github-personal/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-01-27 10:18:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: cilium installation

Browse Source
This commit is contained in:
Andrei Kvapil
2024-04-01 20:11:02 +02:00
parent 0d36f3ee6c
commit 39667d69f1
8 changed files with 56 additions and 1008 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/core/platform/bundles/full-distro.yaml
View File

@@ -9,11 +9,14 @@ releases:
dependsOn: []
values:
cilium:
bpf:
masquerade: true
cni:
chainingMode: ~
customConf: false
configMap: ""
enableIPv4Masquerade: true
enableIdentityMark: true
- name: fluxcd
releaseName: fluxcd

2
packages/system/cilium/Makefile
View File

@@ -16,4 +16,4 @@ update:
helm repo update cilium
helm pull cilium/cilium --untar --untardir charts
sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
patch -p3 < patches/fix-cgroups.patch
patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch

4
packages/system/cilium/charts/cilium/Chart.yaml
View File

@@ -79,7 +79,7 @@ annotations:
Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can
be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
apiVersion: v2
appVersion: 1.15.2
appVersion: 1.15.3
description: eBPF-based Networking, Security, and Observability
home: https://cilium.io/
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.16.0-0'
name: cilium
sources:
- https://github.com/cilium/cilium
version: 1.15.2
version: 1.15.3

14
packages/system/cilium/charts/cilium/README.md
View File

@@ -1,6 +1,6 @@
# cilium
![Version: 1.15.2](https://img.shields.io/badge/Version-1.15.2-informational?style=flat-square) ![AppVersion: 1.15.2](https://img.shields.io/badge/AppVersion-1.15.2-informational?style=flat-square)
![Version: 1.15.3](https://img.shields.io/badge/Version-1.15.3-informational?style=flat-square) ![AppVersion: 1.15.3](https://img.shields.io/badge/AppVersion-1.15.3-informational?style=flat-square)
Cilium is open source software for providing and transparently securing
network connectivity and loadbalancing between application workloads such as
@@ -170,7 +170,7 @@ contributors across the globe, there is almost always someone available to help.
| clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
| clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
| clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
| clustermesh.apiserver.image | object | `{"digest":"sha256:478c77371f34d6fe5251427ff90c3912567c69b2bdc87d72377e42a42054f1c2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.2","useDigest":true}` | Clustermesh API server image. |
| clustermesh.apiserver.image | object | `{"digest":"sha256:da4573f8fe4415bdb786c4fdcbc3b518e5a485f930cd4292416eb80800cbd7fc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.3","useDigest":true}` | Clustermesh API server image. |
| clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
| clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
| clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
@@ -320,7 +320,7 @@ contributors across the globe, there is almost always someone available to help.
| eni.subnetIDsFilter | list | `[]` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
| eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
| eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
| envoy.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
| envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
| envoy.annotations | object | `{}` | Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) |
| envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
| envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
@@ -458,7 +458,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
| hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
| hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
| hubble.relay.image | object | `{"digest":"sha256:48480053930e884adaeb4141259ff1893a22eb59707906c6d38de2fe01916cb0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.2","useDigest":true}` | Hubble-relay container image. |
| hubble.relay.image | object | `{"digest":"sha256:b9c6431aa4f22242a5d0d750c621d9d04bdc25549e4fb1116bfec98dd87958a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.3","useDigest":true}` | Hubble-relay container image. |
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -553,7 +553,7 @@ contributors across the globe, there is almost always someone available to help.
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
| identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
| image | object | `{"digest":"sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.2","useDigest":true}` | Agent container image. |
| image | object | `{"digest":"sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.3","useDigest":true}` | Agent container image. |
| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
| ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
| ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -666,7 +666,7 @@ contributors across the globe, there is almost always someone available to help.
| operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
| operator.image | object | `{"alibabacloudDigest":"sha256:e2dafa4c04ab05392a28561ab003c2894ec1fcc3214a4dfe2efd6b7d58a66650","awsDigest":"sha256:3f459999b753bfd8626f8effdf66720a996b2c15c70f4e418011d00de33552eb","azureDigest":"sha256:568293cebc27c01a39a9341b1b2578ebf445228df437f8b318adbbb2c4db842a","genericDigest":"sha256:4dd8f67630f45fcaf58145eb81780b677ef62d57632d7e4442905ad3226a9088","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.2","useDigest":true}` | cilium-operator image. |
| operator.image | object | `{"alibabacloudDigest":"sha256:59d5c0c5782163d38151dd06bae0118144f6c080598901a632c628b1143ccd10","awsDigest":"sha256:2b05dc6b88037a5ce05e4030ef616b1f7be9e65083e35abd36a1b66953fd0b6a","azureDigest":"sha256:b85a2671a74903c6e9a45e884654bb970b5b8d6a6e20371811a6cc0ad92b2f87","genericDigest":"sha256:c97f23161906b82f5c81a2d825b0646a5aa1dfb4adf1d49cbb87815079e69d61","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.3","useDigest":true}` | cilium-operator image. |
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -716,7 +716,7 @@ contributors across the globe, there is almost always someone available to help.
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
| preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
| preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
| preflight.image | object | `{"digest":"sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.2","useDigest":true}` | Cilium pre-flight image. |
| preflight.image | object | `{"digest":"sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.3","useDigest":true}` | Cilium pre-flight image. |
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |

981
packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml.orig
View File

@@ -1,981 +0,0 @@
{{- if and .Values.agent (not .Values.preflight.enabled) }}
{{- /* Default values with backwards compatibility */ -}}
{{- $defaultKeepDeprecatedProbes := true -}}
{{- /* Default values when 1.8 was initially deployed */ -}}
{{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
{{- $defaultKeepDeprecatedProbes = false -}}
{{- end -}}
{{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement "false") -}}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cilium
namespace: {{ .Release.Namespace }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
k8s-app: cilium
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-agent
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- if and .Values.gke.enabled (eq .Release.Namespace "kube-system" ) }}
{{- fail "Invalid configuration: Installing Cilium on GKE with 'kubernetes.io/cluster-service' labels on 'kube-system' namespace causes Cilium DaemonSet to be removed by GKE. Either install Cilium on a different Namespace or install with '--set keepDeprecatedLabels=false'" }}
{{- end }}
{{- end }}
spec:
selector:
matchLabels:
k8s-app: cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- end }}
{{- with .Values.updateStrategy }}
updateStrategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- if and .Values.prometheus.enabled (not .Values.prometheus.serviceMonitor.enabled) }}
prometheus.io/port: "{{ .Values.prometheus.port }}"
prometheus.io/scrape: "true"
{{- end }}
{{- if .Values.rollOutCiliumPods }}
# ensure pods roll when configmap updates
cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }}
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined"
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined"
{{- if .Values.cgroup.autoMount.enabled }}
container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined"
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined"
{{- end }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- end }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cilium-agent
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.sleepAfterInit }}
command:
- /bin/bash
- -c
- --
args:
- |
while true; do
sleep 30;
done
livenessProbe:
exec:
command:
- "true"
readinessProbe:
exec:
command:
- "true"
{{- else }}
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
{{- with .Values.extraArgs }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
startupProbe:
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
successThreshold: 1
initialDelaySeconds: 5
{{- end }}
livenessProbe:
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec:
command:
- cilium
- status
- --brief
{{- else }}
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
# Starting from Kubernetes 1.20, we are using startupProbe instead
# of this field.
initialDelaySeconds: 120
{{- end }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
timeoutSeconds: 5
readinessProbe:
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec:
command:
- cilium
- status
- --brief
{{- else }}
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
initialDelaySeconds: 5
{{- end }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
timeoutSeconds: 5
{{- end }}
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CILIUM_CLUSTERMESH_CONFIG
value: /var/lib/cilium/clustermesh/
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
divisor: '1'
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if .Values.cni.install }}
lifecycle:
{{- if ne .Values.cni.chainingMode "aws-cni" }}
postStart:
exec:
command:
- "bash"
- "-c"
- |
{{- tpl (.Files.Get "files/agent/poststart-eni.bash") . | nindent 20 }}
{{- end }}
preStop:
exec:
command:
- /cni-uninstall.sh
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }}
ports:
- name: peer-service
containerPort: {{ .Values.hubble.peerService.targetPort }}
hostPort: {{ .Values.hubble.peerService.targetPort }}
protocol: TCP
{{- if .Values.prometheus.enabled }}
- name: prometheus
containerPort: {{ .Values.prometheus.port }}
hostPort: {{ .Values.prometheus.port }}
protocol: TCP
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }}
- name: envoy-metrics
containerPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
hostPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
protocol: TCP
{{- end }}
{{- end }}
{{- if .Values.hubble.metrics.enabled }}
- name: hubble-metrics
containerPort: {{ .Values.hubble.metrics.port }}
hostPort: {{ .Values.hubble.metrics.port }}
protocol: TCP
{{- end }}
{{- end }}
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.ciliumAgent }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
{{- if .Values.authentication.mutual.spire.enabled }}
- name: spire-agent-socket
mountPath: {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
readOnly: false
{{- end }}
{{- if .Values.envoy.enabled }}
- name: envoy-sockets
mountPath: /var/run/cilium/envoy/sockets
readOnly: false
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Unprivileged containers need to mount /proc/sys/net from the host
# to have write access
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
# Unprivileged containers need to mount /proc/sys/kernel from the host
# to have write access
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
{{- end}}
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
- name: bpf-maps
mountPath: /sys/fs/bpf
{{- if .Values.securityContext.privileged }}
mountPropagation: Bidirectional
{{- else }}
# Unprivileged containers can't set mount propagation to bidirectional
# in this case we will mount the bpf fs from an init container that
# is privileged and set the mount propagation from host to container
# in Cilium.
mountPropagation: HostToContainer
{{- end}}
{{- end }}
{{- if not (contains "/run/cilium/cgroupv2" .Values.cgroup.hostRoot) }}
# Check for duplicate mounts before mounting
- name: cilium-cgroup
mountPath: {{ .Values.cgroup.hostRoot }}
{{- end}}
- name: cilium-run
mountPath: /var/run/cilium
- name: etc-cni-netd
mountPath: {{ .Values.cni.hostConfDirMountPath }}
{{- if .Values.etcd.enabled }}
- name: etcd-config-path
mountPath: /var/lib/etcd-config
readOnly: true
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name: etcd-secrets
mountPath: /var/lib/etcd-secrets
readOnly: true
{{- end }}
{{- end }}
- name: clustermesh-secrets
mountPath: /var/lib/cilium/clustermesh
readOnly: true
{{- if .Values.ipMasqAgent.enabled }}
- name: ip-masq-agent
mountPath: /etc/config
readOnly: true
{{- end }}
{{- if .Values.cni.configMap }}
- name: cni-configuration
mountPath: {{ .Values.cni.confFileMountPath }}
readOnly: true
{{- end }}
# Needed to be able to load kernel modules
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name: cilium-ipsec-secrets
mountPath: {{ .Values.encryption.ipsec.mountPath | default .Values.encryption.mountPath }}
{{- end }}
{{- if .Values.kubeConfigPath }}
- name: kube-config
mountPath: {{ .Values.kubeConfigPath }}
readOnly: true
{{- end }}
{{- if .Values.bgp.enabled }}
- name: bgp-config-path
mountPath: /var/lib/cilium/bgp
readOnly: true
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name: hubble-tls
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
{{- end }}
- name: tmp
mountPath: /tmp
{{- range .Values.extraHostPathMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
readOnly: {{ .readOnly }}
{{- if .mountPropagation }}
mountPropagation: {{ .mountPropagation }}
{{- end }}
{{- end }}
{{- if .Values.hubble.export.dynamic.enabled }}
- name: hubble-flowlog-config
mountPath: /flowlog-config
readOnly: true
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.monitor.enabled }}
- name: cilium-monitor
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/bash
- -c
- --
args:
- |-
for i in {1..5}; do \
[ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\
done; \
cilium-dbg monitor
{{- range $type := .Values.monitor.eventTypes -}}
{{ " " }}--type={{ $type }}
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: cilium-run
mountPath: /var/run/cilium
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.monitor.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 6 }}
{{- end }}
initContainers:
- name: config
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- cilium-dbg
- build-config
{{- if (not (kindIs "invalid" .Values.daemon.configSources)) }}
- "--source={{.Values.daemon.configSources}}"
{{- end }}
{{- if (not (kindIs "invalid" .Values.daemon.allowedConfigOverrides)) }}
- "--allow-config-keys={{.Values.daemon.allowedConfigOverrides}}"
{{- end }}
{{- if (not (kindIs "invalid" .Values.daemon.blockedConfigOverrides)) }}
- "--deny-config-keys={{.Values.daemon.blockedConfigOverrides}}"
{{- end }}
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
- name: tmp
mountPath: /tmp
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.cgroup.autoMount.enabled }}
# Required to mount cgroup2 filesystem on the underlying Kubernetes node.
# We use nsenter command with host's cgroup and mount namespaces enabled.
- name: mount-cgroup
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: CGROUP_ROOT
value: {{ .Values.cgroup.hostRoot }}
- name: BIN_PATH
value: {{ .Values.cni.binPath }}
{{- with .Values.cgroup.autoMount.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh and mount that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-mount /hostbin/cilium-mount;
nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
rm /hostbin/cilium-mount
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.mountCgroup }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end}}
- name: apply-sysctl-overwrites
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
env:
- name: BIN_PATH
value: {{ .Values.cni.binPath }}
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
rm /hostbin/cilium-sysctlfix
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.applySysctlOverwrites }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end}}
{{- end }}
{{- if and .Values.bpf.autoMount.enabled (not .Values.securityContext.privileged) }}
# Mount the bpf fs if it is not mounted. We will perform this task
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
command:
- /bin/bash
- -c
- --
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
{{- end }}
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: wait-for-node-init
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
command:
- sh
- -c
- |
until test -s {{ (print "/tmp/cilium-bootstrap.d/" (.Values.nodeinit.bootstrapFile | base)) | quote }}; do
echo "Waiting on node-init to run...";
sleep 1;
done
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: cilium-bootstrap-file-dir
mountPath: "/tmp/cilium-bootstrap.d"
{{- end }}
- name: clean-cilium-state
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-state
optional: true
- name: CILIUM_BPF_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-bpf-state
optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
name: cilium-config
key: write-cni-conf-when-ready
optional: true
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities:
add:
{{- with .Values.securityContext.capabilities.cleanCiliumState }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end}}
volumeMounts:
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
- name: bpf-maps
mountPath: /sys/fs/bpf
{{- end }}
# Required to mount cgroup filesystem from the host to cilium agent pod
- name: cilium-cgroup
mountPath: {{ .Values.cgroup.hostRoot }}
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.initResources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if and .Values.waitForKubeProxy (and (ne $kubeProxyReplacement "strict") (ne $kubeProxyReplacement "true")) }}
- name: wait-for-kube-proxy
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.initResources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
securityContext:
privileged: true
command:
- bash
- -c
- |
while true
do
if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'iptables-nft-save -t mangle'"
exit 0
fi
if ip6tables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'ip6tables-nft-save -t mangle'"
exit 0
fi
if iptables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "Found KUBE-PROXY-CANARY iptables rule in 'iptables-legacy-save"
exit 0
fi
if ip6tables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "KUBE-PROXY-CANARY iptables rule in 'ip6tables-legacy-save'"
exit 0
fi
echo "Waiting for kube-proxy to create iptables rules...";
sleep 1;
done
terminationMessagePolicy: FallbackToLogsOnError
{{- end }} # wait-for-kube-proxy
{{- if .Values.cni.install }}
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name: install-cni-binaries
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- "/install-plugin.sh"
{{- with .Values.cni.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
capabilities:
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: cni-path
mountPath: /host/opt/cni/bin
{{- end }} # .Values.cni.install
restartPolicy: Always
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }}
automountServiceAccountToken: {{ .Values.serviceAccounts.cilium.automount }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
hostNetwork: true
{{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }}
# In managed etcd mode, Cilium must be able to resolve the DNS name of
# the etcd service
dnsPolicy: ClusterFirstWithHostNet
{{- else if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if and .Values.clustermesh.config.enabled (not (and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled )) }}
hostAliases:
{{- range $cluster := .Values.clustermesh.config.clusters }}
{{- range $ip := $cluster.ips }}
- ip: {{ $ip }}
hostnames: [ "{{ $cluster.name }}.{{ $.Values.clustermesh.config.domain }}" ]
{{- end }}
{{- end }}
{{- end }}
volumes:
# For sharing configuration between the "config" initContainer and the agent
- name: tmp
emptyDir: {}
# To keep state between restarts / upgrades
- name: cilium-run
hostPath:
path: {{ .Values.daemon.runPath }}
type: DirectoryOrCreate
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
# To keep state between restarts / upgrades for bpf maps
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
{{- end }}
{{- if .Values.cgroup.autoMount.enabled }}
# To mount cgroup2 filesystem on the host
- name: hostproc
hostPath:
path: /proc
type: Directory
{{- end }}
# To keep state between restarts / upgrades for cgroup2 filesystem
- name: cilium-cgroup
hostPath:
path: {{ .Values.cgroup.hostRoot}}
type: DirectoryOrCreate
# To install cilium cni plugin in the host
- name: cni-path
hostPath:
path: {{ .Values.cni.binPath }}
type: DirectoryOrCreate
# To install cilium cni configuration in the host
- name: etc-cni-netd
hostPath:
path: {{ .Values.cni.confPath }}
type: DirectoryOrCreate
# To be able to load kernel modules
- name: lib-modules
hostPath:
path: /lib/modules
# To access iptables concurrently with other processes (e.g. kube-proxy)
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
{{- if .Values.authentication.mutual.spire.enabled }}
- name: spire-agent-socket
hostPath:
path: {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
type: DirectoryOrCreate
{{- end }}
{{- if .Values.envoy.enabled }}
# Sharing socket with Cilium Envoy on the same node by using a host path
- name: envoy-sockets
hostPath:
path: "{{ .Values.daemon.runPath }}/envoy/sockets"
type: DirectoryOrCreate
{{- end }}
{{- if .Values.kubeConfigPath }}
- name: kube-config
hostPath:
path: {{ .Values.kubeConfigPath }}
type: FileOrCreate
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: cilium-bootstrap-file-dir
hostPath:
path: {{ .Values.nodeinit.bootstrapFile | dir | quote }}
type: DirectoryOrCreate
{{- end }}
{{- if .Values.etcd.enabled }}
# To read the etcd config stored in config maps
- name: etcd-config-path
configMap:
name: cilium-config
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
items:
- key: etcd-config
path: etcd.config
# To read the k8s etcd secrets in case the user might want to use TLS
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name: etcd-secrets
secret:
secretName: cilium-etcd-secrets
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
optional: true
{{- end }}
{{- end }}
# To read the clustermesh configuration
- name: clustermesh-secrets
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: cilium-clustermesh
optional: true
# note: items are not explicitly listed here, since the entries of this secret
# depend on the peers configured, and that would cause a restart of all agents
# at every addition/removal. Leaving the field empty makes each secret entry
# to be automatically projected into the volume as a file whose name is the key.
- secret:
name: clustermesh-apiserver-remote-cert
optional: true
items:
- key: tls.key
path: common-etcd-client.key
- key: tls.crt
path: common-etcd-client.crt
{{- if not .Values.tls.caBundle.enabled }}
- key: ca.crt
path: common-etcd-client-ca.crt
{{- else }}
- {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
name: {{ .Values.tls.caBundle.name }}
optional: true
items:
- key: {{ .Values.tls.caBundle.key }}
path: common-etcd-client-ca.crt
{{- end }}
{{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }}
- name: ip-masq-agent
configMap:
name: ip-masq-agent
optional: true
items:
- key: config
path: ip-masq-agent
{{- end }}
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name: cilium-ipsec-secrets
secret:
secretName: {{ .Values.encryption.ipsec.secretName | default .Values.encryption.secretName }}
{{- end }}
{{- if .Values.cni.configMap }}
- name: cni-configuration
configMap:
name: {{ .Values.cni.configMap }}
{{- end }}
{{- if .Values.bgp.enabled }}
- name: bgp-config-path
configMap:
name: bgp-config
{{- end }}
{{- if not .Values.securityContext.privileged }}
- name: host-proc-sys-net
hostPath:
path: /proc/sys/net
type: Directory
- name: host-proc-sys-kernel
hostPath:
path: /proc/sys/kernel
type: Directory
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name: hubble-tls
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: hubble-server-certs
optional: true
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
{{- if not .Values.tls.caBundle.enabled }}
- key: ca.crt
path: client-ca.crt
{{- else }}
- {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
name: {{ .Values.tls.caBundle.name }}
optional: true
items:
- key: {{ .Values.tls.caBundle.key }}
path: client-ca.crt
{{- end }}
{{- end }}
{{- if .Values.hubble.export.dynamic.enabled }}
- name: hubble-flowlog-config
configMap:
name: {{ .Values.hubble.export.dynamic.config.configMapName }}
optional: true
{{- end }}
{{- range .Values.extraHostPathMounts }}
- name: {{ .name }}
hostPath:
path: {{ .hostPath }}
{{- if .hostPathType }}
type: {{ .hostPathType }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}

