mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-02-13 21:41:37 -05:00
helm: upgrade Cilium to v1.15.8 (#3392)
* helm: upgrade to Cilium v1.15.8 * fixup! helm: upgrade to Cilium v1.15.8 use proper release tag * fixup! helm: upgrade to Cilium v1.15.8 use images build from tag
This commit is contained in:
Markus Rudy
GitHub
parent
02762f7956
commit
961fabbd1a
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: cilium
|
||||
displayName: Cilium
|
||||
home: https://cilium.io/
|
||||
version: 1.15.5-edg.1
|
||||
appVersion: 1.15.5-edg.1
|
||||
version: 1.15.8-edg.0
|
||||
appVersion: 1.15.8-edg.0
|
||||
kubeVersion: ">= 1.16.0-0"
|
||||
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg
|
||||
description: eBPF-based Networking, Security, and Observability
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
# cilium
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
Cilium is open source software for providing and transparently securing
|
||||
network connectivity and loadbalancing between application workloads such as
|
||||
@ -46,7 +46,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge
|
||||
## Getting Help
|
||||
|
||||
The best way to get help if you get stuck is to ask a question on the
|
||||
[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
|
||||
[Cilium Slack channel](https://slack.cilium.io). With Cilium
|
||||
contributors across the globe, there is almost always someone available to help.
|
||||
|
||||
## Values
|
||||
@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
|
||||
| authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
|
||||
| authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. |
|
||||
| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
|
||||
| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server |
|
||||
| authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
|
||||
| authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
|
||||
| authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations |
|
||||
@ -143,7 +143,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
|
||||
| bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
|
||||
| bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
|
||||
| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
|
||||
| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:40cdac65aa6ee86c16ce107f8726c4b55ce6654d07bbdf490db6bd492587bf54","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.14","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
|
||||
| certgen.affinity | object | `{}` | Affinity for certgen |
|
||||
| certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
|
||||
| certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
|
||||
@ -171,7 +171,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
|
||||
| clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
|
||||
| clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
|
||||
| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.5","useDigest":false}` | Clustermesh API server image. |
|
||||
| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.8","useDigest":false}` | Clustermesh API server image. |
|
||||
| clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
|
||||
| clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
|
||||
| clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
|
||||
@ -213,6 +213,8 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| clustermesh.apiserver.service.annotations | object | `{}` | Annotations for the clustermesh-apiserver For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal" For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 |
|
||||
| clustermesh.apiserver.service.externalTrafficPolicy | string | `nil` | The externalTrafficPolicy of service used for apiserver access. |
|
||||
| clustermesh.apiserver.service.internalTrafficPolicy | string | `nil` | The internalTrafficPolicy of service used for apiserver access. |
|
||||
| clustermesh.apiserver.service.loadBalancerClass | string | `nil` | Configure a loadBalancerClass. Allows to configure the loadBalancerClass on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer (requires Kubernetes 1.24+). |
|
||||
| clustermesh.apiserver.service.loadBalancerIP | string | `nil` | Configure a specific loadBalancerIP. Allows to configure a specific loadBalancerIP on the clustermesh-apiserver LB service in case the Service type is set to LoadBalancer. |
|
||||
| clustermesh.apiserver.service.nodePort | int | `32379` | Optional port to use as the node port for apiserver access. WARNING: make sure to configure a different NodePort in each cluster if kube-proxy replacement is enabled, as Cilium is currently affected by a known bug (#24692) when NodePorts are handled by the KPR implementation. If a service with the same NodePort exists both in the local and the remote cluster, all traffic originating from inside the cluster and targeting the corresponding NodePort will be redirected to a local backend, regardless of whether the destination node belongs to the local or the remote cluster. |
|
||||
| clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. |
|
||||
| clustermesh.apiserver.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for the clustermesh-apiserver deployment |
|
||||
@ -274,6 +276,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| dnsProxy.preCache | string | `""` | DNS cache data at this path is preloaded on agent startup. |
|
||||
| dnsProxy.proxyPort | int | `0` | Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. |
|
||||
| dnsProxy.proxyResponseMaxDelay | string | `"100ms"` | The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. |
|
||||
| dnsProxy.socketLingerTimeout | int | `10` | Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background. |
|
||||
| egressGateway.enabled | bool | `false` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
|
||||
| egressGateway.installRoutes | bool | `false` | Deprecated without a replacement necessary. |
|
||||
| egressGateway.reconciliationTriggerInterval | string | `"1s"` | Time between triggers of egress gateway state reconciliations |
|
||||
@ -335,7 +338,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
|
||||
| envoy.healthPort | int | `9878` | TCP port for the health API. |
|
||||
| envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
|
||||
| envoy.image | object | `{"digest":"sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515","useDigest":true}` | Envoy container image. |
|
||||
| envoy.image | object | `{"digest":"sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51","useDigest":true}` | Envoy container image. |
|
||||
| envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
|
||||
| envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
|
||||
| envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
|
||||
@ -463,7 +466,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
|
||||
| hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
|
||||
| hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
|
||||
| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.5","useDigest":false}` | Hubble-relay container image. |
|
||||
| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.8","useDigest":false}` | Hubble-relay container image. |
|
||||
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
