---
# Source: linkerd-control-plane/templates/namespace.yaml
---
# Source: linkerd-control-plane/templates/identity-rbac.yaml
---
###
### Identity Controller Service RBAC
###
# Cluster-scoped permissions for the identity controller. Both rules apply in
# every namespace because this is a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  # "create" on tokenreviews lets the holder ask the API server to validate
  # bearer tokens; no read or write access to other auth resources is granted.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # TODO(ver) Restrict this to the Linkerd namespace. See
  # https://github.com/linkerd/linkerd2/issues/9367
  # Until then, Events can be created and patched cluster-wide.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Grants the identity ClusterRole to the linkerd-identity ServiceAccount.
# As a ClusterRoleBinding, the grant is not limited to linkerd-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    name: linkerd-identity
    namespace: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-identity
---
# ServiceAccount the identity controller pods run as. No
# automountServiceAccountToken field is set, so the cluster default applies.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
---
# Source: linkerd-control-plane/templates/destination-rbac.yaml
---
###
### Destination Controller Service
###
# Cluster-scoped permissions for the destination controller. Most rules are
# read-only (list/get/watch); the last two grant writes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - endpoints
      - services
      - nodes
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - linkerd.io
    resources:
      - serviceprofiles
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - list
      - get
      - watch
  # Lease writes are cluster-wide here (no resourceNames, no namespace scope).
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
      - patch
  # NOTE(review): full write access to EndpointSlices in every namespace.
  # EndpointSlices decide which backends a Service resolves to, so the
  # ServiceAccount bound to this role is a high-value credential; confirm the
  # cluster-wide scope is required.
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - get
      - watch
      - create
      - update
      - patch
      - delete
---
# Grants the destination ClusterRole to the linkerd-destination
# ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-destination
---
# ServiceAccount for the destination controller. In this file it is the
# subject of two ClusterRoleBindings and one RoleBinding (secrets read).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-destination
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
---
# Validating admission webhook for ServiceProfile create/update requests.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
  - name: linkerd-sp-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # skipped, so the ability to label a namespace also opts it out.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-sp-validator
        namespace: linkerd-dev
        path: "/"
      # Base64 of a test placeholder string, not a PEM certificate; a real
      # install needs the CA that signed the webhook's serving certificate.
      caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
    # Fail-open: if the webhook cannot be reached or errors, the API server
    # admits the object without validation.
    failurePolicy: Ignore
    admissionReviewVersions:
      - "v1"
      - "v1beta1"
    rules:
      - operations:
          - "CREATE"
          - "UPDATE"
        apiGroups:
          - "linkerd.io"
        apiVersions:
          - "v1alpha1"
          - "v1alpha2"
        resources:
          - "serviceprofiles"
    sideEffects: None
---
# Validating admission webhook for Linkerd policy resources and Gateway API
# HTTPRoutes (create/update, all API versions).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
  - name: linkerd-policy-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # not validated.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-policy-validator
        namespace: linkerd-dev
        path: "/"
      # Same placeholder bytes as the sp-validator webhook's caBundle (a test
      # string, not a certificate).
      caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
    # NOTE(review): fail-open for authorization-policy objects. While the
    # validator is unavailable, unvalidated policy resources are admitted;
    # monitor webhook availability if these policies are a security control.
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["policy.linkerd.io"]
        apiVersions: ["*"]
        resources:
          [
            authorizationpolicies,
            httproutes,
            networkauthentications,
            meshtlsauthentications,
            serverauthorizations,
            servers,
          ]
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["gateway.networking.k8s.io"]
        apiVersions: ["*"]
        resources: [httproutes]
    sideEffects: None
---
# Cluster-scoped permissions for the policy controller. Everything is
# read-only except: patch on the two httproutes/status subresources and
# create/get/patch on leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups: [""]
    resources: [pods]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [deployments]
    verbs: [get]
  - apiGroups: [policy.linkerd.io]
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs: [get, list, watch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes]
    verbs: [get, list, watch]
  # Status-only writes: the route specs themselves cannot be modified.
  - apiGroups: [policy.linkerd.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [workload.linkerd.io]
    resources: [externalworkloads]
    verbs: [get, list, watch]
  # Lease access is cluster-wide (no namespace or resourceNames restriction).
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create, get, patch]
---
# Grants the linkerd-policy ClusterRole to the linkerd-destination
# ServiceAccount, in addition to its destination ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
---
# Namespaced Role: read access to Secrets in linkerd-dev.
# NOTE(review): there is no resourceNames restriction, so this covers every
# Secret in the namespace, including linkerd-identity-issuer (crt.pem/key.pem)
# defined in this same file. Confirm that breadth is intended.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch]
---
# Binds the remote-discovery Role (Secret read in linkerd-dev) to the
# linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
---
# Source: linkerd-control-plane/templates/heartbeat-rbac.yaml
---
###
### Heartbeat RBAC
###
# Namespaced Role limited to a single verb on a single named object:
# "get" on the linkerd-config ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
    resourceNames:
      - linkerd-config
---
# Binds the linkerd-heartbeat Role to the linkerd-heartbeat ServiceAccount
# within linkerd-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-heartbeat
---
# Cluster-scoped, list-only access for the heartbeat job: namespaces and
# ServiceProfiles. No get, watch or write verbs are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
  - apiGroups:
      - linkerd.io
    resources:
      - serviceprofiles
    verbs:
      - list
---
# Grants the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-heartbeat
---
# ServiceAccount used by the heartbeat workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev
---
# Source: linkerd-control-plane/templates/podmonitor.yaml

---
# Source: linkerd-control-plane/templates/proxy-injector-rbac.yaml
---
###
### Proxy Injector RBAC
###
# Cluster-scoped permissions for the proxy injector: read-only access to
# namespaces and workload owners, plus create/patch on Events. Pods are
# list/watch only (no get).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  # The only write rule; it applies to Events in every namespace.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - replicationcontrollers
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - extensions
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - watch
---
# Grants the proxy-injector ClusterRole to the linkerd-proxy-injector
# ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-proxy-injector
subjects:
  - kind: ServiceAccount
    name: linkerd-proxy-injector
    namespace: linkerd-dev
    # Empty apiGroup: ServiceAccount subjects live in the core API group.
    apiGroup: ""
---
# ServiceAccount used by the proxy injector.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
---
# Mutating admission webhook: CREATE requests for namespaced pods and
# services are sent to the linkerd-proxy-injector Service.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    # Skipped namespaces: any labelled
    # config.linkerd.io/admission-webhooks=disabled, plus kube-system and
    # cert-manager by name. Who may label namespaces is therefore
    # security-relevant: the label removes a namespace from injection.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - cert-manager
    # No object-level filter: every matching object in a selected namespace
    # is sent to the webhook.
    objectSelector: null
    clientConfig:
      service:
        name: linkerd-proxy-injector
        namespace: linkerd-dev
        path: "/"
      # Base64 of a test placeholder string, not a PEM CA certificate.
      caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jYS1idW5kbGU=
    # NOTE(review): fail-open. If the injector is unreachable or exceeds the
    # 10 s timeout below, the object is admitted unmodified, so a pod can
    # start without the mutation this webhook would have applied. Alert on
    # injector availability if mesh membership is relied on for security.
    failurePolicy: Ignore
    admissionReviewVersions:
      - "v1"
      - "v1beta1"
    rules:
      - operations:
          - "CREATE"
        apiGroups:
          - ""
        apiVersions:
          - "v1"
        resources:
          - "pods"
          - "services"
        scope: "Namespaced"
