Added chart versions:

buoyant/linkerd-control-plane:
    - 2024.11.3
  buoyant/linkerd-crds:
    - 2024.11.3
  instana/instana-agent:
    - 2.0.2
  percona/psmdb-db:
    - 1.18.0
  percona/psmdb-operator:
    - 1.18.0
  redpanda/redpanda:
    - 5.9.10

charts/buoyant/linkerd-control-plane/2024.11.2/Chart.yaml

@@ -2,7 +2,6 @@ annotations:
   catalog.cattle.io/auto-install: linkerd-crds
   catalog.cattle.io/certified: partner
   catalog.cattle.io/display-name: Linkerd Control Plane
-  catalog.cattle.io/featured: "5"
   catalog.cattle.io/kube-version: '>=1.22.0-0'
   catalog.cattle.io/release-name: linkerd-control-plane
 apiVersion: v2

charts/buoyant/linkerd-control-plane/2024.11.3/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+OWNERS
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/buoyant/linkerd-control-plane/2024.11.3/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: partials
+  repository: file://../partials
+  version: 0.1.0
+digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba
+generated: "2021-12-06T11:42:50.784240359-05:00"

charts/buoyant/linkerd-control-plane/2024.11.3/Chart.yaml

@@ -0,0 +1,29 @@
+annotations:
+  catalog.cattle.io/auto-install: linkerd-crds
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Linkerd Control Plane
+  catalog.cattle.io/featured: "5"
+  catalog.cattle.io/kube-version: '>=1.22.0-0'
+  catalog.cattle.io/release-name: linkerd-control-plane
+apiVersion: v2
+appVersion: edge-24.11.3
+dependencies:
+- name: partials
+  repository: file://../partials
+  version: 0.1.0
+description: 'Linkerd gives you observability, reliability, and security for your
+  microservices — with no code change required. '
+home: https://linkerd.io
+icon: file://assets/icons/linkerd-control-plane.png
+keywords:
+- service-mesh
+kubeVersion: '>=1.22.0-0'
+maintainers:
+- email: cncf-linkerd-dev@lists.cncf.io
+  name: Linkerd authors
+  url: https://linkerd.io/
+name: linkerd-control-plane
+sources:
+- https://github.com/linkerd/linkerd2/
+type: application
+version: 2024.11.3

charts/buoyant/linkerd-control-plane/2024.11.3/README.md

@@ -0,0 +1,322 @@
+# linkerd-control-plane
+
+Linkerd gives you observability, reliability, and security
+for your microservices — with no code change required.
+
+![Version: 2024.11.3](https://img.shields.io/badge/Version-2024.11.3-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)
+
+**Homepage:** <https://linkerd.io>
+
+## Quickstart and documentation
+
+You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the
+[Linkerd Getting Started Guide][getting-started] for how.
+
+For more comprehensive documentation, start with the [Linkerd
+docs][linkerd-docs].
+
+## Prerequisite: linkerd-crds chart
+
+Before installing this chart, please install the `linkerd-crds` chart, which
+creates all the CRDs that the components from the current chart require.
+
+## Prerequisite: identity certificates
+
+The identity component of Linkerd requires setting up a trust anchor
+certificate, and an issuer certificate with its key. These need to be provided
+to Helm by the user (unlike when using the `linkerd install` CLI which can
+generate these automatically). You can provide your own, or follow [these
+instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new
+ones.
+
+Alternatively, both trust anchor and identity issuer certificates may be
+derived from in-cluster resources. Existing CA (trust anchor) certificates
+**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`.
+Issuer certificates **must** live in a `Secret` named
+`linkerd-identity-issuer`. Both resources should exist in the control-plane's
+install namespace. In order to use an existing CA, Linkerd needs to be
+installed with `identity.externalCA=true`. To use an existing issuer
+certificate, Linkerd should be installed with
+`identity.issuer.scheme=kubernetes.io/tls`.
+
+A more comprehensive description is in the [automatic certificate rotation
+guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions).
+
+Note that the provided certificates must be ECDSA certificates.
+
+## Adding Linkerd's Helm repository
+
+Included here for completeness-sake, but should have already been added when
+`linkerd-base` was installed.
+
+```bash
+# To add the repo for Linkerd edge releases:
+helm repo add linkerd https://helm.linkerd.io/edge
+```
+
+## Installing the chart
+
+You must provide the certificates and keys described in the preceding section,
+and the same expiration date you used to generate the Issuer certificate.
+
+```bash
+helm install linkerd-control-plane -n linkerd \
+  --set-file identityTrustAnchorsPEM=ca.crt \
+  --set-file identity.issuer.tls.crtPEM=issuer.crt \
+  --set-file identity.issuer.tls.keyPEM=issuer.key \
+  linkerd/linkerd-control-plane
+```
+
+Note that you require to install this chart in the same namespace you installed
+the `linkerd-base` chart.
+
+## Setting High-Availability
+
+Besides the default `values.yaml` file, the chart provides a `values-ha.yaml`
+file that overrides some default values as to set things up under a
+high-availability scenario, analogous to the `--ha` option in `linkerd install`.
+Values such as higher number of replicas, higher memory/cpu limits and
+affinities are specified in that file.
+
+You can get ahold of `values-ha.yaml` by fetching the chart files:
+
+```bash
+helm fetch --untar linkerd/linkerd-control-plane
+```
+
+Then use the `-f` flag to provide the override file, for example:
+
+```bash
+helm install linkerd-control-plane -n linkerd \
+  --set-file identityTrustAnchorsPEM=ca.crt \
+  --set-file identity.issuer.tls.crtPEM=issuer.crt \
+  --set-file identity.issuer.tls.keyPEM=issuer.key \
+  -f linkerd2/values-ha.yaml
+  linkerd/linkerd-control-plane
+```
+
+## Get involved
+
+* Check out Linkerd's source code at [GitHub][linkerd2].
+* Join Linkerd's [user mailing list][linkerd-users], [developer mailing
+  list][linkerd-dev], and [announcements mailing list][linkerd-announce].
+* Follow [@linkerd][twitter] on Twitter.
+* Join the [Linkerd Slack][slack].
+
+[getting-started]: https://linkerd.io/2/getting-started/
+[linkerd2]: https://github.com/linkerd/linkerd2
+[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce
+[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev
+[linkerd-docs]: https://linkerd.io/2/overview/
+[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users
+[slack]: http://slack.linkerd.io
+[twitter]: https://twitter.com/linkerd
+
+## Extensions for Linkerd
+
+The current chart installs the core Linkerd components, which grant you
+reliability and security features. Other functionality is available through
+extensions. Check the corresponding docs for each one of the following
+extensions:
+
+* Observability:
+  [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md)
+* Multicluster:
+  [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md)
+* Tracing:
+  [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md)
+
+## Requirements
+
+Kubernetes: `>=1.22.0-0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../partials | partials | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use |
+| clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"` | The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network.  By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments. |
+| cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed |
+| commonLabels | object | `{}` | Labels to apply to all resources |
+| controlPlaneTracing | bool | `false` | enables control plane tracing |
+| controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to |
+| controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments |
+| controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption |
+| controllerGID | int | `-1` | Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) |
+| controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components |
+| controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. |
+| controllerLogFormat | string | `"plain"` | Log format for the control plane components |
+| controllerLogLevel | string | `"info"` | Log level for the control plane components |
+| controllerReplicas | int | `1` | Number of replicas for each control plane pod |
+| controllerUID | int | `2103` | User ID for the control plane components |
+| debugContainer.image.name | string | `"cr.l5d.io/linkerd/debug"` | Docker image for the debug container |
+| debugContainer.image.pullPolicy | string | imagePullPolicy | Pull policy for the debug container image |
+| debugContainer.image.version | string | linkerdVersion | Tag for the debug container image |
+| deploymentStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}` | default kubernetes deployment strategy |
+| destinationController.livenessProbe.timeoutSeconds | int | `1` |  |
+| destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds | int | `10` |  |
+| destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds | int | `3` |  |
+| destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle | bool | `true` |  |
+| destinationController.readinessProbe.timeoutSeconds | int | `1` |  |
+| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob |
+| disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) |
+| egress.globalEgressNetworkNamespace | string | `"linkerd-egress"` | The namespace that is used to store egress configuration that affects all client workloads in the cluster |
+| enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on |
+| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading |
+| enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 |
+| enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability |
+| enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components |
+| enablePprof | bool | `false` | enables the use of pprof endpoints on control plane component's admin servers |
+| identity.externalCA | bool | `false` | If the linkerd-identity-trust-roots ConfigMap has already been created |
+| identity.issuer.clockSkewAllowance | string | `"20s"` | Amount of time to allow for clock skew within a Linkerd cluster |
+| identity.issuer.issuanceLifetime | string | `"24h0m0s"` | Amount of time for which the Identity issuer should certify identity |
+| identity.issuer.scheme | string | `"linkerd.io/tls"` |  |
+| identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format |
+| identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. |
+| identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install |
+| identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
+| identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
+| identity.livenessProbe.timeoutSeconds | int | `1` |  |
+| identity.readinessProbe.timeoutSeconds | int | `1` |  |
+| identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token |
+| identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. |
+| identityTrustDomain | string | clusterDomain | Trust domain used for identity |
+| imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy |
+| imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed.  Registry secrets are applied to the respective service accounts |
+| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS |
+| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) |
+| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version |
+| networkValidator.connectAddr | string | `""` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. |
+| networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec |
+| networkValidator.listenAddr | string | `""` | Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. |
+| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator |
+| networkValidator.logLevel | string | debug | Log level for the network-validator |
+| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity |
+| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
+| podAnnotations | object | `{}` | Additional annotations to add to all pods |
+| podLabels | object | `{}` | Additional labels to add to all pods |
+| podMonitor.controller.enabled | bool | `true` | Enables the creation of PodMonitor for the control-plane |
+| podMonitor.controller.namespaceSelector | string | `"matchNames:\n  - {{ .Release.Namespace }}\n  - linkerd-viz\n  - linkerd-jaeger\n"` | Selector to select which namespaces the Endpoints objects are discovered from |
+| podMonitor.enabled | bool | `false` | Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) |
+| podMonitor.labels | object | `{}` | Labels to apply to all pod Monitors |
+| podMonitor.proxy.enabled | bool | `true` | Enables the creation of PodMonitor for the data-plane |
+| podMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped |
+| podMonitor.scrapeTimeout | string | `"10s"` | Iimeout after which the scrape is ended |
+| podMonitor.serviceMirror.enabled | bool | `true` | Enables the creation of PodMonitor for the Service Mirror component |
+| policyController.image.name | string | `"cr.l5d.io/linkerd/policy-controller"` | Docker image for the policy controller |
+| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the policy controller container image |
+| policyController.image.version | string | linkerdVersion | Tag for the policy controller container image |
+| policyController.livenessProbe.timeoutSeconds | int | `1` |  |
+| policyController.logLevel | string | `"info"` | Log level for the policy controller |
+| policyController.probeNetworks | list | `["0.0.0.0/0","::/0"]` | The networks from which probes are performed.  By default, all networks are allowed so that all probes are authorized. |
+| policyController.readinessProbe.timeoutSeconds | int | `1` |  |
+| policyController.resources | object | `{"cpu":{"limit":"","request":""},"ephemeral-storage":{"limit":"","request":""},"memory":{"limit":"","request":""}}` | policy controller resource requests & limits |
+| policyController.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the policy controller can use |
+| policyController.resources.cpu.request | string | `""` | Amount of CPU units that the policy controller requests |
+| policyController.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the policy controller can use |
+| policyController.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the policy controller requests |
+| policyController.resources.memory.limit | string | `""` | Maximum amount of memory that the policy controller can use |
+| policyController.resources.memory.request | string | `""` | Maximum amount of memory that the policy controller requests |
+| policyValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `policyValidator.crtPEM`. If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
+| policyValidator.crtPEM | string | `""` | Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one. |
+| policyValidator.externalSecret | bool | `false` | Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). |
+| policyValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. |
+| policyValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
+| policyValidator.keyPEM | string | `""` | Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one. |
+| policyValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook |
+| priorityClassName | string | `""` | Kubernetes priorityClassName for the Linkerd Pods |
+| profileValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
+| profileValidator.crtPEM | string | `""` | Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one. |
+| profileValidator.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). |
+| profileValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. |
+| profileValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
+| profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one. |
+| profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook |
+| prometheusUrl | string | `""` | url of external prometheus instance (used for the heartbeat) |
+| proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready |
+| proxy.control.streams.idleTimeout | string | `"5m"` | The timeout between consecutive updates from the control plane. |
+| proxy.control.streams.initialTimeout | string | `"3s"` | The timeout for the first update from the control plane. |
+| proxy.control.streams.lifetime | string | `"1h"` | The maximum duration for a response stream (i.e. before it will be reinitialized). |
+| proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. |
+| proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod.  One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" |
+| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value |
+| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value |
+| proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services |
+| proxy.enableShutdownEndpoint | bool | `false` | Enables the proxy's /shutdown admin endpoint |
+| proxy.gid | int | `-1` | Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) |
+| proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy |
+| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image |
+| proxy.image.version | string | linkerdVersion | Tag for the proxy container image |
+| proxy.inbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to remote HTTP/2 clients. |
+| proxy.inbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. |
+| proxy.inboundConnectTimeout | string | `"100ms"` | Maximum time allowed for the proxy to establish an inbound TCP connection |
+| proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache |
+| proxy.livenessProbe | object | `{"initialDelaySeconds":10,"timeoutSeconds":1}` | LivenessProbe timeout and delay configuration |
+| proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy |
+| proxy.logHTTPHeaders | `off` or `insecure` | `"off"` | If set to `off`, will prevent the proxy from logging HTTP headers. If set to `insecure`, HTTP headers may be logged verbatim. Note that setting this to `insecure` is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug. |
+| proxy.logLevel | string | `"warn,linkerd=info,hickory=error"` | Log level for the proxy |
+| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used. |
+| proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection |
+| proxy.outbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to local application HTTP/2 clients. |
+| proxy.outbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. |
+| proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection |
+| proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache |
+| proxy.ports.admin | int | `4191` | Admin port for the proxy container |
+| proxy.ports.control | int | `4190` | Control port for the proxy container |
+| proxy.ports.inbound | int | `4143` | Inbound port for the proxy container |
+| proxy.ports.outbound | int | `4140` | Outbound port for the proxy container |
+| proxy.readinessProbe | object | `{"initialDelaySeconds":2,"timeoutSeconds":1}` | ReadinessProbe timeout and delay configuration |
+| proxy.requireIdentityOnInboundPorts | string | `""` |  |
+| proxy.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the proxy can use |
+| proxy.resources.cpu.request | string | `""` | Amount of CPU units that the proxy requests |
+| proxy.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the proxy can use |
+| proxy.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy requests |
+| proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use |
+| proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests |
+| proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. |
+| proxy.startupProbe.failureThreshold | int | `120` |  |
+| proxy.startupProbe.initialDelaySeconds | int | `0` |  |
+| proxy.startupProbe.periodSeconds | int | `1` |  |
+| proxy.uid | int | `2102` | User id under which the proxy runs |
+| proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. |
+| proxyInit.closeWaitTimeoutSecs | int | `0` |  |
+| proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) |
+| proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) |
+| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container |
+| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image |
+| proxyInit.image.version | string | `"v2.4.1"` | Tag for the proxy-init container image |
+| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
+| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
+| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
+| proxyInit.logLevel | string | info | Log level for the proxy-init |
+| proxyInit.privileged | bool | false | Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with 'runAsRoot: true', the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host. |
+| proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 |
+| proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>) |
+| proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 |
+| proxyInit.skipSubnets | string | `""` | Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy |
+| proxyInit.xtMountPath.mountPath | string | `"/run"` |  |
+| proxyInit.xtMountPath.name | string | `"linkerd-proxy-init-xtables-lock"` |  |
+| proxyInjector.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. |
+| proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one. |
+| proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the proxyInjector webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). |
+| proxyInjector.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. |
+| proxyInjector.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. |
+| proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one. |
+| proxyInjector.livenessProbe.timeoutSeconds | int | `1` |  |
+| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. |
+| proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. |
+| proxyInjector.readinessProbe.timeoutSeconds | int | `1` |  |
+| proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. |
+| revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. |
+| runtimeClassName | string | `""` | Runtime Class Name for all the pods |
+| spValidator | object | `{"livenessProbe":{"timeoutSeconds":1},"readinessProbe":{"timeoutSeconds":1}}` | SP validator configuration |
+| webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/buoyant/linkerd-control-plane/2024.11.3/README.md.gotmpl

@@ -0,0 +1,133 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}
+{{ template "chart.typeBadge" . }}
+{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.homepageLine" . }}
+
+## Quickstart and documentation
+
+You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the
+[Linkerd Getting Started Guide][getting-started] for how.
+
+For more comprehensive documentation, start with the [Linkerd
+docs][linkerd-docs].
+
+## Prerequisite: linkerd-crds chart
+
+Before installing this chart, please install the `linkerd-crds` chart, which
+creates all the CRDs that the components from the current chart require.
+
+## Prerequisite: identity certificates
+
+The identity component of Linkerd requires setting up a trust anchor
+certificate, and an issuer certificate with its key. These need to be provided
+to Helm by the user (unlike when using the `linkerd install` CLI which can
+generate these automatically). You can provide your own, or follow [these
+instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new
+ones.
+
+Alternatively, both trust anchor and identity issuer certificates may be
+derived from in-cluster resources. Existing CA (trust anchor) certificates
+**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`.
+Issuer certificates **must** live in a `Secret` named
+`linkerd-identity-issuer`. Both resources should exist in the control-plane's
+install namespace. In order to use an existing CA, Linkerd needs to be
+installed with `identity.externalCA=true`. To use an existing issuer
+certificate, Linkerd should be installed with
+`identity.issuer.scheme=kubernetes.io/tls`.
+
+A more comprehensive description is in the [automatic certificate rotation
+guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions).
+
+Note that the provided certificates must be ECDSA certificates.
+
+## Adding Linkerd's Helm repository
+
+Included here for completeness-sake, but should have already been added when
+`linkerd-base` was installed.
+
+```bash
+# To add the repo for Linkerd edge releases:
+helm repo add linkerd https://helm.linkerd.io/edge
+```
+
+## Installing the chart
+
+You must provide the certificates and keys described in the preceding section,
+and the same expiration date you used to generate the Issuer certificate.
+
+```bash
+helm install linkerd-control-plane -n linkerd \
+  --set-file identityTrustAnchorsPEM=ca.crt \
+  --set-file identity.issuer.tls.crtPEM=issuer.crt \
+  --set-file identity.issuer.tls.keyPEM=issuer.key \
+  linkerd/linkerd-control-plane
+```
+
+Note that you require to install this chart in the same namespace you installed
+the `linkerd-base` chart.
+
+## Setting High-Availability
+
+Besides the default `values.yaml` file, the chart provides a `values-ha.yaml`
+file that overrides some default values as to set things up under a
+high-availability scenario, analogous to the `--ha` option in `linkerd install`.
+Values such as higher number of replicas, higher memory/cpu limits and
+affinities are specified in that file.
+
+You can get ahold of `values-ha.yaml` by fetching the chart files:
+
+```bash
+helm fetch --untar linkerd/linkerd-control-plane
+```
+
+Then use the `-f` flag to provide the override file, for example:
+
+```bash
+helm install linkerd-control-plane -n linkerd \
+  --set-file identityTrustAnchorsPEM=ca.crt \
+  --set-file identity.issuer.tls.crtPEM=issuer.crt \
+  --set-file identity.issuer.tls.keyPEM=issuer.key \
+  -f linkerd2/values-ha.yaml
+  linkerd/linkerd-control-plane
+```
+
+## Get involved
+
+* Check out Linkerd's source code at [GitHub][linkerd2].
+* Join Linkerd's [user mailing list][linkerd-users], [developer mailing
+  list][linkerd-dev], and [announcements mailing list][linkerd-announce].
+* Follow [@linkerd][twitter] on Twitter.
+* Join the [Linkerd Slack][slack].
+
+[getting-started]: https://linkerd.io/2/getting-started/
+[linkerd2]: https://github.com/linkerd/linkerd2
+[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce
+[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev
+[linkerd-docs]: https://linkerd.io/2/overview/
+[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users
+[slack]: http://slack.linkerd.io
+[twitter]: https://twitter.com/linkerd
+
+## Extensions for Linkerd
+
+The current chart installs the core Linkerd components, which grant you
+reliability and security features. Other functionality is available through
+extensions. Check the corresponding docs for each one of the following
+extensions:
+
+* Observability:
+  [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md)
+* Multicluster:
+  [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md)
+* Tracing:
+  [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md)
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

charts/buoyant/linkerd-control-plane/2024.11.3/app-readme.md

@@ -0,0 +1,14 @@
+# Linkerd 2 Chart
+
+Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd
+adds security, observability, and reliability to Kubernetes, without the
+complexity.
+
+This particular Helm chart only installs the control plane core. You will also need to install the
+linkerd-crds chart. This chart should be automatically installed along with any other dependencies.
+If it is not installed as a dependency, install it first.
+
+To gain access to the observability features, please install the linkerd-viz chart.
+Other extensions are available (multicluster, jaeger) under the linkerd Helm repo.
+
+Full documentation available at: https://linkerd.io/2/overview/

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd''
+  and ''patch'' charts. '
+name: partials
+version: 0.1.0

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/README.md

@@ -0,0 +1,9 @@
+# partials
+
+A Helm chart containing Linkerd partial templates,
+depended by the 'linkerd' and 'patch' charts.
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square)
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/README.md.gotmpl

@@ -0,0 +1,14 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}
+{{ template "chart.typeBadge" . }}
+{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_affinity.tpl

@@ -0,0 +1,38 @@
+{{ define "linkerd.pod-affinity" -}}
+podAntiAffinity:
+  preferredDuringSchedulingIgnoredDuringExecution:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+        - key: {{ default "linkerd.io/control-plane-component" .label }}
+          operator: In
+          values:
+          - {{ .component }}
+      topologyKey: topology.kubernetes.io/zone
+    weight: 100
+  requiredDuringSchedulingIgnoredDuringExecution:
+  - labelSelector:
+      matchExpressions:
+      - key: {{ default "linkerd.io/control-plane-component" .label }}
+        operator: In
+        values:
+        - {{ .component }}
+    topologyKey: kubernetes.io/hostname
+{{- end }}
+
+{{ define "linkerd.node-affinity" -}}
+nodeAffinity:
+{{- toYaml .Values.nodeAffinity | trim | nindent 2 }}
+{{- end }}
+
+{{ define "linkerd.affinity" -}}
+{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}}
+affinity:
+{{- end }}
+{{- if .Values.enablePodAntiAffinity -}}
+{{- include "linkerd.pod-affinity" . | nindent 2 }}
+{{- end }}
+{{- if .Values.nodeAffinity -}}
+{{- include "linkerd.node-affinity" . | nindent 2 }}
+{{- end }}
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_capabilities.tpl

@@ -0,0 +1,16 @@
+{{- define "partials.proxy.capabilities" -}}
+capabilities:
+  {{- if .Values.proxy.capabilities.add }}
+  add:
+  {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }}
+  {{- end }}
+  {{- if .Values.proxy.capabilities.drop }}
+  drop:
+  {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }}
+  {{- end }}
+{{- end -}}
+
+{{- define "partials.proxy-init.capabilities.drop" -}}
+drop:
+{{ toYaml .Values.proxyInit.capabilities.drop | trim }}
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_debug.tpl

@@ -0,0 +1,15 @@
+{{- define "partials.debug" -}}
+image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}}
+imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}}
+name: linkerd-debug
+terminationMessagePolicy: FallbackToLogsOnError
+# some environments require probes, so we provide some infallible ones
+livenessProbe:
+    exec:
+      command:
+      - "true"
+readinessProbe:
+    exec:
+      command:
+      - "true"
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Splits a coma separated list into a list of string values.
+For example "11,22,55,44" will become "11","22","55","44"
+*/}}
+{{- define "partials.splitStringList" -}}
+{{- if gt (len (toString .)) 0 -}}
+{{- $ports := toString . | splitList "," -}}
+{{- $last := sub (len $ports) 1 -}}
+{{- range $i,$port := $ports -}}
+"{{$port}}"{{ternary "," "" (ne $i $last)}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_metadata.tpl

@@ -0,0 +1,17 @@
+{{- define "partials.annotations.created-by" -}}
+linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }}
+{{- end -}}
+
+{{- define "partials.proxy.annotations" -}}
+linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}}
+cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }}
+{{- end -}}
+
+{{/*
+To add labels to the control-plane components, instead update at individual component manifests as
+adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades.
+*/}}
+{{- define "partials.proxy.labels" -}}
+linkerd.io/proxy-{{.workloadKind}}: {{.component}}
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_network-validator.tpl

@@ -0,0 +1,45 @@
+{{- define "partials.network-validator" -}}
+name: linkerd-network-validator
+image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }}
+imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
+{{ include "partials.resources" .Values.proxy.resources }}
+{{- if or .Values.networkValidator.enableSecurityContext }}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsGroup: 65534
+  runAsNonRoot: true
+  runAsUser: 65534
+  seccompProfile:
+    type: RuntimeDefault
+{{- end }}
+command:
+  - /usr/lib/linkerd/linkerd2-network-validator
+args:
+  - --log-format
+  - {{ .Values.networkValidator.logFormat }}
+  - --log-level
+  - {{ .Values.networkValidator.logLevel }}
+  - --connect-addr
+    {{- if .Values.networkValidator.connectAddr }}
+  - {{ .Values.networkValidator.connectAddr | quote }}
+    {{- else if .Values.disableIPv6}}
+  - "1.1.1.1:20001"
+    {{- else }}
+  - "[fd00::1]:20001"
+    {{- end }}
+  - --listen-addr
+    {{- if .Values.networkValidator.listenAddr }}
+  - {{ .Values.networkValidator.listenAddr | quote }}
+    {{- else if .Values.disableIPv6}}
+  - "0.0.0.0:4140"
+    {{- else }}
+  - "[::]:4140"
+    {{- end }}
+  - --timeout
+  - {{ .Values.networkValidator.timeout }}
+
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_nodeselector.tpl

@@ -0,0 +1,4 @@
+{{- define "linkerd.node-selector" -}}
+nodeSelector:
+{{- toYaml .Values.nodeSelector | trim | nindent 2 }}
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_proxy-config-ann.tpl

@@ -0,0 +1,18 @@
+{{- define "partials.proxy.config.annotations" -}}
+{{- with .cpu }}
+{{- with .request -}}
+config.linkerd.io/proxy-cpu-request: {{. | quote}}
+{{end}}
+{{- with .limit -}}
+config.linkerd.io/proxy-cpu-limit: {{. | quote}}
+{{- end}}
+{{- end}}
+{{- with .memory }}
+{{- with .request }}
+config.linkerd.io/proxy-memory-request: {{. | quote}}
+{{end}}
+{{- with .limit -}}
+config.linkerd.io/proxy-memory-limit: {{. | quote}}
+{{- end}}
+{{- end }}
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_proxy-init.tpl

@@ -0,0 +1,98 @@
+{{- define "partials.proxy-init" -}}
+args:
+{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }}
+- --firewall-bin-path
+- "iptables-nft"
+- --firewall-save-bin-path
+- "iptables-nft-save"
+{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }}
+{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }}
+{{end -}}
+{{- if .Values.disableIPv6 }}
+- --ipv6=false
+{{- end }}
+- --incoming-proxy-port
+- {{.Values.proxy.ports.inbound | quote}}
+- --outgoing-proxy-port
+- {{.Values.proxy.ports.outbound | quote}}
+- --proxy-uid
+- {{.Values.proxy.uid | quote}}
+{{- if ge (int .Values.proxy.gid) 0 }}
+- --proxy-gid
+- {{.Values.proxy.gid | quote}}
+{{- end }}
+- --inbound-ports-to-ignore
+- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}"
+{{- if .Values.proxyInit.ignoreOutboundPorts }}
+- --outbound-ports-to-ignore
+- {{.Values.proxyInit.ignoreOutboundPorts | quote}}
+{{- end }}
+{{- if .Values.proxyInit.closeWaitTimeoutSecs }}
+- --timeout-close-wait-secs
+- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}}
+{{- end }}
+{{- if .Values.proxyInit.logFormat }}
+- --log-format
+- {{ .Values.proxyInit.logFormat }}
+{{- end }}
+{{- if .Values.proxyInit.logLevel }}
+- --log-level
+- {{ .Values.proxyInit.logLevel }}
+{{- end }}
+{{- if .Values.proxyInit.skipSubnets }}
+- --subnets-to-ignore
+- {{ .Values.proxyInit.skipSubnets | quote }}
+{{- end }}
+image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}}
+imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}}
+name: linkerd-init
+{{ include "partials.resources" .Values.proxy.resources }}
+securityContext:
+  {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }}
+  allowPrivilegeEscalation: true
+  {{- else }}
+  allowPrivilegeEscalation: false
+  {{- end }}
+  capabilities:
+    add:
+    - NET_ADMIN
+    - NET_RAW
+    {{- if .Values.proxyInit.capabilities -}}
+    {{- if .Values.proxyInit.capabilities.add }}
+    {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }}
+    {{- end }}
+    {{- if .Values.proxyInit.capabilities.drop -}}
+    {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}}
+    {{- end }}
+    {{- end }}
+  {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }}
+  privileged: true
+  {{- else }}
+  privileged: false
+  {{- end }}
+  {{- if .Values.proxyInit.runAsRoot }}
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
+  {{- else }}
+  runAsNonRoot: true
+  runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }}
+  runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }}
+  {{- end }}
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+terminationMessagePolicy: FallbackToLogsOnError
+{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }}
+volumeMounts:
+{{- end -}}
+{{- if not .Values.cniEnabled }}
+- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}}
+  name: {{.Values.proxyInit.xtMountPath.name}}
+{{- end -}}
+{{- if .Values.proxyInit.saMountPath }}
+- mountPath: {{.Values.proxyInit.saMountPath.mountPath}}
+  name: {{.Values.proxyInit.saMountPath.name}}
+  readOnly: {{.Values.proxyInit.saMountPath.readOnly}}
+{{- end -}}
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_proxy.tpl

@@ -0,0 +1,271 @@
+{{ define "partials.proxy" -}}
+{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }}
+{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }}
+{{- end }}
+{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }}
+{{- fail "logHTTPHeaders must be one of: insecure | off" }}
+{{- end }}
+{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}}
+env:
+- name: _pod_name
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+- name: _pod_ns
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.namespace
+- name: _pod_nodeName
+  valueFrom:
+    fieldRef:
+      fieldPath: spec.nodeName
+{{- if .Values.proxy.cores }}
+- name: LINKERD2_PROXY_CORES
+  value: {{.Values.proxy.cores | quote}}
+{{- end }}
+{{ if .Values.proxy.requireIdentityOnInboundPorts -}}
+- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY
+  value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}}
+{{ end -}}
+{{ if .Values.proxy.requireTLSOnInboundPorts -}}
+- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
+  value: {{.Values.proxy.requireTLSOnInboundPorts | quote}}
+{{ end -}}
+- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED
+  value: {{.Values.proxy.enableShutdownEndpoint | quote}}
+- name: LINKERD2_PROXY_LOG
+  value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}"
+- name: LINKERD2_PROXY_LOG_FORMAT
+  value: {{.Values.proxy.logFormat | quote}}
+- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
+  value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}}
+- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
+  value: {{.Values.clusterNetworks | quote}}
+- name: LINKERD2_PROXY_POLICY_SVC_ADDR
+  value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}}
+- name: LINKERD2_PROXY_POLICY_WORKLOAD
+  value: |
+    {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
+- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
+  value: {{.Values.proxy.defaultInboundPolicy}}
+- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
+  value: {{.Values.clusterNetworks | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
+  value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
+  value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
+  value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}}
+{{ if .Values.proxy.inboundConnectTimeout -}}
+- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
+  value: {{.Values.proxy.inboundConnectTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.outboundConnectTimeout -}}
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
+  value: {{.Values.proxy.outboundConnectTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}}
+- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
+  value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}}
+- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
+  value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}}
+- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT
+  value: "365d"
+{{ end -}}
+{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}}
+- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT
+  value: "365d"
+{{ end -}}
+- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
+  value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}"
+- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
+  value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}"
+{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}}
+- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
+  value: "127.0.0.1:{{.Values.proxy.ports.outbound}}"
+- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
+  value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}"
+- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
+  value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}"
+- name: LINKERD2_PROXY_INBOUND_IPS
+  valueFrom:
+    fieldRef:
+      fieldPath: status.podIPs
+- name: LINKERD2_PROXY_INBOUND_PORTS
+  value: {{ .Values.proxy.podInboundPorts | quote }}
+{{ if .Values.proxy.isGateway -}}
+- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES
+  value: {{printf "svc.%s." .Values.clusterDomain}}
+{{ end -}}
+{{ if .Values.proxy.isIngress -}}
+- name: LINKERD2_PROXY_INGRESS_MODE
+  value: "true"
+{{ end -}}
+- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
+  {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }}
+  value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}}
+- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
+  value: 10000ms
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
+  value: 10000ms
+- name: LINKERD2_PROXY_INBOUND_ACCEPT_USER_TIMEOUT
+  value: 30s
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_USER_TIMEOUT
+  value: 30s
+{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}}
+{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}}
+{{   range $scopeK, $scopeV := $proxyV -}}
+{{     range $protoK, $protoV := $scopeV -}}
+{{       range $paramK, $paramV := $protoV -}}
+- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}}
+  value: {{ quote $paramV }}
+{{       end -}}
+{{     end -}}
+{{   end -}}
+{{ end -}}
+{{ if .Values.proxy.opaquePorts -}}
+- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
+  value: {{.Values.proxy.opaquePorts | quote}}
+{{ end -}}
+- name: LINKERD2_PROXY_DESTINATION_CONTEXT
+  value: |
+    {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
+- name: _pod_sa
+  valueFrom:
+    fieldRef:
+      fieldPath: spec.serviceAccountName
+- name: _l5d_ns
+  value: {{.Release.Namespace}}
+- name: _l5d_trustdomain
+  value: {{$trustDomain}}
+- name: LINKERD2_PROXY_IDENTITY_DIR
+  value: /var/run/linkerd/identity/end-entity
+- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
+{{- /*
+Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain
+the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not
+be used in other contexts.
+*/}}
+{{- if .Values.proxy.loadTrustBundleFromConfigMap }}
+  valueFrom:
+    configMapKeyRef:
+      name: linkerd-identity-trust-roots
+      key: ca-bundle.crt
+{{ else }}
+  value: |
+    {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }}
+{{ end -}}
+- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
+{{- if .Values.identity.serviceAccountTokenProjection }}
+  value: /var/run/secrets/tokens/linkerd-identity-token
+{{ else }}
+  value: /var/run/secrets/kubernetes.io/serviceaccount/token
+{{ end -}}
+- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
+  value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}}
+- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
+  value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
+  value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
+  value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+- name: LINKERD2_PROXY_POLICY_SVC_NAME
+  value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+{{ if .Values.proxy.accessLog -}}
+- name: LINKERD2_PROXY_ACCESS_LOG
+  value: {{.Values.proxy.accessLog | quote}}
+{{ end -}}
+{{ if .Values.proxy.shutdownGracePeriod -}}
+- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD
+  value: {{.Values.proxy.shutdownGracePeriod | quote}}
+{{ end -}}
+{{ if .Values.proxy.additionalEnv -}}
+{{ toYaml .Values.proxy.additionalEnv }}
+{{ end -}}
+{{ if .Values.proxy.experimentalEnv -}}
+{{ toYaml .Values.proxy.experimentalEnv }}
+{{ end -}}
+image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}}
+imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
+livenessProbe:
+  httpGet:
+    path: /live
+    port: {{.Values.proxy.ports.admin}}
+  initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }}
+  timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }}
+name: linkerd-proxy
+ports:
+- containerPort: {{.Values.proxy.ports.inbound}}
+  name: linkerd-proxy
+- containerPort: {{.Values.proxy.ports.admin}}
+  name: linkerd-admin
+readinessProbe:
+  httpGet:
+    path: /ready
+    port: {{.Values.proxy.ports.admin}}
+  initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }}
+  timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }}
+{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }}
+startupProbe:
+  httpGet:
+    path: /ready
+    port: {{.Values.proxy.ports.admin}}
+  initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}}
+  periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}}
+  failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}}
+{{- end }}
+{{- if .Values.proxy.resources }}
+{{ include "partials.resources" .Values.proxy.resources }}
+{{- end }}
+securityContext:
+  allowPrivilegeEscalation: false
+  {{- if .Values.proxy.capabilities -}}
+  {{- include "partials.proxy.capabilities" . | nindent 2 -}}
+  {{- end }}
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: {{.Values.proxy.uid}}
+{{- if ge (int .Values.proxy.gid) 0 }}
+  runAsGroup: {{.Values.proxy.gid}}
+{{- end }}
+  seccompProfile:
+    type: RuntimeDefault
+terminationMessagePolicy: FallbackToLogsOnError
+{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }}
+lifecycle:
+{{- if .Values.proxy.await }}
+  postStart:
+    exec:
+      command:
+        - /usr/lib/linkerd/linkerd-await
+        - --timeout=2m
+        - --port={{.Values.proxy.ports.admin}}
+{{- end }}
+{{- if .Values.proxy.waitBeforeExitSeconds }}
+  preStop:
+    exec:
+      command:
+        - /bin/sleep
+        - {{.Values.proxy.waitBeforeExitSeconds | quote}}
+{{- end }}
+{{- end }}
+volumeMounts:
+- mountPath: /var/run/linkerd/identity/end-entity
+  name: linkerd-identity-end-entity
+{{- if .Values.identity.serviceAccountTokenProjection }}
+- mountPath: /var/run/secrets/tokens
+  name: linkerd-identity-token
+{{- end }}
+{{- if .Values.proxy.saMountPath }}
+- mountPath: {{.Values.proxy.saMountPath.mountPath}}
+  name: {{.Values.proxy.saMountPath.name}}
+  readOnly: {{.Values.proxy.saMountPath.readOnly}}
+{{- end -}}
+{{- if .Values.proxy.nativeSidecar }}
+restartPolicy: Always
+{{- end -}}
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_pull-secrets.tpl

@@ -0,0 +1,6 @@
+{{- define "partials.image-pull-secrets"}}
+{{- if . }}
+imagePullSecrets:
+{{ toYaml . | indent 2 }}
+{{- end }}
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_resources.tpl

@@ -0,0 +1,28 @@
+{{- define "partials.resources" -}}
+{{- $ephemeralStorage := index . "ephemeral-storage" -}}
+resources:
+  {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }}
+  limits:
+    {{- with (.cpu).limit }}
+    cpu: {{. | quote}}
+    {{- end }}
+    {{- with (.memory).limit }}
+    memory: {{. | quote}}
+    {{- end }}
+    {{- with ($ephemeralStorage).limit }}
+    ephemeral-storage: {{. | quote}}
+    {{- end }}
+  {{- end }}
+  {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }}
+  requests:
+    {{- with (.cpu).request }}
+    cpu: {{. | quote}}
+    {{- end }}
+    {{- with (.memory).request }}
+    memory: {{. | quote}}
+    {{- end }}
+    {{- with ($ephemeralStorage).request }}
+    ephemeral-storage: {{. | quote}}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_tolerations.tpl

@@ -0,0 +1,4 @@
+{{- define "linkerd.tolerations" -}}
+tolerations:
+{{ toYaml .Values.tolerations | trim | indent 2 }}
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_trace.tpl

@@ -0,0 +1,5 @@
+{{ define "partials.linkerd.trace" -}}
+{{ if .Values.controlPlaneTracing -}}
+- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678
+{{ end -}}
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_validate.tpl

@@ -0,0 +1,19 @@
+{{- define "linkerd.webhook.validation" -}}
+
+{{- if and (.injectCaFrom) (.injectCaFromSecret) -}}
+{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}}
+{{- end -}}
+
+{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}}
+{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}}
+{{- end -}}
+
+{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}}
+{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}}
+{{- end }}
+
+{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}}
+{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}}
+{{- end -}}
+
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/charts/partials/templates/_volumes.tpl

@@ -0,0 +1,41 @@
+{{ define "partials.proxy.volumes.identity" -}}
+emptyDir:
+  medium: Memory
+name: linkerd-identity-end-entity
+{{- end -}}
+
+{{ define "partials.proxyInit.volumes.xtables" -}}
+emptyDir: {}
+name: {{ .Values.proxyInit.xtMountPath.name }}
+{{- end -}}
+
+{{- define "partials.proxy.volumes.service-account-token" -}}
+name: linkerd-identity-token
+projected:
+  sources:
+  - serviceAccountToken:
+      path: linkerd-identity-token
+      expirationSeconds: 86400 {{- /* # 24 hours */}}
+      audience: identity.l5d.io
+{{- end -}}
+
+{{- define "partials.volumes.manual-mount-service-account-token" -}}
+name: kube-api-access
+projected:
+  defaultMode: 420
+  sources:
+  - serviceAccountToken:
+      expirationSeconds: 3607
+      path: token
+  - configMap:
+      items:
+      - key: ca.crt
+        path: ca.crt
+      name: kube-root-ca.crt
+  - downwardAPI:
+      items:
+      - fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+        path: namespace
+{{- end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/questions.yaml

@@ -0,0 +1,19 @@
+questions:
+- variable: identityTrustAnchorsPEM
+  label: "Trust root certificate (ECDSA)"
+  description: "Root certificate used to support mTLS connections between meshed pods"
+  required: true
+  type: multiline
+  group: Identity
+- variable: identity.issuer.tls.crtPEM
+  label: "Issuer certificate (ECDSA)"
+  description: "Intermediate certificate, rooted on identityTrustAnchorsPEM, used to sign the Linkerd proxies' CSR"
+  required: true
+  type: multiline
+  group: Identity
+- variable: identity.issuer.tls.keyPEM
+  label: "Key for the issuer certificate (ECDSA)"
+  description: "Private key for the certificate entered on crtPEM"
+  required: true
+  type: multiline
+  group: Identity

charts/buoyant/linkerd-control-plane/2024.11.3/templates/NOTES.txt

@@ -0,0 +1,19 @@
+The Linkerd control plane was successfully installed 🎉
+
+To help you manage your Linkerd service mesh you can install the Linkerd CLI by running:
+
+  curl -sL https://run.linkerd.io/install | sh
+
+Alternatively, you can download the CLI directly via the Linkerd releases page:
+
+  https://github.com/linkerd/linkerd2/releases/
+
+To make sure everything works as expected, run the following:
+
+  linkerd check
+
+The viz extension can be installed by running:
+
+  helm install linkerd-viz linkerd/linkerd-viz
+
+Looking for more? Visit https://linkerd.io/2/getting-started/

charts/buoyant/linkerd-control-plane/2024.11.3/templates/config-rbac.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  name: ext-namespace-metadata-linkerd-config
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get"]
+  resourceNames: ["linkerd-config"]

charts/buoyant/linkerd-control-plane/2024.11.3/templates/config.yaml

@@ -0,0 +1,39 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: linkerd-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: controller
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+data:
+  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
+  values: |
+  {{- $values := deepCopy .Values }}
+  {{- /*
+    WARNING! All sensitive or private data such as TLS keys must be removed
+    here to avoid it being publicly readable.
+  */ -}}
+  {{- if kindIs "map" $values.identity.issuer.tls -}}
+    {{- $_ := unset $values.identity.issuer.tls "keyPEM"}}
+  {{- end -}}
+  {{- if kindIs "map" $values.profileValidator -}}
+    {{- $_ := unset $values.profileValidator "keyPEM"}}
+  {{- end -}}
+  {{- if kindIs "map" $values.proxyInjector -}}
+    {{- $_ := unset $values.proxyInjector "keyPEM"}}
+  {{- end -}}
+  {{- if kindIs "map" $values.policyValidator -}}
+    {{- $_ := unset $values.policyValidator "keyPEM"}}
+  {{- end -}}
+  {{- if (empty $values.identityTrustDomain) -}}
+  {{- $_ := set $values "identityTrustDomain" $values.clusterDomain}}
+  {{- end -}}
+  {{- $_ := unset $values "partials"}}
+  {{- $_ := unset $values "configs"}}
+  {{- $_ := unset $values "stage"}}
+  {{- toYaml $values | trim | nindent 4 }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/destination-rbac.yaml

@@ -0,0 +1,339 @@
+---
+###
+### Destination Controller Service
+###
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Release.Namespace}}-destination
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+- apiGroups: ["apps"]
+  resources: ["replicasets"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: [""]
+  resources: ["pods", "endpoints", "services", "nodes"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: ["linkerd.io"]
+  resources: ["serviceprofiles"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: ["workload.linkerd.io"]
+  resources: ["externalworkloads"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["create", "get", "update", "patch"]
+  {{- if .Values.enableEndpointSlices }}
+- apiGroups: ["discovery.k8s.io"]
+  resources: ["endpointslices"]
+  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
+  {{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Release.Namespace}}-destination
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: linkerd-{{.Release.Namespace}}-destination
+subjects:
+- kind: ServiceAccount
+  name: linkerd-destination
+  namespace: {{.Release.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-destination
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
+---
+{{- $host := printf "linkerd-sp-validator.%s.svc" .Release.Namespace }}
+{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
+{{- if (not .Values.profileValidator.externalSecret) }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator-k8s-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.crtPEM)) (empty .Values.profileValidator.crtPEM) }}
+  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.profileValidator.keyPEM)) (empty .Values.profileValidator.keyPEM) }}
+---
+{{- end }}
+{{- include "linkerd.webhook.validation" .Values.profileValidator }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: linkerd-sp-validator-webhook-config
+  {{- if or (.Values.profileValidator.injectCaFrom) (.Values.profileValidator.injectCaFromSecret) }}
+  annotations:
+  {{- if .Values.profileValidator.injectCaFrom }}
+    cert-manager.io/inject-ca-from: {{ .Values.profileValidator.injectCaFrom }}
+  {{- end }}
+  {{- if .Values.profileValidator.injectCaFromSecret }}
+    cert-manager.io/inject-ca-from-secret: {{ .Values.profileValidator.injectCaFromSecret }}
+  {{- end }}
+  {{- end }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+webhooks:
+- name: linkerd-sp-validator.linkerd.io
+  namespaceSelector:
+    {{- toYaml .Values.profileValidator.namespaceSelector | trim | nindent 4 }}
+  clientConfig:
+    service:
+      name: linkerd-sp-validator
+      namespace: {{ .Release.Namespace }}
+      path: "/"
+    {{- if and (empty .Values.profileValidator.injectCaFrom) (empty .Values.profileValidator.injectCaFromSecret) }}
+    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.caBundle)) (empty .Values.profileValidator.caBundle) }}
+    {{- end }}
+  failurePolicy: {{.Values.webhookFailurePolicy}}
+  admissionReviewVersions: ["v1", "v1beta1"]
+  rules:
+  - operations: ["CREATE", "UPDATE"]
+    apiGroups: ["linkerd.io"]
+    apiVersions: ["v1alpha1", "v1alpha2"]
+    resources: ["serviceprofiles"]
+  sideEffects: None
+---
+{{- $host := printf "linkerd-policy-validator.%s.svc" .Release.Namespace }}
+{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
+{{- if (not .Values.policyValidator.externalSecret) }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: linkerd-policy-validator-k8s-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.crtPEM)) (empty .Values.policyValidator.crtPEM) }}
+  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.policyValidator.keyPEM)) (empty .Values.policyValidator.keyPEM) }}
+---
+{{- end }}
+{{- include "linkerd.webhook.validation" .Values.policyValidator }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: linkerd-policy-validator-webhook-config
+  {{- if or (.Values.policyValidator.injectCaFrom) (.Values.policyValidator.injectCaFromSecret) }}
+  annotations:
+  {{- if .Values.policyValidator.injectCaFrom }}
+    cert-manager.io/inject-ca-from: {{ .Values.policyValidator.injectCaFrom }}
+  {{- end }}
+  {{- if .Values.policyValidator.injectCaFromSecret }}
+    cert-manager.io/inject-ca-from-secret: {{ .Values.policyValidator.injectCaFromSecret }}
+  {{- end }}
+  {{- end }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+webhooks:
+- name: linkerd-policy-validator.linkerd.io
+  namespaceSelector:
+    {{- toYaml .Values.policyValidator.namespaceSelector | trim | nindent 4 }}
+  clientConfig:
+    service:
+      name: linkerd-policy-validator
+      namespace: {{ .Release.Namespace }}
+      path: "/"
+    {{- if and (empty .Values.policyValidator.injectCaFrom) (empty .Values.policyValidator.injectCaFromSecret) }}
+    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.caBundle)) (empty .Values.policyValidator.caBundle) }}
+    {{- end }}
+  failurePolicy: {{.Values.webhookFailurePolicy}}
+  admissionReviewVersions: ["v1", "v1beta1"]
+  rules:
+  - operations: ["CREATE", "UPDATE"]
+    apiGroups: ["policy.linkerd.io"]
+    apiVersions: ["*"]
+    resources:
+    - authorizationpolicies
+    - httplocalratelimitpolicies
+    - httproutes
+    - networkauthentications
+    - meshtlsauthentications
+    - serverauthorizations
+    - servers
+    - egressnetworks
+  - operations: ["CREATE", "UPDATE"]
+    apiGroups: ["gateway.networking.k8s.io"]
+    apiVersions: ["*"]
+    resources:
+    - httproutes
+    - grpcroutes
+    - tlsroutes
+    - tcproutes
+  sideEffects: None
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: linkerd-policy
+  labels:
+    app.kubernetes.io/part-of: Linkerd
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+  - apiGroups:
+      - policy.linkerd.io
+    resources:
+      - authorizationpolicies
+      - httplocalratelimitpolicies
+      - httproutes
+      - meshtlsauthentications
+      - networkauthentications
+      - servers
+      - serverauthorizations
+      - egressnetworks
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - httproutes
+      - grpcroutes
+      - tlsroutes
+      - tcproutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - policy.linkerd.io
+    resources:
+      - httproutes/status
+      - httplocalratelimitpolicies/status
+      - egressnetworks/status
+    verbs:
+      - patch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - httproutes/status
+      - grpcroutes/status
+      - tlsroutes/status
+      - tcproutes/status
+    verbs:
+      - patch
+  - apiGroups:
+      - workload.linkerd.io
+    resources:
+      - externalworkloads
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: linkerd-destination-policy
+  labels:
+    app.kubernetes.io/part-of: Linkerd
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: linkerd-policy
+subjects:
+  - kind: ServiceAccount
+    name: linkerd-destination
+    namespace: {{.Release.Namespace}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: remote-discovery
+  namespace: {{.Release.Namespace}}
+  labels:
+    app.kubernetes.io/part-of: Linkerd
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: linkerd-destination-remote-discovery
+  namespace: {{.Release.Namespace}}
+  labels:
+    app.kubernetes.io/part-of: Linkerd
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: remote-discovery
+subjects:
+  - kind: ServiceAccount
+    name: linkerd-destination
+    namespace: {{.Release.Namespace}}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/destination.yaml

@@ -0,0 +1,448 @@
+---
+###
+### Destination Controller Service
+###
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-dst
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: destination
+  ports:
+  - name: grpc
+    port: 8086
+    targetPort: 8086
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-dst-headless
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  clusterIP: None
+  selector:
+    linkerd.io/control-plane-component: destination
+  ports:
+  - name: grpc
+    port: 8086
+    targetPort: 8086
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-sp-validator
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: destination
+  ports:
+  - name: sp-validator
+    port: 443
+    targetPort: sp-validator
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-policy
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  clusterIP: None
+  selector:
+    linkerd.io/control-plane-component: destination
+  ports:
+  - name: grpc
+    port: 8090
+    targetPort: 8090
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-policy-validator
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: destination
+  ports:
+  - name: policy-https
+    port: 443
+    targetPort: policy-https
+{{- if .Values.enablePodDisruptionBudget }}
+---
+kind: PodDisruptionBudget
+apiVersion: policy/v1
+metadata:
+  name: linkerd-dst
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
+  selector:
+    matchLabels:
+      linkerd.io/control-plane-component: destination
+{{- end }}
+---
+{{- $tree := deepCopy . }}
+{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
+{{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}}
+{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
+{{- if not (empty .Values.destinationProxyResources) }}
+{{- $c := dig "cores" .Values.proxy.cores .Values.destinationProxyResources }}
+{{- $_ := set $tree.Values.proxy "cores" $c }}
+{{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }}
+{{- $_ := set $tree.Values.proxy "resources" $r }}
+{{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    app.kubernetes.io/name: destination
+    app.kubernetes.io/part-of: Linkerd
+    app.kubernetes.io/version: {{.Values.linkerdVersion}}
+    linkerd.io/control-plane-component: destination
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  name: linkerd-destination
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{.Values.controllerReplicas}}
+  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
+  selector:
+    matchLabels:
+      linkerd.io/control-plane-component: destination
+      linkerd.io/control-plane-ns: {{.Release.Namespace}}
+      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
+  {{- if .Values.deploymentStrategy }}
+  strategy:
+    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  {{- end }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }}
+        {{ include "partials.annotations.created-by" . }}
+        {{- include "partials.proxy.annotations" . | nindent 8}}
+        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
+      labels:
+        linkerd.io/control-plane-component: destination
+        linkerd.io/control-plane-ns: {{.Release.Namespace}}
+        linkerd.io/workload-ns: {{.Release.Namespace}}
+        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
+        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+    spec:
+      {{- with .Values.runtimeClassName }}
+      runtimeClassName: {{ . | quote }}
+      {{- end }}
+      {{- if .Values.tolerations -}}
+      {{- include "linkerd.tolerations" . | nindent 6 }}
+      {{- end -}}
+      {{- include "linkerd.node-selector" . | nindent 6 }}
+      {{- $_ := set $tree "component" "destination" -}}
+      {{- include "linkerd.affinity" $tree | nindent 6 }}
+      automountServiceAccountToken: false
+      containers:
+      {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }}
+      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
+      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }}
+      {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
+      {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
+      {{- /*
+        The pod needs to accept webhook traffic, and we can't rely on that originating in the
+        cluster network.
+      */}}
+      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
+      {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
+      {{- if not $tree.Values.proxy.nativeSidecar }}
+      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{- end }}
+      - args:
+        - destination
+        - -addr=:8086
+        - -controller-namespace={{.Release.Namespace}}
+        - -enable-h2-upgrade={{.Values.enableH2Upgrade}}
+        - -log-level={{.Values.controllerLogLevel}}
+        - -log-format={{.Values.controllerLogFormat}}
+        - -enable-endpoint-slices={{.Values.enableEndpointSlices}}
+        - -cluster-domain={{.Values.clusterDomain}}
+        - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
+        - -default-opaque-ports={{.Values.proxy.opaquePorts}}
+        - -enable-ipv6={{not .Values.disableIPv6}}
+        - -enable-pprof={{.Values.enablePprof | default false}}
+        {{- if (.Values.destinationController).meshedHttp2ClientProtobuf }}
+        - --meshed-http2-client-params={{ toJson .Values.destinationController.meshedHttp2ClientProtobuf }}
+        {{- end }}
+        {{- range (.Values.destinationController).additionalArgs }}
+        - {{ . }}
+        {{- end }}
+        {{- range (.Values.destinationController).experimentalArgs }}
+        - {{ . }}
+        {{- end }}
+        {{- if or (.Values.destinationController).additionalEnv (.Values.destinationController).experimentalEnv }}
+        env:
+        {{- with (.Values.destinationController).additionalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        {{- with (.Values.destinationController).experimentalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        {{- end }}
+        {{- include "partials.linkerd.trace" . | nindent 8 -}}
+        image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
+        imagePullPolicy: {{.Values.imagePullPolicy}}
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9996
+          initialDelaySeconds: 10
+          {{- with (.Values.destinationController.livenessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        name: destination
+        ports:
+        - containerPort: 8086
+          name: grpc
+        - containerPort: 9996
+          name: admin-http
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9996
+          {{- with (.Values.destinationController.readinessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        {{- if .Values.destinationResources -}}
+        {{- include "partials.resources" .Values.destinationResources | nindent 8 }}
+        {{- end }}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
+      - args:
+        - sp-validator
+        - -log-level={{.Values.controllerLogLevel}}
+        - -log-format={{.Values.controllerLogFormat}}
+        - -enable-pprof={{.Values.enablePprof | default false}}
+        {{- if or (.Values.spValidator).additionalEnv (.Values.spValidator).experimentalEnv }}
+        env:
+        {{- with (.Values.spValidator).additionalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        {{- with (.Values.spValidator).experimentalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        {{- end }}
+        image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
+        imagePullPolicy: {{.Values.imagePullPolicy}}
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9997
+          initialDelaySeconds: 10
+          {{- with ((.Values.spValidator).livenessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        name: sp-validator
+        ports:
+        - containerPort: 8443
+          name: sp-validator
+        - containerPort: 9997
+          name: admin-http
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9997
+          {{- with ((.Values.spValidator).readinessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        {{- if .Values.spValidatorResources -}}
+        {{- include "partials.resources" .Values.spValidatorResources | nindent 8 }}
+        {{- end }}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /var/run/linkerd/tls
+          name: sp-tls
+          readOnly: true
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
+      - args:
+        - --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990
+        - --control-plane-namespace={{.Release.Namespace}}
+        - --grpc-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:8090
+        - --server-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9443
+        - --server-tls-key=/var/run/linkerd/tls/tls.key
+        - --server-tls-certs=/var/run/linkerd/tls/tls.crt
+        - --cluster-networks={{.Values.clusterNetworks}}
+        - --identity-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
+        - --cluster-domain={{.Values.clusterDomain}}
+        - --default-policy={{.Values.proxy.defaultInboundPolicy}}
+        - --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}}
+        - --log-format={{.Values.controllerLogFormat}}
+        - --default-opaque-ports={{.Values.proxy.opaquePorts}}
+        - --global-egress-network-namespace={{.Values.egress.globalEgressNetworkNamespace}}
+        {{- if .Values.policyController.probeNetworks }}
+        - --probe-networks={{.Values.policyController.probeNetworks | join ","}}
+        {{- end}}
+        {{- range .Values.policyController.additionalArgs }}
+        - {{ . }}
+        {{- end }}
+        {{- range .Values.policyController.experimentalArgs }}
+        - {{ . }}
+        {{- end }}
+        image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}}
+        imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}}
+        livenessProbe:
+          httpGet:
+            path: /live
+            port: admin-http
+          {{- with (.Values.policyController.livenessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        name: policy
+        ports:
+        - containerPort: 8090
+          name: grpc
+        - containerPort: 9990
+          name: admin-http
+        - containerPort: 9443
+          name: policy-https
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: admin-http
+          initialDelaySeconds: 10
+          {{- with (.Values.policyController.readinessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        {{- if .Values.policyController.resources }}
+        {{- include "partials.resources" .Values.policyController.resources | nindent 8 }}
+        {{- end }}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /var/run/linkerd/tls
+          name: policy-tls
+          readOnly: true
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
+      initContainers:
+      {{ if .Values.cniEnabled -}}
+      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ else -}}
+      {{- /*
+        The destination controller needs to connect to the Kubernetes API before the proxy is able
+        to proxy requests, so we always skip these connections.
+      */}}
+      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
+      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{- if $tree.Values.proxy.nativeSidecar }}
+        {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
+        {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
+        {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
+      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{- if .Values.priorityClassName -}}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{ end -}}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: linkerd-destination
+      volumes:
+      - name: sp-tls
+        secret:
+          secretName: linkerd-sp-validator-k8s-tls
+      - name: policy-tls
+        secret:
+          secretName: linkerd-policy-validator-k8s-tls
+      - {{- include "partials.volumes.manual-mount-service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ if not .Values.cniEnabled -}}
+      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{if .Values.identity.serviceAccountTokenProjection -}}
+      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/heartbeat-rbac.yaml

@@ -0,0 +1,78 @@
+{{ if not .Values.disableHeartBeat -}}
+---
+###
+### Heartbeat RBAC
+###
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: linkerd-heartbeat
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get"]
+  resourceNames: ["linkerd-config"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: linkerd-heartbeat
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  kind: Role
+  name: linkerd-heartbeat
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: linkerd-heartbeat
+  namespace: {{.Release.Namespace}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: linkerd-heartbeat
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["list"]
+- apiGroups: ["linkerd.io"]
+  resources: ["serviceprofiles"]
+  verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: linkerd-heartbeat
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  kind: ClusterRole
+  name: linkerd-heartbeat
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: linkerd-heartbeat
+  namespace: {{.Release.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-heartbeat
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: heartbeat
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/heartbeat.yaml

@@ -0,0 +1,101 @@
+{{ if not .Values.disableHeartBeat -}}
+---
+###
+### Heartbeat
+###
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: linkerd-heartbeat
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: heartbeat
+    app.kubernetes.io/part-of: Linkerd
+    app.kubernetes.io/version: {{.Values.linkerdVersion}}
+    linkerd.io/control-plane-component: heartbeat
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  concurrencyPolicy: Replace
+  {{ if .Values.heartbeatSchedule -}}
+  schedule: "{{.Values.heartbeatSchedule}}"
+  {{ else -}}
+  schedule: "{{ dateInZone "04 15 * * *" (now | mustDateModify "+10m") "UTC"}}"
+  {{ end -}}
+  successfulJobsHistoryLimit: 0
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            linkerd.io/control-plane-component: heartbeat
+            linkerd.io/workload-ns: {{.Release.Namespace}}
+            {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 12 }}{{- end }}
+          annotations:
+            {{ include "partials.annotations.created-by" . }}
+            {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 12 }}{{- end }}
+        spec:
+          {{- if .Values.priorityClassName }}
+          priorityClassName: {{ .Values.priorityClassName }}
+          {{- end -}}
+          {{- with .Values.runtimeClassName }}
+          runtimeClassName: {{ . | quote }}
+          {{- end }}
+          {{- if .Values.tolerations -}}
+          {{- include "linkerd.tolerations" . | nindent 10 }}
+          {{- end -}}
+          {{- include "linkerd.node-selector" . | nindent 10 }}
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+          serviceAccountName: linkerd-heartbeat
+          restartPolicy: Never
+          automountServiceAccountToken: false
+          containers:
+          - name: heartbeat
+            image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
+            imagePullPolicy: {{.Values.imagePullPolicy}}
+            env:
+            - name: LINKERD_DISABLED
+              value: "the heartbeat controller does not use the proxy"
+            {{- with (.Values.heartbeat).additionalEnv }}
+            {{- toYaml . | nindent 12 -}}
+            {{- end }}
+            {{- with (.Values.heartbeat).experimentalEnv }}
+            {{- toYaml . | nindent 12 -}}
+            {{- end }}
+            args:
+            - "heartbeat"
+            - "-controller-namespace={{.Release.Namespace}}"
+            - "-log-level={{.Values.controllerLogLevel}}"
+            - "-log-format={{.Values.controllerLogFormat}}"
+            {{- if .Values.prometheusUrl }}
+            - "-prometheus-url={{.Values.prometheusUrl}}"
+            {{- else }}
+            - "-prometheus-url=http://prometheus.linkerd-viz.svc.{{.Values.clusterDomain}}:9090"
+            {{- end }}
+            {{- if .Values.heartbeatResources -}}
+            {{- include "partials.resources" .Values.heartbeatResources | nindent 12 }}
+            {{- end }}
+            securityContext:
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+              runAsUser: {{.Values.controllerUID}}
+              {{- if ge (int .Values.controllerGID) 0 }}
+              runAsGroup: {{.Values.controllerGID}}
+              {{- end }}
+              allowPrivilegeEscalation: false
+              seccompProfile:
+                type: RuntimeDefault
+            volumeMounts:
+            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+              name: kube-api-access
+              readOnly: true
+          volumes:
+          - {{- include "partials.volumes.manual-mount-service-account-token" . | indent 12 | trimPrefix (repeat 11 " ") }}
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/identity-rbac.yaml

@@ -0,0 +1,49 @@
+---
+###
+### Identity Controller Service RBAC
+###
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Release.Namespace}}-identity
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+# TODO(ver) Restrict this to the Linkerd namespace. See
+# https://github.com/linkerd/linkerd2/issues/9367
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Release.Namespace}}-identity
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: linkerd-{{.Release.Namespace}}-identity
+subjects:
+- kind: ServiceAccount
+  name: linkerd-identity
+  namespace: {{.Release.Namespace}}
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-identity
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/identity.yaml

@@ -0,0 +1,277 @@
+{{if .Values.identity -}}
+---
+###
+### Identity Controller Service
+###
+{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: linkerd-identity-issuer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+data:
+  crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}}
+  key.pem: {{b64enc (required "Please provide the identity issue private key" .Values.identity.issuer.tls.keyPEM | trim)}}
+---
+{{- end}}
+{{ if not (.Values.identity.externalCA) -}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: linkerd-identity-trust-roots
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+data:
+  ca-bundle.crt: |-{{.Values.identityTrustAnchorsPEM | trim | nindent 4}}
+---
+{{- end}}
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-identity
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: identity
+  ports:
+  - name: grpc
+    port: 8080
+    targetPort: 8080
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-identity-headless
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  clusterIP: None
+  selector:
+    linkerd.io/control-plane-component: identity
+  ports:
+  - name: grpc
+    port: 8080
+    targetPort: 8080
+---
+{{- if .Values.enablePodDisruptionBudget }}
+kind: PodDisruptionBudget
+apiVersion: policy/v1
+metadata:
+  name: linkerd-identity
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
+  selector:
+    matchLabels:
+      linkerd.io/control-plane-component: identity
+---
+{{- end }}
+{{- $tree := deepCopy . }}
+{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
+{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}}
+{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
+{{- if not (empty .Values.identityProxyResources) }}
+{{- $c := dig "cores" .Values.proxy.cores .Values.identityProxyResources }}
+{{- $_ := set $tree.Values.proxy "cores" $c }}
+{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }}
+{{- $_ := set $tree.Values.proxy "resources" $r }}
+{{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    app.kubernetes.io/name: identity
+    app.kubernetes.io/part-of: Linkerd
+    app.kubernetes.io/version: {{.Values.linkerdVersion}}
+    linkerd.io/control-plane-component: identity
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  name: linkerd-identity
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{.Values.controllerReplicas}}
+  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
+  selector:
+    matchLabels:
+      linkerd.io/control-plane-component: identity
+      linkerd.io/control-plane-ns: {{.Release.Namespace}}
+      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
+  {{- if .Values.deploymentStrategy }}
+  strategy:
+    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  {{- end }}
+  template:
+    metadata:
+      annotations:
+        {{ include "partials.annotations.created-by" . }}
+        {{- include "partials.proxy.annotations" . | nindent 8}}
+        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
+      labels:
+        linkerd.io/control-plane-component: identity
+        linkerd.io/control-plane-ns: {{.Release.Namespace}}
+        linkerd.io/workload-ns: {{.Release.Namespace}}
+        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
+        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+    spec:
+      {{- with .Values.runtimeClassName }}
+      runtimeClassName: {{ . | quote }}
+      {{- end }}
+      {{- if .Values.tolerations -}}
+      {{- include "linkerd.tolerations" . | nindent 6 }}
+      {{- end -}}
+      {{- include "linkerd.node-selector" . | nindent 6 }}
+      {{- $_ := set $tree "component" "identity" -}}
+      {{- include "linkerd.affinity" $tree | nindent 6 }}
+      automountServiceAccountToken: false
+      containers:
+      - args:
+        - identity
+        - -log-level={{.Values.controllerLogLevel}}
+        - -log-format={{.Values.controllerLogFormat}}
+        - -controller-namespace={{.Release.Namespace}}
+        - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
+        - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}}
+        - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}}
+        - -identity-scheme={{.Values.identity.issuer.scheme}}
+        - -enable-pprof={{.Values.enablePprof | default false}}
+        - -kube-apiclient-qps={{.Values.identity.kubeAPI.clientQPS}}
+        - -kube-apiclient-burst={{.Values.identity.kubeAPI.clientBurst}}
+        {{- include "partials.linkerd.trace" . | nindent 8 -}}
+        env:
+        - name: LINKERD_DISABLED
+          value: "linkerd-await cannot block the identity controller"
+        {{- with (.Values.identity).additionalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        {{- with (.Values.identity).experimentalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
+        imagePullPolicy: {{.Values.imagePullPolicy}}
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9990
+          initialDelaySeconds: 10
+          {{- with (.Values.identity.livenessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        name: identity
+        ports:
+        - containerPort: 8080
+          name: grpc
+        - containerPort: 9990
+          name: admin-http
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9990
+          {{- with (.Values.identity.readinessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        {{- if .Values.identityResources -}}
+        {{- include "partials.resources" .Values.identityResources | nindent 8 }}
+        {{- end }}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /var/run/linkerd/identity/issuer
+          name: identity-issuer
+        - mountPath: /var/run/linkerd/identity/trust-roots/
+          name: trust-roots
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
+      {{- $_ := set $tree.Values.proxy "await" false }}
+      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
+      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
+      {{- $_ := set $tree.Values.proxy "nativeSidecar" false }}
+      {{- /*
+        The identity controller cannot discover policies, so we configure it with defaults that
+        enforce TLS on the identity service.
+      */}}
+      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
+      {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
+      {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
+      {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
+      {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
+      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      initContainers:
+      {{ if .Values.cniEnabled -}}
+      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ else -}}
+      {{- /*
+        The identity controller needs to connect to the Kubernetes API before the proxy is able to
+        proxy requests, so we always skip these connections. The identity controller makes no other
+        outbound connections (so it's not important to persist any other skip ports here)
+      */}}
+      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
+      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{- if .Values.priorityClassName -}}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{ end -}}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: linkerd-identity
+      volumes:
+      - name: identity-issuer
+        secret:
+          secretName: linkerd-identity-issuer
+      - configMap:
+          name: linkerd-identity-trust-roots
+        name: trust-roots
+      - {{- include "partials.volumes.manual-mount-service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ if not .Values.cniEnabled -}}
+      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{if .Values.identity.serviceAccountTokenProjection -}}
+      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
+{{end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/namespace.yaml

@@ -0,0 +1,18 @@
+{{- if eq .Release.Service "CLI" -}}
+---
+###
+### Linkerd Namespace
+###
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: {{ .Release.Namespace }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    linkerd.io/is-control-plane: "true"
+    config.linkerd.io/admission-webhooks: disabled
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}}
+    pod-security.kubernetes.io/enforce: {{ ternary "restricted" "privileged" .Values.cniEnabled }}
+{{ end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/podmonitor.yaml

@@ -0,0 +1,128 @@
+{{- $podMonitor := .Values.podMonitor -}}
+{{- if and $podMonitor.enabled $podMonitor.controller.enabled }}
+---
+###
+### Prometheus Operator PodMonitor for Linkerd control-plane
+###
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: "linkerd-controller"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  namespaceSelector: {{ tpl .Values.podMonitor.controller.namespaceSelector . | nindent 4 }}
+  selector:
+    matchLabels: {}
+  podMetricsEndpoints:
+    - interval: {{ $podMonitor.scrapeInterval }}
+      scrapeTimeout: {{ $podMonitor.scrapeTimeout }}
+      relabelings:
+        - sourceLabels:
+            - __meta_kubernetes_pod_container_port_name
+          action: keep
+          regex: admin-http
+        - sourceLabels:
+            - __meta_kubernetes_pod_container_name
+          action: replace
+          targetLabel: component
+{{- end }}
+{{- if and $podMonitor.enabled $podMonitor.serviceMirror.enabled }}
+---
+###
+### Prometheus Operator PodMonitor for Linkerd Service Mirror (multi-cluster)
+###
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: "linkerd-service-mirror"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels: {}
+  podMetricsEndpoints:
+    - interval: {{ $podMonitor.scrapeInterval }}
+      scrapeTimeout: {{ $podMonitor.scrapeTimeout }}
+      relabelings:
+        - sourceLabels:
+            - __meta_kubernetes_pod_label_linkerd_io_control_plane_component
+            - __meta_kubernetes_pod_container_port_name
+          action: keep
+          regex: linkerd-service-mirror;admin-http$
+        - sourceLabels:
+            - __meta_kubernetes_pod_container_name
+          action: replace
+          targetLabel: component
+{{- end }}
+{{- if and $podMonitor.enabled $podMonitor.proxy.enabled }}
+---
+###
+### Prometheus Operator PodMonitor Linkerd data-plane
+###
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: "linkerd-proxy"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-ns: {{ .Release.Namespace }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels: {}
+  podMetricsEndpoints:
+    - interval: {{ $podMonitor.scrapeInterval }}
+      scrapeTimeout: {{ $podMonitor.scrapeTimeout }}
+      relabelings:
+        - sourceLabels:
+            - __meta_kubernetes_pod_container_name
+            - __meta_kubernetes_pod_container_port_name
+            - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns
+          action: keep
+          regex: ^linkerd-proxy;linkerd-admin;{{ .Release.Namespace }}$
+        - sourceLabels: [ __meta_kubernetes_namespace ]
+          action: replace
+          targetLabel: namespace
+        - sourceLabels: [ __meta_kubernetes_pod_name ]
+          action: replace
+          targetLabel: pod
+        - sourceLabels: [ __meta_kubernetes_pod_label_linkerd_io_proxy_job ]
+          action: replace
+          targetLabel: k8s_job
+        - action: labeldrop
+          regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
+        - action: labeldrop
+          regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_linkerd_io_(.+)
+        - action: labelmap
+          regex: __meta_kubernetes_pod_label_(.+)
+          replacement: __tmp_pod_label_$1
+        - action: labelmap
+          regex: __tmp_pod_label_linkerd_io_(.+)
+          replacement: __tmp_pod_label_$1
+        - action: labeldrop
+          regex: __tmp_pod_label_linkerd_io_(.+)
+        - action: labelmap
+          regex: __tmp_pod_label_(.+)
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/proxy-injector-rbac.yaml

@@ -0,0 +1,120 @@
+---
+###
+### Proxy Injector RBAC
+###
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Release.Namespace}}-proxy-injector
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: [""]
+  resources: ["namespaces", "replicationcontrollers"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["list", "watch"]
+- apiGroups: ["extensions", "apps"]
+  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: ["extensions", "batch"]
+  resources: ["cronjobs", "jobs"]
+  verbs: ["list", "get", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: linkerd-{{.Release.Namespace}}-proxy-injector
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+subjects:
+- kind: ServiceAccount
+  name: linkerd-proxy-injector
+  namespace: {{.Release.Namespace}}
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: linkerd-{{.Release.Namespace}}-proxy-injector
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: linkerd-proxy-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
+---
+{{- $host := printf "linkerd-proxy-injector.%s.svc" .Release.Namespace }}
+{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
+{{- if (not .Values.proxyInjector.externalSecret) }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: linkerd-proxy-injector-k8s-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }}
+  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }}
+---
+{{- end }}
+{{- include "linkerd.webhook.validation" .Values.proxyInjector }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: linkerd-proxy-injector-webhook-config
+  {{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }}
+  annotations:
+  {{- if .Values.proxyInjector.injectCaFrom }}
+    cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }}
+  {{- end }}
+  {{- if .Values.proxyInjector.injectCaFromSecret }}
+    cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }}
+  {{- end }}
+  {{- end }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+webhooks:
+- name: linkerd-proxy-injector.linkerd.io
+  namespaceSelector:
+    {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }}
+  objectSelector:
+    {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }}
+  clientConfig:
+    service:
+      name: linkerd-proxy-injector
+      namespace: {{ .Release.Namespace }}
+      path: "/"
+    {{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }}
+    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }}
+    {{- end }}
+  failurePolicy: {{.Values.webhookFailurePolicy}}
+  admissionReviewVersions: ["v1", "v1beta1"]
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods", "services"]
+    scope: "Namespaced"
+  sideEffects: None
+  timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/proxy-injector.yaml

@@ -0,0 +1,227 @@
+---
+###
+### Proxy Injector
+###
+{{- $tree := deepCopy . }}
+{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
+{{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}}
+{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
+{{- if not (empty .Values.proxyInjectorProxyResources) }}
+{{- $c := dig "cores" .Values.proxy.cores .Values.proxyInjectorProxyResources }}
+{{- $_ := set $tree.Values.proxy "cores" $c }}
+{{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }}
+{{- $_ := set $tree.Values.proxy "resources" $r }}
+{{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    app.kubernetes.io/name: proxy-injector
+    app.kubernetes.io/part-of: Linkerd
+    app.kubernetes.io/version: {{.Values.linkerdVersion}}
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  name: linkerd-proxy-injector
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{.Values.controllerReplicas}}
+  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
+  selector:
+    matchLabels:
+      linkerd.io/control-plane-component: proxy-injector
+  {{- if .Values.deploymentStrategy }}
+  strategy:
+    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  {{- end }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }}
+        {{ include "partials.annotations.created-by" . }}
+        {{- include "partials.proxy.annotations" . | nindent 8}}
+        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+        config.linkerd.io/opaque-ports: "8443"
+        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
+      labels:
+        linkerd.io/control-plane-component: proxy-injector
+        linkerd.io/control-plane-ns: {{.Release.Namespace}}
+        linkerd.io/workload-ns: {{.Release.Namespace}}
+        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
+        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+    spec:
+      {{- with .Values.runtimeClassName }}
+      runtimeClassName: {{ . | quote }}
+      {{- end }}
+      {{- if .Values.tolerations -}}
+      {{- include "linkerd.tolerations" . | nindent 6 }}
+      {{- end -}}
+      {{- include "linkerd.node-selector" . | nindent 6 }}
+      {{- $_ := set $tree "component" "proxy-injector" -}}
+      {{- include "linkerd.affinity" $tree | nindent 6 }}
+      automountServiceAccountToken: false
+      containers:
+      {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }}
+      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
+      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }}
+      {{- /*
+        The pod needs to accept webhook traffic, and we can't rely on that originating in the
+        cluster network.
+      */}}
+      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
+      {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
+      {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
+      {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
+      {{- if not $tree.Values.proxy.nativeSidecar }}
+      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{- end }}
+      - args:
+        - proxy-injector
+        - -log-level={{.Values.controllerLogLevel}}
+        - -log-format={{.Values.controllerLogFormat}}
+        - -linkerd-namespace={{.Release.Namespace}}
+        - -enable-pprof={{.Values.enablePprof | default false}}
+        {{- if or (.Values.proxyInjector).additionalEnv (.Values.proxyInjector).experimentalEnv }}
+        env:
+        {{- with (.Values.proxyInjector).additionalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        {{- with (.Values.proxyInjector).experimentalEnv }}
+        {{- toYaml . | nindent 8 -}}
+        {{- end }}
+        {{- end }}
+        image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
+        imagePullPolicy: {{.Values.imagePullPolicy}}
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: 9995
+          initialDelaySeconds: 10
+          {{- with (.Values.proxyInjector.livenessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        name: proxy-injector
+        ports:
+        - containerPort: 8443
+          name: proxy-injector
+        - containerPort: 9995
+          name: admin-http
+        readinessProbe:
+          failureThreshold: 7
+          httpGet:
+            path: /ready
+            port: 9995
+          {{- with (.Values.proxyInjector.readinessProbe).timeoutSeconds }}
+          timeoutSeconds: {{ . }}
+          {{- end }}
+        {{- if .Values.proxyInjectorResources -}}
+        {{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }}
+        {{- end }}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: {{.Values.controllerUID}}
+          {{- if ge (int .Values.controllerGID) 0 }}
+          runAsGroup: {{.Values.controllerGID}}
+          {{- end }}
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /var/run/linkerd/config
+          name: config
+        - mountPath: /var/run/linkerd/identity/trust-roots
+          name: trust-roots
+        - mountPath: /var/run/linkerd/tls
+          name: tls
+          readOnly: true
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
+      initContainers:
+      {{ if .Values.cniEnabled -}}
+      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ else -}}
+      {{- /*
+        The controller needs to connect to the Kubernetes API. There's no reason
+        to put the proxy in the way of that.
+      */}}
+      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
+      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{- if $tree.Values.proxy.nativeSidecar }}
+        {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }}
+        {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }}
+        {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }}
+      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{- if .Values.priorityClassName -}}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{ end -}}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: linkerd-proxy-injector
+      volumes:
+      - configMap:
+          name: linkerd-config
+        name: config
+      - configMap:
+          name: linkerd-identity-trust-roots
+        name: trust-roots
+      - name: tls
+        secret:
+          secretName: linkerd-proxy-injector-k8s-tls
+      - {{- include "partials.volumes.manual-mount-service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ if not .Values.cniEnabled -}}
+      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      {{if .Values.identity.serviceAccountTokenProjection -}}
+      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
+      {{ end -}}
+      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: linkerd-proxy-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+    config.linkerd.io/opaque-ports: "443"
+spec:
+  type: ClusterIP
+  selector:
+    linkerd.io/control-plane-component: proxy-injector
+  ports:
+  - name: proxy-injector
+    port: 443
+    targetPort: proxy-injector
+{{- if .Values.enablePodDisruptionBudget }}
+---
+kind: PodDisruptionBudget
+apiVersion: policy/v1
+metadata:
+  name: linkerd-proxy-injector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-component: proxy-injector
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
+  selector:
+    matchLabels:
+      linkerd.io/control-plane-component: proxy-injector
+{{- end }}

charts/buoyant/linkerd-control-plane/2024.11.3/templates/psp.yaml

@@ -0,0 +1,119 @@
+{{ if .Values.enablePSP -}}
+---
+###
+### Control Plane PSP
+###
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: linkerd-{{.Release.Namespace}}-control-plane
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default"
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+spec:
+  {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.runAsRoot }}
+  allowPrivilegeEscalation: true
+  {{- else }}
+  allowPrivilegeEscalation: false
+  {{- end }}
+  readOnlyRootFilesystem: true
+  {{- if empty .Values.cniEnabled }}
+  allowedCapabilities:
+  - NET_ADMIN
+  - NET_RAW
+  {{- end}}
+  requiredDropCapabilities:
+  - ALL
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  seLinux:
+    rule: RunAsAny
+  runAsUser:
+    {{- if .Values.cniEnabled }}
+    rule: MustRunAsNonRoot
+    {{- else }}
+    rule: RunAsAny
+    {{- end }}
+  runAsGroup:
+    {{- if .Values.cniEnabled }}
+    rule: MustRunAs
+    ranges:
+    - min: 1000
+      max: 999999
+    {{- else }}
+    rule: RunAsAny
+    {{- end }}
+  supplementalGroups:
+    rule: MustRunAs
+    ranges:
+    {{- if .Values.cniEnabled }}
+    - min: 10001
+      max: 65535
+    {{- else }}
+    - min: 1
+      max: 65535
+    {{- end }}
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+    {{- if .Values.cniEnabled }}
+    - min: 10001
+      max: 65535
+    {{- else }}
+    - min: 1
+      max: 65535
+    {{- end }}
+  volumes:
+  - configMap
+  - emptyDir
+  - secret
+  - projected
+  - downwardAPI
+  - persistentVolumeClaim
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: linkerd-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+- apiGroups: ['policy', 'extensions']
+  resources: ['podsecuritypolicies']
+  verbs: ['use']
+  resourceNames:
+  - linkerd-{{.Release.Namespace}}-control-plane
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: linkerd-psp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+  kind: Role
+  name: linkerd-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: linkerd-destination
+  namespace: {{.Release.Namespace}}
+{{ if not .Values.disableHeartBeat -}}
+- kind: ServiceAccount
+  name: linkerd-heartbeat
+  namespace: {{.Release.Namespace}}
+{{ end -}}
+- kind: ServiceAccount
+  name: linkerd-identity
+  namespace: {{.Release.Namespace}}
+- kind: ServiceAccount
+  name: linkerd-proxy-injector
+  namespace: {{.Release.Namespace}}
+{{ end -}}

charts/buoyant/linkerd-control-plane/2024.11.3/values-ha.yaml

@@ -0,0 +1,63 @@
+# This values.yaml file contains the values needed to enable HA mode.
+# Usage:
+#   helm install -f values-ha.yaml
+
+# -- Create PodDisruptionBudget resources for each control plane workload
+enablePodDisruptionBudget: true
+
+controller:
+  # -- sets pod disruption budget parameter for all deployments
+  podDisruptionBudget:
+    # -- Maximum number of pods that can be unavailable during disruption
+    maxUnavailable: 1
+
+# -- Specify a deployment strategy for each control plane workload
+deploymentStrategy:
+  rollingUpdate:
+    maxUnavailable: 1
+    maxSurge: 25%
+
+# -- add PodAntiAffinity to each control plane workload
+enablePodAntiAffinity: true
+
+# nodeAffinity:
+
+# proxy configuration
+proxy:
+  resources:
+    cpu:
+      request: 100m
+    memory:
+      limit: 250Mi
+      request: 20Mi
+
+# controller configuration
+controllerReplicas: 3
+controllerResources: &controller_resources
+  cpu: &controller_resources_cpu
+    limit: ""
+    request: 100m
+  memory:
+    limit: 250Mi
+    request: 50Mi
+destinationResources: *controller_resources
+
+# identity configuration
+identityResources:
+  cpu: *controller_resources_cpu
+  memory:
+    limit: 250Mi
+    request: 10Mi
+
+# heartbeat configuration
+heartbeatResources: *controller_resources
+
+# proxy injector configuration
+proxyInjectorResources: *controller_resources
+webhookFailurePolicy: Fail
+
+# service profile validator configuration
+spValidatorResources: *controller_resources
+
+# flag for linkerd check
+highAvailability: true

charts/buoyant/linkerd-control-plane/2024.11.3/values.yaml

@@ -0,0 +1,671 @@
+# Default values for linkerd.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# -- Kubernetes DNS Domain name to use
+clusterDomain: cluster.local
+
+# -- The cluster networks for which service discovery is performed. This should
+# include the pod and service networks, but need not include the node network.
+#
+# By default, all IPv4 private networks and all accepted IPv6 ULAs are
+# specified so that resolution works in typical Kubernetes environments.
+clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
+# -- Docker image pull policy
+imagePullPolicy: IfNotPresent
+# -- Specifies the number of old ReplicaSets to retain to allow rollback.
+revisionHistoryLimit: 10
+# -- Log level for the control plane components
+controllerLogLevel: info
+# -- Log format for the control plane components
+controllerLogFormat: plain
+# -- enables control plane tracing
+controlPlaneTracing: false
+# -- namespace to send control plane traces to
+controlPlaneTracingNamespace: linkerd-jaeger
+# -- control plane version. See Proxy section for proxy version
+linkerdVersion: edge-24.11.3
+# -- default kubernetes deployment strategy
+deploymentStrategy:
+  rollingUpdate:
+    maxUnavailable: 25%
+    maxSurge: 25%
+# -- enables the use of EndpointSlice informers for the destination service;
+# enableEndpointSlices should be set to true only if EndpointSlice K8s feature
+# gate is on
+enableEndpointSlices: true
+# -- enables pod anti affinity creation on deployments for high availability
+enablePodAntiAffinity: false
+# -- enables the use of pprof endpoints on control plane component's admin
+# servers
+enablePprof: false
+# -- enables the creation of pod disruption budgets for control plane components
+enablePodDisruptionBudget: false
+# -- disables routing IPv6 traffic in addition to IPv4 traffic through the
+# proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni
+# v1.4.0)
+disableIPv6: true
+
+controller:
+  # -- sets pod disruption budget parameter for all deployments
+  podDisruptionBudget:
+    # -- Maximum number of pods that can be unavailable during disruption
+    maxUnavailable: 1
+# -- enabling this omits the NET_ADMIN capability in the PSP
+# and the proxy-init container when injecting the proxy;
+# requires the linkerd-cni plugin to already be installed
+cniEnabled: false
+# -- Trust root certificate (ECDSA). It must be provided during install.
+identityTrustAnchorsPEM: |
+# -- Trust domain used for identity
+# @default -- clusterDomain
+identityTrustDomain: ""
+kubeAPI: &kubeapi
+  # -- Maximum QPS sent to the kube-apiserver before throttling.
+  # See [token bucket rate limiter
+  # implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go)
+  clientQPS: 100
+  # -- Burst value over clientQPS
+  clientBurst: 200
+# -- Additional annotations to add to all pods
+podAnnotations: {}
+# -- Additional labels to add to all pods
+podLabels: {}
+# -- Labels to apply to all resources
+commonLabels: {}
+# -- Kubernetes priorityClassName for the Linkerd Pods
+priorityClassName: ""
+# -- Runtime Class Name for all the pods
+runtimeClassName: ""
+
+# policy controller configuration
+policyController:
+  image:
+    # -- Docker image for the policy controller
+    name: cr.l5d.io/linkerd/policy-controller
+    # -- Pull policy for the policy controller container image
+    # @default -- imagePullPolicy
+    pullPolicy: ""
+    # -- Tag for the policy controller container image
+    # @default -- linkerdVersion
+    version: ""
+
+  # -- Log level for the policy controller
+  logLevel: info
+
+  # -- The networks from which probes are performed.
+  #
+  # By default, all networks are allowed so that all probes are authorized.
+  probeNetworks:
+    - 0.0.0.0/0
+    - "::/0"
+
+  # -- policy controller resource requests & limits
+  resources:
+    cpu:
+      # -- Maximum amount of CPU units that the policy controller can use
+      limit: ""
+      # -- Amount of CPU units that the policy controller requests
+      request: ""
+    memory:
+      # -- Maximum amount of memory that the policy controller can use
+      limit: ""
+      # -- Maximum amount of memory that the policy controller requests
+      request: ""
+    ephemeral-storage:
+      # -- Maximum amount of ephemeral storage that the policy controller can use
+      limit: ""
+      # -- Amount of ephemeral storage that the policy controller requests
+      request: ""
+
+  livenessProbe:
+    timeoutSeconds: 1
+  readinessProbe:
+    timeoutSeconds: 1
+
+# proxy configuration
+proxy:
+  # -- Enable service profiles for non-Kubernetes services
+  enableExternalProfiles: false
+  # -- Maximum time allowed for the proxy to establish an outbound TCP
+  # connection
+  outboundConnectTimeout: 1000ms
+  # -- Maximum time allowed for the proxy to establish an inbound TCP
+  # connection
+  inboundConnectTimeout: 100ms
+  # -- Maximum time allowed before an unused outbound discovery result
+  # is evicted from the cache
+  outboundDiscoveryCacheUnusedTimeout: "5s"
+  # -- Maximum time allowed before an unused inbound discovery result
+  # is evicted from the cache
+  inboundDiscoveryCacheUnusedTimeout: "90s"
+  # -- When set to true, disables the protocol detection timeout on the
+  # outbound side of the proxy by setting it to a very high value
+  disableOutboundProtocolDetectTimeout: false
+  # -- When set to true, disables the protocol detection timeout on the inbound
+  # side of the proxy by setting it to a very high value
+  disableInboundProtocolDetectTimeout: false
+  image:
+    # -- Docker image for the proxy
+    name: cr.l5d.io/linkerd/proxy
+    # -- Pull policy for the proxy container image
+    # @default -- imagePullPolicy
+    pullPolicy: ""
+    # -- Tag for the proxy container image
+    # @default -- linkerdVersion
+    version: ""
+  # -- Enables the proxy's /shutdown admin endpoint
+  enableShutdownEndpoint: false
+  # -- Log level for the proxy
+  logLevel: warn,linkerd=info,hickory=error
+  # -- Log format (`plain` or `json`) for the proxy
+  logFormat: plain
+  # -- (`off` or `insecure`) If set to `off`, will prevent the proxy from
+  # logging HTTP headers. If set to `insecure`, HTTP headers may be logged
+  # verbatim. Note that setting this to `insecure` is not alone sufficient to
+  # log HTTP headers; the proxy logLevel must also be set to debug.
+  logHTTPHeaders: "off"
+  ports:
+    # -- Admin port for the proxy container
+    admin: 4191
+    # -- Control port for the proxy container
+    control: 4190
+    # -- Inbound port for the proxy container
+    inbound: 4143
+    # -- Outbound port for the proxy container
+    outbound: 4140
+  # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores`
+  # must be an integer and should typically be set by rounding up from the
+  # limit. E.g. if cpu.limit is '1500m', cores should be 2.
+  cores: 0
+  resources:
+    cpu:
+      # -- Maximum amount of CPU units that the proxy can use
+      limit: ""
+      # -- Amount of CPU units that the proxy requests
+      request: ""
+    memory:
+      # -- Maximum amount of memory that the proxy can use
+      limit: ""
+      # -- Maximum amount of memory that the proxy requests
+      request: ""
+    ephemeral-storage:
+      # -- Maximum amount of ephemeral storage that the proxy can use
+      limit: ""
+      # -- Amount of ephemeral storage that the proxy requests
+      request: ""
+  # -- User id under which the proxy runs
+  uid: 2102
+  # -- (int) Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0)
+  gid: -1
+
+  # -- If set the injected proxy sidecars in the data plane will stay alive for
+  # at least the given period before receiving the SIGTERM signal from
+  # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`.
+  # See [Lifecycle
+  # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks)
+  # for more info on container lifecycle hooks.
+  waitBeforeExitSeconds: 0
+  # -- If set, the application container will not start until the proxy is
+  # ready
+  await: true
+  requireIdentityOnInboundPorts: ""
+  # -- Default set of opaque ports
+  # - SMTP (25,587) server-first
+  # - MYSQL (3306) server-first
+  # - Galera (4444) server-first
+  # - PostgreSQL (5432) server-first
+  # - Redis (6379) server-first
+  # - ElasticSearch (9300) server-first
+  # - Memcached (11211) clients do not issue any preamble, which breaks detection
+  opaquePorts: "25,587,3306,4444,5432,6379,9300,11211"
+  # -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.
+  shutdownGracePeriod: ""
+  # -- The default allow policy to use when no `Server` selects a pod.  One of: "all-authenticated",
+  # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit"
+  # @default -- "all-unauthenticated"
+  defaultInboundPolicy: "all-unauthenticated"
+  # -- Enable KEP-753 native sidecars
+  # This is an experimental feature. It requires Kubernetes >= 1.29.
+  # If enabled, .proxy.waitBeforeExitSeconds should not be used.
+  nativeSidecar: false
+  # -- Native sidecar proxy startup probe parameters.
+  # -- LivenessProbe timeout and delay configuration
+  livenessProbe:
+    initialDelaySeconds: 10
+    timeoutSeconds: 1
+  # -- ReadinessProbe timeout and delay configuration
+  readinessProbe:
+    initialDelaySeconds: 2
+    timeoutSeconds: 1
+  startupProbe:
+    initialDelaySeconds: 0
+    periodSeconds: 1
+    failureThreshold: 120
+  # Configures general properties of the proxy's control plane clients.
+  control:
+    # Configures limits on API response streams.
+    streams:
+      # -- The timeout for the first update from the control plane.
+      initialTimeout: "3s"
+      # -- The timeout between consecutive updates from the control plane.
+      idleTimeout: "5m"
+      # -- The maximum duration for a response stream (i.e. before it will be
+      # reinitialized).
+      lifetime: "1h"
+  inbound:
+    server:
+      http2:
+        # -- The interval at which PINGs are issued to remote HTTP/2 clients.
+        keepAliveInterval: "10s"
+        # -- The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections.
+        keepAliveTimeout: "3s"
+  outbound:
+    server:
+      http2:
+        # -- The interval at which PINGs are issued to local application HTTP/2 clients.
+        keepAliveInterval: "10s"
+        # -- The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections.
+        keepAliveTimeout: "3s"
+
+# proxy-init configuration
+proxyInit:
+  # -- Variant of iptables that will be used to configure routing. Currently,
+  # proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will
+  # control which utility binary will be called. The host must support
+  # whichever mode will be used
+  iptablesMode: "legacy"
+  # -- Default set of inbound ports to skip via iptables
+  # - Galera (4567,4568)
+  ignoreInboundPorts: "4567,4568"
+  # -- Default set of outbound ports to skip via iptables
+  # - Galera (4567,4568)
+  ignoreOutboundPorts: "4567,4568"
+  # -- Default set of ports to skip via iptables for control plane
+  # components so they can communicate with the Kubernetes API Server
+  kubeAPIServerPorts: "443,6443"
+  # -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy
+  skipSubnets: ""
+  # -- Log level for the proxy-init
+  # @default -- info
+  logLevel: ""
+  # -- Log format (`plain` or `json`) for the proxy-init
+  # @default -- plain
+  logFormat: ""
+  image:
+    # -- Docker image for the proxy-init container
+    name: cr.l5d.io/linkerd/proxy-init
+    # -- Pull policy for the proxy-init container image
+    # @default -- imagePullPolicy
+    pullPolicy: ""
+    # -- Tag for the proxy-init container image
+    version: v2.4.1
+  closeWaitTimeoutSecs: 0
+  # -- Privileged mode allows the container processes to inherit all security
+  # capabilities and bypass any security limitations enforced by the kubelet.
+  # When used with 'runAsRoot: true', the container will behave exactly as if
+  # it was running as root on the host. May escape cgroup limits and see other
+  # processes and devices on the host.
+  # @default -- false
+  privileged: false
+  # -- Allow overriding the runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>)
+  runAsRoot: false
+  # -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0
+  runAsUser: 65534
+  # -- This value is used only if runAsRoot is false; otherwise runAsGroup will be 0
+  runAsGroup: 65534
+  xtMountPath:
+    mountPath: /run
+    name: linkerd-proxy-init-xtables-lock
+
+# network validator configuration
+# This runs on a host that uses iptables to reroute network traffic. The validator
+# ensures that iptables is correctly routing requests before we start linkerd.
+networkValidator:
+  # -- Log level for the network-validator
+  # @default -- debug
+  logLevel: debug
+  # -- Log format (`plain` or `json`) for network-validator
+  # @default -- plain
+  logFormat: plain
+  # -- Address to which the network-validator will attempt to connect. This should be an IP
+  # that the cluster is expected to be able to reach but a port it should not, e.g., a public IP
+  # for public clusters and a private IP for air-gapped clusters with a port like 20001.
+  # If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively.
+  connectAddr: ""
+  # -- Address to which network-validator listens to requests from itself.
+  # If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively.
+  listenAddr: ""
+  # -- Timeout before network-validator fails to validate the pod's network connectivity
+  timeout: "10s"
+  # -- Include a securityContext in the network-validator pod spec
+  enableSecurityContext: true
+
+# -- For Private docker registries, authentication is needed.
+#  Registry secrets are applied to the respective service accounts
+imagePullSecrets: []
+# - name: my-private-docker-registry-login-secret
+
+# -- Allow proxies to perform transparent HTTP/2 upgrading
+enableH2Upgrade: true
+
+# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note
+# PSP has been deprecated since k8s v1.21
+enablePSP: false
+
+# -- Failure policy for the proxy injector
+webhookFailurePolicy: Ignore
+
+# controllerImage -- Docker image for the destination and identity components
+controllerImage: cr.l5d.io/linkerd/controller
+# -- Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage.
+controllerImageVersion: ""
+
+# -- Number of replicas for each control plane pod
+controllerReplicas: 1
+# -- User ID for the control plane components
+controllerUID: 2103
+# -- (int) Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0)
+controllerGID: -1
+
+# destination configuration
+# set resources for the sp-validator and its linkerd proxy respectively
+# see proxy.resources for details.
+# destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields)
+#destinationResources:
+# destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy injected into destination pod (see `proxy.resources` for sub-fields)
+#destinationProxyResources:
+
+destinationController:
+  meshedHttp2ClientProtobuf:
+    keep_alive:
+      interval:
+        seconds: 10
+      timeout:
+        seconds: 3
+      while_idle: true
+  livenessProbe:
+    timeoutSeconds: 1
+  readinessProbe:
+    timeoutSeconds: 1
+
+# debug configuration
+debugContainer:
+  image:
+    # -- Docker image for the debug container
+    name: cr.l5d.io/linkerd/debug
+    # -- Pull policy for the debug container image
+    # @default -- imagePullPolicy
+    pullPolicy: ""
+    # -- Tag for the debug container image
+    # @default -- linkerdVersion
+    version: ""
+
+identity:
+  # -- If the linkerd-identity-trust-roots ConfigMap has already been created
+  externalCA: false
+
+  # -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token
+  serviceAccountTokenProjection: true
+
+  issuer:
+    scheme: linkerd.io/tls
+
+    # -- Amount of time to allow for clock skew within a Linkerd cluster
+    clockSkewAllowance: 20s
+
+    # -- Amount of time for which the Identity issuer should certify identity
+    issuanceLifetime: 24h0m0s
+
+    # -- Which scheme is used for the identity issuer secret format
+    tls:
+      # -- Issuer certificate (ECDSA). It must be provided during install.
+      crtPEM: |
+
+      # -- Key for the issuer certificate (ECDSA). It must be provided during
+      # install
+      keyPEM: |
+
+  kubeAPI: *kubeapi
+
+  livenessProbe:
+    timeoutSeconds: 1
+  readinessProbe:
+    timeoutSeconds: 1
+
+# -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields)
+#identityResources:
+# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields)
+#identityProxyResources:
+
+# heartbeat configuration
+# disableHeartBeat -- Set to true to not start the heartbeat cronjob
+disableHeartBeat: false
+# -- Config for the heartbeat cronjob
+# heartbeatSchedule: "0 0 * * *"
+
+# proxy injector configuration
+proxyInjector:
+  # -- Timeout in seconds before the API Server cancels a request to the proxy
+  # injector. If timeout is exceeded, the webhookfailurePolicy is used.
+  timeoutSeconds: 10
+  # -- Do not create a secret resource for the proxyInjector webhook.
+  # If this is set to `true`, the value `proxyInjector.caBundle` must be set
+  # or the ca bundle must injected with cert-manager ca injector using
+  # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below).
+  externalSecret: false
+
+  # -- Namespace selector used by admission webhook.
+  namespaceSelector:
+    matchExpressions:
+    - key: config.linkerd.io/admission-webhooks
+      operator: NotIn
+      values:
+      - disabled
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kube-system
+      - cert-manager
+
+  # -- Object selector used by admission webhook.
+  objectSelector:
+    matchExpressions:
+    - key: linkerd.io/control-plane-component
+      operator: DoesNotExist
+    - key: linkerd.io/cni-resource
+      operator: DoesNotExist
+
+  # -- Certificate for the proxy injector. If not provided and not using an external secret
+  # then Helm will generate one.
+  crtPEM: |
+
+  # -- Certificate key for the proxy injector. If not provided and not using an external secret
+  # then Helm will generate one.
+  keyPEM: |
+
+  # -- Bundle of CA certificates for proxy injector.
+  # If not provided nor injected with cert-manager,
+  # then Helm will use the certificate generated for `proxyInjector.crtPEM`.
+  # If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or
+  # injectCaFromSecret must be set, as no certificate will be generated.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
+  caBundle: |
+
+  # -- Inject the CA bundle from a cert-manager Certificate.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
+  # for more information.
+  injectCaFrom: ""
+
+  # -- Inject the CA bundle from a Secret.
+  # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
+  # The Secret must have the CA Bundle stored in the `ca.crt` key and have
+  # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
+  # for more information.
+  injectCaFromSecret: ""
+
+  livenessProbe:
+    timeoutSeconds: 1
+  readinessProbe:
+    timeoutSeconds: 1
+
+# -|- CPU, Memory and Ephemeral Storage resources required by the proxy injector (see
+#`proxy.resources` for sub-fields)
+#proxyInjectorResources:
+#-|- CPU, Memory and Ephemeral Storage resources required by proxy injected into the proxy injector
+#pod (see `proxy.resources` for sub-fields)
+#proxyInjectorProxyResources:
+
+# service profile validator configuration
+profileValidator:
+  # -- Do not create a secret resource for the profileValidator webhook.
+  # If this is set to `true`, the value `proxyInjector.caBundle` must be set
+  # or the ca bundle must injected with cert-manager ca injector using
+  # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below).
+  externalSecret: false
+
+  # -- Namespace selector used by admission webhook
+  namespaceSelector:
+    matchExpressions:
+    - key: config.linkerd.io/admission-webhooks
+      operator: NotIn
+      values:
+      - disabled
+
+  # -- Certificate for the service profile validator. If not provided and not using an external secret
+  # then Helm will generate one.
+  crtPEM: |
+
+  # -- Certificate key for the service profile validator. If not provided and not using an external secret
+  # then Helm will generate one.
+  keyPEM: |
+
+  # -- Bundle of CA certificates for proxy injector.
+  # If not provided nor injected with cert-manager,
+  # then Helm will use the certificate generated for `profileValidator.crtPEM`.
+  # If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or
+  # injectCaFromSecret must be set, as no certificate will be generated.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
+  caBundle: |
+
+  # -- Inject the CA bundle from a cert-manager Certificate.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
+  # for more information.
+  injectCaFrom: ""
+
+  # -- Inject the CA bundle from a Secret.
+  # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
+  # The Secret must have the CA Bundle stored in the `ca.crt` key and have
+  # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
+  # for more information.
+  injectCaFromSecret: ""
+
+# policy validator configuration
+policyValidator:
+  # -- Do not create a secret resource for the policyValidator webhook.
+  # If this is set to `true`, the value `policyValidator.caBundle` must be set
+  # or the ca bundle must injected with cert-manager ca injector using
+  # `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below).
+  externalSecret: false
+
+  # -- Namespace selector used by admission webhook
+  namespaceSelector:
+    matchExpressions:
+    - key: config.linkerd.io/admission-webhooks
+      operator: NotIn
+      values:
+      - disabled
+
+  # -- Certificate for the policy validator. If not provided and not using an external secret
+  # then Helm will generate one.
+  crtPEM: |
+
+  # -- Certificate key for the policy validator. If not provided and not using an external secret
+  # then Helm will generate one.
+  keyPEM: |
+
+  # -- Bundle of CA certificates for proxy injector.
+  # If not provided nor injected with cert-manager,
+  # then Helm will use the certificate generated for `policyValidator.crtPEM`.
+  # If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or
+  # injectCaFromSecret must be set, as no certificate will be generated.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
+  caBundle: |
+
+  # -- Inject the CA bundle from a cert-manager Certificate.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
+  # for more information.
+  injectCaFrom: ""
+
+  # -- Inject the CA bundle from a Secret.
+  # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
+  # The Secret must have the CA Bundle stored in the `ca.crt` key and have
+  # the `cert-manager.io/allow-direct-injection` annotation set to `true`.
+  # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
+  # for more information.
+  injectCaFromSecret: ""
+
+# -- NodeSelector section, See the [K8S
+# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
+# for more information
+nodeSelector:
+  kubernetes.io/os: linux
+
+# -- SP validator configuration
+spValidator:
+  livenessProbe:
+    timeoutSeconds: 1
+  readinessProbe:
+    timeoutSeconds: 1
+
+# -|- CPU, Memory and Ephemeral Storage resources required by the SP validator (see
+#`proxy.resources` for sub-fields)
+#spValidatorResources:
+
+# -|- Tolerations section, See the
+# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
+# for more information
+#tolerations:
+
+# -|- NodeAffinity section, See the
+# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
+# for more information
+#nodeAffinity:
+
+# -- url of external prometheus instance (used for the heartbeat)
+prometheusUrl: ""
+
+# Prometheus Operator PodMonitor configuration
+podMonitor:
+  # -- Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor)
+  enabled: false
+  # -- Interval at which metrics should be scraped
+  scrapeInterval: 10s
+  # -- Iimeout after which the scrape is ended
+  scrapeTimeout: 10s
+  # -- Labels to apply to all pod Monitors
+  labels: {}
+  controller:
+    # -- Enables the creation of PodMonitor for the control-plane
+    enabled: true
+    # -- Selector to select which namespaces the Endpoints objects are discovered from
+    namespaceSelector: |
+      matchNames:
+        - {{ .Release.Namespace }}
+        - linkerd-viz
+        - linkerd-jaeger
+  serviceMirror:
+    # -- Enables the creation of PodMonitor for the Service Mirror component
+    enabled: true
+  proxy:
+    # -- Enables the creation of PodMonitor for the data-plane
+    enabled: true
+
+
+# Egress related configuration
+egress:
+  # -- The namespace that is used to store egress configuration that affects all client workloads in the cluster
+  globalEgressNetworkNamespace: linkerd-egress
+  

charts/buoyant/linkerd-crds/2024.11.3/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+OWNERS
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/buoyant/linkerd-crds/2024.11.3/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: partials
+  repository: file://../partials
+  version: 0.1.0
+digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba
+generated: "2021-08-17T10:42:52.610449255-05:00"

charts/buoyant/linkerd-crds/2024.11.3/Chart.yaml

@@ -0,0 +1,26 @@
+annotations:
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Linkerd CRDs
+  catalog.cattle.io/kube-version: '>=1.22.0-0'
+  catalog.cattle.io/release-name: linkerd-crds
+apiVersion: v2
+dependencies:
+- name: partials
+  repository: file://../partials
+  version: 0.1.0
+description: 'Linkerd gives you observability, reliability, and security for your
+  microservices — with no code change required. '
+home: https://linkerd.io
+icon: file://assets/icons/linkerd-crds.png
+keywords:
+- service-mesh
+kubeVersion: '>=1.22.0-0'
+maintainers:
+- email: cncf-linkerd-dev@lists.cncf.io
+  name: Linkerd authors
+  url: https://linkerd.io/
+name: linkerd-crds
+sources:
+- https://github.com/linkerd/linkerd2/
+type: application
+version: 2024.11.3

charts/buoyant/linkerd-crds/2024.11.3/README.md

@@ -0,0 +1,73 @@
+# linkerd-crds
+
+Linkerd gives you observability, reliability, and security
+for your microservices — with no code change required.
+
+![Version: 2024.11.3](https://img.shields.io/badge/Version-2024.11.3-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+**Homepage:** <https://linkerd.io>
+
+## Quickstart and documentation
+
+You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the
+[Linkerd Getting Started Guide][getting-started] for how.
+
+For more comprehensive documentation, start with the [Linkerd
+docs][linkerd-docs].
+
+## Adding Linkerd's Helm repository
+
+```bash
+# To add the repo for Linkerd edge releases:
+helm repo add linkerd https://helm.linkerd.io/edge
+```
+
+## Installing the linkerd-crds chart
+
+This installs the `linkerd-crds` chart, which only persists the CRDs that
+Linkerd requires.
+
+After installing this chart, you need then to install the
+`linkerd-control-plane` chart in the same namespace, which provides all the
+linkerd core control components.
+
+```bash
+helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
+```
+
+## Get involved
+
+* Check out Linkerd's source code at [GitHub][linkerd2].
+* Join Linkerd's [user mailing list][linkerd-users], [developer mailing
+  list][linkerd-dev], and [announcements mailing list][linkerd-announce].
+* Follow [@linkerd][twitter] on Twitter.
+* Join the [Linkerd Slack][slack].
+
+[getting-started]: https://linkerd.io/2/getting-started/
+[linkerd2]: https://github.com/linkerd/linkerd2
+[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce
+[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev
+[linkerd-docs]: https://linkerd.io/2/overview/
+[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users
+[slack]: http://slack.linkerd.io
+[twitter]: https://twitter.com/linkerd
+
+## Requirements
+
+Kubernetes: `>=1.22.0-0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| file://../partials | partials | 0.1.0 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| enableHttpRoutes | bool | `true` |  |
+| enableTcpRoutes | bool | `true` |  |
+| enableTlsRoutes | bool | `true` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/buoyant/linkerd-crds/2024.11.3/README.md.gotmpl

@@ -0,0 +1,59 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}
+{{ template "chart.typeBadge" . }}
+{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.homepageLine" . }}
+
+## Quickstart and documentation
+
+You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the
+[Linkerd Getting Started Guide][getting-started] for how.
+
+For more comprehensive documentation, start with the [Linkerd
+docs][linkerd-docs].
+
+## Adding Linkerd's Helm repository
+
+```bash
+# To add the repo for Linkerd edge releases:
+helm repo add linkerd https://helm.linkerd.io/edge
+```
+
+## Installing the linkerd-crds chart
+
+This installs the `linkerd-crds` chart, which only persists the CRDs that
+Linkerd requires.
+
+After installing this chart, you need then to install the
+`linkerd-control-plane` chart in the same namespace, which provides all the
+linkerd core control components.
+
+```bash
+helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds
+```
+
+## Get involved
+
+* Check out Linkerd's source code at [GitHub][linkerd2].
+* Join Linkerd's [user mailing list][linkerd-users], [developer mailing
+  list][linkerd-dev], and [announcements mailing list][linkerd-announce].
+* Follow [@linkerd][twitter] on Twitter.
+* Join the [Linkerd Slack][slack].
+
+[getting-started]: https://linkerd.io/2/getting-started/
+[linkerd2]: https://github.com/linkerd/linkerd2
+[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce
+[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev
+[linkerd-docs]: https://linkerd.io/2/overview/
+[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users
+[slack]: http://slack.linkerd.io
+[twitter]: https://twitter.com/linkerd
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

charts/buoyant/linkerd-crds/2024.11.3/app-readme.md

@@ -0,0 +1,9 @@
+# Linkerd 2 CRDs Chart
+
+Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd
+adds security, observability, and reliability to Kubernetes, without the
+complexity.
+
+This particular Helm chart only installs Linkerd CRDs.
+
+Full documentation available at: https://linkerd.io/2/overview/

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd''
+  and ''patch'' charts. '
+name: partials
+version: 0.1.0

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/README.md

@@ -0,0 +1,9 @@
+# partials
+
+A Helm chart containing Linkerd partial templates,
+depended by the 'linkerd' and 'patch' charts.
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square)
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/README.md.gotmpl

@@ -0,0 +1,14 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}
+{{ template "chart.typeBadge" . }}
+{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_affinity.tpl

@@ -0,0 +1,38 @@
+{{ define "linkerd.pod-affinity" -}}
+podAntiAffinity:
+  preferredDuringSchedulingIgnoredDuringExecution:
+  - podAffinityTerm:
+      labelSelector:
+        matchExpressions:
+        - key: {{ default "linkerd.io/control-plane-component" .label }}
+          operator: In
+          values:
+          - {{ .component }}
+      topologyKey: topology.kubernetes.io/zone
+    weight: 100
+  requiredDuringSchedulingIgnoredDuringExecution:
+  - labelSelector:
+      matchExpressions:
+      - key: {{ default "linkerd.io/control-plane-component" .label }}
+        operator: In
+        values:
+        - {{ .component }}
+    topologyKey: kubernetes.io/hostname
+{{- end }}
+
+{{ define "linkerd.node-affinity" -}}
+nodeAffinity:
+{{- toYaml .Values.nodeAffinity | trim | nindent 2 }}
+{{- end }}
+
+{{ define "linkerd.affinity" -}}
+{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}}
+affinity:
+{{- end }}
+{{- if .Values.enablePodAntiAffinity -}}
+{{- include "linkerd.pod-affinity" . | nindent 2 }}
+{{- end }}
+{{- if .Values.nodeAffinity -}}
+{{- include "linkerd.node-affinity" . | nindent 2 }}
+{{- end }}
+{{- end }}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_capabilities.tpl

@@ -0,0 +1,16 @@
+{{- define "partials.proxy.capabilities" -}}
+capabilities:
+  {{- if .Values.proxy.capabilities.add }}
+  add:
+  {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }}
+  {{- end }}
+  {{- if .Values.proxy.capabilities.drop }}
+  drop:
+  {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }}
+  {{- end }}
+{{- end -}}
+
+{{- define "partials.proxy-init.capabilities.drop" -}}
+drop:
+{{ toYaml .Values.proxyInit.capabilities.drop | trim }}
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_debug.tpl

@@ -0,0 +1,15 @@
+{{- define "partials.debug" -}}
+image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}}
+imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}}
+name: linkerd-debug
+terminationMessagePolicy: FallbackToLogsOnError
+# some environments require probes, so we provide some infallible ones
+livenessProbe:
+    exec:
+      command:
+      - "true"
+readinessProbe:
+    exec:
+      command:
+      - "true"
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Splits a coma separated list into a list of string values.
+For example "11,22,55,44" will become "11","22","55","44"
+*/}}
+{{- define "partials.splitStringList" -}}
+{{- if gt (len (toString .)) 0 -}}
+{{- $ports := toString . | splitList "," -}}
+{{- $last := sub (len $ports) 1 -}}
+{{- range $i,$port := $ports -}}
+"{{$port}}"{{ternary "," "" (ne $i $last)}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_metadata.tpl

@@ -0,0 +1,17 @@
+{{- define "partials.annotations.created-by" -}}
+linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }}
+{{- end -}}
+
+{{- define "partials.proxy.annotations" -}}
+linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}}
+cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }}
+{{- end -}}
+
+{{/*
+To add labels to the control-plane components, instead update at individual component manifests as
+adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades.
+*/}}
+{{- define "partials.proxy.labels" -}}
+linkerd.io/proxy-{{.workloadKind}}: {{.component}}
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_network-validator.tpl

@@ -0,0 +1,45 @@
+{{- define "partials.network-validator" -}}
+name: linkerd-network-validator
+image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }}
+imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
+{{ include "partials.resources" .Values.proxy.resources }}
+{{- if or .Values.networkValidator.enableSecurityContext }}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsGroup: 65534
+  runAsNonRoot: true
+  runAsUser: 65534
+  seccompProfile:
+    type: RuntimeDefault
+{{- end }}
+command:
+  - /usr/lib/linkerd/linkerd2-network-validator
+args:
+  - --log-format
+  - {{ .Values.networkValidator.logFormat }}
+  - --log-level
+  - {{ .Values.networkValidator.logLevel }}
+  - --connect-addr
+    {{- if .Values.networkValidator.connectAddr }}
+  - {{ .Values.networkValidator.connectAddr | quote }}
+    {{- else if .Values.disableIPv6}}
+  - "1.1.1.1:20001"
+    {{- else }}
+  - "[fd00::1]:20001"
+    {{- end }}
+  - --listen-addr
+    {{- if .Values.networkValidator.listenAddr }}
+  - {{ .Values.networkValidator.listenAddr | quote }}
+    {{- else if .Values.disableIPv6}}
+  - "0.0.0.0:4140"
+    {{- else }}
+  - "[::]:4140"
+    {{- end }}
+  - --timeout
+  - {{ .Values.networkValidator.timeout }}
+
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_nodeselector.tpl

@@ -0,0 +1,4 @@
+{{- define "linkerd.node-selector" -}}
+nodeSelector:
+{{- toYaml .Values.nodeSelector | trim | nindent 2 }}
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_proxy-config-ann.tpl

@@ -0,0 +1,18 @@
+{{- define "partials.proxy.config.annotations" -}}
+{{- with .cpu }}
+{{- with .request -}}
+config.linkerd.io/proxy-cpu-request: {{. | quote}}
+{{end}}
+{{- with .limit -}}
+config.linkerd.io/proxy-cpu-limit: {{. | quote}}
+{{- end}}
+{{- end}}
+{{- with .memory }}
+{{- with .request }}
+config.linkerd.io/proxy-memory-request: {{. | quote}}
+{{end}}
+{{- with .limit -}}
+config.linkerd.io/proxy-memory-limit: {{. | quote}}
+{{- end}}
+{{- end }}
+{{- end }}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_proxy-init.tpl

@@ -0,0 +1,98 @@
+{{- define "partials.proxy-init" -}}
+args:
+{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }}
+- --firewall-bin-path
+- "iptables-nft"
+- --firewall-save-bin-path
+- "iptables-nft-save"
+{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }}
+{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }}
+{{end -}}
+{{- if .Values.disableIPv6 }}
+- --ipv6=false
+{{- end }}
+- --incoming-proxy-port
+- {{.Values.proxy.ports.inbound | quote}}
+- --outgoing-proxy-port
+- {{.Values.proxy.ports.outbound | quote}}
+- --proxy-uid
+- {{.Values.proxy.uid | quote}}
+{{- if ge (int .Values.proxy.gid) 0 }}
+- --proxy-gid
+- {{.Values.proxy.gid | quote}}
+{{- end }}
+- --inbound-ports-to-ignore
+- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}"
+{{- if .Values.proxyInit.ignoreOutboundPorts }}
+- --outbound-ports-to-ignore
+- {{.Values.proxyInit.ignoreOutboundPorts | quote}}
+{{- end }}
+{{- if .Values.proxyInit.closeWaitTimeoutSecs }}
+- --timeout-close-wait-secs
+- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}}
+{{- end }}
+{{- if .Values.proxyInit.logFormat }}
+- --log-format
+- {{ .Values.proxyInit.logFormat }}
+{{- end }}
+{{- if .Values.proxyInit.logLevel }}
+- --log-level
+- {{ .Values.proxyInit.logLevel }}
+{{- end }}
+{{- if .Values.proxyInit.skipSubnets }}
+- --subnets-to-ignore
+- {{ .Values.proxyInit.skipSubnets | quote }}
+{{- end }}
+image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}}
+imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}}
+name: linkerd-init
+{{ include "partials.resources" .Values.proxy.resources }}
+securityContext:
+  {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }}
+  allowPrivilegeEscalation: true
+  {{- else }}
+  allowPrivilegeEscalation: false
+  {{- end }}
+  capabilities:
+    add:
+    - NET_ADMIN
+    - NET_RAW
+    {{- if .Values.proxyInit.capabilities -}}
+    {{- if .Values.proxyInit.capabilities.add }}
+    {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }}
+    {{- end }}
+    {{- if .Values.proxyInit.capabilities.drop -}}
+    {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}}
+    {{- end }}
+    {{- end }}
+  {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }}
+  privileged: true
+  {{- else }}
+  privileged: false
+  {{- end }}
+  {{- if .Values.proxyInit.runAsRoot }}
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
+  {{- else }}
+  runAsNonRoot: true
+  runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }}
+  runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }}
+  {{- end }}
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: RuntimeDefault
+terminationMessagePolicy: FallbackToLogsOnError
+{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }}
+volumeMounts:
+{{- end -}}
+{{- if not .Values.cniEnabled }}
+- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}}
+  name: {{.Values.proxyInit.xtMountPath.name}}
+{{- end -}}
+{{- if .Values.proxyInit.saMountPath }}
+- mountPath: {{.Values.proxyInit.saMountPath.mountPath}}
+  name: {{.Values.proxyInit.saMountPath.name}}
+  readOnly: {{.Values.proxyInit.saMountPath.readOnly}}
+{{- end -}}
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_proxy.tpl

@@ -0,0 +1,271 @@
+{{ define "partials.proxy" -}}
+{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }}
+{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }}
+{{- end }}
+{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }}
+{{- fail "logHTTPHeaders must be one of: insecure | off" }}
+{{- end }}
+{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}}
+env:
+- name: _pod_name
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+- name: _pod_ns
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.namespace
+- name: _pod_nodeName
+  valueFrom:
+    fieldRef:
+      fieldPath: spec.nodeName
+{{- if .Values.proxy.cores }}
+- name: LINKERD2_PROXY_CORES
+  value: {{.Values.proxy.cores | quote}}
+{{- end }}
+{{ if .Values.proxy.requireIdentityOnInboundPorts -}}
+- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY
+  value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}}
+{{ end -}}
+{{ if .Values.proxy.requireTLSOnInboundPorts -}}
+- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
+  value: {{.Values.proxy.requireTLSOnInboundPorts | quote}}
+{{ end -}}
+- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED
+  value: {{.Values.proxy.enableShutdownEndpoint | quote}}
+- name: LINKERD2_PROXY_LOG
+  value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}"
+- name: LINKERD2_PROXY_LOG_FORMAT
+  value: {{.Values.proxy.logFormat | quote}}
+- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
+  value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}}
+- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
+  value: {{.Values.clusterNetworks | quote}}
+- name: LINKERD2_PROXY_POLICY_SVC_ADDR
+  value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}}
+- name: LINKERD2_PROXY_POLICY_WORKLOAD
+  value: |
+    {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
+- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
+  value: {{.Values.proxy.defaultInboundPolicy}}
+- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
+  value: {{.Values.clusterNetworks | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
+  value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
+  value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}}
+- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
+  value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}}
+{{ if .Values.proxy.inboundConnectTimeout -}}
+- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
+  value: {{.Values.proxy.inboundConnectTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.outboundConnectTimeout -}}
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
+  value: {{.Values.proxy.outboundConnectTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}}
+- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
+  value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}}
+- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
+  value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}}
+{{ end -}}
+{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}}
+- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT
+  value: "365d"
+{{ end -}}
+{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}}
+- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT
+  value: "365d"
+{{ end -}}
+- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
+  value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}"
+- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
+  value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}"
+{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}}
+- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
+  value: "127.0.0.1:{{.Values.proxy.ports.outbound}}"
+- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
+  value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}"
+- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
+  value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}"
+- name: LINKERD2_PROXY_INBOUND_IPS
+  valueFrom:
+    fieldRef:
+      fieldPath: status.podIPs
+- name: LINKERD2_PROXY_INBOUND_PORTS
+  value: {{ .Values.proxy.podInboundPorts | quote }}
+{{ if .Values.proxy.isGateway -}}
+- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES
+  value: {{printf "svc.%s." .Values.clusterDomain}}
+{{ end -}}
+{{ if .Values.proxy.isIngress -}}
+- name: LINKERD2_PROXY_INGRESS_MODE
+  value: "true"
+{{ end -}}
+- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
+  {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }}
+  value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}}
+- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
+  value: 10000ms
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
+  value: 10000ms
+- name: LINKERD2_PROXY_INBOUND_ACCEPT_USER_TIMEOUT
+  value: 30s
+- name: LINKERD2_PROXY_OUTBOUND_CONNECT_USER_TIMEOUT
+  value: 30s
+{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}}
+{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}}
+{{   range $scopeK, $scopeV := $proxyV -}}
+{{     range $protoK, $protoV := $scopeV -}}
+{{       range $paramK, $paramV := $protoV -}}
+- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}}
+  value: {{ quote $paramV }}
+{{       end -}}
+{{     end -}}
+{{   end -}}
+{{ end -}}
+{{ if .Values.proxy.opaquePorts -}}
+- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
+  value: {{.Values.proxy.opaquePorts | quote}}
+{{ end -}}
+- name: LINKERD2_PROXY_DESTINATION_CONTEXT
+  value: |
+    {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
+- name: _pod_sa
+  valueFrom:
+    fieldRef:
+      fieldPath: spec.serviceAccountName
+- name: _l5d_ns
+  value: {{.Release.Namespace}}
+- name: _l5d_trustdomain
+  value: {{$trustDomain}}
+- name: LINKERD2_PROXY_IDENTITY_DIR
+  value: /var/run/linkerd/identity/end-entity
+- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
+{{- /*
+Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain
+the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not
+be used in other contexts.
+*/}}
+{{- if .Values.proxy.loadTrustBundleFromConfigMap }}
+  valueFrom:
+    configMapKeyRef:
+      name: linkerd-identity-trust-roots
+      key: ca-bundle.crt
+{{ else }}
+  value: |
+    {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }}
+{{ end -}}
+- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
+{{- if .Values.identity.serviceAccountTokenProjection }}
+  value: /var/run/secrets/tokens/linkerd-identity-token
+{{ else }}
+  value: /var/run/secrets/kubernetes.io/serviceaccount/token
+{{ end -}}
+- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
+  value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}}
+- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
+  value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
+  value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
+  value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+- name: LINKERD2_PROXY_POLICY_SVC_NAME
+  value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}}
+{{ if .Values.proxy.accessLog -}}
+- name: LINKERD2_PROXY_ACCESS_LOG
+  value: {{.Values.proxy.accessLog | quote}}
+{{ end -}}
+{{ if .Values.proxy.shutdownGracePeriod -}}
+- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD
+  value: {{.Values.proxy.shutdownGracePeriod | quote}}
+{{ end -}}
+{{ if .Values.proxy.additionalEnv -}}
+{{ toYaml .Values.proxy.additionalEnv }}
+{{ end -}}
+{{ if .Values.proxy.experimentalEnv -}}
+{{ toYaml .Values.proxy.experimentalEnv }}
+{{ end -}}
+image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}}
+imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
+livenessProbe:
+  httpGet:
+    path: /live
+    port: {{.Values.proxy.ports.admin}}
+  initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }}
+  timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }}
+name: linkerd-proxy
+ports:
+- containerPort: {{.Values.proxy.ports.inbound}}
+  name: linkerd-proxy
+- containerPort: {{.Values.proxy.ports.admin}}
+  name: linkerd-admin
+readinessProbe:
+  httpGet:
+    path: /ready
+    port: {{.Values.proxy.ports.admin}}
+  initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }}
+  timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }}
+{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }}
+startupProbe:
+  httpGet:
+    path: /ready
+    port: {{.Values.proxy.ports.admin}}
+  initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}}
+  periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}}
+  failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}}
+{{- end }}
+{{- if .Values.proxy.resources }}
+{{ include "partials.resources" .Values.proxy.resources }}
+{{- end }}
+securityContext:
+  allowPrivilegeEscalation: false
+  {{- if .Values.proxy.capabilities -}}
+  {{- include "partials.proxy.capabilities" . | nindent 2 -}}
+  {{- end }}
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: {{.Values.proxy.uid}}
+{{- if ge (int .Values.proxy.gid) 0 }}
+  runAsGroup: {{.Values.proxy.gid}}
+{{- end }}
+  seccompProfile:
+    type: RuntimeDefault
+terminationMessagePolicy: FallbackToLogsOnError
+{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }}
+lifecycle:
+{{- if .Values.proxy.await }}
+  postStart:
+    exec:
+      command:
+        - /usr/lib/linkerd/linkerd-await
+        - --timeout=2m
+        - --port={{.Values.proxy.ports.admin}}
+{{- end }}
+{{- if .Values.proxy.waitBeforeExitSeconds }}
+  preStop:
+    exec:
+      command:
+        - /bin/sleep
+        - {{.Values.proxy.waitBeforeExitSeconds | quote}}
+{{- end }}
+{{- end }}
+volumeMounts:
+- mountPath: /var/run/linkerd/identity/end-entity
+  name: linkerd-identity-end-entity
+{{- if .Values.identity.serviceAccountTokenProjection }}
+- mountPath: /var/run/secrets/tokens
+  name: linkerd-identity-token
+{{- end }}
+{{- if .Values.proxy.saMountPath }}
+- mountPath: {{.Values.proxy.saMountPath.mountPath}}
+  name: {{.Values.proxy.saMountPath.name}}
+  readOnly: {{.Values.proxy.saMountPath.readOnly}}
+{{- end -}}
+{{- if .Values.proxy.nativeSidecar }}
+restartPolicy: Always
+{{- end -}}
+{{- end }}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_pull-secrets.tpl

@@ -0,0 +1,6 @@
+{{- define "partials.image-pull-secrets"}}
+{{- if . }}
+imagePullSecrets:
+{{ toYaml . | indent 2 }}
+{{- end }}
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_resources.tpl

@@ -0,0 +1,28 @@
+{{- define "partials.resources" -}}
+{{- $ephemeralStorage := index . "ephemeral-storage" -}}
+resources:
+  {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }}
+  limits:
+    {{- with (.cpu).limit }}
+    cpu: {{. | quote}}
+    {{- end }}
+    {{- with (.memory).limit }}
+    memory: {{. | quote}}
+    {{- end }}
+    {{- with ($ephemeralStorage).limit }}
+    ephemeral-storage: {{. | quote}}
+    {{- end }}
+  {{- end }}
+  {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }}
+  requests:
+    {{- with (.cpu).request }}
+    cpu: {{. | quote}}
+    {{- end }}
+    {{- with (.memory).request }}
+    memory: {{. | quote}}
+    {{- end }}
+    {{- with ($ephemeralStorage).request }}
+    ephemeral-storage: {{. | quote}}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_tolerations.tpl

@@ -0,0 +1,4 @@
+{{- define "linkerd.tolerations" -}}
+tolerations:
+{{ toYaml .Values.tolerations | trim | indent 2 }}
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_trace.tpl

@@ -0,0 +1,5 @@
+{{ define "partials.linkerd.trace" -}}
+{{ if .Values.controlPlaneTracing -}}
+- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678
+{{ end -}}
+{{- end }}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_validate.tpl

@@ -0,0 +1,19 @@
+{{- define "linkerd.webhook.validation" -}}
+
+{{- if and (.injectCaFrom) (.injectCaFromSecret) -}}
+{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}}
+{{- end -}}
+
+{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}}
+{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}}
+{{- end -}}
+
+{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}}
+{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}}
+{{- end }}
+
+{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}}
+{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}}
+{{- end -}}
+
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/charts/partials/templates/_volumes.tpl

@@ -0,0 +1,41 @@
+{{ define "partials.proxy.volumes.identity" -}}
+emptyDir:
+  medium: Memory
+name: linkerd-identity-end-entity
+{{- end -}}
+
+{{ define "partials.proxyInit.volumes.xtables" -}}
+emptyDir: {}
+name: {{ .Values.proxyInit.xtMountPath.name }}
+{{- end -}}
+
+{{- define "partials.proxy.volumes.service-account-token" -}}
+name: linkerd-identity-token
+projected:
+  sources:
+  - serviceAccountToken:
+      path: linkerd-identity-token
+      expirationSeconds: 86400 {{- /* # 24 hours */}}
+      audience: identity.l5d.io
+{{- end -}}
+
+{{- define "partials.volumes.manual-mount-service-account-token" -}}
+name: kube-api-access
+projected:
+  defaultMode: 420
+  sources:
+  - serviceAccountToken:
+      expirationSeconds: 3607
+      path: token
+  - configMap:
+      items:
+      - key: ca.crt
+        path: ca.crt
+      name: kube-root-ca.crt
+  - downwardAPI:
+      items:
+      - fieldRef:
+          apiVersion: v1
+          fieldPath: metadata.namespace
+        path: namespace
+{{- end -}}

charts/buoyant/linkerd-crds/2024.11.3/templates/NOTES.txt

@@ -0,0 +1,6 @@
+The linkerd-crds chart was successfully installed 🎉
+
+To complete the linkerd core installation, please now proceed to install the
+linkerd-control-plane chart in the {{ .Release.Namespace }} namespace.
+
+Looking for more? Visit https://linkerd.io/2/getting-started/

charts/buoyant/linkerd-crds/2024.11.3/templates/gateway.networking.k8s.io_tcproutes.yaml

@@ -0,0 +1,533 @@
+{{- if .Values.enableTcpRoutes }}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923
+    gateway.networking.k8s.io/bundle-version: v0.7.1
+    gateway.networking.k8s.io/channel: experimental
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+  creationTimestamp: null
+  name: tcproutes.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: TCPRoute
+    listKind: TCPRouteList
+    plural: tcproutes
+    singular: tcproute
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: TCPRoute provides a way to route TCP requests. When combined
+          with a Gateway listener, it can be used to forward connections on the port
+          specified by the listener to a set of backends specified by the TCPRoute.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of TCPRoute.
+            properties:
+              parentRefs:
+                description: "ParentRefs references the resources (usually Gateways)
+                  that a Route wants to be attached to. Note that the referenced parent
+                  resource needs to allow this for the attachment to be complete.
+                  For Gateways, that means the Gateway needs to allow attachment from
+                  Routes of this kind and namespace. \n The only kind of parent resource
+                  with \"Core\" support is Gateway. This API may be extended in the
+                  future to support additional kinds of parent resources such as one
+                  of the route kinds. \n It is invalid to reference an identical parent
+                  more than once. It is valid to reference multiple distinct sections
+                  within the same parent resource, such as 2 Listeners within a Gateway.
+                  \n It is possible to separately reference multiple distinct objects
+                  that may be collapsed by an implementation. For example, some implementations
+                  may choose to merge compatible Gateway Listeners together. If that
+                  is the case, the list of routes attached to those resources should
+                  also be merged. \n Note that for ParentRefs that cross namespace
+                  boundaries, there are specific rules. Cross-namespace references
+                  are only valid if they are explicitly allowed by something in the
+                  namespace they are referring to. For example, Gateway has the AllowedRoutes
+                  field, and ReferenceGrant provides a generic way to enable any other
+                  kind of cross-namespace reference."
+                items:
+                  description: "ParentReference identifies an API object (usually
+                    a Gateway) that can be considered a parent of this resource (usually
+                    a route). The only kind of parent resource with \"Core\" support
+                    is Gateway. This API may be extended in the future to support
+                    additional kinds of parent resources, such as HTTPRoute. \n The
+                    API object must be valid in the cluster; the Group and Kind must
+                    be registered in the cluster for this reference to be valid."
+                  properties:
+                    group:
+                      default: gateway.networking.k8s.io
+                      description: "Group is the group of the referent. When unspecified,
+                        \"gateway.networking.k8s.io\" is inferred. To set the core
+                        API group (such as for a \"Service\" kind referent), Group
+                        must be explicitly set to \"\" (empty string). \n Support:
+                        Core"
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Gateway
+                      description: "Kind is kind of the referent. \n Support: Core
+                        (Gateway) \n Support: Implementation-specific (Other Resources)"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: "Name is the name of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: "Namespace is the namespace of the referent. When
+                        unspecified, this refers to the local namespace of the Route.
+                        \n Note that there are specific rules for ParentRefs which
+                        cross namespace boundaries. Cross-namespace references are
+                        only valid if they are explicitly allowed by something in
+                        the namespace they are referring to. For example: Gateway
+                        has the AllowedRoutes field, and ReferenceGrant provides a
+                        generic way to enable any other kind of cross-namespace reference.
+                        \n Support: Core"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                    port:
+                      description: "Port is the network port this Route targets. It
+                        can be interpreted differently based on the type of parent
+                        resource. \n When the parent resource is a Gateway, this targets
+                        all listeners listening on the specified port that also support
+                        this kind of Route(and select this Route). It's not recommended
+                        to set `Port` unless the networking behaviors specified in
+                        a Route must apply to a specific port as opposed to a listener(s)
+                        whose port(s) may be changed. When both Port and SectionName
+                        are specified, the name and port of the selected listener
+                        must match both specified values. \n Implementations MAY choose
+                        to support other parent resources. Implementations supporting
+                        other types of parent resources MUST clearly document how/if
+                        Port is interpreted. \n For the purpose of status, an attachment
+                        is considered successful as long as the parent resource accepts
+                        it partially. For example, Gateway listeners can restrict
+                        which Routes can attach to them by Route kind, namespace,
+                        or hostname. If 1 of 2 Gateway listeners accept attachment
+                        from the referencing Route, the Route MUST be considered successfully
+                        attached. If no Gateway listeners accept attachment from this
+                        Route, the Route MUST be considered detached from the Gateway.
+                        \n Support: Extended \n <gateway:experimental>"
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    sectionName:
+                      description: "SectionName is the name of a section within the
+                        target resource. In the following resources, SectionName is
+                        interpreted as the following: \n * Gateway: Listener Name.
+                        When both Port (experimental) and SectionName are specified,
+                        the name and port of the selected listener must match both
+                        specified values. \n Implementations MAY choose to support
+                        attaching Routes to other resources. If that is the case,
+                        they MUST clearly document how SectionName is interpreted.
+                        \n When unspecified (empty string), this will reference the
+                        entire resource. For the purpose of status, an attachment
+                        is considered successful if at least one section in the parent
+                        resource accepts it. For example, Gateway listeners can restrict
+                        which Routes can attach to them by Route kind, namespace,
+                        or hostname. If 1 of 2 Gateway listeners accept attachment
+                        from the referencing Route, the Route MUST be considered successfully
+                        attached. If no Gateway listeners accept attachment from this
+                        Route, the Route MUST be considered detached from the Gateway.
+                        \n Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 32
+                type: array
+              rules:
+                description: Rules are a list of TCP matchers and actions.
+                items:
+                  description: TCPRouteRule is the configuration for a given rule.
+                  properties:
+                    backendRefs:
+                      description: "BackendRefs defines the backend(s) where matching
+                        requests should be sent. If unspecified or invalid (refers
+                        to a non-existent resource or a Service with no endpoints),
+                        the underlying implementation MUST actively reject connection
+                        attempts to this backend. Connection rejections must respect
+                        weight; if an invalid backend is requested to have 80% of
+                        connections, then 80% of connections must be rejected instead.
+                        \n Support: Core for Kubernetes Service \n Support: Extended
+                        for Kubernetes ServiceImport \n Support: Implementation-specific
+                        for any other resource \n Support for weight: Extended"
+                      items:
+                        description: "BackendRef defines how a Route should forward
+                          a request to a Kubernetes resource. \n Note that when a
+                          namespace different than the local namespace is specified,
+                          a ReferenceGrant object is required in the referent namespace
+                          to allow that namespace's owner to accept the reference.
+                          See the ReferenceGrant documentation for details."
+                        properties:
+                          group:
+                            default: ""
+                            description: Group is the group of the referent. For example,
+                              "gateway.networking.k8s.io". When unspecified or empty
+                              string, core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Service
+                            description: "Kind is the Kubernetes resource kind of
+                              the referent. For example \"Service\". \n Defaults to
+                              \"Service\" when not specified. \n ExternalName services
+                              can refer to CNAME DNS records that may live outside
+                              of the cluster and as such are difficult to reason about
+                              in terms of conformance. They also may not be safe to
+                              forward to (see CVE-2021-25740 for more information).
+                              Implementations SHOULD NOT support ExternalName Services.
+                              \n Support: Core (Services with a type other than ExternalName)
+                              \n Support: Implementation-specific (Services with type
+                              ExternalName)"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: "Namespace is the namespace of the backend.
+                              When unspecified, the local namespace is inferred. \n
+                              Note that when a namespace different than the local
+                              namespace is specified, a ReferenceGrant object is required
+                              in the referent namespace to allow that namespace's
+                              owner to accept the reference. See the ReferenceGrant
+                              documentation for details. \n Support: Core"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                          port:
+                            description: Port specifies the destination port number
+                              to use for this resource. Port is required when the
+                              referent is a Kubernetes Service. In this case, the
+                              port number is the service port number, not the target
+                              port. For other resources, destination port might be
+                              derived from the referent resource or this field.
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                          weight:
+                            default: 1
+                            description: "Weight specifies the proportion of requests
+                              forwarded to the referenced backend. This is computed
+                              as weight/(sum of all weights in this BackendRefs list).
+                              For non-zero values, there may be some epsilon from
+                              the exact proportion defined here depending on the precision
+                              an implementation supports. Weight is not a percentage
+                              and the sum of weights does not need to equal 100. \n
+                              If only one backend is specified and it has a weight
+                              greater than 0, 100% of the traffic is forwarded to
+                              that backend. If weight is set to 0, no traffic should
+                              be forwarded for this entry. If unspecified, weight
+                              defaults to 1. \n Support for this field varies based
+                              on the context where used."
+                            format: int32
+                            maximum: 1000000
+                            minimum: 0
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      maxItems: 16
+                      minItems: 1
+                      type: array
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - rules
+            type: object
+          status:
+            description: Status defines the current state of TCPRoute.
+            properties:
+              parents:
+                description: "Parents is a list of parent resources (usually Gateways)
+                  that are associated with the route, and the status of the route
+                  with respect to each parent. When this route attaches to a parent,
+                  the controller that manages the parent must add an entry to this
+                  list when the controller first sees the route and should update
+                  the entry as appropriate when the route or gateway is modified.
+                  \n Note that parent references that cannot be resolved by an implementation
+                  of this API will not be added to this list. Implementations of this
+                  API can only populate Route status for the Gateways/parent resources
+                  they are responsible for. \n A maximum of 32 Gateways will be represented
+                  in this list. An empty list means the route has not been attached
+                  to any Gateway."
+                items:
+                  description: RouteParentStatus describes the status of a route with
+                    respect to an associated Parent.
+                  properties:
+                    conditions:
+                      description: "Conditions describes the status of the route with
+                        respect to the Gateway. Note that the route's availability
+                        is also subject to the Gateway's own status conditions and
+                        listener status. \n If the Route's ParentRef specifies an
+                        existing Gateway that supports Routes of this kind AND that
+                        Gateway's controller has sufficient access, then that Gateway's
+                        controller MUST set the \"Accepted\" condition on the Route,
+                        to indicate whether the route has been accepted or rejected
+                        by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+                        if at least one of the Route's rules is implemented by the
+                        Gateway. \n There are a number of cases where the \"Accepted\"
+                        condition may not be set due to lack of controller visibility,
+                        that includes when: \n * The Route refers to a non-existent
+                        parent. * The Route is of a type that the controller does
+                        not support. * The Route is in a namespace the controller
+                        does not have access to."
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource. --- This struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example, \n type FooStatus struct{
+                          // Represents the observations of a foo's current state.
+                          // Known .status.conditions.type are: \"Available\", \"Progressing\",
+                          and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                          // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                          `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                          protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+                          }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition
+                              transitioned from one status to another. This should
+                              be when the underlying condition changed.  If that is
+                              not known, then using the time when the API field changed
+                              is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating
+                              details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation
+                              that the condition was set based upon. For instance,
+                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+                              is 9, the condition is out of date with respect to the
+                              current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier
+                              indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected
+                              values and meanings for this field, and whether the
+                              values are considered a guaranteed API. The value should
+                              be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                              --- Many .condition.type values are consistent across
+                              resources like Available, but because arbitrary conditions
+                              can be useful (see .node.status.conditions), the ability
+                              to deconflict is important. The regex it matches is
+                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: "ControllerName is a domain/path string that indicates
+                        the name of the controller that wrote this status. This corresponds
+                        with the controllerName field on GatewayClass. \n Example:
+                        \"example.net/gateway-controller\". \n The format of this
+                        field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+                        Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+                        \n Controllers MUST populate this field when writing status.
+                        Controllers should ensure that entries to status populated
+                        with their ControllerName are cleaned up when they are no
+                        longer necessary."
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                      type: string
+                    parentRef:
+                      description: ParentRef corresponds with a ParentRef in the spec
+                        that this RouteParentStatus struct describes the status of.
+                      properties:
+                        group:
+                          default: gateway.networking.k8s.io
+                          description: "Group is the group of the referent. When unspecified,
+                            \"gateway.networking.k8s.io\" is inferred. To set the
+                            core API group (such as for a \"Service\" kind referent),
+                            Group must be explicitly set to \"\" (empty string). \n
+                            Support: Core"
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Gateway
+                          description: "Kind is kind of the referent. \n Support:
+                            Core (Gateway) \n Support: Implementation-specific (Other
+                            Resources)"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: "Name is the name of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: "Namespace is the namespace of the referent.
+                            When unspecified, this refers to the local namespace of
+                            the Route. \n Note that there are specific rules for ParentRefs
+                            which cross namespace boundaries. Cross-namespace references
+                            are only valid if they are explicitly allowed by something
+                            in the namespace they are referring to. For example: Gateway
+                            has the AllowedRoutes field, and ReferenceGrant provides
+                            a generic way to enable any other kind of cross-namespace
+                            reference. \n Support: Core"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        port:
+                          description: "Port is the network port this Route targets.
+                            It can be interpreted differently based on the type of
+                            parent resource. \n When the parent resource is a Gateway,
+                            this targets all listeners listening on the specified
+                            port that also support this kind of Route(and select this
+                            Route). It's not recommended to set `Port` unless the
+                            networking behaviors specified in a Route must apply to
+                            a specific port as opposed to a listener(s) whose port(s)
+                            may be changed. When both Port and SectionName are specified,
+                            the name and port of the selected listener must match
+                            both specified values. \n Implementations MAY choose to
+                            support other parent resources. Implementations supporting
+                            other types of parent resources MUST clearly document
+                            how/if Port is interpreted. \n For the purpose of status,
+                            an attachment is considered successful as long as the
+                            parent resource accepts it partially. For example, Gateway
+                            listeners can restrict which Routes can attach to them
+                            by Route kind, namespace, or hostname. If 1 of 2 Gateway
+                            listeners accept attachment from the referencing Route,
+                            the Route MUST be considered successfully attached. If
+                            no Gateway listeners accept attachment from this Route,
+                            the Route MUST be considered detached from the Gateway.
+                            \n Support: Extended \n <gateway:experimental>"
+                          format: int32
+                          maximum: 65535
+                          minimum: 1
+                          type: integer
+                        sectionName:
+                          description: "SectionName is the name of a section within
+                            the target resource. In the following resources, SectionName
+                            is interpreted as the following: \n * Gateway: Listener
+                            Name. When both Port (experimental) and SectionName are
+                            specified, the name and port of the selected listener
+                            must match both specified values. \n Implementations MAY
+                            choose to support attaching Routes to other resources.
+                            If that is the case, they MUST clearly document how SectionName
+                            is interpreted. \n When unspecified (empty string), this
+                            will reference the entire resource. For the purpose of
+                            status, an attachment is considered successful if at least
+                            one section in the parent resource accepts it. For example,
+                            Gateway listeners can restrict which Routes can attach
+                            to them by Route kind, namespace, or hostname. If 1 of
+                            2 Gateway listeners accept attachment from the referencing
+                            Route, the Route MUST be considered successfully attached.
+                            If no Gateway listeners accept attachment from this Route,
+                            the Route MUST be considered detached from the Gateway.
+                            \n Support: Core"
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  required:
+                  - controllerName
+                  - parentRef
+                  type: object
+                maxItems: 32
+                type: array
+            required:
+            - parents
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null
+{{- end }}

charts/buoyant/linkerd-crds/2024.11.3/templates/gateway.networking.k8s.io_tlsroutes.yaml

