Merge branch 'dev' into container-registry.zalando.net/teapot/skipper-internal

Author: vlktna

cluster/config-defaults.yaml

@@ -55,7 +55,7 @@ karpenter_instance_family_t_enabled: "false"
 karpenter_enable_spot: "true"
 
 # ALB config created by kube-aws-ingress-controller
-kube_aws_ingress_controller_ssl_policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
+kube_aws_ingress_controller_ssl_policy: "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
 kube_aws_ingress_controller_idle_timeout: "1m"
 kube_aws_ingress_controller_deregistration_delay_timeout: "10s"
 # allow using NLBs for ingress
@@ -377,6 +377,11 @@ skipper_open_policy_agent_data_preprocessing_optimization_enabled: "false"
 # Default timeout value in seconds for outgoing http calls from Open Policy Agent in a skipper filter
 skipper_open_policy_agent_styra_response_header_timeout: "2"
 
+# Decision logging use event buffer type
+skipper_open_policy_agent_decision_logs_buffer_type_event_enable: "false"
+# Decision logging sets the maximum number of decision log events that can be buffered before being dropped
+skipper_open_policy_agent_decision_logs_buffer_type_event_limit: "1000"
+
 #
 # FabricGateway controller config
 #
@@ -1293,4 +1298,4 @@ aws_load_balancer_controller_cpu: "100m"
 aws_load_balancer_controller_mem_max: "4Gi"
 
 # configure if sandbox-controller should be deployed
-sandbox_controller_enabled: "false" 
+sandbox_controller_enabled: "false"

cluster/manifests/02-skipper-validation-webhook/deployment.yaml

@@ -32,7 +32,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
       - name: skipper-admission-webhook
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.52
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.63
         args:
           - webhook
           - --address=:9085

cluster/manifests/deployment-service/controller-statefulset.yaml

@@ -29,7 +29,7 @@ spec:
       terminationGracePeriodSeconds: 300
       containers:
         - name: "deployment-service-controller"
-          image: "container-registry.zalando.net/teapot/deployment-controller:master-266"
+          image: "container-registry.zalando.net/teapot/deployment-controller:master-268"
           args:
             - "--config-namespace=kube-system"
             - "--decrypt-kms-alias-arn=arn:aws:kms:{{ .Cluster.Region }}:{{ .Cluster.InfrastructureAccountID }}:alias/deployment-secret"

cluster/manifests/deployment-service/status-service-deployment.yaml

@@ -1,4 +1,4 @@
-# {{ $image   := "container-registry.zalando.net/teapot/deployment-status-service:master-266" }}
+# {{ $image   := "container-registry.zalando.net/teapot/deployment-status-service:master-268" }}
 # {{ $version := index (split $image ":") 1 }}
 
 apiVersion: apps/v1

cluster/manifests/ingress-controller/deployment.yaml

@@ -1,4 +1,4 @@
-# {{ $image := "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/kube-ingress-aws-controller:v0.17.7" }}
+# {{ $image := "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/kube-ingress-aws-controller:v0.18.3" }}
 # {{ $version := index (split $image ":") 1 }}
 
 apiVersion: apps/v1

cluster/manifests/roles/kubernetes-resource-analyzer.yaml

@@ -13,3 +13,36 @@ subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: zalando-iam:zalando:service:stups_kubernetes
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubernetes-resource-analyzer-secrets
+  labels:
+    application: kubernetes
+    component: resource-analyzer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-resource-analyzer-secrets
+  labels:
+    application: kubernetes
+    component: resource-analyzer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-resource-analyzer-secrets
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: zalando-iam:zalando:service:stups_kubernetes

cluster/manifests/sandbox-controller/30-deployment.yaml

@@ -1,4 +1,4 @@
-# {{ $image := "container-registry.zalando.net/gwproxy/sandbox-controller:main-13" }}
+# {{ $image := "container-registry.zalando.net/gwproxy/sandbox-controller:main-16" }}
 # {{ $version := index (split $image ":") 1 }}
 
 {{ if eq .Cluster.ConfigItems.sandbox_controller_enabled "true" }}

cluster/manifests/skipper/configmap-open-policy-agent.yaml

@@ -31,6 +31,12 @@ data:
             session_name: open-policy-agent-instance
       name: styra-bundles
       url: "{{ .Cluster.ConfigItems.skipper_open_policy_agent_bundles_url }}"
+    {{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_decision_logs_buffer_type_event_enable "true" }}
+    decision_logs:
+      reporting:
+        buffer_type: "event"
+        buffer_size_limit_events: {{ .Cluster.ConfigItems.skipper_open_policy_agent_decision_logs_buffer_type_event_limit }}
+    {{ end }}
   envoymetadata.json: |-
     {
       "filter_metadata": {

cluster/manifests/stackset-controller/deployment.yaml

@@ -1,4 +1,4 @@
-{{ $version := "v1.4.99" }}
+{{ $version := "v1.4.112" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -55,8 +55,10 @@ spec:
         - "--sync-ingress-annotation=zalando.org/aws-waf-web-acl-id"
         - "--sync-ingress-annotation=kubernetes.io/ingress.class"
 {{ end}}
-        - "--cluster-domain={{ .Values.hosted_zone }}"
         - "--cluster-domain=ingress.cluster.local"
+{{- if eq .Cluster.Provider "zalando-aws" }}
+        - "--cluster-domain={{ .Values.hosted_zone }}"
+{{- end }}
         resources:
           limits:
             cpu: 10m

cluster/node-pools/master-default/userdata.yaml

@@ -260,7 +260,7 @@ write_files:
               name: admission-controller-kubeconfig
               readOnly: true
         - name: skipper-admission-webhook
-          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.53
+          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.63
           args:
             - webhook
             - --address=:9085
@@ -437,7 +437,7 @@ write_files:
             value: {{ .Cluster.ConfigItems.apiserver_business_partner_ids }}
 {{ end }}
         - name: skipper-proxy
-          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.53
+          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.63
           args:
           - skipper
           - -access-log-strip-query
@@ -488,7 +488,7 @@ write_files:
             name: ssl-certs-kubernetes
             readOnly: true
         - name: skipper-metrics
-          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.53
+          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.22.63
           args:
           - skipper
           - -access-log-strip-query