|
||||
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
|
||||
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
|
||||
@ -521,7 +524,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
|
||||
| hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
|
||||
| hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
|
||||
| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. |
|
||||
| hubble.ui.backend.image | object | `{"digest":"sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.1","useDigest":true}` | Hubble-ui backend image. |
|
||||
| hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
|
||||
| hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) |
|
||||
| hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
|
||||
@ -531,7 +534,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
|
||||
| hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
|
||||
| hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
|
||||
| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. |
|
||||
| hubble.ui.frontend.image | object | `{"digest":"sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.1","useDigest":true}` | Hubble-ui frontend image. |
|
||||
| hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
|
||||
| hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
|
||||
| hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
|
||||
@ -558,7 +561,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
|
||||
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
|
||||
| identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
|
||||
| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":false}` | Agent container image. |
|
||||
| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.8","useDigest":false}` | Agent container image. |
|
||||
| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
|
||||
| ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
|
||||
| ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
|
||||
@ -647,7 +650,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. |
|
||||
| nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. |
|
||||
| nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. |
|
||||
| nodeinit.image | object | `{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}` | node-init image. |
|
||||
| nodeinit.image | object | `{"digest":"sha256:8d7b41c4ca45860254b3c19e20210462ef89479bb6331d6760c4e609d651b29c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"c54c7edeab7fde4da68e59acd319ab24af242c3f","useDigest":true}` | node-init image. |
|
||||
| nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
|
||||
| nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. |
|
||||
| nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. |
|
||||
@ -673,7 +676,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
|
||||
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
|
||||
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
|
||||
| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.5","useDigest":false}` | cilium-operator image. |
|
||||
| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.8","useDigest":false}` | cilium-operator image. |
|
||||
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
|
||||
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
|
||||
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
|
||||
@ -724,7 +727,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
|
||||
| preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
|
||||
| preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
|
||||
| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":false}` | Cilium pre-flight image. |
|
||||
| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.8","useDigest":false}` | Cilium pre-flight image. |
|
||||
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
|
||||
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
|
||||
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
|
||||
@ -784,6 +787,8 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| startupProbe.periodSeconds | int | `2` | interval between checks of the startup probe |
|
||||
| svcSourceRangeCheck | bool | `true` | Enable check of service source ranges (currently, only for LoadBalancer). |
|
||||
| synchronizeK8sNodes | bool | `true` | Synchronize Kubernetes nodes to kvstore and perform CNP GC. |
|
||||
| sysctlfix | object | `{"enabled":true}` | Configure sysctl override described in #20072. |
|
||||
| sysctlfix.enabled | bool | `true` | Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute. |
|
||||
| terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-agent DaemonSet. |
|
||||
| tls | object | `{"ca":{"cert":"","certValidityDuration":1095,"key":""},"caBundle":{"enabled":false,"key":"ca.crt","name":"cilium-root-ca.crt","useSecret":false},"secretsBackend":"local"}` | Configure TLS configuration in the agent. |
|
||||
| tls.ca | object | `{"cert":"","certValidityDuration":1095,"key":""}` | Base64 encoded PEM values for the CA certificate and private key. This can be used as common CA to generate certificates used by hubble and clustermesh components. It is neither required nor used when cert-manager is used to generate the certificates. |
|
||||
|
||||
@ -48,7 +48,7 @@ offer from the [Getting Started Guides page](https://docs.cilium.io/en/stable/ge
|
||||
## Getting Help
|
||||
|
||||
The best way to get help if you get stuck is to ask a question on the
|
||||
[Cilium Slack channel](https://cilium.herokuapp.com/). With Cilium
|
||||
[Cilium Slack channel](https://slack.cilium.io). With Cilium
|
||||
contributors across the globe, there is almost always someone available to help.
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
|
||||
@ -3194,7 +3194,23 @@
|
||||
"style": "dark",
|
||||
"tags": [],
|
||||
"templating": {
|
||||
"list": []
|
||||
"list": [
|
||||
{
|
||||
"current": {},
|
||||
"hide": 0,
|
||||
"includeAll": false,
|
||||
"label": "Prometheus",
|
||||
"multi": false,
|
||||
"name": "DS_PROMETHEUS",
|
||||
"options": [],
|
||||
"query": "prometheus",
|
||||
"queryValue": "",
|
||||
"refresh": 1,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"type": "datasource"
|
||||
}
|
||||
]
|
||||
},
|
||||
"time": {
|
||||
"from": "now-6h",
|
||||
|
||||
@ -484,7 +484,7 @@
|
||||
"includeAll": false,
|
||||
"label": "Data Source",
|
||||
"multi": false,
|
||||
"name": "prometheus_datasource",
|
||||
"name": "DS_PROMETHEUS",
|
||||
"options": [],
|
||||
"query": "prometheus",
|
||||
"queryValue": "",
|
||||
|
||||
@ -883,7 +883,7 @@
|
||||
"includeAll": false,
|
||||
"label": "Data Source",
|
||||
"multi": false,
|
||||
"name": "prometheus_datasource",
|
||||
"name": "DS_PROMETHEUS",
|
||||
"options": [],
|
||||
"query": "prometheus",
|
||||
"queryValue": "",
|
||||
|
||||
@ -43,62 +43,7 @@ where:
|
||||
{{- if $priorityClass }}
|
||||
{{- $priorityClass }}
|
||||
{{- else if and $root.Values.enableCriticalPriorityClass $criticalPriorityClass -}}
|
||||
{{- if and (eq $root.Release.Namespace "kube-system") (semverCompare ">=1.10-0" $root.Capabilities.KubeVersion.Version) -}}
|
||||
{{- $criticalPriorityClass }}
|
||||
{{- else if semverCompare ">=1.17-0" $root.Capabilities.KubeVersion.Version -}}
|
||||
{{- $criticalPriorityClass }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for ingress.
|
||||
*/}}
|
||||
{{- define "ingress.apiVersion" -}}
|
||||
{{- if semverCompare ">=1.16-0, <1.19-0" .Capabilities.KubeVersion.Version -}}
|
||||
{{- print "networking.k8s.io/v1beta1" -}}
|
||||
{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}}
|
||||
{{- print "networking.k8s.io/v1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate backend for Hubble UI ingress.
|
||||
*/}}
|
||||
{{- define "ingress.paths" -}}
|
||||
{{ if semverCompare ">=1.4-0, <1.19-0" .Capabilities.KubeVersion.Version -}}
|
||||
backend:
|
||||
serviceName: hubble-ui
|
||||
servicePort: http
|
||||
{{- else if semverCompare "^1.19-0" .Capabilities.KubeVersion.Version -}}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hubble-ui
|
||||
port:
|
||||
name: http
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for cronjob.
|
||||
*/}}
|
||||
{{- define "cronjob.apiVersion" -}}
|
||||
{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
|
||||
{{- print "batch/v1" -}}
|
||||
{{- else -}}
|
||||
{{- print "batch/v1beta1" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiVersion for podDisruptionBudget.
|
||||
*/}}
|
||||
{{- define "podDisruptionBudget.apiVersion" -}}
|
||||
{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version -}}
|
||||
{{- print "policy/v1" -}}
|
||||
{{- else -}}
|
||||
{{- print "policy/v1beta1" -}}
|
||||
{{- $criticalPriorityClass }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
@ -122,7 +122,6 @@ spec:
|
||||
{{- with .Values.extraArgs }}
|
||||
{{- toYaml . | trim | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
startupProbe:
|
||||
httpGet:
|
||||
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
|
||||
@ -136,7 +135,6 @@ spec:
|
||||
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
|
||||
successThreshold: 1
|
||||
initialDelaySeconds: 5
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
|
||||
exec:
|
||||
@ -154,14 +152,6 @@ spec:
|
||||
- name: "brief"
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
# The initial delay for the liveness probe is intentionally large to
|
||||
# avoid an endless kill & restart cycle if in the event that the initial
|
||||
# bootstrapping takes longer than expected.
|
||||
# Starting from Kubernetes 1.20, we are using startupProbe instead
|
||||
# of this field.
|
||||
initialDelaySeconds: 120
|
||||
{{- end }}
|
||||
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
|
||||
successThreshold: 1
|
||||
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
|
||||
@ -183,9 +173,6 @@ spec:
|
||||
- name: "brief"
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
initialDelaySeconds: 5
|
||||
{{- end }}
|
||||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
||||
successThreshold: 1
|
||||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
||||
@ -526,6 +513,8 @@ spec:
|
||||
drop:
|
||||
- ALL
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
{{- if .Values.sysctlfix.enabled }}
|
||||
- name: apply-sysctl-overwrites
|
||||
image: {{ include "cilium.image" .Values.image | quote }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
@ -790,7 +779,6 @@ spec:
|
||||
- NET_ADMIN
|
||||
restartPolicy: Always
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.cilium.automount }}
|
||||
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|
||||
@ -840,8 +828,8 @@ spec:
|
||||
path: /sys/fs/bpf
|
||||
type: DirectoryOrCreate
|
||||
{{- end }}
|
||||
{{- if .Values.cgroup.autoMount.enabled }}
|
||||
# To mount cgroup2 filesystem on the host
|
||||
{{- if or .Values.cgroup.autoMount.enabled .Values.sysctlfix.enabled }}
|
||||
# To mount cgroup2 filesystem on the host or apply sysctlfix
|
||||
- name: hostproc
|
||||
hostPath:
|
||||
path: /proc
|
||||
|
||||
@ -1173,6 +1173,9 @@ data:
|
||||
# default DNS proxy to transparent mode in non-chaining modes
|
||||
dnsproxy-enable-transparent-mode: {{ $defaultDNSProxyEnableTransparentMode | quote }}
|
||||
{{- end }}
|
||||
{{- if (not (kindIs "invalid" .Values.dnsProxy.socketLingerTimeout)) }}
|
||||
dnsproxy-socket-linger-timeout: {{ .Values.dnsProxy.socketLingerTimeout | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.dnsProxy.dnsRejectResponseCode }}
|
||||
tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }}
|
||||
{{- end }}
|
||||
|
||||
@ -90,7 +90,6 @@ spec:
|
||||
{{- with .Values.envoy.extraArgs }}
|
||||
{{- toYaml . | trim | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
startupProbe:
|
||||
httpGet:
|
||||
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
|
||||
@ -101,21 +100,12 @@ spec:
|
||||
periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }}
|
||||
successThreshold: 1
|
||||
initialDelaySeconds: 5
|
||||
{{- end }}
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
|
||||
path: /healthz
|
||||
port: {{ .Values.envoy.healthPort }}
|
||||
scheme: HTTP
|
||||
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
# The initial delay for the liveness probe is intentionally large to
|
||||
# avoid an endless kill & restart cycle if in the event that the initial
|
||||
# bootstrapping takes longer than expected.
|
||||
# Starting from Kubernetes 1.20, we are using startupProbe instead
|
||||
# of this field.
|
||||
initialDelaySeconds: 120
|
||||
{{- end }}
|
||||
periodSeconds: {{ .Values.envoy.livenessProbe.periodSeconds }}
|
||||
successThreshold: 1
|
||||
failureThreshold: {{ .Values.envoy.livenessProbe.failureThreshold }}
|
||||
@ -126,9 +116,6 @@ spec:
|
||||
path: /healthz
|
||||
port: {{ .Values.envoy.healthPort }}
|
||||
scheme: HTTP
|
||||
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
initialDelaySeconds: 5
|
||||
{{- end }}
|
||||
periodSeconds: {{ .Values.envoy.readinessProbe.periodSeconds }}
|
||||
successThreshold: 1
|
||||
failureThreshold: {{ .Values.envoy.readinessProbe.failureThreshold }}
|
||||
@ -214,7 +201,6 @@ spec:
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.envoy.priorityClassName "system-node-critical") }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.envoy.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.envoy.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.envoy.automount }}
|
||||
terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
|
||||
|
||||
@ -24,14 +24,12 @@ spec:
|
||||
protocol: TCP
|
||||
nodePort: {{ .Values.ingressController.service.secureNodePort }}
|
||||
type: {{ .Values.ingressController.service.type }}
|
||||
{{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}}
|
||||
{{- if .Values.ingressController.service.loadBalancerClass }}
|
||||
loadBalancerClass: {{ .Values.ingressController.service.loadBalancerClass }}
|
||||
{{- end }}
|
||||
{{- if (not (kindIs "invalid" .Values.ingressController.service.allocateLoadBalancerNodePorts)) }}
|
||||
allocateLoadBalancerNodePorts: {{ .Values.ingressController.service.allocateLoadBalancerNodePorts }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- if .Values.ingressController.service.loadBalancerIP }}
|
||||
loadBalancerIP: {{ .Values.ingressController.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
|
||||
@ -114,7 +114,6 @@ spec:
|
||||
hostNetwork: true
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.nodeinit.priorityClassName "system-node-critical") }}
|
||||
{{- if .Values.serviceAccounts.nodeinit.enabled }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.nodeinit.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.nodeinit.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.nodeinit.automount }}
|
||||
{{- end }}
|
||||
|
||||
@ -252,7 +252,6 @@ spec:
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.operator.priorityClassName "system-cluster-critical") }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.operator.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.operator.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.operator.automount }}
|
||||
{{- with .Values.operator.affinity }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{{- if and .Values.operator.enabled .Values.operator.podDisruptionBudget.enabled }}
|
||||
{{- $component := .Values.operator.podDisruptionBudget }}
|
||||
apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: cilium-operator
|
||||
|
||||
@ -176,10 +176,13 @@ spec:
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
restartPolicy: Always
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-node-critical") }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }}
|
||||
terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }}
|
||||
{{- with .Values.preflight.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.preflight.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | trim | nindent 8 }}
|
||||
|
||||
@ -88,7 +88,6 @@ spec:
|
||||
hostNetwork: true
|
||||
restartPolicy: Always
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-cluster-critical") }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }}
|
||||
terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{{- if and .Values.preflight.enabled .Values.preflight.validateCNPs .Values.preflight.podDisruptionBudget.enabled }}
|
||||
{{- $component := .Values.preflight.podDisruptionBudget }}
|
||||
apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: cilium-pre-flight-check
|
||||
|
||||
@ -404,7 +404,6 @@ spec:
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
|
||||
terminationGracePeriodSeconds: {{ .Values.clustermesh.apiserver.terminationGracePeriodSeconds }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.clustermeshApiserver.automount }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.podDisruptionBudget.enabled }}
|
||||
{{- $component := .Values.clustermesh.apiserver.podDisruptionBudget }}
|
||||
apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: clustermesh-apiserver
|
||||
|
||||
@ -26,6 +26,9 @@ spec:
|
||||
{{- if and (eq "NodePort" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.nodePort }}
|
||||
nodePort: {{ .Values.clustermesh.apiserver.service.nodePort }}
|
||||
{{- end }}
|
||||
{{- if and (eq "LoadBalancer" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.loadBalancerClass }}
|
||||
loadBalancerClass: {{ .Values.clustermesh.apiserver.service.loadBalancerClass }}
|
||||
{{- end }}
|
||||
{{- if and (eq "LoadBalancer" .Values.clustermesh.apiserver.service.type) .Values.clustermesh.apiserver.service.loadBalancerIP }}
|
||||
loadBalancerIP: {{ .Values.clustermesh.apiserver.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") .Values.clustermesh.apiserver.tls.auto.schedule }}
|
||||
apiVersion: {{ include "cronjob.apiVersion" . }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: clustermesh-apiserver-generate-certs
|
||||
|
||||
@ -110,7 +110,6 @@ spec:
|
||||
hostNetwork: true
|
||||
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }}
|
||||
restartPolicy: Always
|
||||
serviceAccount: {{ .Values.serviceAccounts.etcd.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.etcd.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.etcd.automount }}
|
||||
{{- with .Values.etcd.nodeSelector }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{{- if and .Values.etcd.managed .Values.etcd.podDisruptionBudget.enabled }}
|
||||
{{- $component := .Values.etcd.podDisruptionBudget }}
|
||||
apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: cilium-etcd-operator
|
||||
|
||||
@ -71,26 +71,37 @@ spec:
