From 9478303f8035b3826701291ce04f5664b1854ac0 Mon Sep 17 00:00:00 2001 From: 3u13r Date: Fri, 12 Aug 2022 10:20:19 +0200 Subject: [PATCH] deploy cilium via helmchart (#321) --- .github/workflows/test-shellcheck.yml | 4 +- CHANGELOG.md | 3 +- bootstrapper/cloudprovider/gcp/client.go | 5 +- bootstrapper/cloudprovider/gcp/client_test.go | 6 +- bootstrapper/cmd/bootstrapper/test.go | 2 +- bootstrapper/initproto/init.pb.go | 53 +- bootstrapper/initproto/init.proto | 1 + .../internal/initserver/initserver.go | 2 + .../internal/initserver/initserver_test.go | 2 +- .../internal/kubernetes/k8sapi/util.go | 114 +- bootstrapper/internal/kubernetes/k8sutil.go | 2 +- .../internal/kubernetes/kubernetes.go | 5 +- .../internal/kubernetes/kubernetes_test.go | 12 +- cli/internal/cmd/helmloader.go | 13 + cli/internal/cmd/init.go | 15 +- cli/internal/cmd/init_test.go | 11 +- cli/internal/helm/charts/cilium/.helmignore | 23 + cli/internal/helm/charts/cilium/Chart.yaml | 127 + cli/internal/helm/charts/cilium/LICENSE | 202 ++ cli/internal/helm/charts/cilium/README.md | 474 ++++ .../helm/charts/cilium/README.md.gotmpl | 54 + .../cilium/files/nodeinit/poststart-eni.bash | 21 + .../charts/cilium/files/nodeinit/prestop.bash | 56 + .../charts/cilium/files/nodeinit/startup.bash | 168 ++ .../helm/charts/cilium/templates/NOTES.txt | 22 + .../helm/charts/cilium/templates/_helpers.tpl | 134 ++ .../templates/cilium-agent/clusterrole.yaml | 124 + .../cilium-agent/clusterrolebinding.yaml | 14 + .../templates/cilium-agent/daemonset.yaml | 844 +++++++ .../cilium/templates/cilium-agent/role.yaml | 16 + .../templates/cilium-agent/rolebinding.yaml | 15 + .../templates/cilium-agent/service.yaml | 46 + .../cilium-agent/serviceaccount.yaml | 11 + .../cilium-agent/servicemonitor.yaml | 30 + .../cilium/templates/cilium-ca-secret.yaml | 17 + .../cilium/templates/cilium-configmap.yaml | 950 ++++++++ .../templates/cilium-ingress-class.yaml | 8 + .../templates/cilium-nodeinit/daemonset.yaml | 111 + .../templates/cilium-operator/_helpers.tpl | 36 + .../cilium-operator/clusterrole.yaml | 225 ++ .../cilium-operator/clusterrolebinding.yaml | 14 + .../templates/cilium-operator/deployment.yaml | 278 +++ .../cilium-operator/poddisruptionbudget.yaml | 22 + .../templates/cilium-operator/role.yaml | 16 + .../cilium-operator/rolebinding.yaml | 15 + .../templates/cilium-operator/secret.yaml | 13 + .../templates/cilium-operator/service.yaml | 21 + .../cilium-operator/serviceaccount.yaml | 15 + .../cilium-operator/servicemonitor.yaml | 30 + .../cilium-preflight/clusterrole.yaml | 124 + .../cilium-preflight/clusterrolebinding.yaml | 14 + .../templates/cilium-preflight/daemonset.yaml | 188 ++ .../cilium-preflight/deployment.yaml | 88 + .../cilium-preflight/poddisruptionbudget.yaml | 22 + .../cilium-preflight/serviceaccount.yaml | 11 + .../templates/cilium-resource-quota.yaml | 35 + .../templates/cilium-secrets-namespace.yaml | 6 + .../clustermesh-apiserver/clusterrole.yaml | 66 + .../clusterrolebinding.yaml | 14 + .../clustermesh-apiserver/deployment.yaml | 170 ++ .../poddisruptionbudget.yaml | 20 + .../clustermesh-apiserver/service.yaml | 25 + .../clustermesh-apiserver/serviceaccount.yaml | 11 + .../tls-certmanager/_helpers.tpl | 9 + .../tls-certmanager/admin-secret.yaml | 16 + .../tls-certmanager/client-secret.yaml | 14 + .../clustermesh-apiserver-issuer.yaml | 21 + .../tls-certmanager/remote-secret.yaml | 14 + .../tls-certmanager/server-secret.yaml | 26 + .../tls-cronjob/_job-spec.tpl | 53 + .../tls-cronjob/ca-secret.yaml | 15 + .../tls-cronjob/cronjob.yaml | 14 + .../tls-cronjob/job.yaml | 20 + .../tls-cronjob/role.yaml | 35 + .../tls-cronjob/rolebinding.yaml | 15 + .../tls-cronjob/serviceaccount.yaml | 11 + .../tls-helm/_helpers.tpl | 37 + .../tls-helm/admin-secret.yaml | 17 + .../tls-helm/ca-secret.yaml | 12 + .../tls-helm/client-secret.yaml | 16 + .../tls-helm/remote-secret.yaml | 16 + .../tls-helm/server-secret.yaml | 18 + .../tls-provided/admin-secret.yaml | 12 + .../tls-provided/ca-secret.yaml | 12 + .../tls-provided/client-secret.yaml | 12 + .../tls-provided/remote-secret.yaml | 12 + .../tls-provided/server-secret.yaml | 12 + .../templates/clustermesh-config/_helpers.tpl | 14 + .../clustermesh-secret.yaml | 15 + .../cilium-etcd-operator-clusterrole.yaml | 73 + ...lium-etcd-operator-clusterrolebinding.yaml | 14 + .../cilium-etcd-operator-deployment.yaml | 90 + .../cilium-etcd-operator-serviceaccount.yaml | 11 + .../etcd-operator-clusterrole.yaml | 54 + .../etcd-operator-clusterrolebinding.yaml | 14 + .../etcd-operator-serviceaccount.yaml | 11 + .../etcd-operator/poddisruptionbudget.yaml | 22 + .../templates/hubble-relay/configmap.yaml | 41 + .../templates/hubble-relay/deployment.yaml | 146 ++ .../hubble-relay/metrics-service.yaml | 20 + .../hubble-relay/poddisruptionbudget.yaml | 20 + .../templates/hubble-relay/service.yaml | 24 + .../hubble-relay/serviceaccount.yaml | 11 + .../hubble-relay/servicemonitor.yaml | 26 + .../cilium/templates/hubble-ui/_nginx.tpl | 37 + .../templates/hubble-ui/clusterrole.yaml | 44 + .../hubble-ui/clusterrolebinding.yaml | 14 + .../cilium/templates/hubble-ui/configmap.yaml | 10 + .../templates/hubble-ui/deployment.yaml | 142 ++ .../cilium/templates/hubble-ui/ingress.yaml | 29 + .../hubble-ui/poddisruptionbudget.yaml | 20 + .../cilium/templates/hubble-ui/service.yaml | 20 + .../templates/hubble-ui/serviceaccount.yaml | 11 + .../templates/hubble/metrics-service.yaml | 27 + .../cilium/templates/hubble/peer-service.yaml | 24 + .../templates/hubble/servicemonitor.yaml | 32 + .../hubble/tls-certmanager/_helpers.tpl | 9 + .../hubble/tls-certmanager/hubble-issuer.yaml | 21 + .../tls-certmanager/relay-client-secret.yaml | 16 + .../tls-certmanager/relay-server-secret.yaml | 25 + .../hubble/tls-certmanager/server-secret.yaml | 26 + .../tls-certmanager/ui-client-certs.yaml | 16 + .../hubble/tls-cronjob/_job-spec.tpl | 59 + .../hubble/tls-cronjob/ca-secret.yaml | 15 + .../hubble/tls-cronjob/clusterrole.yaml | 33 + .../tls-cronjob/clusterrolebinding.yaml | 14 + .../templates/hubble/tls-cronjob/cronjob.yaml | 14 + .../templates/hubble/tls-cronjob/job.yaml | 20 + .../hubble/tls-cronjob/serviceaccount.yaml | 11 + .../templates/hubble/tls-helm/_helpers.tpl | 37 + .../templates/hubble/tls-helm/ca-secret.yaml | 12 + .../hubble/tls-helm/relay-client-secret.yaml | 17 + .../hubble/tls-helm/relay-server-secret.yaml | 18 + .../hubble/tls-helm/server-secret.yaml | 18 + .../hubble/tls-helm/ui-client-certs.yaml | 17 + .../hubble/tls-provided/ca-secret.yaml | 12 + .../tls-provided/relay-client-secret.yaml | 12 + .../tls-provided/relay-server-secret.yaml | 12 + .../hubble/tls-provided/server-secret.yaml | 12 + .../hubble/tls-provided/ui-client-certs.yaml | 12 + .../charts/cilium/templates/validate.yaml | 47 + cli/internal/helm/charts/cilium/values.yaml | 2122 +++++++++++++++++ .../helm/charts/cilium/values.yaml.tmpl | 2117 ++++++++++++++++ cli/internal/helm/cilium.patch | 25 + cli/internal/helm/generateCilium.sh | 10 + cli/internal/helm/loader.go | 141 ++ cli/internal/helm/values.go | 81 + go.mod | 100 +- go.sum | 176 +- hack/go.mod | 10 +- hack/go.sum | 15 +- internal/constants/constants.go | 6 + internal/deploy/helm/helm.go | 12 + 153 files changed, 11837 insertions(+), 134 deletions(-) create mode 100644 cli/internal/cmd/helmloader.go create mode 100644 cli/internal/helm/charts/cilium/.helmignore create mode 100644 cli/internal/helm/charts/cilium/Chart.yaml create mode 100644 cli/internal/helm/charts/cilium/LICENSE create mode 100644 cli/internal/helm/charts/cilium/README.md create mode 100644 cli/internal/helm/charts/cilium/README.md.gotmpl create mode 100644 cli/internal/helm/charts/cilium/files/nodeinit/poststart-eni.bash create mode 100644 cli/internal/helm/charts/cilium/files/nodeinit/prestop.bash create mode 100644 cli/internal/helm/charts/cilium/files/nodeinit/startup.bash create mode 100644 cli/internal/helm/charts/cilium/templates/NOTES.txt create mode 100644 cli/internal/helm/charts/cilium/templates/_helpers.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/role.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/rolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-ca-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-ingress-class.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/_helpers.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/role.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/rolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-operator/servicemonitor.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-preflight/deployment.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-preflight/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-resource-quota.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/cilium-secrets-namespace.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-config/_helpers.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-relay/configmap.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-relay/deployment.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-relay/metrics-service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-relay/service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-relay/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-relay/servicemonitor.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/_nginx.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/configmap.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/deployment.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/ingress.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble-ui/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/metrics-service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/peer-service.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/servicemonitor.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/_helpers.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/ca-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/job.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-helm/_helpers.tpl create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ca-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-helm/server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ca-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-provided/server-secret.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml create mode 100644 cli/internal/helm/charts/cilium/templates/validate.yaml create mode 100644 cli/internal/helm/charts/cilium/values.yaml create mode 100644 cli/internal/helm/charts/cilium/values.yaml.tmpl create mode 100644 cli/internal/helm/cilium.patch create mode 100755 cli/internal/helm/generateCilium.sh create mode 100644 cli/internal/helm/loader.go create mode 100644 cli/internal/helm/values.go create mode 100644 internal/deploy/helm/helm.go diff --git a/.github/workflows/test-shellcheck.yml b/.github/workflows/test-shellcheck.yml index da3ac2c56..2d2916a7e 100644 --- a/.github/workflows/test-shellcheck.yml +++ b/.github/workflows/test-shellcheck.yml @@ -18,7 +18,7 @@ jobs: - name: Checkout uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - name: Run ShellCheck - uses: ludeeus/action-shellcheck@94e0aab03ca135d11a35e5bfc14e6746dc56e7e9 + uses: ludeeus/action-shellcheck@203a3fd018dfe73f8ae7e3aa8da2c149a5f41c33 with: severity: error - ignore_names: merge_config.sh + ignore_paths: charts/cilium diff --git a/CHANGELOG.md b/CHANGELOG.md index 7255b31bf..5d5441e69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,8 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Kubernetes operator for Constellation nodes with ability to update node images. - - +- cilium strict pod2pod encryption. ### Changed ### Deprecated diff --git a/bootstrapper/cloudprovider/gcp/client.go b/bootstrapper/cloudprovider/gcp/client.go index b7425d446..334a068ed 100644 --- a/bootstrapper/cloudprovider/gcp/client.go +++ b/bootstrapper/cloudprovider/gcp/client.go @@ -206,10 +206,11 @@ func (c *Client) RetrieveSubnetworkAliasCIDR(ctx context.Context, project, zone, if err != nil { return "", fmt.Errorf("retrieving subnetwork alias CIDR failed: %w", err) } - if subnetwork == nil || subnetwork.IpCidrRange == nil || *subnetwork.IpCidrRange == "" { + if subnetwork == nil || len(subnetwork.SecondaryIpRanges) == 0 || (subnetwork.SecondaryIpRanges[0]).IpCidrRange == nil { return "", fmt.Errorf("retrieving subnetwork alias CIDR returned invalid results") } - return *subnetwork.IpCidrRange, nil + + return *(subnetwork.SecondaryIpRanges[0]).IpCidrRange, nil } // RetrieveLoadBalancerIP returns the IP address of the load balancer specified by project, zone and loadBalancerName. diff --git a/bootstrapper/cloudprovider/gcp/client_test.go b/bootstrapper/cloudprovider/gcp/client_test.go index 57d79ea83..b1df81ec4 100644 --- a/bootstrapper/cloudprovider/gcp/client_test.go +++ b/bootstrapper/cloudprovider/gcp/client_test.go @@ -701,7 +701,11 @@ func TestRetrieveSubnetworkAliasCIDR(t *testing.T) { }, stubSubnetworksClient: stubSubnetworksClient{ GetSubnetwork: &computepb.Subnetwork{ - IpCidrRange: &aliasCIDR, + SecondaryIpRanges: []*computepb.SubnetworkSecondaryRange{ + { + IpCidrRange: proto.String(aliasCIDR), + }, + }, }, }, wantAliasCIDR: aliasCIDR, diff --git a/bootstrapper/cmd/bootstrapper/test.go b/bootstrapper/cmd/bootstrapper/test.go index b9ae838ec..735dd32a5 100644 --- a/bootstrapper/cmd/bootstrapper/test.go +++ b/bootstrapper/cmd/bootstrapper/test.go @@ -14,7 +14,7 @@ import ( type clusterFake struct{} // InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster. -func (c *clusterFake) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, *logger.Logger, +func (c *clusterFake) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger, ) ([]byte, error) { return []byte{}, nil } diff --git a/bootstrapper/initproto/init.pb.go b/bootstrapper/initproto/init.pb.go index bd93fc415..7bd3f2c04 100644 --- a/bootstrapper/initproto/init.pb.go +++ b/bootstrapper/initproto/init.pb.go @@ -35,6 +35,7 @@ type InitRequest struct { KubernetesVersion string `protobuf:"bytes,8,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"` SshUserKeys []*SSHUserKey `protobuf:"bytes,9,rep,name=ssh_user_keys,json=sshUserKeys,proto3" json:"ssh_user_keys,omitempty"` Salt []byte `protobuf:"bytes,10,opt,name=salt,proto3" json:"salt,omitempty"` + HelmDeployments []byte `protobuf:"bytes,11,opt,name=helm_deployments,json=helmDeployments,proto3" json:"helm_deployments,omitempty"` } func (x *InitRequest) Reset() { @@ -139,6 +140,13 @@ func (x *InitRequest) GetSalt() []byte { return nil } +func (x *InitRequest) GetHelmDeployments() []byte { + if x != nil { + return x.HelmDeployments + } + return nil +} + type InitResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -261,7 +269,7 @@ var File_init_proto protoreflect.FileDescriptor var file_init_proto_rawDesc = []byte{ 0x0a, 0x0a, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x69, 0x6e, - 0x69, 0x74, 0x22, 0xb5, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x69, 0x74, 0x22, 0xe0, 0x03, 0x0a, 0x0b, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67, 0x5f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x61, 0x75, 0x74, 0x6f, 0x73, 0x63, 0x61, 0x6c, 0x69, 0x6e, 0x67, @@ -288,26 +296,29 @@ var file_init_proto_rawDesc = []byte{ 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x0b, 0x73, 0x73, 0x68, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x18, 0x0a, - 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e, - 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, - 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, - 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, - 0x6e, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, - 0x6e, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, - 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, - 0x65, 0x72, 0x49, 0x64, 0x22, 0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, - 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, - 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a, - 0x03, 0x41, 0x50, 0x49, 0x12, 0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, - 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x12, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, - 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74, - 0x73, 0x74, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x73, 0x61, 0x6c, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x68, 0x65, + 0x6c, 0x6d, 0x5f, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x0b, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x68, 0x65, 0x6c, 0x6d, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, + 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x63, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x5f, 0x69, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x49, 0x64, + 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x64, 0x22, + 0x47, 0x0a, 0x0a, 0x53, 0x53, 0x48, 0x55, 0x73, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a, + 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x32, 0x34, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, + 0x2d, 0x0a, 0x04, 0x49, 0x6e, 0x69, 0x74, 0x12, 0x11, 0x2e, 0x69, 0x6e, 0x69, 0x74, 0x2e, 0x49, + 0x6e, 0x69, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x69, 0x6e, 0x69, + 0x74, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3d, + 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, + 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, + 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x62, 0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, + 0x70, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x69, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/bootstrapper/initproto/init.proto b/bootstrapper/initproto/init.proto index 3572d5792..54b74098a 100644 --- a/bootstrapper/initproto/init.proto +++ b/bootstrapper/initproto/init.proto @@ -19,6 +19,7 @@ message InitRequest { string kubernetes_version = 8; repeated SSHUserKey ssh_user_keys = 9; bytes salt = 10; + bytes helm_deployments = 11; } message InitResponse { diff --git a/bootstrapper/internal/initserver/initserver.go b/bootstrapper/internal/initserver/initserver.go index acef0b949..998cf994a 100644 --- a/bootstrapper/internal/initserver/initserver.go +++ b/bootstrapper/internal/initserver/initserver.go @@ -124,6 +124,7 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro UseExistingKEK: req.UseExistingKek, }, sshProtoKeysToMap(req.SshUserKeys), + req.HelmDeployments, s.log, ) if err != nil { @@ -198,6 +199,7 @@ type ClusterInitializer interface { measurementSalt []byte, kmsConfig resources.KMSConfig, sshUserKeys map[string]string, + helmDeployments []byte, log *logger.Logger, ) ([]byte, error) } diff --git a/bootstrapper/internal/initserver/initserver_test.go b/bootstrapper/internal/initserver/initserver_test.go index 879a87ec8..ca7819a50 100644 --- a/bootstrapper/internal/initserver/initserver_test.go +++ b/bootstrapper/internal/initserver/initserver_test.go @@ -282,7 +282,7 @@ type stubClusterInitializer struct { initClusterErr error } -func (i *stubClusterInitializer) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, *logger.Logger, +func (i *stubClusterInitializer) InitCluster(context.Context, []string, string, string, []byte, resources.KMSConfig, map[string]string, []byte, *logger.Logger, ) ([]byte, error) { return i.initClusterKubeconfig, i.initClusterErr } diff --git a/bootstrapper/internal/kubernetes/k8sapi/util.go b/bootstrapper/internal/kubernetes/k8sapi/util.go index b6faba952..cbdb7deb5 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/util.go +++ b/bootstrapper/internal/kubernetes/k8sapi/util.go @@ -4,6 +4,7 @@ import ( "context" "crypto/rand" "crypto/x509" + "encoding/json" "encoding/pem" "errors" "fmt" @@ -13,13 +14,16 @@ import ( "os" "os/exec" "path/filepath" - "regexp" "strings" "time" "github.com/edgelesssys/constellation/bootstrapper/internal/kubelet" "github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/resources" + "github.com/edgelesssys/constellation/internal/constants" + kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" + "github.com/edgelesssys/constellation/internal/crypto" + "github.com/edgelesssys/constellation/internal/deploy/helm" "github.com/edgelesssys/constellation/internal/file" "github.com/edgelesssys/constellation/internal/logger" "github.com/edgelesssys/constellation/internal/versions" @@ -27,8 +31,9 @@ import ( "github.com/spf13/afero" "go.uber.org/zap" "golang.org/x/text/transform" + "helm.sh/helm/v3/pkg/action" + "helm.sh/helm/v3/pkg/cli" corev1 "k8s.io/api/core/v1" - "k8s.io/kubernetes/cmd/kubeadm/app/constants" ) const ( @@ -40,8 +45,6 @@ const ( crdTimeout = 15 * time.Second ) -var providerIDRegex = regexp.MustCompile(`^azure:///subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/Microsoft.Compute/virtualMachineScaleSets/([^/]+)/virtualMachines/([^/]+)$`) - // Client provides the functions to talk to the k8s API. type Client interface { Apply(resources resources.Marshaler, forceConflicts bool) error @@ -182,6 +185,33 @@ func (k *KubernetesUtil) InitCluster( return nil } +func (k *KubernetesUtil) SetupHelmDeployments(ctx context.Context, kubectl Client, helmDeployments []byte, in SetupPodNetworkInput, log *logger.Logger) error { + var helmDeploy helm.Deployments + if err := json.Unmarshal(helmDeployments, &helmDeploy); err != nil { + return fmt.Errorf("unmarshalling helm deployments: %w", err) + } + settings := cli.New() + settings.KubeConfig = kubeConfig + + actionConfig := new(action.Configuration) + if err := actionConfig.Init(settings.RESTClientGetter(), constants.HelmNamespace, + "secret", log.Infof); err != nil { + return err + } + + helmClient := action.NewInstall(actionConfig) + helmClient.Namespace = constants.HelmNamespace + helmClient.ReleaseName = "cilium" + helmClient.Wait = true + helmClient.Timeout = 30 * time.Second + + if err := k.deployCilium(ctx, in, helmClient, helmDeploy.Cilium, kubectl); err != nil { + return fmt.Errorf("deploying cilium: %w", err) + } + + return nil +} + type SetupPodNetworkInput struct { CloudProvider string NodeName string @@ -190,40 +220,29 @@ type SetupPodNetworkInput struct { ProviderID string } -// SetupPodNetwork sets up the cilium pod network. -func (k *KubernetesUtil) SetupPodNetwork(ctx context.Context, in SetupPodNetworkInput, client Client) error { +// deployCilium sets up the cilium pod network. +func (k *KubernetesUtil) deployCilium(ctx context.Context, in SetupPodNetworkInput, helmClient *action.Install, ciliumDeployment helm.Deployment, kubectl Client) error { switch in.CloudProvider { case "gcp": - return k.setupGCPPodNetwork(ctx, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR, client) + return k.deployCiliumGCP(ctx, helmClient, kubectl, ciliumDeployment, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR) case "azure": - return k.setupAzurePodNetwork(ctx, in.ProviderID, in.SubnetworkPodCIDR) + return k.deployCiliumAzure(ctx, helmClient, ciliumDeployment) case "qemu": - return k.setupQemuPodNetwork(ctx, in.SubnetworkPodCIDR) + return k.deployCiliumQEMU(ctx, helmClient, ciliumDeployment, in.SubnetworkPodCIDR) default: return fmt.Errorf("unsupported cloud provider %q", in.CloudProvider) } } -func (k *KubernetesUtil) setupAzurePodNetwork(ctx context.Context, providerID, subnetworkPodCIDR string) error { - matches := providerIDRegex.FindStringSubmatch(providerID) - if len(matches) != 5 { - return fmt.Errorf("error splitting providerID %q", providerID) - } - - ciliumInstall := exec.CommandContext(ctx, "cilium", "install", "--azure-resource-group", matches[2], "--ipam", "azure", - "--helm-set", - "tunnel=disabled,enableIPv4Masquerade=true,azure.enabled=true,debug.enabled=true,ipv4NativeRoutingCIDR="+subnetworkPodCIDR+ - ",endpointRoutes.enabled=true,encryption.enabled=true,encryption.type=wireguard,l7Proxy=false,egressMasqueradeInterfaces=eth0") - ciliumInstall.Env = append(os.Environ(), "KUBECONFIG="+kubeConfig) - out, err := ciliumInstall.CombinedOutput() +func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment) error { + _, err := helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values) if err != nil { - err = errors.New(string(out)) - return err + return fmt.Errorf("installing cilium: %w", err) } return nil } -func (k *KubernetesUtil) setupGCPPodNetwork(ctx context.Context, nodeName, nodePodCIDR, subnetworkPodCIDR string, kubectl Client) error { +func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action.Install, kubectl Client, ciliumDeployment helm.Deployment, nodeName, nodePodCIDR, subnetworkPodCIDR string) error { out, err := exec.CommandContext(ctx, kubectlPath, "--kubeconfig", kubeConfig, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput() if err != nil { err = errors.New(string(out)) @@ -248,13 +267,13 @@ func (k *KubernetesUtil) setupGCPPodNetwork(ctx context.Context, nodeName, nodeP return err } - ciliumInstall := exec.CommandContext(ctx, "cilium", "install", "--ipam", "kubernetes", "--ipv4-native-routing-cidr", subnetworkPodCIDR, - "--helm-set", "endpointRoutes.enabled=true,tunnel=disabled,encryption.enabled=true,encryption.type=wireguard,l7Proxy=false") - ciliumInstall.Env = append(os.Environ(), "KUBECONFIG="+kubeConfig) - out, err = ciliumInstall.CombinedOutput() + // configure pod network CIDR + ciliumDeployment.Values["ipv4NativeRoutingCIDR"] = subnetworkPodCIDR + ciliumDeployment.Values["strictModeCIDR"] = subnetworkPodCIDR + + _, err = helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values) if err != nil { - err = errors.New(string(out)) - return err + return fmt.Errorf("installing cilium: %w", err) } return nil @@ -264,14 +283,15 @@ func (k *KubernetesUtil) setupGCPPodNetwork(ctx context.Context, nodeName, nodeP // the cilium daemonset, it only restarts the local cilium pod. func (k *KubernetesUtil) FixCilium(nodeNameK8s string, log *logger.Logger) { // wait for cilium pod to be healthy + client := http.Client{} for { time.Sleep(5 * time.Second) - req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://127.0.0.1:9876/healthz", nil) + req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "http://127.0.0.1:9879/healthz", http.NoBody) if err != nil { log.With(zap.Error(err)).Errorf("Unable to create request") continue } - resp, err := http.DefaultClient.Do(req) + resp, err := client.Do(req) if err != nil { log.With(zap.Error(err)).Warnf("Waiting for local cilium daemonset pod not healthy") continue @@ -303,13 +323,19 @@ func (k *KubernetesUtil) FixCilium(nodeNameK8s string, log *logger.Logger) { } } -func (k *KubernetesUtil) setupQemuPodNetwork(ctx context.Context, subnetworkPodCIDR string) error { - ciliumInstall := exec.CommandContext(ctx, "cilium", "install", "--encryption", "wireguard", "--helm-set", "ipam.operator.clusterPoolIPv4PodCIDRList="+subnetworkPodCIDR+",endpointRoutes.enabled=true") - ciliumInstall.Env = append(os.Environ(), "KUBECONFIG="+kubeConfig) - out, err := ciliumInstall.CombinedOutput() +func (k *KubernetesUtil) deployCiliumQEMU(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment, subnetworkPodCIDR string) error { + // configure pod network CIDR + ciliumDeployment.Values["ipam"] = map[string]interface{}{ + "operator": map[string]interface{}{ + "clusterPoolIPv4PodCIDRList": []interface{}{ + subnetworkPodCIDR, + }, + }, + } + + _, err := helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values) if err != nil { - err = errors.New(string(out)) - return err + return fmt.Errorf("installing cilium: %w", err) } return nil } @@ -453,9 +479,9 @@ func (k *KubernetesUtil) createSignedKubeletCert(nodeName string, ips []net.IP) } parentCertRaw, err := k.file.Read(filepath.Join( - constants.KubernetesDir, - constants.DefaultCertificateDir, - constants.CACertName, + kubeconstants.KubernetesDir, + kubeconstants.DefaultCertificateDir, + kubeconstants.CACertName, )) if err != nil { return err @@ -467,9 +493,9 @@ func (k *KubernetesUtil) createSignedKubeletCert(nodeName string, ips []net.IP) } parentKeyRaw, err := k.file.Read(filepath.Join( - constants.KubernetesDir, - constants.DefaultCertificateDir, - constants.CAKeyName, + kubeconstants.KubernetesDir, + kubeconstants.DefaultCertificateDir, + kubeconstants.CAKeyName, )) if err != nil { return err diff --git a/bootstrapper/internal/kubernetes/k8sutil.go b/bootstrapper/internal/kubernetes/k8sutil.go index c1b7a127d..0ba233f5d 100644 --- a/bootstrapper/internal/kubernetes/k8sutil.go +++ b/bootstrapper/internal/kubernetes/k8sutil.go @@ -14,7 +14,7 @@ type clusterUtil interface { InstallComponents(ctx context.Context, version versions.ValidK8sVersion) error InitCluster(ctx context.Context, initConfig []byte, nodeName string, ips []net.IP, log *logger.Logger) error JoinCluster(ctx context.Context, joinConfig []byte, log *logger.Logger) error - SetupPodNetwork(context.Context, k8sapi.SetupPodNetworkInput, k8sapi.Client) error + SetupHelmDeployments(ctx context.Context, client k8sapi.Client, helmDeployments []byte, in k8sapi.SetupPodNetworkInput, log *logger.Logger) error SetupAccessManager(kubectl k8sapi.Client, sshUsers resources.Marshaler) error SetupAutoscaling(kubectl k8sapi.Client, clusterAutoscalerConfiguration resources.Marshaler, secrets resources.Marshaler) error SetupJoinService(kubectl k8sapi.Client, joinServiceConfiguration resources.Marshaler) error diff --git a/bootstrapper/internal/kubernetes/kubernetes.go b/bootstrapper/internal/kubernetes/kubernetes.go index a334ea5a3..8921f46b1 100644 --- a/bootstrapper/internal/kubernetes/kubernetes.go +++ b/bootstrapper/internal/kubernetes/kubernetes.go @@ -71,7 +71,7 @@ func New(cloudProvider string, clusterUtil clusterUtil, configProvider configura // InitCluster initializes a new Kubernetes cluster and applies pod network provider. func (k *KubeWrapper) InitCluster( ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string, - measurementSalt []byte, kmsConfig resources.KMSConfig, sshUsers map[string]string, log *logger.Logger, + measurementSalt []byte, kmsConfig resources.KMSConfig, sshUsers map[string]string, helmDeployments []byte, log *logger.Logger, ) ([]byte, error) { k8sVersion, err := versions.NewValidK8sVersion(versionString) if err != nil { @@ -170,9 +170,8 @@ func (k *KubeWrapper) InitCluster( NodeName: nodeName, FirstNodePodCIDR: nodePodCIDR, SubnetworkPodCIDR: subnetworkPodCIDR, - ProviderID: providerID, } - if err = k.clusterUtil.SetupPodNetwork(ctx, setupPodNetworkInput, k.client); err != nil { + if err = k.clusterUtil.SetupHelmDeployments(ctx, k.client, helmDeployments, setupPodNetworkInput, log); err != nil { return nil, fmt.Errorf("setting up pod network: %w", err) } diff --git a/bootstrapper/internal/kubernetes/kubernetes_test.go b/bootstrapper/internal/kubernetes/kubernetes_test.go index b60fffbde..511cc1119 100644 --- a/bootstrapper/internal/kubernetes/kubernetes_test.go +++ b/bootstrapper/internal/kubernetes/kubernetes_test.go @@ -170,8 +170,8 @@ func TestInitCluster(t *testing.T) { wantErr: true, k8sVersion: versions.Latest, }, - "kubeadm init fails when setting up the pod network": { - clusterUtil: stubClusterUtil{setupPodNetworkErr: someErr}, + "kubeadm init fails when deploying helm charts": { + clusterUtil: stubClusterUtil{setupHelmDeploymentsErr: someErr}, kubeconfigReader: &stubKubeconfigReader{ Kubeconfig: []byte("someKubeconfig"), }, @@ -296,7 +296,7 @@ func TestInitCluster(t *testing.T) { kubeconfigReader: tc.kubeconfigReader, getIPAddr: func() (string, error) { return privateIP, nil }, } - _, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, logger.NewTest(t)) + _, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, nil, logger.NewTest(t)) if tc.wantErr { assert.Error(err) @@ -504,7 +504,7 @@ func TestK8sCompliantHostname(t *testing.T) { type stubClusterUtil struct { installComponentsErr error initClusterErr error - setupPodNetworkErr error + setupHelmDeploymentsErr error setupAutoscalingError error setupJoinServiceError error setupCloudControllerManagerError error @@ -533,8 +533,8 @@ func (s *stubClusterUtil) InitCluster(ctx context.Context, initConfig []byte, no return s.initClusterErr } -func (s *stubClusterUtil) SetupPodNetwork(context.Context, k8sapi.SetupPodNetworkInput, k8sapi.Client) error { - return s.setupPodNetworkErr +func (s *stubClusterUtil) SetupHelmDeployments(context.Context, k8sapi.Client, []byte, k8sapi.SetupPodNetworkInput, *logger.Logger) error { + return s.setupHelmDeploymentsErr } func (s *stubClusterUtil) SetupAutoscaling(kubectl k8sapi.Client, clusterAutoscalerConfiguration resources.Marshaler, secrets resources.Marshaler) error { diff --git a/cli/internal/cmd/helmloader.go b/cli/internal/cmd/helmloader.go new file mode 100644 index 000000000..0391930fa --- /dev/null +++ b/cli/internal/cmd/helmloader.go @@ -0,0 +1,13 @@ +package cmd + +type helmLoader interface { + Load(csp string) ([]byte, error) +} + +type stubHelmLoader struct { + loadErr error +} + +func (d *stubHelmLoader) Load(csp string) ([]byte, error) { + return nil, d.loadErr +} diff --git a/cli/internal/cmd/init.go b/cli/internal/cmd/init.go index 003c65d66..cf9862137 100644 --- a/cli/internal/cmd/init.go +++ b/cli/internal/cmd/init.go @@ -16,6 +16,7 @@ import ( "github.com/edgelesssys/constellation/cli/internal/azure" "github.com/edgelesssys/constellation/cli/internal/cloudcmd" "github.com/edgelesssys/constellation/cli/internal/gcp" + "github.com/edgelesssys/constellation/cli/internal/helm" "github.com/edgelesssys/constellation/internal/cloud/cloudprovider" "github.com/edgelesssys/constellation/internal/cloud/cloudtypes" "github.com/edgelesssys/constellation/internal/config" @@ -55,12 +56,13 @@ func runInitialize(cmd *cobra.Command, args []string) error { newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer { return dialer.New(nil, validator.V(), &net.Dialer{}) } - return initialize(cmd, newDialer, serviceAccountCreator, fileHandler) + helmLoader := &helm.ChartLoader{} + return initialize(cmd, newDialer, serviceAccountCreator, fileHandler, helmLoader) } // initialize initializes a Constellation. -func initialize(cmd *cobra.Command, newDialer func(*cloudcmd.Validator) *dialer.Dialer, - serviceAccCreator serviceAccountCreator, fileHandler file.Handler, +func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator) *dialer.Dialer, + serviceAccCreator serviceAccountCreator, fileHandler file.Handler, helmLoader helmLoader, ) error { flags, err := evalFlagArgs(cmd, fileHandler) if err != nil { @@ -115,6 +117,12 @@ func initialize(cmd *cobra.Command, newDialer func(*cloudcmd.Validator) *dialer. autoscalingNodeGroups = append(autoscalingNodeGroups, workers.GroupID) } + cmd.Println("Loading Helm charts ...") + helmDeployments, err := helmLoader.Load(stat.CloudProvider) + if err != nil { + return fmt.Errorf("loading Helm charts: %w", err) + } + req := &initproto.InitRequest{ AutoscalingNodeGroups: autoscalingNodeGroups, MasterSecret: flags.masterSecret.Key, @@ -126,6 +134,7 @@ func initialize(cmd *cobra.Command, newDialer func(*cloudcmd.Validator) *dialer. CloudServiceAccountUri: serviceAccount, KubernetesVersion: config.KubernetesVersion, SshUserKeys: ssh.ToProtoSlice(sshUsers), + HelmDeployments: helmDeployments, } resp, err := initCall(cmd.Context(), newDialer(validator), stat.BootstrapperHost, req) if err != nil { diff --git a/cli/internal/cmd/init_test.go b/cli/internal/cmd/init_test.go index fff491281..da94b0220 100644 --- a/cli/internal/cmd/init_test.go +++ b/cli/internal/cmd/init_test.go @@ -85,6 +85,7 @@ func TestInitialize(t *testing.T) { testCases := map[string]struct { existingState state.ConstellationState serviceAccountCreator stubServiceAccountCreator + helmLoader stubHelmLoader initServerAPI *stubInitServer setAutoscaleFlag bool wantErr bool @@ -127,6 +128,12 @@ func TestInitialize(t *testing.T) { serviceAccountCreator: stubServiceAccountCreator{createErr: someErr}, wantErr: true, }, + "fail to load helm charts": { + existingState: testGcpState, + helmLoader: stubHelmLoader{loadErr: someErr}, + initServerAPI: &stubInitServer{initResp: testInitResp}, + wantErr: true, + }, } for name, tc := range testCases { @@ -162,7 +169,7 @@ func TestInitialize(t *testing.T) { defer cancel() cmd.SetContext(ctx) - err := initialize(cmd, newDialer, &tc.serviceAccountCreator, fileHandler) + err := initialize(cmd, newDialer, &tc.serviceAccountCreator, fileHandler, &tc.helmLoader) if tc.wantErr { assert.Error(err) @@ -441,7 +448,7 @@ func TestAttestation(t *testing.T) { defer cancel() cmd.SetContext(ctx) - err := initialize(cmd, newDialer, &stubServiceAccountCreator{}, fileHandler) + err := initialize(cmd, newDialer, &stubServiceAccountCreator{}, fileHandler, &stubHelmLoader{}) assert.Error(err) // make sure the error is actually a TLS handshake error assert.Contains(err.Error(), "transport: authentication handshake failed") diff --git a/cli/internal/helm/charts/cilium/.helmignore b/cli/internal/helm/charts/cilium/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/cli/internal/helm/charts/cilium/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/cli/internal/helm/charts/cilium/Chart.yaml b/cli/internal/helm/charts/cilium/Chart.yaml new file mode 100644 index 000000000..edbcd63d2 --- /dev/null +++ b/cli/internal/helm/charts/cilium/Chart.yaml @@ -0,0 +1,127 @@ +apiVersion: v2 +name: cilium +displayName: Cilium +home: https://cilium.io/ +version: 1.12.0 +appVersion: 1.12.0 +kubeVersion: ">= 1.16.0-0" +icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg +description: eBPF-based Networking, Security, and Observability +keywords: + - BPF + - eBPF + - Kubernetes + - Networking + - Security + - Observability + - Troubleshooting +sources: + - https://github.com/cilium/cilium +links: + - name: eBPF.io + url: https://ebpf.io/ +annotations: + artifacthub.io/crds: | + - kind: CiliumNetworkPolicy + version: v2 + name: ciliumnetworkpolicies.cilium.io + displayName: Cilium Network Policy + description: | + Cilium Network Policies provide additional functionality beyond what + is provided by standard Kubernetes NetworkPolicy such as the ability + to allow traffic based on FQDNs, or to filter at Layer 7. + - kind: CiliumClusterwideNetworkPolicy + version: v2 + name: ciliumclusterwidenetworkpolicies.cilium.io + displayName: Cilium Clusterwide Network Policy + description: | + Cilium Clusterwide Network Policies support configuring network traffic + policiies across the entire cluster, including applying node firewalls. + - kind: CiliumExternalWorkload + version: v2 + name: ciliumexternalworkloads.cilium.io + displayName: Cilium External Workload + description: | + Cilium External Workload supports configuring the ability for external + non-Kubernetes workloads to join the cluster. + - kind: CiliumLocalRedirectPolicy + version: v2 + name: ciliumlocalredirectpolicies.cilium.io + displayName: Cilium Local Redirect Policy + description: | + Cilium Local Redirect Policy allows local redirects to be configured + within a node to support use cases like Node-Local DNS or KIAM. + - kind: CiliumNode + version: v2 + name: ciliumnodes.cilium.io + displayName: Cilium Node + description: | + Cilium Node represents a node managed by Cilium. It contains a + specification to control various node specific configuration aspects + and a status section to represent the status of the node. + - kind: CiliumIdentity + version: v2 + name: ciliumidentities.cilium.io + displayName: Cilium Identity + description: | + Cilium Identity allows introspection into security identities that + Cilium allocates which identify sets of labels that are assigned to + individual endpoints in the cluster. + - kind: CiliumEndpoint + version: v2 + name: ciliumendpoints.cilium.io + displayName: Cilium Endpoint + description: | + Cilium Endpoint represents the status of individual pods or nodes in + the cluster which are managed by Cilium, including enforcement status, + IP addressing and whether the networking is succesfully operational. + - kind: CiliumEndpointSlice + version: v2alpha1 + name: ciliumendpointslices.cilium.io + displayName: Cilium Endpoint Slice + description: | + Cilium Endpoint Slice represents the status of groups of pods or nodes + in the cluster which are managed by Cilium, including enforcement status, + IP addressing and whether the networking is succesfully operational. + - kind: CiliumEgressNATPolicy + version: v2alpha1 + name: ciliumegressnatpolicies.cilium.io + displayName: Cilium Egress NAT Policy + description: | + Cilium Egress NAT Policy provides control over the way that traffic + leaves the cluster and which source addresses to use for that traffic. + - kind: CiliumEgressGatewayPolicy + version: v2 + name: ciliumegressgatewaypolicies.cilium.io + displayName: Cilium Egress Gateway Policy + description: | + Cilium Egress Gateway Policy provides control over the way that traffic + leaves the cluster and which source addresses to use for that traffic. + - kind: CiliumClusterwideEnvoyConfig + version: v2 + name: ciliumclusterwideenvoyconfigs.cilium.io + displayName: Cilium Clusterwide Envoy Config + description: | + Cilium Clusterwide Envoy Config specifies Envoy resources and K8s service mappings + to be provisioned into Cilium host proxy instances in cluster context. + - kind: CiliumEnvoyConfig + version: v2 + name: ciliumenvoyconfigs.cilium.io + displayName: Cilium Envoy Config + description: | + Cilium Envoy Config specifies Envoy resources and K8s service mappings + to be provisioned into Cilium host proxy instances in namespace context. + - kind: CiliumBGPPeeringPolicy + version: v2alpha1 + name: ciliumbgppeeringpolicies.cilium.io + displayName: Cilium BGP Peering Policy + description: | + Cilium BGP Peering Policy instructs Cilium to create specific BGP peering + configurations. + - kind: CiliumBGPLoadBalancerIPPool + version: v2alpha1 + name: ciliumbgploadbalancerippools.cilium.io + displayName: Cilium BGP Load Balancer IP Pool + description: | + Defining a Cilium BGP Load Balancer IP Pool instructs Cilium to assign and + advertise LoadBalancer Services to BGP peers defined by Cilium BGP Peering Policies. diff --git a/cli/internal/helm/charts/cilium/LICENSE b/cli/internal/helm/charts/cilium/LICENSE new file mode 100644 index 000000000..a2e486a80 --- /dev/null +++ b/cli/internal/helm/charts/cilium/LICENSE @@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} Authors of Cilium + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/cli/internal/helm/charts/cilium/README.md b/cli/internal/helm/charts/cilium/README.md new file mode 100644 index 000000000..c5c4c2acd --- /dev/null +++ b/cli/internal/helm/charts/cilium/README.md @@ -0,0 +1,474 @@ +# cilium + +![Version: 1.12.0](https://img.shields.io/badge/Version-1.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square) + +Cilium is open source software for providing and transparently securing +network connectivity and loadbalancing between application workloads such as +application containers or processes. Cilium operates at Layer 3/4 to provide +traditional networking and security services as well as Layer 7 to protect and +secure use of modern application protocols such as HTTP, gRPC and Kafka. + +A new Linux kernel technology called eBPF is at the foundation of Cilium. +It supports dynamic insertion of eBPF bytecode into the Linux kernel at various +integration points such as: network IO, application sockets, and tracepoints +to implement security, networking and visibility logic. eBPF is highly +efficient and flexible. + +![Cilium feature overview](https://raw.githubusercontent.com/cilium/cilium/master/Documentation/images/cilium_overview.png) + +## Prerequisites + +* Kubernetes: `>= 1.16.0-0` +* Helm: `>= 3.0` + +## Getting Started + +Try Cilium on any Kubernetes distribution in under 15 minutes: + +| Minikube | Self-Managed K8s | Amazon EKS | Google GKE | Microsoft AKS | +|:-:|:-:|:-:|:-:|:-:| +| [![Minikube](https://raw.githubusercontent.com/cilium/charts/master/images/minikube.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Self-Managed Kubernetes](https://raw.githubusercontent.com/cilium/charts/master/images/k8s.png)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Amazon EKS](https://raw.githubusercontent.com/cilium/charts/master/images/aws.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Google GKE](https://raw.githubusercontent.com/cilium/charts/master/images/google-cloud.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Microsoft AKS](https://raw.githubusercontent.com/cilium/charts/master/images/azure.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | + +Or, for a quick install with the default configuration: + +``` +$ helm repo add cilium https://helm.cilium.io/ +$ helm install cilium cilium/cilium --namespace=kube-system +``` + +After Cilium is installed, you can explore the features that Cilium has to +offer from the [Getting Started Guides page](https://docs.cilium.io/en/latest/gettingstarted/). + +## Source Code + +* + +## Getting Help + +The best way to get help if you get stuck is to ask a question on the +[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium +contributors across the globe, there is almost always someone available to help. + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-agent. | +| agent | bool | `true` | Install the cilium agent resources. | +| agentNotReadyTaintKey | string | `"node.cilium.io/agent-not-ready"` | Configure the key of the taint indicating that Cilium is not ready on the node. When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. | +| aksbyocni.enabled | bool | `false` | Enable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (`azure.enabled`) instead. | +| alibabacloud.enabled | bool | `false` | Enable AlibabaCloud ENI integration | +| annotateK8sNode | bool | `false` | Annotate k8s node upon initialization with Cilium's metadata. | +| autoDirectNodeRoutes | bool | `false` | Enable installation of PodCIDR routes between worker nodes if worker nodes share a common L2 network segment. | +| azure.enabled | bool | `false` | Enable Azure integration. Note that this is incompatible with AKS clusters created in BYOCNI mode: use AKS BYOCNI integration (`aksbyocni.enabled`) instead. | +| bandwidthManager | object | `{"bbr":false,"enabled":false}` | Enable bandwidth manager to optimize TCP and UDP workloads and allow for rate-limiting traffic from individual Pods with EDT (Earliest Departure Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. | +| bandwidthManager.bbr | bool | `false` | Activate BBR TCP congestion control for Pods | +| bandwidthManager.enabled | bool | `false` | Enable bandwidth manager infrastructure (also prerequirement for BBR) | +| bgp | object | `{"announce":{"loadbalancerIP":false,"podCIDR":false},"enabled":false}` | Configure BGP | +| bgp.announce.loadbalancerIP | bool | `false` | Enable allocation and announcement of service LoadBalancer IPs | +| bgp.announce.podCIDR | bool | `false` | Enable announcement of node pod CIDR | +| bgp.enabled | bool | `false` | Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside cilium-agent and cilium-operator | +| bgpControlPlane | object | `{"enabled":false}` | This feature set enables virtual BGP routers to be created via CiliumBGPPeeringPolicy CRDs. | +| bgpControlPlane.enabled | bool | `false` | Enables the BGP control plane. | +| bpf.clockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. | +| bpf.lbExternalClusterIP | bool | `false` | Allow cluster external access to ClusterIP services. | +| bpf.lbMapMax | int | `65536` | Configure the maximum number of service entries in the load balancer maps. | +| bpf.monitorAggregation | string | `"medium"` | Configure the level of aggregation for monitor notifications. Valid options are none, low, medium, maximum. | +| bpf.monitorFlags | string | `"all"` | Configure which TCP flags trigger notifications when seen for the first time in a connection. | +| bpf.monitorInterval | string | `"5s"` | Configure the typical time between monitor notifications for active connections. | +| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). | +| bpf.preallocateMaps | bool | `false` | Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency. | +| bpf.root | string | `"/sys/fs/bpf"` | Configure the mount point for the BPF filesystem | +| certgen | object | `{"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.8@sha256:4a456552a5f192992a6edcec2febb1c54870d665173a33dc7d876129b199ddbd"},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. | +| certgen.podLabels | object | `{}` | Labels to be added to hubble-certgen pods | +| certgen.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| certgen.ttlSecondsAfterFinished | int | `1800` | Seconds after which the completed job pod will be deleted | +| cgroup | object | `{"autoMount":{"enabled":true},"hostRoot":"/run/cilium/cgroupv2"}` | Configure cgroup related configuration | +| cgroup.autoMount.enabled | bool | `true` | Enable auto mount of cgroup2 filesystem. When `autoMount` is enabled, cgroup2 filesystem is mounted at `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. If users disable `autoMount`, it's expected that users have mounted cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the volume will be mounted inside the cilium agent pod at the same path. | +| cgroup.hostRoot | string | `"/run/cilium/cgroupv2"` | Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) | +| cleanBpfState | bool | `false` | Clean all eBPF datapath state from the initContainer of the cilium-agent DaemonSet. WARNING: Use with care! | +| cleanState | bool | `false` | Clean all local Cilium state from the initContainer of the cilium-agent DaemonSet. Implies cleanBpfState: true. WARNING: Use with care! | +| cluster.id | int | `0` | (int) Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used. | +| cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh. | +| clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver | +| clustermesh.apiserver.etcd.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4@sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3"}` | Clustermesh API server etcd image. | +| clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | +| clustermesh.apiserver.image | object | `{"digest":"sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.0","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods | +| clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| clustermesh.apiserver.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable | +| clustermesh.apiserver.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` | +| clustermesh.apiserver.podLabels | object | `{}` | Labels to be added to clustermesh-apiserver pods | +| clustermesh.apiserver.priorityClassName | string | `""` | The priority class to use for clustermesh-apiserver | +| clustermesh.apiserver.replicas | int | `1` | Number of replicas run for the clustermesh-apiserver deployment. | +| clustermesh.apiserver.resources | object | `{}` | Resource requests and limits for the clustermesh-apiserver | +| clustermesh.apiserver.service.annotations | object | `{}` | Annotations for the clustermesh-apiserver For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 | +| clustermesh.apiserver.service.nodePort | int | `32379` | Optional port to use as the node port for apiserver access. | +| clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. | +| clustermesh.apiserver.tls.admin | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. | +| clustermesh.apiserver.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}` | Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. | +| clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. If not specified, a CA issuer will be created. | +| clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. | +| clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. | +| clustermesh.apiserver.tls.ca | object | `{"cert":"","key":""}` | base64 encoded PEM values for the ExternalWorkload CA certificate and private key. | +| clustermesh.apiserver.tls.ca.cert | string | `""` | Optional CA cert. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. | +| clustermesh.apiserver.tls.ca.key | string | `""` | Optional CA private key. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. | +| clustermesh.apiserver.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. Used if 'auto' is not enabled. | +| clustermesh.apiserver.tls.remote | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if 'auto' is not enabled. | +| clustermesh.apiserver.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. Used if 'auto' is not enabled. | +| clustermesh.apiserver.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated | +| clustermesh.apiserver.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated | +| clustermesh.apiserver.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| clustermesh.apiserver.