diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml
index 546074f5c..68bd1c666 100644
--- a/.github/workflows/stale-actions.yaml
+++ b/.github/workflows/stale-actions.yaml
@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@v8
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           # Staling issues and PR's
diff --git a/.gitignore b/.gitignore
index b43d958ab..bb6ac616e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .terragrunt-cache
 .terraform
 .terraform.lock.hcl
+.idea
diff --git a/README.md b/README.md
index 76c7cc624..61548fd7c 100644
--- a/README.md
+++ b/README.md
@@ -137,8 +137,9 @@ No modules.
 | [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.linkerd2](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.metrics-server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -160,6 +161,7 @@ No modules.
 | [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.linkerd](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.sync](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
@@ -177,8 +179,8 @@ No modules.
 | [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kyverno](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_namespace.linkerd2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.metrics-server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -207,6 +209,7 @@ No modules.
 | [kubernetes_network_policy.flux_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -233,6 +236,8 @@ No modules.
 | [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -341,6 +346,7 @@ No modules.
 | <a name="input_kube-prometheus-stack"></a> [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
 | <a name="input_kyverno"></a> [kyverno](#input\_kyverno) | Customize kyverno chart, see `kyverno.tf` for supported values | `any` | `{}` | no |
 | <a name="input_labels_prefix"></a> [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
+| <a name="input_linkerd"></a> [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd-viz"></a> [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2"></a> [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2-cni"></a> [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index aa295dc1a..8f5f41f7d 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -27,22 +27,22 @@ dependencies:
     version: 0.3.11
     repository: https://aws.github.io/eks-charts
   - name: cert-manager
-    version: v1.11.0
+    version: v1.11.1
     repository: https://charts.jetstack.io
   - name: cert-manager-csi-driver
     version: v0.5.0
     repository: https://charts.jetstack.io
   - name: cluster-autoscaler
-    version: 9.26.0
+    version: 9.28.0
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
-    version: 1.12.1
+    version: 1.12.2
     repository: https://kubernetes-sigs.github.io/external-dns/
   - name: flux
     version: 1.13.3
     repository: https://charts.fluxcd.io
   - name: ingress-nginx
-    version: 4.5.2
+    version: 4.6.0
     repository: https://kubernetes.github.io/ingress-nginx
   - name: istio-operator
     version: 1.7.0
@@ -60,37 +60,40 @@ dependencies:
     version: 18.4.0
     repository: https://codecentric.github.io/helm-charts
   - name: kong
-    version: 2.16.5
+    version: 2.19.0
     repository: https://charts.konghq.com
   - name: kube-prometheus-stack
-    version: 45.7.1
+    version: 45.9.1
     repository: https://prometheus-community.github.io/helm-charts
   - name: kyverno
-    version: 2.7.1
+    version: 2.7.2
     repository: https://kyverno.github.io/kyverno/
   - name: kyverno-crds
     version: v2.0.3
     repository: https://kyverno.github.io/kyverno/
-  - name: linkerd2
-    repository: https://helm.linkerd.io/edge
-    version: 21.12.3
   - name: linkerd2-cni
-    repository: https://helm.linkerd.io/edge
-    version: 21.12.4
+    version: 30.8.0
+    repository: https://helm.linkerd.io/stable
+  - name: linkerd-control-plane
+    version: 1.12.0
+    repository: https://helm.linkerd.io/stable
+  - name: linkerd-crds
+    version: 1.6.0
+    repository: https://helm.linkerd.io/stable
   - name: linkerd-viz
-    repository: https://helm.linkerd.io/edge
-    version: 21.12.4
+    version: 30.8.0
+    repository: https://helm.linkerd.io/stable
   - name: loki-stack
-    version: 2.9.9
+    version: 2.9.10
     repository: https://grafana.github.io/helm-charts
   - name: loki
-    version: 4.8.0
+    version: 5.0.0
     repository: https://grafana.github.io/helm-charts
   - name: promtail
-    version: 6.9.3
+    version: 6.10.0
     repository: https://grafana.github.io/helm-charts
   - name: metrics-server
-    version: 3.8.4
+    version: 3.9.0
     repository: https://kubernetes-sigs.github.io/metrics-server/
   - name: node-problem-detector
     version: 2.3.4
@@ -102,10 +105,10 @@ dependencies:
     version: 0.24.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: prometheus-blackbox-exporter
-    version: 7.6.1
+    version: 7.7.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: rabbitmq-cluster-operator
-    version: 3.2.7
+    version: 3.2.10
     repository: https://charts.bitnami.com/bitnami
   - name: scaleway-webhook
     version: v0.0.1
@@ -117,25 +120,25 @@ dependencies:
     version: 0.34.0
     repository: https://strimzi.io/charts/
   - name: thanos
-    version: 12.3.1
+    version: 12.4.2
     repository: https://charts.bitnami.com/bitnami
   - name: tigera-operator
-    version: v3.25.0
+    version: v3.25.1
     repository: https://docs.projectcalico.org/charts
   - name: traefik
-    version: 21.2.0
+    version: 22.1.0
     repository: https://helm.traefik.io/traefik
   - name: memcached
-    version: 6.3.13
+    version: 6.3.14
     repository: https://charts.bitnami.com/bitnami
   - name: vault
-    version: 0.23.0
+    version: 0.24.0
     repository: https://helm.releases.hashicorp.com
   - name: velero
-    version: 3.1.4
+    version: 3.1.6
     repository: https://vmware-tanzu.github.io/helm-charts
   - name: victoria-metrics-k8s-stack
-    version: 0.14.16
+    version: 0.14.17
     repository: https://victoriametrics.github.io/helm-charts/
   - name: yet-another-cloudwatch-exporter
     version: 0.14.0
diff --git a/ingress-nginx.tf b/ingress-nginx.tf
index 81d18ffb1..32e626ceb 100644
--- a/ingress-nginx.tf
+++ b/ingress-nginx.tf
@@ -230,3 +230,29 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
     policy_types = ["Ingress"]
   }
 }
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
+  count = local.ingress-nginx["enabled"] && local.linkerd-viz["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = local.linkerd-viz["namespace"]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
diff --git a/linkerd-viz.tf b/linkerd-viz.tf
index ebc16bf01..82773eede 100644
--- a/linkerd-viz.tf
+++ b/linkerd-viz.tf
@@ -8,57 +8,94 @@ locals {
       chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-viz")].version
       namespace              = "linkerd-viz"
       create_ns              = true
-      enabled                = local.linkerd2.enabled
+      enabled                = local.linkerd.enabled
       default_network_policy = true
+      allowed_cidrs          = ["0.0.0.0/0"]
       ha                     = true
     },
     var.linkerd-viz
   )
 
   values_linkerd-viz = <<VALUES
-namespace: ${local.linkerd-viz.namespace}
-installNamespace: false
-VALUES
+    linkerdNamespace: ${local.linkerd["namespace"]}
+    VALUES
 
   values_linkerd-viz_ha = <<VALUES
-
-enablePodAntiAffinity: true
-
-resources: &ha_resources
-  cpu: &ha_resources_cpu
-    limit: ""
-    request: 100m
-  memory:
-    limit: 250Mi
-    request: 50Mi
-
-# tap configuration
-tap:
-  replicas: 3
-  resources: *ha_resources
-
-# web configuration
-dashboard:
-  resources: *ha_resources
-
-# grafana configuration
-grafana:
-  resources:
-    cpu: *ha_resources_cpu
-    memory:
-      limit: 1024Mi
-      request: 50Mi
-
-# prometheus configuration
-prometheus:
-  resources:
-    cpu:
-      limit: ""
-      request: 300m
-    memory:
-      limit: 8192Mi
-      request: 300Mi
-VALUES
+    #
+    # The below is taken from: https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/values-ha.yaml
+    #
+
+    # This values.yaml file contains the values needed to enable HA mode.
+    # Usage:
+    #   helm install -f values.yaml -f values-ha.yaml
+
+    enablePodAntiAffinity: true
+
+    # nodeAffinity:
+
+    resources: &ha_resources
+      cpu: &ha_resources_cpu
+        limit: ""
+        request: 100m
+      memory:
+        limit: 250Mi
+        request: 50Mi
+
+    # tap configuration
+    tap:
+      replicas: 3
+      resources: *ha_resources
+
+    # web configuration
+    dashboard:
+      resources: *ha_resources
+
+    # prometheus configuration
+    prometheus:
+      resources:
+        cpu:
+          limit: ""
+          request: 300m
+        memory:
+          limit: 8192Mi
+          request: 300Mi
+    VALUES
+
+  linkerd-viz_manifests = {
+    prometheus-servicemonitor = <<-VALUES
+      apiVersion: monitoring.coreos.com/v1
+      kind: ServiceMonitor
+      metadata:
+        labels:
+          k8s-app: linkerd-prometheus
+          release: monitoring
+        name: linkerd-federate
+        namespace: ${local.linkerd-viz.namespace}
+      spec:
+        endpoints:
+        - interval: 30s
+          scrapeTimeout: 30s
+          params:
+            match[]:
+            - '{job="linkerd-proxy"}'
+            - '{job="linkerd-controller"}'
+          path: /federate
+          port: admin-http
+          honorLabels: true
+          relabelings:
+          - action: keep
+            regex: '^prometheus$'
+            sourceLabels:
+            - '__meta_kubernetes_pod_container_name'
+        jobLabel: app
+        namespaceSelector:
+          matchNames:
+          - ${local.linkerd-viz.namespace}
+        selector:
+          matchLabels:
+            component: prometheus
+      VALUES
+  }
 }
 
 resource "kubernetes_namespace" "linkerd-viz" {
@@ -79,6 +116,11 @@ resource "kubernetes_namespace" "linkerd-viz" {
   }
 }
 
+resource "kubectl_manifest" "linkerd-viz" {
+  for_each  = local.linkerd-viz.enabled && local.kube-prometheus-stack.enabled ? local.linkerd-viz_manifests : {}
+  yaml_body = each.value
+}
+
 resource "helm_release" "linkerd-viz" {
   count                 = local.linkerd-viz["enabled"] ? 1 : 0
   repository            = local.linkerd-viz["repository"]
@@ -106,6 +148,8 @@ resource "helm_release" "linkerd-viz" {
     local.linkerd-viz.ha ? local.values_linkerd-viz_ha : null
   ])
   namespace = local.linkerd-viz["create_ns"] ? kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index] : local.linkerd-viz["namespace"]
+
+  depends_on = [helm_release.linkerd-control-plane]
 }
 
 resource "kubernetes_network_policy" "linkerd-viz_default_deny" {
@@ -148,3 +192,61 @@ resource "kubernetes_network_policy" "linkerd-viz_allow_namespace" {
     policy_types = ["Ingress"]
   }
 }
+
+resource "kubernetes_network_policy" "linkerd-viz_allow_control_plane" {