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
{{- include "hubble-relay.probe" . | nindent 12 }}
|
||||
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
# Starting from Kubernetes 1.20, we are using startupProbe instead
|
||||
# of this field.
|
||||
initialDelaySeconds: 5
|
||||
{{- end }}
|
||||
grpc:
|
||||
port: 4222
|
||||
timeoutSeconds: 3
|
||||
# livenessProbe will kill the pod, we should be very conservative
|
||||
# here on failures since killing the pod should be a last resort, and
|
||||
# we should provide enough time for relay to retry before killing it.
|
||||
livenessProbe:
|
||||
{{- include "hubble-relay.probe" . | nindent 12 }}
|
||||
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
# Starting from Kubernetes 1.20, we are using startupProbe instead
|
||||
# of this field.
|
||||
initialDelaySeconds: 60
|
||||
{{- end }}
|
||||
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
|
||||
grpc:
|
||||
port: 4222
|
||||
timeoutSeconds: 10
|
||||
# Give relay time to establish connections and make a few retries
|
||||
# before starting livenessProbes.
|
||||
initialDelaySeconds: 10
|
||||
# 10 second * 12 failures = 2 minutes of failure.
|
||||
# If relay cannot become healthy after 2 minutes, then killing it
|
||||
# might resolve whatever issue is occurring.
|
||||
#
|
||||
# 10 seconds is a reasonable retry period so we can see if it's
|
||||
# failing regularly or only sporadically.
|
||||
periodSeconds: 10
|
||||
failureThreshold: 12
|
||||
startupProbe:
|
||||
# give the relay one minute to start up
|
||||
{{- include "hubble-relay.probe" . | nindent 12 }}
|
||||
grpc:
|
||||
port: 4222
|
||||
# Give relay time to get it's certs and establish connections and
|
||||
# make a few retries before starting startupProbes.
|
||||
initialDelaySeconds: 10
|
||||
# 20 * 3 seconds = 1 minute of failure before we consider startup as failed.
|
||||
failureThreshold: 20
|
||||
# Retry more frequently at startup so that it can be considered started more quickly.
|
||||
periodSeconds: 3
|
||||
{{- end }}
|
||||
{{- with .Values.hubble.relay.extraEnv }}
|
||||
env:
|
||||
{{- toYaml . | trim | nindent 12 }}
|
||||
@ -114,7 +125,6 @@ spec:
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
restartPolicy: Always
|
||||
priorityClassName: {{ .Values.hubble.relay.priorityClassName }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.relay.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.relay.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.relay.automount }}
|
||||
terminationGracePeriodSeconds: {{ .Values.hubble.relay.terminationGracePeriodSeconds }}
|
||||
@ -185,17 +195,3 @@ spec:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "hubble-relay.probe" }}
|
||||
{{- /* This distinction can be removed once we drop support for k8s 1.23 */}}
|
||||
{{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}}
|
||||
grpc:
|
||||
port: 4222
|
||||
{{- else }}
|
||||
exec:
|
||||
command:
|
||||
- grpc_health_probe
|
||||
- -addr=localhost:4222
|
||||
{{- end }}
|
||||
timeoutSeconds: 3
|
||||
{{- end }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled .Values.hubble.relay.podDisruptionBudget.enabled }}
|
||||
{{- $component := .Values.hubble.relay.podDisruptionBudget }}
|
||||
apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: hubble-relay
|
||||
|
||||
@ -40,13 +40,10 @@ spec:
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with .Values.hubble.ui.securityContext }}
|
||||
{{- if .enabled }}
|
||||
securityContext:
|
||||
{{- omit . "enabled" | toYaml | nindent 8 }}
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
priorityClassName: {{ .Values.hubble.ui.priorityClassName }}
|
||||
serviceAccount: {{ .Values.serviceAccounts.ui.name | quote }}
|
||||
serviceAccountName: {{ .Values.serviceAccounts.ui.name | quote }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccounts.ui.automount }}
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.ingress.enabled }}
|
||||
{{- $baseUrl := .Values.hubble.ui.baseUrl -}}
|
||||
apiVersion: {{ template "ingress.apiVersion" . }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: hubble-ui
|
||||
@ -35,6 +35,11 @@ spec:
|
||||
http:
|
||||
paths:
|
||||
- path: {{ $baseUrl | quote }}
|
||||
{{- include "ingress.paths" $ | nindent 12 }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hubble-ui
|
||||
port:
|
||||
name: http
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled .Values.hubble.ui.podDisruptionBudget.enabled }}
|
||||
{{- $component := .Values.hubble.ui.podDisruptionBudget }}
|
||||
apiVersion: {{ include "podDisruptionBudget.apiVersion" . }}
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: hubble-ui
|
||||
|
||||
@ -24,7 +24,5 @@ spec:
|
||||
{{- end }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.hubble.peerService.targetPort }}