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | clustermesh-apiserver update strategy | +| clustermesh.config | object | `{"clusters":[],"domain":"mesh.cilium.io","enabled":false}` | Clustermesh explicit configuration. | +| clustermesh.config.clusters | list | `[]` | List of clusters to be peered in the mesh. | +| clustermesh.config.domain | string | `"mesh.cilium.io"` | Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used. | +| clustermesh.config.enabled | bool | `false` | Enable the Clustermesh explicit configuration. | +| clustermesh.useAPIServer | bool | `false` | Deploy clustermesh-apiserver for clustermesh | +| cni.binPath | string | `"/opt/cni/bin"` | Configure the path to the CNI binary directory on the host. | +| cni.chainingMode | string | `"none"` | Configure chaining on top of other CNI plugins. Possible values: - none - aws-cni - flannel - generic-veth - portmap | +| cni.confFileMountPath | string | `"/tmp/cni-configuration"` | Configure the path to where to mount the ConfigMap inside the agent pod. | +| cni.confPath | string | `"/etc/cni/net.d"` | Configure the path to the CNI configuration directory on the host. | +| cni.configMapKey | string | `"cni-config"` | Configure the key in the CNI ConfigMap to read the contents of the CNI configuration from. | +| cni.customConf | bool | `false` | Skip writing of the CNI configuration. This can be used if writing of the CNI configuration is performed by external automation. | +| cni.exclusive | bool | `true` | Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime. | +| cni.hostConfDirMountPath | string | `"/host/etc/cni/net.d"` | Configure the path to where the CNI configuration directory is mounted inside the agent pod. | +| cni.install | bool | `true` | Install the CNI configuration and binary files into the filesystem. | +| cni.logFile | string | `"/var/run/cilium/cilium-cni.log"` | Configure the log file for CNI logging with retention policy of 7 days. Disable CNI file logging by setting this field to empty explicitly. | +| containerRuntime | object | `{"integration":"none"}` | Configure container runtime specific integration. | +| containerRuntime.integration | string | `"none"` | Enables specific integrations for container runtimes. Supported values: - containerd - crio - docker - none - auto (automatically detect the container runtime) | +| customCalls | object | `{"enabled":false}` | Tail call hooks for custom eBPF programs. | +| customCalls.enabled | bool | `false` | Enable tail call hooks for custom eBPF programs. | +| daemon.runPath | string | `"/var/run/cilium"` | Configure where Cilium runtime state should be stored. | +| datapathMode | string | `"veth"` | Configure which datapath mode should be used for configuring container connectivity. Valid options are "veth" or "ipvlan". Deprecated, to be removed in v1.12. | +| debug.enabled | bool | `false` | Enable debug logging | +| disableEndpointCRD | string | `"false"` | Disable the usage of CiliumEndpoint CRD. | +| dnsPolicy | string | `""` | DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | +| dnsProxy.dnsRejectResponseCode | string | `"refused"` | DNS response code for rejecting DNS requests, available options are '[nameError refused]'. | +| dnsProxy.enableDnsCompression | bool | `true` | Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. | +| dnsProxy.endpointMaxIpPerHostname | int | `50` | Maximum number of IPs to maintain per FQDN name for each endpoint. | +| dnsProxy.idleConnectionGracePeriod | string | `"0s"` | Time during which idle but previously active connections with expired DNS lookups are still considered alive. | +| dnsProxy.maxDeferredConnectionDeletes | int | `10000` | Maximum number of IPs to retain for expired DNS lookups with still-active connections. | +| dnsProxy.minTtl | int | `3600` | The minimum time, in seconds, to use DNS data for toFQDNs policies. | +| dnsProxy.preCache | string | `""` | DNS cache data at this path is preloaded on agent startup. | +| dnsProxy.proxyPort | int | `0` | Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. | +| dnsProxy.proxyResponseMaxDelay | string | `"100ms"` | The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. | +| egressGateway | object | `{"enabled":false,"installRoutes":false}` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. | +| egressGateway.installRoutes | bool | `false` | Install egress gateway IP rules and routes in order to properly steer egress gateway traffic to the correct ENI interface | +| enableCiliumEndpointSlice | bool | `false` | Enable CiliumEndpointSlice feature. | +| enableCnpStatusUpdates | bool | `false` | Whether to enable CNP status updates. | +| enableCriticalPriorityClass | bool | `true` | Explicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in `helm template` calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance. | +| enableIPv4Masquerade | bool | `true` | Enables masquerading of IPv4 traffic leaving the node from endpoints. | +| enableIPv6Masquerade | bool | `true` | Enables masquerading of IPv6 traffic leaving the node from endpoints. | +| enableK8sEventHandover | bool | `false` | Configures the use of the KVStore to optimize Kubernetes event handling by mirroring it into the KVstore for reduced overhead in large clusters. | +| enableK8sTerminatingEndpoint | bool | `true` | Configure whether to enable auto detect of terminating state for endpoints in order to support graceful termination. | +| enableRuntimeDeviceDetection | bool | `false` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. | +| enableXTSocketFallback | bool | `true` | Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. | +| encryption.enabled | bool | `false` | Enable transparent network encryption. | +| encryption.interface | string | `""` | Deprecated in favor of encryption.ipsec.interface. The interface to use for encrypted traffic. This option is only effective when encryption.type is set to ipsec. | +| encryption.ipsec.interface | string | `""` | The interface to use for encrypted traffic. | +| encryption.ipsec.keyFile | string | `""` | Name of the key file inside the Kubernetes secret configured via secretName. | +| encryption.ipsec.mountPath | string | `""` | Path to mount the secret inside the Cilium pod. | +| encryption.ipsec.secretName | string | `""` | Name of the Kubernetes secret containing the encryption keys. | +| encryption.keyFile | string | `"keys"` | Deprecated in favor of encryption.ipsec.keyFile. Name of the key file inside the Kubernetes secret configured via secretName. This option is only effective when encryption.type is set to ipsec. | +| encryption.mountPath | string | `"/etc/ipsec"` | Deprecated in favor of encryption.ipsec.mountPath. Path to mount the secret inside the Cilium pod. This option is only effective when encryption.type is set to ipsec. | +| encryption.nodeEncryption | bool | `false` | Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to ipsec. | +| encryption.secretName | string | `"cilium-ipsec-keys"` | Deprecated in favor of encryption.ipsec.secretName. Name of the Kubernetes secret containing the encryption keys. This option is only effective when encryption.type is set to ipsec. | +| encryption.type | string | `"ipsec"` | Encryption method. Can be either ipsec or wireguard. | +| encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation. | +| endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. | +| endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. | +| endpointStatus | object | `{"enabled":false,"status":""}` | Enable endpoint status. Status can be: policy, health, controllers, logs and / or state. For 2 or more options use a comma. | +| eni.awsEnablePrefixDelegation | bool | `false` | Enable ENI prefix delegation | +| eni.awsReleaseExcessIPs | bool | `false` | Release IPs not used from the ENI | +| eni.ec2APIEndpoint | string | `""` | EC2 API endpoint to use | +| eni.enabled | bool | `false` | Enable Elastic Network Interface (ENI) integration. | +| eni.eniTags | object | `{}` | Tags to apply to the newly created ENIs | +| eni.iamRole | string | `""` | If using IAM role for Service Accounts will not try to inject identity values from cilium-aws kubernetes secret. Adds annotation to service account if managed by Helm. See https://github.com/aws/amazon-eks-pod-identity-webhook | +| eni.instanceTagsFilter | string | `""` | Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances are going to be used to create new ENIs | +| eni.subnetIDsFilter | string | `""` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. | +| eni.subnetTagsFilter | string | `""` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. | +| eni.updateEC2AdapterLimitViaAPI | bool | `false` | Update ENI Adapter limits from the EC2 API | +| etcd.clusterDomain | string | `"cluster.local"` | Cluster domain for cilium-etcd-operator. | +| etcd.enabled | bool | `false` | Enable etcd mode for the agent. | +| etcd.endpoints | list | `["https://CHANGE-ME:2379"]` | List of etcd endpoints (not needed when using managed=true). | +| etcd.extraArgs | list | `[]` | Additional cilium-etcd-operator container arguments. | +| etcd.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-etcd-operator","tag":"v2.0.7@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc"}` | cilium-etcd-operator image. | +| etcd.k8sService | bool | `false` | If etcd is behind a k8s service set this option to true so that Cilium does the service translation automatically without requiring a DNS to be running. | +| etcd.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-etcd-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| etcd.podAnnotations | object | `{}` | Annotations to be added to cilium-etcd-operator pods | +| etcd.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| etcd.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable | +| etcd.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` | +| etcd.podLabels | object | `{}` | Labels to be added to cilium-etcd-operator pods | +| etcd.priorityClassName | string | `""` | The priority class to use for cilium-etcd-operator | +| etcd.resources | object | `{}` | cilium-etcd-operator resource limits & requests ref: https://kubernetes.io/docs/user-guide/compute-resources/ | +| etcd.securityContext | object | `{}` | Security context to be added to cilium-etcd-operator pods | +| etcd.ssl | bool | `false` | Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if managed=true) | +| etcd.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for cilium-etcd-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| etcd.updateStrategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":1},"type":"RollingUpdate"}` | cilium-etcd-operator update strategy | +| externalIPs.enabled | bool | `false` | Enable ExternalIPs service support. | +| externalWorkloads | object | `{"enabled":false}` | Configure external workloads support | +| externalWorkloads.enabled | bool | `false` | Enable support for external workloads, such as VMs (false by default). | +| extraArgs | list | `[]` | Additional agent container arguments. | +| extraConfig | object | `{}` | extraConfig allows you to specify additional configuration parameters to be included in the cilium-config configmap. | +| extraEnv | list | `[]` | Additional agent container environment variables. | +| extraHostPathMounts | list | `[]` | Additional agent hostPath mounts. | +| extraVolumeMounts | list | `[]` | Additional agent volumeMounts. | +| extraVolumes | list | `[]` | Additional agent volumes. | +| gke.enabled | bool | `false` | Enable Google Kubernetes Engine integration | +| healthChecking | bool | `true` | Enable connectivity health checking. | +| healthPort | int | `9879` | TCP port for the agent health API. This is not the port for cilium-health. | +| hostFirewall | object | `{"enabled":false}` | Configure the host firewall. | +| hostFirewall.enabled | bool | `false` | Enables the enforcement of host policies in the eBPF datapath. | +| hostPort.enabled | bool | `false` | Enable hostPort service support. | +| hubble.enabled | bool | `true` | Enable Hubble (true by default). | +| hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. | +| hubble.metrics | object | `{"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"labels":{}}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/operations/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. | +| hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" | +| hubble.metrics.port | int | `9965` | Configure the port the hubble metric server listens on. | +| hubble.metrics.serviceAnnotations | object | `{}` | Annotations to be added to hubble-metrics service. | +| hubble.metrics.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor hubble | +| hubble.metrics.serviceMonitor.enabled | bool | `false` | Create ServiceMonitor resources for Prometheus Operator. This requires the prometheus CRDs to be available. ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | +| hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble | +| hubble.peerService.clusterDomain | string | `"cluster.local"` | The cluster domain to use to query the Hubble Peer service. It should be the local cluster. | +| hubble.peerService.enabled | bool | `true` | Enable a K8s Service for the Peer service, so that it can be accessed by a non-local client | +| hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service. | +| hubble.relay.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for hubble-replay | +| hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). | +| hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) | +| hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. | +| hubble.relay.image | object | `{"digest":"sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.0","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | +| hubble.relay.listenPort | string | `"4245"` | Port to listen to. | +| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| hubble.relay.podAnnotations | object | `{}` | Annotations to be added to hubble-relay pods | +| hubble.relay.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| hubble.relay.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable | +| hubble.relay.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` | +| hubble.relay.podLabels | object | `{}` | Labels to be added to hubble-relay pods | +| hubble.relay.priorityClassName | string | `""` | The priority class to use for hubble-relay | +| hubble.relay.prometheus | object | `{"enabled":false,"port":9966,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{}}}` | Enable prometheus metrics for hubble-relay on the configured port at /metrics | +| hubble.relay.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor hubble-relay | +| hubble.relay.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | +| hubble.relay.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. | +| hubble.relay.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble-relay | +| hubble.relay.replicas | int | `1` | Number of replicas run for the hubble-relay deployment. | +| hubble.relay.resources | object | `{}` | Specifies the resources for the hubble-relay pods | +| hubble.relay.retryTimeout | string | `nil` | Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). | +| hubble.relay.rollOutPods | bool | `false` | Roll out Hubble Relay pods automatically when configmap is updated. | +| hubble.relay.securityContext | object | `{}` | hubble-relay security context | +| hubble.relay.service | object | `{"nodePort":31234,"type":"ClusterIP"}` | hubble-relay service configuration. | +| hubble.relay.service.nodePort | int | `31234` | - The port to use when the service type is set to NodePort. | +| hubble.relay.service.type | string | `"ClusterIP"` | - The type of service used for Hubble Relay access, either ClusterIP or NodePort. | +| hubble.relay.sortBufferDrainTimeout | string | `nil` | When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). | +| hubble.relay.sortBufferLenMax | string | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). | +| hubble.relay.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for hubble relay Deployment. | +| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble Relay | +| hubble.relay.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the hubble-relay client certificate and private key This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. | +| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the hubble-relay server certificate and private key | +| hubble.relay.tls.server.extraDnsNames | list | `[]` | extra DNS names added to certificate when its auto gen | +| hubble.relay.tls.server.extraIpAddresses | list | `[]` | extra IP addresses added to certificate when its auto gen | +| hubble.relay.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| hubble.relay.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-relay update strategy | +| hubble.socketPath | string | `"/var/run/cilium/hubble.sock"` | Unix domain socket path to listen to when Hubble is enabled. | +| hubble.tls | object | `{"auto":{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"},"ca":{"cert":"","key":""},"enabled":true,"server":{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}}` | TLS configuration for Hubble | +| hubble.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm","schedule":"0 0 1 */4 *"}` | Configure automatic TLS certificates generation. | +| hubble.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when hubble.tls.auto.method=certmanager. If not specified, a CA issuer will be created. | +| hubble.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. | +| hubble.tls.auto.enabled | bool | `true` | Auto-generate certificates. When set to true, automatically generate a CA and certificates to enable mTLS between Hubble server and Hubble Relay instances. If set to false, the certs for Hubble server need to be provided by setting appropriate values below. | +| hubble.tls.auto.method | string | `"helm"` | Set the method to auto-generate certificates. Supported values: - helm: This method uses Helm to generate all certificates. - cronJob: This method uses a Kubernetes CronJob the generate any certificates not provided by the user at installation time. - certmanager: This method use cert-manager to generate & rotate certificates. | +| hubble.tls.auto.schedule | string | `"0 0 1 */4 *"` | Schedule for certificates regeneration (regardless of their expiration date). Only used if method is "cronJob". If nil, then no recurring job will be created. Instead, only the one-shot job is deployed to generate the certificates at installation time. Defaults to midnight of the first day of every fourth month. For syntax, see https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule | +| hubble.tls.ca | object | `{"cert":"","key":""}` | Deprecated in favor of tls.ca. To be removed in 1.13. base64 encoded PEM values for the Hubble CA certificate and private key. | +| hubble.tls.ca.cert | string | `""` | Deprecated in favor of tls.ca.cert. To be removed in 1.13. | +| hubble.tls.ca.key | string | `""` | Deprecated in favor of tls.ca.key. To be removed in 1.13. The CA private key (optional). If it is provided, then it will be used by hubble.tls.auto.method=cronJob to generate all other certificates. Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true. | +| hubble.tls.enabled | bool | `true` | Enable mutual TLS for listenAddress. Setting this value to false is highly discouraged as the Hubble API provides access to potentially sensitive network flow metadata and is exposed on the host network. | +| hubble.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the Hubble server certificate and private key | +| hubble.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated | +| hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated | +| hubble.ui.affinity | object | `{}` | Affinity for hubble-ui | +| hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | +| hubble.ui.backend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b"}` | Hubble-ui backend image. | +| hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | +| hubble.ui.enabled | bool | `false` | Whether to enable the Hubble UI. | +| hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | +| hubble.ui.frontend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0"}` | Hubble-ui frontend image. | +| hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | +| hubble.ui.ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":["chart-example.local"],"tls":[]}` | hubble-ui ingress configuration. | +| hubble.ui.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| hubble.ui.podAnnotations | object | `{}` | Annotations to be added to hubble-ui pods | +| hubble.ui.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| hubble.ui.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable | +| hubble.ui.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` | +| hubble.ui.podLabels | object | `{}` | Labels to be added to hubble-ui pods | +| hubble.ui.priorityClassName | string | `""` | The priority class to use for hubble-ui | +| hubble.ui.replicas | int | `1` | The number of replicas of Hubble UI to deploy. | +| hubble.ui.rollOutPods | bool | `false` | Roll out Hubble-ui pods automatically when configmap is updated. | +| hubble.ui.securityContext | object | `{"enabled":true,"fsGroup":1001,"runAsGroup":1001,"runAsUser":1001}` | Security context to be added to Hubble UI pods | +| hubble.ui.securityContext.enabled | bool | `true` | Deprecated in favor of hubble.ui.securityContext. Whether to set the security context on the Hubble UI pods. | +| hubble.ui.service | object | `{"nodePort":31235,"type":"ClusterIP"}` | hubble-ui service configuration. | +| hubble.ui.service.nodePort | int | `31235` | - The port to use when the service type is set to NodePort. | +| hubble.ui.service.type | string | `"ClusterIP"` | - The type of service used for Hubble UI access, either ClusterIP or NodePort. | +| hubble.ui.standalone.enabled | bool | `false` | When true, it will allow installing the Hubble UI only, without checking dependencies. It is useful if a cluster already has cilium and Hubble relay installed and you just want Hubble UI to be deployed. When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` | +| hubble.ui.standalone.tls.certsVolume | object | `{}` | When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required to provide a volume for mounting the client certificates. | +| hubble.ui.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values used to connect to hubble-relay This keypair is presented to Hubble Relay instances for mTLS authentication and is required when hubble.relay.tls.server.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. | +| hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | +| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | +| image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Agent container image. | +| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | +| ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. | +| ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. | +| ingressController.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. | +| ingressController.secretsNamespace.create | bool | `true` | Create secrets namespace for Ingress. | +| ingressController.secretsNamespace.name | string | `"cilium-secrets"` | Name of Ingress secret namespace. | +| ingressController.secretsNamespace.sync | bool | `true` | Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. If disabled, TLS secrets must be maintained externally. | +| installIptablesRules | bool | `true` | Configure whether to install iptables rules to allow for TPROXY (L7 proxy injection), iptables-based masquerading and compatibility with kube-proxy. | +| installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. | +| ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent | +| ipam.mode | string | `"cluster-pool"` | Configure IP Address Management mode. ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ | +| ipam.operator.clusterPoolIPv4MaskSize | int | `24` | IPv4 CIDR mask size to delegate to individual nodes for IPAM. | +| ipam.operator.clusterPoolIPv4PodCIDR | string | `"10.0.0.0/8"` | Deprecated in favor of ipam.operator.clusterPoolIPv4PodCIDRList. IPv4 CIDR range to delegate to individual nodes for IPAM. | +| ipam.operator.clusterPoolIPv4PodCIDRList | list | `[]` | IPv4 CIDR list range to delegate to individual nodes for IPAM. | +| ipam.operator.clusterPoolIPv6MaskSize | int | `120` | IPv6 CIDR mask size to delegate to individual nodes for IPAM. | +| ipam.operator.clusterPoolIPv6PodCIDR | string | `"fd00::/104"` | Deprecated in favor of ipam.operator.clusterPoolIPv6PodCIDRList. IPv6 CIDR range to delegate to individual nodes for IPAM. | +| ipam.operator.clusterPoolIPv6PodCIDRList | list | `[]` | IPv6 CIDR list range to delegate to individual nodes for IPAM. | +| ipv4.enabled | bool | `true` | Enable IPv4 support. | +| ipv6.enabled | bool | `false` | Enable IPv6 support. | +| ipvlan.enabled | bool | `false` | Enable the IPVLAN datapath (deprecated) | +| k8s | object | `{}` | Configure Kubernetes specific configuration | +| keepDeprecatedLabels | bool | `false` | Keep the deprecated selector labels when deploying Cilium DaemonSet. | +| keepDeprecatedProbes | bool | `false` | Keep the deprecated probes when deploying Cilium DaemonSet | +| kubeProxyReplacementHealthzBindAddr | string | `""` | healthz server bind address for the kube-proxy replacement. To enable set the value to '0.0.0.0:10256' for all ipv4 addresses and this '[::]:10256' for all ipv6 addresses. By default it is disabled. | +| l2NeighDiscovery.enabled | bool | `true` | Enable L2 neighbor discovery in the agent | +| l2NeighDiscovery.refreshPeriod | string | `"30s"` | Override the agent's default neighbor resolution refresh period. | +| l7Proxy | bool | `true` | Enable Layer 7 network policy. | +| livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | +| livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | +| localRedirectPolicy | bool | `false` | Enable Local Redirect Policy. | +| logSystemLoad | bool | `false` | Enables periodic logging of system load | +| maglev | object | `{}` | Configure maglev consistent hashing | +| monitor | object | `{"enabled":false}` | cilium-monitor sidecar. | +| monitor.enabled | bool | `false` | Enable the cilium-monitor sidecar. | +| name | string | `"cilium"` | Agent container name. | +| nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enabled":false}` | Configure N-S k8s service loadbalancing | +| nodePort.autoProtectPortRange | bool | `true` | Append NodePort range to ip_local_reserved_ports if clash with ephemeral ports is detected. | +| nodePort.bindProtection | bool | `true` | Set to true to prevent applications binding to service ports. | +| nodePort.enableHealthCheck | bool | `true` | Enable healthcheck nodePort server for NodePort services | +| nodePort.enabled | bool | `false` | Enable the Cilium NodePort service implementation. | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-agent. | +| nodeinit.affinity | object | `{}` | Affinity for cilium-nodeinit | +| nodeinit.bootstrapFile | string | `"/tmp/cilium-bootstrap.d/cilium-bootstrap-time"` | bootstrapFile is the location of the file where the bootstrap timestamp is written by the node-init DaemonSet | +| nodeinit.enabled | bool | `false` | Enable the node initialization DaemonSet | +| nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. | +| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"d69851597ea019af980891a4628fb36b7880ec26"}` | node-init image. | +| nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. | +| nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. | +| nodeinit.priorityClassName | string | `""` | The priority class to use for the nodeinit pod. | +| nodeinit.resources | object | `{"requests":{"cpu":"100m","memory":"100Mi"}}` | nodeinit resource limits & requests ref: https://kubernetes.io/docs/user-guide/compute-resources/ | +| nodeinit.securityContext | object | `{"capabilities":{"add":["SYS_MODULE","NET_ADMIN","SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"]},"privileged":false,"seLinuxOptions":{"level":"s0","type":"spc_t"}}` | Security context to be added to nodeinit pods. | +| nodeinit.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for nodeinit scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| nodeinit.updateStrategy | object | `{"type":"RollingUpdate"}` | node-init update strategy | +| operator.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-operator | +| operator.dnsPolicy | string | `""` | DNS policy for Cilium operator pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | +| operator.enabled | bool | `true` | Enable the cilium-operator component (required). | +| operator.endpointGCInterval | string | `"5m0s"` | Interval for endpoint garbage collection. | +| operator.extraArgs | list | `[]` | Additional cilium-operator container arguments. | +| operator.extraEnv | list | `[]` | Additional cilium-operator environment variables. | +| operator.extraHostPathMounts | list | `[]` | Additional cilium-operator hostPath mounts. | +| operator.extraVolumeMounts | list | `[]` | Additional cilium-operator volumeMounts. | +| operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | +| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | +| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | +| operator.image | object | `{"alibabacloudDigest":"sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5","awsDigest":"sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22","azureDigest":"sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba","genericDigest":"sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.0","useDigest":true}` | cilium-operator image. | +| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | +| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | +| operator.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| operator.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable | +| operator.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` | +| operator.podLabels | object | `{}` | Labels to be added to cilium-operator pods | +| operator.priorityClassName | string | `""` | The priority class to use for cilium-operator | +| operator.prometheus | object | `{"enabled":false,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"labels":{}}}` | Enable prometheus metrics for cilium-operator on the configured port at /metrics | +| operator.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-operator | +| operator.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | +| operator.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-operator | +| operator.removeNodeTaints | bool | `true` | Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium pod running. | +| operator.replicas | int | `2` | Number of replicas to run for the cilium-operator deployment | +| operator.resources | object | `{}` | cilium-operator resource limits & requests ref: https://kubernetes.io/docs/user-guide/compute-resources/ | +| operator.rollOutPods | bool | `false` | Roll out cilium-operator pods automatically when configmap is updated. | +| operator.securityContext | object | `{}` | Security context to be added to cilium-operator pods | +| operator.setNodeNetworkStatus | bool | `true` | Set Node condition NetworkUnavailable to 'false' with the reason 'CiliumIsUp' for nodes that have a healthy Cilium pod. | +| operator.skipCRDCreation | bool | `false` | Skip CRDs creation for cilium-operator | +| operator.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for cilium-operator scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| operator.unmanagedPodWatcher.intervalSeconds | int | `15` | Interval, in seconds, to check if there are any pods that are not managed by Cilium. | +| operator.unmanagedPodWatcher.restart | bool | `true` | Restart any pod that are not managed by Cilium. | +| operator.updateStrategy | object | `{"rollingUpdate":{"maxSurge":1,"maxUnavailable":1},"type":"RollingUpdate"}` | cilium-operator update strategy | +| podAnnotations | object | `{}` | Annotations to be added to agent pods | +| podLabels | object | `{}` | Labels to be added to agent pods | +| policyEnforcementMode | string | `"default"` | The agent can be put into one of the three policy enforcement modes: default, always and never. ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes | +| pprof.enabled | bool | `false` | Enable Go pprof debugging | +| preflight.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-preflight | +| preflight.enabled | bool | `false` | Enable Cilium pre-flight resources (required for upgrade) | +| preflight.extraEnv | list | `[]` | Additional preflight environment variables. | +| preflight.image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Cilium pre-flight image. | +| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | +| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | +| preflight.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number/percentage of pods that may be made unavailable | +| preflight.podDisruptionBudget.minAvailable | string | `nil` | Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null` | +| preflight.podLabels | object | `{}` | Labels to be added to the preflight pod. | +| preflight.priorityClassName | string | `""` | The priority class to use for the preflight pod. | +| preflight.resources | object | `{}` | preflight resource limits & requests ref: https://kubernetes.io/docs/user-guide/compute-resources/ | +| preflight.securityContext | object | `{}` | Security context to be added to preflight pods | +| preflight.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for preflight Deployment and DaemonSet. | +| preflight.tofqdnsPreCache | string | `""` | Path to write the `--tofqdns-pre-cache` file to. | +| preflight.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | Node tolerations for preflight scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| preflight.updateStrategy | object | `{"type":"RollingUpdate"}` | preflight update strategy | +| preflight.validateCNPs | bool | `true` | By default we should always validate the installed CNPs before upgrading Cilium. This will make sure the user will have the policies deployed in the cluster with the right schema. | +| priorityClassName | string | `""` | The priority class to use for cilium-agent. | +| prometheus | object | `{"enabled":false,"metrics":null,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"labels":{}}}` | Configure prometheus metrics on the configured port at /metrics | +| prometheus.metrics | string | `nil` | Metrics that should be enabled or disabled from the default metric list. (+metric_foo to enable metric_foo , -metric_bar to disable metric_bar). ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics | +| prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-agent | +| prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | +| prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-agent | +| proxy | object | `{"prometheus":{"enabled":true,"port":"9964"},"sidecarImageRegex":"cilium/istio_proxy"}` | Configure Istio proxy options. | +| proxy.sidecarImageRegex | string | `"cilium/istio_proxy"` | Regular expression matching compatible Istio sidecar istio-proxy container image names | +| rbac.create | bool | `true` | Enable creation of Resource-Based Access Control configuration. | +| readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe | +| readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe | +| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity | +| resourceQuotas | object | `{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}` | Enable resource quotas for priority classes used in the cluster. | +| resources | object | `{}` | Agent resource limits & requests ref: https://kubernetes.io/docs/user-guide/compute-resources/ | +| rollOutCiliumPods | bool | `false` | Roll out cilium agent pods automatically when configmap is updated. | +| securityContext | object | `{"extraCapabilities":["DAC_OVERRIDE","FOWNER","SETGID","SETUID"],"privileged":false}` | Security context to be added to agent pods | +| serviceAccounts | object | Component's fully qualified name. | Define serviceAccount names for components. | +| serviceAccounts.clustermeshcertgen | object | `{"annotations":{},"create":true,"name":"clustermesh-apiserver-generate-certs"}` | Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob | +| serviceAccounts.hubblecertgen | object | `{"annotations":{},"create":true,"name":"hubble-generate-certs"}` | Hubblecertgen is used if hubble.tls.auto.method=cronJob | +| sleepAfterInit | bool | `false` | Do not run Cilium agent when running with clean mode. Useful to completely uninstall Cilium as it will stop Cilium from starting and create artifacts in the node. | +| socketLB | object | `{"enabled":false}` | Configure socket LB | +| socketLB.enabled | bool | `false` | Enable socket LB | +| sockops | object | `{"enabled":false}` | Configure BPF socket operations configuration | +| startupProbe.failureThreshold | int | `105` | failure threshold of startup probe. 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) | +| startupProbe.periodSeconds | int | `2` | interval between checks of the startup probe | +| svcSourceRangeCheck | bool | `true` | Enable check of service source ranges (currently, only for LoadBalancer). | +| synchronizeK8sNodes | bool | `true` | Synchronize Kubernetes nodes to kvstore and perform CNP GC. | +| terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-agent DaemonSet. | +| tls | object | `{"ca":{"cert":"","certValidityDuration":1095,"key":""},"secretsBackend":"local"}` | Configure TLS configuration in the agent. | +| tls.ca | object | `{"cert":"","certValidityDuration":1095,"key":""}` | Base64 encoded PEM values for the CA certificate and private key. This can be used as common CA to generate certificates used by hubble and clustermesh components | +| tls.ca.cert | string | `""` | Optional CA cert. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated. | +| tls.ca.certValidityDuration | int | `1095` | Generated certificates validity duration in days. This will be used for auto generated CA. | +| tls.ca.key | string | `""` | Optional CA private key. If it is provided, it will be used by cilium to generate all other certificates. Otherwise, an ephemeral CA is generated. | +| tls.secretsBackend | string | `"local"` | This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). Possible values: - local - k8s | +| tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| tunnel | string | `"vxlan"` | Configure the encapsulation configuration for communication between nodes. Possible values: - disabled - vxlan (default) - geneve | +| updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | Cilium agent update strategy | +| vtep.cidr | string | `""` | A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" | +| vtep.enabled | bool | `false` | Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. | +| vtep.endpoint | string | `""` | A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" | +| vtep.mac | string | `""` | A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" | +| vtep.mask | string | `""` | VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" | +| waitForKubeProxy | bool | `false` | Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" init container before launching cilium-agent. More context can be found in the commit message of below PR https://github.com/cilium/cilium/pull/20123 | +| wellKnownIdentities.enabled | bool | `false` | Enable the use of well-known identities. | diff --git a/cli/internal/helm/charts/cilium/README.md.gotmpl b/cli/internal/helm/charts/cilium/README.md.gotmpl new file mode 100644 index 000000000..1e777a251 --- /dev/null +++ b/cli/internal/helm/charts/cilium/README.md.gotmpl @@ -0,0 +1,54 @@ +{{ template "chart.header" . }} + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +Cilium is open source software for providing and transparently securing +network connectivity and loadbalancing between application workloads such as +application containers or processes. Cilium operates at Layer 3/4 to provide +traditional networking and security services as well as Layer 7 to protect and +secure use of modern application protocols such as HTTP, gRPC and Kafka. + +A new Linux kernel technology called eBPF is at the foundation of Cilium. +It supports dynamic insertion of eBPF bytecode into the Linux kernel at various +integration points such as: network IO, application sockets, and tracepoints +to implement security, networking and visibility logic. eBPF is highly +efficient and flexible. + +![Cilium feature overview](https://raw.githubusercontent.com/cilium/cilium/master/Documentation/images/cilium_overview.png) + +## Prerequisites + +* Kubernetes: `{{ template "chart.kubeVersion" . }}` +* Helm: `>= 3.0` + +## Getting Started + +Try Cilium on any Kubernetes distribution in under 15 minutes: + +| Minikube | Self-Managed K8s | Amazon EKS | Google GKE | Microsoft AKS | +|:-:|:-:|:-:|:-:|:-:| +| [![Minikube](https://raw.githubusercontent.com/cilium/charts/master/images/minikube.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Self-Managed Kubernetes](https://raw.githubusercontent.com/cilium/charts/master/images/k8s.png)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Amazon EKS](https://raw.githubusercontent.com/cilium/charts/master/images/aws.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Google GKE](https://raw.githubusercontent.com/cilium/charts/master/images/google-cloud.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | [![Microsoft AKS](https://raw.githubusercontent.com/cilium/charts/master/images/azure.svg)](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/) | + +Or, for a quick install with the default configuration: + +``` +$ helm repo add cilium https://helm.cilium.io/ +$ helm install cilium cilium/cilium --namespace=kube-system +``` + +After Cilium is installed, you can explore the features that Cilium has to +offer from the [Getting Started Guides page](https://docs.cilium.io/en/latest/gettingstarted/). + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +## Getting Help + +The best way to get help if you get stuck is to ask a question on the +[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium +contributors across the globe, there is almost always someone available to help. + +{{ template "chart.valuesSection" . }} diff --git a/cli/internal/helm/charts/cilium/files/nodeinit/poststart-eni.bash b/cli/internal/helm/charts/cilium/files/nodeinit/poststart-eni.bash new file mode 100644 index 000000000..3c75f12aa --- /dev/null +++ b/cli/internal/helm/charts/cilium/files/nodeinit/poststart-eni.bash @@ -0,0 +1,21 @@ +#!/bin/bash + +set -o errexit +set -o pipefail +set -o nounset + +# When running in AWS ENI mode, it's likely that 'aws-node' has +# had a chance to install SNAT iptables rules. These can result +# in dropped traffic, so we should attempt to remove them. +# We do it using a 'postStart' hook since this may need to run +# for nodes which might have already been init'ed but may still +# have dangling rules. This is safe because there are no +# dependencies on anything that is part of the startup script +# itself, and can be safely run multiple times per node (e.g. in +# case of a restart). +if [[ "$(iptables-save | grep -c AWS-SNAT-CHAIN)" != "0" ]]; +then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -v AWS-SNAT-CHAIN | iptables-restore +fi +echo 'Done!' diff --git a/cli/internal/helm/charts/cilium/files/nodeinit/prestop.bash b/cli/internal/helm/charts/cilium/files/nodeinit/prestop.bash new file mode 100644 index 000000000..caf4ba619 --- /dev/null +++ b/cli/internal/helm/charts/cilium/files/nodeinit/prestop.bash @@ -0,0 +1,56 @@ +#!/bin/bash + +set -o errexit +set -o pipefail +set -o nounset + +if stat /tmp/node-deinit.cilium.io > /dev/null 2>&1; then + exit 0 +fi + +echo "Waiting on pods to stop..." +if [ ! -f /etc/crictl.yaml ] || grep -q 'docker' /etc/crictl.yaml; then + # Works for COS, ubuntu + while docker ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done +else + # COS-beta (with containerd). Some versions of COS have crictl in /home/kubernetes/bin. + while PATH="${PATH}:/home/kubernetes/bin" crictl ps | grep -v "node-init" | grep -q "POD_cilium"; do sleep 1; done +fi + +if ip link show cilium_host; then + echo "Deleting cilium_host interface..." + ip link del cilium_host +fi + +{{- if not (eq .Values.nodeinit.bootstrapFile "") }} +rm -f {{ .Values.nodeinit.bootstrapFile | quote }} +{{- end }} + +rm -f /tmp/node-init.cilium.io +touch /tmp/node-deinit.cilium.io + +{{- if .Values.nodeinit.reconfigureKubelet }} +# Check if we're running on a GKE containerd flavor. +GKE_KUBERNETES_BIN_DIR="/home/kubernetes/bin" +if [[ -f "${GKE_KUBERNETES_BIN_DIR}/gke" ]] && command -v containerd &>/dev/null; then + CONTAINERD_CONFIG="/etc/containerd/config.toml" + echo "Reverting changes to the containerd configuration" + sed -Ei "s/^\#(\s+conf_template)/\1/g" "${CONTAINERD_CONFIG}" + echo "Removing the kubelet wrapper" + [[ -f "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" ]] && mv "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" "${GKE_KUBERNETES_BIN_DIR}/kubelet" +else + echo "Changing kubelet configuration to --network-plugin=kubenet" + sed -i "s:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:--network-plugin=kubenet:g" /etc/default/kubelet +fi +echo "Restarting the kubelet" +systemctl restart kubelet +{{- end }} + +{{- if (and .Values.gke.enabled (or .Values.enableIPv4Masquerade .Values.gke.disableDefaultSnat))}} +# If the IP-MASQ chain exists, add back default jump rule from the GKE instance configure script +if iptables -w -t nat -L IP-MASQ > /dev/null; then + iptables -w -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ +fi +{{- end }} + +echo "Node de-initialization complete" diff --git a/cli/internal/helm/charts/cilium/files/nodeinit/startup.bash b/cli/internal/helm/charts/cilium/files/nodeinit/startup.bash new file mode 100644 index 000000000..91bc5d297 --- /dev/null +++ b/cli/internal/helm/charts/cilium/files/nodeinit/startup.bash @@ -0,0 +1,168 @@ +#!/bin/bash + +set -o errexit +set -o pipefail +set -o nounset + +echo "Link information:" +ip link + +echo "Routing table:" +ip route + +echo "Addressing:" +ip -4 a +ip -6 a + +{{- if .Values.nodeinit.removeCbrBridge }} +if ip link show cbr0; then + echo "Detected cbr0 bridge. Deleting interface..." + ip link del cbr0 +fi +{{- end }} + +{{- if .Values.nodeinit.reconfigureKubelet }} +# Check if we're running on a GKE containerd flavor as indicated by the presence +# of the '--container-runtime-endpoint' flag in '/etc/default/kubelet'. +GKE_KUBERNETES_BIN_DIR="/home/kubernetes/bin" +KUBELET_DEFAULTS_FILE="/etc/default/kubelet" +if [[ -f "${GKE_KUBERNETES_BIN_DIR}/gke" ]] && [[ $(grep -cF -- '--container-runtime-endpoint' "${KUBELET_DEFAULTS_FILE}") == "1" ]]; then + echo "GKE *_containerd flavor detected..." + + # (GKE *_containerd) Upon node restarts, GKE's containerd images seem to reset + # the /etc directory and our changes to the kubelet and Cilium's CNI + # configuration are removed. This leaves room for containerd and its CNI to + # take over pods previously managed by Cilium, causing Cilium to lose + # ownership over these pods. We rely on the empirical observation that + # /home/kubernetes/bin/kubelet is not changed across node reboots, and replace + # it with a wrapper script that performs some initialization steps when + # required and then hands over control to the real kubelet. + + # Only create the kubelet wrapper if we haven't previously done so. + if [[ ! -f "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" ]]; + then + echo "Installing the kubelet wrapper..." + + # Rename the real kubelet. + mv "${GKE_KUBERNETES_BIN_DIR}/kubelet" "${GKE_KUBERNETES_BIN_DIR}/the-kubelet" + + # Initialize the kubelet wrapper which lives in the place of the real kubelet. + touch "${GKE_KUBERNETES_BIN_DIR}/kubelet" + chmod a+x "${GKE_KUBERNETES_BIN_DIR}/kubelet" + + # Populate the kubelet wrapper. It will perform the initialization steps we + # need and then become the kubelet. + cat <<'EOF' | tee "${GKE_KUBERNETES_BIN_DIR}/kubelet" +#!/bin/bash + +set -euo pipefail + +CNI_CONF_DIR="/etc/cni/net.d" +CONTAINERD_CONFIG="/etc/containerd/config.toml" + +# Only stop and start containerd if the Cilium CNI configuration does not exist, +# or if the 'conf_template' property is present in the containerd config file, +# in order to avoid unnecessarily restarting containerd. +if [[ -z "$(find "${CNI_CONF_DIR}" -type f -name '*cilium*')" || \ + "$(grep -cE '^\s+conf_template' "${CONTAINERD_CONFIG}")" != "0" ]]; +then + # Stop containerd as it starts by creating a CNI configuration from a template + # causing pods to start with IPs assigned by GKE's CNI. + # 'disable --now' is used instead of stop as this script runs concurrently + # with containerd on node startup, and hence containerd might not have been + # started yet, in which case 'disable' prevents it from starting. + echo "Disabling and stopping containerd" + systemctl disable --now containerd + + # Remove any pre-existing files in the CNI configuration directory. We skip + # any possibly existing Cilium configuration file for the obvious reasons. + echo "Removing undesired CNI configuration files" + find "${CNI_CONF_DIR}" -type f -not -name '*cilium*' -exec rm {} \; + + # As mentioned above, the containerd configuration needs a little tweak in + # order not to create the default CNI configuration, so we update its config. + echo "Fixing containerd configuration" + sed -Ei 's/^(\s+conf_template)/\#\1/g' "${CONTAINERD_CONFIG}" + + # Start containerd. It won't create it's CNI configuration file anymore. + echo "Enabling and starting containerd" + systemctl enable --now containerd +fi + +# Become the real kubelet, and pass it some additionally required flags (and +# place these last so they have precedence). +exec /home/kubernetes/bin/the-kubelet "${@}" --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }} +EOF + else + echo "Kubelet wrapper already exists, skipping..." + fi +else + # (Generic) Alter the kubelet configuration to run in CNI mode + echo "Changing kubelet configuration to --network-plugin=cni --cni-bin-dir={{ .Values.cni.binPath }}" + mkdir -p {{ .Values.cni.binPath }} + sed -i "s:--network-plugin=kubenet:--network-plugin=cni\ --cni-bin-dir={{ .Values.cni.binPath }}:g" "${KUBELET_DEFAULTS_FILE}" +fi +echo "Restarting the kubelet..." +systemctl restart kubelet +{{- end }} + +{{- if (and .Values.gke.enabled (or .Values.enableIPv4Masquerade .Values.gke.disableDefaultSnat))}} +# If Cilium is configured to manage masquerading of traffic leaving the node, +# we need to disable the IP-MASQ chain because even if ip-masq-agent +# is not installed, the node init script installs some default rules into +# the IP-MASQ chain. +# If we remove the jump to that ip-masq chain, then we ensure the ip masquerade +# configuration is solely managed by Cilium. +# Also, if Cilium is installed, it may be expected that it would be solely responsible +# for the networking configuration on that node. So provide the same functionality +# as the --disable-snat-flag for existing GKE clusters. +iptables -w -t nat -D POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ || true +{{- end }} + +{{- if not (eq .Values.nodeinit.bootstrapFile "") }} +mkdir -p {{ .Values.nodeinit.bootstrapFile | dir | quote }} +date > {{ .Values.nodeinit.bootstrapFile | quote }} +{{- end }} + +{{- if .Values.azure.enabled }} +# AKS: If azure-vnet is installed on the node, and (still) configured in bridge mode, +# configure it as 'transparent' to be consistent with Cilium's CNI chaining config. +# If the azure-vnet CNI config is not removed, kubelet will execute CNI CHECK commands +# against it every 5 seconds and write 'bridge' to its state file, causing inconsistent +# behaviour when Pods are removed. +if [ -f /etc/cni/net.d/10-azure.conflist ]; then + echo "Ensuring azure-vnet is configured in 'transparent' mode..." + sed -i 's/"mode":\s*"bridge"/"mode":"transparent"/g' /etc/cni/net.d/10-azure.conflist +fi + +# The azure0 interface being present means the node was booted with azure-vnet configured +# in bridge mode. This means there might be ebtables rules and neight entries interfering +# with pod connectivity if we deploy with Azure IPAM. +if ip l show dev azure0 >/dev/null 2>&1; then + + # In Azure IPAM mode, also remove the azure-vnet state file, otherwise ebtables rules get + # restored by the azure-vnet CNI plugin on every CNI CHECK, which can cause connectivity + # issues in Cilium-managed Pods. Since azure-vnet is no longer called on scheduling events, + # this file can be removed. + rm -f /var/run/azure-vnet.json + + # This breaks connectivity for existing workload Pods when Cilium is scheduled, but we need + # to flush these to prevent Cilium-managed Pod IPs conflicting with Pod IPs previously allocated + # by azure-vnet. These ebtables DNAT rules contain fixed MACs that are no longer bound on the node, + # causing packets for these Pods to be redirected back out to the gateway, where they are dropped. + echo 'Flushing ebtables pre/postrouting rules in nat table.. (disconnecting non-Cilium Pods!)' + ebtables -t nat -F PREROUTING || true + ebtables -t nat -F POSTROUTING || true + + # ip-masq-agent periodically injects PERM neigh entries towards the gateway + # for all other k8s nodes in the cluster. These are safe to flush, as ARP can + # resolve these nodes as usual. PERM entries will be automatically restored later. + echo 'Deleting all permanent neighbour entries on azure0...' + ip neigh show dev azure0 nud permanent | cut -d' ' -f1 | xargs -r -n1 ip neigh del dev azure0 to || true +fi +{{- end }} + +{{- if .Values.nodeinit.revertReconfigureKubelet }} +rm -f /tmp/node-deinit.cilium.io +{{- end }} +echo "Node initialization complete" diff --git a/cli/internal/helm/charts/cilium/templates/NOTES.txt b/cli/internal/helm/charts/cilium/templates/NOTES.txt new file mode 100644 index 000000000..f54050745 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/NOTES.txt @@ -0,0 +1,22 @@ +{{- if (and (.Values.preflight.enabled) (not (.Values.agent)) (not (.Values.operator.enabled))) }} + You have successfully ran the preflight check. + Now make sure to check the number of READY pods is the same as the number of running cilium pods. + Then make sure the cilium preflight deployment is also marked READY 1/1. + If you have an issues please refer to the CNP Validation section in the upgrade guide. +{{- else if (and (.Values.hubble.enabled) (.Values.hubble.relay.enabled)) }} + {{- if (.Values.hubble.ui.enabled) }} + You have successfully installed {{ title .Chart.Name }} with Hubble Relay and Hubble UI. + {{- else }} + You have successfully installed {{ title .Chart.Name }} with Hubble Relay. + {{- end }} +{{- else if .Values.hubble.enabled }} + You have successfully installed {{ title .Chart.Name }} with Hubble. +{{- else if (and (.Values.hubble.ui.enabled) (.Values.hubble.ui.standalone.enabled)) }} + You have successfully installed {{ title .Chart.Name }} with standalone Hubble UI. +{{- else }} + You have successfully installed {{ title .Chart.Name }}. +{{- end }} + +Your release version is {{ .Chart.Version }}. + +For any further help, visit https://docs.cilium.io/en/v{{ (semver .Chart.Version).Major }}.