@@ -0,0 +1,582 @@
+{{- if .Values.enableTlsRoutes }}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923
+    gateway.networking.k8s.io/bundle-version: v0.7.1
+    gateway.networking.k8s.io/channel: experimental
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+  creationTimestamp: null
+  name: tlsroutes.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: TLSRoute
+    listKind: TLSRouteList
+    plural: tlsroutes
+    singular: tlsroute
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: "The TLSRoute resource is similar to TCPRoute, but can be configured
+          to match against TLS-specific metadata. This allows more flexibility in
+          matching streams for a given TLS listener. \n If you need to forward traffic
+          to a single target for a TLS listener, you could choose to use a TCPRoute
+          with a TLS listener."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of TLSRoute.
+            properties:
+              hostnames:
+                description: "Hostnames defines a set of SNI names that should match
+                  against the SNI attribute of TLS ClientHello message in TLS handshake.
+                  This matches the RFC 1123 definition of a hostname with 2 notable
+                  exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066.
+                  2. A hostname may be prefixed with a wildcard label (`*.`). The
+                  wildcard label must appear by itself as the first label. \n If a
+                  hostname is specified by both the Listener and TLSRoute, there must
+                  be at least one intersecting hostname for the TLSRoute to be attached
+                  to the Listener. For example: \n * A Listener with `test.example.com`
+                  as the hostname matches TLSRoutes that have either not specified
+                  any hostnames, or have specified at least one of `test.example.com`
+                  or `*.example.com`. * A Listener with `*.example.com` as the hostname
+                  matches TLSRoutes that have either not specified any hostnames or
+                  have specified at least one hostname that matches the Listener hostname.
+                  For example, `test.example.com` and `*.example.com` would both match.
+                  On the other hand, `example.com` and `test.example.net` would not
+                  match. \n If both the Listener and TLSRoute have specified hostnames,
+                  any TLSRoute hostnames that do not match the Listener hostname MUST
+                  be ignored. For example, if a Listener specified `*.example.com`,
+                  and the TLSRoute specified `test.example.com` and `test.example.net`,
+                  `test.example.net` must not be considered for a match. \n If both
+                  the Listener and TLSRoute have specified hostnames, and none match
+                  with the criteria above, then the TLSRoute is not accepted. The
+                  implementation must raise an 'Accepted' Condition with a status
+                  of `False` in the corresponding RouteParentStatus. \n Support: Core"
+                items:
+                  description: "Hostname is the fully qualified domain name of a network
+                    host. This matches the RFC 1123 definition of a hostname with
+                    2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
+                    may be prefixed with a wildcard label (`*.`). The wildcard label
+                    must appear by itself as the first label. \n Hostname can be \"precise\"
+                    which is a domain name without the terminating dot of a network
+                    host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
+                    name prefixed with a single wildcard label (e.g. `*.example.com`).
+                    \n Note that as per RFC1035 and RFC1123, a *label* must consist
+                    of lower case alphanumeric characters or '-', and must start and
+                    end with an alphanumeric character. No other punctuation is allowed."
+                  maxLength: 253
+                  minLength: 1
+                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                  type: string
+                maxItems: 16
+                type: array
+              parentRefs:
+                description: "ParentRefs references the resources (usually Gateways)
+                  that a Route wants to be attached to. Note that the referenced parent
+                  resource needs to allow this for the attachment to be complete.
+                  For Gateways, that means the Gateway needs to allow attachment from
+                  Routes of this kind and namespace. \n The only kind of parent resource
+                  with \"Core\" support is Gateway. This API may be extended in the
+                  future to support additional kinds of parent resources such as one
+                  of the route kinds. \n It is invalid to reference an identical parent
+                  more than once. It is valid to reference multiple distinct sections
+                  within the same parent resource, such as 2 Listeners within a Gateway.
+                  \n It is possible to separately reference multiple distinct objects
+                  that may be collapsed by an implementation. For example, some implementations
+                  may choose to merge compatible Gateway Listeners together. If that
+                  is the case, the list of routes attached to those resources should
+                  also be merged. \n Note that for ParentRefs that cross namespace
+                  boundaries, there are specific rules. Cross-namespace references
+                  are only valid if they are explicitly allowed by something in the
+                  namespace they are referring to. For example, Gateway has the AllowedRoutes
+                  field, and ReferenceGrant provides a generic way to enable any other
+                  kind of cross-namespace reference."
+                items:
+                  description: "ParentReference identifies an API object (usually
+                    a Gateway) that can be considered a parent of this resource (usually
+                    a route). The only kind of parent resource with \"Core\" support
+                    is Gateway. This API may be extended in the future to support
+                    additional kinds of parent resources, such as HTTPRoute. \n The
+                    API object must be valid in the cluster; the Group and Kind must
+                    be registered in the cluster for this reference to be valid."
+                  properties:
+                    group:
+                      default: gateway.networking.k8s.io
+                      description: "Group is the group of the referent. When unspecified,
+                        \"gateway.networking.k8s.io\" is inferred. To set the core
+                        API group (such as for a \"Service\" kind referent), Group
+                        must be explicitly set to \"\" (empty string). \n Support:
+                        Core"
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Gateway
+                      description: "Kind is kind of the referent. \n Support: Core
+                        (Gateway) \n Support: Implementation-specific (Other Resources)"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: "Name is the name of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: "Namespace is the namespace of the referent. When
+                        unspecified, this refers to the local namespace of the Route.
+                        \n Note that there are specific rules for ParentRefs which
+                        cross namespace boundaries. Cross-namespace references are
+                        only valid if they are explicitly allowed by something in
+                        the namespace they are referring to. For example: Gateway
+                        has the AllowedRoutes field, and ReferenceGrant provides a
+                        generic way to enable any other kind of cross-namespace reference.
+                        \n Support: Core"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                    port:
+                      description: "Port is the network port this Route targets. It
+                        can be interpreted differently based on the type of parent
+                        resource. \n When the parent resource is a Gateway, this targets
+                        all listeners listening on the specified port that also support
+                        this kind of Route(and select this Route). It's not recommended
+                        to set `Port` unless the networking behaviors specified in
+                        a Route must apply to a specific port as opposed to a listener(s)
+                        whose port(s) may be changed. When both Port and SectionName
+                        are specified, the name and port of the selected listener
+                        must match both specified values. \n Implementations MAY choose
+                        to support other parent resources. Implementations supporting
+                        other types of parent resources MUST clearly document how/if
+                        Port is interpreted. \n For the purpose of status, an attachment
+                        is considered successful as long as the parent resource accepts
+                        it partially. For example, Gateway listeners can restrict
+                        which Routes can attach to them by Route kind, namespace,
+                        or hostname. If 1 of 2 Gateway listeners accept attachment
+                        from the referencing Route, the Route MUST be considered successfully
+                        attached. If no Gateway listeners accept attachment from this
+                        Route, the Route MUST be considered detached from the Gateway.
+                        \n Support: Extended \n <gateway:experimental>"
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    sectionName:
+                      description: "SectionName is the name of a section within the
+                        target resource. In the following resources, SectionName is
+                        interpreted as the following: \n * Gateway: Listener Name.
+                        When both Port (experimental) and SectionName are specified,
+                        the name and port of the selected listener must match both
+                        specified values. \n Implementations MAY choose to support
+                        attaching Routes to other resources. If that is the case,
+                        they MUST clearly document how SectionName is interpreted.
+                        \n When unspecified (empty string), this will reference the
+                        entire resource. For the purpose of status, an attachment
+                        is considered successful if at least one section in the parent
+                        resource accepts it. For example, Gateway listeners can restrict
+                        which Routes can attach to them by Route kind, namespace,
+                        or hostname. If 1 of 2 Gateway listeners accept attachment
+                        from the referencing Route, the Route MUST be considered successfully
+                        attached. If no Gateway listeners accept attachment from this
+                        Route, the Route MUST be considered detached from the Gateway.
+                        \n Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 32
+                type: array
+              rules:
+                description: Rules are a list of TLS matchers and actions.
+                items:
+                  description: TLSRouteRule is the configuration for a given rule.
+                  properties:
+                    backendRefs:
+                      description: "BackendRefs defines the backend(s) where matching
+                        requests should be sent. If unspecified or invalid (refers
+                        to a non-existent resource or a Service with no endpoints),
+                        the rule performs no forwarding; if no filters are specified
+                        that would result in a response being sent, the underlying
+                        implementation must actively reject request attempts to this
+                        backend, by rejecting the connection or returning a 500 status
+                        code. Request rejections must respect weight; if an invalid
+                        backend is requested to have 80% of requests, then 80% of
+                        requests must be rejected instead. \n Support: Core for Kubernetes
+                        Service \n Support: Extended for Kubernetes ServiceImport
+                        \n Support: Implementation-specific for any other resource
+                        \n Support for weight: Extended"
+                      items:
+                        description: "BackendRef defines how a Route should forward
+                          a request to a Kubernetes resource. \n Note that when a
+                          namespace different than the local namespace is specified,
+                          a ReferenceGrant object is required in the referent namespace
+                          to allow that namespace's owner to accept the reference.
+                          See the ReferenceGrant documentation for details."
+                        properties:
+                          group:
+                            default: ""
+                            description: Group is the group of the referent. For example,
+                              "gateway.networking.k8s.io". When unspecified or empty
+                              string, core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Service
+                            description: "Kind is the Kubernetes resource kind of
+                              the referent. For example \"Service\". \n Defaults to
+                              \"Service\" when not specified. \n ExternalName services
+                              can refer to CNAME DNS records that may live outside
+                              of the cluster and as such are difficult to reason about
+                              in terms of conformance. They also may not be safe to
+                              forward to (see CVE-2021-25740 for more information).
+                              Implementations SHOULD NOT support ExternalName Services.
+                              \n Support: Core (Services with a type other than ExternalName)
+                              \n Support: Implementation-specific (Services with type
+                              ExternalName)"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: "Namespace is the namespace of the backend.
+                              When unspecified, the local namespace is inferred. \n
+                              Note that when a namespace different than the local
+                              namespace is specified, a ReferenceGrant object is required
+                              in the referent namespace to allow that namespace's
+                              owner to accept the reference. See the ReferenceGrant
+                              documentation for details. \n Support: Core"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                          port:
+                            description: Port specifies the destination port number
+                              to use for this resource. Port is required when the
+                              referent is a Kubernetes Service. In this case, the
+                              port number is the service port number, not the target
+                              port. For other resources, destination port might be
+                              derived from the referent resource or this field.
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                          weight:
+                            default: 1
+                            description: "Weight specifies the proportion of requests
+                              forwarded to the referenced backend. This is computed
+                              as weight/(sum of all weights in this BackendRefs list).
+                              For non-zero values, there may be some epsilon from
+                              the exact proportion defined here depending on the precision
+                              an implementation supports. Weight is not a percentage
+                              and the sum of weights does not need to equal 100. \n
+                              If only one backend is specified and it has a weight
+                              greater than 0, 100% of the traffic is forwarded to
+                              that backend. If weight is set to 0, no traffic should
+                              be forwarded for this entry. If unspecified, weight
+                              defaults to 1. \n Support for this field varies based
+                              on the context where used."
+                            format: int32
+                            maximum: 1000000
+                            minimum: 0
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      maxItems: 16
+                      minItems: 1
+                      type: array
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - rules
+            type: object
+          status:
+            description: Status defines the current state of TLSRoute.
+            properties:
+              parents:
+                description: "Parents is a list of parent resources (usually Gateways)
+                  that are associated with the route, and the status of the route
+                  with respect to each parent. When this route attaches to a parent,
+                  the controller that manages the parent must add an entry to this
+                  list when the controller first sees the route and should update
+                  the entry as appropriate when the route or gateway is modified.
+                  \n Note that parent references that cannot be resolved by an implementation
+                  of this API will not be added to this list. Implementations of this
+                  API can only populate Route status for the Gateways/parent resources
+                  they are responsible for. \n A maximum of 32 Gateways will be represented
+                  in this list. An empty list means the route has not been attached
+                  to any Gateway."
+                items:
+                  description: RouteParentStatus describes the status of a route with
+                    respect to an associated Parent.
+                  properties:
+                    conditions:
+                      description: "Conditions describes the status of the route with
+                        respect to the Gateway. Note that the route's availability
+                        is also subject to the Gateway's own status conditions and
+                        listener status. \n If the Route's ParentRef specifies an
+                        existing Gateway that supports Routes of this kind AND that
+                        Gateway's controller has sufficient access, then that Gateway's
+                        controller MUST set the \"Accepted\" condition on the Route,
+                        to indicate whether the route has been accepted or rejected
+                        by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+                        if at least one of the Route's rules is implemented by the
+                        Gateway. \n There are a number of cases where the \"Accepted\"
+                        condition may not be set due to lack of controller visibility,
+                        that includes when: \n * The Route refers to a non-existent
+                        parent. * The Route is of a type that the controller does
+                        not support. * The Route is in a namespace the controller
+                        does not have access to."
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource. --- This struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example, \n type FooStatus struct{
+                          // Represents the observations of a foo's current state.
+                          // Known .status.conditions.type are: \"Available\", \"Progressing\",
+                          and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                          // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                          `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                          protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
+                          }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition
+                              transitioned from one status to another. This should
+                              be when the underlying condition changed.  If that is
+                              not known, then using the time when the API field changed
+                              is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating
+                              details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation
+                              that the condition was set based upon. For instance,
+                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+                              is 9, the condition is out of date with respect to the
+                              current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier
+                              indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected
+                              values and meanings for this field, and whether the
+                              values are considered a guaranteed API. The value should
+                              be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                              --- Many .condition.type values are consistent across
+                              resources like Available, but because arbitrary conditions
+                              can be useful (see .node.status.conditions), the ability
+                              to deconflict is important. The regex it matches is
+                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: "ControllerName is a domain/path string that indicates
+                        the name of the controller that wrote this status. This corresponds
+                        with the controllerName field on GatewayClass. \n Example:
+                        \"example.net/gateway-controller\". \n The format of this
+                        field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+                        Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+                        \n Controllers MUST populate this field when writing status.
+                        Controllers should ensure that entries to status populated
+                        with their ControllerName are cleaned up when they are no
+                        longer necessary."
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                      type: string
+                    parentRef:
+                      description: ParentRef corresponds with a ParentRef in the spec
+                        that this RouteParentStatus struct describes the status of.
+                      properties:
+                        group:
+                          default: gateway.networking.k8s.io
+                          description: "Group is the group of the referent. When unspecified,
+                            \"gateway.networking.k8s.io\" is inferred. To set the
+                            core API group (such as for a \"Service\" kind referent),
+                            Group must be explicitly set to \"\" (empty string). \n
+                            Support: Core"
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Gateway
+                          description: "Kind is kind of the referent. \n Support:
+                            Core (Gateway) \n Support: Implementation-specific (Other
+                            Resources)"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: "Name is the name of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: "Namespace is the namespace of the referent.
+                            When unspecified, this refers to the local namespace of
+                            the Route. \n Note that there are specific rules for ParentRefs
+                            which cross namespace boundaries. Cross-namespace references
+                            are only valid if they are explicitly allowed by something
+                            in the namespace they are referring to. For example: Gateway
+                            has the AllowedRoutes field, and ReferenceGrant provides
+                            a generic way to enable any other kind of cross-namespace
+                            reference. \n Support: Core"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        port:
+                          description: "Port is the network port this Route targets.
+                            It can be interpreted differently based on the type of
+                            parent resource. \n When the parent resource is a Gateway,
+                            this targets all listeners listening on the specified
+                            port that also support this kind of Route(and select this
+                            Route). It's not recommended to set `Port` unless the
+                            networking behaviors specified in a Route must apply to
+                            a specific port as opposed to a listener(s) whose port(s)
+                            may be changed. When both Port and SectionName are specified,
+                            the name and port of the selected listener must match
+                            both specified values. \n Implementations MAY choose to
+                            support other parent resources. Implementations supporting
+                            other types of parent resources MUST clearly document
+                            how/if Port is interpreted. \n For the purpose of status,
+                            an attachment is considered successful as long as the
+                            parent resource accepts it partially. For example, Gateway
+                            listeners can restrict which Routes can attach to them
+                            by Route kind, namespace, or hostname. If 1 of 2 Gateway
+                            listeners accept attachment from the referencing Route,
+                            the Route MUST be considered successfully attached. If
+                            no Gateway listeners accept attachment from this Route,
+                            the Route MUST be considered detached from the Gateway.
+                            \n Support: Extended \n <gateway:experimental>"
+                          format: int32
+                          maximum: 65535
+                          minimum: 1
+                          type: integer
+                        sectionName:
+                          description: "SectionName is the name of a section within
+                            the target resource. In the following resources, SectionName
+                            is interpreted as the following: \n * Gateway: Listener
+                            Name. When both Port (experimental) and SectionName are
+                            specified, the name and port of the selected listener
+                            must match both specified values. \n Implementations MAY
+                            choose to support attaching Routes to other resources.
+                            If that is the case, they MUST clearly document how SectionName
+                            is interpreted. \n When unspecified (empty string), this
+                            will reference the entire resource. For the purpose of
+                            status, an attachment is considered successful if at least
+                            one section in the parent resource accepts it. For example,
+                            Gateway listeners can restrict which Routes can attach
+                            to them by Route kind, namespace, or hostname. If 1 of
+                            2 Gateway listeners accept attachment from the referencing
+                            Route, the Route MUST be considered successfully attached.
+                            If no Gateway listeners accept attachment from this Route,
+                            the Route MUST be considered detached from the Gateway.
+                            \n Support: Core"
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  required:
+                  - controllerName
+                  - parentRef
+                  type: object
+                maxItems: 32
+                type: array
+            required:
+            - parents
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null
+{{- end }}

charts/buoyant/linkerd-crds/2024.11.3/templates/policy/authorization-policy.yaml

@@ -0,0 +1,99 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: authorizationpolicies.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  scope: Namespaced
+  names:
+    kind: AuthorizationPolicy
+    plural: authorizationpolicies
+    singular: authorizationpolicy
+    shortNames: [authzpolicy]
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              description: >-
+                Authorizes clients to communicate with Linkerd-proxied server
+                resources.
+              type: object
+              required: [targetRef, requiredAuthenticationRefs]
+              properties:
+                targetRef:
+                  description: >-
+                    TargetRef references a resource to which the authorization
+                    policy applies.
+                  type: object
+                  required: [kind, name]
+                  # Modified from the gateway API.
+                  # Copyright 2020 The Kubernetes Authors
+                  properties:
+                    group:
+                      description: >-
+                        Group is the group of the referent. When empty, the
+                        Kubernetes core API group is inferred.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: >-
+                        Kind is the kind of the referent.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: Name is the name of the referent.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                requiredAuthenticationRefs:
+                  description: >-
+                    RequiredAuthenticationRefs enumerates a set of required
+                    authentications. ALL authentications must be satisfied for
+                    the authorization to apply. If any of the referred objects
+                    cannot be found, the authorization will be ignored.
+                  type: array
+                  items:
+                    type: object
+                    required: [kind, name]
+                    properties:
+                      group:
+                        description: >-
+                          Group is the group of the referent. When empty, the
+                          Kubernetes core API group is inferred."
+                        maxLength: 253
+                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                      kind:
+                        description: >-
+                          Kind is the kind of the referent.
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                        type: string
+                      name:
+                        description: >-
+                          Name is the name of the referent.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      namespace:
+                        description: >-
+                          Name is the name of the referent. When unspecified,
+                          this authentication refers to the local namespace.
+                        maxLength: 253
+                        type: string

charts/buoyant/linkerd-crds/2024.11.3/templates/policy/egress-network.yaml

@@ -0,0 +1,123 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: egressnetworks.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  names:
+    categories:
+    - policy
+    kind: EgressNetwork
+    listKind: EgressNetworkList
+    plural: egressnetworks
+    singular: egressnetwork
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        description: >-
+          An EgressNetwork captures traffic to egress destinations
+        type: object
+        required: [spec]
+        properties:
+          apiVerson:
+            type: string
+          kind:
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              trafficPolicy:
+                description: >-
+                  This field controls the traffic policy enforced upon traffic
+                  that does not match any explicit route resources associated
+                  with an instance of this object. The values that are allowed
+                  currently are:
+                   - Allow - permits all traffic, even if it has not been
+                                explicitly described via attaching an xRoute
+                                resources.
+                   - Deny -  blocks all traffic that has not been described via
+                                attaching an xRoute resource.
+                type: string
+                enum:
+                - Allow
+                - Deny
+              networks:
+                type: array
+                items:
+                  type: object
+                  required: [cidr]
+                  properties:
+                    cidr:
+                      description: >-
+                        The CIDR of the network to be authorized.
+                      type: string
+                    except:
+                      description: >-
+                        A list of IP networks/addresses not to be included in
+                        the above `cidr`.
+                      type: array
+                      items:
+                        type: string
+            type: object
+            required:
+            - trafficPolicy
+          status:
+            type: object
+            properties:
+              conditions:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the
+                        condition transitioned from one status to another.
+                      format: date-time
+                      type: string
+                    status:
+                      description: status of the condition (one of True, False, Unknown)
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of the condition in CamelCase or in
+                        foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                    reason:
+                      description: reason contains a programmatic identifier
+                        indicating the reason for the condition's last
+                        transition. Producers of specific condition types may
+                        define expected values and meanings for this field, and
+                        whether the values are considered a guaranteed API. The
+                        value should be a CamelCase string. This field may not
+                        be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    message:
+                      description: message is a human readable message
+                        indicating details about the transition. This may be an
+                        empty string.
+                      maxLength: 32768
+                      type: string
+                required:
+                - status
+                - type

charts/buoyant/linkerd-crds/2024.11.3/templates/policy/http-local-ratelimit-policy.yaml

@@ -0,0 +1,215 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: httplocalratelimitpolicies.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  names:
+    kind: HTTPLocalRateLimitPolicy
+    listKind: HTTPLocalRateLimitPolicyList
+    plural: httplocalratelimitpolicies
+    singular: httplocalratelimitpolicy
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              type: object
+              required: [targetRef]
+              properties:
+                targetRef:
+                  description: >-
+                    TargetRef references a resource to which the rate limit
+                    policy applies. Only Server is allowed.
+                  type: object
+                  required: [kind, name]
+                  properties:
+                    group:
+                      description: >-
+                        Group is the group of the referent. When empty, the
+                        Kubernetes core API group is inferred.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: Kind is the kind of the referent.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: Name is the name of the referent.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                total:
+                  description: >-
+                    Overall rate-limit, which all traffic coming to this
+                    target should abide.
+                    If unset no overall limit is applied.
+                  type: object
+                  required: [requestsPerSecond]
+                  properties:
+                    requestsPerSecond:
+                      format: int64
+                      type: integer
+                identity:
+                  description: >-
+                    Fairness for individual identities; each separate client,
+                    grouped by identity, will have this rate-limit. The
+                    requestsPerSecond value should be less than or equal to the
+                    total requestsPerSecond (if set).
+                  type: object
+                  required: [requestsPerSecond]
+                  properties:
+                    requestsPerSecond:
+                      format: int64
+                      type: integer
+                overrides:
+                  description: >-
+                    Overrides for traffic from a specific client. The
+                    requestsPerSecond value should be less than or equal to the
+                    total requestsPerSecond (if set).
+                  type: array
+                  items:
+                    type: object
+                    required: [requestsPerSecond, clientRefs]
+                    properties:
+                      requestsPerSecond:
+                        format: int64
+                        type: integer
+                      clientRefs:
+                        type: array
+                        items:
+                          type: object
+                          required: [kind, name]
+                          properties:
+                            group:
+                              description: >-
+                                Group is the group of the referent. When empty, the
+                                Kubernetes core API group is inferred.
+                              maxLength: 253
+                              pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                              type: string
+                            kind:
+                              description: Kind is the kind of the referent.
+                              maxLength: 63
+                              minLength: 1
+                              pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                              type: string
+                            namespace:
+                              description: >-
+                                  Namespace is the namespace of the referent.
+                                  When unspecified (or empty string), this refers to the
+                                  local namespace of the Policy.
+                              maxLength: 63
+                              minLength: 1
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                              type: string
+                            name:
+                              description: Name is the name of the referent.
+                              maxLength: 253
+                              minLength: 1
+                              type: string
+            status:
+              type: object
+              properties:
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      lastTransitionTime:
+                        description: lastTransitionTime is the last time the
+                          condition transitioned from one status to another.
+                        format: date-time
+                        type: string
+                      status:
+                        description: status of the condition (one of True, False, Unknown)
+                        enum:
+                        - "True"
+                        - "False"
+                        - Unknown
+                        type: string
+                      type:
+                        description: type of the condition in CamelCase or in
+                          foo.example.com/CamelCase.
+                        maxLength: 316
+                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                        type: string
+                      reason:
+                        description: reason contains a programmatic identifier
+                          indicating the reason for the condition's last
+                          transition. Producers of specific condition types may
+                          define expected values and meanings for this field, and
+                          whether the values are considered a guaranteed API. The
+                          value should be a CamelCase string. This field may not
+                          be empty.
+                        maxLength: 1024
+                        minLength: 1
+                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                        type: string
+                      message:
+                        description: message is a human readable message
+                          indicating details about the transition. This may be an
+                          empty string.
+                        maxLength: 32768
+                        type: string
+                  required:
+                  - status
+                  - type
+                targetRef:
+                  properties:
+                    group:
+                      default: policy.linkerd.io
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Server
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                  required:
+                  - name
+                  type: object
+              required:
+              - targetRef
+      additionalPrinterColumns:
+      - name: Target_kind
+        description: The resource kind to which the rate-limit applies
+        type: string
+        jsonPath: .spec.targetRef.kind
+      - name: Target_name
+        type: string
+        description: The resource name to which the rate-limit applies
+        jsonPath: .spec.targetRef.name
+      - name: Total_RPS
+        description: The overall rate-limit
+        type: integer
+        format: int32
+        jsonPath: .spec.total.requestsPerSecond
+      - name: Identity_RPS
+        description: The rate-limit per identity
+        type: integer
+        format: int32
+        jsonPath: .spec.identity.requestsPerSecond

charts/buoyant/linkerd-crds/2024.11.3/templates/policy/meshtls-authentication.yaml

@@ -0,0 +1,87 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: meshtlsauthentications.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  scope: Namespaced
+  names:
+    kind: MeshTLSAuthentication
+    plural: meshtlsauthentications
+    singular: meshtlsauthentication
+    shortNames: [meshtlsauthn]
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              description: >-
+                MeshTLSAuthentication defines a list of authenticated client IDs
+                to be referenced by an `AuthorizationPolicy`. If a client
+                connection has the mutually-authenticated identity that matches
+                ANY of the of the provided identities, the connection is
+                considered authenticated.
+              type: object
+              oneOf:
+                - required: [identities]
+                - required: [identityRefs]
+              properties:
+                identities:
+                  description: >-
+                    Authorizes clients with the provided proxy identity strings
+                    (as provided via MTLS)
+
+                    The `*` prefix can be used to match all identities in
+                    a domain. An identity string of `*` indicates that
+                    all authentication clients are authorized.
+                  type: array
+                  minItems: 1
+                  items:
+                    type: string
+                identityRefs:
+                  type: array
+                  minItems: 1
+                  items:
+                    type: object
+                    required:
+                      - kind
+                    properties:
+                      group:
+                        description: >-
+                          Group is the group of the referent. When empty, the
+                          Kubernetes core API group is inferred."
+                        maxLength: 253
+                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                      kind:
+                        description: >-
+                          Kind is the kind of the referent.
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                        type: string
+                      name:
+                        description: >-
+                          Name is the name of the referent. When unspecified,
+                          this refers to all resources of the specified Group
+                          and Kind in the specified namespace.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      namespace:
+                        description: >-
+                          Name is the name of the referent. When unspecified,
+                          this authentication refers to the local namespace.
+                        maxLength: 253
+                        type: string

charts/buoyant/linkerd-crds/2024.11.3/templates/policy/network-authentication.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: networkauthentications.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  scope: Namespaced
+  names:
+    kind: NetworkAuthentication
+    plural: networkauthentications
+    singular: networkauthentication
+    shortNames: [netauthn, networkauthn]
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              description: >-
+                NetworkAuthentication defines a list of authenticated client
+                networks to be referenced by an `AuthorizationPolicy`. If a
+                client connection originates from ANY of the of the provided
+                networks, the connection is considered authenticated.
+              type: object
+              required: [networks]
+              properties:
+                networks:
+                  type: array
+                  items:
+                    type: object
+                    required: [cidr]
+                    properties:
+                      cidr:
+                        description: >-
+                          The CIDR of the network to be authorized.
+                        type: string
+                      except:
+                        description: >-
+                          A list of IP networks/addresses not to be included in
+                          the above `cidr`.
+                        type: array
+                        items:
+                          type: string

