From 70c1a613e28226e77a65e59acaf97d6a93728344 Mon Sep 17 00:00:00 2001 From: ihcsim Date: Tue, 30 Jul 2019 14:24:15 -0700 Subject: [PATCH] Change proxy and proxy-init templates to use global scope Some of the nested variables are removed from values.yaml to ensure changes made to root-level variables are propagated directly into the partial templates. The previous approach of using YAML anchors in the values.yaml to share common values can get out-of-sync when values are changed via the Helm's `--set` option. Signed-off-by: Ivan Sim --- charts/linkerd/templates/_config.tpl | 64 +++++++++++++ charts/linkerd/templates/config.yaml | 29 ++++-- charts/linkerd/templates/controller.yaml | 4 +- charts/linkerd/templates/grafana.yaml | 4 +- charts/linkerd/templates/identity.yaml | 4 +- charts/linkerd/templates/prometheus.yaml | 4 +- charts/linkerd/templates/proxy-injector.yaml | 4 +- charts/linkerd/templates/sp-validator.yaml | 4 +- charts/linkerd/templates/tap.yaml | 4 +- charts/linkerd/templates/web.yaml | 4 +- charts/linkerd/values.yaml | 97 ++++++-------------- charts/partials/templates/_proxy-init.tpl | 24 ++--- charts/partials/templates/_proxy.tpl | 50 +++++----- 13 files changed, 163 insertions(+), 133 deletions(-) create mode 100644 charts/linkerd/templates/_config.tpl diff --git a/charts/linkerd/templates/_config.tpl b/charts/linkerd/templates/_config.tpl new file mode 100644 index 0000000000000..c8bc7f89085df --- /dev/null +++ b/charts/linkerd/templates/_config.tpl 
@@ -0,0 +1,64 @@
+{{- define "linkerd.configs.global" -}}
+{
+ "autoInjectContext": null,
+ "clusterDomain": "{{.ClusterDomain}}",
+ "cniEnabled": {{.CNIEnabled}},
+ "identityContext":{
+ "clockSkewAllowance": "{{.Identity.Issuer.ClockSkewAllowance}}",
+ "issuanceLifeTime": "{{.Identity.Issuer.IssuanceLifeTime}}",
+ "trustAnchorsPem": "{{.Identity.Issuer.CrtPEM}}",
+ "trustDomain": "{{.TrustDomain}}"
+ },
+ "linkerdNamespace": "{{.Namespace}}",
+ "omitWebhookSideEffects": {{.OmitWebhookSideEffects}},
+ "version": "{{.LinkerdVersion}}"
+}
+{{- end -}}
+
+{{- define "linkerd.configs.proxy" -}}
+{
+ "adminPort":{
+ "port": {{.Proxy.Port.Admin}}
+ },
+ "controlPort":{
+ "port": {{.Proxy.Port.Control}}
+ },
+ "disableExternalProfiles": {{not .Proxy.EnableExternalProfile}},
+ "ignoreInboundPorts": {{splitList "," .ProxyInit.IgnoreInboundPorts}},
+ "ignoreOutboundPorts": {{splitList "," .ProxyInit.IgnoreOutboundPorts}},
+ "inboundPort":{
+ "port": {{.Proxy.Port.Inbound}}
+ },
+ "logLevel":{
+ "level": "{{.Proxy.LogLevel}}"
+ },
+ "outboundPort":{
+ "port": {{.Proxy.Port.Outbound}}
+ },
+ "proxyImage":{
+ "imageName":"{{.Proxy.Image.Name}}",
+ "pullPolicy":"{{.Proxy.Image.PullPolicy}}"
+ },
+ "proxyInitImage":{
+ "imageName":"{{.ProxyInit.Image.Name}}",
+ "pullPolicy":"{{.ProxyInit.Image.PullPolicy}}"
+ },
+ "proxyInitImageVersion": "{{.ProxyInit.Image.Version}}",
+ "proxyUid": {{.Proxy.UID}},
+ "proxyVersion": "{{.Proxy.Image.Version}}",
+ "resource":{
+ "limitCpu": "{{.Proxy.ResourceRequirements.CPU.Limit}}",
+ "limitMemory": "{{.Proxy.ResourceRequirements.Memory.Limit}}",
+ "requestCpu": "{{.Proxy.ResourceRequirements.CPU.Request}}",
+ "requestMemory": "{{.Proxy.ResourceRequirements.Memory.Request}}"
+ }
+}
+{{- end -}}
+
+{{- define "linkerd.configs.install" -}}
+{
+ "uuid":"{{ uuidv4 }}",
+ "cliVersion":"{{ .LinkerdVersion }}",
+ "flags":[]
+}
+{{- end -}}
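Review bot: `linkerd.configs.global` writes `"trustAnchorsPem": "{{.Identity.Issuer.CrtPEM}}"` with no escaping, and values.yaml declares `CrtPEM` as a multi-line block scalar, so the rendered string would contain raw newlines and stop being valid JSON; the `toJson` call this commit removes from config.yaml used to handle that. Emit the value through the encoder instead, `"trustAnchorsPem": {{.Identity.Issuer.CrtPEM | toJson}},`, and consider the same for the other quoted string fields that `--set` can override. In `linkerd.configs.proxy`, `{{splitList "," .ProxyInit.IgnoreInboundPorts}}` prints a Go slice, which is space-separated once there is more than one entry; piping it through `toJson` would at least give a valid array, though the element shape the consumer expects is not visible here.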
diff --git a/charts/linkerd/templates/config.yaml b/charts/linkerd/templates/config.yaml index 653832d153722..602164a97ae5c 100644 --- a/charts/linkerd/templates/config.yaml +++ b/charts/linkerd/templates/config.yaml @@ -1,7 +1,4 @@ {{with .Values -}} -{{- if empty .Configs -}} -{{- fail ".Configs must be defined and non-empty" -}} -{{- end -}} --- kind: ConfigMap apiVersion: v1 @@ -15,13 +12,27 @@ metadata: {{.CreatedByAnnotation}}: {{default (printf "linkerd/helm %s" .LinkerdVersion) .CliVersion}} data: global: | - {{- toJson (required ".Configs.Global must be non-empty" .Configs.Global) | nindent 4 }} + {{- if .Configs -}} + {{- if .Configs.Global -}} + {{.Configs.Global}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.global" . | nindent 4}} + {{- end }} proxy: | - {{- toJson (required ".Configs.Proxy must be non-empty" .Configs.Proxy) | nindent 4 }} + {{- if .Configs -}} + {{- if .Configs.Proxy -}} + {{.Configs.Proxy}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.proxy" . | nindent 4}} + {{- end }} install: | + {{- if .Configs -}} {{- if .Configs.Install -}} - {{- toJson .Configs.Install | nindent 4 }} - {{ else }} - {"uuid":"{{ uuidv4 }}","cliVersion":"{{.LinkerdVersion}}", "flags":[]} - {{- end -}} + {{.Configs.Instal}} + {{- end }} + {{- else -}} + {{- include "linkerd.configs.install" . | nindent 4}} + {{- end }} {{- end -}} diff --git a/charts/linkerd/templates/controller.yaml b/charts/linkerd/templates/controller.yaml index 4ecdb89c1df50..768017e325920 100644 --- a/charts/linkerd/templates/controller.yaml +++ b/charts/linkerd/templates/controller.yaml @@ -144,9 +144,9 @@ spec: volumeMounts: - mountPath: /var/run/linkerd/config name: config - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-controller volumes: - configMap: 
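Review bot: In the `install:` branch of config.yaml the new line `{{.Configs.Instal}}` misspells the key tested just above it (`.Configs.Install`), so a user-supplied install config is never rendered; it should read `{{.Configs.Install}}`. The three override branches in this hunk also print the value raw where the removed lines used `toJson ... | nindent 4`, so a map-valued `.Configs.Global` or `.Configs.Proxy` would come out in Go map syntax and unindented under the `|` block; `{{- toJson .Configs.Global | nindent 4 }}` keeps the old output. When `.Configs` is set but one of its sub-keys is not, that entry renders empty instead of falling back to the `include`, and the `required` checks the commit removes no longer catch it.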
diff --git a/charts/linkerd/templates/grafana.yaml b/charts/linkerd/templates/grafana.yaml index acf196cd28251..9710aed4baa12 100644 --- a/charts/linkerd/templates/grafana.yaml +++ b/charts/linkerd/templates/grafana.yaml @@ -146,9 +146,9 @@ spec: - mountPath: /etc/grafana name: grafana-config readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-grafana volumes: - emptyDir: {} diff --git a/charts/linkerd/templates/identity.yaml b/charts/linkerd/templates/identity.yaml index 082ebe323c528..b73c18bfd5d5f 100644 --- a/charts/linkerd/templates/identity.yaml +++ b/charts/linkerd/templates/identity.yaml @@ -112,9 +112,9 @@ spec: name: config - mountPath: /var/run/linkerd/identity/issuer name: identity-issuer - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-identity volumes: - configMap: diff --git a/charts/linkerd/templates/prometheus.yaml b/charts/linkerd/templates/prometheus.yaml index a4be3ad9d1797..0eadaf7f64566 100644 --- a/charts/linkerd/templates/prometheus.yaml +++ b/charts/linkerd/templates/prometheus.yaml @@ -180,9 +180,9 @@ spec: - mountPath: /etc/prometheus name: prometheus-config readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-prometheus volumes: - emptyDir: {} diff --git a/charts/linkerd/templates/proxy-injector.yaml b/charts/linkerd/templates/proxy-injector.yaml index 289cd5e433da0..7df29d8cef88f 100644 
--- a/charts/linkerd/templates/proxy-injector.yaml +++ b/charts/linkerd/templates/proxy-injector.yaml @@ -74,9 +74,9 @@ spec: - mountPath: /var/run/linkerd/tls name: tls readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-proxy-injector volumes: - configMap: diff --git a/charts/linkerd/templates/sp-validator.yaml b/charts/linkerd/templates/sp-validator.yaml index 25766e22c6db5..097d9029775ea 100644 --- a/charts/linkerd/templates/sp-validator.yaml +++ b/charts/linkerd/templates/sp-validator.yaml @@ -91,9 +91,9 @@ spec: - mountPath: /var/run/linkerd/tls name: tls readOnly: true - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-sp-validator volumes: - name: tls diff --git a/charts/linkerd/templates/tap.yaml b/charts/linkerd/templates/tap.yaml index 846ea94485dac..8ae8e99e90cf7 100644 --- a/charts/linkerd/templates/tap.yaml +++ b/charts/linkerd/templates/tap.yaml @@ -88,9 +88,9 @@ spec: {{- end }} securityContext: runAsUser: {{.ControllerUID}} - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-tap volumes: {{- include "partials.proxy.volumes.identity" . | nindent 6 -}} diff --git a/charts/linkerd/templates/web.yaml b/charts/linkerd/templates/web.yaml index 213046aebf750..71ed28ec46205 100644 --- a/charts/linkerd/templates/web.yaml +++ b/charts/linkerd/templates/web.yaml 
@@ -91,9 +91,9 @@ spec: volumeMounts: - mountPath: /var/run/linkerd/config name: config - {{- include "partials.proxy" .Proxy | nindent 6 -}} + {{- include "partials.proxy" . | nindent 6 -}} initContainers: - {{- include "partials.proxy-init" .ProxyInit | nindent 6 }} + {{- include "partials.proxy-init" . | nindent 6 }} serviceAccountName: linkerd-web volumes: - configMap: diff --git a/charts/linkerd/values.yaml b/charts/linkerd/values.yaml index bb8dc44256fde..767744965b47c 100644 --- a/charts/linkerd/values.yaml +++ b/charts/linkerd/values.yaml @@ -3,13 +3,13 @@ # Declare variables to be passed into your templates. ClusterDomain: &cluster_domain cluster.local -CNIEnabled: &cni_enabled false # not supported in Linkerd 2.5 +CNIEnabled: false # not supported in Linkerd 2.5 EnableH2Upgrade: true -HighAvailability: &high_availability false +HighAvailability: false ImagePullPolicy: &image_pull_policy IfNotPresent LinkerdVersion: &linkerd_version stable-2.4.0 -Namespace: &namespace linkerd -OmitWebhookSideEffects: &omit_webhook_side_effects false +Namespace: linkerd +OmitWebhookSideEffects: false # controller configuration ControllerImage: gcr.io/linkerd-io/controller @@ -31,8 +31,10 @@ PublicAPIResources: # identity configuration Identity: Issuer: + ClockSkewAllowance: 20s + # PEM encoded certificate - CrtPEM: &identity_issuer_crt | + CrtPEM: | -----BEGIN CERTIFICATE----- MIIBgzCCASmgAwIBAgIBATAKBggqhkjOPQQDAjApMScwJQYDVQQDEx5pZGVudGl0 eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMTkwNzI2MDMxNjQ4WhcNMjAwNzI1 @@ -49,6 +51,8 @@ Identity: CrtExpiry: 2020-07-25T03:17:08Z CrtExpiryAnnotation: linkerd.io/identity-issuer-expiry + IssuanceLifeTime: 86400s + # PEM encode ECDSA private key KeyPEM: | -----BEGIN EC PRIVATE KEY----- 
@@ -83,34 +87,28 @@ Proxy: Capabilities: Add: Drop: - ClusterDomain: *cluster_domain - ControlPlaneNamespace: *namespace EnableExternalProfile: false - HighAvailability: *high_availability - Identity: - TrustDomain: *cluster_domain - TrustAnchors: *identity_issuer_crt Image: - Name: &proxy_image_name gcr.io/linkerd-io/proxy + Name: gcr.io/linkerd-io/proxy PullPolicy: *image_pull_policy Version: *linkerd_version - LogLevel: &proxy_log_level warn,linkerd2_proxy=info + LogLevel: warn,linkerd2_proxy=info MountPaths: - Port: &proxy_ports - Admin: &proxy_port_admin 4191 - Control: &proxy_port_control 4190 - Inbound: &proxy_port_inbound 4143 - Outbound: &proxy_port_outbound 4140 - UID: &proxy_uid 2102 + Port: + Admin: 4191 + Control: 4190 + Inbound: 4143 + Outbound: 4140 + UID: 2102 # use this to override the default resource requirements in HA mode ResourceRequirements: CPU: - Limit: &proxy_cpu_limit "1" - Request: &proxy_cpu_request 100m + Limit: "1" + Request: 100m Memory: - Limit: &proxy_memory_limit 250Mi - Request: &proxy_memory_request 20Mi + Limit: 250Mi + Request: 20Mi # inject-only options. Do not change this for control plane installation DisableIdentity: false @@ -122,15 +120,12 @@ ProxyInit: Add: Drop: Image: - Name: &proxy_init_image_name gcr.io/linkerd-io/proxy-init + Name: gcr.io/linkerd-io/proxy-init PullPolicy: *image_pull_policy - Version: &proxy_init_image_version v1.0.0 - Proxy: - Port: - <<: *proxy_ports - IgnoreInboundPorts: "" - IgnoreOutboundPorts: "443" - UID: *proxy_uid + Version: v1.0.0 + IgnoreInboundPorts: "" + IgnoreOutboundPorts: "443" + MountPath: # use this to override the default resource requirements in HA mode ResourceRequirements: 
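Review bot: This hunk deletes `Proxy.Identity.TrustDomain`, but `_proxy.tpl` still reads `{{.Identity.TrustDomain}}` for `_l5d_trustdomain` (an unchanged context line in its `@@ -37,18 +37,18 @@` hunk), now evaluated against the root scope, while the new `_config.tpl` reads `{{.TrustDomain}}`. None of the values.yaml hunks shown adds either key, so unless one exists in lines outside this diff the trust domain would render empty in the proxy identity names and in the `linkerd-config` global JSON. Define a single root-level key and reference it from both templates, for example `TrustDomain: *cluster_domain` with `value: {{.TrustDomain}}` in `_proxy.tpl`.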
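Review bot: The added `ProxyInit.MountPath:` key is singular, while `_proxy-init.tpl` in this same commit tests `.ProxyInit.MountPaths` and the `Proxy` block uses `MountPaths:`, so anything set under the new key is never rendered; rename it to `MountPaths:`. Since `ProxyInit` no longer carries its own `Proxy.Port` and `UID` copies, a short comment here such as `# ports and UID are read from the root Proxy block` would help readers of the values file.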
@@ -158,46 +153,6 @@ WebImage: gcr.io/linkerd-io/web WebResources: <<: *controller_resources -# linkerd-config config map data -Configs: - Global: - clusterDomain: *cluster_domain - cniEnabled: *cni_enabled - identityContext: - trustAnchorsPem": *identity_issuer_crt - trustDomain: *cluster_domain - linkerdNamespace: *namespace - omitWebhookSideEffects: *omit_webhook_side_effects - version: *linkerd_version - Proxy: - adminPort: - port: *proxy_port_admin - controlPort: - port: *proxy_port_control - ignoreInboundPorts: [] - ignoreOutboundPorts: [] - inboundPort: - port: *proxy_port_inbound - logLevel: - level: *proxy_log_level - outboundPort: - port: *proxy_port_outbound - proxyImage: - imageName: *proxy_image_name - pullPolicy: *image_pull_policy - proxyInitImage: - imageName: *proxy_init_image_name - pullPolicy: *image_pull_policy - proxyInitImageVersion: *proxy_init_image_version - proxyUid: *proxy_uid - proxyVersion: *linkerd_version - resource: - limitCpu: *proxy_cpu_limit - limitMemory: *proxy_memory_limit - requestCpu: *proxy_cpu_request - requestMemory: *proxy_memory_request - disableExternalProfiles: true - # annotations CreatedByAnnotation: linkerd.io/created-by ProxyInjectAnnotation: linkerd.io/inject diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl index 3df9de3a8ab83..a3d6bb9a537c8 100644 --- a/charts/partials/templates/_proxy-init.tpl +++ b/charts/partials/templates/_proxy-init.tpl 
@@ -7,25 +7,25 @@ - --proxy-uid - {{.Proxy.UID | quote}} - --inbound-ports-to-ignore - - {{.Proxy.Port.Control}},{{.Proxy.Port.Admin}}{{ternary (printf ",%s" .Proxy.Port.IgnoreInboundPorts) "" (ne .Proxy.Port.IgnoreInboundPorts "")}} + - {{.Proxy.Port.Control}},{{.Proxy.Port.Admin}}{{ternary (printf ",%s" .ProxyInit.IgnoreInboundPorts) "" (ne .ProxyInit.IgnoreInboundPorts "")}} - --outbound-ports-to-ignore - - {{.Proxy.Port.IgnoreOutboundPorts | quote}} - image: {{.Image.Name}}:{{.Image.Version}} - imagePullPolicy: {{.Image.PullPolicy}} + - {{.ProxyInit.IgnoreOutboundPorts | quote}} + image: {{.ProxyInit.Image.Name}}:{{.ProxyInit.Image.Version}} + imagePullPolicy: {{.ProxyInit.Image.PullPolicy}} name: linkerd-init - {{- include "partials.resources" .ResourceRequirements | nindent 2 }} + {{- include "partials.resources" .ProxyInit.ResourceRequirements | nindent 2 }} securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW - {{- if .Capabilities -}} - {{- if .Capabilities.Add }} - {{- toYaml .Capabilities.Add | trim | nindent 6 }} + {{- if .ProxyInit.Capabilities -}} + {{- if .ProxyInit.Capabilities.Add }} + {{- toYaml .ProxyInit.Capabilities.Add | trim | nindent 6 }} {{- end }} - {{- if .Capabilities.Drop -}} - {{- include "partials.proxy-init.capabilities.drop" . | nindent 6 -}} + {{- if .ProxyInit.Capabilities.Drop -}} + {{- include "partials.proxy-init.capabilities.drop" .ProxyInit | nindent 6 -}} {{- end }} {{- end }} privileged: false @@ -33,8 +33,8 @@ runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError - {{- if .MountPaths }} + {{- if .ProxyInit.MountPaths }} volumeMounts: - {{- toYaml .MountPaths | trim | nindent 2 -}} + {{- toYaml .ProxyInit.MountPaths | trim | nindent 2 -}} {{- end }} {{- end -}} diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index f00f29e090826..97df8844e166e 100644 --- a/charts/partials/templates/_proxy.tpl 
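Review bot: The `--inbound-ports-to-ignore` argument is emitted unquoted, while `--proxy-uid` and `--outbound-ports-to-ignore` in the same list go through `quote`, so an `IgnoreInboundPorts` value supplied via `--set` that contains YAML-significant characters could change how the argument parses. Assemble the whole string with `printf` and pipe the result through `quote`, matching the line below it. These two lists presumably decide which ports skip the proxy redirect, so a template comment such as `{{- /* ports listed here are not redirected through the proxy */ -}}` above them would make that consequence visible to operators. The `partials.proxy-init` definition starts above this hunk.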
+++ b/charts/partials/templates/_proxy.tpl @@ -1,20 +1,20 @@ {{ define "partials.proxy" -}} - env: - name: LINKERD2_PROXY_LOG - value: {{.LogLevel}} + value: {{.Proxy.LogLevel}} - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR - value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .ControlPlaneNamespace .ClusterDomain) (eq .Component "linkerd-controller")}} + value: {{ternary "localhost.:8086" (printf "linkerd-destination.%s.svc.%s:8086" .Namespace .ClusterDomain) (eq .Proxy.Component "linkerd-controller")}} - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR - value: 0.0.0.0:{{.Port.Control}} + value: 0.0.0.0:{{.Proxy.Port.Control}} - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR - value: 0.0.0.0:{{.Port.Admin}} + value: 0.0.0.0:{{.Proxy.Port.Admin}} - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR - value: 127.0.0.1:{{.Port.Outbound}} + value: 127.0.0.1:{{.Proxy.Port.Outbound}} - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR - value: 0.0.0.0:{{.Port.Inbound}} + value: 0.0.0.0:{{.Proxy.Port.Inbound}} - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES {{- $internalProfileSuffix := printf "svc.%s." .ClusterDomain }} - value: {{ternary "." $internalProfileSuffix .EnableExternalProfile}} + value: {{ternary "." $internalProfileSuffix .Proxy.EnableExternalProfile}} - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE @@ -25,7 +25,7 @@ fieldPath: metadata.namespace - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: ns:$(_pod_ns) - {{ if eq .Component "linkerd-prometheus" -}} + {{ if eq .Proxy.Component "linkerd-prometheus" -}} - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY value: "10000" {{ end -}} 
@@ -37,18 +37,18 @@ value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | - {{- .Identity.TrustAnchors | trim | nindent 6 }} + {{- .Identity.Issuer.CrtPEM | trim | nindent 6 }} - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR - {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .ControlPlaneNamespace .ClusterDomain }} - value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Component "linkerd-identity")}} + {{- $identitySvcAddr := printf "linkerd-identity.%s.svc.%s:8080" .Namespace .ClusterDomain }} + value: {{ternary "localhost.:8080" $identitySvcAddr (eq .Proxy.Component "linkerd-identity")}} - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns - value: {{.ControlPlaneNamespace}} + value: {{.Namespace}} - name: _l5d_trustdomain value: {{.Identity.TrustDomain}} - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME 
@@ -58,46 +58,46 @@ - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-controller.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) {{ end -}} - {{ if .DisableTap -}} + {{ if .Proxy.DisableTap -}} - name: LINKERD2_PROXY_TAP_DISABLED value: "true" {{ else -}} - name: LINKERD2_PROXY_TAP_SVC_NAME value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) {{ end -}} - image: {{.Image.Name}}:{{.Image.Version}} - imagePullPolicy: {{.Image.PullPolicy}} + image: {{.Proxy.Image.Name}}:{{.Proxy.Image.Version}} + imagePullPolicy: {{.Proxy.Image.PullPolicy}} livenessProbe: httpGet: path: /metrics - port: {{.Port.Admin}} + port: {{.Proxy.Port.Admin}} initialDelaySeconds: 10 name: linkerd-proxy ports: - - containerPort: {{.Port.Inbound}} + - containerPort: {{.Proxy.Port.Inbound}} name: linkerd-proxy - - containerPort: {{.Port.Admin}} + - containerPort: {{.Proxy.Port.Admin}} name: linkerd-admin readinessProbe: httpGet: path: /ready - port: {{.Port.Admin}} + port: {{.Proxy.Port.Admin}} initialDelaySeconds: 2 {{- if eq .HighAvailability true -}} - {{- include "partials.resources" .ResourceRequirements | nindent 2 -}} + {{- include "partials.resources" .Proxy.ResourceRequirements | nindent 2 -}} {{- end }} securityContext: allowPrivilegeEscalation: false - {{- if .Capabilities -}} - {{- include "partials.proxy.capabilities" . | nindent 4 -}} + {{- if .Proxy.Capabilities -}} + {{- include "partials.proxy.capabilities" .Proxy | nindent 4 -}} {{- end }} readOnlyRootFilesystem: true - runAsUser: {{.UID}} + runAsUser: {{.Proxy.UID}} terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity - {{- if .MountPaths }} - {{- toYaml .MountPaths | trim | nindent 2 -}} + {{- if .Proxy.MountPaths }} + {{- toYaml .Proxy.MountPaths | trim | nindent 2 -}} {{- end }} {{ end -}}