signadot
diff --git a/‎signadot/operator/Chart.yaml
+2-2 b/‎signadot/operator/Chart.yaml
+2-2
diff --git a/‎signadot/operator/README.md
+37-2 b/‎signadot/operator/README.md
+37-2
diff --git a/‎signadot/operator/templates/_helpers.tpl
+37 b/‎signadot/operator/templates/_helpers.tpl
+37
diff --git a/‎signadot/operator/templates/agent-deployment.yaml
+13-2 b/‎signadot/operator/templates/agent-deployment.yaml
+13-2
diff --git a/‎signadot/operator/templates/allowed_namespaces.yaml
+2-1 b/‎signadot/operator/templates/allowed_namespaces.yaml
+2-1
diff --git a/‎signadot/operator/templates/io-context-server-deployment.yaml
+1-1 b/‎signadot/operator/templates/io-context-server-deployment.yaml
+1-1
diff --git a/‎signadot/operator/templates/routeserver-deployment.yaml
+1-1 b/‎signadot/operator/templates/routeserver-deployment.yaml
+1-1
diff --git a/‎signadot/operator/templates/signadot-agent-clusterrole.yaml
+10 b/‎signadot/operator/templates/signadot-agent-clusterrole.yaml
+10
diff --git a/‎signadot/operator/templates/signadot-cluster-config-configmap.yaml
+14 b/‎signadot/operator/templates/signadot-cluster-config-configmap.yaml
+14
@@ -6,10 +6,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.19.0"
+version: "0.19.1"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.19.0"
+appVersion: "0.19.1"
@@ -66,6 +66,14 @@ kubectl delete ns signadot
 | `serviceLabels`      | Labels to add to all deployed `Service` objects           | `{}`     |
 | `serviceAnnotations` | Annotations to add to all deployed `Service` objects      | `{}`     |
 
+### Controller Manager parameters
+
+| Name                            | Description                                                                 | Default |
+| ------------------------------- | --------------------------------------------------------------------------- | ------- |
+| `allowedNamespaces`             | Restrict the namespaces in which `signadot-controller-manager` will operate | `[]`    |
+| `sandboxTrafficManager.enabled` | Whether to enable the sandbox traffic manager sidecar on forked workloads   | `true`  |
+
+
 ### Image customization parameters
 
 The parameters in the table below allow one to specify image names for the
@@ -120,7 +128,6 @@ style resources and are not needed in an installation which uses the new
 | `jobExecutorProxy.image`              | Job Executor Proxy container image override             | `signadot/job-executor-proxy:vX.Y.Z`   |
 | `jobExecutorProxy.imagePullPolicy`    | Job Executor Proxy container image pull policy          | `IfNotPresent`                         |
 | `jobExecutorProxy.imagePullSecret`    | Job Executor Proxy container image pull secret          | `""`                                   |
-| `sandboxTrafficManager.enabled`     | Whether to enable the sandbox traffic manager sidecar on forked workloads | `true`                         |
 | `sandboxTrafficManager.init.Image`     | Sandbox traffic manager sidecar image override | `signadot/sandbox-traffic-manager:vX.Y.Z`                         |
 | `sandboxTrafficManager.init.ImagePullPolicy`     | Sandbox traffic manager sidecar image pull policy | `IfNotPresent`                         |
 | `sandboxTrafficManager.init.ImagePullSecret`     | Sandbox traffic manager sidecar image pull secret | `""`                         |
@@ -148,14 +155,42 @@ style resources and are not needed in an installation which uses the new
 | `tunnel.auditor.inboundRulesLuaScript`   | All inbound traffic (from cluster to workstation) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details  | `""`    |
 | `tunnel.auditor.outboundRulesLuaScript`  | All outbound traffic (from workstation to cluster) will pass thru this script (if defined) in the Envoy auditor, check [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#stream-handle-api) documentation for details | `""`    |
 |                                          |                                                                                                                                                                                                                                                                              |         |
-### Istio Parameters
+### Istio parameters
 
 When Istio is enabled (`istio.enabled: true`), the Signadot Operator manipulates Istio VirtualServices by applying new HTTPRoutes where appropriate to direct traffic to sandboxed workloads. You can configure the operator to add labels and annotations to these objects when they are in use by the operator.  Note that these labels and annotations are only added when the object comes into use. This can be useful for temporarily disabling CI sync, amongst other possibilities.
 
+Enabling Istio will activate the Istio proxy in the following components: in Signadot `agent` (for control-plane access to the cluster), in `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and in the managed job runner group (for executing in-cluster smart tests).
+
 | Name                                | Description                                                                                               | Default |
 | ----------------------------------- | --------------------------------------------------------------------------------------------------------- | ------- |
 | `istio.enabled`                     | Enable Istio integration                                                                                  | `false` |
 | `istio.additionalAnnotations`       | Annotations to add to istio VirtualServices if not present                                                | `{}`    |
 | `istio.additionalLabels`            | Labels to add to istio VirtualServices if not present                                                     | `{}`    |
 | `istio.enableDeprecatedHostRouting` | Enable sandbox routing by matching the `VirtualService.host` field. **This feature has been deprecated**. | `false` |
 
+
+### Linkerd parameters
+
+Enabling Linkerd will activate the Linkerd proxy in the following components: in Signadot `agent` (for control-plane access to the cluster), in `tunnel-proxy` (to allow workstation access to the cluster via `signadot local connect`), and in the managed job runner group (for executing in-cluster smart tests).
+
+Note that, unlike with Istio, routing in Linkerd is not expressed via Linkerd CRDs, but by using the DevMesh sidecars in the relevant workloads.
+
+| Name              | Description              | Default |
+| ----------------- | ------------------------ | ------- |
+| `linkerd.enabled` | Enable Linkerd integration | `false` |
+
+
+### Routing parameters
+
+| Name                    | Description                                     | Default |
+| ----------------------- | ----------------------------------------------- | ------- |
+| `routing.customHeaders` | List of custom headers used for sandbox routing | `[]`    |
+
+
+### Traffic capture parameters
+
+| Name                                  | Description                                                 | Default |
+| ------------------------------------- | ----------------------------------------------------------- | ------- |
+| `trafficCapture.enabled`              | Enable traffic capture                                      | `true`  |
+| `trafficCapture.requestHeadersElide`  | List of request headers to be elided from traffic captures  | `[]`    |
+| `trafficCapture.responseHeadersElide` | List of response headers to be elided from traffic captures | `[]`    |
@@ -0,0 +1,37 @@
+
+{{/*
+cluster config template
+*/}}
+{{- define "compileClusterConfig" -}}
+{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}}
+allowedNamespaces: {{ if gt (len $allowedNamespaces) 0 }}{{ printf "\n" }}{{ toYaml $allowedNamespaces | indent 2}}{{- else -}}[]{{- end }}
+routing:
+  istio:
+    enabled: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") -}}{{ toString .Values.istio.enabled }}{{- else -}}false{{- end }}
+    enableHostRouting: {{ if and (hasKey .Values "istio") (hasKey .Values.istio "enableDeprecatedHostRouting") -}}{{ toString .Values.istio.enableDeprecatedHostRouting }}{{- else -}}false{{- end }}
+  linkerd:
+    enabled: {{ if and (hasKey .Values "linkerd") (hasKey .Values.linkerd "enabled") -}}{{ toString .Values.linkerd.enabled }}{{- else -}}false{{- end }}
+  customHeaders: {{ with .Values }}{{ with .routing }}{{ with .customHeaders }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
+sandboxTrafficManager:
+  enabled: {{ if and (hasKey .Values "sandboxTrafficManager") (hasKey .Values.sandboxTrafficManager "enabled") -}}{{ toString .Values.sandboxTrafficManager.enabled }}{{- else -}}true{{- end }}
+trafficCapture:
+  enabled: {{ if and (hasKey .Values "trafficCapture") (hasKey .Values.trafficCapture "enabled") -}}{{ toString .Values.trafficCapture.enabled }}{{- else -}}true{{- end }}
+  requestHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .requestHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
+  responseHeadersElide: {{ with .Values }}{{ with .trafficCapture }}{{ with .responseHeadersElide }}{{ printf "\n" }}{{ toYaml . | indent 4}}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}{{- else -}}[]{{- end }}
+{{- end -}}
+
+
+{{/*
+get allowed namespaces
+*/}}
+{{- define "getAllowedNamespaces" -}}
+{{- if .Values.allowedNamespaces }}
+  {{- $userNamespaces := .Values.allowedNamespaces -}}
+  {{- if not (has "signadot" $userNamespaces) }}
+    {{- $userNamespaces = append $userNamespaces "signadot" -}}
+  {{- end }}
+{{- $userNamespaces | toJson -}}
+{{- else -}}
+[] 
+{{- end }}
+{{- end }}
@@ -1,4 +1,8 @@
 # This file is generated. Do not edit.
+{{- $istioEnabled := false -}}
+{{- with .Values }}{{ with .istio }}{{- if hasKey . "enabled" }}{{ $istioEnabled = .enabled }}{{- end }}{{- end }}{{- end }}
+{{- $linkerdEnabled := false -}}
+{{- with .Values }}{{ with .linkerd }}{{- if hasKey . "enabled" }}{{ $linkerdEnabled = .enabled }}{{- end }}{{- end }}{{- end }}
 {{ if not .Values.disableAgent }}
 apiVersion: apps/v1
 kind: Deployment
@@ -27,15 +31,22 @@ spec:
         {{- range $key, $val := .Values.podAnnotations }}
         {{ $key | quote }}: {{ $val | quote }}
         {{- end }}
+        cluster-config-checksum: '{{ include (print $.Template.BasePath "/signadot-cluster-config-configmap.yaml")
+          . | sha256sum }}'
+        {{- if $linkerdEnabled }}
+        linkerd.io/inject: enabled
+        {{- end }}
       labels:
         app: signadot-agent
-        sidecar.istio.io/inject: "true"
         {{- range $key, $val := .Values.commonLabels }}
         {{ $key | quote }}: {{ $val | quote }}
         {{- end }}
         {{- range $key, $val := .Values.podLabels }}
         {{ $key | quote }}: {{ $val | quote }}
         {{- end }}
+        {{- if $istioEnabled }}
+        sidecar.istio.io/inject: "true"
+        {{- end }}
     spec:
       containers:
       - args:
@@ -48,7 +59,7 @@ spec:
             secretKeyRef:
               key: token
               name: cluster-agent
-        image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.19.0{{- end }}{{- else -}}signadot/agent:v0.19.0{{- end }}{{- else -}}signadot/agent:v0.19.0{{- end }}
+        image: {{ with .Values }}{{ with .agent }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/agent:v0.19.1{{- end }}{{- else -}}signadot/agent:v0.19.1{{- end }}{{- else -}}signadot/agent:v0.19.1{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .agent }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         livenessProbe:
           httpGet:
 