|
||||
{{- if semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion }}
|
||||
internalTrafficPolicy: Local
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "cronJob") .Values.hubble.tls.auto.schedule }}
|
||||
apiVersion: {{ include "cronjob.apiVersion" . }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: hubble-generate-certs
|
||||
|
||||
@ -1,3 +1,17 @@
|
||||
{{/* validate deprecated options are not being used */}}
|
||||
{{- if .Values.tunnel }}
|
||||
{{ fail "tunnel was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
|
||||
{{- end }}
|
||||
{{- if or (dig "clustermesh" "apiserver" "tls" "ca" "cert" "" .Values.AsMap) (dig "clustermesh" "apiserver" "tls" "ca" "key" "" .Values.AsMap) }}
|
||||
{{ fail "clustermesh.apiserver.tls.ca.cert and clustermesh.apiserver.tls.ca.key were deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
|
||||
{{- end }}
|
||||
{{- if .Values.enableK8sEventHandover }}
|
||||
{{ fail "enableK8sEventHandover was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
|
||||
{{- end }}
|
||||
{{- if .Values.enableCnpStatusUpdates }}
|
||||
{{ fail "enableCnpStatusUpdates was deprecated in v1.14 and has been removed in v1.15. For details please refer to https://docs.cilium.io/en/v1.15/operations/upgrade/#helm-options" }}
|
||||
{{- end }}
|
||||
|
||||
{{/* validate hubble config */}}
|
||||
{{- if and .Values.hubble.ui.enabled (not .Values.hubble.ui.standalone.enabled) }}
|
||||
{{- if not .Values.hubble.relay.enabled }}
|
||||
|
||||
@ -146,7 +146,7 @@ rollOutCiliumPods: false
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/cilium"
|
||||
tag: "v1.15.5"
|
||||
tag: "v1.15.8"
|
||||
pullPolicy: "IfNotPresent"
|
||||
# cilium-digest
|
||||
digest: ""
|
||||
@ -981,8 +981,8 @@ certgen:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/certgen"
|
||||
tag: "v0.1.12"
|
||||
digest: "sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e"
|
||||
tag: "v0.1.14"
|
||||
digest: "sha256:40cdac65aa6ee86c16ce107f8726c4b55ce6654d07bbdf490db6bd492587bf54"
|
||||
useDigest: true
|
||||
pullPolicy: "IfNotPresent"
|
||||
# -- Seconds after which the completed job pod will be deleted
|
||||
@ -1240,7 +1240,7 @@ hubble:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/hubble-relay"
|
||||
tag: "v1.15.5"
|
||||
tag: "v1.15.8"
|
||||
# hubble-relay-digest
|
||||
digest: ""
|
||||
useDigest: false
|
||||
@ -1477,8 +1477,8 @@ hubble:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/hubble-ui-backend"
|
||||
tag: "v0.13.0"
|
||||
digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803"
|
||||
tag: "v0.13.1"
|
||||
digest: "sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b"
|
||||
useDigest: true
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
@ -1516,8 +1516,8 @@ hubble:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/hubble-ui"
|
||||
tag: "v0.13.0"
|
||||
digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666"
|
||||
tag: "v0.13.1"
|
||||
digest: "sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6"
|
||||
useDigest: true
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
@ -2084,9 +2084,9 @@ envoy:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/cilium-envoy"
|
||||
tag: "v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515"
|
||||
tag: "v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51"
|
||||
pullPolicy: "IfNotPresent"
|
||||
digest: "sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380"
|
||||
digest: "sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b"
|
||||
useDigest: true
|
||||
|
||||
# -- Additional containers added to the cilium Envoy DaemonSet.
|
||||
@ -2507,7 +2507,7 @@ operator:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/operator"
|
||||
tag: "v1.15.5"
|
||||
tag: "v1.15.8"
|
||||
# operator-generic-digest
|
||||
genericDigest: ""
|
||||
# operator-azure-digest
|
||||
@ -2710,8 +2710,8 @@ nodeinit:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/startup-script"
|
||||
tag: "19fb149fb3d5c7a37d3edfaf10a2be3ab7386661"
|
||||
digest: "sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456"
|
||||
tag: "c54c7edeab7fde4da68e59acd319ab24af242c3f"
|
||||
digest: "sha256:8d7b41c4ca45860254b3c19e20210462ef89479bb6331d6760c4e609d651b29c"
|
||||
useDigest: true
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
@ -2808,7 +2808,7 @@ preflight:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/cilium"
|
||||
tag: "v1.15.5"
|
||||
tag: "v1.15.8"
|
||||
# cilium-digest
|
||||
digest: ""
|
||||
useDigest: false
|
||||
@ -2970,7 +2970,7 @@ clustermesh:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/clustermesh-apiserver"
|
||||
tag: "v1.15.5"
|
||||
tag: "v1.15.8"
|
||||
# clustermesh-apiserver-digest
|
||||
digest: ""
|
||||
useDigest: false
|
||||
@ -3058,9 +3058,6 @@ clustermesh:
|
||||
# NodePort will be redirected to a local backend, regardless of whether the
|
||||
# destination node belongs to the local or the remote cluster.
|
||||
nodePort: 32379
|
||||
# -- Optional loadBalancer IP address to use with type LoadBalancer.
|
||||
# loadBalancerIP:
|
||||
|
||||
# -- Annotations for the clustermesh-apiserver
|
||||
# For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
|
||||
# For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
|
||||
@ -3072,6 +3069,21 @@ clustermesh:
|
||||
# -- The internalTrafficPolicy of service used for apiserver access.
|
||||
internalTrafficPolicy:
|
||||
|
||||
# @schema
|
||||
# type: [null, string]
|
||||
# @schema
|
||||
# -- Configure a loadBalancerClass.
|
||||
# Allows to configure the loadBalancerClass on the clustermesh-apiserver
|
||||
# LB service in case the Service type is set to LoadBalancer
|
||||
# (requires Kubernetes 1.24+).
|
||||
loadBalancerClass: ~
|
||||
# @schema
|
||||
# type: [null, string]
|
||||
# @schema
|
||||
# -- Configure a specific loadBalancerIP.
|
||||
# Allows to configure a specific loadBalancerIP on the clustermesh-apiserver
|
||||
# LB service in case the Service type is set to LoadBalancer.
|
||||
loadBalancerIP: ~
|
||||
# -- Number of replicas run for the clustermesh-apiserver deployment.
|
||||
replicas: 1
|
||||
|
||||
@ -3329,7 +3341,10 @@ cgroup:
|
||||
# memory: 128Mi
|
||||
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
|
||||
hostRoot: /run/cilium/cgroupv2
|
||||
|
||||
# -- Configure sysctl override described in #20072.
|
||||
sysctlfix:
|
||||
# -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.
|
||||
enabled: true
|
||||
# -- Configure whether to enable auto detect of terminating state for endpoints
|
||||
# in order to support graceful termination.
|
||||
enableK8sTerminatingEndpoint: true
|
||||
@ -3342,6 +3357,8 @@ enableK8sTerminatingEndpoint: true
|
||||
agentNotReadyTaintKey: "node.cilium.io/agent-not-ready"
|
||||
|
||||
dnsProxy:
|
||||
# -- Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
|
||||
socketLingerTimeout: 10
|
||||
# -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
|
||||
dnsRejectResponseCode: refused
|
||||
# -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
|
||||
@ -3411,7 +3428,7 @@ authentication:
|
||||
override: ~
|
||||
repository: "docker.io/library/busybox"
|
||||
tag: "1.36.1"
|
||||
digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b"
|
||||
digest: "sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"
|
||||
useDigest: true
|
||||
pullPolicy: "IfNotPresent"
|
||||
# SPIRE agent configuration
|
||||
|
||||
@ -3055,9 +3055,6 @@ clustermesh:
|
||||
# NodePort will be redirected to a local backend, regardless of whether the
|
||||
# destination node belongs to the local or the remote cluster.
|
||||
nodePort: 32379
|
||||
# -- Optional loadBalancer IP address to use with type LoadBalancer.
|
||||
# loadBalancerIP:
|
||||
|
||||
# -- Annotations for the clustermesh-apiserver
|
||||
# For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
|
||||
# For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
|
||||
@ -3069,6 +3066,21 @@ clustermesh:
|
||||
# -- The internalTrafficPolicy of service used for apiserver access.
|
||||
internalTrafficPolicy:
|
||||
|
||||
# @schema
|
||||
# type: [null, string]
|
||||
# @schema
|
||||
# -- Configure a loadBalancerClass.
|
||||
# Allows to configure the loadBalancerClass on the clustermesh-apiserver
|
||||
# LB service in case the Service type is set to LoadBalancer
|
||||
# (requires Kubernetes 1.24+).
|
||||
loadBalancerClass: ~
|
||||
# @schema
|
||||
# type: [null, string]
|
||||
# @schema
|
||||
# -- Configure a specific loadBalancerIP.
|
||||
# Allows to configure a specific loadBalancerIP on the clustermesh-apiserver
|
||||
# LB service in case the Service type is set to LoadBalancer.
|
||||
loadBalancerIP: ~
|
||||
# -- Number of replicas run for the clustermesh-apiserver deployment.
|
||||
replicas: 1
|
||||
|
||||
@ -3326,7 +3338,10 @@ cgroup:
|
||||
# memory: 128Mi
|
||||
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
|
||||
hostRoot: /run/cilium/cgroupv2
|
||||
|
||||
# -- Configure sysctl override described in #20072.
|
||||
sysctlfix:
|
||||
# -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.
|
||||
enabled: true
|
||||
# -- Configure whether to enable auto detect of terminating state for endpoints
|
||||
# in order to support graceful termination.
|
||||
enableK8sTerminatingEndpoint: true
|
||||
@ -3339,6 +3354,8 @@ enableK8sTerminatingEndpoint: true
|
||||
agentNotReadyTaintKey: "node.cilium.io/agent-not-ready"
|
||||
|
||||
dnsProxy:
|
||||
# -- Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
|
||||
socketLingerTimeout: 10
|
||||
# -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
|
||||
dnsRejectResponseCode: refused
|
||||
# -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
diff --git a/install/kubernetes/cilium/Chart.yaml b/install/kubernetes/cilium/Chart.yaml
|
||||
index 4df10f166b..9f079933b2 100644
|
||||
--- a/install/kubernetes/cilium/Chart.yaml
|
||||
+++ b/install/kubernetes/cilium/Chart.yaml
|
||||
@@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: cilium
|
||||
displayName: Cilium
|
||||
home: https://cilium.io/
|
||||
-version: 1.15.5
|
||||
-appVersion: 1.15.5
|
||||
+version: 1.15.5-edg.1
|
||||
+appVersion: 1.15.5-edg.1
|
||||
kubeVersion: ">= 1.16.0-0"
|
||||
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg
|
||||
description: eBPF-based Networking, Security, and Observability
|
||||
diff --git a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
|
||||
index ffd5935ba1..e2b8ccff6c 100644
|
||||
--- a/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
|
||||
+++ b/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml
|
||||
@@ -764,13 +764,14 @@ spec:
|
||||
- -exc
|
||||
- |
|
||||
pref=32
|
||||
- interface=$(ip route | awk '/^default/ { print $5 }')
|
||||
- tc qdisc add dev "${interface}" clsact || true
|
||||
- tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
|
||||
- handle=0
|
||||
- for cidr in ${POD_CIDRS}; do
|
||||
- handle=$((handle + 1))
|
||||
- tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
|
||||
+ for interface in $(ip route | awk '/^default/ { print $5 }'); do
|
||||
+ tc qdisc add dev "${interface}" clsact || true
|
||||
+ tc filter del dev "${interface}" ingress pref "${pref}" 2>/dev/null || true
|
||||
+ handle=0
|
||||
+ for cidr in ${POD_CIDRS}; do
|
||||
+ handle=$((handle + 1))
|
||||
+ tc filter replace dev "${interface}" ingress pref "${pref}" handle "${handle}" protocol ip flower dst_ip "${cidr}" action drop
|
||||
+ done
|
||||
done
|
||||
env:
|
||||
- name: POD_CIDRS
|
||||
@ -21,14 +21,13 @@ git clone \
|
||||
--no-checkout \
|
||||
--sparse \
|
||||
--depth 1 \
|
||||
-b v1.15.5-edg.1 \
|
||||
-b v1.15.8-edg.0 \
|
||||
https://github.com/edgelesssys/cilium.git
|
||||
cd cilium
|
||||
|
||||
git sparse-checkout add install/kubernetes/cilium
|
||||
git checkout
|
||||
|
||||
git apply "${calldir}/cilium.patch"
|
||||
cp -r install/kubernetes/cilium "${calldir}/charts"
|
||||
|
||||
echo # final newline
|
||||
|
||||
@ -198,7 +198,7 @@ func TestHelmApply(t *testing.T) {
|
||||
if tc.clusterCertManagerVersion != nil {
|
||||
certManagerVersion = *tc.clusterCertManagerVersion
|
||||
}
|
||||
helmListVersion(lister, "cilium", "v1.15.5-edg.1")
|
||||
helmListVersion(lister, "cilium", "v1.15.8-edg.0")
|
||||
helmListVersion(lister, "coredns", "v0.0.0")
|
||||
helmListVersion(lister, "cert-manager", certManagerVersion)
|
||||
helmListVersion(lister, "constellation-services", tc.clusterMicroServiceVersion)
|
||||
|
||||
@ -381,18 +381,18 @@ func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any,
|
||||
"image": map[string]any{
|
||||
"repository": "ghcr.io/edgelesssys/cilium/cilium",
|
||||
"suffix": "",
|
||||
"tag": "v1.15.5-edg.1-experimental",
|
||||
"digest": "sha256:a7e33355e6c632c826bfce37a8789b58a708c2743b7c1023bc01dbda3cccc241",
|
||||
"tag": "v1.15.8-edg.0",
|
||||
"digest": "sha256:67aedd821a732e9ba3e34d200c389122384b70c05ba9a5ffb6ad813a53f2d4db",
|
||||
"useDigest": true,
|
||||
},
|
||||
"operator": map[string]any{
|
||||
"image": map[string]any{
|
||||
"repository": "ghcr.io/edgelesssys/cilium/operator",
|
||||
"suffix": "",
|
||||
"tag": "v1.15.5-edg.1-experimental",
|
||||
"tag": "v1.15.8-edg.0",
|
||||
// Careful: this is the digest of ghcr.io/.../operator-generic!
|
||||
// See magic image manipulation in ./helm/charts/cilium/templates/cilium-operator/_helpers.tpl.
|
||||
"genericDigest": "sha256:f1706b15fa7fc94c3a7d082a93f249f42d4811eb5e2472805a461ba1be3938a7",
|
||||
"genericDigest": "sha256:dd41e2a65c607ac929d872f10b9d0c3eff88aafa99e7c062e9c240b14943dd2e",
|
||||
"useDigest": true,
|
||||
},
|
||||
"podDisruptionBudget": map[string]any{
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user