...
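# Cluster-scoped permissions for the service-mirror controller of one target
# cluster. The first rule grants write access (create/delete/update) to
# Services and Endpoints; because this ClusterRole is bound with a
# ClusterRoleBinding, those verbs apply in every namespace of the local
# cluster. Namespaces are read-only.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-service-mirror-access-local-resources-{{ .Values.targetClusterName }}
  labels:
    linkerd.io/extension: multicluster
    component: service-mirror
    # Quoted so an all-digit or boolean-looking cluster name stays a string;
    # label values must be strings.
    mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
# Mirrored services and their endpoints are created, updated and deleted here.
- apiGroups: [""]
  resources: ["endpoints", "services"]
  verbs: ["list", "get", "watch", "create", "delete", "update"]
# Read-only view of namespaces.
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
---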
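# Binds the access-local-resources ClusterRole to the service-mirror
# ServiceAccount in the release namespace. Being a ClusterRoleBinding, it
# makes the role's verbs effective cluster-wide for that one identity.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-service-mirror-access-local-resources-{{ .Values.targetClusterName }}
  labels:
    linkerd.io/extension: multicluster
    component: service-mirror
    # Quoted so an all-digit or boolean-looking cluster name stays a string.
    mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-service-mirror-access-local-resources-{{ .Values.targetClusterName }}
subjects:
- kind: ServiceAccount
  name: linkerd-service-mirror-{{ .Values.targetClusterName }}
  # Quoted: a namespace name made only of digits would otherwise parse as an
  # integer.
  namespace: {{ .Release.Namespace | quote }}
---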
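# Namespaced permissions for the service-mirror controller: read access to
# one named Secret and to Link resources, plus Lease management, all limited
# to the release namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-service-mirror-read-remote-creds-{{ .Values.targetClusterName }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    linkerd.io/extension: multicluster
    component: service-mirror
    # Quoted so an all-digit or boolean-looking cluster name stays a string.
    mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
# Secret access is pinned to a single object through resourceNames. RBAC
# honours resourceNames for list and watch only when the request carries a
# metadata.name field selector for that same name; an unfiltered list of
# Secrets in the namespace is not authorised by this rule.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["cluster-credentials-{{ .Values.targetClusterName }}"]
  verbs: ["list", "get", "watch"]
# Read-only access to Link resources in this namespace.
- apiGroups: ["multicluster.linkerd.io"]
  resources: ["links"]
  verbs: ["list", "get", "watch"]
# No resourceNames here, so the rule covers every Lease in the release
# namespace; create requests cannot be restricted by resource name in RBAC.
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update", "patch"]
---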
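# Binds the read-remote-creds Role to the service-mirror ServiceAccount.
# Role, binding and subject all live in the release namespace, so the grant
# does not extend to other namespaces.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-service-mirror-read-remote-creds-{{ .Values.targetClusterName }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    linkerd.io/extension: multicluster
    component: service-mirror
    # Quoted so an all-digit or boolean-looking cluster name stays a string.
    mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-service-mirror-read-remote-creds-{{ .Values.targetClusterName }}
subjects:
- kind: ServiceAccount
  name: linkerd-service-mirror-{{ .Values.targetClusterName }}
  namespace: {{ .Release.Namespace | quote }}
---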
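# Identity of the service-mirror controller for one target cluster. It is
# the subject of both the ClusterRoleBinding and the RoleBinding in this
# file, so any pod running under it inherits those permissions.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-service-mirror-{{ .Values.targetClusterName }}
  # Quoted: a namespace name made only of digits would otherwise parse as an
  # integer.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    linkerd.io/extension: multicluster
    component: service-mirror
    # Quoted so an all-digit or boolean-looking cluster name stays a string.
    mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---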
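# Service-mirror controller for one target cluster. The pod runs under the
# linkerd-service-mirror ServiceAccount for that cluster and is injected
# with the Linkerd proxy.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    linkerd.io/extension: multicluster
    component: service-mirror
    # Quoted so an all-digit or boolean-looking cluster name stays a string;
    # label values must be strings.
    mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-service-mirror-{{ .Values.targetClusterName }}
  namespace: {{ .Release.Namespace | quote }}
spec:
  replicas: {{ .Values.replicas }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
  selector:
    matchLabels:
      component: linkerd-service-mirror
      mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
  {{- if .Values.enablePodAntiAffinity }}
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  {{- end }}
  template:
    metadata:
      annotations:
        linkerd.io/inject: enabled
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
      labels:
        linkerd.io/extension: multicluster
        component: linkerd-service-mirror
        mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
    {{- if .Values.enablePodAntiAffinity}}
    {{- with $tree := deepCopy . }}
    {{- $_ := set $tree "component" .Values.targetClusterName -}}
    {{- $_ := set $tree "label" "mirror.linkerd.io/cluster-name" -}}
    {{- include "linkerd.affinity" $tree | nindent 6 }}
    {{- end }}
    {{- end }}
      containers:
      - args:
        - service-mirror
        - -log-level={{ .Values.logLevel }}
        - -log-format={{ .Values.logFormat }}
        - -event-requeue-limit={{ .Values.serviceMirrorRetryLimit }}
        - -namespace={{ .Release.Namespace }}
        {{- if .Values.enableHeadlessServices }}
        - -enable-headless-services
        {{- end }}
        # Profiling stays off unless the value is set. pprof handlers expose
        # runtime internals, so enable them only while debugging.
        # NOTE(review): presumably served on the admin-http port; confirm
        # against the controller.
        - -enable-pprof={{ .Values.enablePprof | default false }}
        # Container args must be strings; quoting keeps an all-digit cluster
        # name from being parsed as an integer.
        - {{ .Values.targetClusterName | quote }}
        # Extra environment entries are copied verbatim from chart values.
        # Supply sensitive values through valueFrom references rather than
        # literal strings, since literals end up in the rendered manifest.
        {{- if or .Values.serviceMirrorAdditionalEnv .Values.serviceMirrorExperimentalEnv }}
        env:
        {{- with .Values.serviceMirrorAdditionalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- with .Values.serviceMirrorExperimentalEnv }}
        {{- toYaml . | nindent 8 -}}
        {{- end }}
        {{- end }}
        image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion }}
        name: service-mirror
        # Hardened container context: no privilege escalation, every Linux
        # capability dropped, read-only root filesystem, non-root UID and GID
        # taken from chart values, and the runtime's default seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{ .Values.serviceMirrorUID }}
          runAsGroup: {{ .Values.serviceMirrorGID }}
          seccompProfile:
            type: RuntimeDefault
        ports:
        - containerPort: 9999
          name: admin-http
        {{- with .Values.resources }}
        resources: {{ toYaml . | nindent 10 }}
        {{- end }}
      # Pod-level seccomp default, so containers added to this pod without
      # their own profile still get RuntimeDefault.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      # The pod's API permissions are whatever RBAC grants this account.
      serviceAccountName: linkerd-service-mirror-{{ .Values.targetClusterName }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations: {{ toYaml . | nindent 6 }}
      {{- end }}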
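{{- if .Values.enablePodAntiAffinity }}
---
# Rendered only when pod anti-affinity is enabled. Limits voluntary
# disruptions to one service-mirror pod at a time for this target cluster;
# the selector matches the pod labels set by the Deployment template.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-service-mirror-{{ .Values.targetClusterName }}
  # Quoted: a namespace name made only of digits would otherwise parse as an
  # integer.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    component: linkerd-service-mirror
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      component: linkerd-service-mirror
      # Quoted so an all-digit or boolean-looking cluster name stays a string.
      mirror.linkerd.io/cluster-name: {{ .Values.targetClusterName | quote }}
{{- end}}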