In Linkerd 2.13 the Prometheus instance in
the `linkerd-viz` namespace is now locked behind an
[_AuthorizationPolicy_](https://github.com/linkerd/linkerd2/blob/stable-2.13.1/viz/charts/linkerd-viz/templates/prometheus-policy.yaml)
that only allows access to the `metrics-api` _ServiceAccount_.
This adds an extra _AuthorizationPolicy_ to authorize the `flagger`
_ServiceAccount_. It's created by default when using Kustomize, but
needs to be opted-in when using Helm via the new
`linkerdAuthPolicy.create` value. This also implies that the Flagger
workload has to be injected by the Linkerd proxy, and that can't happen
in the same `linkerd` namespace where the control plane lives, so we're
moving Flagger into the new injected `flagger-system` namespace.
The `namespace` field in `kustomization.yml` was resetting the namespace
for the new _AuthorizationPolicy_ resource, so that gets restored back
to `linkerd-viz` using a `patchesJson6902` entry. A better way to do
this would have been to use the `unsetOnly` field in a
_NamespaceTransformer_ (see kubernetes-sigs/kustomize#4708) but for
the life of me I couldn't make that work...
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
In Linkerd 2.10, The Prometheus instance moved into the `viz`
extension which is installed separately from the core
control-plane. This means that the prometheus now exists in
the `linkerd-viz` namespace by default unless overriden.
This PR updates the URl to reflect the same
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
