Skip to content

Instantly share code, notes, and snippets.

@dwilliams782

dwilliams782/control-plane-values

Created September 12, 2022 14:43
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save dwilliams782/2f9fe60f98e498c95abe049b632e4fb0 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save dwilliams782/2f9fe60f98e498c95abe049b632e4fb0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
control-plane-values
values:
identity:
externalCA: true
issuer:
scheme: kubernetes.io/tls
proxyInit:
iptablesMode: "legacy"
runAsRoot: true
policyValidator:
externalSecret: true
injectCaFrom: linkerd/linkerd-policy-validator
proxyInjector:
externalSecret: true
injectCaFrom: linkerd/linkerd-proxy-injector
profileValidator:
externalSecret: true
injectCaFrom: linkerd/linkerd-sp-validator
Raw
linkerd-control-plane-cert-bundle.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-self-signed-issuer
namespace: cert-manager
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-trust-anchor
namespace: cert-manager
spec:
isCA: true
duration: 87660h # 10 years
renewBefore: 360h # 15 days
commonName: root.linkerd.cluster.local
secretName: linkerd-identity-trust-roots
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: linkerd-self-signed-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-trust-anchor
namespace: cert-manager
spec:
ca:
secretName: linkerd-identity-trust-roots
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-identity-issuer
namespace: linkerd
spec:
secretName: linkerd-identity-issuer
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-trust-anchor
kind: ClusterIssuer
commonName: identity.linkerd.cluster.local
dnsNames:
- identity.linkerd.cluster.local
isCA: true
privateKey:
algorithm: ECDSA
usages:
- cert sign
- crl sign
- server auth
- client auth
---
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: linkerd-identity-trust-roots
spec:
sources:
- secret:
name: "linkerd-identity-trust-roots"
key: "ca.crt"
target:
configMap:
key: "ca-bundle.crt"
Raw
linkerd-webhook-cert-bundle.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-self-signed-webhook-issuer
namespace: cert-manager
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-webhook-issuer-ca
namespace: cert-manager
spec:
isCA: true
duration: 87660h # 10 years
renewBefore: 360h # 15 days
commonName: webhook.linkerd.cluster.local
secretName: linkerd-webhook-issuer-tls
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: linkerd-self-signed-webhook-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-webhook-issuer
namespace: cert-manager
spec:
ca:
secretName: linkerd-webhook-issuer-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-policy-validator
namespace: linkerd
spec:
secretName: linkerd-policy-validator-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: linkerd-policy-validator.linkerd.svc
dnsNames:
- linkerd-policy-validator.linkerd.svc
isCA: false
privateKey:
algorithm: ECDSA
encoding: PKCS8
usages:
- server auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-proxy-injector
namespace: linkerd
spec:
secretName: linkerd-proxy-injector-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: linkerd-proxy-injector.linkerd.svc
dnsNames:
- linkerd-proxy-injector.linkerd.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-sp-validator
namespace: linkerd
spec:
secretName: linkerd-sp-validator-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: linkerd-sp-validator.linkerd.svc
dnsNames:
- linkerd-sp-validator.linkerd.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
---
# ignore if not using the viz extension
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: tap
namespace: linkerd-viz
spec:
secretName: tap-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: tap.linkerd-viz.svc
dnsNames:
- tap.linkerd-viz.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
---
# ignore if not using the viz extension
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-tap-injector
namespace: linkerd-viz
spec:
secretName: tap-injector-k8s-tls
duration: 8766h # 1 year
renewBefore: 720h # 30 days
issuerRef:
name: linkerd-webhook-issuer
kind: ClusterIssuer
commonName: tap-injector.linkerd-viz.svc
dnsNames:
- tap-injector.linkerd-viz.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
#---
# ignore if not using the jaeger extension
#apiVersion: cert-manager.io/v1
#kind: Certificate
#metadata:
# name: jaeger-injector
# namespace: linkerd-jaeger
#spec:
# secretName: jaeger-injector-k8s-tls
# duration: 24h
# renewBefore: 1h
# issuerRef:
# name: linkerd-webhook-issuer
# kind: ClusterIssuer
# commonName: jaeger-injector.linkerd-jaeger.svc
# dnsNames:
# - jaeger-injector.linkerd-jaeger.svc
# isCA: false
# privateKey:
# algorithm: ECDSA
# usages:
# - server auth
Raw
viz-values
tap:
externalSecret: true
injectCaFrom: linkerd-viz/tap
# Copied from HA
replicas: 3
resources: *ha_resources
tapInjector:
externalSecret: true
injectCaFrom: linkerd-viz/linkerd-tap-injector
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment