# -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.
shutdownGracePeriod:""
# -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated",
# -- Variant of iptables that will be used to configure routing. Currently,
# proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will
# control which utility binary will be called. The host must support
# whichever mode will be used
iptablesMode:"legacy"
# -- Default set of inbound ports to skip via iptables. Traffic on these ports
# is never redirected to the proxy, so it receives no mTLS and no Linkerd
# authorization policy; keep the list to protocols the proxy cannot carry.
# - Galera (4567,4568)
ignoreInboundPorts:"4567,4568"
# -- Default set of outbound ports to skip via iptables. Connections to these
# ports leave the pod without passing through the proxy, so they are sent in
# the clear (no mTLS) and are invisible to mesh policy and metrics.
# - Galera (4567,4568)
ignoreOutboundPorts:"4567,4568"
# -- Default set of ports to skip via iptables for control plane
# components so they can communicate with the Kubernetes API Server
kubeAPIServerPorts:"443,6443"
# -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy.
# Like the skipped ports above, traffic to or from these subnets bypasses the proxy
# entirely (no mTLS, no policy), so the list should be kept as narrow as possible.
skipSubnets:""
# -- Log level for the proxy-init
# @default -- info
logLevel:""
# -- Log format (`plain` or `json`) for the proxy-init
# @default -- plain
logFormat:""
image:
# -- Docker image for the proxy-init container
name:cr.l5d.io/linkerd/proxy-init
# -- Pull policy for the proxy-init container Docker image
# @default -- imagePullPolicy
pullPolicy:""
# -- Tag for the proxy-init container Docker image
version:v2.2.1
resources:
cpu:
# -- Maximum amount of CPU units that the proxy-init container can use
limit:100m
# -- Amount of CPU units that the proxy-init container requests
request:100m
memory:
# -- Maximum amount of memory that the proxy-init container can use
limit:20Mi
# -- Amount of memory that the proxy-init container requests
request:20Mi
ephemeral-storage:
# -- Maximum amount of ephemeral storage that the proxy-init container can use
limit:""
# -- Amount of ephemeral storage that the proxy-init container requests
request:""
closeWaitTimeoutSecs:0
# -- Privileged mode allows the container processes to inherit all security
# capabilities and bypass any security limitations enforced by the kubelet.
# When used with 'runAsRoot: true', the container will behave exactly as if
# it was running as root on the host. May escape cgroup limits and see other
# processes and devices on the host.
# @default -- false
privileged:false
# -- Run proxy-init as root (UID 0) instead of `runAsUser`, overriding the default
# runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>). Leave
# this false unless the non-root init container is unable to apply iptables rules on
# your nodes; enabling it widens the blast radius of a compromised init container.
runAsRoot:false
# -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0
runAsUser:65534
xtMountPath:
mountPath:/run
name:linkerd-proxy-init-xtables-lock
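# network validator configuration
# The network-validator runs in pods where proxy-init has installed iptables
# rules. It verifies that those rules actually redirect traffic before linkerd
# starts, so that a pod never runs with a missing or half-applied redirect
# (which would silently send traffic around the proxy, outside mTLS and policy).
networkValidator:
  # -- Log level for the network-validator
  # @default -- debug
  logLevel: debug
  # -- Log format (`plain` or `json`) for network-validator
  # @default -- plain
  logFormat: plain
  # -- Address the validator dials. The iptables rules are expected to rewrite
  # this connection to `listenAddr`; if it is not rewritten, the redirect is
  # not in place and validation fails. The address itself is never meant to be
  # reached, so it does not have to be routable from the pod.
  connectAddr: "1.1.1.1:20001"
  # -- Address on which the validator listens for the (redirected) connection it
  # makes to itself. Binds all interfaces (0.0.0.0) on the chosen port.
  listenAddr: "0.0.0.0:4140"
  # -- Time to wait for the redirected connection before the validator gives up
  # and reports the pod's network connectivity as invalid.
  timeout: "10s"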
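# -- For private Docker registries, authentication is needed.
# Registry secrets are applied to the respective service accounts
imagePullSecrets: []
# - name: my-private-docker-registry-login-secret
# -- Allow proxies to perform transparent HTTP/2 upgrading
enableH2Upgrade: true
# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note
# PSP has been deprecated since k8s v1.21 and removed in v1.25; on clusters
# without PSP leave this false and use Pod Security Admission (or another
# policy controller) instead.
enablePSP: false
# -- Failure policy for the proxy injector admission webhook (`Ignore` or `Fail`).
# With `Ignore` the API server admits pods even when the injector cannot be
# reached, so those pods start WITHOUT a proxy and sit outside the mesh's mTLS
# and authorization policy until they are recreated. `Fail` closes that gap but
# blocks pod creation in selected namespaces while the injector is down, so it
# is normally paired with more than one injector replica.
webhookFailurePolicy: Ignore
# controllerImage -- Docker image for the destination and identity components
controllerImage: cr.l5d.io/linkerd/controller
# -- Number of replicas for each control plane pod
controllerReplicas: 1
# -- User ID for the control plane components (non-root)
controllerUID: 2103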
# destination configuration
# set resources for the destination controller and its linkerd proxy respectively
# see proxy.resources for details.
# destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields)
#destinationResources:
#destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy
# injected into destination pod (see `proxy.resources` for sub-fields)
#destinationProxyResources:
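# debug configuration
# Image settings for the debug container. `pullPolicy` and `version` default
# to the chart-wide `imagePullPolicy` and `linkerdVersion` when left empty.
debugContainer:
  image:
    # -- Docker image for the debug container
    name: cr.l5d.io/linkerd/debug
    # -- Pull policy for the debug container Docker image
    # @default -- imagePullPolicy
    pullPolicy: ""
    # -- Tag for the debug container Docker image
    # @default -- linkerdVersion
    version: ""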
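# identity configuration
identity:
  # -- Set to true if the `linkerd-identity-trust-roots` ConfigMap (the trust
  # anchor bundle) is managed outside this chart and has already been created,
  # so the chart does not create it.
  externalCA: false
  # -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token
  serviceAccountTokenProjection: true
  issuer:
    # -- Which scheme is used for the identity issuer secret format.
    # With `linkerd.io/tls` the issuer certificate and key are taken from
    # `tls.crtPEM` / `tls.keyPEM` below. An issuer managed by an external tool
    # (e.g. cert-manager) uses the standard `kubernetes.io/tls` Secret type
    # instead, which keeps the private key out of Helm values entirely.
    scheme: linkerd.io/tls
    # -- Amount of time to allow for clock skew within a Linkerd cluster
    clockSkewAllowance: 20s
    # -- Amount of time for which the Identity issuer should certify identity.
    # A shorter lifetime bounds how long a leaked proxy certificate remains
    # usable; it should stay well within the issuer certificate's own validity.
    issuanceLifetime: 24h0m0s
    tls:
      # -- Issuer certificate (ECDSA). It must be provided during install.
      crtPEM: |
      # -- Key for the issuer certificate (ECDSA). It must be provided during
      # install. This private key signs every workload identity in the mesh:
      # whoever holds it can mint a certificate for any service. Do not commit
      # it to a values file in source control; supply it at install time
      # (e.g. `--set-file`) or use an externally managed issuer.
      keyPEM: |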
# -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields)
#identityResources:
# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields)
#identityProxyResources:
# heartbeat configuration
# disableHeartBeat -- Set to true to not start the heartbeat cronjob
disableHeartBeat:false
# -- Config for the heartbeat cronjob
# heartbeatSchedule: "0 0 * * *"
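# proxy injector configuration
proxyInjector:
  # -- Do not create a secret resource for the proxyInjector webhook.
  # If this is set to `true`, the value `proxyInjector.caBundle` must be set
  # or the ca bundle must be injected with the cert-manager ca injector using
  # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below).
  externalSecret: false
  # -- Namespace selector used by admission webhook. Namespaces excluded here
  # (those labelled `config.linkerd.io/admission-webhooks=disabled`, plus
  # `kube-system` and `cert-manager`) are never seen by the injector, so pods
  # in them always run unmeshed.
  namespaceSelector:
    matchExpressions:
      - key: config.linkerd.io/admission-webhooks
        operator: NotIn
        values:
          - disabled
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values:
          - kube-system
          - cert-manager
  # -- Object selector used by admission webhook. Control plane and CNI pods
  # are excluded from injection.
  objectSelector:
    matchExpressions:
      - key: linkerd.io/control-plane-component
        operator: DoesNotExist
      - key: linkerd.io/cni-resource
        operator: DoesNotExist
  # -- Certificate for the proxy injector. If not provided and not using an external secret
  # then Helm will generate one.
  crtPEM: |
  # -- Certificate key for the proxy injector. If not provided and not using an external secret
  # then Helm will generate one.
  keyPEM: |
  # -- Bundle of CA certificates for proxy injector.
  # The API server uses this bundle to verify the webhook's serving certificate,
  # so it must chain to `proxyInjector.crtPEM` (or the externally managed cert).
  # A mismatch makes every admission call fail TLS verification, and what happens
  # next is decided by `webhookFailurePolicy`.
  # If not provided nor injected with cert-manager,
  # then Helm will use the certificate generated for `proxyInjector.crtPEM`.
  # If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or
  # injectCaFromSecret must be set, as no certificate will be generated.
  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
  caBundle: |
  # -- Inject the CA bundle from a cert-manager Certificate.
  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
  # for more information.
  injectCaFrom: ""
  # -- Inject the CA bundle from a Secret.
  # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
  # The Secret must have the CA Bundle stored in the `ca.crt` key and have
  # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
  # for more information.
  injectCaFromSecret: ""
# -|- CPU, Memory and Ephemeral Storage resources required by the proxy injector (see
# `proxy.resources` for sub-fields)
#proxyInjectorResources:
# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into the proxy injector
# pod (see `proxy.resources` for sub-fields)
#proxyInjectorProxyResources: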
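# service profile validator configuration
profileValidator:
  # -- Do not create a secret resource for the profileValidator webhook.
  # If this is set to `true`, the value `profileValidator.caBundle` must be set
  # or the ca bundle must be injected with the cert-manager ca injector using
  # `profileValidator.injectCaFrom` or `profileValidator.injectCaFromSecret` (see below).
  externalSecret: false
  # -- Namespace selector used by admission webhook. Namespaces labelled
  # `config.linkerd.io/admission-webhooks=disabled` skip ServiceProfile validation.
  namespaceSelector:
    matchExpressions:
      - key: config.linkerd.io/admission-webhooks
        operator: NotIn
        values:
          - disabled
  # -- Certificate for the service profile validator. If not provided and not using an external secret
  # then Helm will generate one.
  crtPEM: |
  # -- Certificate key for the service profile validator. If not provided and not using an external secret
  # then Helm will generate one.
  keyPEM: |
  # -- Bundle of CA certificates for the service profile validator.
  # The API server uses it to verify the webhook's serving certificate, so it
  # must chain to `profileValidator.crtPEM` (or the externally managed cert).
  # If not provided nor injected with cert-manager,
  # then Helm will use the certificate generated for `profileValidator.crtPEM`.
  # If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or
  # injectCaFromSecret must be set, as no certificate will be generated.
  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
  caBundle: |
  # -- Inject the CA bundle from a cert-manager Certificate.
  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
  # for more information.
  injectCaFrom: ""
  # -- Inject the CA bundle from a Secret.
  # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
  # The Secret must have the CA Bundle stored in the `ca.crt` key and have
  # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
  # for more information.
  injectCaFromSecret: ""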
# policy validator configuration
policyValidator:
# -- Do not create a secret resource for the policyValidator webhook.
# If this is set to `true`, the value `policyValidator.caBundle` must be set
# or the ca bundle must be injected with the cert-manager ca injector using
# `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below).
externalSecret:false
# -- Namespace selector used by admission webhook
namespaceSelector:
matchExpressions:
- key:config.linkerd.io/admission-webhooks
operator:NotIn
values:
- disabled
# -- Certificate for the policy validator. If not provided and not using an external secret
# then Helm will generate one.
crtPEM:|
# -- Certificate key for the policy validator. If not provided and not using an external secret
# then Helm will generate one.
keyPEM:|
# -- Bundle of CA certificates for the policy validator. The API server uses it to
# verify the webhook's serving certificate, so it must chain to `policyValidator.crtPEM`.
# If not provided nor injected with cert-manager,
# then Helm will use the certificate generated for `policyValidator.crtPEM`.
# If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or
# injectCaFromSecret must be set, as no certificate will be generated.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
caBundle:|
# -- Inject the CA bundle from a cert-manager Certificate.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
# for more information.
injectCaFrom:""
# -- Inject the CA bundle from a Secret.
# If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
# The Secret must have the CA Bundle stored in the `ca.crt` key and have
# the `cert-manager.io/allow-direct-injection` annotation set to `true`.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)