From 4c220bb44352e7ac8939863d4eb09189d2f173eb Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Thu, 3 Apr 2025 18:37:47 +0200
Subject: [PATCH] Upd: Cilium to v1.17.2
Signed-off-by: Andrei Kvapil
---
 .../system/cilium/charts/cilium/Chart.yaml | 4 +-
 .../system/cilium/charts/cilium/README.md | 26 +++++----
 .../configmap/bootstrap-config.yaml | 11 +++-
 .../templates/cilium-agent/daemonset.yaml | 6 +-
 .../templates/cilium-agent/rolebinding.yaml | 15 +++++
 .../templates/cilium-agent/service.yaml | 3 +
 .../cilium/templates/cilium-configmap.yaml | 43 ++++++++------
 .../templates/cilium-operator/role.yaml | 6 ++
 .../cilium-operator/rolebinding.yaml | 27 +++++----
 .../templates/hubble/servicemonitor.yaml | 2 +-
 .../templates/spire/server/service.yaml | 11 ++--
 .../templates/spire/server/statefulset.yaml | 11 ++--
 .../cilium/charts/cilium/values.schema.json | 17 ++++++
 .../system/cilium/charts/cilium/values.yaml | 57 ++++++++++++-------
 .../cilium/charts/cilium/values.yaml.tmpl | 17 +++++-
 .../system/cilium/images/cilium/Dockerfile | 2 +-
 16 files changed, 176 insertions(+), 82 deletions(-)
diff --git a/packages/system/cilium/charts/cilium/Chart.yaml b/packages/system/cilium/charts/cilium/Chart.yaml
index 517e8007..b301aa4d 100644
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -79,7 +79,7 @@ annotations:
 Pod IP Pool\n
 description: |\n
 CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.17.1
+appVersion: 1.17.2
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
@@ -95,4 +95,4 @@ kubeVersion: '>= 1.21.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.17.1
+version: 1.17.2
diff --git a/packages/system/cilium/charts/cilium/README.md b/packages/system/cilium/charts/cilium/README.md index 0f0ec17f..cab29347 100644 --- a/packages/system/cilium/charts/cilium/README.md +++ b/packages/system/cilium/charts/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.17.1](https://img.shields.io/badge/Version-1.17.1-informational?style=flat-square) ![AppVersion: 1.17.1](https://img.shields.io/badge/AppVersion-1.17.1-informational?style=flat-square) +![Version: 1.17.2](https://img.shields.io/badge/Version-1.17.2-informational?style=flat-square) ![AppVersion: 1.17.2](https://img.shields.io/badge/AppVersion-1.17.2-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -85,7 +85,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | | authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| -| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:a5d0ce49aa801d475da48f8cb163c354ab95cab073cd3c138bd458fc8257fbf1","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:498a000f370d8c37927118ed80afe8adc38d1edcbfc071627d17b25c88efcab0","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.37.0","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -131,6 +131,8 @@ contributors across the globe, there is almost always someone available to help. | bpf.ctTcpMax | int | `524288` | Configure the maximum number of entries in the TCP connection tracking table. | | bpf.datapathMode | string | `veth` | Mode for Pod devices for the core datapath (veth, netkit, netkit-l2, lb-only) | | bpf.disableExternalIPMitigation | bool | `false` | Disable ExternalIP mitigation (CVE-2020-8554) | +| bpf.distributedLRU | object | `{"enabled":false}` | Control to use a distributed per-CPU backend memory for the core BPF LRU maps which Cilium uses. This improves performance significantly, but it is also recommended to increase BPF map sizing along with that. | +| bpf.distributedLRU.enabled | bool | `false` | Enable distributed LRU backend memory. For compatibility with existing installations it is off by default. | | bpf.enableTCX | bool | `true` | Attach endpoint programs using tcx instead of legacy tc hooks on supported kernels. | | bpf.events | object | `{"default":{"burstLimit":null,"rateLimit":null},"drop":{"enabled":true},"policyVerdict":{"enabled":true},"trace":{"enabled":true}}` | Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble. Helm configuration for BPF events map rate limiting is experimental and might change in upcoming releases. | | bpf.events.default | object | `{"burstLimit":null,"rateLimit":null}` | Default settings for all types of events except dbg and pcap. | 
@@ -195,7 +197,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | | clustermesh.apiserver.healthPort | int | `9880` | TCP port for the clustermesh-apiserver health API. | -| clustermesh.apiserver.image | object | `{"digest":"sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.1","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.17.2","useDigest":true}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `true` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -375,7 +377,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.httpRetryCount | int | `3` | Maximum number of retries for each HTTP request | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:377c78c13d2731f3720f931721ee309159e782d882251709cb0fac3b42c03f4b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211","useDigest":true}` | Envoy container image. | | envoy.initialFetchTimeoutSeconds | int | `30` | Time in seconds after which the initial fetch on an xDS stream is considered timed out | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | 
@@ -392,6 +394,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.podLabels | object | `{}` | Labels to be added to envoy pods | | envoy.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-envoy pods. | | envoy.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers | +| envoy.policyRestoreTimeoutDuration | string | `nil` | Max duration to wait for endpoint policies to be restored on restart. Default "3m". | | envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. | | envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. | | envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy | 
@@ -515,7 +518,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.1","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.17.2","useDigest":true}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -582,7 +585,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. | | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. | -| hubble.ui.backend.image | object | `{"digest":"sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.1","useDigest":true}` | Hubble-ui backend image. | +| hubble.ui.backend.image | object | `{"digest":"sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.2","useDigest":true}` | Hubble-ui backend image. | | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | 
@@ -592,7 +595,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. | | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. | -| hubble.ui.frontend.image | object | `{"digest":"sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.1","useDigest":true}` | Hubble-ui frontend image. | +| hubble.ui.frontend.image | object | `{"digest":"sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.2","useDigest":true}` | Hubble-ui frontend image. | | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. | | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 | 
@@ -622,7 +625,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd`, `kvstore` or `doublewrite-readkvstore` / `doublewrite-readcrd` for migrating between identity backends). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.1","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.2","useDigest":true}` | Agent container image. | | imagePullSecrets | list | `[]` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -759,7 +762,7 @@ contributors across the globe, there is almost always someone available to help. | operator.hostNetwork | bool | `true` | HostNetwork setting | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c","awsDigest":"sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6","azureDigest":"sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b","genericDigest":"sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.1","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe","awsDigest":"sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c","azureDigest":"sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0","genericDigest":"sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.17.2","useDigest":true}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -809,7 +812,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.1","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.17.2","useDigest":true}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | 
@@ -883,7 +886,7 @@ contributors across the globe, there is almost always someone available to help. | tls.caBundle.useSecret | bool | `false` | Use a Secret instead of a ConfigMap. | | tls.readSecretsOnlyFromSecretsNamespace | string | `nil` | Configure if the Cilium Agent will only look in `tls.secretsNamespace` for CiliumNetworkPolicy relevant Secrets. If false, the Cilium Agent will be granted READ (GET/LIST/WATCH) access to _all_ secrets in the entire cluster. This is not recommended and is included for backwards compatibility. This value obsoletes `tls.secretsBackend`, with `true` == `local` in the old setting, and `false` == `k8s`. | | tls.secretSync | object | `{"enabled":null}` | Configures settings for synchronization of TLS Interception Secrets | -| tls.secretSync.enabled | string | `nil` | Enable synchronization of Secrets for TLS Interception. If disabled and tls.secretsBackend is set to 'k8s', then secrets will be read directly by the agent. | +| tls.secretSync.enabled | string | `nil` | Enable synchronization of Secrets for TLS Interception. If disabled and tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent. | | tls.secretsBackend | string | `nil` | This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). This value is DEPRECATED and will be removed in a future version. Use `tls.readSecretsOnlyFromSecretsNamespace` instead. Possible values: - local - k8s | | tls.secretsNamespace | object | `{"create":true,"name":"cilium-secrets"}` | Configures where secrets used in CiliumNetworkPolicies will be looked for | | tls.secretsNamespace.create | bool | `true` | Create secrets namespace for TLS Interception secrets. | 
@@ -891,6 +894,7 @@ contributors across the globe, there is almost always someone available to help. | tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | tunnelPort | int | Port 8472 for VXLAN, Port 6081 for Geneve | Configure VXLAN and Geneve tunnel port. | | tunnelProtocol | string | `"vxlan"` | Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values: - "" - vxlan - geneve | +| tunnelSourcePortRange | string | 0-0 to let the kernel driver decide the range | Configure VXLAN and Geneve tunnel source port range hint. | | updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | Cilium agent update strategy | | upgradeCompatibility | string | `nil` | upgradeCompatibility helps users upgrading to ensure that the configMap for Cilium will not change critical values to ensure continued operation This flag is not required for new installations. For example: '1.7', '1.8', '1.9' | | vtep.cidr | string | `""` | A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24" | diff --git a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml index b6438cb6..3a26b3c2 100644 --- a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml +++ b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.yaml 
@@ -7,8 +7,15 @@ staticResources:
 - name: "envoy-prometheus-metrics-listener"
 address:
 socketAddress:
- address: "0.0.0.0"
+ address: {{ .Values.ipv4.enabled | ternary "0.0.0.0" "::" | quote }}
 portValue: {{ .Values.envoy.prometheus.port }}
+ {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+ additionalAddresses:
+ - address:
+ socketAddress:
+ address: "::"
+ portValue: {{ .Values.envoy.prometheus.port }}
+ {{- end }}
 filterChains:
 - filters:
 - name: "envoy.filters.network.http_connection_manager"
@@ -289,7 +296,7 @@ overloadManager:
 applicationLogConfig:
 logFormat:
 {{- if .Values.envoy.log.format_json }}
- jsonFormat: "{{ .Values.envoy.log.format_json | toJson }}"
+ jsonFormat: {{ .Values.envoy.log.format_json | toJson }}
 {{- else }}
 textFormat: "{{ .Values.envoy.log.format }}"
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
index efe748cc..a593db28 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -232,7 +232,7 @@ spec:
 resources:
 {{- toYaml . | trim | nindent 10 }}
 {{- end }}
- {{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }}
+ {{- if or .Values.prometheus.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) }}
 ports:
 - name: peer-service
 containerPort: {{ .Values.hubble.peerService.targetPort }}
@@ -364,7 +364,7 @@ spec:
 mountPath: {{ .Values.kubeConfigPath }}
 readOnly: true
 {{- end }}
- {{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
+ {{- if and .Values.hubble.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) .Values.hubble.metrics.tls.enabled }}
 - name: hubble-metrics-tls
 mountPath: /var/lib/cilium/tls/hubble-metrics
 readOnly: true
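Review bot: In the dual-stack branch added under `portValue`, the listener binds `0.0.0.0` as its primary address and `::` as an additional address on the same port, and whether those two wildcard binds coexist depends on the `::` socket being IPv6-only, which this hunk does not state. Envoy's `SocketAddress` has an `ipv4_compat` field for the single-socket case, so one `::` listener with `ipv4_compat: true` would cover both families without the `additionalAddresses` block; if the two-address form is kept, a comment such as `# dual-stack: the :: address must stay v6-only so it does not collide with the 0.0.0.0 bind` would document the expectation. When only IPv6 is enabled the `ternary` already yields a single `::` bind, so only the both-enabled case is affected.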
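Review bot: The compound condition `(or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled)` is now spelled out in the three daemonset.yaml hunks (-232, -364, -999) and again in cilium-configmap.yaml at -941, so the next metrics mode will have to be added in four places. The chart already uses named helpers such as `include "envoyDaemonSetEnabled"`, so a `{{- define "hubble.metricsEnabled" -}}` helper that renders `true` or nothing, referenced as `{{- if include "hubble.metricsEnabled" . }}`, would keep the four sites in step. The `ports:` guard at -232 also does not check `.Values.hubble.enabled` while the two volume-mount guards do; that asymmetry predates this change, but the rewrite is a natural place to align them if it is not intentional. The enclosing container spec starts and ends outside these hunks.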
@@ -999,7 +999,7 @@ spec:
 path: client-ca.crt
 {{- end }}
 {{- end }}
- {{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.tls.enabled }}
+ {{- if and .Values.hubble.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) .Values.hubble.metrics.tls.enabled }}
 - name: hubble-metrics-tls
 projected:
 # note: the leading zero means this number is in octal representation: do not remove it
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
index 01404e5f..87ffcc94 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
@@ -39,6 +39,9 @@ metadata:
 {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -62,6 +65,9 @@ metadata:
 {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -85,6 +91,9 @@ metadata:
 {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -104,6 +113,9 @@ metadata:
 namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }}
 labels:
 app.kubernetes.io/part-of: cilium
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
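Review bot: The `{{- with .Values.commonLabels }}` block is rendered after the fixed `app.kubernetes.io/part-of: cilium` entry, so a commonLabels map that also carries `app.kubernetes.io/part-of` produces a duplicate mapping key in the rendered RoleBinding, and YAML loaders handle that inconsistently (some take the last value, some reject the document), so the outcome would vary by tooling. Either strip the reserved key when merging, `{{- toYaml (omit . "app.kubernetes.io/part-of") | nindent 4 }}`, or document in values.yaml that commonLabels must not set it. The same pattern is added in the other four bindings in this file, in cilium-agent/service.yaml, cilium-operator/role.yaml and cilium-operator/rolebinding.yaml.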
@@ -123,6 +135,9 @@ metadata:
 namespace: {{ .Values.tls.secretsNamespace.name | quote }}
 labels:
 app.kubernetes.io/part-of: cilium
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml
index ecccdbe9..8f89eba6 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml
@@ -46,6 +46,9 @@ metadata:
 k8s-app: cilium
 app.kubernetes.io/name: cilium-agent
 app.kubernetes.io/part-of: cilium
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 clusterIP: None
 type: ClusterIP
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
index aa461187..07754b67 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
@@ -403,7 +403,7 @@ data:
 {{- if .Values.bpf.authMapMax }}
 # bpf-auth-map-max specifies the maximum number of entries in the auth map
- bpf-auth-map-max: {{ .Values.bpf.authMapMax | quote }}
+ bpf-auth-map-max: "{{ .Values.bpf.authMapMax | int }}"
 {{- end }}
 {{- if or $bpfCtTcpMax $bpfCtAnyMax }}
 # bpf-ct-global-*-max specifies the maximum number of connections
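Review bot: `| int` fixes the float rendering that `quote` gave large numeric values, but Sprig's `int` returns 0 for anything it cannot parse, so a non-numeric override such as `--set bpf.authMapMax=1Mi` (constructed example) passes the `{{- if .Values.bpf.authMapMax }}` guard and renders `bpf-auth-map-max: "0"` with no template error. An explicit 0 never reaches the guarded line, so a zero result inside the guard can only mean failed coercion, and a check such as `{{- if eq (.Values.bpf.authMapMax | int) 0 }}{{ fail "bpf.authMapMax must be an integer" }}{{- end }}` would turn it into an install-time error. The same coercion is applied to the seven keys in the -419 hunk, where it also covers `bpf.ctAccounting`; if that value is a boolean, as its name suggests, it now renders as `1`/`0` rather than `true`/`false`, which is worth confirming against what the agent flag accepts.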
@@ -419,34 +419,34 @@ data:
 # For users upgrading from Cilium 1.2 or earlier, to minimize disruption
 # during the upgrade process, set bpf-ct-global-tcp-max to 1000000.
 {{- if $bpfCtTcpMax }}
- bpf-ct-global-tcp-max: {{ $bpfCtTcpMax | quote }}
+ bpf-ct-global-tcp-max: "{{ $bpfCtTcpMax | int }}"
 {{- end }}
 {{- if $bpfCtAnyMax }}
- bpf-ct-global-any-max: {{ $bpfCtAnyMax | quote }}
+ bpf-ct-global-any-max: "{{ $bpfCtAnyMax | int }}"
 {{- end }}
 {{- end }}
 {{- if .Values.bpf.ctAccounting }}
- bpf-conntrack-accounting: "{{ .Values.bpf.ctAccounting }}"
+ bpf-conntrack-accounting: "{{ .Values.bpf.ctAccounting | int }}"
 {{- end }}
 {{- if .Values.bpf.natMax }}
 # bpf-nat-global-max specified the maximum number of entries in the
 # BPF NAT table.
- bpf-nat-global-max: "{{ .Values.bpf.natMax }}"
+ bpf-nat-global-max: "{{ .Values.bpf.natMax | int }}"
 {{- end }}
 {{- if .Values.bpf.neighMax }}
 # bpf-neigh-global-max specified the maximum number of entries in the
 # BPF neighbor table.
- bpf-neigh-global-max: "{{ .Values.bpf.neighMax }}"
+ bpf-neigh-global-max: "{{ .Values.bpf.neighMax | int }}"
 {{- end }}
 {{- if hasKey .Values.bpf "policyMapMax" }}
 # bpf-policy-map-max specifies the maximum number of entries in endpoint
 # policy map (per endpoint)
- bpf-policy-map-max: "{{ .Values.bpf.policyMapMax }}"
+ bpf-policy-map-max: "{{ .Values.bpf.policyMapMax | int }}"
 {{- end }}
 {{- if hasKey .Values.bpf "lbMapMax" }}
 # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
 # backend and affinity maps.
- bpf-lb-map-max: "{{ .Values.bpf.lbMapMax }}"
+ bpf-lb-map-max: "{{ .Values.bpf.lbMapMax | int }}"
 {{- end }}
 {{- if hasKey .Values.bpf "lbExternalClusterIP" }}
 bpf-lb-external-clusterip: {{ .Values.bpf.lbExternalClusterIP | quote }}
@@ -461,6 +461,7 @@ data:
 bpf-lb-mode-annotation: {{ .Values.bpf.lbModeAnnotation | quote }}
 {{- end }}
+ bpf-distributed-lru: {{ .Values.bpf.distributedLRU.enabled | quote }}
 bpf-events-drop-enabled: {{ .Values.bpf.events.drop.enabled | quote }}
 bpf-events-policy-verdict-enabled: {{ .Values.bpf.events.policyVerdict.enabled | quote }}
 bpf-events-trace-enabled: {{ .Values.bpf.events.trace.enabled | quote }}
@@ -513,6 +514,9 @@ data:
 {{- if .Values.tunnelPort }}
 tunnel-port: {{ .Values.tunnelPort | quote }}
 {{- end }}
+{{- if .Values.tunnelSourcePortRange }}
+ tunnel-source-port-range: {{ .Values.tunnelSourcePortRange | quote }}
+{{- end }}
 {{- if .Values.serviceNoBackendResponse }}
 service-no-backend-response: "{{ .Values.serviceNoBackendResponse }}"
@@ -927,9 +931,8 @@ data:
 operator-api-serve-addr: {{ $defaultOperatorApiServeAddr | quote }}
 {{- end }}
-{{- if .Values.hubble.enabled }}
- # Enable Hubble gRPC service.
 enable-hubble: {{ .Values.hubble.enabled | quote }}
+{{- if .Values.hubble.enabled }}
 # UNIX domain socket for Hubble server to listen to.
 hubble-socket-path: {{ .Values.hubble.socketPath | quote }}
 {{- if hasKey .Values.hubble "eventQueueSize" }}
@@ -941,7 +944,7 @@ data:
 # Capacity of the buffer to store recent events.
 hubble-event-buffer-capacity: {{ .Values.hubble.eventBufferCapacity | quote }}
 {{- end }}
-{{- if .Values.hubble.metrics.enabled }}
+{{- if or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled}}
 # Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this
 # field is not set.
 hubble-metrics-server: ":{{ .Values.hubble.metrics.port }}"
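Review bot: The rewritten guard `{{- if or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled}}` drops the space before the closing `}}`, unlike every other directive in this file; `{{- if or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled }}` keeps the file consistent. The block this guard opens continues past the end of the hunk.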
@@ -953,14 +956,20 @@ data:
 hubble-metrics-server-tls-client-ca-files: /var/lib/cilium/tls/hubble-metrics/client-ca.crt
 {{- end }}
 {{- end }}
+{{- end }}
+{{- if .Values.hubble.metrics.enabled }}
 # A space separated list of metrics to enable. See [0] for available metrics.
 #
 # https://github.com/cilium/hubble/blob/master/Documentation/metrics.md
 hubble-metrics:
 {{- range .Values.hubble.metrics.enabled }} {{.}}
+ {{- end}}
+{{- if .Values.hubble.metrics.dynamic.enabled }}
+ hubble-dynamic-metrics-config-path: /dynamic-metrics-config/dynamic-metrics.yaml
 {{- end }}
 enable-hubble-open-metrics: {{ .Values.hubble.metrics.enableOpenMetrics | quote }}
 {{- end }}
+
 {{- if .Values.hubble.redact }}
 {{- if eq .Values.hubble.redact.enabled true }}
 # Enables hubble redact capabilities
@@ -1004,10 +1013,6 @@ data:
 hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml
 {{- end }}
 {{- end }}
-{{- if .Values.hubble.metrics.dynamic.enabled }}
- hubble-dynamic-metrics-config-path: /dynamic-metrics-config/dynamic-metrics.yaml
- hubble-metrics-server: ":{{ .Values.hubble.metrics.port }}"
-{{- end }}
 {{- if hasKey .Values.hubble "listenAddress" }}
 # An additional address for Hubble server to listen to (e.g. ":4244").
 hubble-listen-address: {{ .Values.hubble.listenAddress | quote }}
@@ -1041,8 +1046,8 @@ data:
 {{- else }}
 ipam: {{ $ipam | quote }}
 {{- end }}
-{{- if hasKey .Values.ipam "multiPoolPreAllocation" }}
- ipam-multi-pool-pre-allocation: {{ .Values.ipam.multiPoolPreAllocation }}
+{{- if .Values.ipam.multiPoolPreAllocation }}
+ ipam-multi-pool-pre-allocation: {{ .Values.ipam.multiPoolPreAllocation | quote }}
 {{- end }}
 {{- if .Values.ipam.ciliumNodeUpdateRate }}
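Review bot: As this hunk nests it, `hubble-dynamic-metrics-config-path` is only emitted when `.Values.hubble.metrics.enabled` is also non-empty: the added `{{- if .Values.hubble.metrics.dynamic.enabled }}` sits between the `{{- end}}` that closes the `range` and the context `{{- end }}` / `enable-hubble-open-metrics` lines, all of which remain inside the `{{- if .Values.hubble.metrics.enabled }}` opened a few lines above. The block removed at -1004 emitted the config path whenever dynamic metrics were enabled, so a dynamic-only configuration would now start the metrics server (via the `or` guard at -941) but never receive the config path; confirm this is intended, and if not, close the static block right after the range's `{{- end}}` and move the dynamic `if`/`end` pair outside it. The added `{{- end}}` also lacks the space before `}}` used elsewhere in the file.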
@@ -1335,6 +1340,10 @@ data: external-envoy-proxy: {{ include "envoyDaemonSetEnabled" . | quote }} envoy-base-id: {{ .Values.envoy.baseID | quote }} +{{- if .Values.envoy.policyRestoreTimeoutDuration }} + envoy-policy-restore-timeout: {{ .Values.envoy.policyRestoreTimeoutDuration | quote }} +{{- end }} + {{- if .Values.envoy.log.path }} envoy-log: {{ .Values.envoy.log.path | quote }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml index 83d42480..8f7acd9f 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml @@ -41,6 +41,9 @@ metadata: {{- end }} labels: app.kubernetes.io/part-of: cilium + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} rules: - apiGroups: - "" @@ -66,6 +69,9 @@ metadata: {{- end }} labels: app.kubernetes.io/part-of: cilium + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} rules: - apiGroups: - "" diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml index 8e866e59..c77e39e9 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml 
@@ -7,24 +7,23 @@ kind: RoleBinding metadata: name: cilium-operator-ingress-secrets namespace: {{ .Values.ingressController.secretsNamespace.name | quote }} - {{- with .Values.commonLabels }} labels: + app.kubernetes.io/part-of: cilium + {{- with .Values.commonLabels }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} {{- with .Values.operator.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} - labels: - app.kubernetes.io/part-of: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cilium-operator-ingress-secrets subjects: - - kind: ServiceAccount - name: {{ .Values.serviceAccounts.operator.name | quote }} - namespace: {{ include "cilium.namespace" . }} +- kind: ServiceAccount + name: {{ .Values.serviceAccounts.operator.name | quote }} + namespace: {{ include "cilium.namespace" . }} {{- end }} {{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.sync .Values.gatewayAPI.secretsNamespace.name }} @@ -34,12 +33,15 @@ kind: RoleBinding metadata: name: cilium-operator-gateway-secrets namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }} + labels: + app.kubernetes.io/part-of: cilium + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.operator.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} - labels: - app.kubernetes.io/part-of: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -57,12 +59,15 @@ kind: RoleBinding metadata: name: cilium-operator-tlsinterception-secrets namespace: {{ .Values.tls.secretsNamespace.name | quote }} + labels: + app.kubernetes.io/part-of: cilium + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.operator.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} - labels: - app.kubernetes.io/part-of: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
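Review bot: The `subjects` entry in the `@@ -7,24 +7,23 @@` hunk is re-indented from an indented sequence (`  - kind: ServiceAccount`) to a flush one (`- kind: ServiceAccount`); both are valid YAML, but the `subjects` blocks of the other two RoleBindings in this file lie outside the shown hunks, so confirm they use the same sequence style or the file ends up mixing both. The label restructuring itself is sound: `labels:` now holds `app.kubernetes.io/part-of` and `commonLabels` in one mapping instead of two separately emitted keys.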
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml
index 1f4eccd5..1f3717fa 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.hubble.enabled .Values.hubble.metrics.enabled .Values.hubble.metrics.serviceMonitor.enabled }}
+{{- if and .Values.hubble.enabled (or .Values.hubble.metrics.enabled .Values.hubble.metrics.dynamic.enabled) .Values.hubble.metrics.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml
index 376bb628..002863bc 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml
@@ -4,10 +4,13 @@ kind: Service
 metadata:
 name: spire-server
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
- {{- with .Values.commonLabels }}
 labels:
+ {{- with .Values.commonLabels }}
 {{- toYaml . | nindent 4 }}
- {{- end }}
+ {{- end }}
+ {{- with .Values.authentication.mutual.spire.install.server.service.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- if or .Values.authentication.mutual.spire.install.server.service.annotations .Values.authentication.mutual.spire.annotations }}
 annotations:
 {{- with .Values.authentication.mutual.spire.annotations }}
@@ -17,10 +20,6 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
- {{- with .Values.authentication.mutual.spire.install.server.service.labels }}
- labels:
- {{- toYaml . | nindent 8 }}
- {{- end }}
 spec:
 type: {{ .Values.authentication.mutual.spire.install.server.service.type }}
 ports:
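Review bot: In the spire-server Service hunk `@@ -4,10 +4,13 @@` the `labels:` key is now rendered unconditionally while both entries beneath it are `with` blocks, so with neither `commonLabels` nor `authentication.mutual.spire.install.server.service.labels` set the manifest contains a bare `labels:` followed by the next key, i.e. a YAML null. The API server tolerates a null `metadata.labels`, so this is a rendering nit rather than a failure; if you want the manifest clean, wrap the key in `{{- if or .Values.commonLabels .Values.authentication.mutual.spire.install.server.service.labels }}` … `{{- end }}`. The StatefulSet hunk on line 26 does not have this issue because `app: spire-server` is always present under `labels:`.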
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
index b515eadf..3b243fc8 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
@@ -4,10 +4,6 @@ kind: StatefulSet
 metadata:
 name: spire-server
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
- {{- with .Values.commonLabels }}
- labels:
- {{- toYaml . | nindent 4 }}
- {{- end }}
 {{- if or .Values.authentication.mutual.spire.install.server.annotations .Values.authentication.mutual.spire.annotations }}
 annotations:
 {{- with .Values.authentication.mutual.spire.annotations }}
@@ -19,9 +15,12 @@ metadata:
 {{- end }}
 labels:
 app: spire-server
- {{- with .Values.authentication.mutual.spire.install.server.labels }}
+ {{- with .Values.commonLabels }}
 {{- toYaml . | nindent 4 }}
- {{- end }}
+ {{- end }}
+ {{- with .Values.authentication.mutual.spire.install.server.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 replicas: 1
 selector:
diff --git a/packages/system/cilium/charts/cilium/values.schema.json b/packages/system/cilium/charts/cilium/values.schema.json
index 634e6fc8..b84366a1 100644
--- a/packages/system/cilium/charts/cilium/values.schema.json
+++ b/packages/system/cilium/charts/cilium/values.schema.json
@@ -519,6 +519,14 @@
 "disableExternalIPMitigation": {
 "type": "boolean"
 },
+ "distributedLRU": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
 "enableTCX": {
 "type": "boolean"
 },
@@ -2110,6 +2118,12 @@
 },
 "type": "object"
 },
+ "policyRestoreTimeoutDuration": {
+ "type": [
+ "null",
+ "string"
+ ]
+ },
 "priorityClassName": {
 "type": [
 "null",
@@ -5462,6 +5476,9 @@
 "tunnelProtocol": {
 "type": "string"
 },
+ "tunnelSourcePortRange": {
+ "type": "string"
+ },
 "updateStrategy": {
 "properties": {
 "rollingUpdate": {
diff --git a/packages/system/cilium/charts/cilium/values.yaml b/packages/system/cilium/charts/cilium/values.yaml
index 0668966f..8a84dfe8 100644
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -191,10 +191,10 @@ image:
 # @schema
 override: ~
 repository: "quay.io/cilium/cilium"
- tag: "v1.17.1"
+ tag: "v1.17.2"
 pullPolicy: "IfNotPresent"
 # cilium-digest
- digest: "sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
+ digest: "sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1"
 useDigest: true
 # -- Scheduling configurations for cilium pods
 scheduling:
@@ -495,6 +495,13 @@ bpf:
 # tracking table.
 # @default -- `262144`
 ctAnyMax: ~
+ # -- Control to use a distributed per-CPU backend memory for the core BPF LRU maps
+ # which Cilium uses. This improves performance significantly, but it is also
+ # recommended to increase BPF map sizing along with that.
+ distributedLRU:
+ # -- Enable distributed LRU backend memory. For compatibility with existing
+ # installations it is off by default.
+ enabled: false
 # -- Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble.
 # Helm configuration for BPF events map rate limiting is experimental and might change
 # in upcoming releases.
@@ -1433,9 +1440,9 @@ hubble:
 # @schema
 override: ~
 repository: "quay.io/cilium/hubble-relay"
- tag: "v1.17.1"
+ tag: "v1.17.2"
 # hubble-relay-digest
- digest: "sha256:397e8fbb188157f744390a7b272a1dec31234e605bcbe22d8919a166d202a3dc"
+ digest: "sha256:42a8db5c256c516cacb5b8937c321b2373ad7a6b0a1e5a5120d5028433d586cc"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- Specifies the resources for the hubble-relay pods
@@ -1684,8 +1691,8 @@ hubble:
 # @schema
 override: ~
 repository: "quay.io/cilium/hubble-ui-backend"
- tag: "v0.13.1"
- digest: "sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b"
+ tag: "v0.13.2"
+ digest: "sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- Hubble-ui backend security context.
@@ -1718,8 +1725,8 @@ hubble:
 # @schema
 override: ~
 repository: "quay.io/cilium/hubble-ui"
- tag: "v0.13.1"
- digest: "sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6"
+ tag: "v0.13.2"
+ digest: "sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- Hubble-ui frontend security context.
@@ -2332,6 +2339,11 @@ envoy:
 xffNumTrustedHopsL7PolicyIngress: 0
 # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
 xffNumTrustedHopsL7PolicyEgress: 0
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Max duration to wait for endpoint policies to be restored on restart. Default "3m".
+ policyRestoreTimeoutDuration: null
 # -- Envoy container image.
 image:
 # @schema
@@ -2339,9 +2351,9 @@ envoy:
 # @schema
 override: ~
 repository: "quay.io/cilium/cilium-envoy"
- tag: "v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae"
+ tag: "v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211"
 pullPolicy: "IfNotPresent"
- digest: "sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521"
+ digest: "sha256:377c78c13d2731f3720f931721ee309159e782d882251709cb0fac3b42c03f4b"
 useDigest: true
 # -- Additional containers added to the cilium Envoy DaemonSet.
 extraContainers: []
@@ -2605,7 +2617,7 @@ tls:
 # type: [null, boolean]
 # @schema
 # -- Enable synchronization of Secrets for TLS Interception. If disabled and
- # tls.secretsBackend is set to 'k8s', then secrets will be read directly by the agent.
+ # tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent.
 enabled: ~
 # -- Base64 encoded PEM values for the CA certificate and private key.
 # This can be used as common CA to generate certificates used by hubble and clustermesh components.
@@ -2658,6 +2670,9 @@ routingMode: ""
 # -- Configure VXLAN and Geneve tunnel port.
 # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
 tunnelPort: 0
+# -- Configure VXLAN and Geneve tunnel source port range hint.
+# @default -- 0-0 to let the kernel driver decide the range
+tunnelSourcePortRange: 0-0
 # -- Configure what the response should be to traffic for a service without backends.
 # Possible values:
 # - reject (default)
@@ -2693,15 +2708,15 @@ operator:
 # @schema
 override: ~
 repository: "quay.io/cilium/operator"
- tag: "v1.17.1"
+ tag: "v1.17.2"
 # operator-generic-digest
- genericDigest: "sha256:628becaeb3e4742a1c36c4897721092375891b58bae2bfcae48bbf4420aaee97"
+ genericDigest: "sha256:81f2d7198366e8dec2903a3a8361e4c68d47d19c68a0d42f0b7b6e3f0523f249"
 # operator-azure-digest
- azureDigest: "sha256:b9e3e3994f5fcf1832e1f344f3b3b544832851b1990f124b2c2c68e3ffe04a9b"
+ azureDigest: "sha256:455fb88b558b1b8ba09d63302ccce76b4930581be89def027184ab04335c20e0"
 # operator-aws-digest
- awsDigest: "sha256:da74748057c836471bfdc0e65bb29ba0edb82916ec4b99f6a4f002b2fcc849d6"
+ awsDigest: "sha256:955096183e22a203bbb198ca66e3266ce4dbc2b63f1a2fbd03f9373dcd97893c"
 # operator-alibabacloud-digest
- alibabacloudDigest: "sha256:034b479fba340f9d98510e509c7ce1c36e8889a109d5f1c2240fcb0942bc772c"
+ alibabacloudDigest: "sha256:7cb8c23417f65348bb810fe92fb05b41d926f019d77442f3fa1058d17fea7ffe"
 useDigest: true
 pullPolicy: "IfNotPresent"
 suffix: ""
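Review bot: The new default `tunnelSourcePortRange: 0-0` in the `@@ -2658,6 +2670,9 @@` hunk is left unquoted; YAML parsers read `0-0` as a plain string, but it is a number-looking value next to a schema entry (values.schema.json, line 26) that only admits `string`, so quoting it as `tunnelSourcePortRange: "0-0"` makes the intent explicit and protects it from a tool retyping it, matching how `tunnelPort` and the other string values in this file are written. Note also that because `"0-0"` is a non-empty string, the `{{- if .Values.tunnelSourcePortRange }}` guard in cilium-configmap.yaml (line 21) always renders `tunnel-source-port-range: "0-0"` with the default; if the key is meant to be omitted unless a user sets it, the default would have to be `""` instead. The same default is repeated in values.yaml.tmpl on line 32 and should be changed together with this one.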
@@ -2976,9 +2991,9 @@ preflight:
 # @schema
 override: ~
 repository: "quay.io/cilium/cilium"
- tag: "v1.17.1"
+ tag: "v1.17.2"
 # cilium-digest
- digest: "sha256:8969bfd9c87cbea91e40665f8ebe327268c99d844ca26d7d12165de07f702866"
+ digest: "sha256:3c4c9932b5d8368619cb922a497ff2ebc8def5f41c18e410bcc84025fcd385b1"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- The priority class to use for the preflight pod.
@@ -3125,9 +3140,9 @@ clustermesh:
 # @schema
 override: ~
 repository: "quay.io/cilium/clustermesh-apiserver"
- tag: "v1.17.1"
+ tag: "v1.17.2"
 # clustermesh-apiserver-digest
- digest: "sha256:1de22f46bfdd638de72c2224d5223ddc3bbeacda1803cb75799beca3d4bf7a4c"
+ digest: "sha256:981250ebdc6e66e190992eaf75cfca169113a8f08d5c3793fe15822176980398"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # -- TCP port for the clustermesh-apiserver health API.
@@ -3634,7 +3649,7 @@ authentication:
 override: ~
 repository: "docker.io/library/busybox"
 tag: "1.37.0"
- digest: "sha256:a5d0ce49aa801d475da48f8cb163c354ab95cab073cd3c138bd458fc8257fbf1"
+ digest: "sha256:498a000f370d8c37927118ed80afe8adc38d1edcbfc071627d17b25c88efcab0"
 useDigest: true
 pullPolicy: "IfNotPresent"
 # SPIRE agent configuration
diff --git a/packages/system/cilium/charts/cilium/values.yaml.tmpl b/packages/system/cilium/charts/cilium/values.yaml.tmpl
index 4a4b7eb3..a894e4f6 100644
--- a/packages/system/cilium/charts/cilium/values.yaml.tmpl
+++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl
@@ -500,6 +500,13 @@ bpf:
 # tracking table.
 # @default -- `262144`
 ctAnyMax: ~
+ # -- Control to use a distributed per-CPU backend memory for the core BPF LRU maps
+ # which Cilium uses. This improves performance significantly, but it is also
+ # recommended to increase BPF map sizing along with that.
+ distributedLRU:
+ # -- Enable distributed LRU backend memory. For compatibility with existing
+ # installations it is off by default.
+ enabled: false
 # -- Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble.
 # Helm configuration for BPF events map rate limiting is experimental and might change
 # in upcoming releases.
@@ -2351,6 +2358,11 @@ envoy:
 xffNumTrustedHopsL7PolicyIngress: 0
 # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
 xffNumTrustedHopsL7PolicyEgress: 0
+ # @schema
+ # type: [null, string]
+ # @schema
+ # -- Max duration to wait for endpoint policies to be restored on restart. Default "3m".
+ policyRestoreTimeoutDuration: null
 # -- Envoy container image.
 image:
 # @schema
@@ -2626,7 +2638,7 @@ tls:
 # type: [null, boolean]
 # @schema
 # -- Enable synchronization of Secrets for TLS Interception. If disabled and
- # tls.secretsBackend is set to 'k8s', then secrets will be read directly by the agent.
+ # tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent.
 enabled: ~
 # -- Base64 encoded PEM values for the CA certificate and private key.
 # This can be used as common CA to generate certificates used by hubble and clustermesh components.
@@ -2679,6 +2691,9 @@ routingMode: ""
 # -- Configure VXLAN and Geneve tunnel port.
 # @default -- Port 8472 for VXLAN, Port 6081 for Geneve
 tunnelPort: 0
+# -- Configure VXLAN and Geneve tunnel source port range hint.
+# @default -- 0-0 to let the kernel driver decide the range
+tunnelSourcePortRange: 0-0
 # -- Configure what the response should be to traffic for a service without backends.
 # Possible values:
 # - reject (default)
diff --git a/packages/system/cilium/images/cilium/Dockerfile b/packages/system/cilium/images/cilium/Dockerfile
index 9ea72945..7d855c32 100644
--- a/packages/system/cilium/images/cilium/Dockerfile
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -1,2 +1,2 @@
-ARG VERSION=v1.17.1
+ARG VERSION=v1.17.2
 FROM quay.io/cilium/cilium:${VERSION}