rancher-partner-charts/charts/linkerd/linkerd-control-plane/2024.7.1/templates/proxy-injector-rbac.yaml

---
###
### Proxy Injector RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{.Release.Namespace}}-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{.Release.Namespace}}-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: {{.Release.Namespace}}
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-{{.Release.Namespace}}-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---
{{- $host := printf "linkerd-proxy-injector.%s.svc" .Release.Namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.proxyInjector.externalSecret) }}
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-proxy-injector-k8s-tls
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
type: kubernetes.io/tls
data:
  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }}
  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }}
---
{{- end }}
{{- include "linkerd.webhook.validation" .Values.proxyInjector }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  {{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }}
  annotations:
  {{- if .Values.proxyInjector.injectCaFrom }}
    cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }}
  {{- end }}
  {{- if .Values.proxyInjector.injectCaFromSecret }}
    cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }}
  {{- end }}
  {{- end }}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  namespaceSelector:
    {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }}
  objectSelector:
    {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }}
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: {{ .Release.Namespace }}
      path: "/"
    {{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }}
    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }}
    {{- end }}
  failurePolicy: {{.Values.webhookFailurePolicy}}
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods", "services"]
    scope: "Namespaced"
  sideEffects: None
  timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }}
make charts 2021-09-30 22:13:01 +00:00			`---`
			`###`
			`### Proxy Injector RBAC`
			`###`
			`kind: ClusterRole`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`name: linkerd-{{.Release.Namespace}}-proxy-injector`
make charts 2021-09-30 22:13:01 +00:00			`labels:`
			`linkerd.io/control-plane-component: proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`linkerd.io/control-plane-ns: {{.Release.Namespace}}`
			`{{- with .Values.commonLabels }}{{ toYaml . \| trim \| nindent 4 }}{{- end }}`
make charts 2021-09-30 22:13:01 +00:00			`rules:`
			`- apiGroups: [""]`
			`resources: ["events"]`
			`verbs: ["create", "patch"]`
			`- apiGroups: [""]`
			`resources: ["namespaces", "replicationcontrollers"]`
			`verbs: ["list", "get", "watch"]`
			`- apiGroups: [""]`
			`resources: ["pods"]`
			`verbs: ["list", "watch"]`
			`- apiGroups: ["extensions", "apps"]`
			`resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]`
			`verbs: ["list", "get", "watch"]`
			`- apiGroups: ["extensions", "batch"]`
			`resources: ["cronjobs", "jobs"]`
			`verbs: ["list", "get", "watch"]`
			`---`
			`kind: ClusterRoleBinding`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`name: linkerd-{{.Release.Namespace}}-proxy-injector`
make charts 2021-09-30 22:13:01 +00:00			`labels:`
			`linkerd.io/control-plane-component: proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`linkerd.io/control-plane-ns: {{.Release.Namespace}}`
			`{{- with .Values.commonLabels }}{{ toYaml . \| trim \| nindent 4 }}{{- end }}`
make charts 2021-09-30 22:13:01 +00:00			`subjects:`
			`- kind: ServiceAccount`
			`name: linkerd-proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`namespace: {{.Release.Namespace}}`
make charts 2021-09-30 22:13:01 +00:00			`apiGroup: ""`
			`roleRef:`
			`kind: ClusterRole`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`name: linkerd-{{.Release.Namespace}}-proxy-injector`
make charts 2021-09-30 22:13:01 +00:00			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`kind: ServiceAccount`
			`apiVersion: v1`
			`metadata:`
			`name: linkerd-proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`namespace: {{ .Release.Namespace }}`
make charts 2021-09-30 22:13:01 +00:00			`labels:`
			`linkerd.io/control-plane-component: proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`linkerd.io/control-plane-ns: {{.Release.Namespace}}`
			`{{- with .Values.commonLabels }}{{ toYaml . \| trim \| nindent 4 }}{{- end }}`
make charts 2021-09-30 22:13:01 +00:00			`{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}`
			`---`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`{{- $host := printf "linkerd-proxy-injector.%s.svc" .Release.Namespace }}`
make charts 2021-09-30 22:13:01 +00:00			`{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}`
			`{{- if (not .Values.proxyInjector.externalSecret) }}`
			`kind: Secret`
			`apiVersion: v1`
			`metadata:`
			`name: linkerd-proxy-injector-k8s-tls`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`namespace: {{ .Release.Namespace }}`
make charts 2021-09-30 22:13:01 +00:00			`labels:`
			`linkerd.io/control-plane-component: proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`linkerd.io/control-plane-ns: {{.Release.Namespace}}`
			`{{- with .Values.commonLabels }}{{ toYaml . \| trim \| nindent 4 }}{{- end }}`
make charts 2021-09-30 22:13:01 +00:00			`annotations:`
			`{{ include "partials.annotations.created-by" . }}`
			`type: kubernetes.io/tls`
			`data:`
			`tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }}`
			`tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }}`
			`---`
			`{{- end }}`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`{{- include "linkerd.webhook.validation" .Values.proxyInjector }}`
make charts 2021-09-30 22:13:01 +00:00			`apiVersion: admissionregistration.k8s.io/v1`
			`kind: MutatingWebhookConfiguration`
			`metadata:`
			`name: linkerd-proxy-injector-webhook-config`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`{{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }}`
			`annotations:`
			`{{- if .Values.proxyInjector.injectCaFrom }}`
			`cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }}`
			`{{- end }}`
			`{{- if .Values.proxyInjector.injectCaFromSecret }}`
			`cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }}`
			`{{- end }}`
			`{{- end }}`
make charts 2021-09-30 22:13:01 +00:00			`labels:`
			`linkerd.io/control-plane-component: proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`linkerd.io/control-plane-ns: {{.Release.Namespace}}`
			`{{- with .Values.commonLabels }}{{ toYaml . \| trim \| nindent 4 }}{{- end }}`
make charts 2021-09-30 22:13:01 +00:00			`webhooks:`
			`- name: linkerd-proxy-injector.linkerd.io`
			`namespaceSelector:`
			`{{- toYaml .Values.proxyInjector.namespaceSelector \| trim \| nindent 4 }}`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`objectSelector:`
			`{{- toYaml .Values.proxyInjector.objectSelector \| trim \| nindent 4 }}`
make charts 2021-09-30 22:13:01 +00:00			`clientConfig:`
			`service:`
			`name: linkerd-proxy-injector`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`namespace: {{ .Release.Namespace }}`
make charts 2021-09-30 22:13:01 +00:00			`path: "/"`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`{{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }}`
make charts 2021-09-30 22:13:01 +00:00			`caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }}`
Migrating linkerd to new workflow; removing outdated linkerd2 chart 2023-07-07 15:40:48 +00:00			`{{- end }}`
make charts 2021-09-30 22:13:01 +00:00			`failurePolicy: {{.Values.webhookFailurePolicy}}`
			`admissionReviewVersions: ["v1", "v1beta1"]`
			`rules:`
			`- operations: [ "CREATE" ]`
			`apiGroups: [""]`
			`apiVersions: ["v1"]`
			`resources: ["pods", "services"]`
Charts CI (#996) 2024-04-03 19:02:06 +00:00			`scope: "Namespaced"`
make charts 2021-09-30 22:13:01 +00:00			`sideEffects: None`
[AUTOMATED] Auto-update charts on main-source (#990) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> 2024-03-15 16:19:45 +00:00			`timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds \| default 10 }}`