...
1# Default values for linkerd.
2# This is a YAML-formatted file.
3# Declare variables to be passed into your templates.
4
5# Fields that should be common with the core control plane
6
7# -- control plane version. See Proxy section for proxy version
8linkerdVersion: linkerdVersionValue
9# -- Kubernetes DNS Domain name to use
10clusterDomain: cluster.local
11# -- Additional labels to add to all pods
12podLabels: {}
13# -- Labels to apply to all resources
14commonLabels: {}
15# -- Trust domain used for identity
16# @default -- clusterDomain
17identityTrustDomain: ""
18# -- Specifies the number of old ReplicaSets to retain to allow rollback.
19revisionHistoryLimit: 10
20
21# -- Docker registry for all viz components
22defaultRegistry: cr.l5d.io/linkerd
23# -- Docker imagePullPolicy for all viz components
24defaultImagePullPolicy: IfNotPresent
25# -- Log level for all the viz components
26defaultLogLevel: info
27# -- Log format (`plain` or `json`) for all the viz components.
28defaultLogFormat: plain
29# -- UID for all the viz components
30defaultUID: 2103
31# -- GID for all the viz components
32defaultGID: 2103
33
34# -- Namespace of the Linkerd core control-plane install
35linkerdNamespace: linkerd
36
37# -- Default nodeSelector section, See the
38# [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information
39nodeSelector: &default_node_selector
40 kubernetes.io/os: linux
41
42# -- For Private docker registries, authentication is needed.
43# Registry secrets are applied to the respective service accounts
44imagePullSecrets: []
45# - name: my-private-docker-registry-login-secret
46
47# -- Default tolerations section, See the
48# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
49# for more information
50tolerations: &default_tolerations
51
52# -- Enables Pod Anti Affinity logic to balance the placement of replicas
53# across hosts and zones for High Availability.
54# Enable this only when you have multiple replicas of components.
55enablePodAntiAffinity: false
56
57# -- enables the creation of pod disruption budgets for tap, tap-injector, web and metrics-api components
58enablePodDisruptionBudget: false
59
60# -- NodeAffinity section, See the
61# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
62# for more information
63# nodeAffinity:
64
65# -- Creates a Job that adds necessary metadata to the extension's namespace
66# during install; disable if lack of privileges require doing this manually
67createNamespaceMetadataJob: true
68
69# -- Create Roles and RoleBindings to associate this extension's
70# ServiceAccounts to the control plane PSP resource. This requires that
71# `enabledPSP` is set to true on the control plane install. Note PSP has been
72# deprecated since k8s v1.21
73enablePSP: false
74
75# -- url of external prometheus instance
76prometheusUrl: ""
77
78# -- url of external jaeger instance
79# Set this to `jaeger.linkerd-jaeger.svc.<clusterDomain>:16686` if you plan to use jaeger extension
80jaegerUrl: ""
81
82# metrics API configuration
83metricsAPI:
84 # -- Number of replicas of the metrics-api component
85 replicas: 1
86 # -- log level of the metrics-api component
87 # @default -- defaultLogLevel
88 logLevel: ""
89 # -- log format of the metrics-api component
90 # @default -- defaultLogFormat
91 logFormat: ""
92 image:
93 # -- Docker registry for the metrics-api component
94 # @default -- defaultRegistry
95 registry: ""
96 # -- Docker image name for the metrics-api component
97 name: metrics-api
98 # -- Docker image tag for the metrics-api component
99 # @default -- linkerdVersion
100 tag: ""
101 # -- Pull policy for the metrics-api component
102 # @default -- defaultImagePullPolicy
103 pullPolicy: ""
104
105 resources:
106 cpu:
107 # -- Maximum amount of CPU units that the metrics-api container can use
108 limit:
109 # -- Amount of CPU units that the metrics-api container requests
110 request:
111 memory:
112 # -- Maximum amount of memory that metrics-api container can use
113 limit:
114 # -- Amount of memory that the metrics-api container requests
115 request:
116 ephemeral-storage:
117 # -- Maximum amount of ephemeral storage that the metrics-api container can use
118 limit: ""
119 # -- Amount of ephemeral storage that the metrics-api container requests
120 request: ""
121
122 proxy:
123 # -- If set, overrides default proxy resources for the proxy injected
124 # into the metrics-api component
125 # resources:
126