@@ -1,6 +1,7 @@
 # Bind the ClusterRole containing namespaced permissions to the
 # controller-manager's ServiceAccount only in the specified namespaces.
-{{ range $namespace := .Values.allowedNamespaces }}
+{{- $allowedNamespaces := (include "getAllowedNamespaces" . | fromJsonArray) -}}
+{{ range $namespace := $allowedNamespaces }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 
@@ -40,7 +40,7 @@ spec:
         - /app/io-context-server
         - -tls=secretns=signadot
         - -port=8443
-        image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}{{- else -}}signadot/io-context-server:v0.19.0{{- end }}
+        image: {{ with .Values }}{{ with .ioContextServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}{{- else -}}signadot/io-context-server:v0.19.1{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .ioContextServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         name: io-context-server
         ports:
 
@@ -36,7 +36,7 @@ spec:
         {{- end }}
     spec:
       containers:
-      - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.19.0{{- end }}{{- else -}}signadot/route-server:v0.19.0{{- end }}{{- else -}}signadot/route-server:v0.19.0{{- end }}
+      - image: {{ with .Values }}{{ with .routeServer }}{{ with .image }}{{ . | quote}}{{- else -}}signadot/route-server:v0.19.1{{- end }}{{- else -}}signadot/route-server:v0.19.1{{- end }}{{- else -}}signadot/route-server:v0.19.1{{- end }}
         imagePullPolicy: {{ with .Values }}{{ with .routeServer }}{{ with .imagePullPolicy }}{{ . | quote}}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}{{- else -}}IfNotPresent{{- end }}
         name: routeserver
         ports:
 
@@ -75,4 +75,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - signadot-cluster-config
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
 {{ end }}
@@ -0,0 +1,14 @@
+{{- if and (hasKey .Values "istio") (hasKey .Values.istio "enabled") .Values.istio.enabled
+           (hasKey .Values "linkerd") (hasKey .Values.linkerd "enabled") .Values.linkerd.enabled
+}}
+{{ fail "istio and linkerd cannot be enabled at the same time" }}
+{{- end }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: signadot-cluster-config
+  namespace: signadot
+data:
+  cluster_config.yaml: |
+    {{- include "compileClusterConfig" . | nindent 4 }}