# Default values for linkerd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Kubernetes DNS Domain name to use
clusterDomain: cluster.local
# -- The cluster networks for which service discovery is performed. This should
# include the pod and service networks, but need not include the node network.
#
# By default, all private networks are specified so that resolution works in
# typical Kubernetes environments.
clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
# -- Docker image pull policy
imagePullPolicy: IfNotPresent
# -- Log level for the control plane components
controllerLogLevel: info
# -- Log format for the control plane components
controllerLogFormat: plain
# -- enables control plane tracing
controlPlaneTracing: false
# -- namespace to send control plane traces to
controlPlaneTracingNamespace: linkerd-jaeger
# -- control plane version. See Proxy section for proxy version
linkerdVersion: stable-2.14.5
# -- default kubernetes deployment strategy
deploymentStrategy:
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
# -- enables the use of EndpointSlice informers for the destination service;
# enableEndpointSlices should be set to true only if EndpointSlice K8s feature
# gate is on
enableEndpointSlices: true
# -- enables pod anti affinity creation on deployments for high availability
enablePodAntiAffinity: false
# -- enables the use of pprof endpoints on control plane component's admin
# servers
enablePprof: false
# -- enables the creation of pod disruption budgets for control plane components
enablePodDisruptionBudget: false
# -- enabling this omits the NET_ADMIN capability in the PSP
# and the proxy-init container when injecting the proxy;
# requires the linkerd-cni plugin to already be installed
cniEnabled: false
# -- Trust root certificate (ECDSA). It must be provided during install.
identityTrustAnchorsPEM: |
# -- Trust domain used for identity
# @default -- clusterDomain
identityTrustDomain: ""
# -- Additional annotations to add to all pods
podAnnotations: {}
# -- Additional labels to add to all pods
podLabels: {}
# -- Labels to apply to all resources
commonLabels: {}
# -- Kubernetes priorityClassName for the Linkerd Pods
priorityClassName: ""
# -- Runtime Class Name for all the pods
runtimeClassName: ""
# policy controller configuration
policyController:
image:
# -- Docker image for the policy controller
name: cr.l5d.io/linkerd/policy-controller
# -- Pull policy for the proxy container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy container Docker image
# @default -- linkerdVersion
version: ""
# -- Log level for the policy controller
logLevel: info
# -- The networks from which probes are performed.
#
# By default, all networks are allowed so that all probes are authorized.
probeNetworks:
- 0.0.0.0/0
# -- policy controller resource requests & limits
# @default -- destinationResources
resources:
cpu:
# -- Maximum amount of CPU units that the policy controller can use
limit: ""
# -- Amount of CPU units that the policy controller requests
request: ""
memory:
# -- Maximum amount of memory that the policy controller can use
limit: ""
# -- Maximum amount of memory that the policy controller requests
request: ""
ephemeral-storage:
# -- Maximum amount of ephemeral storage that the policy controller can use
limit: ""
# -- Amount of ephemeral storage that the policy controller requests
request: ""
# proxy configuration
proxy:
# -- Enable service profiles for non-Kubernetes services
enableExternalProfiles: false
# -- Maximum time allowed for the proxy to establish an outbound TCP
# connection
outboundConnectTimeout: 1000ms
# -- Maximum time allowed for the proxy to establish an inbound TCP
# connection
inboundConnectTimeout: 100ms
# -- Maximum time allowed before an unused outbound discovery result
# is evicted from the cache
outboundDiscoveryCacheUnusedTimeout: "5s"
# -- Maximum time allowed before an unused inbound discovery result
# is evicted from the cache
inboundDiscoveryCacheUnusedTimeout: "90s"
# -- When set to true, disables the protocol detection timeout on the
# outbound side of the proxy by setting it to a very high value
disableOutboundProtocolDetectTimeout: false
# -- When set to true, disables the protocol detection timeout on the inbound
# side of the proxy by setting it to a very high value
disableInboundProtocolDetectTimeout: false
image:
# -- Docker image for the proxy
name: cr.l5d.io/linkerd/proxy
# -- Pull policy for the proxy container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy container Docker image
# @default -- linkerdVersion
version: ""
# -- Log level for the proxy
logLevel: warn,linkerd=info,trust_dns=error
# -- Log format (`plain` or `json`) for the proxy
logFormat: plain
ports:
