diff --git a/infra/gcp/terraform/kubernetes-public/iam.tf b/infra/gcp/terraform/kubernetes-public/iam.tf
index 7c0506870fe..4f9ccd57657 100644
--- a/infra/gcp/terraform/kubernetes-public/iam.tf
+++ b/infra/gcp/terraform/kubernetes-public/iam.tf
@@ -23,6 +23,9 @@ module "iam" {
 mode = "authoritative"
 bindings = {
+ "roles/container.admin" = [
+ "serviceAccount:argocd@k8s-infra-prow.iam.gserviceaccount.com",
+ ]
 "roles/secretmanager.secretAccessor" = [
 "serviceAccount:kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com",
 "principal://iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/k8s-infra-prow.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
diff --git a/kubernetes/eks-prow-kops/datadog/kustomization.yaml b/kubernetes/eks-prow-kops/datadog/kustomization.yaml
index 72b82b5996f..98c989a6be1 100644
--- a/kubernetes/eks-prow-kops/datadog/kustomization.yaml
+++ b/kubernetes/eks-prow-kops/datadog/kustomization.yaml
@@ -6,8 +6,8 @@ helmCharts:
 - name: datadog
 repo: https://helm.datadoghq.com
 releaseName: datadog
- version: 3.118.0
- kubeVersion: "1.29"
+ version: 3.135.4
+ kubeVersion: "1.30"
 valuesFile: values.yaml
 resources:
diff --git a/kubernetes/eks-prow-kops/datadog/values.yaml b/kubernetes/eks-prow-kops/datadog/values.yaml
index 5c3d04f4bdc..10d098890e6 100644
--- a/kubernetes/eks-prow-kops/datadog/values.yaml
+++ b/kubernetes/eks-prow-kops/datadog/values.yaml
@@ -24,6 +24,9 @@ datadog:
 uncompressedLayersSupport: true
 host:
 enabled: true
+ apm:
+ instrumentation:
+ skipKPITelemetry: true # https://github.com/DataDog/helm-charts/issues/1395
 clusterAgent:
 tokenExistingSecret: datadog-secret
 agents:
diff --git a/kubernetes/gke-aaa/datadog/kustomization.yaml b/kubernetes/gke-aaa/datadog/kustomization.yaml
new file mode 100644
index 00000000000..d6fa25eb9e8
--- /dev/null
+++ b/kubernetes/gke-aaa/datadog/kustomization.yaml
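Review bot: The new `roles/container.admin` binding gives `argocd@k8s-infra-prow.iam.gserviceaccount.com` full management of every GKE cluster in the kubernetes-public project (cluster and node-pool lifecycle as well as all Kubernetes API objects), which is considerably more than the API access Argo CD needs to sync manifests into gke-aaa via `argocd-k8s-auth gcp`. If only cluster API access is intended, the narrower `roles/container.developer` plus in-cluster RBAC bound to that service account would fit better; if lifecycle management is actually required, the binding deserves a comment stating why, e.g. `# Argo CD (gke-utility) deploys into this project's clusters; container.admin is required because <reason>`. The grant is also cross-project (a k8s-infra-prow identity into kubernetes-public) and the module runs in `mode = "authoritative"`, so this list is the complete membership of the role and is worth a second approver. The enclosing `module "iam"` block begins before and ends after this hunk.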
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: datadog
+
+helmCharts:
+ - name: datadog
+ repo: https://helm.datadoghq.com
+ releaseName: datadog
+ version: 3.118.0
+ valuesFile: values.yaml
+
+resources:
+ - secrets.yaml
diff --git a/kubernetes/gke-aaa/datadog/secrets.yaml b/kubernetes/gke-aaa/datadog/secrets.yaml
new file mode 100644
index 00000000000..0d64b30ff7e
--- /dev/null
+++ b/kubernetes/gke-aaa/datadog/secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: datadog-secret
+spec:
+ dataFrom:
+ - extract:
+ key: datadog-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: k8s-infra-prow-build
diff --git a/kubernetes/gke-aaa/datadog/values.yaml b/kubernetes/gke-aaa/datadog/values.yaml
new file mode 100644
index 00000000000..fdde354d46e
--- /dev/null
+++ b/kubernetes/gke-aaa/datadog/values.yaml
@@ -0,0 +1,40 @@
+registry: gcr.io/datadoghq
+datadog:
+ apiKeyExistingSecret: datadog-secret
+ appKeyExistingSecret: datadog-secret
+ site: us5.datadoghq.com
+ clusterName: aaa
+ logs:
+ enabled: true
+ containerCollectAll: true
+ prometheusScrape:
+ enabled: true
+ serviceEndpoints: true
+ # COS specific https://docs.datadoghq.com/containers/kubernetes/distributions?tab=helm#GKE
+ systemProbe:
+ enableDefaultKernelHeadersPaths: false
+ kubeStateMetricsCore:
+ enabled: true
+ networkMonitoring:
+ enabled: true
+ processAgent:
+ enabled: true
+ processCollection: true
+ sbom:
+ enabled: true
+ containerImage:
+ enabled: true
+ uncompressedLayersSupport: true
+ host:
+ enabled: true
+ apm:
+ instrumentation:
+ skipKPITelemetry: true # https://github.com/DataDog/helm-charts/issues/1395
+clusterAgent:
+ tokenExistingSecret: datadog-secret
+agents:
+ tolerations: # datadog supports arm64
+ - key: kubernetes.io/arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
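Review bot: `version: 3.118.0` in the gke-aaa kustomization lags the `3.135.4` pinned in every other datadog kustomization this commit adds (gke-prow-build-trusted, gke-prow-build, gke-prow, gke-utility) and the bump applied to eks-prow-kops in the same diff, so gke-aaa alone would run an older chart against a values file written for the newer one; this looks accidental. Unless gke-aaa deliberately needs the older chart, change the line to `version: 3.135.4`, and if the difference is intentional a comment on the line saying why would stop the next fleet-wide bump from "fixing" it.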
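Review bot: This ExternalSecret (blob 0d64b30ff7e, repeated byte-for-byte in gke-prow-build-trusted, gke-prow-build, gke-prow and gke-utility) pulls the same `datadog-secrets` entry from the `k8s-infra-prow-build` store into all five clusters, so one Datadog API key / app key pair is replicated across the whole fleet, including the build cluster that presumably runs CI workloads. A leak from any one cluster then forces rotation everywhere, and Datadog-side audit trails cannot attribute traffic to a cluster. Consider one Secret Manager entry (and key pair) per cluster, or at minimum separating the build clusters from the `aaa` apps cluster, and consider setting `refreshInterval` explicitly under `spec:` so the rotation pickup cadence is visible in the manifest instead of inherited from the operator default.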
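Review bot: `logs.containerCollectAll: true` together with `logs.enabled: true` forwards stdout/stderr of every container in the cluster to `us5.datadoghq.com`; the identical setting is in the gke-prow-build-trusted, gke-prow-build, gke-prow and gke-utility values files, and on the prow build clusters that includes CI job output, which is where leaked tokens most often get printed. Consider scoping collection on the build clusters, e.g. `datadog.containerExcludeLogs` for the job namespaces or opt-in per-pod annotations instead of collect-all. `appKeyExistingSecret: datadog-secret` also places the Datadog application key, which authorizes API calls against the Datadog org rather than just ingestion, on every cluster; if no enabled feature needs it (the cluster agent's external metrics provider is the usual consumer), dropping that line limits what a node compromise can reach — confirm which features require it. These five values files otherwise differ only in `clusterName` (and one has already drifted by losing the `systemProbe` stanza), so a shared base with a per-cluster overlay would keep them from diverging further.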
diff --git a/kubernetes/gke-aaa/helm/external-secrets.yaml b/kubernetes/gke-aaa/helm/external-secrets.yaml
new file mode 100644
index 00000000000..50f3f95251c
--- /dev/null
+++ b/kubernetes/gke-aaa/helm/external-secrets.yaml
@@ -0,0 +1,17 @@
+extraObjects:
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: kubernetes-public
+ spec:
+ provider:
+ gcpsm:
+ projectID: kubernetes-public
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: k8s-infra-prow-build
+ spec:
+ provider:
+ gcpsm:
+ projectID: k8s-infra-prow-build
diff --git a/kubernetes/gke-prow-build-trusted/datadog/kustomization.yaml b/kubernetes/gke-prow-build-trusted/datadog/kustomization.yaml
new file mode 100644
index 00000000000..fe7c2834574
--- /dev/null
+++ b/kubernetes/gke-prow-build-trusted/datadog/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: datadog
+
+helmCharts:
+ - name: datadog
+ repo: https://helm.datadoghq.com
+ releaseName: datadog
+ version: 3.135.4
+ valuesFile: values.yaml
+
+resources:
+ - secrets.yaml
diff --git a/kubernetes/gke-prow-build-trusted/datadog/secrets.yaml b/kubernetes/gke-prow-build-trusted/datadog/secrets.yaml
new file mode 100644
index 00000000000..0d64b30ff7e
--- /dev/null
+++ b/kubernetes/gke-prow-build-trusted/datadog/secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: datadog-secret
+spec:
+ dataFrom:
+ - extract:
+ key: datadog-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: k8s-infra-prow-build
diff --git a/kubernetes/gke-prow-build-trusted/datadog/values.yaml b/kubernetes/gke-prow-build-trusted/datadog/values.yaml
new file mode 100644
index 00000000000..90c837774ea
--- /dev/null
+++ b/kubernetes/gke-prow-build-trusted/datadog/values.yaml
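Review bot: Both ClusterSecretStores here set only `gcpsm.projectID` with no `auth` block, so they appear to rely on whatever ambient GCP identity the external-secrets controller pod carries, and with no `spec.conditions` any namespace in the cluster can create an ExternalSecret reading any Secret Manager entry that identity can reach in `kubernetes-public` and `k8s-infra-prow-build`. Consider adding `conditions` with a `namespaces` list or `namespaceSelector` (the `datadog` namespace is the only consumer added here) so a cross-project store is not a cluster-wide read path. The visible iam.tf hunk grants `roles/secretmanager.secretAccessor` on kubernetes-public only to the gke-prow pool principal (`k8s-infra-prow.svc.id.goog/.../external-secrets`), and nothing in this diff grants the gke-aaa controller access to either project — presumably that binding exists elsewhere; confirm, otherwise the datadog ExternalSecret will never sync. The same condition-less `k8s-infra-prow-build` store is also added to gke-prow-build-trusted and gke-prow later in this diff.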
@@ -0,0 +1,37 @@
+registry: gcr.io/datadoghq
+datadog:
+ apiKeyExistingSecret: datadog-secret
+ appKeyExistingSecret: datadog-secret
+ site: us5.datadoghq.com
+ clusterName: k8s-infra-prow-build-trusted
+ logs:
+ enabled: true
+ containerCollectAll: true
+ prometheusScrape:
+ enabled: true
+ serviceEndpoints: true
+ kubeStateMetricsCore:
+ enabled: true
+ networkMonitoring:
+ enabled: true
+ processAgent:
+ enabled: true
+ processCollection: true
+ sbom:
+ enabled: true
+ containerImage:
+ enabled: true
+ uncompressedLayersSupport: true
+ host:
+ enabled: true
+ apm:
+ instrumentation:
+ skipKPITelemetry: true # https://github.com/DataDog/helm-charts/issues/1395
+clusterAgent:
+ tokenExistingSecret: datadog-secret
+agents:
+ tolerations: # datadog supports arm64
+ - key: kubernetes.io/arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
diff --git a/kubernetes/gke-prow-build-trusted/helm/external-secrets.yaml b/kubernetes/gke-prow-build-trusted/helm/external-secrets.yaml
index 79f5e57f983..28fd1a79eea 100644
--- a/kubernetes/gke-prow-build-trusted/helm/external-secrets.yaml
+++ b/kubernetes/gke-prow-build-trusted/helm/external-secrets.yaml
@@ -7,6 +7,14 @@ extraObjects:
 provider:
 gcpsm:
 projectID: k8s-infra-prow-build-trusted
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: k8s-infra-prow-build
+ spec:
+ provider:
+ gcpsm:
+ projectID: k8s-infra-prow-build
 - apiVersion: monitoring.googleapis.com/v1
 kind: PodMonitoring
 metadata:
diff --git a/kubernetes/gke-prow-build/datadog/kustomization.yaml b/kubernetes/gke-prow-build/datadog/kustomization.yaml
new file mode 100644
index 00000000000..fe7c2834574
--- /dev/null
+++ b/kubernetes/gke-prow-build/datadog/kustomization.yaml
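Review bot: This values file omits the `# COS specific` `systemProbe.enableDefaultKernelHeadersPaths: false` stanza that the gke-aaa, gke-prow-build, gke-prow and gke-utility values files all carry, and apart from `clusterName` that is the only difference between them (37 lines here versus 40 elsewhere); since all five are GKE clusters this looks like an accidental drop rather than a deliberate choice. If the trusted build cluster also runs COS nodes, add under `datadog:` the three lines `# COS specific https://docs.datadoghq.com/containers/kubernetes/distributions?tab=helm#GKE`, `systemProbe:`, `  enableDefaultKernelHeadersPaths: false`; if it is intentionally absent, a comment saying so would keep the next copy from re-adding it.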
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: datadog
+
+helmCharts:
+ - name: datadog
+ repo: https://helm.datadoghq.com
+ releaseName: datadog
+ version: 3.135.4
+ valuesFile: values.yaml
+
+resources:
+ - secrets.yaml
diff --git a/kubernetes/gke-prow-build/datadog/secrets.yaml b/kubernetes/gke-prow-build/datadog/secrets.yaml
new file mode 100644
index 00000000000..0d64b30ff7e
--- /dev/null
+++ b/kubernetes/gke-prow-build/datadog/secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: datadog-secret
+spec:
+ dataFrom:
+ - extract:
+ key: datadog-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: k8s-infra-prow-build
diff --git a/kubernetes/gke-prow-build/datadog/values.yaml b/kubernetes/gke-prow-build/datadog/values.yaml
new file mode 100644
index 00000000000..d203e30f901
--- /dev/null
+++ b/kubernetes/gke-prow-build/datadog/values.yaml
@@ -0,0 +1,40 @@
+registry: gcr.io/datadoghq
+datadog:
+ apiKeyExistingSecret: datadog-secret
+ appKeyExistingSecret: datadog-secret
+ site: us5.datadoghq.com
+ clusterName: k8s-infra-prow-build
+ logs:
+ enabled: true
+ containerCollectAll: true
+ prometheusScrape:
+ enabled: true
+ serviceEndpoints: true
+ # COS specific https://docs.datadoghq.com/containers/kubernetes/distributions?tab=helm#GKE
+ systemProbe:
+ enableDefaultKernelHeadersPaths: false
+ kubeStateMetricsCore:
+ enabled: true
+ networkMonitoring:
+ enabled: true
+ processAgent:
+ enabled: true
+ processCollection: true
+ sbom:
+ enabled: true
+ containerImage:
+ enabled: true
+ uncompressedLayersSupport: true
+ host:
+ enabled: true
+ apm:
+ instrumentation:
+ skipKPITelemetry: true # https://github.com/DataDog/helm-charts/issues/1395
+clusterAgent:
+ tokenExistingSecret: datadog-secret
+agents:
+ tolerations: # datadog supports arm64
+ - key: kubernetes.io/arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
diff --git a/kubernetes/gke-prow/datadog/kustomization.yaml b/kubernetes/gke-prow/datadog/kustomization.yaml
new file mode 100644
index 00000000000..fe7c2834574
--- /dev/null
+++ b/kubernetes/gke-prow/datadog/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: datadog
+
+helmCharts:
+ - name: datadog
+ repo: https://helm.datadoghq.com
+ releaseName: datadog
+ version: 3.135.4
+ valuesFile: values.yaml
+
+resources:
+ - secrets.yaml
diff --git a/kubernetes/gke-prow/datadog/secrets.yaml b/kubernetes/gke-prow/datadog/secrets.yaml
new file mode 100644
index 00000000000..0d64b30ff7e
--- /dev/null
+++ b/kubernetes/gke-prow/datadog/secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: datadog-secret
+spec:
+ dataFrom:
+ - extract:
+ key: datadog-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: k8s-infra-prow-build
diff --git a/kubernetes/gke-prow/datadog/values.yaml b/kubernetes/gke-prow/datadog/values.yaml
new file mode 100644
index 00000000000..e316bb07f6a
--- /dev/null
+++ b/kubernetes/gke-prow/datadog/values.yaml
@@ -0,0 +1,40 @@
+registry: gcr.io/datadoghq
+datadog:
+ apiKeyExistingSecret: datadog-secret
+ appKeyExistingSecret: datadog-secret
+ site: us5.datadoghq.com
+ clusterName: k8s-infra-prow
+ logs:
+ enabled: true
+ containerCollectAll: true
+ prometheusScrape:
+ enabled: true
+ serviceEndpoints: true
+ # COS specific https://docs.datadoghq.com/containers/kubernetes/distributions?tab=helm#GKE
+ systemProbe:
+ enableDefaultKernelHeadersPaths: false
+ kubeStateMetricsCore:
+ enabled: true
+ networkMonitoring:
+ enabled: true
+ processAgent:
+ enabled: true
+ processCollection: true
+ sbom:
+ enabled: true
+ containerImage:
+ enabled: true
+ uncompressedLayersSupport: true
+ host:
+ enabled: true
+ apm:
+ instrumentation:
+ skipKPITelemetry: true # https://github.com/DataDog/helm-charts/issues/1395
+clusterAgent:
+ tokenExistingSecret: datadog-secret
+agents:
+ tolerations: # datadog supports arm64
+ - key: kubernetes.io/arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
diff --git a/kubernetes/gke-prow/helm/external-secrets.yaml b/kubernetes/gke-prow/helm/external-secrets.yaml
index b9b94b19048..ab3e127d6ee 100644
--- a/kubernetes/gke-prow/helm/external-secrets.yaml
+++ b/kubernetes/gke-prow/helm/external-secrets.yaml
@@ -1,5 +1,5 @@
 extraObjects:
- - apiVersion: external-secrets.io/v1beta1
+ - apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
 name: k8s-infra-prow
@@ -7,7 +7,15 @@ extraObjects:
 provider:
 gcpsm:
 projectID: k8s-infra-prow
- - apiVersion: external-secrets.io/v1beta1
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: k8s-infra-prow-build
+ spec:
+ provider:
+ gcpsm:
+ projectID: k8s-infra-prow-build
+ - apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
 name: kubernetes-public
@@ -15,7 +23,7 @@ extraObjects:
 provider:
 gcpsm:
 projectID: kubernetes-public
- - apiVersion: external-secrets.io/v1beta1
+ - apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
 name: k8s-infra-prow-build-trusted
@@ -23,7 +31,7 @@ extraObjects:
 provider:
 gcpsm:
 projectID: k8s-infra-prow-build-trusted
- - apiVersion: monitoring.googleapis.com/v1
+ - apiVersion: monitoring.googleapis.com/v1
 kind: PodMonitoring
 metadata:
 labels:
@@ -34,5 +42,5 @@ extraObjects:
 matchLabels:
 app.kubernetes.io/name: external-secrets
 endpoints:
- - port: metrics
- interval: 30s
+ - port: metrics
+ interval: 30s
diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml
index 10e3b4e430c..a16a5764c20 100644
--- a/kubernetes/gke-utility/argocd/clusters.yaml
+++ b/kubernetes/gke-utility/argocd/clusters.yaml
@@ -70,6 +70,28 @@ stringData:
 }
 }
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gke-aaa
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+ clusterType: apps
+ environment: prod
+ cloud: gke
+type: Opaque
+stringData:
+ name: gke-aaa
+ server: https://gke-4d0eb7639c079dd868639801ff9cee7661c5-127754664067.us-central1.gke.goog
+ config: |
+ {
+ "execProviderConfig": {
+ "command": "argocd-k8s-auth",
+ "args": ["gcp"],
+ "apiVersion": "client.authentication.k8s.io/v1beta1"
+ }
+ }
+---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
diff --git a/kubernetes/gke-utility/datadog/kustomization.yaml b/kubernetes/gke-utility/datadog/kustomization.yaml
new file mode 100644
index 00000000000..fe7c2834574
--- /dev/null
+++ b/kubernetes/gke-utility/datadog/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: datadog
+
+helmCharts:
+ - name: datadog
+ repo: https://helm.datadoghq.com
+ releaseName: datadog
+ version: 3.135.4
+ valuesFile: values.yaml
+
+resources:
+ - secrets.yaml
diff --git a/kubernetes/gke-utility/datadog/secrets.yaml b/kubernetes/gke-utility/datadog/secrets.yaml
new file mode 100644
index 00000000000..0d64b30ff7e
--- /dev/null
+++ b/kubernetes/gke-utility/datadog/secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: datadog-secret
+spec:
+ dataFrom:
+ - extract:
+ key: datadog-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: k8s-infra-prow-build
diff --git a/kubernetes/gke-utility/datadog/values.yaml b/kubernetes/gke-utility/datadog/values.yaml
new file mode 100644
index 00000000000..c08395edea5
--- /dev/null
+++ b/kubernetes/gke-utility/datadog/values.yaml
@@ -0,0 +1,40 @@
+registry: gcr.io/datadoghq
+datadog:
+ apiKeyExistingSecret: datadog-secret
+ appKeyExistingSecret: datadog-secret
+ site: us5.datadoghq.com
+ clusterName: utility
+ logs:
+ enabled: true
+ containerCollectAll: true
+ prometheusScrape:
+ enabled: true
+ serviceEndpoints: true
+ # COS specific https://docs.datadoghq.com/containers/kubernetes/distributions?tab=helm#GKE
+ systemProbe:
+ enableDefaultKernelHeadersPaths: false
+ kubeStateMetricsCore:
+ enabled: true
+ networkMonitoring:
+ enabled: true
+ processAgent:
+ enabled: true
+ processCollection: true
+ sbom:
+ enabled: true
+ containerImage:
+ enabled: true
+ uncompressedLayersSupport: true
+ host:
+ enabled: true
+ apm:
+ instrumentation:
+ skipKPITelemetry: true # https://github.com/DataDog/helm-charts/issues/1395
+clusterAgent:
+ tokenExistingSecret: datadog-secret
+agents:
+ tolerations: # datadog supports arm64
+ - key: kubernetes.io/arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule