From f35ac667b715a46df0fb8db049b8bb8e46ba06ca Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 1 Aug 2025 14:48:51 +0200
Subject: [PATCH] helm: bump Cilium version to v1.15.19-edg.0 (#3894)

* helm: generate cilium
* helm: update cilium ref
---
 internal/constellation/helm/BUILD.bazel | 1 +
 .../helm/charts/cilium/Chart.yaml | 4 +-
 .../helm/charts/cilium/README.md | 26 +-
 .../configmap/bootstrap-config.yaml | 232 ++++++++++++++++++
 .../templates/cilium-envoy/configmap.yaml | 5 +-
 .../templates/cilium-envoy/daemonset.yaml | 4 -
 .../cilium/templates/hubble-ui/_nginx.tpl | 12 -
 .../tls-certmanager/relay-client-secret.yaml | 5 +
 .../tls-certmanager/relay-server-secret.yaml | 5 +
 .../hubble/tls-certmanager/server-secret.yaml | 6 +
 .../tls-certmanager/ui-client-certs.yaml | 5 +
 .../helm/charts/cilium/values.yaml | 30 +-
 .../helm/charts/cilium/values.yaml.tmpl | 2 +-
 internal/constellation/helm/generateCilium.sh | 2 +-
 internal/constellation/helm/helm_test.go | 2 +-
 internal/constellation/helm/loader.go | 8 +-
 16 files changed, 294 insertions(+), 55 deletions(-)
 create mode 100644 internal/constellation/helm/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml

diff --git a/internal/constellation/helm/BUILD.bazel b/internal/constellation/helm/BUILD.bazel
index e82a7dfb8..a36717668 100644
--- a/internal/constellation/helm/BUILD.bazel
+++ b/internal/constellation/helm/BUILD.bazel
@@ -474,6 +474,7 @@ go_library(
 "charts/coredns/templates/service.yaml",
 "charts/coredns/templates/serviceaccount.yaml",
 "charts/aws-load-balancer-controller/templates/hpa.yaml",
+ "charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml",
 ],
 importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
 visibility = ["//:__subpackages__"],
diff --git a/internal/constellation/helm/charts/cilium/Chart.yaml b/internal/constellation/helm/charts/cilium/Chart.yaml
index 0aa3edc19..cca1abd89 100644
--- a/internal/constellation/helm/charts/cilium/Chart.yaml
+++ b/internal/constellation/helm/charts/cilium/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: cilium displayName: Cilium home: https://cilium.io/ -version: 1.15.8-edg.0 -appVersion: 1.15.8-edg.0 +version: 1.15.19-edg.0 +appVersion: 1.15.19-edg.0 kubeVersion: ">= 1.16.0-0" icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability diff --git a/internal/constellation/helm/charts/cilium/README.md b/internal/constellation/helm/charts/cilium/README.md index 78fcdf684..5e177569d 100644 --- a/internal/constellation/helm/charts/cilium/README.md +++ b/internal/constellation/helm/charts/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.15.8](https://img.shields.io/badge/Version-1.15.8-informational?style=flat-square) ![AppVersion: 1.15.8](https://img.shields.io/badge/AppVersion-1.15.8-informational?style=flat-square) +![Version: 1.15.19](https://img.shields.io/badge/Version-1.15.19-informational?style=flat-square) ![AppVersion: 1.15.19](https://img.shields.io/badge/AppVersion-1.15.19-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -83,7 +83,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| -| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:7edf5efe6b86dbf01ccc3c76b32a37a8e23b84e6bad81ce8ae8c221fa456fda8","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -143,7 +143,7 @@ contributors across the globe, there is almost always someone available to help. | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. | | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. | | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. | -| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:40cdac65aa6ee86c16ce107f8726c4b55ce6654d07bbdf490db6bd492587bf54","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.14","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. | +| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:28511366bb5dc99b6ec424dc87399945714d57a586194658d9e2316ba3db4d04","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.19","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. 
| | certgen.affinity | object | `{}` | Affinity for certgen | | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob | | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. | @@ -171,7 +171,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | -| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.8","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.19","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -338,7 +338,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:318eff387835ca2717baab42a84f35a83a5f9e7d519253df87269f80b9ff0171","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68","useDigest":true}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -451,12 +451,12 @@ contributors across the globe, there is almost always someone available to help. | hubble.peerService.clusterDomain | string | `"cluster.local"` | The cluster domain to use to query the Hubble Peer service. It should be the local cluster. | | hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service, must match the hubble.listenAddress' port. | | hubble.preferIpv6 | bool | `false` | Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. | -| hubble.redact | object | `{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":false}}` | Enables redacting sensitive information present in Layer 7 flows. | +| hubble.redact | object | `{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":true}}` | Enables redacting sensitive information present in Layer 7 flows. | | hubble.redact.http.headers.allow | list | `[]` | List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: allow: - traceparent - tracestate - Cache-Control You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" | | hubble.redact.http.headers.deny | list | `[]` | List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: deny: - Authorization - Proxy-Authorization You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" | | hubble.redact.http.urlQuery | bool | `false` | Enables redacting URL query (GET) parameters. 
Example: redact: enabled: true http: urlQuery: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.urlQuery="true" | | hubble.redact.http.userInfo | bool | `true` | Enables redacting user info, e.g., password when basic auth is used. Example: redact: enabled: true http: userInfo: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.userInfo="true" | -| hubble.redact.kafka.apiKey | bool | `false` | Enables redacting Kafka's API key. Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.kafka.apiKey="true" | +| hubble.redact.kafka.apiKey | bool | `true` | Enables redacting Kafka's API key. Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.kafka.apiKey="true" | | hubble.relay.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for hubble-replay | | hubble.relay.annotations | object | `{}` | Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) | | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). | 
@@ -466,7 +466,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.8","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.19","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -524,7 +524,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. | | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. | -| hubble.ui.backend.image | object | `{"digest":"sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.1","useDigest":true}` | Hubble-ui backend image. | +| hubble.ui.backend.image | object | `{"digest":"sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.2","useDigest":true}` | Hubble-ui backend image. | | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | 
@@ -534,7 +534,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. | | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. | -| hubble.ui.frontend.image | object | `{"digest":"sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.1","useDigest":true}` | Hubble-ui frontend image. | +| hubble.ui.frontend.image | object | `{"digest":"sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.2","useDigest":true}` | Hubble-ui frontend image. | | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. | | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 | 
@@ -561,7 +561,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.8","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.19","useDigest":false}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -676,7 +676,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.8","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.19","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -727,7 +727,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.8","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.19","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/internal/constellation/helm/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml b/internal/constellation/helm/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml new file mode 100644 index 000000000..920837268 --- /dev/null +++ b/internal/constellation/helm/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml 
@@ -0,0 +1,232 @@ +node: + id: "host~127.0.0.1~no-id~localdomain" + cluster: "ingress-cluster" +staticResources: + listeners: + {{- if .Values.envoy.prometheus.enabled }} + - name: "envoy-prometheus-metrics-listener" + address: + socketAddress: + address: {{ .Values.ipv4.enabled | ternary "0.0.0.0" "::" | quote }} + portValue: {{ .Values.envoy.prometheus.port }} + {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }} + additionalAddresses: + - address: + socketAddress: + address: "::" + portValue: {{ .Values.envoy.prometheus.port }} + {{- end }} + filterChains: + - filters: + - name: "envoy.filters.network.http_connection_manager" + typedConfig: + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager" + statPrefix: "envoy-prometheus-metrics-listener" + routeConfig: + virtualHosts: + - name: "prometheus_metrics_route" + domains: + - "*" + routes: + - name: "prometheus_metrics_route" + match: + prefix: "/metrics" + route: + cluster: "/envoy-admin" + prefixRewrite: "/stats/prometheus" + httpFilters: + - name: "envoy.filters.http.router" + typedConfig: + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + internalAddressConfig: + cidrRanges: + {{- if .Values.ipv4.enabled }} + - addressPrefix: "10.0.0.0" + prefixLen: 8 + - addressPrefix: "172.16.0.0" + prefixLen: 12 + - addressPrefix: "192.168.0.0" + prefixLen: 16 + - addressPrefix: "127.0.0.1" + prefixLen: 32 + {{- end }} + {{- if .Values.ipv6.enabled }} + - addressPrefix: "::1" + prefixLen: 128 + {{- end }} + streamIdleTimeout: "0s" + {{- end }} + - name: "envoy-health-listener" + address: + socketAddress: + address: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} + portValue: {{ .Values.envoy.healthPort }} + {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }} + additionalAddresses: + - address: + socketAddress: + address: "::1" + portValue: {{ .Values.envoy.healthPort }} + {{- end }} + filterChains: + - filters: 
+ - name: "envoy.filters.network.http_connection_manager" + typedConfig: + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager" + statPrefix: "envoy-health-listener" + routeConfig: + virtual_hosts: + - name: "health" + domains: + - "*" + routes: + - name: "health" + match: + prefix: "/healthz" + route: + cluster: "/envoy-admin" + prefixRewrite: "/ready" + httpFilters: + - name: "envoy.filters.http.router" + typedConfig: + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + internalAddressConfig: + cidrRanges: + {{- if .Values.ipv4.enabled }} + - addressPrefix: "10.0.0.0" + prefixLen: 8 + - addressPrefix: "172.16.0.0" + prefixLen: 12 + - addressPrefix: "192.168.0.0" + prefixLen: 16 + - addressPrefix: "127.0.0.1" + prefixLen: 32 + {{- end }} + {{- if .Values.ipv6.enabled }} + - addressPrefix: "::1" + prefixLen: 128 + {{- end }} + streamIdleTimeout: "0s" + clusters: + - name: "ingress-cluster" + type: "ORIGINAL_DST" + connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s" + lbPolicy: "CLUSTER_PROVIDED" + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + commonHttpProtocolOptions: + idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s" + maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s" + maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }} + useDownstreamProtocolConfig: {} + cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s" + - name: "egress-cluster-tls" + type: "ORIGINAL_DST" + connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s" + lbPolicy: "CLUSTER_PROVIDED" + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + commonHttpProtocolOptions: + 
idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s" + maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s" + maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }} + upstreamHttpProtocolOptions: {} + useDownstreamProtocolConfig: {} + cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s" + transportSocket: + name: "cilium.tls_wrapper" + typedConfig: + "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext" + - name: "egress-cluster" + type: "ORIGINAL_DST" + connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s" + lbPolicy: "CLUSTER_PROVIDED" + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + commonHttpProtocolOptions: + idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s" + maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s" + maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }} + useDownstreamProtocolConfig: {} + cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s" + - name: "ingress-cluster-tls" + type: "ORIGINAL_DST" + connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s" + lbPolicy: "CLUSTER_PROVIDED" + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + commonHttpProtocolOptions: + idleTimeout: "{{ .Values.envoy.idleTimeoutDurationSeconds }}s" + maxConnectionDuration: "{{ .Values.envoy.maxConnectionDurationSeconds }}s" + maxRequestsPerConnection: {{ .Values.envoy.maxRequestsPerConnection }} + upstreamHttpProtocolOptions: {} + useDownstreamProtocolConfig: {} + cleanupInterval: "{{ .Values.envoy.connectTimeoutSeconds }}.500s" + transportSocket: + name: "cilium.tls_wrapper" + typedConfig: + "@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext" + - name: 
"xds-grpc-cilium" + type: "STATIC" + connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s" + loadAssignment: + clusterName: "xds-grpc-cilium" + endpoints: + - lbEndpoints: + - endpoint: + address: + pipe: + path: "/var/run/cilium/envoy/sockets/xds.sock" + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicitHttpConfig: + http2ProtocolOptions: {} + - name: "/envoy-admin" + type: "STATIC" + connectTimeout: "{{ .Values.envoy.connectTimeoutSeconds }}s" + loadAssignment: + clusterName: "/envoy-admin" + endpoints: + - lbEndpoints: + - endpoint: + address: + pipe: + path: "/var/run/cilium/envoy/sockets/admin.sock" +dynamicResources: + ldsConfig: + apiConfigSource: + apiType: "GRPC" + transportApiVersion: "V3" + grpcServices: + - envoyGrpc: + clusterName: "xds-grpc-cilium" + setNodeOnFirstMessageOnly: true + resourceApiVersion: "V3" + cdsConfig: + apiConfigSource: + apiType: "GRPC" + transportApiVersion: "V3" + grpcServices: + - envoyGrpc: + clusterName: "xds-grpc-cilium" + setNodeOnFirstMessageOnly: true + resourceApiVersion: "V3" +bootstrapExtensions: +- name: "envoy.bootstrap.internal_listener" + typedConfig: + "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener" +overloadManager: + resourceMonitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typedConfig: + "@type": "type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig" + max_active_downstream_connections: "50000" +admin: + address: + pipe: + path: "/var/run/cilium/envoy/sockets/admin.sock" diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/configmap.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/configmap.yaml index 990cf951a..4b6b9218f 100644 
--- a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/configmap.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/configmap.yaml
@@ -11,6 +11,7 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 data:
-{{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }}
-
+ # Keep the key name as bootstrap-config.json to avoid breaking changes
+ bootstrap-config.json: |
+ {{- (tpl (.Files.Get "files/cilium-envoy/configmap/bootstrap-config.yaml") .) | fromYaml | toJson | nindent 4 }}
 {{- end }}
diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml
index fd5168a84..d20e383f5 100644
--- a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml
@@ -26,10 +26,6 @@ spec:
 template:
 metadata:
 annotations:
- {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
- prometheus.io/port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}"
- prometheus.io/scrape: "true"
- {{- end }}
 {{- if .Values.envoy.rollOutPods }}
 # ensure pods roll when configmap updates
 cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}
diff --git a/internal/constellation/helm/charts/cilium/templates/hubble-ui/_nginx.tpl b/internal/constellation/helm/charts/cilium/templates/hubble-ui/_nginx.tpl
index e787b5aad..5d3d0a80e 100644
--- a/internal/constellation/helm/charts/cilium/templates/hubble-ui/_nginx.tpl
+++ b/internal/constellation/helm/charts/cilium/templates/hubble-ui/_nginx.tpl
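Review bot: The new `... | fromYaml | toJson | nindent 4` pipeline on the last added line turns a YAML parse error in the rendered bootstrap file into a config map that still renders: Helm's `fromYaml` does not fail on invalid input but returns a map carrying an `Error` key, so `toJson` would write `{"Error":"..."}` into `bootstrap-config.json` and the problem would only surface when cilium-envoy refuses its bootstrap at start-up, whereas the old `.Files.Glob(...).AsConfig` path shipped the file verbatim. Template syntax errors still fail inside `tpl` as before; it is only the YAML parse step that is silent. I would bind the parsed result and fail the render explicitly: `{{- $bootstrap := tpl (.Files.Get "files/cilium-envoy/configmap/bootstrap-config.yaml") . | fromYaml }}`, `{{- if hasKey $bootstrap "Error" }}{{ fail (printf "bootstrap-config.yaml: %s" $bootstrap.Error) }}{{ end }}`, and then `{{- $bootstrap | toJson | nindent 4 }}` under the `bootstrap-config.json: |` key.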
@@ -13,24 +13,12 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
- # CORS
- add_header Access-Control-Allow-Methods "GET, POST, PUT, HEAD, DELETE, OPTIONS";
- add_header Access-Control-Allow-Origin *;
- add_header Access-Control-Max-Age 1728000;
- add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;
- add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;
- if ($request_method = OPTIONS) {
- return 204;
- }
- # /CORS
-
 location {{ .Values.hubble.ui.baseUrl }}api {
 {{- if not (eq .Values.hubble.ui.baseUrl "/") }}
 rewrite ^{{ (trimSuffix "/" .Values.hubble.ui.baseUrl) }}(/.*)$ $1 break;
 {{- end }}
 proxy_http_version 1.1;
 proxy_pass_request_headers on;
- proxy_hide_header Access-Control-Allow-Origin;
 {{- if eq .Values.hubble.ui.baseUrl "/" }}
 proxy_pass http://127.0.0.1:8090;
 {{- else }}
diff --git a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
index 1dd96b18c..373d6c541 100644
--- a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
@@ -19,4 +19,9 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - client auth
 {{- end }}
diff --git a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
index 845b4fb8e..c33b912b1 100644
--- a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml
@@ -28,4 +28,9 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - server auth
 {{- end }}
diff --git a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml
index 5f202e10b..b34f27c52 100644
--- a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml
@@ -29,4 +29,10 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - server auth
+ - client auth
 {{- end }}
diff --git a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
index 5006666ec..64ace1872 100644
--- a/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
+++ b/internal/constellation/helm/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
@@ -19,4 +19,9 @@ spec:
 duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
 privateKey:
 rotationPolicy: Always
+ isCA: false
+ usages:
+ - signing
+ - key encipherment
+ - client auth
 {{- end }}
diff --git a/internal/constellation/helm/charts/cilium/values.yaml b/internal/constellation/helm/charts/cilium/values.yaml
index d276064aa..c87bdc204 100644
--- a/internal/constellation/helm/charts/cilium/values.yaml
+++ b/internal/constellation/helm/charts/cilium/values.yaml
@@ -146,7 +146,7 @@ rollOutCiliumPods: false
 image:
 override: ~
 repository: "quay.io/cilium/cilium"
- tag: "v1.15.8"
+ tag: "v1.15.19"
 pullPolicy: "IfNotPresent"
 # cilium-digest
 digest: ""
@@ -981,8 +981,8 @@ certgen:
 image:
 override: ~
 repository: "quay.io/cilium/certgen"
- tag: "v0.1.14"
- digest: "sha256:40cdac65aa6ee86c16ce107f8726c4b55ce6654d07bbdf490db6bd492587bf54"
+ tag: "v0.1.19"
+ digest: "sha256:28511366bb5dc99b6ec424dc87399945714d57a586194658d9e2316ba3db4d04"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- Seconds after which the completed job pod will be deleted
@@ -1157,7 +1157,7 @@ hubble:
 #
 # --set hubble.redact.enabled="true"
 # --set hubble.redact.kafka.apiKey="true"
- apiKey: false
+ apiKey: true
 # -- An additional address for Hubble to listen to.
 # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that
@@ -1240,7 +1240,7 @@ hubble:
 image:
 override: ~
 repository: "quay.io/cilium/hubble-relay"
- tag: "v1.15.8"
+ tag: "v1.15.19"
 # hubble-relay-digest
 digest: ""
 useDigest: false
@@ -1477,8 +1477,8 @@ hubble:
 image:
 override: ~
 repository: "quay.io/cilium/hubble-ui-backend"
- tag: "v0.13.1"
- digest: "sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b"
+ tag: "v0.13.2"
+ digest: "sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15"
 useDigest: true
 pullPolicy: "IfNotPresent"
@@ -1516,8 +1516,8 @@ hubble:
 image:
 override: ~
 repository: "quay.io/cilium/hubble-ui"
- tag: "v0.13.1"
- digest: "sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6"
+ tag: "v0.13.2"
+ digest: "sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392"
 useDigest: true
 pullPolicy: "IfNotPresent"
@@ -2084,9 +2084,9 @@ envoy:
 image:
 override: ~
 repository: "quay.io/cilium/cilium-envoy"
- tag: "v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51"
+ tag: "v1.33.4-1752151664-7c2edb0b44cf95f326d628b837fcdd845102ba68"
 pullPolicy: "IfNotPresent"
- digest: "sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b"
+ digest: "sha256:318eff387835ca2717baab42a84f35a83a5f9e7d519253df87269f80b9ff0171"
 useDigest: true
 # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -2507,7 +2507,7 @@ operator:
 image:
 override: ~
 repository: "quay.io/cilium/operator"
- tag: "v1.15.8"
+ tag: "v1.15.19"
 # operator-generic-digest
 genericDigest: ""
 # operator-azure-digest
@@ -2808,7 +2808,7 @@ preflight:
 image:
 override: ~
 repository: "quay.io/cilium/cilium"
- tag: "v1.15.8"
+ tag: "v1.15.19"
 # cilium-digest
 digest: ""
 useDigest: false
@@ -2970,7 +2970,7 @@ clustermesh:
 image:
 override: ~
 repository: "quay.io/cilium/clustermesh-apiserver"
- tag: "v1.15.8"
+ tag: "v1.15.19"
 # clustermesh-apiserver-digest
 digest: ""
 useDigest: false
@@ -3428,7 +3428,7 @@ authentication:
 override: ~
 repository: "docker.io/library/busybox"
 tag: "1.36.1"
- digest: "sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7"
+ digest: "sha256:7edf5efe6b86dbf01ccc3c76b32a37a8e23b84e6bad81ce8ae8c221fa456fda8"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # SPIRE agent configuration
diff --git a/internal/constellation/helm/charts/cilium/values.yaml.tmpl b/internal/constellation/helm/charts/cilium/values.yaml.tmpl
index dff8612a2..7fbed1be7 100644
--- a/internal/constellation/helm/charts/cilium/values.yaml.tmpl
+++ b/internal/constellation/helm/charts/cilium/values.yaml.tmpl
@@ -1154,7 +1154,7 @@ hubble:
 #
 # --set hubble.redact.enabled="true"
 # --set hubble.redact.kafka.apiKey="true"
- apiKey: false
+ apiKey: true
 # -- An additional address for Hubble to listen to.
 # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that
diff --git a/internal/constellation/helm/generateCilium.sh b/internal/constellation/helm/generateCilium.sh
index 0517552ba..acf28ca77 100755
--- a/internal/constellation/helm/generateCilium.sh
+++ b/internal/constellation/helm/generateCilium.sh
@@ -21,7 +21,7 @@ git clone \
 --no-checkout \
 --sparse \
 --depth 1 \
- -b v1.15.8-edg.0 \
+ -b v1.15.19-edg.0 \
 https://github.com/edgelesssys/cilium.git
 cd cilium
diff --git a/internal/constellation/helm/helm_test.go b/internal/constellation/helm/helm_test.go
index 9d2e75e2e..8b36ea80c 100644
--- a/internal/constellation/helm/helm_test.go
+++ b/internal/constellation/helm/helm_test.go
@@ -198,7 +198,7 @@ func TestHelmApply(t *testing.T) {
 if tc.clusterCertManagerVersion != nil {
 certManagerVersion = *tc.clusterCertManagerVersion
 }
- helmListVersion(lister, "cilium", "v1.15.8-edg.0")
+ helmListVersion(lister, "cilium", "v1.15.19-edg.0")
 helmListVersion(lister, "coredns", "v0.0.0")
 helmListVersion(lister, "cert-manager", certManagerVersion)
 helmListVersion(lister, "constellation-services", tc.clusterMicroServiceVersion)
diff --git a/internal/constellation/helm/loader.go b/internal/constellation/helm/loader.go
index fbe6c4a0b..61822da50 100644
--- a/internal/constellation/helm/loader.go
+++ b/internal/constellation/helm/loader.go
@@ -381,18 +381,18 @@ func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any,
 "image": map[string]any{
 "repository": "ghcr.io/edgelesssys/cilium/cilium",
 "suffix": "",
- "tag": "v1.15.8-edg.0",
- "digest": "sha256:67aedd821a732e9ba3e34d200c389122384b70c05ba9a5ffb6ad813a53f2d4db",
+ "tag": "v1.15.19-edg.0",
+ "digest": "sha256:700218a5ffc10473ce9b09d560b8e0e3ed1309a4d57a9273da2ed16e3e1533f3",
 "useDigest": true,
 },
 "operator": map[string]any{
 "image": map[string]any{
 "repository": "ghcr.io/edgelesssys/cilium/operator",
 "suffix": "",
- "tag": "v1.15.8-edg.0",
+ "tag": "v1.15.19-edg.0",
 // Careful: this is the digest of ghcr.io/.../operator-generic!
 // See magic image manipulation in ./helm/charts/cilium/templates/cilium-operator/_helpers.tpl.
- "genericDigest": "sha256:dd41e2a65c607ac929d872f10b9d0c3eff88aafa99e7c062e9c240b14943dd2e",
+ "genericDigest": "sha256:5db046fea42cb1239d4eaa0f870d10e77911768a1eaf34c4968488dea93e27c4",
 "useDigest": true,
 },
 "podDisruptionBudget": map[string]any{
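Review bot: The release string `v1.15.19-edg.0` is now hand-maintained in four places — both `"tag"` entries in this hunk, the `helmListVersion(lister, "cilium", ...)` expectation in helm_test.go, the `-b` branch in generateCilium.sh and Chart.yaml — with nothing in the code tying the two new digests to that tag. A package-level `const ciliumVersion = "v1.15.19-edg.0"` referenced from both image maps and from the test would leave only the digests (and the shell script) as per-release edits. Since `"useDigest": true` is set, the digest is presumably what is actually pulled, so a stale tag next to a fresh digest would not be noticed at runtime; a one-line comment above the cilium `"digest"` naming the image reference it was resolved from, as the operator entry already does with its "Careful" note, would make such a mismatch visible at review. loadCiliumValues starts and ends outside the hunk.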