# Default values for linkerd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# -- Kubernetes DNS Domain name to use
clusterDomain: cluster.local

# -- The cluster networks for which service discovery is performed. This should
# include the pod and service networks, but need not include the node network.
#
# By default, all private networks are specified so that resolution works in
# typical Kubernetes environments.
clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
# -- Docker image pull policy
imagePullPolicy: IfNotPresent
# -- Log level for the control plane components
controllerLogLevel: info
# -- Log format for the control plane components
controllerLogFormat: plain
# -- enables control plane tracing
controlPlaneTracing: false
# -- namespace to send control plane traces to
controlPlaneTracingNamespace: linkerd-jaeger
# -- control plane version. See Proxy section for proxy version
linkerdVersion: stable-2.11.0
# -- Control plane namespace
namespace: linkerd
# -- enables the use of EndpointSlice informers for the destination service;
# enableEndpointSlices should be set to true only if EndpointSlice K8s feature
# gate is on; the feature is still experimental.
enableEndpointSlices: false
# -- enabling this omits the NET_ADMIN capability in the PSP
# and the proxy-init container when injecting the proxy;
# requires the linkerd-cni plugin to already be installed
cniEnabled: false
# -- Trust root certificate (ECDSA). It must be provided during install.
identityTrustAnchorsPEM: |
# -- Trust domain used for identity
# @default -- clusterDomain
identityTrustDomain: ""
# -- Additional annotations to add to all pods
podAnnotations: {}
# -- Additional labels to add to all pods
podLabels: {}

# policy controller configuration
policyController:
  # image -- Docker image for the policy controller
  image:
    # -- Docker image for the proxy
    name: cr.l5d.io/linkerd/policy-controller
    # -- Pull policy for the proxy container Docker image
    # @default -- imagePullPolicy
    pullPolicy: ""
    # -- Tag for the proxy container Docker image
    # @default -- linkerdVersion
    version: ""

  # -- The default allow policy to use when no `Server` selects a pod.  One of: "all-authenticated",
  # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"
  # @default -- "all-unauthenticated"
  defaultAllowPolicy: "all-unauthenticated"

  # -- Log level for the policy controller
  logLevel: linkerd=info,warn

  # -- policy controller resource requests & limits
  # @default -- destinationResources
  resources:
    cpu:
      # -- Maximum amount of CPU units that the policy controller can use
      limit: ""
      # -- Amount of CPU units that the policy controller requests
      request: ""
    memory:
      # -- Maximum amount of memory that the policy controller can use
      limit: ""
      # -- Maximum amount of memory that the policy controller requests
      request: ""

# proxy configuration
proxy:
  # -- Enable service profiles for non-Kubernetes services
  enableExternalProfiles: false
  # -- Maximum time allowed for the proxy to establish an outbound TCP
  # connection
  outboundConnectTimeout: 1000ms
  # -- Maximum time allowed for the proxy to establish an inbound TCP
  # connection
  inboundConnectTimeout: 100ms
  image:
    # -- Docker image for the proxy
    name: cr.l5d.io/linkerd/proxy
    # -- Pull policy for the proxy container Docker image
    # @default -- imagePullPolicy
    pullPolicy: ""
    # -- Tag for the proxy container Docker image
    # @default -- linkerdVersion
    version: ""
  # -- Log level for the proxy
  logLevel: warn,linkerd=info
  # -- Log format (`plain` or `json`) for the proxy
  logFormat: plain
  ports:
    # -- Admin port for the proxy container
    admin: 4191
    # -- Control port for the proxy container
    control: 4190
    # -- Inbound port for the proxy container
    inbound: 4143
    # -- Outbound port for the proxy container
    outbound: 4140
  # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores`
  # must be an integer and should typically be set by rounding up from the
  # limit. E.g. if cpu.limit is '1500m', cores should be 2.
  cores: 0
  resources:
    cpu:
      # -- Maximum amount of CPU units that the proxy can use
      limit: ""
      # -- Amount of CPU units that the proxy requests
      request: ""
    memory:
      # -- Maximum amount of memory that the proxy can use
      limit: ""
      # -- Maximum amount of memory that the proxy requests
      request: ""
  # -- User id under which the proxy runs
  uid: 2102
  # -- If set the proxy sidecar will stay alive for at
  # least the given period before receiving SIGTERM signal from Kubernetes but
  # no longer than pod's `terminationGracePeriodSeconds`. See [Lifecycle
  # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks)
  # for more info on container lifecycle hooks.
  waitBeforeExitSeconds: 0
  #  -- If set, the application container will not start until the proxy is
  # ready
  await: true
  requireIdentityOnInboundPorts: ""
  # -- Default set of opaque ports
  # - SMTP (25,587) server-first
  # - MYSQL (3306) server-first
  # - Galera (4444) server-first
  # - PostgreSQL (5432) server-first
  # - Redis (6379) server-first
  # - ElasticSearch (9300) server-first
  # - Memcached (11211) clients do not issue any preamble, which breaks detection
  opaquePorts: "25,587,3306,4444,5432,6379,9300,11211"