+  count = local.linkerd-viz["enabled"] && local.linkerd-viz["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]}-allow-control-plane"
+    namespace = kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      ports {
+        port     = "8089"
+        protocol = "TCP"
+      }
+
+      dynamic "from" {
+        for_each = local.linkerd-viz["allowed_cidrs"]
+        content {
+          ip_block {
+            cidr = from.value
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "linkerd-viz_allow_monitoring" {
+  count = local.linkerd-viz["enabled"] && local.linkerd-viz["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]}-allow-monitoring"
+    namespace = kubernetes_namespace.linkerd-viz.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            "${local.labels_prefix}/component" = "monitoring"
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
diff --git a/linkerd.tf b/linkerd.tf
new file mode 100644
index 000000000..a2b535f61
--- /dev/null
+++ b/linkerd.tf
@@ -0,0 +1,394 @@
+locals {
+  linkerd = merge(
+    local.helm_defaults,
+    {
+      name               = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-control-plane")].name
+      chart              = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-control-plane")].name
+      repository         = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-control-plane")].repository
+      chart_version      = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-control-plane")].version
+      namespace          = "linkerd"
+      create_ns          = true
+      enabled            = false
+      trust_anchor_pem   = null
+      cluster_dns_domain = "cluster.local"
+      ha                 = true
+    },
+    var.linkerd
+  )
+
+  values_linkerd = <<-VALUES
+    identity:
+      issuer:
+        scheme: kubernetes.io/tls
+    identityTrustAnchorsPEM: |
+      ${indent(2, local.linkerd.enabled ? local.linkerd["trust_anchor_pem"] == null ? tls_self_signed_cert.linkerd_trust_anchor.0.cert_pem : local.linkerd["trust_anchor_pem"] : "")}
+    policyValidator:
+      externalSecret: true
+      caBundle: |
+        ${indent(4, local.linkerd.enabled ? tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : "")}
+    proxyInjector:
+      externalSecret: true
+      caBundle: |
+        ${indent(4, local.linkerd.enabled ? tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : "")}
+    profileValidator:
+      externalSecret: true
+      caBundle: |
+        ${indent(4, local.linkerd.enabled ? tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : "")}
+    VALUES
+
+  values_linkerd_ha = <<-VALUES
+    #
+    # The below is taken from: https://github.com/linkerd/linkerd/blob/main/charts/linkerd/values-ha.yaml
+    #
+
+    # This values.yaml file contains the values needed to enable HA mode.
+    # Usage:
+    #   helm install -f values-ha.yaml
+
+    # -- Create PodDisruptionBudget resources for each control plane workload
+    enablePodDisruptionBudget: true
+
+    # -- Specify a deployment strategy for each control plane workload
+    deploymentStrategy:
+      rollingUpdate:
+        maxUnavailable: 1
+        maxSurge: 25%
+
+    # -- add PodAntiAffinity to each control plane workload
+    enablePodAntiAffinity: true
+
+    # nodeAffinity:
+
+    # proxy configuration
+    proxy:
+      resources:
+        cpu:
+          request: 100m
+        memory:
+          limit: 250Mi
+          request: 20Mi
+
+    # controller configuration
+    controllerReplicas: 3
+    controllerResources: &controller_resources
+      cpu: &controller_resources_cpu
+        limit: ""
+        request: 100m
+      memory:
+        limit: 250Mi
+        request: 50Mi
+    destinationResources: *controller_resources
+
+    # identity configuration
+    identityResources:
+      cpu: *controller_resources_cpu
+      memory:
+        limit: 250Mi
+        request: 10Mi
+
+    # heartbeat configuration
+    heartbeatResources: *controller_resources
+
+    # proxy injector configuration
+    proxyInjectorResources: *controller_resources
+    webhookFailurePolicy: Fail
+
+    # service profile validator configuration
+    spValidatorResources: *controller_resources
+    VALUES
+
+  linkerd_manifests = {
+    linkerd-trust-anchor = <<-VALUES
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: linkerd-trust-anchor
+        namespace: ${local.linkerd.namespace}
+      spec:
+        ca:
+          secretName: linkerd-trust-anchor
+      VALUES
+
+    linkerd-identity-issuer = <<-VALUES
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: linkerd-identity-issuer
+        namespace: ${local.linkerd.namespace}
+      spec:
+        secretName: linkerd-identity-issuer
+        revisionHistoryLimit: 3
+        duration: 48h
+        renewBefore: 25h
+        issuerRef:
+          name: linkerd-trust-anchor
+          kind: Issuer
+        commonName: identity.linkerd.${local.linkerd.cluster_dns_domain}
+        dnsNames:
+        - identity.linkerd.${local.linkerd.cluster_dns_domain}
+        isCA: true
+        privateKey:
+          algorithm: ECDSA
+        usages:
+        - cert sign
+        - crl sign
+        - server auth
+        - client auth
+      VALUES
+
+    webhook-issuer = <<-VALUES
+      apiVersion: cert-manager.io/v1
+      kind: Issuer
+      metadata:
+        name: webhook-issuer
+        namespace: ${local.linkerd.namespace}
+      spec:
+        ca:
+          secretName: webhook-issuer-tls
+      VALUES
+
