feat: do not use tigera-operator for native network policies (#341)

Author: mglotov

docs/FAQ.md

@@ -1,25 +1,25 @@
 # Table of content
 
 <!-- TOC -->
-  * [EKS Upgrading](#eks-upgrading)
-  * [K8S namespace features:](#k8s-namespace-features-)
-  * [Gitlab-runner](#gitlab-runner)
-    * [How to add more restrictions for Gitlab-Runner](#how-to-add-more-restrictions-for-gitlab-runner)
-  * [Monitoring](#monitoring)
-  * [Grafana: How to add GitHub/Gitlab OAuth2 Authentication:](#grafana--how-to-add-githubgitlab-oauth2-authentication-)
-  * [Alertmanager](#alertmanager)
-    * [If you want to receive alerts **via Slack**, then do next:](#if-you-want-to-receive-alerts-via-slack--then-do-next-)
-  * [Deleting Tigera-operator](#deleting-tigera-operator)
-  * [What if you don't want to use an aws-load-balancer controller in front of an ingress-nginx and want to use a cert-manager and terminate SSL on ingres-nginx side](#what-if-you-dont-want-to-use-an-aws-load-balancer-controller-in-front-of-an-ingress-nginx-and-want-to-use-a-cert-manager-and-terminate-ssl-on-ingres-nginx-side)
-  * [Apply using terraform](#apply-using-terraform)
-    * [S3 state backend](#s3-state-backend)
-      * [Inputs](#inputs)
-      * [init](#init)
-      * [plan](#plan)
-      * [apply](#apply)
-  * [Update terraform version](#update-terraform-version)
-  * [Update terraform providers](#update-terraform-providers)
-  * [Update terragrunt version](#update-terragrunt-version)
+- [Table of content](#table-of-content)
+  - [EKS Upgrading](#eks-upgrading)
+  - [K8S namespace features:](#k8s-namespace-features)
+  - [Gitlab-runner](#gitlab-runner)
+    - [How to add more restrictions for Gitlab-Runner](#how-to-add-more-restrictions-for-gitlab-runner)
+  - [Monitoring](#monitoring)
+  - [Grafana: How to add GitHub/Gitlab OAuth2 Authentication:](#grafana-how-to-add-githubgitlab-oauth2-authentication)
+  - [Alertmanager](#alertmanager)
+    - [If you want to receive alerts **via Slack**, then do next:](#if-you-want-to-receive-alerts-via-slack-then-do-next)
+  - [What if you don't want to use an aws-load-balancer controller in front of an ingress-nginx and want to use a cert-manager and terminate SSL on ingres-nginx side](#what-if-you-dont-want-to-use-an-aws-load-balancer-controller-in-front-of-an-ingress-nginx-and-want-to-use-a-cert-manager-and-terminate-ssl-on-ingres-nginx-side)
+  - [Apply using terraform](#apply-using-terraform)
+    - [S3 state backend](#s3-state-backend)
+      - [Inputs](#inputs)
+      - [init](#init)
+      - [plan](#plan)
+      - [apply](#apply)
+  - [Update terraform version](#update-terraform-version)
+  - [Update terraform providers](#update-terraform-providers)
+  - [Update terragrunt version](#update-terragrunt-version)
 <!-- TOC -->
 
 ## EKS Upgrading
@@ -327,22 +327,6 @@ Alertmanager is disabled in default installation. If you want to enable it, then
 * See [this instruction](https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack) and generate Slack Incoming Webhook
 * Set `alertmanager_slack_webhook`, `alertmanager_slack_channel` variables in [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#!/home) secret with the pattern `/${local.name_wo_region}/infra/layer2-k8s`.
 
-## Deleting Tigera-operator
-1. Run:
-
-    ```bash
-    $ kubectl delete installations.operator.tigera.io default
-    ```
-
-2. Set `enabled: false` for `id: tigera-operator` in the file **helm-releases.yaml**
-3. Run `terraform apply` in the layer2-k8s folder
-4. Run:
-
-    ```bash
-    $ kubectl delete ns calico-apiserver calico-system
-    ```
-5. Restart all nodes
-
 ## What if you don't want to use an aws-load-balancer controller in front of an ingress-nginx and want to use a cert-manager and terminate SSL on ingres-nginx side
 
 1. Set `nginx ` for a `nginx_ingress_ssl_terminator` variable in the layer2-k8s folder

terraform/layer1-aws/aws-eks.tf

@@ -46,6 +46,9 @@ module "eks" {
     vpc-cni = {
       most_recent              = true
       service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
+      configuration_values = jsonencode({
+        enableNetworkPolicy = "true"
+      })
     }
     aws-ebs-csi-driver = {
       most_recent              = true

terraform/layer2-k8s/README.md

@@ -50,7 +50,6 @@
 | <a name="module_kube_prometheus_stack_namespace"></a> [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_loki_namespace"></a> [loki\_namespace](#module\_loki\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_reloader_namespace"></a> [reloader\_namespace](#module\_reloader\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
-| <a name="module_tigera_operator_namespace"></a> [tigera\_operator\_namespace](#module\_tigera\_operator\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_victoria_metrics_k8s_stack_namespace"></a> [victoria\_metrics\_k8s\_stack\_namespace](#module\_victoria\_metrics\_k8s\_stack\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 
 ## Resources
@@ -85,9 +84,7 @@
 | [helm_release.loki_stack](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.prometheus_operator](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
-| [helm_release.tigera_operator](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
-| [kubectl_manifest.calico_felix](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
 | [kubectl_manifest.istio_prometheus_service_monitor_cp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
 | [kubectl_manifest.istio_prometheus_service_monitor_dp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
 | [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |

terraform/layer2-k8s/eks-tigera-operator.tf

@@ -531,7 +531,6 @@ resource "helm_release" "victoria_metrics_k8s_stack" {
 
   depends_on = [
     kubectl_manifest.kube_prometheus_stack_operator_crds,
-    helm_release.tigera_operator,
     helm_release.ingress_nginx
   ]
 

terraform/layer2-k8s/eks-victoria-metrics-k8s-stack.tf

@@ -101,12 +101,6 @@ releases:
     repository: https://stakater.github.io/stakater-charts
     chart_version: 1.0.22
     namespace: reloader
-  - id: tigera-operator
-    enabled: true
-    chart: tigera-operator
-    repository: https://projectcalico.docs.tigera.io/charts
-    chart_version: v3.25.0
-    namespace: tigera-operator
   - id: victoria-metrics-k8s-stack
     enabled: false
     chart: victoria-metrics-k8s-stack