{{- /*
  Identity controller for the Linkerd control plane: issuer Secret, trust-roots
  ConfigMap, two Services, an optional PodDisruptionBudget and the Deployment.
  Everything below is gated on .Values.identity being set.
  All comments in this file that are Go-template comments are stripped at render
  time, so the manifests produced are unchanged by them.
*/ -}}
{{if .Values.identity -}}
---
###
### Identity Controller Service
###
{{- /*
  Issuer Secret: only rendered for the linkerd.io/tls scheme. The certificate and
  private key come straight from chart values (tls.crtPEM / tls.keyPEM) and are
  base64-encoded here; the expiry date is recorded as an annotation.
  NOTE(review): values passed to Helm are also kept in its release storage, so
  the issuer key would be persisted in more than one object in the cluster —
  confirm this matches the chart's secret-handling guidance.
*/}}
{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}}
---
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: {{.Values.namespace}}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
    linkerd.io/identity-issuer-expiry: {{required "Please provide the identity issuer certificate expiry date" .Values.identity.issuer.crtExpiry}}
data:
  crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}}
  key.pem: {{b64enc (required "Please provide the identity issue private key" .Values.identity.issuer.tls.keyPEM | trim)}}
{{- end}}
{{- /*
  Trust-roots ConfigMap: skipped when an external CA is in use. The PEM bundle is
  taken from .Values.identityTrustAnchorsPEM and written as a literal block scalar.
*/}}
{{ if not (.Values.identity.externalCA) -}}
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: {{.Values.namespace}}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
data:
  ca-bundle.crt: |{{.Values.identityTrustAnchorsPEM | trim | nindent 4}}
{{- end}}
{{- /*
  ClusterIP Service exposing the identity gRPC endpoint on port 8080.
*/}}
---
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: {{.Values.namespace}}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
{{- /*
  Headless variant of the same Service (clusterIP: None), same selector and port.
*/}}
---
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: {{.Values.namespace}}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
{{- /*
  PodDisruptionBudget, rendered only when pod anti-affinity is enabled.
  NOTE(review): policy/v1beta1 is a deprecated API group version for PDBs and is
  absent from newer Kubernetes releases; check the chart's supported Kubernetes
  range before moving to policy/v1.
*/}}
{{- if .Values.enablePodAntiAffinity }}
---
kind: PodDisruptionBudget
apiVersion: policy/v1beta1
metadata:
  name: linkerd-identity
  namespace: {{.Values.namespace}}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
{{- end }}
---
{{- /*
  Deployment. $tree is a deep copy of the root context so that the `set` calls
  on $tree.Values.proxy below (workload kind, component, resources, inbound
  policy, ...) do not mutate the shared .Values seen by other templates.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}}
{{ include "linkerd.proxy.validation" .Values.proxy -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}}
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  name: linkerd-identity
  namespace: {{.Values.namespace}}
spec:
  replicas: {{.Values.controllerReplicas}}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: {{.Values.namespace}}
      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
  {{- if .Values.enablePodAntiAffinity }}
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  {{- end }}
  template:
    metadata:
      annotations:
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8}}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        {{- /*
          NOTE(review): this pod annotation says "all-unauthenticated" while the
          proxy container below is configured with defaultInboundPolicy
          "cluster-unauthenticated" and requireTLSOnInboundPorts "8080".
          Presumably the annotation is what the policy controller reports and the
          proxy settings are what is actually enforced — confirm before relying on
          either value alone.
        */}}
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: {{.Values.namespace}}
        linkerd.io/workload-ns: {{.Values.namespace}}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- if .Values.enablePodAntiAffinity -}}
      {{- $local := dict "component" "identity" -}}
      {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
      {{- end }}
      {{- /*
        Identity controller container. Flags are taken from chart values; the
        trust domain falls back to clusterDomain when identityTrustDomain is unset.
        Port 8080 is the gRPC API, 9990 the admin endpoint used by the probes.
      */}}
      containers:
      - args:
        - identity
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        - -controller-namespace={{.Values.namespace}}
        - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
        - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}}
        - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}}
        - -identity-scheme={{.Values.identity.issuer.scheme}}
        {{- include "partials.linkerd.trace" . | nindent 8 -}}
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        image: {{.Values.controllerImage}}:{{default .Values.linkerdVersion .Values.controllerImageVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        {{- if .Values.identityResources -}}
        {{- include "partials.resources" .Values.identityResources | nindent 8 }}
        {{- end }}
        {{- /*
          The only security-context field set here is the UID from
          .Values.controllerUID; the issuer key and trust roots are mounted from the
          Secret and ConfigMap declared under volumes.
        */}}
        securityContext:
          runAsUser: {{.Values.controllerUID}}
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      {{- /*
        Proxy sidecar configuration on the copied tree: optional resource override
        (identityProxyResources merged over proxy.resources), no linkerd-await,
        trust bundle read from the ConfigMap, and the inbound ports listed above.
      */}}
      {{- if not (empty .Values.identityProxyResources) }}
      {{- $r := merge .Values.identityProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- $_ := set $tree.Values.proxy "await" false }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
      {{- /*
        The identity controller cannot discover policies, so we configure it with defaults that
        enforce TLS on the identity service.
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "cluster-unauthenticated" }}
      {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
      {{- /*
        The partial is indented by 8 and then the first 7 spaces are trimmed so
        its first line lands right after the "- " list marker.
      */}}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{- /*
        proxy-init runs only when the CNI plugin is not handling iptables.
      */}}
      {{ if not .Values.cniEnabled -}}
      initContainers:
      {{- /*
        The identity controller needs to connect to the Kubernetes API before the proxy is able
        to proxy requests, so we always skip these connections. The identity controller makes
        no other outbound connections (so it's not important to persist any other skip ports here)
      */}}
      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" "443" }}
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      serviceAccountName: linkerd-identity
      {{- /*
        Volumes backing the mounts above, plus the xtables volume (non-CNI only)
        and the proxy identity volume from the shared partials.
      */}}
      volumes:
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{end -}}