127 # -- UID for the metrics-api resource
128 UID:
129
130 # -- GID for the metrics-api resource
131 GID:
132
133 # -- NodeSelector section, See the
134 # [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information
135 nodeSelector: *default_node_selector
136 # -- Tolerations section, See the
137 # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
138 # for more information
139 tolerations: *default_tolerations
140
141 # -- metrics-api service configuration
142 service:
143 # -- Additional annotations to add to metrics-api service
144 annotations: {}
145
146# tap configuration
147tap:
148 # -- Number of tap component replicas
149 replicas: 1
150 # -- log level of the tap component
151 # @default -- defaultLogLevel
152 logLevel: ""
153 # -- log format of the tap component
154 # @default -- defaultLogFormat
155 logFormat: ""
156 image:
157 # -- Docker registry for the tap instance
158 # @default -- defaultRegistry
159 registry: ""
160 # -- Docker image name for the tap instance
161 name: tap
162 # -- Docker image tag for the tap instance
163 # @default -- linkerdVersion
164 tag: ""
165 # -- Pull policy for the tap component
166 # @default -- defaultImagePullPolicy
167 pullPolicy: ""
168
169 # -- Do not create a secret resource for the Tap component.
170 # If this is set to `true`, the value `tap.caBundle` must be set
171 # or the ca bundle must injected with cert-manager ca injector using
172 # `tap.injectCaFrom` or `tap.injectCaFromSecret` (see below).
173 externalSecret: false
174
175 # -- Certificate for the Tap component. If not provided and not using an external secret
176 # then Helm will generate one.
177 crtPEM: |
178
179 # -- Certificate key for Tap component. If not provided and not using an external secret
180 # then Helm will generate one.
181 keyPEM: |
182
183 # -- Bundle of CA certificates for tap.
184 # If not provided nor injected with cert-manager,
185 # then Helm will use the certificate generated for `tap.crtPEM`.
186 # If `tap.externalSecret` is set to true, this value, injectCaFrom, or
187 # injectCaFromSecret must be set, as no certificate will be generated.
188 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
189 caBundle: |
190
191 # -- Inject the CA bundle from a cert-manager Certificate.
192 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
193 # for more information.
194 injectCaFrom: ""
195
196 # -- Inject the CA bundle from a Secret.
197 # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
198 # The Secret must have the CA Bundle stored in the `ca.crt` key and have
199 # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
200 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
201 # for more information.
202 injectCaFromSecret: ""
203
204 resources:
205 cpu:
206 # -- Maximum amount of CPU units that the tap container can use
207 limit:
208 # -- Amount of CPU units that the tap container requests
209 request:
210 memory:
211 # -- Maximum amount of memory that tap container can use
212 limit:
213 # -- Amount of memory that the tap container requests
214 request:
215 ephemeral-storage:
216 # -- Maximum amount of ephemeral storage that the tap container can use
217 limit: ""
218 # -- Amount of ephemeral storage that the tap container requests
219 request: ""
220
221 # -- List of headers that will be ignored for Linkerd Tap
222 ignoreHeaders: []
223
224 proxy:
225 # -- If set, overrides default proxy resources for the proxy injected
226 # into the tap component
227 # resources:
228
229 # -- UID for the tap component
230 UID:
231
232 # -- GID for the tap component
233 GID:
234
235 # -- tap service configuration
236 service:
237 # -- Additional annotations to add to tap service
238 annotations: {}
239
240# tapInjector configuration
241tapInjector:
242 # -- Number of replicas of tapInjector
243 replicas: 1
244 # -- log level of the tapInjector
245 # @default -- defaultLogLevel
246 logLevel: ""
247 # -- log format of the tapInjector component
248 # @default -- defaultLogFormat
249 logFormat: ""
250 image:
251 # -- Docker registry for the tapInjector instance
252 # @default -- defaultRegistry
253 registry: ""
254 # -- Docker image name for the tapInjector instance
255 name: tap
256 # -- Docker image tag for the tapInjector instance
257 # @default -- linkerdVersion
258 tag: ""
259 # -- Pull policy for the tapInjector component
260 # @default -- defaultImagePullPolicy
261 pullPolicy: ""
262
263 # -- Namespace selector used by admission webhook.
264 namespaceSelector:
265 matchExpressions:
266 - key: kubernetes.io/metadata.name
267 operator: NotIn
268 values:
269 - kube-system
270 objectSelector:
271 # matchLabels:
272 # foo: bar
273 # -- UID for the tapInjector resource
274 UID:
275 # -- GID for the tapInjector resource
276 GID:
277 failurePolicy: Ignore
278 resources:
279 cpu:
280 # -- Maximum amount of CPU units that the tapInjector container can use
281 limit:
282 # -- Amount of CPU units that the tapInjector container requests
283 request:
284 memory:
285 # -- Maximum amount of memory that tapInjector container can use
286 limit:
287 # -- Amount of memory that the tapInjector container requests
288 request:
289 ephemeral-storage:
290 # -- Maximum amount of ephemeral storage that the tapInjector container can use
291 limit: ""
292 # -- Amount of ephemeral storage that the tapInjector container requests
293 request: ""
294 proxy:
295 # -- If set, overrides default proxy resources for the proxy injected
296 # into the tapInjector component
297 # resources:
298
299 # -- Do not create a secret resource for the tapInjector webhook.
300 # If this is set to `true`, the value `tapInjector.caBundle` must be set
301 # or the ca bundle must injected with cert-manager ca injector using
302 # `tapInjector.injectCaFrom` or `tapInjector.injectCaFromSecret` (see below).
303 externalSecret: false
304
305 # -- Certificate for the tapInjector. If not provided and not using an external secret
306 # then Helm will generate one.
307 crtPEM: |
308
309 # -- Certificate key for the tapInjector. If not provided and not using an external secret
310 # then Helm will generate one.
311 keyPEM: |
312
313 # -- Bundle of CA certificates for the tapInjector.
314 # If not provided nor injected with cert-manager,
315 # then Helm will use the certificate generated for `tapInjector.crtPEM`.
316 # If `tapInjector.externalSecret` is set to true, this value, injectCaFrom, or
317 # injectCaFromSecret must be set, as no certificate will be generated.
318 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
319 caBundle: |
320
321 # -- Inject the CA bundle from a cert-manager Certificate.
322 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
323 # for more information.
324 injectCaFrom: ""
325
326 # -- Inject the CA bundle from a Secret.
327 # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
328 # The Secret must have the CA Bundle stored in the `ca.crt` key and have
329 # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
330 # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
331 # for more information.