    sideEffects: None
    timeoutSeconds: 10
---
# Source: linkerd-control-plane/templates/psp.yaml
---
# Source: linkerd-control-plane/templates/config.yaml
---
# Rendered chart values, stored as one YAML string under data.values.
# A ConfigMap is not a secret store: the string below carries certificate and
# CA-bundle fields (test placeholders here) but no private-key field.
# Settings in the string that shape the security posture:
#   - proxy.defaultInboundPolicy: all-unauthenticated
#   - webhookFailurePolicy: Ignore (admission webhooks fail open)
#   - policyController.probeNetworks: 0.0.0.0/0 and ::/0
#   - proxyInit.privileged / proxyInit.runAsRoot: false
# Everything under "values: |" is string content, so "#" lines there would
# become data rather than comments. The "{{ .Release.Namespace }}" entry is
# literal text inside that string.
# NOTE(review): the nesting inside the string was rebuilt from a listing that
# had lost its indentation; confirm against the chart's rendered output.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-config
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: ""
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: test-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: test-crt-pem
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: test-trust-anchor
    identityTrustDomain: test.trust.domain
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: linkerd-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: test-profile-validator-ca-bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: test-profile-validator-ca-bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: test-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: "222"
      ignoreOutboundPorts: "111"
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: test-proxy-init-version
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: test-proxy-injector-ca-bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tap:
      caBundle: test-tap-ca-bundle
      externalSecret: true
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Source: linkerd-control-plane/templates/config-rbac.yaml
---
# Namespaced Role allowing only "get" on the linkerd-config ConfigMap.
# No RoleBinding that references it appears in this part of the output.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
    resourceNames:
      - linkerd-config
---
# Source: linkerd-control-plane/templates/identity.yaml
---
###
### Identity Controller Service
###
---
# Issuer certificate and private key for the identity controller.
# Both values here are base64 of test placeholder strings, not PEM data.
# In a real install key.pem is signing-key material: base64 is an encoding,
# not encryption, so anyone who can read this Secret or the rendered manifest
# holds the key. Keep rendered output with real keys out of version control
# and limit which ServiceAccounts can read Secrets in linkerd-dev.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  crt.pem: dGVzdC1jcnQtcGVt
  key.pem: dGVzdC1rZXktcGVt
---
# Trust anchor bundle. It is public material, so a ConfigMap is appropriate,
# but write access to this object changes which roots consumers of the bundle
# trust. The value here is a test placeholder.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  ca-bundle.crt: |-
    test-trust-anchor
---
# ClusterIP Service exposing the identity controller's gRPC port (8080)
# inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: DNS resolves to
# the pod addresses directly instead of a virtual IP.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity-headless
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Identity controller Deployment: the "identity" container, a "linkerd-proxy"
# sidecar, and a "linkerd-init" init container.
# Hardening visible below: every container sets allowPrivilegeEscalation:
# false, runAsNonRoot, a read-only root filesystem and the RuntimeDefault
# seccomp profile; the two long-running containers drop ALL capabilities.
# Image references use placeholder tags (linkerd-version, test-*-version); a
# production manifest should pin real versions, ideally by digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # NOTE(review): the default inbound policy is all-unauthenticated;
        # the name suggests unauthenticated clients are accepted unless a more
        # specific policy applies. Confirm this is intended for this workload.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      serviceAccountName: linkerd-identity
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level default; each container below also sets it explicitly.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        # No resources block is set on this container, so it runs without
        # CPU or memory requests/limits.
        - name: identity
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - identity
            - -log-level=info
            - -log-format=plain
            - -controller-namespace=linkerd-dev
            - -identity-trust-domain=test.trust.domain
            - -identity-issuance-lifetime=24h0m0s
            - -identity-clock-skew-allowance=20s
            - -identity-scheme=linkerd.io/tls
            - -enable-pprof=false
            - -kube-apiclient-qps=100
            - -kube-apiclient-burst=200
          env:
            - name: LINKERD_DISABLED
              value: "linkerd-await cannot block the identity controller"
          ports:
            - containerPort: 8080
              name: grpc
            - containerPort: 9990
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9990
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9990
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # The issuer Secret (crt.pem/key.pem) is mounted only into this
            # container, not into the proxy sidecar.
            - mountPath: /var/run/linkerd/identity/issuer
              name: identity-issuer
            - mountPath: /var/run/linkerd/identity/trust-roots/
              name: trust-roots
        # The env list order is kept: later values expand $(VAR) references
        # to variables defined earlier in the list.
        - name: linkerd-proxy
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
              value: "8080"
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control, admin and inbound listeners bind to all interfaces
            # ([::]); the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8080,9990"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd-dev
            - name: _l5d_trustdomain
              value: test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: localhost.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Empty in the rendered output: no requests or limits for the proxy.
