diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 8f5f41f7d..ed8f8022f 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -9,7 +9,7 @@ dependencies: version: 1.3.2 repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - name: aws-ebs-csi-driver - version: 2.17.2 + version: 2.18.0 repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver - name: aws-efs-csi-driver version: 2.4.1
@@ -18,7 +18,7 @@ dependencies: version: 0.1.24 repository: https://aws.github.io/eks-charts - name: aws-load-balancer-controller - version: 1.4.8 + version: 1.5.1 repository: https://aws.github.io/eks-charts - name: aws-node-termination-handler version: 0.21.0
@@ -54,7 +54,7 @@ dependencies: version: 1.7.2 repository: https://charts.helm.sh/stable - name: keda - version: 2.10.1 + version: 2.10.2 repository: https://kedacore.github.io/charts - name: keycloak version: 18.4.0
@@ -63,7 +63,7 @@ dependencies: version: 2.19.0 repository: https://charts.konghq.com - name: kube-prometheus-stack - version: 45.9.1 + version: 45.15.0 repository: https://prometheus-community.github.io/helm-charts - name: kyverno version: 2.7.2
@@ -72,28 +72,28 @@ dependencies: version: v2.0.3 repository: https://kyverno.github.io/kyverno/ - name: linkerd2-cni - version: 30.8.0 + version: 30.8.1 repository: https://helm.linkerd.io/stable - name: linkerd-control-plane - version: 1.12.0 + version: 1.12.1 repository: https://helm.linkerd.io/stable - name: linkerd-crds version: 1.6.0 repository: https://helm.linkerd.io/stable - name: linkerd-viz - version: 30.8.0 + version: 30.8.1 repository: https://helm.linkerd.io/stable - name: loki-stack version: 2.9.10 repository: https://grafana.github.io/helm-charts - name: loki - version: 5.0.0 + version: 5.1.0 repository: https://grafana.github.io/helm-charts - name: promtail version: 6.10.0 repository: https://grafana.github.io/helm-charts - name: metrics-server - version: 3.9.0 + version: 3.10.0 repository: https://kubernetes-sigs.github.io/metrics-server/ - name: node-problem-detector version: 2.3.4
@@ -114,13 +114,13 @@ dependencies: version: v0.0.1 repository: https://particuleio.github.io/charts - name: sealed-secrets - version: 2.8.1 + version: 2.8.2 repository: https://bitnami-labs.github.io/sealed-secrets - name: strimzi-kafka-operator version: 0.34.0 repository: https://strimzi.io/charts/ - name: thanos - version: 12.4.2 + version: 12.4.3 repository: https://charts.bitnami.com/bitnami - name: tigera-operator version: v3.25.1
@@ -132,7 +132,7 @@ dependencies: version: 6.3.14 repository: https://charts.bitnami.com/bitnami - name: vault - version: 0.24.0 + version: 0.24.1 repository: https://helm.releases.hashicorp.com - name: velero version: 3.1.6
diff --git a/ingress-nginx.tf b/ingress-nginx.tf
index 32e626ceb..922c8ae95 100644
--- a/ingress-nginx.tf
+++ b/ingress-nginx.tf
@@ -11,6 +11,8 @@ locals { enabled = false default_network_policy = true ingress_cidrs = ["0.0.0.0/0"] + linkerd-viz-enabled = false + linkerd-viz-namespace = "linkerd-viz" allowed_cidrs = ["0.0.0.0/0"] }, var.ingress-nginx
@@ -232,7 +234,7 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" { } resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" { - count = local.ingress-nginx["enabled"] && local.linkerd-viz["enabled"] && local.ingress-nginx["default_network_policy"] ? 1 : 0 + count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0 metadata { name = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz"
@@ -247,7 +249,7 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" { from { namespace_selector { match_labels = { - name = local.linkerd-viz["namespace"] + name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"] } } }
diff --git a/linkerd-viz.tf b/linkerd-viz.tf
index 82773eede..fe9637a85 100644
--- a/linkerd-viz.tf
+++ b/linkerd-viz.tf
@@ -62,7 +62,7 @@ locals { VALUES linkerd-viz_manifests = { - prometheus-servicemonitor = <<-VALUES + prometheus-servicemonitor = <<-VALUES apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata:
@@ -95,6 +95,18 @@ locals { matchLabels: component: prometheus VALUES + allow-prometheus-admin-federation = <<-VALUES + apiVersion: policy.linkerd.io/v1beta1 + kind: ServerAuthorization + metadata: + namespace: ${local.linkerd-viz.namespace} + name: prometheus-admin-federation + spec: + server: + name: prometheus-admin + client: + unauthenticated: true + VALUES } }
diff --git a/modules/aws/README.md b/modules/aws/README.md
index 43c581030..791c05398 100644
--- a/modules/aws/README.md
+++ b/modules/aws/README.md
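Review bot: The ingress rule of `ingress-nginx_allow_linkerd_viz` admits every pod of the selected namespace on every port of every ingress-nginx pod (empty `pod_selector {}`, no `ports` block), which is wider than the proxy-metrics and tap traffic linkerd-viz actually sends; a `ports {}` block limited to the linkerd-proxy ports viz scrapes and taps would keep the exception to what viz needs. The namespace match also keys on the user-managed `name` label, which anyone allowed to label namespaces can set; where the cluster populates the API-server-managed, immutable `kubernetes.io/metadata.name` label, selecting on that is the more robust choice. When `local.linkerd-viz["enabled"]` is true the new `linkerd-viz-namespace` override is silently ignored, so a comment on the locals such as `# linkerd-viz-enabled/-namespace: only consulted when this module's own linkerd-viz is disabled (externally managed viz)` would spare the next reader a surprise. The same points apply to the new copies of this resource in modules/aws/ingress-nginx.tf and modules/scaleway/ingress-nginx.tf; here the resource body continues outside the @@ -232 hunk.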
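Review bot: The new `allow-prometheus-admin-federation` ServerAuthorization sets `client: unauthenticated: true` on the `prometheus-admin` Server, so any client that can reach the viz Prometheus admin port is authorized regardless of mesh identity, and the only remaining bound on that surface is whatever NetworkPolicy covers the linkerd-viz namespace. If the federating Prometheus is meshed, `meshTLS.serviceAccounts` naming its service account is the tighter grant; if it is not, a `networks:` list scoped to the scraping Prometheus's pod CIDR keeps this from being a blanket allow. Either way the manifest deserves a comment stating why unauthenticated access is required, e.g. `# federation scrape comes from an unmeshed Prometheus, so no mTLS identity is available` (adjusted to the real reason). The enclosing `locals` block starts outside the hunk.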
@@ -242,6 +242,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing- | [kubernetes_network_policy.flux_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | +| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
diff --git a/modules/aws/ingress-nginx.tf b/modules/aws/ingress-nginx.tf
index c56058267..88b46b551 100644
--- a/modules/aws/ingress-nginx.tf
+++ b/modules/aws/ingress-nginx.tf
@@ -13,6 +13,8 @@ locals { use_l7 = false enabled = false default_network_policy = true + linkerd-viz-enabled = false + linkerd-viz-namespace = "linkerd-viz" ingress_cidrs = ["0.0.0.0/0"] allowed_cidrs = ["0.0.0.0/0"] },
@@ -318,3 +320,29 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" { policy_types = ["Ingress"] } } + +resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" { + count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0 + + metadata { + name = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz" + namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index] + } + + spec { + pod_selector { + } + + ingress { + from { + namespace_selector { + match_labels = { + name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"] + } + } + } + } + + policy_types = ["Ingress"] + } +}
diff --git a/modules/scaleway/README.md b/modules/scaleway/README.md
index a253caa05..4871a0504 100644
--- a/modules/scaleway/README.md
+++ b/modules/scaleway/README.md
@@ -145,6 +145,7 @@ No modules. | [kubernetes_network_policy.flux_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | +| [kubernetes_network_policy.ingress-nginx_allow_linkerd_viz](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource | | [kubernetes_network_policy.ingress-nginx_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
diff --git a/modules/scaleway/ingress-nginx.tf b/modules/scaleway/ingress-nginx.tf
index 13b956d2d..e2b1bf721 100644
--- a/modules/scaleway/ingress-nginx.tf
+++ b/modules/scaleway/ingress-nginx.tf
@@ -10,6 +10,8 @@ locals { namespace = "ingress-nginx" enabled = false default_network_policy = true + linkerd-viz-enabled = false + linkerd-viz-namespace = "linkerd-viz" ingress_cidrs = ["0.0.0.0/0"] allowed_cidrs = ["0.0.0.0/0"] },
@@ -238,3 +240,29 @@ resource "kubernetes_network_policy" "ingress-nginx_allow_control_plane" { policy_types = ["Ingress"] } } + +resource "kubernetes_network_policy" "ingress-nginx_allow_linkerd_viz" { + count = local.ingress-nginx["enabled"] && (local.linkerd-viz["enabled"] || local.ingress-nginx["linkerd-viz-enabled"]) && local.ingress-nginx["default_network_policy"] ? 1 : 0 + + metadata { + name = "${kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index]}-allow-linkerd-viz" + namespace = kubernetes_namespace.ingress-nginx.*.metadata.0.name[count.index] + } + + spec { + pod_selector { + } + + ingress { + from { + namespace_selector { + match_labels = { + name = local.linkerd-viz["enabled"] ? local.linkerd-viz["namespace"] : local.ingress-nginx["linkerd-viz-namespace"] + } + } + } + } + + policy_types = ["Ingress"] + } +}