332 injectCaFromSecret: ""
333
334 # -- tap service configuration
335 service:
336 # -- Additional annotations to add to tapInjector service
337 annotations: {}
338
339# web dashboard configuration
340dashboard:
341 # -- Number of replicas of dashboard
342 replicas: 1
343 # -- log level of the dashboard component
344 # @default -- defaultLogLevel
345 logLevel: ""
346 # -- log format of the dashboard component
347 # @default -- defaultLogFormat
348 logFormat: ""
349 image:
350 # -- Docker registry for the web instance
351 # @default -- defaultRegistry
352 registry: ""
353 # -- Docker image name for the web instance
354 name: web
355 # -- Docker image tag for the web instance
356 # @default -- linkerdVersion
357 tag: ""
358 # -- Pull policy for the web component
359 # @default -- defaultImagePullPolicy
360 pullPolicy: ""
361
362 # -- UID for the dashboard resource
363 UID:
364
365 # -- GID for the dashboard resource
366 GID:
367
368 # -- Restrict the Linkerd Dashboard's default privileges to disallow Tap and Check
369 restrictPrivileges: false
370
371 # -- Host header validation regex for the dashboard. See the [Linkerd
372 # documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more
373 # information
374 enforcedHostRegexp: ""
375 resources:
376 cpu:
377 # -- Maximum amount of CPU units that the web container can use
378 limit:
379 # -- Amount of CPU units that the web container requests
380 request:
381 memory:
382 # -- Maximum amount of memory that web container can use
383 limit:
384 # -- Amount of memory that the web container requests
385 request:
386 ephemeral-storage:
387 # -- Maximum amount of ephemeral storage that the web container can use
388 limit: ""
389 # -- Amount of ephemeral storage that the web container requests
390 request: ""
391
392 proxy:
393 # -- If set, overrides default proxy resources for the proxy injected
394 # into the dashboard component
395 # resources:
396
397 # -- dashboard service configuration
398 service:
399 # -- Additional annotations to add to dashboard service
400 annotations: {}
401
402namespaceMetadata:
403 image:
404 # -- Docker registry for the namespace-metadata instance
405 # @default -- defaultRegistry
406 registry: ""
407 # -- Docker image name for the namespace-metadata instance
408 name: extension-init
409 # -- Docker image tag for the namespace-metadata instance
410 tag: v0.1.0
411 # -- Pull policy for the namespace-metadata instance
412 # @default -- defaultImagePullPolicy
413 pullPolicy: ""
414
415 # -- NodeSelector section, See the
416 # [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information
417 nodeSelector: *default_node_selector
418 # -- Tolerations section, See the
419 # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
420 # for more information
421 tolerations: *default_tolerations
422
423grafana:
424 # -- url of an in-cluster Grafana instance with reverse proxy configured, used by the
425 # Linkerd viz web dashboard to provide direct links to specific Grafana
426 # dashboards. Cannot be set if grafana.externalUrl is set. See the [Linkerd
427 # documentation](https://linkerd.io/2/tasks/grafana) for more information
428 url:
429 # -- url of a Grafana instance hosted off-cluster. Cannot be set if
430 # grafana.url is set. The reverse proxy will not be used for this URL.
431 externalUrl:
432 # -- prefix for Grafana dashboard UID's, used when grafana.externalUrl is
433 # set.
434 uidPrefix:
435
436prometheus:
437 # -- toggle field to enable or disable prometheus
438 enabled: true
439 image:
440 # -- Docker registry for the prometheus instance
441 registry: prom
442 # -- Docker image name for the prometheus instance
443 name: prometheus
444 # -- Docker image tag for the prometheus instance
445 tag: v2.48.1
446 # -- Pull policy for the prometheus instance
447 # @default -- defaultImagePullPolicy
448 pullPolicy: ""
449
450 # -- log level of the prometheus instance
451 # @default -- defaultLogLevel
452 logLevel: ""
453 # -- log format (plain, json) of the prometheus instance
454 # @default -- defaultLogLevel
455 logFormat: ""
456 # -- Command line options for Prometheus binary
457 args:
458 storage.tsdb.path: /data
459 storage.tsdb.retention.time: 6h
460 config.file: /etc/prometheus/prometheus.yml
461 # -- The global configuration specifies parameters that are valid in all other
462 # configuration contexts.
463 globalConfig:
464 scrape_interval: 10s
465 scrape_timeout: 10s
466 evaluation_interval: 10s
467
468 # -- annotations for the prometheus pod
469 podAnnotations: {}
470
471 # -- Alert relabeling is applied to alerts before they are sent to the
472 # Alertmanager.
473 alertRelabelConfigs:
474 # Ex:
475 # - action: labeldrop
476 # regex: prometheus_replica
477
478 # -- Alertmanager instances the Prometheus server sends alerts to configured via
479 # the static_configs parameter.
480 alertmanagers:
481 # Ex:
482 # - scheme: http
483 # static_configs:
484 # - targets:
485 # - "alertmanager.linkerd.svc:9093"
486
487 # -- Allows transparently sending samples to an endpoint. Mostly used for long
488 # term storage.
489 remoteWrite:
490
491 # -- Alerting/recording rule ConfigMap mounts (sub-path names must end in
492 # ´_rules.yml´ or ´_rules.yaml´)
493 ruleConfigMapMounts:
494 # Ex:
495 # - name: alerting-rules
496 # subPath: alerting_rules.yml
497 # configMap: linkerd-prometheus-rules
498 # - name: recording-rules
499 # subPath: recording_rules.yml
500 # configMap: linkerd-prometheus-rules
501
502 # -- A scrapeConfigs section specifies a set of targets and parameters
503 # describing how to scrape them.
504 scrapeConfigs:
505 # Ex:
506 # - job_name: 'kubernetes-nodes'
507 # scheme: https
508 # tls_config:
509 # ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
510 # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
511 # kubernetes_sd_configs:
512 # - role: node
513 # relabel_configs:
514 # - action: labelmap
515 # regex: __meta_kubernetes_node_label_(.+)
516
517 # -- A metricRelabelConfigs section allows to drop high cardinality metrics.
518 # *NOTE:* Please use with caution. Some metrics are needed for linkerd-viz to
519 # function properly.
520 metricRelabelConfigs:
521 # This allows us to fine tune prometheus cardinality by dropping certain
522 # metrics as suggested here: https://itnext.io/optimizing-linkerd-metrics-in-prometheus-de607ec10f6b
523 #
524 # Ex:
525 # - action: keep
526 # source_labels: [le]
527 # regex: "(?i)(|10|50|100|500|1000|10000|30000|\\+Inf)"
528
529 # -- A sidecarContainers section specifies a list of secondary containers to run
530 # in the prometheus pod e.g. to export data to non-prometheus systems
531 sidecarContainers:
532 # Ex:
533 # - name: sidecar
534 # image: gcr.io/myproject/stackdriver-prometheus-sidecar
535 # imagePullPolicy: Always
536 # command:
537 # - /bin/sh
538 # - -c
539 # - |
540 # exec /bin/stackdriver-prometheus-sidecar \
541 # --stackdriver.project-id=myproject \
542 # --stackdriver.kubernetes.location=us-central1 \
543 # --stackdriver.kubernetes.cluster-name=mycluster \
544 # --prometheus.wal-directory=/data/wal \
545 # --log.level=info
546 # volumeMounts:
547 # - mountPath: /data
548 # name: data
549 # ports:
550 # - name: foo
551 # containerPort: 9091
552 # protocol: TCP
553 ### WARNING: persistence is experimental and has not been tested/vetted by the Linkerd team.
554 ### As such, please refer to https://linkerd.io/2/tasks/exporting-metrics/ for the recommended approach to metrics data retention.
555 # if enabled, creates a persistent volume claim for prometheus data
556 # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims
557 #persistence:
558 # -- Storage class used to create prometheus data PV.
559 # storageClass:
560 # -- PVC access mode.
561 # accessMode:
562 # -- Prometheus data volume size.
563 # size:
564
565 resources:
566 cpu:
567 # -- Maximum amount of CPU units that the prometheus container can use
568 limit:
569 # -- Amount of CPU units that the prometheus container requests
570 request:
571 memory:
572 # -- Maximum amount of memory that prometheus container can use
573 limit:
574 # -- Amount of memory that the prometheus container requests
575 request:
576 ephemeral-storage:
577 # -- Maximum amount of ephemeral storage that the prometheus container can use
578 limit: ""
579 # -- Amount of ephemeral storage that the prometheus container requests
580 request: ""
581
582 proxy:
583 # -- If set, overrides default proxy resources for the proxy injected
584 # into the prometheus component
585 # resources:
586
587 # -- NodeSelector section, See the
588 # [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information
589 nodeSelector: *default_node_selector
590 # -- Tolerations section, See the
591 # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
592 # for more information
593 tolerations: *default_tolerations
View as plain text