+    linkerd-policy-validator = <<-VALUES
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: linkerd-policy-validator
+        namespace: ${local.linkerd.namespace}
+      spec:
+        secretName: linkerd-policy-validator-k8s-tls
+        duration: 24h
+        renewBefore: 1h
+        issuerRef:
+          name: webhook-issuer
+          kind: Issuer
+        commonName: linkerd-policy-validator.${local.linkerd.namespace}.svc
+        dnsNames:
+        - linkerd-policy-validator.${local.linkerd.namespace}.svc
+        isCA: false
+        privateKey:
+          algorithm: ECDSA
+          encoding: PKCS8
+        usages:
+        - server auth
+      VALUES
+
+    linkerd-proxy-injector = <<-VALUES
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: linkerd-proxy-injector
+        namespace: ${local.linkerd.namespace}
+      spec:
+        secretName: linkerd-proxy-injector-k8s-tls
+        revisionHistoryLimit: 3
+        duration: 24h
+        renewBefore: 1h
+        issuerRef:
+          name: webhook-issuer
+          kind: Issuer
+        commonName: linkerd-proxy-injector.${local.linkerd.namespace}.svc
+        dnsNames:
+        - linkerd-proxy-injector.${local.linkerd.namespace}.svc
+        isCA: false
+        privateKey:
+          algorithm: ECDSA
+        usages:
+        - server auth
+      VALUES
+
+    linkerd-sp-validator = <<-VALUES
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: linkerd-sp-validator
+        namespace: ${local.linkerd.namespace}
+      spec:
+        secretName: linkerd-sp-validator-k8s-tls
+        revisionHistoryLimit: 3
+        duration: 24h
+        renewBefore: 1h
+        issuerRef:
+          name: webhook-issuer
+          kind: Issuer
+        commonName: linkerd-sp-validator.${local.linkerd.namespace}.svc
+        dnsNames:
+        - linkerd-sp-validator.${local.linkerd.namespace}.svc
+        isCA: false
+        privateKey:
+          algorithm: ECDSA
+        usages:
+        - server auth
+      VALUES
+  }
+
+  linkerd-crds = merge(
+    local.helm_defaults,
+    {
+      name          = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-crds")].name
+      chart         = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-crds")].name
+      repository    = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-crds")].repository
+      chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd-crds")].version
+      namespace     = "linkerd"
+      create_ns     = false
+      enabled       = local.linkerd["enabled"] && !local.linkerd["skip_crds"]
+    },
+  )
+}
+
+resource "tls_private_key" "linkerd_trust_anchor" {
+  count       = local.linkerd["enabled"] && local.linkerd["trust_anchor_pem"] == null ? 1 : 0
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "tls_self_signed_cert" "linkerd_trust_anchor" {
+  count                 = local.linkerd["enabled"] && local.linkerd["trust_anchor_pem"] == null ? 1 : 0
+  private_key_pem       = tls_private_key.linkerd_trust_anchor.0.private_key_pem
+  validity_period_hours = 87600
+  early_renewal_hours   = 78840
+  is_ca_certificate     = true
+
+  subject {
+    common_name = "root.linkerd.${local.linkerd.cluster_dns_domain}"
+  }
+
+  allowed_uses = [
+    "cert_signing",
+    "crl_signing",
+  ]
+}
+
+resource "kubernetes_secret" "linkerd_trust_anchor" {
+  count = local.linkerd["enabled"] && local.linkerd["trust_anchor_pem"] == null ? 1 : 0
+  metadata {
+    name      = "linkerd-trust-anchor"
+    namespace = local.linkerd.create_ns ? kubernetes_namespace.linkerd.0.metadata[0].name : local.linkerd.namespace
+  }
+
+  data = {
+    "tls.crt" = tls_self_signed_cert.linkerd_trust_anchor.0.cert_pem
+    "tls.key" = tls_private_key.linkerd_trust_anchor.0.private_key_pem
+  }
+
+  type = "kubernetes.io/tls"
+}
+
+resource "tls_private_key" "webhook_issuer_tls" {
+  count       = local.linkerd["enabled"] ? 1 : 0
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "tls_self_signed_cert" "webhook_issuer_tls" {
+  count                 = local.linkerd["enabled"] ? 1 : 0
+  private_key_pem       = tls_private_key.webhook_issuer_tls.0.private_key_pem
+  validity_period_hours = 87600
+  early_renewal_hours   = 78840
+  is_ca_certificate     = true
+
+  subject {
+    common_name = "webhook.linkerd.${local.linkerd.cluster_dns_domain}"
+  }
+
+  allowed_uses = [
+    "cert_signing",
+    "crl_signing",
+  ]
+}
+
+resource "kubernetes_secret" "webhook_issuer_tls" {
+  count = local.linkerd["enabled"] ? 1 : 0
+  metadata {
+    name      = "webhook-issuer-tls"
+    namespace = local.linkerd.create_ns ? kubernetes_namespace.linkerd.0.metadata[0].name : local.linkerd.namespace
+  }
+
+  data = {
+    "tls.crt" = tls_self_signed_cert.webhook_issuer_tls.0.cert_pem
+    "tls.key" = tls_private_key.webhook_issuer_tls.0.private_key_pem
+  }
+
+  type = "kubernetes.io/tls"
+}
+
+resource "kubernetes_namespace" "linkerd" {
+  count = local.linkerd["enabled"] && local.linkerd["create_ns"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name                                  = local.linkerd["namespace"]
+      "linkerd.io/is-control-plane"         = "true"
+      "config.linkerd.io/admission-webhook" = "disabled"
+      "linkerd.io/control-plane-ns"         = local.linkerd.namespace
+    }
+
+    annotations = {
+      "linkerd.io/inject" = "disabled"
+    }
+
+    name = local.linkerd["namespace"]
+  }
+}
+
+resource "helm_release" "linkerd-control-plane" {
+  count                 = local.linkerd["enabled"] ? 1 : 0