# -- Admin port for the proxy container
admin: 4191
# -- Control port for the proxy container
control: 4190
# -- Inbound port for the proxy container
inbound: 4143
# -- Outbound port for the proxy container
outbound: 4140
# -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores`
# must be an integer and should typically be set by rounding up from the
# limit. E.g. if cpu.limit is '1500m', cores should be 2.
cores: 0
resources:
cpu:
# -- Maximum amount of CPU units that the proxy can use
limit: ""
# -- Amount of CPU units that the proxy requests
request: ""
memory:
# -- Maximum amount of memory that the proxy can use
limit: ""
# -- Maximum amount of memory that the proxy requests
request: ""
ephemeral-storage:
# -- Maximum amount of ephemeral storage that the proxy can use
limit: ""
# -- Amount of ephemeral storage that the proxy requests
request: ""
# -- User id under which the proxy runs
uid: 2102
# -- If set the injected proxy sidecars in the data plane will stay alive for
# at least the given period before receiving the SIGTERM signal from
# Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`.
# See [Lifecycle
# hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks)
# for more info on container lifecycle hooks.
waitBeforeExitSeconds: 0
# -- If set, the application container will not start until the proxy is
# ready
await: true
requireIdentityOnInboundPorts: ""
# -- Default set of opaque ports
# - SMTP (25,587) server-first
# - MYSQL (3306) server-first
# - Galera (4444) server-first
# - PostgreSQL (5432) server-first
# - Redis (6379) server-first
# - ElasticSearch (9300) server-first
# - Memcached (11211) clients do not issue any preamble, which breaks detection
opaquePorts: "25,587,3306,4444,5432,6379,9300,11211"
# -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.
shutdownGracePeriod: ""
# -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated",
# "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"
# @default -- "all-unauthenticated"
defaultInboundPolicy: "all-unauthenticated"
# proxy-init configuration
proxyInit:
# -- Variant of iptables that will be used to configure routing. Currently,
# proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will
# control which utility binary will be called. The host must support
# whichever mode will be used
iptablesMode: "legacy"
# -- Default set of inbound ports to skip via iptables
# - Galera (4567,4568)
ignoreInboundPorts: "4567,4568"
# -- Default set of outbound ports to skip via iptables
# - Galera (4567,4568)
ignoreOutboundPorts: "4567,4568"
# -- Default set of ports to skip via iptables for control plane
# components so they can communicate with the Kubernetes API Server
kubeAPIServerPorts: "443,6443"
# -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy
skipSubnets: ""
# -- Log level for the proxy-init
# @default -- info
logLevel: ""
# -- Log format (`plain` or `json`) for the proxy-init
# @default -- plain
logFormat: ""
image:
# -- Docker image for the proxy-init container
name: cr.l5d.io/linkerd/proxy-init
# -- Pull policy for the proxy-init container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the proxy-init container Docker image
version: v2.2.3
resources:
cpu:
# -- Maximum amount of CPU units that the proxy-init container can use
limit: 100m
# -- Amount of CPU units that the proxy-init container requests
request: 100m
memory:
# -- Maximum amount of memory that the proxy-init container can use
limit: 20Mi
# -- Amount of memory that the proxy-init container requests
request: 20Mi
ephemeral-storage:
# -- Maximum amount of ephemeral storage that the proxy-init container can use
limit: ""
# -- Amount of ephemeral storage that the proxy-init container requests
request: ""
closeWaitTimeoutSecs: 0
# -- Privileged mode allows the container processes to inherit all security
# capabilities and bypass any security limitations enforced by the kubelet.
# When used with 'runAsRoot: true', the container will behave exactly as if
# it was running as root on the host. May escape cgroup limits and see other
# processes and devices on the host.
# @default -- false
privileged: false
# -- Allow overriding the runAsNonRoot behaviour (<https://github.com/linkerd/linkerd2/issues/7308>)
runAsRoot: false
# -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0
runAsUser: 65534
xtMountPath:
mountPath: /run
name: linkerd-proxy-init-xtables-lock
# network validator configuration
# This runs on a host that uses iptables to reroute network traffic. The validator
# ensures that iptables is correctly routing requests before we start linkerd.
networkValidator:
# -- Log level for the network-validator
# @default -- debug
logLevel: debug
# -- Log format (`plain` or `json`) for network-validator
# @default -- plain
logFormat: plain
# -- Address to which the network-validator will attempt to connect. we expect this to be rewritten
connectAddr: "1.1.1.1:20001"
# -- Address to which network-validator listens to requests from itself
listenAddr: "0.0.0.0:4140"
# -- Timeout before network-validator fails to validate the pod's network connectivity
timeout: "10s"
# -- Include a securityContext in the network-validator pod spec
enableSecurityContext: true
# -- For Private docker registries, authentication is needed.
# Registry secrets are applied to the respective service accounts
imagePullSecrets: []
# - name: my-private-docker-registry-login-secret
# -- Allow proxies to perform transparent HTTP/2 upgrading
enableH2Upgrade: true
# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note
# PSP has been deprecated since k8s v1.21
enablePSP: false
# -- Failure policy for the proxy injector
webhookFailurePolicy: Ignore
# controllerImage -- Docker image for the destination and identity components
controllerImage: cr.l5d.io/linkerd/controller
# -- Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage.
controllerImageVersion: ""
# -- Number of replicas for each control plane pod
controllerReplicas: 1
# -- User ID for the control plane components
controllerUID: 2103
# destination configuration
# set resources for the sp-validator and its linkerd proxy respectively
# see proxy.resources for details.
# destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields)
#destinationResources:
#destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy
# injected into destination pod (see `proxy.resources` for sub-fields)
#destinationProxyResources:
# debug configuration
debugContainer:
image:
# -- Docker image for the debug container
name: cr.l5d.io/linkerd/debug
# -- Pull policy for the debug container Docker image
# @default -- imagePullPolicy
pullPolicy: ""
# -- Tag for the debug container Docker image
# @default -- linkerdVersion
version: ""
identity:
# -- If the linkerd-identity-trust-roots ConfigMap has already been created
externalCA: false
# -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token
serviceAccountTokenProjection: true
issuer:
scheme: linkerd.io/tls
# -- Amount of time to allow for clock skew within a Linkerd cluster
clockSkewAllowance: 20s
# -- Amount of time for which the Identity issuer should certify identity
issuanceLifetime: 24h0m0s
# -- Which scheme is used for the identity issuer secret format
tls:
# -- Issuer certificate (ECDSA). It must be provided during install.
crtPEM: |
# -- Key for the issuer certificate (ECDSA). It must be provided during
# install
keyPEM: |
# -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields)
#identityResources:
# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields)
#identityProxyResources:
# heartbeat configuration
# disableHeartBeat -- Set to true to not start the heartbeat cronjob
disableHeartBeat: false
# -- Config for the heartbeat cronjob
# heartbeatSchedule: "0 0 * * *"
# proxy injector configuration
proxyInjector:
# -- Do not create a secret resource for the proxyInjector webhook.
# If this is set to `true`, the value `proxyInjector.caBundle` must be set
# or the ca bundle must injected with cert-manager ca injector using
# `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below).
externalSecret: false
# -- Namespace selector used by admission webhook.
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
- cert-manager
# -- Object selector used by admission webhook.
objectSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: DoesNotExist
- key: linkerd.io/cni-resource
operator: DoesNotExist
# -- Certificate for the proxy injector. If not provided and not using an external secret
# then Helm will generate one.
crtPEM: |
# -- Certificate key for the proxy injector. If not provided and not using an external secret
# then Helm will generate one.
keyPEM: |
# -- Bundle of CA certificates for proxy injector.
# If not provided nor injected with cert-manager,
# then Helm will use the certificate generated for `proxyInjector.crtPEM`.
# If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or
# injectCaFromSecret must be set, as no certificate will be generated.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
caBundle: |
# -- Inject the CA bundle from a cert-manager Certificate.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
# for more information.
injectCaFrom: ""
