wip: unify sys and apps

apps/templates/resources/pre-linkerd.yaml

@@ -0,0 +1,206 @@
+{{ if .Values.linkerd.enabled }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    linkerd.io/control-plane-ns: linkerd
+    linkerd.io/is-control-plane: 'true'
+    config.linkerd.io/admission-webhooks: disabled
+  annotations:
+    linkerd.io/inject: disabled
+    argocd.argoproj.io/sync-wave: "-1"
+  name: linkerd
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: linkerd-trust-anchor
+  namespace: linkerd
+spec:
+  ca:
+    secretName: linkerd-trust-anchor
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-identity-issuer
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-identity-issuer
+  duration: 48h0m0s
+  renewBefore: 25h0m0s
+  issuerRef:
+    name: linkerd-trust-anchor
+    kind: Issuer
+  dnsNames:
+    - identity.linkerd.cluster.local
+  isCA: true
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - cert sign
+  - crl sign
+  - server auth
+  - client auth
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: linkerd
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-policy-validator
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-policy-validator-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-policy-validator.linkerd.svc
+  dnsNames:
+  - linkerd-policy-validator.linkerd.svc
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-proxy-injector
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-proxy-injector-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-proxy-injector.linkerd.svc
+  dnsNames:
+  - linkerd-proxy-injector.linkerd.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-sp-validator
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-sp-validator-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-sp-validator.linkerd.svc
+  dnsNames:
+  - linkerd-sp-validator.linkerd.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+{{ if .Values.linkerd.viz.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: linkerd-viz
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+# ignore if not using the viz extension
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tap
+  namespace: linkerd-viz
+spec:
+  revisionHistoryLimit: 5
+  secretName: tap-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap.linkerd-viz.svc
+  dnsNames:
+  - tap.linkerd-viz.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-tap-injector
+  namespace: linkerd-viz
+spec:
+  revisionHistoryLimit: 5
+  secretName: tap-injector-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap-injector.linkerd-viz.svc
+  dnsNames:
+  - tap-injector.linkerd-viz.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+{{ end }}
+{{ if .Values.linkerd.jaeger.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: linkerd-jaeger
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: jaeger-injector
+  namespace: linkerd-jaeger
+spec:
+  revisionHistoryLimit: 5
+  secretName: jaeger-injector-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: jaeger-injector.linkerd-jaeger.svc
+  dnsNames:
+  - jaeger-injector.linkerd-jaeger.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+{{ end }}
+{{ end }}