giantswarm · taylorbot · Oct 5, 2023 · Oct 5, 2023 · Oct 5, 2023
@@ -143,7 +143,7 @@ jobs:
           version: "${{ needs.gather_facts.outputs.version }}"
           title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}"
         run: |
-          hub pull-request -f  -m "${{ env.title }}" -b ${{ env.base }} -h ${{ env.branch }} -r ${{ github.actor }}
+          gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }}
   create_release:
     name: Create release
     runs-on: ubuntu-22.04

@@ -128,4 +128,9 @@ jobs:
           GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
           base: "${{ needs.gather_facts.outputs.base }}"
         run: |
-          hub pull-request -f -m "Automated update from upstream" -m "This PR was created by the \`update-chart\` GitHub Actions workflow." -m "- [ ] **:warning: All tests are passing**" -m "- [ ] **:warning: The CHANGELOG.md file has been updated**" -m "- [ ] **:warning: Additional changes in ignored files (see vendir.yml) have been adapted and migrated**" -l "automated-update" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }}
+          gh pr create --title "Automated update from upstream"  --label "automated-update" --assignee ${{ github.actor }} --base ${{ env.base }} --head ${{ needs.gather_facts.outputs.branch }} --body-file - << EOF
+          This PR was created by the \`update-chart\` GitHub Actions workflow.
+          - [ ] **:warning: All tests are passing**"
+          - [ ] **:warning: The CHANGELOG.md file has been updated**
+          - [ ] **:warning: Additional changes in ignored files (see vendir.yml) have been adapted and migrated**
+          EOF
@@ -0,0 +1,5 @@
+{{- define "partials.giantswarm-labels" -}}
+giantswarm.io/service-type: "managed"
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
+{{- end -}}
+
@@ -1,5 +1,5 @@
 {{- define "partials.annotations.created-by" -}}
-linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }}
+linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" (.Values.cniPluginVersion | default .Values.linkerdVersion)) }}
 {{- end -}}
 
 {{- define "partials.proxy.annotations" -}}

@@ -0,0 +1,17 @@
+{{- define "partials.noop" -}}
+securityContext:
+  runAsUser: 65535
+args:
+- -v
+image: "{{.Values.image.registry}}/{{.Values.noop.image.name}}:{{.Values.noop.image.version}}"
+name: noop
+resources:
+  limits:
+    cpu: "50m"
+    memory: "10Mi"
+  requests:
+    cpu: "50m"
+    memory: "10Mi"
+securityContext:
+  runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }}
+{{- end -}}
@@ -71,8 +71,6 @@ securityContext:
   runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }}
   {{- end }}
   readOnlyRootFilesystem: true
-  seccompProfile:
-    type: RuntimeDefault
 terminationMessagePolicy: FallbackToLogsOnError
 {{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }}
 volumeMounts:

@@ -49,14 +49,6 @@ env:
 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
   value: {{.Values.proxy.outboundConnectTimeout | quote}}
 {{ end -}}
-{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}}
-- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
-  value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}}
-{{ end -}}
-{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}}
-- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
-  value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}}
-{{ end -}}
 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
   value: 0.0.0.0:{{.Values.proxy.ports.control}}
 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
@@ -169,10 +161,7 @@ securityContext:
   {{- include "partials.proxy.capabilities" . | nindent 2 -}}
   {{- end }}
   readOnlyRootFilesystem: true
-  runAsNonRoot: true
   runAsUser: {{.Values.proxy.uid}}
-  seccompProfile:
-    type: RuntimeDefault
 terminationMessagePolicy: FallbackToLogsOnError
 {{- if or (.Values.proxy.await) (.Values.proxy.waitBeforeExitSeconds) }}
 lifecycle:

@@ -1,12 +1,49 @@
 ---
+apiVersion: policy.linkerd.io/v1beta1
+kind: Server
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: admin
+  labels:
+    linkerd.io/extension: viz
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  podSelector:
+    matchLabels:
+      linkerd.io/extension: viz
+  port: admin-http
+  proxyProtocol: HTTP/1
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: admin
+  labels:
+    linkerd.io/extension: viz
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: admin
+  requiredAuthenticationRefs:
+  - group: policy.linkerd.io
+    kind: NetworkAuthentication
+    name: kubelet
+---
 apiVersion: policy.linkerd.io/v1alpha1
 kind: NetworkAuthentication
 metadata:
   namespace: {{ .Release.Namespace }}
   name: kubelet
   labels:
     linkerd.io/extension: viz
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:

