constellation/internal/helm/charts/cilium/templates/validate.yaml

{{/* validate hubble config */}}
{{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }}
  {{- if not .Values.hubble.relay.enabled }}
    {{ fail "Hubble UI requires .Values.hubble.relay.enabled=true" }}
  {{- end }}
{{- end }}
{{- if and .Values.hubble.ui.enabled .Values.hubble.ui.standalone.enabled .Values.hubble.relay.tls.server.enabled }}
  {{- if not .Values.hubble.ui.standalone.tls.certsVolume }}
    {{ fail "Hubble UI in standalone with Hubble Relay server TLS enabled requires providing .Values.hubble.ui.standalone.tls.certsVolume for mounting client certificates in the backend pod" }}
  {{- end }}
{{- end }}
{{- if .Values.hubble.relay.enabled }}
  {{- if not .Values.hubble.enabled }}
    {{ fail "Hubble Relay requires .Values.hubble.enabled=true" }}
  {{- end }}
{{- end }}

{{/* validate service monitoring CRDs */}}
{{- if or (and .Values.prometheus.enabled .Values.prometheus.serviceMonitor.enabled) (and .Values.operator.prometheus.enabled .Values.operator.prometheus.serviceMonitor.enabled) (and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled .Values.envoy.prometheus.serviceMonitor.enabled) (and .Values.proxy.prometheus.enabled .Values.hubble.relay.prometheus.enabled .Values.hubble.relay.prometheus.serviceMonitor.enabled) }}
  {{- if not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }}
      {{- if not .Values.prometheus.serviceMonitor.trustCRDsExist }}
          {{ fail "Service Monitor requires monitoring.coreos.com/v1 CRDs. Please refer to https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml or set .Values.prometheus.serviceMonitor.trustCRDsExist=true" }}
      {{- end }}
  {{- end }}
{{- end }}

{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") }}
  {{- if not .Values.hubble.tls.auto.certManagerIssuerRef }}
    {{ fail "Hubble TLS certgen method=certmanager requires that user specifies .Values.hubble.tls.auto.certManagerIssuerRef" }}
  {{- end }}
{{- end }}

{{- if and .Values.hubble.redact.http.headers.allow .Values.hubble.redact.http.headers.deny }}
  {{ fail "Only one of .Values.hubble.redact.http.headers.allow, .Values.hubble.redact.http.headers.deny can be specified"}}
{{- end }}

{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }}
  {{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
    {{ fail "ClusterMesh TLS certgen method=certmanager requires that user specifies .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef" }}
  {{- end }}
{{- end }}

{{/* validate hubble-ui specific config */}}
{{- if and .Values.hubble.ui.enabled
  (ne .Values.hubble.ui.backend.image.tag "latest")
  (ne .Values.hubble.ui.frontend.image.tag "latest") }}
  {{- if regexReplaceAll "@.*$" .Values.hubble.ui.backend.image.tag "" | trimPrefix "v" | semverCompare "<0.9.0" }}
    {{ fail "Hubble UI requires hubble.ui.backend.image.tag to be '>=v0.9.0'" }}
  {{- end }}
  {{- if regexReplaceAll "@.*$" .Values.hubble.ui.frontend.image.tag "" | trimPrefix "v" | semverCompare "<0.9.0" }}
    {{ fail "Hubble UI requires hubble.ui.frontend.image.tag to be '>=v0.9.0'" }}
  {{- end }}
{{- end }}

{{- if or .Values.ingressController.enabled .Values.gatewayAPI.enabled (eq .Values.loadBalancer.l7.backend "envoy") }}
  {{- if hasKey .Values "l7Proxy" }}
    {{- if not .Values.l7Proxy }}
      {{ fail "Ingress or Gateway API controller or Envoy L7 Load Balancer  requires .Values.l7Proxy to be set to 'true'" }}
    {{- end }}
  {{- end }}
{{- end }}

{{- if or .Values.envoyConfig.enabled .Values.ingressController.enabled .Values.gatewayAPI.enabled }}
  {{- if or (eq (toString .Values.kubeProxyReplacement) "disabled") (and (not (hasKey .Values "kubeProxyReplacement")) (not (semverCompare ">=1.14" (default "1.14" .Values.upgradeCompatibility)))) }}
    {{ fail "Ingress/Gateway API controller and EnvoyConfig require .Values.kubeProxyReplacement to be explicitly set to 'false' or 'true'" }}
  {{- end }}
{{- end }}

{{- if .Values.authentication.mutual.spire.enabled }}
  {{- if not .Values.authentication.enabled }}
    {{ fail "SPIRE integration requires .Values.authentication.enabled=true and .Values.authentication.mutual.spire.enabled=true" }}
  {{- end }}
{{- end }}

{{/* validate Cilium operator */}}
{{- if eq .Values.enableCiliumEndpointSlice true }}
  {{- if eq .Values.disableEndpointCRD true }}
    {{ fail "if Cilium Endpoint Slice is enabled (.Values.enableCiliumEndpointSlice=true), it requires .Values.disableEndpointCRD=false" }}
  {{- end }}
{{- end }}

{{/* validate clustermesh-apiserver */}}
{{- if .Values.clustermesh.useAPIServer }}
  {{- if ne .Values.identityAllocationMode "crd" }}
    {{ fail (printf "The clustermesh-apiserver cannot be enabled in combination with .Values.identityAllocationMode=%s. To establish a Cluster Mesh, directly configure the parameters to access the remote kvstore through .Values.clustermesh.config" .Values.identityAllocationMode ) }}
  {{- end }}
  {{- if .Values.disableEndpointCRD }}
    {{ fail "The clustermesh-apiserver cannot be enabled in combination with .Values.disableEndpointCRD=true" }}
  {{- end }}
{{- end }}
{{- if .Values.externalWorkloads.enabled }}
  {{- if ne .Values.identityAllocationMode "crd" }}
    {{ fail (printf "External workloads support cannot be enabled in combination with .Values.identityAllocationMode=%s" .Values.identityAllocationMode ) }}
  {{- end }}
  {{- if .Values.disableEndpointCRD }}
    {{ fail "External workloads support cannot be enabled in combination with .Values.disableEndpointCRD=true" }}
  {{- end }}
{{- end }}
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`{{/* validate hubble config */}}`
			`{{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }}`
			`{{- if not .Values.hubble.relay.enabled }}`
			`{{ fail "Hubble UI requires .Values.hubble.relay.enabled=true" }}`
			`{{- end }}`
			`{{- end }}`
			`{{- if and .Values.hubble.ui.enabled .Values.hubble.ui.standalone.enabled .Values.hubble.relay.tls.server.enabled }}`
			`{{- if not .Values.hubble.ui.standalone.tls.certsVolume }}`
			`{{ fail "Hubble UI in standalone with Hubble Relay server TLS enabled requires providing .Values.hubble.ui.standalone.tls.certsVolume for mounting client certificates in the backend pod" }}`
			`{{- end }}`
			`{{- end }}`
			`{{- if .Values.hubble.relay.enabled }}`
			`{{- if not .Values.hubble.enabled }}`
			`{{ fail "Hubble Relay requires .Values.hubble.enabled=true" }}`
			`{{- end }}`
			`{{- end }}`

			`{{/* validate service monitoring CRDs */}}`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`{{- if or (and .Values.prometheus.enabled .Values.prometheus.serviceMonitor.enabled) (and .Values.operator.prometheus.enabled .Values.operator.prometheus.serviceMonitor.enabled) (and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled .Values.envoy.prometheus.serviceMonitor.enabled) (and .Values.proxy.prometheus.enabled .Values.hubble.relay.prometheus.enabled .Values.hubble.relay.prometheus.serviceMonitor.enabled) }}`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`{{- if not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }}`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`{{- if not .Values.prometheus.serviceMonitor.trustCRDsExist }}`
			`{{ fail "Service Monitor requires monitoring.coreos.com/v1 CRDs. Please refer to https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml or set .Values.prometheus.serviceMonitor.trustCRDsExist=true" }}`
			`{{- end }}`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`{{- end }}`
			`{{- end }}`

			`{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") }}`
			`{{- if not .Values.hubble.tls.auto.certManagerIssuerRef }}`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`{{ fail "Hubble TLS certgen method=certmanager requires that user specifies .Values.hubble.tls.auto.certManagerIssuerRef" }}`
			`{{- end }}`
			`{{- end }}`

			`{{- if and .Values.hubble.redact.http.headers.allow .Values.hubble.redact.http.headers.deny }}`
			`{{ fail "Only one of .Values.hubble.redact.http.headers.allow, .Values.hubble.redact.http.headers.deny can be specified"}}`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`{{- end }}`

			`{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }}`
			`{{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00			`{{ fail "ClusterMesh TLS certgen method=certmanager requires that user specifies .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef" }}`
			`{{- end }}`
deploy cilium via helmchart (#321) 2022-08-12 04:20:19 -04:00			`{{- end }}`

			`{{/* validate hubble-ui specific config */}}`
			`{{- if and .Values.hubble.ui.enabled`
			`(ne .Values.hubble.ui.backend.image.tag "latest")`
			`(ne .Values.hubble.ui.frontend.image.tag "latest") }}`
			`{{- if regexReplaceAll "@.*$" .Values.hubble.ui.backend.image.tag "" \| trimPrefix "v" \| semverCompare "<0.9.0" }}`
			`{{ fail "Hubble UI requires hubble.ui.backend.image.tag to be '>=v0.9.0'" }}`
			`{{- end }}`
			`{{- if regexReplaceAll "@.*$" .Values.hubble.ui.frontend.image.tag "" \| trimPrefix "v" \| semverCompare "<0.9.0" }}`
			`{{ fail "Hubble UI requires hubble.ui.frontend.image.tag to be '>=v0.9.0'" }}`
			`{{- end }}`
			`{{- end }}`
deps: update cilium Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork. 2023-10-16 13:14:53 -04:00
			`{{- if or .Values.ingressController.enabled .Values.gatewayAPI.enabled (eq .Values.loadBalancer.l7.backend "envoy") }}`
			`{{- if hasKey .Values "l7Proxy" }}`
			`{{- if not .Values.l7Proxy }}`
			`{{ fail "Ingress or Gateway API controller or Envoy L7 Load Balancer requires .Values.l7Proxy to be set to 'true'" }}`
			`{{- end }}`
			`{{- end }}`
			`{{- end }}`

			`{{- if or .Values.envoyConfig.enabled .Values.ingressController.enabled .Values.gatewayAPI.enabled }}`
			`{{- if or (eq (toString .Values.kubeProxyReplacement) "disabled") (and (not (hasKey .Values "kubeProxyReplacement")) (not (semverCompare ">=1.14" (default "1.14" .Values.upgradeCompatibility)))) }}`
			`{{ fail "Ingress/Gateway API controller and EnvoyConfig require .Values.kubeProxyReplacement to be explicitly set to 'false' or 'true'" }}`
			`{{- end }}`
			`{{- end }}`

			`{{- if .Values.authentication.mutual.spire.enabled }}`
			`{{- if not .Values.authentication.enabled }}`
			`{{ fail "SPIRE integration requires .Values.authentication.enabled=true and .Values.authentication.mutual.spire.enabled=true" }}`
			`{{- end }}`
			`{{- end }}`

			`{{/* validate Cilium operator */}}`
			`{{- if eq .Values.enableCiliumEndpointSlice true }}`
			`{{- if eq .Values.disableEndpointCRD true }}`
			`{{ fail "if Cilium Endpoint Slice is enabled (.Values.enableCiliumEndpointSlice=true), it requires .Values.disableEndpointCRD=false" }}`
			`{{- end }}`
			`{{- end }}`

			`{{/* validate clustermesh-apiserver */}}`
			`{{- if .Values.clustermesh.useAPIServer }}`
			`{{- if ne .Values.identityAllocationMode "crd" }}`
			`{{ fail (printf "The clustermesh-apiserver cannot be enabled in combination with .Values.identityAllocationMode=%s. To establish a Cluster Mesh, directly configure the parameters to access the remote kvstore through .Values.clustermesh.config" .Values.identityAllocationMode ) }}`
			`{{- end }}`
			`{{- if .Values.disableEndpointCRD }}`
			`{{ fail "The clustermesh-apiserver cannot be enabled in combination with .Values.disableEndpointCRD=true" }}`
			`{{- end }}`
			`{{- end }}`
			`{{- if .Values.externalWorkloads.enabled }}`
			`{{- if ne .Values.identityAllocationMode "crd" }}`
			`{{ fail (printf "External workloads support cannot be enabled in combination with .Values.identityAllocationMode=%s" .Values.identityAllocationMode ) }}`
			`{{- end }}`
			`{{- if .Values.disableEndpointCRD }}`
			`{{ fail "External workloads support cannot be enabled in combination with .Values.disableEndpointCRD=true" }}`
			`{{- end }}`
			`{{- end }}`