          resources: null
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
      initContainers:
        # The only container that adds capabilities (NET_ADMIN, NET_RAW). It
        # still runs as non-root UID/GID 65534 with privileged: false.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191,222"
            - --outbound-ports-to-ignore
            - "443,6443"
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      volumes:
        - name: identity-issuer
          secret:
            secretName: linkerd-identity-issuer
        - name: trust-roots
          configMap:
            name: linkerd-identity-trust-roots
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Projected ServiceAccount token bound to the identity.l5d.io audience
        # with a 24 h (86400 s) expiry, rather than a long-lived token.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir for the proxy's identity directory
        # (LINKERD2_PROXY_IDENTITY_DIR), so its contents are not written to
        # node disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
---
# Source: linkerd-control-plane/templates/destination.yaml
---
###
### Destination Controller Service
###
# ClusterIP Service for the destination controller's gRPC port (8086).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Headless variant (clusterIP: None) of the destination gRPC Service.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Backend Service for the ServiceProfile validating webhook. Port 443 maps to
# the container port named "sp-validator" on the destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      targetPort: sp-validator
---
# Headless Service (clusterIP: None) for the policy controller's gRPC API on
# 8090, the port the policy container binds with --grpc-addr. The
# proxy-injector pod's sidecar reaches it through
# LINKERD2_PROXY_POLICY_SVC_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: 'linkerd/helm linkerd-version'
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - port: 8090
      targetPort: 8090
      name: grpc
---
# Service in front of the policy container's HTTPS listener. Port 443 forwards
# to the container port named policy-https (9443), where the policy container
# is started with --server-addr=[::]:9443 and a TLS key/certificate read from
# /var/run/linkerd/tls.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: 'linkerd/helm linkerd-version'
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - port: 443
      targetPort: policy-https
      name: policy-https
---
# Deployment for the destination controller pod. The pod runs four containers
# (the linkerd-proxy sidecar, destination, sp-validator and policy) and one
# init container (linkerd-init). Every container sets runAsNonRoot, a
# read-only root filesystem, allowPrivilegeEscalation=false and the
# RuntimeDefault seccomp profile; only linkerd-init adds capabilities.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  name: linkerd-destination
  namespace: linkerd-dev
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Presumably a digest of the rendered configuration, so that a config
        # change rolls the pods (common Helm pattern) - confirm in the chart.
        checksum/config: bdf627c4f8fc3bc85e69064de22d6032ab30887fa55d18238a677e9b9b594dd8
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # Presumably the SHA-256 of the trust-anchor bundle - confirm in the
        # chart.
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # all-unauthenticated admits inbound connections from any client,
        # whether or not it presents a mesh identity. Access control for this
        # pod's ports then rests on explicit policy resources or
        # NetworkPolicy. NOTE(review): confirm this default is intended
        # outside test fixtures.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # Sidecar proxy for the destination pod itself.
        - env:
            # Downward-API values. Kubernetes expands $(VAR) references only
            # from variables defined earlier in this list, so these must stay
            # ahead of the entries that interpolate them.
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # localhost: the destination container in this same pod listens
            # on 8086 (-addr=:8086).
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: localhost.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            # localhost: the policy container in this same pod serves gRPC on
            # 8090 (--grpc-addr=[::]:8090).
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: localhost.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Same permissive default as the pod annotation above.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # The control (4190) and admin (4191) listeners bind every
            # address. linkerd-init also lists both in
            # --inbound-ports-to-ignore, so traffic to them is not redirected
            # through the inbound proxy. NOTE(review): restrict who can reach
            # 4191 (NetworkPolicy) if admin/metrics exposure matters.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            # The outbound listener is loopback-only.
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            # Matches the containerPorts declared by the destination,
            # sp-validator and policy containers below.
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8086,8090,8443,9443,9990,9996,9997"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd-dev
            - name: _l5d_trustdomain
              value: test.trust.domain
            # Identity material lives in the memory-backed emptyDir mounted
            # below, so it is not written to the node's disk.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # Path of the projected, audience-scoped ServiceAccount token
            # defined under volumes.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080
            # The local identity name is derived from the pod's ServiceAccount
            # and namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
          # NOTE(review): the tag looks like a test placeholder. With
          # IfNotPresent a node reuses whatever image it has cached under a
          # tag, so real deployments should pin a release, ideally by digest.
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Bare key parses as null: no CPU or memory requests/limits are set
          # for the proxy in this rendering.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # 2102 is the UID passed to linkerd-init as --proxy-uid.
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # Destination controller: gRPC on 8086, admin HTTP on 9996. No
        # resources key and no volume mounts are declared for it.
        - args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd-dev
            - -enable-h2-upgrade=true
            - -log-level=info
            - -log-format=plain
            - -enable-endpoint-slices=true
            - -cluster-domain=cluster.local
            - -identity-trust-domain=test.trust.domain
            - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - -enable-ipv6=false
            # Profiling endpoints are switched off.
            - -enable-pprof=false
            - --meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          name: destination