# proxy-init configuration
proxyInit:
  # -- Default set of inbound ports to skip via iptables
  # - Galera (4567,4568)
  ignoreInboundPorts: "4567,4568"
  # -- Default set of outbound ports to skip via iptables
  # - Galera (4567,4568)
  ignoreOutboundPorts: "4567,4568"
  image:
    # -- Docker image for the proxy-init container
    name: cr.l5d.io/linkerd/proxy-init
    # -- Pull policy for the proxy-init container Docker image
    # @default -- imagePullPolicy
    pullPolicy: ""
    # -- Tag for the proxy-init container Docker image
    version: v1.4.0
  resources:
    cpu:
      # -- Maximum amount of CPU units that the proxy-init container can use
      limit: 100m
      # -- Amount of CPU units that the proxy-init container requests
      request: 10m
    memory:
      # -- Maximum amount of memory that the proxy-init container can use
      limit: 50Mi
      # -- Amount of memory that the proxy-init container requests
      request: 10Mi
  closeWaitTimeoutSecs: 0
  xtMountPath:
    mountPath: /run
    name: linkerd-proxy-init-xtables-lock
# -- For Private docker registries, authentication is needed.
#  Registry secrets are applied to the respective service accounts
imagePullSecrets: []
# - name: my-private-docker-registry-login-secret

# -- Allow proxies to perform transparent HTTP/2 upgrading
enableH2Upgrade: true

# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note
# PSP has been deprecated since k8s v1.21
enablePSP: false

# -- Failure policy for the proxy injector
webhookFailurePolicy: Ignore


# controllerImage -- Docker image for the destination and identity components
controllerImage: cr.l5d.io/linkerd/controller
# -- Number of replicas for each control plane pod
controllerReplicas: 1
# -- User ID for the control plane components
controllerUID: 2103


# destination configuration
# set resources for the sp-validator and its linkerd proxy respectively
# see proxy.resources for details.
# destinationResources -- CPU and Memory resources required by destination (see `proxy.resources` for sub-fields)
#destinationResources:
#destinationProxyResources -- CPU and Memory resources required by proxy
# injected into destination pod (see `proxy.resources` for sub-fields)
#destinationProxyResources:

# debug configuration
debugContainer:
  image:
    # -- Docker image for the debug container
    name: cr.l5d.io/linkerd/debug
    # -- Pull policy for the debug container Docker image
    # @default -- imagePullPolicy
    pullPolicy: ""
    # -- Tag for the debug container Docker image
    # @default -- linkerdVersion
    version: ""

identity:
  # -- If the linkerd-identity-trust-roots ConfigMap has already been created
  externalCA: false
  issuer:
    scheme: linkerd.io/tls

