# Deployment "web" (namespace emojivoto) carrying a linkerd-proxy sidecar and a
# linkerd-init init container next to the application container web-svc.
# NOTE(review): the created-by value "linkerd/cli dev-undefined" and the
# placeholder proxy version "test-inject-proxy-version" suggest this is
# expected output of an injection test, not a production manifest - confirm
# before reusing any value from it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: emojivoto
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web-svc
  template:
    metadata:
      annotations:
        # Skipped ports are not redirected through the proxy (see the
        # --inbound-ports-to-ignore / --outbound-ports-to-ignore args of
        # linkerd-init below), so traffic on them gets no mesh mTLS, policy or
        # telemetry. Inbound 22 and 8100-8102 and outbound 5432 must be
        # protected by other means (application TLS, NetworkPolicy).
        config.linkerd.io/skip-inbound-ports: 22,8100-8102
        config.linkerd.io/skip-outbound-ports: "5432"
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: test-inject-proxy-version
        # presumably a digest of the trust anchor passed in
        # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - verify against the injector
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
      labels:
        app: web-svc
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: web
        linkerd.io/workload-ns: emojivoto
    spec:
      containers:
      # --- linkerd-proxy sidecar ---
      - env:
        # Downward-API values, referenced further down as $(_pod_name) etc.
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info,trust_dns=error
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: plain
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # all-unauthenticated: by default the proxy accepts inbound traffic
        # from any client, meshed or not. Authorization has to come from
        # explicit policy resources or a stricter default; confirm this is
        # intended for the workload.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: 5m
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: 1h
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: 100ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: 1000ms
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 5s
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 90s
        # Control (4190), admin (4191) and inbound (4143) listeners bind to
        # all addresses; the outbound listener (4140) is loopback-only.
        # 4190 and 4191 are also in linkerd-init's inbound ignore list, so
        # they are reached directly rather than through the inbound proxy.
        # NOTE(review): confirm what the admin port exposes beyond the /live
        # and /ready probes used below, and who can reach it.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the containerPort of the web-svc container.
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "80"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        # Ports on which the proxy does not attempt protocol detection.
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: 25,587,3306,4444,5432,6379,9300,11211
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Same path as the memory-backed linkerd-identity-end-entity mount.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # PEM certificate only (no private key), so it is not a secret; it is
        # the root the proxy trusts for mesh identity, so any change to it
        # should be reviewed.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # Token comes from the projected linkerd-identity-token volume.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # The proxy's identity name is built from the pod's service account
        # and namespace.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # Policy uses the same expected identity as the destination service.
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # Tag is a test placeholder; a deployed manifest would carry a real
        # version (and ideally an image digest).
        image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Hardened: non-root UID 2102, read-only root filesystem, no privilege
        # escalation, runtime-default seccomp. UID 2102 is the same value
        # passed to linkerd-init as --proxy-uid.
        # NOTE(review): no capabilities.drop and no resources block are set
        # on this container.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- application container ---
      # NOTE(review): unlike the two linkerd containers, web-svc declares no
      # securityContext and no resources, and its image is referenced by a
      # mutable tag (v10) rather than a digest.
      - env:
        - name: WEB_PORT
          value: "80"
        - name: EMOJISVC_HOST
          value: emoji-svc.emojivoto:8080
        - name: VOTINGSVC_HOST
          value: voting-svc.emojivoto:8080
        - name: INDEX_BUNDLE
          value: dist/index_bundle.js
        image: buoyantio/emojivoto-web:v10
        name: web-svc
        ports:
        - containerPort: 80
          name: http
      initContainers:
      # --- linkerd-init: sets up traffic redirection to the proxy ports ---
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # 4190 and 4191 are the proxy's own control/admin ports; 22 and
        # 8100-8102 come from the skip-inbound-ports annotation.
        - --inbound-ports-to-ignore
        - 4190,4191,22,8100-8102
        # From the skip-outbound-ports annotation.
        - --outbound-ports-to-ignore
        - "5432"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: 100m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 20Mi
        # NET_ADMIN and NET_RAW are the only added capabilities; the container
        # is otherwise unprivileged (privileged: false, UID/GID 65534,
        # read-only root filesystem, runtime-default seccomp). Admission
        # policies that forbid these capabilities will reject this pod.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 65534
          runAsNonRoot: true
          runAsUser: 65534
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Writable scratch space; the root filesystem is read-only.
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      volumes:
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Memory-backed emptyDir mounted at LINKERD2_PROXY_IDENTITY_DIR, so its
      # contents are not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
      # Audience-scoped service account token (identity.l5d.io) with a 24 h
      # lifetime, used instead of the default service account token.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              audience: identity.l5d.io
              expirationSeconds: 86400
              path: linkerd-identity-token
---