
---
###
### Destination Controller Service
###
# ClusterIP entry point for the destination controller's gRPC API. Port 8086 maps straight
# onto the "destination" container's grpc containerPort in the Deployment below.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  # Every Service in this file selects the same linkerd-destination pods by this label.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
# Headless counterpart of linkerd-dst: no cluster IP is allocated, so the name resolves to
# the individual destination pod endpoints on the same gRPC port (8086).
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst-headless
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
# Exposes the sp-validator container on 443. targetPort is the named containerPort
# "sp-validator" (8443 in the Deployment below); that container mounts its TLS material from
# the sp-tls Secret volume, so this is presumably the HTTPS endpoint a webhook configuration
# elsewhere in the chart points at.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator
---
# Headless Service for the policy controller's gRPC API (--grpc-addr=0.0.0.0:8090 in the
# "policy" container below), so clients resolve the pod endpoints directly.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8090
    targetPort: 8090
---
# Exposes the policy controller's HTTPS server on 443. targetPort "policy-https" is
# containerPort 9443 (--server-addr=0.0.0.0:9443), which serves with the key/cert mounted
# from the policy-tls Secret volume in the Deployment below.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy-validator
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: policy-https
    port: 443
    targetPort: policy-https
{{- /* Optional PDB for the destination pods; rendered only when enablePodDisruptionBudget is set. */}}
{{- if .Values.enablePodDisruptionBudget }}
---
# Allows at most one destination pod to be unavailable during a voluntary disruption
# (node drain, eviction), regardless of controllerReplicas.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-dst
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
{{- end }}
---
{{- /*
Destination controller Deployment: one pod running the injected proxy plus the
"destination", "sp-validator" and "policy" containers.

$tree is a deep copy of the root context so the per-workload proxy/proxyInit overrides
applied with `set` below do not leak into the shared .Values used by other templates.
Whitespace-trim markers ({{- / -}}) in this file are load-bearing for the rendered YAML;
keep comments either in template-comment form or above plain YAML lines only.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}}
{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{.Values.linkerdVersion}}
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-destination
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{.Values.controllerReplicas}}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: {{.Release.Namespace}}
      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
  {{- if .Values.deploymentStrategy }}
  strategy:
    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8}}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        # Callers of the webhooks served by this pod are not guaranteed to come from the
        # cluster network, so the proxy is told to accept unauthenticated inbound traffic.
        # The same value is set on $tree.Values.proxy.defaultInboundPolicy below.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: {{.Release.Namespace}}
        linkerd.io/workload-ns: {{.Release.Namespace}}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- with .Values.runtimeClassName }}
      runtimeClassName: {{ . | quote }}
      {{- end }}
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- $_ := set $tree "component" "destination" -}}
      {{- include "linkerd.affinity" $tree | nindent 6 }}
      containers:
      {{- /*
      Proxy sidecar overrides for this workload. destinationProxyResources, when given, is
      merged over the chart-wide proxy.resources.
      */}}
      {{- if not (empty .Values.destinationProxyResources) }}
      {{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- /*
      The seven ports listed here are exactly the containerPorts declared by the three
      controller containers below; keep them in sync when a port is added or changed.
      */}}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }}
      {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
      {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
      {{- /*
      The pod needs to accept webhook traffic, and we can't rely on that originating in the
      cluster network.
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      {{- /* The proxy container drops every Linux capability, matching the controllers below. */}}
      {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      # Destination controller: gRPC on 8086 (-addr=:8086); liveness/readiness on 9996.
      # The pprof endpoint is only enabled when enablePprof is set (defaults to false).
      - args:
        - destination
        - -addr=:8086
        - -controller-namespace={{.Release.Namespace}}
        - -enable-h2-upgrade={{.Values.enableH2Upgrade}}
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        - -enable-endpoint-slices={{.Values.enableEndpointSlices}}
        - -cluster-domain={{.Values.clusterDomain}}
        - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
        - -default-opaque-ports={{.Values.proxy.opaquePorts}}
        - -enable-pprof={{.Values.enablePprof | default false}}
        {{- include "partials.linkerd.trace" . | nindent 8 -}}
        image: {{.Values.controllerImage}}:{{.Values.linkerdVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        {{- if .Values.destinationResources -}}
        {{- include "partials.resources" .Values.destinationResources | nindent 8 }}
        {{- end }}
        # Hardened container: all capabilities dropped, read-only root filesystem,
        # non-root UID from controllerUID, no privilege escalation, RuntimeDefault seccomp.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{.Values.controllerUID}}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
      # ServiceProfile validator: listens on 8443 (Service linkerd-sp-validator:443) with
      # liveness/readiness on 9997; its TLS material comes from the read-only sp-tls mount.
      - args:
        - sp-validator
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        - -enable-pprof={{.Values.enablePprof | default false}}
        image: {{.Values.controllerImage}}:{{.Values.linkerdVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        {{- if .Values.spValidatorResources -}}
        {{- include "partials.resources" .Values.spValidatorResources | nindent 8 }}
        {{- end }}
        # Same hardening as the destination container.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{.Values.controllerUID}}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: sp-tls
          readOnly: true
      # Policy controller: gRPC on 8090, admin/probes on 9990, HTTPS on 9443 (Service
      # linkerd-policy-validator:443) serving the key/cert from the read-only policy-tls mount.
      - args:
        - --admin-addr=0.0.0.0:9990
        - --control-plane-namespace={{.Release.Namespace}}
        - --grpc-addr=0.0.0.0:8090
        - --server-addr=0.0.0.0:9443
        - --server-tls-key=/var/run/linkerd/tls/tls.key
        - --server-tls-certs=/var/run/linkerd/tls/tls.crt
        - --cluster-networks={{.Values.clusterNetworks}}
        - --identity-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
        - --cluster-domain={{.Values.clusterDomain}}
        # Deliberately reads the chart-wide default from the root .Values, not the
        # all-unauthenticated override applied to this pod's own proxy via $tree above.
        - --default-policy={{.Values.proxy.defaultInboundPolicy}}
        - --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}}
        - --log-format={{.Values.controllerLogFormat}}
        - --default-opaque-ports={{.Values.proxy.opaquePorts}}
        {{- if .Values.policyController.probeNetworks }}
        - --probe-networks={{.Values.policyController.probeNetworks | join ","}}
        {{- end}}
        image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}}
        imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /live
            port: admin-http
        name: policy
        ports:
        - containerPort: 8090
          name: grpc
        - containerPort: 9990
          name: admin-http
        - containerPort: 9443
          name: policy-https
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        {{- /* Falls back to destinationResources when no policyController.resources are given. */}}
        {{- $res := .Values.policyController.resources | default .Values.destinationResources }}
        {{- if $res }}
        {{- include "partials.resources" $res | nindent 8 }}
        {{- end }}
        # Same hardening as the destination container.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{.Values.controllerUID}}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: policy-tls
          readOnly: true
      # With cniEnabled only the network-validator init container runs; otherwise proxy-init
      # runs with proxyInit.kubeAPIServerPorts added to ignoreOutboundPorts (see the template
      # comment in the else branch for why).
      initContainers:
      {{ if .Values.cniEnabled -}}
      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ else -}}
      {{- /*
      The destination controller needs to connect to the Kubernetes API before the proxy is able
      to proxy requests, so we always skip these connections.
      */}}
      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{- if .Values.priorityClassName -}}
      priorityClassName: {{ .Values.priorityClassName }}
      {{ end -}}
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      # Serving certificates for the two validator endpoints; the Secrets are presumably
      # created elsewhere in the chart. Each is mounted read-only by its container above.
      volumes:
      - name: sp-tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - name: policy-tls
        secret:
          secretName: linkerd-policy-validator-k8s-tls
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{if .Values.identity.serviceAccountTokenProjection -}}
      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}