    # -- Amount of time to allow for clock skew within a Linkerd cluster
    clockSkewAllowance: 20s

    # -- Expiration timestamp for the issuer certificate. It must be provided during install. Must match the expiry date in crtPEM
    crtExpiry:

    # -- Amount of time for which the Identity issuer should certify identity
    issuanceLifetime: 24h0m0s

    # -- Which scheme is used for the identity issuer secret format
    tls:
      # -- Issuer certificate (ECDSA). It must be provided during install.
      crtPEM: |

      # -- Key for the issuer certificate (ECDSA). It must be provided during
      # install
      keyPEM: |


# -|- CPU and Memory resources required by the identity controller (see `proxy.resources` for sub-fields)
#identityResources:
# -|- CPU and Memory resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields)
#identityProxyResources:

# heartbeat configuration
# disableHeartBeat -- Set to true to not start the heartbeat cronjob
disableHeartBeat: false
# -- Config for the heartbeat cronjob
# heartbeatSchedule: "0 0 * * *"

# proxy injector configuration
proxyInjector:
  # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below)
  externalSecret: false

  # -- Namespace selector used by admission webhook. If not set defaults to all
  # namespaces without the annotation
  # config.linkerd.io/admission-webhooks=disabled
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled

  # -- Certificate for the proxy injector. If not provided then Helm will generate one.
  crtPEM: |

  # -- Certificate key for the proxy injector. If not provided then Helm will generate one.
  keyPEM: |

  # -- Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated  for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated.
  caBundle: |

# -|- CPU and Memory resources required by the proxy injector (see
#`proxy.resources` for sub-fields)
#proxyInjectorResources:
#-|- CPU and Memory resources required by proxy injected into the proxy injector
#pod (see `proxy.resources` for sub-fields)
#proxyInjectorProxyResources:

# service profile validator configuration
profileValidator:
  # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below).
  externalSecret: false

  # -- Namespace selector used by admission webhook
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled

  # -- Certificate for the service profile validator. If not provided then Helm
  # will generate one.
  crtPEM: |

  # -- Certificate key for the service profile validator. If not provided then
  # Helm will generate one.
  keyPEM: |

  # -- Bundle of CA certificates for service profile validator. If not provided
  # then Helm will use the certificate generated  for `profileValidator.crtPEM`.
  # If `profileValidator.externalSecret` is set to true, this value must be set,
  # as no certificate will be generated.
  caBundle: |

# policy validator configuration
policyValidator:
  # -- Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set (see below).
  externalSecret: false

  # -- Namespace selector used by admission webhook
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled

  # -- Certificate for the policy validator. If not provided then Helm
  # will generate one.
  crtPEM: |

  # -- Certificate key for the policy validator. If not provided then
  # Helm will generate one.
  keyPEM: |

  # -- Bundle of CA certificates for policy validator. If not provided
  # then Helm will use the certificate generated  for `policyValidator.crtPEM`.
  # If `policyValidator.externalSecret` is set to true, this value must be set,
  # as no certificate will be generated.
  caBundle: |

# -|- CPU and Memory resources required by the SP validator (see
#`proxy.resources` for sub-fields)
#spValidatorResources:

# If the namespace is controlled by an external tool or can't be installed with Helm
# you can disable its installation. In this case:
# - The namespace created by the external tool must match the namespace value above
# - The external tool needs to create the namespace with the label:
#     config.linkerd.io/admission-webhooks: disabled

# installNamespace -- Set to false when installing Linkerd in a custom namespace. See the
# [Linkerd documentation](https://linkerd.io/2/tasks/install-helm#customizing-the-namespace) for more information.
installNamespace: true

# -- NodeSelector section, See the [K8S
# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
# for more information
nodeSelector:
  beta.kubernetes.io/os: linux

# -|- Tolerations section, See the
# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
# for more information
#tolerations: