225 lines
8.1 KiB
YAML
225 lines
8.1 KiB
YAML
|
{{if .Values.identity -}}
|
||
|
---
|
||
|
###
|
||
|
### Identity Controller Service
|
||
|
###
|
||
|
{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}}
|
||
|
---
|
||
|
kind: Secret
|
||
|
apiVersion: v1
|
||
|
metadata:
|
||
|
name: linkerd-identity-issuer
|
||
|
namespace: {{.Values.namespace}}
|
||
|
labels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
annotations:
|
||
|
{{ include "partials.annotations.created-by" . }}
|
||
|
linkerd.io/identity-issuer-expiry: {{required "Please provide the identity issuer certificate expiry date" .Values.identity.issuer.crtExpiry}}
|
||
|
data:
|
||
|
crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}}
|
||
|
key.pem: {{b64enc (required "Please provide the identity issue private key" .Values.identity.issuer.tls.keyPEM | trim)}}
|
||
|
{{- end}}
|
||
|
{{ if not (.Values.identity.externalCA) -}}
|
||
|
---
|
||
|
kind: ConfigMap
|
||
|
apiVersion: v1
|
||
|
metadata:
|
||
|
name: linkerd-identity-trust-roots
|
||
|
namespace: {{.Values.namespace}}
|
||
|
labels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
annotations:
|
||
|
{{ include "partials.annotations.created-by" . }}
|
||
|
data:
|
||
|
ca-bundle.crt: |{{.Values.identityTrustAnchorsPEM | trim | nindent 4}}
|
||
|
{{- end}}
|
||
|
---
|
||
|
kind: Service
|
||
|
apiVersion: v1
|
||
|
metadata:
|
||
|
name: linkerd-identity
|
||
|
namespace: {{.Values.namespace}}
|
||
|
labels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
annotations:
|
||
|
{{ include "partials.annotations.created-by" . }}
|
||
|
spec:
|
||
|
type: ClusterIP
|
||
|
selector:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
ports:
|
||
|
- name: grpc
|
||
|
port: 8080
|
||
|
targetPort: 8080
|
||
|
---
|
||
|
kind: Service
|
||
|
apiVersion: v1
|
||
|
metadata:
|
||
|
name: linkerd-identity-headless
|
||
|
namespace: {{.Values.namespace}}
|
||
|
labels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
annotations:
|
||
|
{{ include "partials.annotations.created-by" . }}
|
||
|
spec:
|
||
|
clusterIP: None
|
||
|
selector:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
ports:
|
||
|
- name: grpc
|
||
|
port: 8080
|
||
|
targetPort: 8080
|
||
|
{{- if .Values.enablePodAntiAffinity }}
|
||
|
---
|
||
|
kind: PodDisruptionBudget
|
||
|
apiVersion: policy/v1beta1
|
||
|
metadata:
|
||
|
name: linkerd-identity
|
||
|
namespace: {{.Values.namespace}}
|
||
|
labels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
annotations:
|
||
|
{{ include "partials.annotations.created-by" . }}
|
||
|
spec:
|
||
|
maxUnavailable: 1
|
||
|
selector:
|
||
|
matchLabels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
{{- end }}
|
||
|
---
|
||
|
{{- $tree := deepCopy . }}
|
||
|
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
|
||
|
{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}}
|
||
|
{{ include "linkerd.proxy.validation" .Values.proxy -}}
|
||
|
apiVersion: apps/v1
|
||
|
kind: Deployment
|
||
|
metadata:
|
||
|
annotations:
|
||
|
{{ include "partials.annotations.created-by" . }}
|
||
|
labels:
|
||
|
app.kubernetes.io/name: identity
|
||
|
app.kubernetes.io/part-of: Linkerd
|
||
|
app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}}
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
name: linkerd-identity
|
||
|
namespace: {{.Values.namespace}}
|
||
|
spec:
|
||
|
replicas: {{.Values.controllerReplicas}}
|
||
|
selector:
|
||
|
matchLabels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
{{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
|
||
|
{{- if .Values.enablePodAntiAffinity }}
|
||
|
strategy:
|
||
|
rollingUpdate:
|
||
|
maxUnavailable: 1
|
||
|
{{- end }}
|
||
|
template:
|
||
|
metadata:
|
||
|
annotations:
|
||
|
{{ include "partials.annotations.created-by" . }}
|
||
|
{{- include "partials.proxy.annotations" . | nindent 8}}
|
||
|
{{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
|
||
|
config.linkerd.io/default-inbound-policy: "all-unauthenticated"
|
||
|
labels:
|
||
|
linkerd.io/control-plane-component: identity
|
||
|
linkerd.io/control-plane-ns: {{.Values.namespace}}
|
||
|
linkerd.io/workload-ns: {{.Values.namespace}}
|
||
|
{{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
|
||
|
{{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
|
||
|
spec:
|
||
|
{{- if .Values.tolerations -}}
|
||
|
{{- include "linkerd.tolerations" . | nindent 6 }}
|
||
|
{{- end -}}
|
||
|
{{- include "linkerd.node-selector" . | nindent 6 }}
|
||
|
{{- if .Values.enablePodAntiAffinity -}}
|
||
|
{{- $local := dict "component" "identity" -}}
|
||
|
{{- include "linkerd.pod-affinity" $local | nindent 6 -}}
|
||
|
{{- end }}
|
||
|
containers:
|
||
|
- args:
|
||
|
- identity
|
||
|
- -log-level={{.Values.controllerLogLevel}}
|
||
|
- -log-format={{.Values.controllerLogFormat}}
|
||
|
- -controller-namespace={{.Values.namespace}}
|
||
|
- -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
|
||
|
- -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}}
|
||
|
- -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}}
|
||
|
- -identity-scheme={{.Values.identity.issuer.scheme}}
|
||
|
{{- include "partials.linkerd.trace" . | nindent 8 -}}
|
||
|
env:
|
||
|
- name: LINKERD_DISABLED
|
||
|
value: "linkerd-await cannot block the identity controller"
|
||
|
image: {{.Values.controllerImage}}:{{default .Values.linkerdVersion .Values.controllerImageVersion}}
|
||
|
imagePullPolicy: {{.Values.imagePullPolicy}}
|
||
|
livenessProbe:
|
||
|
httpGet:
|
||
|
path: /ping
|
||
|
port: 9990
|
||
|
initialDelaySeconds: 10
|
||
|
name: identity
|
||
|
ports:
|
||
|
- containerPort: 8080
|
||
|
name: grpc
|
||
|
- containerPort: 9990
|
||
|
name: admin-http
|
||
|
readinessProbe:
|
||
|
failureThreshold: 7
|
||
|
httpGet:
|
||
|
path: /ready
|
||
|
port: 9990
|
||
|
{{- if .Values.identityResources -}}
|
||
|
{{- include "partials.resources" .Values.identityResources | nindent 8 }}
|
||
|
{{- end }}
|
||
|
securityContext:
|
||
|
runAsUser: {{.Values.controllerUID}}
|
||
|
volumeMounts:
|
||
|
- mountPath: /var/run/linkerd/identity/issuer
|
||
|
name: identity-issuer
|
||
|
- mountPath: /var/run/linkerd/identity/trust-roots/
|
||
|
name: trust-roots
|
||
|
{{- if not (empty .Values.identityProxyResources) }}
|
||
|
{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }}
|
||
|
{{- $_ := set $tree.Values.proxy "resources" $r }}
|
||
|
{{- end }}
|
||
|
{{- $_ := set $tree.Values.proxy "await" false }}
|
||
|
{{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
|
||
|
{{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
|
||
|
{{- /*
|
||
|
The identity controller cannot discover policies, so we configure it with defaults that
|
||
|
enforce TLS on the identity service.
|
||
|
*/}}
|
||
|
{{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "cluster-unauthenticated" }}
|
||
|
{{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
|
||
|
- {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
|
||
|
{{ if not .Values.cniEnabled -}}
|
||
|
initContainers:
|
||
|
{{- /*
|
||
|
The identity controller needs to connect to the Kubernetes API before the proxy is able to
|
||
|
proxy requests, so we always skip these connections. The identity controller makes no other
|
||
|
outbound connections (so it's not important to persist any other skip ports here)
|
||
|
*/}}
|
||
|
{{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" "443" }}
|
||
|
- {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
|
||
|
{{ end -}}
|
||
|
serviceAccountName: linkerd-identity
|
||
|
volumes:
|
||
|
- name: identity-issuer
|
||
|
secret:
|
||
|
secretName: linkerd-identity-issuer
|
||
|
- configMap:
|
||
|
name: linkerd-identity-trust-roots
|
||
|
name: trust-roots
|
||
|
{{ if not .Values.cniEnabled -}}
|
||
|
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||
|
{{ end -}}
|
||
|
- {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||
|
{{end -}}
|