{{ (semver .Chart.Version).Minor }}/gettinghelp diff --git a/cli/internal/helm/charts/cilium/templates/_helpers.tpl b/cli/internal/helm/charts/cilium/templates/_helpers.tpl new file mode 100644 index 000000000..a9ccbab06 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/_helpers.tpl @@ -0,0 +1,134 @@ +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cilium.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Render full image name from given values, e.g: +``` +image: + repository: quay.io/cilium/cilium + tag: v1.10.1 + useDigest: true + digest: abcdefgh +``` +then `include "cilium.image" .Values.image` +will return `quay.io/cilium/cilium:v1.10.1@abcdefgh` +*/}} +{{- define "cilium.image" -}} +{{- $digest := (.useDigest | default false) | ternary (printf "@%s" .digest) "" -}} +{{- if .override -}} +{{- printf "%s" .override -}} +{{- else -}} +{{- printf "%s:%s%s" .repository .tag $digest -}} +{{- end -}} +{{- end -}} + +{{/* +Return user specify priorityClass or default criticalPriorityClass +Usage: + include "cilium.priorityClass" (list $ ) +where: +* `priorityClass`: is user specify priorityClass e.g `.Values.operator.priorityClassName` +* `criticalPriorityClass`: default criticalPriorityClass, e.g `"system-cluster-critical"` + This value is used when `priorityClass` is `nil` and + `.Values.enableCriticalPriorityClass=true` and kubernetes supported it. +*/}} +{{- define "cilium.priorityClass" -}} +{{- $root := index . 0 -}} +{{- $priorityClass := index . 1 -}} +{{- $criticalPriorityClass := index . 2 -}} +{{- if $priorityClass }} + {{- $priorityClass }} +{{- else if and $root.Values.enableCriticalPriorityClass $criticalPriorityClass -}} + {{- if and (eq $root.Release.Namespace "kube-system") (semverCompare ">=1.10-0" $root.Capabilities.KubeVersion.Version) -}} + {{- $criticalPriorityClass }} + {{- else if semverCompare ">=1.17-0" $root.Capabilities.KubeVersion.Version -}} + {{- $criticalPriorityClass }} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} +{{- if semverCompare ">=1.16-0, <1.19-0" .Capabilities.KubeVersion.Version -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate backend for Hubble UI ingress. +*/}} +{{- define "ingress.paths" -}} +{{ if semverCompare ">=1.4-0, <1.19-0" .Capabilities.KubeVersion.Version -}} +backend: + serviceName: hubble-ui + servicePort: http +{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}} +pathType: Prefix +backend: + service: + name: hubble-ui + port: + name: http +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "cronjob.apiVersion" -}} +{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}} +{{- print "batch/v1" -}} +{{- else -}} +{{- print "batch/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for podDisruptionBudget. +*/}} +{{- define "podDisruptionBudget.apiVersion" -}} +{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}} +{{- print "policy/v1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Generate TLS CA for Cilium +Note: Always use this template as follows: + {{- $_ := include "cilium.ca.setup" . -}} + +The assignment to `$_` is required because we store the generated CI in a global `commonCA` +and `commonCASecretName` variables. + +*/}} +{{- define "cilium.ca.setup" }} + {{- if not .commonCA -}} + {{- $ca := "" -}} + {{- $secretName := "cilium-ca" -}} + {{- $crt := .Values.tls.ca.cert -}} + {{- $key := .Values.tls.ca.key -}} + {{- if and $crt $key }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- with lookup "v1" "Secret" .Release.Namespace $secretName }} + {{- $crt := index .data "ca.crt" }} + {{- $key := index .data "ca.key" }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- $validity := ( .Values.tls.ca.certValidityDuration | int) -}} + {{- $ca = genCA "Cilium CA" $validity -}} + {{- end }} + {{- end -}} + {{- $_ := set (set . "commonCA" $ca) "commonCASecretName" $secretName -}} + {{- end -}} +{{- end -}} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrole.yaml new file mode 100644 index 000000000..ca663a114 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrole.yaml @@ -0,0 +1,124 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) }} +{{- /* +Keep file in sync with cilium-preflight/clusterrole.yaml +*/ -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch +{{- if .Values.annotateK8sNode }} +- apiGroups: + - "" + resources: + - nodes/status + verbs: + # To annotate the k8s node with Cilium's metadata + - patch +{{- end }} +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + # This is used when validating policies in preflight. This will need to stay + # until we figure out how to avoid "get" inside the preflight, and then + # should be removed ideally. + - get +{{- if eq "k8s" .Values.tls.secretsBackend }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +{{- end }} +- apiGroups: + - cilium.io + resources: + - ciliumbgploadbalancerippools + - ciliumbgppeeringpolicies + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumegressnatpolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + - ciliumnodes + verbs: + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create +- apiGroups: + - cilium.io + # To synchronize garbage collection of such resources + resources: + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get +- apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints/status + - ciliumendpoints + verbs: + - patch +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml new file mode 100644 index 000000000..97ce2fb4c --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.cilium.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml new file mode 100644 index 000000000..af6fe5ff5 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -0,0 +1,844 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) }} + +{{- /* Default values with backwards compatibility */ -}} +{{- $defaultKeepDeprecatedProbes := true -}} + +{{- /* Default values when 1.8 was initially deployed */ -}} +{{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}} + {{- $defaultKeepDeprecatedProbes = false -}} +{{- end -}} + +{{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement "disabled") -}} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: cilium + namespace: {{ .Release.Namespace }} + labels: + k8s-app: cilium + {{- if .Values.keepDeprecatedLabels }} + kubernetes.io/cluster-service: "true" + {{- if and .Values.gke.enabled (eq .Release.Namespace "kube-system" ) }} + {{- fail "Invalid configuration: Installing Cilium on GKE with 'kubernetes.io/cluster-service' labels on 'kube-system' namespace causes Cilium DaemonSet to be removed by GKE. Either install Cilium on a different Namespace or install with '--set keepDeprecatedLabels=false'" }} + {{- end }} + {{- end }} +spec: + selector: + matchLabels: + k8s-app: cilium + {{- if .Values.keepDeprecatedLabels }} + kubernetes.io/cluster-service: "true" + {{- end }} + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + template: + metadata: + annotations: + {{- if and .Values.prometheus.enabled (not .Values.prometheus.serviceMonitor.enabled) }} + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scrape: "true" + {{- end }} + {{- if .Values.rollOutCiliumPods }} + # ensure pods roll when configmap updates + cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }} + {{- end }} + {{- if not .Values.securityContext.privileged }} + # Set app AppArmor's profile to "unconfined". The value of this annotation + # can be modified as long users know which profiles they have available + # in AppArmor. + container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined" + container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined" + container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined" + container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined" + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + k8s-app: cilium + {{- if .Values.keepDeprecatedLabels }} + kubernetes.io/cluster-service: "true" + {{- end }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: cilium-agent + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.sleepAfterInit }} + command: + - /bin/bash + - -c + - -- + args: + - | + while true; do + sleep 30; + done + livenessProbe: + exec: + command: + - "true" + readinessProbe: + exec: + command: + - "true" + {{- else }} + command: + - cilium-agent + args: + - --config-dir=/tmp/cilium/config-map + {{- with .Values.extraArgs }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} + startupProbe: + httpGet: + host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} + path: /healthz + port: {{ .Values.healthPort }} + scheme: HTTP + httpHeaders: + - name: "brief" + value: "true" + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + successThreshold: 1 + {{- end }} + livenessProbe: + {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }} + exec: + command: + - cilium + - status + - --brief + {{- else }} + httpGet: + host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} + path: /healthz + port: {{ .Values.healthPort }} + scheme: HTTP + httpHeaders: + - name: "brief" + value: "true" + {{- end }} + {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} + # The initial delay for the liveness probe is intentionally large to + # avoid an endless kill & restart cycle if in the event that the initial + # bootstrapping takes longer than expected. + # Starting from Kubernetes 1.20, we are using startupProbe instead + # of this field. + initialDelaySeconds: 120 + {{- end }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: 1 + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + timeoutSeconds: 5 + readinessProbe: + {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }} + exec: + command: + - cilium + - status + - --brief + {{- else }} + httpGet: + host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} + path: /healthz + port: {{ .Values.healthPort }} + scheme: HTTP + httpHeaders: + - name: "brief" + value: "true" + {{- end }} + {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} + initialDelaySeconds: 5 + {{- end }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: 1 + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + timeoutSeconds: 5 + {{- end }} + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: CILIUM_CNI_CHAINING_MODE + valueFrom: + configMapKeyRef: + name: cilium-config + key: cni-chaining-mode + optional: true + - name: CILIUM_CUSTOM_CNI_CONF + valueFrom: + configMapKeyRef: + name: cilium-config + key: custom-cni-conf + optional: true + {{- if .Values.k8sServiceHost }} + - name: KUBERNETES_SERVICE_HOST + value: {{ .Values.k8sServiceHost | quote }} + {{- end }} + {{- if .Values.k8sServicePort }} + - name: KUBERNETES_SERVICE_PORT + value: {{ .Values.k8sServicePort | quote }} + {{- end }} + {{- with .Values.extraEnv }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- if .Values.cni.install }} + lifecycle: + postStart: + exec: + command: + - "/cni-install.sh" + - "--enable-debug={{ .Values.debug.enabled }}" + - "--cni-exclusive={{ .Values.cni.exclusive }}" + - "--log-file={{ .Values.cni.logFile }}" + preStop: + exec: + command: + - /cni-uninstall.sh + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + {{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }} + ports: + {{- if .Values.hubble.peerService.enabled }} + - name: peer-service + containerPort: {{ .Values.hubble.peerService.targetPort }} + hostPort: {{ .Values.hubble.peerService.targetPort }} + protocol: TCP + {{- end }} + {{- if .Values.prometheus.enabled }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} + hostPort: {{ .Values.prometheus.port }} + protocol: TCP + {{- if .Values.proxy.prometheus.enabled }} + - name: envoy-metrics + containerPort: {{ .Values.proxy.prometheus.port }} + hostPort: {{ .Values.proxy.prometheus.port }} + protocol: TCP + {{- end }} + {{- end }} + {{- if .Values.hubble.metrics.enabled }} + - name: hubble-metrics + containerPort: {{ .Values.hubble.metrics.port }} + hostPort: {{ .Values.hubble.metrics.port }} + protocol: TCP + {{- end }} + {{- end }} + securityContext: + {{- if .Values.securityContext.privileged }} + privileged: true + {{- else }} + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + add: + # Use to set socket permission + - CHOWN + # Used to terminate envoy child process + - KILL + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used since cilium creates raw sockets, etc... + - NET_RAW + # Used since cilium monitor uses mmap + - IPC_LOCK + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + {{- with .Values.securityContext.extraCapabilities }} + {{- toYaml . | nindent 14 }} + {{- end }} + drop: + - ALL + {{- end }} + volumeMounts: + {{- if not .Values.securityContext.privileged }} + # Unprivileged containers need to mount /proc/sys/net from the host + # to have write access + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + # Unprivileged containers need to mount /proc/sys/kernel from the host + # to have write access + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + {{- end}} + {{- /* CRI-O already mounts the BPF filesystem */ -}} + {{- if not (eq .Values.containerRuntime.integration "crio") }} + - name: bpf-maps + mountPath: /sys/fs/bpf + {{- if .Values.securityContext.privileged }} + mountPropagation: Bidirectional + {{- else }} + # Unprivileged containers can't set mount propagation to bidirectional + # in this case we will mount the bpf fs from an init container that + # is privileged and set the mount propagation from host to container + # in Cilium. + mountPropagation: HostToContainer + {{- end}} + {{- end }} + {{- if not (contains "/run/cilium/cgroupv2" .Values.cgroup.hostRoot) }} + # Check for duplicate mounts before mounting + - name: cilium-cgroup + mountPath: {{ .Values.cgroup.hostRoot }} + {{- end}} + - name: cilium-run + mountPath: /var/run/cilium + - name: cni-path + mountPath: /host/opt/cni/bin + - name: etc-cni-netd + mountPath: {{ .Values.cni.hostConfDirMountPath }} + {{- if .Values.etcd.enabled }} + - name: etcd-config-path + mountPath: /var/lib/etcd-config + readOnly: true + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + - name: etcd-secrets + mountPath: /var/lib/etcd-secrets + readOnly: true + {{- end }} + {{- end }} + - name: clustermesh-secrets + mountPath: /var/lib/cilium/clustermesh + readOnly: true + - name: cilium-config-path + mountPath: /tmp/cilium/config-map + readOnly: true + {{- if .Values.ipMasqAgent.enabled }} + - name: ip-masq-agent + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.cni.configMap }} + - name: cni-configuration + mountPath: {{ .Values.cni.confFileMountPath }} + readOnly: true + {{- end }} + # Needed to be able to load kernel modules + - name: lib-modules + mountPath: /lib/modules + readOnly: true + - name: xtables-lock + mountPath: /run/xtables.lock + {{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }} + - name: cilium-ipsec-secrets + mountPath: {{ .Values.encryption.ipsec.mountPath | default .Values.encryption.mountPath }} + {{- end }} + {{- if .Values.kubeConfigPath }} + - name: kube-config + mountPath: {{ .Values.kubeConfigPath }} + readOnly: true + {{- end }} + {{- if .Values.bgp.enabled }} + - name: bgp-config-path + mountPath: /var/lib/cilium/bgp + readOnly: true + {{- end }} + {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }} + - name: hubble-tls + mountPath: /var/lib/cilium/tls/hubble + readOnly: true + {{- end }} + {{- range .Values.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- if .mountPropagation }} + mountPropagation: {{ .mountPropagation }} + {{- end }} + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.monitor.enabled }} + - name: cilium-monitor + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /bin/bash + - -c + - -- + args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium monitor + {{- range $type := .Values.monitor.eventTypes -}} + {{ " " }}--type={{ $type }} + {{- end }} + volumeMounts: + - name: cilium-run + mountPath: /var/run/cilium + {{- with .Values.monitor.resources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + {{- end }} + initContainers: + {{- if .Values.cgroup.autoMount.enabled }} + # Required to mount cgroup2 filesystem on the underlying Kubernetes node. + # We use nsenter command with host's cgroup and mount namespaces enabled. + - name: mount-cgroup + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: CGROUP_ROOT + value: {{ .Values.cgroup.hostRoot }} + - name: BIN_PATH + value: {{ .Values.cni.binPath }} + command: + - sh + - -ec + # The statically linked Go program binary is invoked to avoid any + # dependency on utilities like sh and mount that can be missing on certain + # distros installed on the underlying host. Copy the binary to the + # same directory where we install cilium cni plugin so that exec permissions + # are available. + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + volumeMounts: + - name: hostproc + mountPath: /hostproc + - name: cni-path + mountPath: /hostbin + securityContext: + {{- if .Values.securityContext.privileged }} + privileged: true + {{- else }} + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + drop: + - ALL + add: + # Only used for 'mount' cgroup + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + {{- end}} + {{- end }} + - name: apply-sysctl-overwrites + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: BIN_PATH + value: {{ .Values.cni.binPath }} + command: + - sh + - -ec + # The statically linked Go program binary is invoked to avoid any + # dependency on utilities like sh that can be missing on certain + # distros installed on the underlying host. Copy the binary to the + # same directory where we install cilium cni plugin so that exec permissions + # are available. + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + volumeMounts: + - name: hostproc + mountPath: /hostproc + - name: cni-path + mountPath: /hostbin + securityContext: + {{- if .Values.securityContext.privileged }} + privileged: true + {{- else }} + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + drop: + - ALL + add: + # Required in order to access host's /etc/sysctl.d dir + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + {{- end}} + {{- if not .Values.securityContext.privileged }} + # Mount the bpf fs if it is not mounted. We will perform this task + # from a privileged container because the mount propagation bidirectional + # only works from privileged containers. + - name: mount-bpf-fs + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' + command: + - /bin/bash + - -c + - -- + securityContext: + privileged: true + {{- /* CRI-O already mounts the BPF filesystem */ -}} + {{- if not (eq .Values.containerRuntime.integration "crio") }} + volumeMounts: + - name: bpf-maps + mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + {{- end }} + {{- end }} + {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }} + - name: wait-for-node-init + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -c + - | + until test -s {{ (print "/tmp/cilium-bootstrap.d/" (.Values.nodeinit.bootstrapFile | base)) | quote }}; do + echo "Waiting on node-init to run..."; + sleep 1; + done + volumeMounts: + - name: cilium-bootstrap-file-dir + mountPath: "/tmp/cilium-bootstrap.d" + {{- end }} + - name: clean-cilium-state + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + name: cilium-config + key: clean-cilium-state + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + name: cilium-config + key: clean-cilium-bpf-state + optional: true + {{- if .Values.k8sServiceHost }} + - name: KUBERNETES_SERVICE_HOST + value: {{ .Values.k8sServiceHost | quote }} + {{- end }} + {{- if .Values.k8sServicePort }} + - name: KUBERNETES_SERVICE_PORT + value: {{ .Values.k8sServicePort | quote }} + {{- end }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- if .Values.securityContext.privileged }} + privileged: true + {{- else }} + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + # Most of the capabilities here are the same ones used in the + # cilium-agent's container because this container can be used to + # uninstall all Cilium resources, and therefore it is likely that + # will need the same capabilities. + add: + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + drop: + - ALL + {{- end}} + volumeMounts: + {{- /* CRI-O already mounts the BPF filesystem */ -}} + {{- if not (eq .Values.containerRuntime.integration "crio") }} + - name: bpf-maps + mountPath: /sys/fs/bpf + {{- end }} + # Required to mount cgroup filesystem from the host to cilium agent pod + - name: cilium-cgroup + mountPath: {{ .Values.cgroup.hostRoot }} + mountPropagation: HostToContainer + - name: cilium-run + mountPath: /var/run/cilium + {{- with .Values.nodeinit.resources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + {{- if and .Values.waitForKubeProxy (ne $kubeProxyReplacement "strict") }} + - name: wait-for-kube-proxy + image: {{ include "cilium.image" .Values.image | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + privileged: true + command: + - bash + - -c + - | + while true + do + if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then + echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'iptables-nft-save -t mangle'" + exit 0 + fi + if ip6tables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then + echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'ip6tables-nft-save -t mangle'" + exit 0 + fi + if iptables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then + echo "Found KUBE-PROXY-CANARY iptables rule in 'iptables-legacy-save" + exit 0 + fi + if ip6tables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then + echo "KUBE-PROXY-CANARY iptables rule in 'ip6tables-legacy-save'" + exit 0 + fi + echo "Waiting for kube-proxy to create iptables rules..."; + sleep 1; + done + {{- end }} # wait-for-kube-proxy + restartPolicy: Always + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }} + serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + hostNetwork: true + {{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }} + # In managed etcd mode, Cilium must be able to resolve the DNS name of + # the etcd service + dnsPolicy: ClusterFirstWithHostNet + {{- else if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled }} + hostAliases: + {{- range $cluster := .Values.clustermesh.config.clusters }} + {{- range $ip := $cluster.ips }} + - ip: {{ $ip }} + hostnames: [ "{{ $cluster.name }}.{{ $.Values.clustermesh.config.domain }}" ] + {{- end }} + {{- end }} + {{- end }} + volumes: + # To keep state between restarts / upgrades + - name: cilium-run + hostPath: + path: {{ .Values.daemon.runPath }} + type: DirectoryOrCreate + {{- /* CRI-O already mounts the BPF filesystem */ -}} + {{- if not (eq .Values.containerRuntime.integration "crio") }} + # To keep state between restarts / upgrades for bpf maps + - name: bpf-maps + hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + {{- end }} + {{- if .Values.cgroup.autoMount.enabled }} + # To mount cgroup2 filesystem on the host + - name: hostproc + hostPath: + path: /proc + type: Directory + {{- end }} + # To keep state between restarts / upgrades for cgroup2 filesystem + - name: cilium-cgroup + hostPath: + path: {{ .Values.cgroup.hostRoot}} + type: DirectoryOrCreate + # To install cilium cni plugin in the host + - name: cni-path + hostPath: + path: {{ .Values.cni.binPath }} + type: DirectoryOrCreate + # To install cilium cni configuration in the host + - name: etc-cni-netd + hostPath: + path: {{ .Values.cni.confPath }} + type: DirectoryOrCreate + # To be able to load kernel modules + - name: lib-modules + hostPath: + path: /lib/modules + # To access iptables concurrently with other processes (e.g. kube-proxy) + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + {{- if .Values.kubeConfigPath }} + - name: kube-config + hostPath: + path: {{ .Values.kubeConfigPath }} + type: FileOrCreate + {{- end }} + {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }} + - name: cilium-bootstrap-file-dir + hostPath: + path: {{ .Values.nodeinit.bootstrapFile | dir | quote }} + type: DirectoryOrCreate + {{- end }} + {{- if .Values.etcd.enabled }} + # To read the etcd config stored in config maps + - name: etcd-config-path + configMap: + name: cilium-config + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + items: + - key: etcd-config + path: etcd.config + # To read the k8s etcd secrets in case the user might want to use TLS + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + - name: etcd-secrets + secret: + secretName: cilium-etcd-secrets + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + optional: true + {{- end }} + {{- end }} + # To read the clustermesh configuration + - name: clustermesh-secrets + secret: + secretName: cilium-clustermesh + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + optional: true + # To read the configuration from the config map + - name: cilium-config-path + configMap: + name: cilium-config + {{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }} + - name: ip-masq-agent + configMap: + name: ip-masq-agent + optional: true + items: + - key: config + path: ip-masq-agent + {{- end }} + {{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }} + - name: cilium-ipsec-secrets + secret: + secretName: {{ .Values.encryption.ipsec.secretName | default .Values.encryption.secretName }} + {{- end }} + {{- if .Values.cni.configMap }} + - name: cni-configuration + configMap: + name: {{ .Values.cni.configMap }} + {{- end }} + {{- if .Values.bgp.enabled }} + - name: bgp-config-path + configMap: + name: bgp-config + {{- end }} + {{- if not .Values.securityContext.privileged }} + - name: host-proc-sys-net + hostPath: + path: /proc/sys/net + type: Directory + - name: host-proc-sys-kernel + hostPath: + path: /proc/sys/kernel + type: Directory + {{- end }} + {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }} + - name: hubble-tls + projected: + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + sources: + - secret: + name: hubble-server-certs + optional: true + items: + - key: ca.crt + path: client-ca.crt + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + {{- end }} + {{- range .Values.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- if .hostPathType }} + type: {{ .hostPathType }} + {{- end }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/role.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/role.yaml new file mode 100644 index 000000000..c3b9ce3b0 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/role.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.name }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cilium-secrets + namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/rolebinding.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/rolebinding.yaml new file mode 100644 index 000000000..30fe6552a --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/rolebinding.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.name}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cilium-secrets + namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-secrets +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccounts.cilium.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/service.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/service.yaml new file mode 100644 index 000000000..6a95ecf45 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/service.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.prometheus.enabled }} +{{- if .Values.prometheus.serviceMonitor.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: cilium-agent + namespace: {{ .Release.Namespace }} + labels: + k8s-app: cilium +spec: + clusterIP: None + type: ClusterIP + selector: + k8s-app: cilium + ports: + - name: metrics + port: {{ .Values.prometheus.port }} + protocol: TCP + targetPort: prometheus + - name: envoy-metrics + port: {{ .Values.proxy.prometheus.port }} + protocol: TCP + targetPort: envoy-metrics +{{- else if .Values.proxy.prometheus.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: cilium-agent + namespace: {{ .Release.Namespace }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.proxy.prometheus.port | quote }} + labels: + k8s-app: cilium +spec: + clusterIP: None + type: ClusterIP + selector: + k8s-app: cilium + ports: + - name: envoy-metrics + port: {{ .Values.proxy.prometheus.port }} + protocol: TCP + targetPort: envoy-metrics +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/serviceaccount.yaml new file mode 100644 index 000000000..605506f15 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.cilium.name | quote }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAccounts.cilium.annotations }} + annotations: + {{- toYaml .Values.serviceAccounts.cilium.annotations | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml new file mode 100644 index 000000000..66765b6b7 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.agent (not .Values.preflight.enabled) .Values.prometheus.enabled .Values.prometheus.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: cilium-agent + namespace: {{ .Values.prometheus.serviceMonitor.namespace | default .Release.Namespace }} + labels: + {{- with .Values.prometheus.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + k8s-app: cilium + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + interval: 10s + honorLabels: true + path: /metrics + targetLabels: + - k8s-app +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-ca-secret.yaml b/cli/internal/helm/charts/cilium/templates/cilium-ca-secret.yaml new file mode 100644 index 000000000..f512b1850 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-ca-secret.yaml @@ -0,0 +1,17 @@ +{{- if or + (and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") (not .Values.clustermesh.apiserver.tls.ca.cert)) + (and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") (not .Values.hubble.tls.ca.cert)) + (and .Values.tls.ca.key .Values.tls.ca.cert) +-}} + +{{- $_ := include "cilium.ca.setup" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .commonCASecretName }} + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ .commonCA.Cert | b64enc }} + ca.key: {{ .commonCA.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml b/cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml new file mode 100644 index 000000000..9e3db9f63 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml @@ -0,0 +1,950 @@ +{{- if and (.Values.agent) (not .Values.preflight.enabled) }} +{{- /* Default values with backwards compatibility */ -}} +{{- $defaultEnableCnpStatusUpdates := "true" -}} +{{- $defaultBpfMapDynamicSizeRatio := 0.0 -}} +{{- $defaultBpfMasquerade := "false" -}} +{{- $defaultBpfClockProbe := "false" -}} +{{- $defaultBpfTProxy := "false" -}} +{{- $defaultIPAM := "cluster-pool" -}} +{{- $defaultOperatorApiServeAddr := "localhost:9234" -}} +{{- $defaultBpfCtTcpMax := 524288 -}} +{{- $defaultBpfCtAnyMax := 262144 -}} +{{- $enableIdentityMark := "true" -}} +{{- $fragmentTracking := "true" -}} +{{- $crdWaitTimeout := "5m" -}} +{{- $defaultKubeProxyReplacement := "disabled" -}} +{{- $azureUsePrimaryAddress := "true" -}} + +{{- /* Default values when 1.8 was initially deployed */ -}} +{{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}} + {{- $defaultEnableCnpStatusUpdates = "false" -}} + {{- $defaultBpfMapDynamicSizeRatio = 0.0025 -}} + {{- $defaultBpfMasquerade = "true" -}} + {{- $defaultBpfClockProbe = "true" -}} + {{- $defaultIPAM = "cluster-pool" -}} + {{- if .Values.ipv4.enabled }} + {{- $defaultOperatorApiServeAddr = "127.0.0.1:9234" -}} + {{- else -}} + {{- $defaultOperatorApiServeAddr = "[::1]:9234" -}} + {{- end }} + {{- $defaultBpfCtTcpMax = 0 -}} + {{- $defaultBpfCtAnyMax = 0 -}} + {{- $defaultKubeProxyReplacement = "probe" -}} +{{- end -}} + +{{- /* Default values when 1.9 was initially deployed */ -}} +{{- if semverCompare ">=1.9" (default "1.9" .Values.upgradeCompatibility) -}} + {{- $defaultKubeProxyReplacement = "probe" -}} +{{- end -}} + +{{- /* Default values when 1.10 was initially deployed */ -}} +{{- if semverCompare ">=1.10" (default "1.10" .Values.upgradeCompatibility) -}} + {{- /* Needs to be explicitly disabled because it was enabled on all versions >=v1.8 above. */ -}} + {{- $defaultBpfMasquerade = "false" -}} +{{- end -}} + +{{- /* Default values when 1.12 was initially deployed */ -}} +{{- if semverCompare ">=1.12" (default "1.12" .Values.upgradeCompatibility) -}} + {{- if .Values.azure.enabled }} + {{- $azureUsePrimaryAddress = "false" -}} + {{- end }} +{{- end -}} + +{{- $ipam := (coalesce .Values.ipam.mode $defaultIPAM) -}} +{{- $bpfCtTcpMax := (coalesce .Values.bpf.ctTcpMax $defaultBpfCtTcpMax) -}} +{{- $bpfCtAnyMax := (coalesce .Values.bpf.ctAnyMax $defaultBpfCtAnyMax) -}} +{{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement $defaultKubeProxyReplacement) -}} +{{- $azureUsePrimaryAddress = (coalesce .Values.azure.usePrimaryAddress $azureUsePrimaryAddress) -}} +{{- $socketLB := (coalesce .Values.socketLB .Values.hostServices) -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cilium-config + namespace: {{ .Release.Namespace }} +data: +{{- if .Values.etcd.enabled }} + # The kvstore configuration is used to enable use of a kvstore for state + # storage. This can either be provided with an external kvstore or with the + # help of cilium-etcd-operator which operates an etcd cluster automatically. + kvstore: etcd + {{- if .Values.etcd.k8sService }} + kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config", "etcd.operator": "true"}' + {{- else }} + kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}' + {{- end }} + + # This etcd-config contains the etcd endpoints of your cluster. If you use + # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config + etcd-config: |- + --- + endpoints: + {{- if .Values.etcd.managed }} + - https://cilium-etcd-client.{{ .Release.Namespace }}.svc:2379 + {{- else }} + {{- range .Values.etcd.endpoints }} + - {{ . }} + {{- end }} + {{- end }} + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + trusted-ca-file: '/var/lib/etcd-secrets/etcd-client-ca.crt' + key-file: '/var/lib/etcd-secrets/etcd-client.key' + cert-file: '/var/lib/etcd-secrets/etcd-client.crt' + {{- end }} +{{- end }} + +{{- if hasKey .Values "conntrackGCInterval" }} + conntrack-gc-interval: {{ .Values.conntrackGCInterval | quote }} +{{- end }} + +{{- if hasKey .Values "disableEnvoyVersionCheck" }} + disable-envoy-version-check: {{ .Values.disableEnvoyVersionCheck | quote }} +{{- end }} + + # Identity allocation mode selects how identities are shared between cilium + # nodes by setting how they are stored. The options are "crd" or "kvstore". + # - "crd" stores identities in kubernetes as CRDs (custom resource definition). + # These can be queried with: + # kubectl get ciliumid + # - "kvstore" stores identities in an etcd kvstore, that is + # configured below. Cilium versions before 1.6 supported only the kvstore + # backend. Upgrades from these older cilium versions should continue using + # the kvstore by commenting out the identity-allocation-mode below, or + # setting it to "kvstore". + identity-allocation-mode: {{ .Values.identityAllocationMode }} +{{- if hasKey .Values "identityHeartbeatTimeout" }} + identity-heartbeat-timeout: "{{ .Values.identityHeartbeatTimeout }}" +{{- end }} +{{- if hasKey .Values "identityGCInterval" }} + identity-gc-interval: "{{ .Values.identityGCInterval }}" +{{- end }} +{{- if hasKey .Values.operator "endpointGCInterval" }} + cilium-endpoint-gc-interval: "{{ .Values.operator.endpointGCInterval }}" +{{- end }} + +{{- if hasKey .Values.operator "nodeGCInterval" }} + nodes-gc-interval: "{{ .Values.operator.nodeGCInterval | default "0s" }}" +{{- end }} + +{{- if hasKey .Values "disableEndpointCRD" }} + # Disable the usage of CiliumEndpoint CRD + disable-endpoint-crd: "{{ .Values.disableEndpointCRD }}" +{{- end }} + +{{- if hasKey .Values "identityChangeGracePeriod" }} + # identity-change-grace-period is the grace period that needs to pass + # before an endpoint that has changed its identity will start using + # that new identity. During the grace period, the new identity has + # already been allocated and other nodes in the cluster have a chance + # to whitelist the new upcoming identity of the endpoint. + identity-change-grace-period: {{ default "5s" .Values.identityChangeGracePeriod | quote }} +{{- end }} + +{{- if hasKey .Values "labels" }} + # To include or exclude matched resources from cilium identity evaluation + labels: {{ .Values.labels | quote }} +{{- end }} + + # If you want to run cilium in debug mode change this value to true + debug: {{ .Values.debug.enabled | quote }} + +{{- if hasKey .Values.debug "verbose" }} + debug-verbose: "{{ .Values.debug.verbose }}" +{{- end }} + +{{- if ne (int .Values.healthPort) 9879 }} + # Set the TCP port for the agent health status API. This is not the port used + # for cilium-health. + agent-health-port: "{{ .Values.healthPort }}" +{{- end }} + +{{- if hasKey .Values "clusterHealthPort" }} + # Set the TCP port for the agent health API. This port is used for cilium-health. + cluster-health-port: "{{ .Values.clusterHealthPort }}" +{{- end }} + +{{- if hasKey .Values "policyEnforcementMode" }} + # The agent can be put into the following three policy enforcement modes + # default, always and never. + # https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes + enable-policy: "{{ lower .Values.policyEnforcementMode }}" +{{- end }} + +{{- if .Values.prometheus.enabled }} + # If you want metrics enabled in all of your Cilium agents, set the port for + # which the Cilium agents will have their metrics exposed. + # This option deprecates the "prometheus-serve-addr" in the + # "cilium-metrics-config" ConfigMap + # NOTE that this will open the port on ALL nodes where Cilium pods are + # scheduled. + prometheus-serve-addr: ":{{ .Values.prometheus.port }}" + # Port to expose Envoy metrics (e.g. "9964"). Envoy metrics listener will be disabled if this + # field is not set. + {{- if .Values.proxy.prometheus.enabled }} + proxy-prometheus-port: "{{ .Values.proxy.prometheus.port }}" + {{- end }} + {{- if .Values.prometheus.metrics }} + # Metrics that should be enabled or disabled from the default metric + # list. (+metric_foo to enable metric_foo , -metric_bar to disable + # metric_bar). + metrics: {{- range .Values.prometheus.metrics }} + {{ . }} + {{- end }} + {{- end }} +{{- end }} + +{{- if .Values.operator.prometheus.enabled }} + # If you want metrics enabled in cilium-operator, set the port for + # which the Cilium Operator will have their metrics exposed. + # NOTE that this will open the port on the nodes where Cilium operator pod + # is scheduled. + operator-prometheus-serve-addr: ":{{ .Values.operator.prometheus.port }}" + enable-metrics: "true" +{{- end }} + +{{- if .Values.operator.skipCRDCreation }} + skip-crd-creation: "true" +{{- end }} + +{{- if .Values.ingressController.enabled }} + enable-ingress-controller: "true" + enable-envoy-config: "true" + enforce-ingress-https: {{ .Values.ingressController.enforceHttps | quote }} + enable-ingress-secrets-sync: {{ .Values.ingressController.secretsNamespace.sync | quote }} + ingress-secrets-namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} +{{- end }} + + # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 + # address. + enable-ipv4: {{ .Values.ipv4.enabled | quote }} + + # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 + # address. + enable-ipv6: {{ .Values.ipv6.enabled | quote }} + +{{- if .Values.cleanState }} + # If a serious issue occurs during Cilium startup, this + # invasive option may be set to true to remove all persistent + # state. Endpoints will not be restored using knowledge from a + # prior Cilium run, so they may receive new IP addresses upon + # restart. This also triggers clean-cilium-bpf-state. + clean-cilium-state: "true" +{{- end }} + +{{- if .Values.cleanBpfState }} + # If you want to clean cilium BPF state, set this to true; + # Removes all BPF maps from the filesystem. Upon restart, + # endpoints are restored with the same IP addresses, however + # any ongoing connections may be disrupted briefly. + # Loadbalancing decisions will be reset, so any ongoing + # connections via a service may be loadbalanced to a different + # backend after restart. + clean-cilium-bpf-state: "true" +{{- end }} + +{{- if hasKey .Values.cni "customConf" }} + # Users who wish to specify their own custom CNI configuration file must set + # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration. + custom-cni-conf: "{{ .Values.cni.customConf }}" +{{- end }} + +{{- if hasKey .Values "bpfClockProbe" }} + enable-bpf-clock-probe: {{ .Values.bpfClockProbe | quote }} +{{- else if eq $defaultBpfClockProbe "true" }} + enable-bpf-clock-probe: {{ $defaultBpfClockProbe | quote }} +{{- end }} + +{{- if hasKey .Values.bpf "tproxy" }} + enable-bpf-tproxy: {{ .Values.bpf.tproxy | quote }} +{{- else if eq $defaultBpfTProxy "true" }} + enable-bpf-tproxy: {{ $defaultBpfTProxy | quote }} +{{- end }} + # If you want cilium monitor to aggregate tracing for packets, set this level + # to "low", "medium", or "maximum". The higher the level, the less packets + # that will be seen in monitor output. + monitor-aggregation: {{ .Values.bpf.monitorAggregation }} + + # The monitor aggregation interval governs the typical time between monitor + # notification events for each allowed connection. + # + # Only effective when monitor aggregation is set to "medium" or higher. + monitor-aggregation-interval: {{ .Values.bpf.monitorInterval }} + + # The monitor aggregation flags determine which TCP flags which, upon the + # first observation, cause monitor notifications to be generated. + # + # Only effective when monitor aggregation is set to "medium" or higher. + monitor-aggregation-flags: {{ .Values.bpf.monitorFlags }} + + + + +{{- if hasKey .Values.bpf "mapDynamicSizeRatio" }} + # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic + # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. + bpf-map-dynamic-size-ratio: {{ .Values.bpf.mapDynamicSizeRatio | quote }} +{{- else if ne $defaultBpfMapDynamicSizeRatio 0.0 }} + # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic + # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. + bpf-map-dynamic-size-ratio: {{ $defaultBpfMapDynamicSizeRatio | quote }} +{{- end }} + +{{- if hasKey .Values.bpf "hostLegacyRouting" }} + enable-host-legacy-routing: {{ .Values.bpf.hostLegacyRouting | quote }} +{{- else if hasKey .Values.bpf "hostRouting" }} + # DEPRECATED: this block should be removed in 1.13 + enable-host-legacy-routing: {{ .Values.bpf.hostRouting | quote }} +{{- end }} + +{{- if or $bpfCtTcpMax $bpfCtAnyMax }} + # bpf-ct-global-*-max specifies the maximum number of connections + # supported across all endpoints, split by protocol: tcp or other. One pair + # of maps uses these values for IPv4 connections, and another pair of maps + # use these values for IPv6 connections. + # + # If these values are modified, then during the next Cilium startup the + # tracking of ongoing connections may be disrupted. As a result, reply + # packets may be dropped and the load-balancing decisions for established + # connections may change. + # + # For users upgrading from Cilium 1.2 or earlier, to minimize disruption + # during the upgrade process, set bpf-ct-global-tcp-max to 1000000. +{{- if $bpfCtTcpMax }} + bpf-ct-global-tcp-max: {{ $bpfCtTcpMax | quote }} +{{- end }} +{{- if $bpfCtAnyMax }} + bpf-ct-global-any-max: {{ $bpfCtAnyMax | quote }} +{{- end }} +{{- end }} +{{- if hasKey .Values.bpf "natMax" }} + # bpf-nat-global-max specified the maximum number of entries in the + # BPF NAT table. + bpf-nat-global-max: "{{ .Values.bpf.natMax }}" +{{- end }} +{{- if hasKey .Values.bpf "neighMax" }} + # bpf-neigh-global-max specified the maximum number of entries in the + # BPF neighbor table. + bpf-neigh-global-max: "{{ .Values.bpf.neighMax }}" +{{- end }} +{{- if hasKey .Values.bpf "policyMapMax" }} + # bpf-policy-map-max specifies the maximum number of entries in endpoint + # policy map (per endpoint) + bpf-policy-map-max: "{{ .Values.bpf.policyMapMax }}" +{{- end }} +{{- if hasKey .Values.bpf "lbMapMax" }} + # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, + # backend and affinity maps. + bpf-lb-map-max: "{{ .Values.bpf.lbMapMax }}" +{{- end }} + # bpf-lb-bypass-fib-lookup instructs Cilium to enable the FIB lookup bypass + # optimization for nodeport reverse NAT handling. +{{- if hasKey .Values.bpf "lbBypassFIBLookup" }} + bpf-lb-bypass-fib-lookup: {{ .Values.bpf.lbBypassFIBLookup | quote }} +{{- end }} +{{- if hasKey .Values.bpf "lbExternalClusterIP" }} + bpf-lb-external-clusterip: {{ .Values.bpf.lbExternalClusterIP | quote }} +{{- end }} + + # Pre-allocation of map entries allows per-packet latency to be reduced, at + # the expense of up-front memory allocation for the entries in the maps. The + # default value below will minimize memory usage in the default installation; + # users who are sensitive to latency may consider setting this to "true". + # + # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore + # this option and behave as though it is set to "true". + # + # If this value is modified, then during the next Cilium startup the restore + # of existing endpoints and tracking of ongoing connections may be disrupted. + # As a result, reply packets may be dropped and the load-balancing decisions + # for established connections may change. + # + # If this option is set to "false" during an upgrade from 1.3 or earlier to + # 1.4 or later, then it may cause one-time disruptions during the upgrade. + preallocate-bpf-maps: "{{ .Values.bpf.preallocateMaps }}" + + # Regular expression matching compatible Istio sidecar istio-proxy + # container image names + sidecar-istio-proxy-image: "{{ .Values.proxy.sidecarImageRegex }}" + + # Name of the cluster. Only relevant when building a mesh of clusters. + cluster-name: {{ .Values.cluster.name }} + +{{- if hasKey .Values.cluster "id" }} + # Unique ID of the cluster. Must be unique across all conneted clusters and + # in the range of 1 and 255. Only relevant when building a mesh of clusters. + cluster-id: "{{ .Values.cluster.id }}" +{{- end }} + + # Encapsulation mode for communication between nodes + # Possible values: + # - disabled + # - vxlan (default) + # - geneve +{{- if .Values.gke.enabled }} + tunnel: "disabled" + enable-endpoint-routes: "true" + enable-local-node-route: "false" +{{- else if .Values.aksbyocni.enabled }} + tunnel: "vxlan" +{{- else }} + tunnel: {{ .Values.tunnel | quote }} +{{- end }} + +{{- if hasKey .Values "tunnelPort" }} + tunnel-port: "{{ .Values.tunnelPort }}" +{{- end }} + +{{- if .Values.eni.enabled }} + enable-endpoint-routes: "true" + auto-create-cilium-node-resource: "true" +{{- if .Values.eni.updateEC2AdapterLimitViaAPI }} + update-ec2-adapter-limit-via-api: "true" +{{- end }} +{{- if .Values.eni.awsReleaseExcessIPs }} + aws-release-excess-ips: "true" +{{- end }} +{{- if .Values.eni.awsEnablePrefixDelegation }} + aws-enable-prefix-delegation: "true" +{{- end }} + ec2-api-endpoint: {{ .Values.eni.ec2APIEndpoint | quote }} + eni-tags: {{ .Values.eni.eniTags | toRawJson | quote }} + subnet-ids-filter: {{ .Values.eni.subnetIDsFilter | quote }} + subnet-tags-filter: {{ .Values.eni.subnetTagsFilter | quote }} + instance-tags-filter: {{ .Values.eni.instanceTagsFilter | quote }} +{{- end }} + +{{- if .Values.azure.enabled }} + enable-endpoint-routes: "true" + auto-create-cilium-node-resource: "true" + enable-local-node-route: "false" +{{- if .Values.azure.userAssignedIdentityID }} + azure-user-assigned-identity-id: {{ .Values.azure.userAssignedIdentityID | quote }} +{{- end }} + azure-use-primary-address: {{ $azureUsePrimaryAddress | quote }} +{{- end }} + +{{- if .Values.alibabacloud.enabled }} + enable-endpoint-routes: "true" + auto-create-cilium-node-resource: "true" +{{- end }} + +{{- if hasKey .Values "l7Proxy" }} + # Enables L7 proxy for L7 policy enforcement and visibility + enable-l7-proxy: {{ .Values.l7Proxy | quote }} +{{- end }} + +{{- if ne .Values.cni.chainingMode "none" }} + # Enable chaining with another CNI plugin + # + # Supported modes: + # - none + # - aws-cni + # - flannel + # - generic-veth + # - portmap (Enables HostPort support for Cilium) + cni-chaining-mode: {{ .Values.cni.chainingMode }} + +{{- if hasKey .Values "enableIdentityMark" }} + enable-identity-mark: {{ .Values.enableIdentityMark | quote }} +{{- else if (ne $enableIdentityMark "true") }} + enable-identity-mark: "false" +{{- end }} +{{- if ne .Values.cni.chainingMode "portmap" }} + # Disable the PodCIDR route to the cilium_host interface as it is not + # required. While chaining, it is the responsibility of the underlying plugin + # to enable routing. + enable-local-node-route: "false" +{{- end }} +{{- end }} + + enable-ipv4-masquerade: {{ .Values.enableIPv4Masquerade | quote }} + enable-ipv6-masquerade: {{ .Values.enableIPv6Masquerade | quote }} + +{{- if hasKey .Values.bpf "masquerade" }} + enable-bpf-masquerade: {{ .Values.bpf.masquerade | quote }} +{{- else if eq $defaultBpfMasquerade "true" }} + enable-bpf-masquerade: {{ $defaultBpfMasquerade | quote }} +{{- end }} +{{- if hasKey .Values "egressMasqueradeInterfaces" }} + egress-masquerade-interfaces: {{ .Values.egressMasqueradeInterfaces }} +{{- end }} +{{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }} + enable-ip-masq-agent: "true" +{{- end }} + +{{- if .Values.encryption.enabled }} + {{- if eq .Values.encryption.type "ipsec" }} + enable-ipsec: {{ .Values.encryption.enabled | quote }} + + {{- if and .Values.encryption.ipsec.mountPath .Values.encryption.ipsec.keyFile }} + ipsec-key-file: {{ .Values.encryption.ipsec.mountPath }}/{{ .Values.encryption.ipsec.keyFile }} + {{- else }} + ipsec-key-file: {{ .Values.encryption.mountPath }}/{{ .Values.encryption.keyFile }} + {{- end }} + {{- if .Values.encryption.ipsec.interface }} + encrypt-interface: {{ .Values.encryption.ipsec.interface }} + {{- else if .Values.encryption.interface }} + encrypt-interface: {{ .Values.encryption.interface }} + {{- end }} + + {{- if .Values.encryption.nodeEncryption }} + encrypt-node: {{ .Values.encryption.nodeEncryption | quote }} + {{- end }} + {{- else if eq .Values.encryption.type "wireguard" }} + enable-wireguard: {{ .Values.encryption.enabled | quote }} + {{- if .Values.encryption.wireguard.userspaceFallback }} + enable-wireguard-userspace-fallback: {{ .Values.encryption.wireguard.userspaceFallback | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- if hasKey .Values "datapathMode" }} +{{- if eq .Values.datapathMode "ipvlan" }} + datapath-mode: ipvlan + ipvlan-master-device: {{ .Values.ipvlan.masterDevice }} +{{- end }} +{{- end }} + +{{- if .Values.strictModeCIDR }} + strict-mode-cidr: {{ .Values.strictModeCIDR | quote }} +{{- end }} + enable-xt-socket-fallback: {{ .Values.enableXTSocketFallback | quote }} + install-iptables-rules: {{ .Values.installIptablesRules | quote }} +{{- if or (.Values.azure.enabled) (.Values.eni.enabled) (.Values.gke.enabled) (ne .Values.cni.chainingMode "none") }} + install-no-conntrack-iptables-rules: "false" +{{- else }} + install-no-conntrack-iptables-rules: {{ .Values.installNoConntrackIptablesRules | quote }} +{{- end}} + +{{- if hasKey .Values "iptablesRandomFully" }} + iptables-random-fully: {{ .Values.iptablesRandomFully | quote }} +{{- end }} + +{{- if hasKey .Values "iptablesLockTimeout" }} + iptables-lock-timeout: {{ .Values.iptablesLockTimeout | quote }} +{{- end }} + + auto-direct-node-routes: {{ .Values.autoDirectNodeRoutes | quote }} + +{{- if .Values.bandwidthManager }} +{{- if typeIs "bool" .Values.bandwidthManager }} + # DEPRECATED: this block should be removed in 1.13 + enable-bandwidth-manager: {{ .Values.bandwidthManager | quote }} +{{- else }} +{{- if .Values.bandwidthManager.enabled }} + enable-bandwidth-manager: {{ .Values.bandwidthManager.enabled | quote }} + enable-bbr: {{ .Values.bandwidthManager.bbr | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- if hasKey .Values "localRedirectPolicy" }} + enable-local-redirect-policy: {{ .Values.localRedirectPolicy | quote }} +{{- end }} + +{{- if hasKey .Values "ipv4NativeRoutingCIDR" }} + ipv4-native-routing-cidr: {{ .Values.ipv4NativeRoutingCIDR }} +{{- end }} + +{{- if hasKey .Values "ipv6NativeRoutingCIDR" }} + ipv6-native-routing-cidr: {{ .Values.ipv6NativeRoutingCIDR }} +{{- end }} + +{{- if hasKey .Values "fragmentTracking" }} + enable-ipv4-fragment-tracking: {{ .Values.fragmentTracking | quote }} +{{- else if (ne $fragmentTracking "true") }} + enable-ipv4-fragment-tracking: "false" +{{- end }} + +{{- if and .Values.hostFirewall .Values.hostFirewall.enabled }} + enable-host-firewall: {{ .Values.hostFirewall.enabled | quote }} +{{- end}} + +{{- if hasKey .Values "devices" }} + # List of devices used to attach bpf_host.o (implements BPF NodePort, + # host-firewall and BPF masquerading) + devices: {{ join " " .Values.devices | quote }} +{{- end }} + +{{- if .Values.enableRuntimeDeviceDetection }} + enable-runtime-device-detection: "true" +{{- end }} + + kube-proxy-replacement: {{ $kubeProxyReplacement | quote }} + +{{- if ne $kubeProxyReplacement "disabled" }} + kube-proxy-replacement-healthz-bind-address: {{ default "" .Values.kubeProxyReplacementHealthzBindAddr | quote}} +{{- end }} + +{{- if $socketLB }} +{{- if hasKey $socketLB "enabled" }} + bpf-lb-sock: {{ $socketLB.enabled | quote }} +{{- end }} +{{- if hasKey $socketLB "hostNamespaceOnly" }} + bpf-lb-sock-hostns-only: {{ $socketLB.hostNamespaceOnly | quote }} +{{- end }} +{{- end }} + +{{- if hasKey .Values "hostServices" }} +{{- if ne .Values.hostServices.protocols "tcp,udp" }} + host-reachable-services-protos: {{ .Values.hostServices.protocols }} +{{- end }} +{{- end }} +{{- if hasKey .Values "hostPort" }} +{{- if eq $kubeProxyReplacement "partial" }} + enable-host-port: {{ .Values.hostPort.enabled | quote }} +{{- end }} +{{- end }} +{{- if hasKey .Values "externalIPs" }} +{{- if eq $kubeProxyReplacement "partial" }} + enable-external-ips: {{ .Values.externalIPs.enabled | quote }} +{{- end }} +{{- end }} +{{- if hasKey .Values "nodePort" }} +{{- if eq $kubeProxyReplacement "partial" }} + enable-node-port: {{ .Values.nodePort.enabled | quote }} +{{- end }} +{{- if hasKey .Values.nodePort "range" }} + node-port-range: {{ .Values.nodePort.range | quote }} +{{- end }} +{{- if hasKey .Values.nodePort "directRoutingDevice" }} + direct-routing-device: {{ .Values.nodePort.directRoutingDevice | quote }} +{{- end }} +{{- if hasKey .Values.nodePort "enableHealthCheck" }} + enable-health-check-nodeport: {{ .Values.nodePort.enableHealthCheck | quote}} +{{- end }} + node-port-bind-protection: {{ .Values.nodePort.bindProtection | quote }} + enable-auto-protect-node-port-range: {{ .Values.nodePort.autoProtectPortRange | quote }} +{{- end }} +{{- if hasKey .Values "loadBalancer" }} +{{- if .Values.loadBalancer.standalone }} + datapath-mode: lb-only +{{- end }} +{{- if hasKey .Values.loadBalancer "mode" }} + bpf-lb-mode: {{ .Values.loadBalancer.mode | quote }} +{{- end }} +{{- if hasKey .Values.loadBalancer "algorithm" }} + bpf-lb-algorithm: {{ .Values.loadBalancer.algorithm | quote }} +{{- end }} +{{- if hasKey .Values.loadBalancer "acceleration" }} + bpf-lb-acceleration: {{ .Values.loadBalancer.acceleration | quote }} +{{- end }} +{{- if hasKey .Values.loadBalancer "dsrDispatch" }} + bpf-lb-dsr-dispatch: {{ .Values.loadBalancer.dsrDispatch | quote }} +{{- end }} +{{- if hasKey .Values.loadBalancer "serviceTopology" }} + enable-service-topology: {{ .Values.loadBalancer.serviceTopology | quote }} +{{- end }} + +{{- end }} +{{- if hasKey .Values.maglev "tableSize" }} + bpf-lb-maglev-table-size: {{ .Values.maglev.tableSize | quote}} +{{- end }} +{{- if hasKey .Values.maglev "hashSeed" }} + bpf-lb-maglev-hash-seed: {{ .Values.maglev.hashSeed | quote}} +{{- end }} +{{- if .Values.sessionAffinity }} + enable-session-affinity: {{ .Values.sessionAffinity | quote }} +{{- end }} +{{- if .Values.svcSourceRangeCheck }} + enable-svc-source-range-check: {{ .Values.svcSourceRangeCheck | quote }} +{{- end }} + +{{- if hasKey .Values "l2NeighDiscovery" }} +{{- if hasKey .Values.l2NeighDiscovery "enabled" }} + enable-l2-neigh-discovery: {{ .Values.l2NeighDiscovery.enabled | quote }} +{{- end }} +{{- if hasKey .Values.l2NeighDiscovery "refreshPeriod" }} + arping-refresh-period: {{ .Values.l2NeighDiscovery.refreshPeriod | quote }} +{{- end }} +{{- end }} + +{{- if and .Values.pprof .Values.pprof.enabled }} + pprof: {{ .Values.pprof.enabled | quote }} +{{- end }} +{{- if .Values.logSystemLoad }} + log-system-load: {{ .Values.logSystemLoad | quote }} +{{- end }} +{{- if .Values.logOptions }} + log-opt: {{ .Values.logOptions | toJson | quote }} +{{- end }} +{{- if and .Values.sockops .Values.sockops.enabled }} + sockops-enable: {{ .Values.sockops.enabled | quote }} +{{- end }} +{{- if hasKey .Values.k8s "requireIPv4PodCIDR" }} + k8s-require-ipv4-pod-cidr: {{ .Values.k8s.requireIPv4PodCIDR | quote }} +{{- end }} +{{- if hasKey .Values.k8s "requireIPv6PodCIDR" }} + k8s-require-ipv6-pod-cidr: {{ .Values.k8s.requireIPv6PodCIDR | quote }} +{{- end }} +{{- if .Values.endpointStatus.enabled }} + endpoint-status: {{ required "endpointStatus.status required: policy, health, controllers, logs and / or state. For 2 or more options use a comma: \"policy, health\"" .Values.endpointStatus.status | quote }} +{{- end }} +{{- if and .Values.endpointRoutes .Values.endpointRoutes.enabled }} + enable-endpoint-routes: {{ .Values.endpointRoutes.enabled | quote }} +{{- end }} +{{- if .Values.cni.configMap }} + read-cni-conf: {{ .Values.cni.confFileMountPath }}/{{ .Values.cni.configMapKey }} + write-cni-conf-when-ready: {{ .Values.cni.hostConfDirMountPath }}/05-cilium.conflist +{{- else if .Values.cni.readCniConf }} + read-cni-conf: {{ .Values.cni.readCniConf }} +{{- end }} +{{- if .Values.kubeConfigPath }} + k8s-kubeconfig-path: {{ .Values.kubeConfigPath | quote }} +{{- end }} +{{- if and ( .Values.endpointHealthChecking.enabled ) (or (eq .Values.cni.chainingMode "portmap") (eq .Values.cni.chainingMode "none")) }} + enable-endpoint-health-checking: "true" +{{- else}} + # Disable health checking, when chaining mode is not set to portmap or none + enable-endpoint-health-checking: "false" +{{- end }} +{{- if hasKey .Values "healthChecking" }} + enable-health-checking: {{ .Values.healthChecking | quote }} +{{- end }} +{{- if or .Values.wellKnownIdentities.enabled .Values.etcd.managed }} + enable-well-known-identities: "true" +{{- else }} + enable-well-known-identities: "false" +{{- end }} + enable-remote-node-identity: {{ .Values.remoteNodeIdentity | quote }} + +{{- if hasKey .Values "synchronizeK8sNodes" }} + synchronize-k8s-nodes: {{ .Values.synchronizeK8sNodes | quote }} +{{- end }} + +{{- if hasKey .Values "policyAuditMode" }} + policy-audit-mode: {{ .Values.policyAuditMode | quote }} +{{- end }} + +{{- if ne $defaultOperatorApiServeAddr "localhost:9234" }} + operator-api-serve-addr: {{ $defaultOperatorApiServeAddr | quote }} +{{- end }} + +{{- if .Values.hubble.enabled }} + # Enable Hubble gRPC service. + enable-hubble: {{ .Values.hubble.enabled | quote }} + # UNIX domain socket for Hubble server to listen to. + hubble-socket-path: {{ .Values.hubble.socketPath | quote }} +{{- if hasKey .Values.hubble "eventQueueSize" }} + # Buffer size of the channel for Hubble to receive monitor events. If this field is not set, + # the buffer size is set to the default monitor queue size. + hubble-event-queue-size: {{ .Values.hubble.eventQueueSize | quote }} +{{- end }} +{{- if hasKey .Values.hubble "flowBufferSize" }} + # DEPRECATED: this block should be removed in 1.11 + hubble-flow-buffer-size: {{ .Values.hubble.flowBufferSize | quote }} +{{- end }} +{{- if hasKey .Values.hubble "eventBufferCapacity" }} + # Capacity of the buffer to store recent events. + hubble-event-buffer-capacity: {{ .Values.hubble.eventBufferCapacity | quote }} +{{- end }} +{{- if .Values.hubble.metrics.enabled }} + # Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this + # field is not set. + hubble-metrics-server: ":{{ .Values.hubble.metrics.port }}" + # A space separated list of metrics to enable. See [0] for available metrics. + # + # https://github.com/cilium/hubble/blob/master/Documentation/metrics.md + hubble-metrics: {{- range .Values.hubble.metrics.enabled }} + {{.}} +{{- end }} +{{- end }} +{{- if hasKey .Values.hubble "listenAddress" }} + # An additional address for Hubble server to listen to (e.g. ":4244"). + hubble-listen-address: {{ .Values.hubble.listenAddress | quote }} +{{- if .Values.hubble.tls.enabled }} + hubble-disable-tls: "false" + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt +{{- else }} + hubble-disable-tls: "true" +{{- end }} +{{- end }} +{{- end }} +{{- if hasKey .Values "disableIptablesFeederRules" }} + # A space separated list of iptables chains to disable when installing feeder rules. + disable-iptables-feeder-rules: {{ .Values.disableIptablesFeederRules | join " " | quote }} +{{- end }} +{{- if .Values.aksbyocni.enabled }} + ipam: "cluster-pool" +{{- else }} + ipam: {{ $ipam | quote }} +{{- end }} + +{{- if or (eq $ipam "cluster-pool") (eq $ipam "cluster-pool-v2beta") }} +{{- if .Values.ipv4.enabled }} + {{- if .Values.ipam.operator.clusterPoolIPv4PodCIDRList }} + cluster-pool-ipv4-cidr: {{ .Values.ipam.operator.clusterPoolIPv4PodCIDRList | join " " | quote }} + {{- else }} + cluster-pool-ipv4-cidr: {{ .Values.ipam.operator.clusterPoolIPv4PodCIDR | quote }} + {{- end }} + cluster-pool-ipv4-mask-size: {{ .Values.ipam.operator.clusterPoolIPv4MaskSize | quote }} +{{- end }} +{{- if .Values.ipv6.enabled }} + {{- if .Values.ipam.operator.clusterPoolIPv6PodCIDRList }} + cluster-pool-ipv6-cidr: {{ .Values.ipam.operator.clusterPoolIPv6PodCIDRList | join " " | quote }} + {{- else }} + cluster-pool-ipv6-cidr: {{ .Values.ipam.operator.clusterPoolIPv6PodCIDR | quote }} + {{- end }} + cluster-pool-ipv6-mask-size: {{ .Values.ipam.operator.clusterPoolIPv6MaskSize | quote }} +{{- end }} +{{- end }} + +{{- if .Values.enableCnpStatusUpdates }} + disable-cnp-status-updates: {{ (not .Values.enableCnpStatusUpdates) | quote }} +{{- else if (eq $defaultEnableCnpStatusUpdates "false") }} + disable-cnp-status-updates: "true" +{{- end }} + +{{- if .Values.egressGateway.enabled }} + enable-ipv4-egress-gateway: "true" +{{- end }} +{{- if .Values.egressGateway.installRoutes }} + install-egress-gateway-routes: "true" +{{- end }} + +{{- if hasKey .Values "vtep" }} + enable-vtep: {{ .Values.vtep.enabled | quote }} +{{- if hasKey .Values.vtep "endpoint" }} + vtep-endpoint: {{ .Values.vtep.endpoint | quote }} +{{- end }} +{{- if hasKey .Values.vtep "cidr" }} + vtep-cidr: {{ .Values.vtep.cidr | quote }} +{{- end }} +{{- if hasKey .Values.vtep "mask" }} + vtep-mask: {{ .Values.vtep.mask | quote }} +{{- end }} +{{- if hasKey .Values.vtep "mac" }} + vtep-mac: {{ .Values.vtep.mac | quote }} +{{- end }} +{{- end }} + +{{- if .Values.enableK8sEventHandover }} + enable-k8s-event-handover: "true" +{{- end }} + +{{- if hasKey .Values "crdWaitTimeout" }} + crd-wait-timeout: {{ .Values.crdWaitTimeout | quote }} +{{- else if ( ne $crdWaitTimeout "5m" ) }} + crd-wait-timeout: {{ $crdWaitTimeout | quote }} +{{- end }} + +{{- if .Values.enableK8sEndpointSlice }} + enable-k8s-endpoint-slice: {{ .Values.enableK8sEndpointSlice | quote }} +{{- end }} + +{{- if hasKey .Values.k8s "serviceProxyName" }} + # Configure service proxy name for Cilium. + k8s-service-proxy-name: {{ .Values.k8s.serviceProxyName | quote }} +{{- end }} + +{{- if and .Values.customCalls .Values.customCalls.enabled }} + # Enable tail call hooks for custom eBPF programs. + enable-custom-calls: {{ .Values.customCalls.enabled | quote }} +{{- end }} + +{{- if and .Values.bgp.enabled (and (not .Values.bgp.announce.loadbalancerIP) (not .Values.bgp.announce.podCIDR)) }} + {{ fail "BGP was enabled, but no announcements were enabled. Please enable one or more announcements." }} +{{- end }} + +{{- if and .Values.bgp.enabled .Values.bgp.announce.loadbalancerIP }} + bgp-announce-lb-ip: {{ .Values.bgp.announce.loadbalancerIP | quote }} +{{- end }} + +{{- if and .Values.bgp.enabled .Values.bgp.announce.podCIDR }} + bgp-announce-pod-cidr: {{ .Values.bgp.announce.podCIDR | quote }} +{{- end}} + +{{- if .Values.bgpControlPlane.enabled }} + enable-bgp-control-plane: "true" +{{- else }} + enable-bgp-control-plane: "false" +{{- end }} + +{{- if not .Values.securityContext.privileged }} + procfs: "/host/proc" +{{- end }} + +{{- if hasKey .Values.bpf "root" }} + bpf-root: {{ .Values.bpf.root | quote }} +{{- end }} + +{{- if hasKey .Values.cgroup "hostRoot" }} + cgroup-root: {{ .Values.cgroup.hostRoot | quote }} +{{- end }} + +{{- if hasKey .Values.bpf "vlanBypass" }} + # A space separated list of explicitly allowed vlan id's + vlan-bpf-bypass: {{ .Values.bpf.vlanBypass | join " " | quote }} +{{- end }} + +{{- if .Values.enableCiliumEndpointSlice }} + enable-cilium-endpoint-slice: "true" +{{- end }} + +{{- if hasKey .Values "enableK8sTerminatingEndpoint" }} + enable-k8s-terminating-endpoint: {{ .Values.enableK8sTerminatingEndpoint | quote }} +{{- end }} + +{{- if hasKey .Values "dnsPolicyUnloadOnShutdown" }} + # Unload DNS policy rules on graceful shutdown + dns-policy-unload-on-shutdown: {{.Values.dnsPolicyUnloadOnShutdown | quote }} +{{- end }} + +{{- if .Values.annotateK8sNode }} + annotate-k8s-node: "true" +{{- end }} + +{{- if .Values.operator.removeNodeTaints }} + remove-cilium-node-taints: "true" +{{- end }} +{{- if .Values.operator.setNodeNetworkStatus }} + set-cilium-is-up-condition: "true" +{{- end }} + +{{- if .Values.operator.unmanagedPodWatcher.restart }} + unmanaged-pod-watcher-interval: {{ .Values.operator.unmanagedPodWatcher.intervalSeconds | quote }} +{{- else }} + unmanaged-pod-watcher-interval: "0" +{{- end }} + +{{- if .Values.dnsProxy }} + {{- if .Values.dnsProxy.dnsRejectResponseCode }} + tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }} + {{- end }} + {{- if hasKey .Values.dnsProxy "enableDnsCompression" }} + tofqdns-enable-dns-compression: {{ .Values.dnsProxy.enableDnsCompression | quote }} + {{- end }} + {{- if .Values.dnsProxy.endpointMaxIpPerHostname }} + tofqdns-endpoint-max-ip-per-hostname: {{ .Values.dnsProxy.endpointMaxIpPerHostname | quote }} + {{- end }} + {{- if .Values.dnsProxy.idleConnectionGracePeriod }} + tofqdns-idle-connection-grace-period: {{ .Values.dnsProxy.idleConnectionGracePeriod | quote }} + {{- end }} + {{- if .Values.dnsProxy.maxDeferredConnectionDeletes }} + tofqdns-max-deferred-connection-deletes: {{ .Values.dnsProxy.maxDeferredConnectionDeletes | quote }} + {{- end }} + {{- if .Values.dnsProxy.minTtl }} + tofqdns-min-ttl: {{ .Values.dnsProxy.minTtl | quote }} + {{- end }} + {{- if .Values.dnsProxy.preCache }} + tofqdns-pre-cache: {{ .Values.dnsProxy.preCache | quote }} + {{- end }} + {{- if .Values.dnsProxy.proxyPort }} + tofqdns-proxy-port: {{ .Values.dnsProxy.proxyPort | quote }} + {{- end }} + {{- if .Values.dnsProxy.proxyResponseMaxDelay }} + tofqdns-proxy-response-max-delay: {{ .Values.dnsProxy.proxyResponseMaxDelay | quote }} + {{- end }} +{{- end }} + +{{- if .Values.extraConfig }} + {{ toYaml .Values.extraConfig | nindent 2 }} +{{- end }} + +{{- if hasKey .Values "agentNotReadyTaintKey" }} + agent-not-ready-taint-key: {{ .Values.agentNotReadyTaintKey | quote }} +{{- end }} + +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-ingress-class.yaml b/cli/internal/helm/charts/cilium/templates/cilium-ingress-class.yaml new file mode 100644 index 000000000..5e4da3f23 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-ingress-class.yaml @@ -0,0 +1,8 @@ +{{- if .Values.ingressController.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: cilium +spec: + controller: cilium.io/ingress-controller +{{- end}} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml b/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml new file mode 100644 index 000000000..a458a9f80 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml @@ -0,0 +1,111 @@ +{{- if .Values.nodeinit.enabled }} +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: cilium-node-init + namespace: {{ .Release.Namespace }} + labels: + app: cilium-node-init +spec: + selector: + matchLabels: + app: cilium-node-init + {{- with .Values.nodeinit.updateStrategy }} + updateStrategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + template: + metadata: + annotations: + {{- with .Values.nodeinit.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if not .Values.securityContext.privileged }} + # Set app AppArmor's profile to "unconfined". The value of this annotation + # can be modified as long users know which profiles they have available + # in AppArmor. + container.apparmor.security.beta.kubernetes.io/node-init: "unconfined" + {{- end }} + labels: + app: cilium-node-init + {{- with .Values.nodeinit.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + # To access iptables concurrently with other processes (e.g. kube-proxy) + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + containers: + - name: node-init + image: {{ include "cilium.image" .Values.nodeinit.image | quote }} + imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }} + volumeMounts: + # To access iptables concurrently with other processes (e.g. kube-proxy) + - mountPath: /run/xtables.lock + name: xtables-lock + lifecycle: + {{- if .Values.eni.enabled }} + postStart: + exec: + command: + - "/bin/sh" + - "-c" + - | + {{- tpl (.Files.Get "files/nodeinit/poststart-eni.bash") . | nindent 20 }} + {{- end }} + {{- if .Values.nodeinit.revertReconfigureKubelet }} + preStop: + exec: + command: + - nsenter + - --target=1 + - --mount + - -- + - /bin/sh + - -c + - | + {{- tpl (.Files.Get "files/nodeinit/prestop.bash") . | nindent 20 }} + {{- end }} + env: + {{- with .Values.nodeinit.extraEnv }} + {{- toYaml . | trim | nindent 10 }} + {{- end }} + # STARTUP_SCRIPT is the script run on node bootstrap. Node + # bootstrapping can be customized in this script. This script is invoked + # using nsenter, so it runs in the host's network and mount namespace using + # the host's userland tools! + - name: STARTUP_SCRIPT + value: | + {{- tpl (.Files.Get "files/nodeinit/startup.bash") . | nindent 14 }} + {{- with .Values.nodeinit.resources }} + resources: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.nodeinit.securityContext }} + securityContext: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.nodeinit.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeinit.nodeSelector }} + nodeSelector: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.nodeinit.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + hostPID: true + hostNetwork: true + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.nodeinit.priorityClassName "system-node-critical") }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/_helpers.tpl b/cli/internal/helm/charts/cilium/templates/cilium-operator/_helpers.tpl new file mode 100644 index 000000000..0910de630 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/_helpers.tpl @@ -0,0 +1,36 @@ +{{- define "cilium.operator.cloud" -}} +{{- $cloud := "generic" -}} +{{- if .Values.eni.enabled -}} + {{- $cloud = "aws" -}} +{{- else if .Values.azure.enabled -}} + {{- $cloud = "azure" -}} +{{- else if .Values.alibabacloud.enabled -}} + {{- $cloud = "alibabacloud" -}} +{{- end -}} +{{- $cloud -}} +{{- end -}} + +{{- define "cilium.operator.imageDigestName" -}} +{{- $imageDigest := (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.genericDigest) "" -}} +{{- if .Values.eni.enabled -}} + {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.awsDigest) "" -}} +{{- else if .Values.azure.enabled -}} + {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.azureDigest) "" -}} +{{- else if .Values.alibabacloud.enabled -}} + {{- $imageDigest = (.Values.operator.image.useDigest | default false) | ternary (printf "@%s" .Values.operator.image.alibabacloudDigest) "" -}} +{{- end -}} +{{- $imageDigest -}} +{{- end -}} + +{{/* +Return cilium operator image +*/}} +{{- define "cilium.operator.image" -}} +{{- if .Values.operator.image.override -}} +{{- printf "%s" .Values.operator.image.override -}} +{{- else -}} +{{- $cloud := include "cilium.operator.cloud" . }} +{{- $imageDigest := include "cilium.operator.imageDigestName" . }} +{{- printf "%s-%s%s:%s%s" .Values.operator.image.repository $cloud .Values.operator.image.suffix .Values.operator.image.tag $imageDigest -}} +{{- end -}} +{{- end -}} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrole.yaml new file mode 100644 index 000000000..ab1a82e0e --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrole.yaml @@ -0,0 +1,225 @@ +{{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium-operator +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +{{- if hasKey .Values "disableEndpointCRD" }} +{{- if (eq (.Values.disableEndpointCRD | quote ) ( "false" | quote )) }} +{{- if (and .Values.operator.unmanagedPodWatcher.restart (ne (.Values.operator.unmanagedPodWatcher.intervalSeconds | int64) 0 ) ) }} + # to automatically delete [core|kube]dns pods so that are starting to being + # managed by Cilium + - delete +{{- end }} +{{- end }} +{{- end }} +{{- if or .Values.operator.removeNodeTaints .Values.operator.setNodeNetworkStatus .Values.operator.endpointGCInterval }} +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +{{- end }} +{{- if or .Values.operator.removeNodeTaints .Values.operator.setNodeNetworkStatus }} +- apiGroups: + - "" + resources: +{{- if .Values.operator.removeNodeTaints }} + # To remove node taints + - nodes +{{- end }} +{{- if .Values.operator.setNodeNetworkStatus }} + # To set NetworkUnavailable false on startup + - nodes/status +{{- end }} + verbs: + - patch +{{- end }} +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + # to perform LB IP allocation for BGP + - services/status + verbs: + - update +- apiGroups: + - "" + resources: + # to check apiserver connectivity + - namespaces +{{- if .Values.ingressController.enabled }} + - secrets +{{- end }} + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + # to perform the translation of a CNP that contains `ToGroup` to its endpoints + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.ingressController.enabled }} + - create + - update + - delete +{{- end }} +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumclusterwidenetworkpolicies + verbs: + # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups' + - create + - update + - deletecollection + # To update the status of the CNPs and CCNPs + - patch + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + verbs: + # Update the auto-generated CNPs and CCNPs status. + - patch + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + - ciliumidentities + verbs: + # To perform garbage collection of such resources + - delete + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + # To synchronize garbage collection of such resources + - update +- apiGroups: + - cilium.io + resources: + - ciliumnodes + verbs: + - create + - update + - get + - list + - watch +{{- if .Values.operator.nodeGCInterval }} +{{- if ne .Values.operator.nodeGCInterval "0s" }} + # To perform CiliumNode garbage collector + - delete +{{- end }} +{{- end }} +- apiGroups: + - cilium.io + resources: + - ciliumnodes/status + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpointslices + - ciliumenvoyconfigs + verbs: + - create + - update + - get + - list + - watch + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + resourceNames: + - ciliumbgploadbalancerippools.cilium.io + - ciliumbgppeeringpolicies.cilium.io + - ciliumclusterwideenvoyconfigs.cilium.io + - ciliumclusterwidenetworkpolicies.cilium.io + - ciliumegressgatewaypolicies.cilium.io + - ciliumegressnatpolicies.cilium.io + - ciliumendpoints.cilium.io + - ciliumendpointslices.cilium.io + - ciliumenvoyconfigs.cilium.io + - ciliumexternalworkloads.cilium.io + - ciliumidentities.cilium.io + - ciliumlocalredirectpolicies.cilium.io + - ciliumnetworkpolicies.cilium.io + - ciliumnodes.cilium.io +# For cilium-operator running in HA mode. +# +# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election +# between multiple running instances. +# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less +# common and fewer objects in the cluster watch "all Leases". +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +{{- if .Values.ingressController.enabled }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status # To update ingress status with load balancer IP. + verbs: + - update +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml new file mode 100644 index 000000000..4eb6c8261 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.operator.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml new file mode 100644 index 000000000..e78d7f2d5 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml @@ -0,0 +1,278 @@ +{{- if .Values.operator.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cilium-operator + namespace: {{ .Release.Namespace }} + labels: + io.cilium/app: operator + name: cilium-operator +spec: + # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go + # for more details. + replicas: {{ .Values.operator.replicas }} + selector: + matchLabels: + io.cilium/app: operator + name: cilium-operator + {{- with .Values.operator.updateStrategy }} + strategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + template: + metadata: + annotations: + {{- if .Values.operator.rollOutPods }} + # ensure pods roll when configmap updates + cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }} + {{- end }} + {{- if and .Values.operator.prometheus.enabled (not .Values.operator.prometheus.serviceMonitor.enabled) }} + prometheus.io/port: {{ .Values.operator.prometheus.port | quote }} + prometheus.io/scrape: "true" + {{- end }} + {{- with .Values.operator.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + io.cilium/app: operator + name: cilium-operator + {{- with .Values.operator.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: cilium-operator + image: {{ include "cilium.operator.image" . }} + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + command: + - cilium-operator-{{ include "cilium.operator.cloud" . }} + args: + - --config-dir=/tmp/cilium/config-map + - --debug=$(CILIUM_DEBUG) + {{- with .Values.operator.extraArgs }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_DEBUG + valueFrom: + configMapKeyRef: + key: debug + name: cilium-config + optional: true + {{- if and .Values.eni.enabled (not .Values.eni.iamRole ) }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: cilium-aws + key: AWS_ACCESS_KEY_ID + optional: true + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: cilium-aws + key: AWS_SECRET_ACCESS_KEY + optional: true + - name: AWS_DEFAULT_REGION + valueFrom: + secretKeyRef: + name: cilium-aws + key: AWS_DEFAULT_REGION + optional: true + {{- end }} + {{- if .Values.alibabacloud.enabled }} + - name: ALIBABA_CLOUD_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: cilium-alibabacloud + key: ALIBABA_CLOUD_ACCESS_KEY_ID + optional: true + - name: ALIBABA_CLOUD_ACCESS_KEY_SECRET + valueFrom: + secretKeyRef: + name: cilium-alibabacloud + key: ALIBABA_CLOUD_ACCESS_KEY_SECRET + optional: true + {{- end }} + {{- if .Values.k8sServiceHost }} + - name: KUBERNETES_SERVICE_HOST + value: {{ .Values.k8sServiceHost | quote }} + {{- end }} + {{- if .Values.k8sServicePort }} + - name: KUBERNETES_SERVICE_PORT + value: {{ .Values.k8sServicePort | quote }} + {{- end }} + {{- if .Values.azure.enabled }} + {{- if .Values.azure.subscriptionID }} + - name: AZURE_SUBSCRIPTION_ID + value: {{ .Values.azure.subscriptionID }} + {{- end }} + {{- if .Values.azure.tenantID }} + - name: AZURE_TENANT_ID + value: {{ .Values.azure.tenantID }} + {{- end }} + {{- if .Values.azure.resourceGroup }} + - name: AZURE_RESOURCE_GROUP + value: {{ .Values.azure.resourceGroup }} + {{- end }} + - name: AZURE_CLIENT_ID + valueFrom: + secretKeyRef: + name: cilium-azure + key: AZURE_CLIENT_ID + - name: AZURE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: cilium-azure + key: AZURE_CLIENT_SECRET + {{- end }} + {{- with .Values.operator.extraEnv }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.operator.prometheus.enabled }} + ports: + - name: prometheus + containerPort: {{ .Values.operator.prometheus.port }} + hostPort: {{ .Values.operator.prometheus.port }} + protocol: TCP + {{- end }} + livenessProbe: + httpGet: + host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 3 + volumeMounts: + - name: cilium-config-path + mountPath: /tmp/cilium/config-map + readOnly: true + {{- if .Values.etcd.enabled }} + - name: etcd-config-path + mountPath: /var/lib/etcd-config + readOnly: true + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + - name: etcd-secrets + mountPath: /var/lib/etcd-secrets + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.kubeConfigPath }} + - name: kube-config + mountPath: {{ .Values.kubeConfigPath }} + readOnly: true + {{- end }} + {{- range .Values.operator.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- if .mountPropagation }} + mountPropagation: {{ .mountPropagation }} + {{- end }} + {{- end }} + {{- if .Values.bgp.enabled }} + - name: bgp-config-path + mountPath: /var/lib/cilium/bgp + readOnly: true + {{- end }} + {{- with .Values.operator.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.resources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + {{- with .Values.operator.securityContext }} + securityContext: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + hostNetwork: true + {{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }} + # In managed etcd mode, Cilium must be able to resolve the DNS name of + # the etcd service + dnsPolicy: ClusterFirstWithHostNet + {{- else if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.operator.dnsPolicy }} + {{- end }} + restartPolicy: Always + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.operator.priorityClassName "system-cluster-critical") }} + serviceAccount: {{ .Values.serviceAccounts.operator.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.operator.name | quote }} + {{- with .Values.operator.affinity }} + # In HA mode, cilium-operator pods must not be scheduled on the same + # node as they will clash with each other. + affinity: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.operator.nodeSelector }} + nodeSelector: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.operator.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + volumes: + # To read the configuration from the config map + - name: cilium-config-path + configMap: + name: cilium-config + {{- if .Values.etcd.enabled }} + # To read the etcd config stored in config maps + - name: etcd-config-path + configMap: + name: cilium-config + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + items: + - key: etcd-config + path: etcd.config + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + # To read the k8s etcd secrets in case the user might want to use TLS + - name: etcd-secrets + secret: + secretName: cilium-etcd-secrets + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + optional: true + {{- end }} + {{- end }} + {{- if .Values.kubeConfigPath }} + - name: kube-config + hostPath: + path: {{ .Values.kubeConfigPath }} + type: FileOrCreate + {{- end }} + {{- range .Values.operator.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- if .hostPathType }} + type: {{ .hostPathType }} + {{- end }} + {{- end }} + {{- if .Values.bgp.enabled }} + - name: bgp-config-path + configMap: + name: bgp-config + {{- end }} + {{- with .Values.operator.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml new file mode 100644 index 000000000..5322ec9ef --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.operator.enabled .Values.operator.podDisruptionBudget.enabled }} +{{- $component := .Values.operator.podDisruptionBudget }} +apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: cilium-operator + namespace: {{ .Release.Namespace }} + labels: + io.cilium/app: operator + name: cilium-operator +spec: + {{- with $component.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with $component.minAvailable }} + minAvailable: {{ . }} + {{- end }} + selector: + matchLabels: + io.cilium/app: operator + name: cilium-operator +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/role.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/role.yaml new file mode 100644 index 000000000..79f160823 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/role.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.sync .Values.ingressController.secretsNamespace.name }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cilium-operator-secrets + namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/rolebinding.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/rolebinding.yaml new file mode 100644 index 000000000..e0d1e89cf --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/rolebinding.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.ingressController.enabled .Values.ingressController.secretsNamespace.sync .Values.ingressController.secretsNamespace.name }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cilium-operator-secrets + namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-secrets +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccounts.operator.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/secret.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/secret.yaml new file mode 100644 index 000000000..420964126 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/secret.yaml @@ -0,0 +1,13 @@ +{{- if .Values.operator.enabled }} +{{- if .Values.azure.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: cilium-azure + namespace: {{ .Release.Namespace }} +type: Opaque +data: + AZURE_CLIENT_ID: {{ default "" .Values.azure.clientID | b64enc | quote }} + AZURE_CLIENT_SECRET: {{ default "" .Values.azure.clientSecret | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/service.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/service.yaml new file mode 100644 index 000000000..ba347c420 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.operator.enabled .Values.operator.prometheus.enabled .Values.operator.prometheus.serviceMonitor.enabled }} +kind: Service +apiVersion: v1 +metadata: + name: cilium-operator + namespace: {{ .Release.Namespace }} + labels: + io.cilium/app: operator + name: cilium-operator +spec: + clusterIP: None + type: ClusterIP + ports: + - name: metrics + port: 9963 + protocol: TCP + targetPort: prometheus + selector: + io.cilium/app: operator + name: cilium-operator +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/serviceaccount.yaml new file mode 100644 index 000000000..4bb3551cf --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }} +{{- if and .Values.eni.enabled .Values.eni.iamRole }} + {{ $_ := set .Values.serviceAccounts.operator.annotations "eks.amazonaws.com/role-arn" .Values.eni.iamRole }} +{{- end}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.operator.name | quote }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAccounts.operator.annotations }} + annotations: + {{- toYaml .Values.serviceAccounts.operator.annotations | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/servicemonitor.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/servicemonitor.yaml new file mode 100644 index 000000000..f37e5992c --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/servicemonitor.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.operator.enabled .Values.operator.prometheus.enabled .Values.operator.prometheus.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: cilium-operator + namespace: {{ .Values.operator.prometheus.serviceMonitor.namespace | default .Release.Namespace }} + labels: + {{- with .Values.operator.prometheus.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.operator.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + io.cilium/app: operator + name: cilium-operator + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + interval: 10s + honorLabels: true + path: /metrics + targetLabels: + - io.cilium/app +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrole.yaml new file mode 100644 index 000000000..437c49287 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrole.yaml @@ -0,0 +1,124 @@ +{{- if .Values.preflight.enabled }} +{{- /* +Keep file in sync with cilium-agent/clusterrole.yaml +*/ -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium-pre-flight +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch +{{- if .Values.annotateK8sNode }} +- apiGroups: + - "" + resources: + - nodes/status + verbs: + # To annotate the k8s node with Cilium's metadata + - patch +{{- end }} +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + # This is used when validating policies in preflight. This will need to stay + # until we figure out how to avoid "get" inside the preflight, and then + # should be removed ideally. + - get +{{- if eq "k8s" .Values.tls.secretsBackend }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +{{- end }} +- apiGroups: + - cilium.io + resources: + - ciliumbgploadbalancerippools + - ciliumbgppeeringpolicies + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumegressnatpolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + - ciliumnodes + verbs: + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create +- apiGroups: + - cilium.io + # To synchronize garbage collection of such resources + resources: + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get +- apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints/status + - ciliumendpoints + verbs: + - patch +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml new file mode 100644 index 000000000..b4a6d54d2 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.preflight.enabled .Values.serviceAccounts.preflight.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium-pre-flight +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-pre-flight +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.preflight.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml b/cli/internal/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml new file mode 100644 index 000000000..b1a5d1954 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml @@ -0,0 +1,188 @@ +{{- if .Values.preflight.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: cilium-pre-flight-check + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + k8s-app: cilium-pre-flight-check + kubernetes.io/cluster-service: "true" + template: + metadata: + {{- with .Values.preflight.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + k8s-app: cilium-pre-flight-check + kubernetes.io/cluster-service: "true" + {{- with .Values.preflight.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 6 }} + {{- end }} + initContainers: + - name: clean-cilium-state + image: {{ include "cilium.image" .Values.preflight.image | quote }} + imagePullPolicy: {{ .Values.preflight.image.pullPolicy }} + command: ["/bin/echo"] + args: + - "hello" + containers: + - name: cilium-pre-flight-check + image: {{ include "cilium.image" .Values.preflight.image | quote }} + imagePullPolicy: {{ .Values.preflight.image.pullPolicy }} + command: ["/bin/sh"] + args: + - -c + - "touch /tmp/ready; sleep 1h" + livenessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + {{- with .Values.preflight.extraEnv }} + env: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + volumeMounts: + - name: cilium-run + mountPath: /var/run/cilium + {{- if .Values.etcd.enabled }} + - name: etcd-config-path + mountPath: /var/lib/etcd-config + readOnly: true + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + - name: etcd-secrets + mountPath: /var/lib/etcd-secrets + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.preflight.resources }} + resources: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.preflight.securityContext }} + securityContext: + {{- toYaml . | trim | nindent 14 }} + {{- end }} + {{- if ne .Values.preflight.tofqdnsPreCache "" }} + - name: cilium-pre-flight-fqdn-precache + image: {{ include "cilium.image" .Values.preflight.image | quote }} + imagePullPolicy: {{ .Values.preflight.image.pullPolicy }} + name: cilium-pre-flight-fqdn-precache + command: ["/bin/sh"] + args: + - -ec + - | + cilium preflight fqdn-poller --tofqdns-pre-cache {{ .Values.preflight.tofqdnsPreCache }}; + touch /tmp/ready-tofqdns-precache; + livenessProbe: + exec: + command: + - cat + - /tmp/read-tofqdns-precachey + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - cat + - /tmp/read-tofqdns-precachey + initialDelaySeconds: 5 + periodSeconds: 5 + env: + {{- if .Values.k8sServiceHost }} + - name: KUBERNETES_SERVICE_HOST + value: {{ .Values.k8sServiceHost | quote }} + {{- end }} + {{- if .Values.k8sServicePort }} + - name: KUBERNETES_SERVICE_PORT + value: {{ .Values.k8sServicePort | quote }} + {{- end }} + volumeMounts: + - name: cilium-run + mountPath: /var/run/cilium + {{- if .Values.etcd.enabled }} + - name: etcd-config-path + mountPath: /var/lib/etcd-config + readOnly: true + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + - name: etcd-secrets + mountPath: /var/lib/etcd-secrets + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.preflight.extraEnv }} + {{- toYaml . | trim | nindent 10 }} + {{- end }} + {{- with .Values.preflight.resources }} + resources: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.preflight.securityContext }} + securityContext: + {{- toYaml . | trim | nindent 14 }} + {{- end }} + {{- end }} + hostNetwork: true + # This is here to seamlessly allow migrate-identity to work with + # etcd-operator setups. The assumption is that other cases would also + # work since the cluster DNS would forward the request on. + # This differs from the cilium-agent daemonset, where this is only + # enabled when etcd.managed=true + dnsPolicy: ClusterFirstWithHostNet + restartPolicy: Always + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-node-critical") }} + serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }} + terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }} + {{- with .Values.preflight.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + volumes: + # To keep state between restarts / upgrades + - name: cilium-run + hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + - name: bpf-maps + hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + {{- if .Values.etcd.enabled }} + # To read the etcd config stored in config maps + - name: etcd-config-path + configMap: + name: cilium-config + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + items: + - key: etcd-config + path: etcd.config + # To read the k8s etcd secrets in case the user might want to use TLS + {{- if or .Values.etcd.ssl .Values.etcd.managed }} + - name: etcd-secrets + secret: + secretName: cilium-etcd-secrets + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + optional: true + {{- end }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-preflight/deployment.yaml b/cli/internal/helm/charts/cilium/templates/cilium-preflight/deployment.yaml new file mode 100644 index 000000000..b7f8d373d --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-preflight/deployment.yaml @@ -0,0 +1,88 @@ +{{- if and .Values.preflight.enabled .Values.preflight.validateCNPs }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cilium-pre-flight-check + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + k8s-app: cilium-pre-flight-check-deployment + kubernetes.io/cluster-service: "true" + template: + metadata: + {{- with .Values.preflight.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + k8s-app: cilium-pre-flight-check-deployment + kubernetes.io/cluster-service: "true" + {{- with .Values.preflight.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: cnp-validator + image: {{ include "cilium.image" .Values.preflight.image | quote }} + imagePullPolicy: {{ .Values.preflight.image.pullPolicy }} + command: ["/bin/sh"] + args: + - -ec + - | + cilium preflight validate-cnp; + touch /tmp/ready-validate-cnp; + sleep 1h; + livenessProbe: + exec: + command: + - cat + - /tmp/ready-validate-cnp + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - cat + - /tmp/ready-validate-cnp + initialDelaySeconds: 5 + periodSeconds: 5 + env: + {{- if .Values.k8sServiceHost }} + - name: KUBERNETES_SERVICE_HOST + value: {{ .Values.k8sServiceHost | quote }} + {{- end }} + {{- if .Values.k8sServicePort }} + - name: KUBERNETES_SERVICE_PORT + value: {{ .Values.k8sServicePort | quote }} + {{- end }} + {{- with .Values.preflight.extraEnv }} + {{- toYaml . | trim | nindent 10 }} + {{- end }} + {{- with .Values.preflight.resources }} + resources: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + hostNetwork: true + restartPolicy: Always + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-cluster-critical") }} + serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }} + terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }} + {{- with .Values.preflight.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.preflight.nodeSelector }} + nodeSelector: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.preflight.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml b/cli/internal/helm/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml new file mode 100644 index 000000000..90f82719d --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.preflight.enabled .Values.preflight.validateCNPs .Values.preflight.podDisruptionBudget.enabled }} +{{- $component := .Values.preflight.podDisruptionBudget }} +apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: cilium-pre-flight-check + namespace: {{ .Release.Namespace }} + labels: + k8s-app: cilium-pre-flight-check-deployment + kubernetes.io/cluster-service: "true" +spec: + {{- with $component.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with $component.minAvailable }} + minAvailable: {{ . }} + {{- end }} + selector: + matchLabels: + k8s-app: cilium-pre-flight-check-deployment + kubernetes.io/cluster-service: "true" +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-preflight/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/cilium-preflight/serviceaccount.yaml new file mode 100644 index 000000000..a55aaa400 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-preflight/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.preflight.enabled .Values.serviceAccounts.preflight.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.preflight.name | quote }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAccounts.preflight.annotations }} + annotations: + {{ toYaml .Values.serviceAccounts.preflight.annotations | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-resource-quota.yaml b/cli/internal/helm/charts/cilium/templates/cilium-resource-quota.yaml new file mode 100644 index 000000000..a98569679 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-resource-quota.yaml @@ -0,0 +1,35 @@ +{{- if or .Values.resourceQuotas.enabled (and (ne .Release.Namespace "kube-system") .Values.gke.enabled) }} +{{- if .Values.agent }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: cilium-resource-quota + namespace: {{ .Release.Namespace }} +spec: + hard: + pods: {{ .Values.resourceQuotas.cilium.hard.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} +{{- if .Values.operator.enabled }} +--- +apiVersion: v1 +kind: ResourceQuota +metadata: + name: cilium-operator-resource-quota + namespace: {{ .Release.Namespace }} +spec: + hard: + pods: {{ .Values.resourceQuotas.operator.hard.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-cluster-critical +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-secrets-namespace.yaml b/cli/internal/helm/charts/cilium/templates/cilium-secrets-namespace.yaml new file mode 100644 index 000000000..fc8485b5b --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/cilium-secrets-namespace.yaml @@ -0,0 +1,6 @@ +{{- if and .Values.ingressController.enabled .Values.ingressController.secretsNamespace.create .Values.ingressController.secretsNamespace.name }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.ingressController.secretsNamespace.name | quote }} +{{- end}} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml new file mode 100644 index 000000000..83960c752 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml @@ -0,0 +1,66 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: clustermesh-apiserver +rules: +- apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumendpoints + - ciliumidentities + verbs: + - create +- apiGroups: + - cilium.io + resources: + - ciliumexternalworkloads/status + - ciliumnodes + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + - ciliumendpoints/status + verbs: + - patch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumexternalworkloads + - ciliumendpoints + - ciliumnodes + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - endpoints + - namespaces + - services + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml new file mode 100644 index 000000000..0b46c235a --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: clustermesh-apiserver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: clustermesh-apiserver +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml new file mode 100644 index 000000000..1df9ce243 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml @@ -0,0 +1,170 @@ +{{- if (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: clustermesh-apiserver + namespace: {{ .Release.Namespace }} + labels: + k8s-app: clustermesh-apiserver +spec: + replicas: {{ .Values.clustermesh.apiserver.replicas }} + selector: + matchLabels: + k8s-app: clustermesh-apiserver + {{- with .Values.clustermesh.apiserver.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + annotations: + {{- with .Values.clustermesh.apiserver.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + k8s-app: clustermesh-apiserver + {{- with .Values.clustermesh.apiserver.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + initContainers: + - name: etcd-init + image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }} + imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }} + command: ["/bin/sh", "-c"] + args: + - | + rm -rf /var/run/etcd/*; + /usr/local/bin/etcd --data-dir=/var/run/etcd --name=clustermesh-apiserver --listen-client-urls=http://127.0.0.1:2379 --advertise-client-urls=http://127.0.0.1:2379 --initial-cluster-token=clustermesh-apiserver --initial-cluster-state=new --auto-compaction-retention=1 & + export rootpw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; + echo $rootpw | etcdctl --interactive=false user add root; + etcdctl user grant-role root root; + export vmpw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; + echo $vmpw | etcdctl --interactive=false user add externalworkload; + etcdctl role add externalworkload; + etcdctl role grant-permission externalworkload --from-key read ''; + etcdctl role grant-permission externalworkload readwrite --prefix cilium/state/noderegister/v1/; + etcdctl role grant-permission externalworkload readwrite --prefix cilium/.initlock/; + etcdctl user grant-role externalworkload externalworkload; + export remotepw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; + echo $remotepw | etcdctl --interactive=false user add remote; + etcdctl role add remote; + etcdctl role grant-permission remote --from-key read ''; + etcdctl user grant-role remote remote; + etcdctl auth enable; + exit + env: + - name: ETCDCTL_API + value: "3" + - name: HOSTNAME_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + volumeMounts: + - name: etcd-data-dir + mountPath: /var/run/etcd + containers: + - name: etcd + image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }} + imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }} + command: + - /usr/local/bin/etcd + args: + - --data-dir=/var/run/etcd + - --name=clustermesh-apiserver + - --client-cert-auth + - --trusted-ca-file=/var/lib/etcd-secrets/ca.crt + - --cert-file=/var/lib/etcd-secrets/tls.crt + - --key-file=/var/lib/etcd-secrets/tls.key + - --listen-client-urls=https://127.0.0.1:2379,https://$(HOSTNAME_IP):2379 + - --advertise-client-urls=https://$(HOSTNAME_IP):2379 + - --initial-cluster-token=clustermesh-apiserver + - --auto-compaction-retention=1 + env: + - name: ETCDCTL_API + value: "3" + - name: HOSTNAME_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + volumeMounts: + - name: etcd-server-secrets + mountPath: /var/lib/etcd-secrets + readOnly: true + - name: etcd-data-dir + mountPath: /var/run/etcd + - name: apiserver + image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }} + imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }} + command: + - /usr/bin/clustermesh-apiserver + args: + {{- if .Values.debug.enabled }} + - --debug + {{- end }} + - --cluster-name=$(CLUSTER_NAME) + - --cluster-id=$(CLUSTER_ID) + - --kvstore-opt + - etcd.config=/var/lib/cilium/etcd-config.yaml + env: + - name: CLUSTER_NAME + valueFrom: + configMapKeyRef: + name: cilium-config + key: cluster-name + - name: CLUSTER_ID + valueFrom: + configMapKeyRef: + name: cilium-config + key: cluster-id + optional: true + - name: IDENTITY_ALLOCATION_MODE + valueFrom: + configMapKeyRef: + name: cilium-config + key: identity-allocation-mode + {{- with .Values.clustermesh.apiserver.extraEnv }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.clustermesh.apiserver.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - name: etcd-admin-client + mountPath: /var/lib/cilium/etcd-secrets + readOnly: true + volumes: + - name: etcd-server-secrets + secret: + secretName: clustermesh-apiserver-server-cert + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + - name: etcd-admin-client + secret: + secretName: clustermesh-apiserver-admin-cert + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + - name: etcd-data-dir + emptyDir: {} + restartPolicy: Always + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }} + serviceAccount: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} + {{- with .Values.clustermesh.apiserver.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.clustermesh.apiserver.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.clustermesh.apiserver.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml new file mode 100644 index 000000000..29d011fb9 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml @@ -0,0 +1,20 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.podDisruptionBudget.enabled }} +{{- $component := .Values.clustermesh.apiserver.podDisruptionBudget }} +apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: clustermesh-apiserver + namespace: {{ .Release.Namespace }} + labels: + k8s-app: clustermesh-apiserver +spec: + {{- with $component.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with $component.minAvailable }} + minAvailable: {{ . }} + {{- end }} + selector: + matchLabels: + k8s-app: clustermesh-apiserver +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/service.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/service.yaml new file mode 100644 index 000000000..968af371a --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/service.yaml @@ -0,0 +1,25 @@ +{{- if (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) }} +apiVersion: v1 +kind: Service +metadata: + name: clustermesh-apiserver + namespace: {{ .Release.Namespace }} + labels: + k8s-app: clustermesh-apiserver + {{- with .Values.clustermesh.apiserver.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.clustermesh.apiserver.service.type }} + selector: + k8s-app: clustermesh-apiserver + ports: + - port: 2379 + {{- if and (eq "NodePort" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.nodePort }} + nodePort: {{ .Values.clustermesh.apiserver.service.nodePort }} + {{- end }} + {{- if and (eq "LoadBalancer" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.clustermesh.apiserver.service.loadBalancerIP }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml new file mode 100644 index 000000000..b6153c392 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.serviceAccounts.clustermeshApiserver.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.serviceAccounts.clustermeshApiserver.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl new file mode 100644 index 000000000..782f252ec --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/_helpers.tpl @@ -0,0 +1,9 @@ +{{- define "clustermesh-apiserver-generate-certs.certmanager.issuer" }} +{{- if .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }} + {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }} +{{- else }} + group: cert-manager.io + kind: Issuer + name: clustermesh-apiserver-issuer +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml new file mode 100644 index 000000000..7f9bb8ba8 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml @@ -0,0 +1,16 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: clustermesh-apiserver-admin-cert + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: clustermesh-apiserver-admin-cert + commonName: root + dnsNames: + - localhost + duration: {{ printf "%dh" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml new file mode 100644 index 000000000..7906b8572 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: clustermesh-apiserver-client-cert + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: clustermesh-apiserver-client-cert + commonName: externalworkload + duration: {{ printf "%dh" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml new file mode 100644 index 000000000..5a8fa6a32 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/clustermesh-apiserver-issuer.yaml @@ -0,0 +1,21 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") (not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef) }} +{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-ca-cert + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ .cmca.Cert | b64enc }} + ca.key: {{ .cmca.Key | b64enc }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: clustermesh-apiserver-issuer + namespace: {{ .Release.Namespace }} +spec: + ca: + secretName: clustermesh-apiserver-ca-cert +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml new file mode 100644 index 000000000..1d2babbaa --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: clustermesh-apiserver-remote-cert + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: clustermesh-apiserver-remote-cert + commonName: remote + duration: {{ printf "%dh" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml new file mode 100644 index 000000000..9a35d4182 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml @@ -0,0 +1,26 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: clustermesh-apiserver-server-cert + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: clustermesh-apiserver-server-cert + commonName: clustermesh-apiserver.cilium.io + dnsNames: + - clustermesh-apiserver.cilium.io + - "*.mesh.cilium.io" + {{- range $dns := .Values.clustermesh.apiserver.tls.server.extraDnsNames }} + - {{ $dns | quote }} + {{- end }} + ipAddresses: + - "127.0.0.1" + - "::1" + {{- range $ip := .Values.clustermesh.apiserver.tls.server.extraIpAddresses }} + - {{ $ip | quote }} + {{- end }} + duration: {{ printf "%dh" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl new file mode 100644 index 000000000..19727f282 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl @@ -0,0 +1,53 @@ +{{- define "clustermesh-apiserver-generate-certs.job.spec" }} +{{- $certValiditySecondsStr := printf "%ds" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24 60 60) -}} +spec: + template: + metadata: + labels: + k8s-app: clustermesh-apiserver-generate-certs + {{- with .Values.clustermesh.apiserver.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: certgen + image: {{ include "cilium.image" .Values.certgen.image | quote }} + imagePullPolicy: {{ .Values.certgen.image.pullPolicy }} + command: + - "/usr/bin/cilium-certgen" + args: + - "--cilium-namespace={{ .Release.Namespace }}" + {{- if .Values.debug.enabled }} + - "--debug" + {{- end }} + - "--ca-generate" + - "--ca-reuse-secret" + {{- if .Values.clustermesh.apiserver.tls.ca.cert }} + - "--ca-secret-name=clustermesh-apiserver-ca-cert" + {{- else -}} + {{- if and .Values.tls.ca.cert .Values.tls.ca.key }} + - "--ca-secret-name=cilium-ca" + {{- end }} + {{- end }} + - "--clustermesh-apiserver-server-cert-generate" + - "--clustermesh-apiserver-server-cert-validity-duration={{ $certValiditySecondsStr }}" + - "--clustermesh-apiserver-admin-cert-generate" + - "--clustermesh-apiserver-admin-cert-validity-duration={{ $certValiditySecondsStr }}" + {{- if .Values.externalWorkloads.enabled }} + - "--clustermesh-apiserver-client-cert-generate" + - "--clustermesh-apiserver-client-cert-validity-duration={{ $certValiditySecondsStr }}" + {{- end }} + {{- if .Values.clustermesh.useAPIServer }} + - "--clustermesh-apiserver-remote-cert-generate" + - "--clustermesh-apiserver-remote-cert-validity-duration={{ $certValiditySecondsStr }}" + {{- end }} + hostNetwork: true + serviceAccount: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml new file mode 100644 index 000000000..6f499cd87 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml @@ -0,0 +1,15 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") }} +{{- $crt := .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert -}} +{{- $key := .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key -}} +{{- if and $crt $key }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-ca-cert + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ $crt }} + ca.key: {{ $key }} +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml new file mode 100644 index 000000000..4c613cc66 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml @@ -0,0 +1,14 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.clustermesh.apiserver.tls.auto.schedule }} +apiVersion: {{ include "cronjob.apiVersion" . }} +kind: CronJob +metadata: + name: clustermesh-apiserver-generate-certs + namespace: {{ .Release.Namespace }} + labels: + k8s-app: clustermesh-apiserver-generate-certs +spec: + schedule: {{ .Values.clustermesh.apiserver.tls.auto.schedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: +{{- include "clustermesh-apiserver-generate-certs.job.spec" . | nindent 4 }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml new file mode 100644 index 000000000..d888738a0 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml @@ -0,0 +1,20 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") }} +{{/* +Because Kubernetes job specs are immutable, Helm will fail patch this job if +the spec changes between releases. To avoid breaking the upgrade path, we +generate a name for the job here which is based on the checksum of the spec. +This will cause the name of the job to change if its content changes, +and in turn cause Helm to do delete the old job and replace it with a new one. +*/}} +{{- $jobSpec := include "clustermesh-apiserver-generate-certs.job.spec" . -}} +{{- $checkSum := $jobSpec | sha256sum | trunc 10 -}} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: clustermesh-apiserver-generate-certs-{{$checkSum}} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: clustermesh-apiserver-generate-certs +{{ $jobSpec }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml new file mode 100644 index 000000000..4088d7a6d --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml @@ -0,0 +1,35 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: clustermesh-apiserver-generate-certs + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - cilium-ca + - clustermesh-apiserver-ca-cert + verbs: + - get + - update + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - clustermesh-apiserver-server-cert + - clustermesh-apiserver-admin-cert + - clustermesh-apiserver-remote-cert + - clustermesh-apiserver-client-cert + verbs: + - update +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml new file mode 100644 index 000000000..61dba683d --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml @@ -0,0 +1,15 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: clustermesh-apiserver-generate-certs + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: clustermesh-apiserver-generate-certs +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml new file mode 100644 index 000000000..a6f79a66f --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.serviceAccounts.clustermeshcertgen.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.serviceAccounts.clustermeshcertgen.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl new file mode 100644 index 000000000..576160f94 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl @@ -0,0 +1,37 @@ +{{/* +Generate TLS certificates for ClusterMesh. + +Note: Always use this template as follows: + + {{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} + +The assignment to `$_` is required because we store the generated CI in a global `cmca` variable. +Please, don't try to "simplify" this, as without this trick, every generated +certificate would be signed by a different CA. +*/}} +{{- define "clustermesh-apiserver-generate-certs.helm.setup-ca" }} + {{- if not .cmca }} + {{- $ca := "" -}} + {{- $crt := .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert -}} + {{- $key := .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key -}} + {{- if and $crt $key }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- with lookup "v1" "Secret" .Release.Namespace "clustermesh-apiserver-ca-cert" }} + {{- $crt := index .data "ca.crt" }} + {{- $key := index .data "ca.key" }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- $_ := include "cilium.ca.setup" . -}} + {{- with lookup "v1" "Secret" .Release.Namespace .commonCASecretName }} + {{- $crt := index .data "ca.crt" }} + {{- $key := index .data "ca.key" }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- $ca = .commonCA -}} + {{- end }} + {{- end }} + {{- end }} + {{- $_ := set . "cmca" $ca -}} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml new file mode 100644 index 000000000..43ded27e8 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml @@ -0,0 +1,17 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} +{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $cn := "root" }} +{{- $dns := list "localhost" }} +{{- $cert := genSignedCert $cn nil $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-admin-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .cmca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml new file mode 100644 index 000000000..832c6bb50 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} +{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-ca-cert + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ .cmca.Cert | b64enc }} + ca.key: {{ .cmca.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml new file mode 100644 index 000000000..fd9433408 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} +{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $cn := "externalworkload" }} +{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-client-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .cmca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml new file mode 100644 index 000000000..2c3bf96b4 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} +{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $cn := "remote" }} +{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-remote-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .cmca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml new file mode 100644 index 000000000..75da3d53f --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml @@ -0,0 +1,18 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} +{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $cn := "clustermesh-apiserver.cilium.io" }} +{{- $ip := concat (list "127.0.0.1" "::1") .Values.clustermesh.apiserver.tls.server.extraIpAddresses }} +{{- $dns := concat (list $cn "*.mesh.cilium.io") .Values.clustermesh.apiserver.tls.server.extraDnsNames }} +{{- $cert := genSignedCert $cn $ip $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-server-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .cmca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml new file mode 100644 index 000000000..ae30d895c --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-admin-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert }} + tls.crt: {{ .Values.clustermesh.apiserver.tls.admin.cert | required "missing clustermesh.apiserver.tls.admin.cert" }} + tls.key: {{ .Values.clustermesh.apiserver.tls.admin.key | required "missing clustermesh.apiserver.tls.admin.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml new file mode 100644 index 000000000..3fb695ecd --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-ca-cert + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert }} + {{- if .Values.clustermesh.apiserver.tls.ca.key }} + ca.key: {{ .Values.clustermesh.apiserver.tls.ca.key }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml new file mode 100644 index 000000000..b56035a7b --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.externalWorkloads.enabled (not .Values.clustermesh.apiserver.tls.auto.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-client-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert }} + tls.crt: {{ .Values.clustermesh.apiserver.tls.client.cert | required "missing clustermesh.apiserver.tls.client.cert" }} + tls.key: {{ .Values.clustermesh.apiserver.tls.client.key | required "missing clustermesh.apiserver.tls.client.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml new file mode 100644 index 000000000..458737400 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.clustermesh.useAPIServer (not .Values.clustermesh.apiserver.tls.auto.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-remote-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert }} + tls.crt: {{ .Values.clustermesh.apiserver.tls.remote.cert | required "missing clustermesh.apiserver.tls.remote.cert" }} + tls.key: {{ .Values.clustermesh.apiserver.tls.remote.key | required "missing clustermesh.apiserver.tls.remote.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml new file mode 100644 index 000000000..018e4cfe7 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: clustermesh-apiserver-server-cert + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert }} + tls.crt: {{ .Values.clustermesh.apiserver.tls.server.cert | required "missing clustermesh.apiserver.tls.server.cert" }} + tls.key: {{ .Values.clustermesh.apiserver.tls.server.key | required "missing clustermesh.apiserver.tls.server.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-config/_helpers.tpl b/cli/internal/helm/charts/cilium/templates/clustermesh-config/_helpers.tpl new file mode 100644 index 000000000..e2e66dc16 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-config/_helpers.tpl @@ -0,0 +1,14 @@ +{{- define "clustermesh-config-generate-etcd-cfg" }} +{{- $cluster := index . 0 -}} +{{- $domain := index . 1 -}} + +endpoints: +{{- if $cluster.ips }} +- https://{{ $cluster.name }}.{{ $domain }}:{{ $cluster.port }} +{{ else }} +- https://{{ $cluster.address | required "missing clustermesh.apiserver.config.clusters.address" }}:{{ $cluster.port }} +{{- end }} +trusted-ca-file: /var/lib/cilium/clustermesh/{{ $cluster.name }}.etcd-client-ca.crt +key-file: /var/lib/cilium/clustermesh/{{ $cluster.name }}.etcd-client.key +cert-file: /var/lib/cilium/clustermesh/{{ $cluster.name }}.etcd-client.crt +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml new file mode 100644 index 000000000..1e34def09 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: cilium-clustermesh + namespace: {{ .Release.Namespace }} +data: + {{- range .Values.clustermesh.config.clusters }} + {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain) | b64enc }} + {{ .name }}.etcd-client-ca.crt: {{ $.Values.clustermesh.apiserver.tls.ca.cert }} + {{ .name }}.etcd-client.key: {{ .tls.key }} + {{ .name }}.etcd-client.crt: {{ .tls.cert }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml new file mode 100644 index 000000000..d702793fd --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml @@ -0,0 +1,73 @@ +{{- if .Values.etcd.managed }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium-etcd-operator +rules: +- apiGroups: + - etcd.database.coreos.com + resources: + - etcdclusters + verbs: + - get + - delete + - create + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - delete + - get + - create +- apiGroups: + - "" + resources: + - deployments + verbs: + - delete + - create + - get + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - get + - delete +- apiGroups: + - apps + resources: + - deployments + verbs: + - delete + - create + - get + - update +- apiGroups: + - "" + resources: + - componentstatuses + verbs: + - get +- apiGroups: + - extensions + resources: + - deployments + verbs: + - delete + - create + - get + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - delete +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml new file mode 100644 index 000000000..026df4944 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.etcd.managed .Values.serviceAccounts.etcd.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium-etcd-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-etcd-operator +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.etcd.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml new file mode 100644 index 000000000..876149421 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml @@ -0,0 +1,90 @@ +{{- if .Values.etcd.managed }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + io.cilium/app: etcd-operator + name: cilium-etcd-operator + name: cilium-etcd-operator + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + io.cilium/app: etcd-operator + name: cilium-etcd-operator +{{- with .Values.etcd.updateStrategy }} + strategy: + {{- toYaml . | trim | nindent 4 }} +{{- end }} + template: + metadata: +{{- with .Values.etcd.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} +{{- end }} + labels: + io.cilium/app: etcd-operator + name: cilium-etcd-operator +{{- with .Values.etcd.podLabels }} + {{- toYaml . | nindent 8 }} +{{- end }} + spec: +{{- if .Values.etcd.affinity }} + affinity: +{{ toYaml .Values.etcd.affinity | indent 8 }} +{{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 8 }} +{{- end }} + containers: + - args: +{{- with .Values.etcd.extraArgs }} + {{- toYaml . | trim | nindent 8 }} +{{- end }} + #- --etcd-node-selector=disktype=ssd,cputype=high + command: + - /usr/bin/cilium-etcd-operator + env: + - name: CILIUM_ETCD_OPERATOR_CLUSTER_DOMAIN + value: "{{ .Values.etcd.clusterDomain }}" + - name: CILIUM_ETCD_OPERATOR_ETCD_CLUSTER_SIZE + value: "{{ .Values.etcd.clusterSize }}" + - name: CILIUM_ETCD_OPERATOR_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_ETCD_OPERATOR_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: CILIUM_ETCD_OPERATOR_POD_UID + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.uid + - name: CILIUM_ETCD_META_ETCD_AUTO_COMPACTION_MODE + value: "revision" + - name: CILIUM_ETCD_META_ETCD_AUTO_COMPACTION_RETENTION + value: "25000" + image: {{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag }} + imagePullPolicy: {{ .Values.etcd.image.pullPolicy }} + name: cilium-etcd-operator + dnsPolicy: ClusterFirst + hostNetwork: true + priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }} + restartPolicy: Always + serviceAccount: {{ .Values.serviceAccounts.etcd.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.etcd.name | quote }} +{{- with .Values.etcd.nodeSelector }} + nodeSelector: + {{- toYaml . | trim | nindent 8 }} +{{- end }} +{{- with .Values.etcd.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 6 }} +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml new file mode 100644 index 000000000..9bc0a3ea6 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.etcd.managed .Values.serviceAccounts.etcd.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.etcd.name | quote }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAccounts.etcd.annotations }} + annotations: +{{ toYaml .Values.serviceAccounts.etcd.annotations | indent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml new file mode 100644 index 000000000..5a87497c8 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml @@ -0,0 +1,54 @@ +{{- if .Values.etcd.managed }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: etcd-operator +rules: +- apiGroups: + - etcd.database.coreos.com + resources: + - etcdclusters + - etcdbackups + - etcdrestores + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - persistentvolumeclaims + - events + - deployments + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + verbs: + - '*' +- apiGroups: + - extensions + resources: + - deployments + verbs: + - create + - get + - list + - patch + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml new file mode 100644 index 000000000..f2f36e2a8 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if .Values.etcd.managed }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: etcd-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: etcd-operator +subjects: +- kind: ServiceAccount + name: cilium-etcd-sa + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml new file mode 100644 index 000000000..278d98428 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if .Values.etcd.managed }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-etcd-sa + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAccounts.etcd.annotations }} + annotations: +{{ toYaml .Values.serviceAccounts.etcd.annotations | indent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml b/cli/internal/helm/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml new file mode 100644 index 000000000..0507ebe19 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.etcd.managed .Values.etcd.podDisruptionBudget.enabled }} +{{- $component := .Values.etcd.podDisruptionBudget }} +apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: cilium-etcd-operator + namespace: {{ .Release.Namespace }} + labels: + io.cilium/app: etcd-operator + name: cilium-etcd-operator +spec: + {{- with $component.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with $component.minAvailable }} + minAvailable: {{ . }} + {{- end }} + selector: + matchLabels: + io.cilium/app: etcd-operator + name: cilium-etcd-operator +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-relay/configmap.yaml b/cli/internal/helm/charts/cilium/templates/hubble-relay/configmap.yaml new file mode 100644 index 000000000..e019c1aa7 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-relay/configmap.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled }} +{{- $peerSvcPort := .Values.hubble.peerService.servicePort -}} +{{- if not .Values.hubble.peerService.servicePort }} +{{- $peerSvcPort = (.Values.hubble.tls.enabled | ternary 443 80) -}} +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: hubble-relay-config + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + cluster-name: {{ .Values.cluster.name }} + {{- if and .Values.hubble.enabled .Values.hubble.peerService.enabled }} + peer-service: "hubble-peer.{{ .Release.Namespace }}.svc.{{ .Values.hubble.peerService.clusterDomain }}:{{ $peerSvcPort }}" + {{- else }} + peer-service: unix://{{ .Values.hubble.socketPath }} + {{- end }} + listen-address: {{ .Values.hubble.relay.listenHost }}:{{ .Values.hubble.relay.listenPort }} + {{- if .Values.hubble.relay.prometheus.enabled }} + metrics-listen-address: ":{{ .Values.hubble.relay.prometheus.port }}" + {{- end }} + dial-timeout: {{ .Values.hubble.relay.dialTimeout }} + retry-timeout: {{ .Values.hubble.relay.retryTimeout }} + sort-buffer-len-max: {{ .Values.hubble.relay.sortBufferLenMax }} + sort-buffer-drain-timeout: {{ .Values.hubble.relay.sortBufferDrainTimeout }} + {{- if .Values.hubble.tls.enabled }} + tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt + tls-client-key-file: /var/lib/hubble-relay/tls/client.key + tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt + {{- else }} + disable-client-tls: true + {{- end }} + {{- if and .Values.hubble.tls.enabled .Values.hubble.relay.tls.server.enabled }} + tls-server-cert-file: /var/lib/hubble-relay/tls/server.crt + tls-server-key-file: /var/lib/hubble-relay/tls/server.key + {{- else }} + disable-server-tls: true + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-relay/deployment.yaml b/cli/internal/helm/charts/cilium/templates/hubble-relay/deployment.yaml new file mode 100644 index 000000000..502e2bb10 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-relay/deployment.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled }} +{{- $mountSocket := not .Values.hubble.peerService.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: hubble-relay + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-relay +spec: + replicas: {{ .Values.hubble.relay.replicas }} + selector: + matchLabels: + k8s-app: hubble-relay + {{- with .Values.hubble.relay.updateStrategy }} + strategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + template: + metadata: + annotations: + {{- if .Values.hubble.relay.rollOutPods }} + # ensure pods roll when configmap updates + cilium.io/hubble-relay-configmap-checksum: {{ include (print $.Template.BasePath "/hubble-relay/configmap.yaml") . | sha256sum | quote }} + {{- end }} + {{- with .Values.hubble.relay.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + k8s-app: hubble-relay + {{- with .Values.hubble.relay.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.hubble.relay.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: hubble-relay + image: {{ include "cilium.image" .Values.hubble.relay.image | quote }} + imagePullPolicy: {{ .Values.hubble.relay.image.pullPolicy }} + command: + - hubble-relay + args: + - serve + {{- if .Values.debug.enabled }} + - --debug + {{- end }} + ports: + - name: grpc + containerPort: {{ .Values.hubble.relay.listenPort }} + {{- if .Values.hubble.relay.prometheus.enabled }} + - name: prometheus + containerPort: {{ .Values.hubble.relay.prometheus.port }} + protocol: TCP + {{- end }} + readinessProbe: + tcpSocket: + port: grpc + livenessProbe: + tcpSocket: + port: grpc + {{- with .Values.hubble.relay.extraEnv }} + env: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.hubble.relay.resources }} + resources: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + volumeMounts: + {{- if $mountSocket }} + - name: hubble-sock-dir + mountPath: {{ dir .Values.hubble.socketPath }} + readOnly: true + {{- end }} + - name: config + mountPath: /etc/hubble-relay + readOnly: true + {{- if .Values.hubble.tls.enabled }} + - name: tls + mountPath: /var/lib/hubble-relay/tls + readOnly: true + {{- end }} + restartPolicy: Always + priorityClassName: {{ .Values.hubble.relay.priorityClassName }} + serviceAccount: {{ .Values.serviceAccounts.relay.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.relay.name | quote }} + automountServiceAccountToken: false + terminationGracePeriodSeconds: {{ .Values.hubble.relay.terminationGracePeriodSeconds }} + {{- with .Values.hubble.relay.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hubble.relay.nodeSelector }} + nodeSelector: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.hubble.relay.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: hubble-relay-config + items: + - key: config.yaml + path: config.yaml + {{- if $mountSocket }} + - name: hubble-sock-dir + hostPath: + path: {{ dir .Values.hubble.socketPath }} + type: Directory + {{- end }} + {{- if .Values.hubble.tls.enabled }} + - name: tls + projected: + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + sources: + - secret: + name: hubble-relay-client-certs + items: + - key: ca.crt + path: hubble-server-ca.crt + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + {{- if .Values.hubble.relay.tls.server.enabled }} + - secret: + name: hubble-relay-server-certs + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + {{- end }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-relay/metrics-service.yaml b/cli/internal/helm/charts/cilium/templates/hubble-relay/metrics-service.yaml new file mode 100644 index 000000000..5b7c99c9e --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-relay/metrics-service.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.prometheus.enabled }} +# We use a separate service from hubble-relay which can be exposed externally +kind: Service +apiVersion: v1 +metadata: + name: hubble-relay-metrics + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-relay +spec: + clusterIP: None + type: ClusterIP + selector: + k8s-app: hubble-relay + ports: + - name: metrics + port: {{ .Values.hubble.relay.prometheus.port }} + protocol: TCP + targetPort: prometheus +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml b/cli/internal/helm/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml new file mode 100644 index 000000000..f1b757bfa --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.podDisruptionBudget.enabled }} +{{- $component := .Values.hubble.relay.podDisruptionBudget }} +apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: hubble-relay + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-relay +spec: + {{- with $component.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with $component.minAvailable }} + minAvailable: {{ . }} + {{- end }} + selector: + matchLabels: + k8s-app: hubble-relay +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-relay/service.yaml b/cli/internal/helm/charts/cilium/templates/hubble-relay/service.yaml new file mode 100644 index 000000000..002b7ea3e --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-relay/service.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled }} +kind: Service +apiVersion: v1 +metadata: + name: hubble-relay + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-relay +spec: + type: {{ .Values.hubble.relay.service.type | quote }} + selector: + k8s-app: hubble-relay + ports: + - protocol: TCP + {{- if .Values.hubble.relay.servicePort }} + port: {{ .Values.hubble.relay.servicePort }} + {{- else }} + port: {{ .Values.hubble.relay.tls.server.enabled | ternary 443 80 }} + {{- end }} + targetPort: {{ .Values.hubble.relay.listenPort }} + {{- if and (eq "NodePort" .Values.hubble.relay.service.type) .Values.hubble.relay.service.nodePort }} + nodePort: {{ .Values.hubble.relay.service.nodePort }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-relay/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/hubble-relay/serviceaccount.yaml new file mode 100644 index 000000000..f42bd1b0b --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-relay/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.serviceAccounts.relay.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.relay.name | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.serviceAccounts.relay.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-relay/servicemonitor.yaml b/cli/internal/helm/charts/cilium/templates/hubble-relay/servicemonitor.yaml new file mode 100644 index 000000000..6a3a120af --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-relay/servicemonitor.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.prometheus.enabled .Values.hubble.relay.prometheus.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: hubble-relay + namespace: {{ .Values.hubble.relay.prometheus.serviceMonitor.namespace | default .Release.Namespace }} + labels: + {{- with .Values.hubble.relay.prometheus.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.hubble.relay.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + k8s-app: hubble-relay + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + interval: {{ .Values.hubble.relay.prometheus.serviceMonitor.interval | quote }} + path: /metrics +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/_nginx.tpl b/cli/internal/helm/charts/cilium/templates/hubble-ui/_nginx.tpl new file mode 100644 index 000000000..753f50930 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/_nginx.tpl @@ -0,0 +1,37 @@ +{{- define "hubble-ui.nginx.conf" }} +server { + listen 8081; + listen [::]:8081; + server_name localhost; + root /app; + index index.html; + client_max_body_size 1G; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + # CORS + add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS"; + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Max-Age 1728000; + add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message; + add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout; + if ($request_method = OPTIONS) { + return 204; + } + # /CORS + + location /api { + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_hide_header Access-Control-Allow-Origin; + proxy_pass http://127.0.0.1:8090; + } + + location / { + try_files $uri $uri/ /index.html; + } + } +} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrole.yaml new file mode 100644 index 000000000..4bd809e7b --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrole.yaml @@ -0,0 +1,44 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hubble-ui +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - componentstatuses + - endpoints + - namespaces + - nodes + - pods + - services + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - "*" + verbs: + - get + - list + - watch +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml new file mode 100644 index 000000000..569ce06f2 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hubble-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: hubble-ui +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.ui.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/configmap.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/configmap.yaml new file mode 100644 index 000000000..bbab253d9 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/configmap.yaml @@ -0,0 +1,10 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: hubble-ui-nginx + namespace: {{ .Release.Namespace }} +data: + nginx.conf: {{ include "hubble-ui.nginx.conf" . | trim | quote }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/deployment.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/deployment.yaml new file mode 100644 index 000000000..41a933068 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/deployment.yaml @@ -0,0 +1,142 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} +kind: Deployment +apiVersion: apps/v1 +metadata: + name: hubble-ui + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-ui +spec: + replicas: {{ .Values.hubble.ui.replicas }} + selector: + matchLabels: + k8s-app: hubble-ui + template: + metadata: + annotations: + {{- if .Values.hubble.ui.rollOutPods }} + # ensure pods roll when configmap updates + cilium.io/hubble-ui-nginx-configmap-checksum: {{ include (print $.Template.BasePath "/hubble-ui/configmap.yaml") . | sha256sum | quote }} + {{- end }} + {{- with .Values.hubble.ui.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + k8s-app: hubble-ui + {{- with .Values.hubble.ui.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.hubble.ui.securityContext }} + {{- if .enabled }} + securityContext: + {{- omit . "enabled" | toYaml | nindent 8 }} + {{- end}} + {{- end }} + priorityClassName: {{ .Values.hubble.ui.priorityClassName }} + serviceAccount: {{ .Values.serviceAccounts.ui.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.ui.name | quote }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: frontend + image: {{ include "cilium.image" .Values.hubble.ui.frontend.image | quote }} + imagePullPolicy: {{ .Values.hubble.ui.frontend.image.pullPolicy }} + ports: + - name: http + containerPort: 8081 + {{- with .Values.hubble.ui.frontend.extraEnv }} + env: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.hubble.ui.frontend.resources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + volumeMounts: + - name: hubble-ui-nginx-conf + mountPath: /etc/nginx/conf.d/default.conf + subPath: nginx.conf + - name: tmp-dir + mountPath: /tmp + - name: backend + image: {{ include "cilium.image" .Values.hubble.ui.backend.image | quote }} + imagePullPolicy: {{ .Values.hubble.ui.backend.image.pullPolicy }} + env: + - name: EVENTS_SERVER_PORT + value: "8090" + {{- if .Values.hubble.relay.tls.server.enabled }} + - name: FLOWS_API_ADDR + value: "hubble-relay:443" + - name: TLS_TO_RELAY_ENABLED + value: "true" + - name: TLS_RELAY_SERVER_NAME + value: ui.hubble-relay.cilium.io + - name: TLS_RELAY_CA_CERT_FILES + value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt + - name: TLS_RELAY_CLIENT_CERT_FILE + value: /var/lib/hubble-ui/certs/client.crt + - name: TLS_RELAY_CLIENT_KEY_FILE + value: /var/lib/hubble-ui/certs/client.key + {{- else }} + - name: FLOWS_API_ADDR + value: "hubble-relay:80" + {{- end }} + {{- with .Values.hubble.ui.backend.extraEnv }} + {{- toYaml . | trim | nindent 10 }} + {{- end }} + ports: + - name: grpc + containerPort: 8090 + {{- with .Values.hubble.ui.backend.resources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} + volumeMounts: + {{- if .Values.hubble.relay.tls.server.enabled }} + - name: hubble-ui-client-certs + mountPath: /var/lib/hubble-ui/certs + readOnly: true + {{- end }} + {{- with .Values.hubble.ui.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hubble.ui.nodeSelector }} + nodeSelector: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + {{- with .Values.hubble.ui.tolerations }} + tolerations: + {{- toYaml . | trim | nindent 8 }} + {{- end }} + volumes: + - configMap: + defaultMode: 420 + name: hubble-ui-nginx + name: hubble-ui-nginx-conf + - emptyDir: {} + name: tmp-dir + {{- if .Values.hubble.relay.tls.server.enabled }} + - name: hubble-ui-client-certs + {{- if .Values.hubble.ui.standalone.enabled }} + {{- toYaml .Values.hubble.ui.standalone.tls.certsVolume | nindent 8 }} + {{- else }} + projected: + # note: the leading zero means this number is in octal representation: do not remove it + defaultMode: 0400 + sources: + - secret: + name: hubble-ui-client-certs + items: + - key: ca.crt + path: hubble-relay-ca.crt + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + {{- end }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/ingress.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/ingress.yaml new file mode 100644 index 000000000..cc6ce2446 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/ingress.yaml @@ -0,0 +1,29 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.ingress.enabled }} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: + name: hubble-ui + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-ui + {{- with .Values.hubble.ui.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.hubble.ui.ingress.className }} + ingressClassName: {{ .Values.hubble.ui.ingress.className }} + {{- end }} + {{- if .Values.hubble.ui.ingress.tls }} + tls: + {{- toYaml .Values.hubble.ui.ingress.tls | nindent 4 }} + {{- end }} + rules: + {{- range .Values.hubble.ui.ingress.hosts }} + - host: {{ . }} + http: + paths: + - path: / + {{- include "ingress.paths" $ | nindent 12 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml new file mode 100644 index 000000000..81533516d --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml @@ -0,0 +1,20 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.podDisruptionBudget.enabled }} +{{- $component := .Values.hubble.ui.podDisruptionBudget }} +apiVersion: {{ include "podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: hubble-ui + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-ui +spec: + {{- with $component.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + {{- with $component.minAvailable }} + minAvailable: {{ . }} + {{- end }} + selector: + matchLabels: + k8s-app: hubble-ui +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/service.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/service.yaml new file mode 100644 index 000000000..e56318d1f --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/service.yaml @@ -0,0 +1,20 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} +kind: Service +apiVersion: v1 +metadata: + name: hubble-ui + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-ui +spec: + type: {{ .Values.hubble.ui.service.type | quote }} + selector: + k8s-app: hubble-ui + ports: + - name: http + port: 80 + targetPort: 8081 + {{- if and (eq "NodePort" .Values.hubble.ui.service.type) .Values.hubble.ui.service.nodePort }} + nodePort: {{ .Values.hubble.ui.service.nodePort }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble-ui/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/hubble-ui/serviceaccount.yaml new file mode 100644 index 000000000..28f6061ca --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble-ui/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.serviceAccounts.ui.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.ui.name | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.serviceAccounts.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/metrics-service.yaml b/cli/internal/helm/charts/cilium/templates/hubble/metrics-service.yaml new file mode 100644 index 000000000..2e13bc2ab --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/metrics-service.yaml @@ -0,0 +1,27 @@ +{{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: hubble-metrics + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble + annotations: + {{- with .Values.hubble.metrics.serviceAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if not .Values.hubble.metrics.serviceMonitor.enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.hubble.metrics.port | quote }} + {{- end }} +spec: + clusterIP: None + type: ClusterIP + ports: + - name: hubble-metrics + port: {{ .Values.hubble.metrics.port }} + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/peer-service.yaml b/cli/internal/helm/charts/cilium/templates/hubble/peer-service.yaml new file mode 100644 index 000000000..698e6bf8e --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/peer-service.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.peerService.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: hubble-peer + namespace: {{ .Release.Namespace }} + labels: + k8s-app: cilium +spec: + selector: + k8s-app: cilium + ports: + - name: peer-service + {{- if .Values.hubble.peerService.servicePort }} + port: {{ .Values.hubble.peerService.servicePort }} + {{- else }} + port: {{ .Values.hubble.tls.enabled | ternary 443 80 }} + {{- end }} + protocol: TCP + targetPort: {{ .Values.hubble.peerService.targetPort }} +{{- if semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion }} + internalTrafficPolicy: Local +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/servicemonitor.yaml b/cli/internal/helm/charts/cilium/templates/hubble/servicemonitor.yaml new file mode 100644 index 000000000..b864b216b --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/servicemonitor.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: hubble + namespace: {{ .Values.prometheus.serviceMonitor.namespace | default .Release.Namespace }} + labels: + {{- with .Values.hubble.metrics.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.hubble.metrics.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + k8s-app: hubble + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: hubble-metrics + interval: 10s + honorLabels: true + path: /metrics + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: node + replacement: ${1} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/_helpers.tpl b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/_helpers.tpl new file mode 100644 index 000000000..6b00dd5ae --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/_helpers.tpl @@ -0,0 +1,9 @@ +{{- define "hubble-generate-certs.certmanager.issuer" }} +{{- if .Values.hubble.tls.auto.certManagerIssuerRef }} + {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef }} +{{- else }} + group: cert-manager.io + kind: Issuer + name: hubble-issuer +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml new file mode 100644 index 000000000..8b60b1afb --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/hubble-issuer.yaml @@ -0,0 +1,21 @@ +{{- if and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") (not .Values.hubble.tls.auto.certManagerIssuerRef) }} +{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: hubble-ca-secret + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ .ca.Cert | b64enc }} + ca.key: {{ .ca.Key | b64enc }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: hubble-issuer + namespace: {{ .Release.Namespace }} +spec: + ca: + secretName: hubble-ca-secret +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml new file mode 100644 index 000000000..75bbb07e0 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.relay.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: hubble-relay-client-certs + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: hubble-relay-client-certs + commonName: "*.hubble-relay.cilium.io" + dnsNames: + - "*.hubble-relay.cilium.io" + duration: {{ printf "%dh" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml new file mode 100644 index 000000000..8e386660d --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: hubble-relay-server-certs + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: hubble-relay-server-certs + commonName: "*.hubble-relay.cilium.io" + dnsNames: + - "*.hubble-relay.cilium.io" + {{- range $dns := .Values.hubble.relay.tls.server.extraDnsNames }} + - {{ $dns | quote }} + {{- end }} + {{- if .Values.hubble.relay.tls.server.extraIpAddresses }} + ipAddresses: + {{- range $ip := .Values.hubble.relay.tls.server.extraIpAddresses }} + - {{ $ip | quote }} + {{- end }} + {{- end }} + duration: {{ printf "%dh" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml new file mode 100644 index 000000000..08589a86f --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") }} +{{- $cn := list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: hubble-server-certs + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: hubble-server-certs + commonName: {{ $cn | quote }} + dnsNames: + - {{ $cn | quote }} + {{- range $dns := .Values.hubble.tls.server.extraDnsNames }} + - {{ $dns | quote }} + {{- end }} + {{- if .Values.hubble.tls.server.extraIpAddresses }} + ipAddresses: + {{- range $ip := .Values.hubble.tls.server.extraIpAddresses }} + - {{ $ip | quote }} + {{- end }} + {{- end }} + duration: {{ printf "%dh" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml new file mode 100644 index 000000000..0393d0850 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: hubble-ui-client-certs + namespace: {{ .Release.Namespace }} +spec: + issuerRef: + {{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }} + secretName: hubble-ui-client-certs + commonName: "*.hubble-ui.cilium.io" + dnsNames: + - "*.hubble-ui.cilium.io" + duration: {{ printf "%dh" (mul .Values.hubble.tls.auto.certValidityDuration 24) }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl new file mode 100644 index 000000000..493051f40 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl @@ -0,0 +1,59 @@ +{{- define "hubble-generate-certs.job.spec" }} +{{- $certValiditySecondsStr := printf "%ds" (mul .Values.hubble.tls.auto.certValidityDuration 24 60 60) -}} +spec: + template: + metadata: + labels: + k8s-app: hubble-generate-certs + {{- with .Values.certgen.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: certgen + image: {{ include "cilium.image" .Values.certgen.image | quote }} + imagePullPolicy: {{ .Values.certgen.image.pullPolicy }} + command: + - "/usr/bin/cilium-certgen" + # Because this is executed as a job, we pass the values as command + # line args instead of via config map. This allows users to inspect + # the values used in past runs by inspecting the completed pod. + args: + - "--cilium-namespace={{ .Release.Namespace }}" + {{- if .Values.debug.enabled }} + - "--debug" + {{- end }} + - "--ca-generate" + - "--ca-reuse-secret" + {{- if .Values.hubble.tls.ca.cert }} + - "--ca-secret-name=hubble-ca-secret" + {{- else -}} + {{- if and .Values.tls.ca.cert .Values.tls.ca.key }} + - "--ca-secret-name=cilium-ca" + {{- end }} + {{- end }} + - "--hubble-server-cert-generate" + - "--hubble-server-cert-common-name={{ list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }}" + - "--hubble-server-cert-validity-duration={{ $certValiditySecondsStr }}" + {{- if .Values.hubble.relay.enabled }} + - "--hubble-relay-client-cert-generate" + - "--hubble-relay-client-cert-validity-duration={{ $certValiditySecondsStr }}" + {{- end }} + {{- if and .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} + - "--hubble-relay-server-cert-generate" + - "--hubble-relay-server-cert-validity-duration={{ $certValiditySecondsStr }}" + {{- end }} + hostNetwork: true + {{- with .Values.certgen.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccount: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} + serviceAccountName: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/ca-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/ca-secret.yaml new file mode 100644 index 000000000..1c7bab1fc --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/ca-secret.yaml @@ -0,0 +1,15 @@ +{{- if and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") }} +{{- $crt := .Values.hubble.tls.ca.cert | default .Values.tls.ca.cert -}} +{{- $key := .Values.hubble.tls.ca.key | default .Values.tls.ca.key -}} +{{- if and $crt $key }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: hubble-ca-secret + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ $crt }} + ca.key: {{ $key }} +{{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml new file mode 100644 index 000000000..23ee1b3fa --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: hubble-generate-certs +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - hubble-server-certs + - hubble-relay-client-certs + - hubble-relay-server-certs + verbs: + - update + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - cilium-ca + - hubble-ca-secret + verbs: + - get + - update +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml new file mode 100644 index 000000000..c73ca7073 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: hubble-generate-certs +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: hubble-generate-certs +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml new file mode 100644 index 000000000..6d59abbf4 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.hubble.tls.auto.schedule }} +apiVersion: {{ include "cronjob.apiVersion" . }} +kind: CronJob +metadata: + name: hubble-generate-certs + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-generate-certs +spec: + schedule: {{ .Values.hubble.tls.auto.schedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + {{- include "hubble-generate-certs.job.spec" . | nindent 4 }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/job.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/job.yaml new file mode 100644 index 000000000..3d5386fd2 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/job.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") }} +{{/* +Because Kubernetes job specs are immutable, Helm will fail patch this job if +the spec changes between releases. To avoid breaking the upgrade path, we +generate a name for the job here which is based on the checksum of the spec. +This will cause the name of the job to change if its content changes, +and in turn cause Helm to do delete the old job and replace it with a new one. +*/}} +{{- $jobSpec := include "hubble-generate-certs.job.spec" . -}} +{{- $checkSum := $jobSpec | sha256sum | trunc 10 -}} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: hubble-generate-certs-{{$checkSum}} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: hubble-generate-certs +{{ $jobSpec }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml new file mode 100644 index 000000000..d538d67d9 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.serviceAccounts.hubblecertgen.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} + namespace: {{ .Release.Namespace }} + {{- with .Values.serviceAccounts.hubblecertgen.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/_helpers.tpl b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/_helpers.tpl new file mode 100644 index 000000000..e7337304f --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/_helpers.tpl @@ -0,0 +1,37 @@ +{{/* +Generate TLS certificates for Hubble Server and Hubble Relay. + +Note: Always use this template as follows: + + {{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} + +The assignment to `$_` is required because we store the generated CI in a global `ca` variable. +Please, don't try to "simplify" this, as without this trick, every generated +certificate would be signed by a different CA. +*/}} +{{- define "hubble-generate-certs.helm.setup-ca" }} + {{- if not .ca }} + {{- $ca := "" -}} + {{- $crt := .Values.hubble.tls.ca.cert | default .Values.tls.ca.cert -}} + {{- $key := .Values.hubble.tls.ca.key | default .Values.tls.ca.key -}} + {{- if and $crt $key }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- with lookup "v1" "Secret" .Release.Namespace "hubble-ca-secret" }} + {{- $crt := index .data "ca.crt" }} + {{- $key := index .data "ca.key" }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- $_ := include "cilium.ca.setup" . -}} + {{- with lookup "v1" "Secret" .Release.Namespace .commonCASecretName }} + {{- $crt := index .data "ca.crt" }} + {{- $key := index .data "ca.key" }} + {{- $ca = buildCustomCert $crt $key -}} + {{- else }} + {{- $ca = .commonCA -}} + {{- end }} + {{- end }} + {{- end }} + {{- $_ := set . "ca" $ca -}} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ca-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ca-secret.yaml new file mode 100644 index 000000000..f1e8e76f0 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ca-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") }} +{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: hubble-ca-secret + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ .ca.Cert | b64enc }} + ca.key: {{ .ca.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml new file mode 100644 index 000000000..947565eaf --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.relay.enabled }} +{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} +{{- $cn := "*.hubble-relay.cilium.io" }} +{{- $dns := list $cn }} +{{- $cert := genSignedCert $cn nil $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: hubble-relay-client-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .ca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml new file mode 100644 index 000000000..2c2339d6e --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} +{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} +{{- $cn := "*.hubble-relay.cilium.io" }} +{{- $ip := .Values.hubble.relay.tls.server.extraIpAddresses }} +{{- $dns := prepend .Values.hubble.relay.tls.server.extraDnsNames $cn }} +{{- $cert := genSignedCert $cn $ip $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: hubble-relay-server-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .ca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/server-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/server-secret.yaml new file mode 100644 index 000000000..cc3c1d91e --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/server-secret.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") }} +{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} +{{- $cn := list "*" (.Values.cluster.name | replace "." "-") "hubble-grpc.cilium.io" | join "." }} +{{- $ip := .Values.hubble.tls.server.extraIpAddresses }} +{{- $dns := prepend .Values.hubble.tls.server.extraDnsNames $cn }} +{{- $cert := genSignedCert $cn $ip $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: hubble-server-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .ca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml new file mode 100644 index 000000000..90376d654 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm") .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} +{{- $_ := include "hubble-generate-certs.helm.setup-ca" . -}} +{{- $cn := "*.hubble-ui.cilium.io" }} +{{- $dns := list $cn }} +{{- $cert := genSignedCert $cn nil $dns (.Values.hubble.tls.auto.certValidityDuration | int) .ca -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: hubble-ui-client-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .ca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ca-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ca-secret.yaml new file mode 100644 index 000000000..7a9ca55a8 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ca-secret.yaml @@ -0,0 +1,12 @@ +{{- if and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: hubble-ca-secret + namespace: {{ .Release.Namespace }} +data: + ca.crt: {{ .Values.hubble.tls.ca.cert }} + {{- if .Values.hubble.tls.ca.key }} + ca.key: {{ .Values.hubble.tls.ca.key }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml new file mode 100644 index 000000000..22cde037f --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: hubble-relay-client-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.hubble.tls.ca.cert }} + tls.crt: {{ .Values.hubble.relay.tls.client.cert | required "missing hubble.relay.tls.client.cert" }} + tls.key: {{ .Values.hubble.relay.tls.client.key | required "missing hubble.relay.tls.client.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml new file mode 100644 index 000000000..ccdfc2499 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: hubble-relay-server-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.hubble.tls.ca.cert }} + tls.crt: {{ .Values.hubble.relay.tls.server.cert | required "missing hubble.relay.tls.server.cert" }} + tls.key: {{ .Values.hubble.relay.tls.server.key | required "missing hubble.relay.tls.server.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/server-secret.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/server-secret.yaml new file mode 100644 index 000000000..f251b1b46 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/server-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.agent .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) }} +apiVersion: v1 +kind: Secret +metadata: + name: hubble-server-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.hubble.tls.ca.cert }} + tls.crt: {{ .Values.hubble.tls.server.cert | required "missing hubble.tls.server.cert" }} + tls.key: {{ .Values.hubble.tls.server.key | required "missing hubble.tls.server.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml new file mode 100644 index 000000000..0d2d948aa --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (not .Values.hubble.tls.auto.enabled) .Values.hubble.ui.enabled .Values.hubble.relay.enabled .Values.hubble.relay.tls.server.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: hubble-ui-client-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ .Values.hubble.tls.ca.cert }} + tls.crt: {{ .Values.hubble.ui.tls.client.cert | required "missing hubble.ui.tls.client.cert" }} + tls.key: {{ .Values.hubble.ui.tls.client.key | required "missing hubble.ui.tls.client.key" }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/validate.yaml b/cli/internal/helm/charts/cilium/templates/validate.yaml new file mode 100644 index 000000000..6c0ffed94 --- /dev/null +++ b/cli/internal/helm/charts/cilium/templates/validate.yaml @@ -0,0 +1,47 @@ +{{/* validate hubble config */}} +{{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }} + {{- if not .Values.hubble.relay.enabled }} + {{ fail "Hubble UI requires .Values.hubble.relay.enabled=true" }} + {{- end }} +{{- end }} +{{- if and .Values.hubble.ui.enabled .Values.hubble.ui.standalone.enabled .Values.hubble.relay.tls.server.enabled }} + {{- if not .Values.hubble.ui.standalone.tls.certsVolume }} + {{ fail "Hubble UI in standalone with Hubble Relay server TLS enabled requires providing .Values.hubble.ui.standalone.tls.certsVolume for mounting client certificates in the backend pod" }} + {{- end }} +{{- end }} +{{- if .Values.hubble.relay.enabled }} + {{- if not .Values.hubble.enabled }} + {{ fail "Hubble Relay requires .Values.hubble.enabled=true" }} + {{- end }} +{{- end }} + +{{/* validate service monitoring CRDs */}} +{{- if and .Values.prometheus.enabled (or .Values.prometheus.serviceMonitor.enabled .Values.operator.prometheus.serviceMonitor.enabled) }} + {{- if not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }} + {{ fail "Service Monitor requires monitoring.coreos.com/v1 CRDs. Please refer to https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml" }} + {{- end }} +{{- end }} + +{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") }} + {{- if not .Values.hubble.tls.auto.certManagerIssuerRef }} + {{ fail "Hubble TLS certgen method=certmanager requires user specify .Values.hubble.tls.auto.certManagerIssuerRef" }} + {{- end }} +{{- end }} + +{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }} + {{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }} + {{ fail "ClusterMesh TLS certgen method=certmanager requires user specify .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef" }} + {{- end }} +{{- end }} + +{{/* validate hubble-ui specific config */}} +{{- if and .Values.hubble.ui.enabled + (ne .Values.hubble.ui.backend.image.tag "latest") + (ne .Values.hubble.ui.frontend.image.tag "latest") }} + {{- if regexReplaceAll "@.*$" .Values.hubble.ui.backend.image.tag "" | trimPrefix "v" | semverCompare "<0.9.0" }} + {{ fail "Hubble UI requires hubble.ui.backend.image.tag to be '>=v0.9.0'" }} + {{- end }} + {{- if regexReplaceAll "@.*$" .Values.hubble.ui.frontend.image.tag "" | trimPrefix "v" | semverCompare "<0.9.0" }} + {{ fail "Hubble UI requires hubble.ui.frontend.image.tag to be '>=v0.9.0'" }} + {{- end }} +{{- end }} diff --git a/cli/internal/helm/charts/cilium/values.yaml b/cli/internal/helm/charts/cilium/values.yaml new file mode 100644 index 000000000..ec3898a58 --- /dev/null +++ b/cli/internal/helm/charts/cilium/values.yaml @@ -0,0 +1,2122 @@ +# File generated by install/kubernetes/Makefile; DO NOT EDIT. +# This file is based on install/kubernetes/cilium/values.yaml.tmpl. + +# upgradeCompatibility helps users upgrading to ensure that the configMap for +# Cilium will not change critical values to ensure continued operation +# This is flag is not required for new installations. +# For example: 1.7, 1.8, 1.9 +# upgradeCompatibility: '1.8' + +debug: + # -- Enable debug logging + enabled: false + # verbose: + +rbac: + # -- Enable creation of Resource-Based Access Control configuration. + create: true + +# -- Configure image pull secrets for pulling container images +imagePullSecrets: +# - name: "image-pull-secret" + +# kubeConfigPath: ~/.kube/config +# k8sServiceHost: +# k8sServicePort: + +cluster: + # -- Name of the cluster. Only required for Cluster Mesh. + name: default + # -- (int) Unique ID of the cluster. Must be unique across all connected + # clusters and in the range of 1 to 255. Only required for Cluster Mesh, + # may be 0 if Cluster Mesh is not used. + id: 0 + +# -- Define serviceAccount names for components. +# @default -- Component's fully qualified name. +serviceAccounts: + cilium: + create: true + name: cilium + annotations: {} + etcd: + create: true + name: cilium-etcd-operator + annotations: {} + operator: + create: true + name: cilium-operator + annotations: {} + preflight: + create: true + name: cilium-pre-flight + annotations: {} + relay: + create: true + name: hubble-relay + annotations: {} + ui: + create: true + name: hubble-ui + annotations: {} + clustermeshApiserver: + create: true + name: clustermesh-apiserver + annotations: {} + # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob + clustermeshcertgen: + create: true + name: clustermesh-apiserver-generate-certs + annotations: {} + # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob + hubblecertgen: + create: true + name: hubble-generate-certs + annotations: {} + +# -- Configure termination grace period for cilium-agent DaemonSet. +terminationGracePeriodSeconds: 1 + +# -- Install the cilium agent resources. +agent: true + +# -- Agent container name. +name: cilium + +# -- Roll out cilium agent pods automatically when configmap is updated. +rollOutCiliumPods: false + +# -- Agent container image. +image: + override: ~ + repository: "quay.io/cilium/cilium" + tag: "v1.12.0" + pullPolicy: "IfNotPresent" + # cilium-digest + digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" + useDigest: true + +# -- Affinity for cilium-agent. +affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + +# -- Node selector for cilium-agent. +nodeSelector: + kubernetes.io/os: linux + +# -- Node tolerations for agent scheduling to nodes with taints +# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +tolerations: +- operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + +# -- The priority class to use for cilium-agent. +priorityClassName: "" + +# -- DNS policy for Cilium agent pods. +# Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" + +# -- Additional agent container arguments. +extraArgs: [] + +# -- Additional agent container environment variables. +extraEnv: [] + +# -- Additional agent hostPath mounts. +extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + +# -- Additional agent volumes. +extraVolumes: [] + +# -- Additional agent volumeMounts. +extraVolumeMounts: [] + +# -- extraConfig allows you to specify additional configuration parameters to be +# included in the cilium-config configmap. +extraConfig: {} +# my-config-a: "1234" +# my-config-b: |- +# test 1 +# test 2 +# test 3 + +# -- Annotations to be added to agent pods +podAnnotations: {} + +# -- Labels to be added to agent pods +podLabels: {} + +# -- Agent resource limits & requests +# ref: https://kubernetes.io/docs/user-guide/compute-resources/ +resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + +# -- Security context to be added to agent pods +securityContext: + # runAsUser: 0 + privileged: false + extraCapabilities: + # Allow discretionary access control (e.g. required for package installation) + - DAC_OVERRIDE + # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation) + - FOWNER + # Allow to execute program that changes GID (e.g. required for package installation) + - SETGID + # Allow to execute program that changes UID (e.g. required for package installation) + - SETUID + +# -- Cilium agent update strategy +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 2 + +# Configuration Values for cilium-agent + +aksbyocni: + # -- Enable AKS BYOCNI integration. + # Note that this is incompatible with AKS clusters not created in BYOCNI mode: + # use Azure integration (`azure.enabled`) instead. + enabled: false + +# -- Enable installation of PodCIDR routes between worker +# nodes if worker nodes share a common L2 network segment. +autoDirectNodeRoutes: false + +# -- Annotate k8s node upon initialization with Cilium's metadata. +annotateK8sNode: false + +azure: + # -- Enable Azure integration. + # Note that this is incompatible with AKS clusters created in BYOCNI mode: use + # AKS BYOCNI integration (`aksbyocni.enabled`) instead. + enabled: false + # usePrimaryAddress: false + # resourceGroup: group1 + # subscriptionID: 00000000-0000-0000-0000-000000000000 + # tenantID: 00000000-0000-0000-0000-000000000000 + # clientID: 00000000-0000-0000-0000-000000000000 + # clientSecret: 00000000-0000-0000-0000-000000000000 + # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000 + +alibabacloud: + # -- Enable AlibabaCloud ENI integration + enabled: false + +# -- Deprecated in favor of bandwidthManager.enabled. To be removed in 1.13. +# Optimize TCP and UDP workloads and enable rate-limiting traffic from +# individual Pods with EDT (Earliest Departure Time) through the +# "kubernetes.io/egress-bandwidth" Pod annotation. +#bandwidthManager: false + +# -- Enable bandwidth manager to optimize TCP and UDP workloads and allow +# for rate-limiting traffic from individual Pods with EDT (Earliest Departure +# Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. +bandwidthManager: + # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) + enabled: false + # -- Activate BBR TCP congestion control for Pods + bbr: false + +# -- Configure BGP +bgp: + # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside + # cilium-agent and cilium-operator + enabled: false + announce: + # -- Enable allocation and announcement of service LoadBalancer IPs + loadbalancerIP: false + # -- Enable announcement of node pod CIDR + podCIDR: false + +# -- This feature set enables virtual BGP routers to be created via +# CiliumBGPPeeringPolicy CRDs. +bgpControlPlane: + # -- Enables the BGP control plane. + enabled: false + +bpf: + # -- Configure the mount point for the BPF filesystem + root: /sys/fs/bpf + + # -- Enable BPF clock source probing for more efficient tick retrieval. + clockProbe: false + + # -- Enables pre-allocation of eBPF map values. This increases + # memory usage but can reduce latency. + preallocateMaps: false + + # -- Configure the maximum number of entries in the TCP connection tracking + # table. + # ctTcpMax: '524288' + + # -- Configure the maximum number of entries for the non-TCP connection + # tracking table. + # ctAnyMax: '262144' + + # -- Configure the maximum number of service entries in the + # load balancer maps. + lbMapMax: 65536 + + # -- Configure the maximum number of entries for the NAT table. + # natMax: 524288 + + # -- Configure the maximum number of entries for the neighbor table. + # neighMax: 524288 + + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + policyMapMax: 16384 + + # -- Configure auto-sizing for all BPF maps based on available memory. + # ref: https://docs.cilium.io/en/stable/concepts/ebpf/maps/#ebpf-maps + #mapDynamicSizeRatio: 0.0025 + + # -- Configure the level of aggregation for monitor notifications. + # Valid options are none, low, medium, maximum. + monitorAggregation: medium + + # -- Configure the typical time between monitor notifications for + # active connections. + monitorInterval: "5s" + + # -- Configure which TCP flags trigger notifications when seen for the + # first time in a connection. + monitorFlags: "all" + + # -- Allow cluster external access to ClusterIP services. + lbExternalClusterIP: false + + # -- Enable native IP masquerade support in eBPF + #masquerade: false + + # -- Deprecated in favor of bpf.hostLegacyRouting. To be removed in 1.13. + # Configure whether direct routing mode should route traffic via + # host stack (true) or directly and more efficiently out of BPF (false) if + # the kernel supports it. + #hostRouting: true + + # -- Configure whether direct routing mode should route traffic via + # host stack (true) or directly and more efficiently out of BPF (false) if + # the kernel supports it. The latter has the implication that it will also + # bypass netfilter in the host namespace. + #hostLegacyRouting: false + + # -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules + # for implementing Layer 7 policy. + # tproxy: true + + # -- Configure the FIB lookup bypass optimization for nodeport reverse + # NAT handling. + # lbBypassFIBLookup: true + + # -- Configure explicitly allowed VLAN id's for bpf logic bypass. + # [0] will allow all VLAN id's without any filtering. + # vlanBypass: [] + +# -- Clean all eBPF datapath state from the initContainer of the cilium-agent +# DaemonSet. +# +# WARNING: Use with care! +cleanBpfState: false + +# -- Clean all local Cilium state from the initContainer of the cilium-agent +# DaemonSet. Implies cleanBpfState: true. +# +# WARNING: Use with care! +cleanState: false + +# -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" +# init container before launching cilium-agent. +# More context can be found in the commit message of below PR +# https://github.com/cilium/cilium/pull/20123 +waitForKubeProxy: false + +cni: + # -- Install the CNI configuration and binary files into the filesystem. + install: true + + # -- Configure chaining on top of other CNI plugins. Possible values: + # - none + # - aws-cni + # - flannel + # - generic-veth + # - portmap + chainingMode: none + + # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the + # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. + # This ensures no Pods can be scheduled using other CNI plugins during Cilium + # agent downtime. + exclusive: true + + # -- Configure the log file for CNI logging with retention policy of 7 days. + # Disable CNI file logging by setting this field to empty explicitly. + logFile: /var/run/cilium/cilium-cni.log + + # -- Skip writing of the CNI configuration. This can be used if + # writing of the CNI configuration is performed by external automation. + customConf: false + + # -- Configure the path to the CNI configuration directory on the host. + confPath: /etc/cni/net.d + + # -- Configure the path to the CNI binary directory on the host. + binPath: /opt/cni/bin + + # -- Specify the path to a CNI config to read from on agent start. + # This can be useful if you want to manage your CNI + # configuration outside of a Kubernetes environment. This parameter is + # mutually exclusive with the 'cni.configMap' parameter. + # readCniConf: /host/etc/cni/net.d/05-cilium.conf + + # -- When defined, configMap will mount the provided value as ConfigMap and + # interpret the cniConf variable as CNI configuration file and write it + # when the agent starts up + # configMap: cni-configuration + + # -- Configure the key in the CNI ConfigMap to read the contents of + # the CNI configuration from. + configMapKey: cni-config + + # -- Configure the path to where to mount the ConfigMap inside the agent pod. + confFileMountPath: /tmp/cni-configuration + + # -- Configure the path to where the CNI configuration directory is mounted + # inside the agent pod. + hostConfDirMountPath: /host/etc/cni/net.d + +# -- Configure how frequently garbage collection should occur for the datapath +# connection tracking table. +# conntrackGCInterval: "0s" + +# -- Configure container runtime specific integration. +containerRuntime: + # -- Enables specific integrations for container runtimes. + # Supported values: + # - containerd + # - crio + # - docker + # - none + # - auto (automatically detect the container runtime) + integration: none + # -- Configure the path to the container runtime control socket. + # socketPath: /path/to/runtime.sock + +# crdWaitTimeout: "" + +# -- Tail call hooks for custom eBPF programs. +customCalls: + # -- Enable tail call hooks for custom eBPF programs. + enabled: false + +# -- Configure which datapath mode should be used for configuring container +# connectivity. Valid options are "veth" or "ipvlan". Deprecated, to be removed +# in v1.12. +datapathMode: veth + +daemon: + # -- Configure where Cilium runtime state should be stored. + runPath: "/var/run/cilium" + +# -- Specify which network interfaces can run the eBPF datapath. This means +# that a packet sent from a pod to a destination outside the cluster will be +# masqueraded (to an output device IPv4 address), if the output device runs the +# program. When not specified, probing will automatically detect devices. +# devices: "" + +# -- Enables experimental support for the detection of new and removed datapath +# devices. When devices change the eBPF datapath is reloaded and services updated. +# If "devices" is set then only those devices, or devices matching a wildcard will +# be considered. +enableRuntimeDeviceDetection: false + +# -- Chains to ignore when installing feeder rules. +# disableIptablesFeederRules: "" + +# -- Limit egress masquerading to interface selector. +# egressMasqueradeInterfaces: "" + +# -- Whether to enable CNP status updates. +enableCnpStatusUpdates: false + +# -- Configures the use of the KVStore to optimize Kubernetes event handling by +# mirroring it into the KVstore for reduced overhead in large clusters. +enableK8sEventHandover: false + +# -- Enable setting identity mark for local traffic. +# enableIdentityMark: true + +# -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. +# enableK8sEndpointSlice: true + +# -- Enable CiliumEndpointSlice feature. +enableCiliumEndpointSlice: false + +ingressController: + # -- Enable cilium ingress controller + # This will automatically set enable-envoy-config as well. + enabled: false + + # -- Enforce https for host having matching TLS host in Ingress. + # Incoming traffic to http listener will return 308 http error code with respective location in header. + enforceHttps: true + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. + secretsNamespace: + # -- Create secrets namespace for Ingress. + create: true + + # -- Name of Ingress secret namespace. + name: cilium-secrets + + # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. + # If disabled, TLS secrets must be maintained externally. + sync: true + +# -- Enables the fallback compatibility solution for when the xt_socket kernel +# module is missing and it is needed for the datapath L7 redirection to work +# properly. See documentation for details on when this can be disabled: +# https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. +enableXTSocketFallback: true + +encryption: + # -- Enable transparent network encryption. + enabled: false + + # -- Encryption method. Can be either ipsec or wireguard. + type: ipsec + + # -- Enable encryption for pure node to node traffic. + # This option is only effective when encryption.type is set to ipsec. + nodeEncryption: false + + ipsec: + # -- Name of the key file inside the Kubernetes secret configured via secretName. + keyFile: "" + + # -- Path to mount the secret inside the Cilium pod. + mountPath: "" + + # -- Name of the Kubernetes secret containing the encryption keys. + secretName: "" + + # -- The interface to use for encrypted traffic. + interface: "" + + wireguard: + # -- Enables the fallback to the user-space implementation. + userspaceFallback: false + + # -- Deprecated in favor of encryption.ipsec.keyFile. + # Name of the key file inside the Kubernetes secret configured via secretName. + # This option is only effective when encryption.type is set to ipsec. + keyFile: keys + + # -- Deprecated in favor of encryption.ipsec.mountPath. + # Path to mount the secret inside the Cilium pod. + # This option is only effective when encryption.type is set to ipsec. + mountPath: /etc/ipsec + + # -- Deprecated in favor of encryption.ipsec.secretName. + # Name of the Kubernetes secret containing the encryption keys. + # This option is only effective when encryption.type is set to ipsec. + secretName: cilium-ipsec-keys + + # -- Deprecated in favor of encryption.ipsec.interface. + # The interface to use for encrypted traffic. + # This option is only effective when encryption.type is set to ipsec. + interface: "" + +strictModeCIDR: "" + +endpointHealthChecking: + # -- Enable connectivity health checking between virtual endpoints. + enabled: true + +# -- Enable endpoint status. +# Status can be: policy, health, controllers, logs and / or state. For 2 or more options use a comma. +endpointStatus: + enabled: false + status: "" + +endpointRoutes: + # -- Enable use of per endpoint routes instead of routing via + # the cilium_host interface. + enabled: false + +eni: + # -- Enable Elastic Network Interface (ENI) integration. + enabled: false + # -- Update ENI Adapter limits from the EC2 API + updateEC2AdapterLimitViaAPI: false + # -- Release IPs not used from the ENI + awsReleaseExcessIPs: false + # -- Enable ENI prefix delegation + awsEnablePrefixDelegation: false + # -- EC2 API endpoint to use + ec2APIEndpoint: "" + # -- Tags to apply to the newly created ENIs + eniTags: {} + # -- If using IAM role for Service Accounts will not try to + # inject identity values from cilium-aws kubernetes secret. + # Adds annotation to service account if managed by Helm. + # See https://github.com/aws/amazon-eks-pod-identity-webhook + iamRole: "" + # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetIDsFilter: "" + # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetTagsFilter: "" + # -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances + # are going to be used to create new ENIs + instanceTagsFilter: "" + +externalIPs: + # -- Enable ExternalIPs service support. + enabled: false + +# fragmentTracking enables IPv4 fragment tracking support in the datapath. +# fragmentTracking: true + +gke: + # -- Enable Google Kubernetes Engine integration + enabled: false + +# -- Enable connectivity health checking. +healthChecking: true + +# -- TCP port for the agent health API. This is not the port for cilium-health. +healthPort: 9879 + +# -- Configure the host firewall. +hostFirewall: + # -- Enables the enforcement of host policies in the eBPF datapath. + enabled: false + +hostPort: + # -- Enable hostPort service support. + enabled: false + +# -- Configure socket LB +socketLB: + # -- Enable socket LB + enabled: false + + # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules. + # hostNamespaceOnly: false + +# -- Configure certificate generation for Hubble integration. +# If hubble.tls.auto.method=cronJob, these values are used +# for the Kubernetes CronJob which will be scheduled regularly to +# (re)generate any certificates not provided manually. +certgen: + image: + override: ~ + repository: "quay.io/cilium/certgen" + tag: "v0.1.8@sha256:4a456552a5f192992a6edcec2febb1c54870d665173a33dc7d876129b199ddbd" + pullPolicy: "IfNotPresent" + # -- Seconds after which the completed job pod will be deleted + ttlSecondsAfterFinished: 1800 + # -- Labels to be added to hubble-certgen pods + podLabels: {} + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: [] + +hubble: + # -- Enable Hubble (true by default). + enabled: true + + # -- Buffer size of the channel Hubble uses to receive monitor events. If this + # value is not set, the queue size is set to the default monitor queue size. + # eventQueueSize: "" + + # -- Number of recent flows for Hubble to cache. Defaults to 4095. + # Possible values are: + # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, + # 2047, 4095, 8191, 16383, 32767, 65535 + # eventBufferCapacity: "4095" + + # -- Hubble metrics configuration. + # See https://docs.cilium.io/en/stable/operations/metrics/#hubble-metrics + # for more comprehensive documentation about Hubble metrics. + metrics: + # -- Configures the list of metrics to collect. If empty or null, metrics + # are disabled. + # Example: + # + # enabled: + # - dns:query;ignoreAAAA + # - drop + # - tcp + # - flow + # - icmp + # - http + # + # You can specify the list of metrics from the helm CLI: + # + # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # + enabled: ~ + # -- Configure the port the hubble metric server listens on. + port: 9965 + # -- Annotations to be added to hubble-metrics service. + serviceAnnotations: {} + serviceMonitor: + # -- Create ServiceMonitor resources for Prometheus Operator. + # This requires the prometheus CRDs to be available. + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor hubble + labels: {} + # -- Annotations to add to ServiceMonitor hubble + annotations: {} + + # -- Unix domain socket path to listen to when Hubble is enabled. + socketPath: /var/run/cilium/hubble.sock + + # -- An additional address for Hubble to listen to. + # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that + # Hubble is listening on port 4244. + listenAddress: ":4244" + peerService: + # -- Enable a K8s Service for the Peer service, so that it can be accessed + # by a non-local client + enabled: true + # -- Service Port for the Peer service. + # If not set, it is dynamically assigned to port 443 if TLS is enabled and to + # port 80 if not. + # servicePort: 80 + # -- Target Port for the Peer service. + targetPort: 4244 + # -- The cluster domain to use to query the Hubble Peer service. It should + # be the local cluster. + clusterDomain: cluster.local + # -- TLS configuration for Hubble + tls: + # -- Enable mutual TLS for listenAddress. Setting this value to false is + # highly discouraged as the Hubble API provides access to potentially + # sensitive network flow metadata and is exposed on the host network. + enabled: true + # -- Configure automatic TLS certificates generation. + auto: + # -- Auto-generate certificates. + # When set to true, automatically generate a CA and certificates to + # enable mTLS between Hubble server and Hubble Relay instances. If set to + # false, the certs for Hubble server need to be provided by setting + # appropriate values below. + enabled: true + # -- Set the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. + # - certmanager: This method use cert-manager to generate & rotate certificates. + method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. + # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Defaults to midnight of the first day of every fourth month. For syntax, see + # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule + schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when hubble.tls.auto.method=certmanager. + # If not specified, a CA issuer will be created. + certManagerIssuerRef: {} + + # -- Deprecated in favor of tls.ca. To be removed in 1.13. + # base64 encoded PEM values for the Hubble CA certificate and private key. + ca: + # -- Deprecated in favor of tls.ca.cert. To be removed in 1.13. + cert: "" + # -- Deprecated in favor of tls.ca.key. To be removed in 1.13. + # The CA private key (optional). If it is provided, then it will be + # used by hubble.tls.auto.method=cronJob to generate all other certificates. + # Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true. + key: "" + # -- base64 encoded PEM values for the Hubble server certificate and private key + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + + relay: + # -- Enable Hubble Relay (requires hubble.enabled=true) + enabled: false + + # -- Roll out Hubble Relay pods automatically when configmap is updated. + rollOutPods: false + + # -- Hubble-relay container image. + image: + override: ~ + repository: "quay.io/cilium/hubble-relay" + tag: "v1.12.0" + # hubble-relay-digest + digest: "sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d" + useDigest: true + pullPolicy: "IfNotPresent" + + # -- Specifies the resources for the hubble-relay pods + resources: {} + + # -- Number of replicas run for the hubble-relay deployment. + replicas: 1 + + # -- Affinity for hubble-replay + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # + tolerations: [] + + # -- Additional hubble-relay environment variables. + extraEnv: [] + + # -- Annotations to be added to hubble-relay pods + podAnnotations: {} + + # -- Labels to be added to hubble-relay pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- The priority class to use for hubble-relay + priorityClassName: "" + + # -- Configure termination grace period for hubble relay Deployment. + terminationGracePeriodSeconds: 1 + + # -- hubble-relay update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- hubble-relay security context + securityContext: {} + + # -- hubble-relay service configuration. + service: + # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort. + type: ClusterIP + # --- The port to use when the service type is set to NodePort. + nodePort: 31234 + + # -- Host to listen to. Specify an empty string to bind to all the interfaces. + listenHost: "" + + # -- Port to listen to. + listenPort: "4245" + + # -- TLS configuration for Hubble Relay + tls: + # -- base64 encoded PEM values for the hubble-relay client certificate and private key + # This keypair is presented to Hubble server instances for mTLS + # authentication and is required when hubble.tls.enabled is true. + # These values need to be set manually if hubble.tls.auto.enabled is false. + client: + cert: "" + key: "" + # -- base64 encoded PEM values for the hubble-relay server certificate and private key + server: + # When set to true, enable TLS on for Hubble Relay server + # (ie: for clients connecting to the Hubble Relay API). + enabled: false + # These values need to be set manually if hubble.tls.auto.enabled is false. + cert: "" + key: "" + # -- extra DNS names added to certificate when its auto gen + extraDnsNames: [] + # -- extra IP addresses added to certificate when its auto gen + extraIpAddresses: [] + + # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). + dialTimeout: ~ + + # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). + retryTimeout: ~ + + # -- Max number of flows that can be buffered for sorting before being sent to the + # client (per request) (e.g. 100). + sortBufferLenMax: ~ + + # -- When the per-request flows sort buffer is not full, a flow is drained every + # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). + sortBufferDrainTimeout: ~ + + # -- Port to use for the k8s service backed by hubble-relay pods. + # If not set, it is dynamically assigned to port 443 if TLS is enabled and to + # port 80 if not. + # servicePort: 80 + + # -- Enable prometheus metrics for hubble-relay on the configured port at + # /metrics + prometheus: + enabled: false + port: 9966 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor hubble-relay + labels: {} + # -- Annotations to add to ServiceMonitor hubble-relay + annotations: {} + # -- Interval for scrape metrics. + interval: "10s" + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. + # namespace: "" + + ui: + # -- Whether to enable the Hubble UI. + enabled: false + + standalone: + # -- When true, it will allow installing the Hubble UI only, without checking dependencies. + # It is useful if a cluster already has cilium and Hubble relay installed and you just + # want Hubble UI to be deployed. + # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` + enabled: false + + tls: + # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required + # to provide a volume for mounting the client certificates. + certsVolume: {} + # projected: + # defaultMode: 0400 + # sources: + # - secret: + # name: hubble-ui-client-certs + # items: + # - key: tls.crt + # path: client.crt + # - key: tls.key + # path: client.key + # - key: ca.crt + # path: hubble-relay-ca.crt + + # -- Roll out Hubble-ui pods automatically when configmap is updated. + rollOutPods: false + + tls: + # -- base64 encoded PEM values used to connect to hubble-relay + # This keypair is presented to Hubble Relay instances for mTLS + # authentication and is required when hubble.relay.tls.server.enabled is true. + # These values need to be set manually if hubble.tls.auto.enabled is false. + client: + cert: "" + key: "" + + backend: + # -- Hubble-ui backend image. + image: + override: ~ + repository: "quay.io/cilium/hubble-ui-backend" + tag: "v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b" + pullPolicy: "IfNotPresent" + + # -- Additional hubble-ui backend environment variables. + extraEnv: [] + + # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. + resources: {} + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + + frontend: + # -- Hubble-ui frontend image. + image: + override: ~ + repository: "quay.io/cilium/hubble-ui" + tag: "v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0" + pullPolicy: "IfNotPresent" + + # -- Additional hubble-ui frontend environment variables. + extraEnv: [] + + # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. + resources: {} + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + + # -- The number of replicas of Hubble UI to deploy. + replicas: 1 + + # -- Annotations to be added to hubble-ui pods + podAnnotations: {} + + # -- Labels to be added to hubble-ui pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- Affinity for hubble-ui + affinity: {} + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # + tolerations: [] + + # -- The priority class to use for hubble-ui + priorityClassName: "" + + # -- hubble-ui update strategy. + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- Security context to be added to Hubble UI pods + securityContext: + # -- Deprecated in favor of hubble.ui.securityContext. + # Whether to set the security context on the Hubble UI pods. + enabled: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + + # -- hubble-ui service configuration. + service: + # --- The type of service used for Hubble UI access, either ClusterIP or NodePort. + type: ClusterIP + # --- The port to use when the service type is set to NodePort. + nodePort: 31235 + + # -- hubble-ui ingress configuration. + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + className: "" + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + +# -- Method to use for identity allocation (`crd` or `kvstore`). +identityAllocationMode: "crd" + +# -- Time to wait before using new identity on endpoint identity change. +# identityChangeGracePeriod: "5s" + +# -- GC interval for security identities. +# identityGCInterval: "15m0s" + +# -- Timeout after which identity expires on lack of heartbeat. +# identityHeartbeatTimeout: "30m0s" + + +# -- Configure whether to install iptables rules to allow for TPROXY +# (L7 proxy injection), iptables-based masquerading and compatibility +# with kube-proxy. +installIptablesRules: true + +# -- Install Iptables rules to skip netfilter connection tracking on all pod +# traffic. This option is only effective when Cilium is running in direct +# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium +# is running in a managed Kubernetes environment or in a chained CNI setup. +installNoConntrackIptablesRules: false + +ipam: + # -- Configure IP Address Management mode. + # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ + mode: "cluster-pool" + operator: + # -- Deprecated in favor of ipam.operator.clusterPoolIPv4PodCIDRList. + # IPv4 CIDR range to delegate to individual nodes for IPAM. + clusterPoolIPv4PodCIDR: "10.0.0.0/8" + # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. + clusterPoolIPv4PodCIDRList: [] + # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. + clusterPoolIPv4MaskSize: 24 + # -- Deprecated in favor of ipam.operator.clusterPoolIPv6PodCIDRList. + # IPv6 CIDR range to delegate to individual nodes for IPAM. + clusterPoolIPv6PodCIDR: "fd00::/104" + # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. + clusterPoolIPv6PodCIDRList: [] + # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM. + clusterPoolIPv6MaskSize: 120 + +# -- Configure the eBPF-based ip-masq-agent +ipMasqAgent: + enabled: false + +# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. +# iptablesLockTimeout: "5s" + +ipv4: + # -- Enable IPv4 support. + enabled: true + +ipv6: + # -- Enable IPv6 support. + enabled: false + +ipvlan: + # -- Enable the IPVLAN datapath (deprecated) + enabled: false + + # -- masterDevice is the name of the device to use to attach secondary IPVLAN + # devices + # masterDevice: eth0 + +# -- Configure Kubernetes specific configuration +k8s: {} + # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR + # range via the Kubernetes node resource + # requireIPv4PodCIDR: false + + # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR + # range via the Kubernetes node resource + # requireIPv6PodCIDR: false + +# -- Keep the deprecated selector labels when deploying Cilium DaemonSet. +keepDeprecatedLabels: false + +# -- Keep the deprecated probes when deploying Cilium DaemonSet +keepDeprecatedProbes: false + +startupProbe: + # -- failure threshold of startup probe. + # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) + failureThreshold: 105 + # -- interval between checks of the startup probe + periodSeconds: 2 +livenessProbe: + # -- failure threshold of liveness probe + failureThreshold: 10 + # -- interval between checks of the liveness probe + periodSeconds: 30 +readinessProbe: + # -- failure threshold of readiness probe + failureThreshold: 3 + # -- interval between checks of the readiness probe + periodSeconds: 30 + +# -- Configure the kube-proxy replacement in Cilium BPF datapath +# Valid options are "disabled", "partial", "strict". +# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ +#kubeProxyReplacement: "disabled" + +# -- healthz server bind address for the kube-proxy replacement. +# To enable set the value to '0.0.0.0:10256' for all ipv4 +# addresses and this '[::]:10256' for all ipv6 addresses. +# By default it is disabled. +kubeProxyReplacementHealthzBindAddr: "" + +l2NeighDiscovery: + # -- Enable L2 neighbor discovery in the agent + enabled: true + # -- Override the agent's default neighbor resolution refresh period. + refreshPeriod: "30s" + +# -- Enable Layer 7 network policy. +l7Proxy: true + +# -- Enable Local Redirect Policy. +localRedirectPolicy: false + +# To include or exclude matched resources from cilium identity evaluation +# labels: "" + +# logOptions allows you to define logging options. eg: +# logOptions: +# format: json + +# -- Enables periodic logging of system load +logSystemLoad: false + + +# -- Configure maglev consistent hashing +maglev: {} + # -- tableSize is the size (parameter M) for the backend table of one + # service entry + # tableSize: + + # -- hashSeed is the cluster-wide base64 encoded seed for the hashing + # hashSeed: + +# -- Enables masquerading of IPv4 traffic leaving the node from endpoints. +enableIPv4Masquerade: true + +# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. +enableIPv6Masquerade: true + +# -- Enables egress gateway to redirect and SNAT the traffic that leaves the +# cluster. +egressGateway: + enabled: false + # -- Install egress gateway IP rules and routes in order to properly steer + # egress gateway traffic to the correct ENI interface + installRoutes: false + +vtep: +# -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow +# Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. + enabled: false + +# -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" + endpoint: "" +# -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" + cidr: "" +# -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" + mask: "" +# -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" + mac: "" + +# -- Allows to explicitly specify the IPv4 CIDR for native routing. +# When specified, Cilium assumes networking for this CIDR is preconfigured and +# hands traffic destined for that range to the Linux network stack without +# applying any SNAT. +# Generally speaking, specifying a native routing CIDR implies that Cilium can +# depend on the underlying networking stack to route packets to their +# destination. To offer a concrete example, if Cilium is configured to use +# direct routing and the Kubernetes CIDR is included in the native routing CIDR, +# the user must configure the routes to reach pods, either manually or by +# setting the auto-direct-node-routes flag. +# ipv4NativeRoutingCIDR: + +# -- Allows to explicitly specify the IPv6 CIDR for native routing. +# When specified, Cilium assumes networking for this CIDR is preconfigured and +# hands traffic destined for that range to the Linux network stack without +# applying any SNAT. +# Generally speaking, specifying a native routing CIDR implies that Cilium can +# depend on the underlying networking stack to route packets to their +# destination. To offer a concrete example, if Cilium is configured to use +# direct routing and the Kubernetes CIDR is included in the native routing CIDR, +# the user must configure the routes to reach pods, either manually or by +# setting the auto-direct-node-routes flag. +# ipv6NativeRoutingCIDR: + +# -- cilium-monitor sidecar. +monitor: + # -- Enable the cilium-monitor sidecar. + enabled: false + +# -- Configure service load balancing +# loadBalancer: + # -- standalone enables the standalone L4LB which does not connect to + # kube-apiserver. + # standalone: false + + # -- algorithm is the name of the load balancing algorithm for backend + # selection e.g. random or maglev + # algorithm: random + + # -- mode is the operation mode of load balancing for remote backends + # e.g. snat, dsr, hybrid + # mode: snat + + # -- acceleration is the option to accelerate service handling via XDP + # e.g. native, disabled + # acceleration: disabled + + # -- dsrDispatch configures whether IP option or IPIP encapsulation is + # used to pass a service IP and port to remote backend + # dsrDispatch: opt + + # -- serviceTopology enables K8s Topology Aware Hints -based service + # endpoints filtering + # serviceTopology: false + +# -- Configure N-S k8s service loadbalancing +nodePort: + # -- Enable the Cilium NodePort service implementation. + enabled: false + + # -- Port range to use for NodePort services. + # range: "30000,32767" + + # -- Set to true to prevent applications binding to service ports. + bindProtection: true + + # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral + # ports is detected. + autoProtectPortRange: true + + # -- Enable healthcheck nodePort server for NodePort services + enableHealthCheck: true + +# policyAuditMode: false + +# -- The agent can be put into one of the three policy enforcement modes: +# default, always and never. +# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes +policyEnforcementMode: "default" + +pprof: + # -- Enable Go pprof debugging + enabled: false + +# -- Configure prometheus metrics on the configured port at /metrics +prometheus: + enabled: false + port: 9962 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor cilium-agent + labels: {} + # -- Annotations to add to ServiceMonitor cilium-agent + annotations: {} + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. + # namespace: "" + # -- Metrics that should be enabled or disabled from the default metric + # list. (+metric_foo to enable metric_foo , -metric_bar to disable + # metric_bar). + # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics + metrics: ~ + +# -- Configure Istio proxy options. +proxy: + prometheus: + enabled: true + port: "9964" + # -- Regular expression matching compatible Istio sidecar istio-proxy + # container image names + sidecarImageRegex: "cilium/istio_proxy" + +# -- Enable use of the remote node identity. +# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +remoteNodeIdentity: true + +# -- Enable resource quotas for priority classes used in the cluster. +resourceQuotas: + enabled: false + cilium: + hard: + # 5k nodes * 2 DaemonSets (Cilium and cilium node init) + pods: "10k" + operator: + hard: + # 15 "clusterwide" Cilium Operator pods for HA + pods: "15" + +# Need to document default +################## +#sessionAffinity: false + +# -- Do not run Cilium agent when running with clean mode. Useful to completely +# uninstall Cilium as it will stop Cilium from starting and create artifacts +# in the node. +sleepAfterInit: false + +# -- Configure BPF socket operations configuration +sockops: + # enabled enables installation of socket options acceleration. + enabled: false + +# -- Enable check of service source ranges (currently, only for LoadBalancer). +svcSourceRangeCheck: true + +# -- Synchronize Kubernetes nodes to kvstore and perform CNP GC. +synchronizeK8sNodes: true + +# -- Configure TLS configuration in the agent. +tls: + # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies + # (namely the secrets referenced by terminatingTLS and originatingTLS). + # Possible values: + # - local + # - k8s + secretsBackend: local + + # -- Base64 encoded PEM values for the CA certificate and private key. + # This can be used as common CA to generate certificates used by hubble and clustermesh components + ca: + # -- Optional CA cert. If it is provided, it will be used by cilium to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + cert: "" + + # -- Optional CA private key. If it is provided, it will be used by cilium to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + key: "" + + # -- Generated certificates validity duration in days. This will be used for auto generated CA. + certValidityDuration: 1095 + +# -- Configure the encapsulation configuration for communication between nodes. +# Possible values: +# - disabled +# - vxlan (default) +# - geneve +tunnel: "vxlan" + +# -- Disable the usage of CiliumEndpoint CRD. +disableEndpointCRD: "false" + +wellKnownIdentities: + # -- Enable the use of well-known identities. + enabled: false + +etcd: + # -- Enable etcd mode for the agent. + enabled: false + + # -- cilium-etcd-operator image. + image: + override: ~ + repository: "quay.io/cilium/cilium-etcd-operator" + tag: "v2.0.7@sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" + pullPolicy: "IfNotPresent" + + # -- The priority class to use for cilium-etcd-operator + priorityClassName: "" + + # -- Additional cilium-etcd-operator container arguments. + extraArgs: [] + + # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Node labels for cilium-etcd-operator pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Annotations to be added to cilium-etcd-operator pods + podAnnotations: {} + + # -- Labels to be added to cilium-etcd-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-etcd-operator resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to cilium-etcd-operator pods + securityContext: {} + # runAsUser: 0 + + # -- cilium-etcd-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + + # -- If etcd is behind a k8s service set this option to true so that Cilium + # does the service translation automatically without requiring a DNS to be + # running. + k8sService: false + + # -- Cluster domain for cilium-etcd-operator. + clusterDomain: cluster.local + + # -- List of etcd endpoints (not needed when using managed=true). + endpoints: + - https://CHANGE-ME:2379 + + # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if + # managed=true) + ssl: false + +operator: + # -- Enable the cilium-operator component (required). + enabled: true + + # -- Roll out cilium-operator pods automatically when configmap is updated. + rollOutPods: false + + # -- cilium-operator image. + image: + override: ~ + repository: "quay.io/cilium/operator" + tag: "v1.12.0" + # operator-generic-digest + genericDigest: "sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410" + # operator-azure-digest + azureDigest: "sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba" + # operator-aws-digest + awsDigest: "sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22" + # operator-alibabacloud-digest + alibabacloudDigest: "sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5" + useDigest: true + pullPolicy: "IfNotPresent" + suffix: "" + + # -- Number of replicas to run for the cilium-operator deployment + replicas: 2 + + # -- The priority class to use for cilium-operator + priorityClassName: "" + + # -- DNS policy for Cilium operator pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" + + # -- cilium-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + + # -- Affinity for cilium-operator + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + io.cilium/app: operator + + # -- Node labels for cilium-operator pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for cilium-operator scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Additional cilium-operator container arguments. + extraArgs: [] + + # -- Additional cilium-operator environment variables. + extraEnv: [] + + # -- Additional cilium-operator hostPath mounts. + extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional cilium-operator volumes. + extraVolumes: [] + + # -- Additional cilium-operator volumeMounts. + extraVolumeMounts: [] + + # -- Annotations to be added to cilium-operator pods + podAnnotations: {} + + # -- Labels to be added to cilium-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-operator resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: {} + # limits: + # cpu: 1000m + # memory: 1Gi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Security context to be added to cilium-operator pods + securityContext: {} + # runAsUser: 0 + + # -- Interval for endpoint garbage collection. + endpointGCInterval: "5m0s" + + # -- Interval for cilium node garbage collection. + nodeGCInterval: "5m0s" + + # -- Interval for identity garbage collection. + identityGCInterval: "15m0s" + + # -- Timeout for identity heartbeats. + identityHeartbeatTimeout: "30m0s" + + # -- Enable prometheus metrics for cilium-operator on the configured port at + # /metrics + prometheus: + enabled: false + port: 9963 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor cilium-operator + labels: {} + # -- Annotations to add to ServiceMonitor cilium-operator + annotations: {} + + # -- Skip CRDs creation for cilium-operator + skipCRDCreation: false + + # -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium + # pod running. + removeNodeTaints: true + + # -- Set Node condition NetworkUnavailable to 'false' with the reason + # 'CiliumIsUp' for nodes that have a healthy Cilium pod. + setNodeNetworkStatus: true + + unmanagedPodWatcher: + # -- Restart any pod that are not managed by Cilium. + restart: true + # -- Interval, in seconds, to check if there are any pods that are not + # managed by Cilium. + intervalSeconds: 15 + +nodeinit: + # -- Enable the node initialization DaemonSet + enabled: false + + # -- node-init image. + image: + override: ~ + repository: "quay.io/cilium/startup-script" + tag: "d69851597ea019af980891a4628fb36b7880ec26" + pullPolicy: "IfNotPresent" + + # -- The priority class to use for the nodeinit pod. + priorityClassName: "" + + # -- node-init update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional nodeinit environment variables. + extraEnv: [] + + # -- Affinity for cilium-nodeinit + affinity: {} + + # -- Node labels for nodeinit pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for nodeinit scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to node-init pods. + podAnnotations: {} + + # -- Labels to be added to node-init pods. + podLabels: {} + + # -- nodeinit resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: + requests: + cpu: 100m + memory: 100Mi + + # -- Security context to be added to nodeinit pods. + securityContext: + privileged: false + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + add: + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # Used for nsenter + - NET_ADMIN + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + + # -- bootstrapFile is the location of the file where the bootstrap timestamp is + # written by the node-init DaemonSet + bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time" + +preflight: + # -- Enable Cilium pre-flight resources (required for upgrade) + enabled: false + + # -- Cilium pre-flight image. + image: + override: ~ + repository: "quay.io/cilium/cilium" + tag: "v1.12.0" + # cilium-digest + digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" + useDigest: true + pullPolicy: "IfNotPresent" + + # -- The priority class to use for the preflight pod. + priorityClassName: "" + + # -- preflight update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional preflight environment variables. + extraEnv: [] + + # -- Affinity for cilium-preflight + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node labels for preflight pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for preflight scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to preflight pods + podAnnotations: {} + + # -- Labels to be added to the preflight pod. + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- preflight resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to preflight pods + securityContext: {} + # runAsUser: 0 + + # -- Path to write the `--tofqdns-pre-cache` file to. + tofqdnsPreCache: "" + + # -- Configure termination grace period for preflight Deployment and DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- By default we should always validate the installed CNPs before upgrading + # Cilium. This will make sure the user will have the policies deployed in the + # cluster with the right schema. + validateCNPs: true + +# -- Explicitly enable or disable priority class. +# .Capabilities.KubeVersion is unsettable in `helm template` calls, +# it depends on k8s libraries version that Helm was compiled against. +# This option allows to explicitly disable setting the priority class, which +# is useful for rendering charts for gke clusters in advance. +enableCriticalPriorityClass: true + +# disableEnvoyVersionCheck removes the check for Envoy, which can be useful +# on AArch64 as the images do not currently ship a version of Envoy. +#disableEnvoyVersionCheck: false + +clustermesh: + # -- Deploy clustermesh-apiserver for clustermesh + useAPIServer: false + + # -- Clustermesh explicit configuration. + config: + # -- Enable the Clustermesh explicit configuration. + enabled: false + # -- Default dns domain for the Clustermesh API servers + # This is used in the case cluster addresses are not provided + # and IPs are used. + domain: mesh.cilium.io + # -- List of clusters to be peered in the mesh. + clusters: [] + # clusters: + # # -- Name of the cluster + # - name: cluster1 + # # -- Address of the cluster, use this if you created DNS records for + # # the cluster Clustermesh API server. + # address: cluster1.mesh.cilium.io + # # -- Port of the cluster Clustermesh API server. + # port: 2379 + # # -- IPs of the cluster Clustermesh API server, use multiple ones when + # # you have multiple IPs to access the Clustermesh API server. + # ips: + # - 172.18.255.201 + # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + # tls: + # cert: "" + # key: "" + + apiserver: + # -- Clustermesh API server image. + image: + override: ~ + repository: "quay.io/cilium/clustermesh-apiserver" + tag: "v1.12.0" + # clustermesh-apiserver-digest + digest: "sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299" + useDigest: true + pullPolicy: "IfNotPresent" + + etcd: + # -- Clustermesh API server etcd image. + image: + override: ~ + repository: "quay.io/coreos/etcd" + tag: "v3.5.4@sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3" + pullPolicy: "IfNotPresent" + + service: + # -- The type of service used for apiserver access. + type: NodePort + # -- Optional port to use as the node port for apiserver access. + nodePort: 32379 + # -- Optional loadBalancer IP address to use with type LoadBalancer. + # loadBalancerIP: + + # -- Annotations for the clustermesh-apiserver + # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" + # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + annotations: {} + + # -- Number of replicas run for the clustermesh-apiserver deployment. + replicas: 1 + + # -- Additional clustermesh-apiserver environment variables. + extraEnv: [] + + # -- Annotations to be added to clustermesh-apiserver pods + podAnnotations: {} + + # -- Labels to be added to clustermesh-apiserver pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as + # resources: + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + # -- Resource requests and limits for the clustermesh-apiserver + resources: {} + # requests: + # cpu: 100m + # memory: 64Mi + # limits: + # cpu: 1000m + # memory: 1024M + + # -- Affinity for clustermesh.apiserver + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: clustermesh-apiserver + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: [] + + # -- clustermesh-apiserver update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- The priority class to use for clustermesh-apiserver + priorityClassName: "" + + tls: + # -- Configure automatic TLS certificates generation. + # A Kubernetes CronJob is used the generate any + # certificates not provided by the user at installation + # time. + auto: + # -- When set to true, automatically generate a CA and certificates to + # enable mTLS between clustermesh-apiserver and external workload instances. + # If set to false, the certs to be provided by setting appropriate values below. + enabled: true + # Sets the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. + # - certmanager: This method use cert-manager to generate & rotate certificates. + method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. + # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Due to the out-of-band distribution of client certs to external workloads the + # CA is (re)regenerated only if it is not provided as a helm value and the k8s + # secret is manually deleted. + # + # Defaults to none. Commented syntax gives midnight of the first day of every + # fourth month. For syntax, see + # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule + # schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. + # If not specified, a CA issuer will be created. + certManagerIssuerRef: {} + # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key. + ca: + # -- Optional CA cert. If it is provided, it will be used by the 'cronJob' method to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + cert: "" + # -- Optional CA private key. If it is provided, it will be used by the 'cronJob' method to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. + # Used if 'auto' is not enabled. + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. + # Used if 'auto' is not enabled. + admin: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. + # Used if 'auto' is not enabled. + client: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. + # Used if 'auto' is not enabled. + remote: + cert: "" + key: "" + +# -- Configure external workloads support +externalWorkloads: + # -- Enable support for external workloads, such as VMs (false by default). + enabled: false + +# -- Configure cgroup related configuration +cgroup: + autoMount: + # -- Enable auto mount of cgroup2 filesystem. + # When `autoMount` is enabled, cgroup2 filesystem is mounted at + # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. + enabled: true + # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) + hostRoot: /run/cilium/cgroupv2 + +# -- Configure whether to enable auto detect of terminating state for endpoints +# in order to support graceful termination. +enableK8sTerminatingEndpoint: true + +# -- Configure whether to unload DNS policy rules on graceful shutdown +# dnsPolicyUnloadOnShutdown: false + +# -- Configure the key of the taint indicating that Cilium is not ready on the node. +# When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. +agentNotReadyTaintKey: "node.cilium.io/agent-not-ready" + +dnsProxy: + # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'. + dnsRejectResponseCode: refused + # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. + enableDnsCompression: true + # -- Maximum number of IPs to maintain per FQDN name for each endpoint. + endpointMaxIpPerHostname: 50 + # -- Time during which idle but previously active connections with expired DNS lookups are still considered alive. + idleConnectionGracePeriod: 0s + # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections. + maxDeferredConnectionDeletes: 10000 + # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. + minTtl: 3600 + # -- DNS cache data at this path is preloaded on agent startup. + preCache: "" + # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. + proxyPort: 0 + # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. + proxyResponseMaxDelay: 100ms diff --git a/cli/internal/helm/charts/cilium/values.yaml.tmpl b/cli/internal/helm/charts/cilium/values.yaml.tmpl new file mode 100644 index 000000000..bdb2217a1 --- /dev/null +++ b/cli/internal/helm/charts/cilium/values.yaml.tmpl @@ -0,0 +1,2117 @@ +# upgradeCompatibility helps users upgrading to ensure that the configMap for +# Cilium will not change critical values to ensure continued operation +# This is flag is not required for new installations. +# For example: 1.7, 1.8, 1.9 +# upgradeCompatibility: '1.8' + +debug: + # -- Enable debug logging + enabled: false + # verbose: + +rbac: + # -- Enable creation of Resource-Based Access Control configuration. + create: true + +# -- Configure image pull secrets for pulling container images +imagePullSecrets: +# - name: "image-pull-secret" + +# kubeConfigPath: ~/.kube/config +# k8sServiceHost: +# k8sServicePort: + +cluster: + # -- Name of the cluster. Only required for Cluster Mesh. + name: default + # -- (int) Unique ID of the cluster. Must be unique across all connected + # clusters and in the range of 1 to 255. Only required for Cluster Mesh, + # may be 0 if Cluster Mesh is not used. + id: 0 + +# -- Define serviceAccount names for components. +# @default -- Component's fully qualified name. +serviceAccounts: + cilium: + create: true + name: cilium + annotations: {} + etcd: + create: true + name: cilium-etcd-operator + annotations: {} + operator: + create: true + name: cilium-operator + annotations: {} + preflight: + create: true + name: cilium-pre-flight + annotations: {} + relay: + create: true + name: hubble-relay + annotations: {} + ui: + create: true + name: hubble-ui + annotations: {} + clustermeshApiserver: + create: true + name: clustermesh-apiserver + annotations: {} + # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob + clustermeshcertgen: + create: true + name: clustermesh-apiserver-generate-certs + annotations: {} + # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob + hubblecertgen: + create: true + name: hubble-generate-certs + annotations: {} + +# -- Configure termination grace period for cilium-agent DaemonSet. +terminationGracePeriodSeconds: 1 + +# -- Install the cilium agent resources. +agent: true + +# -- Agent container name. +name: cilium + +# -- Roll out cilium agent pods automatically when configmap is updated. +rollOutCiliumPods: false + +# -- Agent container image. +image: + override: ~ + repository: "${CILIUM_REPO}" + tag: "${CILIUM_VERSION}" + pullPolicy: "${PULL_POLICY}" + # cilium-digest + digest: ${CILIUM_DIGEST} + useDigest: ${USE_DIGESTS} + +# -- Affinity for cilium-agent. +affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + +# -- Node selector for cilium-agent. +nodeSelector: + kubernetes.io/os: linux + +# -- Node tolerations for agent scheduling to nodes with taints +# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +tolerations: +- operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + +# -- The priority class to use for cilium-agent. +priorityClassName: "" + +# -- DNS policy for Cilium agent pods. +# Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" + +# -- Additional agent container arguments. +extraArgs: [] + +# -- Additional agent container environment variables. +extraEnv: [] + +# -- Additional agent hostPath mounts. +extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + +# -- Additional agent volumes. +extraVolumes: [] + +# -- Additional agent volumeMounts. +extraVolumeMounts: [] + +# -- extraConfig allows you to specify additional configuration parameters to be +# included in the cilium-config configmap. +extraConfig: {} +# my-config-a: "1234" +# my-config-b: |- +# test 1 +# test 2 +# test 3 + +# -- Annotations to be added to agent pods +podAnnotations: {} + +# -- Labels to be added to agent pods +podLabels: {} + +# -- Agent resource limits & requests +# ref: https://kubernetes.io/docs/user-guide/compute-resources/ +resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + +# -- Security context to be added to agent pods +securityContext: + # runAsUser: 0 + privileged: false + extraCapabilities: + # Allow discretionary access control (e.g. required for package installation) + - DAC_OVERRIDE + # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation) + - FOWNER + # Allow to execute program that changes GID (e.g. required for package installation) + - SETGID + # Allow to execute program that changes UID (e.g. required for package installation) + - SETUID + +# -- Cilium agent update strategy +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 2 + +# Configuration Values for cilium-agent + +aksbyocni: + # -- Enable AKS BYOCNI integration. + # Note that this is incompatible with AKS clusters not created in BYOCNI mode: + # use Azure integration (`azure.enabled`) instead. + enabled: false + +# -- Enable installation of PodCIDR routes between worker +# nodes if worker nodes share a common L2 network segment. +autoDirectNodeRoutes: false + +# -- Annotate k8s node upon initialization with Cilium's metadata. +annotateK8sNode: false + +azure: + # -- Enable Azure integration. + # Note that this is incompatible with AKS clusters created in BYOCNI mode: use + # AKS BYOCNI integration (`aksbyocni.enabled`) instead. + enabled: false + # usePrimaryAddress: false + # resourceGroup: group1 + # subscriptionID: 00000000-0000-0000-0000-000000000000 + # tenantID: 00000000-0000-0000-0000-000000000000 + # clientID: 00000000-0000-0000-0000-000000000000 + # clientSecret: 00000000-0000-0000-0000-000000000000 + # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000 + +alibabacloud: + # -- Enable AlibabaCloud ENI integration + enabled: false + +# -- Deprecated in favor of bandwidthManager.enabled. To be removed in 1.13. +# Optimize TCP and UDP workloads and enable rate-limiting traffic from +# individual Pods with EDT (Earliest Departure Time) through the +# "kubernetes.io/egress-bandwidth" Pod annotation. +#bandwidthManager: false + +# -- Enable bandwidth manager to optimize TCP and UDP workloads and allow +# for rate-limiting traffic from individual Pods with EDT (Earliest Departure +# Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. +bandwidthManager: + # -- Enable bandwidth manager infrastructure (also prerequirement for BBR) + enabled: false + # -- Activate BBR TCP congestion control for Pods + bbr: false + +# -- Configure BGP +bgp: + # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside + # cilium-agent and cilium-operator + enabled: false + announce: + # -- Enable allocation and announcement of service LoadBalancer IPs + loadbalancerIP: false + # -- Enable announcement of node pod CIDR + podCIDR: false + +# -- This feature set enables virtual BGP routers to be created via +# CiliumBGPPeeringPolicy CRDs. +bgpControlPlane: + # -- Enables the BGP control plane. + enabled: false + +bpf: + # -- Configure the mount point for the BPF filesystem + root: /sys/fs/bpf + + # -- Enable BPF clock source probing for more efficient tick retrieval. + clockProbe: false + + # -- Enables pre-allocation of eBPF map values. This increases + # memory usage but can reduce latency. + preallocateMaps: false + + # -- Configure the maximum number of entries in the TCP connection tracking + # table. + # ctTcpMax: '524288' + + # -- Configure the maximum number of entries for the non-TCP connection + # tracking table. + # ctAnyMax: '262144' + + # -- Configure the maximum number of service entries in the + # load balancer maps. + lbMapMax: 65536 + + # -- Configure the maximum number of entries for the NAT table. + # natMax: 524288 + + # -- Configure the maximum number of entries for the neighbor table. + # neighMax: 524288 + + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + policyMapMax: 16384 + + # -- Configure auto-sizing for all BPF maps based on available memory. + # ref: https://docs.cilium.io/en/stable/concepts/ebpf/maps/#ebpf-maps + #mapDynamicSizeRatio: 0.0025 + + # -- Configure the level of aggregation for monitor notifications. + # Valid options are none, low, medium, maximum. + monitorAggregation: medium + + # -- Configure the typical time between monitor notifications for + # active connections. + monitorInterval: "5s" + + # -- Configure which TCP flags trigger notifications when seen for the + # first time in a connection. + monitorFlags: "all" + + # -- Allow cluster external access to ClusterIP services. + lbExternalClusterIP: false + + # -- Enable native IP masquerade support in eBPF + #masquerade: false + + # -- Deprecated in favor of bpf.hostLegacyRouting. To be removed in 1.13. + # Configure whether direct routing mode should route traffic via + # host stack (true) or directly and more efficiently out of BPF (false) if + # the kernel supports it. + #hostRouting: true + + # -- Configure whether direct routing mode should route traffic via + # host stack (true) or directly and more efficiently out of BPF (false) if + # the kernel supports it. The latter has the implication that it will also + # bypass netfilter in the host namespace. + #hostLegacyRouting: false + + # -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules + # for implementing Layer 7 policy. + # tproxy: true + + # -- Configure the FIB lookup bypass optimization for nodeport reverse + # NAT handling. + # lbBypassFIBLookup: true + + # -- Configure explicitly allowed VLAN id's for bpf logic bypass. + # [0] will allow all VLAN id's without any filtering. + # vlanBypass: [] + +# -- Clean all eBPF datapath state from the initContainer of the cilium-agent +# DaemonSet. +# +# WARNING: Use with care! +cleanBpfState: false + +# -- Clean all local Cilium state from the initContainer of the cilium-agent +# DaemonSet. Implies cleanBpfState: true. +# +# WARNING: Use with care! +cleanState: false + +# -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy" +# init container before launching cilium-agent. +# More context can be found in the commit message of below PR +# https://github.com/cilium/cilium/pull/20123 +waitForKubeProxy: false + +cni: + # -- Install the CNI configuration and binary files into the filesystem. + install: true + + # -- Configure chaining on top of other CNI plugins. Possible values: + # - none + # - aws-cni + # - flannel + # - generic-veth + # - portmap + chainingMode: none + + # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the + # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. + # This ensures no Pods can be scheduled using other CNI plugins during Cilium + # agent downtime. + exclusive: true + + # -- Configure the log file for CNI logging with retention policy of 7 days. + # Disable CNI file logging by setting this field to empty explicitly. + logFile: /var/run/cilium/cilium-cni.log + + # -- Skip writing of the CNI configuration. This can be used if + # writing of the CNI configuration is performed by external automation. + customConf: false + + # -- Configure the path to the CNI configuration directory on the host. + confPath: /etc/cni/net.d + + # -- Configure the path to the CNI binary directory on the host. + binPath: /opt/cni/bin + + # -- Specify the path to a CNI config to read from on agent start. + # This can be useful if you want to manage your CNI + # configuration outside of a Kubernetes environment. This parameter is + # mutually exclusive with the 'cni.configMap' parameter. + # readCniConf: /host/etc/cni/net.d/05-cilium.conf + + # -- When defined, configMap will mount the provided value as ConfigMap and + # interpret the cniConf variable as CNI configuration file and write it + # when the agent starts up + # configMap: cni-configuration + + # -- Configure the key in the CNI ConfigMap to read the contents of + # the CNI configuration from. + configMapKey: cni-config + + # -- Configure the path to where to mount the ConfigMap inside the agent pod. + confFileMountPath: /tmp/cni-configuration + + # -- Configure the path to where the CNI configuration directory is mounted + # inside the agent pod. + hostConfDirMountPath: /host/etc/cni/net.d + +# -- Configure how frequently garbage collection should occur for the datapath +# connection tracking table. +# conntrackGCInterval: "0s" + +# -- Configure container runtime specific integration. +containerRuntime: + # -- Enables specific integrations for container runtimes. + # Supported values: + # - containerd + # - crio + # - docker + # - none + # - auto (automatically detect the container runtime) + integration: none + # -- Configure the path to the container runtime control socket. + # socketPath: /path/to/runtime.sock + +# crdWaitTimeout: "" + +# -- Tail call hooks for custom eBPF programs. +customCalls: + # -- Enable tail call hooks for custom eBPF programs. + enabled: false + +# -- Configure which datapath mode should be used for configuring container +# connectivity. Valid options are "veth" or "ipvlan". Deprecated, to be removed +# in v1.12. +datapathMode: veth + +daemon: + # -- Configure where Cilium runtime state should be stored. + runPath: "/var/run/cilium" + +# -- Specify which network interfaces can run the eBPF datapath. This means +# that a packet sent from a pod to a destination outside the cluster will be +# masqueraded (to an output device IPv4 address), if the output device runs the +# program. When not specified, probing will automatically detect devices. +# devices: "" + +# -- Enables experimental support for the detection of new and removed datapath +# devices. When devices change the eBPF datapath is reloaded and services updated. +# If "devices" is set then only those devices, or devices matching a wildcard will +# be considered. +enableRuntimeDeviceDetection: false + +# -- Chains to ignore when installing feeder rules. +# disableIptablesFeederRules: "" + +# -- Limit egress masquerading to interface selector. +# egressMasqueradeInterfaces: "" + +# -- Whether to enable CNP status updates. +enableCnpStatusUpdates: false + +# -- Configures the use of the KVStore to optimize Kubernetes event handling by +# mirroring it into the KVstore for reduced overhead in large clusters. +enableK8sEventHandover: false + +# -- Enable setting identity mark for local traffic. +# enableIdentityMark: true + +# -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it. +# enableK8sEndpointSlice: true + +# -- Enable CiliumEndpointSlice feature. +enableCiliumEndpointSlice: false + +ingressController: + # -- Enable cilium ingress controller + # This will automatically set enable-envoy-config as well. + enabled: false + + # -- Enforce https for host having matching TLS host in Ingress. + # Incoming traffic to http listener will return 308 http error code with respective location in header. + enforceHttps: true + + # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. + secretsNamespace: + # -- Create secrets namespace for Ingress. + create: true + + # -- Name of Ingress secret namespace. + name: cilium-secrets + + # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name. + # If disabled, TLS secrets must be maintained externally. + sync: true + +# -- Enables the fallback compatibility solution for when the xt_socket kernel +# module is missing and it is needed for the datapath L7 redirection to work +# properly. See documentation for details on when this can be disabled: +# https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. +enableXTSocketFallback: true + +encryption: + # -- Enable transparent network encryption. + enabled: false + + # -- Encryption method. Can be either ipsec or wireguard. + type: ipsec + + # -- Enable encryption for pure node to node traffic. + # This option is only effective when encryption.type is set to ipsec. + nodeEncryption: false + + ipsec: + # -- Name of the key file inside the Kubernetes secret configured via secretName. + keyFile: "" + + # -- Path to mount the secret inside the Cilium pod. + mountPath: "" + + # -- Name of the Kubernetes secret containing the encryption keys. + secretName: "" + + # -- The interface to use for encrypted traffic. + interface: "" + + wireguard: + # -- Enables the fallback to the user-space implementation. + userspaceFallback: false + + # -- Deprecated in favor of encryption.ipsec.keyFile. + # Name of the key file inside the Kubernetes secret configured via secretName. + # This option is only effective when encryption.type is set to ipsec. + keyFile: keys + + # -- Deprecated in favor of encryption.ipsec.mountPath. + # Path to mount the secret inside the Cilium pod. + # This option is only effective when encryption.type is set to ipsec. + mountPath: /etc/ipsec + + # -- Deprecated in favor of encryption.ipsec.secretName. + # Name of the Kubernetes secret containing the encryption keys. + # This option is only effective when encryption.type is set to ipsec. + secretName: cilium-ipsec-keys + + # -- Deprecated in favor of encryption.ipsec.interface. + # The interface to use for encrypted traffic. + # This option is only effective when encryption.type is set to ipsec. + interface: "" + +endpointHealthChecking: + # -- Enable connectivity health checking between virtual endpoints. + enabled: true + +# -- Enable endpoint status. +# Status can be: policy, health, controllers, logs and / or state. For 2 or more options use a comma. +endpointStatus: + enabled: false + status: "" + +endpointRoutes: + # -- Enable use of per endpoint routes instead of routing via + # the cilium_host interface. + enabled: false + +eni: + # -- Enable Elastic Network Interface (ENI) integration. + enabled: false + # -- Update ENI Adapter limits from the EC2 API + updateEC2AdapterLimitViaAPI: false + # -- Release IPs not used from the ENI + awsReleaseExcessIPs: false + # -- Enable ENI prefix delegation + awsEnablePrefixDelegation: false + # -- EC2 API endpoint to use + ec2APIEndpoint: "" + # -- Tags to apply to the newly created ENIs + eniTags: {} + # -- If using IAM role for Service Accounts will not try to + # inject identity values from cilium-aws kubernetes secret. + # Adds annotation to service account if managed by Helm. + # See https://github.com/aws/amazon-eks-pod-identity-webhook + iamRole: "" + # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetIDsFilter: "" + # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs + # Important note: This requires that each instance has an ENI with a matching subnet attached + # when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, + # use the CNI configuration file settings (cni.customConf) instead. + subnetTagsFilter: "" + # -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances + # are going to be used to create new ENIs + instanceTagsFilter: "" + +externalIPs: + # -- Enable ExternalIPs service support. + enabled: false + +# fragmentTracking enables IPv4 fragment tracking support in the datapath. +# fragmentTracking: true + +gke: + # -- Enable Google Kubernetes Engine integration + enabled: false + +# -- Enable connectivity health checking. +healthChecking: true + +# -- TCP port for the agent health API. This is not the port for cilium-health. +healthPort: 9879 + +# -- Configure the host firewall. +hostFirewall: + # -- Enables the enforcement of host policies in the eBPF datapath. + enabled: false + +hostPort: + # -- Enable hostPort service support. + enabled: false + +# -- Configure socket LB +socketLB: + # -- Enable socket LB + enabled: false + + # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules. + # hostNamespaceOnly: false + +# -- Configure certificate generation for Hubble integration. +# If hubble.tls.auto.method=cronJob, these values are used +# for the Kubernetes CronJob which will be scheduled regularly to +# (re)generate any certificates not provided manually. +certgen: + image: + override: ~ + repository: "${CERTGEN_REPO}" + tag: "${CERTGEN_VERSION}" + pullPolicy: "${PULL_POLICY}" + # -- Seconds after which the completed job pod will be deleted + ttlSecondsAfterFinished: 1800 + # -- Labels to be added to hubble-certgen pods + podLabels: {} + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: [] + +hubble: + # -- Enable Hubble (true by default). + enabled: true + + # -- Buffer size of the channel Hubble uses to receive monitor events. If this + # value is not set, the queue size is set to the default monitor queue size. + # eventQueueSize: "" + + # -- Number of recent flows for Hubble to cache. Defaults to 4095. + # Possible values are: + # 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, + # 2047, 4095, 8191, 16383, 32767, 65535 + # eventBufferCapacity: "4095" + + # -- Hubble metrics configuration. + # See https://docs.cilium.io/en/stable/operations/metrics/#hubble-metrics + # for more comprehensive documentation about Hubble metrics. + metrics: + # -- Configures the list of metrics to collect. If empty or null, metrics + # are disabled. + # Example: + # + # enabled: + # - dns:query;ignoreAAAA + # - drop + # - tcp + # - flow + # - icmp + # - http + # + # You can specify the list of metrics from the helm CLI: + # + # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # + enabled: ~ + # -- Configure the port the hubble metric server listens on. + port: 9965 + # -- Annotations to be added to hubble-metrics service. + serviceAnnotations: {} + serviceMonitor: + # -- Create ServiceMonitor resources for Prometheus Operator. + # This requires the prometheus CRDs to be available. + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor hubble + labels: {} + # -- Annotations to add to ServiceMonitor hubble + annotations: {} + + # -- Unix domain socket path to listen to when Hubble is enabled. + socketPath: /var/run/cilium/hubble.sock + + # -- An additional address for Hubble to listen to. + # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that + # Hubble is listening on port 4244. + listenAddress: ":4244" + peerService: + # -- Enable a K8s Service for the Peer service, so that it can be accessed + # by a non-local client + enabled: true + # -- Service Port for the Peer service. + # If not set, it is dynamically assigned to port 443 if TLS is enabled and to + # port 80 if not. + # servicePort: 80 + # -- Target Port for the Peer service. + targetPort: 4244 + # -- The cluster domain to use to query the Hubble Peer service. It should + # be the local cluster. + clusterDomain: cluster.local + # -- TLS configuration for Hubble + tls: + # -- Enable mutual TLS for listenAddress. Setting this value to false is + # highly discouraged as the Hubble API provides access to potentially + # sensitive network flow metadata and is exposed on the host network. + enabled: true + # -- Configure automatic TLS certificates generation. + auto: + # -- Auto-generate certificates. + # When set to true, automatically generate a CA and certificates to + # enable mTLS between Hubble server and Hubble Relay instances. If set to + # false, the certs for Hubble server need to be provided by setting + # appropriate values below. + enabled: true + # -- Set the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. + # - certmanager: This method use cert-manager to generate & rotate certificates. + method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. + # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Defaults to midnight of the first day of every fourth month. For syntax, see + # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule + schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when hubble.tls.auto.method=certmanager. + # If not specified, a CA issuer will be created. + certManagerIssuerRef: {} + + # -- Deprecated in favor of tls.ca. To be removed in 1.13. + # base64 encoded PEM values for the Hubble CA certificate and private key. + ca: + # -- Deprecated in favor of tls.ca.cert. To be removed in 1.13. + cert: "" + # -- Deprecated in favor of tls.ca.key. To be removed in 1.13. + # The CA private key (optional). If it is provided, then it will be + # used by hubble.tls.auto.method=cronJob to generate all other certificates. + # Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true. + key: "" + # -- base64 encoded PEM values for the Hubble server certificate and private key + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + + relay: + # -- Enable Hubble Relay (requires hubble.enabled=true) + enabled: false + + # -- Roll out Hubble Relay pods automatically when configmap is updated. + rollOutPods: false + + # -- Hubble-relay container image. + image: + override: ~ + repository: "${HUBBLE_RELAY_REPO}" + tag: "${CILIUM_VERSION}" + # hubble-relay-digest + digest: ${HUBBLE_RELAY_DIGEST} + useDigest: ${USE_DIGESTS} + pullPolicy: "${PULL_POLICY}" + + # -- Specifies the resources for the hubble-relay pods + resources: {} + + # -- Number of replicas run for the hubble-relay deployment. + replicas: 1 + + # -- Affinity for hubble-replay + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # + tolerations: [] + + # -- Additional hubble-relay environment variables. + extraEnv: [] + + # -- Annotations to be added to hubble-relay pods + podAnnotations: {} + + # -- Labels to be added to hubble-relay pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- The priority class to use for hubble-relay + priorityClassName: "" + + # -- Configure termination grace period for hubble relay Deployment. + terminationGracePeriodSeconds: 1 + + # -- hubble-relay update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- hubble-relay security context + securityContext: {} + + # -- hubble-relay service configuration. + service: + # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort. + type: ClusterIP + # --- The port to use when the service type is set to NodePort. + nodePort: 31234 + + # -- Host to listen to. Specify an empty string to bind to all the interfaces. + listenHost: "" + + # -- Port to listen to. + listenPort: "4245" + + # -- TLS configuration for Hubble Relay + tls: + # -- base64 encoded PEM values for the hubble-relay client certificate and private key + # This keypair is presented to Hubble server instances for mTLS + # authentication and is required when hubble.tls.enabled is true. + # These values need to be set manually if hubble.tls.auto.enabled is false. + client: + cert: "" + key: "" + # -- base64 encoded PEM values for the hubble-relay server certificate and private key + server: + # When set to true, enable TLS on for Hubble Relay server + # (ie: for clients connecting to the Hubble Relay API). + enabled: false + # These values need to be set manually if hubble.tls.auto.enabled is false. + cert: "" + key: "" + # -- extra DNS names added to certificate when its auto gen + extraDnsNames: [] + # -- extra IP addresses added to certificate when its auto gen + extraIpAddresses: [] + + # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). + dialTimeout: ~ + + # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s"). + retryTimeout: ~ + + # -- Max number of flows that can be buffered for sorting before being sent to the + # client (per request) (e.g. 100). + sortBufferLenMax: ~ + + # -- When the per-request flows sort buffer is not full, a flow is drained every + # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). + sortBufferDrainTimeout: ~ + + # -- Port to use for the k8s service backed by hubble-relay pods. + # If not set, it is dynamically assigned to port 443 if TLS is enabled and to + # port 80 if not. + # servicePort: 80 + + # -- Enable prometheus metrics for hubble-relay on the configured port at + # /metrics + prometheus: + enabled: false + port: 9966 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor hubble-relay + labels: {} + # -- Annotations to add to ServiceMonitor hubble-relay + annotations: {} + # -- Interval for scrape metrics. + interval: "10s" + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. + # namespace: "" + + ui: + # -- Whether to enable the Hubble UI. + enabled: false + + standalone: + # -- When true, it will allow installing the Hubble UI only, without checking dependencies. + # It is useful if a cluster already has cilium and Hubble relay installed and you just + # want Hubble UI to be deployed. + # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui` + enabled: false + + tls: + # -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required + # to provide a volume for mounting the client certificates. + certsVolume: {} + # projected: + # defaultMode: 0400 + # sources: + # - secret: + # name: hubble-ui-client-certs + # items: + # - key: tls.crt + # path: client.crt + # - key: tls.key + # path: client.key + # - key: ca.crt + # path: hubble-relay-ca.crt + + # -- Roll out Hubble-ui pods automatically when configmap is updated. + rollOutPods: false + + tls: + # -- base64 encoded PEM values used to connect to hubble-relay + # This keypair is presented to Hubble Relay instances for mTLS + # authentication and is required when hubble.relay.tls.server.enabled is true. + # These values need to be set manually if hubble.tls.auto.enabled is false. + client: + cert: "" + key: "" + + backend: + # -- Hubble-ui backend image. + image: + override: ~ + repository: "${HUBBLE_UI_BACKEND_REPO}" + tag: "${HUBBLE_UI_BACKEND_VERSION}" + pullPolicy: "${PULL_POLICY}" + + # -- Additional hubble-ui backend environment variables. + extraEnv: [] + + # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. + resources: {} + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + + frontend: + # -- Hubble-ui frontend image. + image: + override: ~ + repository: "${HUBBLE_UI_FRONTEND_REPO}" + tag: "${HUBBLE_UI_FRONTEND_VERSION}" + pullPolicy: "${PULL_POLICY}" + + # -- Additional hubble-ui frontend environment variables. + extraEnv: [] + + # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. + resources: {} + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + + # -- The number of replicas of Hubble UI to deploy. + replicas: 1 + + # -- Annotations to be added to hubble-ui pods + podAnnotations: {} + + # -- Labels to be added to hubble-ui pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- Affinity for hubble-ui + affinity: {} + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # + tolerations: [] + + # -- The priority class to use for hubble-ui + priorityClassName: "" + + # -- hubble-ui update strategy. + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- Security context to be added to Hubble UI pods + securityContext: + # -- Deprecated in favor of hubble.ui.securityContext. + # Whether to set the security context on the Hubble UI pods. + enabled: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + + # -- hubble-ui service configuration. + service: + # --- The type of service used for Hubble UI access, either ClusterIP or NodePort. + type: ClusterIP + # --- The port to use when the service type is set to NodePort. + nodePort: 31235 + + # -- hubble-ui ingress configuration. + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + className: "" + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + +# -- Method to use for identity allocation (`crd` or `kvstore`). +identityAllocationMode: "crd" + +# -- Time to wait before using new identity on endpoint identity change. +# identityChangeGracePeriod: "5s" + +# -- GC interval for security identities. +# identityGCInterval: "15m0s" + +# -- Timeout after which identity expires on lack of heartbeat. +# identityHeartbeatTimeout: "30m0s" + + +# -- Configure whether to install iptables rules to allow for TPROXY +# (L7 proxy injection), iptables-based masquerading and compatibility +# with kube-proxy. +installIptablesRules: true + +# -- Install Iptables rules to skip netfilter connection tracking on all pod +# traffic. This option is only effective when Cilium is running in direct +# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium +# is running in a managed Kubernetes environment or in a chained CNI setup. +installNoConntrackIptablesRules: false + +ipam: + # -- Configure IP Address Management mode. + # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ + mode: "cluster-pool" + operator: + # -- Deprecated in favor of ipam.operator.clusterPoolIPv4PodCIDRList. + # IPv4 CIDR range to delegate to individual nodes for IPAM. + clusterPoolIPv4PodCIDR: "10.0.0.0/8" + # -- IPv4 CIDR list range to delegate to individual nodes for IPAM. + clusterPoolIPv4PodCIDRList: [] + # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM. + clusterPoolIPv4MaskSize: 24 + # -- Deprecated in favor of ipam.operator.clusterPoolIPv6PodCIDRList. + # IPv6 CIDR range to delegate to individual nodes for IPAM. + clusterPoolIPv6PodCIDR: "fd00::/104" + # -- IPv6 CIDR list range to delegate to individual nodes for IPAM. + clusterPoolIPv6PodCIDRList: [] + # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM. + clusterPoolIPv6MaskSize: 120 + +# -- Configure the eBPF-based ip-masq-agent +ipMasqAgent: + enabled: false + +# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium. +# iptablesLockTimeout: "5s" + +ipv4: + # -- Enable IPv4 support. + enabled: true + +ipv6: + # -- Enable IPv6 support. + enabled: false + +ipvlan: + # -- Enable the IPVLAN datapath (deprecated) + enabled: false + + # -- masterDevice is the name of the device to use to attach secondary IPVLAN + # devices + # masterDevice: eth0 + +# -- Configure Kubernetes specific configuration +k8s: {} + # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR + # range via the Kubernetes node resource + # requireIPv4PodCIDR: false + + # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR + # range via the Kubernetes node resource + # requireIPv6PodCIDR: false + +# -- Keep the deprecated selector labels when deploying Cilium DaemonSet. +keepDeprecatedLabels: false + +# -- Keep the deprecated probes when deploying Cilium DaemonSet +keepDeprecatedProbes: false + +startupProbe: + # -- failure threshold of startup probe. + # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s) + failureThreshold: 105 + # -- interval between checks of the startup probe + periodSeconds: 2 +livenessProbe: + # -- failure threshold of liveness probe + failureThreshold: 10 + # -- interval between checks of the liveness probe + periodSeconds: 30 +readinessProbe: + # -- failure threshold of readiness probe + failureThreshold: 3 + # -- interval between checks of the readiness probe + periodSeconds: 30 + +# -- Configure the kube-proxy replacement in Cilium BPF datapath +# Valid options are "disabled", "partial", "strict". +# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ +#kubeProxyReplacement: "disabled" + +# -- healthz server bind address for the kube-proxy replacement. +# To enable set the value to '0.0.0.0:10256' for all ipv4 +# addresses and this '[::]:10256' for all ipv6 addresses. +# By default it is disabled. +kubeProxyReplacementHealthzBindAddr: "" + +l2NeighDiscovery: + # -- Enable L2 neighbor discovery in the agent + enabled: true + # -- Override the agent's default neighbor resolution refresh period. + refreshPeriod: "30s" + +# -- Enable Layer 7 network policy. +l7Proxy: true + +# -- Enable Local Redirect Policy. +localRedirectPolicy: false + +# To include or exclude matched resources from cilium identity evaluation +# labels: "" + +# logOptions allows you to define logging options. eg: +# logOptions: +# format: json + +# -- Enables periodic logging of system load +logSystemLoad: false + + +# -- Configure maglev consistent hashing +maglev: {} + # -- tableSize is the size (parameter M) for the backend table of one + # service entry + # tableSize: + + # -- hashSeed is the cluster-wide base64 encoded seed for the hashing + # hashSeed: + +# -- Enables masquerading of IPv4 traffic leaving the node from endpoints. +enableIPv4Masquerade: true + +# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. +enableIPv6Masquerade: true + +# -- Enables egress gateway to redirect and SNAT the traffic that leaves the +# cluster. +egressGateway: + enabled: false + # -- Install egress gateway IP rules and routes in order to properly steer + # egress gateway traffic to the correct ENI interface + installRoutes: false + +vtep: +# -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow +# Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel. + enabled: false + +# -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1" + endpoint: "" +# -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" + cidr: "" +# -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0" + mask: "" +# -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y" + mac: "" + +# -- Allows to explicitly specify the IPv4 CIDR for native routing. +# When specified, Cilium assumes networking for this CIDR is preconfigured and +# hands traffic destined for that range to the Linux network stack without +# applying any SNAT. +# Generally speaking, specifying a native routing CIDR implies that Cilium can +# depend on the underlying networking stack to route packets to their +# destination. To offer a concrete example, if Cilium is configured to use +# direct routing and the Kubernetes CIDR is included in the native routing CIDR, +# the user must configure the routes to reach pods, either manually or by +# setting the auto-direct-node-routes flag. +# ipv4NativeRoutingCIDR: + +# -- Allows to explicitly specify the IPv6 CIDR for native routing. +# When specified, Cilium assumes networking for this CIDR is preconfigured and +# hands traffic destined for that range to the Linux network stack without +# applying any SNAT. +# Generally speaking, specifying a native routing CIDR implies that Cilium can +# depend on the underlying networking stack to route packets to their +# destination. To offer a concrete example, if Cilium is configured to use +# direct routing and the Kubernetes CIDR is included in the native routing CIDR, +# the user must configure the routes to reach pods, either manually or by +# setting the auto-direct-node-routes flag. +# ipv6NativeRoutingCIDR: + +# -- cilium-monitor sidecar. +monitor: + # -- Enable the cilium-monitor sidecar. + enabled: false + +# -- Configure service load balancing +# loadBalancer: + # -- standalone enables the standalone L4LB which does not connect to + # kube-apiserver. + # standalone: false + + # -- algorithm is the name of the load balancing algorithm for backend + # selection e.g. random or maglev + # algorithm: random + + # -- mode is the operation mode of load balancing for remote backends + # e.g. snat, dsr, hybrid + # mode: snat + + # -- acceleration is the option to accelerate service handling via XDP + # e.g. native, disabled + # acceleration: disabled + + # -- dsrDispatch configures whether IP option or IPIP encapsulation is + # used to pass a service IP and port to remote backend + # dsrDispatch: opt + + # -- serviceTopology enables K8s Topology Aware Hints -based service + # endpoints filtering + # serviceTopology: false + +# -- Configure N-S k8s service loadbalancing +nodePort: + # -- Enable the Cilium NodePort service implementation. + enabled: false + + # -- Port range to use for NodePort services. + # range: "30000,32767" + + # -- Set to true to prevent applications binding to service ports. + bindProtection: true + + # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral + # ports is detected. + autoProtectPortRange: true + + # -- Enable healthcheck nodePort server for NodePort services + enableHealthCheck: true + +# policyAuditMode: false + +# -- The agent can be put into one of the three policy enforcement modes: +# default, always and never. +# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes +policyEnforcementMode: "default" + +pprof: + # -- Enable Go pprof debugging + enabled: false + +# -- Configure prometheus metrics on the configured port at /metrics +prometheus: + enabled: false + port: 9962 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor cilium-agent + labels: {} + # -- Annotations to add to ServiceMonitor cilium-agent + annotations: {} + # -- Specify the Kubernetes namespace where Prometheus expects to find + # service monitors configured. + # namespace: "" + # -- Metrics that should be enabled or disabled from the default metric + # list. (+metric_foo to enable metric_foo , -metric_bar to disable + # metric_bar). + # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics + metrics: ~ + +# -- Configure Istio proxy options. +proxy: + prometheus: + enabled: true + port: "9964" + # -- Regular expression matching compatible Istio sidecar istio-proxy + # container image names + sidecarImageRegex: "cilium/istio_proxy" + +# -- Enable use of the remote node identity. +# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +remoteNodeIdentity: true + +# -- Enable resource quotas for priority classes used in the cluster. +resourceQuotas: + enabled: false + cilium: + hard: + # 5k nodes * 2 DaemonSets (Cilium and cilium node init) + pods: "10k" + operator: + hard: + # 15 "clusterwide" Cilium Operator pods for HA + pods: "15" + +# Need to document default +################## +#sessionAffinity: false + +# -- Do not run Cilium agent when running with clean mode. Useful to completely +# uninstall Cilium as it will stop Cilium from starting and create artifacts +# in the node. +sleepAfterInit: false + +# -- Configure BPF socket operations configuration +sockops: + # enabled enables installation of socket options acceleration. + enabled: false + +# -- Enable check of service source ranges (currently, only for LoadBalancer). +svcSourceRangeCheck: true + +# -- Synchronize Kubernetes nodes to kvstore and perform CNP GC. +synchronizeK8sNodes: true + +# -- Configure TLS configuration in the agent. +tls: + # -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies + # (namely the secrets referenced by terminatingTLS and originatingTLS). + # Possible values: + # - local + # - k8s + secretsBackend: local + + # -- Base64 encoded PEM values for the CA certificate and private key. + # This can be used as common CA to generate certificates used by hubble and clustermesh components + ca: + # -- Optional CA cert. If it is provided, it will be used by cilium to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + cert: "" + + # -- Optional CA private key. If it is provided, it will be used by cilium to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + key: "" + + # -- Generated certificates validity duration in days. This will be used for auto generated CA. + certValidityDuration: 1095 + +# -- Configure the encapsulation configuration for communication between nodes. +# Possible values: +# - disabled +# - vxlan (default) +# - geneve +tunnel: "vxlan" + +# -- Disable the usage of CiliumEndpoint CRD. +disableEndpointCRD: "false" + +wellKnownIdentities: + # -- Enable the use of well-known identities. + enabled: false + +etcd: + # -- Enable etcd mode for the agent. + enabled: false + + # -- cilium-etcd-operator image. + image: + override: ~ + repository: "${CILIUM_ETCD_OPERATOR_REPO}" + tag: "${CILIUM_ETCD_OPERATOR_VERSION}" + pullPolicy: "${PULL_POLICY}" + + # -- The priority class to use for cilium-etcd-operator + priorityClassName: "" + + # -- Additional cilium-etcd-operator container arguments. + extraArgs: [] + + # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Node labels for cilium-etcd-operator pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Annotations to be added to cilium-etcd-operator pods + podAnnotations: {} + + # -- Labels to be added to cilium-etcd-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-etcd-operator resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to cilium-etcd-operator pods + securityContext: {} + # runAsUser: 0 + + # -- cilium-etcd-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + + # -- If etcd is behind a k8s service set this option to true so that Cilium + # does the service translation automatically without requiring a DNS to be + # running. + k8sService: false + + # -- Cluster domain for cilium-etcd-operator. + clusterDomain: cluster.local + + # -- List of etcd endpoints (not needed when using managed=true). + endpoints: + - https://CHANGE-ME:2379 + + # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if + # managed=true) + ssl: false + +operator: + # -- Enable the cilium-operator component (required). + enabled: true + + # -- Roll out cilium-operator pods automatically when configmap is updated. + rollOutPods: false + + # -- cilium-operator image. + image: + override: ~ + repository: "${CILIUM_OPERATOR_BASE_REPO}" + tag: "${CILIUM_VERSION}" + # operator-generic-digest + genericDigest: ${OPERATOR_GENERIC_DIGEST} + # operator-azure-digest + azureDigest: ${OPERATOR_AZURE_DIGEST} + # operator-aws-digest + awsDigest: ${OPERATOR_AWS_DIGEST} + # operator-alibabacloud-digest + alibabacloudDigest: ${OPERATOR_ALIBABACLOUD_DIGEST} + useDigest: ${USE_DIGESTS} + pullPolicy: "${PULL_POLICY}" + suffix: "${CILIUM_OPERATOR_SUFFIX}" + + # -- Number of replicas to run for the cilium-operator deployment + replicas: 2 + + # -- The priority class to use for cilium-operator + priorityClassName: "" + + # -- DNS policy for Cilium operator pods. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" + + # -- cilium-operator update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + + # -- Affinity for cilium-operator + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + io.cilium/app: operator + + # -- Node labels for cilium-operator pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for cilium-operator scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Additional cilium-operator container arguments. + extraArgs: [] + + # -- Additional cilium-operator environment variables. + extraEnv: [] + + # -- Additional cilium-operator hostPath mounts. + extraHostPathMounts: [] + # - name: host-mnt-data + # mountPath: /host/mnt/data + # hostPath: /mnt/data + # hostPathType: Directory + # readOnly: true + # mountPropagation: HostToContainer + + # -- Additional cilium-operator volumes. + extraVolumes: [] + + # -- Additional cilium-operator volumeMounts. + extraVolumeMounts: [] + + # -- Annotations to be added to cilium-operator pods + podAnnotations: {} + + # -- Labels to be added to cilium-operator pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- cilium-operator resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: {} + # limits: + # cpu: 1000m + # memory: 1Gi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Security context to be added to cilium-operator pods + securityContext: {} + # runAsUser: 0 + + # -- Interval for endpoint garbage collection. + endpointGCInterval: "5m0s" + + # -- Interval for cilium node garbage collection. + nodeGCInterval: "5m0s" + + # -- Interval for identity garbage collection. + identityGCInterval: "15m0s" + + # -- Timeout for identity heartbeats. + identityHeartbeatTimeout: "30m0s" + + # -- Enable prometheus metrics for cilium-operator on the configured port at + # /metrics + prometheus: + enabled: false + port: 9963 + serviceMonitor: + # -- Enable service monitors. + # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + enabled: false + # -- Labels to add to ServiceMonitor cilium-operator + labels: {} + # -- Annotations to add to ServiceMonitor cilium-operator + annotations: {} + + # -- Skip CRDs creation for cilium-operator + skipCRDCreation: false + + # -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium + # pod running. + removeNodeTaints: true + + # -- Set Node condition NetworkUnavailable to 'false' with the reason + # 'CiliumIsUp' for nodes that have a healthy Cilium pod. + setNodeNetworkStatus: true + + unmanagedPodWatcher: + # -- Restart any pod that are not managed by Cilium. + restart: true + # -- Interval, in seconds, to check if there are any pods that are not + # managed by Cilium. + intervalSeconds: 15 + +nodeinit: + # -- Enable the node initialization DaemonSet + enabled: false + + # -- node-init image. + image: + override: ~ + repository: "${CILIUM_NODEINIT_REPO}" + tag: "${CILIUM_NODEINIT_VERSION}" + pullPolicy: "${PULL_POLICY}" + + # -- The priority class to use for the nodeinit pod. + priorityClassName: "" + + # -- node-init update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional nodeinit environment variables. + extraEnv: [] + + # -- Affinity for cilium-nodeinit + affinity: {} + + # -- Node labels for nodeinit pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for nodeinit scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - operator: Exists + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to node-init pods. + podAnnotations: {} + + # -- Labels to be added to node-init pods. + podLabels: {} + + # -- nodeinit resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: + requests: + cpu: 100m + memory: 100Mi + + # -- Security context to be added to nodeinit pods. + securityContext: + privileged: false + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + add: + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # Used for nsenter + - NET_ADMIN + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + + # -- bootstrapFile is the location of the file where the bootstrap timestamp is + # written by the node-init DaemonSet + bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time" + +preflight: + # -- Enable Cilium pre-flight resources (required for upgrade) + enabled: false + + # -- Cilium pre-flight image. + image: + override: ~ + repository: "${CILIUM_REPO}" + tag: "${CILIUM_VERSION}" + # cilium-digest + digest: ${CILIUM_DIGEST} + useDigest: ${USE_DIGESTS} + pullPolicy: "${PULL_POLICY}" + + # -- The priority class to use for the preflight pod. + priorityClassName: "" + + # -- preflight update strategy + updateStrategy: + type: RollingUpdate + + # -- Additional preflight environment variables. + extraEnv: [] + + # -- Affinity for cilium-preflight + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + + # -- Node labels for preflight pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for preflight scheduling to nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + # -- Annotations to be added to preflight pods + podAnnotations: {} + + # -- Labels to be added to the preflight pod. + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- preflight resource limits & requests + # ref: https://kubernetes.io/docs/user-guide/compute-resources/ + resources: {} + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Security context to be added to preflight pods + securityContext: {} + # runAsUser: 0 + + # -- Path to write the `--tofqdns-pre-cache` file to. + tofqdnsPreCache: "" + + # -- Configure termination grace period for preflight Deployment and DaemonSet. + terminationGracePeriodSeconds: 1 + + # -- By default we should always validate the installed CNPs before upgrading + # Cilium. This will make sure the user will have the policies deployed in the + # cluster with the right schema. + validateCNPs: true + +# -- Explicitly enable or disable priority class. +# .Capabilities.KubeVersion is unsettable in `helm template` calls, +# it depends on k8s libraries version that Helm was compiled against. +# This option allows to explicitly disable setting the priority class, which +# is useful for rendering charts for gke clusters in advance. +enableCriticalPriorityClass: true + +# disableEnvoyVersionCheck removes the check for Envoy, which can be useful +# on AArch64 as the images do not currently ship a version of Envoy. +#disableEnvoyVersionCheck: false + +clustermesh: + # -- Deploy clustermesh-apiserver for clustermesh + useAPIServer: false + + # -- Clustermesh explicit configuration. + config: + # -- Enable the Clustermesh explicit configuration. + enabled: false + # -- Default dns domain for the Clustermesh API servers + # This is used in the case cluster addresses are not provided + # and IPs are used. + domain: mesh.cilium.io + # -- List of clusters to be peered in the mesh. + clusters: [] + # clusters: + # # -- Name of the cluster + # - name: cluster1 + # # -- Address of the cluster, use this if you created DNS records for + # # the cluster Clustermesh API server. + # address: cluster1.mesh.cilium.io + # # -- Port of the cluster Clustermesh API server. + # port: 2379 + # # -- IPs of the cluster Clustermesh API server, use multiple ones when + # # you have multiple IPs to access the Clustermesh API server. + # ips: + # - 172.18.255.201 + # # -- base64 encoded PEM values for the cluster client certificate, private key and certificate authority. + # tls: + # cert: "" + # key: "" + + apiserver: + # -- Clustermesh API server image. + image: + override: ~ + repository: "${CLUSTERMESH_APISERVER_REPO}" + tag: "${CILIUM_VERSION}" + # clustermesh-apiserver-digest + digest: ${CLUSTERMESH_APISERVER_DIGEST} + useDigest: ${USE_DIGESTS} + pullPolicy: "${PULL_POLICY}" + + etcd: + # -- Clustermesh API server etcd image. + image: + override: ~ + repository: "${ETCD_REPO}" + tag: "${ETCD_VERSION}" + pullPolicy: "${PULL_POLICY}" + + service: + # -- The type of service used for apiserver access. + type: NodePort + # -- Optional port to use as the node port for apiserver access. + nodePort: 32379 + # -- Optional loadBalancer IP address to use with type LoadBalancer. + # loadBalancerIP: + + # -- Annotations for the clustermesh-apiserver + # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" + # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + annotations: {} + + # -- Number of replicas run for the clustermesh-apiserver deployment. + replicas: 1 + + # -- Additional clustermesh-apiserver environment variables. + extraEnv: [] + + # -- Annotations to be added to clustermesh-apiserver pods + podAnnotations: {} + + # -- Labels to be added to clustermesh-apiserver pods + podLabels: {} + + # PodDisruptionBudget settings + podDisruptionBudget: + # -- enable PodDisruptionBudget + # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + enabled: false + # -- Minimum number/percentage of pods that should remain scheduled. + # When it's set, maxUnavailable must be disabled by `maxUnavailable: null` + minAvailable: null + # -- Maximum number/percentage of pods that may be made unavailable + maxUnavailable: 1 + + # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as + # resources: + # limits: + # cpu: 1000m + # memory: 1024M + # requests: + # cpu: 100m + # memory: 64Mi + # -- Resource requests and limits for the clustermesh-apiserver + resources: {} + # requests: + # cpu: 100m + # memory: 64Mi + # limits: + # cpu: 1000m + # memory: 1024M + + # -- Affinity for clustermesh.apiserver + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: clustermesh-apiserver + + # -- Node labels for pod assignment + # ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: + kubernetes.io/os: linux + + # -- Node tolerations for pod assignment on nodes with taints + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + tolerations: [] + + # -- clustermesh-apiserver update strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # -- The priority class to use for clustermesh-apiserver + priorityClassName: "" + + tls: + # -- Configure automatic TLS certificates generation. + # A Kubernetes CronJob is used the generate any + # certificates not provided by the user at installation + # time. + auto: + # -- When set to true, automatically generate a CA and certificates to + # enable mTLS between clustermesh-apiserver and external workload instances. + # If set to false, the certs to be provided by setting appropriate values below. + enabled: true + # Sets the method to auto-generate certificates. Supported values: + # - helm: This method uses Helm to generate all certificates. + # - cronJob: This method uses a Kubernetes CronJob the generate any + # certificates not provided by the user at installation + # time. + # - certmanager: This method use cert-manager to generate & rotate certificates. + method: helm + # -- Generated certificates validity duration in days. + certValidityDuration: 1095 + # -- Schedule for certificates regeneration (regardless of their expiration date). + # Only used if method is "cronJob". If nil, then no recurring job will be created. + # Instead, only the one-shot job is deployed to generate the certificates at + # installation time. + # + # Due to the out-of-band distribution of client certs to external workloads the + # CA is (re)regenerated only if it is not provided as a helm value and the k8s + # secret is manually deleted. + # + # Defaults to none. Commented syntax gives midnight of the first day of every + # fourth month. For syntax, see + # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule + # schedule: "0 0 1 */4 *" + + # [Example] + # certManagerIssuerRef: + # group: cert-manager.io + # kind: ClusterIssuer + # name: ca-issuer + # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. + # If not specified, a CA issuer will be created. + certManagerIssuerRef: {} + # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key. + ca: + # -- Optional CA cert. If it is provided, it will be used by the 'cronJob' method to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + cert: "" + # -- Optional CA private key. If it is provided, it will be used by the 'cronJob' method to + # generate all other certificates. Otherwise, an ephemeral CA is generated. + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. + # Used if 'auto' is not enabled. + server: + cert: "" + key: "" + # -- Extra DNS names added to certificate when it's auto generated + extraDnsNames: [] + # -- Extra IP addresses added to certificate when it's auto generated + extraIpAddresses: [] + # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. + # Used if 'auto' is not enabled. + admin: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. + # Used if 'auto' is not enabled. + client: + cert: "" + key: "" + # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. + # Used if 'auto' is not enabled. + remote: + cert: "" + key: "" + +# -- Configure external workloads support +externalWorkloads: + # -- Enable support for external workloads, such as VMs (false by default). + enabled: false + +# -- Configure cgroup related configuration +cgroup: + autoMount: + # -- Enable auto mount of cgroup2 filesystem. + # When `autoMount` is enabled, cgroup2 filesystem is mounted at + # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. + enabled: true + # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) + hostRoot: /run/cilium/cgroupv2 + +# -- Configure whether to enable auto detect of terminating state for endpoints +# in order to support graceful termination. +enableK8sTerminatingEndpoint: true + +# -- Configure whether to unload DNS policy rules on graceful shutdown +# dnsPolicyUnloadOnShutdown: false + +# -- Configure the key of the taint indicating that Cilium is not ready on the node. +# When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up. +agentNotReadyTaintKey: "node.cilium.io/agent-not-ready" + +dnsProxy: + # -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'. + dnsRejectResponseCode: refused + # -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present. + enableDnsCompression: true + # -- Maximum number of IPs to maintain per FQDN name for each endpoint. + endpointMaxIpPerHostname: 50 + # -- Time during which idle but previously active connections with expired DNS lookups are still considered alive. + idleConnectionGracePeriod: 0s + # -- Maximum number of IPs to retain for expired DNS lookups with still-active connections. + maxDeferredConnectionDeletes: 10000 + # -- The minimum time, in seconds, to use DNS data for toFQDNs policies. + minTtl: 3600 + # -- DNS cache data at this path is preloaded on agent startup. + preCache: "" + # -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. + proxyPort: 0 + # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. + proxyResponseMaxDelay: 100ms diff --git a/cli/internal/helm/cilium.patch b/cli/internal/helm/cilium.patch new file mode 100644 index 000000000..5a9f09eea --- /dev/null +++ b/cli/internal/helm/cilium.patch @@ -0,0 +1,25 @@ +diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml +index 13c4b01414..348d1281b2 100644 +--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml ++++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml +@@ -500,4 +500,7 @@ data: + {{- end }} + ++{{- if .Values.strictModeCIDR }} ++ strict-mode-cidr: {{ .Values.strictModeCIDR | quote }} ++{{- end }} + enable-xt-socket-fallback: {{ .Values.enableXTSocketFallback | quote }} + install-iptables-rules: {{ .Values.installIptablesRules | quote }} +diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml +index bbdccc1465..7dece98eac 100644 +--- a/install/kubernetes/cilium/values.yaml ++++ b/install/kubernetes/cilium/values.yaml +@@ -550,6 +550,8 @@ encryption: + # This option is only effective when encryption.type is set to ipsec. + interface: "" + ++strictModeCIDR: "" ++ + endpointHealthChecking: + # -- Enable connectivity health checking between virtual endpoints. + enabled: true diff --git a/cli/internal/helm/generateCilium.sh b/cli/internal/helm/generateCilium.sh new file mode 100755 index 000000000..3407fa52e --- /dev/null +++ b/cli/internal/helm/generateCilium.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +CALLDIR=$(pwd) +CILIUMTMPDIR=$(mktemp -d) +cd $CILIUMTMPDIR +git clone --depth 1 -b v1.12 https://github.com/cilium/cilium.git +cd cilium +git apply $CALLDIR/cilium.patch +cp -r install/kubernetes/cilium $CALLDIR/charts +rm -r $CILIUMTMPDIR diff --git a/cli/internal/helm/loader.go b/cli/internal/helm/loader.go new file mode 100644 index 000000000..1e239b551 --- /dev/null +++ b/cli/internal/helm/loader.go @@ -0,0 +1,141 @@ +package helm + +import ( + "bytes" + "embed" + "encoding/json" + "fmt" + "io/fs" + "path/filepath" + "strings" + + "github.com/edgelesssys/constellation/internal/cloud/cloudprovider" + "github.com/edgelesssys/constellation/internal/deploy/helm" + "github.com/pkg/errors" + "helm.sh/helm/pkg/ignore" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" +) + +// Run `go generate` to deterministically create the patched Helm deployment for cilium +//go:generate ./generateCilium.sh + +//go:embed all:charts/cilium/* +var HelmFS embed.FS + +type ChartLoader struct{} + +func (i *ChartLoader) Load(csp string) ([]byte, error) { + ciliumDeployment, err := i.loadCilium(csp) + if err != nil { + return nil, err + } + deployments := helm.Deployments{Cilium: ciliumDeployment} + depl, err := json.Marshal(deployments) + if err != nil { + return nil, err + } + return depl, nil +} + +func (i *ChartLoader) loadCilium(csp string) (helm.Deployment, error) { + chart, err := loadChartsDir(HelmFS, "charts/cilium") + if err != nil { + return helm.Deployment{}, err + } + var ciliumVals map[string]interface{} + switch csp { + case cloudprovider.GCP.String(): + ciliumVals = gcpVals + case cloudprovider.Azure.String(): + ciliumVals = azureVals + case cloudprovider.QEMU.String(): + ciliumVals = qemuVals + default: + return helm.Deployment{}, fmt.Errorf("unknown csp: %s", csp) + } + return helm.Deployment{Chart: chart, Values: ciliumVals}, nil +} + +// taken from loader.LoadDir from the helm go module +// loadChartsDir loads from a directory. +// +// This loads charts only from directories. +func loadChartsDir(efs embed.FS, dir string) (*chart.Chart, error) { + utf8bom := []byte{0xEF, 0xBB, 0xBF} + // Just used for errors. + c := &chart.Chart{} + + rules := ignore.Empty() + ifile, err := efs.ReadFile(filepath.Join(dir, ignore.HelmIgnore)) + if err == nil { + r, err := ignore.Parse(bytes.NewReader(ifile)) + if err != nil { + return c, err + } + rules = r + } + rules.AddDefaults() + + files := []*loader.BufferedFile{} + + walk := func(path string, d fs.DirEntry, err error) error { + n := strings.TrimPrefix(path, dir) + if n == "" { + // No need to process top level. Avoid bug with helmignore .* matching + // empty names. See issue https://github.com/kubernetes/helm/issues/1776. + return nil + } + + // Normalize to / since it will also work on Windows + n = filepath.ToSlash(n) + + // Check input err + if err != nil { + return err + } + + fi, err := d.Info() + if err != nil { + return err + } + + if d.IsDir() { + // Directory-based ignore rules should involve skipping the entire + // contents of that directory. + if rules.Ignore(n, fi) { + return filepath.SkipDir + } + return nil + } + + // If a .helmignore file matches, skip this file. + if rules.Ignore(n, fi) { + return nil + } + + // Irregular files include devices, sockets, and other uses of files that + // are not regular files. In Go they have a file mode type bit set. + // See https://golang.org/pkg/os/#FileMode for examples. + if !fi.Mode().IsRegular() { + return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", path) + } + + data, err := efs.ReadFile(path) + if err != nil { + return errors.Wrapf(err, "error reading %s", n) + } + + data = bytes.TrimPrefix(data, utf8bom) + n = strings.TrimPrefix(n, "/") + + files = append(files, &loader.BufferedFile{Name: n, Data: data}) + return nil + } + + if err := fs.WalkDir(efs, dir, walk); err != nil { + return c, err + } + + return loader.LoadFiles(files) +} diff --git a/cli/internal/helm/values.go b/cli/internal/helm/values.go new file mode 100644 index 000000000..a99671a29 --- /dev/null +++ b/cli/internal/helm/values.go @@ -0,0 +1,81 @@ +package helm + +var azureVals = map[string]interface{}{ + "endpointRoutes": map[string]interface{}{ + "enabled": true, + }, + "encryption": map[string]interface{}{ + "enabled": true, + "type": "wireguard", + }, + "l7Proxy": false, + "ipam": map[string]interface{}{ + "operator": map[string]interface{}{ + "clusterPoolIPv4PodCIDRList": []string{ + "10.244.0.0/16", + }, + }, + }, + "strictModeCIDRs": []string{ + "10.244.0.0/16", + }, + "image": map[string]interface{}{ + "repository": "ghcr.io/3u13r/cilium", + "suffix": "v1.12.0-edg2", + "tag": "latest", + "digest": "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf", + "useDigest": false, + }, + "operator": map[string]interface{}{ + "image": map[string]interface{}{ + "repository": "ghcr.io/3u13r/operator", + "tag": "v1.12.0-edg2", + "suffix": "", + "genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a", + "useDigest": true, + }, + }, + "egressMasqueradeInterfaces": "eth0", + "enableIPv4Masquerade": true, +} + +var gcpVals = map[string]interface{}{ + "endpointRoutes": map[string]interface{}{ + "enabled": true, + }, + "tunnel": "disabled", + "encryption": map[string]interface{}{ + "enabled": true, + "type": "wireguard", + }, + "image": map[string]interface{}{ + "repository": "ghcr.io/3u13r/cilium", + "suffix": "", + "tag": "v1.12.0-edg2", + "digest": "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf", + "useDigest": true, + }, + "operator": map[string]interface{}{ + "image": map[string]interface{}{ + "repository": "ghcr.io/3u13r/operator", + "suffix": "", + "tag": "v1.12.0-edg2", + "genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a", + "useDigest": true, + }, + }, + "l7Proxy": false, + "ipam": map[string]interface{}{ + "mode": "kubernetes", + }, +} + +var qemuVals = map[string]interface{}{ + "endpointRoutes": map[string]interface{}{ + "enabled": true, + }, + "encryption": map[string]interface{}{ + "enabled": true, + "type": "wireguard", + }, +} diff --git a/go.mod b/go.mod index b12a8a1f0..c60db4bb0 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/kms v1.17.3 github.com/aws/aws-sdk-go-v2/service/s3 v1.26.2 github.com/coreos/go-systemd/v22 v22.3.2 - github.com/docker/docker v20.10.16+incompatible + github.com/docker/docker v20.10.17+incompatible github.com/fsnotify/fsnotify v1.5.4 github.com/go-playground/locales v0.14.0 github.com/go-playground/universal-translator v0.18.0 @@ -86,19 +86,19 @@ require ( go.uber.org/goleak v1.1.12 go.uber.org/multierr v1.8.0 go.uber.org/zap v1.21.0 - golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 - golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e - google.golang.org/api v0.86.0 - google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f + golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e + golang.org/x/net v0.0.0-20220617184016-355a448f1bc9 + google.golang.org/api v0.85.0 + google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad google.golang.org/grpc v1.47.0 google.golang.org/protobuf v1.28.0 gopkg.in/yaml.v3 v3.0.1 - k8s.io/api v0.24.0 - k8s.io/apiextensions-apiserver v0.24.0 - k8s.io/apimachinery v0.24.0 - k8s.io/apiserver v0.24.0 - k8s.io/cli-runtime v0.24.0 - k8s.io/client-go v0.24.0 + k8s.io/api v0.24.2 + k8s.io/apiextensions-apiserver v0.24.2 + k8s.io/apimachinery v0.24.2 + k8s.io/apiserver v0.24.2 + k8s.io/cli-runtime v0.24.2 + k8s.io/client-go v0.24.2 k8s.io/cluster-bootstrap v0.0.0 k8s.io/klog/v2 v2.60.1 k8s.io/kubelet v0.0.0 @@ -107,15 +107,7 @@ require ( k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 ) -require ( - github.com/blang/semver/v4 v4.0.0 // indirect - sigs.k8s.io/controller-runtime v0.12.1 // indirect -) - -require ( - github.com/google/go-containerregistry v0.10.0 // indirect - go.opentelemetry.io/otel/trace v1.3.0 // indirect -) +require github.com/google/go-containerregistry v0.10.0 // indirect require ( github.com/dnaeon/go-vcr v1.2.0 // indirect @@ -130,6 +122,65 @@ require ( require ( cloud.google.com/go v0.102.0 // indirect + github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect + github.com/BurntSushi/toml v1.0.0 // indirect + github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect + github.com/Masterminds/goutils v1.1.1 // indirect + github.com/Masterminds/semver/v3 v3.1.1 // indirect + github.com/Masterminds/sprig/v3 v3.2.2 // indirect + github.com/Masterminds/squirrel v1.5.3 // indirect + github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cespare/xxhash/v2 v2.1.2 // indirect + github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect + github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/docker/cli v20.10.17+incompatible // indirect + github.com/docker/docker-credential-helpers v0.6.4 // indirect + github.com/docker/go-metrics v0.0.1 // indirect + github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect + github.com/fatih/color v1.13.0 // indirect + github.com/go-gorp/gorp/v3 v3.0.2 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/google/btree v1.0.1 // indirect + github.com/gorilla/mux v1.8.0 // indirect + github.com/gosuri/uitable v0.0.4 // indirect + github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect + github.com/huandu/xstrings v1.3.2 // indirect + github.com/jmoiron/sqlx v1.3.5 // indirect + github.com/klauspost/compress v1.15.4 // indirect + github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect + github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect + github.com/lib/pq v1.10.6 // indirect + github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect + github.com/mattn/go-colorable v0.1.12 // indirect + github.com/mattn/go-isatty v0.0.14 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect + github.com/mitchellh/go-wordwrap v1.0.0 // indirect + github.com/mitchellh/reflectwalk v1.0.2 // indirect + github.com/moby/locker v1.0.1 // indirect + github.com/moby/spdystream v0.2.0 // indirect + github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect + github.com/morikuni/aec v1.0.0 // indirect + github.com/peterbourgon/diskv v2.0.1+incompatible // indirect + github.com/prometheus/client_golang v1.12.1 // indirect + github.com/prometheus/client_model v0.2.0 // indirect + github.com/prometheus/common v0.32.1 // indirect + github.com/prometheus/procfs v0.7.3 // indirect + github.com/rubenv/sql-migrate v1.1.1 // indirect + github.com/russross/blackfriday v1.6.0 // indirect + github.com/shopspring/decimal v1.2.0 // indirect + github.com/spf13/cast v1.4.1 // indirect + github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect + github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect + github.com/xeipuuv/gojsonschema v1.2.0 // indirect + k8s.io/kubectl v0.24.2 // indirect + oras.land/oras-go v1.2.0 // indirect + sigs.k8s.io/controller-runtime v0.12.1 // indirect +) + +require ( code.cloudfoundry.org/clock v0.0.0-20180518195852-02e53af36e6c // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.5.0 // indirect @@ -157,6 +208,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/sts v1.16.7 // indirect github.com/aws/smithy-go v1.11.3 // indirect github.com/benbjohnson/clock v1.3.0 // indirect + github.com/containerd/containerd v1.6.6 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/docker/distribution v2.8.1+incompatible // indirect @@ -203,7 +255,7 @@ require ( github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect github.com/operator-framework/api v0.15.0 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect - github.com/pkg/errors v0.9.1 // indirect + github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rivo/uniseg v0.2.0 // indirect github.com/sirupsen/logrus v1.8.1 // indirect @@ -212,7 +264,7 @@ require ( go.opencensus.io v0.23.0 // indirect go.starlark.net v0.0.0-20220223235035-243c74974e97 // indirect go.uber.org/atomic v1.9.0 // indirect - golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect + golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect golang.org/x/sys v0.0.0-20220624220833-87e55d714810 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect @@ -222,7 +274,9 @@ require ( google.golang.org/appengine v1.6.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 - k8s.io/component-base v0.24.0 // indirect + helm.sh/helm v2.17.0+incompatible + helm.sh/helm/v3 v3.9.2 + k8s.io/component-base v0.24.2 // indirect k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect sigs.k8s.io/kustomize/api v0.11.4 // indirect diff --git a/go.sum b/go.sum index 819a7ca1d..f999141b8 100644 --- a/go.sum +++ b/go.sum @@ -166,25 +166,38 @@ github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= +github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo= github.com/GoogleCloudPlatform/k8s-cloud-provider v1.16.1-0.20210702024009-ea6160c1d0e3/go.mod h1:8XasY4ymP2V/tn2OOV9ZadmiTE1FIB/h3W+yNlPttKw= github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab/go.mod h1:3VYc5hodBMJ5+l/7J4xAyMeuM2PNuepvHlGs8yilUCA= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= +github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd h1:sjQovDkwrZp8u+gxLtPgKGjk5hCxuy2hrRejBTA9xFU= github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd/go.mod h1:64YHyfSL2R96J44Nlwm39UHepQbyR5q10x7iYa1ks2E= github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= +github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= +github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8= +github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= +github.com/Masterminds/squirrel v1.5.3 h1:YPpoceAcxuzIljlr5iWpNKaql7hLeG1KLSrhvdHpkZc= +github.com/Masterminds/squirrel v1.5.3/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.4.15/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/hcsshim v0.8.22/go.mod h1:91uVCVzvX2QD16sMCenoxxXo6L1wJnLMX2PSufFMtF0= +github.com/Microsoft/hcsshim v0.9.3 h1:k371PzBuRrz2b+ebGuI2nVgVhgsVX60jMfSw80NECxo= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= @@ -193,6 +206,7 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8= @@ -227,9 +241,12 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY= +github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= github.com/ashanbrown/forbidigo v1.2.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI= github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU= github.com/auth0/go-jwt-middleware v1.0.1/go.mod h1:YSeUX3z6+TF2H+7padiEqNJ73Zy9vXW72U//IgN0BIM= @@ -321,8 +338,13 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/blizzy78/varnamelen v0.3.0/go.mod h1:hbwRdBvoBqxk34XyQ6HA0UH3G0/1TKuv5AC4eaBT0Ec= github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= +github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= +github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= +github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ= +github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o= github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc= github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw= github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo= @@ -334,11 +356,11 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= -github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 h1:7aWHqerlJ41y6FOsEUvknqgXnGmJyJSbjhAWq5pO4F8= github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5/go.mod h1:/iP1qXHoty45bqomnu2LM+VVyAEdWN+vtSHGlQgyxbw= github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU= @@ -368,11 +390,14 @@ github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/container-storage-interface/spec v1.5.0/go.mod h1:8K96oQNkJ7pFcC2R9Z1ynGGBB1I93kcS6PGg3SsOk8s= github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= +github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4= github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/containerd/containerd v1.4.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.4.12/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/containerd/containerd v1.6.6 h1:xJNPhbrmz8xAMDNoVjHy9YHtWwEQNS+CDkcIRh7t8Y0= +github.com/containerd/containerd v1.6.6/go.mod h1:ZoP1geJldzCVY3Tonoz7b1IXk8rIX0Nltt5QE4OMNk0= github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM= github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= @@ -402,34 +427,50 @@ github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.11 h1:07n33Z8lZxZ2qwegKbObQohDhXDQxiMMz1NOUGYlesw= github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= +github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc= +github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/daviddengcn/go-colortext v0.0.0-20160507010035-511bcaf42ccd/go.mod h1:dv4zxwHi5C/8AeI+4gX4dCWOIvNi7I6JCSX0HvlKPgE= github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA= +github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= +github.com/distribution/distribution/v3 v3.0.0-20220526142353-ffbd94cbe269 h1:hbCT8ZPPMqefiAWD2ZKjn7ypokIGViTvBBg/ExLSdCk= github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= +github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= +github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v20.10.12+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.16+incompatible h1:2Db6ZR/+FUR3hqPMwnogOPHFn405crbpxvWzKovETOQ= -github.com/docker/docker v20.10.16+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.17+incompatible h1:JYCuMrWaVNophQTOrMMoSwudOVEfcegoZZrleKc1xwE= +github.com/docker/docker v20.10.17+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o= +github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= +github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= +github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= +github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arXfYcAtECDFgAgHklGI8CxgjHnXKJ4= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= @@ -437,6 +478,7 @@ github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5m github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk= @@ -463,6 +505,7 @@ github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQL github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM= github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 h1:IeaD1VDVBPlx3viJT9Md8if8IxxJnO+x0JCGb054heg= @@ -471,9 +514,11 @@ github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwo github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= +github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= +github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e/go.mod h1:HyVoz1Mz5Co8TFO8EupIdlcpwShBmY98dkT2xeHkvEI= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= @@ -509,6 +554,8 @@ github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3Bop github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gorp/gorp/v3 v3.0.2 h1:ULqJXIekoqMx29FI5ekXXFoH1dT2Vc8UhnRzBg+Emz4= +github.com/go-gorp/gorp/v3 v3.0.2/go.mod h1:BJ3q1ejpV8cVALtcXvXaXyTOlMmJhWDxTmncaR6rwBY= github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= @@ -521,10 +568,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.1/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/stdr v1.2.0/go.mod h1:YkVgnZu1ZjjL7xTxrfm/LLZBfkhTqSR1ydtm6jTKKwI= github.com/go-logr/zapr v1.2.0/go.mod h1:Qa4Bsj2Vb+FAVeAKsLD8RLQ+YRJB8YDmOAKxaBQf7Ro= github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= @@ -555,6 +600,7 @@ github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8w github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= @@ -572,11 +618,20 @@ github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslW github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU= github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= +github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU= +github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= +github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0= +github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= +github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY= +github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godror/godror v0.24.2/go.mod h1:wZv/9vPiUib6tkoDl+AZ/QLf5YZgMravZ7jxH2eQWAE= github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw= @@ -595,6 +650,7 @@ github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzq github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= @@ -648,8 +704,10 @@ github.com/golangci/misspell v0.3.5/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPP github.com/golangci/revgrep v0.0.0-20210930125155-c22e5001d4f2/go.mod h1:LK+zW4MpyytAWQRz0M4xnzEk50lSvqDQKfx304apFkY= github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ= github.com/golangplus/testing v0.0.0-20180327235837-af21d9c3145e/go.mod h1:0AA//k/eakGydO4jKRoRL2j92ZKSzTgj9tclaCrvXHk= +github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/cadvisor v0.44.1/go.mod h1:GQ9KQfz0iNHQk3D6ftzJWK4TXabfIgM10Oy3FkR+Gzg= github.com/google/cel-go v0.10.1/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w= @@ -774,9 +832,11 @@ github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXG github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhjYcR6G9w= github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= @@ -794,7 +854,10 @@ github.com/gostaticanalysis/forcetypeassert v0.0.0-20200621232751-01d4955beaa5/g github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A= github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU= +github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= +github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= @@ -867,6 +930,9 @@ github.com/honeycombio/libhoney-go v1.15.2 h1:5NGcjOxZZma13dmzNcl3OtGbF1hECA0XHJ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo= github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4= +github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw= +github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= @@ -876,6 +942,7 @@ github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= @@ -899,6 +966,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548 h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4= github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= +github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g= +github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= @@ -926,6 +995,7 @@ github.com/julz/importas v0.0.0-20210419104244-841f0c0fe66d/go.mod h1:oSFU2R4XK/ github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes= github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213/go.mod h1:vNUNkEQ1e29fT/6vq2aBdFsgNPmy8qMdSay1npru+Sw= +github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= @@ -936,9 +1006,11 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/klauspost/compress v1.15.4 h1:1kn4/7MepF/CHmYub99/nNX8az0IJjfSOU/jbnTVfqQ= +github.com/klauspost/compress v1.15.4/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kortschak/utter v1.0.1/go.mod h1:vSmSjbyrlKjjsL71193LmzBOKgwePk9DH6uFaWHIInc= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= @@ -956,6 +1028,10 @@ github.com/kunwardeep/paralleltest v1.0.3/go.mod h1:vLydzomDFpk7yu5UX02RmP0H8QfR github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= github.com/ldez/gomoddirectives v0.2.2/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0= github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw= @@ -966,10 +1042,15 @@ github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e/go.mod h1:Bl3m github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs= +github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/libopenstorage/openstorage v1.0.0/go.mod h1:Sp1sIObHjat1BeXhfMqLZ14wnOzEhNx2YQedreMcUyc= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM= github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4= @@ -990,6 +1071,12 @@ github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJ github.com/malt3/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v0.0.0-20220728112040-735e3fd529fa h1:ICIHFvfkpajS96A01sg/apLtS4PLP/SsUn/9el0GMKA= github.com/malt3/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v0.0.0-20220728112040-735e3fd529fa/go.mod h1:243D9iHbcQXoFUtgHJwL7gl2zx1aDuDMjvBZVGr2uW0= github.com/maratori/testpackage v1.0.1/go.mod h1:ddKdw+XG0Phzhx8BFDTKgpWP4i7MpApTE5fXSKAqwDU= +github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI= +github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc= +github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY= +github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI= +github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI= +github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6 h1:YDjLk3wsL5ZLhLC4TIwIvT2NkSCAdAV6pzzZaRfj4jk= github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6/go.mod h1:gZoZ0+POlM1ge/VUxWpMmZVNPzzMJ7l436CgkQ5+qzU= github.com/matoous/godox v0.0.0-20210227103229-6504466cf951/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s= @@ -1001,7 +1088,10 @@ github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVc github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.11/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= @@ -1011,7 +1101,9 @@ github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2y github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-oci8 v0.1.1/go.mod h1:wjDx6Xm9q7dFtHJvIlrI99JytznLw5wQ4R+9mNXJwGI= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= @@ -1021,6 +1113,9 @@ github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg= +github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= @@ -1041,15 +1136,19 @@ github.com/mindprince/gonvml v0.0.0-20190828220739-9ebdce4bb989/go.mod h1:2eu9pR github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= +github.com/mitchellh/cli v1.1.2/go.mod h1:6iaV0fGdElS6dPBx0EApTxHrcWvmJphyh2n8YBLPPZ4= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= @@ -1059,9 +1158,15 @@ github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/ipvs v1.0.1/go.mod h1:2pngiyseZbIKXNv7hsKj3O9UEz30c53MT9005gt2hxQ= +github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= +github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= +github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= +github.com/moby/sys/mountinfo v0.6.0 h1:gUDhXQx58YNrpHlK4nSL+7y2pxFZkUcXqzFDKWdC0Oo= github.com/moby/sys/mountinfo v0.6.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc= github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw= @@ -1174,8 +1279,10 @@ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/9 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= @@ -1195,11 +1302,14 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/polyfloyd/go-errorlint v0.0.0-20210722154253-910bb7978349/go.mod h1:wi9BfjxjF/bwiZ701TzmfKu6UKC357IOAtNr0Td0Lvw= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= +github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1 h1:oL4IBbcqwhhNWh31bjOX8C/OCy0zs9906d/VUru+bqg= +github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1/go.mod h1:nSbFQvMj97ZyhFRSJYtut+msi4sOY6zJDGCdSc+/rZU= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og= github.com/prometheus/client_golang v1.5.1/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= @@ -1218,6 +1328,7 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA= github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= @@ -1230,6 +1341,7 @@ github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= @@ -1265,8 +1377,11 @@ github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUA github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM= +github.com/rubenv/sql-migrate v1.1.1 h1:haR5Hn8hbW9/SpAICrXoZqXnywS7Q5WijwkQENPeNWY= +github.com/rubenv/sql-migrate v1.1.1/go.mod h1:/7TZymwxN8VWumcIxw1jjHEcR1djpdkMHQPT4FWdnbQ= github.com/rubiojr/go-vhd v0.0.0-20200706105327-02e210299021/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww= github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= @@ -1291,6 +1406,8 @@ github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs= github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew= +github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= +github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= @@ -1324,6 +1441,8 @@ github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw= github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA= +github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= @@ -1418,15 +1537,21 @@ github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/V github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= +github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= +github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= +github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U= github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY= github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= @@ -1446,6 +1571,11 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= +github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= +github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY= +github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs= +github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= @@ -1496,7 +1626,6 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1: go.opentelemetry.io/contrib/propagators v0.19.0 h1:HrixVNZYFjUl/Db+Tr3DhqzLsVW9GeVf/Gye+C5dNUY= go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo= go.opentelemetry.io/otel v1.3.0 h1:APxLf0eiBwLl+SOXiJJCVYzA1OOJNyAoV8C5RNRyy7Y= -go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs= go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw= @@ -1505,7 +1634,6 @@ go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE= go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw= go.opentelemetry.io/otel/trace v1.3.0 h1:doy8Hzb1RJ+I3yFhtDmwNc7tIyw1tNMOIsyPzp1NOGY= -go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= go.starlark.net v0.0.0-20220223235035-243c74974e97 h1:ghIB+2LQvihWROIGpcAVPq/ce5O2uMQersgxXiOeTS4= @@ -1544,6 +1672,7 @@ golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= @@ -1553,7 +1682,9 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210314154223-e6e6c4f2bb5b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= @@ -1566,8 +1697,8 @@ golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw= -golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -1686,8 +1817,8 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e h1:TsQ7F31D3bUCLeqPT0u+yjp1guoArKaNKmCr22PYgTQ= -golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220617184016-355a448f1bc9 h1:Yqz/iviulwKwAREEeUd3nbBFn0XuyJqkoft2IlrvOhc= +golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1755,6 +1886,7 @@ golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190620070143-6f217b454f45/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -1842,6 +1974,7 @@ golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1859,6 +1992,7 @@ golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220624220833-87e55d714810 h1:rHZQSjJdAI4Xf5Qzeh2bBc5YJIkPFVM6oDtMFYmgws0= golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= @@ -2000,6 +2134,7 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.6/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= +golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -2064,8 +2199,8 @@ google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= -google.golang.org/api v0.86.0 h1:ZAnyOHQFIuWso1BodVfSaRyffD74T9ERGFa3k1fNk/U= -google.golang.org/api v0.86.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.85.0 h1:8rJoHuRxx+vCmZtAO/3k1dRLvYNVyTJtZ5oaFZvhgvc= +google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -2177,8 +2312,8 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f h1:hJ/Y5SqPXbarffmAsApliUlcvMU+wScNGfyop4bZm8o= -google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad h1:kqrS+lhvaMHCxul6sKQvKJ8nAAhlVItmZV822hYFH/U= +google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= @@ -2289,10 +2424,18 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= +helm.sh/helm v2.17.0+incompatible h1:cSe3FaQOpRWLDXvTObQNj0P7WI98IG5yloU6tQVls2k= +helm.sh/helm v2.17.0+incompatible/go.mod h1:0Xbc6ErzwWH9qC55X1+hE3ZwhM3atbhCm/NbFZw5i+4= +helm.sh/helm/v3 v3.9.2 h1:bx7kdhr5VAhYoWv9bIdT1C6qWR+/7SIoPCwLx22l78g= +helm.sh/helm/v3 v3.9.2/go.mod h1:y/dJc/0Lzcn40jgd85KQXnufhFF7sr4v6L/vYMLRaRM= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -2339,6 +2482,7 @@ k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 h1:Gii5eqf+GmIEwGNKQYQClC k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= k8s.io/kube-proxy v0.24.0/go.mod h1:OZ1k9jSwW94Rmj5hepCFea7qlGvvU+bfcosc6+dcFKA= k8s.io/kube-scheduler v0.24.0/go.mod h1:DUq+fXaC51N1kl2YnT2EZSxOph6JOmIJe/pQe5keZPc= +k8s.io/kubectl v0.24.0 h1:nA+WtMLVdXUs4wLogGd1mPTAesnLdBpCVgCmz3I7dXo= k8s.io/kubectl v0.24.0/go.mod h1:pdXkmCyHiRTqjYfyUJiXtbVNURhv0/Q1TyRhy2d5ic0= k8s.io/kubelet v0.24.0 h1:fH+D6mSr4DGIeHp/O2+mCEJhkVq3Gpgv9BVOHI+GrWY= k8s.io/kubelet v0.24.0/go.mod h1:p3BBacmHTCMpUf+nluhlyzuGHmONKAspqCvpu9oPAyA= @@ -2364,6 +2508,8 @@ mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48= mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc= mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4= mvdan.cc/unparam v0.0.0-20210104141923-aac4ce9116a7/go.mod h1:hBpJkZE8H/sb+VRFvw2+rBpHNsTBcvSpk61hr8mzXZE= +oras.land/oras-go v1.2.0 h1:yoKosVIbsPoFMqAIFHTnrmOuafHal+J/r+I5bdbVWu4= +oras.land/oras-go v1.2.0/go.mod h1:pFNs7oHp2dYsYMSS82HaX5l4mpnGO7hbpPN6EWH2ltc= pack.ag/amqp v0.11.2/go.mod h1:4/cbmt4EJXSKlG6LCfWHoqmN0uFdy5i/+YFz+fTfhV4= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= diff --git a/hack/go.mod b/hack/go.mod index 2a0dcc05d..30ca1afdf 100644 --- a/hack/go.mod +++ b/hack/go.mod @@ -96,6 +96,7 @@ require ( github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect + github.com/Masterminds/semver/v3 v3.1.1 // indirect github.com/aws/aws-sdk-go-v2 v1.16.5 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1 // indirect github.com/aws/aws-sdk-go-v2/config v1.15.11 // indirect @@ -142,9 +143,9 @@ require ( github.com/leodido/go-urn v1.2.1 // indirect github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect github.com/matryer/is v1.4.0 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sigstore/sigstore v1.3.0 // indirect @@ -153,10 +154,10 @@ require ( github.com/theupdateframework/go-tuf v0.3.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect go.opencensus.io v0.23.0 // indirect - go.opentelemetry.io/otel v1.3.0 // indirect + go.opentelemetry.io/otel/trace v1.3.0 // indirect go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.8.0 // indirect - golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 // indirect + golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect golang.org/x/sys v0.0.0-20220624220833-87e55d714810 // indirect @@ -169,5 +170,8 @@ require ( google.golang.org/protobuf v1.28.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect + helm.sh/helm v2.17.0+incompatible // indirect + helm.sh/helm/v3 v3.9.2 // indirect k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/hack/go.sum b/hack/go.sum index 4be72ab9c..8898d3bae 100644 --- a/hack/go.sum +++ b/hack/go.sum @@ -158,6 +158,8 @@ github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF0 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= +github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc= +github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= @@ -345,7 +347,7 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= -github.com/docker/docker v20.10.16+incompatible h1:2Db6ZR/+FUR3hqPMwnogOPHFn405crbpxvWzKovETOQ= +github.com/docker/docker v20.10.17+incompatible h1:JYCuMrWaVNophQTOrMMoSwudOVEfcegoZZrleKc1xwE= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= @@ -773,7 +775,6 @@ github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lL github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= -github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= @@ -1141,8 +1142,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw= -golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1759,6 +1760,10 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +helm.sh/helm v2.17.0+incompatible h1:cSe3FaQOpRWLDXvTObQNj0P7WI98IG5yloU6tQVls2k= +helm.sh/helm v2.17.0+incompatible/go.mod h1:0Xbc6ErzwWH9qC55X1+hE3ZwhM3atbhCm/NbFZw5i+4= +helm.sh/helm/v3 v3.9.2 h1:bx7kdhr5VAhYoWv9bIdT1C6qWR+/7SIoPCwLx22l78g= +helm.sh/helm/v3 v3.9.2/go.mod h1:y/dJc/0Lzcn40jgd85KQXnufhFF7sr4v6L/vYMLRaRM= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -1778,4 +1783,6 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU= diff --git a/internal/constants/constants.go b/internal/constants/constants.go index 80a62fe4c..671c081a7 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -85,6 +85,12 @@ const ( KubernetesJoinTokenTTL = 15 * time.Minute + // + // Helm. + // + + HelmNamespace = "kube-system" + // // Releases. // diff --git a/internal/deploy/helm/helm.go b/internal/deploy/helm/helm.go new file mode 100644 index 000000000..13c17e271 --- /dev/null +++ b/internal/deploy/helm/helm.go @@ -0,0 +1,12 @@ +package helm + +import "helm.sh/helm/v3/pkg/chart" + +type Deployment struct { + Chart *chart.Chart + Values map[string]interface{} +} + +type Deployments struct { + Cilium Deployment +}