rancher-partner-charts/charts/linkerd/linkerd2/templates/identity.yaml

225 lines
8.1 KiB
YAML

{{if .Values.identity -}}
---
###
### Identity Controller Service
###
{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}}
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: {{.Values.namespace}}
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
annotations:
{{ include "partials.annotations.created-by" . }}
linkerd.io/identity-issuer-expiry: {{required "Please provide the identity issuer certificate expiry date" .Values.identity.issuer.crtExpiry}}
data:
crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}}
key.pem: {{b64enc (required "Please provide the identity issue private key" .Values.identity.issuer.tls.keyPEM | trim)}}
{{- end}}
{{ if not (.Values.identity.externalCA) -}}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-identity-trust-roots
namespace: {{.Values.namespace}}
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
annotations:
{{ include "partials.annotations.created-by" . }}
data:
ca-bundle.crt: |{{.Values.identityTrustAnchorsPEM | trim | nindent 4}}
{{- end}}
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: {{.Values.namespace}}
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity-headless
namespace: {{.Values.namespace}}
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
{{- if .Values.enablePodAntiAffinity }}
---
kind: PodDisruptionBudget
apiVersion: policy/v1beta1
metadata:
name: linkerd-identity
namespace: {{.Values.namespace}}
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
maxUnavailable: 1
selector:
matchLabels:
linkerd.io/control-plane-component: identity
{{- end }}
---
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}}
{{ include "linkerd.proxy.validation" .Values.proxy -}}
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
app.kubernetes.io/name: identity
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}}
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
name: linkerd-identity
namespace: {{.Values.namespace}}
spec:
replicas: {{.Values.controllerReplicas}}
selector:
matchLabels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
{{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
{{- if .Values.enablePodAntiAffinity }}
strategy:
rollingUpdate:
maxUnavailable: 1
{{- end }}
template:
metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
{{- include "partials.proxy.annotations" . | nindent 8}}
{{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
config.linkerd.io/default-inbound-policy: "all-unauthenticated"
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: {{.Values.namespace}}
linkerd.io/workload-ns: {{.Values.namespace}}
{{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
{{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
spec:
{{- if .Values.tolerations -}}
{{- include "linkerd.tolerations" . | nindent 6 }}
{{- end -}}
{{- include "linkerd.node-selector" . | nindent 6 }}
{{- if .Values.enablePodAntiAffinity -}}
{{- $local := dict "component" "identity" -}}
{{- include "linkerd.pod-affinity" $local | nindent 6 -}}
{{- end }}
containers:
- args:
- identity
- -log-level={{.Values.controllerLogLevel}}
- -log-format={{.Values.controllerLogFormat}}
- -controller-namespace={{.Values.namespace}}
- -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
- -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}}
- -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}}
- -identity-scheme={{.Values.identity.issuer.scheme}}
{{- include "partials.linkerd.trace" . | nindent 8 -}}
env:
- name: LINKERD_DISABLED
value: "linkerd-await cannot block the identity controller"
image: {{.Values.controllerImage}}:{{default .Values.linkerdVersion .Values.controllerImageVersion}}
imagePullPolicy: {{.Values.imagePullPolicy}}
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
{{- if .Values.identityResources -}}
{{- include "partials.resources" .Values.identityResources | nindent 8 }}
{{- end }}
securityContext:
runAsUser: {{.Values.controllerUID}}
volumeMounts:
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- mountPath: /var/run/linkerd/identity/trust-roots/
name: trust-roots
{{- if not (empty .Values.identityProxyResources) }}
{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }}
{{- $_ := set $tree.Values.proxy "resources" $r }}
{{- end }}
{{- $_ := set $tree.Values.proxy "await" false }}
{{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
{{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
{{- /*
The identity controller cannot discover policies, so we configure it with defaults that
enforce TLS on the identity service.
*/}}
{{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "cluster-unauthenticated" }}
{{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
- {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
{{ if not .Values.cniEnabled -}}
initContainers:
{{- /*
The identity controller needs to connect to the Kubernetes API before the proxy is able to
proxy requests, so we always skip these connections. The identity controller makes no other
outbound connections (so it's not important to persist any other skip ports here)
*/}}
{{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" "443" }}
- {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
{{ end -}}
serviceAccountName: linkerd-identity
volumes:
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
- configMap:
name: linkerd-identity-trust-roots
name: trust-roots
{{ if not .Values.cniEnabled -}}
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{ end -}}
- {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{end -}}