# -- Inject the CA bundle from a Secret.
# If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
# The Secret must have the CA Bundle stored in the `ca.crt` key and have
# the `cert-manager.io/allow-direct-injection` annotation set to `true`.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
# for more information.
injectCaFromSecret: ""
# -|- CPU, Memory and Ephemeral Storage resources required by the proxy injector (see
#`proxy.resources` for sub-fields)
#proxyInjectorResources:
#-|- CPU, Memory and Ephemeral Storage resources required by proxy injected into the proxy injector
#pod (see `proxy.resources` for sub-fields)
#proxyInjectorProxyResources:
# service profile validator configuration
profileValidator:
# -- Do not create a secret resource for the profileValidator webhook.
# If this is set to `true`, the value `proxyInjector.caBundle` must be set
# or the ca bundle must injected with cert-manager ca injector using
# `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below).
externalSecret: false
# -- Namespace selector used by admission webhook
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
# -- Certificate for the service profile validator. If not provided and not using an external secret
# then Helm will generate one.
crtPEM: |
# -- Certificate key for the service profile validator. If not provided and not using an external secret
# then Helm will generate one.
keyPEM: |
# -- Bundle of CA certificates for proxy injector.
# If not provided nor injected with cert-manager,
# then Helm will use the certificate generated for `profileValidator.crtPEM`.
# If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or
# injectCaFromSecret must be set, as no certificate will be generated.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
caBundle: |
# -- Inject the CA bundle from a cert-manager Certificate.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
# for more information.
injectCaFrom: ""
# -- Inject the CA bundle from a Secret.
# If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
# The Secret must have the CA Bundle stored in the `ca.crt` key and have
# the `cert-manager.io/allow-direct-injection` annotation set to `true`.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
# for more information.
injectCaFromSecret: ""
# policy validator configuration
policyValidator:
# -- Do not create a secret resource for the policyValidator webhook.
# If this is set to `true`, the value `policyValidator.caBundle` must be set
# or the ca bundle must injected with cert-manager ca injector using
# `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below).
externalSecret: false
# -- Namespace selector used by admission webhook
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
# -- Certificate for the policy validator. If not provided and not using an external secret
# then Helm will generate one.
crtPEM: |
# -- Certificate key for the policy validator. If not provided and not using an external secret
# then Helm will generate one.
keyPEM: |
# -- Bundle of CA certificates for proxy injector.
# If not provided nor injected with cert-manager,
# then Helm will use the certificate generated for `policyValidator.crtPEM`.
# If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or
# injectCaFromSecret must be set, as no certificate will be generated.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information.
caBundle: |
# -- Inject the CA bundle from a cert-manager Certificate.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource)
# for more information.
injectCaFrom: ""
# -- Inject the CA bundle from a Secret.
# If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook.
# The Secret must have the CA Bundle stored in the `ca.crt` key and have
# the `cert-manager.io/allow-direct-injection` annotation set to `true`.
# See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource)
# for more information.
injectCaFromSecret: ""
# -|- CPU, Memory and Ephemeral Storage resources required by the policy controller
#policyControllerResources:
# -- NodeSelector section, See the [K8S
# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
# for more information
nodeSelector:
kubernetes.io/os: linux
# -|- CPU, Memory and Ephemeral Storage resources required by the SP validator (see
#`proxy.resources` for sub-fields)
#spValidatorResources:
# -|- Tolerations section, See the
# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
# for more information
#tolerations:
# -|- NodeAffinity section, See the
# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
# for more information
#nodeAffinity:
# Prometheus Operator PodMonitor configuration
podMonitor:
# -- Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor)
enabled: false
# -- Interval at which metrics should be scraped
scrapeInterval: 10s
# -- Iimeout after which the scrape is ended
scrapeTimeout: 10s
controller:
# -- Enables the creation of PodMonitor for the control-plane
enabled: true
# -- Selector to select which namespaces the Endpoints objects are discovered from
namespaceSelector: |
matchNames:
- {{ .Release.Namespace }}
- linkerd-viz
- linkerd-jaeger
serviceMirror:
# -- Enables the creation of PodMonitor for the Service Mirror component
enabled: true
proxy:
# -- Enables the creation of PodMonitor for the data-plane
enabled: true