rancher-partner-charts/charts/linkerd/linkerd2/templates/proxy-injector.yaml


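---
###
### Proxy Injector
###
### Deployment for the linkerd-proxy-injector control-plane component. The pod
### runs the Linkerd proxy (partials.proxy) next to the proxy-injector
### container, which listens on 8443 (port name proxy-injector) and serves
### its liveness/readiness probes on 9995 (admin-http).
###
{{- /*
  Proxy overrides below are set on $tree, a deep copy of the root context.
  The partials.proxy, partials.proxy-init and partials.proxy.labels includes
  render from $tree; validation still runs against the original .Values.proxy.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}}
{{ include "linkerd.proxy.validation" .Values.proxy -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    # Templated label values are quoted: a value such as 2.11 or an all-digit
    # namespace would otherwise be typed as a number and rejected as a label.
    app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion | quote}}
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Values.namespace | quote}}
  name: linkerd-proxy-injector
  namespace: {{.Values.namespace | quote}}
spec:
  replicas: {{.Values.controllerReplicas}}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  {{- if .Values.enablePodAntiAffinity }}
  # With anti-affinity enabled, roll one pod at a time.
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  {{- end }}
  template:
    metadata:
      annotations:
        {{- if (or (empty .Values.cliVersion) (not (eq (.Values.stage | toString) "control-plane"))) }}
        # Hash of the rendered RBAC template; a change there changes the pod
        # template and so triggers a rollout. Quoted so a digest that happens to
        # look numeric stays a string.
        checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum | quote }}
        {{- end }}
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8}}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        # Mirrors the proxy values set in the containers section: the webhook
        # port is opaque and inbound traffic is accepted without mesh identity,
        # because webhook callers may not be in the cluster network.
        config.linkerd.io/opaque-ports: "8443"
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: {{.Values.namespace | quote}}
        linkerd.io/workload-ns: {{.Values.namespace | quote}}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- if .Values.enablePodAntiAffinity -}}
      {{- /*
        dict takes key/value pairs. The "label" key previously had no value,
        which Sprig fills with an empty string; it now names the component
        label this Deployment selects on.
        NOTE(review): confirm against the linkerd.pod-affinity partial.
      */ -}}
      {{- $local := dict "component" "proxy-injector" "label" "linkerd.io/control-plane-component" -}}
      {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
      {{- end }}
      containers:
      {{- /*
        Optional per-component proxy resources: merge keeps what is set in
        proxyInjectorProxyResources and fills the rest from proxy.resources.
      */}}
      {{- if not (empty .Values.proxyInjectorProxyResources) }}
      {{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- $_ := set $tree.Values.proxy "await" true }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }}
      {{- /*
        The pod needs to accept webhook traffic, and we can't rely on that originating in the
        cluster network.
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      - args:
        - proxy-injector
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        image: {{.Values.controllerImage}}:{{default .Values.linkerdVersion .Values.controllerImageVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        {{- if .Values.proxyInjectorResources -}}
        {{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }}
        {{- end }}
        securityContext:
          # The container runs under a fixed UID and needs no setuid path, so
          # forbid gaining privileges after start.
          # NOTE(review): readOnlyRootFilesystem and dropping all capabilities
          # are the usual next steps; confirm the image writes nothing outside
          # its mounted volumes before enabling them.
          allowPrivilegeEscalation: false
          runAsUser: {{.Values.controllerUID}}
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        - mountPath: /var/run/linkerd/identity/trust-roots
          name: trust-roots
        # Secret-backed volume (presumably the webhook's serving key pair);
        # mounted read-only.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      # proxy-init is only added when the CNI plugin is not in use.
      {{ if not .Values.cniEnabled -}}
      initContainers:
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}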
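---
# Service in front of the proxy-injector pods: port 443 forwards to the
# container port named proxy-injector (8443 in the Deployment).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  # Templated values are quoted so an all-digit namespace stays a string.
  namespace: {{.Values.namespace | quote}}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Values.namespace | quote}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
    # Annotation values must be strings, hence the quoted port number.
    config.linkerd.io/opaque-ports: "443"
spec:
  # ClusterIP only: the Service is not exposed outside the cluster.
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector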
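{{- if .Values.enablePodAntiAffinity }}
---
# PodDisruptionBudget for the proxy-injector pods, rendered only when pod
# anti-affinity is enabled. At most one matching pod may be unavailable
# through voluntary disruption at a time.
kind: PodDisruptionBudget
{{- /*
  policy/v1beta1 PodDisruptionBudget is no longer served from Kubernetes 1.25.
  Use policy/v1 where the cluster offers it and keep v1beta1 for older ones.
*/}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
metadata:
  name: linkerd-proxy-injector
  # Templated values are quoted so an all-digit namespace stays a string.
  namespace: {{.Values.namespace | quote}}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Values.namespace | quote}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
{{- end }}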