1---
2###
3### Tap Injector
4###
5kind: Service
6apiVersion: v1
7metadata:
8 name: tap-injector
9 namespace: {{ .Release.Namespace }}
10 labels:
11 linkerd.io/extension: viz
12 component: tap-injector
13 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
14 annotations:
15 {{ include "partials.annotations.created-by" . }}
16 {{- with .Values.tapInjector.service.annotations }}{{ toYaml . | trim | nindent 4 }}{{- end }}
17 linkerd.io/inject: enabled
18spec:
19 type: ClusterIP
20 selector:
21 linkerd.io/extension: viz
22 component: tap-injector
23 ports:
24 - name: tap-injector
25 port: 443
26 targetPort: tap-injector
27---
28{{- $tree := deepCopy . }}
29kind: Deployment
30apiVersion: apps/v1
31metadata:
32 annotations:
33 {{ include "partials.annotations.created-by" . }}
34 linkerd.io/inject: enabled
35 config.linkerd.io/proxy-await: "enabled"
36 labels:
37 linkerd.io/extension: viz
38 app.kubernetes.io/name: tap-injector
39 app.kubernetes.io/part-of: Linkerd
40 component: tap-injector
41 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
42 name: tap-injector
43 namespace: {{ .Release.Namespace }}
44spec:
45 replicas: {{.Values.tapInjector.replicas}}
46 revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
47 selector:
48 matchLabels:
49 component: tap-injector
50 {{- if .Values.enablePodAntiAffinity }}
51 strategy:
52 rollingUpdate:
53 maxUnavailable: 1
54 {{- end }}
55 template:
56 metadata:
57 annotations:
58 {{- if empty .Values.cliVersion }}
59 checksum/config: {{ include (print $.Template.BasePath "/tap-injector-rbac.yaml") . | sha256sum }}
60 {{- end }}
61 {{ include "partials.annotations.created-by" . }}
62 {{- with .Values.tapInjector.proxy }}
63 {{- include "partials.proxy.config.annotations" .resources | nindent 8 }}
64 {{- end }}
65 {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
66 linkerd.io/inject: enabled
67 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
68 cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
69 labels:
70 linkerd.io/extension: viz
71 component: tap-injector
72 {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
73 spec:
74 {{- if .Values.tolerations -}}
75 {{- include "linkerd.tolerations" . | nindent 6 }}
76 {{- end -}}
77 {{- include "linkerd.node-selector" . | nindent 6 }}
78 {{- $_ := set $tree "component" "tap-injector" -}}
79 {{- $_ := set $tree "label" "component" -}}
80 {{- include "linkerd.affinity" $tree | nindent 6 }}
81 containers:
82 - args:
83 - injector
84 - -tap-service-name=tap.{{.Release.Namespace}}.serviceaccount.identity.{{.Values.linkerdNamespace}}.{{.Values.identityTrustDomain | default .Values.clusterDomain}}
85 - -log-level={{.Values.tapInjector.logLevel | default .Values.defaultLogLevel}}
86 - -log-format={{.Values.tapInjector.logFormat | default .Values.defaultLogFormat}}
87 - -enable-pprof={{.Values.enablePprof | default false}}
88 image: {{.Values.tapInjector.image.registry | default .Values.defaultRegistry}}/{{.Values.tapInjector.image.name}}:{{.Values.tapInjector.image.tag | default .Values.linkerdVersion}}
89 imagePullPolicy: {{.Values.tapInjector.image.pullPolicy | default .Values.defaultImagePullPolicy}}
90 livenessProbe:
91 httpGet:
92 path: /ping
93 port: 9995
94 initialDelaySeconds: 10
95 name: tap-injector
96 ports:
97 - containerPort: 8443
98 name: tap-injector
99 - containerPort: 9995
100 name: admin-http
101 readinessProbe:
102 failureThreshold: 7
103 httpGet:
104 path: /ready
105 port: 9995
106 {{- if .Values.tapInjector.resources -}}
107 {{- include "partials.resources" .Values.tapInjector.resources | nindent 8 }}
108 {{- end }}
109 securityContext:
110 allowPrivilegeEscalation: false
111 capabilities:
112 drop:
113 - ALL
114 readOnlyRootFilesystem: true
115 runAsNonRoot: true
116 runAsUser: {{.Values.tapInjector.UID | default .Values.defaultUID}}
117 runAsGroup: {{.Values.tapInjector.GID | default .Values.defaultGID}}
118 seccompProfile:
119 type: RuntimeDefault
120 volumeMounts:
121 - mountPath: /var/run/linkerd/tls
122 name: tls
123 readOnly: true
124 securityContext:
125 seccompProfile:
126 type: RuntimeDefault
127 serviceAccountName: tap-injector
128 volumes:
129 - name: tls
130 secret:
131 secretName: tap-injector-k8s-tls
132{{- if and .Values.enablePodDisruptionBudget (gt (int .Values.tapInjector.replicas) 1) }}
133---
134kind: PodDisruptionBudget
135apiVersion: policy/v1
136metadata:
137 name: tap-injector
138 namespace: {{ .Release.Namespace }}
139 labels:
140 linkerd.io/extension: viz
141 component: tap-injector
142 namespace: {{.Release.Namespace}}
143 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
144 annotations:
145 {{ include "partials.annotations.created-by" . }}
146spec:
147 maxUnavailable: 1
148 selector:
149 matchLabels:
150 linkerd.io/extension: viz
151 component: tap-injector
152{{- end }}
View as plain text