---
###
### Tap Injector RBAC
###
# Cluster-wide, read-only view of Namespace objects for the tap-injector
# service account. The only grant is get/list/watch on core-group
# "namespaces": no write verbs, and no access to Secrets or workloads.
# Anything added to this role applies in every namespace, so keep additions
# as narrow as this rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
---
# Grants the linkerd-tap-injector ClusterRole to exactly one subject: the
# tap-injector ServiceAccount in the release namespace. No users or groups are
# bound, so the namespace read access is limited to that workload identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-tap-injector
subjects:
- kind: ServiceAccount
  name: tap-injector
  namespace: {{ .Release.Namespace }}
---
# Workload identity of the tap injector. It is the only subject of the
# linkerd-tap-injector ClusterRoleBinding defined in this file. The trailing
# include appends whatever the image-pull-secrets partial renders for
# .Values.imagePullSecrets.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tap-injector
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: viz
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
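---
{{- /*
  TLS serving material for the tap-injector webhook. The Secret is rendered
  only when tapInjector.externalSecret is not set.

  genSelfSignedCert issues a self-signed certificate for the in-cluster
  service name "tap-injector.<release namespace>.svc", valid for 365 days.
  It is re-issued on every render, so each install/upgrade replaces it; a
  release that is not upgraded for a year ends up serving an expired
  certificate, and API-server calls to the webhook then fail TLS verification.

  The generated private key is part of the rendered manifest. Treat chart
  output and stored release records as secret material, or supply the key pair
  out of band (tapInjector.externalSecret) so that no key passes through the
  chart.
*/}}
{{- $host := printf "tap-injector.%s.svc" .Release.Namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.tapInjector.externalSecret) }}
{{- /*
  tls.crt and tls.key below fall back to the generated pair independently of
  each other. Supplying only one of crtPEM/keyPEM would therefore pair a
  user-supplied half with a generated half that does not match it, so refuse
  to render that combination.
*/}}
{{- if and (empty .Values.tapInjector.crtPEM) (not (empty .Values.tapInjector.keyPEM)) }}
{{- fail "tapInjector.keyPEM is set but tapInjector.crtPEM is empty; set both or neither" }}
{{- end }}
{{- if and (empty .Values.tapInjector.keyPEM) (not (empty .Values.tapInjector.crtPEM)) }}
{{- fail "tapInjector.crtPEM is set but tapInjector.keyPEM is empty; set both or neither" }}
{{- end }}
kind: Secret
apiVersion: v1
metadata:
  name: tap-injector-k8s-tls
  namespace: {{ .Release.Namespace }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    linkerd.io/extension: viz
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
type: kubernetes.io/tls
data:
  # Secret "data" values are base64-encoded PEM. User-supplied crtPEM/keyPEM
  # take precedence; the generated pair is used only when they are empty.
  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tapInjector.crtPEM)) (empty .Values.tapInjector.crtPEM) }}
  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.tapInjector.keyPEM)) (empty .Values.tapInjector.keyPEM) }}
---
{{- end }}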
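{{- /*
  Mutating admission webhook for the tap injector.

  The API server sends every matching pod CREATE to the tap-injector service
  and applies the patch it returns, so whoever controls that service or its
  TLS key can alter pod specs in all selected namespaces. Restrict who can
  edit this object, the tap-injector workload and the tap-injector-k8s-tls
  Secret accordingly.

  Trust anchor for the webhook call, in order of precedence:
    1. cert-manager injection (injectCaFrom / injectCaFromSecret); caBundle is
       then omitted here.
    2. tapInjector.caBundle, when set.
    3. The self-signed certificate generated earlier in this file.
  Option 3 only matches a serving certificate generated by the same render.
  If crtPEM/keyPEM or externalSecret supply the serving certificate, caBundle
  (or a cert-manager annotation) has to be supplied as well; presumably
  linkerd.webhook.validation rejects inconsistent combinations, but that
  partial is not visible here, so confirm.
*/}}
{{- include "linkerd.webhook.validation" .Values.tapInjector }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-tap-injector-webhook-config
  {{- if or (.Values.tapInjector.injectCaFrom) (.Values.tapInjector.injectCaFromSecret) }}
  annotations:
  {{- /* Annotation values must be strings; quote so YAML never retypes them. */}}
  {{- if .Values.tapInjector.injectCaFrom }}
    cert-manager.io/inject-ca-from: {{ .Values.tapInjector.injectCaFrom | quote }}
  {{- end }}
  {{- if .Values.tapInjector.injectCaFromSecret }}
    cert-manager.io/inject-ca-from-secret: {{ .Values.tapInjector.injectCaFromSecret | quote }}
  {{- end }}
  {{- end }}
  labels:
    linkerd.io/extension: viz
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
webhooks:
- name: tap-injector.linkerd.io
  {{- /*
    With both selectors unset, the webhook is called for pod creation in every
    namespace. Use them to keep namespaces that must not depend on this
    webhook out of scope.
  */}}
  {{- if .Values.tapInjector.namespaceSelector }}
  namespaceSelector:
{{ toYaml .Values.tapInjector.namespaceSelector | trim | indent 4 -}}
  {{- end }}
  {{- if .Values.tapInjector.objectSelector }}
  objectSelector:
{{ toYaml .Values.tapInjector.objectSelector | trim | indent 4 -}}
  {{- end }}
  clientConfig:
    service:
      name: tap-injector
      namespace: {{ .Release.Namespace }}
      path: "/"
    {{- if and (empty .Values.tapInjector.injectCaFrom) (empty .Values.tapInjector.injectCaFromSecret) }}
    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tapInjector.caBundle)) (empty .Values.tapInjector.caBundle) }}
    {{- end }}
  # failurePolicy decides what happens when the webhook is unreachable or its
  # certificate is rejected: Ignore admits the pod unmodified, Fail blocks pod
  # creation in the selected namespaces. If the value is unset this key renders
  # empty and the API server applies its own default.
  failurePolicy: {{ .Values.tapInjector.failurePolicy }}
  admissionReviewVersions: ["v1", "v1beta1"]
  reinvocationPolicy: IfNeeded
  # Scope is limited to CREATE of core/v1 pods; updates and other resources
  # never reach the webhook.
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    scope: "Namespaced"
  sideEffects: None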