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
        # ServiceProfile validator: listens on 8443 (fronted by the
        # linkerd-sp-validator Service on 443), admin HTTP on 9997.
        - args:
            - sp-validator
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          name: sp-validator
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Key pair from the linkerd-sp-validator-k8s-tls Secret, mounted
            # read-only.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
        # Policy controller: gRPC on 8090, HTTPS on 9443, admin on 9990.
        - args:
            - --admin-addr=[::]:9990
            - --control-plane-namespace=linkerd-dev
            - --grpc-addr=[::]:8090
            - --server-addr=[::]:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - --identity-domain=test.trust.domain
            - --cluster-domain=cluster.local
            # Cluster-wide default when a workload sets no policy of its own:
            # every inbound connection is allowed, authenticated or not.
            - --default-policy=all-unauthenticated
            - --log-level=info
            - --log-format=plain
            - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            # NOTE(review): covers every IPv4 and IPv6 source. Presumably this
            # is the set of networks treated as probe sources; narrow it to
            # the node CIDRs where the cluster layout allows - confirm against
            # the policy-controller documentation.
            - --probe-networks=0.0.0.0/0,::/0
          image: cr.l5d.io/linkerd/policy-controller:linkerd-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          name: policy
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Bare key parses as null: no requests/limits for this container.
          resources:
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Key pair from the linkerd-policy-validator-k8s-tls Secret,
            # mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
      initContainers:
        # linkerd-init sets up the pod's traffic redirection to the proxy
        # ports before the other containers start.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            # Inbound traffic to these ports is not redirected to the proxy.
            # 4190/4191 are the proxy's own control and admin listeners; the
            # page gives no reason for 222.
            - --inbound-ports-to-ignore
            - "4190,4191,222"
            # Outbound traffic to these ports bypasses the proxy, so it gets
            # no mesh mTLS or policy (presumably Kubernetes API access -
            # verify).
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            # The only container in this pod that adds capabilities. It is
            # not privileged and runs as UID/GID 65534. Admission policy that
            # forbids added capabilities (for example the "restricted" Pod
            # Security Standard) would reject this pod.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            # Writable scratch space at /run, needed because the root
            # filesystem is read-only.
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      # Pod-level default seccomp profile; each container also sets it.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Bound ServiceAccount token scoped to the identity.l5d.io audience
        # with a 24-hour lifetime. A token issued for this audience is not
        # accepted by the Kubernetes API server itself, which limits what a
        # leaked copy can be used for.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # tmpfs-backed volume for the proxy's identity directory.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
# Source: linkerd-control-plane/templates/heartbeat.yaml
---
###
### Heartbeat
###
# Scheduled heartbeat job. The pod template contains only the heartbeat
# container: no linkerd-proxy sidecar and no linkerd-init, so its traffic is
# not covered by mesh mTLS. The Prometheus URL below is plain http://.
# NOTE(review): upstream documents the heartbeat as reporting anonymised
# usage data to an external endpoint; confirm that matches the cluster's
# egress policy.
kind: CronJob
apiVersion: batch/v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: 'linkerd/helm linkerd-version'
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  # Fixed five-field cron expression; it looks like a test placeholder.
  schedule: '1 2 3 4 5'
  concurrencyPolicy: Replace
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            linkerd.io/created-by: 'linkerd/helm linkerd-version'
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd-dev
        spec:
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: heartbeat
              image: cr.l5d.io/linkerd/controller:linkerd-version
              imagePullPolicy: IfNotPresent
              args:
                - 'heartbeat'
                - '-controller-namespace=linkerd-dev'
                - '-log-level=info'
                - '-log-format=plain'
                - '-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090'
              env:
                # The value is a human-readable explanation; how the variable
                # is consumed is not visible in this manifest.
                - name: LINKERD_DISABLED
                  value: 'the heartbeat controller does not use the proxy'
              # Non-root, no capabilities, read-only root filesystem, no
              # privilege escalation, default seccomp profile.
              securityContext:
                runAsNonRoot: true
                runAsUser: 2103
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
---
# Source: linkerd-control-plane/templates/proxy-injector.yaml
---
###
### Proxy Injector
###
# Deployment for the proxy-injector pod: a linkerd-proxy sidecar, the
# proxy-injector container (port 8443, admin HTTP on 9995) and the
# linkerd-init init container. Every container sets runAsNonRoot, a read-only
# root filesystem, allowPrivilegeEscalation=false and the RuntimeDefault
# seccomp profile; only linkerd-init adds capabilities.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
  name: linkerd-proxy-injector
  namespace: linkerd-dev
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Presumably a digest of the rendered configuration, so that a config
        # change rolls the pods (common Helm pattern) - confirm in the chart.
        checksum/config: a03c5a5d4ed8cae24c45d89569246c3e44eded6915cbdc71698e8008d3587d59
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # Presumably the SHA-256 of the trust-anchor bundle - confirm in the
