---
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: {{ .Release.Namespace }}
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  podSelector:
    matchLabels:
      component: linkerd-service-mirror
  port: admin-http
  proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: {{ .Release.Namespace }}
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: service-mirror
  requiredAuthenticationRefs:
    # In order to use `linkerd mc gateways` you need viz' Prometheus instance
    # to be able to reach the service-mirror. In order to also have a separate
    # Prometheus scrape the service-mirror an additional AuthorizationPolicy
    # resource should be created.
    - kind: ServiceAccount
      name: prometheus
      namespace: linkerd-viz