mirror of
https://github.com/fluxcd/flagger.git
synced 2026-03-01 01:00:40 +00:00
In Linkerd 2.13 the Prometheus instance in the `linkerd-viz` namespace is now locked behind an [_AuthorizationPolicy_](https://github.com/linkerd/linkerd2/blob/stable-2.13.1/viz/charts/linkerd-viz/templates/prometheus-policy.yaml) that only allows access to the `metrics-api` _ServiceAccount_.

This adds an extra _AuthorizationPolicy_ to authorize the `flagger` _ServiceAccount_. It's created by default when using Kustomize, but needs to be opted-in when using Helm via the new `linkerdAuthPolicy.create` value.

This also implies that the Flagger workload has to be injected by the Linkerd proxy, and that can't happen in the same `linkerd` namespace where the control plane lives, so we're moving Flagger into the new injected `flagger-system` namespace.

The `namespace` field in `kustomization.yml` was resetting the namespace for the new _AuthorizationPolicy_ resource, so that gets restored back to `linkerd-viz` using a `patchesJson6902` entry. A better way to do this would have been to use the `unsetOnly` field in a _NamespaceTransformer_ (see kubernetes-sigs/kustomize#4708) but for the life of me I couldn't make that work...

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
28 lines
597 B
YAML
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flagger
spec:
  template:
    spec:
      containers:
        - name: flagger
          args:
            - -log-level=info
            - -include-label-prefix=app.kubernetes.io
            - -mesh-provider=linkerd
            - -metrics-server=http://prometheus.linkerd-viz:9090
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flagger
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flagger
subjects:
  - kind: ServiceAccount
    name: flagger
    namespace: flagger-system
```
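The two pieces the commit message describes, sketched as an added illustration (not the repository's own files): an _AuthorizationPolicy_ that admits the `flagger` _ServiceAccount_ to the viz Prometheus, and the `patchesJson6902` entry that puts it back in `linkerd-viz`. The policy name `prometheus-admin-flagger` and the `prometheus-admin` _Server_ target are assumptions; check them against the `prometheus-policy.yaml` of your linkerd-viz release.

```yaml
# File 1 (assumed name: authorizationpolicy.yaml)
# Grants the Flagger identity access to the Prometheus Server resource.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: prometheus-admin-flagger   # assumed name
  namespace: linkerd-viz           # must live beside the Server it targets
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin         # assumed name of the viz Prometheus Server
  requiredAuthenticationRefs:
    # Authorization is by mesh identity, so the Flagger pod must be
    # injected with the Linkerd proxy for this reference to match.
    - kind: ServiceAccount
      name: flagger
      namespace: flagger-system    # same namespace as the ClusterRoleBinding subject
---
# File 2: kustomization.yml (excerpt)
namespace: flagger-system          # rewrites metadata.namespace on every resource
resources:
  - authorizationpolicy.yaml
patchesJson6902:
  # Undo the namespace rewrite for the policy only, so it is created
  # in linkerd-viz rather than in flagger-system.
  - target:
      group: policy.linkerd.io
      version: v1alpha1
      kind: AuthorizationPolicy
      name: prometheus-admin-flagger
    patch: |-
      - op: replace
        path: /metadata/namespace
        value: linkerd-viz
```

After `kustomize build`, confirm that the rendered policy's `metadata.namespace` is `linkerd-viz` and that its `requiredAuthenticationRefs` namespace matches the `flagger-system` subject in the _ClusterRoleBinding_ above; a mismatch in either leaves Flagger's metric queries denied.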