@@ -7,7 +7,7 @@ metadata:
   labels:
     linkerd.io/extension: viz
     component: metrics-api
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
@@ -26,7 +26,7 @@ metadata:
   labels:
     linkerd.io/extension: viz
     component: metrics-api
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
@@ -47,7 +47,7 @@ metadata:
   labels:
     linkerd.io/extension: viz
     component: metrics-api
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:

@@ -9,7 +9,7 @@ metadata:
   labels:
     linkerd.io/extension: viz
     component: metrics-api
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
 rules:
 - apiGroups: ["extensions", "apps"]
   resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
@@ -34,7 +34,7 @@ metadata:
   labels:
     linkerd.io/extension: viz
     component: metrics-api
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -52,5 +52,5 @@ metadata:
   labels:
     linkerd.io/extension: viz
     component: metrics-api
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
 {{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
@@ -10,10 +10,9 @@ metadata:
   labels:
     linkerd.io/extension: viz
     component: metrics-api
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
-    {{- with .Values.metricsAPI.service.annotations }}{{ toYaml . | trim | nindent 4 }}{{- end }}
     linkerd.io/inject: enabled
 spec:
   type: ClusterIP
@@ -33,14 +32,14 @@ metadata:
     {{ include "partials.annotations.created-by" . }}
     linkerd.io/inject: enabled
     config.linkerd.io/proxy-await: "enabled"
+    giantswarm.io/monitoring_basic_sli: "true"
+    {{- include "partials.giantswarm-labels" . | nindent 4 }}
   labels:
     linkerd.io/extension: viz
     app.kubernetes.io/name: metrics-api
     app.kubernetes.io/part-of: Linkerd
     app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.cliVersion}}
     component: metrics-api
-    giantswarm.io/monitoring_basic_sli: "true"
-    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   name: metrics-api
   namespace: {{ .Release.Namespace }}
 spec:
@@ -61,12 +60,12 @@ spec:
         {{- end }}
         {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
         linkerd.io/inject: enabled
-        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
         cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
       labels:
         linkerd.io/extension: viz
         component: metrics-api
         {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+        {{- include "partials.giantswarm-labels" . | nindent 8 }}
     spec:
       {{- if .Values.metricsAPI.tolerations -}}
       {{- include "linkerd.tolerations" (dict "Values" .Values.metricsAPI) | nindent 6 }}
@@ -111,16 +110,5 @@ spec:
         {{- include "partials.resources" .Values.metricsAPI.resources | nindent 8 }}
         {{- end }}
         securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
           runAsUser: {{.Values.metricsAPI.UID | default .Values.defaultUID}}
-          seccompProfile:
-            type: RuntimeDefault
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
       serviceAccountName: metrics-api
@@ -1,9 +1,6 @@
 kind: ServiceAccount
 apiVersion: v1
 metadata:
-  {{- with .Values.commonLabels }}
-  labels: {{ toYaml . | trim | nindent 4 }}
-  {{- end }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
     "helm.sh/hook": post-install
@@ -16,9 +13,6 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  {{- with .Values.commonLabels }}
-  labels: {{ toYaml . | trim | nindent 4 }}
-  {{- end }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
     "helm.sh/hook": post-install
@@ -35,9 +29,6 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  {{- with .Values.commonLabels }}
-  labels: {{ toYaml . | trim | nindent 4 }}
-  {{- end }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
     "helm.sh/hook": post-install
@@ -53,25 +44,3 @@ subjects:
 - kind: ServiceAccount
   name: namespace-metadata
   namespace: {{.Release.Namespace}}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  namespace: {{ .Values.linkerdNamespace }}
-  {{- with .Values.commonLabels }}
-  labels: {{ toYaml . | trim | nindent 4 }}
-  {{- end }}
-  annotations:
-    {{ include "partials.annotations.created-by" . }}
-    "helm.sh/hook": post-install
-    "helm.sh/hook-weight": "0"
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-  name: viz-namespace-metadata-linkerd-config
-roleRef:
-  kind: Role
-  name: ext-namespace-metadata-linkerd-config
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
-  name: namespace-metadata
-  namespace: {{.Release.Namespace}}