dwilliams782/helmrelease-linkerd-control-plane.yaml

## helmrelease-linkerd-control-plane.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: linkerd-control-plane
  namespace: linkerd
spec:
  interval: 60m
  releaseName: linkerd-control-plane
  chart:
    spec:
      chart: linkerd-control-plane
      version: 1.9.4 # stable-2.12.2
      sourceRef:
        kind: HelmRepository
        name: linkerd-stable
  values:
    enableEndpointSlices: false
    identity:
      externalCA: true
      issuer:
        scheme: kubernetes.io/tls
    proxyInit:
      iptablesMode: "legacy"
      runAsRoot: true
      image:
        name: <our gcr registry>/linkerd/proxy-init
    policyController:
      image:
        name: <our gcr registry>/linkerd/policy-controller
    policyValidator:
      externalSecret: true
      injectCaFrom: linkerd/linkerd-policy-validator
    proxyInjector:
      externalSecret: true
      injectCaFrom: linkerd/linkerd-proxy-injector
    profileValidator:
      externalSecret: true
      injectCaFrom: linkerd/linkerd-sp-validator

 # The following are required for "HA" mode and are lifted from here: https://github.com/linkerd/linkerd2/blob/main/charts/linkerd-control-plane/values-ha.yaml
    # -- Create PodDisruptionBudget resources for each control plane workload
    enablePodDisruptionBudget: true

    # -- Specify a deployment strategy for each control plane workload
    deploymentStrategy:
      rollingUpdate:
        maxUnavailable: 1
        maxSurge: 25%

    # -- add PodAntiAffinity to each control plane workload
    enablePodAntiAffinity: true

    # nodeAffinity:

    # proxy configuration
    proxy:
      image:
        name: <our gcr registry>/linkerd/proxy
      # https://linkerd.io/2.12/tasks/configuring-proxy-concurrency/
      cores: 2
      resources:
        cpu:
          request: 100m
          limit: 2
        memory:
          limit: 250Mi
          request: 20Mi

    # controller configuration
    controllerReplicas: 3
    controllerImage: <our gcr registry>/linkerd/controller
    controllerResources: &controller_resources
      cpu: &controller_resources_cpu
        limit: ""
        request: 100m
      memory:
        limit: 250Mi
        request: 50Mi
    destinationResources:
      cpu: *controller_resources_cpu
      memory:
        limit: 768Mi
        request: 768Mi
    destinationProxyResources:
      memory:
        request: 100Mi

    # identity configuration
    identityResources:
      cpu: *controller_resources_cpu
      memory:
        limit: 250Mi
        request: 10Mi

    # heartbeat configuration
    heartbeatResources: *controller_resources

    # proxy injector configuration
    proxyInjectorResources:
      cpu: *controller_resources_cpu
      memory:
        limit: 512Mi
        request: 512Mi
    webhookFailurePolicy: Fail

    # service profile validator configuration
    spValidatorResources: *controller_resources
	---
	apiVersion: helm.toolkit.fluxcd.io/v2beta1
	kind: HelmRelease
	metadata:
	name: linkerd-control-plane
	namespace: linkerd
	spec:
	interval: 60m
	releaseName: linkerd-control-plane
	chart:
	spec:
	chart: linkerd-control-plane
	version: 1.9.4 # stable-2.12.2
	sourceRef:
	kind: HelmRepository
	name: linkerd-stable
	values:
	enableEndpointSlices: false
	identity:
	externalCA: true
	issuer:
	scheme: kubernetes.io/tls
	proxyInit:
	iptablesMode: "legacy"
	runAsRoot: true
	image:
	name: <our gcr registry>/linkerd/proxy-init
	policyController:
	image:
	name: <our gcr registry>/linkerd/policy-controller
	policyValidator:
	externalSecret: true
	injectCaFrom: linkerd/linkerd-policy-validator
	proxyInjector:
	externalSecret: true
	injectCaFrom: linkerd/linkerd-proxy-injector
	profileValidator:
	externalSecret: true
	injectCaFrom: linkerd/linkerd-sp-validator

	# The following are required for "HA" mode and are lifted from here: https://github.com/linkerd/linkerd2/blob/main/charts/linkerd-control-plane/values-ha.yaml
	# -- Create PodDisruptionBudget resources for each control plane workload
	enablePodDisruptionBudget: true

	# -- Specify a deployment strategy for each control plane workload
	deploymentStrategy:
	rollingUpdate:
	maxUnavailable: 1
	maxSurge: 25%

	# -- add PodAntiAffinity to each control plane workload
	enablePodAntiAffinity: true

	# nodeAffinity:

	# proxy configuration
	proxy:
	image:
	name: <our gcr registry>/linkerd/proxy
	# https://linkerd.io/2.12/tasks/configuring-proxy-concurrency/
	cores: 2
	resources:
	cpu:
	request: 100m
	limit: 2
	memory:
	limit: 250Mi
	request: 20Mi

	# controller configuration
	controllerReplicas: 3
	controllerImage: <our gcr registry>/linkerd/controller
	controllerResources: &controller_resources
	cpu: &controller_resources_cpu
	limit: ""
	request: 100m
	memory:
	limit: 250Mi
	request: 50Mi
	destinationResources:
	cpu: *controller_resources_cpu
	memory:
	limit: 768Mi
	request: 768Mi
	destinationProxyResources:
	memory:
	request: 100Mi

	# identity configuration
	identityResources:
	cpu: *controller_resources_cpu
	memory:
	limit: 250Mi
	request: 10Mi

	# heartbeat configuration
	heartbeatResources: *controller_resources

	# proxy injector configuration
	proxyInjectorResources:
	cpu: *controller_resources_cpu
	memory:
	limit: 512Mi
	request: 512Mi
	webhookFailurePolicy: Fail

	# service profile validator configuration
	spValidatorResources: *controller_resources