mirror of
https://github.com/fluxcd/flagger.git
synced 2026-03-03 02:00:18 +00:00
7242fa7d5c
In Linkerd 2.13 the Prometheus instance in the `linkerd-viz` namespace is now locked behind an [_AuthorizationPolicy_](https://github.com/linkerd/linkerd2/blob/stable-2.13.1/viz/charts/linkerd-viz/templates/prometheus-policy.yaml) that only allows access to the `metrics-api` _ServiceAccount_. This adds an extra _AuthorizationPolicy_ to authorize the `flagger` _ServiceAccount_. It's created by default when using Kustomize, but needs to be opted-in when using Helm via the new `linkerdAuthPolicy.create` value. This also implies that the Flagger workload has to be injected by the Linkerd proxy, and that can't happen in the same `linkerd` namespace where the control plane lives, so we're moving Flagger into the new injected `flagger-system` namespace. The `namespace` field in `kustomization.yml` was resetting the namespace for the new _AuthorizationPolicy_ resource, so that gets restored back to `linkerd-viz` using a `patchesJson6902` entry. A better way to do this would have been to use the `unsetOnly` field in a _NamespaceTransformer_ (see kubernetes-sigs/kustomize#4708) but for the life of me I couldn't make that work... Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
19 lines
425 B
YAML
19 lines
425 B
YAML
namespace: flagger-system
|
|
bases:
|
|
- ../base/flagger/
|
|
- namespace.yaml
|
|
- authorizationpolicy.yaml
|
|
patchesStrategicMerge:
|
|
- patch.yaml
|
|
# restore overridden namespace field
|
|
patchesJson6902:
|
|
- target:
|
|
group: policy.linkerd.io
|
|
version: v1alpha1
|
|
kind: AuthorizationPolicy
|
|
name: prometheus-admin-flagger
|
|
patch: |-
|
|
- op: replace
|
|
path: /metadata/namespace
|
|
value: linkerd-viz
|