charts/buoyant/linkerd-crds/2024.11.3/templates/policy/server-authorization.yaml

@@ -0,0 +1,266 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: serverauthorizations.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  scope: Namespaced
+  names:
+    kind: ServerAuthorization
+    plural: serverauthorizations
+    singular: serverauthorization
+    shortNames: [saz, serverauthz, srvauthz]
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: false
+      deprecated: true
+      deprecationWarning: "policy.linkerd.io/v1alpha1 ServerAuthorization is deprecated; use policy.linkerd.io/v1beta1 ServerAuthorization"
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              description: >-
+                Authorizes clients to communicate with Linkerd-proxied servers.
+              type: object
+              required: [server, client]
+              properties:
+                server:
+                  description: >-
+                    Identifies servers in the same namespace for which this
+                    authorization applies.
+
+                    Only one of `name` or `selector` may be specified.
+                  type: object
+                  oneOf:
+                    - required: [name]
+                    - required: [selector]
+                  properties:
+                    name:
+                      description: References a `Server` instance by name
+                      type: string
+                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
+                    selector:
+                      description: >-
+                        A label query over servers on which this authorization applies.
+                      type: object
+                      properties:
+                        matchLabels:
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                        matchExpressions:
+                          type: array
+                          items:
+                            type: object
+                            required: [key, operator]
+                            properties:
+                              key:
+                                type: string
+                              operator:
+                                type: string
+                                enum: [In, NotIn, Exists, DoesNotExist]
+                              values:
+                                type: array
+                                items:
+                                  type: string
+                client:
+                  description:  Describes clients authorized to access a server.
+                  type: object
+                  properties:
+                    networks:
+                      description: >-
+                        Limits the client IP addresses to which this
+                        authorization applies. If unset, the server chooses a
+                        default (typically, all IPs or the cluster's pod
+                        network).
+                      type: array
+                      items:
+                        type: object
+                        required: [cidr]
+                        properties:
+                          cidr:
+                            type: string
+                          except:
+                            type: array
+                            items:
+                              type: string
+                    unauthenticated:
+                      description: >-
+                        Authorizes unauthenticated clients to access a server.
+                      type: boolean
+                    meshTLS:
+                      type: object
+                      properties:
+                        unauthenticatedTLS:
+                          type: boolean
+                          description: >-
+                            Indicates that no client identity is required for
+                            communication.
+
+                            This is mostly important for the identity
+                            controller, which must terminate TLS connections
+                            from clients that do not yet have a certificate.
+                        identities:
+                          description: >-
+                            Authorizes clients with the provided proxy identity
+                            strings (as provided via MTLS)
+
+                            The `*` prefix can be used to match all identities in
+                            a domain. An identity string of `*` indicates that
+                            all authentication clients are authorized.
+                          type: array
+                          items:
+                            type: string
+                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
+                        serviceAccounts:
+                          description: >-
+                            Authorizes clients with the provided proxy identity
+                            service accounts (as provided via MTLS)
+                          type: array
+                          items:
+                            type: object
+                            required: [name]
+                            properties:
+                              name:
+                                description: The ServiceAccount's name.
+                                type: string
+                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
+                              namespace:
+                                description: >-
+                                  The ServiceAccount's namespace. If unset, the
+                                  authorization's namespace is used.
+                                type: string
+                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              description: >-
+                Authorizes clients to communicate with Linkerd-proxied servers.
+              type: object
+              required: [server, client]
+              properties:
+                server:
+                  description: >-
+                    Identifies servers in the same namespace for which this
+                    authorization applies.
+
+                    Only one of `name` or `selector` may be specified.
+                  type: object
+                  oneOf:
+                    - required: [name]
+                    - required: [selector]
+                  properties:
+                    name:
+                      description: References a `Server` instance by name
+                      type: string
+                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
+                    selector:
+                      description: >-
+                        A label query over servers on which this authorization applies.
+                      type: object
+                      properties:
+                        matchLabels:
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                        matchExpressions:
+                          type: array
+                          items:
+                            type: object
+                            required: [key, operator]
+                            properties:
+                              key:
+                                type: string
+                              operator:
+                                type: string
+                                enum: [In, NotIn, Exists, DoesNotExist]
+                              values:
+                                type: array
+                                items:
+                                  type: string
+                client:
+                  description:  Describes clients authorized to access a server.
+                  type: object
+                  properties:
+                    networks:
+                      description: >-
+                        Limits the client IP addresses to which this
+                        authorization applies. If unset, the server chooses a
+                        default (typically, all IPs or the cluster's pod
+                        network).
+                      type: array
+                      items:
+                        type: object
+                        required: [cidr]
+                        properties:
+                          cidr:
+                            type: string
+                          except:
+                            type: array
+                            items:
+                              type: string
+                    unauthenticated:
+                      description: >-
+                        Authorizes unauthenticated clients to access a server.
+                      type: boolean
+                    meshTLS:
+                      type: object
+                      properties:
+                        unauthenticatedTLS:
+                          type: boolean
+                          description: >-
+                            Indicates that no client identity is required for
+                            communication.
+
+                            This is mostly important for the identity
+                            controller, which must terminate TLS connections
+                            from clients that do not yet have a certificate.
+                        identities:
+                          description: >-
+                            Authorizes clients with the provided proxy identity
+                            strings (as provided via MTLS)
+
+                            The `*` prefix can be used to match all identities in
+                            a domain. An identity string of `*` indicates that
+                            all authentication clients are authorized.
+                          type: array
+                          items:
+                            type: string
+                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
+                        serviceAccounts:
+                          description: >-
+                            Authorizes clients with the provided proxy identity
+                            service accounts (as provided via MTLS)
+                          type: array
+                          items:
+                            type: object
+                            required: [name]
+                            properties:
+                              name:
+                                description: The ServiceAccount's name.
+                                type: string
+                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
+                              namespace:
+                                description: >-
+                                  The ServiceAccount's namespace. If unset, the
+                                  authorization's namespace is used.
+                                type: string
+                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
+      additionalPrinterColumns:
+      - name: Server
+        type: string
+        description: The server that this grants access to
+        jsonPath: .spec.server.name

charts/buoyant/linkerd-crds/2024.11.3/templates/policy/server.yaml

@@ -0,0 +1,319 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: servers.policy.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: policy.linkerd.io
+  names:
+    kind: Server
+    plural: servers
+    singular: server
+    shortNames: [srv]
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: false
+      deprecated: true
+      deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta1 Server"
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              type: object
+              required:
+                - podSelector
+                - port
+              properties:
+                podSelector:
+                  type: object
+                  description: >-
+                    Selects pods in the same namespace.
+                  oneOf:
+                    - required: [matchExpressions]
+                    - required: [matchLabels]
+                  properties:
+                    matchLabels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    matchExpressions:
+                      type: array
+                      items:
+                        type: object
+                        required: [key, operator]
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                            enum: [In, NotIn, Exists, DoesNotExist]
+                          values:
+                            type: array
+                            items:
+                              type: string
+                port:
+                  description: >-
+                    A port name or number. Must exist in a pod spec.
+                  x-kubernetes-int-or-string: true
+                proxyProtocol:
+                  description: >-
+                    Configures protocol discovery for inbound connections.
+
+                    Supersedes the `config.linkerd.io/opaque-ports` annotation.
+                  type: string
+                  default: unknown
+    - name: v1beta1
+      served: true
+      storage: false
+      deprecated: true
+      deprecationWarning: "policy.linkerd.io/v1beta1 Server is deprecated; use policy.linkerd.io/v1beta3 Server"
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              type: object
+              required:
+                - podSelector
+                - port
+              properties:
+                podSelector:
+                  type: object
+                  description: >-
+                    Selects pods in the same namespace.
+
+                    The result of matchLabels and matchExpressions are ANDed.
+                    Selects all if empty.
+                  properties:
+                    matchLabels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    matchExpressions:
+                      type: array
+                      items:
+                        type: object
+                        required: [key, operator]
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                            enum: [In, NotIn, Exists, DoesNotExist]
+                          values:
+                            type: array
+                            items:
+                              type: string
+                port:
+                  description: >-
+                    A port name or number. Must exist in a pod spec.
+                  x-kubernetes-int-or-string: true
+                proxyProtocol:
+                  description: >-
+                    Configures protocol discovery for inbound connections.
+
+                    Supersedes the `config.linkerd.io/opaque-ports` annotation.
+                  type: string
+                  default: unknown
+      additionalPrinterColumns:
+      - name: Port
+        type: string
+        description: The port the server is listening on
+        jsonPath: .spec.port
+      - name: Protocol
+        type: string
+        description: The protocol of the server
+        jsonPath: .spec.proxyProtocol
+    - name: v1beta2
+      served: true
+      storage: false
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              type: object
+              required:
+                - port
+              oneOf:
+                - required: [podSelector]
+                - required: [externalWorkloadSelector]
+              properties:
+                podSelector:
+                  type: object
+                  description: >-
+                    Selects pods in the same namespace.
+
+                    The result of matchLabels and matchExpressions are ANDed.
+                    Selects all if empty.
+                  properties:
+                    matchLabels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    matchExpressions:
+                      type: array
+                      items:
+                        type: object
+                        required: [key, operator]
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                            enum: [In, NotIn, Exists, DoesNotExist]
+                          values:
+                            type: array
+                            items:
+                              type: string
+                externalWorkloadSelector:
+                  type: object
+                  description: >-
+                    Selects ExternalWorkloads in the same namespace.
+
+                    The result of matchLabels and matchExpressions are ANDed.
+                    Selects all if empty.
+                  properties:
+                    matchLabels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    matchExpressions:
+                      type: array
+                      items:
+                        type: object
+                        required: [key, operator]
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                            enum: [In, NotIn, Exists, DoesNotExist]
+                          values:
+                            type: array
+                            items:
+                              type: string
+                port:
+                  description: >-
+                    A port name or number. Must exist in a pod spec.
+                  x-kubernetes-int-or-string: true
+                proxyProtocol:
+                  description: >-
+                    Configures protocol discovery for inbound connections.
+
+                    Supersedes the `config.linkerd.io/opaque-ports` annotation.
+                  type: string
+                  default: unknown
+      additionalPrinterColumns:
+      - name: Port
+        type: string
+        description: The port the server is listening on
+        jsonPath: .spec.port
+      - name: Protocol
+        type: string
+        description: The protocol of the server
+        jsonPath: .spec.proxyProtocol
+    - name: v1beta3
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: [spec]
+          properties:
+            spec:
+              type: object
+              required:
+                - port
+              oneOf:
+                - required: [podSelector]
+                - required: [externalWorkloadSelector]
+              properties:
+                accessPolicy:
+                  type: string
+                  default: deny
+                  description: >-
+                    Default access policy to apply when the traffic doesn't match any of the policy rules.
+                podSelector:
+                  type: object
+                  description: >-
+                    Selects pods in the same namespace.
+
+                    The result of matchLabels and matchExpressions are ANDed.
+                    Selects all if empty.
+                  properties:
+                    matchLabels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    matchExpressions:
+                      type: array
+                      items:
+                        type: object
+                        required: [key, operator]
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                            enum: [In, NotIn, Exists, DoesNotExist]
+                          values:
+                            type: array
+                            items:
+                              type: string
+                externalWorkloadSelector:
+                  type: object
+                  description: >-
+                    Selects ExternalWorkloads in the same namespace.
+
+                    The result of matchLabels and matchExpressions are ANDed.
+                    Selects all if empty.
+                  properties:
+                    matchLabels:
+                      type: object
+                      x-kubernetes-preserve-unknown-fields: true
+                    matchExpressions:
+                      type: array
+                      items:
+                        type: object
+                        required: [key, operator]
+                        properties:
+                          key:
+                            type: string
+                          operator:
+                            type: string
+                            enum: [In, NotIn, Exists, DoesNotExist]
+                          values:
+                            type: array
+                            items:
+                              type: string
+                port:
+                  description: >-
+                    A port name or number. Must exist in a pod spec.
+                  x-kubernetes-int-or-string: true
+                proxyProtocol:
+                  description: >-
+                    Configures protocol discovery for inbound connections.
+
+                    Supersedes the `config.linkerd.io/opaque-ports` annotation.
+                  type: string
+                  default: unknown
+      additionalPrinterColumns:
+      - name: Port
+        type: string
+        description: The port the server is listening on
+        jsonPath: .spec.port
+      - name: Protocol
+        type: string
+        description: The protocol of the server
+        jsonPath: .spec.proxyProtocol
+      - name: Access Policy
+        type: string
+        description: The default access policy applied when the traffic doesn't match any of the policy rules
+        jsonPath: .spec.accessPolicy

charts/buoyant/linkerd-crds/2024.11.3/templates/serviceprofile.yaml

@@ -0,0 +1,274 @@
+---
+###
+### Service Profile CRD
+###
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: serviceprofiles.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: linkerd.io
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: false
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            description: Spec is the custom resource spec
+            required:
+            - routes
+            properties:
+              dstOverrides:
+                type: array
+                required:
+                - authority
+                - weight
+                items:
+                  type: object
+                  description: WeightedDst is a weighted alternate destination.
+                  properties:
+                    authority:
+                      type: string
+                    weight:
+                      x-kubernetes-int-or-string: true
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+              opaquePorts:
+                type: array
+                items:
+                  type: string
+              retryBudget:
+                type: object
+                required:
+                - minRetriesPerSecond
+                - retryRatio
+                - ttl
+                description: RetryBudget describes the maximum number of retries that should be issued to this service.
+                properties:
+                  minRetriesPerSecond:
+                    format: int32
+                    type: integer
+                  retryRatio:
+                    type: number
+                    format: float
+                  ttl:
+                    type: string
+              routes:
+                type: array
+                items:
+                  type: object
+                  description: RouteSpec specifies a Route resource.
+                  required:
+                  - condition
+                  - name
+                  properties:
+                    condition:
+                      type: object
+                      description: RequestMatch describes the conditions under which to match a Route.
+                      properties:
+                        pathRegex:
+                          type: string
+                        method:
+                          type: string
+                        all:
+                          type: array
+                          items:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                        any:
+                          type: array
+                          items:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                        not:
+                          type: array
+                          items:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                    isRetryable:
+                      type: boolean
+                    name:
+                      type: string
+                    timeout:
+                      type: string
+                    responseClasses:
+                      type: array
+                      items:
+                        type: object
+                        required:
+                        - condition
+                        description: ResponseClass describes how to classify a response (e.g. success or failures).
+                        properties:
+                          condition:
+                            type: object
+                            description: ResponseMatch describes the conditions under
+                              which to classify a response.
+                            properties:
+                              all:
+                                type: array
+                                items:
+                                  type: object
+                                  x-kubernetes-preserve-unknown-fields: true
+                              any:
+                                type: array
+                                items:
+                                  type: object
+                                  x-kubernetes-preserve-unknown-fields: true
+                              not:
+                                type: object
+                                x-kubernetes-preserve-unknown-fields: true
+                              status:
+                                type: object
+                                description: Range describes a range of integers (e.g. status codes).
+                                properties:
+                                  max:
+                                    format: int32
+                                    type: integer
+                                  min:
+                                    format: int32
+                                    type: integer
+                          isFailure:
+                            type: boolean
+  - name: v1alpha2
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            description: Spec is the custom resource spec
+            properties:
+              dstOverrides:
+                type: array
+                required:
+                - authority
+                - weight
+                items:
+                  type: object
+                  description: WeightedDst is a weighted alternate destination.
+                  properties:
+                    authority:
+                      type: string
+                    weight:
+                      x-kubernetes-int-or-string: true
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+              opaquePorts:
+                type: array
+                items:
+                  type: string
+              retryBudget:
+                type: object
+                required:
+                - minRetriesPerSecond
+                - retryRatio
+                - ttl
+                description: RetryBudget describes the maximum number of retries that should be issued to this service.
+                properties:
+                  minRetriesPerSecond:
+                    format: int32
+                    type: integer
+                  retryRatio:
+                    type: number
+                    format: float
+                  ttl:
+                    type: string
+              routes:
+                type: array
+                items:
+                  type: object
+                  description: RouteSpec specifies a Route resource.
+                  required:
+                  - condition
+                  - name
+                  properties:
+                    condition:
+                      type: object
+                      description: RequestMatch describes the conditions under which to match a Route.
+                      properties:
+                        pathRegex:
+                          type: string
+                        method:
+                          type: string
+                        all:
+                          type: array
+                          items:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                        any:
+                          type: array
+                          items:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                        not:
+                          type: array
+                          items:
+                            type: object
+                            x-kubernetes-preserve-unknown-fields: true
+                    isRetryable:
+                      type: boolean
+                    name:
+                      type: string
+                    timeout:
+                      type: string
+                    responseClasses:
+                      type: array
+                      items:
+                        type: object
+                        required:
+                        - condition
+                        description: ResponseClass describes how to classify a response (e.g. success or failures).
+                        properties:
+                          condition:
+                            type: object
+                            description: ResponseMatch describes the conditions under
+                              which to classify a response.
+                            properties:
+                              all:
+                                type: array
+                                items:
+                                  type: object
+                                  x-kubernetes-preserve-unknown-fields: true
+                              any:
+                                type: array
+                                items:
+                                  type: object
+                                  x-kubernetes-preserve-unknown-fields: true
+                              not:
+                                type: object
+                                x-kubernetes-preserve-unknown-fields: true
+                              status:
+                                type: object
+                                description: Range describes a range of integers (e.g. status codes).
+                                properties:
+                                  max:
+                                    format: int32
+                                    type: integer
+                                  min:
+                                    format: int32
+                                    type: integer
+                          isFailure:
+                            type: boolean
+  scope: Namespaced
+  preserveUnknownFields: false
+  names:
+    plural: serviceprofiles
+    singular: serviceprofile
+    kind: ServiceProfile
+    shortNames:
+    - sp

charts/buoyant/linkerd-crds/2024.11.3/templates/workload/external-workload.yaml

@@ -0,0 +1,303 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: externalworkloads.workload.linkerd.io
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    linkerd.io/control-plane-ns: {{.Release.Namespace}}
+spec:
+  group: workload.linkerd.io
+  names:
+    categories:
+    - external
+    kind: ExternalWorkload
+    listKind: ExternalWorkloadList
+    plural: externalworkloads
+    singular: externalworkload
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: false
+    schema:
+      openAPIV3Schema:
+        description: >-
+          An ExternalWorkload describes a single workload (i.e. a deployable unit) external
+          to the cluster that should be enrolled in the mesh.
+        type: object
+        required: [spec]
+        properties:
+          apiVerson:
+            type: string
+          kind:
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              meshTls:
+                description: meshTls describes TLS settings associated with an
+                  external workload.
+                properties:
+                  identity:
+                    type: string
+                    description: identity of the workload. Corresponds to the
+                      identity used in the workload's certificate. It is used
+                      by peers to perform verification in the mTLS handshake.
+                    minLength: 1
+                    maxLength: 253
+                  serverName:
+                    type: string
+                    description: serverName is the name of the workload in DNS
+                      format. It is used by the workload to terminate TLS using
+                      SNI.
+                    minLength: 1
+                    maxLength: 253
+                type: object
+                required:
+                - identity
+                - serverName
+              ports:
+                type: array
+                description: ports describes a list of ports exposed by the
+                  workload
+                items:
+                  properties:
+                    name:
+                      type: string
+                      description: name must be an IANA_SVC_NAME and unique
+                        within the ports set. Each named port can be referred
+                        to by services.
+                    port:
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    protocol:
+                      description: protocol exposed by the port. Must be UDP or
+                        TCP. Defaults to TCP.
+                      type: string
+                      default: "TCP"
+                  type: object
+                  required:
+                  - port
+              workloadIPs:
+                type: array
+                description: workloadIPs contains a list of IP addresses that
+                  can be used to send traffic to the workload.
+                items:
+                  type: object
+                  properties:
+                    ip:
+                      type: string
+                # TODO: relax this in the future when ipv6 is supported
+                # an external workload (like a pod) should only
+                # support 2 interfaces
+                maxItems: 1
+            type: object
+            required:
+            - meshTls
+          status:
+            type: object
+            properties:
+              conditions:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    lastProbeTime:
+                      description: lastProbeTime is the last time the
+                        healthcheck endpoint was probed.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the
+                        condition transitioned from one status to another.
+                      format: date-time
+                      type: string
+                    status:
+                      description: status of the condition (one of True, False, Unknown)
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of the condition in CamelCase or in
+                        foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                    reason:
+                      description: reason contains a programmatic identifier
+                        indicating the reason for the condition's last
+                        transition. Producers of specific condition types may
+                        define expected values and meanings for this field, and
+                        whether the values are considered a guaranteed API. The
+                        value should be a CamelCase string. This field may not
+                        be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    message:
+                      description: message is a human readable message
+                        indicating details about the transition. This may be an
+                        empty string.
+                      maxLength: 32768
+                      type: string
+                required:
+                - status
+                - type
+    additionalPrinterColumns:
+    - jsonPath: .spec.meshTls.identity
+      name: Identity
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        description: >-
+          An ExternalWorkload describes a single workload (i.e. a deployable unit) external
+          to the cluster that should be enrolled in the mesh.
+        type: object
+        required: [spec]
+        properties:
+          apiVerson:
+            type: string
+          kind:
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              meshTLS:
+                description: meshTLS describes TLS settings associated with an
+                  external workload.
+                properties:
+                  identity:
+                    type: string
+                    description: identity of the workload. Corresponds to the
+                      identity used in the workload's certificate. It is used
+                      by peers to perform verification in the mTLS handshake.
+                    minLength: 1
+                    maxLength: 253
+                  serverName:
+                    type: string
+                    description: serverName is the name of the workload in DNS
+                      format. It is used by the workload to terminate TLS using
+                      SNI.
+                    minLength: 1
+                    maxLength: 253
+                type: object
+                required:
+                - identity
+                - serverName
+              ports:
+                type: array
+                description: ports describes a list of ports exposed by the
+                  workload
+                items:
+                  properties:
+                    name:
+                      type: string
+                      description: name must be an IANA_SVC_NAME and unique
+                        within the ports set. Each named port can be referred
+                        to by services.
+                    port:
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    protocol:
+                      description: protocol exposed by the port. Must be UDP or
+                        TCP. Defaults to TCP.
+                      type: string
+                      default: "TCP"
+                  type: object
+                  required:
+                  - port
+              workloadIPs:
+                type: array
+                description: workloadIPs contains a list of IP addresses that
+                  can be used to send traffic to the workload. This field may
+                  hold a maximum of two entries. If one entry, it can be an
+                  IPv4 or IPv6 address; if two entries it should contain one
+                  IPv4 address and one IPv6 address.
+                items:
+                  type: object
+                  properties:
+                    ip:
+                      type: string
+                maxItems: 2
+            type: object
+            required:
+            - meshTLS
+          status:
+            type: object
+            properties:
+              conditions:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    lastProbeTime:
+                      description: lastProbeTime is the last time the
+                        healthcheck endpoint was probed.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the
+                        condition transitioned from one status to another.
+                      format: date-time
+                      type: string
+                    status:
+                      description: status of the condition (one of True, False, Unknown)
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of the condition in CamelCase or in
+                        foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                    reason:
+                      description: reason contains a programmatic identifier
+                        indicating the reason for the condition's last
+                        transition. Producers of specific condition types may
+                        define expected values and meanings for this field, and
+                        whether the values are considered a guaranteed API. The
+                        value should be a CamelCase string. This field may not
+                        be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    message:
+                      description: message is a human readable message
+                        indicating details about the transition. This may be an
+                        empty string.
+                      maxLength: 32768
+                      type: string
+                required:
+                - status
+                - type
+    additionalPrinterColumns:
+    - jsonPath: .spec.meshTLS.identity
+      name: Identity
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date

charts/buoyant/linkerd-crds/2024.11.3/values.yaml

@@ -0,0 +1,3 @@
+enableHttpRoutes: true
+enableTlsRoutes: true
+enableTcpRoutes: true

charts/instana/instana-agent/2.0.2/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# OWNERS file for helm
+OWNERS

charts/instana/instana-agent/2.0.2/Chart.yaml

@@ -0,0 +1,39 @@
+annotations:
+  artifacthub.io/links: |
+    - name: Instana website
+      url: https://www.ibm.com/products/instana
+    - name: Instana Helm charts
+      url: https://github.com/instana/helm-charts
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Instana Agent
+  catalog.cattle.io/kube-version: '>=1.21-0'
+  catalog.cattle.io/release-name: instana-agent
+apiVersion: v2
+appVersion: 1.285.0
+description: Instana Agent for Kubernetes
+home: https://www.instana.com/
+icon: file://assets/icons/instana-agent.png
+kubeVersion: '>=1.21-0'
+maintainers:
+- email: felix.marx@ibm.com
+  name: FelixMarxIBM
+- email: henning.treu@ibm.com
+  name: htreu
+- email: konrad.ohms@de.ibm.com
+  name: Konrad-Ohms
+- email: fredrik.gundersen@ibm.com
+  name: FredrikAtIBM
+- email: jefiyamj@ibm.com
+  name: Jefiya-MJ
+- email: milica.cvrkota@ibm.com
+  name: Milica-Cvrkota-IBM
+- email: Nagaraj.Kandoor@ibm.com
+  name: nagaraj-kandoor
+- email: Vineeth.Soman@ibm.com
+  name: vineethsoman03
+- email: Rashmi.Swamy@ibm.com
+  name: rashmiswamyibm
+name: instana-agent
+sources:
+- https://github.com/instana/instana-agent-docker
+version: 2.0.2

charts/instana/instana-agent/2.0.2/DEPLOYMENT.md

@@ -0,0 +1,54 @@
+# Kubernetes Deployment Mode (tech preview)
+
+Instana has always endeavored to make the experience of using Instana as seamless as possible from auto-instrumentation to one-liner installs. To date for our customers with Kubernetes clusters containing more than 1,000 entities this wasn’t the case. The Kubernetes sensor as a deployment is one of many steps we’re taking to improve the experience of operating Instana in Kubernetes. This is a tech preview however we have a high degree of confidence it will work well in your production workloads. The fundamental change moves the Kubernetes sensor from the DaemonSet responsible for monitoring your hosts and processes into its own dedicated Deployment where it does not contend for resources with other sensors. An overview of this deployment is below:
+
+![kubernetes.deployment.enabled=true](kubernetes.deployment.enabled.png)
+
+This change provides a few primary benefits including:
+
+* Lower load on the Kubernetes api-server as it eliminates per node pod monitoring.
+* Lower load on the Kubernetes api-server as it reduces the endpoint watch to 2 leader elector side cars.
+* Lower memory and CPU requests in the DaemonSet as it is no longer responsible for monitoring Kubernetes.
+* Elimination of the leader elector sidecar in the DaemonSet as it is only required for the Kubernetes sensor.
+* Better performance of the Kubernetes sensor as it is isolated from other sensors and does not contend for CPU and memory.
+* Better scaling behaviour as you can adjust the memory and CPU requirements to monitor your clusters without overprovisioning utilisation cluster wide.
+
+The primary drawback of this model in the tech preview include:
+
+* Reduced control and observability of the Kubernetes specific Agents in the Agent dashboard.
+* Some unnecessary features are still enabled in the Kubernetes sensor (e.g. trace sinks, and host monitoring).
+
+Some limitations remain unchanged from the previous sensor:
+
+* Clusters with a high number of entities (e.g. pods, deployments, etc) are likely to have non-deterministic behaviour due to limitations we impose on message sizes. This is unlikely to be experienced in clusters with fewer than 500 hosts.
+* The ServiceAccount is shared between both the DaemonSet and Deployment meaning no change in the security posture. We plan to add an additional service account to limit access to the api-server to only the Kubernetes sensor Deployment.
+
+## Installation
+
+For clusters with minimal controls you can install the tech preview with the following Helm install command:
+
+```
+helm template instana-agent \
+    --repo https://agents.instana.io/helm \
+    --namespace instana-agent \
+    --create-namespace \
+    --set agent.key=${AGENT_KEY} \
+    --set agent.endpointHost=${BACKEND_URL} \
+    --set agent.endpointPort=443 \
+    --set cluster.name=${CLUSTER_NAME} \
+    --set zone.name=${ZONE_NAME} \
+    --set kubernetes.deployment.enabled=true \
+    instana-agent
+```
+
+If your cluster employs Pod Security Policies you will need the following additional flag:
+
+```
+--set podSecurityPolicy.enable=true
+```
+
+If you are deploying into an OpenShift 4.x cluster you will need the following additional flag:
+
+```
+--set openshift=true
+```