+  repository            = local.linkerd["repository"]
+  name                  = local.linkerd["name"]
+  chart                 = local.linkerd["chart"]
+  version               = local.linkerd["chart_version"]
+  timeout               = local.linkerd["timeout"]
+  force_update          = local.linkerd["force_update"]
+  recreate_pods         = local.linkerd["recreate_pods"]
+  wait                  = local.linkerd["wait"]
+  atomic                = local.linkerd["atomic"]
+  cleanup_on_fail       = local.linkerd["cleanup_on_fail"]
+  dependency_update     = local.linkerd["dependency_update"]
+  disable_crd_hooks     = local.linkerd["disable_crd_hooks"]
+  disable_webhooks      = local.linkerd["disable_webhooks"]
+  render_subchart_notes = local.linkerd["render_subchart_notes"]
+  replace               = local.linkerd["replace"]
+  reset_values          = local.linkerd["reset_values"]
+  reuse_values          = local.linkerd["reuse_values"]
+  skip_crds             = local.linkerd["skip_crds"]
+  verify                = local.linkerd["verify"]
+  values = compact([
+    local.values_linkerd,
+    local.linkerd["extra_values"],
+    local.linkerd.ha ? local.values_linkerd_ha : null
+  ])
+  namespace = local.linkerd["create_ns"] ? kubernetes_namespace.linkerd.*.metadata.0.name[count.index] : local.linkerd["namespace"]
+
+  depends_on = [
+    helm_release.linkerd2-cni,
+    helm_release.linkerd-crds
+  ]
+}
+
+resource "kubectl_manifest" "linkerd" {
+  for_each  = local.linkerd.enabled ? local.linkerd_manifests : {}
+  yaml_body = each.value
+}
+
+resource "helm_release" "linkerd-crds" {
+  count                 = local.linkerd["enabled"] && !local.linkerd["skip_crds"] ? 1 : 0
+  repository            = local.linkerd["repository"]
+  name                  = local.linkerd-crds["name"]
+  chart                 = local.linkerd-crds["chart"]
+  version               = local.linkerd-crds["chart_version"]
+  timeout               = local.linkerd["timeout"]
+  force_update          = local.linkerd["force_update"]
+  recreate_pods         = local.linkerd["recreate_pods"]
+  wait                  = local.linkerd["wait"]
+  atomic                = local.linkerd["atomic"]
+  cleanup_on_fail       = local.linkerd["cleanup_on_fail"]
+  dependency_update     = local.linkerd["dependency_update"]
+  disable_crd_hooks     = local.linkerd["disable_crd_hooks"]
+  disable_webhooks      = local.linkerd["disable_webhooks"]
+  render_subchart_notes = local.linkerd["render_subchart_notes"]
+  replace               = local.linkerd["replace"]
+  reset_values          = local.linkerd["reset_values"]
+  reuse_values          = local.linkerd["reuse_values"]
+  skip_crds             = local.linkerd["skip_crds"]
+  verify                = local.linkerd["verify"]
+  values                = []
+  namespace             = local.linkerd["create_ns"] ? kubernetes_namespace.linkerd.*.metadata.0.name[count.index] : local.linkerd["namespace"]
+}
diff --git a/linkerd2-cni.tf b/linkerd2-cni.tf
index e29423cda..55c5eac55 100644
--- a/linkerd2-cni.tf
+++ b/linkerd2-cni.tf
@@ -8,7 +8,7 @@ locals {
       chart_version          = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd2-cni")].version
       namespace              = "linkerd-cni"
       create_ns              = true
-      enabled                = local.linkerd2.enabled
+      enabled                = local.linkerd.enabled
       cni_conflist_filename  = "10-calico.conflist"
       default_network_policy = true
     },
@@ -16,27 +16,7 @@ locals {
   )
 
   values_linkerd2-cni = <<VALUES
-namespace: ${local.linkerd2-cni.namespace}
-installNamespace: false
-tolerations:
-  - operator: "Exists"
-
-extraInitContainers:
-  - name: wait-for-other-cni
-    image: busybox:1.33
-    command:
-      - /bin/sh
-      - -xc
-      - |
-        for i in $(seq 1 180); do
-          test -f /host/etc/cni/net.d/${local.linkerd2-cni.cni_conflist_filename} && exit 0
-          sleep 1
-        done
-        exit 1
-    volumeMounts:
-      - mountPath: /host/etc/cni/net.d
-        name: cni-net-dir
-VALUES
+    VALUES
 }
 
 resource "kubernetes_namespace" "linkerd2-cni" {
diff --git a/linkerd2.tf b/linkerd2.tf
deleted file mode 100644
index ac313df1a..000000000
--- a/linkerd2.tf
+++ /dev/null
@@ -1,319 +0,0 @@
-locals {
-  linkerd2 = merge(
-    local.helm_defaults,
-    {
-      name               = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd2")].name
-      chart              = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd2")].name
-      repository         = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd2")].repository
-      chart_version      = local.helm_dependencies[index(local.helm_dependencies.*.name, "linkerd2")].version
-      namespace          = "linkerd"
-      create_ns          = true
-      enabled            = false
-      trust_anchor_pem   = null
-      cluster_dns_domain = "cluster.local"
-      ha                 = true
-    },
-    var.linkerd2
-  )
-
-  values_linkerd2 = <<-VALUES
-    installNamespace: false
-    namespace: ${local.linkerd2.namespace}
-    cniEnabled: true
-    enableEndpointSlices: true
-    identity:
-      issuer:
-        scheme: kubernetes.io/tls
-    identityTrustAnchorsPEM: |
-      ${indent(2, local.linkerd2.enabled ? local.linkerd2["trust_anchor_pem"] == null ? tls_self_signed_cert.linkerd_trust_anchor.0.cert_pem : local.linkerd2["trust_anchor_pem"] : "")}
-    proxyInjector:
-      externalSecret: true
-      caBundle: |
