# Default values for linkerd. # This is a YAML-formatted file. # Declare variables to be passed into your templates. # -- Kubernetes DNS Domain name to use clusterDomain: cluster.local # -- The cluster networks for which service discovery is performed. This should # include the pod and service networks, but need not include the node network. # # By default, all private networks are specified so that resolution works in # typical Kubernetes environments. clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" # -- Docker image pull policy imagePullPolicy: IfNotPresent # -- Log level for the control plane components controllerLogLevel: info # -- Log format for the control plane components controllerLogFormat: plain # -- enables control plane tracing controlPlaneTracing: false # -- namespace to send control plane traces to controlPlaneTracingNamespace: linkerd-jaeger # -- control plane version. See Proxy section for proxy version linkerdVersion: stable-2.11.0 # -- Control plane namespace namespace: linkerd # -- enables the use of EndpointSlice informers for the destination service; # enableEndpointSlices should be set to true only if EndpointSlice K8s feature # gate is on; the feature is still experimental. enableEndpointSlices: false # -- enabling this omits the NET_ADMIN capability in the PSP # and the proxy-init container when injecting the proxy; # requires the linkerd-cni plugin to already be installed cniEnabled: false # -- Trust root certificate (ECDSA). It must be provided during install. identityTrustAnchorsPEM: | # -- Trust domain used for identity # @default -- clusterDomain identityTrustDomain: "" # -- Additional annotations to add to all pods podAnnotations: {} # -- Additional labels to add to all pods podLabels: {} # policy controller configuration policyController: # image -- Docker image for the policy controller image: # -- Docker image for the proxy name: cr.l5d.io/linkerd/policy-controller # -- Pull policy for the proxy container Docker image # @default -- imagePullPolicy pullPolicy: "" # -- Tag for the proxy container Docker image # @default -- linkerdVersion version: "" # -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" # @default -- "all-unauthenticated" defaultAllowPolicy: "all-unauthenticated" # -- Log level for the policy controller logLevel: linkerd=info,warn # -- policy controller resource requests & limits # @default -- destinationResources resources: cpu: # -- Maximum amount of CPU units that the policy controller can use limit: "" # -- Amount of CPU units that the policy controller requests request: "" memory: # -- Maximum amount of memory that the policy controller can use limit: "" # -- Maximum amount of memory that the policy controller requests request: "" # proxy configuration proxy: # -- Enable service profiles for non-Kubernetes services enableExternalProfiles: false # -- Maximum time allowed for the proxy to establish an outbound TCP # connection outboundConnectTimeout: 1000ms # -- Maximum time allowed for the proxy to establish an inbound TCP # connection inboundConnectTimeout: 100ms image: # -- Docker image for the proxy name: cr.l5d.io/linkerd/proxy # -- Pull policy for the proxy container Docker image # @default -- imagePullPolicy pullPolicy: "" # -- Tag for the proxy container Docker image # @default -- linkerdVersion version: "" # -- Log level for the proxy logLevel: warn,linkerd=info # -- Log format (`plain` or `json`) for the proxy logFormat: plain ports: # -- Admin port for the proxy container admin: 4191 # -- Control port for the proxy container control: 4190 # -- Inbound port for the proxy container inbound: 4143 # -- Outbound port for the proxy container outbound: 4140 # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores` # must be an integer and should typically be set by rounding up from the # limit. E.g. if cpu.limit is '1500m', cores should be 2. cores: 0 resources: cpu: # -- Maximum amount of CPU units that the proxy can use limit: "" # -- Amount of CPU units that the proxy requests request: "" memory: # -- Maximum amount of memory that the proxy can use limit: "" # -- Maximum amount of memory that the proxy requests request: "" # -- User id under which the proxy runs uid: 2102 # -- If set the proxy sidecar will stay alive for at # least the given period before receiving SIGTERM signal from Kubernetes but # no longer than pod's `terminationGracePeriodSeconds`. See [Lifecycle # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) # for more info on container lifecycle hooks. waitBeforeExitSeconds: 0 # -- If set, the application container will not start until the proxy is # ready await: true requireIdentityOnInboundPorts: "" # -- Default set of opaque ports # - SMTP (25,587) server-first # - MYSQL (3306) server-first # - Galera (4444) server-first # - PostgreSQL (5432) server-first # - Redis (6379) server-first # - ElasticSearch (9300) server-first # - Memcached (11211) clients do not issue any preamble, which breaks detection opaquePorts: "25,587,3306,4444,5432,6379,9300,11211" # proxy-init configuration proxyInit: # -- Default set of inbound ports to skip via iptables # - Galera (4567,4568) ignoreInboundPorts: "4567,4568" # -- Default set of outbound ports to skip via iptables # - Galera (4567,4568) ignoreOutboundPorts: "4567,4568" image: # -- Docker image for the proxy-init container name: cr.l5d.io/linkerd/proxy-init # -- Pull policy for the proxy-init container Docker image # @default -- imagePullPolicy pullPolicy: "" # -- Tag for the proxy-init container Docker image version: v1.4.0 resources: cpu: # -- Maximum amount of CPU units that the proxy-init container can use limit: 100m # -- Amount of CPU units that the proxy-init container requests request: 10m memory: # -- Maximum amount of memory that the proxy-init container can use limit: 50Mi # -- Amount of memory that the proxy-init container requests request: 10Mi closeWaitTimeoutSecs: 0 xtMountPath: mountPath: /run name: linkerd-proxy-init-xtables-lock # -- For Private docker registries, authentication is needed. # Registry secrets are applied to the respective service accounts imagePullSecrets: [] # - name: my-private-docker-registry-login-secret # -- Allow proxies to perform transparent HTTP/2 upgrading enableH2Upgrade: true # -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note # PSP has been deprecated since k8s v1.21 enablePSP: false # -- Failure policy for the proxy injector webhookFailurePolicy: Ignore # controllerImage -- Docker image for the destination and identity components controllerImage: cr.l5d.io/linkerd/controller # -- Number of replicas for each control plane pod controllerReplicas: 1 # -- User ID for the control plane components controllerUID: 2103 # destination configuration # set resources for the sp-validator and its linkerd proxy respectively # see proxy.resources for details. # destinationResources -- CPU and Memory resources required by destination (see `proxy.resources` for sub-fields) #destinationResources: #destinationProxyResources -- CPU and Memory resources required by proxy # injected into destination pod (see `proxy.resources` for sub-fields) #destinationProxyResources: # debug configuration debugContainer: image: # -- Docker image for the debug container name: cr.l5d.io/linkerd/debug # -- Pull policy for the debug container Docker image # @default -- imagePullPolicy pullPolicy: "" # -- Tag for the debug container Docker image # @default -- linkerdVersion version: "" identity: # -- If the linkerd-identity-trust-roots ConfigMap has already been created externalCA: false issuer: scheme: linkerd.io/tls # -- Amount of time to allow for clock skew within a Linkerd cluster clockSkewAllowance: 20s # -- Expiration timestamp for the issuer certificate. It must be provided during install. Must match the expiry date in crtPEM crtExpiry: # -- Amount of time for which the Identity issuer should certify identity issuanceLifetime: 24h0m0s # -- Which scheme is used for the identity issuer secret format tls: # -- Issuer certificate (ECDSA). It must be provided during install. crtPEM: | # -- Key for the issuer certificate (ECDSA). It must be provided during # install keyPEM: | # -|- CPU and Memory resources required by the identity controller (see `proxy.resources` for sub-fields) #identityResources: # -|- CPU and Memory resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields) #identityProxyResources: # heartbeat configuration # disableHeartBeat -- Set to true to not start the heartbeat cronjob disableHeartBeat: false # -- Config for the heartbeat cronjob # heartbeatSchedule: "0 0 * * *" # proxy injector configuration proxyInjector: # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below) externalSecret: false # -- Namespace selector used by admission webhook. If not set defaults to all # namespaces without the annotation # config.linkerd.io/admission-webhooks=disabled namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled # -- Certificate for the proxy injector. If not provided then Helm will generate one. crtPEM: | # -- Certificate key for the proxy injector. If not provided then Helm will generate one. keyPEM: | # -- Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated. caBundle: | # -|- CPU and Memory resources required by the proxy injector (see #`proxy.resources` for sub-fields) #proxyInjectorResources: #-|- CPU and Memory resources required by proxy injected into the proxy injector #pod (see `proxy.resources` for sub-fields) #proxyInjectorProxyResources: # service profile validator configuration profileValidator: # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). externalSecret: false # -- Namespace selector used by admission webhook namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled # -- Certificate for the service profile validator. If not provided then Helm # will generate one. crtPEM: | # -- Certificate key for the service profile validator. If not provided then # Helm will generate one. keyPEM: | # -- Bundle of CA certificates for service profile validator. If not provided # then Helm will use the certificate generated for `profileValidator.crtPEM`. # If `profileValidator.externalSecret` is set to true, this value must be set, # as no certificate will be generated. caBundle: | # policy validator configuration policyValidator: # -- Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set (see below). externalSecret: false # -- Namespace selector used by admission webhook namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled # -- Certificate for the policy validator. If not provided then Helm # will generate one. crtPEM: | # -- Certificate key for the policy validator. If not provided then # Helm will generate one. keyPEM: | # -- Bundle of CA certificates for policy validator. If not provided # then Helm will use the certificate generated for `policyValidator.crtPEM`. # If `policyValidator.externalSecret` is set to true, this value must be set, # as no certificate will be generated. caBundle: | # -|- CPU and Memory resources required by the SP validator (see #`proxy.resources` for sub-fields) #spValidatorResources: # If the namespace is controlled by an external tool or can't be installed with Helm # you can disable its installation. In this case: # - The namespace created by the external tool must match the namespace value above # - The external tool needs to create the namespace with the label: # config.linkerd.io/admission-webhooks: disabled # installNamespace -- Set to false when installing Linkerd in a custom namespace. See the # [Linkerd documentation](https://linkerd.io/2/tasks/install-helm#customizing-the-namespace) for more information. installNamespace: true # -- NodeSelector section, See the [K8S # documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) # for more information nodeSelector: beta.kubernetes.io/os: linux # -|- Tolerations section, See the # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) # for more information #tolerations: