Feat/cilium strict mode2.0 (#25)

* bump cilium helm charts

* integrate cilium strict mode v2

CHANGELOG.md

@@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - CoreOS images are publicly available for Azure.
 - GCP: Support for higher end N2D standard (128 & 224 vCPUs), *high-mem* and *high-cpu* VMs
 - Add `constellation upgrade` to update node images in Constellation.
+- Add cilium v1.12.1 with strict mode v2
 
 ### Changed
 <!-- For changes in existing functionality.  -->
@@ -41,6 +42,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Change cdbg to use load balancer for deploy.
 - cdbg now uses the Constellation config directly and does not require any extra config
 - Azure CVMs are attested using SNP attestation
+- Replaced kube-proxy with cilium
 
 ### Deprecated
 <!-- For soon-to-be removed features. -->

README.md

@@ -55,7 +55,7 @@ For more elaborate overviews of Constellation, see the [architecture] documentat
 ### Everything always encrypted
 
 - Memory runtime encryption of all Kubernetes nodes
-- [Transparent network encryption][network-encryption] for the entire cluster node to node traffic. Provided by [Cilium], application independent, no sidecar required
+- [Transparent network encryption][network-encryption] provided by [Cilium]. Application independent, no sidecar required
 - [Persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) encryption for block storage. [Encrypted in the confidential Kubernetes context][storage-encryption], keys and plaintext data never leave the cluster. No trust in the cloud storage backend required
 - [Key management][key-management] for transparent network and storage encryption
 

bootstrapper/internal/kubernetes/k8sapi/util.go

@@ -14,6 +14,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -175,7 +176,7 @@ func (k *KubernetesUtil) InitCluster(
 
 	// initialize the cluster
 	log.Infof("Initializing the cluster using kubeadm init")
-	cmd = exec.CommandContext(ctx, kubeadmPath, "init", "-v=5", "--skip-phases=preflight,certs", "--config", initConfigFile.Name())
+	cmd = exec.CommandContext(ctx, kubeadmPath, "init", "-v=5", "--skip-phases=preflight,certs,addon/kube-proxy", "--config", initConfigFile.Name())
 	out, err = cmd.CombinedOutput()
 	if err != nil {
 		var exitErr *exec.ExitError
@@ -216,20 +217,21 @@ func (k *KubernetesUtil) SetupHelmDeployments(ctx context.Context, kubectl Clien
 }
 
 type SetupPodNetworkInput struct {
-	CloudProvider     string
+	CloudProvider        string
-	NodeName          string
+	NodeName             string
-	FirstNodePodCIDR  string
+	FirstNodePodCIDR     string
-	SubnetworkPodCIDR string
+	SubnetworkPodCIDR    string
-	ProviderID        string
+	ProviderID           string
+	LoadBalancerEndpoint string
 }
 
 // deployCilium sets up the cilium pod network.
 func (k *KubernetesUtil) deployCilium(ctx context.Context, in SetupPodNetworkInput, helmClient *action.Install, ciliumDeployment helm.Deployment, kubectl Client) error {
 	switch in.CloudProvider {
 	case "gcp":
-		return k.deployCiliumGCP(ctx, helmClient, kubectl, ciliumDeployment, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR)
+		return k.deployCiliumGCP(ctx, helmClient, kubectl, ciliumDeployment, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR, in.LoadBalancerEndpoint)
 	case "azure":
-		return k.deployCiliumAzure(ctx, helmClient, ciliumDeployment)
+		return k.deployCiliumAzure(ctx, helmClient, ciliumDeployment, in.LoadBalancerEndpoint)
 	case "qemu":
 		return k.deployCiliumQEMU(ctx, helmClient, ciliumDeployment, in.SubnetworkPodCIDR)
 	default:
@@ -237,7 +239,11 @@ func (k *KubernetesUtil) deployCilium(ctx context.Context, in SetupPodNetworkInp
 	}
 }
 
-func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment) error {
+func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment, kubeAPIEndpoint string) error {
+	host := kubeAPIEndpoint
+	ciliumDeployment.Values["k8sServiceHost"] = host
+	ciliumDeployment.Values["k8sServicePort"] = strconv.Itoa(constants.KubernetesPort)
+
 	_, err := helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values)
 	if err != nil {
 		return fmt.Errorf("installing cilium: %w", err)
@@ -245,7 +251,7 @@ func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *acti
 	return nil
 }
 
-func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action.Install, kubectl Client, ciliumDeployment helm.Deployment, nodeName, nodePodCIDR, subnetworkPodCIDR string) error {
+func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action.Install, kubectl Client, ciliumDeployment helm.Deployment, nodeName, nodePodCIDR, subnetworkPodCIDR, kubeAPIEndpoint string) error {
 	out, err := exec.CommandContext(ctx, kubectlPath, "--kubeconfig", kubeConfig, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
 	if err != nil {
 		err = errors.New(string(out))
@@ -270,9 +276,18 @@ func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action
 		return err
 	}
 
+	host, port, err := net.SplitHostPort(kubeAPIEndpoint)
+	if err != nil {
+		return err
+	}
+
 	// configure pod network CIDR
 	ciliumDeployment.Values["ipv4NativeRoutingCIDR"] = subnetworkPodCIDR
 	ciliumDeployment.Values["strictModeCIDR"] = subnetworkPodCIDR
+	ciliumDeployment.Values["k8sServiceHost"] = host
+	if port != "" {
+		ciliumDeployment.Values["k8sServicePort"] = port
+	}
 
 	_, err = helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values)
 	if err != nil {

bootstrapper/internal/kubernetes/kubernetes.go

@@ -164,10 +164,11 @@ func (k *KubeWrapper) InitCluster(
 	// Step 3: configure & start kubernetes controllers
 	log.Infof("Starting Kubernetes controllers and deployments")
 	setupPodNetworkInput := k8sapi.SetupPodNetworkInput{
-		CloudProvider:     k.cloudProvider,
+		CloudProvider:        k.cloudProvider,
-		NodeName:          nodeName,
+		NodeName:             nodeName,
-		FirstNodePodCIDR:  nodePodCIDR,
+		FirstNodePodCIDR:     nodePodCIDR,
-		SubnetworkPodCIDR: subnetworkPodCIDR,
+		SubnetworkPodCIDR:    subnetworkPodCIDR,
+		LoadBalancerEndpoint: controlPlaneEndpoint,
 	}
 	if err = k.clusterUtil.SetupHelmDeployments(ctx, k.client, helmDeployments, setupPodNetworkInput, log); err != nil {
 		return nil, fmt.Errorf("setting up pod network: %w", err)

cli/internal/helm/charts/cilium/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.12.0
+version: 1.12.1
-appVersion: 1.12.0
+appVersion: 1.12.1
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability

cli/internal/helm/charts/cilium/README.md

@@ -1,6 +1,6 @@
 # cilium
 
-![Version: 1.12.0](https://img.shields.io/badge/Version-1.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)
+![Version: 1.12.1](https://img.shields.io/badge/Version-1.12.1-informational?style=flat-square) ![AppVersion: 1.12.1](https://img.shields.io/badge/AppVersion-1.12.1-informational?style=flat-square)
 
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver |
 | clustermesh.apiserver.etcd.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4@sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3"}` | Clustermesh API server etcd image. |
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.0","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.1","useDigest":false}` | Clustermesh API server image. |
 | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
 | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
@@ -239,7 +239,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
 | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
 | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
-| hubble.relay.image | object | `{"digest":"sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.0","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.1","useDigest":false}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -289,11 +289,11 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
 | hubble.ui.affinity | object | `{}` | Affinity for hubble-ui |
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
-| hubble.ui.backend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b"}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.9.1@sha256:c4b86e0d7a38d52c6ea3d9d7b17809e5212efd97494e8bd37c8466ddd68d42d0"}` | Hubble-ui backend image. |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
 | hubble.ui.enabled | bool | `false` | Whether to enable the Hubble UI. |
 | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
-| hubble.ui.frontend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0"}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.9.1@sha256:baff611b975cb12307a163c0e547e648da211384eabdafd327707ff2ec31cc24"}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
 | hubble.ui.ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":["chart-example.local"],"tls":[]}` | hubble-ui ingress configuration. |
 | hubble.ui.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
@@ -316,7 +316,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
-| image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.1","useDigest":false}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
@@ -336,7 +336,6 @@ contributors across the globe, there is almost always someone available to help.
 | ipam.operator.clusterPoolIPv6PodCIDRList | list | `[]` | IPv6 CIDR list range to delegate to individual nodes for IPAM. |
 | ipv4.enabled | bool | `true` | Enable IPv4 support. |
 | ipv6.enabled | bool | `false` | Enable IPv6 support. |
-| ipvlan.enabled | bool | `false` | Enable the IPVLAN datapath (deprecated) |
 | k8s | object | `{}` | Configure Kubernetes specific configuration |
 | keepDeprecatedLabels | bool | `false` | Keep the deprecated selector labels when deploying Cilium DaemonSet. |
 | keepDeprecatedProbes | bool | `false` | Keep the deprecated probes when deploying Cilium DaemonSet |
@@ -382,7 +381,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5","awsDigest":"sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22","azureDigest":"sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba","genericDigest":"sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.0","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.1","useDigest":false}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -413,7 +412,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-preflight |
 | preflight.enabled | bool | `false` | Enable Cilium pre-flight resources (required for upgrade) |
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
-| preflight.image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.1","useDigest":false}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml

@@ -463,7 +463,6 @@ spec:
               - SYS_CHROOT
               - SYS_PTRACE
           {{- end}}
-      {{- end }}
       - name: apply-sysctl-overwrites
         image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -507,6 +506,7 @@ spec:
               - SYS_CHROOT
               - SYS_PTRACE
           {{- end}}
+      {{- end }}
       {{- if not .Values.securityContext.privileged }}
       # Mount the bpf fs if it is not mounted. We will perform this task
       # from a privileged container because the mount propagation bidirectional

cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml

@@ -48,6 +48,7 @@
   {{- if .Values.azure.enabled }}
       {{- $azureUsePrimaryAddress = "false" -}}
   {{- end }}
+  {{- $defaultKubeProxyReplacement = "disabled" -}}
 {{- end -}}
 
 {{- $ipam := (coalesce .Values.ipam.mode $defaultIPAM) -}}
@@ -498,13 +499,6 @@ data:
   {{- end }}
 {{- end }}
 
-{{- if hasKey .Values "datapathMode" }}
-{{- if eq .Values.datapathMode "ipvlan" }}
-  datapath-mode: ipvlan
-  ipvlan-master-device: {{ .Values.ipvlan.masterDevice }}
-{{- end }}
-{{- end }}
-
 {{- if .Values.strictModeCIDR }}
   strict-mode-cidr: {{ .Values.strictModeCIDR | quote }}
 {{- end }}

cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml

@@ -37,25 +37,19 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      volumes:
-      # To access iptables concurrently with other processes (e.g. kube-proxy)
-      - hostPath:
-          path: /run/xtables.lock
-          type: FileOrCreate
-        name: xtables-lock
       containers:
         - name: node-init
           image: {{ include "cilium.image" .Values.nodeinit.image | quote }}
           imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }}
-          volumeMounts:
-            # To access iptables concurrently with other processes (e.g. kube-proxy)
-            - mountPath: /run/xtables.lock
-              name: xtables-lock
           lifecycle:
             {{- if .Values.eni.enabled }}
             postStart:
               exec:
                 command:
+                  - nsenter
+                  - --target=1
+                  - --mount
+                  - --
                   - "/bin/sh"
                   - "-c"
                   - |

cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml

@@ -207,7 +207,7 @@ spec:
       # In managed etcd mode, Cilium must be able to resolve the DNS name of
       # the etcd service
       dnsPolicy: ClusterFirstWithHostNet
-      {{- else if .Values.dnsPolicy }}
+      {{- else if .Values.operator.dnsPolicy }}
       dnsPolicy: {{ .Values.operator.dnsPolicy }}
       {{- end }}
       restartPolicy: Always

cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml

@@ -127,6 +127,12 @@ spec:
             configMapKeyRef:
               name: cilium-config
               key: identity-allocation-mode
+        - name: ENABLE_K8S_ENDPOINT_SLICE
+          valueFrom:
+            configMapKeyRef:
+              name: cilium-config
+              key: enable-k8s-endpoint-slice
+              optional: true
         {{- with .Values.clustermesh.apiserver.extraEnv }}
         {{- toYaml . | trim | nindent 8 }}
         {{- end }}

cli/internal/helm/charts/cilium/values.yaml

@@ -90,11 +90,11 @@ rollOutCiliumPods: false
 image:
   override: ~
   repository: "quay.io/cilium/cilium"
-  tag: "v1.12.0"
+  tag: "v1.12.1"
   pullPolicy: "IfNotPresent"
   # cilium-digest
-  digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
+  digest: ""
-  useDigest: true
+  useDigest: false
 
 # -- Affinity for cilium-agent.
 affinity:
@@ -788,10 +788,10 @@ hubble:
     image:
       override: ~
       repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.12.0"
+      tag: "v1.12.1"
        # hubble-relay-digest
-      digest: "sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d"
+      digest: ""
-      useDigest: true
+      useDigest: false
       pullPolicy: "IfNotPresent"
 
     # -- Specifies the resources for the hubble-relay pods
@@ -972,7 +972,7 @@ hubble:
       image:
         override: ~
         repository: "quay.io/cilium/hubble-ui-backend"
-        tag: "v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b"
+        tag: "v0.9.1@sha256:c4b86e0d7a38d52c6ea3d9d7b17809e5212efd97494e8bd37c8466ddd68d42d0"
         pullPolicy: "IfNotPresent"
 
       # -- Additional hubble-ui backend environment variables.
@@ -992,7 +992,7 @@ hubble:
       image:
         override: ~
         repository: "quay.io/cilium/hubble-ui"
-        tag: "v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0"
+        tag: "v0.9.1@sha256:baff611b975cb12307a163c0e547e648da211384eabdafd327707ff2ec31cc24"
         pullPolicy: "IfNotPresent"
 
       # -- Additional hubble-ui frontend environment variables.
@@ -1139,14 +1139,6 @@ ipv6:
   # -- Enable IPv6 support.
   enabled: false
 
-ipvlan:
-  # -- Enable the IPVLAN datapath (deprecated)
-  enabled: false
-
-  # -- masterDevice is the name of the device to use to attach secondary IPVLAN
-  # devices
-  # masterDevice: eth0
-
 # -- Configure Kubernetes specific configuration
 k8s: {}
   # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
@@ -1534,16 +1526,16 @@ operator:
   image:
     override: ~
     repository: "quay.io/cilium/operator"
-    tag: "v1.12.0"
+    tag: "v1.12.1"
     # operator-generic-digest
-    genericDigest: "sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410"
+    genericDigest: ""
     # operator-azure-digest
-    azureDigest: "sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba"
+    azureDigest: ""
     # operator-aws-digest
-    awsDigest: "sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22"
+    awsDigest: ""
     # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5"
+    alibabacloudDigest: ""
-    useDigest: true
+    useDigest: false
     pullPolicy: "IfNotPresent"
     suffix: ""
 
@@ -1767,10 +1759,10 @@ preflight:
   image:
     override: ~
     repository: "quay.io/cilium/cilium"
-    tag: "v1.12.0"
+    tag: "v1.12.1"
     # cilium-digest
-    digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
+    digest: ""
-    useDigest: true
+    useDigest: false
     pullPolicy: "IfNotPresent"
 
   # -- The priority class to use for the preflight pod.
@@ -1904,10 +1896,10 @@ clustermesh:
     image:
       override: ~
       repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.12.0"
+      tag: "v1.12.1"
       # clustermesh-apiserver-digest
-      digest: "sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299"
+      digest: ""
-      useDigest: true
+      useDigest: false
       pullPolicy: "IfNotPresent"
 
     etcd:

cli/internal/helm/charts/cilium/values.yaml.tmpl

@@ -1134,14 +1134,6 @@ ipv6:
   # -- Enable IPv6 support.
   enabled: false
 
-ipvlan:
-  # -- Enable the IPVLAN datapath (deprecated)
-  enabled: false
-
-  # -- masterDevice is the name of the device to use to attach secondary IPVLAN
-  # devices
-  # masterDevice: eth0
-
 # -- Configure Kubernetes specific configuration
 k8s: {}
   # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR

cli/internal/helm/generateCilium.sh

@@ -3,7 +3,7 @@
 CALLDIR=$(pwd)
 CILIUMTMPDIR=$(mktemp -d)
 cd $CILIUMTMPDIR
-git clone --depth 1 -b v1.12 https://github.com/cilium/cilium.git
+git clone --depth 1 -b 1.12.1 https://github.com/cilium/cilium.git
 cd cilium
 git apply $CALLDIR/cilium.patch
 cp -r install/kubernetes/cilium $CALLDIR/charts

cli/internal/helm/values.go

@@ -16,27 +16,28 @@ var azureVals = map[string]interface{}{
 			},
 		},
 	},
-	"strictModeCIDRs": []string{
+	"strictModeCIDR": "10.244.0.0/16",
-		"10.244.0.0/16",
-	},
 	"image": map[string]interface{}{
 		"repository": "ghcr.io/3u13r/cilium",
-		"suffix":     "v1.12.0-edg2",
+		"suffix":     "",
-		"tag":        "latest",
+		"tag":        "v1.12.1-edg",
-		"digest":     "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf",
+		"digest":     "sha256:fdac430143fe719331698b76fbe66410631a21afd3405407d56db260d2d6999b",
-		"useDigest":  false,
+		"useDigest":  true,
 	},
 	"operator": map[string]interface{}{
 		"image": map[string]interface{}{
 			"repository":    "ghcr.io/3u13r/operator",
-			"tag":           "v1.12.0-edg2",
+			"tag":           "v1.12.1-edg",
 			"suffix":        "",
-			"genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a",
+			"genericDigest": "sha256:a225d8d3976fd2a05cfa0c929cd32e60283abedf6bae51db4709df19b2fb70cb",
 			"useDigest":     true,
 		},
 	},
-	"egressMasqueradeInterfaces": "eth0",
+	"egressMasqueradeInterfaces":          "eth0",
-	"enableIPv4Masquerade":       true,
+	"enableIPv4Masquerade":                true,
+	"kubeProxyReplacement":                "strict",
+	"enableCiliumEndpointSlice":           true,
+	"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
 }
 
 var gcpVals = map[string]interface{}{
@@ -51,16 +52,16 @@ var gcpVals = map[string]interface{}{
 	"image": map[string]interface{}{
 		"repository": "ghcr.io/3u13r/cilium",
 		"suffix":     "",
-		"tag":        "v1.12.0-edg2",
+		"tag":        "v1.12.1-edg",
-		"digest":     "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf",
+		"digest":     "sha256:fdac430143fe719331698b76fbe66410631a21afd3405407d56db260d2d6999b",
 		"useDigest":  true,
 	},
 	"operator": map[string]interface{}{
 		"image": map[string]interface{}{
 			"repository":    "ghcr.io/3u13r/operator",
 			"suffix":        "",
-			"tag":           "v1.12.0-edg2",
+			"tag":           "v1.12.1-edg",
-			"genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a",
+			"genericDigest": "sha256:a225d8d3976fd2a05cfa0c929cd32e60283abedf6bae51db4709df19b2fb70cb",
 			"useDigest":     true,
 		},
 	},
@@ -68,6 +69,9 @@ var gcpVals = map[string]interface{}{
 	"ipam": map[string]interface{}{
 		"mode": "kubernetes",
 	},
+	"kubeProxyReplacement":                "strict",
+	"enableCiliumEndpointSlice":           true,
+	"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
 }
 
 var qemuVals = map[string]interface{}{