        # chart.
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # 8443 is the proxy-injector container's serving port; marking it
        # opaque tells the proxy to skip protocol detection on it.
        config.linkerd.io/opaque-ports: "8443"
        # all-unauthenticated admits inbound connections from any client,
        # whether or not it presents a mesh identity. NOTE(review): confirm
        # this default is intended outside test fixtures.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # Sidecar proxy for the proxy-injector pod.
        - env:
            # Downward-API values. Kubernetes expands $(VAR) references only
            # from variables defined earlier in this list, so these must stay
            # ahead of the entries that interpolate them.
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # Unlike the destination pod's own proxy (which uses localhost),
            # this proxy reaches the destination and policy APIs through the
            # headless Services.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Same permissive default as the pod annotation above.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # The control (4190) and admin (4191) listeners bind every
            # address. linkerd-init also lists both in
            # --inbound-ports-to-ignore, so traffic to them is not redirected
            # through the inbound proxy. NOTE(review): restrict who can reach
            # 4191 (NetworkPolicy) if admin/metrics exposure matters.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            # The outbound listener is loopback-only.
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            # Matches the proxy-injector container's ports below.
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8443,9995"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd-dev
            - name: _l5d_trustdomain
              value: test.trust.domain
            # Identity material lives in the memory-backed emptyDir mounted
            # below, so it is not written to the node's disk.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # Path of the projected, audience-scoped ServiceAccount token
            # defined under volumes.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080
            # The local identity name is derived from the pod's ServiceAccount
            # and namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
          # NOTE(review): the tag looks like a test placeholder. With
          # IfNotPresent a node reuses whatever image it has cached under a
          # tag, so real deployments should pin a release, ideally by digest.
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Bare key parses as null: no CPU or memory requests/limits are set
          # for the proxy in this rendering.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # 2102 is the UID passed to linkerd-init as --proxy-uid.
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # Proxy injector. NOTE(review): presumably the admission webhook that
        # adds the proxy to workloads; the webhook configuration is not
        # visible here. No resources key is declared for this container.
        - args:
            - proxy-injector
            - -log-level=info
            - -log-format=plain
            - -linkerd-namespace=linkerd-dev
            # Profiling endpoints are switched off.
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          name: proxy-injector
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # Key pair from the linkerd-proxy-injector-k8s-tls Secret,
            # mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      initContainers:
        # linkerd-init sets up the pod's traffic redirection to the proxy
        # ports before the other containers start.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            # Inbound traffic to these ports is not redirected to the proxy.
            # 4190/4191 are the proxy's own control and admin listeners; the
            # page gives no reason for 222.
            - --inbound-ports-to-ignore
            - "4190,4191,222"
            # Outbound traffic to these ports bypasses the proxy, so it gets
            # no mesh mTLS or policy (presumably Kubernetes API access -
            # verify).
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            # The only container in this pod that adds capabilities. It is
            # not privileged and runs as UID/GID 65534. Admission policy that
            # forbids added capabilities (for example the "restricted" Pod
            # Security Standard) would reject this pod.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            # Writable scratch space at /run, needed because the root
            # filesystem is read-only.
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      # Pod-level default seccomp profile; each container also sets it.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - configMap:
            name: linkerd-config
          name: config
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Bound ServiceAccount token scoped to the identity.l5d.io audience
        # with a 24-hour lifetime. A token issued for this audience is not
        # accepted by the Kubernetes API server itself, which limits what a
        # leaked copy can be used for.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # tmpfs-backed volume for the proxy's identity directory.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
# Service in front of the proxy-injector container. Port 443 forwards to the
# container port named proxy-injector, which the linkerd-proxy-injector
# Deployment declares as 8443. Backends are chosen by a single label, so any
# pod in linkerd-dev carrying linkerd.io/control-plane-component=proxy-injector
# is treated as an endpoint; keep pod-creation rights in the control-plane
# namespace tightly scoped.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: 'linkerd/helm linkerd-version'
    # Marks the Service port as opaque, so proxies skip protocol detection on
    # connections to it.
    config.linkerd.io/opaque-ports: '443'
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - port: 443
      targetPort: proxy-injector
      name: proxy-injector