---
###
### Destination Controller Service
###
{{- /*
  Five Services front the destination pod, all selected by
  linkerd.io/control-plane-component=destination. linkerd-dst and
  linkerd-policy expose the gRPC APIs; linkerd-sp-validator and
  linkerd-policy-validator are the admission-webhook endpoints and publish
  port 443, mapped onto the named container ports of the Deployment below.
*/}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: {{ .Values.namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Values.namespace }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
{{- /* Headless twin of linkerd-dst: same selector and port, no cluster IP. */}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst-headless
  namespace: {{ .Values.namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Values.namespace }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
{{- /* ServiceProfile validating-webhook endpoint; 443 -> container port named sp-validator (8443). */}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: {{ .Values.namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Values.namespace }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator
---
{{- /* Headless service for the policy controller's gRPC API (container port 8090). */}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy
  namespace: {{ .Values.namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Values.namespace }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8090
    targetPort: 8090
---
{{- /* Policy admission-webhook endpoint; 443 -> container port named policy-https (9443). */}}
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy-validator
  namespace: {{ .Values.namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Values.namespace }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: policy-https
    port: 443
    targetPort: policy-https
{{- if .Values.enablePodAntiAffinity }}
---
{{- /*
  Only emitted together with pod anti-affinity, i.e. when the replicas are
  expected to be spread out and a disruption budget is meaningful.
  NOTE(review): policy/v1beta1 PodDisruptionBudget was removed in
  Kubernetes 1.25 (policy/v1 is the replacement). Left unchanged because
  the chart's minimum supported Kubernetes version is not visible from this
  file; confirm before bumping the apiVersion.
*/}}
kind: PodDisruptionBudget
apiVersion: policy/v1beta1
metadata:
  name: linkerd-dst
  namespace: {{ .Values.namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Values.namespace }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
{{- end }}
---
{{- /*
  $tree is a deep copy of the root context so that .Values.proxy can be
  specialised for this workload (workloadKind, component, ports, policy)
  without mutating the values other templates see. linkerd.proxy.validation
  is evaluated against the original proxy values; what it checks lives in
  that partial.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}}
{{ include "linkerd.proxy.validation" .Values.proxy -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{ .Values.controllerImageVersion | default .Values.linkerdVersion }}
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{ .Values.namespace }}
  name: linkerd-destination
  namespace: {{ .Values.namespace }}
spec:
  replicas: {{ .Values.controllerReplicas }}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: {{ .Values.namespace }}
      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6 }}
  {{- if .Values.enablePodAntiAffinity }}
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  {{- end }}
  template:
    metadata:
      annotations:
        {{- /*
          A hash of the rendered destination-rbac.yaml goes into the pod
          template, so a change to the RBAC/webhook configuration rolls the
          pods. It is omitted only when cliVersion is set AND stage is
          "control-plane" (presumably the CLI's staged install; confirm).
        */}}
        {{- if (or (empty .Values.cliVersion) (not (eq (.Values.stage | toString) "control-plane"))) }}
        checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }}
        {{- end }}
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8 }}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        {{- /*
          Keep this annotation in step with the defaultInboundPolicy value
          set on $tree.Values.proxy further down: the webhook ports (8443,
          9443) are called by the API server, which is not a meshed client,
          so the proxy cannot require mesh identity on inbound connections.
          The validators presumably terminate TLS themselves with the
          *-k8s-tls secrets mounted at /var/run/linkerd/tls (confirm in the
          controller code).
        */}}
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: {{ .Values.namespace }}
        linkerd.io/workload-ns: {{ .Values.namespace }}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8 }}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- if .Values.enablePodAntiAffinity -}}
      {{- $local := dict "component" "destination" -}}
      {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
      {{- end }}
      containers:
      {{- /*
        Per-workload overrides for the injected proxy. sprig merge writes
        proxy.resources defaults into destinationProxyResources, with the
        explicit destinationProxyResources keys taking precedence.
        podInboundPorts must list every containerPort of the three
        controllers below (8086/9996 destination, 8443/9997 sp-validator,
        8090/9990/9443 policy). "await" and "loadTrustBundleFromConfigMap"
        are consumed by partials.proxy; from the names, presumably the
        linkerd-await wrapper and sourcing trust roots from a ConfigMap —
        confirm against the partial.
      */}}
      {{- if not (empty .Values.destinationProxyResources) }}
      {{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- $_ := set $tree.Values.proxy "await" true }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }}
      {{- /*
        The pod needs to accept webhook traffic, and we can't rely on that
        originating in the cluster network.
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      {{- /*
        indent 8 + trimPrefix of 7 spaces turns the partial's first line into
        the "- " list item at this indentation; the remaining lines keep the
        8-space indent of the item body.
      */}}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      - args:
        - destination
        - -addr=:8086
        - -controller-namespace={{ .Values.namespace }}
        - -enable-h2-upgrade={{ .Values.enableH2Upgrade }}
        - -log-level={{ .Values.controllerLogLevel }}
        - -log-format={{ .Values.controllerLogFormat }}
        - -enable-endpoint-slices={{ .Values.enableEndpointSlices }}
        - -cluster-domain={{ .Values.clusterDomain }}
        - -identity-trust-domain={{ .Values.identityTrustDomain | default .Values.clusterDomain }}
        - -default-opaque-ports={{ .Values.proxy.opaquePorts }}
        {{- include "partials.linkerd.trace" . | nindent 8 -}}
        image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion | default .Values.linkerdVersion }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        {{- if .Values.destinationResources -}}
        {{- include "partials.resources" .Values.destinationResources | nindent 8 }}
        {{- end }}
        {{- /*
          NOTE(review): all three controller containers set only runAsUser.
          Kubernetes also offers allowPrivilegeEscalation: false,
          capabilities.drop: [ALL], readOnlyRootFilesystem and seccompProfile
          here; not added, because this template alone does not show whether
          the images tolerate them (e.g. writable paths) — confirm before
          hardening.
        */}}
        securityContext:
          runAsUser: {{ .Values.controllerUID }}
      - args:
        - sp-validator
        - -log-level={{ .Values.controllerLogLevel }}
        - -log-format={{ .Values.controllerLogFormat }}
        image: {{ .Values.controllerImage }}:{{ .Values.controllerImageVersion | default .Values.linkerdVersion }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        {{- if .Values.spValidatorResources -}}
        {{- include "partials.resources" .Values.spValidatorResources | nindent 8 }}
        {{- end }}
        securityContext:
          runAsUser: {{ .Values.controllerUID }}
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: sp-tls
          readOnly: true
      - args:
        - --admin-addr=0.0.0.0:9990
        - --grpc-addr=0.0.0.0:8090
        - --admission-addr=0.0.0.0:9443
        - --cluster-networks={{ .Values.clusterNetworks }}
        - --identity-domain={{ .Values.identityTrustDomain | default .Values.clusterDomain }}
        - --default-policy={{ .Values.policyController.defaultAllowPolicy }}
        - --log-level={{ .Values.policyController.logLevel | default "linkerd=info,warn" }}
        - --log-format={{ .Values.controllerLogFormat }}
        image: {{ .Values.policyController.image.name }}:{{ .Values.policyController.image.version | default .Values.linkerdVersion }}
        imagePullPolicy: {{ .Values.policyController.image.pullPolicy | default .Values.imagePullPolicy }}
        {{- /*
          NOTE(review): unlike the other two containers, liveness probes
          /ready rather than /ping, so a not-ready policy controller is also
          restarted. This may simply be what the policy controller serves —
          confirm before aligning it with the others.
        */}}
        livenessProbe:
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        name: policy
        ports:
        - containerPort: 8090
          name: grpc
        - containerPort: 9990
          name: admin-http
        - containerPort: 9443
          name: policy-https
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
        {{- /* Policy resources fall back to the destination controller's. */}}
        {{- $res := .Values.policyController.resources | default .Values.destinationResources }}
        {{- if $res }}
        {{- include "partials.resources" $res | nindent 8 }}
        {{- end }}
        securityContext:
          runAsUser: {{ .Values.controllerUID }}
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: policy-tls
          readOnly: true
      {{ if not .Values.cniEnabled -}}
      initContainers:
      {{- /*
        The destination controller needs to connect to the Kubernetes API
        before the proxy is able to proxy requests, so we always skip these
        connections. Outbound 443 from this pod therefore bypasses the proxy
        (no mesh mTLS) and relies on the API server's own TLS.
      */}}
      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" "443" }}
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      serviceAccountName: linkerd-destination
      volumes:
      {{- /* Webhook serving certificates, mounted read-only into the two validator containers. */}}
      - name: sp-tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - name: policy-tls
        secret:
          secretName: linkerd-policy-validator-k8s-tls
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}