
Text file src/github.com/linkerd/linkerd2/viz/charts/linkerd-viz/templates/tap-rbac.yaml

Documentation: github.com/linkerd/linkerd2/viz/charts/linkerd-viz/templates

     1---
     2###
     3### Tap RBAC
     4###
     5kind: ClusterRole
     6apiVersion: rbac.authorization.k8s.io/v1
     7metadata:
     8  name: linkerd-{{.Release.Namespace}}-tap
     9  labels:
    10    linkerd.io/extension: viz
    11    component: tap
    12    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    13rules:
    14- apiGroups: [""]
    15  resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
    16  verbs: ["list", "get", "watch"]
    17- apiGroups: ["extensions", "apps"]
    18  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    19  verbs: ["list", "get", "watch"]
    20- apiGroups: ["extensions", "batch"]
    21  resources: ["cronjobs", "jobs"]
    22  verbs: ["list" , "get", "watch"]
    23---
    24kind: ClusterRole
    25apiVersion: rbac.authorization.k8s.io/v1
    26metadata:
    27  name: linkerd-{{.Release.Namespace}}-tap-admin
    28  labels:
    29    linkerd.io/extension: viz
    30    component: tap
    31    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    32rules:
    33- apiGroups: [""]
    34  resources: ["namespaces"]
    35  verbs: ["list"]
    36- apiGroups: ["tap.linkerd.io"]
    37  resources: ["*"]
    38  verbs: ["watch"]
    39---
    40kind: ClusterRoleBinding
    41apiVersion: rbac.authorization.k8s.io/v1
    42metadata:
    43  name: linkerd-{{.Release.Namespace}}-tap
    44  labels:
    45    linkerd.io/extension: viz
    46    component: tap
    47    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    48roleRef:
    49  apiGroup: rbac.authorization.k8s.io
    50  kind: ClusterRole
    51  name: linkerd-{{.Release.Namespace}}-tap
    52subjects:
    53- kind: ServiceAccount
    54  name: tap
    55  namespace: {{.Release.Namespace}}
    56---
    57apiVersion: rbac.authorization.k8s.io/v1
    58kind: ClusterRoleBinding
    59metadata:
    60  name: linkerd-{{.Release.Namespace}}-tap-auth-delegator
    61  labels:
    62    linkerd.io/extension: viz
    63    component: tap
    64    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    65roleRef:
    66  apiGroup: rbac.authorization.k8s.io
    67  kind: ClusterRole
    68  name: system:auth-delegator
    69subjects:
    70- kind: ServiceAccount
    71  name: tap
    72  namespace: {{.Release.Namespace}}
    73---
    74kind: ServiceAccount
    75apiVersion: v1
    76metadata:
    77  name: tap
    78  namespace: {{ .Release.Namespace }}
    79  labels:
    80    linkerd.io/extension: viz
    81    component: tap
    82    namespace: {{.Release.Namespace}}
    83    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    84{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
    85---
    86apiVersion: rbac.authorization.k8s.io/v1
    87kind: RoleBinding
    88metadata:
    89  name: linkerd-{{.Release.Namespace}}-tap-auth-reader
    90  namespace: kube-system
    91  labels:
    92    linkerd.io/extension: viz
    93    component: tap
    94    namespace: {{.Release.Namespace}}
    95    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    96roleRef:
    97  apiGroup: rbac.authorization.k8s.io
    98  kind: Role
    99  name: extension-apiserver-authentication-reader
   100subjects:
   101- kind: ServiceAccount
   102  name: tap
   103  namespace: {{.Release.Namespace}}
   104---
   105{{- $host := printf "tap.%s.svc" .Release.Namespace }}
   106{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
   107{{- if (not .Values.tap.externalSecret) }}
   108kind: Secret
   109apiVersion: v1
   110metadata:
   111  name: tap-k8s-tls
   112  namespace: {{ .Release.Namespace }}
   113  labels:
   114    linkerd.io/extension: viz
   115    component: tap
   116    namespace: {{.Release.Namespace}}
   117    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   118  annotations:
   119    {{ include "partials.annotations.created-by" . }}
   120type: kubernetes.io/tls
   121data:
   122  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tap.crtPEM)) (empty .Values.tap.crtPEM) }}
   123  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.tap.keyPEM)) (empty .Values.tap.keyPEM) }}
   124---
   125{{- end }}
   126{{- include "linkerd.webhook.validation" .Values.tap }}
   127apiVersion: apiregistration.k8s.io/v1
   128kind: APIService
   129metadata:
   130  name: v1alpha1.tap.linkerd.io
   131  {{- if or (.Values.tap.injectCaFrom) (.Values.tap.injectCaFromSecret) }}
   132  annotations:
   133  {{- if .Values.tap.injectCaFrom }}
   134    cert-manager.io/inject-ca-from: {{ .Values.tap.injectCaFrom }}
   135  {{- end }}
   136  {{- if .Values.tap.injectCaFromSecret }}
   137    cert-manager.io/inject-ca-from-secret: {{ .Values.tap.injectCaFromSecret }}
   138  {{- end }}
   139  {{- end }}
   140  labels:
   141    linkerd.io/extension: viz
   142    component: tap
   143    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   144spec:
   145  group: tap.linkerd.io
   146  version: v1alpha1
   147  groupPriorityMinimum: 1000
   148  versionPriority: 100
   149  service:
   150    name: tap
   151    namespace: {{.Release.Namespace}}
   152  {{- if and (empty .Values.tap.injectCaFrom) (empty .Values.tap.injectCaFromSecret) }}
   153  caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.tap.caBundle)) (empty .Values.tap.caBundle) }}
   154  {{- end }}
