andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/linkerd/linkerd2/values.yaml

371 lines
13 KiB
YAML
Raw Normal View History

make charts
2021-09-30 22:13:01 +00:00
# Default values for linkerd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Kubernetes DNS Domain name to use
clusterDomain: cluster.local
# -- The cluster networks for which service discovery is performed. This should
# include the pod and service networks, but need not include the node network.
#
# By default, all private networks are specified so that resolution works in
# typical Kubernetes environments.
clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
# -- Docker image pull policy
imagePullPolicy: IfNotPresent
# -- Log level for the control plane components
controllerLogLevel: info
# -- Log format for the control plane components
controllerLogFormat: plain
# -- enables control plane tracing
controlPlaneTracing: false
# -- namespace to send control plane traces to
controlPlaneTracingNamespace: linkerd-jaeger
# -- control plane version. See Proxy section for proxy version
linkerdVersion: stable-2.11.0
# -- Control plane namespace
namespace: linkerd
# -- enables the use of EndpointSlice informers for the destination service;
# enableEndpointSlices should be set to true only if EndpointSlice K8s feature
# gate is on; the feature is still experimental.
enableEndpointSlices: false
# -- enabling this omits the NET_ADMIN capability in the PSP
# and the proxy-init container when injecting the proxy;
# requires the linkerd-cni plugin to already be installed
cniEnabled: false
# -- Trust root certificate (ECDSA). It must be provided during install.
identityTrustAnchorsPEM: |
# -- Trust domain used for identity
# @default -- clusterDomain
identityTrustDomain: ""
# -- Additional annotations to add to all pods
podAnnotations: {}
# -- Additional labels to add to all pods
podLabels: {}
# policy controller configuration
policyController:
# image -- Docker image for the policy controller
image:
# -- Docker image for the proxy
name: cr.l5d.io/linkerd/policy-controller
# -- Pull policy for the proxy container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy container Docker image
# @default -- linkerdVersion
version: ""
# -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated",
# "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"
# @default -- "all-unauthenticated"
defaultAllowPolicy: "all-unauthenticated"
# -- Log level for the policy controller
logLevel: linkerd=info,warn
# -- policy controller resource requests & limits
# @default -- destinationResources
resources:
cpu:
# -- Maximum amount of CPU units that the policy controller can use
limit: ""
# -- Amount of CPU units that the policy controller requests
request: ""
memory:
# -- Maximum amount of memory that the policy controller can use
limit: ""
# -- Maximum amount of memory that the policy controller requests
request: ""
# proxy configuration
proxy:
# -- Enable service profiles for non-Kubernetes services
enableExternalProfiles: false
# -- Maximum time allowed for the proxy to establish an outbound TCP
# connection
outboundConnectTimeout: 1000ms
# -- Maximum time allowed for the proxy to establish an inbound TCP
# connection
inboundConnectTimeout: 100ms
image:
# -- Docker image for the proxy
name: cr.l5d.io/linkerd/proxy
# -- Pull policy for the proxy container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy container Docker image
# @default -- linkerdVersion
version: ""
# -- Log level for the proxy
logLevel: warn,linkerd=info
# -- Log format (`plain` or `json`) for the proxy
logFormat: plain
ports:
# -- Admin port for the proxy container
admin: 4191
# -- Control port for the proxy container
control: 4190
# -- Inbound port for the proxy container
inbound: 4143
# -- Outbound port for the proxy container
outbound: 4140
# -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores`
# must be an integer and should typically be set by rounding up from the
# limit. E.g. if cpu.limit is '1500m', cores should be 2.
cores: 0
resources:
cpu:
# -- Maximum amount of CPU units that the proxy can use
limit: ""
# -- Amount of CPU units that the proxy requests
request: ""
memory:
# -- Maximum amount of memory that the proxy can use
limit: ""
# -- Maximum amount of memory that the proxy requests
request: ""
# -- User id under which the proxy runs
uid: 2102
# -- If set the proxy sidecar will stay alive for at
# least the given period before receiving SIGTERM signal from Kubernetes but
# no longer than pod's `terminationGracePeriodSeconds`. See [Lifecycle
# hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks)
# for more info on container lifecycle hooks.
waitBeforeExitSeconds: 0
# -- If set, the application container will not start until the proxy is
# ready
await: true
requireIdentityOnInboundPorts: ""
# -- Default set of opaque ports
# - SMTP (25,587) server-first
# - MYSQL (3306) server-first
# - Galera (4444) server-first
# - PostgreSQL (5432) server-first
# - Redis (6379) server-first
# - ElasticSearch (9300) server-first
# - Memcached (11211) clients do not issue any preamble, which breaks detection
opaquePorts: "25,587,3306,4444,5432,6379,9300,11211"
# proxy-init configuration
proxyInit:
# -- Default set of inbound ports to skip via iptables
# - Galera (4567,4568)
ignoreInboundPorts: "4567,4568"
# -- Default set of outbound ports to skip via iptables
# - Galera (4567,4568)
ignoreOutboundPorts: "4567,4568"
image:
# -- Docker image for the proxy-init container
name: cr.l5d.io/linkerd/proxy-init
# -- Pull policy for the proxy-init container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy-init container Docker image
version: v1.4.0
resources:
cpu:
# -- Maximum amount of CPU units that the proxy-init container can use
limit: 100m
# -- Amount of CPU units that the proxy-init container requests
request: 10m
memory:
# -- Maximum amount of memory that the proxy-init container can use
limit: 50Mi
# -- Amount of memory that the proxy-init container requests
request: 10Mi
closeWaitTimeoutSecs: 0
xtMountPath:
