feat!: opt prometheus stack into ambient #1445
chance-coleman merged 12 commits into main on Apr 14, 2025
## Description

Istio ambient components (CNI and Ztunnel) are currently present in uds-core but disabled by default. This PR:

- Makes istio ambient default in uds-core.
- Implement Gateway API CRDs (future requirement for keycloak work with ambient)
- Remove references to `istio-ambient` and update docs section

Breaking change: used to have `istio-ambient` component and `istio-controlplane`, now only have `istio-controlplane`. The two have been squashed together to improve developer experience and simplify the bundle/package experience.

## Related Issue

Fixes #1280

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Steps to Validate

- Verify that deploy uds-core standard package is successful and creates ambient workloads as well as new CRDs
- `uds run test-uds-core`
- `kubectl get crd -A` and validate these four crds are present:
  - gateway.networking.k8s gatewayclasses
  - gateway.networking.k8s httproutes
  - gateway.networking.k8s grpcroutes
  - gateway.networking.k8s referencegrants

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cgr.dev/du-uds-defenseunicorns/loki](https://images.chainguard.dev/directory/image/loki/overview) ([source](https://github.com/chainguard-images/images-private/tree/HEAD/images/loki)) | patch | `3.4.2` -> `3.4.3` |
| docker.io/grafana/loki | patch | `3.4.2` -> `3.4.3` |
| [registry1.dso.mil/ironbank/opensource/grafana/loki](https://github.com/grafana/loki) ([source](https://repo1.dso.mil/dsop/opensource/grafana/loki)) | patch | `3.4.2` -> `3.4.3` |

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com>
mjnagel (Contributor) reviewed on Apr 10, 2025 and left a comment:
Changes look good at a glance. I think we need to update/cleanup some documentation:
- Limitations on ambient: https://github.com/defenseunicorns/uds-core/blob/main/docs/reference/configuration/UDS%20operator/package.md?plain=1#L36 - this limitation should be gone
- Metrics docs: https://github.com/defenseunicorns/uds-core/blob/main/docs/reference/configuration/uds-monitoring-metrics.md?plain=1#L49-L51 - I think this can also be deleted? Metrics-server has permissive mTLS but is scraping fine, not sure if we should try to see what happens with a completely un-injected app though?
- Dev docs: https://github.com/defenseunicorns/uds-core/blob/main/docs/dev/monitoring-setup.md - this is mostly irrelevant now, maybe could update to note this was the previous setup for sidecar and some words about the new setup (which is very simple)?
Those were the ones I could find quickly, not sure if we might have other references. I did also find a few places where we have the skip-sm-mutate annotation that we may want to evaluate if it's necessary anymore:
mjnagel (Contributor) previously approved these changes on Apr 11, 2025 and left a comment:
LGTM overall, validated upgrading with GitLab in cluster and all metrics worked as expected. Two final comments:
- This might still be considered a breaking change if/because end users could create service monitors "for istio" (tls config) on top of core (without mutation) and this switch would break those. Likely an edge case, but I found a few packages around our org where that was the case. I think our un-mutate might still handle them for the ones I found, but there could be a weird combo of ignore annotations and pre-configured TLS config that would get missed. Open to opinions on this, maybe more something to note in the description/announcement than noting as breaking?
- We should be able to delete the prom podmonitor at this point since it will be redundant with the self monitoring service monitor.
mjnagel approved these changes on Apr 14, 2025
mjnagel pushed a commit that referenced this pull request on Apr 14, 2025:
🤖 I have created a release *beep* *boop*

---

## [0.40.0](v0.39.0...v0.40.0) (2025-04-14)

### ⚠ BREAKING CHANGES

* ServiceMonitors and PodMonitors no longer require TLS configuration for Istio, and may fail to scrape metrics if TLS configuration is present. The UDS Operator will handle removing this configuration from monitors in most cases, but may not update your monitor if TLS configuration was directly added separate from the Operator's mutations. In addition, the `istio-certs` and `exempt` scrape classes are no longer supplied as part of the Prometheus setup and should not be set on your monitoring resources going forward.
* `Package` CR validation will now prevent creating multiple `Package` CRs in the same namespace. Ensure that you only have a single `Package` CR per namespace before this upgrade, otherwise you may be unable to update them going forward.
* Istio Ambient workloads are now included by default with UDS Core. These workloads are now part of the `istio-controlplane` component (previously part of the optional `istio-ambient` component) - any override values/configuration should target this component instead of `istio-ambient`.
* Theming configuration for removing additional registration fields has moved under the `themeCustomizations` values (`settings.enableRegistrationFields`). If overriding `DISABLE_REGISTRATION_FIELDS` under `realmInitEnv`, you will need to switch to this new value.

### Features

* add serviceMesh.mode in Package CR ([#1386](#1386)) ([7e50b5d](7e50b5d))
* escape slashes in Keycloak Group names ([#1433](#1433)) ([6b6be2d](6b6be2d))
* make istio ambient components default in uds core ([#1428](#1428)) ([32d2752](32d2752))
* only allow creation of one `UDSPackage` per namespace ([#1372](#1372)) ([2f4dbac](2f4dbac))
* opt prometheus stack into ambient ([#1445](#1445)) ([793ccb8](793ccb8))
* recovering lost Keycloak credentials ([#1410](#1410)) ([0f3b536](0f3b536))
* task cleanup for Keycloak ([#1448](#1448)) ([5af6f2b](5af6f2b))

### Bug Fixes

* authpol remoteserviceaccount enablement ([#1415](#1415)) ([c6ae565](c6ae565))
* conditional pepr build in tasks ([#1414](#1414)) ([ea75df2](ea75df2))
* make exemptions conditional for `dev-setup` ([#1442](#1442)) ([4d7b471](4d7b471))
* move disable registration fields to theme values ([#1397](#1397)) ([61c67f0](61c67f0))
* remove flavor from dev deploy of prom CRDs task ([#1419](#1419)) ([10c9ff2](10c9ff2))

### Miscellaneous

* **ci:** add e2e tests for cloud distros ([#1259](#1259)) ([b116a96](b116a96))
* **deps:** update istio to v1.25.1 ([#1387](#1387)) ([c538ef4](c538ef4))
* **deps:** update loki ([#1349](#1349)) ([f087f55](f087f55))
* **deps:** update loki to v3.4.3 ([#1426](#1426)) ([cc7fbd1](cc7fbd1))
* **deps:** update neuvector to 5.4.3 ([#1368](#1368)) ([6c4b44e](6c4b44e))
* **deps:** update prometheus-stack ([#1402](#1402)) ([707b07d](707b07d))
* **deps:** update support dependencies to v3.28.14 ([#1435](#1435)) ([d29d1b5](d29d1b5))
* **deps:** update support dependencies to v3.28.15 ([#1441](#1441)) ([1e7ebce](1e7ebce))
* **deps:** update support dependencies to v3.4.8 ([#1450](#1450)) ([598242b](598242b))
* **deps:** update support dependencies to v4.6.1 ([#1451](#1451)) ([efb22ab](efb22ab))
* **deps:** update support-deps ([#1409](#1409)) ([d1ade16](d1ade16))
* **deps:** update support-deps ([#1418](#1418)) ([0eecf5f](0eecf5f))
* **deps:** update support-deps ([#1425](#1425)) ([9b6f681](9b6f681))
* **deps:** update support-deps ([#1443](#1443)) ([05def89](05def89))
* **deps:** update support-deps ([#1455](#1455)) ([ccd72cf](ccd72cf))
* **deps:** update vector ([#1444](#1444)) ([d36014d](d36014d))
* **deps:** update velero to v8.7.1 ([#1391](#1391)) ([ea4ed0f](ea4ed0f))
* **docs:** fix order of authpols doc ([#1408](#1408)) ([ee55ab1](ee55ab1))
* prefer `===` for comparisons ([#1412](#1412)) ([6963633](6963633))
* reduce sidecar cpu/memory requests for CI single-layer testing ([#1459](#1459)) ([cc8c405](cc8c405))
* remove watch and conditional logic around ambient component ([#1447](#1447)) ([d519af3](d519af3))
* update changelog ([#1406](#1406)) ([4239d95](4239d95))

### Documentation

* fix Velero doc link path ([#1456](#1456)) ([01cea57](01cea57))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
noahpb pushed a commit that referenced this pull request on Apr 15, 2025
noahpb pushed a commit that referenced this pull request on Apr 17, 2025:
## Description

Opt the prometheus-stack package into ambient mode.

Cleanup ambient directory and combine with the common directory. Operator changes to allow prometheus port in Deny and CUSTOM authorizationpolicies, also remove unnecessary operator pieces.

## Related Issue

Fixes #1423

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

BEGIN_COMMIT_OVERRIDE
feat!: opt prometheus stack into ambient (#1445)

BREAKING CHANGE: Prevents creation of Istio ServiceMonitors via TLS configs on top of core

Users can no longer create ServiceMonitors for Istio by layering TLS configuration on top of the core package. This breaks setups that relied on unmutated ServiceMonitors with custom TLS, which were previously allowed.

END_COMMIT_OVERRIDE

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
noahpb pushed a commit that referenced this pull request on Apr 17, 2025
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request on Nov 14, 2025
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request on Nov 14, 2025
## Description

Opt the prometheus-stack package into ambient mode.

Cleanup ambient directory and combine with the common directory. Operator changes to allow prometheus port in Deny and CUSTOM authorizationpolicies, also remove unnecessary operator pieces.

## Related Issue

Fixes #1423

## Type of change

## Checklist before merging

BEGIN_COMMIT_OVERRIDE
feat!: opt prometheus stack into ambient (#1445)

BREAKING CHANGE: ServiceMonitors and PodMonitors no longer require TLS configuration for Istio, and may fail to scrape metrics if TLS configuration is present. The UDS Operator will handle removing this configuration from monitors in most cases, but may not update your monitor if TLS configuration was directly added separate from the Operator's mutations. In addition, the `istio-certs` and `exempt` scrape classes are no longer supplied as part of the Prometheus setup and should not be set on your monitoring resources going forward.

END_COMMIT_OVERRIDE
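
A pre-upgrade check for the monitor breaking change described above, as an added example (not code from uds-core): it scans the JSON from `kubectl get servicemonitors,podmonitors -A -o json` for endpoint TLS settings and for the removed `istio-certs` and `exempt` scrape classes. The sample objects, the `example.invalid/skip-sm-mutate` annotation key (matched by suffix only) and the treatment of `scheme: https` as TLS configuration are assumptions.

```python
import json

# Scrape classes the 0.40.0 release notes say are no longer supplied.
REMOVED_SCRAPE_CLASSES = {"istio-certs", "exempt"}

# Endpoint list field for each monitor kind (prometheus-operator CRDs).
ENDPOINT_FIELD = {"ServiceMonitor": "endpoints", "PodMonitor": "podMetricsEndpoints"}

# Assumption: only the suffix is matched, because the page names the
# annotation "skip-sm-mutate" without giving its full key.
SKIP_MUTATE_SUFFIX = "skip-sm-mutate"


def audit_monitor(obj):
    """Return the findings for one ServiceMonitor or PodMonitor object."""
    field = ENDPOINT_FIELD.get(obj.get("kind"))
    if field is None:
        return []  # not a monitor resource
    spec = obj.get("spec") or {}
    findings = []
    scrape_class = spec.get("scrapeClass")
    if scrape_class in REMOVED_SCRAPE_CLASSES:
        findings.append(f"scrapeClass '{scrape_class}' is no longer supplied")
    tls_seen = False
    for i, endpoint in enumerate(spec.get(field) or []):
        if endpoint.get("tlsConfig"):
            findings.append(f"{field}[{i}].tlsConfig is set")
            tls_seen = True
        # Assumption: an https scheme is counted as TLS configuration too.
        if str(endpoint.get("scheme") or "").lower() == "https":
            findings.append(f"{field}[{i}].scheme is https")
            tls_seen = True
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    if tls_seen and any(key.endswith(SKIP_MUTATE_SUFFIX) for key in annotations):
        # The review discussion warns that ignore annotations combined with
        # pre-configured TLS may be missed by the Operator's clean-up.
        findings.append("skip-sm-mutate annotation present: fix TLS settings by hand")
    return findings


def audit(listing):
    """Map 'Kind/namespace/name' to findings for every flagged monitor."""
    report = {}
    for obj in listing.get("items") or []:
        findings = audit_monitor(obj)
        if findings:
            meta = obj.get("metadata") or {}
            key = f"{obj.get('kind')}/{meta.get('namespace')}/{meta.get('name')}"
            report[key] = findings
    return report


# Constructed sample standing in for the kubectl JSON output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ServiceMonitor",
   "metadata": {"name": "app-a", "namespace": "team-a",
                "annotations": {"example.invalid/skip-sm-mutate": "true"}},
   "spec": {"scrapeClass": "istio-certs",
            "endpoints": [{"port": "metrics", "scheme": "https",
                           "tlsConfig": {"insecureSkipVerify": true}}]}},
  {"kind": "PodMonitor",
   "metadata": {"name": "app-b", "namespace": "team-b"},
   "spec": {"podMetricsEndpoints": [{"port": "metrics"}]}},
  {"kind": "PodMonitor",
   "metadata": {"name": "app-c", "namespace": "team-c"},
   "spec": {"scrapeClass": "exempt",
            "podMetricsEndpoints": [{"port": "metrics"}]}}
]}
""")

if __name__ == "__main__":
    for resource, findings in audit(SAMPLE).items():
        print(resource)
        for finding in findings:
            print("  -", finding)
```
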