-        ${indent(4, local.linkerd2.enabled ? tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : "")}
-    profileValidator:
-      externalSecret: true
-      caBundle: |
-        ${indent(4, local.linkerd2.enabled ? tls_self_signed_cert.webhook_issuer_tls.0.cert_pem : "")}
-    VALUES
-
-  values_linkerd2_ha = <<-VALUES
-
-    #
-    # The below is taken from: https://github.com/linkerd/linkerd2/blob/main/charts/linkerd2/values-ha.yaml
-    #
-
-    enablePodAntiAffinity: true
-
-    # proxy configuration
-    proxy:
-      # A better default for log collectors that require structured data
-      logFormat: json
-      resources:
-        cpu:
-          request: 100m
-        memory:
-          limit: 250Mi
-          request: 20Mi
-
-    # controller configuration
-    controllerReplicas: 3
-    controllerResources: &controller_resources
-      cpu: &controller_resources_cpu
-        limit: ""
-        request: 100m
-      memory:
-        limit: 250Mi
-        request: 50Mi
-    destinationResources: *controller_resources
-
-    # identity configuration
-    identityResources:
-      cpu: *controller_resources_cpu
-      memory:
-        limit: 250Mi
-        request: 10Mi
-
-    # heartbeat configuration
-    heartbeatResources: *controller_resources
-
-    # proxy injector configuration
-    proxyInjectorResources: *controller_resources
-    webhookFailurePolicy: Fail
-
-    # service profile validator configuration
-    spValidatorResources: *controller_resources
-    VALUES
-
-  linkerd2_manifests = {
-    linkerd-identity-issuer = <<-VALUES
-      apiVersion: cert-manager.io/v1
-      kind: Certificate
-      metadata:
-        name: linkerd-identity-issuer
-        namespace: ${local.linkerd2.namespace}
-      spec:
-        secretName: linkerd-identity-issuer
-        revisionHistoryLimit: 3
-        duration: 8h
-        renewBefore: 4h
-        issuerRef:
-          name: linkerd-trust-anchor
-          kind: Issuer
-        commonName: identity.linkerd.cluster.local
-        dnsNames:
-        - identity.linkerd.cluster.local
-        isCA: true
-        privateKey:
-          algorithm: ECDSA
-        usages:
-        - cert sign
-        - crl sign
-        - server auth
-        - client auth
-      VALUES
-
-    linkerd-proxy-injector = <<-VALUES
-      apiVersion: cert-manager.io/v1
-      kind: Certificate
-      metadata:
-        name: linkerd-proxy-injector
-        namespace: ${local.linkerd2.namespace}
-      spec:
-        secretName: linkerd-proxy-injector-k8s-tls
-        revisionHistoryLimit: 3
-        duration: 8h
-        renewBefore: 4h
-        issuerRef:
-          name: webhook-issuer
-          kind: Issuer
-        commonName: linkerd-proxy-injector.${local.linkerd2.namespace}.svc
-        dnsNames:
-        - linkerd-proxy-injector.${local.linkerd2.namespace}.svc
-        isCA: false
-        privateKey:
-          algorithm: ECDSA
-        usages:
-        - server auth
-      VALUES
-
-    linkerd-sp-validator = <<-VALUES
-      apiVersion: cert-manager.io/v1
-      kind: Certificate
-      metadata:
-        name: linkerd-sp-validator
-        namespace: ${local.linkerd2.namespace}
-      spec:
-        secretName: linkerd-sp-validator-k8s-tls
-        revisionHistoryLimit: 3
-        duration: 8h
-        renewBefore: 4h
-        issuerRef:
-          name: webhook-issuer
-          kind: Issuer
-        commonName: linkerd-sp-validator.${local.linkerd2.namespace}.svc
-        dnsNames:
-        - linkerd-sp-validator.${local.linkerd2.namespace}.svc
-        isCA: false
-        privateKey:
-          algorithm: ECDSA
-        usages:
-        - server auth
-      VALUES
-
-    linkerd-trust-anchor = <<-VALUES
-      apiVersion: cert-manager.io/v1
-      kind: Issuer
-      metadata:
-        name: linkerd-trust-anchor
-        namespace: ${local.linkerd2.namespace}
-      spec:
-        ca:
-          secretName: linkerd-trust-anchor
-      VALUES
-
-    webhook-issuer = <<-VALUES
-      apiVersion: cert-manager.io/v1
-      kind: Issuer
-      metadata:
-        name: webhook-issuer
-        namespace: ${local.linkerd2.namespace}
-      spec:
-        ca:
-          secretName: webhook-issuer-tls
-      VALUES
-  }
-
-}
-
-resource "tls_private_key" "linkerd_trust_anchor" {
-  count       = local.linkerd2["enabled"] && local.linkerd2["trust_anchor_pem"] == null ? 1 : 0
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
-resource "tls_self_signed_cert" "linkerd_trust_anchor" {
-  count                 = local.linkerd2["enabled"] && local.linkerd2["trust_anchor_pem"] == null ? 1 : 0
-  private_key_pem       = tls_private_key.linkerd_trust_anchor.0.private_key_pem
-  validity_period_hours = 87600
-  early_renewal_hours   = 78840
-  is_ca_certificate     = true
-
-  subject {
-    common_name = "root.linkerd.cluster.local"
-  }
-
-  allowed_uses = [
-    "cert_signing",
-    "crl_signing",
-  ]
-}
-
-resource "kubernetes_secret" "linkerd_trust_anchor" {
-  count = local.linkerd2["enabled"] && local.linkerd2["trust_anchor_pem"] == null ? 1 : 0
-  metadata {
-    name      = "linkerd-trust-anchor"
-    namespace = local.linkerd2.create_ns ? kubernetes_namespace.linkerd2.0.metadata[0].name : local.linkerd2.namespace
-  }
-
-  data = {
-    "tls.crt" = tls_self_signed_cert.linkerd_trust_anchor.0.cert_pem
-    "tls.key" = tls_private_key.linkerd_trust_anchor.0.private_key_pem
-  }
-
-  type = "kubernetes.io/tls"
-}
-
-resource "tls_private_key" "webhook_issuer_tls" {
