From 21dbcdba02dd773108214b4535d363ebf995aae6 Mon Sep 17 00:00:00 2001 From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com> Date: Thu, 11 Dec 2025 14:12:29 -0500 Subject: [PATCH 1/5] feat(linkerd): Add priority class and PDB for scheduling reliability --- .../aws/app-infrastructure/linkerd/helm.tf | 43 ++++++++++++++++++- .../app-infrastructure/linkerd/kubernetes.tf | 12 ++++++ 2 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 terraform/aws/app-infrastructure/linkerd/kubernetes.tf diff --git a/terraform/aws/app-infrastructure/linkerd/helm.tf b/terraform/aws/app-infrastructure/linkerd/helm.tf index b516e19..adb0dc5 100644 --- a/terraform/aws/app-infrastructure/linkerd/helm.tf +++ b/terraform/aws/app-infrastructure/linkerd/helm.tf @@ -75,11 +75,37 @@ resource "helm_release" "linkerd_control_plane" { { name = "identity.issuer.tls.keyPEM" value = tls_private_key.issuer.private_key_pem + }, + + # Scheduling and High Availability Configuration + # Ensures Linkerd components start before application pods + { + name = "priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + }, + { + name = "enablePodDisruptionBudget" + value = "true" + }, + { + name = "proxyInjector.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + }, + { + name = "destination.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + }, + { + name = "identity.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name } + ] + depends_on = [ - helm_release.linkerd_crds + helm_release.linkerd_crds, + kubernetes_priority_class.linkerd_critical ] } 
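Review bot: `enablePodDisruptionBudget` is set to "true" in the added entries, but nothing visible in this hunk raises the control-plane replica count, so the budget may protect nothing. With one replica each of identity, destination and proxy-injector, a drain that is allowed to evict one pod still takes the component, and with it certificate issuance and injection, offline. If the replica count is not set elsewhere in this resource, add `{ name = "controllerReplicas", value = "3" }` next to it. The per-component keys `proxyInjector.priorityClassName`, `destination.priorityClassName` and `identity.priorityClassName` should be checked against the chart's values file, because Helm ignores keys a chart does not read and the top-level `priorityClassName` may already cover them. The resource body starts and ends outside the hunk.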
@@ -92,5 +118,18 @@ resource "helm_release" "linkerd_viz" { namespace = var.linkerd_viz_namespace_name create_namespace = true version = var.linkerd_helm_version - depends_on = [helm_release.linkerd_crds, helm_release.linkerd_control_plane] + + # Use same priority class for consistency + set = { + name = "priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + } + + depends_on = [ + helm_release.linkerd_crds, + helm_release.linkerd_control_plane, + kubernetes_priority_class.linkerd_critical + ] + + } diff --git a/terraform/aws/app-infrastructure/linkerd/kubernetes.tf b/terraform/aws/app-infrastructure/linkerd/kubernetes.tf new file mode 100644 index 0000000..2da31bb --- /dev/null +++ b/terraform/aws/app-infrastructure/linkerd/kubernetes.tf @@ -0,0 +1,12 @@ +# Priority class to ensure Linkerd components are scheduled before application pods +# This addresses DEV-27: Linkerd scheduling requirements to prevent service mesh injection issues + +resource "kubernetes_priority_class" "linkerd_critical" { + metadata { + name = "linkerd-critical" + } + + value = 1000000 + description = "Priority class for Linkerd service mesh components to ensure they start before application pods during cluster scale operations" + global_default = false +} \ No newline at end of file From 04584dd369729ff093f7c4ed494b013c9d4b5240 Mon Sep 17 00:00:00 2001 From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com> Date: Mon, 5 Jan 2026 16:13:46 -0500 Subject: [PATCH 2/5] test: Remove provider configurations from module --- .../app-infrastructure/linkerd/providers.tf | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/terraform/aws/app-infrastructure/linkerd/providers.tf b/terraform/aws/app-infrastructure/linkerd/providers.tf index 687e6d1..7892593 100644 --- a/terraform/aws/app-infrastructure/linkerd/providers.tf +++ b/terraform/aws/app-infrastructure/linkerd/providers.tf 
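Review bot: Giving `linkerd-viz` the same `linkerd-critical` class as the control plane lets an optional observability extension preempt application pods; the added comment justifies it only as "for consistency". Viz does not appear to be on the path that injects or authenticates proxies, so consider leaving it at the default priority or giving it a second, lower class, and record the decision in the comment, e.g. `# viz is optional; it must not preempt workloads`. Also confirm that the viz chart reads a top-level `priorityClassName`, since an unread key is silently ignored. The explicit priority-class entry in `depends_on` is already implied by the reference in `value`.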
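Review bot: A PriorityClass is cluster-scoped, so once `linkerd-critical` (value 1000000) exists, any principal allowed to create pods in any namespace can name it and have its pods preempt lower-priority workloads; the new file creates the class with nothing that limits who may use it. Pair it with an admission policy, or with ResourceQuota objects scoped to this PriorityClass in the namespaces that should not consume it, and say so in the header comment, e.g. `# Use of this class is restricted to the Linkerd namespaces; see <quota/policy file>`. The file also ends without a trailing newline.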
@@ -22,19 +22,19 @@ terraform { } } - required_version = ">= 1.13.3" + required_version = ">= 1.3.0" } -provider "helm" { - kubernetes = { - host = var.eks_cluster_endpoint # module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data) # base64decode(module.eks.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.cluster.token - } -} +# provider "helm" { +# kubernetes = { +# host = var.eks_cluster_endpoint # module.eks.cluster_endpoint +# cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data) # base64decode(module.eks.cluster_certificate_authority_data) +# token = data.aws_eks_cluster_auth.cluster.token +# } +# } -provider "kubernetes" { - host = var.eks_cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.cluster.token -} \ No newline at end of file +# provider "kubernetes" { +# host = var.eks_cluster_endpoint +# cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data) +# token = data.aws_eks_cluster_auth.cluster.token +# } \ No newline at end of file From 66c48d163d5a308b6aa3fefa8a81d410ed19def3 Mon Sep 17 00:00:00 2001 From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com> Date: Mon, 5 Jan 2026 17:10:03 -0500 Subject: [PATCH 3/5] test: Support AWS provider 5.x and 6.x for broader compatibility --- terraform/aws/app-infrastructure/linkerd/providers.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/app-infrastructure/linkerd/providers.tf b/terraform/aws/app-infrastructure/linkerd/providers.tf index 7892593..7cb944b 100644 --- a/terraform/aws/app-infrastructure/linkerd/providers.tf +++ b/terraform/aws/app-infrastructure/linkerd/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 6.21.0, < 7.0.0" + version = ">= 5.0, < 7.0.0" } grafana = { source = "grafana/grafana" 
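Review bot: The two provider blocks are commented out rather than deleted, which leaves a stale copy of the cluster endpoint, CA and token wiring in the module that a later edit can uncomment by accident. Delete the lines, and if `data.aws_eks_cluster_auth.cluster` is declared elsewhere in this module only to feed them, remove that data source as well so the module no longer reads a cluster token it does not use. The same hunk lowers `required_version` from `>= 1.13.3` to `>= 1.3.0`, which the subject line does not mention; a comment such as `# floor lowered so roots on older Terraform can consume this module` would record the reason. The `terraform` block starts outside the hunk.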
From b6a8609dcdf5e99a2a2b876985279741f4c154dc Mon Sep 17 00:00:00 2001
From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com>
Date: Mon, 5 Jan 2026 19:15:23 -0500
Subject: [PATCH 4/5] test: Correct set block syntax for Helm provider 3.x
---
 .../aws/app-infrastructure/linkerd/helm.tf | 78 ++++++++++---------
 1 file changed, 40 insertions(+), 38 deletions(-)
diff --git a/terraform/aws/app-infrastructure/linkerd/helm.tf b/terraform/aws/app-infrastructure/linkerd/helm.tf
index adb0dc5..0002621 100644
--- a/terraform/aws/app-infrastructure/linkerd/helm.tf
+++ b/terraform/aws/app-infrastructure/linkerd/helm.tf
@@ -63,45 +63,47 @@ resource "helm_release" "linkerd_control_plane" { chart = var.linkerd_controlplane_chart #"linkerd-control-plane" version = var.linkerd_helm_version - set = [ - { - name = "identityTrustAnchorsPEM" - value = tls_locally_signed_cert.issuer.ca_cert_pem - }, - { - name = "identity.issuer.tls.crtPEM" - value = tls_locally_signed_cert.issuer.cert_pem - }, - { - name = "identity.issuer.tls.keyPEM" - value = tls_private_key.issuer.private_key_pem - }, - - # Scheduling and High Availability Configuration - # Ensures Linkerd components start before application pods - { - name = "priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - }, - { - name = "enablePodDisruptionBudget" - value = "true" - }, - { - name = "proxyInjector.priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - }, - { - name = "destination.priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - }, - { - name = "identity.priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - } + # Certificate configuration + set { + name = "identityTrustAnchorsPEM" + value = tls_self_signed_cert.ca.cert_pem + } - ] + set { + name = "identity.issuer.tls.crtPEM" + value = tls_locally_signed_cert.issuer.cert_pem + } + + set { + name = "identity.issuer.tls.keyPEM" + value = tls_private_key.issuer.private_key_pem + } + # NEW: Scheduling and High Availability Configuration + set { + name = "priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + } + + set { + name = "enablePodDisruptionBudget" + value = "true" + } + + set { + name = "proxyInjector.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + } + + set { + name = "destination.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + } + + set { + name = "identity.priorityClassName" + value = 
kubernetes_priority_class.linkerd_critical.metadata[0].name + } depends_on = [ helm_release.linkerd_crds, @@ -120,7 +122,7 @@ resource "helm_release" "linkerd_viz" { version = var.linkerd_helm_version # Use same priority class for consistency - set = { + set { name = "priorityClassName" value = kubernetes_priority_class.linkerd_critical.metadata[0].name } From d67a783d8e102f2be87779d170fe65c1e89052d0 Mon Sep 17 00:00:00 2001 From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com> Date: Mon, 5 Jan 2026 20:46:39 -0500 Subject: [PATCH 5/5] test: Correct set block syntax for Helm provider 3.x --- .../aws/app-infrastructure/linkerd/helm.tf | 88 +++++++++---------- 1 file changed, 41 insertions(+), 47 deletions(-) diff --git a/terraform/aws/app-infrastructure/linkerd/helm.tf b/terraform/aws/app-infrastructure/linkerd/helm.tf index 0002621..a341770 100644 --- a/terraform/aws/app-infrastructure/linkerd/helm.tf +++ b/terraform/aws/app-infrastructure/linkerd/helm.tf 
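Review bot: `identityTrustAnchorsPEM` changes its source from `tls_locally_signed_cert.issuer.ca_cert_pem` to `tls_self_signed_cert.ca.cert_pem` in the first hunk of a commit whose subject is only about `set` syntax. Both presumably resolve to the same CA certificate, but the trust anchor decides which issuer certificates every proxy accepts, so the switch deserves its own line in the commit message and a comment at the entry, e.g. `# trust anchor = the CA that signed tls_locally_signed_cert.issuer`. Confirm in a plan that the rendered value is unchanged, since a different anchor would likely break mTLS for proxies already running in the mesh. The resource body starts and ends outside the hunk.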
@@ -63,47 +63,40 @@ resource "helm_release" "linkerd_control_plane" { chart = var.linkerd_controlplane_chart #"linkerd-control-plane" version = var.linkerd_helm_version - # Certificate configuration - set { - name = "identityTrustAnchorsPEM" - value = tls_self_signed_cert.ca.cert_pem - } - - set { - name = "identity.issuer.tls.crtPEM" - value = tls_locally_signed_cert.issuer.cert_pem - } - - set { - name = "identity.issuer.tls.keyPEM" - value = tls_private_key.issuer.private_key_pem - } - - # NEW: Scheduling and High Availability Configuration - set { - name = "priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - } - - set { - name = "enablePodDisruptionBudget" - value = "true" - } - - set { - name = "proxyInjector.priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - } - - set { - name = "destination.priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - } - - set { - name = "identity.priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - } + set = [ + { + name = "identityTrustAnchorsPEM" + value = tls_self_signed_cert.ca.cert_pem + }, + { + name = "identity.issuer.tls.crtPEM" + value = tls_locally_signed_cert.issuer.cert_pem + }, + { + name = "identity.issuer.tls.keyPEM" + value = tls_private_key.issuer.private_key_pem + }, + { + name = "priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + }, + { + name = "enablePodDisruptionBudget" + value = "true" + }, + { + name = "proxyInjector.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + }, + { + name = "destination.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + }, + { + name = "identity.priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + } + ] depends_on = [ helm_release.linkerd_crds, 
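Review bot: The issuer private key is passed through the plain `set` list (`identity.issuer.tls.keyPEM`), so it is handled like any other chart value; the Helm provider has a separate `set_sensitive` argument for values that should be masked. Move that one entry out of `set`, e.g. `set_sensitive = [{ name = "identity.issuer.tls.keyPEM", value = tls_private_key.issuer.private_key_pem }]`. The key still lives in Terraform state through `tls_private_key.issuer`, so the state backend needs encryption and restricted access either way. This commit also drops the section comments the previous patch added and reuses its subject line while reverting its block syntax; a distinct subject would keep the history readable.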
@@ -112,6 +105,7 @@ resource "helm_release" "linkerd_control_plane" { } + # deploy linkerd-viz resource "helm_release" "linkerd_viz" { name = "linkerd-viz" @@ -121,12 +115,12 @@ resource "helm_release" "linkerd_viz" { create_namespace = true version = var.linkerd_helm_version - # Use same priority class for consistency - set { - name = "priorityClassName" - value = kubernetes_priority_class.linkerd_critical.metadata[0].name - } - + set = [ + { + name = "priorityClassName" + value = kubernetes_priority_class.linkerd_critical.metadata[0].name + } + ] depends_on = [ helm_release.linkerd_crds, helm_release.linkerd_control_plane,