From 3f62d65ad5c7d130e51547db2726c04f617895e5 Mon Sep 17 00:00:00 2001
From: Matias Charriere
Date: Thu, 9 Nov 2023 22:35:51 +0100
Subject: [PATCH 1/3] update vendir to 2.14
Signed-off-by: Matias Charriere
---
 vendir.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendir.yml b/vendir.yml
index 0f55d66..35a89ac 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories: - path: linkerd git: url: https://github.com/giantswarm/linkerd2-upstream - ref: stable-2.13.x + ref: stable-2.14.x includePaths: - viz/charts/linkerd-viz/**/* - charts/partials/**/*
From 5cc6c66ad7d30dc5ade812c64296d74db8bd97a2 Mon Sep 17 00:00:00 2001
From: taylorbot
Date: Thu, 9 Nov 2023 21:36:26 +0000
Subject: [PATCH 2/3] Automated update from upstream
---
 .../charts/partials/templates/_affinity.tpl | 2 +-
 .../partials/templates/_network-validator.tpl | 3 +++
 .../charts/partials/templates/_proxy.tpl | 1 +
 .../templates/namespace-metadata-rbac.yaml | 24 +++++++++----------
 .../templates/namespace-metadata.yaml | 6 +++++
 helm/linkerd-viz/templates/prometheus.yaml | 2 +-
 vendir.lock.yml | 6 ++---
 7 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/helm/linkerd-viz/charts/partials/templates/_affinity.tpl b/helm/linkerd-viz/charts/partials/templates/_affinity.tpl
index cec0db8..5dde1da 100644
--- a/helm/linkerd-viz/charts/partials/templates/_affinity.tpl
+++ b/helm/linkerd-viz/charts/partials/templates/_affinity.tpl
@@ -8,7 +8,7 @@ podAntiAffinity: operator: In values: - {{ .component }} - topologyKey: failure-domain.beta.kubernetes.io/zone + topologyKey: topology.kubernetes.io/zone weight: 100 requiredDuringSchedulingIgnoredDuringExecution: - labelSelector:
diff --git a/helm/linkerd-viz/charts/partials/templates/_network-validator.tpl b/helm/linkerd-viz/charts/partials/templates/_network-validator.tpl
index d986d0d..907d3ab 100644
--- a/helm/linkerd-viz/charts/partials/templates/_network-validator.tpl
+++ b/helm/linkerd-viz/charts/partials/templates/_network-validator.tpl
@@ -3,15 +3,18 @@ name: linkerd-network-validator image: {{.Values.image.registry}}/{{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} {{ include "partials.resources" .Values.proxyInit.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault +{{- end }} command: - /usr/lib/linkerd/linkerd2-network-validator args:
diff --git a/helm/linkerd-viz/charts/partials/templates/_proxy.tpl b/helm/linkerd-viz/charts/partials/templates/_proxy.tpl
index a50c22f..e8e0a13 100644
--- a/helm/linkerd-viz/charts/partials/templates/_proxy.tpl
+++ b/helm/linkerd-viz/charts/partials/templates/_proxy.tpl
@@ -182,6 +182,7 @@ lifecycle: command: - /usr/lib/linkerd/linkerd-await - --timeout=2m + - --port={{.Values.proxy.ports.admin}} {{- end }} {{- if .Values.proxy.waitBeforeExitSeconds }} preStop:
diff --git a/helm/linkerd-viz/templates/namespace-metadata-rbac.yaml b/helm/linkerd-viz/templates/namespace-metadata-rbac.yaml
index c84513b..433f350 100644
--- a/helm/linkerd-viz/templates/namespace-metadata-rbac.yaml
+++ b/helm/linkerd-viz/templates/namespace-metadata-rbac.yaml
@@ -1,9 +1,9 @@ kind: ServiceAccount apiVersion: v1 metadata: - {{- with .Values.commonLabels }} - labels: {{ toYaml . | trim | nindent 4 }} - {{- end }} + labels: + linkerd.io/extension: viz + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} annotations: {{ include "partials.annotations.created-by" . }} "helm.sh/hook": post-install
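Review bot: The hardened `securityContext` of the linkerd-network-validator container (including the `readOnlyRootFilesystem: true` added here) is now emitted only when `.Values.networkValidator.enableSecurityContext` is truthy, so the chart's shipped defaults decide whether this init container runs as non-root with all capabilities dropped; none of the values.yaml hunks in this series add a `networkValidator` key, and if the map is absent from the chart's values the template typically fails to render with a nil-pointer error rather than silently skipping the block — confirm the key exists with a default of `true` (only part of values.yaml is visible here). Keeping it enabled also matters for namespaces under a restricted Pod Security Standard (the README gains `global.podSecurityStandards.enforced` in this series), which would reject the pod once the block is switched off. As a point of style, `or` with a single operand is a no-op in Go templates, so `{{- if .Values.networkValidator.enableSecurityContext }}` reads the same and is clearer. The partial is vendored from upstream, so that cleanup belongs upstream rather than in this repo.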
@@ -16,9 +16,9 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - {{- with .Values.commonLabels }} - labels: {{ toYaml . | trim | nindent 4 }} - {{- end }} + labels: + linkerd.io/extension: viz + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} annotations: {{ include "partials.annotations.created-by" . }} "helm.sh/hook": post-install
@@ -35,9 +35,9 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - {{- with .Values.commonLabels }} - labels: {{ toYaml . | trim | nindent 4 }} - {{- end }} + labels: + linkerd.io/extension: viz + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} annotations: {{ include "partials.annotations.created-by" . }} "helm.sh/hook": post-install
@@ -58,9 +58,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: {{ .Values.linkerdNamespace }} - {{- with .Values.commonLabels }} - labels: {{ toYaml . | trim | nindent 4 }} - {{- end }} + labels: + linkerd.io/extension: viz + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} annotations: {{ include "partials.annotations.created-by" . }} "helm.sh/hook": post-install
diff --git a/helm/linkerd-viz/templates/namespace-metadata.yaml b/helm/linkerd-viz/templates/namespace-metadata.yaml
index 09878ed..fc1b3fb 100644
--- a/helm/linkerd-viz/templates/namespace-metadata.yaml
+++ b/helm/linkerd-viz/templates/namespace-metadata.yaml
@@ -7,6 +7,7 @@ metadata: "helm.sh/hook-weight": "1" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: + linkerd.io/extension: viz app.kubernetes.io/name: namespace-metadata app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.cliVersion}}
@@ -20,11 +21,16 @@ spec: {{ include "partials.annotations.created-by" . }} linkerd.io/inject: disabled labels: + linkerd.io/extension: viz app.kubernetes.io/name: namespace-metadata app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.cliVersion}} {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} spec: + {{- if .Values.namespaceMetadata.tolerations -}} + {{- include "linkerd.tolerations" (dict "Values" .Values.namespaceMetadata) | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" (dict "Values" .Values.namespaceMetadata) | nindent 6 }} restartPolicy: Never securityContext: seccompProfile:
diff --git a/helm/linkerd-viz/templates/prometheus.yaml b/helm/linkerd-viz/templates/prometheus.yaml
index 87bede0..6eb400c 100644
--- a/helm/linkerd-viz/templates/prometheus.yaml
+++ b/helm/linkerd-viz/templates/prometheus.yaml
@@ -156,7 +156,7 @@ data: {{- if .Values.prometheus.remoteWrite }} remote_write: - {{- toYaml .Values.prometheus.remoteWrite | trim | nindent 4 }} + {{- toYaml .Values.prometheus.remoteWrite | trim | nindent 6 }} {{- end }} --- kind: Service
diff --git a/vendir.lock.yml b/vendir.lock.yml
index 9997f60..79e320b 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - git: - commitTitle: add PSS flag for PSP->PSS migration (#559)... - sha: 81d4bbad3f3b9c4628b62134b014859c4e80ad15 + commitTitle: add nodetaint remover container... + sha: 05a70b5ffc1de5df36af2f4d447bad30c096dca6 tags: - - stable-2.10.1-2950-g81d4bbad3 + - stable-2.10.1-3185-g05a70b5ff path: linkerd path: vendor - contents:
From bee790d810daaa29dc1c31cc7339cc863cbd1bd4 Mon Sep 17 00:00:00 2001
From: Matias Charriere
Date: Thu, 9 Nov 2023 22:41:59 +0100
Subject: [PATCH 3/3] update to 2.14
Signed-off-by: Matias Charriere
---
 CHANGELOG.md | 4 ++++
 helm/linkerd-viz/Chart.yaml | 2 +-
 helm/linkerd-viz/README.md | 22 +++++++++++++---------
 helm/linkerd-viz/values.yaml | 13 +++++++++++--
 4 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac4900d..d1cebd1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Upgrade to Linkerd v2.14.3. + ## [1.3.2] - 2023-10-12 ### Fixed
diff --git a/helm/linkerd-viz/Chart.yaml b/helm/linkerd-viz/Chart.yaml
index 063c93b..6f23ea9 100644
--- a/helm/linkerd-viz/Chart.yaml
+++ b/helm/linkerd-viz/Chart.yaml
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: stable-2.13.6 +appVersion: stable-2.14.3 description: | The Linkerd-Viz extension contains observability and visualization components for Linkerd.
diff --git a/helm/linkerd-viz/README.md b/helm/linkerd-viz/README.md
index 0f5ccc4..e624fff 100644
--- a/helm/linkerd-viz/README.md
+++ b/helm/linkerd-viz/README.md
@@ -3,9 +3,9 @@ The Linkerd-Viz extension contains observability and visualization components for Linkerd. -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) +![Version: 1.3.2](https://img.shields.io/badge/Version-1.3.2-informational?style=flat-square) -![AppVersion: stable-2.13.4](https://img.shields.io/badge/AppVersion-stable--2.13.4-informational?style=flat-square) +![AppVersion: stable-2.13.6](https://img.shields.io/badge/AppVersion-stable--2.13.6-informational?style=flat-square) **Homepage:**
@@ -107,6 +107,7 @@ Kubernetes: `>=1.16.0-0` | enablePSP | bool | `true` | Create Roles and RoleBindings to associate this extension's ServiceAccounts to the control plane PSP resource. This requires that `enabledPSP` is set to true on the control plane install. Note PSP has been deprecated since k8s v1.21 | | enablePodAntiAffinity | bool | `true` | Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components. | | enablePodDisruptionBudget | bool | `true` | enables the creation of pod disruption budgets for tap and tap-injector components | +| global.podSecurityStandards.enforced | bool | `false` | | | grafana.externalUrl | string | `nil` | url of a Grafana instance hosted off-cluster. Cannot be set if grafana.url is set. The reverse proxy will not be used for this URL. | | grafana.uidPrefix | string | `nil` | prefix for Grafana dashboard UID's, used when grafana.externalUrl is set. | | grafana.url | string | `nil` | url of an in-cluster Grafana instance with reverse proxy configured, used by the Linkerd viz web dashboard to provide direct links to specific Grafana dashboards. Cannot be set if grafana.externalUrl is set. See the [Linkerd documentation](https://linkerd.io/2/tasks/grafana) for more information | 
@@ -115,7 +116,7 @@ Kubernetes: `>=1.16.0-0` | imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | | jaegerUrl | string | `""` | url of external jaeger instance Set this to `jaeger.linkerd-jaeger.svc.:16686` if you plan to use jaeger extension | | linkerdNamespace | string | `"linkerd"` | Namespace of the Linkerd core control-plane install | -| linkerdVersion | string | `"stable-2.13.4"` | control plane version. See Proxy section for proxy version | +| linkerdVersion | string | `"stable-2.14.3"` | control plane version. See Proxy section for proxy version | | metricsAPI.UID | string | `nil` | UID for the metrics-api resource | | metricsAPI.image.name | string | `"giantswarm/linkerd-metrics-api"` | Docker image name for the metrics-api component | | metricsAPI.image.pullPolicy | string | defaultImagePullPolicy | Pull policy for the metrics-api component | 
@@ -139,6 +140,8 @@ Kubernetes: `>=1.16.0-0` | namespaceMetadata.image.pullPolicy | string | defaultImagePullPolicy | Pull policy for the namespace-metadata instance | | namespaceMetadata.image.registry | string | defaultRegistry | Docker registry for the namespace-metadata instance | | namespaceMetadata.image.tag | string | `"v0.1.0"` | Docker image tag for the namespace-metadata instance | +| namespaceMetadata.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | +| namespaceMetadata.tolerations | string | `nil` | Tolerations section, See the [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for more information | | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Default nodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | | podLabels | object | `{}` | Additional labels to add to all pods | | prometheus.alertRelabelConfigs | string | `nil` | Alert relabeling is applied to alerts before they are sent to the Alertmanager. | 
@@ -149,7 +152,7 @@ Kubernetes: `>=1.16.0-0` | prometheus.image.name | string | `"giantswarm/prometheus"` | Docker image name for the prometheus instance | | prometheus.image.pullPolicy | string | defaultImagePullPolicy | Pull policy for the prometheus instance | | prometheus.image.registry | string | `""` | Docker registry for the prometheus instance | -| prometheus.image.tag | string | `"v2.43.0"` | Docker image tag for the prometheus instance | +| prometheus.image.tag | string | `"v2.47.0"` | Docker image tag for the prometheus instance | | prometheus.logFormat | string | defaultLogLevel | log format (plain, json) of the prometheus instance | | prometheus.logLevel | string | defaultLogLevel | log level of the prometheus instance | | prometheus.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | 
@@ -204,11 +207,12 @@ Kubernetes: `>=1.16.0-0` | tapInjector.keyPEM | string | `""` | Certificate key for the tapInjector. If not provided and not using an external secret then Helm will generate one. | | tapInjector.logFormat | string | defaultLogFormat | log format of the tapInjector component | | tapInjector.logLevel | string | defaultLogLevel | log level of the tapInjector | -| tapInjector.namespaceSelector[0].key | string | `"kubernetes.io/metadata.name"` | | -| tapInjector.namespaceSelector[0].operator | string | `"NotIn"` | | -| tapInjector.namespaceSelector[0].values[0] | string | `"kube-system"` | | -| tapInjector.namespaceSelector[0].values[1] | string | `"cert-manager"` | | -| tapInjector.namespaceSelector[0].values[2] | string | `"giantswarm"` | | +| tapInjector.namespaceSelector.matchExpressions[0].key | string | `"kubernetes.io/metadata.name"` | | +| tapInjector.namespaceSelector.matchExpressions[0].operator | string | `"NotIn"` | | +| tapInjector.namespaceSelector.matchExpressions[0].values[0] | string | `"kube-system"` | | +| tapInjector.namespaceSelector.matchExpressions[0].values[1] | string | `"cert-manager"` | | +| tapInjector.namespaceSelector.matchExpressions[0].values[2] | string | `"giantswarm"` | | +| tapInjector.namespaceSelector.matchExpressions[0].values[3] | string | `"kyverno"` | | | tapInjector.objectSelector | string | `nil` | | | tapInjector.proxy | string | `nil` | | | tapInjector.replicas | int | `2` | Number of replicas of tapInjector |
diff --git a/helm/linkerd-viz/values.yaml b/helm/linkerd-viz/values.yaml
index d124b14..5095559 100644
--- a/helm/linkerd-viz/values.yaml
+++ b/helm/linkerd-viz/values.yaml
@@ -5,7 +5,7 @@ # Fields that should be common with the core control plane # -- control plane version. See Proxy section for proxy version -linkerdVersion: stable-2.13.6 +linkerdVersion: stable-2.14.3 # -- Kubernetes DNS Domain name to use clusterDomain: cluster.local # -- Additional labels to add to all pods
@@ -262,6 +262,7 @@ tapInjector: - kube-system - cert-manager - giantswarm + - kyverno objectSelector: # matchLabels: # foo: bar
@@ -402,6 +403,14 @@ namespaceMetadata: # @default -- defaultImagePullPolicy pullPolicy: "" + # -- NodeSelector section, See the + # [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information + nodeSelector: *default_node_selector + # -- Tolerations section, See the + # [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) + # for more information + tolerations: *default_tolerations + grafana: # -- url of an in-cluster Grafana instance with reverse proxy configured, used by the # Linkerd viz web dashboard to provide direct links to specific Grafana
@@ -424,7 +433,7 @@ prometheus: # -- Docker image name for the prometheus instance name: giantswarm/prometheus # -- Docker image tag for the prometheus instance - tag: v2.43.0 + tag: v2.47.0 # -- Pull policy for the prometheus instance # @default -- defaultImagePullPolicy pullPolicy: ""
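Review bot: `nodeSelector: *default_node_selector` and `tolerations: *default_tolerations` under `namespaceMetadata` alias anchors that must be declared earlier in the same values.yaml document; the anchors are outside this hunk, so confirm they exist — an undefined alias is a YAML parse error that breaks `helm template` and `helm install` for every user, not only those who set the new keys. The README rows added in this series document `namespaceMetadata.tolerations` as `nil`, which matches the `{{- if .Values.namespaceMetadata.tolerations -}}` guard in namespace-metadata.yaml, so an empty anchor is fine. If the anchors turn out not to be defined, spell the defaults out instead: `nodeSelector:` / `  kubernetes.io/os: linux` and `tolerations: null`.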