# Linkerd2 Helm Chart
Linkerd is a service mesh, designed to give platform-wide observability, reliability, and security without requiring configuration or code changes.
Linkerd is a Cloud Native Computing Foundation (CNCF) project.
## Quickstart and documentation
You can run Linkerd on any Kubernetes 1.13+ cluster in a matter of seconds. See the Linkerd Getting Started Guide for how.
For more comprehensive documentation, start with the Linkerd docs.
## Prerequisite: identity certificates

The identity component of Linkerd requires setting up a trust anchor certificate, and an issuer certificate with its key. These need to be provided to Helm by the user (unlike when using the `linkerd install` CLI, which can generate these automatically). You can provide your own, or follow these instructions to generate new ones.

Note that the provided certificates must be ECDSA certificates.
## Adding Linkerd’s Helm repository

```bash
# To add the repo for Linkerd2 stable releases:
helm repo add linkerd https://helm.linkerd.io/stable

# To add the repo for Linkerd2 edge releases:
helm repo add linkerd-edge https://helm.linkerd.io/edge
```

The following instructions use the `linkerd` repo. For installing an edge release, just replace it with `linkerd-edge`.
## Installing the chart

You must provide the certificates and keys described in the preceding section, and the same expiration date you used to generate the issuer certificate.

In this example we set the expiration date to one year ahead:

```bash
# Helm 3 requires a release name as the first argument (for example
# `helm install linkerd2 ...`); Helm 2 generates one when it is omitted.
helm install \
  --set-file global.identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  --set identity.issuer.crtExpiry=$(date -d '+8760 hour' +"%Y-%m-%dT%H:%M:%SZ") \
  linkerd/linkerd2
```
## Setting High-Availability

Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` file that overrides some default values so as to set things up under a high-availability scenario, analogous to the `--ha` option in `linkerd install`. Values such as a higher number of replicas, higher memory/CPU limits and affinities are specified in that file.

You can get hold of `values-ha.yaml` by fetching the chart files:

```bash
helm fetch --untar linkerd/linkerd2
```

Then use the `-f` flag to provide the override file, for example:

```bash
helm install \
  --set-file global.identityTrustAnchorsPEM=ca.crt \
  --set-file identity.issuer.tls.crtPEM=issuer.crt \
  --set-file identity.issuer.tls.keyPEM=issuer.key \
  --set identity.issuer.crtExpiry=$(date -d '+8760 hour' +"%Y-%m-%dT%H:%M:%SZ") \
  -f linkerd2/values-ha.yaml \
  linkerd/linkerd2
```
## Configuration

The following table lists the configurable parameters of the Linkerd2 chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| `controllerImage` | Docker image for the controller, tap and identity components | `ghcr.io/linkerd/controller` |
| `controllerReplicas` | Number of replicas for each control plane pod | `1` |
| `controllerUID` | User ID for the control plane components | `2103` |
| `dashboard.replicas` | Number of replicas of the dashboard | `1` |
| `debugContainer.image.name` | Docker image for the debug container | `ghcr.io/linkerd/debug` |
| `debugContainer.image.pullPolicy` | Pull policy for the debug container Docker image | `IfNotPresent` |
| `debugContainer.image.version` | Tag for the debug container Docker image | latest version |
| `destinationResources` | CPU and memory resources required by destination (see `global.proxy.resources` for sub-fields) | |
| `destinationProxyResources` | CPU and memory resources required by the proxy injected into the destination pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `disableHeartBeat` | Set to `true` to not start the heartbeat cronjob | `false` |
| `enableH2Upgrade` | Allow proxies to perform transparent HTTP/2 upgrading | `true` |
| `global.clusterDomain` | Kubernetes DNS domain name to use | `cluster.local` |
| `global.clusterNetworks` | The networks that may include pods & services in this cluster | `10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16` |
| `global.cniEnabled` | Omit the `NET_ADMIN` capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed | `false` |
| `global.controllerComponentLabel` | Control plane label. Do not edit | `linkerd.io/control-plane-component` |
| `global.controllerImageVersion` | Tag for the controller container Docker image | latest version |
| `global.controllerLogLevel` | Log level for the control plane components | `info` |
| `global.controllerNamespaceLabel` | Control plane label. Do not edit | `linkerd.io/control-plane-ns` |
| `global.grafanaUrl` | URL of an external Grafana instance configured with a reverse proxy, used by the dashboard | |
| `global.podLabels` | Additional labels to add to all pods | `{}` |
| `global.podAnnotations` | Additional annotations to add to all pods | `{}` |
| `global.createdByAnnotation` | Annotation label recording what created the proxy. Do not edit. | `linkerd.io/created-by` |
| `global.identityTrustAnchorsPEM` | Trust root certificate (ECDSA). It must be provided during install. | |
| `global.identityTrustDomain` | Trust domain used for identity | `cluster.local` |
| `global.imagePullPolicy` | Docker image pull policy | `IfNotPresent` |
| `global.linkerdNamespaceLabel` | Control plane label. Do not edit | `linkerd.io/is-control-plane` |
| `global.linkerdVersion` | Control plane version | latest version |
| `global.namespace` | Control plane namespace | `linkerd` |
| `global.prometheusUrl` | URL of an external Prometheus instance to perform queries against, used by the public-api | |
| `global.proxy.cores` | The number of proxy threads to be allocated for each proxy. Must be a whole number, and should be kept in sync with `global.proxy.resources.cpu.limit`, if set. | |
| `global.proxy.enableExternalProfiles` | Enable service profiles for non-Kubernetes services | `false` |
| `global.proxy.image.name` | Docker image for the proxy | `ghcr.io/linkerd/proxy` |
| `global.proxy.image.pullPolicy` | Pull policy for the proxy container Docker image | `IfNotPresent` |
| `global.proxy.image.version` | Tag for the proxy container Docker image | latest version |
| `global.proxy.logLevel` | Log level for the proxy | `warn,linkerd=info` |
| `global.proxy.logFormat` | Log format (`plain` or `json`) for the proxy | `plain` |
| `global.proxy.ports.admin` | Admin port for the proxy container | `4191` |
| `global.proxy.ports.control` | Control port for the proxy container | `4190` |
| `global.proxy.ports.inbound` | Inbound port for the proxy container | `4143` |
| `global.proxy.ports.outbound` | Outbound port for the proxy container | `4140` |
| `global.proxy.resources.cpu.limit` | Maximum amount of CPU units that the proxy can use | |
| `global.proxy.resources.cpu.request` | Amount of CPU units that the proxy requests | |
| `global.proxy.resources.memory.limit` | Maximum amount of memory that the proxy can use | |
| `global.proxy.resources.memory.request` | Amount of memory that the proxy requests | |
| `global.proxy.trace.collectorSvcAccount` | Service account associated with the trace collector instance | `default` |
| `global.proxy.trace.collectorSvcAddr` | Collector service address to which the proxies send trace data | |
| `global.proxy.uid` | User ID under which the proxy runs | `2102` |
| `global.proxy.waitBeforeExitSeconds` | The proxy sidecar will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes, but no longer than the pod’s `terminationGracePeriodSeconds`. | `0` |
| `global.proxy.outboundConnectTimeout` | Maximum time allowed for the proxy to establish an outbound TCP connection | `1000ms` |
| `global.proxy.inboundConnectTimeout` | Maximum time allowed for the proxy to establish an inbound TCP connection | `100ms` |
| `global.proxyInit.ignoreInboundPorts` | Inbound ports the proxy should ignore | `25,443,587,3306,11211` |
| `global.proxyInit.ignoreOutboundPorts` | Outbound ports the proxy should ignore | `25,443,587,3306,11211` |
| `global.proxyInit.image.name` | Docker image for the proxy-init container | `ghcr.io/linkerd/proxy-init` |
| `global.proxyInit.image.pullPolicy` | Pull policy for the proxy-init container Docker image | `IfNotPresent` |
| `global.proxyInit.image.version` | Tag for the proxy-init container Docker image | latest version |
| `global.proxyInit.resources.cpu.limit` | Maximum amount of CPU units that the proxy-init container can use | `100m` |
| `global.proxyInit.resources.cpu.request` | Amount of CPU units that the proxy-init container requests | `10m` |
| `global.proxyInit.resources.memory.limit` | Maximum amount of memory that the proxy-init container can use | `50Mi` |
| `global.proxyInit.resources.memory.request` | Amount of memory that the proxy-init container requests | `10Mi` |
| `global.proxyInjectAnnotation` | Annotation label to signal injection. Do not edit. | `linkerd.io/inject` |
| `global.proxyInjectDisabled` | Annotation value to disable injection. Do not edit. | `disabled` |
| `heartbeatSchedule` | Config for the heartbeat cronjob | `0 0 * * *` |
| `identity.issuer.clockSkewAllowance` | Amount of time to allow for clock skew within a Linkerd cluster | `20s` |
| `identity.issuer.crtExpiry` | Expiration timestamp for the issuer certificate. It must be provided during install | |
| `identity.issuer.crtExpiryAnnotation` | Annotation used to identify the issuer certificate expiration timestamp. Do not edit. | `linkerd.io/identity-issuer-expiry` |
| `identity.issuer.issuanceLifetime` | Amount of time for which the identity issuer should certify identity | `24h0m0s` |
| `identity.issuer.scheme` | Which scheme is used for the identity issuer secret format | `linkerd.io/tls` |
| `identity.issuer.tls.crtPEM` | Issuer certificate (ECDSA). It must be provided during install. | |
| `identity.issuer.tls.keyPEM` | Key for the issuer certificate (ECDSA). It must be provided during install. | |
| `identityResources` | CPU and memory resources required by the identity controller (see `global.proxy.resources` for sub-fields) | |
| `identityProxyResources` | CPU and memory resources required by the proxy injected into the identity pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `installNamespace` | Set to `false` when installing Linkerd in a custom namespace. See the Linkerd documentation for more information. | `true` |
| `omitWebhookSideEffects` | Omit the `sideEffects` flag in the webhook manifests | `false` |
| `proxyInjector.externalSecret` | Do not create a secret resource for the proxy injector webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set (see below). | `false` |
| `proxyInjector.namespaceSelector` | Namespace selector used by the admission webhook. If not set, defaults to all namespaces without the annotation `config.linkerd.io/admission-webhooks=disabled` | |
| `proxyInjector.crtPEM` | Certificate for the proxy injector. If not provided then Helm will generate one. | |
| `proxyInjector.keyPEM` | Certificate key for the proxy injector. If not provided then Helm will generate one. | |
| `proxyInjector.caBundle` | Bundle of CA certificates for the proxy injector. If not provided then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to `true`, this value must be set, as no certificate will be generated. | |
| `proxyInjectorResources` | CPU and memory resources required by the proxy injector (see `global.proxy.resources` for sub-fields) | |
| `proxyInjectorProxyResources` | CPU and memory resources required by the proxy injected into the proxy injector pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `profileValidator.externalSecret` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `profileValidator.caBundle` must be set (see below). | `false` |
| `profileValidator.namespaceSelector` | Namespace selector used by the admission webhook. If not set, defaults to all namespaces without the annotation `config.linkerd.io/admission-webhooks=disabled` | |
| `profileValidator.crtPEM` | Certificate for the service profile validator. If not provided then Helm will generate one. | |
| `profileValidator.keyPEM` | Certificate key for the service profile validator. If not provided then Helm will generate one. | |
| `profileValidator.caBundle` | Bundle of CA certificates for the service profile validator. If not provided then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to `true`, this value must be set, as no certificate will be generated. | |
| `publicAPIResources` | CPU and memory resources required by the controller's public API (see `global.proxy.resources` for sub-fields) | |
| `publicAPIProxyResources` | CPU and memory resources required by the proxy injected into the controller's public API pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `spValidatorResources` | CPU and memory resources required by the SP validator (see `global.proxy.resources` for sub-fields) | |
| `spValidatorProxyResources` | CPU and memory resources required by the proxy injected into the SP validator pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `tap.externalSecret` | Do not create a secret resource for the Tap component. If this is set to `true`, the value `tap.caBundle` must be set (see below). | `false` |
| `tap.crtPEM` | Certificate for the Tap component. If not provided then Helm will generate one. | |
| `tap.keyPEM` | Certificate key for the Tap component. If not provided then Helm will generate one. | |
| `tap.caBundle` | Bundle of CA certificates for the Tap component. If not provided then Helm will use the certificate generated for `tap.crtPEM`. If `tap.externalSecret` is set to `true`, this value must be set, as no certificate will be generated. | |
| `tapResources` | CPU and memory resources required by tap (see `global.proxy.resources` for sub-fields) | |
| `tapProxyResources` | CPU and memory resources required by the proxy injected into the tap pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `webhookFailurePolicy` | Failure policy for the proxy injector | `Ignore` |
| `webImage` | Docker image for the web container | `ghcr.io/linkerd/web` |
| `webResources` | CPU and memory resources required by the web UI (see `global.proxy.resources` for sub-fields) | |
| `webProxyResources` | CPU and memory resources required by the proxy injected into the web UI pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `enforcedHostRegexp` | Host header validation regex for the dashboard. See the Linkerd documentation for more information | `""` |
| `nodeSelector` | NodeSelector section; see the Kubernetes documentation for more information | `beta.kubernetes.io/os: linux` |
| `tolerations` | Tolerations section; see the Kubernetes documentation for more information | |
## Add-Ons Configuration

### Grafana Add-On

The following table lists the configurable parameters for the Grafana Add-On.

| Parameter | Description | Default |
|---|---|---|
| `grafana.enabled` | Flag to enable a Grafana instance to be installed | `true` |
| `grafana.image.name` | Docker image name for the Grafana instance | `ghcr.io/linkerd/grafana` |
| `grafana.image.tag` | Docker image tag for the Grafana instance | latest version |
| `grafana.resources.cpu.limit` | Maximum amount of CPU units that the Grafana container can use | |
| `grafana.resources.cpu.request` | Amount of CPU units that the Grafana container requests | |
| `grafana.resources.memory.limit` | Maximum amount of memory that the Grafana container can use | |
| `grafana.resources.memory.request` | Amount of memory that the Grafana container requests | |
| `grafana.proxy.resources` | Structure analogous to the resources fields above, but overriding the resources of the Linkerd proxy injected into the Grafana pod. | values in `global.proxy.resources` of the linkerd2 chart |
### Prometheus Add-On

The following table lists the configurable parameters for the Prometheus Add-On.

| Parameter | Description | Default |
|---|---|---|
| `prometheus.enabled` | Flag to enable a Prometheus instance to be installed | `true` |
| `prometheus.alert_relabel_configs` | Alert relabeling is applied to alerts before they are sent to the Alertmanager. | `[]` |
| `prometheus.alertManagers` | Alertmanager instances the Prometheus server sends alerts to, configured via the `static_configs` parameter. | `[]` |
| `prometheus.args` | Command line options for the Prometheus binary | `storage.tsdb.path: /data`, `storage.tsdb.retention.time: 6h`, `config.file: /etc/prometheus/prometheus.yml`, `log.level: info` |
| `prometheus.globalConfig` | The global configuration specifies parameters that are valid in all other configuration contexts. | `scrape_interval: 10s`, `scrape_timeout: 10s`, `evaluation_interval: 10s` |
| `prometheus.image` | Docker image for the Prometheus instance | `prom/prometheus:v2.19.3` |
| `prometheus.proxy.resources` | CPU and memory resources required by the proxy injected into the Prometheus pod (see `global.proxy.resources` for sub-fields) | values in `global.proxy.resources` |
| `prometheus.persistence.storageClass` | Storage class used to create the Prometheus data PV. | `nil` |
| `prometheus.persistence.accessMode` | PVC access mode. | `ReadWriteOnce` |
| `prometheus.persistence.size` | Prometheus data volume size. | `8Gi` |
| `prometheus.remoteWrite` | Allows transparently sending samples to an endpoint. Mostly used for long-term storage. | |
| `prometheus.resources.cpu.limit` | Maximum amount of CPU units that the Prometheus container can use | |
| `prometheus.resources.cpu.request` | Amount of CPU units that the Prometheus container requests | |
| `prometheus.resources.memory.limit` | Maximum amount of memory that the Prometheus container can use | |
| `prometheus.resources.memory.request` | Amount of memory that the Prometheus container requests | |
| `prometheus.ruleConfigMapMounts` | Alerting/recording rule ConfigMap mounts (sub-path names must end in `_rules.yml` or `_rules.yaml`) | `[]` |
| `prometheus.scrapeConfigs` | A `scrape_config` section specifies a set of targets and parameters describing how to scrape them. | `[]` |
| `prometheus.sidecarContainers` | A `sidecarContainers` section specifies a list of secondary containers to run in the Prometheus pod, e.g. to export data to non-Prometheus systems | `[]` |

Most of the above parameters map directly onto the official Prometheus configuration.
### Tracing Add-On

The following table lists the configurable parameters for the Tracing Add-On.

| Parameter | Description | Default |
|---|---|---|
| `tracing.enabled` | Flag to enable tracing components to be installed | `false` |
| `tracing.collector.image` | Docker image for the trace collector | `omnition/opencensus-collector:0.1.10` |
| `tracing.collector.resources.cpu.limit` | Maximum amount of CPU units that the trace collector container can use | |
| `tracing.collector.resources.cpu.request` | Amount of CPU units that the trace collector container requests | |
| `tracing.collector.resources.memory.limit` | Maximum amount of memory that the trace collector container can use | |
| `tracing.collector.resources.memory.request` | Amount of memory that the trace collector container requests | |
| `tracing.jaeger.image` | Docker image for the Jaeger instance | `jaegertracing/all-in-one:1.19.2` |
| `tracing.jaeger.resources.cpu.limit` | Maximum amount of CPU units that the Jaeger container can use | |
| `tracing.jaeger.resources.cpu.request` | Amount of CPU units that the Jaeger container requests | |
| `tracing.jaeger.resources.memory.limit` | Maximum amount of memory that the Jaeger container can use | |
| `tracing.jaeger.resources.memory.request` | Amount of memory that the Jaeger container requests | |
## Get involved

- Check out Linkerd’s source code at GitHub.
- Join Linkerd’s user mailing list, developer mailing list, and announcements mailing list.
- Follow @linkerd on Twitter.
- Join the Linkerd Slack.