41
packages/system/cilium/charts/cilium/values.yaml
View File

@@ -146,10 +146,10 @@ rollOutCiliumPods: false
image:
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.15.2"
tag: "v1.15.3"
pullPolicy: "IfNotPresent"
# cilium-digest
digest: "sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746"
digest: "sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0"
useDigest: true
# -- Affinity for cilium-agent.
@@ -1220,9 +1220,9 @@ hubble:
image:
override: ~
repository: "quay.io/cilium/hubble-relay"
tag: "v1.15.2"
tag: "v1.15.3"
# hubble-relay-digest
digest: "sha256:48480053930e884adaeb4141259ff1893a22eb59707906c6d38de2fe01916cb0"
digest: "sha256:b9c6431aa4f22242a5d0d750c621d9d04bdc25549e4fb1116bfec98dd87958a2"
useDigest: true
pullPolicy: "IfNotPresent"
@@ -2178,7 +2178,20 @@ envoy:
labelSelector:
matchLabels:
k8s-app: cilium-envoy
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
k8s-app: cilium
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cilium.io/no-schedule
operator: NotIn
values:
- "true"
# -- Node selector for cilium-envoy.
nodeSelector:
kubernetes.io/os: linux
@@ -2468,15 +2481,15 @@ operator:
image:
override: ~
repository: "quay.io/cilium/operator"
tag: "v1.15.2"
tag: "v1.15.3"
# operator-generic-digest
genericDigest: "sha256:4dd8f67630f45fcaf58145eb81780b677ef62d57632d7e4442905ad3226a9088"
genericDigest: "sha256:c97f23161906b82f5c81a2d825b0646a5aa1dfb4adf1d49cbb87815079e69d61"
# operator-azure-digest
azureDigest: "sha256:568293cebc27c01a39a9341b1b2578ebf445228df437f8b318adbbb2c4db842a"
azureDigest: "sha256:b85a2671a74903c6e9a45e884654bb970b5b8d6a6e20371811a6cc0ad92b2f87"
# operator-aws-digest
awsDigest: "sha256:3f459999b753bfd8626f8effdf66720a996b2c15c70f4e418011d00de33552eb"
awsDigest: "sha256:2b05dc6b88037a5ce05e4030ef616b1f7be9e65083e35abd36a1b66953fd0b6a"
# operator-alibabacloud-digest
alibabacloudDigest: "sha256:e2dafa4c04ab05392a28561ab003c2894ec1fcc3214a4dfe2efd6b7d58a66650"
alibabacloudDigest: "sha256:59d5c0c5782163d38151dd06bae0118144f6c080598901a632c628b1143ccd10"
useDigest: true
pullPolicy: "IfNotPresent"
suffix: ""
@@ -2761,9 +2774,9 @@ preflight:
image:
override: ~
repository: "quay.io/cilium/cilium"
tag: "v1.15.2"
tag: "v1.15.3"
# cilium-digest
digest: "sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746"
digest: "sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0"
useDigest: true
pullPolicy: "IfNotPresent"
@@ -2923,9 +2936,9 @@ clustermesh:
image:
override: ~
repository: "quay.io/cilium/clustermesh-apiserver"
tag: "v1.15.2"
tag: "v1.15.3"
# clustermesh-apiserver-digest
digest: "sha256:478c77371f34d6fe5251427ff90c3912567c69b2bdc87d72377e42a42054f1c2"
digest: "sha256:da4573f8fe4415bdb786c4fdcbc3b518e5a485f930cd4292416eb80800cbd7fc"
useDigest: true
pullPolicy: "IfNotPresent"

15
packages/system/cilium/charts/cilium/values.yaml.tmpl
View File

@@ -2179,7 +2179,20 @@ envoy:
labelSelector:
matchLabels:
k8s-app: cilium-envoy
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
k8s-app: cilium
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cilium.io/no-schedule
operator: NotIn
values:
- "true"
# -- Node selector for cilium-envoy.
nodeSelector:
kubernetes.io/os: linux

4
packages/system/cilium/values.yaml
View File

@@ -3,11 +3,10 @@ cilium:
enabled: false
externalIPs:
enabled: true
tunnel: disabled
autoDirectNodeRoutes: false
kubeProxyReplacement: strict
bpf:
masquerade: true
masquerade: false
loadBalancer:
algorithm: maglev
cgroup:
@@ -25,3 +24,4 @@ cilium:
configMap: cni-configuration
routingMode: native
enableIPv4Masquerade: false
enableIdentityMark: false