Merge branch 'main' into release

particuleio · Apr 20, 2023 · 82bc3af · 82bc3af
2 parents 3ec486a + 7ebc3c8
commit 82bc3af
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 15 deletions.
diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
@@ -9,7 +9,7 @@ dependencies:
     version: 1.3.2
     repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
   - name: aws-ebs-csi-driver
-    version: 2.17.2
+    version: 2.18.0
     repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
   - name: aws-efs-csi-driver
     version: 2.4.1
@@ -18,7 +18,7 @@ dependencies:
     version: 0.1.24
     repository: https://aws.github.io/eks-charts
   - name: aws-load-balancer-controller
-    version: 1.4.8
+    version: 1.5.1
     repository: https://aws.github.io/eks-charts
   - name: aws-node-termination-handler
     version: 0.21.0
@@ -54,7 +54,7 @@ dependencies:
     version: 1.7.2
     repository: https://charts.helm.sh/stable
   - name: keda
-    version: 2.10.1
+    version: 2.10.2
     repository: https://kedacore.github.io/charts
   - name: keycloak
     version: 18.4.0
@@ -63,7 +63,7 @@ dependencies:
     version: 2.19.0
     repository: https://charts.konghq.com
   - name: kube-prometheus-stack
-    version: 45.9.1
+    version: 45.15.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: kyverno
     version: 2.7.2
@@ -72,28 +72,28 @@ dependencies:
     version: v2.0.3
     repository: https://kyverno.github.io/kyverno/
   - name: linkerd2-cni
-    version: 30.8.0
+    version: 30.8.1
     repository: https://helm.linkerd.io/stable
   - name: linkerd-control-plane
-    version: 1.12.0
+    version: 1.12.1
     repository: https://helm.linkerd.io/stable
   - name: linkerd-crds
     version: 1.6.0
     repository: https://helm.linkerd.io/stable
   - name: linkerd-viz
-    version: 30.8.0
+    version: 30.8.1
     repository: https://helm.linkerd.io/stable
   - name: loki-stack
     version: 2.9.10
     repository: https://grafana.github.io/helm-charts
   - name: loki
-    version: 5.0.0
+    version: 5.1.0
     repository: https://grafana.github.io/helm-charts
   - name: promtail
     version: 6.10.0
     repository: https://grafana.github.io/helm-charts
   - name: metrics-server
-    version: 3.9.0
+    version: 3.10.0
     repository: https://kubernetes-sigs.github.io/metrics-server/
   - name: node-problem-detector
     version: 2.3.4
@@ -114,13 +114,13 @@ dependencies:
     version: v0.0.1
     repository: https://particuleio.github.io/charts
   - name: sealed-secrets
-    version: 2.8.1
+    version: 2.8.2
     repository: https://bitnami-labs.github.io/sealed-secrets
   - name: strimzi-kafka-operator
     version: 0.34.0
     repository: https://strimzi.io/charts/
   - name: thanos
-    version: 12.4.2
+    version: 12.4.3
     repository: https://charts.bitnami.com/bitnami
   - name: tigera-operator
     version: v3.25.1
@@ -132,7 +132,7 @@ dependencies:
     version: 6.3.14
     repository: https://charts.bitnami.com/bitnami
   - name: vault
-    version: 0.24.0
+    version: 0.24.1
     repository: https://helm.releases.hashicorp.com
   - name: velero
     version: 3.1.6

diff --git a/ingress-nginx.tf b/ingress-nginx.tf
@@ -11,6 +11,8 @@ locals {
       enabled                = false
       default_network_policy = true
       ingress_cidrs          = ["0.0.0.0/0"]
+      linkerd-viz-enabled    = false
+      linkerd-viz-namespace  = "linkerd-viz"
       allowed_cidrs          = ["0.0.0.0/0"]
     },
     var.ingress-nginx
@@ -232,7 +234,7 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
 }
 
 resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
-  count = local.ingress-nginx["enabled"] && local.linkerd-viz["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0
+  count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0
 
   metadata {
     name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
@@ -247,7 +249,7 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
       from {
         namespace_selector {
           match_labels = {
-            name = local.linkerd-viz["namespace"]
+            name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"]
           }
         }
       }

diff --git a/linkerd-viz.tf b/linkerd-viz.tf
@@ -62,7 +62,7 @@ locals {
     VALUES
 
   linkerd-viz_manifests = {
-    prometheus-servicemonitor = <<-VALUES
+    prometheus-servicemonitor         = <<-VALUES
       apiVersion: monitoring.coreos.com/v1
       kind: ServiceMonitor
       metadata:
@@ -95,6 +95,18 @@ locals {
           matchLabels:
             component: prometheus
       VALUES
+    allow-prometheus-admin-federation = <<-VALUES
+      apiVersion: policy.linkerd.io/v1beta1
+      kind: ServerAuthorization
+      metadata:
+        namespace: ${local.linkerd-viz.namespace}
+        name: prometheus-admin-federation
+      spec:
+        server:
+          name: prometheus-admin
+        client:
+          unauthenticated: true
+      VALUES
   }
 }
 

diff --git a/modules/aws/README.md b/modules/aws/README.md
@@ -242,6 +242,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [kubernetes_network_policy.flux_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |

diff --git a/modules/aws/ingress-nginx.tf b/modules/aws/ingress-nginx.tf
@@ -13,6 +13,8 @@ locals {
       use_l7                 = false
       enabled                = false
       default_network_policy = true
+      linkerd-viz-enabled    = false
+      linkerd-viz-namespace  = "linkerd-viz"
       ingress_cidrs          = ["0.0.0.0/0"]
       allowed_cidrs          = ["0.0.0.0/0"]
     },
@@ -318,3 +320,29 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
     policy_types = ["Ingress"]
   }
 }
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
+  count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
diff --git a/modules/scaleway/README.md b/modules/scaleway/README.md
@@ -145,6 +145,7 @@ No modules.
 | [kubernetes_network_policy.flux_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |

diff --git a/modules/scaleway/ingress-nginx.tf b/modules/scaleway/ingress-nginx.tf
@@ -10,6 +10,8 @@ locals {
       namespace              = "ingress-nginx"
       enabled                = false
       default_network_policy = true
+      linkerd-viz-enabled    = false
+      linkerd-viz-namespace  = "linkerd-viz"
       ingress_cidrs          = ["0.0.0.0/0"]
       allowed_cidrs          = ["0.0.0.0/0"]
     },
@@ -238,3 +240,29 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" {
     policy_types = ["Ingress"]
   }
 }
+
+resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" {
+  count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
+    namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}