-deployment / workload-ns
# labels, the pod template matches the preceding document in this file.
# NOTE(review): the created-by / proxy-version values look like test
# placeholders, so this is presumably an injection test fixture - confirm
# before reusing any value from it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: not-controller
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web-svc
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: test-inject-proxy-version
        # Presumably a fingerprint of the trust anchor passed to the proxy in
        # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS below - verify. Quoted so the
        # digest can never be retyped by a parser.
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
      labels:
        app: web-svc
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: not-controller
        linkerd.io/workload-ns: linkerd
    spec:
      containers:
        # Sidecar proxy. Every setting is handed over as an environment
        # variable.
        - env:
            # Downward-API values; referenced further down as $(_pod_ns),
            # $(_pod_name) and $(_pod_nodeName).
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: warn,linkerd=info,trust_dns=error
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: plain
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Default inbound policy: connections are accepted from any
            # client, including ones that present no mesh identity.
            # NOTE(review): a workload that must only be reachable over mTLS
            # needs a stricter default or explicit authorization policy.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: 3s
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: 5m
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: 1h
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: 100ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: 1000ms
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: 5s
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: 90s
            # Control (4190), admin (4191) and inbound (4143) listeners bind
            # to all addresses; only the outbound listener (4140) is
            # loopback-only. The probes below are served by the admin port.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: 127.0.0.1:4140
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: 127.0.0.1:4140
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            # Same port the web-svc container declares (containerPort 80).
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '80'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: 10s
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: 3s
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: 10s
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: 3s
            # Inbound ports on which protocol detection is switched off.
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: 25,587,3306,4444,5432,6379,9300,11211
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Same path as the memory-backed emptyDir mounted below.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchor as a PEM certificate block: public material only,
            # no private key is embedded in this manifest.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              value: |
                -----BEGIN CERTIFICATE-----
                MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
                JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
                MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
                ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
                l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
                uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
                /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
                aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
                IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
                vgUC0d2/9FMueIVMb+46WTCOjsqr
                -----END CERTIFICATE-----
            # File inside the projected service-account token volume mounted
            # at /var/run/secrets/tokens.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            # The proxy's own identity name is assembled from the pod's
            # service account and namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            # The policy service is given the linkerd-destination identity
            # name although its address above is linkerd-policy.
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
          imagePullPolicy: IfNotPresent
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Non-root (UID 2102), read-only root filesystem, no privilege
          # escalation, runtime-default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # Application container.
        # NOTE(review): unlike the two Linkerd containers it sets no
        # securityContext and no resources, and its image is referenced by
        # tag rather than by digest.
        - env:
            - name: WEB_PORT
              value: '80'
            - name: EMOJISVC_HOST
              value: emoji-svc.emojivoto:8080
            - name: VOTINGSVC_HOST
              value: voting-svc.emojivoto:8080
            - name: INDEX_BUNDLE
              value: dist/index_bundle.js
          image: buoyantio/emojivoto-web:v10
          name: web-svc
          ports:
            - containerPort: 80
              name: http
      initContainers:
        # proxy-init container: receives the inbound (4143) and outbound
        # (4140) proxy ports and the proxy UID.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - '4143'
            - --outgoing-proxy-port
            - '4140'
            # Same UID as runAsUser on the linkerd-proxy container.
            - --proxy-uid
            - '2102'
            # Ports on these two lists are skipped by the redirect rules, so
            # traffic on them does not pass through linkerd-proxy and gets
            # no mTLS or policy enforcement from it.
            - --inbound-ports-to-ignore
            - 4190,4191,4567,4568
            - --outbound-ports-to-ignore
            - 4567,4568
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: 100m
              memory: 20Mi
            requests:
              cpu: 100m
              memory: 20Mi
          # Unprivileged and non-root (65534), but with NET_ADMIN and NET_RAW
          # added: the only extra capabilities granted anywhere in this pod.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      volumes:
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Memory-backed, so whatever the proxy writes to its identity
        # directory is not stored on node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
        # Projected service-account token bound to the identity.l5d.io
        # audience, valid for 86400 s (24 h).
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: identity.l5d.io
                  expirationSeconds: 86400
                  path: linkerd-identity-token
---