-  count       = local.linkerd2["enabled"] ? 1 : 0
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
-resource "tls_self_signed_cert" "webhook_issuer_tls" {
-  count                 = local.linkerd2["enabled"] ? 1 : 0
-  private_key_pem       = tls_private_key.webhook_issuer_tls.0.private_key_pem
-  validity_period_hours = 87600
-  early_renewal_hours   = 78840
-  is_ca_certificate     = true
-
-  subject {
-    common_name = "webhook.linkerd.cluster.local"
-  }
-
-  allowed_uses = [
-    "cert_signing",
-    "crl_signing",
-  ]
-}
-
-resource "kubernetes_secret" "webhook_issuer_tls" {
-  count = local.linkerd2["enabled"] ? 1 : 0
-  metadata {
-    name      = "webhook-issuer-tls"
-    namespace = local.linkerd2.create_ns ? kubernetes_namespace.linkerd2.0.metadata[0].name : local.linkerd2.namespace
-  }
-
-  data = {
-    "tls.crt" = tls_self_signed_cert.webhook_issuer_tls.0.cert_pem
-    "tls.key" = tls_private_key.webhook_issuer_tls.0.private_key_pem
-  }
-
-  type = "kubernetes.io/tls"
-}
-
-resource "kubernetes_namespace" "linkerd2" {
-  count = local.linkerd2["enabled"] && local.linkerd2["create_ns"] ? 1 : 0
-
-  metadata {
-    labels = {
-      name                                  = local.linkerd2["namespace"]
-      "linkerd.io/is-control-plane"         = "true"
-      "config.linkerd.io/admission-webhook" = "disabled"
-      "linkerd.io/control-plane-ns"         = local.linkerd2.namespace
-    }
-
-    annotations = {
-      "linkerd.io/inject" = "disabled"
-    }
-
-    name = local.linkerd2["namespace"]
-  }
-}
-
-resource "helm_release" "linkerd2" {
-  count                 = local.linkerd2["enabled"] ? 1 : 0
-  repository            = local.linkerd2["repository"]
-  name                  = local.linkerd2["name"]
-  chart                 = local.linkerd2["chart"]
-  version               = local.linkerd2["chart_version"]
-  timeout               = local.linkerd2["timeout"]
-  force_update          = local.linkerd2["force_update"]
-  recreate_pods         = local.linkerd2["recreate_pods"]
-  wait                  = local.linkerd2["wait"]
-  atomic                = local.linkerd2["atomic"]
-  cleanup_on_fail       = local.linkerd2["cleanup_on_fail"]
-  dependency_update     = local.linkerd2["dependency_update"]
-  disable_crd_hooks     = local.linkerd2["disable_crd_hooks"]
-  disable_webhooks      = local.linkerd2["disable_webhooks"]
-  render_subchart_notes = local.linkerd2["render_subchart_notes"]
-  replace               = local.linkerd2["replace"]
-  reset_values          = local.linkerd2["reset_values"]
-  reuse_values          = local.linkerd2["reuse_values"]
-  skip_crds             = local.linkerd2["skip_crds"]
-  verify                = local.linkerd2["verify"]
-  values = compact([
-    local.values_linkerd2,
-    local.linkerd2["extra_values"],
-    local.linkerd2.ha ? local.values_linkerd2_ha : null
-  ])
-  namespace = local.linkerd2["create_ns"] ? kubernetes_namespace.linkerd2.*.metadata.0.name[count.index] : local.linkerd2["namespace"]
-
-  depends_on = [
-    helm_release.linkerd2-cni
-  ]
-}
-
-resource "kubectl_manifest" "linkerd" {
-  for_each  = local.linkerd2.enabled ? local.linkerd2_manifests : {}
-  yaml_body = each.value
-}
diff --git a/modules/aws/README.md b/modules/aws/README.md
index 320cd29f5..43c581030 100644
--- a/modules/aws/README.md
+++ b/modules/aws/README.md
@@ -129,8 +129,9 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.linkerd2](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.metrics-server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -161,6 +162,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.linkerd](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.secrets-store-csi-driver-provider-aws](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.sync](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
@@ -187,8 +189,8 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kyverno](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_namespace.linkerd2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.metrics-server](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -266,6 +268,8 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -427,6 +431,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | <a name="input_kube-prometheus-stack"></a> [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
 | <a name="input_kyverno"></a> [kyverno](#input\_kyverno) | Customize kyverno chart, see `kyverno.tf` for supported values | `any` | `{}` | no |
 | <a name="input_labels_prefix"></a> [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
+| <a name="input_linkerd"></a> [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd-viz"></a> [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2"></a> [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2-cni"></a> [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/aws/linkerd.tf b/modules/aws/linkerd.tf
new file mode 120000
index 000000000..d26369938
--- /dev/null
+++ b/modules/aws/linkerd.tf
@@ -0,0 +1 @@
+../../linkerd.tf
\ No newline at end of file
diff --git a/modules/aws/linkerd2.tf b/modules/aws/linkerd2.tf
deleted file mode 120000
index ed5e5b5d0..000000000
--- a/modules/aws/linkerd2.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../linkerd2.tf
\ No newline at end of file
diff --git a/modules/azure/README.md b/modules/azure/README.md
index 9e17bbd68..3cbeb1737 100644
--- a/modules/azure/README.md
+++ b/modules/azure/README.md
@@ -59,8 +59,9 @@ No modules.
