buoyant.io

BEL configuration reference

Use these values to configure BEL during installation and upgrade.

linkerd install --crds --set=key=value

Learn more about using these flags.

Chart name
linkerd-enterprise-crds

manageExternalWorkloads

TypeDefault
boolfalse

linkerd-crds.enableHttpRoutes

TypeDefault
booltrue
linkerd install --set=key=value

Learn more about using these flags.

Chart name
linkerd-enterprise-control-plane

license

Buoyant Enterprise for Linkerd license. Obtain at https://enterprise.buoyant.io. Exactly one of license or licenseSecret must be set.

TypeDefault
stringnil

licenseSecret

Name of the secret containing the Buoyant Enterprise for Linkerd license, at key license. Exactly one of license or licenseSecret must be set.

TypeDefault
stringnil

linkerd-control-plane.controllerImage

TypeDefault
string"ghcr.io/buoyantio/controller"

linkerd-control-plane.debugContainer.image.version

TypeDefault
string"edge-24.8.2"

linkerd-control-plane.linkerdVersion

TypeDefault
string"enterprise-2.16.0"

linkerd-control-plane.policyController.image.name

TypeDefault
string"ghcr.io/buoyantio/policy-controller"

linkerd-control-plane.proxy.image.name

TypeDefault
string"ghcr.io/buoyantio/proxy"

linkerd-control-plane.proxyInit.image.name

TypeDefault
string"ghcr.io/buoyantio/proxy-init"

linkerd-control-plane.proxyInit.image.version

TypeDefault
string"enterprise-2.16.0"

manageExternalWorkloads

TypeDefault
boolfalse

linkerd-control-plane.clusterDomain

Kubernetes DNS Domain name to use

TypeDefault
string"cluster.local"

linkerd-control-plane.clusterNetworks

The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments.

TypeDefault
string"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"

linkerd-control-plane.cniEnabled

enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed

TypeDefault
boolfalse

linkerd-control-plane.commonLabels

Labels to apply to all resources

TypeDefault
object{}

linkerd-control-plane.controlPlaneTracing

enables control plane tracing

TypeDefault
boolfalse

linkerd-control-plane.controlPlaneTracingNamespace

namespace to send control plane traces to

TypeDefault
string"linkerd-jaeger"

linkerd-control-plane.controller.podDisruptionBudget

sets pod disruption budget parameter for all deployments

TypeDefault
object{"maxUnavailable":1}

linkerd-control-plane.controller.podDisruptionBudget.maxUnavailable

Maximum number of pods that can be unavailable during disruption

TypeDefault
int1

linkerd-control-plane.controllerGID

Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0)

TypeDefault
int-1

linkerd-control-plane.controllerImage

Docker image for the destination and identity components

TypeDefault
string"cr.l5d.io/linkerd/controller"

linkerd-control-plane.controllerImageVersion

Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage.

TypeDefault
string""

linkerd-control-plane.controllerLogFormat

Log format for the control plane components

TypeDefault
string"plain"

linkerd-control-plane.controllerLogLevel

Log level for the control plane components

TypeDefault
string"info"

linkerd-control-plane.controllerReplicas

Number of replicas for each control plane pod

TypeDefault
int1

linkerd-control-plane.controllerUID

User ID for the control plane components

TypeDefault
int2103

linkerd-control-plane.debugContainer.image.name

Docker image for the debug container

TypeDefault
string"cr.l5d.io/linkerd/debug"

linkerd-control-plane.debugContainer.image.pullPolicy

Pull policy for the debug container image

TypeDefault
stringimagePullPolicy

linkerd-control-plane.debugContainer.image.version

Tag for the debug container image

TypeDefault
stringlinkerdVersion

linkerd-control-plane.deploymentStrategy

default kubernetes deployment strategy

TypeDefault
object{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}

linkerd-control-plane.destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds

TypeDefault
int10

linkerd-control-plane.destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds

TypeDefault
int3

linkerd-control-plane.destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle

TypeDefault
booltrue

linkerd-control-plane.disableHeartBeat

Set to true to not start the heartbeat cronjob

TypeDefault
boolfalse

linkerd-control-plane.disableIPv6

disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0)

TypeDefault
booltrue

linkerd-control-plane.enableEndpointSlices

enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on

TypeDefault
booltrue

linkerd-control-plane.enableH2Upgrade

Allow proxies to perform transparent HTTP/2 upgrading

TypeDefault
booltrue

linkerd-control-plane.enablePSP

Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21

TypeDefault
boolfalse

linkerd-control-plane.enablePodAntiAffinity

enables pod anti affinity creation on deployments for high availability

TypeDefault
boolfalse

linkerd-control-plane.enablePodDisruptionBudget

enables the creation of pod disruption budgets for control plane components

TypeDefault
boolfalse

linkerd-control-plane.enablePprof

enables the use of pprof endpoints on control plane component’s admin servers

TypeDefault
boolfalse

linkerd-control-plane.identity.externalCA

If the linkerd-identity-trust-roots ConfigMap has already been created

TypeDefault
boolfalse

linkerd-control-plane.identity.issuer.clockSkewAllowance

Amount of time to allow for clock skew within a Linkerd cluster

TypeDefault
string"20s"

linkerd-control-plane.identity.issuer.issuanceLifetime

Amount of time for which the Identity issuer should certify identity

TypeDefault
string"24h0m0s"

linkerd-control-plane.identity.issuer.scheme

TypeDefault
string"linkerd.io/tls"

linkerd-control-plane.identity.issuer.tls

Which scheme is used for the identity issuer secret format

TypeDefault
object{"crtPEM":"","keyPEM":""}

linkerd-control-plane.identity.issuer.tls.crtPEM

Issuer certificate (ECDSA). It must be provided during install.

TypeDefault
string""

linkerd-control-plane.identity.issuer.tls.keyPEM

Key for the issuer certificate (ECDSA). It must be provided during install

TypeDefault
string""

linkerd-control-plane.identity.kubeAPI.clientBurst

Burst value over clientQPS

TypeDefault
int200

linkerd-control-plane.identity.kubeAPI.clientQPS

Maximum QPS sent to the kube-apiserver before throttling. See token bucket rate limiter implementation

TypeDefault
int100

linkerd-control-plane.identity.serviceAccountTokenProjection

Use Service Account token Volume projection for pod validation instead of the default token

TypeDefault
booltrue

linkerd-control-plane.identityTrustAnchorsPEM

Trust root certificate (ECDSA). It must be provided during install.

TypeDefault
string""

linkerd-control-plane.identityTrustDomain

Trust domain used for identity

TypeDefault
stringclusterDomain

linkerd-control-plane.imagePullPolicy

Docker image pull policy

TypeDefault
string"IfNotPresent"

linkerd-control-plane.imagePullSecrets

For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts

TypeDefault
list[]

linkerd-control-plane.kubeAPI.clientBurst

Burst value over clientQPS

TypeDefault
int200

linkerd-control-plane.kubeAPI.clientQPS

Maximum QPS sent to the kube-apiserver before throttling. See token bucket rate limiter implementation

TypeDefault
int100

linkerd-control-plane.linkerdVersion

control plane version. See Proxy section for proxy version

TypeDefault
string"linkerdVersionValue"

linkerd-control-plane.networkValidator.connectAddr

Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively.

TypeDefault
string""

linkerd-control-plane.networkValidator.enableSecurityContext

Include a securityContext in the network-validator pod spec

TypeDefault
booltrue

linkerd-control-plane.networkValidator.listenAddr

Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively.

TypeDefault
string""

linkerd-control-plane.networkValidator.logFormat

Log format (plain or json) for network-validator

TypeDefault
stringplain

linkerd-control-plane.networkValidator.logLevel

Log level for the network-validator

TypeDefault
stringdebug

linkerd-control-plane.networkValidator.timeout

Timeout before network-validator fails to validate the pod’s network connectivity

TypeDefault
string"10s"

linkerd-control-plane.nodeSelector

NodeSelector section, See the K8S documentation for more information

TypeDefault
object{"kubernetes.io/os":"linux"}

linkerd-control-plane.podAnnotations

Additional annotations to add to all pods

TypeDefault
object{}

linkerd-control-plane.podLabels

Additional labels to add to all pods

TypeDefault
object{}

linkerd-control-plane.podMonitor.controller.enabled

Enables the creation of PodMonitor for the control-plane

TypeDefault
booltrue

linkerd-control-plane.podMonitor.controller.namespaceSelector

Selector to select which namespaces the Endpoints objects are discovered from

TypeDefault
string"matchNames: - {{ .Release.Namespace }} - linkerd-viz - linkerd-jaeger "

linkerd-control-plane.podMonitor.enabled

Enables the creation of Prometheus Operator PodMonitor

TypeDefault
boolfalse

linkerd-control-plane.podMonitor.labels

Labels to apply to all pod Monitors

TypeDefault
object{}

linkerd-control-plane.podMonitor.proxy.enabled

Enables the creation of PodMonitor for the data-plane

TypeDefault
booltrue

linkerd-control-plane.podMonitor.scrapeInterval

Interval at which metrics should be scraped

TypeDefault
string"10s"

linkerd-control-plane.podMonitor.scrapeTimeout

Iimeout after which the scrape is ended

TypeDefault
string"10s"

linkerd-control-plane.podMonitor.serviceMirror.enabled

Enables the creation of PodMonitor for the Service Mirror component

TypeDefault
booltrue

linkerd-control-plane.policyController.image.name

Docker image for the policy controller

TypeDefault
string"cr.l5d.io/linkerd/policy-controller"

linkerd-control-plane.policyController.image.pullPolicy

Pull policy for the policy controller container image

TypeDefault
stringimagePullPolicy

linkerd-control-plane.policyController.image.version

Tag for the policy controller container image

TypeDefault
stringlinkerdVersion

linkerd-control-plane.policyController.logLevel

Log level for the policy controller

TypeDefault
string"info"

linkerd-control-plane.policyController.probeNetworks

The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized.

TypeDefault
list["0.0.0.0/0","::/0"]

linkerd-control-plane.policyController.resources

policy controller resource requests & limits

TypeDefault
object{"cpu":{"limit":"","request":""},"ephemeral-storage":{"limit":"","request":""},"memory":{"limit":"","request":""}}

linkerd-control-plane.policyController.resources.cpu.limit

Maximum amount of CPU units that the policy controller can use

TypeDefault
string""

linkerd-control-plane.policyController.resources.cpu.request

Amount of CPU units that the policy controller requests

TypeDefault
string""

linkerd-control-plane.policyController.resources.ephemeral-storage.limit

Maximum amount of ephemeral storage that the policy controller can use

TypeDefault
string""

linkerd-control-plane.policyController.resources.ephemeral-storage.request

Amount of ephemeral storage that the policy controller requests

TypeDefault
string""

linkerd-control-plane.policyController.resources.memory.limit

Maximum amount of memory that the policy controller can use

TypeDefault
string""

linkerd-control-plane.policyController.resources.memory.request

Maximum amount of memory that the policy controller requests

TypeDefault
string""

linkerd-control-plane.policyValidator.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for policyValidator.crtPEM. If policyValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.policyValidator.crtPEM

Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one.

TypeDefault
string""

linkerd-control-plane.policyValidator.externalSecret

Do not create a secret resource for the policyValidator webhook. If this is set to true, the value policyValidator.caBundle must be set or the ca bundle must injected with cert-manager ca injector using policyValidator.injectCaFrom or policyValidator.injectCaFromSecret (see below).

TypeDefault
boolfalse

linkerd-control-plane.policyValidator.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.policyValidator.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.policyValidator.keyPEM

Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one.

TypeDefault
string""

linkerd-control-plane.policyValidator.namespaceSelector

Namespace selector used by admission webhook

TypeDefault
object{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}

linkerd-control-plane.priorityClassName

Kubernetes priorityClassName for the Linkerd Pods

TypeDefault
string""

linkerd-control-plane.profileValidator.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for profileValidator.crtPEM. If profileValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.profileValidator.crtPEM

Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one.

TypeDefault
string""

linkerd-control-plane.profileValidator.externalSecret

Do not create a secret resource for the profileValidator webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).

TypeDefault
boolfalse

linkerd-control-plane.profileValidator.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.profileValidator.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.profileValidator.keyPEM

Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one.

TypeDefault
string""

linkerd-control-plane.profileValidator.namespaceSelector

Namespace selector used by admission webhook

TypeDefault
object{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}

linkerd-control-plane.prometheusUrl

url of external prometheus instance (used for the heartbeat)

TypeDefault
string""

linkerd-control-plane.proxy.await

If set, the application container will not start until the proxy is ready

TypeDefault
booltrue

linkerd-control-plane.proxy.control.streams.idleTimeout

The timeout between consecutive updates from the control plane.

TypeDefault
string"5m"

linkerd-control-plane.proxy.control.streams.initialTimeout

The timeout for the first update from the control plane.

TypeDefault
string"3s"

linkerd-control-plane.proxy.control.streams.lifetime

The maximum duration for a response stream (i.e. before it will be reinitialized).

TypeDefault
string"1h"

linkerd-control-plane.proxy.cores

The cpu.limit and cores should be kept in sync. The value of cores must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is ‘1500m’, cores should be 2.

TypeDefault
int0

linkerd-control-plane.proxy.defaultInboundPolicy

The default allow policy to use when no Server selects a pod. One of: “all-authenticated”, “all-unauthenticated”, “cluster-authenticated”, “cluster-unauthenticated”, “deny”, “audit”

TypeDefault
string"all-unauthenticated"

linkerd-control-plane.proxy.disableInboundProtocolDetectTimeout

When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value

TypeDefault
boolfalse

linkerd-control-plane.proxy.disableOutboundProtocolDetectTimeout

When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value

TypeDefault
boolfalse

linkerd-control-plane.proxy.enableExternalProfiles

Enable service profiles for non-Kubernetes services

TypeDefault
boolfalse

linkerd-control-plane.proxy.enableShutdownEndpoint

Enables the proxy’s /shutdown admin endpoint

TypeDefault
boolfalse

linkerd-control-plane.proxy.gid

Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0)

TypeDefault
int-1

linkerd-control-plane.proxy.image.name

Docker image for the proxy

TypeDefault
string"cr.l5d.io/linkerd/proxy"

linkerd-control-plane.proxy.image.pullPolicy

Pull policy for the proxy container image

TypeDefault
stringimagePullPolicy

linkerd-control-plane.proxy.image.version

Tag for the proxy container image

TypeDefault
stringlinkerdVersion

linkerd-control-plane.proxy.inbound.server.http2.keepAliveInterval

The interval at which PINGs are issued to remote HTTP/2 clients.

TypeDefault
string"10s"

linkerd-control-plane.proxy.inbound.server.http2.keepAliveTimeout

The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections.

TypeDefault
string"3s"

linkerd-control-plane.proxy.inboundConnectTimeout

Maximum time allowed for the proxy to establish an inbound TCP connection

TypeDefault
string"100ms"

linkerd-control-plane.proxy.inboundDiscoveryCacheUnusedTimeout

Maximum time allowed before an unused inbound discovery result is evicted from the cache

TypeDefault
string"90s"

linkerd-control-plane.proxy.livenessProbe

LivenessProbe timeout and delay configuration

TypeDefault
object{"initialDelaySeconds":10,"timeoutSeconds":1}

linkerd-control-plane.proxy.logFormat

Log format (plain or json) for the proxy

TypeDefault
string"plain"

linkerd-control-plane.proxy.logHTTPHeaders

If set to off, will prevent the proxy from logging HTTP headers. If set to insecure, HTTP headers may be logged verbatim. Note that setting this to insecure is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug.

TypeDefault
`off` or `insecure`"off"

linkerd-control-plane.proxy.logLevel

Log level for the proxy

TypeDefault
string"warn,linkerd=info,hickory=error"

linkerd-control-plane.proxy.nativeSidecar

Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used.

TypeDefault
boolfalse

linkerd-control-plane.proxy.opaquePorts

Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection

TypeDefault
string"25,587,3306,4444,5432,6379,9300,11211"

linkerd-control-plane.proxy.outbound.server.http2.keepAliveInterval

The interval at which PINGs are issued to local application HTTP/2 clients.

TypeDefault
string"10s"

linkerd-control-plane.proxy.outbound.server.http2.keepAliveTimeout

The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections.

TypeDefault
string"3s"

linkerd-control-plane.proxy.outboundConnectTimeout

Maximum time allowed for the proxy to establish an outbound TCP connection

TypeDefault
string"1000ms"

linkerd-control-plane.proxy.outboundDiscoveryCacheUnusedTimeout

Maximum time allowed before an unused outbound discovery result is evicted from the cache

TypeDefault
string"5s"

linkerd-control-plane.proxy.ports.admin

Admin port for the proxy container

TypeDefault
int4191

linkerd-control-plane.proxy.ports.control

Control port for the proxy container

TypeDefault
int4190

linkerd-control-plane.proxy.ports.inbound

Inbound port for the proxy container

TypeDefault
int4143

linkerd-control-plane.proxy.ports.outbound

Outbound port for the proxy container

TypeDefault
int4140

linkerd-control-plane.proxy.readinessProbe

ReadinessProbe timeout and delay configuration

TypeDefault
object{"initialDelaySeconds":2,"timeoutSeconds":1}

linkerd-control-plane.proxy.requireIdentityOnInboundPorts

TypeDefault
string""

linkerd-control-plane.proxy.resources.cpu.limit

Maximum amount of CPU units that the proxy can use

TypeDefault
string""

linkerd-control-plane.proxy.resources.cpu.request

Amount of CPU units that the proxy requests

TypeDefault
string""

linkerd-control-plane.proxy.resources.ephemeral-storage.limit

Maximum amount of ephemeral storage that the proxy can use

TypeDefault
string""

linkerd-control-plane.proxy.resources.ephemeral-storage.request

Amount of ephemeral storage that the proxy requests

TypeDefault
string""

linkerd-control-plane.proxy.resources.memory.limit

Maximum amount of memory that the proxy can use

TypeDefault
string""

linkerd-control-plane.proxy.resources.memory.request

Maximum amount of memory that the proxy requests

TypeDefault
string""

linkerd-control-plane.proxy.shutdownGracePeriod

Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.

TypeDefault
string""

linkerd-control-plane.proxy.startupProbe.failureThreshold

TypeDefault
int120

linkerd-control-plane.proxy.startupProbe.initialDelaySeconds

TypeDefault
int0

linkerd-control-plane.proxy.startupProbe.periodSeconds

TypeDefault
int1

linkerd-control-plane.proxy.uid

User id under which the proxy runs

TypeDefault
int2102

linkerd-control-plane.proxy.waitBeforeExitSeconds

If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod’s terminationGracePeriodSeconds. See Lifecycle hooks for more info on container lifecycle hooks.

TypeDefault
int0

linkerd-control-plane.proxyInit.closeWaitTimeoutSecs

TypeDefault
int0

linkerd-control-plane.proxyInit.ignoreInboundPorts

Default set of inbound ports to skip via iptables - Galera (4567,4568)

TypeDefault
string"4567,4568"

linkerd-control-plane.proxyInit.ignoreOutboundPorts

Default set of outbound ports to skip via iptables - Galera (4567,4568)

TypeDefault
string"4567,4568"

linkerd-control-plane.proxyInit.image.name

Docker image for the proxy-init container

TypeDefault
string"cr.l5d.io/linkerd/proxy-init"

linkerd-control-plane.proxyInit.image.pullPolicy

Pull policy for the proxy-init container image

TypeDefault
stringimagePullPolicy

linkerd-control-plane.proxyInit.image.version

Tag for the proxy-init container image

TypeDefault
string"v2.4.1"

linkerd-control-plane.proxyInit.iptablesMode

Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in ’nft’ or in ’legacy’ mode. The mode will control which utility binary will be called. The host must support whichever mode will be used

TypeDefault
string"legacy"

linkerd-control-plane.proxyInit.kubeAPIServerPorts

Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server

TypeDefault
string"443,6443"

linkerd-control-plane.proxyInit.logFormat

Log format (plain or json) for the proxy-init

TypeDefault
stringplain

linkerd-control-plane.proxyInit.logLevel

Log level for the proxy-init

TypeDefault
stringinfo

linkerd-control-plane.proxyInit.privileged

Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with ‘runAsRoot: true’, the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host.

TypeDefault
boolfalse

linkerd-control-plane.proxyInit.runAsGroup

This value is used only if runAsRoot is false; otherwise runAsGroup will be 0

TypeDefault
int65534

linkerd-control-plane.proxyInit.runAsRoot

Allow overriding the runAsNonRoot behaviour (https://github.com/linkerd/linkerd2/issues/7308)

TypeDefault
boolfalse

linkerd-control-plane.proxyInit.runAsUser

This value is used only if runAsRoot is false; otherwise runAsUser will be 0

TypeDefault
int65534

linkerd-control-plane.proxyInit.skipSubnets

Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy

TypeDefault
string""

linkerd-control-plane.proxyInit.xtMountPath.mountPath

TypeDefault
string"/run"

linkerd-control-plane.proxyInit.xtMountPath.name

TypeDefault
string"linkerd-proxy-init-xtables-lock"

linkerd-control-plane.proxyInjector.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for proxyInjector.crtPEM. If proxyInjector.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.proxyInjector.crtPEM

Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one.

TypeDefault
string""

linkerd-control-plane.proxyInjector.externalSecret

Do not create a secret resource for the proxyInjector webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).

TypeDefault
boolfalse

linkerd-control-plane.proxyInjector.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.proxyInjector.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

TypeDefault
string""

linkerd-control-plane.proxyInjector.keyPEM

Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one.

TypeDefault
string""

linkerd-control-plane.proxyInjector.namespaceSelector

Namespace selector used by admission webhook.

TypeDefault
object{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}

linkerd-control-plane.proxyInjector.objectSelector

Object selector used by admission webhook.

TypeDefault
object{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}

linkerd-control-plane.proxyInjector.timeoutSeconds

Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used.

TypeDefault
int10

linkerd-control-plane.revisionHistoryLimit

Specifies the number of old ReplicaSets to retain to allow rollback.

TypeDefault
int10

linkerd-control-plane.runtimeClassName

Runtime Class Name for all the pods

TypeDefault
string""

linkerd-control-plane.webhookFailurePolicy

Failure policy for the proxy injector

TypeDefault
string"Ignore"
linkerd multicluster install --set=key=value

Learn more about using these flags.

Chart name
linkerd-enterprise-multicluster

linkerd-multicluster.linkerdVersion

TypeDefault
string"enterprise-2.16.0"

linkerd-multicluster.namespaceMetadata.image.registry

TypeDefault
string"ghcr.io/buoyantio"

linkerd-multicluster.namespaceMetadata.image.tag

TypeDefault
string"enterprise-2.16.0"

linkerd-multicluster.commonLabels

Labels to apply to all resources

TypeDefault
object{}

linkerd-multicluster.createNamespaceMetadataJob

Creates a Job that adds necessary metadata to the extension’s namespace during install; disable if lack of privileges require doing this manually

TypeDefault
booltrue

linkerd-multicluster.enablePSP

Create Roles and RoleBindings to associate this extension’s ServiceAccounts to the control plane PSP resource. This requires that enabledPSP is set to true on the control plane install. Note PSP has been deprecated since k8s v1.21

TypeDefault
boolfalse

linkerd-multicluster.enablePodAntiAffinity

Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components.

TypeDefault
boolfalse

linkerd-multicluster.gateway.GID

Group id under which the gateway shall be ran

TypeDefault
int2103

linkerd-multicluster.gateway.UID

User id under which the gateway shall be ran

TypeDefault
int2103

linkerd-multicluster.gateway.deploymentAnnotations

Annotations to add to the gateway deployment

TypeDefault
object{}

linkerd-multicluster.gateway.enabled

If the gateway component should be installed

TypeDefault
booltrue

linkerd-multicluster.gateway.loadBalancerClass

Set loadBalancerClass on gateway service

TypeDefault
string""

linkerd-multicluster.gateway.loadBalancerIP

Set loadBalancerIP on gateway service

TypeDefault
string""

linkerd-multicluster.gateway.loadBalancerSourceRanges

Set loadBalancerSourceRanges on gateway service

TypeDefault
list[]

linkerd-multicluster.gateway.name

The name of the gateway that will be installed

TypeDefault
string"linkerd-gateway"

linkerd-multicluster.gateway.nodeSelector

Node selectors for the gateway pod

TypeDefault
object{}

linkerd-multicluster.gateway.pauseImage

The pause container to use

TypeDefault
string"gcr.io/google_containers/pause:3.2"

linkerd-multicluster.gateway.port

The port on which all the gateway will accept incoming traffic

TypeDefault
int4143

linkerd-multicluster.gateway.probe.path

The path that will be used by remote clusters for determining whether the gateway is alive

TypeDefault
string"/ready"

linkerd-multicluster.gateway.probe.port

The port used for liveliness probing

TypeDefault
int4191

linkerd-multicluster.gateway.probe.seconds

The interval (in seconds) between liveness probes

TypeDefault
int3

linkerd-multicluster.gateway.replicas

Number of replicas for the gateway pod

TypeDefault
int1

linkerd-multicluster.gateway.serviceAnnotations

Annotations to add to the gateway service

TypeDefault
object{}

linkerd-multicluster.gateway.serviceType

Service Type of gateway Service

TypeDefault
string"LoadBalancer"

linkerd-multicluster.gateway.terminationGracePeriodSeconds

Set terminationGracePeriodSeconds on gateway deployment

TypeDefault
string""

linkerd-multicluster.gateway.tolerations

Tolerations for the gateway pod

TypeDefault
list[]

linkerd-multicluster.identityTrustDomain

Identity Trust Domain of the certificate authority

TypeDefault
string"cluster.local"

linkerd-multicluster.imagePullPolicy

Docker imagePullPolicy for all multicluster components

TypeDefault
string"IfNotPresent"

linkerd-multicluster.imagePullSecrets

For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts

TypeDefault
list[]

linkerd-multicluster.linkerdNamespace

Namespace of linkerd installation

TypeDefault
string"linkerd"

linkerd-multicluster.linkerdVersion

Control plane version

TypeDefault
string"linkerdVersionValue"

linkerd-multicluster.namespaceMetadata.image.name

Docker image name for the namespace-metadata instance

TypeDefault
string"extension-init"

linkerd-multicluster.namespaceMetadata.image.pullPolicy

Pull policy for the namespace-metadata instance

TypeDefault
stringimagePullPolicy

linkerd-multicluster.namespaceMetadata.image.registry

Docker registry for the namespace-metadata instance

TypeDefault
string"cr.l5d.io/linkerd"

linkerd-multicluster.namespaceMetadata.image.tag

Docker image tag for the namespace-metadata instance

TypeDefault
string"v0.1.1"

linkerd-multicluster.namespaceMetadata.nodeSelector

Node selectors for the namespace-metadata instance

TypeDefault
object{}

linkerd-multicluster.namespaceMetadata.tolerations

Tolerations for the namespace-metadata instance

TypeDefault
list[]

linkerd-multicluster.podLabels

Additional labels to add to all pods

TypeDefault
object{}

linkerd-multicluster.proxyOutboundPort

The port on which the proxy accepts outbound traffic

TypeDefault
int4140

linkerd-multicluster.remoteMirrorServiceAccount

If the remote mirror service account should be installed

TypeDefault
booltrue

linkerd-multicluster.remoteMirrorServiceAccountName

The name of the service account used to allow remote clusters to mirror local services

TypeDefault
string"linkerd-service-mirror-remote-access-default"

linkerd-multicluster.revisionHistoryLimit

Specifies the number of old ReplicaSets to retain to allow rollback.

TypeDefault
int10