diff --git a/.github/workflows/static_checks.yml b/.github/workflows/static_checks.yml index fbab3401baa61..8d2ad93f8b33d 100644 --- a/.github/workflows/static_checks.yml +++ b/.github/workflows/static_checks.yml @@ -83,3 +83,12 @@ jobs: uses: actions/checkout@722adc6 - name: Markdown lint run: bin/markdownlint-all + chart_docs_diff: + name: Chart readme diff check + runs-on: ubuntu-18.04 + steps: + - name: Checkout code + # actions/checkout@v2 + uses: actions/checkout@722adc6 + - name: Check docs for diff + run: bin/helm-docs-diff diff --git a/.helmdocsignore b/.helmdocsignore new file mode 100644 index 0000000000000..d21bb0e1b0d1f --- /dev/null +++ b/.helmdocsignore @@ -0,0 +1 @@ +# Add potential chart ignores here diff --git a/BUILD.md b/BUILD.md index 92f9ea6db6573..7497568e2856a 100644 --- a/BUILD.md +++ b/BUILD.md 
@@ -296,6 +296,46 @@ automatically regenerated with the command: go test ./cli/cmd/... --update ``` +#### Generating helm charts docs + +Whenever a new chart is created, or updated a readme should be generated from +the chart's values.yml. This can be done by utilizing the bundled +[helm-docs](https://github.com/norwoodj/helm-docs) binary. For adding additional +information, such as specific installation instructions a readme template is +required to be created. Check existing charts for example. + +##### Annotating values.yml + +To allow helm-docs to properly document the values in values.yml a descriptive +comment is required. This can be done in two ways. +Either comment the value directly above with +`# -- This is a really nice value` where the double dashes automatically +annotates the value. Another explicit usage is to type out the value name. +`# global.MyNiceValue -- I really like this value` + +##### Using helm-docs + +Example usage: + +```sh +bin/helm-docs +bin/helm-docs --dry-run #Prints to cli instead +bin/helm-docs --chart-search-root=./charts #Sets search root for charts +bin/helm-docs --template-files=README.md.gotmpl #Sets the template file used +``` + +Note: +The tool searches through the current directory and sub-directories by default. +For additional information checkout their repo above. + +##### Markdown templates + +In order to accommodate for extra data that might not have a proper place in the +´values.yaml´ file the corresponding ´README.md.gotmpl´ can be modified for each +chart. This template allows the standard markdown syntax as well as the go +templating functions. Checkout +[helm-docs](https://github.com/norwoodj/helm-docs) for more info. + ##### Pretty-printed diffs for templated text When running `go test`, mismatched text is usually displayed as a compact diff. diff --git a/bin/helm-docs b/bin/helm-docs new file mode 100755 index 0000000000000..da5e72eabe152 --- /dev/null +++ b/bin/helm-docs 
@@ -0,0 +1,57 @@ +#!/usr/bin/env sh + +set -eu + +helmdocsv=1.4.0 +bindir=$( cd "${0%/*}" && pwd ) # Change to script dir and set bin dir to this +targetbin=$( cd "$bindir"/.. && pwd )/target/bin +helmdocsbin=$targetbin/helm-docs-$helmdocsv +os="" +arch="" + +if [ ! -f "$helmdocsbin" ]; then + case $(uname | tr '[:upper:]' '[:lower:]') in + darwin*) + os=darwin + arch=x86_64 + ;; + linux*) + os=linux + case $(uname -m) in + x86_64) arch=x86_64 ;; + amd64) arch=amd64 ;; + arm) + tmp=$(dpkg --print-architecture) + if echo "$tmp" | grep -q arm64; then + arch=arm64 + elif echo "$tmp" | grep -q armv7; then + arch=armv7 + elif echo "$tmp" | grep -q armv6; then + arch=armv6 + fi + ;; + esac + ;; + msys*) + os=windows + arch=x86_64 + ;; + esac + + if [ -z "$os" ]; then + echo "Couldn't find a matching binary" + exit 126 + fi + helmdocscurl="https://github.com/norwoodj/helm-docs/releases/download/v$helmdocsv/helm-docs_${helmdocsv}_${os}_${arch}.tar.gz" + tmp=$(mktemp -d -t helm-docs.XXX) + mkdir -p "$targetbin" + ( + cd "$tmp" + curl -Lsf -o "./helm-docs.tar.gz" "$helmdocscurl" + tar zf "./helm-docs.tar.gz" -x "helm-docs" + chmod +x "helm-docs" + ) + mv "$tmp/helm-docs" "$helmdocsbin" +fi + +"$helmdocsbin" "$@" diff --git a/bin/helm-docs-diff b/bin/helm-docs-diff new file mode 100755 index 0000000000000..d874e69d254db --- /dev/null +++ b/bin/helm-docs-diff @@ -0,0 +1,15 @@ +#!/usr/bin/env sh + +set -eu + +bin/helm-docs + +dir_dirty=$(git diff HEAD) +if [ -z "$dir_dirty" ]; then + echo "Helm-docs generated readmes match chart readmes." + exit 0 +else + echo "Helm-docs generated readmes diverge from current chart readmes:" + echo "$(git status)" + exit 64 +fi diff --git a/charts/add-ons/grafana/README.md b/charts/add-ons/grafana/README.md new file mode 100644 index 0000000000000..5ec9e5f4b5aea --- /dev/null +++ b/charts/add-ons/grafana/README.md 
@@ -0,0 +1,28 @@ +# grafana + +A Helm chart for the grafana add-on in Linkerd + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.name | string | `"ghcr.io/linkerd/grafana"` | Docker image name for the grafana instance | +| image.tag | string | `nil` | Docker image tag for the grafana instance | +| proxy.resources | string | `nil` | Structure analog to the resources fields above, but overriding the resources of the linkerd proxy injected into the grafana pod. | +| resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the grafana container can use | +| resources.cpu.request | string | `nil` | Amount of CPU units that the grafana container requests | +| resources.memory.limit | string | `nil` | Maximum amount of memory that grafana container can use | +| resources.memory.request | string | `nil` | Amount of memory that the grafana container requests | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/add-ons/grafana/README.md.gotmpl b/charts/add-ons/grafana/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/charts/add-ons/grafana/README.md.gotmpl 
@@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/add-ons/grafana/values.yaml b/charts/add-ons/grafana/values.yaml index 41328cd3633e4..c16b17081a5c6 100644 --- a/charts/add-ons/grafana/values.yaml +++ b/charts/add-ons/grafana/values.yaml @@ -1,2 +1,21 @@ image: + # -- Docker image name for the grafana instance name: ghcr.io/linkerd/grafana + # -- Docker image tag for the grafana instance + tag: + +resources: + cpu: + # -- Maximum amount of CPU units that the grafana container can use + limit: + # -- Amount of CPU units that the grafana container requests + request: + memory: + # -- Maximum amount of memory that grafana container can use + limit: + # -- Amount of memory that the grafana container requests + request: +proxy: + # -- Structure analog to the resources fields above, but overriding the + # resources of the linkerd proxy injected into the grafana pod. + resources: \ No newline at end of file diff --git a/charts/add-ons/prometheus/README.md b/charts/add-ons/prometheus/README.md new file mode 100644 index 0000000000000..66b4efaf4da09 --- /dev/null +++ b/charts/add-ons/prometheus/README.md 
@@ -0,0 +1,35 @@ +# prometheus + +A Helm chart for the prometheus add-on in Linkerd + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| alertManagers | string | `nil` | Alertmanager instances the Prometheus server sends alerts to configured via the static_configs parameter. | +| alertRelabelConfigs | string | `nil` | Alert relabeling is applied to alerts before they are sent to the Alertmanager. | +| args | object | `{"config.file":"/etc/prometheus/prometheus.yml","log.level":"info","storage.tsdb.path":"/data","storage.tsdb.retention.time":"6h"}` | Command line options for Prometheus binary | +| globalConfig | object | `{"evaluation_interval":"10s","scrape_interval":"10s","scrape_timeout":"10s"}` | The global configuration specifies parameters that are valid in all other configuration contexts. | +| image | string | `"prom/prometheus:v2.19.3"` | Docker image for the prometheus instance | +| proxy.resources | string | `nil` | CPU and Memory resources required by proxy injected into prometheus pod (see global.proxy.resources for sub-fields) | +| remoteWrite | string | `nil` | Allows transparently sending samples to an endpoint. Mostly used for long term storage. 
| +| resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the prometheus container can use | +| resources.cpu.request | string | `nil` | Amount of CPU units that the prometheus container requests | +| resources.memory.limit | string | `nil` | Maximum amount of memory that prometheus container can use | +| resources.memory.request | string | `nil` | Amount of memory that the prometheus container requests | +| ruleConfigMapMounts | string | `nil` | Alerting/recording rule ConfigMap mounts (sub-path names must end in ´_rules.yml´ or ´_rules.yaml´) | +| scrapeConfigs | string | `nil` | A scrapeConfigs section specifies a set of targets and parameters describing how to scrape them. | +| sideCarContainers | string | `nil` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. to export data to non-prometheus systems | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/add-ons/prometheus/README.md.gotmpl b/charts/add-ons/prometheus/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/charts/add-ons/prometheus/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/add-ons/prometheus/values.yaml b/charts/add-ons/prometheus/values.yaml index 8225963219898..6f25b187dc68d 100644 --- a/charts/add-ons/prometheus/values.yaml +++ b/charts/add-ons/prometheus/values.yaml 
@@ -3,13 +3,121 @@ # when installing with the parent linkerd2 chart # Do not override them in this file! # If installing/upgrading with linkerd's CLI, use the `--config` flag. + +# -- Docker image for the prometheus instance image: prom/prometheus:v2.19.3 +# -- Command line options for Prometheus binary args: storage.tsdb.path: /data storage.tsdb.retention.time: 6h config.file: /etc/prometheus/prometheus.yml log.level: info +# -- The global configuration specifies parameters that are valid in all other +# configuration contexts. globalConfig: scrape_interval: 10s scrape_timeout: 10s evaluation_interval: 10s + +# -- Alert relabeling is applied to alerts before they are sent to the +# Alertmanager. +alertRelabelConfigs: +# Ex: +# - action: labeldrop +# regex: prometheus_replica + +# -- Alertmanager instances the Prometheus server sends alerts to configured via +# the static_configs parameter. +alertManagers: +# Ex: +# - scheme: http +# static_configs: +# - targets: +# - "alertmanager.linkerd.svc:9093" + +# -- Allows transparently sending samples to an endpoint. Mostly used for long +# term storage. +remoteWrite: + +# -- Alerting/recording rule ConfigMap mounts (sub-path names must end in +# ´_rules.yml´ or ´_rules.yaml´) +ruleConfigMapMounts: +# Ex: +# - name: alerting-rules +# subPath: alerting_rules.yml +# configMap: linkerd-prometheus-rules +# - name: recording-rules +# subPath: recording_rules.yml +# configMap: linkerd-prometheus-rules + +# -- A scrapeConfigs section specifies a set of targets and parameters +# describing how to scrape them. 
+scrapeConfigs: +# Ex: +# - job_name: 'kubernetes-nodes' +# scheme: https +# tls_config: +# ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt +# bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token +# kubernetes_sd_configs: +# - role: node +# relabel_configs: +# - action: labelmap +# regex: __meta_kubernetes_node_label_(.+) + +# -- A sidecarContainers section specifies a list of secondary containers to run +# in the prometheus pod e.g. to export data to non-prometheus systems +sideCarContainers: +# Ex: +# - name: sidecar +# image: gcr.io/myproject/stackdriver-prometheus-sidecar +# imagePullPolicy: Always +# command: +# - /bin/sh +# - -c +# - | +# exec /bin/stackdriver-prometheus-sidecar \ +# --stackdriver.project-id=myproject \ +# --stackdriver.kubernetes.location=us-central1 \ +# --stackdriver.kubernetes.cluster-name=mycluster \ +# --prometheus.wal-directory=/data/wal \ +# --log.level=info +# volumeMounts: +# - mountPath: /data +# name: data +# ports: +# - name: foo +# containerPort: 9091 +# protocol: TCP + + +proxy: + # -- CPU and Memory resources required by proxy injected into prometheus pod + # (see global.proxy.resources for sub-fields) + resources: + +### WARNING: persistence is experimental and has not been tested/vetted by the Linkerd team. +### As such, please refer to https://linkerd.io/2/tasks/exporting-metrics/ for the recommended approach to metrics data retention. +# if enabled, creates a persistent volume claim for prometheus data +# https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims +#persistence: +# -- Storage class used to create prometheus data PV. +# storageClass: +# -- PVC access mode. +# accessMode: +# -- Prometheus data volume size. 
+# size: + + +resources: + cpu: + # -- Maximum amount of CPU units that the prometheus container can use + limit: + # -- Amount of CPU units that the prometheus container requests + request: + memory: + # -- Maximum amount of memory that prometheus container can use + limit: + # -- Amount of memory that the prometheus container requests + request: + diff --git a/charts/add-ons/tracing/README.md b/charts/add-ons/tracing/README.md new file mode 100644 index 0000000000000..1f0d968bb8088 --- /dev/null +++ b/charts/add-ons/tracing/README.md 
@@ -0,0 +1,31 @@ +# tracing + +A Helm chart for the tracing add-on in Linkerd + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| collector.image | string | `"omnition/opencensus-collector:0.1.11"` | | +| collector.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the trace collector container can use | +| collector.resources.cpu.request | string | `nil` | Amount of CPU units that the trace collector container requests | +| collector.resources.memory.limit | string | `nil` | Maximum amount of memory that trace collector container can use | +| collector.resources.memory.request | string | `nil` | Amount of memory that the trace collector container requests | +| jaeger.image | string | `"jaegertracing/all-in-one:1.19.2"` | Docker image for the jaeger instance | +| jaeger.resources.cpu.limit | string | `nil` | Maximum amount of CPU units that the jaeger container can use | +| jaeger.resources.cpu.request | string | `nil` | Amount of CPU units that the jaeger container requests | +| jaeger.resources.memory.limit | string | `nil` | Maximum amount of memory that jaeger container can use | +| jaeger.resources.memory.request | string | `nil` | Amount of memory that the jaeger container requests | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/add-ons/tracing/README.md.gotmpl b/charts/add-ons/tracing/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/charts/add-ons/tracing/README.md.gotmpl 
@@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/add-ons/tracing/values.yaml b/charts/add-ons/tracing/values.yaml index ea38760c56297..aee0c159a945c 100644 --- a/charts/add-ons/tracing/values.yaml +++ b/charts/add-ons/tracing/values.yaml @@ -1,6 +1,28 @@ # Default values for tracing. collector: image: omnition/opencensus-collector:0.1.11 - # resources: + resources: + cpu: + # -- Maximum amount of CPU units that the trace collector container can use + limit: + # -- Amount of CPU units that the trace collector container requests + request: + memory: + # -- Maximum amount of memory that trace collector container can use + limit: + # -- Amount of memory that the trace collector container requests + request: jaeger: - image: jaegertracing/all-in-one:1.19.2 \ No newline at end of file + # -- Docker image for the jaeger instance + image: jaegertracing/all-in-one:1.19.2 + resources: + cpu: + # -- Maximum amount of CPU units that the jaeger container can use + limit: + # -- Amount of CPU units that the jaeger container requests + request: + memory: + # -- Maximum amount of memory that jaeger container can use + limit: + # -- Amount of memory that the jaeger container requests + request: diff --git a/charts/linkerd2-cni/Chart.yaml b/charts/linkerd2-cni/Chart.yaml index 5ec23c1b9732f..7450b5afdeb9c 100644 --- a/charts/linkerd2-cni/Chart.yaml +++ b/charts/linkerd2-cni/Chart.yaml 
@@ -1,6 +1,11 @@ apiVersion: v1 appVersion: edge-XX.X.X -description: A helm chart containing the resources needed by the Linkerd CNI plugin. +description: | + Linkerd is a *service mesh*, designed to give platform-wide observability, + reliability, and security without requiring configuration or code changes. The + Linkerd [CNI plugin](https://linkerd.io/2/features/cni/) takes care of setting + up your pod's network so incoming and outgoing traffic is proxied through the + data plane. kubeVersion: ">=1.13.0-0" icon: https://linkerd.io/images/logo-only-200h.png name: "linkerd2-cni" diff --git a/charts/linkerd2-cni/README.md b/charts/linkerd2-cni/README.md index 16b00452edde2..b7c14942b48f4 100644 --- a/charts/linkerd2-cni/README.md +++ b/charts/linkerd2-cni/README.md @@ -1,5 +1,4 @@ - -# Linkerd2-cni Helm Chart +# linkerd2-cni Linkerd is a *service mesh*, designed to give platform-wide observability, reliability, and security without requiring configuration or code changes. The 
@@ -7,28 +6,42 @@ Linkerd [CNI plugin](https://linkerd.io/2/features/cni/) takes care of setting up your pod's network so incoming and outgoing traffic is proxied through the data plane. -## Configuration - -The following table lists the configurable parameters of the Linkerd2-cni chart -and their default values. - -| Parameter | Description | Default | -|--------------------------------------|-----------------------------------------------------------------------|-------------------------------| -|`cniPluginImage` | Docker image for the CNI plugin |`ghcr.io/linkerd/cni-plugin`| -|`cniPluginVersion` | Tag for the CNI container Docker image |latest version| -|`cniResourceAnnotation` | CNI resource annotation. Do not edit |`linkerd.io/cni-resource` -|`controllerNamespaceLabel` | Control plane label. Do not edit |`linkerd.io/control-plane-ns`| -|`createdByAnnotation` | Annotation label for the proxy create. Do not edit. |`linkerd.io/created-by`| -|`destCNIBinDir` | Directory on the host where the CNI plugin binaries reside |`/opt/cni/bin`| -|`destCNINetDir` | Directory on the host where the CNI configuration will be placed |`/etc/cni/net.d`| -|`ignoreInboundPorts` | Inbound ports the proxy should ignore || -|`ignoreOutboundPorts` | Outbound ports the proxy should ignore || -|`inboundProxyPort` | Inbound port for the proxy container |`4143`| -|`logLevel` | Log level for the CNI plugin |`info`| -|`namespace` | CNI plugin plane namespace |`linkerd-cni`| -|`outboundProxyPort` | Outbound port for the proxy container |`4140`| -|`portsToRedirect` | Ports to redirect to proxy || -|`proxyUID` | User id under which the proxy shall be ran |`2102`| -|`useWaitFlag` | Configures the CNI plugin to use the -w flag for the iptables command |`false`| -|`installNamespace` | Whether to create the CNI plugin plane namespace or not |`true`| -|`priorityClassName` | Kubernetes priorityClassName for the CNI plugin's Pods || +![Version: 
0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +## Requirements + +Kubernetes: `>=1.13.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cniPluginImage | string | `"ghcr.io/linkerd/cni-plugin"` | Docker image for the CNI plugin | +| cniPluginVersion | string | `"linkerdVersionValue"` | Tag for the CNI container Docker image | +| cniResourceLabel | string | `"linkerd.io/cni-resource"` | CNI resource annotation. Do not edit | +| createdByAnnotation | string | `"linkerd.io/created-by"` | Annotation label for the proxy create. Do not edit. | +| destCNIBinDir | string | `"/opt/cni/bin"` | Directory on the host where the CNI configuration will be placed | +| destCNINetDir | string | `"/etc/cni/net.d"` | Directory on the host where the CNI plugin binaries reside | +| ignoreInboundPorts | string | `"25,443,587,3306,11211"` | Inbound ports the proxy should ignore - SMTP (25,587) server-first - HTTPS (443) opaque TLS - MYSQL (3306) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | +| ignoreOutboundPorts | string | `"25,443,587,3306,11211"` | Outbound ports the proxy should ignore | +| imagePullSecrets | string | `nil` | | +| inboundProxyPort | int | `4143` | Inbound port for the proxy container | +| installNamespace | bool | `true` | Whether to create the CNI plugin plane namespace or not | +| logLevel | string | `"info"` | Log level for the CNI plugin | +| namespace | string | `"linkerd-cni"` | CNI plugin plane namespace | +| outboundProxyPort | int | `4140` | Outbound port for the proxy container | +| portsToRedirect | string | `""` | Ports to redirect to proxy | +| priorityClassName | string | `""` | Kubernetes 
priorityClassName for the CNI plugin's Pods | +| proxyInjectAnnotation | string | `"linkerd.io/inject"` | | +| proxyInjectDisabled | string | `"disabled"` | | +| proxyUID | int | `2102` | User id under which the proxy shall be ran | +| useWaitFlag | bool | `false` | Configures the CNI plugin to use the -w flag for the iptables command | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/linkerd2-cni/README.md.gotmpl b/charts/linkerd2-cni/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/charts/linkerd2-cni/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd2-cni/values.yaml b/charts/linkerd2-cni/values.yaml index 7cbc5ddd49e8f..c6112ca056598 100644 --- a/charts/linkerd2-cni/values.yaml +++ b/charts/linkerd2-cni/values.yaml 
@@ -1,26 +1,40 @@ +# -- CNI plugin plane namespace namespace: linkerd-cni +# -- Whether to create the CNI plugin plane namespace or not installNamespace: true +# -- CNI resource annotation. Do not edit cniResourceLabel: linkerd.io/cni-resource +# -- Inbound port for the proxy container inboundProxyPort: 4143 +# -- Outbound port for the proxy container outboundProxyPort: 4140 - -# Default set of ports to skip via itpables: +# -- Inbound ports the proxy should ignore # - SMTP (25,587) server-first # - HTTPS (443) opaque TLS # - MYSQL (3306) server-first # - Memcached (11211) clients do not issue any preamble, which breaks detection ignoreInboundPorts: "25,443,587,3306,11211" +# -- Outbound ports the proxy should ignore ignoreOutboundPorts: "25,443,587,3306,11211" - +# -- Annotation label for the proxy create. Do not edit. createdByAnnotation: linkerd.io/created-by -cniPluginImage: "ghcr.io/linkerd/cni-plugin" +# -- Docker image for the CNI plugin +cniPluginImage: "ghcr.io/linkerd/cni-plugin" +# -- Tag for the CNI container Docker image cniPluginVersion: linkerdVersionValue -logLevel: info -portsToRedirect: "" -proxyUID: 2102 -destCNINetDir: "/etc/cni/net.d" -destCNIBinDir: "/opt/cni/bin" -useWaitFlag: false +# -- Log level for the CNI plugin +logLevel: info +# -- Ports to redirect to proxy +portsToRedirect: "" +# -- User id under which the proxy shall be ran +proxyUID: 2102 +# -- Directory on the host where the CNI plugin binaries reside +destCNINetDir: "/etc/cni/net.d" +# -- Directory on the host where the CNI configuration will be placed +destCNIBinDir: "/opt/cni/bin" +# -- Configures the CNI plugin to use the -w flag for the iptables command +useWaitFlag: false +# -- Kubernetes priorityClassName for the CNI plugin's Pods priorityClassName: "" # namespace annotation and labels - do not edit diff --git a/charts/linkerd2-multicluster-link/Chart.yaml b/charts/linkerd2-multicluster-link/Chart.yaml index c6ec380a9b727..3ab84bafdd47e 100644 
--- a/charts/linkerd2-multicluster-link/Chart.yaml +++ b/charts/linkerd2-multicluster-link/Chart.yaml @@ -1,6 +1,8 @@ apiVersion: v1 appVersion: edge-XX.X.X -description: A helm chart containing the resources to enable mirroring of services from a remote cluster +description: | + A helm chart containing the resources to enable mirroring + of services from a remote cluster kubeVersion: ">=1.13.0-0" icon: https://linkerd.io/images/logo-only-200h.png name: "linkerd2-multicluster-link" diff --git a/charts/linkerd2-multicluster-link/README.md b/charts/linkerd2-multicluster-link/README.md index 44beb067bc28d..63f7385953b44 100644 --- a/charts/linkerd2-multicluster-link/README.md +++ b/charts/linkerd2-multicluster-link/README.md 
@@ -1,40 +1,29 @@ +# linkerd2-multicluster-link -# Linkerd2-multicluster-link Helm Chart - -Linkerd is a *service mesh*, designed to give platform-wide observability, -reliability, and security without requiring configuration or code changes. This -chart provides the components needed to enable communication between clusters. - -## Configuration - -The following table lists the configurable parameters of the -linkerd2-multicluster chart and their default values. - -| Parameter | Description | Default | -|---------------------------------|---------------------------------------------------------------------------------------------|----------------------------------------------| -|`controllerComponentLabel` | Control plane label. Do not edit |`linkerd.io/control-plane-component` | -|`controllerImage` | Docker image for the Service mirror component (uses the Linkerd controller image) |`ghcr.io/linkerd/controller` | -|`controllerImageVersion` | Tag for the Service Mirror container Docker image |`latest version` | -|`createdByAnnotation` | Annotation label for the proxy create. Do not edit. 
|`linkerd.io/created-by` | -|`gateway` | If the gateway component should be installed |`true` | -|`gatewayLocalProbePath` | The path that will be used by the local liveness checks to ensure the gateway is alive |`/health-local` | -|`gatewayLocalProbePort` | The port that will be used by the local liveness checks to ensure the gateway is alive |`8888` | -|`gatewayName` | The name of the gateway that will be installed |`linkerd-gateway` | -|`gatewayNginxImage` | The Nginx image |`nginx` | -|`gatewayNginxImageVersion` | The version of the Nginx image |`1.17` | -|`gatewayPort` | The port on which all the gateway will accept incoming traffic |`4143` | -|`gatewayProbePath` | The path that will be used by remote clusters for determining whether the gateway is alive |`/health` | -|`gatewayProbePort` | The port used for liveliness probing |`4181` | -|`gatewayProbeSeconds` | The interval (in seconds) between liveness probes |`3` | -|`identityTrustDomain` | Trust domain used for identity of the existing linkerd installation |`cluster.local` | -|`installNamespace` | If the namespace should be installed |`true` | -|`linkerdNamespace` | The namespace of the existing Linkerd installation |`linkerd` | -|`linkerdVersion` | Control plane version | latest version | -|`namespace` | Service Mirror component namespace |`linkerd-multicluster` | -|`proxyOutboundPort` | The port on which the proxy accepts outbound traffic |`4140` | -|`remoteMirrorServiceAccountName` | The name of the service account used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`| -|`remoteMirrorServiceAccount` | If the remote mirror service account should be installed |`true` | -|`serviceMirror` | If the service mirror component should be installed |`true` | -|`logLevel` | Log level for the Multicluster components |`info` | -|`serviceMirrorRetryLimit` | Number of times update from the remote cluster is allowed to be requeued (retried) |`3` | -|`serviceMirrorUID` | 
User id under which the Service Mirror shall be ran |`2103` | +A helm chart containing the resources to enable mirroring +of services from a remote cluster + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +## Requirements + +Kubernetes: `>=1.13.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| controllerComponentLabel | string | `"linkerd.io/control-plane-component"` | Control plane label. Do not edit | +| controllerImage | string | `"ghcr.io/linkerd/controller"` | Docker image for the Service mirror component (uses the Linkerd controller image) | +| controllerImageVersion | string | `"linkerdVersionValue"` | Tag for the Service Mirror container Docker image | +| createdByAnnotation | string | `"linkerd.io/created-by"` | Annotation label for the proxy create. Do not edit. | +| gatewayProbePort | int | `4181` | The port used for liveliness probing | +| logLevel | string | `"info"` | Log level for the Multicluster components | +| namespace | string | `"linkerd-multicluster"` | Service Mirror component namespace | +| serviceMirrorRetryLimit | int | `3` | Number of times update from the remote cluster is allowed to be requeued (retried) | +| serviceMirrorUID | int | `2103` | User id under which the Service Mirror shall be ran | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/linkerd2-multicluster-link/README.md.gotmpl b/charts/linkerd2-multicluster-link/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/charts/linkerd2-multicluster-link/README.md.gotmpl 
@@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd2-multicluster-link/values.yaml b/charts/linkerd2-multicluster-link/values.yaml index 310dff194c51b..c4acacb2a227e 100644 --- a/charts/linkerd2-multicluster-link/values.yaml +++ b/charts/linkerd2-multicluster-link/values.yaml @@ -1,9 +1,20 @@ +# -- Control plane label. Do not edit controllerComponentLabel: linkerd.io/control-plane-component +# -- Docker image for the Service mirror component (uses the Linkerd controller +# image) controllerImage: ghcr.io/linkerd/controller +# -- Tag for the Service Mirror container Docker image controllerImageVersion: linkerdVersionValue +# -- Annotation label for the proxy create. Do not edit. createdByAnnotation: linkerd.io/created-by +# -- The port used for liveliness probing gatewayProbePort: 4181 +# -- Service Mirror component namespace namespace: linkerd-multicluster +# -- Log level for the Multicluster components logLevel: info +# -- Number of times update from the remote cluster is allowed to be requeued +# (retried) serviceMirrorRetryLimit: 3 +# -- User id under which the Service Mirror shall be ran serviceMirrorUID: 2103 diff --git a/charts/linkerd2-multicluster/Chart.yaml b/charts/linkerd2-multicluster/Chart.yaml index 0870b69269002..2405acdead837 100644 --- a/charts/linkerd2-multicluster/Chart.yaml +++ b/charts/linkerd2-multicluster/Chart.yaml 
@@ -1,6 +1,8 @@ apiVersion: v1 appVersion: edge-XX.X.X -description: A helm chart containing the resources to support multicluster linking to remote clusters +description: | + A helm chart containing the resources to support multicluster + linking to remote clusters kubeVersion: ">=1.13.0-0" icon: https://linkerd.io/images/logo-only-200h.png name: "linkerd2-multicluster" diff --git a/charts/linkerd2-multicluster/README.md b/charts/linkerd2-multicluster/README.md index 1c18c415b13a6..7928ca0d8a1a8 100644 --- a/charts/linkerd2-multicluster/README.md +++ b/charts/linkerd2-multicluster/README.md 
@@ -1,42 +1,38 @@ +# linkerd2-multicluster -# Linkerd2-multicluster Helm Chart - -Linkerd is a *service mesh*, designed to give platform-wide observability, -reliability, and security without requiring configuration or code changes. This -chart provides the components needed to enable communication between clusters. - -## Configuration - -The following table lists the configurable parameters of the -linkerd2-multicluster chart and their default values. - -| Parameter | Description | Default | -|---------------------------------|---------------------------------------------------------------------------------------------|----------------------------------------------| -|`controllerComponentLabel` | Control plane label. Do not edit |`linkerd.io/control-plane-component` | -|`controllerImage` | Docker image for the Service mirror component (uses the Linkerd controller image) |`ghcr.io/linkerd/controller` | -|`controllerImageVersion` | Tag for the Service Mirror container Docker image |`latest version` | -|`createdByAnnotation` | Annotation label for the proxy create. Do not edit. 
|`linkerd.io/created-by` | -|`gateway` | If the gateway component should be installed |`true` | -|`gatewayLocalProbePath` | The path that will be used by the local liveness checks to ensure the gateway is alive |`/health-local` | -|`gatewayLocalProbePort` | The port that will be used by the local liveness checks to ensure the gateway is alive |`8888` | -|`gatewayName` | The name of the gateway that will be installed |`linkerd-gateway` | -|`gatewayNginxImage` | The Nginx image |`nginx` | -|`gatewayNginxImageVersion` | The version of the Nginx image |`1.17` | -|`gatewayPort` | The port on which all the gateway will accept incoming traffic |`4143` | -|`gatewayProbePath` | The path that will be used by remote clusters for determining whether the gateway is alive |`/health` | -|`gatewayProbePort` | The port used for liveliness probing |`4181` | -|`gatewayProbeSeconds` | The interval (in seconds) between liveness probes |`3` | -|`gatewayServiceAnnotations` | Additional annotations to add to the gateway service |`{}` | -|`identityTrustDomain` | Trust domain used for identity of the existing linkerd installation |`cluster.local` | -|`installNamespace` | If the namespace should be installed |`true` | -|`linkerdNamespace` | The namespace of the existing Linkerd installation |`linkerd` | -|`linkerdVersion` | Control plane version | latest version | -|`namespace` | Service Mirror component namespace |`linkerd-multicluster` | -|`proxyOutboundPort` | The port on which the proxy accepts outbound traffic |`4140` | -|`remoteMirrorServiceAccountName` | The name (or list of names) of the service account(s) used to allow remote clusters to mirror local services |`linkerd-service-mirror-remote-access-default`| -|`remoteMirrorServiceAccount` | If the remote mirror service account should be installed |`true` | -|`serviceMirror` | If the service mirror component should be installed |`true` | -|`logLevel` | Log level for the Multicluster components |`info` | -|`serviceMirrorRetryLimit` | 
Number of times update from the remote cluster is allowed to be requeued (retried) |`3` | -|`serviceMirrorUID` | User id under which the Service Mirror shall be ran |`2103` | -|`loadBalancerIP` | Request a specific IP address for the gateway service (e.g. use an IP address you have reserved) |emptyString | +A helm chart containing the resources to support multicluster +linking to remote clusters + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +## Requirements + +Kubernetes: `>=1.13.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| controllerComponentLabel | string | `"linkerd.io/control-plane-component"` | Control plane label. Do not edit | +| createdByAnnotation | string | `"linkerd.io/created-by"` | Annotation label for the proxy create. Do not edit. | +| gateway | bool | `true` | If the gateway component should be installed | +| gatewayLocalProbePath | string | `"/health-local"` | The path that will be used by the local liveness checks to ensure the gateway is alive | +| gatewayLocalProbePort | int | `8888` | The port that will be used by the local liveness checks to ensure the gateway is alive | +| gatewayName | string | `"linkerd-gateway"` | The name of the gateway that will be installed | +| gatewayNginxImage | string | `"nginx"` | The Nginx image | +| gatewayNginxImageVersion | float | `1.17` | The version of the Nginx image | +| gatewayPort | int | `4143` | The port on which all the gateway will accept incoming traffic | +| gatewayProbePath | string | `"/health"` | The path that will be used by remote clusters for determining whether the gateway is alive | +| gatewayProbePort | int | `4181` | The port used for liveliness probing | +| gatewayProbeSeconds | int | `3` | The interval (in seconds) between liveness probes | +| installNamespace | 
bool | `true` | If the namespace should be installed | +| linkerdVersion | string | `"linkerdVersionValue"` | Control plane version | +| namespace | string | `"linkerd-multicluster"` | Service Mirror component namespace | +| proxyOutboundPort | int | `4140` | The port on which the proxy accepts outbound traffic | +| remoteMirrorServiceAccount | bool | `true` | If the remote mirror service account should be installed | +| remoteMirrorServiceAccountName | string | `"linkerd-service-mirror-remote-access-default"` | The name of the service account used to allow remote clusters to mirror local services | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/linkerd2-multicluster/README.md.gotmpl b/charts/linkerd2-multicluster/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/charts/linkerd2-multicluster/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd2-multicluster/values.yaml b/charts/linkerd2-multicluster/values.yaml index 6522e71075790..e747de85ea3be 100644 --- a/charts/linkerd2-multicluster/values.yaml +++ b/charts/linkerd2-multicluster/values.yaml 
@@ -1,18 +1,40 @@ +# -- Control plane label. Do not edit controllerComponentLabel: linkerd.io/control-plane-component +# -- Annotation label for the proxy create. Do not edit. createdByAnnotation: linkerd.io/created-by +# -- If the gateway component should be installed gateway: true +# -- The path that will be used by the local liveness checks to ensure the +# gateway is alive gatewayLocalProbePath: /health-local +# -- The port that will be used by the local liveness checks to ensure the +# gateway is alive gatewayLocalProbePort: 8888 +# -- The name of the gateway that will be installed gatewayName: linkerd-gateway +# -- The Nginx image gatewayNginxImage: nginx +# -- The version of the Nginx image gatewayNginxImageVersion: 1.17 +# -- The port on which all the gateway will accept incoming traffic gatewayPort: 4143 +# -- The path that will be used by remote clusters for determining whether the +# gateway is alive gatewayProbePath: /health +# -- The port used for liveliness probing gatewayProbePort: 4181 +# -- The interval (in seconds) between liveness probes gatewayProbeSeconds: 3 +# -- If the namespace should be installed installNamespace: true +# -- Control plane version linkerdVersion: linkerdVersionValue +# -- Service Mirror component namespace namespace: linkerd-multicluster +# -- The port on which the proxy accepts outbound traffic proxyOutboundPort: 4140 +# -- If the remote mirror service account should be installed remoteMirrorServiceAccount: true +# -- The name of the service account used to allow remote clusters to mirror +# local services remoteMirrorServiceAccountName: linkerd-service-mirror-remote-access-default diff --git a/charts/linkerd2/Chart.yaml b/charts/linkerd2/Chart.yaml index ce7ee5f954179..cbfc8b38b3637 100644 --- a/charts/linkerd2/Chart.yaml +++ b/charts/linkerd2/Chart.yaml 
@@ -1,7 +1,9 @@ apiVersion: "v1" # this version will be updated by the CI before publishing the Helm tarball appVersion: edge-XX.X.X -description: Linkerd gives you observability, reliability, and security for your microservices — with no code change required. +description: | + Linkerd gives you observability, reliability, and security + for your microservices — with no code change required. home: https://linkerd.io keywords: - service-mesh diff --git a/charts/linkerd2/README.md b/charts/linkerd2/README.md index 14bbd69ff7e09..e3a468243e4a9 100644 --- a/charts/linkerd2/README.md +++ b/charts/linkerd2/README.md @@ -1,9 +1,13 @@ -# Linkerd2 Helm Chart +# linkerd2 -Linkerd is a *service mesh*, designed to give platform-wide observability, -reliability, and security without requiring configuration or code changes. +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. -Linkerd is a Cloud Native Computing Foundation ([CNCF][cncf]) project. +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +**Homepage:** ## Quickstart and documentation @@ -29,7 +33,6 @@ Note that the provided certificates must be ECDSA certificates. ```bash # To add the repo for Linkerd2 stable releases: helm repo add linkerd https://helm.linkerd.io/stable - # To add the repo for Linkerd2 edge releases: helm repo add linkerd-edge https://helm.linkerd.io/edge ``` 
@@ -79,179 +82,6 @@ helm install \ linkerd/linkerd2 ``` -## Configuration - -The following table lists the configurable parameters of the Linkerd2 chart and -their default values. - -| Parameter | Description | Default | -|:--------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------| -| `controllerImage` | Docker image for the controller, tap and identity components | `ghcr.io/linkerd/controller` | -| `controllerReplicas` | Number of replicas for each control plane pod | `1` | -| `controllerUID` | User ID for the control plane components | `2103` | -| `dashboard.replicas` | Number of replicas of dashboard | `1` | -| `debugContainer.image.name` | Docker image for the debug container | `ghcr.io/linkerd/debug` | -| `debugContainer.image.pullPolicy` | Pull policy for the debug container Docker image | `IfNotPresent` | -| `debugContainer.image.version` | Tag for the debug container Docker image | latest version | -| `destinationResources` | CPU and Memory resources required by destination (see `global.proxy.resources` for sub-fields) | | -| `destinationProxyResources` | CPU and Memory resources required by proxy injected into destination pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `disableHeartBeat` | Set to true to not start the heartbeat cronjob | `false` | -| `enableH2Upgrade` | Allow proxies to perform transparent HTTP/2 upgrading | `true` | -| `global.clusterDomain` | Kubernetes DNS Domain name to use | `cluster.local` | -| `global.clusterNetworks` | The networks that may include pods & services in this cluscter | `10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16` | -| `global.cniEnabled` | Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni 
plugin to already be installed | `false` | -| `global.controllerComponentLabel` | Control plane label. Do not edit | `linkerd.io/control-plane-component` | -| `global.controllerImageVersion` | Tag for the controller container docker image | latest version | -| `global.controllerLogLevel` | Log level for the control plane components | `info` | -| `global.controllerNamespaceLabel` | Control plane label. Do not edit | `linkerd.io/control-plane-ns` | -| `global.grafanaUrl` | URL of external grafana instance configured with reverse proxy, used by the dashboard | | -| `global.podLabels` | Additional labels to add to all pods | `{}` | -| `global.podAnnotations` | Additional annotations to add to all pods | `{}` | -| `global.createdByAnnotation` | Annotation label for the proxy create. Do not edit. | `linkerd.io/created-by` | -| `global.identityTrustAnchorsPEM` | Trust root certificate (ECDSA). It must be provided during install. | | -| `global.identityTrustDomain` | Trust domain used for identity | `cluster.local` | -| `global.imagePullPolicy` | Docker image pull policy | `IfNotPresent` | -| `global.linkerdNamespaceLabel` | Control plane label. Do not edit | `linkerd.io/is-control-plane` | -| `global.linkerdVersion` | Control plane version | latest version | -| `global.namespace` | Control plane namespace | `linkerd` | -| `global.prometheusUrl` | URL of external prometheus instance to perform queries, used by the `public-api` | | -| `global.proxy.cores` | The number of proxy threads to be allocated for each proxy. Must be a whole number, and should be kept in sync with `global.proxy.resources.cpu.limit`, if set. 
| | -| `global.proxy.enableExternalProfiles` | Enable service profiles for non-Kubernetes services | `false` | -| `global.proxy.image.name` | Docker image for the proxy | `ghcr.io/linkerd/proxy` | -| `global.proxy.image.pullPolicy` | Pull policy for the proxy container Docker image | `IfNotPresent` | -| `global.proxy.image.version` | Tag for the proxy container Docker image | latest version | -| `global.proxy.logLevel` | Log level for the proxy | `warn,linkerd=info` | -| `global.proxy.logFormat` | Log format (`plain` or `json`) for the proxy | `plain` | -| `global.proxy.ports.admin` | Admin port for the proxy container | `4191` | -| `global.proxy.ports.control` | Control port for the proxy container | `4190` | -| `global.proxy.ports.inbound` | Inbound port for the proxy container | `4143` | -| `global.proxy.ports.outbound` | Outbound port for the proxy container | `4140` | -| `global.proxy.resources.cpu.limit` | Maximum amount of CPU units that the proxy can use | | -| `global.proxy.resources.cpu.request` | Amount of CPU units that the proxy requests | | -| `global.proxy.resources.memory.limit` | Maximum amount of memory that the proxy can use | | -| `global.proxy.resources.memory.request` | Amount of memory that the proxy requests | | -| `global.proxy.trace.collectorSvcAccount` | Service account associated with the Trace collector instance | `default` | -| `global.proxy.trace.collectorSvcAddr` | Collector Service address for the proxies to send Trace Data | | -| `global.proxy.uid` | User id under which the proxy runs | `2102` | -| `global.proxy.waitBeforeExitSeconds` | The proxy sidecar will stay alive for at least the given period before receiving SIGTERM signal from Kubernetes but no longer than pod's `terminationGracePeriodSeconds`. 
| `0` | -| `global.proxy.outboundConnectTimeout` | Maximum time allowed for the proxy to establish an outbound TCP connection | `1000ms` | -| `global.proxy.inboundConnectTimeout` | Maximum time allowed for the proxy to establish an inbound TCP connection | `100ms` | -| `global.proxyInit.ignoreInboundPorts` | Inbound ports the proxy should ignore | `25,443,587,3306,11211` | -| `global.proxyInit.ignoreOutboundPorts` | Outbound ports the proxy should ignore | `25,443,587,3306,11211` | -| `global.proxyInit.image.name` | Docker image for the proxy-init container | `ghcr.io/linkerd/proxy-init` | -| `global.proxyInit.image.pullPolicy` | Pull policy for the proxy-init container Docker image | `IfNotPresent` | -| `global.proxyInit.image.version` | Tag for the proxy-init container Docker image | latest version | -| `global.proxyInit.resources.cpu.limit` | Maximum amount of CPU units that the proxy-init container can use | `100m` | -| `global.proxyInit.resources.cpu.request` | Amount of CPU units that the proxy-init container requests | `10m` | -| `global.ProxyInit.resources.memory.limit` | Maximum amount of memory that the proxy-init container can use | `50Mi` | -| `global.proxyInit.resources.memory.request` | Amount of memory that the proxy-init container requests | `10Mi` | -| `global.proxyInjectAnnotation` | Annotation label to signal injection. Do not edit. | `linkerd.io/inject` | -| `global.proxyInjectDisabled` | Annotation value to disable injection. Do not edit. | `disabled` | -| `heartbeatSchedule` | Config for the heartbeat cronjob | `0 0 * * *` | -| `identity.issuer.clockSkewAllowance` | Amount of time to allow for clock skew within a Linkerd cluster | `20s` | -| `identity.issuer.crtExpiry` | Expiration timestamp for the issuer certificate. It must be provided during install | | -| `identity.issuer.crtExpiryAnnotation` | Annotation used to identity the issuer certificate expiration timestamp. Do not edit. 
| `linkerd.io/identity-issuer-expiry` | -| `identity.issuer.issuanceLifetime` | Amount of time for which the Identity issuer should certify identity | `24h0m0s` | -| `identity.issuer.scheme` | Which scheme is used for the identity issuer secret format | `linkerd.io/tls` | -| `identity.issuer.tls.crtPEM` | Issuer certificate (ECDSA). It must be provided during install. | | -| `identity.issuer.tls.keyPEM` | Key for the issuer certificate (ECDSA). It must be provided during install. | | -| `identityResources` | CPU and Memory resources required by the identity controller (see `global.proxy.resources` for sub-fields) | | -| `identityProxyResources` | CPU and Memory resources required by proxy injected into identity pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `installNamespace` | Set to false when installing Linkerd in a custom namespace. See the [Linkerd documentation](https://linkerd.io/2/tasks/install-helm/#customizing-the-namespace) for more information. | `true` | -| `omitWebhookSideEffects` | Omit the `sideEffects` flag in the webhook manifests | `false` | -| `proxyInjector.externalSecret` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below). | `false` | -| `proxyInjector.namespaceSelector` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation `config.linkerd.io/admission-webhooks=disabled` | | -| `proxyInjector.crtPEM` | Certificate for the proxy injector. If not provided then Helm will generate one. | | -| `proxyInjector.keyPEM` | Certificate key for the proxy injector. If not provided then Helm will generate one. | | -| `proxyInjector.caBundle` | Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. 
If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated. | | -| `proxyInjectorResources` | CPU and Memory resources required by the proxy injector (see `global.proxy.resources` for sub-fields) | | -| `proxyInjectorProxyResources` | CPU and Memory resources required by proxy injected into the proxy injector pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `profileValidator.externalSecret` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). | false | -| `profileValidator.namespaceSelector` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation `config.linkerd.io/admission-webhooks=disabled` | | -| `profileValidator.crtPEM` | Certificate for the service profile validator. If not provided then Helm will generate one. | | -| `profileValidator.keyPEM` | Certificate key for the service profile validator. If not provided then Helm will generate one. | | -| `profileValidator.caBundle` | Bundle of CA certificates for service profile validator. If not provided then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value must be set, as no certificate will be generated. 
| | -| `publicAPIResources` | CPU and Memory resources required by controllers publicAPI (see `global.proxy.resources` for sub-fields) | | -| `publicAPIProxyResources` | CPU and Memory resources required by proxy injected into controllers public API pod (see `global.proxy.resources` for sub-fields) | values `global.proxy.resources` | -| `spValidatorResources` | CPU and Memory resources required by the SP validator (see `global.proxy.resources` for sub-fields) | | -| `spValidatorProxyResources` | CPU and Memory resources required by proxy injected into the SP validator pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `tap.externalSecret` | Do not create a secret resource for the Tap component. If this is set to `true`, the value `tap.caBundle` must be set (see below). | false | -| `tap.crtPEM` | Certificate for the Tap component. If not provided then Helm will generate one. | | -| `tap.keyPEM` | Certificate key for Tap component. If not provided then Helm will generate one. | | -| `tap.caBundle` | Bundle of CA certificates for Tap component. If not provided then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to true, this value must be set, as no certificate will be generated. 
|| -| `tapResources` | CPU and Memory resources required by tap (see `global.proxy.resources` for sub-fields) | | -| `tapProxyResources` | CPU and Memory resources required by proxy injected into tap pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `webhookFailurePolicy` | Failure policy for the proxy injector | `Ignore` | -| `webImage` | Docker image for the web container | `ghcr.io/linkerd/web` | -| `webResources` | CPU and Memory resources required by web UI (see `global.proxy.resources` for sub-fields) | | -| `webProxyResources` | CPU and Memory resources required by proxy injected into web UI pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `enforcedHostRegexp` | Host header validation regex for the dashboard. See the [Linkerd documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more information | `""` | -| `nodeSelector` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | `beta.kubernetes.io/os: linux` | -| `tolerations` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information | | - -## Add-Ons Configuration - -### Grafana Add-On - -The following table lists the configurable parameters for the Grafana Add-On. 
- -| Parameter | Description | Default | -|:--------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------| -| `grafana.enabled` | Flag to enable grafana instance to be installed | `true` -| `grafana.image.name` | Docker image name for the grafana instance | `ghcr.io/linkerd/grafana` | -| `grafana.image.tag` | Docker image tag for the grafana instance | latest version | -| `grafana.resources.cpu.limit` | Maximum amount of CPU units that the grafana container can use || -| `grafana.resources.cpu.request` | Amount of CPU units that the grafana container requests || -| `grafana.resources.memory.limit` | Maximum amount of memory that grafana container can use || -| `grafana.resources.memory.request` | Amount of memory that the grafana container requests || -| `grafana.proxy.resources` | Structure analog to the `resources` fields above, but overriding the resources of the linkerd proxy injected into the grafana pod. | values in `global.proxy.resources` of the linkerd2 chart. | - -### Prometheus Add-On - -The following table lists the configurable parameters for the Prometheus Add-On. - -| Parameter | Description | Default | -|:--------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------| -| `prometheus.enabled` | Flag to enable prometheus instance to be installed | `true` | -| `prometheus.alert_relabel_configs` | Alert relabeling is applied to alerts before they are sent to the Alertmanager. | `[]` | -| `prometheus.alertManagers` | Alertmanager instances the Prometheus server sends alerts to configured via the static_configs parameter. 
| `[]` | -| `prometheus.args` | Command line options for Prometheus binary | `storage.tsdb.path: /data, storage.tsdb.retention.time: 6h, config.file: /etc/prometheus/prometheus.yml, log.level: info` | -| `prometheus.globalConfig` | The global configuration specifies parameters that are valid in all other configuration contexts. | `scrape_interval: 10s, scrape_timeout: 10s, evaluation_interval: 10s` | -| `prometheus.image` | Docker image for the prometheus instance | `prom/prometheus:v2.19.3` | -| `prometheus.proxy.resources` | CPU and Memory resources required by proxy injected into prometheus pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` | -| `prometheus.persistence.storageClass` | Storage class used to create prometheus data PV. | `nil` | -| `prometheus.persistence.accessMode` | PVC access mode. | `ReadWriteOnce` | -| `prometheus.persistence.size` | Prometheus data volume size. | `8Gi` | -| `prometheus.remoteWrite` | Allows transparently sending samples to an endpoint. Mostly used for long term storage. || -| `prometheus.resources.cpu.limit` | Maximum amount of CPU units that the prometheus container can use || -| `prometheus.resources.cpu.request` | Amount of CPU units that the prometheus container requests || -| `prometheus.resources.memory.limit` | Maximum amount of memory that prometheus container can use || -| `prometheus.resources.memory.request` | Amount of memory that the prometheus container requests || -| `prometheus.ruleConfigMapMounts` | Alerting/recording rule ConfigMap mounts (sub-path names must end in `_rules.yml` or `_rules.yaml`) | `[]` | -| `prometheus.scrapeConfigs` | A scrape_config section specifies a set of targets and parameters describing how to scrape them. | `[]` | -| `prometheus.sidecarContainers` | A sidecarContainers section specifies a list of secondary containers to run in the prometheus pod e.g. 
to export data to non-prometheus systems | `[]` | - -Most of the above configuration match directly with the official Prometheus -configuration which can be found [here](https://prometheus.io/docs/prometheus/latest/configuration/configuration) - -### Tracing Add-On - -The following table lists the configurable parameters for the Tracing Add-On. - -| Parameter | Description | Default | -|:---------------------------------------------|:-----------------------------------------------------------------------|:---------------------------------------| -| `tracing.enabled` | Flag to enable tracing components to be installed | `false` | -| `tracing.collector.image` | Docker image for the trace collector | `omnition/opencensus-collector:0.1.10` | -| `tracing.collector.resources.cpu.limit` | Maximum amount of CPU units that the trace collector container can use | | -| `tracing.collector.resources.cpu.request` | Amount of CPU units that the trace collector container requests | | -| `tracing.collector.resources.memory.limit` | Maximum amount of memory that the trace collector container can use | | -| `tracing.collector.resources.memory.request` | Amount of memory that the trace collector container requests | | -| `tracing.jaeger.image` | Docker image for the jaeger instance | `jaegertracing/all-in-one:1.19.2` | -| `tracing.jaeger.resources.cpu.limit` | Maximum amount of CPU units that the jaeger container can use | | -| `tracing.jaeger.resources.cpu.request` | Amount of CPU units that the jaeger container requests | | -| `tracing.jaeger.resources.memory.limit` | Maximum amount of memory that the jaeger container can use | | -| `tracing.jaeger.resources.memory.request` | Amount of memory that the jaeger container requests | | - ## Get involved * Check out Linkerd's source code at [Github][linkerd2]. 
@@ -269,3 +99,132 @@ The following table lists the configurable parameters for the Tracing Add-On. [linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users [slack]: http://slack.linkerd.io [twitter]: https://twitter.com/linkerd + +## Addons for linkerd + +For the linkerd application there are some addons that can be configured. The +documentation for the configurations of the addons can be found in their +respective readme.md + +[Prometheus](https://github.com/linkerd/linkerd2/blob/main/charts/add-ons/prometheus/README.md) + +[Grafana](https://github.com/linkerd/linkerd2/blob/main/charts/add-ons/grafana/README.md) + +[Tracing](https://github.com/linkerd/linkerd2/blob/main/charts/add-ons/tracing/README.md) + +## Requirements + +Kubernetes: `>=1.13.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../add-ons/grafana | grafana | 0.1.0 | +| file://../add-ons/prometheus | prometheus | 0.1.0 | +| file://../add-ons/tracing | tracing | 0.1.0 | +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| controllerImage | string | `"ghcr.io/linkerd/controller"` | Docker image for the controller, tap and identity components | +| controllerReplicas | int | `1` | Number of replicas for each control plane pod | +| controllerUID | int | `2103` | User ID for the control plane components | +| dashboard.replicas | int | `1` | Number of replicas of dashboard | +| debugContainer.image.name | string | `"ghcr.io/linkerd/debug"` | Docker image for the debug container | +| debugContainer.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the debug container Docker image | +| debugContainer.image.version | string | `"linkerdVersionValue"` | Tag for the debug container Docker image | +| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | +| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading | +| 
enforcedHostRegexp | string | `""` | Host header validation regex for the dashboard. See the [Linkerd documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more information | +| global.clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | +| global.clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"` | The cluster networks for which service discovery is performed. This should include the pod network but need not include the node network. By default, all private networks are specified so that resolution works in typical Kubernetes environments. | +| global.cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed | +| global.controlPlaneTracing | bool | `false` | control plane trace configuration | +| global.controllerComponentLabel | string | `"linkerd.io/control-plane-component"` | Control plane label. Do not edit | +| global.controllerLogLevel | string | `"info"` | Log level for the control plane components | +| global.controllerNamespaceLabel | string | `"linkerd.io/control-plane-ns"` | Control plane label. Do not edit | +| global.createdByAnnotation | string | `"linkerd.io/created-by"` | Annotation label for the proxy create. Do not edit. | +| global.enableEndpointSlices | bool | `false` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on; the feature is still experimental. | +| global.grafanaUrl | string | `""` | url of external grafana instance with reverse proxy configured. | +| global.identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. 
| +| global.identityTrustDomain | string | `"cluster.local"` | Trust domain used for identity | +| global.imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy | +| global.imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | +| global.linkerdNamespaceLabel | string | `"linkerd.io/is-control-plane"` | Control plane label. Do not edit | +| global.linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | +| global.namespace | string | `"linkerd"` | Control plane namespace | +| global.podAnnotations | object | `{}` | Additional annotations to add to all pods | +| global.podLabels | object | `{}` | Additional labels to add to all pods | +| global.prometheusUrl | string | `""` | url of existing prometheus | +| global.proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. 
| +| global.proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services | +| global.proxy.image.name | string | `"ghcr.io/linkerd/proxy"` | Docker image for the proxy | +| global.proxy.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the proxy container Docker image | +| global.proxy.image.version | string | `"linkerdVersionValue"` | Tag for the proxy container Docker image | +| global.proxy.inboundConnectTimeout | string | `"100ms"` | Maximum time allowed for the proxy to establish an inbound TCP connection | +| global.proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy | +| global.proxy.logLevel | string | `"warn,linkerd=info"` | Log level for the proxy | +| global.proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection | +| global.proxy.ports.admin | int | `4191` | Admin port for the proxy container | +| global.proxy.ports.control | int | `4190` | Control port for the proxy container | +| global.proxy.ports.inbound | int | `4143` | Inbound port for the proxy container | +| global.proxy.ports.outbound | int | `4140` | Outbound port for the proxy container | +| global.proxy.requireIdentityOnInboundPorts | string | `""` | | +| global.proxy.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the proxy can use | +| global.proxy.resources.cpu.request | string | `""` | Amount of CPU units that the proxy requests | +| global.proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use | +| global.proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests | +| global.proxy.trace.collectorSvcAccount | string | `"default"` | Service account associated with the Trace collector instance | +| global.proxy.trace.collectorSvcAddr | string | `""` | Collector Service address for the proxies to send Trace Data | +| global.proxy.uid | 
int | `2102` | User id under which the proxy runs | +| global.proxy.waitBeforeExitSeconds | int | `0` | If set the proxy sidecar will stay alive for at least the given period before receiving SIGTERM signal from Kubernetes but no longer than pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. | +| global.proxyInit.closeWaitTimeoutSecs | int | `0` | | +| global.proxyInit.ignoreInboundPorts | string | `"25,443,587,3306,11211"` | Default set of ports to skip via itpables: - SMTP (25,587) server-first - HTTPS (443) opaque TLS - MYSQL (3306) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | +| global.proxyInit.ignoreOutboundPorts | string | `"25,443,587,3306,11211"` | Default set of ports to skip via itpables, same defaults as InboudPorts | +| global.proxyInit.image.name | string | `"ghcr.io/linkerd/proxy-init"` | Docker image for the proxy-init container | +| global.proxyInit.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the proxy-init container Docker image | +| global.proxyInit.image.version | string | `"v1.3.8"` | Tag for the proxy-init container Docker image | +| global.proxyInit.resources.cpu.limit | string | `"100m"` | Maximum amount of CPU units that the proxy-init container can use | +| global.proxyInit.resources.cpu.request | string | `"10m"` | Amount of CPU units that the proxy-init container requests | +| global.proxyInit.resources.memory.limit | string | `"50Mi"` | Maximum amount of memory that the proxy-init container can use | +| global.proxyInit.resources.memory.request | string | `"10Mi"` | Amount of memory that the proxy-init container requests | +| global.proxyInit.xtMountPath.mountPath | string | `"/run"` | | +| global.proxyInit.xtMountPath.name | string | `"linkerd-proxy-init-xtables-lock"` | | +| global.proxyInjectAnnotation | string | 
`"linkerd.io/inject"` | Annotation label to signal injection. Do not edit. | +| global.proxyInjectDisabled | string | `"disabled"` | Annotation value to disable injection. Do not edit. | +| global.workloadNamespaceLabel | string | `"linkerd.io/workload-ns"` | | +| grafana.enabled | bool | `true` | | +| heartbeatSchedule | string | `"0 0 * * *"` | Config for the heartbeat cronjob | +| identity.issuer.clockSkewAllowance | string | `"20s"` | Amount of time to allow for clock skew within a Linkerd cluster | +| identity.issuer.crtExpiry | string | `nil` | Expiration timestamp for the issuer certificate. It must be provided during install. Must match the expiry date in crtPEM | +| identity.issuer.crtExpiryAnnotation | string | `"linkerd.io/identity-issuer-expiry"` | Annotation used to identity the issuer certificate expiration timestamp. Do not edit. | +| identity.issuer.issuanceLifetime | string | `"24h0m0s"` | Amount of time for which the Identity issuer should certify identity | +| identity.issuer.scheme | string | `"linkerd.io/tls"` | | +| identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format | +| identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. | +| identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install | +| installNamespace | bool | `true` | Set to false when installing Linkerd in a custom namespace. See the [Linkerd documentation](https://linkerd.io/2/tasks/install-helmcustomizing-the-namespace) for more information. 
| +| nodeSelector | object | `{"beta.kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | +| omitWebhookSideEffects | bool | `false` | Omit the `sideEffects` flag in the webhook manifests | +| profileValidator.caBundle | string | `""` | Bundle of CA certificates for service profile validator. If not provided then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value must be set, as no certificate will be generated. | +| profileValidator.crtPEM | string | `""` | Certificate for the service profile validator. If not provided then Helm will generate one. | +| profileValidator.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). | +| profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided then Helm will generate one. | +| profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | +| prometheus.enabled | bool | `true` | | +| proxyInjector.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated. | +| proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided then Helm will generate one. | +| proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. 
If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below) | +| proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided then Helm will generate one. | +| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook. If not set defaults to all namespaces without the annotation config.linkerd.io/admission-webhooks=disabled | +| tap.caBundle | string | `""` | Bundle of CA certificates for Tap component. If not provided then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to true, this value must be set, as no certificate will be generated. | +| tap.crtPEM | string | `""` | Certificate for the Tap component. If not provided then Helm will generate one. | +| tap.externalSecret | bool | `false` | Do not create a secret resource for the Tap component. If this is set to `true`, the value `tap.caBundle` must be set (see below). | +| tap.keyPEM | string | `""` | Certificate key for Tap component. If not provided then Helm will generate one. | +| tracing.enabled | bool | `false` | | +| webImage | string | `"ghcr.io/linkerd/web"` | | +| webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/linkerd2/README.md.gotmpl b/charts/linkerd2/README.md.gotmpl new file mode 100644 index 0000000000000..d2bb0982cbdde --- /dev/null +++ b/charts/linkerd2/README.md.gotmpl 
@@ -0,0 +1,118 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes 1.13+ cluster in a matter of seconds. See +the [Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: identity certificates + +The identity component of Linkerd requires setting up a trust anchor +certificate, and an issuer certificate with its key. These need to be provided +to Helm by the user (unlike when using the `linkerd install` CLI which can +generate these automatically). You can provide your own, or follow [these +instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new +ones. + +Note that the provided certificates must be ECDSA certificates. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd2 stable releases: +helm repo add linkerd https://helm.linkerd.io/stable +# To add the repo for Linkerd2 edge releases: +helm repo add linkerd-edge https://helm.linkerd.io/edge +``` + +The following instructions use the `linkerd` repo. For installing an edge +release, just replace with `linkerd-edge`. + +## Installing the chart + +You must provide the certificates and keys described in the preceding section, +and the same expiration date you used to generate the Issuer certificate. 
+ +In this example we set the expiration date to one year ahead: + +```bash +helm install \ + --set-file global.identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + --set identity.issuer.crtExpiry=$(date -d '+8760 hour' +"%Y-%m-%dT%H:%M:%SZ") \ + linkerd/linkerd2 +``` + +## Setting High-Availability + +Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` +file that overrides some default values as to set things up under a +high-availability scenario, analogous to the `--ha` option in `linkerd install`. +Values such as higher number of replicas, higher memory/cpu limits and +affinities are specified in that file. + +You can get ahold of `values-ha.yaml` by fetching the chart files: + +```bash +helm fetch --untar linkerd/linkerd2 +``` + +Then use the `-f` flag to provide the override file, for example: + +```bash +helm install \ + --set-file global.identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + --set identity.issuer.crtExpiry=$(date -d '+8760 hour' +"%Y-%m-%dT%H:%M:%SZ") \ + -f linkerd2/values-ha.yaml + linkerd/linkerd2 +``` + +## Get involved + +* Check out Linkerd's source code at [Github][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. 
+ +[cncf]: https://www.cncf.io/ +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Addons for linkerd + +For the linkerd application there are some addons that can be configured. The +documentation for the configurations of the addons can be found in their +respective readme.md + +[Prometheus](https://github.com/linkerd/linkerd2/blob/main/charts/add-ons/prometheus/README.md) + +[Grafana](https://github.com/linkerd/linkerd2/blob/main/charts/add-ons/grafana/README.md) + +[Tracing](https://github.com/linkerd/linkerd2/blob/main/charts/add-ons/tracing/README.md) + + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd2/values.yaml b/charts/linkerd2/values.yaml index 1840af6276df8..a58b8de95ccb1 100644 --- a/charts/linkerd2/values.yaml +++ b/charts/linkerd2/values.yaml 
@@ -4,199 +4,262 @@ # Values that are passed along to sub-charts global: - # The kubernetes cluster domain. + # -- Kubernetes DNS Domain name to use clusterDomain: &cluster_domain cluster.local - # The cluster networks for which service discovery is performed. This should + # -- The cluster networks for which service discovery is performed. This should # include the pod network but need not include the node network. # # By default, all private networks are specified so that resolution works in # typical Kubernetes environments. clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - + # -- Docker image pull policy imagePullPolicy: &image_pull_policy IfNotPresent + # -- Log level for the control plane components controllerLogLevel: &controller_log_level info - # control plane trace configuration + # -- control plane trace configuration controlPlaneTracing: false - # control plane version. See Proxy section for proxy version + # -- control plane version. See Proxy section for proxy version linkerdVersion: &linkerd_version linkerdVersionValue + # -- Control plane namespace namespace: linkerd - # enables the use of EndpointSlice informers for the destination service; - # enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on; - # the feature is still experimental. + # -- enables the use of EndpointSlice informers for the destination service; + # enableEndpointSlices should be set to true only if EndpointSlice K8s feature + # gate is on; the feature is still experimental. enableEndpointSlices: false - # enabling this omits the NET_ADMIN capability in the PSP + # -- enabling this omits the NET_ADMIN capability in the PSP # and the proxy-init container when injecting the proxy; # requires the linkerd-cni plugin to already be installed cniEnabled: false + # -- Trust root certificate (ECDSA). It must be provided during install. 
identityTrustAnchorsPEM: | + # -- Trust domain used for identity identityTrustDomain: *cluster_domain - # url of existing prometheus + # -- url of existing prometheus prometheusUrl: "" - # url of external grafana instance with reverse proxy configured + # -- url of external grafana instance with reverse proxy configured. grafanaUrl: "" - # Additional annotations to add to all pods + # -- Additional annotations to add to all pods podAnnotations: {} - # Additional labels to add to all pods + # -- Additional labels to add to all pods podLabels: {} # proxy configuration proxy: + # -- Enable service profiles for non-Kubernetes services enableExternalProfiles: false + # -- Maximum time allowed for the proxy to establish an outbound TCP + # connection outboundConnectTimeout: 1000ms + # -- Maximum time allowed for the proxy to establish an inbound TCP + # connection inboundConnectTimeout: 100ms image: + # -- Docker image for the proxy name: ghcr.io/linkerd/proxy + # -- Pull policy for the proxy container Docker image pullPolicy: *image_pull_policy + # -- Tag for the proxy container Docker image version: *linkerd_version + # -- Log level for the proxy logLevel: warn,linkerd=info + # -- Log format (`plain` or `json`) for the proxy logFormat: plain ports: + # -- Admin port for the proxy container admin: 4191 + # -- Control port for the proxy container control: 4190 + # -- Inbound port for the proxy container inbound: 4143 + # -- Outbound port for the proxy container outbound: 4140 - # The `cpu.limit` and `cores` should be kept in sync. The value of `cores` + # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores` # must be an integer and should typically be set by rounding up from the # limit. E.g. if cpu.limit is '1500m', cores should be 2. 
cores: 0 resources: cpu: + # -- Maximum amount of CPU units that the proxy can use limit: "" + # -- Amount of CPU units that the proxy requests request: "" memory: + # -- Maximum amount of memory that the proxy can use limit: "" + # -- Maximum amount of memory that the proxy requests request: "" trace: + # -- Collector Service address for the proxies to send Trace Data collectorSvcAddr: "" + # -- Service account associated with the Trace collector instance collectorSvcAccount: default + # -- User id under which the proxy runs uid: 2102 - # If set, the proxy's pre-stop hook will postpone the Kubernetes's SIGTERM signal - # and wait for this duration before letting the proxy process the SIGTERM signal. - # See https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + + # -- If set the proxy sidecar will stay alive for at + # least the given period before receiving SIGTERM signal from Kubernetes but + # no longer than pod's `terminationGracePeriodSeconds`. See [Lifecycle + # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) # for more info on container lifecycle hooks. 
waitBeforeExitSeconds: 0 requireIdentityOnInboundPorts: "" # proxy-init configuration proxyInit: - # Default set of ports to skip via itpables: + # -- Default set of ports to skip via itpables: # - SMTP (25,587) server-first # - HTTPS (443) opaque TLS # - MYSQL (3306) server-first # - Memcached (11211) clients do not issue any preamble, which breaks detection ignoreInboundPorts: "25,443,587,3306,11211" + # -- Default set of ports to skip via itpables, same defaults as InboudPorts ignoreOutboundPorts: "25,443,587,3306,11211" image: + # -- Docker image for the proxy-init container name: ghcr.io/linkerd/proxy-init + # -- Pull policy for the proxy-init container Docker image pullPolicy: *image_pull_policy + # -- Tag for the proxy-init container Docker image version: v1.3.8 resources: cpu: + # -- Maximum amount of CPU units that the proxy-init container can use limit: 100m + # -- Amount of CPU units that the proxy-init container requests request: 10m memory: + # -- Maximum amount of memory that the proxy-init container can use limit: 50Mi + # -- Amount of memory that the proxy-init container requests request: 10Mi closeWaitTimeoutSecs: 0 xtMountPath: mountPath: /run name: linkerd-proxy-init-xtables-lock - # control plane annotations - do not edit + # -- Annotation label for the proxy create. Do not edit. createdByAnnotation: linkerd.io/created-by + # -- Annotation label to signal injection. Do not edit. proxyInjectAnnotation: linkerd.io/inject + # -- Annotation value to disable injection. Do not edit. proxyInjectDisabled: disabled - # control plane labels - do not edit + # -- Control plane label. Do not edit controllerComponentLabel: linkerd.io/control-plane-component + # -- Control plane label. Do not edit controllerNamespaceLabel: linkerd.io/control-plane-ns + # -- Control plane label. Do not edit linkerdNamespaceLabel: linkerd.io/is-control-plane workloadNamespaceLabel: linkerd.io/workload-ns - # For Private docker registries, authentication is needed. 
+ # -- For Private docker registries, authentication is needed. # Registry secrets are applied to the respective service accounts imagePullSecrets: [] # - name: my-private-docker-registry-login-secret -# enforced host validation regular expression +# -- Host header validation regex for the dashboard. See the [Linkerd +# documentation](https://linkerd.io/2/tasks/exposing-dashboard) for more +# information enforcedHostRegexp: "" +# -- Allow proxies to perform transparent HTTP/2 upgrading enableH2Upgrade: true +# -- Omit the `sideEffects` flag in the webhook manifests omitWebhookSideEffects: false +# -- Failure policy for the proxy injector webhookFailurePolicy: Ignore -# controller configuration + +# controllerImage -- Docker image for the controller, tap and identity +# components controllerImage: ghcr.io/linkerd/controller +# -- Number of replicas for each control plane pod controllerReplicas: 1 +# -- User ID for the control plane components controllerUID: 2103 # destination configuration # set resources for the sp-validator and its linkerd proxy respectively # see global.proxy.resources for details. 
+# destinationResources -- CPU and Memory resources required by destination (see `global.proxy.resources` for sub-fields) #destinationResources: +#destinationProxyResources -- CPU and Memory resources required by proxy +# injected into destination pod (see `global.proxy.resources` for sub-fields) #destinationProxyResources: # web dashboard configuration dashboard: + # -- Number of replicas of dashboard replicas: 1 # debug configuration debugContainer: image: + # -- Docker image for the debug container name: ghcr.io/linkerd/debug + # -- Pull policy for the debug container Docker image pullPolicy: *image_pull_policy + # -- Tag for the debug container Docker image version: *linkerd_version -# identity configuration identity: issuer: scheme: linkerd.io/tls + # -- Amount of time to allow for clock skew within a Linkerd cluster clockSkewAllowance: 20s - # must match the expiry date in crtPEM + # -- Expiration timestamp for the issuer certificate. It must be provided during install. Must match the expiry date in crtPEM crtExpiry: - # control plane annotation - do not edit + # -- Annotation used to identity the issuer certificate expiration timestamp. Do not edit. crtExpiryAnnotation: linkerd.io/identity-issuer-expiry - + # -- Amount of time for which the Identity issuer should certify identity issuanceLifetime: 24h0m0s - + + # -- Which scheme is used for the identity issuer secret format tls: - # PEM-encoded certificate + # -- Issuer certificate (ECDSA). It must be provided during install. crtPEM: | - # PEM-encoded ECDSA private key + # -- Key for the issuer certificate (ECDSA). It must be provided during + # install keyPEM: | -# set resources for identity and its linkerd proxy respectively -# see global.proxy.resources for details. 
+ +# -|- CPU and Memory resources required by the identity controller (see `global.proxy.resources` for sub-fields) #identityResources: +# -|- CPU and Memory resources required by proxy injected into identity pod (see `global.proxy.resources` for sub-fields) #identityProxyResources: # heartbeat configuration +# disableHeartBeat -- Set to true to not start the heartbeat cronjob disableHeartBeat: false +# -- Config for the heartbeat cronjob heartbeatSchedule: "0 0 * * *" # proxy injector configuration proxyInjector: + # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below) externalSecret: false - # Namespace selector used by admission webhook + # -- Namespace selector used by admission webhook. If not set defaults to all + # namespaces without the annotation + # config.linkerd.io/admission-webhooks=disabled namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks 
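Review bot: In the `identity.issuer` block of this hunk, the comment `# -- Which scheme is used for the identity issuer secret format` sits above `tls:` instead of above `scheme: linkerd.io/tls`, so the generated README attaches that description to `identity.issuer.tls` and leaves `identity.issuer.scheme` blank; move the comment up to `scheme:`. Three other descriptions here look like copy-paste slips and end up verbatim in the README table: `proxyInjector.externalSecret` refers to "the profileValidator webhook", `global.proxy.resources.memory.request` says "Maximum amount of memory that the proxy requests", and the `ignoreOutboundPorts` comment spells "itpables" and "InboudPorts". Several keys still have no `# --` comment at all (`requireIdentityOnInboundPorts`, `closeWaitTimeoutSecs`, `xtMountPath.*`, `workloadNamespaceLabel`); since `requireIdentityOnInboundPorts` is an identity setting, an empty description there is worth filling in.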
@@ -204,24 +267,28 @@ proxyInjector: values: - disabled - # if empty, Helm will auto-generate these fields + # -- Certificate for the proxy injector. If not provided then Helm will generate one. crtPEM: | + # -- Certificate key for the proxy injector. If not provided then Helm will generate one. keyPEM: | - # if empty, Helm will auto-generate this field, unless externalSecret is set to true. + # -- Bundle of CA certificates for proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value must be set, as no certificate will be generated. caBundle: | -# set resources for proxy injector and its linkerd proxy respectively -# see global.proxy.resources for details. +# -|- CPU and Memory resources required by the proxy injector (see +#`global.proxy.resources` for sub-fields) #proxyInjectorResources: +#-|- CPU and Memory resources required by proxy injected into the proxy injector +#pod (see `global.proxy.resources` for sub-fields) #proxyInjectorProxyResources: # service profile validator configuration profileValidator: + # -- Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). externalSecret: false - # Namespace selector used by admission webhook + # -- Namespace selector used by admission webhook namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks 
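Review bot: The `# -|-` prefix on the commented-out `proxyInjectorResources` and `proxyInjectorProxyResources` keys is not one of the two annotation forms the new BUILD.md section describes (`# -- text` and `# key -- text`), and it is spelled inconsistently within this hunk (`# -|-` in one place, `#-|-` in the other, with continuation lines that start with `#` and no space). If the intent is to keep helm-docs from attaching these descriptions to keys that are commented out, state that convention in BUILD.md and use one spelling; otherwise use the explicit key form, as the patch already does for `# destinationResources -- ...`.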
@@ -229,45 +296,68 @@ profileValidator: values: - disabled - # if empty, Helm will auto-generate these fields + # -- Certificate for the service profile validator. If not provided then Helm + # will generate one. crtPEM: | + # -- Certificate key for the service profile validator. If not provided then + # Helm will generate one. keyPEM: | - # if empty, Helm will auto-generate this field, unless externalSecret is set to true. + # -- Bundle of CA certificates for service profile validator. If not provided + # then Helm will use the certificate generated for `profileValidator.crtPEM`. + # If `profileValidator.externalSecret` is set to true, this value must be set, + # as no certificate will be generated. caBundle: | -# set resources for the sp-validator and its linkerd proxy respectively -# see global.proxy.resources for details. +# -|- CPU and Memory resources required by the SP validator (see +#`global.proxy.resources` for sub-fields) #spValidatorResources: +# -|- CPU and Memory resources required by proxy injected into the SP validator +#pod (see `global.proxy.resources` for sub-fields) #spValidatorProxyResources: -# set resources for controllers public API and its linkerd proxy respectively -# see global.proxy.resources for details. +# -|- CPU and Memory resources required by controllers publicAPI (see +#`global.proxy.resources` for sub-fields) #publicAPIResources: +#-|- CPU and Memory resources required by proxy injected into controllers public +#API pod (see `global.proxy.resources` for sub-fields) values +#`global.proxy.resources` #publicAPIProxyResources: # tap configuration tap: + # -- Do not create a secret resource for the Tap component. If this is set to + # `true`, the value `tap.caBundle` must be set (see below). externalSecret: false - # if empty, Helm will auto-generate these fields + # -- Certificate for the Tap component. If not provided then Helm will + # generate one. crtPEM: | + # -- Certificate key for Tap component. 
If not provided then Helm will + # generate one. keyPEM: | - # if empty, Helm will auto-generate this field, unless externalSecret is set to true. + # -- Bundle of CA certificates for Tap component. If not provided then Helm + # will use the certificate generated for `tap.crtPEM`. If + # `tap.externalSecret` is set to true, this value must be set, as no + # certificate will be generated. caBundle: | -# set resources for tap and its linkerd proxy respectively -# see global.proxy.resources for details. +# -|- CPU and Memory resources required by tap (see `global.proxy.resources` for +#sub-fields) #tapResources: +# -|- CPU and Memory resources required by proxy injected into tap pod (see +#`global.proxy.resources` for sub-fields) #tapProxyResources: -# web configuration +# -- Docker image for the web container webImage: ghcr.io/linkerd/web -# set resources for web UI and its linkerd proxy respectively -# see global.proxy.resources for details. +# -<- CPU and Memory resources required by web UI (see `global.proxy.resources` +#for sub-fields) #webResources: +# -|- CPU and Memory resources required by proxy injected into web UI pod (see +#`global.proxy.resources` for sub-fields) #webProxyResources: 
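Review bot: Two of the new comments at the end of this hunk are malformed: the `webResources` comment starts with `# -<-` where every sibling uses `# -|-`, and the `publicAPIProxyResources` comment ends with a leftover fragment (the word `values` followed by a second reference to `global.proxy.resources` on its own line). Correct the marker and drop the trailing fragment so the comment matches the `spValidatorProxyResources` one above it.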
@@ -276,15 +366,20 @@ webImage: ghcr.io/linkerd/web # - The namespace created by the external tool must match the namespace value above # - The external tool needs to create the namespace with the label: # config.linkerd.io/admission-webhooks: disabled + +# installNamespace -- Set to false when installing Linkerd in a custom namespace. See the +# [Linkerd documentation](https://linkerd.io/2/tasks/install-helmcustomizing-the-namespace) for more information. installNamespace: true -# Node selection constraints for control-plane components -# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector. +# -- NodeSelector section, See the [K8S +# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) +# for more information nodeSelector: beta.kubernetes.io/os: linux -# Tolerations constraints for control-plane components -# https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ +# -|- Tolerations section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +# for more information #tolerations: # Configuration for Add-ons diff --git a/charts/partials/Chart.yaml b/charts/partials/Chart.yaml index 7d91420d6f647..b269da1a26ac6 100644 --- a/charts/partials/Chart.yaml +++ b/charts/partials/Chart.yaml @@ -1,4 +1,6 @@ apiVersion: v1 -description: A Helm chart containing Linkerd partial templates, depended by the 'linkerd' and 'patch' charts. +description: | + A Helm chart containing Linkerd partial templates, + depended by the 'linkerd' and 'patch' charts. name: partials version: 0.1.0 diff --git a/charts/partials/README.md b/charts/partials/README.md new file mode 100644 index 0000000000000..1663c6ecaec2e --- /dev/null +++ b/charts/partials/README.md 
@@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) diff --git a/charts/partials/README.md.gotmpl b/charts/partials/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/cli/cmd/testdata/install_addon.golden b/cli/cmd/testdata/install_addon.golden index f67a406ef594b..a5bdf9379467e 100644 --- a/cli/cmd/testdata/install_addon.golden +++ b/cli/cmd/testdata/install_addon.golden @@ -2884,6 +2884,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3316,6 +3317,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 @@ -3623,6 +3625,7 @@ spec: httpGet: path: / port: 13133 + resources: volumeMounts: - mountPath: /conf name: linkerd-collector-config-val @@ -3847,6 +3850,7 @@ spec: name: collection - containerPort: 16686 name: ui + resources: - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index a05fbeaaceeed..998216df0e765 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden 
+++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -2980,6 +2980,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3426,6 +3427,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index cfdd71db426ac..ec316c6328f30 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -2877,6 +2877,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3309,6 +3310,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 323bd70f71fcf..ea2540e08fe8f 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -2877,6 +2877,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3309,6 +3310,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 8d3c0b347f938..f02eb1182a383 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -2877,6 +2877,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3309,6 +3310,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 
diff --git a/cli/cmd/testdata/install_grafana_existing.golden b/cli/cmd/testdata/install_grafana_existing.golden index 3db78cce99088..f6d709769604f 100644 --- a/cli/cmd/testdata/install_grafana_existing.golden +++ b/cli/cmd/testdata/install_grafana_existing.golden @@ -2988,6 +2988,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index aeec8e24ff940..cc967d3baa897 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -2788,6 +2788,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3220,6 +3221,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_helm_output.golden b/cli/cmd/testdata/install_helm_output.golden index 03625c68aec8b..5d53504e8bdce 100644 --- a/cli/cmd/testdata/install_helm_output.golden +++ b/cli/cmd/testdata/install_helm_output.golden @@ -1012,6 +1012,7 @@ data: workloadNamespaceLabel: linkerd.io/workload-ns image: name: ghcr.io/linkerd/grafana + tag: null partials: global: cliVersion: "" @@ -1097,6 +1098,15 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null + resources: + cpu: + limit: null + request: null + memory: + limit: null + request: null heartbeatResources: null heartbeatSchedule: 0 0 * * * identity: @@ -1125,6 +1135,8 @@ data: values: - disabled prometheus: + alertManagers: null + alertRelabelConfigs: null args: config.file: /etc/prometheus/prometheus.yml log.level: info 
@@ -1305,6 +1317,19 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null + remoteWrite: null + resources: + cpu: + limit: null + request: null + memory: + limit: null + request: null + ruleConfigMapMounts: null + scrapeConfigs: null + sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem @@ -3175,6 +3200,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3600,6 +3626,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_helm_output_addons.golden b/cli/cmd/testdata/install_helm_output_addons.golden index 641ed2729db45..d02b3009fa56c 100644 --- a/cli/cmd/testdata/install_helm_output_addons.golden +++ b/cli/cmd/testdata/install_helm_output_addons.golden @@ -1018,6 +1018,7 @@ data: workloadNamespaceLabel: linkerd.io/workload-ns image: name: ghcr.io/linkerd/grafana + tag: null partials: global: cliVersion: "" @@ -1103,6 +1104,15 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null + resources: + cpu: + limit: null + request: null + memory: + limit: null + request: null heartbeatResources: null heartbeatSchedule: 0 0 * * * identity: @@ -1131,6 +1141,8 @@ data: values: - disabled prometheus: + alertManagers: null + alertRelabelConfigs: null args: config.file: /etc/prometheus/prometheus.yml log.level: info 
@@ -1311,6 +1323,19 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null + remoteWrite: null + resources: + cpu: + limit: null + request: null + memory: + limit: null + request: null + ruleConfigMapMounts: null + scrapeConfigs: null + sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem @@ -1338,6 +1363,13 @@ data: tracing: collector: image: omnition/opencensus-collector:0.1.11 + resources: + cpu: + limit: null + request: null + memory: + limit: null + request: null enabled: true global: cliVersion: "" @@ -1425,6 +1457,13 @@ data: workloadNamespaceLabel: linkerd.io/workload-ns jaeger: image: jaegertracing/all-in-one:1.19.2 + resources: + cpu: + limit: null + request: null + memory: + limit: null + request: null partials: global: cliVersion: "" @@ -3355,6 +3394,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3780,6 +3820,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 @@ -4080,6 +4121,7 @@ spec: httpGet: path: / port: 13133 + resources: volumeMounts: - mountPath: /conf name: linkerd-collector-config-val @@ -4293,6 +4335,7 @@ spec: name: collection - containerPort: 16686 name: ui + resources: - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" diff --git a/cli/cmd/testdata/install_helm_output_ha.golden b/cli/cmd/testdata/install_helm_output_ha.golden index 09d07bafd81be..ac550c4f85679 100644 --- a/cli/cmd/testdata/install_helm_output_ha.golden +++ b/cli/cmd/testdata/install_helm_output_ha.golden @@ -1018,6 +1018,7 @@ data: workloadNamespaceLabel: linkerd.io/workload-ns image: name: ghcr.io/linkerd/grafana + tag: null partials: global: cliVersion: "" 
@@ -1103,6 +1104,8 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null resources: cpu: limit: "" @@ -1150,6 +1153,8 @@ data: values: - disabled prometheus: + alertManagers: null + alertRelabelConfigs: null args: config.file: /etc/prometheus/prometheus.yml log.level: info @@ -1330,6 +1335,9 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null + remoteWrite: null resources: cpu: limit: "" @@ -1337,6 +1345,9 @@ data: memory: limit: 8192Mi request: 300Mi + ruleConfigMapMounts: null + scrapeConfigs: null + sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index b919e5f8733ef..010331a76c34a 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -1026,6 +1026,7 @@ data: workloadNamespaceLabel: linkerd.io/workload-ns image: name: ghcr.io/linkerd/grafana + tag: null partials: global: cliVersion: "" @@ -1115,6 +1116,8 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null resources: cpu: limit: "" @@ -1162,6 +1165,8 @@ data: values: - disabled prometheus: + alertManagers: null + alertRelabelConfigs: null args: config.file: /etc/prometheus/prometheus.yml log.level: info @@ -1350,6 +1355,9 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null + remoteWrite: null resources: cpu: limit: "" 
@@ -1357,6 +1365,9 @@ data: memory: limit: 8192Mi request: 300Mi + ruleConfigMapMounts: null + scrapeConfigs: null + sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index 22ae2ffab5007..9aaf34445e26e 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden +++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -1018,6 +1018,7 @@ data: workloadNamespaceLabel: linkerd.io/workload-ns image: name: ghcr.io/linkerd/grafana + tag: null partials: global: cliVersion: "" @@ -1103,6 +1104,8 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null resources: cpu: limit: "" @@ -1150,6 +1153,8 @@ data: values: - enabled prometheus: + alertManagers: null + alertRelabelConfigs: null args: config.file: /etc/prometheus/prometheus.yml log.level: info @@ -1330,6 +1335,9 @@ data: proxyInjectAnnotation: linkerd.io/inject proxyInjectDisabled: disabled workloadNamespaceLabel: linkerd.io/workload-ns + proxy: + resources: null + remoteWrite: null resources: cpu: limit: "" @@ -1337,6 +1345,9 @@ data: memory: limit: 8192Mi request: 300Mi + ruleConfigMapMounts: null + scrapeConfigs: null + sideCarContainers: null proxyInjector: caBundle: test-proxy-injector-ca-bundle crtPEM: test-proxy-injector-crt-pem diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 03c478f0e8f7e..56791e3e51d6d 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -2608,6 +2608,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: 
@@ -3002,6 +3003,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index 9ab5c15b4c720..67d1bd146a8bb 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -2892,6 +2892,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3326,6 +3327,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_prometheus_overwrite.golden b/cli/cmd/testdata/install_prometheus_overwrite.golden index ce7791cc44ff5..f837f9de76b87 100644 --- a/cli/cmd/testdata/install_prometheus_overwrite.golden +++ b/cli/cmd/testdata/install_prometheus_overwrite.golden @@ -2934,6 +2934,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3411,6 +3412,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index f564c63ae3f8b..af95de5f13b77 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -2877,6 +2877,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3309,6 +3310,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_restricted_dashboard.golden b/cli/cmd/testdata/install_restricted_dashboard.golden index 5e397c6030add..8e047133d2a97 100644 --- a/cli/cmd/testdata/install_restricted_dashboard.golden 
+++ b/cli/cmd/testdata/install_restricted_dashboard.golden @@ -2809,6 +2809,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3241,6 +3242,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 diff --git a/cli/cmd/testdata/install_tracing.golden b/cli/cmd/testdata/install_tracing.golden index f67a406ef594b..a5bdf9379467e 100644 --- a/cli/cmd/testdata/install_tracing.golden +++ b/cli/cmd/testdata/install_tracing.golden @@ -2884,6 +2884,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3316,6 +3317,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 @@ -3623,6 +3625,7 @@ spec: httpGet: path: / port: 13133 + resources: volumeMounts: - mountPath: /conf name: linkerd-collector-config-val @@ -3847,6 +3850,7 @@ spec: name: collection - containerPort: 16686 name: ui + resources: - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" diff --git a/cli/cmd/testdata/install_tracing_overwrite.golden b/cli/cmd/testdata/install_tracing_overwrite.golden index dfa768fd7446c..594021c970e71 100644 --- a/cli/cmd/testdata/install_tracing_overwrite.golden +++ b/cli/cmd/testdata/install_tracing_overwrite.golden @@ -2886,6 +2886,7 @@ spec: httpGet: path: /api/health port: 3000 + resources: securityContext: runAsUser: 472 volumeMounts: @@ -3318,6 +3319,7 @@ spec: port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + resources: securityContext: runAsNonRoot: true runAsUser: 65534 @@ -3625,6 +3627,7 @@ spec: httpGet: path: / port: 13133 + resources: volumeMounts: - mountPath: /conf name: linkerd-collector-config-val @@ -3849,6 +3852,7 @@ spec: name: collection - containerPort: 16686 name: ui + resources: - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" 
diff --git a/jaeger/charts/jaeger/README.md b/jaeger/charts/jaeger/README.md new file mode 100644 index 0000000000000..c4f33b5b24cb5 --- /dev/null +++ b/jaeger/charts/jaeger/README.md 
@@ -0,0 +1,42 @@ +# jaeger + +A Helm chart for the jaeger add-on in Linkerd + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square) + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| file://../../../charts/partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| collector.image.name | string | `"omnition/opencensus-collector"` | | +| collector.image.pullPolicy | string | `"Always"` | | +| collector.image.version | string | `"0.1.11"` | | +| collectorSvcAccount | string | `"collector"` | | +| collectorSvcAddr | string | `"collector.linkerd-jaeger:55678"` | | +| jaeger.image.name | string | `"jaegertracing/all-in-one"` | | +| jaeger.image.pullPolicy | string | `"Always"` | | +| jaeger.image.version | string | `"1.19.2"` | | +| linkerdVersion | string | `"linkerdVersionValue"` | | +| namespace | string | `"linkerd-jaeger"` | | +| webhook.caBundle | string | `""` | if empty, Helm will auto-generate this field, unless externalSecret is set to true. | +| webhook.crtPEM | string | `""` | if empty, Helm will auto-generate these fields | +| webhook.externalSecret | bool | `false` | | +| webhook.failurePolicy | string | `"Ignore"` | | +| webhook.image.name | string | `"ghcr.io/linkerd/jaeger-webhook"` | | +| webhook.image.pullPolicy | string | `"IfNotPresent"` | | +| webhook.image.version | string | `"linkerdVersionValue"` | | +| webhook.keyPEM | string | `""` | | +| webhook.logLevel | string | `"info"` | | +| webhook.namespaceSelector | string | `nil` | | +| webhook.objectSelector | string | `nil` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) 
diff --git a/jaeger/charts/jaeger/README.md.gotmpl b/jaeger/charts/jaeger/README.md.gotmpl new file mode 100644 index 0000000000000..37f5101061b56 --- /dev/null +++ b/jaeger/charts/jaeger/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/jaeger/charts/jaeger/values.yaml b/jaeger/charts/jaeger/values.yaml index e3ef54ed00fdc..d9766081dcbac 100644 --- a/jaeger/charts/jaeger/values.yaml +++ b/jaeger/charts/jaeger/values.yaml @@ -22,12 +22,12 @@ linkerdVersion: &linkerd_version linkerdVersionValue webhook: externalSecret: false - # if empty, Helm will auto-generate these fields + # -- if empty, Helm will auto-generate these fields crtPEM: | keyPEM: | - # if empty, Helm will auto-generate this field, unless externalSecret is set to true. + # -- if empty, Helm will auto-generate this field, unless externalSecret is set to true. caBundle: | failurePolicy: Ignore
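Review bot: the annotation markers in the values hunk at `@@ -229,45 +296,68 @@` are inconsistent. The live keys (`crtPEM`, `keyPEM`, `caBundle`, `externalSecret`, `webImage`) use `# --`, but the commented-out resource keys use `# -|-`, then `#-|-` with no space above `#publicAPIProxyResources`, and `# -<-` above `#webResources`. If `-|-` is a deliberate way to stop helm-docs from attaching these comments to the next live key, use one spelling throughout and say so in a comment; `-<-` looks like a typo either way. The comment above `#publicAPIProxyResources` also ends with a stray "values #`global.proxy.resources`" fragment that repeats the reference already given in the parentheses, and the continuation lines (`#pod`, `#sub-fields)`, `#for sub-fields)`) drop the space after `#`.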
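Review bot: the documentation link added above `installNamespace` in the `@@ -276,15 +366,20 @@` hunk reads `https://linkerd.io/2/tasks/install-helmcustomizing-the-namespace`, which looks like a path and an anchor joined without their separator; please check it resolves before it is copied into the generated README. In the same hunk the new `nodeSelector` and `tolerations` comments drop the old wording that these settings apply to control-plane components, which is the part a reader of the values table needs, and `#tolerations` uses `# -|-` while `nodeSelector` uses `# --`. Suggest keeping "for control-plane components" in both descriptions and lower-casing "See" after the comma.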
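Review bot: every rendered-manifest golden under `cli/cmd/testdata/` now gains a bare `resources:` key with no value (before `securityContext:` in the `port: 3000` and `port: 9090` containers, before `volumeMounts:` in the collector, and after the `ui` port in the jaeger container), so the default install emits a null `resources` field on those containers. Nothing in the visible hunks explains why a docs-generation change alters rendered output; please confirm this is intended. If it is a side effect of the new null defaults, guard the key in the templates so it is omitted when no requests or limits are configured, which would leave these goldens unchanged and keep the diff limited to documentation.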
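Review bot: the stored values in the `install_helm_output*.golden` hunks now serialize unset fields as explicit nulls (`tag: null`, `alertManagers: null`, `remoteWrite: null`, `proxy: resources: null`, and `cpu.limit: null` / `memory.request: null` under `resources:`), while the HA goldens in the same patch keep `limit: ""` for the equivalent keys. Mixing `null` and `""` for "unset" means anything that reads these values back has to handle both; please pick one representation for the defaults, or note in the values comments which one is expected, and check that upgrade paths which compare stored values against new defaults do not treat the added nulls as a change.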
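Review bot: in the jaeger `values.yaml` hunk the comment `# -- if empty, Helm will auto-generate these fields` sits above `crtPEM` only, so helm-docs attaches it to that one key; the generated README in this patch confirms it, with `webhook.crtPEM` described as "these fields" and `webhook.keyPEM` left blank. Suggest one comment per key, in the style of the `tap.crtPEM` / `tap.keyPEM` / `tap.caBundle` comments elsewhere in this patch. `webhook.externalSecret` and `webhook.failurePolicy` also render with empty descriptions; since `externalSecret` decides whether `caBundle` must be supplied by the operator, and `failurePolicy` decides what happens when the webhook is unreachable, both deserve a `# --` line.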