 | [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.linkerd2](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.node-problem-detector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -80,6 +81,7 @@ No modules.
 | [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.linkerd](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.sync](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.tigera-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
@@ -97,8 +99,8 @@ No modules.
 | [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kyverno](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_namespace.linkerd2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.node-problem-detector](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -146,6 +148,8 @@ No modules.
 | [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -247,6 +251,7 @@ No modules.
 | <a name="input_kube-prometheus-stack"></a> [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
 | <a name="input_kyverno"></a> [kyverno](#input\_kyverno) | Customize kyverno chart, see `kyverno.tf` for supported values | `any` | `{}` | no |
 | <a name="input_labels_prefix"></a> [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
+| <a name="input_linkerd"></a> [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd-viz"></a> [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2"></a> [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2-cni"></a> [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/azure/linkerd.tf b/modules/azure/linkerd.tf
new file mode 120000
index 000000000..d26369938
--- /dev/null
+++ b/modules/azure/linkerd.tf
@@ -0,0 +1 @@
+../../linkerd.tf
\ No newline at end of file
diff --git a/modules/azure/linkerd2.tf b/modules/azure/linkerd2.tf
deleted file mode 120000
index ed5e5b5d0..000000000
--- a/modules/azure/linkerd2.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../linkerd2.tf
\ No newline at end of file
diff --git a/modules/scaleway/README.md b/modules/scaleway/README.md
index 18d9d62ad..a253caa05 100644
--- a/modules/scaleway/README.md
+++ b/modules/scaleway/README.md
@@ -73,8 +73,9 @@ No modules.
 | [helm_release.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.kyverno-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-control-plane](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.linkerd-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd-viz](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [helm_release.linkerd2](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.loki-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
@@ -96,6 +97,7 @@ No modules.
 | [kubectl_manifest.csi-external-snapshotter](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.kong_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.linkerd](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.sync](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
 | [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
@@ -113,8 +115,8 @@ No modules.
 | [kubernetes_namespace.kong](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kube-prometheus-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.kyverno](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.linkerd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd-viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_namespace.linkerd2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.linkerd2-cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.loki-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.prometheus-adapter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -169,6 +171,8 @@ No modules.
 | [kubernetes_network_policy.kube-prometheus-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.kyverno_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.linkerd-viz_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd-viz_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.linkerd2-cni_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -278,6 +282,7 @@ No modules.
 | <a name="input_kube-prometheus-stack"></a> [kube-prometheus-stack](#input\_kube-prometheus-stack) | Customize kube-prometheus-stack chart, see `kube-prometheus-stack.tf` for supported values | `any` | `{}` | no |
 | <a name="input_kyverno"></a> [kyverno](#input\_kyverno) | Customize kyverno chart, see `kyverno.tf` for supported values | `any` | `{}` | no |
 | <a name="input_labels_prefix"></a> [labels\_prefix](#input\_labels\_prefix) | Custom label prefix used for network policy namespace matching | `string` | `"particule.io"` | no |
+| <a name="input_linkerd"></a> [linkerd](#input\_linkerd) | Customize linkerd chart, see `linkerd.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd-viz"></a> [linkerd-viz](#input\_linkerd-viz) | Customize linkerd-viz chart, see `linkerd-viz.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2"></a> [linkerd2](#input\_linkerd2) | Customize linkerd2 chart, see `linkerd2.tf` for supported values | `any` | `{}` | no |
 | <a name="input_linkerd2-cni"></a> [linkerd2-cni](#input\_linkerd2-cni) | Customize linkerd2-cni chart, see `linkerd2-cni.tf` for supported values | `any` | `{}` | no |
diff --git a/modules/scaleway/linkerd.tf b/modules/scaleway/linkerd.tf
new file mode 120000
index 000000000..d26369938
--- /dev/null
+++ b/modules/scaleway/linkerd.tf
@@ -0,0 +1 @@
+../../linkerd.tf
\ No newline at end of file
diff --git a/modules/scaleway/linkerd2.tf b/modules/scaleway/linkerd2.tf
deleted file mode 120000
index ed5e5b5d0..000000000
--- a/modules/scaleway/linkerd2.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../linkerd2.tf
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 89a8afa23..e904a6c78 100644
--- a/variables.tf
+++ b/variables.tf
@@ -130,6 +130,12 @@ variable "linkerd-viz" {
   default     = {}
 }
 
+variable "linkerd" {
+  description = "Customize linkerd chart, see `linkerd.tf` for supported values"
+  type        = any
+  default     = {}
+}
+
 variable "loki-stack" {
   description = "Customize loki-stack chart, see `loki-stack.tf` for supported values"
   type        = any