mountPath: /run
name: linkerd-proxy-init-xtables-lock
# -- For Private docker registries, authentication is needed.
# Registry secrets are applied to the respective service accounts
imagePullSecrets: []
# - name: my-private-docker-registry-login-secret
# -- Allow proxies to perform transparent HTTP/2 upgrading
enableH2Upgrade: true
# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note
# PSP has been deprecated since k8s v1.21
enablePSP: false
# -- Failure policy for the proxy injector
webhookFailurePolicy: Ignore
# controllerImage -- Docker image for the destination and identity components
controllerImage: cr.l5d.io/linkerd/controller
# -- Number of replicas for each control plane pod
controllerReplicas: 1
# -- User ID for the control plane components
controllerUID: 2103
# destination configuration
# set resources for the sp-validator and its linkerd proxy respectively
# see proxy.resources for details.
# destinationResources -- CPU and Memory resources required by destination (see `proxy.resources` for sub-fields)
#destinationResources:
#destinationProxyResources -- CPU and Memory resources required by proxy
# injected into destination pod (see `proxy.resources` for sub-fields)
#destinationProxyResources:
# debug configuration
debugContainer:
image:
# -- Docker image for the debug container
name: cr.l5d.io/linkerd/debug
# -- Pull policy for the debug container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the debug container Docker image
# @default -- linkerdVersion
version: ""
identity:
# -- If the linkerd-identity-trust-roots ConfigMap has already been created
externalCA: false
issuer:
scheme: linkerd.io/tls
# -- Amount of time to allow for clock skew within a Linkerd cluster
clockSkewAllowance: 20s
# -- Expiration timestamp for the issuer certificate. It must be provided during install. Must match the expiry date in crtPEM
crtExpiry:
# -- Amount of time for which the Identity issuer should certify identity
issuanceLifetime: 24h0m0s
# -- Which scheme is used for the identity issuer secret format
tls:
# -- Issuer certificate (ECDSA). It must be provided during install.
crtPEM: |
# -- Key for the issuer certificate (ECDSA). It must be provided during
# install
keyPEM: |
# -|- CPU and Memory resources required by the identity controller (see `proxy.resources` for sub-fields)
#identityResources:
# -|- CPU and Memory resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields)
#identityProxyResources:
# heartbeat configuration
# disableHeartBeat -- Set to true to not start the heartbeat cronjob
disableHeartBeat: false
# -- Config for the heartbeat cronjob
# heartbeatSchedule: "0 0 * * *"
# proxy injector configuration
proxyInjector:
# -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below)
externalSecret: false
# -- Namespace selector used by admission webhook. If not set defaults to all
# namespaces without the annotation
# config.linkerd.io/admission-webhooks=disabled
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
# -- Certificate for the proxy injector. If not provided then Helm will generate one.
crtPEM: |
# -- Certificate key for the proxy injector. If not provided then Helm will generate one.
keyPEM: |
# -- Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated.
caBundle: |
# -|- CPU and Memory resources required by the proxy injector (see
#`proxy.resources` for sub-fields)
#proxyInjectorResources:
#-|- CPU and Memory resources required by proxy injected into the proxy injector
#pod (see `proxy.resources` for sub-fields)
#proxyInjectorProxyResources:
# service profile validator configuration
profileValidator:
# -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below).
externalSecret: false
# -- Namespace selector used by admission webhook
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
# -- Certificate for the service profile validator. If not provided then Helm
# will generate one.
crtPEM: |
# -- Certificate key for the service profile validator. If not provided then
# Helm will generate one.
keyPEM: |
# -- Bundle of CA certificates for service profile validator. If not provided
# then Helm will use the certificate generated for `profileValidator.crtPEM`.
# If `profileValidator.externalSecret` is set to true, this value must be set,
# as no certificate will be generated.
caBundle: |
# policy validator configuration
policyValidator:
# -- Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set (see below).
externalSecret: false
# -- Namespace selector used by admission webhook
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
# -- Certificate for the policy validator. If not provided then Helm
# will generate one.
crtPEM: |
# -- Certificate key for the policy validator. If not provided then
# Helm will generate one.
keyPEM: |
# -- Bundle of CA certificates for policy validator. If not provided
# then Helm will use the certificate generated for `policyValidator.crtPEM`.
# If `policyValidator.externalSecret` is set to true, this value must be set,
# as no certificate will be generated.
caBundle: |
# -|- CPU and Memory resources required by the SP validator (see
#`proxy.resources` for sub-fields)
#spValidatorResources:
# If the namespace is controlled by an external tool or can't be installed with Helm
# you can disable its installation. In this case:
# - The namespace created by the external tool must match the namespace value above
# - The external tool needs to create the namespace with the label:
# config.linkerd.io/admission-webhooks: disabled
# installNamespace -- Set to false when installing Linkerd in a custom namespace. See the
# [Linkerd documentation](https://linkerd.io/2/tasks/install-helm#customizing-the-namespace) for more information.
installNamespace: true
# -- NodeSelector section, See the [K8S
# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
# for more information
nodeSelector:
beta.kubernetes.io/os: linux
# -|- Tolerations section, See the
# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
# for more information
#tolerations: