Fix kuma issues and heartbeat monitoring

.github/workflows/buildtools-build.sh

@@ -5,9 +5,9 @@ set -o errexit
 
 KUBECTL_VERSION=1.21.0
 
-# https://github.com/fluxcd/kustomize-controller/blob/v0.10.0/go.mod#L34
+# https://github.com/fluxcd/kustomize-controller/blob/v0.41.2/go.mod#L34
 # https://github.com/kubernetes-sigs/kustomize/blob/kustomize/v3.9.4/kustomize/go.mod#L11
-FLUX_VERSION=0.10.0
+FLUX_VERSION=0.41.2
 KUSTOMIZE_VERSION=3.9.4
 
 KUBESEAL_VERSION=0.15.0

docs/AcceptanceTests.md

@@ -105,6 +105,7 @@ These are in order. Refer to the above access chart for how to login to each com
 | Is secure | | | Checks cert manager is working correctly |
 | Assets are correctly installed | | | |
 | Can login with admin creds from and view logs. All expected dashboards (including 'Dashboard' -> 'Tavros - Logs Dashboard') are there. | | | |
+| Observability -> Uptime shows UP for prod, dev, and test pod | | | |
 
 #### Jaeger
 
@@ -118,13 +119,12 @@ These are in order. Refer to the above access chart for how to login to each com
 
 | Expected result | Actual result | PASS/FAIL | Purpose of test |
 |---|---|---|---|
-| Can't curl across namespaces (ex: from prod to test) | | | Tests mesh is working correctly |
-
-Notes: 
-
-In prod troubleshooting shell:
-- curl http://api-repo.prod.svc.cluster.local:9000/api/pet/123 should return` {"opId":"get-pet-petId"}`
-- curl http://api-repo.dev.svc.cluster.local:9000/api/pet/123 should return `(52) Empty reply from server`
+| From PROD shell `curl 'http://api-repo.prod.svc.cluster.local:8080/actuator/health/liveness'` returns {"status":"UP"} | | | |
+| From PROD shell `curl 'http://api-repo.dev.svc.cluster.local:8080/actuator/health/liveness'` & `curl 'http://api-repo.test.svc.cluster.local:8080/actuator/health/liveness'` returns Empty reply from server | | |
+| From DEV shell `curl 'http://api-repo.prod.svc.cluster.local:8080/actuator/health/liveness'` returns Empty reply from server | | | |
+| From DEV shell `curl 'http://api-repo.dev.svc.cluster.local:8080/actuator/health/liveness'` & `curl 'http://api-repo.test.svc.cluster.local:8080/actuator/health/liveness'` returns {"status":"UP"} | | | |
+| From TEST shell `curl 'http://api-repo.prod.svc.cluster.local:8080/actuator/health/liveness'` returns Empty reply from server | | | |
+| From TEST shell `curl 'http://api-repo.dev.svc.cluster.local:8080/actuator/health/liveness'` & `curl 'http://api-repo.test.svc.cluster.local:8080/actuator/health/liveness'` returns {"status":"UP"} | | | |
 
 #### Postgres
 

roles/elastic_cloud/files/heartbeat.yaml

@@ -1,35 +1,3 @@
-apiVersion: beat.k8s.elastic.co/v1beta1
-kind: Beat
-metadata:
- name: tavros-heartbeat
- namespace: elastic-system
-spec:
- type: heartbeat
- version: 7.13.4
- elasticsearchRef:
- name: tavros
- config:
- heartbeat:
- autodiscover:
- providers:
- - type: kubernetes
- node: ${NODE_NAME}
- hints.enabled: true
- daemonSet:
- podTemplate:
- spec:
- serviceAccountName: heartbeat
- automountServiceAccountToken: true
- securityContext:
- runAsUser: 0
- containers:
- - name: heartbeat
- env:
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -61,7 +29,7 @@ rules:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: heartbeat
+ name: heartbeat-svc
  namespace: elastic-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -70,9 +38,123 @@ metadata:
  name: heartbeat
 subjects:
 - kind: ServiceAccount
- name: heartbeat
+ name: heartbeat-svc
  namespace: elastic-system
 roleRef:
  kind: ClusterRole
  name: heartbeat
  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: beat.k8s.elastic.co/v1beta1
+kind: Beat
+metadata:
+ name: tavros-heartbeat-prod
+ namespace: elastic-system
+spec:
+ type: heartbeat
+ version: 7.13.4
+ elasticsearchRef:
+ name: tavros
+ config:
+ heartbeat:
+ autodiscover:
+ providers:
+ - type: kubernetes
+ node: ${NODE_NAME}
+ namespace: "prod"
+ hints.enabled: true
+ daemonSet:
+ podTemplate:
+ metadata:
+ labels:
+ kuma.io/sidecar-injection: enabled
+ annotations:
+ kuma.io/mesh: prod
+ spec:
+ serviceAccountName: heartbeat-svc
+ automountServiceAccountToken: true
+ securityContext:
+ runAsUser: 0
+ containers:
+ - name: heartbeat
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+---
+apiVersion: beat.k8s.elastic.co/v1beta1
+kind: Beat
+metadata:
+ name: tavros-heartbeat-dev
+ namespace: elastic-system
+spec:
+ type: heartbeat
+ version: 7.13.4
+ elasticsearchRef:
+ name: tavros
+ config:
+ heartbeat:
+ autodiscover:
+ providers:
+ - type: kubernetes
+ node: ${NODE_NAME}
+ namespace: "dev"
+ hints.enabled: true
+ daemonSet:
+ podTemplate:
+ metadata:
+ labels:
+ kuma.io/sidecar-injection: enabled
+ annotations:
+ kuma.io/mesh: sandbox
+ spec:
+ serviceAccountName: heartbeat-svc
+ automountServiceAccountToken: true
+ securityContext:
+ runAsUser: 0
+ containers:
+ - name: heartbeat
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+---
+apiVersion: beat.k8s.elastic.co/v1beta1
+kind: Beat
+metadata:
+ name: tavros-heartbeat-test
+ namespace: elastic-system
+spec:
+ type: heartbeat
+ version: 7.13.4
+ elasticsearchRef:
+ name: tavros
+ config:
+ heartbeat:
+ autodiscover:
+ providers:
+ - type: kubernetes
+ node: ${NODE_NAME}
+ namespace: "test"
+ hints.enabled: true
+ daemonSet:
+ podTemplate:
+ metadata:
+ labels:
+ kuma.io/sidecar-injection: enabled
+ annotations:
+ kuma.io/mesh: sandbox
+ spec:
+ serviceAccountName: heartbeat-svc
+ automountServiceAccountToken: true
+ securityContext:
+ runAsUser: 0
+ containers:
+ - name: heartbeat
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName

roles/fluxtoolkit/tasks/main.yaml

@@ -5,7 +5,7 @@
 
 - name: Generate Flux GitOps Toolkit Resources
  shell: |
- flux install --version=v0.10.0 \
+ flux install --version=v0.41.2 \
  --export > /tmp/{{ cluster_fqdn }}/platform/flux-system/gotk-components.yaml
 
 - name: Template Files

roles/kong/templates/release.j2

@@ -114,7 +114,6 @@ spec:
 {% endif %}
  podAnnotations:
 {% if item[0].kuma_mesh_name is defined %}
- kuma.io/sidecar-injection: enabled
  kuma.io/gateway: {{ 'enabled' if ((item[0].hybrid) and (item[1].role == 'control_plane')) else 'enabled' }}
  kuma.io/mesh: {{ item[0].kuma_mesh_name }}
 {% endif %}
@@ -123,6 +122,10 @@ spec:
  co.elastic.logs.proxy/module: nginx
  co.elastic.logs.proxy/fileset.stdout: access
  co.elastic.logs.proxy/fileset.stderr: error
+{% endif %}
+{% if item[0].kuma_mesh_name is defined %}
+ podLabels:
+ kuma.io/sidecar-injection: enabled
 {% endif %}
  admin:
  enabled: {{ false if ((item[0].hybrid) and (item[1].role == 'data_plane')) else true }}

roles/kuma/files/release.yaml

@@ -12,8 +12,8 @@ spec:
  kind: HelmRepository
  name: kuma
  namespace: flux-system
- # https://github.com/kumahq/kuma/blob/1.2.0/deployments/charts/kuma/values.yaml
- version: 0.6.0
+ # https://github.com/kumahq/kuma/blob/2.4.3/deployments/charts/kuma/values.yaml
+ version: 2.4.3
  interval: 30m
  install:
  remediation:

roles/namespace/templates/ns.j2

@@ -3,7 +3,8 @@ kind: Namespace
 metadata:
  name: {{ item.name }}
 {% if item.kuma_mesh_name is defined %}
+ labels:
+ kuma.io/sidecar-injection: enabled
  annotations:
  kuma.io/mesh: {{ item.kuma_mesh_name }}
- kuma.io/sidecar-injection: enabled
-{% endif %}
+{% endif %}