{{- if .Values.collector.enabled -}}
---
###
### collector RBAC
###
# ServiceAccount for the collector; rendered only when collector.enabled is set.
# The ClusterRoleBinding later in this file grants this account cluster-wide
# read access, so any workload allowed to run as it inherits that access.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: collector
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---
# Read-only, cluster-scoped permissions for the collector ServiceAccount.
# Only get/list/watch are granted and Secrets are not included, but listing
# pods in every namespace still exposes full pod specs (including literal env
# values), so treat the collector's token as sensitive.
# NOTE(review): the name "collector" is generic and cluster-scoped; confirm no
# other chart or release in the cluster defines a ClusterRole with this name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: collector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
# core API group
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "list", "watch"]
# workload controllers
- apiGroups: ["apps"]
  resources: ["daemonsets", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch"]
# batch workloads
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["get", "list", "watch"]
---
# Grants the collector ClusterRole to the collector ServiceAccount in the
# release namespace. The binding is cluster-wide; no other subject is listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: collector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: collector
subjects:
- kind: ServiceAccount
  name: collector
  namespace: {{ .Release.Namespace }}
{{ end -}}
---
###
### Jaeger Injector RBAC
###
# Always rendered (not gated by a values flag). The injector may only read
# namespace objects cluster-wide; it has no write verbs and no access to pods
# or Secrets through this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-jaeger-injector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
# Binds the namespace-read ClusterRole to the jaeger-injector ServiceAccount
# in the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-jaeger-injector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-jaeger-injector
subjects:
- kind: ServiceAccount
  name: jaeger-injector
  namespace: {{ .Release.Namespace }}
  # empty apiGroup is the core group, which is where ServiceAccount lives
  apiGroup: ""
---
# Identity named as the subject of the linkerd-jaeger-injector
# ClusterRoleBinding earlier in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jaeger-injector
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
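---
{{- $host := printf "jaeger-injector.%s.svc" .Release.Namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.webhook.externalSecret) }}
{{- if ne (empty .Values.webhook.crtPEM) (empty .Values.webhook.keyPEM) }}
{{- fail "webhook.crtPEM and webhook.keyPEM must be set together" }}
{{- end }}
# TLS serving certificate and key for the jaeger-injector webhook. Skipped
# when webhook.externalSecret is set.
#
# tls.crt and tls.key each fall back independently to the render-time
# self-signed pair, so supplying only one of webhook.crtPEM / webhook.keyPEM
# would yield a certificate and key that do not match; the guard above rejects
# that at render time.
#
# Operational caveats for the generated fallback:
# - It is valid for 365 days and nothing in this template renews it; a new
#   pair is produced only when the chart is rendered again.
# - The private key is part of the rendered manifest, so it is also kept in
#   Helm's release record. Restrict read access to that record, or use
#   webhook.externalSecret with cert-manager CA injection instead.
apiVersion: v1
kind: Secret
metadata:
  name: jaeger-injector-k8s-tls
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
type: kubernetes.io/tls
data:
  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.webhook.crtPEM)) (empty .Values.webhook.crtPEM) }}
  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.webhook.keyPEM)) (empty .Values.webhook.keyPEM) }}
---
{{- end }}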
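{{- include "linkerd.webhook.validation" .Values.webhook }}
# Registers the jaeger-injector admission webhook for pod CREATE requests.
# The API server trusts the webhook through exactly one of:
#   - cert-manager CA injection (the inject-ca-from annotations below), or
#   - an inline caBundle (webhook.caBundle, else the certificate generated at
#     render time earlier in this file).
# NOTE(review): with webhook.externalSecret set and webhook.caBundle empty, the
# fallback caBundle would not match an externally managed certificate;
# presumably linkerd.webhook.validation rejects that combination - confirm.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-jaeger-injector-webhook-config
  {{- if or (.Values.webhook.injectCaFrom) (.Values.webhook.injectCaFromSecret) }}
  annotations:
  {{- if .Values.webhook.injectCaFrom }}
    cert-manager.io/inject-ca-from: {{ .Values.webhook.injectCaFrom | quote }}
  {{- end }}
  {{- if .Values.webhook.injectCaFromSecret }}
    cert-manager.io/inject-ca-from-secret: {{ .Values.webhook.injectCaFromSecret | quote }}
  {{- end }}
  {{- end }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
webhooks:
- name: jaeger-injector.linkerd.io
  # Without a namespaceSelector or objectSelector the webhook is consulted for
  # pod creation in every namespace, system namespaces included.
  {{- if .Values.webhook.namespaceSelector }}
  namespaceSelector:
{{ toYaml .Values.webhook.namespaceSelector | trim | indent 4 -}}
  {{- end }}
  {{- if .Values.webhook.objectSelector }}
  objectSelector:
{{ toYaml .Values.webhook.objectSelector | trim | indent 4 -}}
  {{- end }}
  clientConfig:
    service:
      name: jaeger-injector
      namespace: {{ .Release.Namespace }}
      path: "/"
    {{- if and (empty .Values.webhook.injectCaFrom) (empty .Values.webhook.injectCaFromSecret) }}
    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.webhook.caBundle)) (empty .Values.webhook.caBundle) }}
    {{- end }}
  # Fail blocks pod creation in matched namespaces while the injector is
  # unreachable or its certificate has expired; Ignore admits pods unmodified.
  # timeoutSeconds is not set, so the API server default applies.
  failurePolicy: {{ .Values.webhook.failurePolicy }}
  admissionReviewVersions: ["v1", "v1beta1"]
  reinvocationPolicy: IfNeeded
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    scope: "Namespaced"
  sideEffects: None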
{{ if .Values.jaeger.enabled -}}
---
###
### jaeger RBAC
###
# ServiceAccount for jaeger; rendered only when jaeger.enabled is set.
# None of the bindings in this file name it as a subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jaeger
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
{{ end -}}